What is the correct way to open a range of ports in iptables
Solution 1
This is the correct way:
iptables -A INPUT -p tcp --match multiport --dports 1024:3000 -j ACCEPT
As an example. Source here.
Solution 2
What you've been told is right, although you've written it wrong (you've forgotten --dport
).
iptables -A INPUT -p tcp --dport 1000:2000
will open up inbound traffic to TCP ports 1000 to 2000 inclusive.
-m multiport --dports
is only needed if the range you want to open is not continuous, eg -m multiport --dports 80,443
, which will open up HTTP and HTTPS only - not the ones in between.
Note that the ordering of rules is important, and (as Iain alludes to in his comment elsewhere) it's your job to make sure that any rule you add is in a place where it will be effective.
Solution 3
TL;DR but...
Pure port range without multiport module:
iptables -A INPUT -p tcp --dport 1000:2000 -j ACCEPT
Equivalent multiport example:
iptables -A INPUT -p tcp -m multiport --dports 1000:2000 -j ACCEPT
...and variation about multi port with multi ranges (yes, this is also possible):
iptables -A INPUT -p tcp -m multiport --dports 1000,1001,1002:1500,1501:2000 -j ACCEPT
...and equivalent multi port multi range example with negation:
iptables -A INPUT -p tcp -m multiport ! --dports 0:999,2001:65535 -j ACCEPT
Have phun.
Solution 4
there is an other way to add the entry directly on the Iptables file.
location /etc/sysconfig/iptables
-A INPUT -p tcp -m multiport --dports 1024:3000 -m state --state NEW -j ACCEPT
after that restart iptable service
Paul Whalley
Updated on September 18, 2022Comments
-
Paul Whalley almost 2 years
I have come across articles advising for the following:
iptables -A INPUT -p tcp 1000:2000 -j ACCEPT
And others stating that the above will not work and iptables only supports multiple port declarations with the
--multiport
option.Is there a correct way to open many ports with iptables?
-
iSee about 10 yearsRelated question: iptables and multiple ports
-
-
user9517 about 10 yearsIf you don't know the state of the ruleset
-I
is somewhat safer than-A
. -
user9517 about 10 yearsI could allude here as well if you want ;)
-
MadHatter about 10 yearsHee hee hee! Go on, then, the message is worth repeating!
-
jayhendren about 10 years@Iain, could you please explain the reasoning behind that?
-
user9517 about 10 years@jayhendren many rulesets will have a default drop everything rule e.g.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
at the end of the INPUT and other tables. Using-A
adds the rule at the end of the table, after the final rule so it won't ever be considered as netfilter works on a first match wins basis. Using-I
inserts the rule at the beginning of the table ans as such it will always be considered. -
jayhendren about 10 years@Iain however, some rulesets also have rules at the beginning that filter or ratelimit packets, so it's worthwhile to point out that
-I
isn't always safer if you don't know the ruleset. -
user9517 about 10 years@jayhendren I think you just did and also note I said somewhat not always.
-
Andrew Kozak over 8 yearsThis is the correct answer; it is more thorough.
-
Ahmet Özer over 2 yearsIf you only use
NEW
state, only the first packets are accepted. You can useNEW,ESTABLISHED,RELATED
to allow incoming requests for the port range