* iptables modification
From: Ben Alabaster @ 2004-08-04 0:49 UTC
To: netfilter-devel
Hi,
I need to modify my iptables module so that it will store FQDNs in the
routing tables but I have no clue where to start. I will give you an
example of what I'm trying to do to better help explain.
We have (currently) about 150 devices in the field that are assigned
their IP addresses via DHCP from the telephone provider servicing those
devices. These devices poll our DNS server to update their host record
when their IP address changes so that our DNS server always has their
current IP address.
Also, we have about 80 clients who need to be able to poll these devices
in the field for data. The clients' software must be preconfigured
with the IP addresses of these devices in the field (meaning that DHCP
is no good to them; they must use static IPs) and doesn't have the ability
to use FQDNs, only IP addresses.
Currently my iptables are configured using the following command:
iptables -t nat -A OUTPUT -d <static_ip> -j DNAT --to-destination <Dynamic_IP>
This is great while the IP address of the remote device doesn't change,
but when it changes, we then have to update the NAT table.
Ideally, I need to be able to do this:
iptables -t nat -A OUTPUT -d <static_ip> -j DNAT --to-destination <Remote_FQDN>
This will then not resolve the IP address of the remote host until the
packet is being sent out.
I know that I need to modify the command so that I can input an FQDN and
I also need to modify the service so that it will resolve the IP address
when it is actually NAT'ing the packet.
Can you give me some pointers on how I can achieve this please?
Many thanks in advance,
Ben Alabaster
Scorpio Computer & Consulting
* Re: iptables modification
From: m @ 2004-08-04 8:25 UTC
To: ben; +Cc: netfilter-devel
Ben Alabaster writes:
> Hi,
>
> I need to modify my iptables module so that it will store FQDNs in the
> routing tables but I have no clue where to start. I will give you an
> example of what I'm trying to do to better help explain.
You are going about it the wrong way. What you want to do is nearly
impossible, incompatible with how things are designed and a /lot/ of work (I
would guess man-years).
Much easier to use a mobile IP solution, which was designed to assign a
static IP to something which changes IP addresses underneath. I would say
better options are:
- Use IPv6, it has mobile IP built in.
- Use a mobile IPv4 solution. Use Google, there are many options, or simply
write your own using ipip.
- Use a VPN solution. Optionally leave out encryption so you end up with a
VN solution. OpenVPN can meet your needs, others probably as well.
HTH,
M4
--
Courier-mta rocks!
* Re: iptables modification
From: Phil Oester @ 2004-08-04 14:42 UTC
To: Ben Alabaster; +Cc: netfilter-devel
On Tue, Aug 03, 2004 at 06:49:36PM -0600, Ben Alabaster wrote:
> Hi,
>
> I need to modify my iptables module so that it will store FQDNs in the
> routing tables but I have no clue where to start. I will give you an
> example of what I'm trying to do to better help explain.
I think you're better off just running a cron every 5 minutes which
flushes then repopulates the rules. Trying to hack netfilter so
it does DNS lookups for every rule hit doesn't sound efficient.
Phil
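Phil's cron approach, as an added example that is not part of the thread: a POSIX shell script that resolves each FQDN and replaces the rules of a dedicated nat chain in one iptables-restore transaction, leaving the rest of the nat table alone. The chain name DYNDNAT, the map file format and the use of `getent ahostsv4` as the resolver are assumptions; an entry that fails to resolve gets no rule rather than a stale one, since the telco's DHCP pool may have handed the old address to someone else's device.

```shell
#!/bin/sh
# Added example (not from the thread): cron-driven refresh of FQDN-based DNAT rules.
# Assumed one-time setup, done by hand:
#   iptables -t nat -N DYNDNAT
#   iptables -t nat -A OUTPUT -j DYNDNAT
# Assumed map file format, one entry per line: "<static_ip> <fqdn>"; '#' lines are comments.

CHAIN="${CHAIN:-DYNDNAT}"
MAP="${MAP:-/etc/dyndnat.map}"

# resolve_a FQDN: print the first IPv4 address (glibc getent), nothing on failure.
resolve_a() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1; exit }'
}

# build_rules MAPFILE RESOLVER: print an iptables-restore fragment that replaces
# every rule in CHAIN. RESOLVER is a command that takes an FQDN and prints an IP.
# An entry that does not resolve gets no rule (and a warning on stderr): NATing
# to an address the DHCP pool may have re-assigned to another device is worse
# than a temporarily unreachable host.
build_rules() {
    map="$1"; resolver="$2"
    printf '*nat\n:%s - [0:0]\n-F %s\n' "$CHAIN" "$CHAIN"
    while read -r static fqdn _; do
        case "$static" in ''|'#'*) continue ;; esac
        [ -n "$fqdn" ] || continue
        ip=$("$resolver" "$fqdn" </dev/null) || ip=""
        if [ -z "$ip" ]; then
            echo "warning: $fqdn did not resolve; no rule for $static" >&2
            continue
        fi
        printf '%s\n' "-A $CHAIN -d $static -j DNAT --to-destination $ip"
    done < "$map"
    printf 'COMMIT\n'
}

# apply_rules: load the fragment; --noflush leaves all other chains untouched.
apply_rules() {
    build_rules "$MAP" resolve_a | iptables-restore --noflush
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

A cron entry such as `*/5 * * * * /usr/local/sbin/dyndnat.sh apply` gives the five-minute refresh Phil describes, and the stderr warnings show up in cron mail when a device's record goes missing.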