LinuxQuestions.org
Old 10-29-2010, 12:51 PM   #1
nass
Member
 
Registered: Apr 2006
Location: Athens, Greece
Distribution: slackware, debian, ubuntu
Posts: 666

Rep: Reputation: 39
rc.firewall script and dns names


Hello everyone!
I would actually check to verify that, but I'm not anywhere near my internal network, and I guess it's my never-ending curiosity that needs to have an answer right here, right now to plan its next steps, so here it goes:

So far, in order to avoid excessive work in my rc.firewall with my DHCP'd servers (like torrent and such), I would use a variable when DNAT'ing.

For example:
Quote:
$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 62411:62511 -j DNAT --to-destination $LIN_SRV
But recently I set up bind along with dhcpd. So now, is it possible that I use DNS names (like myTorServer.homeintranet.home) instead of bash variables for my roaming servers?

Such as:
Quote:
$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 62411:62511 -j DNAT --to-destination myTorServer.homeintranet.home
i.e. does iptables do name resolution (or use resolv.conf for that, etc.)?

Thank you!
 
Old 10-30-2010, 03:42 PM   #2
mRgOBLIN
Slackware Contributor
 
Registered: Jun 2002
Location: New Zealand
Distribution: Slackware
Posts: 999

Rep: Reputation: 231
Yes, iptables does resolve hostnames.

There could be security implications if this was an external facing firewall and you didn't have complete control over the DNS but in this case it should be fine.
 
Old 10-31-2010, 03:29 AM   #3
wildwizard
Member
 
Registered: Apr 2009
Location: Oz
Distribution: slackware64-14.0
Posts: 875

Rep: Reputation: 282
The DNS look-ups only occur when you run the iptables tool; the firewall rules will then stay with whatever IP address the look-up gave originally, and this is thus no good if you're after dynamic updates.
 
Old 10-31-2010, 05:52 AM   #4
nass
Member
 
Registered: Apr 2006
Location: Athens, Greece
Distribution: slackware, debian, ubuntu
Posts: 666

Original Poster
Rep: Reputation: 39
Hmmm, that's true; perhaps reloading the firewall script through a cron job would solve that.
The only way I know to reload the script is by stopping/starting rc.firewall.

But then there is a small security hole if some attacks are persistent.
Q1: Is there a way to make iptables reload the 'new' settings from the script without stopping it?
I guess I could modify the rc.firewall script to block ALL traffic when stopped instead of allowing it all. That would break all connections.
Q2: But would that break be momentary or continuous? Obviously, I would prefer if remote administration ssh connections are not halted for more than a few seconds...

That's pretty much the reloading side of the firewall. But the trigger mechanism would ideally not be a cron job, but some signal emitted by dhcpd when a new roaming user comes in, much like the dhcpd daemon updates the bind DNS server. Similarly, the firewall would be rerun, and if the roaming user is present in the intranet, the iptables rule would be loaded.
Q3: Is it possible to catch this signal from the dhcpd server?

Thank you very much for your time.
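As an added example (not code from this thread or from Slackware's rc.firewall), here is a small sh helper that addresses Q1 and Q2: it re-resolves the roaming host's name, the same one-time lookup iptables does at rule-load time, and replaces just the DNAT rule in place with `iptables -R`, so rc.firewall is never stopped and restarted and there is neither an allow-all window nor any interruption of established ssh sessions. `$IPT` and `$INET_IFACE` follow the original poster's script; the function names, the rule position argument and the idea of calling it from cron or from a dhcpd lease-commit hook are assumptions.

```shell
#!/bin/sh
# Hypothetical helper: refresh one PREROUTING DNAT rule for a DHCP-assigned
# host without restarting the whole firewall. Assumes the rule was already
# inserted once by rc.firewall at a known position in the nat PREROUTING chain.
IPT=${IPT:-iptables}
INET_IFACE=${INET_IFACE:-eth0}

# Resolve a hostname to one IPv4 address through the system resolver
# (glibc getent), i.e. the same lookup iptables itself performs once.
resolve_ipv4() {
    getent ahostsv4 "$1" | awk '{ print $1; exit }'
}

# Accept only a dotted quad so a failed or odd lookup never reaches iptables.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Render the rule body (everything after the chain name) so the exact same
# text is used for the initial insert and for every later replacement.
dnat_rule_body() {   # args: iface ports target_ip
    printf '%s' "-p tcp -i $1 --destination-port $2 -j DNAT --to-destination $3"
}

# Replace the DNAT rule at position POS with a freshly resolved target.
# 'iptables -R' swaps a single rule atomically; the rest of the ruleset and
# all existing connections are untouched. Returns 1 and leaves the old rule
# in place if the name does not resolve (host currently off the LAN).
refresh_dnat() {     # args: rule_position hostname ports
    pos=$1; host=$2; ports=$3
    ip=$(resolve_ipv4 "$host")
    if ! is_ipv4 "$ip"; then
        echo "refresh_dnat: cannot resolve $host, rule $pos left unchanged" >&2
        return 1
    fi
    # shellcheck disable=SC2046  (word splitting of the rule body is intended)
    $IPT -t nat -R PREROUTING "$pos" $(dnat_rule_body "$INET_IFACE" "$ports" "$ip")
}

# Example invocation (constructed values): run from cron, or from a dhcpd
# lease-commit hook, as
#   refresh_dnat 1 myTorServer.homeintranet.home 62411:62511
```

Because only one rule is swapped, the script's stop action never runs, so the "block everything when stopped" policy from Q2 is not needed for routine refreshes.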