The iptables module multiport lets you match a range of port numbers in a single rule, simplifying your firewall configurations.

Here is an iptables rule that matches TCP traffic to ports 80 and 443 and accepts it:

sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

This rule allows incoming TCP traffic destined for either port 80 or port 443.

The Problem multiport Solves

Without multiport, you’d need separate rules for each port:

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

As you add more ports, this quickly becomes unmanageable, increasing rule complexity and processing overhead.

How multiport Works

The multiport module is a match extension (loaded with -m multiport) that accepts a comma-separated list of ports and port ranges in a single rule. It doesn’t change how iptables processes packets; it is simply a more concise way to express several port matches than writing one rule per port.

The core of multiport is its parsing of the --dports (destination ports) or --sports (source ports) argument. Entries separated by commas are individual ports; an entry written with a colon (low:high) is a range. Note that, as with the plain --dport match, a range uses a colon and not a hyphen.

Using multiport

You can specify ports in several ways:

1. Comma-separated list:

sudo iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT

This rule allows traffic to ports 22 (SSH), 80 (HTTP), and 443 (HTTPS).

2. Port ranges:

sudo iptables -A INPUT -p tcp -m multiport --dports 6000:6010 -j ACCEPT

This allows traffic to ports 6000 through 6010.

3. Combined lists and ranges:

sudo iptables -A INPUT -p tcp -m multiport --dports 80,443,8000:8010 -j ACCEPT

This is a powerful combination, allowing traffic to ports 80, 443, and the range from 8000 to 8010.

4. Specifying source ports:

You can also use --sports to match a range of source ports, though this is less common for typical server firewalling.

sudo iptables -A OUTPUT -p tcp -m multiport --sports 50000:60000 -j ACCEPT

This rule would allow outgoing TCP traffic originating from ports 50000 through 60000.

5. Using with UDP:

The multiport module works identically for UDP traffic:

sudo iptables -A INPUT -p udp -m multiport --dports 53,123,161 -j ACCEPT

This allows UDP traffic to DNS (53), NTP (123), and SNMP (161).
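As an added example (not code from the page’s author), here is a small POSIX sh validator that checks a --dports/--sports argument against the syntax described above before the rule is loaded: entries separated by commas, ranges written low:high with a colon, numeric ports only, and no more than 15 ports per rule with a range counting as two (that limit comes from the multiport extension’s manual, not from this page). The function names port_ok and multiport_check are my own.

```shell
#!/bin/sh
# Added example: validate a multiport --dports/--sports argument before handing
# it to iptables. Function names are my own; the rules enforced are the ones the
# multiport extension documents: comma-separated entries, ranges as low:high,
# and at most 15 ports per rule with a range counting as two.

# port_ok PORT: succeed if PORT is a decimal number in 0..65535.
# Service names (e.g. "ssh") are deliberately rejected so the ruleset does not
# depend on the contents of /etc/services.
port_ok() {
    case $1 in
        ''|*[!0-9]*) echo "'$1' is not a numeric port" >&2; return 1 ;;
    esac
    [ "$1" -le 65535 ] || { echo "'$1' exceeds 65535" >&2; return 1; }
}

# multiport_check SPEC: return 0 if SPEC is a valid multiport port list,
# otherwise print the first problem on stderr and return 1.
multiport_check() {
    spec=$1
    count=0
    old_ifs=$IFS
    set -f                # no pathname expansion while splitting on commas
    IFS=','
    set -- $spec          # one positional parameter per comma-separated entry
    IFS=$old_ifs
    set +f
    [ $# -gt 0 ] || { echo "empty port list" >&2; return 1; }
    for entry in "$@"; do
        case $entry in
            *-*)
                echo "'$entry': write ranges as low:high, a hyphen is not accepted" >&2
                return 1 ;;
            *:*)
                low=${entry%%:*}
                high=${entry#*:}
                port_ok "$low" && port_ok "$high" || return 1
                [ "$low" -lt "$high" ] || {
                    echo "'$entry': range start must be below range end" >&2
                    return 1
                }
                count=$((count + 2)) ;;   # a range occupies two of the 15 slots
            *)
                port_ok "$entry" || return 1
                count=$((count + 1)) ;;
        esac
    done
    [ "$count" -le 15 ] || {
        echo "$count ports requested; multiport accepts at most 15 per rule" >&2
        return 1
    }
    return 0
}

# Usage: guard the real rule with the check, e.g.
#   multiport_check "22,80,443,8000:8010" &&
#     sudo iptables -A INPUT -p tcp -m multiport --dports 22,80,443,8000:8010 -j ACCEPT
```

The check is meant to sit in a provisioning script ahead of the iptables call, so a malformed list fails the script with a readable message instead of a partially loaded ruleset.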

Important Considerations

  • Order Matters: iptables rules are processed sequentially. Place your multiport rules appropriately within your chain to ensure they are evaluated before any general DROP or REJECT rules.
  • Module Loading: The multiport module is typically loaded automatically when iptables is invoked. If you encounter issues, you might need to ensure the xt_multiport.ko kernel module is loaded. You can check with lsmod | grep xt_multiport and load it with sudo modprobe xt_multiport.
  • Performance: While multiport simplifies rules, it doesn’t magically make your firewall faster. Each port listed or included in a range is still checked. For very large ranges or many individual ports, performance can degrade. However, for typical use cases (a few dozen ports), it’s an excellent trade-off for readability and maintainability.
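To make the “Order Matters” point concrete, here is an added example in POSIX sh (not code from the page’s author): gen_input_rules emits an iptables-restore ruleset in which the multiport ACCEPT rules precede the catch-all REJECT, and audit_order scans any ruleset text for an INPUT ACCEPT rule that follows a catch-all DROP/REJECT and would therefore never be reached. The function names, the log prefix and the rate limit are my own choices; the port lists passed in are assumed to already be in multiport syntax.

```shell
#!/bin/sh
# Added example: build an INPUT chain as an iptables-restore ruleset with the
# multiport ACCEPT rules placed before the catch-all, then audit a ruleset for
# ACCEPT rules that sit after a catch-all DROP/REJECT (unreachable rules).
# Function names, log prefix and rate limit are my own choices.

# gen_input_rules TCP_PORTS UDP_PORTS: print the ruleset on stdout.
# Either list may be empty; both are assumed to be valid multiport syntax
# (comma-separated, ranges as low:high).
gen_input_rules() {
    tcp_ports=$1
    udp_ports=$2
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened come first; they match most packets.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Service ports: one multiport rule per protocol instead of one rule per port.
    [ -n "$tcp_ports" ] && printf '%s\n' "-A INPUT -p tcp -m multiport --dports $tcp_ports -j ACCEPT"
    [ -n "$udp_ports" ] && printf '%s\n' "-A INPUT -p udp -m multiport --dports $udp_ports -j ACCEPT"
    # Catch-all last: any rule appended after this point is never evaluated.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-REJECT: "'
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-port-unreachable'
    printf '%s\n' 'COMMIT'
}

# audit_order RULESET: return 0 if no INPUT ACCEPT rule follows a catch-all
# DROP/REJECT, otherwise report each unreachable rule on stderr and return 1.
audit_order() {
    printf '%s\n' "$1" | awk '
        # A rule with no match criteria at all is a catch-all; remember its line.
        /^-A INPUT -j (DROP|REJECT)/ { catchall = NR; next }
        catchall && /^-A INPUT .* -j ACCEPT/ {
            printf "line %d unreachable: ACCEPT after catch-all on line %d\n", NR, catchall > "/dev/stderr"
            bad = 1
        }
        END { exit bad }'
}

# Usage: write the ruleset, parse it without committing, then load it atomically.
#   sh rules.sh "22,80,443" "53,123" > rules.v4
#   sudo iptables-restore --test < rules.v4 && sudo iptables-restore < rules.v4
if [ $# -ge 1 ]; then
    gen_input_rules "$1" "${2:-}"
fi
```

Loading the whole chain through iptables-restore keeps the ordering fixed in one file, which is easier to review than a sequence of -A commands run by hand; running audit_order over an exported ruleset (iptables-save) catches ACCEPT rules that someone appended after the catch-all.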

The multiport module is part of the xtables-addons package, which might need to be installed separately on some distributions.

Once you’ve mastered matching multiple destination ports, the next logical step is to explore how to match combinations of ports and IP addresses using the conntrack module for stateful firewalling.
