The syntax from TFM, iptables(8):

    --to-destination ipaddr[-ipaddr][:port-port]

Obviously if you are going to use a range of destinations only IP addresses would suffice. But why can't this option accept a hostname for a single destination? This would be convenient for scripting, in that you maintain control of the firewall through DNS.

As it is, to use a hostname I have to use an intermediate step to get the IP, like this:

    DEST_IP=`dig +short ${DEST_HOST}.domain.tld.`

This is also less than ideal because if iptables resolved the name itself, it would use the "search domain.tld" out of resolv.conf. For dig I have to manually append it. And it's REALLY inconvenient in some of my firewall machines where there is no BIND installed. It gets even worse in sites which aren't running their own DNS ... AFAIK dig and host only use DNS, not /etc/hosts, for resolving.

iptables DOES resolve hostnames used in other parameters, so why not here? That should have been a question for the developer list, I guess, but I'm not on that one. But a good question for this list might be: "How have you handled this need in iptables scripting?" I have used the dig trick where available and hard-coded IPs elsewhere.

-- 
mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
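One way to handle this in a firewall script, as an added example that is not part of the original post: resolve the name with getent, which goes through the system resolver (NSS) and so honours both /etc/hosts and the "search" list in resolv.conf without needing dig or BIND, validate the answer as a dotted-quad so nothing unexpected is ever spliced into the rule, and only then build the --to-destination argument. The function names (is_ipv4, resolve_ipv4, dnat_rule) and the example port are assumptions of this example. The rule is printed rather than executed so it can be reviewed or piped into a shell.

```shell
#!/bin/sh
# Example, not from the original post: hostname -> IPv4 -> DNAT rule text.

# is_ipv4 ADDR: succeed only for a plain dotted-quad with octets 0-255.
# Pure POSIX sh, so it also works on hosts without dig/host installed.
is_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;   # non-digit, empty octet, or edge dot
    esac
    oldifs=$IFS; IFS=.
    set -- $1                               # split on dots into positional params
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# resolve_ipv4 NAME: print the first IPv4 address the system resolver returns.
# getent ahostsv4 uses getaddrinfo(3), so /etc/hosts and the resolv.conf
# "search" list both apply, unlike dig/host which speak DNS only.
resolve_ipv4() {
    name=$1
    set -- $(getent ahostsv4 "$name" 2>/dev/null)   # first field is the address
    [ -n "${1:-}" ] || return 1
    is_ipv4 "$1" || return 1
    printf '%s\n' "$1"
}

# dnat_rule HOST PORT: emit the iptables command for a single-destination DNAT.
# Fails without printing anything if HOST does not resolve, so a DNS outage
# cannot silently produce a rule with an empty or garbage destination.
dnat_rule() {
    host=$1; port=$2
    ip=$(resolve_ipv4 "$host") || { echo "cannot resolve $host" >&2; return 1; }
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$port" "$ip" "$port"
}

# Usage: ./dnat.sh web-backend 8080   (assumed example host name and port)
if [ $# -ge 2 ]; then
    dnat_rule "$1" "$2"
fi
```

Note that this resolves once, at script time, exactly as iptables does for the parameters it resolves itself: the kernel rule stores the address, so the script has to be re-run (or driven from cron) when the name's address changes.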