iptables – How to Specify Multiple Rules in Linux Firewall

Tags: firewall, iptables, linux

The manpage says (emphasis mine):

-A, --append chain rule-specification
        Append one *or more* rules to the end of the selected chain.
[...]
-D, --delete chain rule-specification
        Delete one *or more* rules from the selected chain.
[...]
-I, --insert chain [rulenum] rule-specification
       Insert one *or more* rules in the selected chain as the [...]

Does the manpage say that we can add more than one rule per invocation of iptables? Because I cannot find the right syntax to do it. This:

iptables -D INPUT -s 1.1.1.1 -p tcp -j DROP -s 1.1.1.2 -p tcp -j DROP

results in a "multiple -s flags not allowed" error. This:

iptables -D INPUT -s 1.1.1.1 -p tcp -j DROP -D INPUT -s 1.1.1.2 -p tcp -j DROP

results in a "Cannot use -D with -D" error. Adding "--" also doesn't help.

So can we add multiple rules per invocation?

Best Answer

You didn't quote the rest of the man page which clarifies this, i.e.:

       -A, --append chain rule-specification
          Append one or more rules to the end of the selected chain. When the source and/or
          destination names resolve to more than one address, a rule will be added for each
          possible address combination.

This implies that multiple rules are added by virtue of using a source or destination hostname in a rule specification that resolves to multiple addresses, not that you can add multiple distinct rules in one invocation.
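Since a single iptables invocation takes exactly one rule specification, the practical way to install many distinct rules at once is to generate an iptables-restore ruleset and load it in one atomic step. The following POSIX shell function is an added example (not from the question or answer above); the function name build_drop_ruleset and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset that drops TCP traffic
# from each listed source address. Literal addresses (not hostnames) are
# used so that no DNS lookup happens at load time; with a hostname,
# iptables itself would expand the rule once per resolved address, which
# is the "one or more rules" behaviour the man page describes.

build_drop_ruleset() {
    # $1: chain to append to; remaining arguments: source addresses/CIDRs
    chain=$1
    shift
    printf '*filter\n'
    for src in "$@"; do
        printf '%s\n' "-A $chain -s $src -p tcp -j DROP"
    done
    printf 'COMMIT\n'
}

# Constructed sample sources (assumption, not from the page).
build_drop_ruleset INPUT 1.1.1.1 1.1.1.2

# To syntax-check without applying (no root needed for parsing):
#   build_drop_ruleset INPUT 1.1.1.1 1.1.1.2 | iptables-restore --test
# To apply while keeping existing rules (root required):
#   build_drop_ruleset INPUT 1.1.1.1 1.1.1.2 | iptables-restore --noflush
```

Without --noflush, iptables-restore replaces the whole filter table with the file's contents, so keep that flag when adding to an existing ruleset.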