I want to host a website at home but I only want certain users to have access to it, but I can't use username/password or certificates to authenticate them. Can I configure iptables (or some other linux firewall) to use rules based on a dynamic hostname?

Regards,
Ptah

I can't use username/password or certificates to authenticate them
Why not?

Because not all the devices that connect can use these. Some om them can't use any of them.

iptables doesn't work with hostnames, it only works with IP addresses...

of course you might be able to find some patch or something which grants your iptables the hostname functionality... keep in mind that it would be a very ridiculous thing to do, as the security you would aquire would be completely imaginary, and plus the overhead added to your iptables rules (DNS/reverse-DNS resolution) would suck...

just my ...

@win32sux: iptables doesn't work with hostnames
Iptables will take hostnames by default. No POM necessary.


Can I configure iptables (or some other linux firewall) to use rules based on a dynamic hostname?
Yes, but like Win32sux says it doesn't offer *anything* that can be used for proper authentication and authorization.


Because not all the devices that connect can use these. Some om them can't use any of them.
Now this gets interesting. So they have a network stack but no access to regular validation methods?
I'm willing to think along, but you will have to come up with more details.
So please elaborate: what types of devices are we talking about?
What protocols or applications will they use to access the server?
Aprox how many devices are you talking about?
Will the site or application work with information that should be transfered securely?

sorry, my bad...

yeah, so i looked at the manpage and here it is:BTW, is there some kinda special syntax for this?? cuz i tried (just out of curiosity - i would never do this for real) with a "-s cnn.com" and a "-s www.cnn.com" and i'd only get errors...

I don't like to see this thread go OT, but what errors do you get? "-s cnn.com" should not work (no single CIDR type address/mask), "-s www.cnn.com" should.

the error was:but i figured it out... since i was doing it by editing my iptables script, there was no OUTPUT rules at the moment of execution allowing outgoing DNS queries... this is due to the fact that i have my INPUT rules written first and of course all chains are flushed and policies set to DROP at the beginning of the script...

so the error is totally understandable and when i execute the command with "-s www.cnn.com" from the command line while my OUTPUT rules are already in place there is no error since the DNS query goes out without being filtered...

curiously, both ways work fine on my box: i'll google about this and figure out why both ways work, don't worry... i also have some other questions about this iptables hostnames thing but like you said, the thread is getting off topic and stuff so i will abstain...

for ptah_be and anyone else reading this thread: it's important to point-out once again that using hostnames in your iptables for this kinda thing is a VERY BAD IDEA AND IS VERY DISCOURAGED (i was simply trying it out for experimentation and would never do it seriously)...

so to get back on topic, ptah_be, i will re-post the latest on-topic questions which were asked by unSpawn so you can answer them please:
remember that the more details and information you provide, the easier it will be to assist you...

The devices are sat-tuners (and most of them have no validation method) and they use TCP/IP to connect. I don't know the exact protocol (but that doesn't mather anyway). There will be about 100 devices that need to connect.