What is the correct way to open a range of ports in iptables

Solution 1:

This is the correct way:

iptables -A INPUT -p tcp --match multiport --dports 1024:3000 -j ACCEPT

As an example. Source here.

Solution 2:

What you've been told is right, although you've written it wrong (you've forgotten --dport).

iptables -A INPUT -p tcp --dport 1000:2000 will open up inbound traffic to TCP ports 1000 to 2000 inclusive.

-m multiport --dports is only needed if the range you want to open is not continuous, eg -m multiport --dports 80,443, which will open up HTTP and HTTPS only - not the ones in between.

Note that the ordering of rules is important, and (as Iain alludes to in his comment elsewhere) it's your job to make sure that any rule you add is in a place where it will be effective.

Solution 3:

TL;DR but...

Pure port range without multiport module: iptables -A INPUT -p tcp --dport 1000:2000 -j ACCEPT

Equivalent multiport example: iptables -A INPUT -p tcp -m multiport --dports 1000:2000 -j ACCEPT

...and variation about multi port with multi ranges (yes, this is also possible): iptables -A INPUT -p tcp -m multiport --dports 1000,1001,1002:1500,1501:2000 -j ACCEPT

...and equivalent multi port multi range example with negation: iptables -A INPUT -p tcp -m multiport ! --dports 0:999,2001:65535 -j ACCEPT

Have phun.