Quote:
Originally Posted by janve
I try to use a hostname (in place of an IP address) in an iptables command (iptables 1.4.20, slackware64-14.1):
Code:
me@here:~# iptables -t nat -A PREROUTING -p tcp --dport 5678 -j DNAT --to myhost
iptables v1.4.20: Bad IP address "myhost"
|
I'm probably being a bit dumb here, but I have no reason to think that should work... I'm not sure when iptables would do the name resolution.
If it happened at rule initialisation/instantiation, then you are assuming that DNS resolution can happen (potentially) that early on, which it probably can't (you know, you are assuming that enough of networking works for DNS to be ok, and as you are setting up part of networking at the time, that seems optimistic, and if you have a DNS caching service, that may not be up yet, either).
If you assume that it happens when the rule is actually used, that could be problematic, too. Depending on what exactly you are doing, a lot of traffic might hit this rule, and if it does a resolve every time, that would probably bring the box to its knees quite easily with high levels of traffic. On the other hand that would at least avoid the issue of the IP <-> hostname mapping changing partway through, an issue that can't really be ignored if there is a long uptime (and shouldn't really be ignored, even with a short uptime - what would you expect to happen if this changed (and could that happen, and would it be what most people expect)?).
Quote:
Originally Posted by janve
Code:
me@here:~# iptables -A FORWARD -d myhost
works fine.
|
If I am surprised by anything, it is that this works. Presumably, it stops working as soon as the IP changes (i.e., it still holds on to the old IP).
One possibility could be, if you create your iptables rules from a bash script, to try to look up the translation from there. Of course, you'd still have to concern yourself with the potential problems listed earlier. But, you would have the chance to set up a basic set of rules early, and set up the myhost stuff later, if that helps.
@smallpond
Quote:
That said, good luck trying to find detailed, up to date docs on iptables.
|
Not sure about up-to-date-ness, but this is pretty detailed on iptables. Modules are another matter, however. The man page ought to be up to date (it is a bug if it isn't), and is one of the better manpages. But, sometimes, a man page isn't enough, or is just too dense...
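The "look it up from the script" approach suggested above, as an added example that is not code from anyone in this thread. It resolves the name once at rule-load time with getent(1), refuses to emit a rule when the name does not resolve or resolves to more than one address, and prints the iptables command instead of running it; the RESOLVER override is an assumption so the functions can be exercised without a network.

```shell
#!/bin/sh
# Constructed example: do the hostname -> IPv4 lookup in the script, not in
# iptables, and hand iptables a literal address. The address is baked into
# the rule, so if the mapping changes the script must be re-run.

# resolve_ipv4 NAME: print exactly one IPv4 address for NAME, else fail.
# Fails closed on: no answer, a non-IPv4 answer, or several addresses
# (a DNAT target is one host; silently picking one would hide round-robin
# DNS and the "which host did I actually forward to" problem).
resolve_ipv4() {
    name=$1
    # RESOLVER defaults to "getent ahostsv4", which consults /etc/hosts and
    # DNS per nsswitch.conf; the override exists for offline testing.
    addrs=$( ${RESOLVER:-getent ahostsv4} "$name" 2>/dev/null \
             | awk '{ print $1 }' | sort -u || true )
    count=0
    ip=""
    for a in $addrs; do
        if ! printf '%s\n' "$a" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            echo "resolve_ipv4: $name: not an IPv4 address: $a" >&2
            return 1
        fi
        count=$((count + 1))
        ip=$a
    done
    if [ "$count" -ne 1 ]; then
        echo "resolve_ipv4: $name resolved to $count addresses, need exactly 1" >&2
        return 1
    fi
    printf '%s\n' "$ip"
}

# dnat_rule NAME PORT: print the PREROUTING DNAT rule with NAME resolved.
# Printing keeps this a dry run; pipe the output into sh to apply it.
dnat_rule() {
    target=$(resolve_ipv4 "$1") || return 1
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j DNAT --to-destination %s\n' \
        "$2" "$target"
}
```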