I've found that under Fedora Core 2, iptables-save writes out hostnames
instead of IP addresses (in some cases only). Fedora Core 3 seems to
have fixed this.
This causes problems for me, since shorewall is linked from
/etc/rc3.d/S25shorewall, and named is linked from /etc/rc3.d/S55named.
Hence, shorewall starts before named. My /etc/resolv.conf only points at
127.0.0.1, so when shorewall starts, iptables-restore can't resolve the
hostnames, and hence fails to operate.
Note: iptables-save seems to only write hostnames for the
"--ctorigdst"
parameter, eg.:
-A vpn2fw -p tcp -m tcp --dport 25 -m conntrack \
--ctorigdst pub-linode-wye-1.wwwdotorg.org -j ACCEPT
Other locations, such as the -d flag work as expected:
-A vpn2fw -d 70.85.31.133 -p tcp ...
So, does anyone know how to make iptables-save only write out IP
addresses? The -n and --numeric options described in "man iptables"
don't seem to affect iptables-save (although they are accepted without
error).
I guess I could just write a script to munge hostnames back to IPs after
running "shorewall save", but no doubt I won't always
remember to do that!
--
Stephen Warren, Software Engineer, NVIDIA, Fort Collins, CO
swarren@wwwdotorg.org http://www.wwwdotorg.org/pgp.html
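The post-save script mentioned above, written out as an added example (it is not from the thread or from shorewall/iptables). It rewrites the address argument of the conntrack match options in an iptables-save dump to literal IPv4 addresses, keeps any /mask suffix, and offers a check that lists the names iptables-restore would still have to resolve at boot. Assumptions: the thread only reports --ctorigdst, so treating --ctorigsrc, --ctreplsrc and --ctrepldst the same way is an assumption based on them taking the same kind of argument; the sample dump is constructed from the two rule lines quoted above plus filler; the name-to-address table is constructed (192.0.2.0/24 is documentation space, not the host's real address) and stands in for what an /etc/hosts entry or a working DNS lookup would return.

```python
"""Rewrite hostnames in an iptables-save dump to literal IP addresses.

Run it on the output of `iptables-save` (or on the file that `shorewall save`
writes) so that `iptables-restore` never has to resolve a name at boot.
"""
import ipaddress
import re
import socket
import sys
from typing import Callable, Dict, List

# conntrack match options whose argument is an address (optionally addr/mask).
# The thread only reports --ctorigdst; the other three are an assumption,
# listed because they take the same kind of argument.
ADDR_OPT_RE = re.compile(r"(?P<opt>--ct(?:orig|repl)(?:src|dst))\s+(?P<val>\S+)")

# Constructed sample: the two rule lines quoted in the thread, plus a chain
# header and a masked numeric address, laid out as iptables-save prints them.
SAMPLE_DUMP = """\
*filter
:vpn2fw - [0:0]
-A vpn2fw -p tcp -m tcp --dport 25 -m conntrack --ctorigdst pub-linode-wye-1.wwwdotorg.org -j ACCEPT
-A vpn2fw -d 70.85.31.133 -p tcp -m tcp --dport 80 -j ACCEPT
-A vpn2fw -m conntrack --ctorigsrc 10.0.0.0/8 -j DROP
COMMIT
"""

# Constructed name->address table (192.0.2.0/24 is documentation space, not
# the host's real address). It plays the role an /etc/hosts entry would.
CONSTRUCTED_HOSTS = {"pub-linode-wye-1.wwwdotorg.org": "192.0.2.10"}

Resolver = Callable[[str], str]


def is_numeric(value: str) -> bool:
    """True if value is already a literal IPv4 address, with or without /mask."""
    host = value.split("/", 1)[0]
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return False
    return True


def dns_resolver(name: str) -> str:
    """Default resolver: the system resolver (so named must be up when this runs)."""
    return socket.gethostbyname(name)


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Resolver backed by a fixed table; raises on a name it does not know."""
    def resolve(name: str) -> str:
        try:
            return table[name]
        except KeyError:
            raise RuntimeError(f"cannot resolve {name!r}") from None
    return resolve


def unresolved_names(dump: str) -> List[str]:
    """Hostnames (not literal addresses) used by conntrack address options.

    Anything returned here is what iptables-restore would have to look up at
    boot; an empty list means the dump restores fine before named is running.
    """
    return [m.group("val").split("/", 1)[0]
            for m in ADDR_OPT_RE.finditer(dump)
            if not is_numeric(m.group("val"))]


def numericize_line(line: str, resolve: Resolver = dns_resolver) -> str:
    """Replace the hostname argument of every conntrack address option on one line."""
    def fix(m):
        opt, val = m.group("opt"), m.group("val")
        if is_numeric(val):
            return m.group(0)                        # already numeric: untouched
        host, sep, mask = val.partition("/")
        return f"{opt} {resolve(host)}{sep}{mask}"   # keep any /mask suffix
    return ADDR_OPT_RE.sub(fix, line)


def numericize(dump: str, resolve: Resolver = dns_resolver) -> str:
    """Rewrite a whole dump; an unresolvable name raises instead of being kept.

    Failing here, at save time, is deliberate: a name that cannot be resolved
    now is exactly what would make iptables-restore fail at the next boot.
    """
    return "".join(numericize_line(line, resolve)
                   for line in dump.splitlines(keepends=True))


if __name__ == "__main__":
    # Usage: iptables-save | python numericize.py > /etc/sysconfig/iptables
    sys.stdout.write(numericize(sys.stdin.read()))
```

Running `unresolved_names()` over the saved file is the check to do before rebooting: it reports names still present in a conntrack option and stays silent when every rule is numeric, which is the state the thread is trying to reach.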
Stephen Warren wrote:
> I've found that under Fedora Core 2, iptables-save writes out hostnames
> instead of IP addresses (in some cases only). Fedora Core 3 seems to
> have fixed this.

I'm guessing that I need to get this patch applied by the Fedora-legacy
people:

http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/iptables/extensions/libipt_conntrack.c?r1=1316&r2=1382

(or build my own hacked rpm...)

--
Stephen Warren, Software Engineer, NVIDIA, Fort Collins, CO
swarren@wwwdotorg.org http://www.wwwdotorg.org/pgp.html
On Sunday 13 November 2005 17:06, Stephen Warren wrote:
> Stephen Warren wrote:
> > I've found that under Fedora Core 2, iptables-save writes out hostnames
> > instead of IP addresses (in some cases only). Fedora Core 3 seems to
> > have fixed this.
>
> I'm guessing that I need to get this patch applied by the Fedora-legacy
> people:
>
> http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/iptables/extensions/libipt_conntrack.c?r1=1316&r2=1382
>
> (or build my own hacked rpm...)

Yes -- you need to patch iptables (I wrote the patch to fix this problem that
went into the Netfilter source tree :-) )

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> On Sunday 13 November 2005 17:06, Stephen Warren wrote:
>
>> Stephen Warren wrote:
>>
>>> I've found that under Fedora Core 2, iptables-save writes out hostnames
>>> instead of IP addresses (in some cases only). Fedora Core 3 seems to
>>> have fixed this.
>>
>> I'm guessing that I need to get this patch applied by the Fedora-legacy
>> people:
>>
>> http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/iptables/extensions/libipt_conntrack.c?r1=1316&r2=1382
>>
>> (or build my own hacked rpm...)
>
> Yes -- you need to patch iptables (I wrote the patch to fix this problem that
> went into the Netfilter source tree :-) )

Another alternative: add the hostnames to /etc/hosts, then they're always
resolvable. That's nasty, since I then have to remember to fix /etc/hosts if
anything changes, but at least it'll work until I/RedHat patch iptables :-)

--
Stephen Warren, Software Engineer, NVIDIA, Fort Collins, CO
swarren@wwwdotorg.org http://www.wwwdotorg.org/pgp.html