74

I have come across articles advising for the following:

iptables -A INPUT -p tcp 1000:2000 -j ACCEPT

And others stating that the above will not work and iptables only supports multiple port declarations with the --multiport option.

Is there a correct way to open many ports with iptables?

Cristian Ciupitu
Paul Whalley

5 Answers

85

This is the correct way:

iptables -A INPUT -p tcp --match multiport --dports 1024:3000 -j ACCEPT

As an example. Source here.

Nathan C

  • If you don't know the state of the ruleset `-I` is somewhat safer than `-A`. – user9517 May 13 '14 at 17:11
  • @Iain, could you please explain the reasoning behind that? – jayhendren May 13 '14 at 19:04
  • @jayhendren many rulesets will have a default drop everything rule e.g. `-A INPUT -j REJECT --reject-with icmp-host-prohibited` at the end of the INPUT and other tables. Using `-A` adds the rule at the end of the table, after the final rule, so it won't ever be considered as netfilter works on a first match wins basis. Using `-I` inserts the rule at the beginning of the table and as such it will always be considered. – user9517 May 13 '14 at 19:14
  • @Iain however, some rulesets also have rules at the beginning that filter or ratelimit packets, so it's worthwhile to point out that `-I` isn't *always* safer if you don't know the ruleset. – jayhendren May 13 '14 at 19:24
  • @jayhendren I think you just did, and also note I said somewhat, not _always_. – user9517 May 13 '14 at 19:26
78

What you've been told is right, although you've written it wrong (you've forgotten --dport).

iptables -A INPUT -p tcp --dport 1000:2000 will open up inbound traffic to TCP ports 1000 to 2000 inclusive.

-m multiport --dports is only needed if the range you want to open is not continuous, e.g. -m multiport --dports 80,443, which will open up HTTP and HTTPS only, not the ones in between.

Note that the ordering of rules is important, and (as Iain alludes to in his comment elsewhere) it's your job to make sure that any rule you add is in a place where it will be effective.

MadHatter
15

TL;DR but...

Pure port range without multiport module: iptables -A INPUT -p tcp --dport 1000:2000 -j ACCEPT

Equivalent multiport example: iptables -A INPUT -p tcp -m multiport --dports 1000:2000 -j ACCEPT

...and variation about multi port with multi ranges (yes, this is also possible): iptables -A INPUT -p tcp -m multiport --dports 1000,1001,1002:1500,1501:2000 -j ACCEPT

...and equivalent multi port multi range example with negation: iptables -A INPUT -p tcp -m multiport ! --dports 0:999,2001:65535 -j ACCEPT

Have phun.

BloodMan
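As an added example that is not from any answer on this page: this shell function turns a list of ports into one rule of the kind MadHatter and BloodMan describe, emitting plain --dport when the ports form a single contiguous run and -m multiport --dports (with collapsed ranges) otherwise. The 15-spec multiport limit, with a range counting as two, is taken from iptables-extensions(8); the function names are my own.

```shell
#!/bin/sh
# Added example (not from any answer on this page): build one INPUT ACCEPT rule
# from a list of TCP ports. Consecutive ports collapse into start:end ranges; a
# single contiguous block uses plain --dport, anything else uses -m multiport.
# Assumption: multiport takes at most 15 port specs and a range counts as two,
# as documented in iptables-extensions(8).

_flush_range() {
    # Append the pending block [start..prev] to $specs and count its cost.
    if [ "$start" -eq "$prev" ]; then
        specs="${specs:+$specs,}$start"; count=$((count + 1))
    else
        specs="${specs:+$specs,}$start:$prev"; count=$((count + 2))
    fi
    nranges=$((nranges + 1))
}

build_tcp_accept_rule() {
    # $1 is -A (append) or -I (insert at the top; see the -A/-I comments above),
    # remaining arguments are port numbers in any order, duplicates allowed.
    action=$1; shift
    [ $# -gt 0 ] || { echo "no ports given" >&2; return 1; }
    specs=""; count=0; nranges=0; start=""; prev=""
    for p in $(printf '%s\n' "$@" | sort -n | uniq); do
        case $p in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1;; esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
        if [ -z "$start" ]; then start=$p; prev=$p
        elif [ "$p" -eq $((prev + 1)) ]; then prev=$p
        else _flush_range; start=$p; prev=$p
        fi
    done
    _flush_range
    if [ "$nranges" -eq 1 ]; then
        printf 'iptables %s INPUT -p tcp --dport %s -j ACCEPT\n' "$action" "$specs"
    elif [ "$count" -le 15 ]; then
        printf 'iptables %s INPUT -p tcp -m multiport --dports %s -j ACCEPT\n' "$action" "$specs"
    else
        echo "too many port specs for one multiport rule ($count > 15); split the list" >&2
        return 1
    fi
}

# Prints: iptables -A INPUT -p tcp -m multiport --dports 1000:1002,1500:1501,2000 -j ACCEPT
build_tcp_accept_rule -A 1000 1001 1002 1500 1501 2000
```

Pipe the output into sh only after checking it against the live ruleset (iptables -S INPUT), since, as the comments above note, where the rule lands decides whether it is ever reached.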
1

There is another way: add the entry directly to the iptables file, located at /etc/sysconfig/iptables

-A INPUT -p tcp -m multiport --dports 1024:3000 -m state --state NEW -j ACCEPT

After that, restart the iptables service.

Paul
Anil Rana
  • If you only use `NEW` state, only the first packets are accepted. You can use `NEW,ESTABLISHED,RELATED` to allow incoming requests for the port range – Ahmet Özer Dec 12 '21 at 18:40
1

According to man iptables-extensions you can define a port range just by using the --dport switch.

tcp
These extensions can be used if `--protocol tcp' is specified. It provides the following options:
[!] --destination-port,--dport port[:port]

Destination port or port range specification. The flag --dport is a convenient alias for this option.

So this is also specifying a port range:
iptables -A INPUT -p tcp --dport 1000:2000 -j ACCEPT

caf3babe