How to use FQDN in firewall rules for GNU/Linux?


Solution 1

As per Darren's suggestion, I wrote up a shell script that looks up the IP, then adjusts firewall rules as necessary (and, by necessary, I mean delete everything from earlier and replace it with the right IP). Here's the script:

#!/bin/bash

target_hosts="dynhost.does-not-exist.com another-host.does-not-exist.com"

# Rotate the list of addresses that were allowed on the previous run
if [ -f "/root/dynblock-curr" ]; then
    mv /root/dynblock-curr /root/dynblock-prev
fi

touch /root/dynblock-curr

if [ -f "/root/dynblock-prev" ]; then
    # Remove previously set firewall allows
    while read -r prev_ip; do
        ufw delete allow from "$prev_ip" to any app OpenSSH > /dev/null
    done < /root/dynblock-prev
fi

for target_host in $target_hosts; do
    # Look up the first A record per host. "host" prints
    # "<name> has address <ip>" for each A record, and an error line
    # (e.g. "Host ... not found: 3(NXDOMAIN)") when the lookup fails.
    target_ip=$(host -t A "$target_host" | awk '/has address/ { print $4; exit }')
    # Only add a rule when the lookup produced a dotted-quad address.
    # Testing $? here would only check the last command in the pipeline
    # (cut/awk), not host, so a failed lookup would otherwise be passed
    # to ufw as an "address".
    if [[ "$target_ip" =~ ^[0-9]+(\.[0-9]+){3}$ ]]; then
        echo "$target_ip" >> /root/dynblock-curr
        ufw allow from "$target_ip" to any app OpenSSH > /dev/null
    fi
done

Obviously, I didn't intend to spend more than the required number of brain cells on this. This has been tested and guaranteed to Work For Me(tm). This is executed through cron every 15 minutes.

Another (just as obvious) note: I ended up using ufw to manage iptables rules for me (as I said, minimum brain cell count).

Solution 2

In your /etc/nsswitch.conf, determine the order of host resolution.

If your hosts line is

hosts: files dns

Then it will check your /etc/hosts file first before DNS.

Put the FQDN within your /etc/hosts file.

The other option is to change from firewall blocking to using tcp_wrappers, which can match via DNS lookup. DNS lookups in firewalls can be problematic and run counter to security concepts. Another option is to run a daemon that queries the DynDNS name, determines whether it has changed, and then applies the change to your iptables.

Author: Weasler

Updated on September 17, 2022

Comments

  • Weasler
    Weasler over 1 year

    I'm trying to set up a firewall for one of our GNU/Linux systems. AFAIK, iptables and its ilk cannot make use of FQDNs in their configuration, since they're expected to be operational before the network interface is set up and before access to DNS servers is available.

    However, from my experience with CentOS, I know of at least one solution: apf. However, I can't get it to work properly under Arch Linux. (iptables -nvL produces a clean-slate result; nothing like what I get when executing the same command on our development servers.)

    I'm wondering if there's anybody here who's managed to get apf working on Arch Linux, or knows of another firewall frontend or another firewall altogether that can work with FQDNs in its rules.

    Please note that the target FQDNs are from dynamic DNS services like DynDNS. I'd like to know if there's a way to get the firewall to do DNS lookups, the way (I think) apf does.

    Reverse DNS lookups (which, AFAIK, is what happens when an FQDN is placed in /etc/hosts.allow and it can't be found in /etc/hosts) do not work in this case, because, for example, my IP will not resolve to my DynDNS FQDN.

    (Also, please tell me if this is better asked on ServerFault.)

  • Darren Hall
    Darren Hall over 14 years
    I had a perl script that was run from cron every 5 minutes. It would do a DNS lookup, save the name <> IP address pairing into a /var file, then compare that to existing iptables rules. I didn't look too hard to see if there was something already written, since what I needed was pretty simple.
  • Weasler
    Weasler over 14 years
    Sweet! Thanks for the tip! I'm going to try and implement it the same way. :)
  • Darren Hall
    Darren Hall over 14 years
    One thing I'll caution: whenever running any daemon-style process via cron, use some form of locking to prevent it from doubling up. This is especially true when you're dependent upon outside sources like doing a DNS lookup.
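As an added example (not code from the original answer or from either commenter), the script below reworks the approach of Solution 1 and also applies Darren Hall's locking caveat. It differs from the script in the answer in four ways: overlapping cron runs are prevented with flock(1) from util-linux; the `host -t A` output is parsed and each address validated, so an NXDOMAIN or SERVFAIL message is never handed to ufw as an address; only addresses that actually changed are deleted or added, so an unchanged allow rule is never removed and re-added; and when a lookup returns nothing, the host's last known addresses are kept rather than dropping the allow rule on a transient DNS failure. The state and lock file paths, the `DRY_RUN` and `TARGET_HOSTS` variables, the `run` argument, and the hostnames are assumptions for the example, not values from the page.

```shell
#!/bin/sh
# Example dynamic-DNS allow-rule refresher for ufw (added example, not the
# original poster's script). Paths, variables and hostnames are constructed.
set -u

TARGET_HOSTS="${TARGET_HOSTS:-dynhost.does-not-exist.com another-host.does-not-exist.com}"
STATE_FILE="${DYNBLOCK_STATE:-/var/lib/dynblock/allowed}"   # lines: "<host> <ip>"
LOCK_FILE="${DYNBLOCK_LOCK:-/var/lock/dynblock.lock}"
DRY_RUN="${DRY_RUN:-0}"                                      # 1 = print ufw commands only

# Print the IPv4 addresses from "host -t A" output read on stdin. Error lines
# such as "Host x not found: 3(NXDOMAIN)" lack the "has address" fields and
# are dropped, as are MX/CNAME lines.
parse_a_records() {
    awk '$2 == "has" && $3 == "address" { print $4 }'
}

# True only for a dotted quad whose octets are 0-255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# Resolve one host ($1) into "<host> <ip>" lines. On an empty or invalid
# result, fall back to that host's lines from the previous state ($2) so a
# transient DNS failure does not silently drop the allow rule.
resolve_host() {
    r_host=$1
    r_found=$(host -t A "$r_host" 2>/dev/null | parse_a_records | while read -r ip; do
        is_ipv4 "$ip" && printf '%s %s\n' "$r_host" "$ip"
    done)
    if [ -n "$r_found" ]; then
        printf '%s\n' "$r_found"
    else
        printf '%s\n' "$2" | awk -v h="$r_host" '$1 == h'
    fi
}

# The address column of every "<host> <ip>" line in $1.
ips_of() {
    printf '%s\n' "$1" | awk 'NF == 2 { print $2 }'
}

# Compare previous ($1) and current ($2) newline-separated address lists and
# print "del <ip>" for stale addresses and "add <ip>" for new ones.
plan_changes() {
    p_prev=" $(printf '%s\n' "$1" | tr '\n' ' ') "
    p_curr=" $(printf '%s\n' "$2" | tr '\n' ' ') "
    for ip in $1; do
        case "$p_curr" in *" $ip "*) ;; *) printf 'del %s\n' "$ip" ;; esac
    done
    for ip in $2; do
        case "$p_prev" in *" $ip "*) ;; *) printf 'add %s\n' "$ip" ;; esac
    done
}

# Run, or with DRY_RUN=1 just print, a ufw command.
fw() {
    if [ "$DRY_RUN" = "1" ]; then printf 'ufw %s\n' "$*"; else ufw "$@" > /dev/null; fi
}

main() {
    mkdir -p "$(dirname "$STATE_FILE")"
    exec 9> "$LOCK_FILE"
    # Non-blocking lock: a second cron instance exits instead of doubling up
    flock -n 9 || { echo "dynblock: previous run still active, skipping" >&2; exit 0; }
    prev=""
    [ -f "$STATE_FILE" ] && prev=$(cat "$STATE_FILE")
    curr=""
    for h in $TARGET_HOSTS; do
        curr="$curr$(resolve_host "$h" "$prev")
"
    done
    plan_changes "$(ips_of "$prev")" "$(ips_of "$curr")" | while read -r op ip; do
        case "$op" in
            del) fw delete allow from "$ip" to any app OpenSSH ;;
            add) fw allow from "$ip" to any app OpenSSH ;;
        esac
    done
    # Write the new state atomically so a crash mid-run cannot truncate it
    printf '%s\n' "$curr" | grep -v '^$' > "$STATE_FILE.tmp"
    mv "$STATE_FILE.tmp" "$STATE_FILE"
}

# Start only when invoked as "dynblock.sh run" (for example from cron)
case "${1:-}" in run) main ;; esac
```

Run it from cron as `dynblock.sh run`; with `DRY_RUN=1` it prints the ufw commands it would issue instead of executing them, which is a convenient way to check the diff logic before enabling it. Keeping the last known addresses on a failed lookup is a deliberate choice for an allow rule (losing SSH access on a DNS hiccup is worse than keeping a stale address for one interval); for a block rule the opposite bias would apply. Either way the rule is only as trustworthy as the DNS answer that produced it, so it narrows exposure rather than replacing key-based SSH authentication.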