plice Tux's lil' helper
Joined: 09 Nov 2009 Posts: 84 Location: Poland
Posted: Tue Apr 15, 2014 7:53 am Post subject: iptables + resolve domain name
Hi,
I'm using a dynamic IP to access a PC. I have a dynamic domain, etc.
I've got a simple script that checks the domain; if it differs, it restarts iptables. That's working fine.
What I'm stuck at is that iptables is dropping that domain:
$IPTABLES -F
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "DROP INVALID STATE " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
allow a few IPs other than the home net, e.g.:
$IPTABLES -A INPUT -p tcp -i eth0 -s xxxx.xxx.xx.xx --match multiport --dports xxx --syn -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -i eth0 -m string --string "domain.name" --algo bm -j ACCEPT <-- works ok
Up to this point iptables is able to resolve domain.name and use it.
...
$IPTABLES -A INPUT -i eth0 -m iprange ! --src-range $HOME_NET -j LOG --log-prefix "IPs out of range "
$IPTABLES -A INPUT -i eth0 -m iprange ! --src-range $HOME_NET -j DROP <-- domain name is dropped.
If I change the domain name to IP, it works fine; the line above won't block it. I've tried:
$IPTABLES -A INPUT -i eth0 -m iprange ! --src-range $HOME_NET -j -m string ! --string "domain.name" --algo bm LOG --log-prefix "IPs out of range "
Whatever I do, the domain name is being dropped.
Is it possible to refer in iptables to a bash variable? I can drop the IP instead of resolving it.
Thanks!
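The approach the poster hints at (resolve the name in the shell and hand iptables the address), as an added example that is not part of the original post: iptables resolves a hostname passed to -s only when the rule is loaded, and -m string matches bytes in the packet payload, not the source address, so the re-resolution has to happen in the script. eth0, the port, HOME_NET, the cache path and the glibc getent lookup are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. iptables resolves a hostname
# given to -s only once, when the rule is loaded, and -m string inspects
# packet payload rather than the peer address, so the script re-resolves
# the dynamic DNS name itself and feeds the address to -s as a variable.
# Assumptions: eth0, the port, HOME_NET, CACHE and glibc getent.
IPTABLES=${IPTABLES:-/sbin/iptables}
HOME_NET=${HOME_NET:-192.168.1.1-192.168.1.254}   # placeholder home range
CACHE=${CACHE:-/var/run/remote_ip}                # placeholder cache path

# First IPv4 address for a name, from /etc/hosts or DNS; empty if unresolved.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Refuse anything that is not a dotted quad, so a failed lookup never
# produces a rule with an empty or malformed -s argument.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# True when the cache file is missing or holds a different address.
needs_reload() {  # args: cachefile ip
    [ "$(cat "$1" 2>/dev/null)" != "$2" ]
}

# ACCEPT rule for the remote host; it must precede the iprange DROP because
# iptables walks the chain top to bottom and stops at the first ACCEPT/DROP.
allow_rule() {  # args: ip port
    printf '%s -A INPUT -p tcp -i eth0 -s %s --dport %s --syn -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$IPTABLES" "$1" "$2"
}

# Full INPUT rule set for the resolved address; pipe the output into sh.
render_rules() {  # args: ip port
    printf '%s -F\n%s -P INPUT DROP\n' "$IPTABLES" "$IPTABLES"
    printf '%s -A INPUT -i lo -j ACCEPT\n' "$IPTABLES"
    printf '%s -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$IPTABLES"
    allow_rule "$1" "$2"
    printf '%s -A INPUT -i eth0 -m iprange ! --src-range %s -j DROP\n' "$IPTABLES" "$HOME_NET"
}

# Cron entry point: REMOTE_HOST=home.example.net REMOTE_PORT=22 sh this.sh
if [ -n "$REMOTE_HOST" ]; then
    ip=$(resolve_ipv4 "$REMOTE_HOST")
    is_ipv4 "$ip" || { echo "cannot resolve $REMOTE_HOST" >&2; exit 1; }
    if needs_reload "$CACHE" "$ip"; then
        render_rules "$ip" "${REMOTE_PORT:-22}" | sh && printf '%s\n' "$ip" >"$CACHE"
    fi
fi
```

Because the rules are only reloaded when the cached address changes, a transient DNS failure leaves the previous rule set in place instead of locking the remote host out.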