The multiport extension has a limit (15) for the ports that can be specified.
But I need to specify much more port numbers in a single rule, so I tried to use several multiport in one rule like:
iptables -A INPUT -p tcp -m multiport --destination-ports 59100 -m multiport --destination-ports 3000 -m state --state NEW -j REJECT --reject-with tcp-reset
The result of iptables -L INPUT -n
is
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 59100 multiport dports 3000 state NEW reject-with tcp-reset
But it turns out that both of the ports are not rejected when I try to connect from a client.
The version is v1.4.2-rc1.
Is there a workaround, or what should I do when I need to specify more than 15 ports in one rule.
This question is related to
iptables
enable_boxi_poorten
}
enable_boxi_poorten() {
SRV="boxi_poorten"
boxi_ports="427 5666 6001 6002 6003 6004 6005 6400 6410 8080 9321 15191 16447 17284 17723 17736 21306 25146 26632 27657 27683 28925 41583 45637 47648 49633 52551 53166 56392 56599 56911 59115 59898 60163 63512 6352 25834"
case "$1" in
"LOCAL")
for port in $boxi_ports; do $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport $port -j ACCEPT -m comment --comment "boxi specifieke poorten";done
# multiports gaat maar tot 15 maximaal :((
# daarom maar for loop maken
# $IPT -A tcp_inbound -p TCP -s $LOC_SUB -m state --state NEW -m multiport --dports $MULTIPORTS -j ACCEPT -m comment --comment "boxi specifieke poorten"
echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}"
;;
"WEB")
for port in $boxi_ports; do $IPT -A tcp_inbound -p TCP -s 0/0 --dport $port -j ACCEPT -m comment --comment "boxi specifieke poorten";done
echo "${RED}Allowing $SRV for all hosts.....${NORMAL}"
;;
*)
for port in $boxi_ports; do $IPT -A tcp_inbound -p TCP -s $LOC_SUB --dport $port -j ACCEPT -m comment --comment "boxi specifieke poorten";done
echo "${GREEN}Allowing $SRV for local hosts.....${NORMAL}"
;;
esac
}
As far as i know, writing multiple matches is logical AND operation; so what your rule means is if the destination port is "59100" AND "3000" then reject connection with tcp-reset; Workaround is using -mport option. Look out for the man page.
You need to use multiple rules to implement OR-like semantics, since matches are always AND-ed together within a rule. Alternatively, you can do matching against port-indexing ipsets (ipset create blah bitmap:port
).
As a workaround to this limitation, I use two rules to cover all the cases.
For example, if I want to allow or deny these 18 ports:
465,110,995,587,143,11025,20,21,22,26,80,443,3000,10000,7080,8080,3000,5666
I use the below rules:
iptables -A INPUT -p tcp -i eth0 -m multiport --dports 465,110,995,587,143,11025,20,21,22,26,80,443 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -m multiport --dports 3000,10000,7080,8080,3000,5666 -j ACCEPT
The above rules should work for your scenario also. You can create another rule if you hit 15 ports limit on both first and second rule.
Source: Stackoverflow.com