jzono1 (Tux's lil' helper) | Joined: 01 Feb 2004 | Posts: 128
Posted: Tue Jan 24, 2006 12:50 pm | Post subject: DNS, iptables and dropping.
My apache serves different pages depending on the DNS address resolved to get to it. Would it be possible to only allow ssh IF ssh was initiated by ssh some.host.my.domain.com, but NOT some.other.host.my.domain.com?
tuxmin (l33t) | Joined: 24 Apr 2004 | Posts: 838 | Location: Heidelberg
Posted: Tue Jan 24, 2006 2:03 pm
Certainly, you can filter by source and/or target address. However, as it's called ipfilter and not dnsfilter, you cannot create rules by dns names if that was your question.
alex
_________________
ALT-F4
jzono1 (Tux's lil' helper) | Joined: 01 Feb 2004 | Posts: 128
Posted: Tue Jan 24, 2006 7:16 pm
Well, DNS names are what I'd want.
Like, run a public http server on my.example.domain.com, just letting through port 80 when someone scans my.example.domain.com, but allow ssh on another DNS name.
Is it even possible?
tuxmin (l33t) | Joined: 24 Apr 2004 | Posts: 838 | Location: Heidelberg
Posted: Wed Jan 25, 2006 9:03 am
You can always try to resolve these dns names to IP addresses. However, things will break with dynamic IPs.
_________________
ALT-F4
HAL_9000 (Tux's lil' helper) | Joined: 29 Sep 2004 | Posts: 114 | Location: Netherlands
Posted: Wed Jan 25, 2006 1:16 pm
```shell
# Accept new SSH connections (port 22) from the allowed host only
/sbin/iptables -A INPUT -i $iface -p tcp -s $youralloweddnsentry --sport 1024: -d $ip --dport 22 -m state --state NEW -j ACCEPT
# Let the replies of that SSH session back out (everything except a fresh SYN)
/sbin/iptables -A OUTPUT -o $iface -p tcp ! --syn -s $ip --sport 22 -d $youralloweddnsentry --dport 1024: -j ACCEPT
```
with $iface being the network device in question, $ip being the IP of that network device in question,
and $youralloweddnsentry the hostname you want to connect from...
(written for a DROP the rest policy :> )
_________________
We are the keepers of the sacred words: Ni peng and Nee wom!
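What actually happens with a hostname in `-s` is that iptables resolves it once, when the rule is inserted, and installs one rule per address it gets back; the kernel never sees a name. That is also why the server cannot tell which of two DNS names an SSH client used: unlike HTTP, which carries the name in its Host header, a TCP connection only carries the destination IP, so a name-based rule can only ever distinguish *where the client comes from*, not which name it typed. The script below, an added example and not code from the thread, makes the resolution step explicit so it can be re-run from cron when the allowed host has a dynamic address: it builds the same INPUT/OUTPUT pair as the post above for every IPv4 address a hostname resolves to, warns when a name does not resolve (the host then stays dropped rather than silently opening anything), and ships with a constructed stub resolver so it runs offline. `IFACE`, `MYIP`, `admin.example.com` and the 203.0.113.x addresses are placeholders. Keep in mind that the rule set is then only as trustworthy as the DNS answer that produced it.

```shell
#!/bin/sh
# Added example (not from the thread): generate per-address iptables rules for
# SSH from a list of allowed hostnames. Resolution happens here, once, at
# generation time; re-run the script (e.g. from cron) to follow dynamic IPs.
# IFACE and MYIP are placeholder values for this host's interface and address.

IFACE="${IFACE:-eth0}"
MYIP="${MYIP:-192.0.2.10}"   # address of this host on IFACE (documentation range)

# Real resolver: prints one IPv4 address per line, de-duplicated.
resolve_v4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Emit the INPUT/OUTPUT rule pair (same shape as the post above) for one address.
rules_for_addr() {
    addr="$1"
    printf 'iptables -A INPUT -i %s -p tcp -s %s --sport 1024: -d %s --dport 22 -m state --state NEW -j ACCEPT\n' \
        "$IFACE" "$addr" "$MYIP"
    printf 'iptables -A OUTPUT -o %s -p tcp ! --syn -s %s --sport 22 -d %s --dport 1024: -j ACCEPT\n' \
        "$IFACE" "$MYIP" "$addr"
}

# Generate rules for every address of every allowed hostname.
# $1 is the resolver function to use (so the demo can run offline);
# the remaining arguments are hostnames.
generate_rules() {
    resolver="$1"; shift
    for host in "$@"; do
        addrs=$("$resolver" "$host")
        if [ -z "$addrs" ]; then
            # No answer: add nothing, so under a DROP policy the host stays blocked.
            echo "# WARNING: $host did not resolve; no rule added" >&2
            continue
        fi
        for a in $addrs; do
            echo "# $host -> $a"
            rules_for_addr "$a"
        done
    done
}

# Number of ACCEPT rules the generator would install (used for checking).
count_accept_rules() {
    generate_rules "$@" | grep -c '^iptables ' || true
}

# Constructed stub resolver for the offline demonstration; a hostname with
# two A records shows why one name can turn into several rules.
stub_resolve() {
    case "$1" in
        admin.example.com) printf '203.0.113.5\n203.0.113.6\n' ;;
        *) : ;;   # unknown name: no answer
    esac
}

# Stand-alone demo: swap stub_resolve for resolve_v4 to use real DNS.
generate_rules stub_resolve admin.example.com nope.example.com
```

In real use, pipe the output into `sh` after flushing the previous rules for that chain, or save it with `iptables-save` semantics in mind; the point of keeping generation separate from loading is that a failed lookup produces a visible warning and no rule, instead of a half-applied rule set.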