On Sat, 2006-07-08 at 12:25 -0500, Aleksandar Milivojevic wrote:
> William L. Maltby wrote:
> > If we can presume that the man page for iptables is correct that it can
> > filter using hostname, we can also presume that it must have some method
> > for doing a DNS-like resolution process. Since dig of "chatenabled..."
> > shows it exists and is resolvable, is your iptables set up to use your
> > resolution facility? If early in the boot procedure, maybe resolution is
> > not yet available?
>
> Iptables does not filter based on host names. The name gets resolved to
> the IP address, and the rule is inserted using that IP address (as the
> output of iptables -L shows you). If the IP address changes, the rule
> doesn't get automagically updated.

AHA! And there shows the difference between "high-level dumb user view",
like mine, and real world operations. Thanks. Added another small nugget
to my learning.

> <snip the rest of some good stuff too>
>
> During the boot, the iptables script runs before the network script. Or at
> least it should run before the network script. Therefore, you can't resolve
> names using DNS during boot (you can only use names that are in /etc/hosts).

So if his output was from boot, he can't yet resolve the name->IP. And
that is why mine worked. I was booted and added it after services were
started.

> Check if firewall rules actually allow you to perform DNS queries. Maybe
> your iptables rules are blocking themselves.
>
> Said all this, as the manual page says, using host names with iptables is
> a really bad idea. You never know what you are going to get. And you
> always run a risk of somebody breaking into your network by spoofing DNS
> replies (or playing with your trust in DNS in some other way).

From all you explain, and considering CentOS base/update, it sounds to me
like the better solution includes
1) adding local iptables changes into a local script that *might* run after
   the desired services are available and (desirable?)
2) doing something like a dig to get the addresses and using them instead
   of names. This could be set up to periodically check IP addresses and
   send you a note that you must (again) update your rules in your on-going
   battle?

> <snip sig stuff>

Thanks for taking the time. It helps folks like me progress.

-- 
Bill
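The two-step approach Bill sketches above (resolve the name once, keep the addresses, re-check periodically and get told when they move), written out as an added example. This script is not from the thread, from CentOS or from the iptables project; it assumes a hypothetical host name host.example.com, the chain INPUT, a state directory /var/lib/fw-dns, and that dig and iptables are on the PATH. Run it from cron after the network is up (cron mails whatever it prints, which serves as the "note"). The default "check" mode only reports; "apply" mode also rewrites the rules, which hands control of the firewall back to DNS answers, exactly the trust Aleksandar warns about, so use it only with a resolver you trust. A lookup that returns nothing deliberately leaves the rules alone rather than deleting them.

```shell
#!/bin/sh
# Added example, not code from the thread: keep the IPs in an ACCEPT rule in
# step with a host name's current A records and report when they change.
# Assumptions (all hypothetical): host name host.example.com, chain INPUT,
# state kept under /var/lib/fw-dns, dig and iptables on the PATH.
set -u
LC_ALL=C; export LC_ALL          # deterministic ordering for sort and comm

HOST="${HOST:-host.example.com}"
CHAIN="${CHAIN:-INPUT}"
STATE_DIR="${STATE_DIR:-/var/lib/fw-dns}"

# filter_ipv4: keep only dotted-quad lines from stdin, sorted and unique.
# dig +short also prints CNAME targets when the name is an alias; drop those.
filter_ipv4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# resolve_a NAME: the current IPv4 A records for NAME, one per line.
resolve_a() {
    dig +short "$1" A | filter_ipv4
}

# diff_sets OLD NEW: OLD and NEW are newline-separated address lists.
# Prints "+addr" for addresses only in NEW and "-addr" for those only in OLD.
# Returns 0 when the sets are equal, 1 when anything differs.
diff_sets() {
    old=$(mktemp) && new=$(mktemp) || return 2
    printf '%s\n' "$1" | sed '/^$/d' | sort -u > "$old"
    printf '%s\n' "$2" | sed '/^$/d' | sort -u > "$new"
    comm -13 "$old" "$new" | sed 's/^/+/'
    comm -23 "$old" "$new" | sed 's/^/-/'
    changed=$(comm -3 "$old" "$new" | wc -l | tr -d ' ')
    rm -f "$old" "$new"
    [ "$changed" -eq 0 ]
}

# sync_host MODE: MODE is "check" (report only) or "apply" (also edit rules).
sync_host() {
    mode="$1"
    state="$STATE_DIR/$HOST.addrs"
    mkdir -p "$STATE_DIR"
    [ -f "$state" ] || : > "$state"

    live=$(resolve_a "$HOST")
    if [ -z "$live" ]; then
        # A failed or blocked lookup must not tear down the rules.
        echo "$HOST: no A records returned, rules left untouched" >&2
        return 2
    fi

    if report=$(diff_sets "$(cat "$state")" "$live"); then
        return 0                   # nothing to say, so cron sends no mail
    fi
    echo "$HOST: addresses changed, rules built from the old set are stale:"
    echo "$report"

    if [ "$mode" != apply ]; then
        echo "re-run with 'apply' once you have confirmed the new addresses"
        return 1
    fi
    echo "$report" | while read -r line; do
        ip=${line#?}
        case $line in
            +*) iptables -I "$CHAIN" -s "$ip" -j ACCEPT ;;
            -*) iptables -D "$CHAIN" -s "$ip" -j ACCEPT \
                   || echo "no ACCEPT rule for $ip found in $CHAIN" >&2 ;;
        esac
    done
    printf '%s\n' "$live" > "$state"
}

# Only act when told which mode to use, so sourcing the file defines the
# functions without touching the firewall.
case "${1:-}" in
    check|apply) sync_host "$1" ;;
esac
```

A cron line such as `*/30 * * * * /usr/local/sbin/fw-dns-sync.sh check` gives the periodic check Bill asks for; the rules themselves stay written with addresses, and the script only tells you when those addresses no longer match what DNS says.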