How to Properly Open Port Ranges in iptables: Multiport vs Port Range Syntax

When working with iptables, many admins run into confusion around opening multiple ports. The syntax iptables -A INPUT -p tcp 1000:2000 -j ACCEPT looks logical but does not work in standard iptables implementations: iptables only accepts port specifications through a match option such as --dport or --dports, never as a bare argument on the command line.

The correct method is the multiport match extension (-m multiport), which supports three kinds of port specification:

# Single port range
iptables -A INPUT -p tcp -m multiport --dports 1000:2000 -j ACCEPT

# Multiple discrete ports
iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT 

# Mixed format
iptables -A INPUT -p tcp -m multiport --dports 20:23,80,443,1000:2000 -j ACCEPT

Some newer kernel versions (3.7+) with specific iptables extensions may support direct range notation, but for maximum compatibility:

  • Always use multiport for port ranges
  • Verify module availability with lsmod | grep xt_multiport
  • Check kernel docs for your specific version

Here's a complete example for opening common web ports plus a custom range:

# Load multiport module if not already present
modprobe xt_multiport

# Allow established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Web ports + custom range
iptables -A INPUT -p tcp -m multiport --dports 80,443,1000:2000 -j ACCEPT

# Save rules (distribution-specific)
iptables-save > /etc/iptables.rules

For complex scenarios, consider these methods:

# Using ipset for very large port lists
# "range" only sizes the bitmap and must cover every port you intend to add;
# the ports themselves still have to be added explicitly
ipset create webports bitmap:port range 80-2000
ipset add webports 80
ipset add webports 443
ipset add webports 1000-2000
iptables -A INPUT -p tcp -m set --match-set webports dst -j ACCEPT

# Shell loop (not recommended for production)
for port in {1000..2000}; do
  iptables -A INPUT -p tcp --dport $port -j ACCEPT
done

Always verify your rules with:

iptables -L -n -v
iptables -S

Common issues include a missing multiport module or incorrect rule ordering. Remember that iptables processes rules sequentially: the first rule that matches and has a terminating target (ACCEPT, DROP, REJECT) decides the packet's fate, so an earlier DROP rule will shadow a later ACCEPT.


Many administrators get confused when trying to open port ranges in iptables. The confusion stems from two different syntax approaches:

# Approach 1 (incorrect for ranges):
iptables -A INPUT -p tcp 1000:2000 -j ACCEPT

# Approach 2 (correct multiport method):
iptables -A INPUT -p tcp --match multiport --dports 1000:2000 -j ACCEPT

The colon syntax (1000:2000) only works for specific modules like --match tcp or --match udp when used with their respective port parameters. The bare syntax shown in Approach 1 will be interpreted as an invalid argument by iptables.

Here are three proper ways to implement port ranges:

# Method 1: Using multiport module
iptables -A INPUT -p tcp -m multiport --dports 1000:2000 -j ACCEPT

# Method 2: Using tcp module with port range
iptables -A INPUT -p tcp -m tcp --dport 1000:2000 -j ACCEPT

# Method 3: For multiple discrete ranges
iptables -A INPUT -p tcp -m multiport --dports 80,443,1000:2000 -j ACCEPT

The multiport module has a limit of 15 port ranges per rule. For extremely large ranges (500+ ports), consider:

# Using ipset for large port ranges
# "range" only sizes the bitmap; the ports must still be added to the set
ipset create largeports bitmap:port range 1000-2000
ipset add largeports 1000-2000
iptables -A INPUT -p tcp -m set --match-set largeports dst -j ACCEPT
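As an added helper (not from the original article), the POSIX shell function below validates a comma-separated --dports specification and splits it into as many multiport rules as the extension's documented per-rule limit requires; per the iptables-extensions manual a rule may carry 15 port entries and a range consumes two of them. The function names are the author's own, and the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Hypothetical helper: build multiport ACCEPT rules from a port spec,
# splitting at the limit of 15 entries per rule (a LO:HI range costs two).
MULTIPORT_MAX=15

# Accept "N" or "LO:HI" with both ends in 1..65535 and LO <= HI.
valid_port_spec() {
    case "$1" in ''|*:*:*) return 1;; esac
    lo=${1%%:*}; hi=${1##*:}
    case "$lo" in ''|*[!0-9]*) return 1;; esac
    case "$hi" in ''|*[!0-9]*) return 1;; esac
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# Print one iptables rule per group of at most MULTIPORT_MAX entries.
# Usage: build_multiport_rules "80,443,1000:2000" [CHAIN]
build_multiport_rules() {
    [ -n "$1" ] || return 1
    chain=${2:-INPUT}
    cur=""; used=0
    old_ifs=$IFS; IFS=,
    for tok in $1; do
        IFS=$old_ifs            # word list is already split; restore IFS
        valid_port_spec "$tok" || { echo "bad port spec: $tok" >&2; return 1; }
        case "$tok" in *:*) cost=2;; *) cost=1;; esac
        if [ $((used + cost)) -gt "$MULTIPORT_MAX" ]; then
            # flush the rule built so far and start a new one
            echo "iptables -A $chain -p tcp -m multiport --dports $cur -j ACCEPT"
            cur=""; used=0
        fi
        cur="${cur:+$cur,}$tok"; used=$((used + cost))
    done
    IFS=$old_ifs
    [ -n "$cur" ] && echo "iptables -A $chain -p tcp -m multiport --dports $cur -j ACCEPT"
    return 0
}
```

Pipe the output into `sh` once the printed rules look right; specs that exceed one rule's capacity are simply emitted as several consecutive rules.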

Here's a complete example for opening multiple service ports:

# Web services
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

# SSH with rate limiting
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Custom application range
iptables -A INPUT -p tcp -m tcp --dport 8000:8100 -j ACCEPT