iptables multiple source IPs in single rule

Question

I'd like to create a single rule in iptables (if possible) that uses multiple source IP addresses. Is this possible?

// , You can do the same thing for ports, according to http://search.cpan.org/~phillips/IPTables-Rule-0.01/lib/IPTables/Rule.pm. — Nathan Basanese, Feb 22 '16 at 20:16

score 140 · Answer 1 · edited Oct 05 '15 at 19:24

140

To add multiple sources in a single command I would do this:

iptables -t filter -A INPUT -s 192.168.1.1,2.2.2.2,10.10.10.10 -j ACCEPT

iptables will automatically translate it into multiple rules.

edited Oct 05 '15 at 19:24

Dana the Sane

828
10
19

answered Dec 06 '14 at 17:57

Ali Pandidan

1,709
2
10
7

4

Despite the lack of votes, this works and is the right answer to the question – phil-lavin Feb 16 '15 at 08:17
// , Can you do the same with the ports? – Nathan Basanese Feb 22 '16 at 19:47
1

@NathanBasanese You can use `-m multiport --dports 123,456,789` for multiple ports – mahemoff Mar 12 '18 at 09:00
1

Tobia now has a better answer than this one. See below. – Ben Aveling Mar 29 '18 at 11:17
Using `iptables v1.3.7` Given command `iptables -I FORWARD -s 5.188.206.14,193.238.47.5 -j DROP` this returns error "`host/network '5.188.206.14,193.238.47.5' not found`". – JamesThomasMoon Dec 23 '18 at 23:59
1

`iptables v1.6.1: ! not allowed with multiple source or destination IP addresses` :-( – tudor -Reinstate Monica- Jun 25 '19 at 02:10
compatible iptables 1.8.7 – acgbox Sep 06 '22 at 16:43

score 21 · Answer 2 · answered Nov 03 '16 at 12:08

The original question is from May 2009, but since May 2011 the Linux kernel has had a feature to address this need called ipset.

Here is an example creating an ipset, adding addresses to it, and then using it in a firewall rule:

ipset -N office365 iphash

ipset -A office365 132.245.228.194
ipset -A office365 132.245.77.34
ipset -A office365 132.245.48.34
ipset -A office365 132.245.68.242
ipset -A office365 132.245.55.2
ipset -A office365 40.101.17.98
ipset -A office365 132.245.48.18
ipset -A office365 132.245.229.114
ipset -A office365 132.245.196.34
ipset -A office365 132.245.56.114

iptables -A OUTPUT -m set --match-set office365 dst -j ACCEPT

See man iptables and man ipset for more info.

score 17 · Answer 3 · answered May 31 '13 at 07:58

you can use the iprange module in combination with '--src-range' like for e.x.:

-A INPUT -i eth0 -m iprange --src-range 192.168.1.90-192.168.1.101 -j ACCEPT

Source: iptables 1.4.7 man page

   iprange
   This matches on a given arbitrary range of IP addresses.

   [!] --src-range from[-to]
          Match source IP in the specified range.

   [!] --dst-range from[-to]
          Match destination IP in the specified range.

(i know this is like a 4 year old question, but just to answer for anyone who seeks this on the net)

score 14 · Accepted Answer · answered May 11 '09 at 13:26

14

This is only possible if you can aggregate the source IP's you want into a contiguous range. eg

iptables -A INPUT -s 192.168.0.0/24 -d 192.168.0.5 -p tcp -j ACCEPT

If you cannot find a common netmask that covers the IP's you want, you'll have to write several identical rules to do what you want.

