Thanks for your reply.
I just used Yahoo.com as an example. In fact, you cannot use any domain
names in iptables rules. I have come across a website that stated that "the
iptables service starts before any DNS-related services when a Linux system
is booted. This means that firewall rules can only reference numeric IP
addresses (for example, 192.168.0.1). Domain names (for example,
host.example.com) in such rules produce errors."
However, many tutorials on websites nowadays have examples of using domain
names in iptables rules.

-----Original Message-----
From: Russell Coker [mailto:[email protected]] 
Sent: Monday, June 02, 2014 11:08 AM
To: [email protected]
Cc: Wenjian Bill Yang
Subject: Re: iptables rules cannot be loaded at boot time when domain names
are used in iptables rules

On Mon, 2 Jun 2014, "Wenjian Bill Yang" <[email protected]> wrote:
> I have the following rule in my iptables, and all chains are empty 
> when the server is booted.
> 
> -A INPUT -s yahoo.com -j DROP
> 
> Or
> 
> -A INPUT -s yahoo.com -p tcp --dport 21 -j DROP

Firstly, that sort of rule probably won't get the result you desire.  Big
services such as yahoo tend to use different addresses for sending and
receiving.  So any address they use for receiving data (in this case a web
server) probably won't be used for sending data (i.e. making port 21
connections to your system).

> if I manually run /etc/init.d/iptables start, all iptables rules can 
> be loaded.
> 
> Also if an IP address is used as follows, iptables can be loaded at 
> boot time.
> 
> -A INPUT -s 66.33.210.0/24 -j DROP

Probably DNS isn't available in the early stages of the boot process.  What
is in /etc/resolv.conf?  Does it point to something at the other end of a
PPP link (or any link that will take time to establish) or localhost
(iptables probably starts before BIND)?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

_______________________________________________
luv-main mailing list
[email protected]
http://lists.luv.asn.au/listinfo/luv-main
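To catch this failure mode before a reboot rather than after one, here is an added example (POSIX sh, not code from the thread) that lints an iptables-save style rules file for -s/-d operands that are hostnames instead of numeric addresses; the sample rules file it writes is constructed for the demonstration.

```shell
# Added example (not from the thread): lint an iptables-save style file for
# -s/-d operands that are hostnames rather than numeric IPv4 addresses. Such
# rules need a resolver at load time, which boot-time iptables does not have.

# is_numeric_addr ADDR: succeed if ADDR is a dotted-quad IPv4 address with an
# optional /prefix (e.g. 66.33.210.0/24). IPv6 is out of scope here.
is_numeric_addr() {
    a=${1%%/*}; p=${1#"$a"}
    case "$a" in *[!0-9.]*|*..*|.*|*.|'') return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $a; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do [ "$octet" -le 255 ] || return 1; done
    case "$p" in ''|/[0-9]|/[12][0-9]|/3[0-2]) return 0 ;; esac
    return 1
}

# list_name_rules FILE: print LINE:OPERAND for every source/destination
# operand in FILE that is not numeric; exit 1 if any were found, else 0.
list_name_rules() {
    file=$1 found=0 n=0; set -f   # no globbing while tokenising "*filter"
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in \#*|'') continue ;; esac   # skip comments and blanks
        set -- $line
        while [ $# -gt 1 ]; do
            case "$1" in
                -s|-d|--source|--destination|--src|--dst)
                    shift
                    is_numeric_addr "$1" || { printf '%s:%s\n' "$n" "$1"; found=1; } ;;
            esac
            shift
        done
    done < "$file"
    set +f
    return $found
}

# write_sample_rules FILE: write a constructed rules file (not a real ruleset)
# mixing the two rule shapes from the thread, hostname vs. numeric address.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
-A INPUT -s yahoo.com -j DROP
-A INPUT -s 66.33.210.0/24 -j DROP
-A INPUT -s yahoo.com -p tcp --dport 21 -j DROP
-A INPUT -d 192.168.0.1 -j ACCEPT
COMMIT
EOF
}
```

Run it against the file your init script feeds to iptables-restore; any line it reports is one that will fail whenever DNS is unavailable at load time.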
