What is the correct way to open a range of ports in iptables

linux iptables linux-networking

183,130

Solution 1

This is the correct way:

iptables -A INPUT -p tcp --match multiport --dports 1024:3000 -j ACCEPT

As an example. Source here.

Solution 2

What you've been told is right, although you've written it wrong (you've forgotten --dport).

iptables -A INPUT -p tcp --dport 1000:2000 will open up inbound traffic to TCP ports 1000 to 2000 inclusive.

-m multiport --dports is only needed if the range you want to open is not continuous, eg -m multiport --dports 80,443, which will open up HTTP and HTTPS only - not the ones in between.

Note that the ordering of rules is important, and (as Iain alludes to in his comment elsewhere) it's your job to make sure that any rule you add is in a place where it will be effective.

Solution 3

TL;DR but...

Pure port range without multiport module: iptables -A INPUT -p tcp --dport 1000:2000 -j ACCEPT

Equivalent multiport example: iptables -A INPUT -p tcp -m multiport --dports 1000:2000 -j ACCEPT

...and variation about multi port with multi ranges (yes, this is also possible): iptables -A INPUT -p tcp -m multiport --dports 1000,1001,1002:1500,1501:2000 -j ACCEPT

...and equivalent multi port multi range example with negation: iptables -A INPUT -p tcp -m multiport ! --dports 0:999,2001:65535 -j ACCEPT

Have phun.

Solution 4

there is an other way to add the entry directly on the Iptables file. location /etc/sysconfig/iptables

-A INPUT -p tcp -m multiport --dports 1024:3000 -m state --state NEW -j ACCEPT

after that restart iptable service

View more solutions

183,130

Author by

Paul Whalley

Updated on September 18, 2022

Comments

Paul Whalley almost 2 years
I have come across articles advising for the following:
```
iptables -A INPUT -p tcp 1000:2000 -j ACCEPT
```
And others stating that the above will not work and iptables only supports multiple port declarations with the --multiport option.

Is there a correct way to open many ports with iptables?
- iSee about 10 years
  
  Related question: iptables and multiple ports
user9517 about 10 years

If you don't know the state of the ruleset -I is somewhat safer than -A.
user9517 about 10 years

I could allude here as well if you want ;)
MadHatter about 10 years

Hee hee hee! Go on, then, the message is worth repeating!
jayhendren about 10 years

@Iain, could you please explain the reasoning behind that?
user9517 about 10 years

@jayhendren many rulesets will have a default drop everything rule e.g. -A INPUT -j REJECT --reject-with icmp-host-prohibited at the end of the INPUT and other tables. Using -A adds the rule at the end of the table, after the final rule so it won't ever be considered as netfilter works on a first match wins basis. Using -I inserts the rule at the beginning of the table ans as such it will always be considered.
jayhendren about 10 years

@Iain however, some rulesets also have rules at the beginning that filter or ratelimit packets, so it's worthwhile to point out that -I isn't always safer if you don't know the ruleset.
user9517 about 10 years

@jayhendren I think you just did and also note I said somewhat not always.
Andrew Kozak over 8 years

This is the correct answer; it is more thorough.
Ahmet Özer over 2 years

If you only use NEW state, only the first packets are accepted. You can use NEW,ESTABLISHED,RELATED to allow incoming requests for the port range