From: Reindl Harald <h.reindl@thelounge.net>
To: Kerin Millar <kfm@plushkava.net>, slow_speed@att.net
Cc: netfilter@vger.kernel.org
Subject: Re: IP Addresses Changed to Hostnames in IPTables
Date: Mon, 28 Jun 2021 23:06:13 +0200
Message-ID: <ebd2e4e4-0fb1-77bf-3e5d-373d4c61d85f@thelounge.net>
In-Reply-To: <20210628215811.55a87828961dcd87ae1f4612@plushkava.net>



On 28.06.21 at 22:58, Kerin Millar wrote:
> On Mon, 28 Jun 2021 16:47:46 -0400
> slow_speed@att.net wrote:
> 
>> On 6/28/21 4:36 PM, Kerin Millar wrote:
>>> On Mon, 28 Jun 2021 15:57:30 -0400
>>> slow_speed@att.net wrote:
>>>
>>>> I created a ruleset in iptables and it was saved in
>>>> /etc/iptables.up.rules as expected.  However, when viewing the file, all
>>>> IP addresses had been translated to hostnames.
>>>>
>>>> Why would it ever do such a thing, when I had entered them as IP
>>>> addresses and they would have to be converted to IP addresses anyway?
>>>
>>> Here's how it works. One may supply hostnames to iptables/iptables-restore but they will be resolved at the point that the rule/ruleset is loaded into the kernel. If using `iptables -L` to list the currently loaded ruleset, reverse DNS lookups will be performed upon IP addresses before displaying. This behaviour can be suppressed by also using the -n option. As for `iptables -S` and `iptables-save`, neither of these will perform reverse DNS lookups.
>>>
>>> In summary, it's not at all clear how you ended up with hostnames in your iptables.up.rules file. Can you reduce this phenomenon to a simple, well-defined test case?
>>>
>>
>> Okay, I was incorrect.  The viewing of the file showed just numbers.  It
>> was the iptables -L that caused the misinformation.  It should
>> definitely default to -n.  That is a big issue to the new person in this
>> area.  Bad programming strikes again.
>>
>> Thank you so much for pointing that out.  I will add that to my
>> instructions.
> 
> The -L format is deficient in several respects. About the only thing it's good for is displaying counters (with -v), yet iptables-save already does this. My suggestion would be to avoid -L outright. If you want to list rules with iptables instead of iptables-save, the -S option is much more useful.
> 
> Also, please use Reply All next time. I am adding the list back to the CC field.

the real problem is talking about "However, when viewing the file" when 
in fact doing "iptables -L"

"iptables --list --numeric --line-numbers --verbose" is no rocket 
science; it is documented, and needing "-n" is not that uncommon

see "netstat-nat" or "route" as examples
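
An added check that is not part of any message in this thread, written in POSIX sh against a constructed iptables-save dump rather than anything the posters supplied. As Kerin's reply says, the saved file holds numeric addresses and `iptables -L` without `-n` merely renders them as names through reverse lookups; the one place a hostname can genuinely sit is a rule handed to iptables-restore, where it is resolved once at load time and is not stored. The script prints every -s/-d argument found in a dump and reports those that are not IPv4/IPv6 literals, which is the check the original poster could have run on /etc/iptables.up.rules instead of reading `-L` output. The rule contents and the example.net name are constructed; the option spellings `-s`, `-d`, `--source`, `--destination`, `--src`, `--dst` are the real iptables ones, of which iptables-save normally emits only the short `-s` and `-d`.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save dump for
# host specifications that are not numeric, i.e. names that iptables-restore
# would resolve at load time instead of addresses fixed in the file.
#
# Constructed sample dump; the mail.example.net rule is deliberately
# non-numeric so the check has something to flag.
SAMPLE_RULES='# Generated by iptables-save
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT ! -s 198.51.100.0/24 -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -d 203.0.113.5 -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -s mail.example.net -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
# Completed'

# is_numeric_spec ADDR: succeed if ADDR is an IPv4 address or CIDR
# (dotted quad, optional /prefix) or an IPv6 literal (anything containing
# a colon, which a hostname never does).
is_numeric_spec() {
    case "$1" in
        *:*) return 0 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# host_specs: read a dump on stdin and print the argument of every -s/-d
# option of every "-A" rule, one per line. Comma-separated lists are split;
# a leading "!" before the option is irrelevant because only the word after
# the option is taken.
host_specs() {
    awk '
        /^-A / {
            for (i = 1; i < NF; i++) {
                if ($i == "-s" || $i == "--source" || $i == "--src" ||
                    $i == "-d" || $i == "--destination" || $i == "--dst") {
                    n = split($(i + 1), parts, ",")
                    for (j = 1; j <= n; j++) print parts[j]
                }
            }
        }'
}

# nonnumeric_hosts: read a dump on stdin, print each non-numeric host spec,
# return 0 if there were none and 1 otherwise.
nonnumeric_hosts() {
    found=$(host_specs | while read -r spec; do
        is_numeric_spec "$spec" || printf '%s\n' "$spec"
    done)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Usage with a real file would be:  nonnumeric_hosts < /etc/iptables.up.rules
if printf '%s\n' "$SAMPLE_RULES" | nonnumeric_hosts; then
    echo "all host specs are numeric"
else
    echo "non-numeric host specs found (resolved at load time, not stored)"
fi
```

On a live host the commands named in the thread, `iptables -nvL --line-numbers`, `iptables -S` and `iptables-save`, are the ones to read; the names that plain `-L` shows come from PTR records owned by whoever controls the remote address space, and the lookups stall when DNS is unreachable, so those names are neither trustworthy nor always available.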

Thread overview: 6+ messages
     [not found] <bda96448-fbd7-0c99-1bff-c3776bdfafff.ref@att.net>
2021-06-28 19:57 ` IP Addresses Changed to Hostnames in IPTables slow_speed
2021-06-28 20:36   ` Kerin Millar
     [not found]     ` <cb8649b5-a2aa-8101-7701-9fc13e2f5db0@att.net>
2021-06-28 20:58       ` Kerin Millar
2021-06-28 21:06         ` Reindl Harald [this message]
2021-06-28 21:06         ` slow_speed
2021-06-28 20:56   ` Reindl Harald