I had to do this once for an OpenVPN tunnel which had a dyndns address on the remote end. IIRC, I just flushed and reloaded the firewall from rc.local.
Then there was the issue of the remote end dropping off and coming back with a new dynamically allocated IP and not being able to re-establish the tunnel. So I had some script keep checking for any disconnects, and if the IP changed, reloaded the relevant iptables rules again (based on the latest dyndns lookup).

Crispy.

On 02/06/14 11:27, Wenjian Bill Yang wrote:
> Thanks for your reply.
> I just used Yahoo.com as an example. In fact, you cannot use any domain
> names in iptables rules. I have come across a website that stated that "the
> iptables service starts before any DNS-related services when a Linux system
> is booted. This means that firewall rules can only reference numeric IP
> addresses (for example, 192.168.0.1). Domain names (for example,
> host.example.com) in such rules produce errors."
> However, many tutorials on websites nowadays have examples of using domain
> names in iptables rules.
>
> -----Original Message-----
> From: Russell Coker [mailto:[email protected]]
> Sent: Monday, June 02, 2014 11:08 AM
> To: [email protected]
> Cc: Wenjian Bill Yang
> Subject: Re: iptables rules cannot be loaded at boot time when domain names
> are used in iptables rules
>
> On Mon, 2 Jun 2014, "Wenjian Bill Yang" <[email protected]> wrote:
>> I have the following rule in my iptables, and all chains are empty
>> when the server is booted.
>>
>> -A INPUT -s yahoo.com -j DROP
>>
>> Or
>>
>> -A INPUT -s yahoo.com -p tcp --dport 21 -j DROP
>
> Firstly, that sort of rule probably won't get the result you desire. Big
> services such as yahoo tend to use different addresses for sending and
> receiving. So any address they use for receiving data (in this case a web
> server) probably won't be used for sending data (i.e. making port 21
> connections to your system).
>
>> If I manually run /etc/init.d/iptables start, all iptables rules can
>> be loaded.
>>
>> Also if an IP address is used as follows, iptables can be loaded at
>> boot time.
>>
>> -A INPUT -s 66.33.210.0/24 -j DROP
>
> Probably DNS isn't available in the early stages of the boot process. What
> is in /etc/resolv.conf? Does it point to something at the other end of a
> PPP link (or any link that will take time to establish) or localhost
> (iptables probably starts before BIND)?

_______________________________________________
luv-main mailing list
[email protected]
http://lists.luv.asn.au/listinfo/luv-main
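The approach Crispy describes above (re-resolve the dyndns name, and reload the rules only when the address has moved) as a worked example. This is added here and is not the script from the thread or anything from the list; iptables resolves a hostname once, when the rule is loaded, so a stale address stays in the chain until something redoes the lookup. The hostname, the dedicated chain `OPENVPN_PEER` (assumed to be jumped to from INPUT), the UDP port and the state file path are all assumptions made for illustration; the `getent ahostsv4` lookup is glibc's, and it needs the resolver to be up, which is exactly what is missing when the firewall script runs at early boot.

```shell
#!/bin/sh
# Added example, not the script from the thread: keep an iptables chain in
# step with a dynamic-DNS peer. iptables resolves a name only when the rule
# is loaded, so the lookup has to be repeated whenever the peer may have
# moved. Hostname, chain, port and state file below are assumptions.

HOST="${HOST:-peer.example.invalid}"        # assumed dyndns name of the remote end
CHAIN="${CHAIN:-OPENVPN_PEER}"              # assumed chain, referenced from INPUT
PORT="${PORT:-1194}"                        # OpenVPN's default UDP port
STATE_FILE="${STATE_FILE:-/var/run/dyndns-peer.ip}"
IPT="${IPT:-iptables}"                      # set IPT=echo for a dry run
RESOLVER="${RESOLVER:-resolve_ipv4}"        # function used for the lookup
INTERVAL="${INTERVAL:-60}"                  # seconds between checks in --watch mode

# First IPv4 address for a name, via the system resolver (glibc getent).
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Accept only a dotted quad with every octet in 0..255, so an empty or
# malformed resolver answer can never be spliced into a rule.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Last address we applied, or nothing on the first run.
saved_ip() {
    [ -r "$STATE_FILE" ] && cat "$STATE_FILE"
    return 0
}

# Rebuild the peer chain for one address: flush it (creating it if absent),
# then allow only that source to reach the tunnel port.
refresh_chain() {
    is_ipv4 "$1" || { echo "refusing to apply '$1'" >&2; return 1; }
    $IPT -F "$CHAIN" 2>/dev/null || $IPT -N "$CHAIN"
    $IPT -A "$CHAIN" -s "$1" -p udp --dport "$PORT" -j ACCEPT
}

# One pass: resolve, compare with the last applied address, reload on change.
# Returns 0 when rules were reloaded, 3 when nothing changed, 1 on a failed
# lookup or a failed reload.
check_once() {
    current=$($RESOLVER "$HOST")
    is_ipv4 "$current" || { echo "lookup of $HOST failed" >&2; return 1; }
    [ "$current" = "$(saved_ip)" ] && return 3
    refresh_chain "$current" || return 1
    printf '%s\n' "$current" > "$STATE_FILE"
    echo "peer $HOST moved to $current, rules reloaded"
}

# Loop only when asked, so rc.local can start it after the network is up;
# without --watch the functions are available for a one-shot cron check.
if [ "${1:-}" = "--watch" ]; then
    while :; do check_once; sleep "$INTERVAL"; done
fi
```

Start it from rc.local as `sh dyndns-peer.sh --watch` (or call `check_once` from a cron job), and run with `IPT=echo` first to see the iptables commands it would issue. Note that it reacts to an address change, not to the tunnel dropping; if you want the "any disconnects" trigger from the thread as well, drive `check_once` from whatever notices the tunnel going down.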
