Ip tables rules block specific range

I need help writing iptables rules that will allow a certain range of private address (  outgoing access to one or two specific named sites and nothing else.

Here is my current setup
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 81 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Thank you
Who is Participating?
skullnobrainsConnect With a Mentor Commented:
-A INPUT --src-range -m tcp -p tcp --dport 22 -j ACCEPT

would restrict your rule that allows ssh to the corresponding source range


you can remove the rule
and also " -m state --state NEW"
as all this is implicit in netfilter


don't freak, not understanding it quickly does not mean you are out of your league : netfilter uses a crazy syntax and it's documentation is far from complete, not to mention all the other reasons i have to hate it but that would probably start a useless flame war. if you can use pf or ipf, do so, it you're stuck with linux, you may consider installing one of the numerous so called "firewalls" that actually have simpler rule syntaxes and generate configs for netfilter so you don't have to learn the syntax yourself
Jordan MedlenConnect With a Mentor Commented:
You would use the following syntax...

-m iprange --src-range -j ACTION

You can read more in the following article.

santasvillageAuthor Commented:
Could you give more specific help?  This really is not my forte..

Thank you
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

Jordan MedlenCommented:
What are the two named sites that you want the IP addresses internally to be able to get to?
santasvillageAuthor Commented:
I do not know the exact domain names as of yet, will know soon, they are for a credit card processor.


we could use any site as an example:
so are allowed to go to google.com and no where else?

A proxy server is not a viable alternative right now

Thank you
santasvillageAuthor Commented:
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.