This is a discussion on Using hostnames in iptables within the Linux Networking forums, part of the Linux Forums category.
If I write an iptables rule with a hostname, when is the hostname resolved? For example:

iptables -A INPUT -p tcp --src remoteoffice.company.com --dport 25 -j ACCEPT

I believe that "remoteoffice.company.com" is resolved at the time the "iptables" statement is executed, rather than being stored in the chain as a hostname and resolved when packets are checked. Can anyone confirm that?

If I wanted to have such a rule for a hostname whose address changed (say, a dynamic ADSL address), is there any way to do it?

mvh.,
David
"David Brown" <david.brown@hesbynett.removethisbit.no> wrote in message
news:47dd77b4$0$8159$8404b019@news.wineasy.se...
> If I write an iptables rule with a hostname, when is the hostname
> resolved? For example:
>
> iptables -A INPUT -p tcp --src remoteoffice.company.com --dport 25 -j ACCEPT
>
> I believe that "remoteoffice.company.com" is resolved at the time the
> "iptables" statement is executed, rather than being stored in the chain
> as a hostname and resolved when packets are checked. Can anyone confirm
> that?

Correct. Resolved when the command is loaded.

Watch out for names that resolve to more than one address.
D. Stussy wrote:
> "David Brown" <david.brown@hesbynett.removethisbit.no> wrote in message
> news:47dd77b4$0$8159$8404b019@news.wineasy.se...
>> If I write an iptables rule with a hostname, when is the hostname
>> resolved? For example:
>>
>> iptables -A INPUT -p tcp --src remoteoffice.company.com --dport 25 -j ACCEPT
>>
>> I believe that "remoteoffice.company.com" is resolved at the time the
>> "iptables" statement is executed, rather than being stored in the chain
>> as a hostname and resolved when packets are checked. Can anyone confirm
>> that?
>
> Correct. Resolved when the command is loaded.
>
> Watch out for names that resolve to more than one address.

Thanks for confirming that for me. I'll only be using it for names that I have control over and which will resolve to a single address.

I suppose that the most convenient way to update such rules when the IP address changed would be to put them into a separate chain, which could then be flushed and re-loaded without affecting other rules in the tables.

mvh.,
David
"David Brown" <david.brown@hesbynett.removethisbit.no> wrote in message
news:47ddb5ae$0$8161$8404b019@news.wineasy.se...
> D. Stussy wrote:
>> "David Brown" <david.brown@hesbynett.removethisbit.no> wrote in message
>> news:47dd77b4$0$8159$8404b019@news.wineasy.se...
>>> If I write an iptables rule with a hostname, when is the hostname
>>> resolved? For example:
>>>
>>> iptables -A INPUT -p tcp --src remoteoffice.company.com --dport 25 -j ACCEPT
>>>
>>> I believe that "remoteoffice.company.com" is resolved at the time the
>>> "iptables" statement is executed, rather than being stored in the chain
>>> as a hostname and resolved when packets are checked. Can anyone confirm
>>> that?
>>
>> Correct. Resolved when the command is loaded.
>>
>> Watch out for names that resolve to more than one address.
>
> Thanks for confirming that for me. I'll only be using it for names that
> I have control over and which will resolve to a single address. I
> suppose that the most convenient way to update such rules when the IP
> address changed would be to put them into a separate chain, which could
> then be flushed and re-loaded without affecting other rules in the tables.

If you're using a script to set up multiple rules for your own server, it's better to use iptables-restore than individual iptables lines.
On Sun, 16 Mar 2008 17:37:54 -0800, D. Stussy wrote:
> If you're using a script to set up multiple rules for your own server,
> it's better to use iptables-restore than individual iptables lines.

Even where the actual change is a relatively small part of the set of all rulesets? Is there some crossover point at which this isn't true, or is it true regardless of how large the entire set and how small the changes?

- Andrew
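The points raised in the thread (the name is resolved once when the rule is loaded, a name with several addresses expands into several rules, a dedicated chain can be flushed and refilled on its own, and iptables-restore is preferable to a string of iptables invocations) fit together in one small script. The following is an added example written for this page, not code posted by any of the participants. The hostname remoteoffice.company.com, the chain name REMOTEOFFICE, the state file path and the port are assumed values; it also assumes that INPUT already contains a single "-j REMOTEOFFICE" jump installed with the rest of the firewall, and that iptables-restore --noflush behaves as documented, flushing and refilling only the user chain declared in the fragment and leaving every other chain in the table as it was.

```shell
#!/bin/sh
# Added example, not code from the thread. Keeps a dedicated iptables chain
# for one dynamically addressed host and reloads only that chain when the
# name's address changes. HOST, CHAIN, STATE and PORT are assumed values.
set -u

HOST="${HOST:-remoteoffice.company.com}"      # assumed hostname
CHAIN="${CHAIN:-REMOTEOFFICE}"                # assumed user chain, jumped to from INPUT
STATE="${STATE:-/var/lib/remoteoffice.addr}"  # assumed file holding the last address loaded
PORT="${PORT:-25}"

# Reduce getent-style output (one line per socket type, address first) to a
# single address. Fails if the name maps to zero or several addresses, because
# iptables would silently expand a multi-address name into one rule per address.
one_addr() {
    addrs=$(awk '{print $1}' | sort -u)
    [ "$(printf '%s\n' "$addrs" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$addrs"
}

# Resolve the name once, now, the way iptables itself does at rule-load time.
resolve_one_v4() { getent ahostsv4 "$1" | one_addr; }

# Emit an iptables-restore fragment for the dedicated chain only. Fed to
# iptables-restore --noflush, the ':CHAIN - [0:0]' line flushes that user chain
# and the -A line refills it; INPUT and every other chain are left untouched.
build_fragment() {
    printf '*filter\n'
    printf ':%s - [0:0]\n' "$CHAIN"
    printf '%s -s %s/32 -p tcp --dport %s -j ACCEPT\n' "-A $CHAIN" "$1" "$PORT"
    printf 'COMMIT\n'
}

# Exit 0 when the freshly resolved address differs from the recorded one.
addr_changed() { [ "$1" != "$2" ]; }

# Run periodically (e.g. from cron). Exit 0 after a reload, 1 when nothing
# changed, 2 when resolution or the reload failed.
refresh_chain() {
    new=$(resolve_one_v4 "$HOST") || return 2
    old=$(cat "$STATE" 2>/dev/null || true)
    addr_changed "$new" "$old" || return 1
    build_fragment "$new" | iptables-restore --noflush || return 2
    printf '%s\n' "$new" > "$STATE"
}

if [ "${1:-}" = "refresh" ]; then
    refresh_chain
fi
```

To confirm what the kernel actually holds after a reload, inspect the chain with iptables-save or "iptables -S REMOTEOFFICE": both print the stored address. "iptables -L" without -n performs a reverse lookup on each address at display time, which can give the impression that the hostname was stored when it was not.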