On Fri, May 17, 2002 at 01:02:04PM +0100, Antony Stone wrote:
> On Friday 17 May 2002 12:52 pm, Axel Heinrici wrote:
> >
> > > iptables -A icq -p tcp --dport 5190 -d login.icq.com -j ACCEPT
> > > iptables -A icq -p tcp --dport 5190 -s login.icq.com -m state
> > > --state ESTABLISHED,RELATED -j ACCEPT
> > > iptables -A icq -p tcp --dport 5190 -s icq.com ! --syn -i
> >
> > Is this allowed? I thought iptables/netfilter does not make a DNS
> > lookup. Or did you mean: "look it up yourself and replace it"
>
> Yes, this is perfectly okay - however you must remember that the lookup is
> done once, when you enter the rule, and the machine then stores the IP
> address which results from the lookup.

What happens if a name resolves to several IPs? Is it not wiser to look
it up manually and add multiple rules according to the number of A-RRs?

Ramin

> You are correct in thinking that it's not possible to enter a hostname in an
> iptables rule and then get the system to resolve it every time it sees a
> packet come through (thankfully).
>
> Antony.
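The manual approach Ramin proposes, written out as an added example that is not part of the thread: resolve the name once, then emit one rule pair per A record instead of relying on whatever single address the rule insertion happened to snapshot. The chain name icq and port 5190 come from the quoted rules; the resolver call (glibc getent ahostsv4), the return-traffic rule shape and the sample addresses are my own assumptions.

```shell
#!/bin/sh
# Added example: expand a hostname into one iptables rule pair per A record.
# Rules are printed to stdout so they can be reviewed before being piped to sh.

# Print the outbound rule and the matching ESTABLISHED,RELATED return rule
# for a single address.  Usage: rules_for_addr CHAIN PORT ADDR
rules_for_addr() {
    chain=$1; port=$2; addr=$3
    printf 'iptables -A %s -p tcp --dport %s -d %s -j ACCEPT\n' "$chain" "$port" "$addr"
    printf 'iptables -A %s -p tcp --sport %s -s %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
        "$chain" "$port" "$addr"
}

# Expand a list of addresses.  Refuses to emit anything when the list is empty,
# so a failed lookup never yields a rule with a missing -d/-s argument.
# Usage: rules_for_addrs CHAIN PORT ADDR...
rules_for_addrs() {
    chain=$1; port=$2; shift 2
    [ $# -gt 0 ] || { echo "no addresses resolved for chain $chain" >&2; return 1; }
    for a in "$@"; do
        rules_for_addr "$chain" "$port" "$a"
    done
}

# Resolve every IPv4 A record for a host (assumption: glibc getent is available)
# and expand them.  Usage: rules_for_host CHAIN PORT HOSTNAME
rules_for_host() {
    # getent prints one line per address (with aliases); keep unique addresses only.
    addrs=$(getent ahostsv4 "$3" | awk '{print $1}' | sort -u)
    # Word splitting on $addrs is intended: one positional argument per address.
    rules_for_addrs "$1" "$2" $addrs
}

# Constructed sample (no network needed): a name that resolved to two addresses.
rules_for_addrs icq 5190 192.0.2.10 192.0.2.11
```

The result is still a snapshot, as Antony points out; if the records change, flush the chain and re-run the generator (from cron, for instance) rather than editing individual rules.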
