iptables add rule case

The man page of iptables says in the explanation to add a rule (-A)
that "When the source and/or destination names resolve to more than
one address, a rule will be added for each possible address
combination" ...Can anyone please give an example of this type of a
rule? When will this condition be true?

Hello,

jeniffer a écrit :
> The man page of iptables says in the explanation to add a rule (-A)
> that "When the source and/or destination names resolve to more than
> one address, a rule will be added for each possible address
> combination" ...

Yes.

>Can anyone please give an example of this type of a rule?

# host security.debian.org
security.debian.org has address 128.101.240.212
security.debian.org has address 212.211.132.32
security.debian.org has address 212.211.132.250
# iptables -N dummy
# iptables -A dummy -s security.debian.org
# iptables -L dummy
Chain dummy (0 references)
target prot opt source destination
all -- 212.211.132.250 0.0.0.0/0
all -- 128.101.240.212 0.0.0.0/0
all -- 212.211.132.32 0.0.0.0/0

> When will this condition be true?

Which condition ?

"jeniffer" <(E-Mail Removed)> wrote in
news:(E-Mail Removed) ups.com:

> The man page of iptables says in the explanation to add a rule (-A)
> that "When the source and/or destination names resolve to more than
> one address, a rule will be added for each possible address
> combination" ...Can anyone please give an example of this type of a
> rule? When will this condition be true?
>

I presume that the DNS server has multiple A records for the same name.
Ditto if the names are being resolved via a host file a name can resolve to
multiple ip addresses.

Klamzon.

Pascal Hambourg wrote:
> Hello,
>
> jeniffer a écrit :
> > The man page of iptables says in the explanation to add a rule (-A)
> > that "When the source and/or destination names resolve to more than
> > one address, a rule will be added for each possible address
> > combination" ...
>
> Yes.
>
> >Can anyone please give an example of this type of a rule?
>
> # host security.debian.org
> security.debian.org has address 128.101.240.212
> security.debian.org has address 212.211.132.32
> security.debian.org has address 212.211.132.250
> # iptables -N dummy
> # iptables -A dummy -s security.debian.org
> # iptables -L dummy
> Chain dummy (0 references)
> target prot opt source destination
> all -- 212.211.132.250 0.0.0.0/0
> all -- 128.101.240.212 0.0.0.0/0
> all -- 212.211.132.32 0.0.0.0/0
>
> > When will this condition be true?
>
> Which condition ?


Thanks for the answer.I understood that if names resolve to multiple IP
addresses then number of rules that will be added would be more than
1.Is this the only case (-s hostname/-d hostname) when multiple rules
are added for a single rule?

jeniffer a écrit :
>
> Thanks for the answer.I understood that if names resolve to multiple IP
> addresses then number of rules that will be added would be more than 1.

You understood well. In my example the source hostname resolves to three
IP addresses, and the iptables command created three rules.

>Is this the only case (-s hostname/-d hostname) when multiple rules
> are added for a single rule?

There is no other case I can think of. You cannot use hostnames in
DNAT/SNAT targets. However I don't know what would happen when you use a
service name in --sport or --dport which "resolves" to more than one
port number in /etc/services (is this legal ?).