
Tuesday, January 27, 2009

Iprange module in Iptables

IP range match

The IP range match is used to match ranges of IP addresses, as the --source and --destination matches can also do. However, it matches in a "from IP - to IP" manner, which the --source and --destination matches are unable to do. This may be needed in some specific network setups, and it is somewhat more flexible. The IP range match is loaded by using the -m iprange keyword.

Table 10-18. IP range match options

Match: --src-range
Kernel: 2.4, 2.5 and 2.6
Example: iptables -A INPUT -p tcp -m iprange --src-range 192.168.1.13-192.168.2.19
Explanation:

This matches a range of source IP addresses. The range includes every single IP address from the first to the last, so the example above includes everything from 192.168.1.13 to 192.168.2.19. The match may also be inverted by adding an !. The above example would then look like -m iprange ! --src-range 192.168.1.13-192.168.2.19, which would match every single IP address, except the ones specified.

Match: --dst-range
Kernel: 2.4, 2.5 and 2.6
Example: iptables -A INPUT -p tcp -m iprange --dst-range 192.168.1.13-192.168.2.19
Explanation:

The --dst-range match works exactly the same as the --src-range match, except that it matches destination IPs instead of source IPs.
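The following Python sketch is an added example, not part of the original post and not iptables code. It models the inclusive, invertible range semantics described above and lists the CIDR blocks that --source would need to cover the same addresses; the function names are hypothetical.

```python
import ipaddress

def parse_range(spec):
    """Split an iprange-style 'first-last' string into two IPv4 addresses."""
    first, last = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
    if first > last:
        raise ValueError("range start is above range end: " + spec)
    return first, last

def range_matches(spec, addr, invert=False):
    """Model of --src-range/--dst-range: inclusive at both ends; '!' inverts."""
    first, last = parse_range(spec)
    hit = first <= ipaddress.IPv4Address(addr) <= last
    return hit != invert

def range_size(spec):
    """Number of addresses the range covers, counting both endpoints."""
    first, last = parse_range(spec)
    return int(last) - int(first) + 1

def equivalent_cidrs(spec):
    """CIDR blocks needed to cover exactly the same addresses with --source."""
    first, last = parse_range(spec)
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]

if __name__ == "__main__":
    spec = "192.168.1.13-192.168.2.19"  # range from the table's example
    print(range_size(spec), "addresses")
    for cidr in equivalent_cidrs(spec):
        print("  --source", cidr)
    # Addresses just outside and exactly on each boundary of the range
    for addr in ("192.168.1.12", "192.168.1.13", "192.168.2.19", "192.168.2.20"):
        print(addr, range_matches(spec, addr), range_matches(spec, addr, invert=True))
```

The example range needs eight separate CIDR blocks when written with --source, which is why a single iprange rule is easier to audit for off-by-one gaps at the boundaries.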
