Old 09-14-2004, 06:53 AM   #1
TheHellsMaster
LQ Newbie
 
Registered: Sep 2004
Posts: 7

Rep: Reputation: 0
Question how to define a specific range of IPs and/or multiple IPs in an iptables rule?...


hi all,

how can I define a customized range of IPs (a segment from 192.168.0.0/24) or multiple IPs in a single iptables rule?...
...if possible at all...

like for example if you want to define source ports from 10 to 25 you type "--sport 10:25" or if you want to use multiple ports you type "-m multiport --sport 3,6,7,32"
...and you don't need to type one and the same rule for each port...

I need to do the same thing for IPs...
using the netmask does not work for me, since the ranges I need to define are custom...


if anyone can help me do this in iptables rule or using external script that will export the IPs - the beer is on me... :-)

10x in advance...
 
Old 09-14-2004, 03:27 PM   #2
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
It's as simple as:
-s 192.168.0.0/24
 
Old 09-14-2004, 04:53 PM   #3
TheIrish
Member
 
Registered: Oct 2003
Location: ITALY
Distribution: Debian, Ubuntu, Fedora
Posts: 137

Rep: Reputation: 15
Quote:
It's as simple as:
-s 192.168.0.0/24
piece of cake! But I actually think he meant a more strict range like from 192.168.0.5 to 192.168.1.10.
In this case there's a netfilter patch available... I don't think it passed stable yet, so probably you'll need patch'o'matic: www.netfilter.org
 
Old 09-14-2004, 06:01 PM   #4
scottman
Member
 
Registered: Jul 2004
Location: USA
Distribution: Slackware, FreeBSD, LFS
Posts: 72

Rep: Reputation: 15
You could also try this (wasn't aware of the patch before I started it)

Code:
#!/bin/bash

range1="192.168.55.1:192.168.55.15"

function load_ranges()
{
	# -n with quoting: an unquoted empty $range1 would make the test a syntax error
	if [ -n "$range1" ]; then
		# Both ends must share the first three octets; they are taken
		# from the high end of the range.
		first_num=$(echo "$range1" | cut -d : -f2 | cut -d . -f1)
		second_num=$(echo "$range1" | cut -d : -f2 | cut -d . -f2)
		third_num=$(echo "$range1" | cut -d : -f2 | cut -d . -f3)
		low_range_num=$(echo "$range1" | cut -d : -f1 | cut -d . -f4)
		high_range_num=$(echo "$range1" | cut -d : -f2 | cut -d . -f4)
		counter=1

		# The loop keeps going while the current last octet is at or
		# below the top of the range (-le), so the last address of the
		# range is included as well.
		while [ "$low_range_num" -le "$high_range_num" ]; do
			current_ip="$first_num.$second_num.$third_num.$low_range_num"

			#you can add your rules here, and use $current_ip for the
			#range.

			#iptables -A FORWARD -i eth1 -d $current_ip -j DROP

			#iptables -A INPUT -d $current_ip -j DROP

			#echo $current_ip

			let low_range_num=$low_range_num+1

			# Safety valve: never run more than 255 iterations
			let counter=$counter+1
			if [ "$counter" = "255" ]; then
				break
			fi
		done
	fi
}
load_ranges

Last edited by scottman; 09-15-2004 at 02:17 AM.
 
Old 09-14-2004, 06:59 PM   #5
TheIrish
Member
 
Registered: Oct 2003
Location: ITALY
Distribution: Debian, Ubuntu, Fedora
Posts: 137

Rep: Reputation: 15
phew! pure rock'n'roll
 
Old 09-15-2004, 10:09 AM   #6
TheHellsMaster
LQ Newbie
 
Registered: Sep 2004
Posts: 7

Original Poster
Rep: Reputation: 0
ah, yeah!... :-)

10x for that script - that's about what I meant and it works for me...

as I said - the beer is on me... :-)
 
Old 09-15-2004, 02:38 PM   #7
scottman
Member
 
Registered: Jul 2004
Location: USA
Distribution: Slackware, FreeBSD, LFS
Posts: 72

Rep: Reputation: 15
No prob, I could use a cold one.

You could make it more useful for multiple ranges by taking an argument to it.

load_ranges "$range1"
or
load_ranges "$range2"

That would allow you to replace all times $range1 is used in the function with
$*. Then you could use it for multiple ranges, however you'd still be restricted
to one generic ruleset.
Code:
	if [ -n "$*" ]; then
		first_num=$(echo "$*" | cut -d : -f2 | cut -d . -f1)
Also be careful with modifying this, any small errors could cause up to
255 output messages
 
Old 09-16-2004, 03:04 AM   #8
TheHellsMaster
LQ Newbie
 
Registered: Sep 2004
Posts: 7

Original Poster
Rep: Reputation: 0
yep... :-)

10x for that too... :-)
it may get in use in future times since now I have a very complicated firewall and with slight exclusions almost every machine or custom range has its own rules, access and restrictions...

another question...
how about having multiple IPs but not a range?...
...like for example 192.168.0.15, 192.168.0.31 and 192.168.0.134...

currently in such cases I just have a rule for each machine, but it's slower to maintain when some change in the rule is needed - I have to change it for all the machines...
if I was able to define multiple machines in one rule, when a change is needed I'll have to change only one rule... :-)

I was told something for multiple usage of "-s" or "-d" in the rule, like:

iptables -A INPUT -s 192.168.0.15 -s 192.168.0.31 -s 192.168.0.134 -j ACCEPT

...but I haven't been able to test it yet, so I don't know if it actually works and if there's some impact on the performance of the firewall...


any ideas will be appreciated... :-)
 
Old 09-16-2004, 11:48 AM   #9
scottman
Member
 
Registered: Jul 2004
Location: USA
Distribution: Slackware, FreeBSD, LFS
Posts: 72

Rep: Reputation: 15
I tried the multiple -s and -d flags and it gave me a message saying it
wasn't allowed. The way I currently load specific ips or ports is by
having a separate file, and reading the entries out of there with awk.
Here is a quick example.

Code:
# Drops packets from specific IP's, and rejects outgoing
# communication to them
function black_list()
{
	# third column of $FIREFILE, skipping rows that contain a "c"
	awk '!/c/{print $3}' "$FIREFILE" | \
	while read -r i; do
		# --reject-with tcp-reset is only accepted for TCP, so the
		# REJECT rule has to carry -p tcp or iptables refuses to load it
		$IPT -A BLACKHOLE -p tcp -d "$i" -j REJECT \
			--reject-with tcp-reset
		$IPT -A BLACKHOLE -s "$i" -j DROP
	done
}
This would read everything from the third column of $FIREFILE (just a variable for
the path to the file), and then put it into the variable $i. I put the !/c/ in the awk to stop
it from reading rows that contain the letter c in it. Here's an example file

Code:
a=tcp   b=udp   c=spy     d=lanallow
80      b       IP_ADD    IP_ADD
20      68      IP_ADD    d
21      67      c         d
110     b       c         d
25      b       IP_ADD    d
a       b       c         d
a       b       c         d
a       b       c         d
I know this isn't a very efficient way to do things, but it's what I came up with when I started
my firewall script, just started learning a few months ago. If anyone else has any other ideas or if there's an easier way I'd love to learn about it.

Sorry about the way firefile looks, it should be straight columns...

Last edited by scottman; 09-16-2004 at 11:49 AM.
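The two approaches in this thread (expanding a range address by address, as in scottman's script in #4, and reading a list of individual addresses out of a file, as in #9) can be generalised into one small POSIX sh script. This is an added example, not code from either poster; it handles ranges that cross an octet boundary and only prints the iptables commands so the generated rule set can be reviewed before it is applied. The file name blocklist.txt in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not scottman's script: expand any IPv4 range (even one that
# crosses an octet boundary, e.g. 192.168.0.250-192.168.1.3) and emit one
# iptables rule per address. Rules are printed rather than run, so the
# generated set can be reviewed before it is applied.

# Dotted quad -> 32-bit integer.
ip2int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print every address from $1 to $2 inclusive, one per line.
# Fails (non-zero exit, nothing printed) if the range is reversed.
expand_range() {
    lo=$(ip2int "$1") || return 1
    hi=$(ip2int "$2") || return 1
    [ "$lo" -le "$hi" ] || { echo "bad range: $1-$2" >&2; return 1; }
    i=$lo
    while [ "$i" -le "$hi" ]; do
        int2ip "$i"
        i=$((i + 1))
    done
}

# Read addresses from stdin (one per line, as from a list file) and print a
# DROP rule for each; blank lines are skipped.
emit_drop_rules() {
    while read -r ip; do
        [ -n "$ip" ] || continue
        echo "iptables -A INPUT -s $ip -j DROP"
    done
}

# Example runs (output only; pipe the result into sh to apply it):
#   expand_range 192.168.0.250 192.168.1.3 | emit_drop_rules
#   grep -v '^#' blocklist.txt | emit_drop_rules    # blocklist.txt is a placeholder
```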
 
Old 09-20-2004, 10:06 AM   #10
TheHellsMaster
LQ Newbie
 
Registered: Sep 2004
Posts: 7

Original Poster
Rep: Reputation: 0
hmmm...

I'll see if this will work for me...
10x for the help anyway... :-)
 