* host names and IPs
@ 2003-04-18 11:57 Florian Effenberger
From: Florian Effenberger @ 2003-04-18 11:57 UTC (permalink / raw)
  To: netfilter

Hi,

I have a question to the gurus on this list ;-)

I'm on Linux 2.4.20 with iptables 1.2.7a. I have a syntax as follows:

===
iptables -A INPUT -p tcp -s www.myhostname.com --dport 53 -j ACCEPT
===

Now it seems that www.myhostname.com is resolved only the first time the
rule is set and that a fixed IP address is stored.

However, www.myhostname.com has a dynamically assigned address and I would
like to have iptables resolve the IP address every time.

Is that possible? If yes, how? Or will it produce too much load?

Thanks
Florian


* Re: host names and IPs
From: Joel Newkirk @ 2003-04-18 15:41 UTC (permalink / raw)
  To: Florian Effenberger; +Cc: netfilter

On Fri, 2003-04-18 at 07:57, Florian Effenberger wrote:
> Hi,
> 
> I have a question to the gurus on this list ;-)
> 
> I'm on Linux 2.4.20 with iptables 1.2.7a. I have a syntax as follows:
> 
> ===
> iptables -A INPUT -p tcp -s www.myhostname.com --dport 53 -j ACCEPT
> ===
> 
> Now it seems that www.myhostname.com is resolved only the first time the
> rule is set and that a fixed IP address is stored.

Correct.

> However, www.myhostname.com has a dynamically assigned address and I would
> like to have iptables resolve the IP address every time.

Same here... :^(

> Is that possible? If yes, how? Or will it produce too much load?

Iptables/netfilter does not, AFAIK, support this at all.  I have a
similar situation, and found two solutions.

The one I implemented was to map out the range of dynamic IPs assigned
(ISP refused to disclose!) and ended up using a /22 netmask.  Not as
tight, but simpler and less overhead than:

The other approach was to write a script (cron scheduled) that would
extract the IP from 'dig' output and compare it against a stored value
from the last change (/tmp/myhostname.com.ip perhaps).  If the same do
nothing. If different, delete the original rule, insert a
newly-constructed one, and echo the new IP to the tmp file.  Depending
on the lease-length (or whatever other factor may determine lifespan of
a given IP for www.myhostname.com...) and frequency of expected
connections, you'd set the frequency of the job accordingly.

Depending on what services are being made available to
www.myhostname.com, the first solution is probably your best bet so long
as it doesn't open up anything critical.  For my case, the rule only
opens SSH, and only a single non-root user can login with SSH on that
box.  (and all SSH access is logged)

The third solution, of course, would be to dig into the source and write
a new match, or patch the "-s" match with a new flag like "--dynip" and
the obvious support to enable that... ;^)  Checking the current IP of a
named host for every packet would be impossible.  The only feasible
solution here would be to integrate the effect of the cron job approach
into the netfilter code, periodically confirming the IP and updating if
needed.

> Thanks
> Florian

j
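The cron-job approach Joel describes, written out as an added example (this is not code from the thread or from the netfilter project): a POSIX shell script that resolves the name with `dig +short`, keeps the last address in a state file, and swaps the rule only when the address has changed. It deliberately covers the failure modes a quick script misses: an empty or non-address answer (a CNAME line, a lookup timeout) must never end up after `-s`, the stored state is validated before it is fed to `-D`, and the new rule is inserted before the old one is deleted so the host is never locked out in between. `IPTABLES`, `DIG` and `STATE_DIR` are assumed, overridable names introduced here so the logic can be exercised without touching a live firewall; they are not options of iptables or dig.

```shell
#!/bin/sh
# Added example, not code from the thread: re-resolve a dynamic host name
# from cron and swap the iptables ACCEPT rule only when the address changed.
# Assumptions: the host has a single IPv4 A record; IPTABLES, DIG and
# STATE_DIR are hypothetical knobs defaulting to the real commands and to
# /var/lib/dynip (a made-up path) so the logic can be tested with stubs.

IPTABLES="${IPTABLES:-iptables}"
DIG="${DIG:-dig}"
STATE_DIR="${STATE_DIR:-/var/lib/dynip}"

# Accept only a plain dotted-quad IPv4 address.  Anything else (empty
# answer, CNAME target, CIDR suffix, junk) must never reach "-s".
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, empty octets
    esac
    addr=$1
    n=0
    while [ -n "$addr" ]; do
        octet=${addr%%.*}                       # text before the first dot
        case "$addr" in *.*) addr=${addr#*.} ;; *) addr="" ;; esac
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ $n -eq 4 ]
}

# Print the first A record dig returns for $1 (skipping any CNAME lines);
# print nothing and fail if there is none, so the caller keeps the old rule.
resolve_ipv4() {
    for answer in $("$DIG" +short A "$1" 2>/dev/null); do
        if valid_ipv4 "$answer"; then
            printf '%s\n' "$answer"
            return 0
        fi
    done
    return 1
}

# Install the rule for the new address before removing the old one, so the
# host is never locked out in between.  -D by full rule spec avoids a
# fragile line-number lookup; -I puts the new rule at the head of INPUT.
replace_rule() {   # $1 = old address (empty on first run), $2 = new address
    "$IPTABLES" -I INPUT -p tcp -s "$2" --dport 53 -j ACCEPT || return 1
    if [ -n "$1" ]; then
        "$IPTABLES" -D INPUT -p tcp -s "$1" --dport 53 -j ACCEPT || return 1
    fi
}

# Compare the current address with the one recorded at the last change and
# touch the firewall and the state file only on a difference.  Prints what
# it did; returns 2 when the name could not be resolved.
update_host() {   # $1 = host name
    state="$STATE_DIR/$1.ip"
    if ! new=$(resolve_ipv4 "$1"); then
        echo "dynip: cannot resolve $1, keeping existing rule" >&2
        return 2
    fi
    old=""
    if [ -r "$state" ]; then
        read -r old < "$state" || old=""
        valid_ipv4 "$old" || old=""     # corrupted state: never pass it to -D
    fi
    if [ "$new" = "$old" ]; then
        echo "unchanged $new"
        return 0
    fi
    replace_rule "$old" "$new" || return 1
    mkdir -p "$STATE_DIR" && printf '%s\n' "$new" > "$state"
    echo "updated ${old:-none} -> $new"
}

# Cron entry for the thread's example host, e.g. every five minutes:
#   */5 * * * * /usr/local/sbin/dynip.sh www.myhostname.com
case "${1:-}" in
    "") echo "usage: $0 HOSTNAME" >&2 ;;
    *)  update_host "$1" ;;
esac
```

Two points worth keeping in mind when running something like this: a resolver failure leaves the previous rule in place rather than opening or closing anything, which is the safe default for an allow rule; and because the rule tracks whatever the resolver answers, the firewall trusts the DNS path as much as it trusts the address, so the rule should only expose what Joel's first solution would also expose (a tightly restricted service such as key-only SSH), not anything critical.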


* Re: host names and IPs
From: bill davidsen @ 2003-04-22 16:05 UTC (permalink / raw)
  To: netfilter

In article <003301c305a1$c04ab1a0$0500a8c0@effenberger>,
Florian Effenberger <floeff@arcor.de> wrote:

| I'm on Linux 2.4.20 with iptables 1.2.7a. I have a syntax as follows:
| 
| ===
| iptables -A INPUT -p tcp -s www.myhostname.com --dport 53 -j ACCEPT
| ===

What is it you're trying to do here? A packet with your source address
would be going through the OUTPUT table, no? An INPUT packet with your
own IP would be spoofed. Are you trying to accept DNS requests from
yourself, in tcp (instead of normal udp) mode?

| Now it seems that www.myhostname.com is resolved only the first time the
| rule is set and that a fixed IP address is stored.
| 
| However, www.myhostname.com has a dynamically assigned address and I would
| like to have iptables resolve the IP address every time.
| 
| Is that possible? If yes, how? Or will it produce too much load?

There are several ways to re-resolve it, but I'm not clear on why you
don't just specify by interface.

How about some clarification on what you're trying to do, rather than
how you want to do it?
-- 
bill davidsen <davidsen@tmr.com>
  CTO, TMR Associates, Inc
Doing interesting things with little computers since 1979.


* RE: host names and IPs
From: Michael K @ 2003-04-22 20:11 UTC (permalink / raw)
  To: netfilter

What you could do is to create a crontab with the following bash script

--start---
#!/bin/bash
# Current address of the host: fourth field of "name has address A.B.C.D"
NEWIP=`host klintan.cjb.net | awk '{print $4}'`

# If the lookup failed, do not touch the rule or the stored value
if [ -z "$NEWIP" ]
then
        exit 1
fi

if [ -f /etc/current_ip ]
then
        OLDIP=`cat /etc/current_ip`
else
        # 1st time run: a value that matches no existing rule
        OLDIP="255.255.255.255/32"
fi

if [ "$NEWIP" != "$OLDIP" ]
then
        # -n keeps addresses and ports numeric, so the greps match the
        # stored IP and "dpt:53" rather than resolved names
        RULENUM=`iptables -L INPUT -n --line-numbers | grep "$OLDIP" | grep "tcp dpt:53" | awk '{print $1}'`
        if [ -z "$RULENUM" ]
        then
                iptables -A INPUT -p tcp -s "$NEWIP" --dport 53 -j ACCEPT
        else
                # replace the rule at that position in place
                iptables -R INPUT "$RULENUM" -p tcp -s "$NEWIP" --dport 53 -j ACCEPT
        fi
        echo "$NEWIP" > /etc/current_ip
fi
--end---

But I'm sure that there are other (and better) ways

/Klintan

