[Firewall] Custom-rules

Gustin Johnson gustin at meganerd.ca
Wed Jun 13 20:46:54 CEST 2012


Cool,  I did not know this.   It has been more than a few years since I
last looked at this.

Sent from my Android device, please excuse my brevity.
On Jun 13, 2012 12:09 PM, "Lonnie Abelbeck" <lists at lonnie.abelbeck.com> wrote:

> Hi Gustin,
>
> 'iptables' actually builds rules for each round-robin DNS entry, at least
> iptables v1.4.13 does.
>
> $ iptables -N TEST
>
> $ iptables -A TEST -s google.com -j ACCEPT
>
> $ iptables -nvL TEST
> Chain TEST (0 references)
>  pkts bytes target     prot opt in     out     source               destination
>    0     0 ACCEPT     all  --  *      *       74.125.227.98        0.0.0.0/0
>    0     0 ACCEPT     all  --  *      *       74.125.227.105       0.0.0.0/0
>    0     0 ACCEPT     all  --  *      *       74.125.227.102       0.0.0.0/0
>    0     0 ACCEPT     all  --  *      *       74.125.227.99        0.0.0.0/0
>    0     0 ACCEPT     all  --  *      *       74.125.227.96        0.0.0.0/0
>    0     0 ACCEPT     all  --  *      *       74.125.227.104       0.0.0.0/0
>    0     0 ACCEPT     all  --  *      *       74.125.227.97        0.0.0.0/0
>    0     0 ACCEPT     all  --  *      *       74.125.227.101       0.0.0.0/0
>    0     0 ACCEPT     all  --  *      *       74.125.227.110       0.0.0.0/0
>    0     0 ACCEPT     all  --  *      *       74.125.227.103       0.0.0.0/0
>    0     0 ACCEPT     all  --  *      *       74.125.227.100       0.0.0.0/0
>
>
> Lonnie
>
>
> On Jun 13, 2012, at 12:53 PM, Gustin Johnson wrote:
>
> > iptables does accept domain names, but it does a lookup; in a round-robin
> > DNS situation you would end up with a rule that matches only one of the
> > returned IPs.
> >
> > In the past I have used a cron job to periodically update the rules for
> > that host. Something like this:
> >
> > # capture the command output into the array (needs $(...)); match any octet, not only 1-9
> > iparray=( $(host google.com | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -f 4 -d " ") )
> >
> > # loop over the array that was actually filled above
> > for each in "${iparray[@]}" ; do echo iptables -do -something "$each" ; done
> >
> > Of course replace google.com with the hostname you are interested in.
> > Also remove the echo from the loop line (for each ...).
> >
> > Hth,
> >
> > On Wed, Jun 13, 2012 at 7:01 AM, Arno van Amersfoort <arnova at rocky.eld.leidenuniv.nl> wrote:
> > I think the "easiest" solution would be modifying the DynDNS-plugin so it
> > opens up all IPs for a certain hostname + change the INPUT chains into
> > OUTPUT, although I doubt you can do this via the INPUT chain....
> >
> > a.
> >
> >
> > On 11-Jun-12 16:39, Michel van Dop wrote:
> > Hello,
> >
> > By default I block the server from getting content on port 80 and port 443.
> > I use the custom-rules.
> >
> > But sometimes I must unblock an IP, as some CMS websites must communicate with
> > another server on port 80 for spam blacklists etc., so..
> >
> > I use this:
> >
> > # exception to one webserver.
> > /sbin/iptables -A OUTPUT -s xx.xx.xx.xx -d xx.xx.xx.xx -p tcp --dport 80 -j ACCEPT
> >
> > # now blocking the rest
> > /sbin/iptables -A OUTPUT -p tcp --dport 80 -j DROP
> > /sbin/iptables -A OUTPUT -p tcp --dport 443 -j DROP
> >
> >
> > This works great...  But now one DNS name has more IPs (load balancing); how
> > to accept this?  I know iptables does not work for a domain name, only an IP.
> > And sometimes there is a DNS change and the iptables rule does not work.
> >
> > Does anyone have a good solution?
> >
> > Best regards,
> >
> > Michel
> >
> >
> >
> >
> > _______________________________________________
> > Firewall mailing list
> > Firewall at rocky.eld.leidenuniv.nl
> > http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> > Arno's (Linux IPTABLES Firewall) Homepage:
> > http://rocky.eld.leidenuniv.nl
> >
>
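An added example, not code from the thread, that puts the cron approach Gustin describes together with Michel's OUTPUT/port 80 setup: every run rebuilds a dedicated chain with one ACCEPT per IPv4 address the name currently resolves to, so the exception follows round-robin or load-balanced DNS instead of freezing on whichever address was returned when the rule was first added. The chain name OUT_ALLOW and the hostname example.invalid are assumptions, and the `host` output below is constructed for the dry run.

```shell
#!/bin/sh
# Added example, not code from the thread. Rebuilds a dedicated chain with one
# ACCEPT rule per IPv4 address that `host` returns for a name, so a cron run
# keeps the exception in step with round-robin / load-balanced DNS.
# Assumed names: chain OUT_ALLOW, hostname example.invalid (both illustrative).

# Keep only "has address" lines from `host` output and print the IPv4 address.
extract_ipv4() {
  grep -E ' has address ([0-9]{1,3}\.){3}[0-9]{1,3}$' | awk '{ print $NF }'
}

# Emit the iptables commands that replace the chain's contents. Commands are
# printed, not run, so a dry run can be reviewed before piping them into sh.
# If the name resolves to nothing, the chain is flushed and stays empty, so the
# later DROP rules in OUTPUT still apply (fail closed rather than open).
gen_rules() {
  chain=$1
  port=$2
  echo "iptables -N $chain 2>/dev/null"
  echo "iptables -F $chain"
  extract_ipv4 | while read -r ip; do
    echo "iptables -A $chain -d $ip -p tcp --dport $port -j ACCEPT"
  done
}

# Constructed sample of `host` output for a two-address round-robin name;
# the AAAA and MX lines are there to show they are ignored.
SAMPLE_HOST_OUTPUT='example.invalid has address 192.0.2.10
example.invalid has address 192.0.2.11
example.invalid has IPv6 address 2001:db8::1
example.invalid mail is handled by 10 mail.example.invalid.'

# Number of ACCEPT rules generated from the sample (2 for the input above).
count_sample_rules() {
  printf '%s\n' "$SAMPLE_HOST_OUTPUT" | gen_rules OUT_ALLOW 80 | grep -c -- '-j ACCEPT'
}

# Dry run: print the commands that a live run would execute.
printf '%s\n' "$SAMPLE_HOST_OUTPUT" | gen_rules OUT_ALLOW 80

# Live use (as root), e.g. from cron every 15 minutes:
#   host example.invalid | gen_rules OUT_ALLOW 80 | sh
# and reference the chain once from OUTPUT, ahead of the port 80/443 DROP rules:
#   iptables -I OUTPUT 1 -p tcp --dport 80 -j OUT_ALLOW
```

The accepted set is only as fresh as the last cron run and only as trustworthy as the resolver answering `host`, so the interval should be shorter than the record's TTL and the resolver should be one you control.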

