[Firewall] Custom-rules

Lonnie Abelbeck lists at lonnie.abelbeck.com
Wed Jun 13 20:09:06 CEST 2012


Hi Gustin,

'iptables' actually builds rules for each round-robin DNS entry, at least iptables v1.4.13 does.

$ iptables -N TEST

$ iptables -A TEST -s google.com -j ACCEPT

$ iptables -nvL TEST
Chain TEST (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       74.125.227.98        0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       74.125.227.105       0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       74.125.227.102       0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       74.125.227.99        0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       74.125.227.96        0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       74.125.227.104       0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       74.125.227.97        0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       74.125.227.101       0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       74.125.227.110       0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       74.125.227.103       0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       74.125.227.100       0.0.0.0/0           


Lonnie

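As an added example (not code from this thread or from Arno's firewall), the following script combines the dedicated-chain approach shown above with the cron refresh Gustin describes below: it parses every A record `host` returns, flushes a dedicated chain and re-adds one ACCEPT per address, and leaves the chain untouched when resolution returns nothing. The chain name, port and hostname are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from this thread): rebuild a dedicated iptables chain with
# every IPv4 address a hostname currently resolves to; run it from cron so the
# allow-list follows round-robin and DNS changes. Chain/port/host are assumed.

CHAIN="ALLOW_HTTP_OUT"   # assumed chain, to be referenced once from OUTPUT

# Keep only "X has address A.B.C.D" lines from 'host' output on stdin and
# print the address; AAAA, MX and other lines are ignored.
extract_ipv4() {
    grep -E '^[^ ]+ has address ([0-9]{1,3}\.){3}[0-9]{1,3}$' | awk '{print $4}'
}

# Emit the commands that rebuild the chain for the given addresses. Flushing
# first drops addresses from an earlier resolution that are no longer valid.
build_rules() {
    chain="$1"; port="$2"; shift 2
    echo "iptables -F $chain"
    for ip in "$@"; do
        echo "iptables -A $chain -d $ip -p tcp --dport $port -j ACCEPT"
    done
}

# Resolve the host and apply the rules. If the lookup returns no A records
# (for example a transient DNS failure) the chain is left as it was rather
# than flushed to an empty allow-list.
refresh_chain() {
    name="$1"; port="$2"; mode="${3:-print}"
    ips=$(host "$name" | extract_ipv4)
    if [ -z "$ips" ]; then
        echo "refresh_chain: no A records for $name, chain unchanged" >&2
        return 1
    fi
    if [ "$mode" = "apply" ]; then
        build_rules "$CHAIN" "$port" $ips | sh
    else
        build_rules "$CHAIN" "$port" $ips
    fi
}

# Constructed sample of 'host' output (IPv4 addresses taken from the listing
# above, IPv6 from the documentation prefix) so parsing runs without network.
SAMPLE_HOST_OUTPUT="google.com has address 74.125.227.98
google.com has address 74.125.227.105
google.com has IPv6 address 2001:db8::1
google.com mail is handled by 10 aspmx.l.google.com."

# Dry run on the sample: prints the flush plus one ACCEPT per address.
build_rules "$CHAIN" 80 $(printf '%s\n' "$SAMPLE_HOST_OUTPUT" | extract_ipv4)
```

Use `refresh_chain example.org 80 apply` from a cron entry once the chain exists and is jumped to from OUTPUT; without `apply` it only prints the commands it would run.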

On Jun 13, 2012, at 12:53 PM, Gustin Johnson wrote:

> iptables does accept domain names, but it does a lookup; in a round-robin DNS situation you would end up with a rule that matches only one of the returned IPs.
> 
> In the past I have used a cron job to periodically update the rules for that host.  Something like this:
> 
> # Collect every IPv4 address 'host' returns for the name into an array
> iparray=( $(host google.com | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -f 4 -d " ") )
> 
> # Add one rule per address (drop the echo once the command is right)
> for each in "${iparray[@]}" ; do echo iptables -do -something "$each" ; done
> 
> Of course replace google.com with the hostname you are interested in.  Also remove the echo from the loop line (for each ...).
> 
> Hth,
> 
> On Wed, Jun 13, 2012 at 7:01 AM, Arno van Amersfoort <arnova at rocky.eld.leidenuniv.nl> wrote:
> I think the "easiest" solution would be modifying the DynDNS-plugin so it opens up all IPs for a certain hostname + change the INPUT chains into OUTPUT, although I doubt you can do this via the INPUT chain....
> 
> a.
> 
> 
> On 11-Jun-12 16:39, Michel van Dop wrote:
> Hello,
> 
> By default I block the server from getting any content on port 80 and port 443. I
> use the custom-rules.
> 
> But sometimes I must unblock an IP: some CMS websites must communicate with
> another server on port 80 for spam blacklists etc., so...
> 
> I use this:
> 
> # exception to one webserver.
> /sbin/iptables -A OUTPUT -s xx.xx.xx.xx -d xx.xx.xx.xx -p tcp --dport 80 -j ACCEPT
> 
> # now blocking the rest
> /sbin/iptables -A OUTPUT -p tcp --dport 80 -j DROP
> /sbin/iptables -A OUTPUT -p tcp --dport 443 -j DROP
> 
> 
> This works great...  But now one DNS name has more IPs (load balancing); how
> to accept this?  I know iptables does not work for a domain name, only an IP.
> And sometimes there is a DNS change and the iptables rule does not work.
> 
> Does anyone have a good solution?
> 
> Best regards,
> 
> Michel
> 
> 
> 
> 
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
