How to create an Iptables rule using domain name
Can anyone please suggest a way to use a domain name in iptables rules?
If it is at all possible, please consider setting up a transparent application-level proxy. An application proxy will probably be much easier to do this type of filtering with.
If you must do it with iptables, a kludgy option would be to create a chain, then create a command-line script that periodically updates that particular chain with the results from DNS for the name you need to use.
If someone was going to attempt to create such a thing that truly did DNS-based packet filtering, it would almost certainly have to be done via userspace. Specifically, you would use something like libnetfilter_queue. I have never used it, but Packetbl may be close to doing this; it doesn't appear to be very well maintained, though.
Another alternative might be to set up Layer 7 filtering. You might be able to filter a portion of the request if the DNS name is being transmitted as part of the payload of the packet.
I needed iptables to allow ssh access based on a domain name from my home IP but wanted to keep it closed for all other addresses. Since I have a dynamic IP that changes occasionally, I wrote a script to update the rules based on the IP of my dynamic DNS entry. I'm new at this, so I'm sure there is a better way. Replace "yourname" with your dynamic DNS hostname.
#!/bin/bash
# Look up the current address of the dynamic DNS name. nslookup prints the
# resolver's own "Address:" line first; the second "Address:" line is the answer.
/usr/bin/nslookup yourname.dynalias.org > /root/temp
found=0
address=""
ruleexists=0
while read LINE
do
    if [[ "$LINE" == Address* ]]; then
        let found++
        if [[ $found == 2 ]]; then
            # Everything after "Address:" (the leading space is dropped by word splitting below).
            address=${LINE:8}
            # Check whether a rule for this address is already loaded.
            /sbin/iptables-save > /root/rulesdump
            while read LINE2
            do
                if [[ "$LINE2" == *$address* ]]; then
                    ruleexists=1
                fi
            done < /root/rulesdump
            if [[ "$ruleexists" != 1 ]]; then
                # Remove the trailing drop rule, append the accept for the new
                # address, then put the drop back at the end of INPUT.
                /sbin/iptables -D INPUT -j LOG_DROP
                /sbin/iptables -A INPUT -s $address -p tcp -m tcp --dport 22 -j LOG_ACCEPT
                /sbin/iptables -A INPUT -j LOG_DROP
            fi
        fi
    fi
done < /root/temp
Put the above script in crontab to run every so often.
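The dedicated-chain approach from the first answer, applied to the dynamic-DNS ssh case above, as an added example that is not from any of the posters. It assumes a chain named DNS_ALLOW_SSH that INPUT jumps to, validates resolver output before it reaches the iptables command line, and deliberately keeps the old rules when DNS returns nothing.

```bash
#!/bin/bash
# Keep a dedicated iptables chain in sync with the A records of one hostname.
# One-time setup as root:  iptables -N DNS_ALLOW_SSH; iptables -I INPUT -j DNS_ALLOW_SSH
# Cron entry:              /path/to/this.sh yourname.dynalias.org
set -eu

IPTABLES="${IPTABLES:-/sbin/iptables}"   # overridable so the logic can be exercised without root
CHAIN="${CHAIN:-DNS_ALLOW_SSH}"          # assumed chain name, created once as shown above
PORT="${PORT:-22}"

# Keep only dotted-quad IPv4 addresses, sorted and de-duplicated. dig may print CNAME
# targets or nothing at all; unvalidated resolver output must never reach the iptables command line.
filter_ipv4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u || true
}

# Resolve a hostname to its IPv4 addresses, one per line.
resolve_ipv4() {
    dig +short A "$1" | filter_ipv4
}

# Source addresses currently in the chain, parsed from "iptables -S" lines such as
#   -A DNS_ALLOW_SSH -s 203.0.113.7/32 -p tcp -m tcp --dport 22 -j ACCEPT
current_sources() {
    "$IPTABLES" -w -S "$CHAIN" | sed -n 's|^-A [^ ]* -s \([0-9.]*\)/32 .*|\1|p' | sort -u
}

# Rebuild the chain from the addresses on stdin; prints skipped, unchanged or updated.
# An empty answer (DNS outage, NXDOMAIN) keeps the existing rules: flushing on no data
# would lock the administrator out instead of failing safe.
update_chain() {
    local wanted have
    wanted="$(filter_ipv4)"
    if [ -z "$wanted" ]; then echo skipped; return 0; fi
    have="$(current_sources)"
    if [ "$wanted" = "$have" ]; then echo unchanged; return 0; fi
    "$IPTABLES" -w -F "$CHAIN"
    printf '%s\n' "$wanted" | while read -r ip; do
        "$IPTABLES" -w -A "$CHAIN" -s "$ip/32" -p tcp -m tcp --dport "$PORT" -j ACCEPT
    done
    echo updated
}

# Only act when invoked with a hostname, so the functions above can also be sourced.
if [ "$#" -eq 1 ]; then
    resolve_ipv4 "$1" | update_chain
fi
```

Because the chain is rebuilt only when the resolved set differs from what is loaded, running it every few minutes from cron causes no rule churn.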
Short answer, if you are sure the IP is static forever:
iptables -A INPUT -s `dig host.your-domain-name.com +short`/32 -p tcp -m tcp --dport 22 -j ACCEPT