Re: How to filter packets resulting from hosts with dynamic IP-address

Frank Petran wrote:
As far as I have understood it, filters can act on IP-addresses but not on hostnames. Since the originating IP-address changes, all I am left with is the known hostname. I would like to do a hostname lookup based on the name registered at dyndns.org and compare that with the IP-address of the incoming traffic.


You are correct in the fact that IPTables will not use host names during normal operations. This is because the in-kernel rules only support IP addresses. The IPTables command will translate names to IPs for you when you add the rules to the kernel though.

With this in mind, my best bet is for you to create a sub-chain that is for each specific client. Use some sort of port knocking setup that will trigger some process on your firewall to re-run that user's portion of the IPTables script. This script would need to flush the user's sub-chain and repopulate it with current IP addresses. I know that this is suboptimal, but I think it would work.

Another option might be to look at writing some sort of user space daemon that you could have IPTables pass the packets to and return a yes / no to the kernel. However, this would be duplicating some of / a lot of the effort that has gone into IPTables and thus again suboptimal as far as development is concerned.



Grant. . . .
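The per-client sub-chain approach Grant describes, written out as an added example (this is not code from the list post or from the netfilter project). The chain name, hostname and port are placeholders; the script assumes the sub-chain was created once and hooked into INPUT, and that `getent` is available for the lookup. Two practitioner points it makes explicit: a failed or garbage lookup must not flush the chain (the old rules stay, fail closed rather than open), and an address is only inserted if it is a well-formed IPv4 address, since the trust here rests entirely on whoever controls the dynamic-DNS record.

```shell
#!/bin/sh
# Added example, not from the original post. Rebuilds one client's iptables
# sub-chain with the IPv4 address(es) currently published for its dynamic-DNS
# hostname. Chain name, hostname and port are placeholders (assumptions).

# Succeed only for a dotted quad with every octet in 0-255. Anything else
# (an empty lookup result, an error string) is rejected and never inserted.
is_ipv4() {
    echo "$1" | awk -F. 'NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 } { exit 1 }'
}

# Current IPv4 addresses for a hostname, one per line, deduplicated.
# getent is used so no extra DNS tooling is required on the firewall.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
}

# Print the iptables commands that rebuild a sub-chain: flush it, accept the
# allowed TCP port from each valid current address, then RETURN so anything
# else falls through to the parent chain's policy. Commands are printed rather
# than run so they can be reviewed (DRY_RUN=1) and checked in a test.
build_chain_rules() {
    chain=$1; port=$2; shift 2
    echo "iptables -F $chain"
    for ip in "$@"; do
        is_ipv4 "$ip" || continue
        echo "iptables -A $chain -p tcp -s $ip --dport $port -j ACCEPT"
    done
    echo "iptables -A $chain -j RETURN"
}

# Fail closed: if the lookup returns nothing, keep the existing rules intact.
refresh_client() {
    chain=$1; host=$2; port=$3
    ips=$(resolve_ipv4 "$host")
    if [ -z "$ips" ]; then
        echo "lookup failed for $host; leaving $chain unchanged" >&2
        return 1
    fi
    # shellcheck disable=SC2086  (word-split the newline-separated list on purpose)
    build_chain_rules "$chain" "$port" $ips | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else $cmd; fi
    done
}

# One-time setup (run by hand, placeholder names):
#   iptables -N client_frank
#   iptables -A INPUT -p tcp --dport 22 -j client_frank
# Then the port-knock handler or a cron job calls, for example:
#   DRY_RUN=1 refresh_client client_frank frank.dyndns.example 22
```

Because every address still has to pass `is_ipv4`, and a lookup that returns nothing leaves the chain untouched, a DNS outage degrades to "the last known address keeps working" rather than to an emptied chain. Logging the old and new addresses on each refresh gives a simple audit trail of when a client's address moved.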


