[Firewall] Custom-rules

Gustin Johnson gustin at meganerd.ca
Wed Jun 13 19:55:55 CEST 2012


Also it is even easier to parse IPv6 addresses:
host google.com |grep IPv6 |cut -f 5 -d " "

Yes there are more elegant ways to do this, but these examples should be
easier to follow :)

On Wed, Jun 13, 2012 at 11:53 AM, Gustin Johnson <gustin at meganerd.ca> wrote:

> iptables does accept domain names, but it does a lookup; in a round-robin
> DNS situation you would end up with a rule that matches only one of the
> returned IPs.
>
> In the past I have used a cron job to periodically update the rules for
> that host.  Something like this:
>
> # Collect every IPv4 address `host` returns into a bash array
> iparray=( $(host google.com | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -f 4 -d " ") )
>
> # One rule per returned address ("-do -something" stands for the real iptables options)
> for each in "${iparray[@]}" ; do echo iptables -do -something "$each" ; done
>
> Of course replace google.com with the hostname you are interested in.
>  Also remove the echo from the loop line (for each ...).
>
> Hth,
>
> On Wed, Jun 13, 2012 at 7:01 AM, Arno van Amersfoort <
> arnova at rocky.eld.leidenuniv.nl> wrote:
>
>> I think the "easiest" solution would be modifying the DynDNS-plugin so it
>> opens up all IPs for a certain hostname + change the INPUT chains into
>> OUTPUT, although I doubt you can do this via the INPUT chain....
>>
>> a.
>>
>>
>> On 11-Jun-12 16:39, Michel van Dop wrote:
>>
>>> Hello,
>>>
>>> By default I block the server from getting some content on port 80 and
>>> port 443. I use the custom-rules.
>>>
>>> But sometimes I must unblock an IP: some CMS websites must communicate
>>> with another server on port 80 for spam blacklists etc., so...
>>>
>>> I use this:
>>>
>>> # exception for one webserver.
>>> /sbin/iptables -A OUTPUT -s xx.xx.xx.xx -d xx.xx.xx.xx -p tcp --dport 80 -j ACCEPT
>>>
>>> # now blocking the rest
>>> /sbin/iptables -A OUTPUT -p tcp --dport 80 -j DROP
>>> /sbin/iptables -A OUTPUT -p tcp --dport 443 -j DROP
>>>
>>>
>>> This works great... But now one DNS name has more IPs (load balanced);
>>> how to accept this? I know iptables does not work for a domain name, only
>>> an IP. And sometimes there is a DNS change and the iptables rule does not
>>> work.
>>>
>>> Does anyone have a good solution?
>>>
>>> Best regards,
>>>
>>> Michel
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Firewall mailing list
>>> Firewall at rocky.eld.leidenuniv.nl
>>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>>> Arno's (Linux IPTABLES Firewall) Homepage:
>>> http://rocky.eld.leidenuniv.nl
>>>
>>
>
>
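The cron-job approach from the quoted mail, carried through as an added example that is not code from the thread or from Arno's firewall scripts: instead of appending rules to OUTPUT on every run (which piles up duplicates and never removes addresses that dropped out of DNS), the resolved addresses go into a dedicated chain that is flushed and refilled each time. The chain name ALLOW_WEB, the port, the `run` dry-run wrapper and the sample `host` output are assumptions made for the demonstration; the IPv4/IPv6 parsing follows the `cut -f 4` / `cut -f 5` field positions mentioned above.

```shell
#!/bin/sh
# Added example (not from the thread): refresh a dedicated iptables chain from
# the addresses a `host` lookup returns, so a cron job can re-run it without
# accumulating duplicate rules. Chain name, port and the sample lookup output
# are assumptions for the demonstration.

# Constructed sample of `host` output, so the script runs offline.
SAMPLE_HOST_OUTPUT='example.com has address 93.184.216.34
example.com has address 93.184.216.35
example.com has IPv6 address 2606:2800:220:1:248:1893:25c8:1946
example.com mail is handled by 0 .'

# Print IPv4 addresses from `host` output on stdin ("X has address A").
extract_ipv4() {
  awk '$2 == "has" && $3 == "address" { print $4 }'
}

# Print IPv6 addresses from `host` output on stdin ("X has IPv6 address A").
extract_ipv6() {
  awk '$2 == "has" && $3 == "IPv6" && $4 == "address" { print $5 }'
}

# Execute a command, or with DRY_RUN=1 (the default here) only print it.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# refresh_chain CHAIN PORT < host-output
# Flushes CHAIN and re-adds one ACCEPT per resolved address, so addresses
# from an earlier lookup disappear with the flush. OUTPUT needs a single jump
# into CHAIN ahead of the DROP rules, set up once rather than from cron, e.g.
#   iptables -C OUTPUT -j CHAIN 2>/dev/null || iptables -I OUTPUT 1 -j CHAIN
refresh_chain() {
  chain="$1"
  port="$2"
  lookup=$(cat)
  for tool in iptables ip6tables; do
    run "$tool" -N "$chain" 2>/dev/null || true   # no-op if it already exists
    run "$tool" -F "$chain"
  done
  printf '%s\n' "$lookup" | extract_ipv4 | while read -r ip; do
    run iptables -A "$chain" -d "$ip" -p tcp --dport "$port" -j ACCEPT
  done
  printf '%s\n' "$lookup" | extract_ipv6 | while read -r ip; do
    run ip6tables -A "$chain" -d "$ip" -p tcp --dport "$port" -j ACCEPT
  done
}

# Offline demonstration; from cron you would pipe a real lookup instead:
#   DRY_RUN=0 ; host example.com | refresh_chain ALLOW_WEB 80
printf '%s\n' "$SAMPLE_HOST_OUTPUT" | refresh_chain ALLOW_WEB 80
```

Two caveats carry over from the thread: a single `host` query against a round-robin or load-balanced name may return only part of the address pool, so the refresh interval should be short and the rules treated as a best-effort allowlist rather than a guarantee; and because the chain is flushed before it is refilled, a failed lookup leaves the chain empty, which fails closed (traffic to that host is dropped) rather than open.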