How to use FQDN in firewall rules for GNU/Linux?
Solution 1
As per Darren's suggestion, I wrote up a shell script that looks up the IP, then adjusts firewall rules as necessary (and, by necessary, I meant delete everything from earlier and replace with the right IP). Here's the script:
#!/bin/bash
target_hosts="dynhost.does-not-exist.com another-host.does-not-exist.com"
curr=/root/dynblock-curr
prev=/root/dynblock-prev

# Keep the IPs allowed on the previous run so they can be removed below
if [ -f "$curr" ]; then
    mv "$curr" "$prev"
fi
: > "$curr"

if [ -f "$prev" ]; then
    # Remove previously set firewall allows
    while read -r prev_ip; do
        [ -n "$prev_ip" ] && ufw delete allow from "$prev_ip" to any app OpenSSH > /dev/null
    done < "$prev"
fi

for target_host in $target_hosts; do
    # Look up IP per host. host(1) is captured on its own so that its exit
    # status is what gets tested, not the exit status of the last command
    # in a pipeline (which is always 0 for cut).
    # echo "Looking up IP for host:" $target_host
    if lookup=$(host -t A "$target_host"); then
        for target_ip in $(echo "$lookup" | awk '/has address/ { print $4 }'); do
            echo "$target_ip" >> "$curr"
            ufw allow from "$target_ip" to any app OpenSSH > /dev/null
        done
    fi
done
Obviously, I didn't intend to spend more than the required number of brain cells on this. This has been tested and guaranteed to Work For Me(tm). This is executed through cron every 15 minutes.

Another (just as obvious) note: I ended up using ufw to manage iptables rules for me (as I said, minimum brain cell count).
Solution 2
In your /etc/nsswitch.conf determine the order of host resolution.
If your hosts line is
hosts: files dns
Then it will check your /etc/hosts file first before DNS.
Put the FQDN within your /etc/hosts file.
The other option is to change from firewall blocking to using tcp_wrappers, which can match via DNS lookup. DNS lookups in firewalls can be problematic and run counter to security concepts. Another option is to run a daemon that queries the DynDNS name, determines whether it has changed, then applies the change to your iptables rules.
Weasler
Updated on September 17, 2022

Comments
-
Weasler over 1 year
I'm trying to set up a firewall for one of my GNU/Linux systems. AFAIK, iptables and its ilk cannot make use of FQDNs in their configuration, since they're expected to be operational before the network interface is set up and before access to DNSs is available. However, from my experience with CentOS, I know of at least one solution: apf. However, I can't get it to work properly under Arch Linux. (iptables -nvL produces a clean-slate result; nothing like what I get when executing the same command on our development servers.) I'm wondering if there's anybody here who's managed to get apf working on Arch Linux, or knows of another firewall frontend or another firewall altogether that can work with FQDNs in its rules. Please note that the target FQDNs are from dynamic DNS services like DynDNS. I'd like to know if there's a way to get the firewall to do DNS lookups, the way (I think) apf does. Reverse DNS lookups (which, AFAIK, is what happens when an FQDN is placed in /etc/hosts.allow and it can't be found in /etc/hosts) do not work in this case, because, for example, my IP will not resolve to my DynDNS FQDN. (Also, please tell me if this is better asked on ServerFault.)
-
Darren Hall over 14 years
I had a perl script that was run from cron every 5 minutes. It would do a DNS lookup, save the name <> IP address pairing into a /var file, then compare that to existing iptables rules. I didn't look too hard to see if there was something already written since what I needed was pretty simple.
-
Weasler over 14 years
Sweet! Thanks for the tip! I'm going to try and implement it the same way. :)
-
Darren Hall over 14 years
One thing I'll caution, whenever running any daemon style process via cron, use some form of locking to prevent it from doubling up. This is especially true when you're dependent upon outside sources like doing a DNS lookup.
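The two ideas above, Solution 2's "daemon that queries the DynDNS name, determines whether it has changed, then applies the change" and Darren Hall's caution about locking a cron-driven job, combined into one cron script. This is an added example, not code from either answerer: the host names are constructed, the chain name DYNDNS_SSH, the state and lock file paths, and the choice of getent(1) and flock(1) are all assumptions. Unlike the delete-everything-and-re-add approach in Solution 1, it computes the minimal change between the last applied set and the freshly resolved set, aborts without touching rules when a lookup fails, and keeps its rules in a dedicated chain so nothing else in INPUT is disturbed.

```bash
#!/bin/bash
# dynfw.sh: keep an iptables chain in sync with the current IPv4 addresses of
# dynamic-DNS names, changing only what actually moved, and never running twice
# at once. Hypothetical example: host names, chain name and paths are made up.
set -u

TARGET_HOSTS="dynhost.does-not-exist.com another-host.does-not-exist.com"  # constructed
CHAIN="DYNDNS_SSH"                    # dedicated chain so no other rule is touched
STATE_FILE="/var/lib/dynfw/allowed"   # IPs applied on the last successful run
LOCK_FILE="/var/lock/dynfw.lock"

# Print a name's IPv4 addresses, one per line, sorted. Returns non-zero on a
# failed lookup so that a DNS outage is distinguishable from "no address".
resolve_ipv4() {
    local out
    out=$(getent ahostsv4 "$1") || return 1
    printf '%s\n' "$out" | awk '{ print $1 }' | sort -u
}

# Compare the previously applied set ($1) with the freshly resolved set ($2),
# both newline-separated, and print "add IP" / "del IP" lines for the minimal
# change. Blank lines are ignored; output is sorted so it is deterministic.
plan_changes() {
    {
        printf '%s\n' "$1" | awk 'NF { print "have", $1 }'
        printf '%s\n' "$2" | awk 'NF { print "want", $1 }'
    } | awk '
        $1 == "have" { have[$2] = 1 }
        $1 == "want" { want[$2] = 1 }
        END {
            for (ip in want) if (!(ip in have)) print "add " ip
            for (ip in have) if (!(ip in want)) print "del " ip
        }' | sort
}

# Create the chain and hook it into INPUT once; rerunning is harmless.
ensure_chain() {
    iptables -N "$CHAIN" 2>/dev/null || true
    iptables -C INPUT -p tcp --dport 22 -j "$CHAIN" 2>/dev/null ||
        iptables -I INPUT -p tcp --dport 22 -j "$CHAIN"
}

# Apply one line from plan_changes. Only ACCEPT rules inside $CHAIN are added
# or removed; the rule that drops everyone else stays in INPUT after the jump.
apply_change() {
    case "$1" in
        add) iptables -A "$CHAIN" -s "$2" -p tcp --dport 22 -j ACCEPT ;;
        del) iptables -D "$CHAIN" -s "$2" -p tcp --dport 22 -j ACCEPT ;;
    esac
}

refresh() {
    local have want host ips
    have=$(cat "$STATE_FILE" 2>/dev/null || true)
    want=""
    for host in $TARGET_HOSTS; do
        # Abort the whole run on a failed lookup rather than deleting the
        # rules for a host we can no longer resolve.
        ips=$(resolve_ipv4 "$host") || {
            echo "dynfw: lookup failed for $host, leaving rules unchanged" >&2
            return 1
        }
        want=$(printf '%s\n%s' "$want" "$ips")
    done
    plan_changes "$have" "$want" | while read -r action ip; do
        echo "dynfw: $action $ip"
        apply_change "$action" "$ip" || exit 1   # leaves the pipeline's subshell
    done || return 1
    printf '%s\n' "$want" | sed '/^$/d' | sort -u > "$STATE_FILE"
}

main() {
    # One instance at a time, as cautioned in the comments: flock(1) holds the
    # lock on fd 9 until the script exits, and a second cron run just skips.
    mkdir -p "$(dirname "$STATE_FILE")"
    exec 9>"$LOCK_FILE"
    flock -n 9 || { echo "dynfw: previous run still active, skipping" >&2; exit 0; }
    ensure_chain
    refresh
}

# Run from cron as: dynfw.sh apply   (without the argument only the functions are defined)
if [ "${1:-}" = "apply" ]; then
    main
fi
```

The chain only ever ACCEPTs; the rule that rejects port 22 from everyone else must already sit in INPUT after the jump, otherwise the script grants nothing new but also blocks nothing. The caveat from Solution 2 still applies: whatever the resolver answers becomes an allowed source, so this gates who may reach sshd, it does not replace key-based authentication on it.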