From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@lists.netfilter.org>
Subject: Re: How to filter packets resulting from hosts with dynamic IP-address
Date: Tue, 06 Feb 2007 08:55:35 -0600
Message-ID: <45C896E7.3010105@riverviewtech.net>
In-Reply-To: <200702061042.21497.frank.petran@inpho.de>
Frank Petran wrote:
> As far as I have understood it, filters can act on IP-addresses but not
> on hostnames. Since the originating IP-address changes, all I am left
> with is the known hostname. As far as I have understood it, filters can
> act on IP-addresses but not on hostnames. I would like to do a hostname
> lookup based on the name registered at dyndns.org and compare that with
> the IP-address of the incoming traffic.
You are correct in the fact that IPTables will not use host names during
normal operations. This is because the in-kernel rules only support IP
addresses. The IPTables command will translate names to IPs for you
when you add the rules to the kernel though.
With this in mind, my best bet is for you to create a sub-chain that is
for each specific client. Use some sort of port knocking setup that
will trigger some process on your firewall to re-run that user's portion
of the IPTables script. This script would need to flush the user's sub-chain
and repopulate it with current IP addresses. I know that this is
suboptimal, but I think it would work.
Another option might be to look at writing some sort of user space
daemon that you could have IPTables pass the packets to and return a yes/no
to the kernel. However, this would be duplicating some of / a lot
of the effort that has gone into IPTables and thus again suboptimal as
far as development is concerned.
Grant. . . .
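The per-client sub-chain refresh described above, written out as an added example (not code from Grant or the list): it resolves the client's dynamic-DNS name, validates each answer, then flushes and repopulates the client's chain. The chain name `client_frank` and hostname are constructed, the sub-chain is assumed to already exist and be jumped to from INPUT, and the knock trigger that would invoke `refresh_client` is out of scope.

```shell
#!/bin/sh
# Added example: rebuild one client's iptables sub-chain from the current
# address of its dynamic-DNS name. Set IPT=echo to dry-run the commands.
set -eu
IPT=${IPT:-iptables}

# Resolve a hostname to its IPv4 addresses, one per line (glibc getent).
resolve_host() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Accept only a plain dotted quad, so a garbled or hostile DNS answer can
# never be spliced into a rule as anything other than an address.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Flush CHAIN and repopulate it with ACCEPT rules for the given addresses.
# Returns 1 without touching the chain if no valid address was supplied.
rebuild_chain() {
    chain=$1; shift
    valid=
    for ip in "$@"; do
        if is_ipv4 "$ip"; then valid="$valid $ip"
        else echo "ignoring non-address value: $ip" >&2; fi
    done
    [ -n "$valid" ] || return 1
    $IPT -F "$chain"
    for ip in $valid; do
        $IPT -A "$chain" -s "$ip" -j ACCEPT
    done
    $IPT -A "$chain" -j RETURN
}

# Look the client up and rebuild its chain. On a failed or empty lookup the
# old rules stay in place instead of leaving the client with an empty chain.
refresh_client() {
    chain=$1; host=$2
    ips=$(resolve_host "$host") || { echo "lookup failed: $host" >&2; return 1; }
    rebuild_chain "$chain" $ips
}
# Usage (constructed names): refresh_client client_frank frank.dyndns.example
```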
Thread overview: 6+ messages
2007-02-06 9:42 How to filter packets resulting from hosts with dynamic IP-address Frank Petran
2007-02-06 14:55 ` Grant Taylor [this message]
2007-02-06 15:52 ` Frank Petran
2007-02-06 16:30 ` Grant Taylor
2007-02-06 15:31 ` Petr Pisar
2007-02-06 16:07 ` Frank Petran