[Firewall] Custom-rules

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Thu Jun 14 07:21:21 CEST 2012


Didn't know this either. Nice feature :-)

On 13-Jun-12 20:46, Gustin Johnson wrote:
> Cool,  I did not know this.   It has been more than a few years since I
> last looked at this.
>
> Sent from my Android device, please excuse my brevity.
>
> On Jun 13, 2012 12:09 PM, "Lonnie Abelbeck" <lists at lonnie.abelbeck.com> wrote:
>
>     Hi Gustin,
>
>     'iptables' actually builds rules for each round-robin DNS entry, at
>     least iptables v1.4.13 does.
>
>     $ iptables -N TEST
>
>     $ iptables -A TEST -s google.com -j ACCEPT
>
>     $ iptables -nvL TEST
>     Chain TEST (0 references)
>      pkts bytes target     prot opt in     out     source               destination
>         0     0 ACCEPT     all  --  *      *       74.125.227.98        0.0.0.0/0
>         0     0 ACCEPT     all  --  *      *       74.125.227.105       0.0.0.0/0
>         0     0 ACCEPT     all  --  *      *       74.125.227.102       0.0.0.0/0
>         0     0 ACCEPT     all  --  *      *       74.125.227.99        0.0.0.0/0
>         0     0 ACCEPT     all  --  *      *       74.125.227.96        0.0.0.0/0
>         0     0 ACCEPT     all  --  *      *       74.125.227.104       0.0.0.0/0
>         0     0 ACCEPT     all  --  *      *       74.125.227.97        0.0.0.0/0
>         0     0 ACCEPT     all  --  *      *       74.125.227.101       0.0.0.0/0
>         0     0 ACCEPT     all  --  *      *       74.125.227.110       0.0.0.0/0
>         0     0 ACCEPT     all  --  *      *       74.125.227.103       0.0.0.0/0
>         0     0 ACCEPT     all  --  *      *       74.125.227.100       0.0.0.0/0
>
>
>     Lonnie
>
>
>     On Jun 13, 2012, at 12:53 PM, Gustin Johnson wrote:
>
>      > iptables does accept domain names, but it does a lookup; in a
>     round-robin DNS situation you would end up with a rule that matches
>     only one of the returned IPs.
>      >
>      > In the past I have used a cron job to periodically update the
>     rules for that host.  Something like this:
>      >
>      > # collect every IPv4 address the name currently resolves to
>      > iparray=( $(host google.com | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -f 4 -d " ") )
>      >
>      > # emit one rule per address (drop the echo to actually apply them)
>      > for each in "${iparray[@]}" ; do echo iptables -do -something "$each" ; done
>      >
>      > Of course replace google.com with the
>     hostname you are interested in.  Also remove the echo from the loop
>     line (for each ...).
>      >
>      > Hth,
>      >
>      > On Wed, Jun 13, 2012 at 7:01 AM, Arno van Amersfoort
>     <arnova at rocky.eld.leidenuniv.nl> wrote:
>      > I think the "easiest" solution would be modifying the
>     DynDNS-plugin so it opens up all IPs for a certain hostname + change
>     the INPUT chains into OUTPUT, although I doubt you can do this via
>     the INPUT chain....
>      >
>      > a.
>      >
>      >
>      > On 11-Jun-12 16:39, Michel van Dop wrote:
>      > Hello,
>      >
>      > By default I block the server from getting any content on port 80 and
>     port 443.  I
>      > use the custom-rules.
>      >
>      > But sometimes I must unblock an IP: some CMS website must communicate
>     with
>      > another server on port 80 for a spam blacklist etc., so..
>      >
>      > I use this:
>      >
>      > # exception to one webserver.
>      > /sbin/iptables -A OUTPUT -s xx.xx.xx.xx -d xx.xx.xx.xx -p tcp --dport 80 -j ACCEPT
>      >
>      > # now blocking the rest
>      > /sbin/iptables -A OUTPUT -p tcp --dport 80 -j DROP
>      > /sbin/iptables -A OUTPUT -p tcp --dport 443 -j DROP
>      >
>      >
>      > This works great...  But now one DNS name has more IPs (load
>     balancing); how
>      > do I accept this?  I know iptables does not work with a domain name,
>     only an IP.
>      > And sometimes there is a DNS change and the iptables rule does not work.
>      >
>      > Do any one have a good solution?
>      >
>      > Best regards,
>      >
>      > Michel
>      >
>      >
>      >
>      >
>      > _______________________________________________
>      > Firewall mailing list
>      > Firewall at rocky.eld.leidenuniv.nl
>     <mailto:Firewall at rocky.eld.leidenuniv.nl>
>      > http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>      > Arno's (Linux IPTABLES Firewall) Homepage:
>      > http://rocky.eld.leidenuniv.nl
>      >

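The cron-driven approach Gustin describes (resolve the hostname, then rebuild the rules for every address it currently returns) as an added example, not code from the thread or from the firewall project. It assumes a dedicated chain named ALLOW_WEB that OUTPUT already jumps to for port 80, and that the `host` command is available; the parsing and rule-building functions work on a constructed sample of `host` output so they can be tried without root.

```shell
#!/bin/sh
# Added example: refresh a dedicated iptables chain with every IPv4 address a
# hostname currently resolves to, suitable for running from cron.
# Assumptions (not from the thread): a chain ALLOW_WEB exists and OUTPUT jumps
# to it, e.g.  iptables -I OUTPUT -p tcp --dport 80 -j ALLOW_WEB

# Extract IPv4 addresses from `host <name>` output, one per line, de-duplicated.
# Only "has address" lines are used, so AAAA and MX lines are ignored.
ips_from_host_output() {
    printf '%s\n' "$1" | awk '$2 == "has" && $3 == "address" { print $4 }' | sort -u
}

# Emit the iptables commands that rebuild a chain for the given IP list.
# Flushing first means addresses the name no longer resolves to drop out.
build_rules() {
    chain=$1
    ips=$2
    printf '%s\n' "iptables -F $chain"
    for ip in $ips; do
        printf '%s\n' "iptables -A $chain -d $ip -p tcp --dport 80 -j ACCEPT"
    done
}

# Resolve a real hostname and apply the rules (needs root; not exercised offline).
# If resolution fails or returns no A records, the existing rules are kept rather
# than flushing the chain and silently allowing nothing (or everything).
refresh_chain() {
    out=$(host "$2") || return 1
    ips=$(ips_from_host_output "$out")
    [ -n "$ips" ] || return 1
    build_rules "$1" "$ips" | sh
}

# Constructed sample of `host` output in the format the thread relies on.
SAMPLE_HOST_OUTPUT='example.org has address 74.125.227.98
example.org has address 74.125.227.105
example.org has IPv6 address 2001:db8::1
example.org mail is handled by 10 mail.example.org.'
```

Run `refresh_chain ALLOW_WEB your.host.name` from cron; because the chain is only ever flushed after a successful lookup, a DNS outage does not tear down the allow-list.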