[Firewall] Custom-rules

Gustin Johnson gustin at meganerd.ca
Wed Jun 13 19:53:15 CEST 2012


iptables does accept domain names, but it does a lookup; in a round-robin
DNS situation you would end up with a rule that matches only one of the
returned IPs.

In the past I have used a cron job to periodically update the rules for
that host.  Something like this:

# collect every IPv4 "has address" line from host into a bash array
iparray=( $(host google.com | grep -E 'has address [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -f 4 -d " ") )

# one rule per resolved address (echo first to see what it would run)
for each in "${iparray[@]}" ; do echo iptables -do -something $each ; done

Of course replace google.com with the hostname you are interested in.  Also
remove the echo from the loop line (for each ...).

Hth,

On Wed, Jun 13, 2012 at 7:01 AM, Arno van Amersfoort <
arnova at rocky.eld.leidenuniv.nl> wrote:

> I think the "easiest" solution would be modifying the DynDNS-plugin so it
> opens up all IPs for a certain hostname + change the INPUT chains into
> OUTPUT, although I doubt you can do this via the INPUT chain....
>
> a.
>
>
> On 11-Jun-12 16:39, Michel van Dop wrote:
>
>> Hello,
>>
>> By default I block the server from getting content over port 80 and port 443.  I
>> use the custom-rules.
>>
>> But sometimes I must unblock an IP: some CMS websites must communicate with
>> another server on port 80 for spam blacklists etc., so..
>>
>> I use this:
>>
>> # exception to one webserver.
>> /sbin/iptables -A OUTPUT -s xx.xx.xx.xx -d xx.xx.xx.xx -p tcp --dport 80 -j ACCEPT
>>
>> # now blocking the rest
>> /sbin/iptables -A OUTPUT -p tcp --dport 80 -j DROP
>> /sbin/iptables -A OUTPUT -p tcp --dport 443 -j DROP
>>
>>
>> This works great...  But now one DNS name has more IPs (load balance); how
>> to accept this?  I know iptables does not work with a domain name, only an IP.
>> And sometimes there is a DNS change and the iptables rule does not work.
>>
>> Does anyone have a good solution?
>>
>> Best regards,
>>
>> Michel
>>
>>
>>
>>
>> _______________________________________________
>> Firewall mailing list
>> Firewall at rocky.eld.leidenuniv.nl
>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>> Arno's (Linux IPTABLES Firewall) Homepage:
>> http://rocky.eld.leidenuniv.nl
>>
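The cron-driven approach from Gustin's reply, written out as an added example (this is not code from the thread or from Arno's firewall). It resolves a hostname with `host`, keeps every IPv4 "has address" record, and rebuilds a dedicated OUTPUT sub-chain from scratch on each run, so addresses that dropped out of DNS are closed again rather than left behind by repeated appends. The chain name OUT_WEB_ALLOW, the dry-run default (commands are echoed unless IPTABLES=/sbin/iptables is set) and the sample `host` output are assumptions of this example; the sample uses constructed RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not from the list thread. Rebuild a dedicated OUTPUT
# sub-chain from every IPv4 address a hostname currently resolves to, so a
# load-balanced name with several A records (or one whose address changed)
# is fully covered. Intended to run from cron. The chain name OUT_WEB_ALLOW
# and the dry-run default are assumptions of this example.

ALLOW_CHAIN="${ALLOW_CHAIN:-OUT_WEB_ALLOW}"   # assumed chain name
IPTABLES="${IPTABLES:-echo iptables}"          # dry run; set IPTABLES=/sbin/iptables to apply
DPORT="${DPORT:-80}"

# Constructed sample of `host` output (RFC 5737 documentation addresses),
# used when the script is run without a hostname argument.
SAMPLE_HOST_OUTPUT='example.test has address 192.0.2.10
example.test has address 192.0.2.11
example.test has IPv6 address 2001:db8::10
example.test mail is handled by 10 mail.example.test.'

# Read `host` output on stdin; print each IPv4 "has address" record once.
# IPv6, MX and alias lines are ignored on purpose.
ipv4_from_host_output() {
    grep -E '^[^[:space:]]+ has address ([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        | cut -d ' ' -f 4 \
        | awk '!seen[$0]++'
}

# Read one IP per line on stdin and rebuild the allow chain from scratch.
# Flushing first is what removes addresses that have dropped out of DNS;
# appending straight to OUTPUT (as in the thread) would leave them open.
rebuild_chain() {
    $IPTABLES -N "$ALLOW_CHAIN" 2>/dev/null || true
    $IPTABLES -F "$ALLOW_CHAIN"
    while read -r ip; do
        [ -n "$ip" ] || continue
        $IPTABLES -A "$ALLOW_CHAIN" -d "$ip" -p tcp --dport "$DPORT" -j ACCEPT
    done
}

# Make sure OUTPUT jumps to the allow chain ahead of the DROP rules
# (inserted at position 1); -C tests for the jump so it is only added once.
ensure_jump() {
    $IPTABLES -C OUTPUT -p tcp --dport "$DPORT" -j "$ALLOW_CHAIN" 2>/dev/null \
        || $IPTABLES -I OUTPUT 1 -p tcp --dport "$DPORT" -j "$ALLOW_CHAIN"
}

# Resolve a real hostname and refresh the chain. If DNS returned no IPv4
# address at all, keep the previous rules instead of flushing to an empty chain.
refresh_rules_for_host() {
    ips=$(host "$1" 2>/dev/null | ipv4_from_host_output)
    [ -n "$ips" ] || { echo "no IPv4 address for $1, keeping old rules" >&2; return 1; }
    printf '%s\n' "$ips" | rebuild_chain
    ensure_jump
}

if [ $# -gt 0 ]; then
    refresh_rules_for_host "$1"
else
    # No hostname given: show what would be run for the constructed sample.
    printf '%s\n' "$SAMPLE_HOST_OUTPUT" | ipv4_from_host_output | rebuild_chain
fi
```

Run it without arguments to see the echoed commands for the sample; for real use, call it from cron as IPTABLES=/sbin/iptables ./script.sh hostname, and keep the per-port DROP rules in OUTPUT after the jump so anything not in the allow chain is still dropped. Flushing only the sub-chain means the rest of the custom rules are never touched by the periodic refresh.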