Making iptables easier to maintain

domain-name-system firewall iptables ip-address hostname

Solution 1:

  • DNS Names are resolved when the rules are added, not, when packets are checked. This violates the expectations most people have.
    • The rule does not get updated to reflect changed DNS results. It is resolved when added and that is it. You will need to either periodically reload rules, or some sites may break.
  • There is a bit of a security issue in that you are basically delegating control of your firewall rules to an external entity.
    • What if your parent DNS server is compromised and returns false data.

If your purpose is to block HTTP access, then you are usually far better of setting up a piece of software designed to filter at that level (e.g. squid+squidquard).

Solution 2:

If you use hostnames in your firewall, your firewall is now dependent on DNS. This opens the firewall to a number of issues:

  • DNS lookups under high volumes could cause latency.
  • DNS changes do not propagate instantly. So your firewall could be using cached IPs.
  • DNS can be spoofed, hijacked, hacked.
  • DNS can fail - meaning your firewall fails.
  • Your firewall rules are now controlled by a 3rd party.

If you use hostnames and you do not control the DNS, then someone else effectively controls your IPtables rules. Mistakes, errors or security issues on their end become problems for you.

The only time I've seen hostnames used well is for internal operations. I've worked in an office where IPs and hostnames were assigned via DHCP. The firewalls used hostnames to put barriers between different groups. Since this was all internally controlled it worked well.

Solution 3:

You could use a wrapper around iptables like shorewall to make your rules easier to mantain.

Related

Mongodb - proper way to rotate logs
SSH into NAT'd servers on the same public IP address
Is there a standard method of proving password security to non-mathematicians?
How to use find command to delete files matching a pattern?
Using rsync to only delete extraneous files
Do Dual CPUs Provide Fault Tolerance?
Determine Location of Inode Usage
IT Services: In House or Outsource?
What does @ mean in a hostname in DNS configuration?
DNS MX/SPF/DMARC records without actuall emails on domain
Why is there a difference with Unix date between 2 and 3 months
Low-end hardware RAID vs Software RAID [closed]