ACL and Firewall Automation

CIDR to Firewall Rules

Turn IPv4 and IPv6 CIDRs into iptables, nftables, ipset, nginx, or UFW rules so network policy can move from spreadsheet to deployable config faster.

Multi-Target Output

One CIDR list can be transformed into several firewall or ACL syntaxes.

IPv4 and IPv6 Aware

Mixed address families are normalized and emitted in the correct command form.

Ops-Friendly

Useful for firewall rollouts, IP allowlists, maintenance windows, and emergency blocks.

Rule Settings

Generates iptables and ip6tables commands. Useful for host firewalls and automation scripts.

Generated Rules

Review the output before applying it in production.

Valid networks: 2
iptables -A INPUT -s 203.0.113.0/24 -p tcp --dport 443 -j ACCEPT
ip6tables -A INPUT -s 2001:db8::/32 -p tcp --dport 443 -j ACCEPT

Normalized networks

203.0.113.0/24
2001:db8::/32

Why generators help

They reduce copy-paste mistakes when the same policy must be expressed across Linux firewalls, reverse proxies, and ipset or nftables sets.

Best fit use case

They are especially useful when a clean CIDR list already exists and the slow part is translating it into the right syntax.

When to use ipset

For long lists, ipset or nftables sets are usually easier to maintain and faster to evaluate than hundreds of individual rules.

About This Tool

CIDR to Firewall Rules is designed for the moment when you already know which addresses should be allowed or blocked, but still need to turn that list into correct, deployment-ready syntax. It accepts IPv4 and IPv6 CIDRs as well as single host IPs, normalizes them, and generates output for common targets such as iptables, nftables, ipset, Nginx, and UFW. This is useful for temporary maintenance allowlists, partner IP onboarding, emergency blocks, WAF bypass lists, and migration work where address policy has to be translated consistently across multiple systems.

How to Use

  1. Paste one CIDR or IP per line, or separate them with commas.
  2. Choose the target format such as iptables, nftables, ipset, nginx, or ufw.
  3. Set the action, direction, protocol, and optional port.
  4. Review the generated rules, invalid inputs, and normalization notes.
  5. Apply the output in your infrastructure only after verifying it matches the intended policy and environment.

Features

  • Supports iptables, nftables, ipset, nginx, and ufw output
  • Normalizes IPv4, IPv6, and single host IP addresses
  • Preserves mixed-family input lists
  • Provides notes when protocol and port combinations do not make sense
  • Designed as both a working tool and an SEO-friendly landing page

Common Use Cases

  • Building reverse proxy allowlists
  • Generating temporary maintenance firewall rules
  • Blocking hostile IP ranges during abuse response
  • Preparing onboarding rules for vendors or office egress IPs
  • Converting policy documents into deployable firewall syntax

Technical Details

Firewall syntax differs by platform, but the core translation is usually the same: normalize each input network, determine whether it should match source or destination addresses, then emit target-specific syntax.

Examples:

  • iptables: iptables -A INPUT -s 203.0.113.0/24 -j ACCEPT
  • nftables: add rule inet filter input ip saddr 203.0.113.0/24 accept
  • nginx: allow 203.0.113.0/24;
  • ipset: reusable set definitions such as create corp-allow-v4 hash:net family inet

Large address lists are usually better represented as sets rather than hundreds of individual match rules.

Firewall Rule FAQ

Should I use iptables or ipset for large lists?

For large or frequently changing lists, ipset is usually cleaner and more efficient because the firewall can reference a reusable set.

Why are single IPs converted to /32 or /128?

The generator normalizes hosts into explicit CIDR notation so the output is unambiguous across different targets.

Why was my port ignored?

Ports only apply when the protocol is TCP or UDP. If protocol is set to “all”, the generator intentionally drops the port match.

Can I paste both IPv4 and IPv6 together?

Yes. The generator keeps both families and emits the correct rule format for each target.
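As an added example (not the tool's own code), here is the translation pipeline from the Technical Details section together with the FAQ behaviours: hosts normalize to /32 or /128, a port is dropped when the protocol is "all", and each network is emitted in the command form for its address family. The action names accept/block, the direction values in/out, and the ipset set names are assumptions.

```python
import ipaddress
import re

# Set names for the ipset target are assumed placeholders, not from the tool.
SET_NAMES = {4: ("corp-allow-v4", "inet"), 6: ("corp-allow-v6", "inet6")}

def parse_networks(text):
    """Split on newlines or commas; bare hosts normalize to /32 or /128."""
    valid, invalid = [], []
    for token in re.split(r"[\s,]+", text.strip()):
        if not token:
            continue
        try:  # strict=False tolerates host bits: 203.0.113.7/24 -> 203.0.113.0/24
            valid.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            invalid.append(token)
    return valid, invalid

def generate(text, target, action="accept", direction="in", proto="all", port=None):
    """Return (rules, invalid_inputs, notes) for one target syntax."""
    nets, invalid = parse_networks(text)
    notes, rules, allow = [], [], action == "accept"
    if port is not None and proto not in ("tcp", "udp"):
        notes.append(f"port {port} ignored: ports only apply when protocol is tcp or udp")
        port = None
    if target == "ipset":  # one set per family; a separate rule references the set
        for fam, (name, family) in SET_NAMES.items():
            members = [n for n in nets if n.version == fam]
            if members:
                rules.append(f"create {name} hash:net family {family}")
                rules.extend(f"add {name} {n}" for n in members)
        return rules, invalid, notes
    for net in nets:
        v6 = net.version == 6
        if target == "iptables":
            chain, flag = ("INPUT", "-s") if direction == "in" else ("OUTPUT", "-d")
            l4 = (f" -p {proto}" if proto != "all" else "") + (f" --dport {port}" if port else "")
            rules.append(f"{'ip6tables' if v6 else 'iptables'} -A {chain} {flag} {net}{l4}"
                         f" -j {'ACCEPT' if allow else 'DROP'}")
        elif target == "nftables":
            chain, addr = ("input", "saddr") if direction == "in" else ("output", "daddr")
            l4 = f" {proto} dport {port}" if port else ""
            rules.append(f"add rule inet filter {chain} {'ip6' if v6 else 'ip'} {addr} {net}{l4}"
                         f" {'accept' if allow else 'drop'}")
        elif target == "nginx":  # nginx access rules carry no port or direction
            rules.append(f"{'allow' if allow else 'deny'} {net};")
        else:
            raise ValueError(f"unknown target {target!r}")
    return rules, invalid, notes
```

Invalid tokens are reported rather than silently skipped, so the caller can refuse to apply a rule set whose input did not fully parse.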