Bug 123276 - iptables-restore does not handle hostname with DNAT
iptables-restore does not handle hostname with DNAT
Product: Fedora
Classification: Fedora
Component: iptables (Show other bugs)
i686 Linux
medium Severity low
: ---
: ---
Assigned To: Thomas Woerner
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2004-05-15 10:21 EDT by Doncho N. Gunchev
Modified: 2007-11-30 17:10 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-07-21 15:50:40 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Doncho N. Gunchev 2004-05-15 10:21:49 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040124

Description of problem:
    In /etc/sysconfig/iptables I can specify hostnames as target (from
/etc/hosts), but when used with DNAT this fails with 'Bad IP address'
error message.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. edit /etc/hosts and add
<some.ip.address.here> workstation1

2. edit /etc/sysconfig/iptables and add:
--- cut ---
# this one works
[0:0] -A PREROUTING -d workstation1 -j DROP
# this one fails
[0:0] -A PREROUTING -p tcp -m tcp --dport 5930 -j DNAT
--to-destination workstation1:5930
--- cut ---

3. type 'iptables start'

Actual Results:  Applying iptables firewall rules: iptables-restore
v1.2.9: Bad IP address `workstation1'

Expected Results:  iptables-restore using /etc/hosts to resolve
hostnames with DNAT, just it uses it with simple -p tcp -d hostname
for example.

Additional info:

See Steps to Reproduce. The idea is to have same iptables firewall on
diferent firewall machines that do the same job and only diferent
/etc/hosts file. This scenario works for simple firewall rules where
host from hosts file is specified as source/destination (-s/-d) but
not with SNAT/DNAT. The workaround is to replace all hostnames in this
file for every firewall machine, but this makes multiple machines
management harder.

Note You need to log in before you can comment on or make changes to this bug.