LinuxQuestions.org
Old 02-14-2007, 10:46 AM   #1
cbidwell
LQ Newbie
 
Registered: Feb 2007
Posts: 3

Rep: Reputation: 0
Simple iptables question


Hi all, I've got a simple iptables question.

Is there a way that I can enter an entire "domain" into iptables to either allow or deny over a specific port?

Similar to this in hosts.allow:
Code:
sshd : .qwest.net : allow

An iptables rule?
Code:
-A RH-Firewall-1-INPUT -s .qwest.net -m tcp -p tcp --dport 22 -j ACCEPT

But this is not accepted in iptables. I'd like to use the name and not the IP, so that it will deny
a client that is not in our DNS records.

Any ideas?

Thanks,
Chris
 
Old 02-14-2007, 11:12 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Try the rule without the '.' in front of the domain name:
Code:
-A RH-Firewall-1-INPUT -s qwest.net -m tcp -p tcp --dport 22 -j ACCEPT
 
Old 02-16-2007, 12:36 PM   #3
cbidwell
LQ Newbie
 
Registered: Feb 2007
Posts: 3

Original Poster
Rep: Reputation: 0
Hi all again,

That doesn't seem to work the same. It assumes one IP address. I'd like to be able to include a whole class B or class C subnet without denoting the actual subnet, as I mentioned previously for hosts.allow:

.qwest.net

or

.gps.caltech.edu

etc.
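What is going on with the two rules in this thread, as an added example that is not part of the original posts: iptables resolves `-s qwest.net` once, when the rule is loaded, into whatever address(es) the name has at that moment, installs one rule per address, and from then on compares packets only against those literal addresses; it never does a DNS lookup per packet, and a leading dot is not a wildcard to it. hosts.allow (tcp_wrappers) does the opposite: at connection time it reverse-resolves the connecting address, confirms the name with a forward lookup, and compares the resulting name against the `.qwest.net` suffix. The Python below models both with a constructed in-memory resolver so it runs offline; the names and addresses in it are assumptions, not real qwest.net data.

```python
"""Added example: two different meanings of "allow .qwest.net".

Models (1) what iptables does with `-s hostname` when a rule is loaded and
(2) the reverse-lookup matching tcp_wrappers does for a hosts.allow pattern
such as `.qwest.net`.  Uses a constructed in-memory resolver so it runs
offline; the names and addresses are made up, not real qwest.net data.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed forward (A) and reverse (PTR) records.  Assumptions only.
A_RECORDS: Dict[str, List[str]] = {
    "qwest.net": ["203.0.113.10"],
    "dsl-1.qwest.net": ["198.51.100.7", "198.51.100.8"],
    # No A record exists for "fake.qwest.net" (see PTR_RECORDS below).
}
PTR_RECORDS: Dict[str, str] = {
    "203.0.113.10": "qwest.net",
    "198.51.100.7": "dsl-1.qwest.net",
    "198.51.100.8": "dsl-1.qwest.net",
    # The owner of 198.51.100.99 controls its reverse zone and claims a
    # qwest.net name; the forward lookup does not confirm it.
    "198.51.100.99": "fake.qwest.net",
}


def resolve_a(name: str) -> List[str]:
    return A_RECORDS.get(name.lower(), [])


def resolve_ptr(ip: str) -> str:
    return PTR_RECORDS.get(ip, "")


def expand_iptables_source(hostname: str,
                           chain: str = "RH-Firewall-1-INPUT",
                           dport: int = 22) -> Tuple[str, ...]:
    """What iptables does with '-s hostname': resolve the name once, when the
    rule is submitted, and install one rule per address returned.  A name
    that does not resolve (including '.qwest.net', which iptables does not
    treat as a wildcard) yields no rule here; real iptables refuses it with
    a "host/network ... not found" error.  Nothing is looked up per packet."""
    return tuple(
        f"-A {chain} -s {addr}/32 -p tcp -m tcp --dport {dport} -j ACCEPT"
        for addr in resolve_a(hostname)
    )


def iptables_allows(client_ip: str, rules: Tuple[str, ...]) -> bool:
    """Packet-time match: only the literal addresses baked into the rules."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        net = rule.split(" -s ", 1)[1].split()[0]
        if ip in ipaddress.ip_network(net, strict=False):
            return True
    return False


def verified_hostname(client_ip: str) -> str:
    """Connection-time reverse lookup with forward confirmation, as
    tcp_wrappers does before matching hostname patterns: the PTR name counts
    only if its own A records include the connecting address.  Otherwise the
    host is treated as unknown and can match only address patterns."""
    name = resolve_ptr(client_ip).lower()
    if name and client_ip in resolve_a(name):
        return name
    return ""


def hosts_allow_match(client_ip: str, patterns: List[str]) -> bool:
    """hosts.allow client-list matching for the common pattern forms:
    '.domain' (name suffix), 'a.b.c.' (address prefix), 'ALL', or an exact
    hostname or address."""
    name = verified_hostname(client_ip)
    for pat in patterns:
        pat = pat.lower()
        if pat == "all":
            return True
        if pat.startswith("."):
            # Suffix match on the verified name; 'qwest.net' itself is not
            # matched by '.qwest.net' (tcp_wrappers requires a longer name).
            if name and len(name) > len(pat) and name.endswith(pat):
                return True
        elif pat.endswith("."):
            if client_ip.startswith(pat):
                return True
        elif pat in (name, client_ip):
            return True
    return False


if __name__ == "__main__":
    rules = expand_iptables_source("qwest.net")
    print("iptables rules installed for 'qwest.net':", *rules, sep="\n  ")
    for ip in ("203.0.113.10", "198.51.100.7", "198.51.100.99"):
        print(f"{ip:15} iptables: {iptables_allows(ip, rules)!s:5} "
              f"hosts.allow .qwest.net: {hosts_allow_match(ip, ['.qwest.net'])}")
```

Two practical consequences follow from the model. First, a rule with `-s qwest.net` admits only the address that name had when the ruleset was loaded, so a client such as `dsl-1.qwest.net` is dropped even though its name is inside the domain; re-resolving a fixed list of hostnames from cron and reloading the rules gets you current addresses, but still never a wildcard. Second, hosts.allow-style matching trusts DNS: whoever controls the reverse zone for an address can put any name in it, which is why the forward-confirmation step matters, and why a decision that must be made at the packet level has to be expressed as address ranges rather than names.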
 
Old 02-17-2007, 12:19 PM   #4
friendklay
Member
 
Registered: Jan 2003
Posts: 36

Rep: Reputation: 15
Quote:
Originally Posted by cbidwell
Hi all again,

That doesn't seem to work the same. It assumes one IP address. I'd like to be able to include a whole class B or class C subnet without denoting the actual subnet, as I mentioned previously for hosts.allow:

.qwest.net

or

.gps.caltech.edu

etc.
I have a similar query, so I am hijacking your thread. What I have is Apache listening on port 443, and I have only one IP. I also need to get SSH on port 443 (the ISP blocks 22 and any other ports). What I tried was the following rule:
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp -d shell.mydomain.com --dport 443 -j REDIRECT --to-port 22
However, the rule is working on the IP and not on the name (that is, shell.mydomain.com). I need iptables to port-forward based on name rather than IP. Any solutions?

Last edited by friendklay; 02-17-2007 at 12:20 PM.
 
Old 02-18-2007, 04:24 AM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by friendklay
I have a similar query, so I am hijacking your thread. What I have is Apache listening on port 443, and I have only one IP. I also need to get SSH on port 443 (the ISP blocks 22 and any other ports). What I tried was the following rule:
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp -d shell.mydomain.com --dport 443 -j REDIRECT --to-port 22
However, the rule is working on the IP and not on the name (that is, shell.mydomain.com). I need iptables to port-forward based on name rather than IP. Any solutions?
friendklay, please start your own thread for this question.

I'd suggest the Linux - Networking forum. Thanks.
 
  

