Hi Jan

My problem is when I type the command:

[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -d www.google.com -j SNAT --to-source 192.168.3.254

I can get all resolved IPs for the domain name:

[root@localhost ~]# iptables -t nat -L -vn
Chain PREROUTING (policy ACCEPT 2 packets, 104 bytes)
 pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 3855 213K SNAT all -- * * 192.168.2.0/24 0.0.0.0/0 to:192.168.1.20
 0 0 SNAT all -- * * 192.168.3.0/24 72.14.203.147 to:192.168.3.254
 0 0 SNAT all -- * * 192.168.3.0/24 72.14.203.99 to:192.168.3.254
 0 0 SNAT all -- * * 192.168.3.0/24 72.14.203.103 to:192.168.3.254
 0 0 SNAT all -- * * 192.168.3.0/24 72.14.203.104 to:192.168.3.254
 0 0 SNAT all -- * * 192.168.3.0/24 72.14.203.105 to:192.168.3.254
 0 0 SNAT all -- * * 192.168.3.0/24 72.14.203.106 to:192.168.3.254

When I type the command:

[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -d www.facebook.com -j SNAT --to-source 192.168.3.254

I can only get 1 new rule for the domain www.facebook.com:

[root@localhost ~]# iptables -t nat -L -vn
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 3855 213K SNAT all -- * * 192.168.2.0/24 0.0.0.0/0 to:192.168.1.20
 0 0 SNAT all -- * * 192.168.3.0/24 69.171.224.42 to:192.168.3.254

The iptables command can resolve the domain name. www.google.com and www.facebook.com can be resolved to many IPs, but I can only get 1 rule for www.facebook.com when I type an iptables command ....

2011/4/21 Jan Engelhardt <jengelh@xxxxxxxxxx>:
>
> On Thursday 2011-04-21 11:04, Brian Lu wrote:
>
>> [root@localhost iptables-1.3.5]# nslookup www.facebook.com
>> Server: 168.95.1.1
>> Address: 168.95.1.1#53
>>
>> Non-authoritative answer:
>> Name: www.facebook.com
>> Address: 66.220.146.25
>>
>> How can I get rules with all resolved IPs for this kind of FQDN?
>
> Using modern tools like iptables 1.4.10 - and host(8) FWIW.
>
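
An added example, not part of the original thread: iptables resolves a hostname only once, when the rule is inserted, so the rules reflect whatever that single lookup returned. The sketch below does the lookup explicitly with host(1) output, validates each A record, and prints (does not run) one SNAT rule per address; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `host` output (documentation-range addresses, not real data).
SAMPLE_HOST_OUTPUT='www.example.com is an alias for web.example.net.
web.example.net has address 203.0.113.11
web.example.net has address 203.0.113.10
web.example.net has address 203.0.113.11
web.example.net has address 203.0.113.999
web.example.net has IPv6 address 2001:db8::10
web.example.net mail is handled by 10 mx.example.net.'

# Read host(1) output on stdin; print each valid IPv4 A record once, sorted.
# Anything that is not a dotted quad with octets <= 255 is dropped, so no
# unexpected text from a DNS answer can reach the generated command line.
extract_a_records() {
    awk 'NF == 4 && $2 == "has" && $3 == "address" &&
         $4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
             n = split($4, o, "."); ok = 1
             for (i = 1; i <= n; i++) if (o[i] + 0 > 255) ok = 0
             if (ok) print $4
         }' | sort -u
}

# generate_snat_rules SRC_NET TO_SOURCE (hypothetical helper):
# read host(1) output on stdin and print one iptables command per address.
generate_snat_rules() {
    src=$1
    to=$2
    extract_a_records | while read -r ip; do
        printf 'iptables -t nat -A POSTROUTING -s %s -d %s -j SNAT --to-source %s\n' \
            "$src" "$ip" "$to"
    done
}

# Demo on the constructed sample. For a live lookup, replace the printf with:
#   host -t A www.example.com
printf '%s\n' "$SAMPLE_HOST_OUTPUT" | generate_snat_rules 192.168.3.0/24 192.168.3.254
```

Names served from rotating address pools can return a different set on each query, so the printed rules should be reviewed and regenerated rather than treated as a permanent match for the hostname.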