[CentOS] IPTABLES don't solve name HOST - CENTOS 4.3

Aleksandar Milivojevic alex at milivojevic.org
Sat Jul 8 17:25:05 UTC 2006


William L. Maltby wrote:
> If we can presume that the man page for iptables is correct that it can
> filter using hostname, we can also presume that it must have some method
> for doing a DNS-like resolution process. Since dig of "chatenabled..."
> shows it exists and is resolvable, is your iptables set up to use your
> resolution facility? If early in the boot procedure, maybe resolution is
> not yet available?

Iptables do not filter based on host names.  The name gets resolved to 
the IP adress, and the rule is inserted using that IP address (as the 
output of iptables -L shows you).  If IP address changes, the rule 
doesn't get automagically updated.

DNS lookup can return more than one address.  Do you know what iptables 
will do in that case?

DNS lookup can also return a different address depending on which ISP 
you are using.  For example, chatenabled.mail.google.com from the 
example can also resolv to 216.239.63.189 (queried from my hotel's 
network in California) or 66.102.11.189 (queried from host located in 
Croatia).  If I were to query it from my home in Winnipeg, I'd probably 
get yet another IP address.

Another example, try resolving www.google.com and you'll most likely get 
several IP addresses returned.  Who knows, maybe resolving Google's 
chatenabled will also start returning multiple RR A records one day in 
the future.

Check /etc/nsswitch.conf and /etc/resolv.conf.  See if configuration 
inthere is correct.  Note that utilities such as dig or nslookup use 
only resolv.conf file.

During the boot, iptables script runs before network script.  Or at 
least should run before network script.  Therefore, you can't resolve 
names using DNS during boot (you can only use names that are in /etc/hosts).

Check if firewall rules actually allow you to perform DNS query.  Maybe 
your iptables rules are blocking themself.

Said all this, as manual page says, using host names with iptables is 
really bad idea.  You never know what you are going to get.  And you 
always run a risk of somebody breaking into your network by spoofing DNS 
replies (or playing with your trust in DNS in some other way).




More information about the CentOS mailing list