UFW - allow range of IP addresses?
Solution 1
You need to use a binary number (2, 4, 8, 16, 32), so either you use a bigger or a smaller range. Exactly 20 hosts just is not possible with a bitmask in a single rule:
- 16 hosts (192.168.1.16 to 192.168.1.31):
  sudo ufw allow proto tcp from 192.168.1.16/28 to 192.168.1.48 port 80
  Details
  Address:   192.168.1.16          11000000.10101000.00000001.0001 0000
  Rule Mask: 255.255.255.240 = 28  11111111.11111111.11111111.1111 0000
  Wildcard:  0.0.0.15              00000000.00000000.00000000.0000 1111
  HostMin:   192.168.1.16          11000000.10101000.00000001.0001 0000
  HostMax:   192.168.1.31          11000000.10101000.00000001.0000 1111
- 32 hosts (192.168.1.0 to 192.168.1.31):
  sudo ufw allow proto tcp from 192.168.1.0/27 to 192.168.1.48 port 80
  Details
  Address:   192.168.1.0           11000000.10101000.00000001.000 00000
  Rule Mask: 255.255.255.224 = 27  11111111.11111111.11111111.111 00000
  Wildcard:  0.0.0.31              00000000.00000000.00000000.000 11111
  HostMin:   192.168.1.0           11000000.10101000.00000001.000 00000
  HostMax:   192.168.1.31          11000000.10101000.00000001.000 11111
- 64 hosts (192.168.1.0 to 192.168.1.63):
  sudo ufw allow proto tcp from 192.168.1.0/26 to 192.168.1.48 port 80
  Details
  Address:   192.168.1.0           11000000.10101000.00000001.00 000000
  Rule Mask: 255.255.255.192 = 26  11111111.11111111.11111111.11 000000
  Wildcard:  0.0.0.63              00000000.00000000.00000000.00 111111
  HostMin:   192.168.1.0           11000000.10101000.00000001.00 000000
  HostMax:   192.168.1.63          11000000.10101000.00000001.00 111111
Explanation
I can't give a better explanation than Wikipedia.
Solution 2
Allow Incoming from Specific IP Address or Subnet
To allow incoming connections from a specific IP address or subnet, specify the source. For example, run this command:
sudo ufw allow from 192.168.1.0/24 to any port 22
OR
sudo ufw allow from 192.168.1.0/24 to 192.168.1.48 port 80
Updated on September 18, 2022
Comments
-
Wilf over 1 year
I can add a rule using UFW firewall to allow a single known IP 192.168.1.32 to access my test webserver (192.168.1.48, on a local mostly trusted network) on Ubuntu 14.04 using: sudo ufw allow proto tcp from 192.168.1.23 to 192.168.1.48 port 80
Is there a way I can add a range of addresses (e.g. 192.168.1.30-192.168.1.50 to allow more machines on my current network)? Using 192.168.1.30-192.168.1.50 and 192.168.1.30-192.168.1.50 doesn't work and results in ERROR: Bad source address.
-
A.B. almost 9 years
For 14 hosts (192.168.1.17 to 192.168.1.30) 192.168.1.23/28, for 30 hosts 192.168.1.0/27 (192.168.1.1 - 192.168.1.30), but nothing for 20 hosts.
-
Doug Smythies almost 9 years
Where did the previous comments go? The text of the question does not agree with the example ufw line. (?) @A.B. a mask of 28 bits would allow 16 host addresses through and a mask of 27 bits would allow 32 host addresses through. Wouldn't it? Disclaimer: I use iptables and not ufw.
-
Wilf almost 9 years
@Doug If it was my comment I might have removed it because I couldn't edit it and copied the wrong info :). Both answers (which I think were good :(, and I could give screenshots of if needed) have been deleted though, but here is a screenshot of the thing I think you were replying to
-
Wilf almost 9 years
@A.B. the answer you gave worked (the second command did anyway, the first not at all); the addresses I have were ones I was testing from. The one I think I want access from could be in 192.168.1.10-192.168.1.50 (sorry if not clear, they seem to be assigned pretty randomly...). I was going to test from other addresses but I think your answer could be the solution. BTW, due to having less than 10k, Doug can't see your answer.
-
Doug Smythies almost 9 years
For 192.168.1.10-192.168.1.50 the nearest, but larger, rule would use 192.168.1.0/26, which would be 192.168.1.0-192.168.1.63
-
Wilf almost 9 years
Hmmmm.... the second works from IPs 192.168.1.23, 192.168.1.27 and 192.168.1.31, but 192.168.1.0/28 doesn't work with any. What reason is there for constriction on the ranges?
-
A.B. almost 9 years
@Wilf Sorry, I can't give a better explanation than Wikipedia :\
-
A.B. almost 9 years
@Wilf Only for 192.168.1.23, 192.168.1.27 and 192.168.1.31?
-
Doug Smythies almost 9 years
You are not defining a sub-net with a bit mask allow rule for iptables or ufw. A mask of 28 will allow 16 host addresses and a mask of 27 will allow 32 host addresses through. But yes, it does depend on what your real sub-net mask is, and if you hit the boundaries or not. The 28 bit mask example doesn't overlap the desired range at all; it should be 192.168.1.16/28 to cover 192.168.1.16 through 192.168.1.31 inclusive.
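Solution 1 and the comments above work out the block sizes by hand. As an added example (not from the original post, the answerers, or ufw itself), this Python script uses the standard-library ipaddress module to do the same for any range such as 192.168.1.30-192.168.1.50: it computes the smallest single CIDR block (and how many unrequested addresses that rule would let through) and the exact minimal set of CIDR blocks, one ufw rule each, which allows exactly the requested hosts and nothing more. The server address, port and range are the ones from the question.

```python
import ipaddress


def exact_cidr_cover(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive and
    nothing else. Each block becomes one ufw rule, so no unrequested
    host is allowed through."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def smallest_single_cidr(first, last):
    """Smallest single CIDR block containing first..last (what the answer
    and comments compute by hand). Returns (block, extra), where extra is
    the number of addresses the rule permits beyond the requested range."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    wanted = int(hi) - int(lo) + 1
    for prefix in range(32, -1, -1):
        # strict=False zeroes the host bits, so lo need not be aligned
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
        if hi in net:
            return str(net), net.num_addresses - wanted
    raise ValueError("unreachable: /0 contains every address")


def ufw_rules(first, last, dest, port, proto="tcp"):
    """ufw command lines (syntax from the question) for an exact cover."""
    return [f"sudo ufw allow proto {proto} from {block} to {dest} port {port}"
            for block in exact_cidr_cover(first, last)]


if __name__ == "__main__":
    # The range from the question: about 20 hosts reaching the web server
    first, last, server = "192.168.1.30", "192.168.1.50", "192.168.1.48"
    block, extra = smallest_single_cidr(first, last)
    print(f"single rule: {block} (allows {extra} addresses you did not ask for)")
    print("exact cover, one rule per block:")
    for rule in ufw_rules(first, last, server, 80):
        print(" ", rule)
```

For 192.168.1.30-192.168.1.50 the single-rule answer is 192.168.1.0/26 with 43 extra addresses, while the exact cover is four rules (/31, /28, /31, /32); both results agree with the /26 worked out in Doug Smythies' comment.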