On Friday 17 May 2002 12:52 pm, Axel Heinrici wrote:
> > iptables -A icq -p tcp --dport 5190 -d login.icq.com -j ACCEPT
> > iptables -A icq -p tcp --dport 5190 -s login.icq.com -m state
> > --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A icq -p tcp --dport 5190 -s icq.com ! --syn -i
>
> Is this allowed? I thought iptables/netfilter does not make a DNS
> lookup. Or did you mean: "look it up yourself and replace it"
Yes, this is perfectly okay - however you must remember that the lookup is done once, when you enter the rule, and the machine then stores the IP address which results from the lookup. You are correct in thinking that it's not possible to enter a hostname in an iptables rule and then get the system to resolve it every time it sees a packet come through (thankfully).

Antony.
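Added example, not from either poster: the lookup-at-insert-time behaviour described above, made explicit. Instead of handing iptables a hostname, the script resolves the name itself (getent, which consults /etc/hosts and DNS the same way iptables does when the rule is entered), emits one rule per address, and tags each rule with the hostname via the iptables comment match so a later refresh can find the rules that went stale. The chain name "icq" and port 5190 come from the quoted rules; the addresses 192.0.2.10/11/12 are constructed sample data, and the script only prints the iptables commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the "icq" chain from the
# quoted rules; addresses are constructed sample values (192.0.2.0/24, TEST-NET-1).
# Nothing here touches a live firewall: every function prints commands only.

# Resolve a hostname to its current IPv4 addresses, one per line.
# This is the same one-off lookup iptables performs when a rule is entered.
resolve_host() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Print one ACCEPT rule per address, with the hostname recorded in a comment.
# A hostname that resolves to several addresses becomes several rules; after
# this point only the literal addresses exist in the ruleset.
# Usage: emit_rules CHAIN PORT HOST ADDR...
emit_rules() {
    chain=$1; port=$2; host=$3; shift 3
    for ip in "$@"; do
        printf 'iptables -A %s -p tcp --dport %s -d %s -m comment --comment "%s" -j ACCEPT\n' \
            "$chain" "$port" "$ip" "$host"
    done
}

# Because the lookup is frozen at insert time, a host whose address changes
# leaves a stale rule behind. Given the address set captured when the rules
# were entered and a fresh resolution, print the delete/append commands that
# bring the chain up to date. The delete uses the exact match spec that was
# appended, which is what iptables -D needs to find the rule.
# Usage: refresh_rules CHAIN PORT HOST "OLD ADDRS" "NEW ADDRS"
refresh_rules() {
    chain=$1; port=$2; host=$3; old=$4; new=$5
    for ip in $old; do
        case " $new " in
            *" $ip "*) ;;   # still valid, keep it
            *) printf 'iptables -D %s -p tcp --dport %s -d %s -m comment --comment "%s" -j ACCEPT\n' \
                   "$chain" "$port" "$ip" "$host" ;;
        esac
    done
    for ip in $new; do
        case " $old " in
            *" $ip "*) ;;   # already present
            *) emit_rules "$chain" "$port" "$host" "$ip" ;;
        esac
    done
}

# Constructed sample: addresses login.icq.com might have resolved to on the day
# the rule was entered. Replace with "$(resolve_host login.icq.com)" to use the
# live answer (unquoted on purpose so the list splits into separate arguments).
SAMPLE_ADDRS="192.0.2.10 192.0.2.11"
emit_rules icq 5190 login.icq.com $SAMPLE_ADDRS
```

Run the refresh from cron with the old address list saved alongside the script (or read back out of `iptables -S icq` via the comment), and the ruleset tracks the name without ever asking netfilter to do a per-packet lookup. Note that the quoted rules also filter on `-s login.icq.com`; the same expansion applies to source addresses, so a host with several A records produces several `-s` rules too.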
