> a cron job can run the 'host' and 'iptables' commands in a script
> such as rc.local.  
> 
> This script is an example only. Iptables will have to be flushed/

> # variable for some smtp relay servers address. Edit the hostname. 
> SMTPADDRESS=`host smtp.some-isp.co.nz | awk -F " " '{print $4}'`
> 
> # allow smtp access to that server only.
> iptables -A OUTPUT -p tcp -d $SMTPADDRESS --dport 25 -o ppp0 -j ACCEPT
> iptables -A OUTPUT -p tcp -d ! $SMTPADDRESS --dport 25 -o ppp0 -j DROP

This isn't good enough, depending on the way your iptables scripts are
generated. At that point in your script, you are relying on the
assumption that when the host command runs, the rest of the iptables
rules are already set up, especially the DNS related ones. You cannot
rely on this (as I mentioned in my original post), and if you do and get
it wrong, your whole iptables startup will dead-lock for a rather long
time. Don't do it.

You will have to keep the IP numbers you wish to look up for your
iptables script in a file, which is updated independently of your
iptables service, at a time when the iptables service is guaranteed to
be already up. This may cost you 2 iterations - start iptables, look up
your variable IP numbers, restart iptables.

And none of the firewalls can do anything like it...

Volker

-- 
Volker Kuhlmann                 is list0570 with the domain in header
http://volker.dnsalias.net/     Please do not CC list postings to me.
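Added example, not code from either post: the two-stage scheme the reply describes, with the lookup done by a cron job that writes a file only once the firewall is up, and the firewall script reading that file instead of calling `host`. The file path, the relay name and the dry-run/run switch are assumptions.

```sh
#!/bin/sh
IPFILE="${IPFILE:-/var/lib/firewall/smtp-relay.ips}"   # assumed location

# Accept only a dotted quad with octets 0-255. Error text from a failed
# lookup must never be substituted into an iptables rule.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Stage 1, from cron after the firewall is up:
#   host smtp.some-isp.co.nz | update_ipfile "$IPFILE"
# Keeps the A-record addresses from 'host' output and replaces the file by
# rename, so the firewall script never sees a half-written or empty file.
update_ipfile() {
    tmp="$1.tmp.$$"
    awk '$2 == "has" && $3 == "address" { print $4 }' > "$tmp"
    if [ -s "$tmp" ]; then mv "$tmp" "$1"; else rm -f "$tmp"; return 1; fi
}

# Print the rule, or execute it when mode is "run".
emit_rule() {
    mode=$1; shift
    if [ "$mode" = run ]; then iptables "$@"; else echo "iptables $*"; fi
}

# Stage 2, inside the firewall script: one ACCEPT per valid address in the
# file, then DROP for everything else on port 25. No DNS is consulted here,
# so this cannot block on a lookup while the rules are being loaded.
build_smtp_rules() {
    file=$1; mode=${2:-print}
    if [ -r "$file" ]; then
        while IFS= read -r ip; do
            if is_ipv4 "$ip"; then
                emit_rule "$mode" -A OUTPUT -p tcp -d "$ip" --dport 25 -o ppp0 -j ACCEPT
            else
                echo "ignoring bad entry in $file: $ip" >&2
            fi
        done < "$file"
    else
        echo "$file missing: no SMTP relay will be reachable" >&2
    fi
    # Fail closed: with no valid ACCEPT above, all outbound SMTP is dropped.
    emit_rule "$mode" -A OUTPUT -p tcp --dport 25 -o ppp0 -j DROP
}
```

Run `build_smtp_rules "$IPFILE"` to preview the rules and `build_smtp_rules "$IPFILE" run` from the firewall script itself; a stale or missing file leaves only the DROP in place until the next cron update.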