Hi *,

I try to use a hostname (in place of an IP address) in an iptables command (iptables 1.4.20, slackware64-14.1):
while (e.g.)
works fine. Is there something that I missed ? Is it a feature ? Do I have some chance ?

Thanks for help, Jan

Hostnames don't necessarily translate into a single IP so when a function takes an IP there is no reason for it to accept a hostname instead. That said, good luck trying to find detailed, up to date docs on iptables.

I'm probably being a bit dumb here, but I have no reason to think that should work... I'm not sure when iptables would do the name resolution.

If it happened at rule initialisation/instantiation, the you are assuming that DNS resolution can happen (potentially) that early on, which it probably can't (you know, you are assuming that enough of networking works for DNS to be ok, and as you are setting uop part of networking at the time, that seems optimistic, and if you have a DNS caching service, that may not be up yet, either).

If you assume that it happens when the rule is actually used, that could be problematic, too. Depending on what exactly you are doing, a lot of traffic might hit this rule, and if it does a resolve every time, that would probably bring the box to its knees quite easily with high levels of traffic. On the other hand that would at least avoid the issue of the IP <-> hostname mapping changing partway through, an issue that can't really be ignored if there is a long uptime (and shouldn't really be ignored, even with a short uptime - what would you expect to happen if this changed (and could that happen, and would it be what most people expect)?).

If I am surprised by anything, it is that this works. Presumably, it stops working as soon as the IP changes (ie, it still holds on to the old IP).

One possibility could be, if you create your iptables rules from a bash scriipt, to try to look up the translation from there. Of course, you'd still have to concern yourself about the potential problems listed earlier. But, you would have the chance to set up a basic set of rules early, and set up the myhost stuff later, if that helps.

@smallpond
Not sure about up-to-date-ness, but this is pretty detailed on iptables. Modules are another matter, however. The man page ought to be up to date (it is a bug if it isn't), and is one of the better manpages. But, sometimes, a man page isn't enough, or is just too dense...

Thanks to both smallpond & salasi for their interest.

Not that bad (I think): cf. http://ipset.netfilter.org/iptables.man.html.

Why not ? As long as I know what I'm doing :-) - cf. sections on -s, -d and -A in iptables documentation linked above.
In my case, I'm simply lazy to remember the IP addresses that are normally resolved through /etc/hosts. It's no big deal, but I did expect name resolution to work here.

Yes - it does exactly that: it resolves the hostname and introduces a rule with the IP address.


Thanks, Jan

I stand corrected. I have bookmarked the tutorial by Oskar Andreasson which seems quite complete.