CentOS - Jul 2006 - IPTABLES don't solve name HOST - CENTOS 4.3

Dear Friends,

When I execute below command

iptables -A FORWARD -d chatenabled.mail.google.com -j DROP


I have received follow messages.

iptables v1.2.11: host/network `chatenabled.mail.google.com' not found




Thanks


Adriano Frare

> iptables -A FORWARD -d chatenabled.mail.google.com -j DROP
IPTABLES doesn't filter based on hostname.  You would need some special 
module (assuming it exists) and it for sure isn't part of RHEL/CentOS.

j

On Fri, 2006-07-07 at 23:16 -0300, Adriano Frare wrote:
> Dear Friends,
> 
> When I execute below command
> 
> iptables -A FORWARD -d chatenabled.mail.google.com -j DROP
> 
> 
> I have received follow messages.
> 
> iptables v1.2.11: host/network `chatenabled.mail.google.com' not found
If we can presume that the man page for iptables is correct that it can
filter using hostname, we can also presume that it must have some method
for doing a DNS-like resolution process. Since dig of "chatenabled..."
shows it exists and is resolvable, is your iptables set up to use your
resolution facility? If early in the boot procedure, maybe resolution is
not yet available?

As a test on my fully-updated-box-stock workstation, I did the
following.

[wild-bill at wlmlfs08 ~]$ dig chatenabled.mail.google.com

; <<>> DiG 9.2.4 <<>> chatenabled.mail.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38992
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 6

;; QUESTION SECTION:
;chatenabled.mail.google.com.   IN      A

;; ANSWER SECTION:
chatenabled.mail.google.com. 472028 IN  CNAME
b.googlemail.l.google.com.
b.googlemail.l.google.com. 15   IN      A       64.233.185.189
<snip the rest>

So we know it exists. Then I did

# iptables -A FORWARD -d chatenabled.mail.google.com -j DROP
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
DROP       all  --  anywhere             64.233.185.189

So, on my WS it works. Conditions: I am fully up and running, private
net w/local caching server and forwarding to ISP servers, DHCP assigned
IPs, etc. Pretty much stock to the bone. Oh, gateway is IPCop, which
also provides the DHCP and normal firewall services for my net.

Have you tried doing the add after fully booted and being served?
> 
> 
> 
> Thanks
> 
> 
> Adriano Frare
> <snip sig stuff>
HTH
-- 
Bill
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL:
<http://lists.centos.org/pipermail/centos/attachments/20060708/3c379ec7/attachment-0002.sig>

William L. Maltby wrote:
> If we can presume that the man page for iptables is correct that it can
> filter using hostname, we can also presume that it must have some method
> for doing a DNS-like resolution process. Since dig of
"chatenabled..."
> shows it exists and is resolvable, is your iptables set up to use your
> resolution facility? If early in the boot procedure, maybe resolution is
> not yet available?
Iptables do not filter based on host names.  The name gets resolved to 
the IP adress, and the rule is inserted using that IP address (as the 
output of iptables -L shows you).  If IP address changes, the rule 
doesn't get automagically updated.

DNS lookup can return more than one address.  Do you know what iptables 
will do in that case?

DNS lookup can also return a different address depending on which ISP 
you are using.  For example, chatenabled.mail.google.com from the 
example can also resolv to 216.239.63.189 (queried from my hotel's 
network in California) or 66.102.11.189 (queried from host located in 
Croatia).  If I were to query it from my home in Winnipeg, I'd probably 
get yet another IP address.

Another example, try resolving www.google.com and you'll most likely get 
several IP addresses returned.  Who knows, maybe resolving Google's 
chatenabled will also start returning multiple RR A records one day in 
the future.

Check /etc/nsswitch.conf and /etc/resolv.conf.  See if configuration 
inthere is correct.  Note that utilities such as dig or nslookup use 
only resolv.conf file.

During the boot, iptables script runs before network script.  Or at 
least should run before network script.  Therefore, you can't resolve 
names using DNS during boot (you can only use names that are in /etc/hosts).

Check if firewall rules actually allow you to perform DNS query.  Maybe 
your iptables rules are blocking themself.

Said all this, as manual page says, using host names with iptables is 
really bad idea.  You never know what you are going to get.  And you 
always run a risk of somebody breaking into your network by spoofing DNS 
replies (or playing with your trust in DNS in some other way).