Making iptables easier to maintain
Solution 1:
- DNS names are resolved when the rules are added, not when packets are checked. This violates the expectations most people have.
- The rule does not get updated to reflect changed DNS results. It is resolved when added and that is it. You will need to either periodically reload rules, or some sites may break.
- There is a bit of a security issue in that you are basically delegating control of your firewall rules to an external entity.
- What if your parent DNS server is compromised and returns false data.
If your purpose is to block HTTP access, then you are usually far better off setting up a piece of software designed to filter at that level (e.g. squid+squidguard).
Solution 2:
If you use hostnames in your firewall, your firewall is now dependent on DNS. This opens the firewall to a number of issues:
- DNS lookups under high volumes could cause latency.
- DNS changes do not propagate instantly. So your firewall could be using cached IPs.
- DNS can be spoofed, hijacked, hacked.
- DNS can fail - meaning your firewall fails.
- Your firewall rules are now controlled by a 3rd party.
If you use hostnames and you do not control the DNS, then someone else effectively controls your iptables rules. Mistakes, errors or security issues on their end become problems for you.
The only time I've seen hostnames used well is for internal operations. I've worked in an office where IPs and hostnames were assigned via DHCP. The firewalls used hostnames to put barriers between different groups. Since this was all internally controlled it worked well.
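An added example, not code from any of the answers above, covering the resolve-at-add-time point in Solution 1 and the "DNS can fail" point in Solution 2: a POSIX sh script that re-resolves a hostname, rebuilds a dedicated iptables chain with the literal addresses it got, and leaves the existing rules untouched when resolution fails, so it can be run from cron instead of relying on a one-time lookup. The chain naming scheme HOST_<NAME>, the stub resolve_v4 data and the "drop HTTP to this host" policy are assumptions made for the example.

```shell
#!/bin/sh
# Refresh the iptables chain for one hostname. Rules are emitted as commands
# on stdout so they can be reviewed, or applied with: render_rules host | sh

# Resolve a hostname to IPv4 addresses, one per line.
# Constructed stub data so the example runs offline; in production replace the
# body with:  getent ahostsv4 "$1" | awk '{print $1}' | sort -u
resolve_v4() {
    case "$1" in
        example.test) printf '%s\n' 192.0.2.10 192.0.2.11 ;;
        *) return 1 ;;   # NXDOMAIN / resolver down
    esac
}

# Emit the commands that rebuild the chain for one hostname with the
# addresses resolved right now. Returns 1 (and emits nothing) if resolution
# fails, so a cron run during a DNS outage keeps the previous rules in place
# instead of flushing the chain to an empty (fail-open) state.
render_rules() {
    host=$1
    chain="HOST_$(printf '%s' "$host" | tr 'a-z.-' 'A-Z__')"   # assumed naming
    ips=$(resolve_v4 "$host") || {
        echo "resolution failed for $host; keeping existing rules" >&2
        return 1
    }
    # Create the chain if it does not exist yet, then flush and repopulate it.
    printf 'iptables -N %s 2>/dev/null || true\n' "$chain"
    printf 'iptables -F %s\n' "$chain"
    for ip in $ips; do
        # The comment records which hostname the literal address came from,
        # which is what iptables -L loses once the name has been resolved.
        printf 'iptables -A %s -d %s -p tcp --dport 80 -m comment --comment "%s" -j DROP\n' \
            "$chain" "$ip" "$host"
    done
    # Hook the chain into OUTPUT once; -C checks whether the jump already exists.
    printf 'iptables -C OUTPUT -j %s 2>/dev/null || iptables -I OUTPUT -j %s\n' \
        "$chain" "$chain"
}

# Usage: run periodically (cron) so the chain follows DNS changes.
render_rules example.test
```

Pipe the output to sh as root to apply it; the script itself only prints commands.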
Solution 3:
You could use a wrapper around iptables like shorewall to make your rules easier to maintain.