I had something like this come up a while back for dynamic hosts accessing a specific service. What I did, generally speaking, is set up an input rule to redirect all incoming requests for that service to a new chain, then dynamically rebuild the chain periodically to "refresh" the IP addresses via a cron job.

The initial setup would be something along the lines of this, substituting the service you want to control for 'fubar':

    iptables --new-chain fubar-chain
    iptables --append fubar-chain --jump DROP
    iptables --insert RH-Firewall-1-INPUT --in-interface ! lo \
        --protocol tcp --dport fubar --jump fubar-chain

This sets up the initial state so that any requests for service fubar get dropped. You could add the following to /etc/sysconfig/iptables (just before the line saying "COMMIT") to accomplish the same thing when iptables gets started:

--BEGIN
:fubar-chain - [0:0]
-A fubar-chain -j DROP
-I RH-Firewall-1-INPUT -i ! lo -p tcp --dport fubar -j fubar-chain
--END

Now you need to flush the chain and put the correct rules in to allow them to work, using a shell script something like this to make it go:

--BEGIN
#!/bin/bash
iptables --flush fubar-chain
iptables --append fubar-chain --jump DROP
for ipaddr in $( host chatenabled.google.com | \
                 awk '( / has address / ) { print $NF }' )
do
    iptables --insert fubar-chain --source ${ipaddr} \
        --protocol tcp --dport fubar --jump ACCEPT
done
--END

There might be some disruption of service while this is running, so a little tweaking might be necessary to NOT remove the rules unless the DNS translation has actually changed. Set this script up to run as a cron job with whatever frequency makes sense.

This is pretty generic and will have to be adapted to your specific needs, altering the service names and protocols as appropriate. Since this was basically from memory, make DARNED sure you make backup copies of any files you modify before trying this out! Your mileage may vary!
--
Jay Leafey - Memphis, TN
jay.leafey at mindless.com
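The "don't touch the rules unless the DNS answer actually changed" tweak that the post leaves as an exercise, written out as an added example (not Jay's script). It assumes the fubar-chain/DROP setup from the post is already in place, that it runs as root from cron with the argument --run, and that host, iptables and iptables-save are on PATH; the --run gate and the variable names are this example's own.

```shell
# Added example: refresh the allow-chain only when the DNS answer has changed.
# Assumes the chain and its trailing DROP rule from the post already exist,
# root via cron, and 'host', 'iptables', 'iptables-save' on PATH.
set -u
CHAIN="${CHAIN:-fubar-chain}"
ALLOW_HOST="${ALLOW_HOST:-chatenabled.google.com}"
SERVICE="${SERVICE:-fubar}"    # port number or /etc/services name

# One address per line, sorted and de-duplicated, so lists compare as sets.
normalize_addrs() { tr ' ' '\n' | sed '/^$/d' | sort -u; }

# Current IPv4 answers for ALLOW_HOST, using the same 'host' pipeline as the post.
resolve_addrs() {
    host "$ALLOW_HOST" | awk '/ has address / { print $NF }' | normalize_addrs
}

# Pull the --source addresses of chain $1 out of iptables-save output on stdin
# (iptables-save prints them as CIDR, e.g. 10.1.2.3/32; the /32 is stripped).
parse_chain_sources() {
    awk -v chain="$1" '$1 == "-A" && $2 == chain {
        for (i = 3; i < NF; i++) if ($i == "-s") { a = $(i+1); sub(/\/32$/, "", a); print a }
    }' | normalize_addrs
}

# True (exit 0) when the installed ($1) and freshly resolved ($2) sets differ.
addrs_changed() { [ "$1" != "$2" ]; }

# Same rebuild as the post: DROP last, one ACCEPT per address inserted above it.
rebuild_chain() {
    iptables --flush "$CHAIN"
    iptables --append "$CHAIN" --jump DROP
    for ipaddr in $1; do
        iptables --insert "$CHAIN" --source "$ipaddr" \
            --protocol tcp --dport "$SERVICE" --jump ACCEPT
    done
}

refresh() {
    installed=$(iptables-save -t filter | parse_chain_sources "$CHAIN")
    resolved=$(resolve_addrs)
    if [ -z "$resolved" ]; then   # a failed lookup must not wipe working rules
        echo "no A records for $ALLOW_HOST; keeping current rules" >&2; return 1
    fi
    if addrs_changed "$installed" "$resolved"; then
        rebuild_chain "$resolved"; echo "$CHAIN rebuilt for: $resolved"
    fi
}

# Only touch the firewall when invoked as 'script --run'; otherwise the functions
# above can be sourced and exercised without root.
if [ "${1:-}" = "--run" ]; then refresh; fi
```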