Re: How to filter packets resulting from hosts with dynamic IP-address
Frank Petran wrote:
As far as I have understood it, filters can act on IP-addresses but not
on hostnames. Since the originating IP-address changes, all I am left
with is the known hostname. As far as I have understood it, filters can
act on IP-addresses but not on hostnames. I would like to do a hostname
lookup based on the name registered at dyndns.org and compare that with
the IP-address of the incoming traffic.
You are correct in the fact that IPTables will not use host names during normal operations. This is because the in-kernel rules only support IP addresses. The IPTables command will translate names to IPs for you when you add the rules to the kernel, though.
With this in mind, my best bet is for you to create a sub-chain for each specific client. Use some sort of port-knocking setup that will trigger some process on your firewall to re-run that user's portion of the IPTables script. This script would need to flush the user's sub-chain and repopulate it with current IP addresses. I know that this is suboptimal, but I think it would work.
Another option might be to look at writing some sort of user-space daemon that you could have IPTables pass the packets to and return a yes/no to the kernel. However, this would be duplicating some of / a lot of the effort that has gone into IPTables and thus again suboptimal as far as development is concerned.
Grant. . . .
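One way to write the "flush and repopulate" sub-chain script described in the reply above, as an added example that is not from the thread or from any of its authors. The chain name, hostname and port list are assumed placeholders; the per-client chain is assumed to exist already and to be reached by a jump from INPUT. Resolution goes through getent, and a lookup that does not yield a valid IPv4 address leaves the chain untouched rather than emptying it.

```shell
#!/bin/sh
# Added example: rebuild one client's iptables sub-chain from the address
# currently behind a dynamic-DNS name. All names below are placeholders.
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo for a dry run

# Resolve HOST to its first IPv4 address; prints nothing on failure.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '$2 == "STREAM" { print $1; exit }'
}

# Accept only a dotted quad with each octet in 0..255, so that an empty or
# malformed lookup result can never be spliced into a rule.
valid_ipv4() {
    echo "$1" | awk -F. 'NF == 4 { for (i = 1; i <= 4; i++)
        if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 } { exit 1 }'
}

# Print the commands that flush CHAIN, admit new TCP connections from IP on
# each port in PORTS (space separated), and drop everything else in the chain.
build_rules() {
    chain=$1; ip=$2; ports=$3
    echo "$IPTABLES -F $chain"
    for p in $ports; do
        echo "$IPTABLES -A $chain -s $ip/32 -p tcp --dport $p" \
             "-m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "$IPTABLES -A $chain -j DROP"
}

# Resolve HOST and, only if the answer validates, rebuild CHAIN around it.
# On any lookup failure the existing rules stay in place and 1 is returned.
refresh_chain() {
    chain=$1; host=$2; ports=$3
    ip=$(resolve_ipv4 "$host" || true)
    if ! valid_ipv4 "$ip"; then
        echo "lookup for $host failed; leaving $chain unchanged" >&2
        return 1
    fi
    build_rules "$chain" "$ip" "$ports" | sh
}

# Run as "sh script.sh run" from the port-knock trigger or a cron job
# (placeholder chain, hostname and ports).
if [ "${1:-}" = "run" ]; then
    refresh_chain client_frank client.example.dyndns.org "22 443"
fi
```

Running the real rules needs root, and the chain gates access on whatever DNS returns, so the lookup result should be treated as untrusted input, which is why it is validated before any rule is touched.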