Re: [CentOS] IPTABLES don't solve name HOST - CENTOS 4.3




William L. Maltby wrote:
If we can presume that the man page for iptables is correct that it can
filter using hostname, we can also presume that it must have some method
for doing a DNS-like resolution process. Since dig of "chatenabled..."
shows it exists and is resolvable, is your iptables set up to use your
resolution facility? If early in the boot procedure, maybe resolution is
not yet available?

iptables does not filter based on host names. The name gets resolved to the IP address, and the rule is inserted using that IP address (as the output of iptables -L shows you). If the IP address changes, the rule doesn't get automagically updated.

DNS lookup can return more than one address. Do you know what iptables will do in that case?

DNS lookup can also return a different address depending on which ISP you are using. For example, chatenabled.mail.google.com from the example can also resolve to 216.239.63.189 (queried from my hotel's network in California) or 66.102.11.189 (queried from a host located in Croatia). If I were to query it from my home in Winnipeg, I'd probably get yet another IP address.

Another example: try resolving www.google.com and you'll most likely get several IP addresses returned. Who knows, maybe resolving Google's chatenabled will also start returning multiple A records one day in the future.

Check /etc/nsswitch.conf and /etc/resolv.conf. See if the configuration in there is correct. Note that utilities such as dig or nslookup use only the resolv.conf file.

During boot, the iptables script runs before the network script, or at least it should. Therefore, you can't resolve names using DNS during boot (you can only use names that are in /etc/hosts).

Check if your firewall rules actually allow you to perform a DNS query. Maybe your iptables rules are blocking it themselves.

Having said all this, as the manual page says, using host names with iptables is a really bad idea. You never know what you are going to get. And you always run the risk of somebody breaking into your network by spoofing DNS replies (or playing with your trust in DNS in some other way).

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
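An added example, not part of the thread above and not a CentOS or iptables script: one way to get the behaviour the poster wanted without putting host names in rules. The script resolves the name itself through the system resolver (so nsswitch.conf and resolv.conf apply), drops anything that is not an IPv4 address or that a public host should never resolve to (a spoofed answer returning 127.0.0.1 or a 10/8 address would otherwise turn "allow host X" into "allow my own LAN"), and loads what is left into an ipset that one iptables rule references by name. Re-running it from cron picks up changed or multiple A records without touching the rule. It assumes ipset and iptables are installed on a current system (ipset did not exist on CentOS 4.3); the set name "gtalk" and the script name are hypothetical, and with DRY_RUN=1 it only prints the ipset commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): keep host-derived addresses in an ipset
# that a cron job refreshes, instead of writing hostnames into iptables rules.
# Assumptions: ipset and iptables are installed (hypothetical set name "gtalk");
# with DRY_RUN=1 nothing is executed, the ipset commands are only printed.

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address.
is_ipv4() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Return 0 if $1 is an address a public host should never resolve to:
# 0/8, loopback, RFC 1918, link-local, multicast/reserved. A spoofed or
# poisoned DNS answer returning one of these would turn "allow host X"
# into "allow my own LAN", so such answers are skipped, not loaded.
is_bogon() {
    case "$1" in
        0.*|127.*|10.*|169.254.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        22[4-9].*|2[3-9][0-9].*) return 0 ;;
    esac
    return 1
}

# Resolve $1 to its A records through the system resolver (nsswitch.conf,
# /etc/hosts, resolv.conf), one address per line. Needs a working network.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Print the addresses in "$@" that pass both checks, one per line.
# Returns 1 if none survive, so the caller keeps the previous set instead
# of replacing it with an empty one.
accepted_addrs() {
    n=0
    for a in "$@"; do
        if ! is_ipv4 "$a"; then
            echo "skip: not an IPv4 address: $a" >&2
            continue
        fi
        if is_bogon "$a"; then
            echo "skip: bogon/private address for a public host: $a" >&2
            continue
        fi
        echo "$a"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# Print the ipset commands that rebuild set $1 from the addresses in $2...:
# fill a scratch set, swap it in atomically, drop the scratch set. The
# iptables rule refers to the set by name and is never re-inserted.
ipset_commands() {
    set_name=$1; shift
    echo "ipset create $set_name hash:ip -exist"
    echo "ipset create ${set_name}_tmp hash:ip -exist"
    echo "ipset flush ${set_name}_tmp"
    for a in "$@"; do
        echo "ipset add ${set_name}_tmp $a"
    done
    echo "ipset swap ${set_name}_tmp $set_name"
    echo "ipset destroy ${set_name}_tmp"
}

# Load addresses $2... into set $1 (or print the commands when DRY_RUN=1).
load_set() {
    set_name=$1; shift
    if [ "${DRY_RUN:-0}" = 1 ]; then
        ipset_commands "$set_name" "$@"
    else
        ipset_commands "$set_name" "$@" | sh -e
    fi
}

# refresh_set SETNAME HOSTNAME: resolve now and load whatever is acceptable.
# Word splitting of the unquoted $(...) turns the resolver lines into arguments.
refresh_set() {
    addrs=$(accepted_addrs $(resolve_v4 "$2")) || {
        echo "no usable address for $2, keeping the old set" >&2
        return 1
    }
    load_set "$1" $addrs
}

# Example invocation (hypothetical script name), e.g. from cron every few minutes:
#   DRY_RUN=1 ./dns2ipset.sh gtalk chatenabled.mail.google.com
if [ "$#" -eq 2 ]; then
    refresh_set "$1" "$2"
fi
```

The one rule that goes with it is inserted once and never changes, e.g. `iptables -A OUTPUT -m set --match-set gtalk dst -j ACCEPT` (chain and target are placeholders for whatever the real policy needs); the set is what the cron job keeps current. Because the refresh goes through the normal resolver at run time, it also sidesteps the boot-order problem from the thread: the firewall script can create an empty set early, and the first cron run fills it once the network is up. Spoofed DNS answers are still a risk for any name-based allow rule; the bogon filter only limits how bad a bogus answer can be, it does not authenticate the answer.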
