Re: host names and IPs

On Fri, 2003-04-18 at 07:57, Florian Effenberger wrote:
> Hi,
> 
> I have a question to the gurus on this list ;-)
> 
> I'm on Linux 2.4.20 with iptables 1.2.7a. I have a syntax as follows:
> 
> ===
> iptables -A INPUT -p tcp -s www.myhostname.com --dport 53 -j ACCEPT
> ===
> 
> Now it seems that www.myhostname.com is resolved only the first time the
> rule is set and that a fixed IP address is stored.

Correct.

> However, www.myhostname.com has a dynamically assigned address and I would
> like to have iptables resolve the IP address every time.

Same here... :^(

> Is that possible? If yes, how? Or will it produce too much load?

Iptables/netfilter does not, AFAIK, support this at all.  I have a
similar situation, and found two solutions.

The one I implemented was to map out the range of dynamic IPs assigned
(ISP refused to disclose!) and ended up using a /22 netmask.  Not as
tight, but simpler and less overhead than:

The other approach was to write a script (cron scheduled) that would
extract the IP from 'dig' output and compare it against a stored value
from the last change (/tmp/myhostname.com.ip perhaps).  If the same, do
nothing. If different, delete the original rule, insert a
newly-constructed one, and echo the new IP to the tmp file.  Depending
on the lease-length (or whatever other factor may determine lifespan of
a given IP for www.myhostname.com...) and frequency of expected
connections, you'd set the frequency of the job accordingly.

Depending on what services are being made available to
www.myhostname.com, the first solution is probably your best bet so long
as it doesn't open up anything critical.  For my case, the rule only
opens SSH, and only a single non-root user can login with SSH on that
box.  (and all SSH access is logged)

The third solution, of course, would be to dig into the source and write
a new match, or patch the "-s" match with a new flag like "--dynip" and
the obvious support to enable that... ;^)  Checking the current IP of a
named host for every packet would be impossible.  The only feasible
solution here would be to integrate the effect of the cron job approach
into the netfilter code, periodically confirming the IP and updating if
needed.

> Thanks
> Florian

j
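A cron-driven version of the second approach described above, written here as an added example rather than anything posted in the thread: it re-resolves the name with dig, accepts only a well-formed IPv4 answer, and rewrites the rule only when the address actually changed. The state file path, the `run` argument and the `DIG`/`IPTABLES` overrides are assumptions made for this example.

```shell
#!/bin/sh
# Hypothetical cron job (not from the thread): re-resolve a host name and
# rewrite the iptables rule only when the address changed.
# Assumes: dig, iptables, a writable state file, IPv4 only.
HOST="${HOST:-www.myhostname.com}"
DPORT="${DPORT:-53}"
STATE="${STATE:-/var/lib/dynip/$HOST.ip}"
DIG="${DIG:-dig}"                # overridable so the logic can be tested offline
IPTABLES="${IPTABLES:-iptables}"

# Accept only a dotted quad with every octet <= 255, so a resolver failure,
# a CNAME line or junk in the state file never ends up inside a rule.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# First valid A record for the host; non-zero if the lookup yields none.
resolve_ip() {
    for cand in $("$DIG" +short A "$1" 2>/dev/null); do
        is_ipv4 "$cand" && { echo "$cand"; return 0; }
    done
    return 1
}

# One place builds the rule text so -D and -I always use identical specs.
rule_spec() {
    echo "INPUT -p tcp -s $1 --dport $DPORT -j ACCEPT"
}

# Returns 0 = unchanged, 2 = rule replaced, 1 = lookup failed (rule kept).
refresh_rule() {
    new=$(resolve_ip "$HOST") || { echo "dynip: cannot resolve $HOST" >&2; return 1; }
    old=$(cat "$STATE" 2>/dev/null || true)
    [ "$new" = "$old" ] && return 0
    # Drop the stale rule first (ignore failure: it may already be gone).
    is_ipv4 "$old" && { "$IPTABLES" -D $(rule_spec "$old") 2>/dev/null || true; }
    "$IPTABLES" -I $(rule_spec "$new") || return 1
    mkdir -p "$(dirname "$STATE")" && echo "$new" > "$STATE"
    logger -t dynip "$HOST changed: ${old:-none} -> $new" 2>/dev/null || true
    return 2
}

# Cron entry, e.g.: */10 * * * * /usr/local/sbin/dynip-refresh run
if [ "${1:-}" = "run" ]; then refresh_rule; fi
```

The exit code distinguishes "nothing to do" from "rule replaced" and from "lookup failed", so a wrapper or cron mail can flag a resolver outage without tearing down the existing rule.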



