iptables can filter by hostname and not ip address ?

iptables can filter by hostname and not ip address ?

Post by cdt_sylvestr » Tue, 08 Oct 2002 18:32:49



Hi,
I'd like to know if it's possible to filter by hostname and not by IP address for
iptables.

The fact is that I want to administer my server from my machine at home, which
has a dynamic address (ADSL).

Thanks


iptables can filter by hostname and not ip address ?

Post by Sybre » Tue, 08 Oct 2002 18:24:02



> I'd like to know if it's possible to filter by hostname and not by IP address
> for iptables.

It's very possible. Just ploink in the hostname (AFAIK).

> The fact is that I want to administer my server from my machine at home,
> which has a dynamic address (ADSL)

You can also use the following line to get your current IP address:

export MY_IP=`ifconfig eth0 | grep 'inet addr' | awk '{ print $2 }' | sed -e 's/.*://g'`

This should all be on one line, btw.

Sybren
--
Do you think I'm rude, or don't you understand my answers? Read this page
[http://www.tuxedo.org/~esr/faqs/smart-questions.html#intro] and you'll
understand. You'll also see that I'm not rude in this
(http://www.tuxedo.org/~esr/faqs/smart-questions.html#rtfm) section.


iptables can filter by hostname and not ip address ?

Post by Jim Levi » Tue, 08 Oct 2002 22:22:44



> Hi,
> I'd like to know if it's possible to filter by hostname and not by IP address
> for iptables.

> The fact is that I want to administer my server from my machine at home,
> which has a dynamic address (ADSL)

When building rules, you can specify a hostname rather than an IP. In
that case iptables converts the hostname to an IP via a lookup in the
local hosts file or DNS in order to build the internal representation of
the rule. And that's because all iptables sees is the source and
destination IP when a packet arrives.

Since you have a changing IP, the hostname associated with that IP (as
found in your provider's DNS) will change along with the IP. And it's
that hostname, not the one you have configured locally on your home
machine that matters.

You can do this relatively safely. In all likelihood the IP that
you'll get on your ADSL connection is going to lie within a relatively
small range, probably a Class C address space. You could tell iptables to
allow ssh only from hosts in that range and then configure ssh to
restrict itself to those connections that offer the correct pre-shared
key or to restrict itself to connections from a particular user.
--
The instructions said to use Windows 98 or better, so I installed RedHat.


iptables can filter by hostname and not ip address ?

Post by D. Stuss » Wed, 09 Oct 2002 05:26:35



> Hi,
> I'd like to know if it's possible to filter by hostname and not by IP address for
> iptables.

> The fact is that I want to administer my server from my machine at home, which
> has a dynamic address (ADSL)

No.

If you input a rule with a hostname, it translates it to all that host's IP
addresses (if multihomed).

IP packets themselves do not have hostnames.

However, one may filter by INTERFACE....


iptables can filter by hostname and not ip address ?

Post by Vunderkin » Wed, 09 Oct 2002 07:23:30


> If you input a rule with a hostname, it translates it to all that host's IP
> addresses (if multihomed).

> IP packets themselves do not have hostnames.

> However, one may filter by INTERFACE....

I prefer to do both.  I have a line in my script

iptables -A protect -m state --state NEW -i eth0 -s 192.168.1.0/24 -j ACCEPT

I have been able to find a few programs (on Windows machines on my
network) broadcasting packets with source IPs I didn't assign. The
offending programs were swiftly removed.


iptables can filter by hostname and not ip address ?

Post by Duncan Thomso » Wed, 09 Oct 2002 22:26:59



> Hi,
> I'd like to know if it's possible to filter by hostname and not by IP address for
> iptables.

> The fact is that I want to administer my server from my machine at home, which
> has a dynamic address (ADSL)

Wait a minute, there's something confusing here.  You have a
dynamic address but you have a DNS hostname?  You're using
dynamic DNS here?  You must have a more sophisticated ISP
than I do!

Duncan


iptables can filter by hostname and not ip address ?

Post by Tim Hayne » Wed, 09 Oct 2002 22:43:22



>> The fact is that I want to administer my server from my machine at home,
>> which has a dynamic address (ADSL)

> Wait a minute, there's something confusing here. You have a dynamic
> address but you have a DNS hostname? You're using dynamic DNS here? You
> must have a more sophisticated ISP than I do!

Free dyndns sites abound. (Cf. cjb.net, dyndns.org.)

However, you have to pay a small amount of attention to your firewall
script before doing anything with DNS names in it - specifically, it helps
if you can guaranteably get to your nameserver to resolve the name first.
And given that nameservers are not 100% reliable, don't expect anything
relying on using a DNS name in a firewall script to work all the time - put
it right down the bottom of the rules in a chain all its own, I would.

~Tim
--
   14:39:20 up 4 days, 19:26,  9 users,  load average: 0.01, 0.11, 0.15

http://piglet.is.dreaming.org     |Memories twist in the rain
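Jim Levi's post above explains that iptables resolves a name once, when the rule is built, and Tim Haynes's that the resolution can fail and that anything depending on it belongs in a chain of its own at the bottom of the rule set. The script below is an added example by the editor, not code posted by anyone in this thread. It rebuilds such a chain from the current address(es) of a dynamic-DNS name and is meant to run from cron or an ip-up hook; the chain name dyn-ssh, the iptables path and sshd on port 22 are assumptions. `getent ahostsv4` is the glibc resolver front end, so only A records are used (ip6tables is a separate rule set). A resolver failure leaves the previous rules in place rather than emptying the chain.

```shell
#!/bin/sh
# refresh-dyn-ssh.sh: rebuild a dedicated chain from the current address(es)
# of a dynamic-DNS name.  Run it every few minutes from cron; the rest of the
# rule set is never touched, and a resolver failure leaves the old rules alone.
IPT=${IPT:-/sbin/iptables}      # iptables binary (assumed path)
CHAIN=${CHAIN:-dyn-ssh}         # chain that INPUT jumps to for port 22 (assumed name)

# Strict dotted-quad check.  A DNS answer is attacker-influenced input and must
# never be spliced into a command line unvalidated.  Leading zeros are rejected
# because different parsers read them as octal or decimal.
is_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++)
        if ($i !~ /^[0-9]+$/ || $i ~ /^0[0-9]/ || $i > 255) exit 1 }
    { exit 0 }'
}

# All A records of a name, one per line, duplicates removed.  A multihomed
# name yields one rule per address, which is also what "-s name" does at -A time.
resolve_v4() {
  getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Emit the chain's rules as iptables argument strings, one per line, for the
# given addresses.  The final RETURN hands unmatched traffic back to INPUT so
# the default policy there still applies.
rules_for() {
  chain=$1; port=$2; shift 2
  for ip in "$@"; do
    is_ipv4 "$ip" || continue
    printf '%s\n' "-A $chain -s $ip/32 -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  printf '%s\n' "-A $chain -j RETURN"
}

# Resolve, validate, then flush and refill only this chain.  The window with no
# ACCEPT rule is a few milliseconds and fails closed; an existing ssh session
# survives it because the ESTABLISHED rule lives elsewhere in INPUT.
refresh() {
  host=$1; port=${2:-22}
  addrs=$(resolve_v4 "$host")
  if [ -z "$addrs" ]; then
    echo "refresh: $host did not resolve; leaving $CHAIN unchanged" >&2
    return 1
  fi
  $IPT -N "$CHAIN" 2>/dev/null || true   # create on first run, ignore "exists"
  $IPT -F "$CHAIN"
  # shellcheck disable=SC2086  (word splitting of is_ipv4-validated fields is intended)
  rules_for "$CHAIN" "$port" $addrs | while IFS= read -r rule; do
    $IPT $rule
  done
}

# Wiring, done once by the main firewall script, not here:
#   iptables -A INPUT -p tcp --dport 22 -j dyn-ssh    (last rule before the default DROP)
if [ -n "${1:-}" ]; then
  refresh "$1" "${2:-22}"
fi
```

Usage: `refresh-dyn-ssh.sh myhome.dyndns.example` from a cron entry such as `*/5 * * * *`. The chain only narrows who can reach the ssh port; whoever controls the DNS name, or can spoof the answer to this host's resolver, controls that exposure, so the real authentication still has to be sshd's (key-only logins, AllowUsers), exactly as Jim Levi's post advises.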


iptables can filter by hostname and not ip address ?

Post by Tim Pailthorp » Thu, 10 Oct 2002 01:48:11


As an alternative you could set up a VPN between the two systems using a
RoadWarrior config; see www.freeswan.org.
That way you can communicate securely whatever your IP address changes to.



> > Hi,
> > I'd like to know if it's possible to filter by hostname and not by IP address
> > for iptables.

> > The fact is that I want to administer my server from my machine at home,
> > which has a dynamic address (ADSL)

> When building rules, you can specify a hostname rather than an IP. In
> that case iptables converts the hostname to an IP via a lookup in the
> local hosts file or DNS in order to build the internal representation of
> the rule. And that's because all iptables sees is the source and
> destination IP when a packet arrives.

> Since you have a changing IP, the hostname associated with that IP (as
> found in your provider's DNS) will change along with the IP. And it's
> that hostname, not the one you have configured locally on your home
> machine that matters.

> You can do this relatively safely. In all likelihood the IP that
> you'll get on your ADSL connection is going to lie within a relatively
> small range, probably a Class C address space. You could tell iptables to
> allow ssh only from hosts in that range and then configure ssh to
> restrict itself to those connections that offer the correct pre-shared
> key or to restrict itself to connections from a particular user.
> --
> The instructions said to use Windows 98 or better, so I installed RedHat.


iptables can filter by hostname and not ip address ?

Post by Duncan Thomso » Thu, 10 Oct 2002 22:11:25



> Free dyndns sites abound. (C.f. cjb.net, dyndns.org.)

Cool!  I didn't know those sites existed.  Have those been around
for a while?  It'll be real handy to have a DNS name for my home
machine.

Duncan


iptables can filter by hostname and not ip address ?

Post by Sybre » Thu, 10 Oct 2002 22:33:59



> Cool!  I didn't know those sites existed.  Have those been around
> for a while?

Been around for years ;-)

Sybren

iptables can filter by hostname and not ip address ?

Post by Tim Hayne » Thu, 10 Oct 2002 22:55:04




>> Free dyndns sites abound. (C.f. cjb.net, dyndns.org.)

> Cool! I didn't know those sites existed. Have those been around for a
> while?

Dyndns has been around for at least the last five years. Before that, I
remember ml.org as well.

> It'll be real handy to have a DNS name for my home machine.

Take your pick from
<http://directory.google.com/Top/Computers/Software/Internet/Servers/A...>
- I use cjb.net, others use dyndns. Either way, just look at the domain
names you can choose from - either fixed `cjb.net' or `shacknet.nu' and
ath.cx (via dyndns), whatever makes you happiest :)

~Tim
--

All our roads are waiting / To be revealed  |http://spodzone.org.uk/


iptables can filter by hostname and not ip address ?

Post by pont.. » Fri, 11 Oct 2002 05:03:26





>> Free dyndns sites abound. (C.f. cjb.net, dyndns.org.)

> Cool!  I didn't know those sites existed.  Have those been around
> for a while?  It'll be real handy to have a DNS name for my home
> machine.

But don't forget that none of these will properly reverse-resolve
for you. Only your ISP can do that. But at the moment, aside from
maybe helping track down attackers or spammers, the only good
reason I can come up with is using the "opportunistic encryption"
feature of FreeS/WAN.

Dale Pontius
NOT speaking for IBM


iptables can filter by hostname and not ip address ?

Post by /dev/rob » Sun, 20 Oct 2002 23:30:56




> If you input a rule with a hostname, it translates it to all that host's IP
> addresses (if multihomed).

> IP packets themselves do not have hostnames.

> However, one may filter by INTERFACE....

This is perhaps a related question ... I am running a small dedicated
firewall system with no significant external services available. I run a
few external services on an internal machine. Here's the rule I used:

#v+
for PORT in $FWDPORTS ; do
  $IPT -A PREROUTING -t nat -p tcp -d $EXTIP --dport $PORT -j DNAT \
    --to $FWDHOST:$PORT
done
#v-

where of course $IPT is /usr/sbin/iptables, $FWDPORTS are the TCP ports
which I send to the internal $FWDHOST, and $EXTIP is the external IP
address. Could I use "-i $EXTIF" (external interface) in place of the
"-d $EXTIP" above? If such an example is in the HOWTOs and docs, I
missed it.

My problem is similar to the OP's in that the $EXTIP is dynamic. I'd
prefer to have a firewall script which would run once and be forgotten.
As it is I have to rerun it if the $EXTIP should happen to change, and
if not for this DNAT stuff I wouldn't even need to know the $EXTIP for
my script.

--

  or put "not-spam" or "/dev/rob0" in Subject header to reply
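The DNAT question in /dev/rob0's post above, worked through as an added example (the editor's code, not /dev/rob0's script). In the nat table's PREROUTING chain `-i` is a legal match, so the forward can be keyed on the ingress interface and the script no longer needs to know $EXTIP at all. The interface name eth0, the internal host 192.168.1.10 and the port list are assumptions. Two points the question does not mention: DNAT only rewrites the packet, so the filter table's FORWARD chain must still accept it; and `-i $EXTIF` is broader than `-d $EXTIP`, because it also rewrites packets arriving on that interface for any other destination the box routes, which is equivalent only when the dynamic address is the sole public address behind that interface.

```shell
#!/bin/sh
# fwd-by-iface.sh: TCP port forwarding keyed on the external interface, so the
# firewall script can run once at boot and ignore later address changes.
IPT=${IPT:-/usr/sbin/iptables}
EXTIF=${EXTIF:-eth0}              # external interface (assumed)
FWDHOST=${FWDHOST:-192.168.1.10}  # internal server that receives the traffic (assumed)
FWDPORTS=${FWDPORTS:-"22 80 443"} # ports to forward (assumed)

# Digits only and 1..65535; the port list is the one operator-supplied input
# that gets spliced into rules, so it is checked before anything is applied.
is_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Rules for one port, printed as iptables argument strings, one per line:
#  - nat/PREROUTING matches the ingress interface instead of the external IP;
#  - filter/FORWARD must still accept the rewritten packet.  The conntrack
#    entry created by the DNAT takes care of the reply direction, given the
#    usual "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" in FORWARD.
fwd_rules() {
  extif=$1 host=$2 port=$3
  is_port "$port" || return 1
  printf '%s\n' "-t nat -A PREROUTING -i $extif -p tcp --dport $port -j DNAT --to-destination $host:$port"
  printf '%s\n' "-A FORWARD -i $extif -d $host -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
}

# Validate the whole list first so a typo aborts before any rule is changed,
# then apply the rules for every port.
apply_forwards() {
  for p in $FWDPORTS; do
    is_port "$p" || { echo "apply_forwards: bad port '$p'" >&2; return 1; }
  done
  for p in $FWDPORTS; do
    fwd_rules "$EXTIF" "$FWDHOST" "$p" | while IFS= read -r rule; do
      # shellcheck disable=SC2086  (word splitting of validated fields is intended)
      $IPT $rule
    done
  done
}

if [ "${1:-}" = apply ]; then
  apply_forwards
fi
```

Usage: `fwd-by-iface.sh apply` from the boot-time firewall script. `-i` is only valid in PREROUTING, INPUT and FORWARD; a matching SNAT or MASQUERADE in POSTROUTING is keyed on `-o $EXTIF` for the same reason. Internal clients that connect to the external name still need a separate hairpin rule, since their packets never arrive on $EXTIF.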

