How to specify multiple rules in iptables?


The manpage says (emphasis mine):

-A, --append chain rule-specification
        Append one *or more* rules to the end of the selected chain.
[...]
-D, --delete chain rule-specification
        Delete one *or more* rules from the selected chain.
[...]
-I, --insert chain [rulenum] rule-specification
       Insert one *or more* rules in the selected chain as the [...]

Does the manpage say that we can add more than one rule per invocation of iptables? Because I cannot find the right syntax to do it. This:

iptables -D INPUT -s 1.1.1.1 -p tcp -j DROP -s 1.1.1.2 -p tcp -j DROP

results in a “multiple -s flags not allowed” error. This:

iptables -D INPUT -s 1.1.1.1 -p tcp -j DROP -D INPUT -s 1.1.1.2 -p tcp -j DROP

results in a “Cannot use -D with -D” error. Adding “--” also doesn’t help.

So can we add multiple rules per invocation?

You didn’t quote the rest of the man page which clarifies this, i.e.:

       -A, --append chain rule-specification
          Append one or more rules to the end of the selected chain. When the source and/or destination
          names resolve to more than one address, a rule will be added for each possible address
          combination.

This implies that multiple rules are added by virtue of using a source or destination hostname in a rule specification that resolves to multiple addresses, not that you can add multiple distinct rules in one invocation.
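Since one invocation carries exactly one rule-specification, the practical way to add or delete several distinct rules is to run iptables once per rule. The script below is an added example, not part of the question or the answer: a small POSIX sh helper that takes the action (-A or -D), the chain and a list of addresses and issues one iptables command per address, the two addresses from the question being used as constructed input. It assumes iptables is on PATH and that the script runs as root when it actually applies rules; with DRY_RUN set it only prints the commands it would run, which is how the self-check at the bottom works.

```shell
#!/bin/sh
# Added example (not from the original post): iptables accepts a single
# rule-specification per invocation, so to handle several distinct rules we
# loop and call it once per address.
#
# Assumptions: iptables is on PATH and we are root when DRY_RUN is unset.
# With DRY_RUN set (any non-empty value) the commands are printed, not run.

# iptables_each ACTION CHAIN ADDR...
#   ACTION is -A (append) or -D (delete); one rule per ADDR is emitted,
#   matching TCP traffic from that source and dropping it, as in the question.
iptables_each() {
    action="$1"
    chain="$2"
    shift 2
    case "$action" in
        -A|-D) ;;
        *) echo "iptables_each: action must be -A or -D, got '$action'" >&2; return 2 ;;
    esac
    for addr in "$@"; do
        if [ -n "${DRY_RUN:-}" ]; then
            echo "iptables $action $chain -s $addr -p tcp -j DROP"
        else
            # Stop at the first failure so a partial change is noticed.
            iptables "$action" "$chain" -s "$addr" -p tcp -j DROP || return 1
        fi
    done
}

# rule_count ACTION CHAIN ADDR... : how many iptables invocations the
# same arguments would produce (one per address).
rule_count() {
    DRY_RUN=1 iptables_each "$@" | wc -l | tr -d ' '
}

# Demo with the two (constructed) addresses from the question; prints the
# commands instead of running them.
DRY_RUN=1 iptables_each -D INPUT 1.1.1.1 1.1.1.2
```

Pass literal addresses rather than hostnames: iptables resolves a hostname at insertion time and stores the resulting addresses, so a later -D with the same hostname only matches if the name still resolves to the same set. Mixed -A/-D in one call is rejected by the helper for the same reason iptables rejects it, so a batch that needs both is two calls.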
