If the new iprule match the existing .i would prefer to have one.. rather than having same entry more then once . can i have your suggestion how can the 2nd time same rule be neglected/avoided from adding in iptable.

Ex :
/sbin/iptables -t nat -A PREROUTING -p tcp -m mac --mac-source AA:BB:C1:11:EE:FF -d 192.168.10.103 --dport 80 -j REDIRECT --to 8080

if we enter twice.. the same appears twice.

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere 192.168.10.103 MAC AA:BB:C1:11:EE:FF tcp dpt:http redir ports 8080
REDIRECT tcp -- anywhere 192.168.10.103 MAC AA:BB:C1:11:EE:FF tcp dpt:http redir ports 8080

What application does add the same line then?


Ah. You do. Well, then don't!


BTW, AFAIK iptables rules are processed on a "first match" basis. Once a "decision" is reached for the packet it doesn't traverse the rules below unless there's something I forgot.

There are two kinds of targets in iptables. Terminating, and non terminating.

E.g. -j ACCEPT is terminating, that means that the packet is accepted and no rules in that chain are checked anymore.

-j LOG is non terminating, after this one more rules are checked. If you have multiple targets like this they would be all checked.

Having more equal rules with terminating targets does not do any harm. Although for keeping a clear view on functionality it is better to avoid duplicates though. If you have more of the same, it gets difficult to maintain. You might leave in a rule if you expect you have removed it, or it may remain in effect when you think you changed it. And that is an iptables nightmare, really.

jlinkels