Using hostnames in iptables - Networking



Thread: Using hostnames in iptables

  1. Using hostnames in iptables

    If I write an iptables rule with a hostname, when is the hostname
    resolved? For example:

    iptables -A INPUT -p tcp --src remoteoffice.company.com --dport 25 -j ACCEPT


    I believe that "remoteoffice.company.com" is resolved at the time the
    "iptables" statement is executed, rather than being stored in the chain
    as a hostname and resolved when packets are checked. Can anyone confirm
    that?

    If I wanted to have such a rule for a hostname whose address changed
    (say, a dynamic ADSL address), is there any way to do it?

    mvh.,

    David

  2. Re: Using hostnames in iptables

    "David Brown" wrote in message
    news:47dd77b4$0$8159$8404b019@news.wineasy.se...
    > If I write an iptables rule with a hostname, when is the hostname
    > resolved? For example:
    >
    > iptables -A INPUT -p tcp --src remoteoffice.company.com --dport 25 -j ACCEPT
    >
    >
    > I believe that "remoteoffice.company.com" is resolved at the time the
    > "iptables" statement is executed, rather than being stored in the chain
    > as a hostname and resolved when packets are checked. Can anyone confirm
    > that?


    Correct. Resolved when the command is loaded.

    Watch out for names that resolve to more than one address.



  3. Re: Using hostnames in iptables

    D. Stussy wrote:
    > "David Brown" wrote in message
    > news:47dd77b4$0$8159$8404b019@news.wineasy.se...
    >> If I write an iptables rule with a hostname, when is the hostname
    >> resolved? For example:
    >>
    >> iptables -A INPUT -p tcp --src remoteoffice.company.com --dport 25 -j ACCEPT
    >>
    >> I believe that "remoteoffice.company.com" is resolved at the time the
    >> "iptables" statement is executed, rather than being stored in the chain
    >> as a hostname and resolved when packets are checked. Can anyone confirm
    >> that?

    >
    > Correct. Resolved when the command is loaded.
    >
    > Watch out for names that resolve to more than one address.
    >


    Thanks for confirming that for me. I'll only be using it for names that
    I have control over and which will resolve to a single address. I
    suppose that the most convenient way to update such rules when the ip
    address changed would be to put them into a separate chain, which could
    then be flushed and re-loaded without affecting other rules in the tables.

    mvh.,

    David



  4. Re: Using hostnames in iptables

    "David Brown" wrote in message
    news:47ddb5ae$0$8161$8404b019@news.wineasy.se...
    > D. Stussy wrote:
    > > "David Brown" wrote in message
    > > news:47dd77b4$0$8159$8404b019@news.wineasy.se...
    > >> If I write an iptables rule with a hostname, when is the hostname
    > >> resolved? For example:
    > >>
    > >> iptables -A INPUT -p tcp --src remoteoffice.company.com --dport 25 -j ACCEPT
    > >>
    > >> I believe that "remoteoffice.company.com" is resolved at the time the
    > >> "iptables" statement is executed, rather than being stored in the chain
    > >> as a hostname and resolved when packets are checked. Can anyone confirm
    > >> that?

    > >
    > > Correct. Resolved when the command is loaded.
    > >
    > > Watch out for names that resolve to more than one address.

    >
    > Thanks for confirming that for me. I'll only be using it for names that
    > I have control over and which will resolve to a single address. I
    > suppose that the most convenient way to update such rules when the ip
    > address changed would be to put them into a separate chain, which could
    > then be flushed and re-loaded without affecting other rules in the tables.


    If you're using a script to set up multiple rules for your own server, it's
    better to use iptables-restore than individual iptables lines.
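The following bash script is an added example, not something any poster in this thread wrote. It puts together the three points made so far: the hostname is resolved when the rule is loaded, so a refresh has to re-run the lookup (posts 1 and 2); a name that resolves to more than one address gets one rule per address and a warning (post 2); and the hostname-derived rules live in their own chain that is flushed and reloaded on its own, via iptables-restore --noflush rather than individual iptables lines (posts 3 and 4). The chain name DYNHOSTS, port 25 and the hostname are assumptions; the reload relies on iptables-restore flushing a user-defined chain that is named on a ':' line even when --noflush is given.

```shell
#!/bin/bash
# Added example, not from the thread. Rebuilds one dedicated iptables chain from
# a hostname resolved at run time (the address is baked into the rule, as the
# thread confirms) and reloads only that chain with "iptables-restore --noflush".
# Chain name, port and hostname are assumptions.
set -u

CHAIN=DYNHOSTS   # assumed name of the chain holding only the hostname-derived rules
PORT=25

# resolve_v4 NAME: print the IPv4 addresses NAME resolves to right now, one per
# line, deduplicated. Uses getent (glibc/musl); never touches iptables.
resolve_v4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
}

# build_restore_fragment CHAIN PORT ADDR...: print an iptables-restore fragment
# that re-creates CHAIN with one ACCEPT rule per address. With --noflush,
# iptables-restore flushes a user-defined chain that is named on a ':' line
# (built-in chains are left alone), so this replaces CHAIN's contents and
# nothing else. Fails if no address was given (a failed lookup must not
# silently produce an empty chain) or if an argument is not digits and dots.
build_restore_fragment() {
    local chain=$1 port=$2 addr
    shift 2
    if [ "$#" -eq 0 ]; then
        echo "build_restore_fragment: no addresses for $chain" >&2
        return 1
    fi
    printf '*filter\n:%s - [0:0]\n' "$chain"
    for addr in "$@"; do
        case $addr in
            ''|*[!0-9.]*)
                echo "build_restore_fragment: not an IPv4 address: $addr" >&2
                return 1 ;;
        esac
        printf '%s\n' "-A $chain -p tcp -s $addr --dport $port -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# refresh_chain NAME: resolve NAME, warn when it has more than one address (the
# trap pointed out in post 2), then replace CHAIN's rules in one transaction.
# INPUT must already jump to CHAIN, i.e. "iptables -A INPUT -j $CHAIN" once.
refresh_chain() {
    local addrs count fragment
    addrs=$(resolve_v4 "$1")
    count=$(printf '%s\n' "$addrs" | grep -c .)
    if [ "$count" -gt 1 ]; then
        echo "warning: $1 resolves to $count addresses; one rule per address" >&2
    fi
    # word-splitting of $addrs is intended: one argument per address
    fragment=$(build_restore_fragment "$CHAIN" "$PORT" $addrs) || return 1
    printf '%s\n' "$fragment" | iptables-restore --noflush
}

# Only touch the firewall when explicitly asked: ./refresh.sh apply host.example
if [ "${1:-}" = apply ]; then
    refresh_chain "${2:-remoteoffice.company.com}"
fi
```

Run it from cron or from the dynamic-DNS update hook; because the fragment declares only the DYNHOSTS chain, every other chain in the filter table keeps its rules and counters, which is what post 3 wanted from the separate-chain approach.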




  5. Re: Using hostnames in iptables

    On Sun, 16 Mar 2008 17:37:54 -0800, D. Stussy wrote:

    > If you're using a script to set up multiple rules for your own server,
    > it's better to use iptables-restore than individual iptables lines.


    Even where the actual change is a relatively small part of the set of all
    rulesets? Is there some crossover point at which this isn't true, or is
    it true regardless of how large the entire set and how small the changes?

    - Andrew
