On Sat, 2006-07-08 at 12:25 -0500, Aleksandar Milivojevic wrote:
William L. Maltby wrote:
If we can presume that the man page for iptables is correct that it can filter using hostname, we can also presume that it must have some method for doing a DNS-like resolution process. Since dig of "chatenabled..." shows it exists and is resolvable, is your iptables set up to use your resolution facility? If early in the boot procedure, maybe resolution is not yet available?
Iptables does not filter based on host names. The name gets resolved to the IP address, and the rule is inserted using that IP address (as the output of iptables -L shows you). If the IP address changes, the rule doesn't get automagically updated.
AHA! And there shows the difference between "high-level dumb user view", like mine, and real world operations. Thanks. Added another small nugget to my learning.
<snip the rest of some good stuff too>
During the boot, the iptables script runs before the network script. Or at least it should run before the network script. Therefore, you can't resolve names using DNS during boot (you can only use names that are in /etc/hosts).
So if his output was from boot, he can't yet resolve the name->IP. And that is why mine worked. I was booted and added it after services were started.
Check if the firewall rules actually allow you to perform a DNS query. Maybe your iptables rules are blocking themselves.
Having said all this, as the manual page says, using host names with iptables is a really bad idea. You never know what you are going to get. And you always run the risk of somebody breaking into your network by spoofing DNS replies (or playing with your trust in DNS in some other way).
From all you explain, and considering CentOS base/update, it sounds to me like the better solution includes 1) adding local iptables changes into a local script that *might* run after desired services are available and (desirable?) 2) doing something like a dig to get the addresses and using them instead of names. This could be set up to periodically check IP addresses and send you a note that you must (again) update your rules in your on-going battle?
<snip sig stuff>
Thanks for taking the time. It helps folks like me progress.
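The "dig the name, use the addresses, and get told when they change" idea from the reply above, as an added example that is not part of the thread and not anyone's posted script. It is a POSIX sh sketch: `resolve_a` is a constructed stand-in for `dig +short A <name>` (the hostname chatenabled.example.net and its addresses are made up for the demo), `diff_addrs` compares the address list recorded when the rules were written with the live one, and `refresh_rules` prints the `iptables -A`/`-D` commands that would bring a chain in line. In use you would call it from cron or a late rc script, after the network and resolver are up, keep the cached list in a file, and mail yourself the diff instead of (or before) applying it. Note that it does not remove the DNS-trust problem the thread warns about; it only moves the lookup to a time when it works and makes the change visible so you can check it before the rule changes.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread. Refresh IP-based iptables
# rules for a host whose address may change, and report what changed.
# The hostname, addresses and resolver output below are constructed for the
# demo. In production, resolve_a would call: dig +short A "$1"

# Constructed stand-in for `dig +short A chatenabled.example.net`.
resolve_a() {
    case "$1" in
        chatenabled.example.net) printf '%s\n' 192.0.2.10 192.0.2.11 ;;
        *) return 1 ;;
    esac
}

# Keep only well-formed dotted-quad IPv4 addresses, one per line, sorted.
# `dig +short` also prints CNAME targets for aliased names; drop those so a
# hostname is never fed back into iptables (the sort keeps status 0 even
# when grep matches nothing, so callers under `set -e` are safe).
only_ipv4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# Print "added <ip>" / "removed <ip>" for each difference between the cached
# address list ($1, newline separated) and the live one ($2).
diff_addrs() {
    old=$(printf '%s\n' "$1" | only_ipv4)
    new=$(printf '%s\n' "$2" | only_ipv4)
    for ip in $new; do
        printf '%s\n' "$old" | grep -qxF "$ip" || echo "added $ip"
    done
    for ip in $old; do
        printf '%s\n' "$new" | grep -qxF "$ip" || echo "removed $ip"
    done
}

# Emit the iptables commands that bring the chain in line with the live
# addresses: delete rules for vanished addresses, append rules for new ones.
# $1 hostname, $2 cached addresses, $3 chain, $4 destination TCP port.
# If the name does not resolve (DNS down, rules blocking port 53, too early
# in boot), leave the existing rules alone rather than deleting them.
refresh_rules() {
    live=$(resolve_a "$1") || {
        echo "# cannot resolve $1; leaving rules alone" >&2
        return 1
    }
    diff_addrs "$2" "$live" | while read -r action ip; do
        case "$action" in
            added)   echo "iptables -A $3 -p tcp -s $ip --dport $4 -j ACCEPT" ;;
            removed) echo "iptables -D $3 -p tcp -s $ip --dport $4 -j ACCEPT" ;;
        esac
    done
}

# Demo run: the cached list (constructed) has one stale and one current address.
cached='192.0.2.9
192.0.2.10'
refresh_rules chatenabled.example.net "$cached" INPUT 5222
```

The printed commands are the "note" the reply asks for; pipe them to `mail` for review, or to `sh` once you have confirmed the new addresses are the ones you expect from the name's owner rather than from a spoofed reply.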