# iptables wildcard rules

## Valhlalla

Is there a way to make a host-wildcard rule? (I have googled but so far haven't found a way.)

so instead of a specific host like this:

```
iptables -A INPUT -s comp1.xyz.net -j DROP
```

I want to stop all connections from xyz.net:

```
iptables -A INPUT -s *.xyz.net -j DROP
```

That doesn't work. Is there a way to do it?

----------

## FloppyMaster0

In short, you can't do it easily with iptables.

Netfilter resolves any hostnames to IP addresses when the rules are first loaded. It doesn't do reverse DNS lookups on hostnames every time the rule is evaluated. To have wildcard functionality, you'd have to have a script that would recursively get all of the A records for a given subdomain. This could involve several zone transfers, and you could end up with thousands of rules.

----------

## Valhlalla

I see, so I should use TCP wrappers instead, I guess.

[edit] Thanks for the reply.

----------

## BCC

Yes, you can use TCP wrappers instead. But if you stick to iptables, you could block a network range (or subnet) belonging to company xyz.

```
iptables -A INPUT -s 192.168.0.0/24 -j DROP
```

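The two suggestions above (FloppyMaster0's resolver script and BCC's network ranges) can be combined in one script. The following is an added example, not code from anyone in this thread: a POSIX shell script that resolves a maintained list of hostnames, accepts CIDR ranges on the same list, loads the result into an ipset (a tool the thread does not mention, assumed to be installed along with iptables), and attaches a single DROP rule to that set. Because the names are resolved every time the script runs, running it from cron keeps the set current, which a plain `-s hostname` rule cannot do. The file `/etc/blocked-hosts.txt`, the set name `blocked_xyz`, the `fake_resolver` used for offline testing, and all addresses are constructed for the example; the script does not attempt a zone transfer, since most servers refuse AXFR.

```shell
#!/bin/sh
# Added example (not from the thread): build an ipset from a list of hostnames
# and CIDR ranges, then point one iptables rule at the set.
#
# Assumptions: ipset(8) and iptables(8) are installed; the target list is a file
# you maintain (one hostname or CIDR per line, '#' comments allowed); the
# resolver command prints "ADDRESS ..." per line, as `getent ahostsv4` does.

RESOLVER="${RESOLVER:-getent ahostsv4}"   # override with a fake for offline tests
SETNAME="${SETNAME:-blocked_xyz}"

# Print the IPv4 addresses for one target, or the target itself if it is a range.
resolve_target() {
    case "$1" in
        */*) printf '%s\n' "$1" ;;
        *)   $RESOLVER "$1" 2>/dev/null | awk '{ print $1 }' | sort -u ;;
    esac
}

# Read the target file and print an `ipset restore` script. New entries go into
# a temporary set that is swapped in atomically, so the live set is never empty
# or half-filled while the DROP rule is active. Only IPv4 literals are kept, so
# a hostile resolver answer cannot smuggle other ipset commands into the output.
generate_ipset_restore() {
    tmp="${SETNAME}_tmp"
    printf 'create %s hash:net family inet\n' "$SETNAME"
    printf 'create %s hash:net family inet\n' "$tmp"
    printf 'flush %s\n' "$tmp"
    while read -r target; do
        case "$target" in ''|\#*) continue ;; esac
        resolve_target "$target"
    done < "$1" |
        grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' | sort -u |
        while read -r ip; do printf 'add %s %s\n' "$tmp" "$ip"; done
    printf 'swap %s %s\n' "$tmp" "$SETNAME"
    printf 'destroy %s\n' "$tmp"
}

# Insert the DROP rule once; -C checks whether it is already present.
install_drop_rule() {
    iptables -C INPUT -m set --match-set "$SETNAME" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$SETNAME" src -j DROP
}

# Usage: block-by-name.sh generate LISTFILE   (print the restore script only)
#        block-by-name.sh apply LISTFILE      (load the set and install the rule)
case "${1:-}" in
    generate) generate_ipset_restore "$2" ;;
    apply)    generate_ipset_restore "$2" | ipset -exist restore && install_drop_rule ;;
esac
```

Run it as `sh block-by-name.sh apply /etc/blocked-hosts.txt` from a cron entry (every few minutes is enough; `ipset -exist restore` makes the re-create harmless). Two caveats: `-s hostname` and this script both use forward DNS only, so a host whose A record changes is missed until the next run, and nothing here looks at reverse DNS of the connecting address. If you do not know which ranges a company owns, `whois` on an address they have already used shows the allocation it belongs to, which you can then add to the list as a CIDR line.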
----------

## Valhlalla

Yes, I'm not sure of the IPs they own, though.

----------

