On Tue, Jun 04, 2002 at 09:51:31AM -0700, Brian Ugie wrote:
> Hi,
>
> I am hoping that someone can explain the role that DNS has in
> relation to iptables and if there is a way to stop iptables from
> resolving.
>
> I have a network where a netscreen firewall sits in front of our
> servers. We map public IPs to the servers and do initial port filtering
> from the netscreen. We also want to have each machine filter just in
> case the windows box gets compromised ;). It has seemed to me that
> iptables will not first use /etc/hosts to resolve but will go straight
> to the DNS server. Is this a valid statement?
No. gethostbyaddr would go through the preference list in nsswitch.conf.
This is part of a library and iptables uses it. #include <netdb.h>
> nsswitch.conf lists file
> first. Since DNS will resolve the server to a public address but it is
> actually on a private address, iptables gets confused and the net result
> is long delays on ssh and ftp logins and server timeouts on DNS
> queries.
Do you have "hosts: files dns" in your nsswitch.conf and have the
correct setup in /etc/hosts?
>
> To test my theory I set the DNS record to the private ip and that
> worked like a champ. I feel that I am left with only the option to
> create views in bind.
>
> Has anyone else out there seen this or know of a better solution?
You can also provide "-n" to the iptables command to avoid names:
man iptables:
...
-n, --numeric
Numeric output. IP addresses and port numbers will
be printed in numeric format. By default, the program
will try to display them as host names, network
names, or services (whenever applicable).
...
Ramin
>
> Thanks in advance,
>
> Brian
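To make Ramin's two checks repeatable, here is an added shell example that is not part of the original thread: it reads the order of sources on the hosts: line of an nsswitch.conf and looks an address up in a hosts file, reporting whether the reverse lookup iptables triggers through gethostbyaddr would be answered locally or handed to DNS. File paths are passed as arguments so constructed sample files can be used; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): predict where a reverse lookup of an
# address goes when iptables is run without -n. Paths are arguments so the
# checks can be run against sample files instead of the live system.

# Print the sources on the "hosts:" line of an nsswitch.conf (e.g. "files dns"),
# with comments and trailing whitespace stripped; empty if the line is missing.
hosts_sources() {
    sed -n 's/#.*//; s/[[:space:]]*$//; s/^[[:space:]]*hosts:[[:space:]]*//p' "$1" | head -n 1
}

# Succeed (0) if "dns" is absent or comes after "files" on the hosts: line,
# i.e. /etc/hosts is consulted before any DNS query is sent.
dns_after_files() {
    seen_files=1                      # 1 = "files" not seen yet (shell false)
    for src in $(hosts_sources "$1"); do
        case $src in
            files) seen_files=0 ;;
            dns)   return $seen_files ;;
        esac
    done
    return 0
}

# Succeed (0) if the address has an entry in the given hosts file
# (comment lines are skipped; first field must equal the address exactly).
in_hosts_file() {
    awk -v ip="$2" '/^[[:space:]]*#/ {next} $1 == ip {found=1} END {exit !found}' "$1"
}

# Print "local" if the address is answered from the hosts file, "dns" if the
# lookup falls through to DNS (the slow path Brian saw for private addresses),
# or "broken" if the hosts: line is missing or lists dns before files.
lookup_path() {
    nss=$1; hosts=$2; ip=$3
    [ -n "$(hosts_sources "$nss")" ] || { echo broken; return; }
    if ! dns_after_files "$nss"; then echo broken; return; fi
    if in_hosts_file "$hosts" "$ip"; then echo local; else echo dns; fi
}

# Usage: sh check_lookup.sh <address>   (uses the live /etc/nsswitch.conf and /etc/hosts)
if [ $# -eq 1 ]; then
    lookup_path /etc/nsswitch.conf /etc/hosts "$1"
fi
```

An address that reports "dns" here is one iptables will wait on unless you add it to /etc/hosts or run iptables with -n.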