Hi,

On Saturday 23 September 2006 15:20, Lars Staun Knudsen wrote:
> Thank you for the reply, the lines work fine. But I've still got a
> dynamic problem: the IP can change with DHCP and therefore it would
> be perfect if I could use a domain name. DDNS (bind9) is working
> along with dhcp3-server.
> The PREROUTING line is complaining if I write pc.dom.dk instead of
> 172.16.0.30, is there a way to bypass this problem?
>
> And another problem I just thought of: if the iptables script is
> executed at a time where pc.dom.dk hasn't got a dhcp-release yet,
> there will be no answer in the DNS lookup. So any experience on what
> behaviour iptables has when there is no IP resolved from the domain
> name? Is the rule just set, or will the rule return an error?
The fact is that the kernel can't wait for a DNS response which might arrive sometime (or never at all) while dealing with a packet. So you could fix the IP address (easy if you manage the DHCP server), or devise a way to regularly "update" your ruleset with the appropriate IP. A script could get the IP from the DNS, and do an iptables call if it happens to be different from the previous one.

Hope this helps,
Sebastien
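One way to script the "resolve, compare, update" loop Sebastien describes, as an added example that is not part of the thread. Only the host name pc.dom.dk and the address 172.16.0.30 come from the thread; the DNAT rule shape (port 80), the state file, and the use of getent for the lookup are assumptions for the example.

```shell
#!/bin/sh
# Added example: refresh a PREROUTING DNAT rule when the DHCP-assigned
# address behind a host name changes. Meant to be run from cron.
HOST="${HOST:-pc.dom.dk}"                       # name from the thread
STATE="${STATE:-/var/run/dnat-${HOST}.ip}"      # assumed state file: last applied IP
IPTABLES="${IPTABLES:-iptables}"                # set to "echo iptables" for a dry run

# Resolve HOST to its first IPv4 address. Prints nothing when the name
# does not resolve (e.g. no DHCP lease has been handed out yet).
resolve_ip() {
    getent ahostsv4 "$1" 2>/dev/null | awk '$1 ~ /^[0-9.]+$/ { print $1; exit }'
}

# Rule arguments for a given address; the same spec is used to delete
# the old rule and insert the new one, so they always match exactly.
rule_spec() {
    echo "PREROUTING -p tcp --dport 80 -j DNAT --to-destination $1:80"
}

# Compare the freshly resolved address with the one saved last run and
# swap the rule only when it differs. Exit status: 0 = rule changed,
# 1 = nothing to do, 2 = name unresolvable (existing rule left untouched).
update_rule() {
    new=$(resolve_ip "$HOST") || true
    [ -n "$new" ] || { echo "$HOST does not resolve yet; keeping current rule" >&2; return 2; }
    old=""
    [ -r "$STATE" ] && old=$(cat "$STATE")
    [ "$old" = "$new" ] && return 1
    if [ -n "$old" ]; then
        # shellcheck disable=SC2046  # word splitting of the spec is intended
        $IPTABLES -t nat -D $(rule_spec "$old")
    fi
    $IPTABLES -t nat -I $(rule_spec "$new")
    echo "$new" > "$STATE"
    return 0
}

case "${1:-}" in run) update_rule ;; esac
```

Invoke as `dnat-refresh.sh run` from a cron job; a lookup failure leaves the last known rule in place rather than deleting it.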

