Iptables setting multiple multiports in one rule

Question

The multiport extension has a limit  15  for the ports that can be specified   But I need to specify much more port numbers in a single rule  so I tried to use several multiport in one rule like   iptables -A INPUT -p tcp -m multiport --destination-ports 59100 -m multiport --destination-ports 3000 -m state --state NEW -j REJECT --reject-with tcp-reset   The result of iptables -L INPUT -n is  Chain INPUT  policy ACCEPT  target     prot opt source               destination          REJECT     tcp  --  0 0 0 0 0            0 0 0 0 0           multiport dports 59100 multiport dports 3000 state NEW reject-with tcp-reset   But it turns out that both of the ports are not rejected when I try to connect from a client   The version is v1 4 2-rc1   Is there a workaround  or what should I do when I need to specify more than 15 ports in one rule

User · Answer

enable boxi poorten     enable boxi poorten     SRV  boxi poorten  boxi ports  427 5666 6001 6002 6003 6004 6005 6400 6410 8080 9321 15191 16447 17284 17723 17736 21306 25146 26632 27657 27683 28925 41583 45637 47648 49633 52551 53166 56392 56599 56911 59115 59898 60163 63512 6352 25834    case   1  in    LOCAL            for port in  boxi ports  do  IPT -A tcp inbound -p TCP -s  LOC SUB --dport  port -j ACCEPT -m comment --comment  boxi specifieke poorten  done        multiports gaat maar tot 15 maximaal            daarom maar for loop maken         IPT -A tcp inbound -p TCP -s  LOC SUB -m state --state NEW -m multiport --dports  MULTIPORTS -j ACCEPT -m comment --comment  boxi specifieke poorten       echo    GREEN Allowing  SRV for local hosts       NORMAL             WEB        for port in  boxi ports  do  IPT -A tcp inbound -p TCP -s 0 0 --dport  port -j ACCEPT -m comment --comment  boxi specifieke poorten  done      echo    RED Allowing  SRV for all hosts       NORMAL                    for port in  boxi ports  do  IPT -A tcp inbound -p TCP -s  LOC SUB --dport  port -j ACCEPT -m comment --comment  boxi specifieke poorten  done      echo    GREEN Allowing  SRV for local hosts       NORMAL           esac

User · Answer

As a workaround to this limitation  I use two rules to cover all the cases   For example  if I want to allow or deny these 18 ports   465 110 995 587 143 11025 20 21 22 26 80 443 3000 10000 7080 8080 3000 5666   I use the below rules   iptables -A INPUT -p tcp -i eth0 -m multiport --dports 465 110 995 587 143 11025 20 21 22 26 80 443 -j ACCEPT  iptables -A INPUT -p tcp -i eth0 -m multiport --dports 3000 10000 7080 8080 3000 5666 -j ACCEPT   The above rules should work for your scenario also  You can create another rule if you hit 15 ports limit on both first and second rule

User · Answer

You need to use multiple rules to implement OR-like semantics  since matches are always AND-ed together within a rule  Alternatively  you can do matching against port-indexing ipsets  ipset create blah bitmap port

User · Answer

As far as i know  writing multiple matches is logical AND operation  so what your rule means is if the destination port is  59100  AND  3000  then reject connection with tcp-reset  Workaround is using -mport option  Look out for the man page

[iptables] Iptables setting multiple multiports in one rule

Examples related to iptables