UFW - allow range of IP addresses?


Solution 1

You need to use a binary number (2, 4, 8, 16, 32) so either you use a bigger or a smaller range. Exactly 20 hosts just is not possible with a bitmask in a single rule:

  • 16 hosts (192.168.1.16 to 192.168.1.31):

    sudo ufw allow proto tcp from 192.168.1.16/28 to 192.168.1.48 port 80
    

    Details

    Address:   192.168.1.16          11000000.10101000.00000001.0001 0000
    Rule Mask: 255.255.255.240 = 28  11111111.11111111.11111111.1111 0000
    Wildcard:  0.0.0.15              00000000.00000000.00000000.0000 1111
    
    HostMin:   192.168.1.16          11000000.10101000.00000001.0001 0000
    HostMax:   192.168.1.31          11000000.10101000.00000001.0001 1111
    
  • 32 hosts (192.168.1.0 - 192.168.1.31)

    sudo ufw allow proto tcp from 192.168.1.0/27 to 192.168.1.48 port 80
    

    Details

    Address:   192.168.1.0           11000000.10101000.00000001.000 00000
    Rule Mask: 255.255.255.224 = 27  11111111.11111111.11111111.111 00000
    Wildcard:  0.0.0.31              00000000.00000000.00000000.000 11111
    
    HostMin:   192.168.1.0           11000000.10101000.00000001.000 00000
    HostMax:   192.168.1.31          11000000.10101000.00000001.000 11111
    
  • 64 hosts (192.168.1.0 - 192.168.1.63)

    sudo ufw allow proto tcp from 192.168.1.0/26 to 192.168.1.48 port 80
    

    Details

    Address:   192.168.1.0           11000000.10101000.00000001.00 000000
    Rule Mask: 255.255.255.192 = 26  11111111.11111111.11111111.11 000000
    Wildcard:  0.0.0.63              00000000.00000000.00000000.00 111111
    
    HostMin:   192.168.1.0           11000000.10101000.00000001.00 000000
    HostMax:   192.168.1.63          11000000.10101000.00000001.00 111111
    

Explanation

I can't give a better explanation than Wikipedia.
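To see how a range maps onto CIDR blocks, here is an added Python example (not from either answer) built on the standard library's ipaddress module. The webserver address 192.168.1.48, port 80 and the ranges come from the question; the function names are mine. It also shows that a range which is not a single power-of-two block can still be allowed exactly by emitting one ufw rule per block instead of one over-broad rule.

```python
"""Work out which CIDR blocks a ufw rule needs to cover an IP range.

Added example, not from the original post. Addresses reused from the
question: webserver 192.168.1.48, port 80, ranges like 192.168.1.30-.50.
"""
import ipaddress
from typing import List


def exact_blocks(first: str, last: str) -> List[str]:
    """Smallest set of CIDR blocks covering exactly first..last (inclusive)."""
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def smallest_single_block(first: str, last: str) -> str:
    """The one CIDR block that contains first..last; usually wider than wanted."""
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    net = ipaddress.ip_network(f"{lo}/32")
    # Shorten the prefix one bit at a time until the block also contains hi.
    while hi not in net:
        net = net.supernet()
    return str(net)


def extra_hosts(first: str, last: str) -> int:
    """How many addresses outside the wanted range the single block admits."""
    wanted = int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1
    block = ipaddress.ip_network(smallest_single_block(first, last))
    return block.num_addresses - wanted


def ufw_rules(first: str, last: str, dest: str = "192.168.1.48", port: int = 80) -> List[str]:
    """One ufw command per exact block, so only the wanted hosts are allowed."""
    return [
        f"sudo ufw allow proto tcp from {block} to {dest} port {port}"
        for block in exact_blocks(first, last)
    ]


if __name__ == "__main__":
    for rng in (("192.168.1.16", "192.168.1.31"), ("192.168.1.30", "192.168.1.50")):
        print(f"{rng[0]}-{rng[1]}: single block {smallest_single_block(*rng)} "
              f"admits {extra_hosts(*rng)} unwanted address(es); exact rules:")
        for cmd in ufw_rules(*rng):
            print("  " + cmd)
```

For 192.168.1.30-192.168.1.50 the single block is 192.168.1.0/26 (43 addresses more than asked for), while the exact cover is four rules: /31, /28, /31 and /32.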

Solution 2

Allow Incoming from Specific IP Address or Subnet

To allow incoming connections from a specific IP address or subnet, specify the source. For example, run this command:

sudo ufw allow from 192.168.1.0/24 to any port 22

OR

sudo ufw allow from 192.168.1.0/24 to 192.168.1.48 port 80

Author: Wilf

Updated on September 18, 2022

Comments

  • Wilf
    Wilf over 1 year

    I can add a rule using UFW firewall to allow a single known IP 192.168.1.32 to access my test webserver (192.168.1.48, on a local mostly trusted network) on Ubuntu 14.04 using:

    sudo ufw allow proto tcp from 192.168.1.23 to 192.168.1.48 port 80
    

    Is there a way I can add a range of addresses (e.g. 192.168.1.30-192.168.1.50, to allow more machines on my current network)? Using 192.168.1.30-192.168.1.50 and 192.168.1.30-192.168.1.50 doesn't work and results in ERROR: Bad source address.

    • A.B.
      A.B. almost 9 years
      For 14 hosts (192.168.1.17 to 192.168.1.30): 192.168.1.23/28. For 30 hosts: 192.168.1.0/27 (192.168.1.1 - 192.168.1.30). But nothing for 20 hosts.
    • Doug Smythies
      Doug Smythies almost 9 years
      Where did the previous comments go? The text of the question does not agree with the example ufw line. (?) @A.B. a mask of 28 bits would allow 16 host addresses through and a mask of 27 bits would allow 32 host addresses through. Wouldn't it? Disclaimer: I use iptables and not ufw.
    • Wilf
      Wilf almost 9 years
      @Doug If it was my comment I might have removed it because I couldn't edit it and copied the wrong info :). Both answers (which I think were good :(, and I could give screenshots of if needed) have been deleted though, but here is a screenshot of the thing I think you were replying to.
    • Wilf
      Wilf almost 9 years
      @A.B. the answer you gave worked (the second command did anyways, the first not at all), the addresses I have were ones I was testing from - the one I think I want access from could be in 192.168.1.10-192.168.1.50 (sorry if not clear, they seem to be assigned pretty randomly... ). I was going to test from other addresses but I think your answer could be the solution. BTW, due to having less than 10k, doug can't see your answer.
    • Doug Smythies
      Doug Smythies almost 9 years
      For 192.168.1.10-192.168.1.50 the nearest, but larger, rule would use 192.168.1.0/26 which would be 192.168.1.0-192.168.1.63
  • Wilf
    Wilf almost 9 years
    Hmmmm.... the second works from IPs 192.168.1.23, 192.168.1.27 and 192.168.1.31, but 192.168.1.0/28 doesn't work with any. What reason is there for the constriction on the ranges?
  • A.B.
    A.B. almost 9 years
    @Wilf Sorry, I can't give a better explanation than wikipedia :\
  • A.B.
    A.B. almost 9 years
    @Wilf Only for 192.168.1.23, 192.168.1.27 and 192.168.1.31?
  • Doug Smythies
    Doug Smythies almost 9 years
    You are not defining a sub-net with a bit mask allow rule for iptables or ufw. A mask of 28 will allow 16 host addresses and a mask of 27 will allow 32 host addresses through. But yes, it does depend on what your real sub-net mask is, and if you hit the boundaries or not. The 28 bit mask example doesn't overlap the desired range at all; it should be 192.168.1.16/28 to cover 192.168.1.16 through 192.168.1.31 inclusive.