[CentOS] IPTABLES don't solve name HOST - CENTOS 4.3

Sat Jul 8 14:34:09 UTC 2006
William L. Maltby <BillsCentOS at triad.rr.com>

On Fri, 2006-07-07 at 23:16 -0300, Adriano Frare wrote:
> Dear Friends,
> 
> When I execute below command
> 
> iptables -A FORWARD -d chatenabled.mail.google.com -j DROP
> 
> 
> I have received follow messages.
> 
> iptables v1.2.11: host/network `chatenabled.mail.google.com' not found

If we can presume that the man page for iptables is correct that it can
filter using hostname, we can also presume that it must have some method
for doing a DNS-like resolution process. Since dig of "chatenabled..."
shows it exists and is resolvable, is your iptables set up to use your
resolution facility? If early in the boot procedure, maybe resolution is
not yet available?

As a test on my fully-updated-box-stock workstation, I did the
following.

[wild-bill at wlmlfs08 ~]$ dig chatenabled.mail.google.com

; <<>> DiG 9.2.4 <<>> chatenabled.mail.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38992
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 6

;; QUESTION SECTION:
;chatenabled.mail.google.com.   IN      A

;; ANSWER SECTION:
chatenabled.mail.google.com. 472028 IN  CNAME   b.googlemail.l.google.com.
b.googlemail.l.google.com. 15   IN      A       64.233.185.189
<snip the rest>

So we know it exists. Then I did

# iptables -A FORWARD -d chatenabled.mail.google.com -j DROP
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
DROP       all  --  anywhere             64.233.185.189

So, on my WS it works. Conditions: I am fully up and running, private
net w/local caching server and forwarding to ISP servers, DHCP assigned
IPs, etc. Pretty much stock to the bone. Oh, gateway is IPCop, which
also provides the DHCP and normal firewall services for my net.

Have you tried doing the add after fully booted and being served?

> Thanks
> 
> Adriano Frare
> <snip sig stuff>

HTH
-- 
Bill
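The `iptables -L` output above shows what actually happens when a hostname is given to `-d`: iptables resolves the name once, at insertion time, and stores the resulting address (64.233.185.189) in the rule; the name itself is never consulted again. With a 15-second A-record TTL, as in the dig answer above, that stored address can go stale quickly, and if the name resolves to several addresses iptables adds one rule per address. The following script is an added example, not part of Bill's post or of CentOS, that makes the resolution step explicit: it parses a `dig +noall +answer` style answer, picks out the A records, and emits one DROP rule per address as a dry run you can review before piping into `sh`. The second address in the constructed sample answer is assumed, for illustration only.

```shell
#!/bin/sh
# Added example: resolve a hostname to its A records and emit one explicit
# iptables FORWARD/DROP rule per address, instead of letting iptables do a
# hidden one-time lookup. Commands are printed (dry run), not executed.

# Extract IPv4 addresses from `dig +noall +answer <name>` output on stdin.
# Answer lines look like: <name> <ttl> IN A <address>
a_records_from_dig() {
    awk '$3 == "IN" && $4 == "A" { print $5 }'
}

# Print one DROP rule per address; the name goes in a trailing comment so
# the rule set records where each pinned address came from.
rules_for() {
    name="$1"; shift
    for ip in "$@"; do
        printf 'iptables -A FORWARD -d %s -j DROP # %s\n' "$ip" "$name"
    done
}

# block_host NAME      -> runs dig for NAME (needs a working resolver)
# block_host NAME -    -> reads the dig answer from stdin (offline/testing)
# Fails with status 1 when the answer carries no A record, which is the
# same situation as the "host/network ... not found" error in the post.
block_host() {
    name="$1"
    if [ "${2:-}" = "-" ]; then
        ips=$(a_records_from_dig)
    else
        ips=$(dig +noall +answer "$name" | a_records_from_dig)
    fi
    [ -n "$ips" ] || { echo "no A records for $name" >&2; return 1; }
    # shellcheck disable=SC2086  (word-splitting $ips into arguments is intended)
    rules_for "$name" $ips
}

# Constructed sample answer: the CNAME and first A record are taken from the
# dig output in the post; the second A record is an assumed extra address to
# show the one-rule-per-address behaviour.
SAMPLE_ANSWER='chatenabled.mail.google.com. 472028 IN CNAME b.googlemail.l.google.com.
b.googlemail.l.google.com. 15 IN A 64.233.185.189
b.googlemail.l.google.com. 15 IN A 64.233.185.19'

# Demo on the constructed answer: prints two DROP rules.
printf '%s\n' "$SAMPLE_ANSWER" | block_host chatenabled.mail.google.com -
```

Because the emitted rules carry literal addresses, they behave the same whether or not the resolver is reachable when the firewall script runs at boot; the lookup happens where you can see it fail. Re-run the script (or a cron job built on it) as often as the record's TTL suggests, and use `iptables -L -n` when checking the result so the listing shows the stored addresses without reverse lookups.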