Dear Friends,

When I execute the below command

iptables -A FORWARD -d chatenabled.mail.google.com -j DROP

I receive the following message.

iptables v1.2.11: host/network `chatenabled.mail.google.com' not found

Thanks
Adriano Frare
Jason Bradley Nance
2006-Jul-08 14:06 UTC
[CentOS] IPTABLES don't solve name HOST - CENTOS 4.3
> iptables -A FORWARD -d chatenabled.mail.google.com -j DROP

IPTABLES doesn't filter based on hostname. You would need some special module (assuming it exists) and it for sure isn't part of RHEL/CentOS.

j
William L. Maltby
2006-Jul-08 14:34 UTC
[CentOS] IPTABLES don't solve name HOST - CENTOS 4.3
On Fri, 2006-07-07 at 23:16 -0300, Adriano Frare wrote:
> Dear Friends,
>
> When I execute the below command
>
> iptables -A FORWARD -d chatenabled.mail.google.com -j DROP
>
> I receive the following message.
>
> iptables v1.2.11: host/network `chatenabled.mail.google.com' not found

If we can presume that the man page for iptables is correct that it can filter using hostname, we can also presume that it must have some method for doing a DNS-like resolution process. Since dig of "chatenabled..." shows it exists and is resolvable, is your iptables set up to use your resolution facility? If early in the boot procedure, maybe resolution is not yet available?

As a test on my fully-updated-box-stock workstation, I did the following.

[wild-bill at wlmlfs08 ~]$ dig chatenabled.mail.google.com

; <<>> DiG 9.2.4 <<>> chatenabled.mail.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38992
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 6

;; QUESTION SECTION:
;chatenabled.mail.google.com.     IN      A

;; ANSWER SECTION:
chatenabled.mail.google.com. 472028 IN  CNAME   b.googlemail.l.google.com.
b.googlemail.l.google.com.   15     IN  A       64.233.185.189

<snip the rest>

So we know it exists. Then I did

# iptables -A FORWARD -d chatenabled.mail.google.com -j DROP
# iptables -L
Chain INPUT (policy ACCEPT)
target               prot opt source      destination
RH-Firewall-1-INPUT  all  --  anywhere    anywhere

Chain FORWARD (policy ACCEPT)
target               prot opt source      destination
RH-Firewall-1-INPUT  all  --  anywhere    anywhere
DROP                 all  --  anywhere    64.233.185.189

So, on my WS it works. Conditions: I am fully up and running, private net w/local caching server and forwarding to ISP servers, DHCP assigned IPs, etc. Pretty much stock to the bone. Oh, gateway is IPCop, which also provides the DHCP and normal firewall services for my net.

Have you tried doing the add after fully booted and being served?

> Thanks
> Adriano Frare
<snip sig stuff>

HTH
--
Bill
Aleksandar Milivojevic
2006-Jul-08 17:25 UTC
[CentOS] IPTABLES don't solve name HOST - CENTOS 4.3
William L. Maltby wrote:
> If we can presume that the man page for iptables is correct that it can
> filter using hostname, we can also presume that it must have some method
> for doing a DNS-like resolution process. Since dig of "chatenabled..."
> shows it exists and is resolvable, is your iptables set up to use your
> resolution facility? If early in the boot procedure, maybe resolution is
> not yet available?

Iptables does not filter based on host names. The name gets resolved to the IP address, and the rule is inserted using that IP address (as the output of iptables -L shows you). If the IP address changes, the rule doesn't get automagically updated.

A DNS lookup can return more than one address. Do you know what iptables will do in that case?

A DNS lookup can also return a different address depending on which ISP you are using. For example, chatenabled.mail.google.com from the example can also resolve to 216.239.63.189 (queried from my hotel's network in California) or 66.102.11.189 (queried from a host located in Croatia). If I were to query it from my home in Winnipeg, I'd probably get yet another IP address. Another example: try resolving www.google.com and you'll most likely get several IP addresses returned. Who knows, maybe resolving Google's chatenabled will also start returning multiple A RRs one day in the future.

Check /etc/nsswitch.conf and /etc/resolv.conf. See if the configuration in there is correct. Note that utilities such as dig or nslookup use only the resolv.conf file.

During the boot, the iptables script runs before the network script. Or at least it should run before the network script. Therefore, you can't resolve names using DNS during boot (you can only use names that are in /etc/hosts).

Check if your firewall rules actually allow you to perform a DNS query. Maybe your iptables rules are blocking themselves.

Having said all this, as the manual page says, using host names with iptables is a really bad idea. You never know what you are going to get.

And you always run a risk of somebody breaking into your network by spoofing DNS replies (or playing with your trust in DNS in some other way).
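As an added example (not part of the original thread, and not anyone's posted code), the script below does what the replies above recommend instead of passing a hostname to iptables: resolve the name yourself, emit one rule per address with a literal IP so the rule file says what is really filtered and loads before DNS is up, and re-resolve later to flag drift. The hostname, the FORWARD chain and the three sample addresses are the ones quoted in the thread; the resolver is a pluggable parameter so the logic can be exercised offline against a constructed answer set (the default resolver calls socket.getaddrinfo, which is the same library call iptables uses internally).

```python
"""Emit literal-IP iptables DROP rules for a hostname and detect DNS drift.

Added example, not from the CentOS thread. iptables resolves a hostname
once, when the rule is inserted, and stores only the address(es) it got
back; nothing updates the rule when the name later maps elsewhere.  The
safer pattern is to resolve explicitly, record the answer set, write rules
with literal addresses, and periodically compare a fresh answer against
the recorded one.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Set, Tuple

# A resolver maps a hostname to the set of IPv4 addresses it currently has.
Resolver = Callable[[str], Set[str]]


def resolve_ipv4(hostname: str) -> Set[str]:
    """Return every IPv4 A record for hostname via the system resolver.

    Same underlying call iptables makes (getaddrinfo), but the whole
    answer set is returned instead of being silently truncated.
    """
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def drop_rules(hostname: str, chain: str = "FORWARD",
               resolve: Resolver = resolve_ipv4) -> List[str]:
    """Return one `iptables -A <chain> -d <ip> -j DROP` command per address.

    Rules are sorted numerically so two runs over the same answer set
    produce identical output (easy to diff in a rules file).  A name with
    no A records raises rather than quietly producing nothing to block.
    """
    # IPv4Address() rejects anything that is not a literal dotted quad, so
    # a hostname can never leak through into the generated rule.
    addrs = sorted(ipaddress.IPv4Address(a) for a in resolve(hostname))
    if not addrs:
        raise ValueError(f"{hostname}: no A records, refusing to emit an empty rule set")
    return [f"iptables -A {chain} -d {ip} -j DROP  # {hostname}" for ip in addrs]


def drift(recorded: Iterable[str], current: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Compare the address set recorded at insertion time with a fresh one.

    Returns (stale, missing): `stale` are addresses still blocked although
    the name no longer maps to them; `missing` are addresses the name now
    maps to that no rule covers.  Either non-empty set means the rule set
    should be regenerated.
    """
    recorded, current = set(recorded), set(current)
    return recorded - current, current - recorded


if __name__ == "__main__":
    import sys

    name = sys.argv[1] if len(sys.argv) > 1 else "chatenabled.mail.google.com"
    for rule in drop_rules(name):
        print(rule)
```

Run it with a hostname to print the rules to paste into your firewall script; keep the printed addresses alongside the rules and feed them back into drift() from a cron job to learn when the name has moved. Note that this does nothing against the spoofed-DNS problem raised above: you are still trusting whatever answer the resolver returned at generation time, only now that trust is visible in the rules file instead of hidden inside iptables.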