Re: IP Addresses Changed to Hostnames in IPTables

On 28.06.21 at 22:58, Kerin Millar wrote:
> On Mon, 28 Jun 2021 16:47:46 -0400
> slow_speed@xxxxxxx wrote:
>
>> On 6/28/21 4:36 PM, Kerin Millar wrote:
>>> On Mon, 28 Jun 2021 15:57:30 -0400
>>> slow_speed@xxxxxxx wrote:
>>>
>>>> I created a ruleset in iptables and it was saved in
>>>> /etc/iptables.up.rules as expected.  However, when viewing the file, all
>>>> IP addresses had been translated to hostnames.
>>>>
>>>> Why would it ever do such a thing, when I had entered them as IP
>>>> addresses and they would have to be converted to IP addresses anyway?
>>>
>>> Here's how it works. One may supply hostnames to iptables/iptables-restore but they will be resolved at the point that the rule/ruleset is loaded into the kernel. If using `iptables -L` to list the currently loaded ruleset, reverse DNS lookups will be performed upon IP addresses before displaying. This behaviour can be suppressed by also using the -n option. As for `iptables -S` and `iptables-save`, neither of these will perform reverse DNS lookups.
>>>
>>> In summary, it's not at all clear how you ended up with hostnames in your iptables.up.rules file. Can you reduce this phenomenon to a simple, well-defined test case?
>>
>> Okay, I was incorrect.  The viewing of the file showed just numbers.  It
>> was the iptables -L that caused the misinformation.  It should
>> definitely default to -n.  That is a big issue to the new person in this
>> area.  Bad programming strikes again.
>>
>> Thank you so much for pointing that out.  I will add that to my
>> instructions.
>
> The -L format is deficient in several respects. About the only thing it's good for is displaying counters (with -v), yet iptables-save already does this. My suggestion would be to avoid -L outright. If you want to list rules with iptables instead of iptables-save, the -S option is much more useful.
>
> Also, please use Reply All next time. I am adding the list back to the CC field.

The real problem is talking about "However, when viewing the file" when in fact doing "iptables -L".

"iptables --list --numeric --line-numbers --verbose" is no rocket science; it is documented, and needing "-n" is not that uncommon.

See "netstat-nat" or "route" as examples.
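Added example, not from the thread: a shell check for the situation Kerin describes, auditing an iptables-save style file for hostnames in -s/-d arguments, since such names are resolved only when iptables-restore loads the ruleset and the file then does not show what actually lands in the kernel. The sample ruleset is constructed, and the script assumes IPv4 rules only.

```shell
#!/bin/bash
# Added example, not from the thread: audit an iptables-save style ruleset
# for -s/-d arguments that are hostnames rather than numeric addresses. A
# hostname there is resolved only when iptables-restore loads the file, so
# the file does not show what lands in the kernel. IPv4 rulesets only.

# is_numeric_addr ADDR: 0 if ADDR is a dotted quad with an optional /prefix.
is_numeric_addr() {
    case "$1" in *[!0-9./]*) return 1 ;; esac   # only digits, dots, slashes
    local IFS=.
    set -- ${1%%/*}                               # split the address part
    [ "$#" -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1   # empty or >255 fails
    done
}

# find_hostname_rules: reads a ruleset on stdin, prints every -A/-I rule
# whose -s/-d argument is not numeric; returns 0 if none, 1 otherwise.
find_hostname_rules() {
    local found=0 line
    while IFS= read -r line; do
        case "$line" in -A*|-I*) ;; *) continue ;; esac   # skip *table, :CHAIN, COMMIT, comments
        set -- $line
        while [ "$#" -gt 1 ]; do
            case "$1" in
                -s|-d|--source|--destination)
                    if ! is_numeric_addr "$2"; then
                        printf 'hostname in rule: %s\n' "$line"
                        found=1
                        break
                    fi ;;
            esac
            shift
        done
    done
    return "$found"
}

# Constructed sample in iptables-save format; the last rule uses a hostname.
SAMPLE_RULES=$(cat <<'EOF'
*filter
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT ! -s 10.0.0.0/8 -p udp -m udp --dport 53 -j DROP
-A INPUT -s gateway.example.internal -j ACCEPT
COMMIT
EOF
)
printf '%s\n' "$SAMPLE_RULES" | find_hostname_rules || echo 'fix the ruleset before iptables-restore'
# On a real host: find_hostname_rules < /etc/iptables.up.rules
```

To inspect the loaded ruleset without reverse lookups, use `iptables -S` or `iptables -L -n -v --line-numbers`, as the thread recommends.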


