Re: IP Addresses Changed to Hostnames in IPTables

On Mon, 28 Jun 2021 16:47:46 -0400
slow_speed@xxxxxxx wrote:

> On 6/28/21 4:36 PM, Kerin Millar wrote:
> > On Mon, 28 Jun 2021 15:57:30 -0400
> > slow_speed@xxxxxxx wrote:
> > 
> >> I created a ruleset in iptables and it was saved in
> >> /etc/iptables.up.rules as expected.  However, when viewing the file, all
> >> IP addresses had been translated to hostnames.
> >>
> >> Why would it ever do such a thing, when I had entered them as IP
> >> addresses and they would have to be converted to IP addresses anyway?
> > 
> > Here's how it works. One may supply hostnames to iptables/iptables-restore but they will be resolved at the point that the rule/ruleset is loaded into the kernel. If using `iptables -L` to list the currently loaded ruleset, reverse DNS lookups will be performed upon IP addresses before displaying. This behaviour can be suppressed by also using the -n option. As for `iptables -S` and `iptables-save`, neither of these will perform reverse DNS lookups.
> > 
> > In summary, it's not at all clear how you ended up with hostnames in your iptables.up.rules file. Can you reduce this phenomenon to a simple, well-defined test case?
> > 
> 
> Okay, I was incorrect.  The viewing of the file showed just numbers.  It 
> was the iptables -L that caused the misinformation.  It should 
> definitely default to -n.  That is a big issue to the new person in this 
> area.  Bad programming strikes again.
> 
> Thank you so much for pointing that out.  I will add that to my 
> instructions.

The -L format is deficient in several respects. About the only thing it's good for is displaying counters (with -v), yet iptables-save already does this. My suggestion would be to avoid -L outright. If you want to list rules with iptables instead of iptables-save, the -S option is much more useful.

Also, please use Reply All next time. I am adding the list back to the CC field.

-- 
Kerin Millar
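As an added example, not code from the thread or from the iptables project: a small POSIX shell check that scans iptables-save style output and flags any -s/-d argument that is a hostname rather than a numeric address, since, as explained above, hostnames in a ruleset are only resolved (via DNS) at the moment iptables-restore loads it. The sample ruleset below is constructed for illustration; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (not a real ruleset).
SAMPLE_RULES='# Generated by iptables-save
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s gateway.example.internal -j ACCEPT
-A INPUT -d 10.0.0.5/32 -j DROP
-A INPUT ! -s 10.0.0.0/8 -j DROP
-A OUTPUT -d mail.example.net -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT'

# Read rules on stdin; print one line per -s/-d/--source/--destination
# argument that is not an IPv4 address/CIDR or an IPv6 address/CIDR.
# Such rules depend on DNS being available and honest at restore time.
find_hostname_args() {
    awk '
    /^-A / {
        for (i = 1; i < NF; i++) {
            if ($i != "-s" && $i != "-d" &&
                $i != "--source" && $i != "--destination") continue
            v = $(i + 1)
            # dotted-quad IPv4, optional /prefix
            if (v ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) continue
            # hex groups with colons (IPv6), optional /prefix
            if (v ~ /^[0-9a-fA-F:]+(\/[0-9]+)?$/ && index(v, ":") > 0) continue
            print "line " NR ": " v " is not a numeric address: " $0
        }
    }'
}

# Number of offending arguments in the constructed sample (expected: 2).
count_sample_hostnames() {
    printf '%s\n' "$SAMPLE_RULES" | find_hostname_args | wc -l | tr -d ' '
}

# Exit status 0 when the given file contains only numeric addresses.
check_saved_rules() {
    n=$(find_hostname_args < "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}
```

Run it against a real file with `check_saved_rules /etc/iptables.up.rules` before restoring; a non-zero exit means a rule will need a DNS lookup at load time.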


