iptables: using the same address lists against multiple ports - Networking

Thread: iptables: using the same address lists against multiple ports

  1. iptables: using the same address lists against multiple ports

    I am using iptables to allow access to a certain port from a list of
    permitted IP addresses using a shell script as follows:

    #!/bin/sh

    ALLOWED="12.0.0.0/8
    27.3.0.0/16
    10.0.0.0/8
    "

    for addr in $ALLOWED
    do
        iptables -A INPUT -s $addr -p tcp --dport 7500 -j ACCEPT
    done

    iptables -A INPUT -p tcp --dport 7500 -j DROP

    Supposing I want to use the same rules against another port number, for
    example, port 23000.

    I could repeat the loop against port 23000, but wouldn't that double the
    storage space for the tables, because I have two copies of the same
    address list for two different port numbers?

    Is there a way to setup a single table in memory, and then map the port
    numbers against it?

    I want to do something like:

    FILTEREDPORTS="7500
    23000
    "
    for port in $FILTEREDPORTS
    do
    # filtered port against permitted address list
    done

    How can I do this?

    Mark.

    --
    Mark Hobley
    Linux User: #370818 http://markhobley.yi.org/


  2. Re: iptables: using the same address lists against multiple ports

    Mark Hobley wrote:
    > I am using iptables to allow access to a certain port from a list of
    > permitted IP addresses using a shell script as follows:
    >
    > #!/bin/sh
    >
    > ALLOWED="12.0.0.0/8
    > 27.3.0.0/16
    > 10.0.0.0/8
    > "
    >
    > for addr in $ALLOWED
    > do
    > iptables -A INPUT -s $addr -p tcp --dport 7500 -j ACCEPT
    > done
    >
    > iptables -A INPUT -p tcp --dport 7500 -j DROP
    >
    > Supposing I want to use the same rules against another port number, for
    > example, port 23000.
    >
    > I could repeat the loop against port 23000, but wouldn't that double the
    > storage space for the tables, because I have two copies of the same
    > address list for two different port numbers?
    >
    > Is there a way to setup a single table in memory, and then map the port
    > numbers against it?
    >
    > I want to do something like:
    >
    > FILTEREDPORTS="7500
    > 23000
    > "
    > for port in $FILTEREDPORTS
    > do
    > # filtered port against permitted address list
    > done
    >
    > How can I do this?
    >
    > Mark.
    >

    One of the iptables modules allows filtering on multiple ports.
    It's under Netfilter Xtables support and is called "multiport"
    multiple port match support.

    Jerry

  3. Re: iptables: using the same address lists against multiple ports

    Jerry Peters wrote:

    > One of the iptables modules allows filtering on multiple ports.
    > It's under Netfilter Xtables support and is called "multiport"
    > multiple port match support.


    Hmmm, OK. I just had a quick look at that.

    How do I deploy this from my script?

    The iptables documentation is awful, and I am really struggling to
    decipher it.

    I may eventually use the same address list against a completely
    different set of rules. I was wondering if I could somehow create some
    sort of custom table or chain of permitted IP addresses and then use input
    rules to jump to my table.

    for example:

    if port=7500 then jump to my_chain
    if port=20000 then jump to my_chain
    allow # port is not filtered

    then rules for custom_table simply match against source ip address and
    allow traffic for listed ip addresses, otherwise deny. (There would be
    no port matching in custom_chain, and custom_chain is only effective if
    explicitly called.)

    I guess this would look something like:

    Chain INPUT (policy ACCEPT)
    my_chain tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
    my_chain tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20000

    Chain my_chain (policy DENY)
    ACCEPT tcp -- 12.0.0.0/8 0.0.0.0/0 tcp
    ACCEPT tcp -- 27.3.0.0/16 0.0.0.0/0 tcp

    Can I do something like this?

    Mark.

    --
    Mark Hobley
    Linux User: #370818 http://markhobley.yi.org/


  4. Re: iptables: using the same address lists against multiple ports

    On Mon, 3 Nov 2008 01:50:31 +0000, markhobley@hotpop.donottypethisbit.com (Mark Hobley) wrote:

    >Jerry Peters wrote:
    >
    >> One of the iptables modules allows filtering on multiple ports.
    >> It's under Netfilter Xtables support and is called "multiport"
    >> multiple port match support.

    >
    >Hmmm. ok. I just had a quick look at that.
    >
    >How do I deploy this from my script?
    >
    >The iptables documentation is awful, and I am really struggling to
    >decipher it.
    >
    >I may eventually use the same address list against a completely
    >different set of rules. I was wondering if I could somehow create some
    >sort of custom table or chain of permitted IP addresses and then use input
    >rules to jump to my table.
    >
    >for example:
    >
    > if port=7500 then jump to my_chain
    > if port=20000 then jump to my_chain
    > allow # port is not filtered
    >
    >then rules for custom_table simply match against source ip address and
    >allow traffic for listed ip addresses, otherwise deny. (There would be
    >no port matching in custom_chain, and custom_chain is only effective if
    >explicitly called.)
    >
    >I guess this would look something like:
    >
    >Chain INPUT (policy ACCEPT)
    >my_chain tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
    >my_chain tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20000
    >
    >Chain my_chain (policy DENY)
    >ACCEPT tcp -- 12.0.0.0/8 0.0.0.0/0 tcp
    >ACCEPT tcp -- 27.3.0.0/16 0.0.0.0/0 tcp
    >
    >Can I do something like this?


    Sort of, but your syntax is way off the track: policy is only for builtin
    chains, and you're writing nothing that looks like the examples from
    'man iptables'. A gotcha: if you're using a recent kernel, make sure
    iptables is recent too, otherwise the thing will disagree with the kernel and
    may give misleading error messages (not that it doesn't already issue poorly
    worded errors).

    INPUT chain should be default DROP, then allow what traffic you need,
    start with the basic firewall (read netfilter.org starter) then poke holes
    on the INPUT side for services offered.

    Grant.
    --
    http://bugsplatter.id.au

  5. Re: iptables: using the same address lists against multiple ports

    Grant wrote:

    > INPUT chain should be default DROP, then allow what traffic you need


    I can't do that at this time. It will drop all of my LAN and Internet
    server and client side traffic. This machine is externally firewalled.
    The reason for the filter on the specific input ports is due to a
    limitation with the external hardware firewall device which is not able
    to limit traffic on particular input ports to a list of known IP
    addresses.

    This is what I have come up with:

    #!/bin/sh

    FILTERED="
    7500
    23000
    "

    ALLOWED="
    12.0.0.0/8
    27.3.0.0/16
    10.0.0.0/24
    "

    iptables -N MYTABLE

    for addr in $ALLOWED
    do
        iptables -A MYTABLE -s $addr -p tcp -j ACCEPT
    done

    iptables -A MYTABLE -p tcp -j DROP

    for fport in $FILTERED
    do
        iptables -A INPUT -p tcp --dport $fport -j MYTABLE
    done


    --
    Mark Hobley
    Linux User: #370818 http://markhobley.yi.org/
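
The script above builds the shared chain one `iptables` call at a time. The following is an added example, not Mark's script, that produces the same design (one user chain holding the address list, one jump per restricted port) as `iptables-restore` text so the whole set is loaded atomically and can be inspected before it is applied. The chain name MYTABLE, the ports and the address list are the ones used in the thread; everything else (the function names, the `apply` argument) is this example's own choice. Note that MYTABLE is a chain, not a table, and that a user chain has no policy: the closing DROP rule is what keeps unlisted sources out, because a packet that falls off the end of a user chain returns to INPUT, whose policy here is ACCEPT.

```shell
#!/bin/sh
# Added example (not the thread's script): generate the shared-whitelist
# ruleset in iptables-restore format.  Ports and addresses are assumed
# values taken from the thread; the chain name MYTABLE is Mark's.

FILTERED="7500 23000"                        # assumed: ports to restrict
ALLOWED="12.0.0.0/8 27.3.0.0/16 10.0.0.0/24" # assumed: permitted sources

# Print a filter-table fragment: the address list appears once, in the user
# chain, and each restricted port is a single jump into it.  The chain rules
# carry no "-p tcp" so the same chain can later serve UDP jumps as well.
build_ruleset() {
    chain=${1:-MYTABLE}
    printf '%s\n' '*filter'
    printf '%s\n' ":$chain - [0:0]"
    for addr in $ALLOWED; do
        printf '%s\n' "-A $chain -s $addr -j ACCEPT"
    done
    # A user chain has no policy: without this rule an unlisted source would
    # return to INPUT and be accepted by INPUT's own policy.
    printf '%s\n' "-A $chain -j DROP"
    for port in $FILTERED; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -j $chain"
    done
    printf '%s\n' 'COMMIT'
}

# Number of rules that carry the address list: one per address, however many
# ports jump to the chain (this is the answer to the "double the storage"
# question in the first post).
count_address_rules() {
    build_ruleset "$1" | grep -c -e '-s '
}

# Apply only when asked explicitly (needs root and a netfilter kernel):
#   sh this_script.sh apply
# --noflush keeps the rest of the filter table; re-running it would append a
# second set of INPUT jumps, so delete the old ones first if you re-apply.
if [ "${1:-}" = "apply" ]; then
    build_ruleset MYTABLE | iptables-restore --noflush
fi
```

Run it without arguments to print the ruleset and review it; `iptables-restore --test` (where the installed version supports it) parses the text without loading it. Adding a third restricted port adds one INPUT line and no address rules.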


  6. Re: iptables: using the same address lists against multiple ports

    Hello,

    Mark Hobley wrote:
    > Jerry Peters wrote:
    >
    >> One of the iptables modules allows filtering on multiple ports.
    >> It's under Netfilter Xtables support and is called "multiport"
    >> multiple port match support.

    >
    > Hmmm. ok. I just had a quick look at that.
    >
    > How do I deploy this from my script?


    FILTEREDPORTS="7500,23000"

    iptables [...] -m multiport --dports $FILTEREDPORTS -j [...]

    IIRC, the limit is 16 ports.

  7. Re: iptables: using the same address lists against multiple ports

    On Monday 3 November 2008 02:50, Mark Hobley wrote:

    > Jerry Peters wrote:
    >
    >> One of the iptables modules allows filtering on multiple ports.
    >> It's under Netfilter Xtables support and is called "multiport"
    >> multiple port match support.

    >
    > Hmmm. ok. I just had a quick look at that.
    >
    > How do I deploy this from my script?
    >
    > The iptables documentation is awful, and I am really struggling to
    > decipher it.


    Uh?

    multiport
    This module matches a set of source or destination ports. Up to 15
    ports can be specified. A port range (port:port) counts as two ports. It
    can only be used in conjunction with -p tcp or -p udp.

    --source-ports [!] port[,port[,port:port...]]
    Match if the source port is one of the given ports. The
    flag --sports is a convenient alias for this option.

    --destination-ports [!] port[,port[,port:port...]]
    Match if the destination port is one of the given ports. The
    flag --dports is a convenient alias for this option.

    --ports [!] port[,port[,port:port...]]
    Match if either the source or destination ports are equal to
    one of the given ports.


    Could it be clearer than that?


  8. Re: iptables: using the same address lists against multiple ports

    pk wrote:
    >
    > multiport
    > This module matches a set of source or destination ports. Up to 15
    > ports can be specified. A port range (port:port) counts as two ports. It
    > can only be used in conjunction with -p tcp or -p udp.
    >
    > --source-ports [!] port[,port[,port:port...]]
    > Match if the source port is one of the given ports. The
    > flag --sports is a convenient alias for this option.
    >
    > --destination-ports [!] port[,port[,port:port...]]
    > Match if the destination port is one of the given ports. The
    > flag --dports is a convenient alias for this option.
    >
    > --ports [!] port[,port[,port:port...]]
    > Match if either the source or destination ports are equal to
    > one of the given ports.
    >
    > Could it be clearer than that?


    Yes, quite.
    It could state that:

    * -p SCTP and -p DCCP are also supported since kernel 2.6.18 (and
    iptables 1.3.6).

    * Port range and inversion support requires a kernel 2.6.11 at least
    (and iptables 1.3.0).

    * The multiple match can only have one option among --dports, --sports
    and --ports. Several options cannot be used simultaneously in the same
    match. Using two or more of them in the same rule requires multiple
    multiport matches (multiple matches of the same type within a single
    rule are supported since iptables 1.3.6).
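
The `-m multiport --dports 7500,23000` form shown two posts up collapses the per-port jumps into one rule, but the man page excerpt and the notes above set limits a script has to respect: at most 15 ports per match, a range counting as two, and only one of --dports/--sports/--ports per match. The following added example (not from the thread) generates the INPUT jump rules for an arbitrary list, splitting it into as many multiport matches as the 15-slot limit requires. The chain name MYTABLE and the port numbers come from the thread; the function names and the space-separated port list are assumptions of this example, and the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example (not from the thread): emit "-m multiport --dports" jump rules
# for any port list while honouring the limits quoted in the thread: 15 ports
# per match, a range "low:high" costing two slots, one rule per group.
# Chain name and ports are assumed; output is iptables-restore style text.

# Slots an entry consumes in a multiport match: a range counts as two.
slot_cost() {
    case $1 in
        *:*) echo 2 ;;
        *)   echo 1 ;;
    esac
}

# multiport_rules CHAIN port [port|low:high ...]
# Prints one "-A INPUT -p tcp -m multiport --dports <list> -j CHAIN" line per
# group of at most 15 slots; multiport needs -p tcp or -p udp to be set.
multiport_rules() {
    chain=$1
    shift
    group=""
    used=0
    for p in "$@"; do
        cost=$(slot_cost "$p")
        if [ $((used + cost)) -gt 15 ]; then
            printf '%s\n' "-A INPUT -p tcp -m multiport --dports $group -j $chain"
            group=""
            used=0
        fi
        if [ -z "$group" ]; then
            group=$p
        else
            group="$group,$p"
        fi
        used=$((used + cost))
    done
    if [ -n "$group" ]; then
        printf '%s\n' "-A INPUT -p tcp -m multiport --dports $group -j $chain"
    fi
}

# How many rules a list needs (handy for checking the split).
rule_count() {
    multiport_rules "$@" | grep -c ''
}

# The thread's two ports fit in one match:
multiport_rules MYTABLE 7500 23000
```

Two ports give a single rule; sixteen single ports, or eight ranges, give two. Because each group is its own rule, every group still jumps to the same MYTABLE chain, so the address list is never duplicated. If source ports also need matching, add a second `-m multiport --sports ...` to the rule rather than a second option on the same match, as the note above explains.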

  9. Re: iptables: using the same address lists against multiple ports

    On Tuesday 4 November 2008 11:32, Pascal Hambourg wrote:

    >> Could it be clearer than that?

    >
    > Yes, quite.
    > It could state that :
    >
    > * -p SCTP and -p DCCP are also supported since kernel 2.6.18 (and
    > iptables 1.3.6).
    >
    > * Port range and inversion support requires a kernel 2.6.11 at least
    > (and iptables 1.3.0).
    >
    > * The multiple match can only have one option among --dports, --sports
    > and --ports. Several options cannot be used simultaneously in the same
    > match. Using two or more of them in the same rule requires multiple
    > multiport matches (multiple matches of the same type within a single
    > rule are supported since iptables 1.3.6).


    Fair enough. However, the syntax to use is indicated very clearly.

