iptables rules cannot be loaded at boot time when domain names are used in iptables rules

Hi, I have the following rule in my iptables, and all chains are empty when the server is booted.
-A INPUT -s yahoo.com -j DROP
Or
-A INPUT -s yahoo.com -p tcp --dport 21 -j DROP
If I manually run /etc/init.d/iptables start, all iptables rules can be loaded. Also if an IP address is used as follows, iptables can be loaded at boot time.
-A INPUT -s 66.33.210.0/24 -j DROP
I have checked a few books and websites; they all show that domain names can be used in iptables rules. Thanks.

On Mon, 2 Jun 2014, "Wenjian Bill Yang" <byang_32@yahoo.com> wrote:
I have the following rule in my iptables, and all chains are empty when the server is booted.
-A INPUT -s yahoo.com -j DROP
Or
-A INPUT -s yahoo.com -p tcp --dport 21 -j DROP
Firstly that sort of rule probably won't get the result you desire. Big services such as yahoo tend to use different addresses for sending and receiving. So any address they use for receiving data (in this case a web server) probably won't be used for sending data (i.e. making port 21 connections to your system).
if I manually run /etc/init.d/iptables start, all iptables rules can be loaded.
Also if an IP address is used as follows, iptables can be loaded at boot time.
-A INPUT -s 66.33.210.0/24 -j DROP
Probably DNS isn't available in the early stages of the boot process. What is in /etc/resolv.conf? Does it point to something at the other end of a PPP link (or any link that will take time to establish) or localhost (iptables probably starts before BIND)?
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

Thanks for your reply. I just used Yahoo.com as an example. In fact, you cannot use any domain names in iptables rules. I have come across a website that stated that "the iptables service starts before any DNS-related services when a Linux system is booted. This means that firewall rules can only reference numeric IP addresses (for example, 192.168.0.1). Domain names (for example, host.example.com) in such rules produce errors." However, many tutorials on websites nowadays have examples of using domain names in iptables rules.
-----Original Message-----
From: Russell Coker [mailto:russell@coker.com.au]
Sent: Monday, June 02, 2014 11:08 AM
To: luv-main@luv.asn.au
Cc: Wenjian Bill Yang
Subject: Re: iptables rules cannot be loaded at boot time when domain names are used in iptables rules

I had to do this once for an OpenVPN tunnel which had a dyndns address on the remote end. IIRC, I just flushed and reloaded the firewall from rc.local. Then there was the issue of the remote end dropping off and coming back with a new dynamically allocated IP and not being able to re-establish the tunnel. So I had some script keep checking for any disconnects, and if the IP changed, reloaded the relevant iptables rules again (based on the latest dyndns lookup).
Crispy.
On 02/06/14 11:27, Wenjian Bill Yang wrote:
Thanks for your reply. I just used Yahoo.com as an example. In fact, you cannot use any domain names in iptables rules. I have come across a website that stated that "the iptables service starts before any DNS-related services when a Linux system is booted. This means that firewall rules can only reference numeric IP addresses (for example, 192.168.0.1). Domain names (for example, host.example.com) in such rules produce errors." However, many tutorials on websites nowadays have examples of using domain names in iptables rules.

On Mon, 2 Jun 2014, "Wenjian Bill Yang" <byang_32@yahoo.com> wrote:
I just used Yahoo.com as an example. In fact, you cannot use any domain names in iptables rules. I have come across a website that stated that "the iptables service starts before any DNS-related services when a Linux system is booted. This means that firewall rules can only reference numeric IP addresses (for example, 192.168.0.1). Domain names (for example, host.example.com) in such rules produce errors." However, many tutorials on websites nowadays have examples of using domain names in iptables rules.
It looks like you are using the RHEL/CentOS init scripts. You can change the order of them; look at the start of the init.d script for comments which determine the order. Or you could just reload from /etc/rc.local.
On Mon, 2 Jun 2014, Tony Crisp <supervoc@arc.net.au> wrote:
Then there was the issue of the remote end dropping off and coming back with a new dynamically allocated IP and not being able to re-establish the tunnel. So I had some script keep checking for any disconnects, and if the IP changed, reloaded the relevant iptables rules again (based on the latest dyndns lookup).
OpenVPN supports running scripts on various events. You could make it launch a script when it gets a connection.
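One way to do what Russell suggests for Tony's dyndns peer, as an added example that is not from anyone in this thread: an OpenVPN --up/--down hook that re-points a dedicated firewall chain at the peer's current address, so the rule never needs a DNS lookup. It assumes a chain named VPN_PEER (constructed) created by the boot ruleset, a constructed policy (the peer may reach local TCP port 22), and OpenVPN's documented `script-security 2`, `up` and `down` options, which export the peer's real address as `$trusted_ip` and the event as `$script_type`.

```shell
#!/bin/sh
# Added example (not from the thread): an OpenVPN --up/--down hook that keeps a
# firewall chain pointed at the peer's CURRENT address, so a dyndns peer that
# reconnects from a new IP needs no DNS lookup at all. Assumes a chain named
# VPN_PEER (constructed) created by the boot ruleset, a constructed policy
# (the peer may reach local TCP port 22), and these openvpn options:
#   script-security 2   up /path/to/this   down /path/to/this
# OpenVPN exports the peer's real address as $trusted_ip and the event as
# $script_type. The OpenVPN port itself must already be reachable, since the
# hook only fires after the handshake has completed.
set -u

CHAIN=VPN_PEER
PEER_TCP_PORT=22

# Accept only a dotted-quad IPv4 literal; never hand an unchecked environment
# value to iptables.
valid_ipv4() {
    echo "$1" | awk -F. 'NF == 4 { for (i = 1; i <= 4; i++)
                                     if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
                                   exit 0 }
                         { exit 1 }'
}

# Emit the iptables commands for an "up" or "down" event as text, so they can
# be reviewed (and tested) before they are executed.
peer_rules() {    # $1 event (up|down), $2 peer address
    valid_ipv4 "$2" || { echo "bad peer address: '$2'" >&2; return 1; }
    printf 'iptables -F %s\n' "$CHAIN"            # forget the old address
    if [ "$1" = up ]; then
        printf 'iptables -A %s -s %s -p tcp --dport %s -j ACCEPT\n' \
            "$CHAIN" "$2" "$PEER_TCP_PORT"
    fi
}

main() {
    case "${script_type:-}" in
        up|down) peer_rules "$script_type" "${trusted_ip:-}" | sh -e ;;
        *) echo "unexpected event '${script_type:-}'" >&2; exit 2 ;;
    esac
}

# Only act when OpenVPN invoked us (it sets script_type); sourcing or testing
# the file leaves the firewall untouched.
if [ -n "${script_type:-}" ]; then main; fi
```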

Wenjian Bill Yang wrote:
I have the following rule in my iptables, and all chains are empty when the server is booted.
-A INPUT -s yahoo.com -j DROP
If you're using iptables-restore[0] before the network comes up[1], then obviously only local resolution methods are available. This applies to protocols, hosts and services -- though nsswitch.conf is only configured for remote resolution of hosts (viz. DNS). Further, the names are resolved once, at ruleset load time. So the simple answer is to bake them into /etc/hosts, and to find a different way to manage access to hosts like "yahoo.com" -- e.g. an l7 proxy like squid.

Because ruleset loading is atomic (per table), and resolution failures will abort the whole commit, I start my iptables-restore with a DENY ALL ruleset, so that if the "real" ruleset fails, the users will complain, and I'll investigate, and then I'll fix it. (If it failed to ALLOW ALL, I might not hear about it for a long time, which would be BAAAAD.) This also makes it easier to spot when you accidentally add a remote resolution -- because the ruleset will fail closed immediately, rather than the next time you reboot the router.

I strongly recommend reading TPR: http://jengelh.medozas.de/documents/Perfect_Ruleset.pdf

Here are some examples I prepared earlier:
http://www.cyber.com.au/~twb/doc/iptab
http://www.cyber.com.au/~twb/doc/iptab.nat
http://www.cyber.com.au/~twb/doc/iptab.ips

[0] as you should, to avoid race conditions if the script runs more than once concurrently -- e.g. if you have a four-port ethernet card and you rerun your script when each of them come up.
[1] as you should, to avoid a window when you are accepting traffic but have no firewall.
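The fail-closed loading described in the message above, as an added example that is not from anyone in this thread: install a DENY ALL ruleset first, then scan the real ruleset for -s/-d names that are neither IP literals nor in the hosts file (the ones that would need DNS at load time and so abort the commit at boot), and only then commit it. It assumes iptables-restore(8); the ruleset and hosts file paths are arguments, and the test inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): load the firewall fail-closed, after
# checking that no -s/-d argument would need DNS at iptables-restore time.
# Assumes iptables-restore(8); the ruleset and hosts file paths are arguments.
set -u

DENY_ALL='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
'

# Print each -s/-d (or long form) argument in a ruleset file, one per line,
# skipping the "!" negation token.
rule_hosts() {
    awk '{ for (i = 1; i < NF; i++)
             if ($i ~ /^(-s|-d|--source|--destination|--src|--dst)$/) {
                 j = i + 1; if ($j == "!") j++; print $j } }' "$1"
}

# Print the names that are neither IP literals (IPv4/IPv6, optional /prefix)
# nor present in the hosts file: exactly the ones that would fail at boot.
unresolvable_names() {    # $1 ruleset file, $2 hosts file (e.g. /etc/hosts)
    rule_hosts "$1" | tr ',' '\n' | while read -r h; do
        case "$h" in
            *[!0-9./]*) ;;               # not a plain IPv4 literal, keep checking
            *) continue ;;
        esac
        case "$h" in *:*) continue ;; esac   # IPv6 literal
        # hosts file: address in field 1, names in the remaining fields
        awk -v n="$h" '!/^#/ { for (i = 2; i <= NF; i++) if ($i == n) f = 1 }
                       END { exit !f }' "$2" || echo "$h"
    done
}

# Install DENY ALL first, then the real ruleset only if the pre-check passes.
# Either failure leaves the box closed, so it gets noticed and fixed.
load_fail_closed() {      # $1 ruleset file, $2 hosts file
    printf '%s' "$DENY_ALL" | iptables-restore
    bad=$(unresolvable_names "$1" "$2")
    if [ -n "$bad" ]; then
        echo "refusing $1: needs DNS for: $bad" >&2
        return 1
    fi
    iptables-restore < "$1" || { echo "restore of $1 failed, DENY ALL stays" >&2; return 1; }
}
```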
participants (4)
- Russell Coker
- Tony Crisp
- trentbuck@gmail.com
- Wenjian Bill Yang