There are several iptables frameworks around which can deal with the low level of writing the iptables rules, allowing you to define your rules at a more symolic level. Shorewall is a common one that ships with most current linux distributions.

answered May 11 '09 at 13:26

Dave Cheney

18,567
8
49
56

// , This is incorrect, according to http://search.cpan.org/~phillips/IPTables-Rule-0.01/lib/IPTables/Rule.pm. – Nathan Basanese Feb 22 '16 at 20:16
1

[This Answer](https://serverfault.com/a/649693/410783) of Ali Pandidan is actually the corect one – derHugo Jun 19 '17 at 20:14

score 5 · Answer 5 · answered May 31 '13 at 08:04

In addition to the comment of Bòss King, you can also simply specify several addresses seperated with a comma:

[!] -s, --source address[/mask][,...]
      Source specification. Address can be either a network name, a hostname, a network IP address (with /mask), or a plain IP address. Hostnames will be resolved once only, before the rule is submitted to the kernel.  Please note  that  specifying
      any  name  to  be resolved with a remote query such as DNS is a really bad idea.  The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask.  Thus, a mask of 24 is equivalent to
      255.255.255.0.  A "!" argument before the address specification inverts the sense of the address. The flag --src is an alias for this option.  Multiple addresses can be specified, but this will expand to multiple rules (when adding with  -A),
      or will cause multiple rules to be deleted (with -D).

From the shell like `bash`, I must escape the inversion with a backslash: `\! -s 192.168.1.3 ...` — Marcos, Sep 08 '14 at 10:46
`iptables v1.6.1: ! not allowed with multiple source or destination IP addresses` :-( — tudor -Reinstate Monica-, Jun 25 '19 at 02:12

score 4 · Answer 6 · answered May 11 '09 at 13:42

You can define multiple chains such that you can combine independent lists of requirements. I doubt this is exactly what you want, but it's still pretty handy. We use this to define lists of valid user-types by IP, and then apply port restrictions to the source networks. So, for instance:

# Allow SMTP from anywhere
-A tcp_inbound -p tcp -m tcp -s 0/0 --dport 25 -j allowed
#
# Define the set of IP ranges we'll send to the tcp_user_inbound chain
-A tcp_inbound -p tcp -m tcp -s 172.19.1.0/24 -j tcp_user_inbound
-A tcp_inbound -p tcp -m tcp -s 172.19.6.0/23 -j tcp_user_inbound
-A tcp_inbound -p tcp -m tcp -s 172.19.8.0/24 -j tcp_user_inbound
-A tcp_inbound -p tcp -m tcp -s 172.19.10.0/23 -j tcp_user_inbound
-A tcp_inbound -p tcp -m tcp -s 172.19.12.0/23 -j tcp_user_inbound
-A tcp_inbound -p tcp -m tcp -s 172.19.4.0/23 -j tcp_user_inbound
#
# Ports we allow access to based on a source-address prereq.
# SSH
-A tcp_user_inbound -p tcp -m tcp --dport 22 -j allowed
# VNC
-A tcp_user_inbound -p tcp -m tcp --dport 5950:5958 -j allowed
# https
-A tcp_user_inbound -p tcp -m tcp --dport 443 -j allowed

score -1 · Answer 7 · answered Dec 06 '14 at 17:20

Let's say for example that you only want to accept SMTP packets that come from 10.0.0.2 or 192.168.1.2. You can user the following rules:

  # create a new chain
  iptables --new-chain multiple_sources_smtp
  # send all SMTP connections to the new chain
  iptables --append INPUT --protocol tcp --dport 25 --jump multiple_sources_smtp
  # use the default INPUT rules for packets coming from allowed sources
  iptables --append multiple_sources_smtp --source 10.0.0.2 --jump RETURN
  iptables --append multiple_sources_smtp --source 192.168.1.2 --jump RETURN
  # drop packets from anywhere else
  iptables --append multiple_sources_smtp -j DROP

Or as the output of iptables-save

  # Generated by iptables-save v1.4.14 on Sat Dec  6 09:17:11 2014
  *filter
  :INPUT ACCEPT [32:13325]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [25:3084]
  :multiple_sources_smtp - [0:0]
  -A INPUT -p tcp -m tcp --dport 25 -j multiple_sources_smtp
  -A multiple_sources_smtp -s 10.0.0.2/32 -j RETURN
  -A multiple_sources_smtp -s 192.168.1.2/32 -j RETURN
  -A multiple_sources_smtp -j DROP
  COMMIT
  # Completed on Sat Dec  6 09:17:11 2014

iptables multiple source IPs in single rule

7 Answers7

Linked