Is it possible to use computer name in iptables


I want to redirect some port from WAN to my laptop. The problem is, that the laptop has different IP on wireless as on cable LAN. Is there a way to use the computer name in iptables?

Iptables port forwarding rule (using IPs) should be:

iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22

Can I write something like

iptables -t nat -A PREROUTING -p tcp -d mycomputername --dport 422 -j DNAT --to mycomputername:22

and the computer name will be resolved in current IP?

Thank you.

2

There are 2 answers

0
davidgo (BEST ANSWER)

No - Attempting this gives a "Bad IP address" (at least in v 1.4.7)

It appears that iptables does not like the destination address and port combination. (You can get away with specifying a host name for a simple IP, but not, it seems, when you append a port).

The IPTables manual also recommends against specifying a domain name.

0
AudioBubble

That is a terrible idea (but there are solutions (IP specific and also MAC specific), see below). As the other answer states, the man page recommends against this. But it is more than security (DNS is inherently insecure) - it is also that there is a performance penalty. Granted you could have a hosts mapping but still, specifying IP is best (but even then: you can override or rather specify which is used first - dns or hosts and in general using names instead of IP is risky business).

Two possible solutions (IP related - if you can't do this, see the third), however: First, allocating an IP (or if necessary IPs) based on the MAC address(es).

Alternatively, you could have two different rules: it is, after all, a chain; it continues until it has the answer. So simply specify two rules each with the proper IPs. This is probably the ideal solution (and arguably the first solution is much the same). Ah, and I see just now that someone commented about static IPs. That's really the answer - you don't dynamically assign IPs. But if you have to have dynamic IPs, there is still a way:

IF you cannot assign IPs yourself (e.g. not under your control), you can use the mac module of iptables. See the man page for more information.
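Added example, not code from either answer: a POSIX shell script that applies the two-rule approach above by resolving the name once, at generation time, from a hosts-style table and emitting one DNAT rule per address (the table, the host name `laptop` and the function names are constructed for the demo). One caveat on the mac module mentioned in the last paragraph: `-m mac --mac-source` matches only the source MAC of a frame, so it can restrict which machine a rule applies to but cannot supply a DNAT target.

```shell
#!/bin/sh
# Constructed hosts table for the demo; in real use read /etc/hosts or
# `getent hosts`. The laptop has one address on cable and one on wireless.
HOSTS_TABLE='192.168.102.37 laptop
192.168.102.52 laptop
192.168.102.1 router'

# resolve_name NAME -> newline-separated IPv4 addresses mapped to NAME
resolve_name() {
    printf '%s\n' "$HOSTS_TABLE" | awk -v n="$1" '$2 == n { print $1 }'
}

# dnat_rules NAME EXTPORT INTPORT -> one iptables command per address, in the
# same form as the question's rule; fails (exit 1) if NAME has no address,
# which is exactly the case iptables itself rejects as "Bad IP address".
dnat_rules() {
    name=$1; ext=$2; int=$3
    ips=$(resolve_name "$name")
    [ -n "$ips" ] || { echo "no address for $name" >&2; return 1; }
    for ip in $ips; do
        # rules are disjoint because each matches a different -d address,
        # so the first one to match is the right one for that interface
        printf 'iptables -t nat -A PREROUTING -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$ip" "$ext" "$ip" "$int"
    done
}

# Print the rules rather than applying them; pipe into `sh` as root to apply.
dnat_rules laptop 422 22
```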