How are iptables parameters combined?

I've searched and searched and can't find any information on how iptables parameters are combined.

If I want to match traffic to or from an IP address can I do -s a.b.c.d -d a.b.c.d? That is, are the -s and -d parameters combined as or (packet matches any) or and (packet matches all)?

Somewhat related, how do -m iprange and -s and -d interact? That is, can I use -m iprange --src-range 10.0.0.1-10.0.0.8 to specify a range then add -s !10.0.0.5 to make an exception?

The best way to learn is to test. Yes you can combine -s and -d, however if it makes sense depends on which table you use the rule in.

All parameters of one rule is AND. If you want OR, you can create a table that you send traffic to.

Some combinations will generate errors, again best is to try.

Let's say you policy is accept, and you only want to match if a rule matches. Add the rule iptables -A OUTPUT -s x.x.x.x -d x.x.x.x -j ACCEPT since the target will be same as default, it does not have any impact, but it will show up with iptables -vnL and have counters.

There is more advanced logging etc, but this is a quick and easy way to quick test rules. (and of course, tcpdump is your friend)

In regards to iprange I would again say the best thing is to test. In the worst case trying to add the rule will give you error. (hopefully someone else can give you better answers on this part of your question)