I had written some rules to do some port forwarding on the iptables nat table, but may have found a problem with the routing as running 'up2date' no longer works.
I found some rules that should allow connections from rhn.redhat.com, which up2date needs to connect to in order to run properly, but they had the IP address hard coded. While this probably will be ok for a while, the IP address could easily change so I wanted something more dynamic.
All of the following is in a bash script that builds my iptables rules. I've only included the relevant parts below. This is what I came up with:
...
# Take the first "has address" line rather than the first line of output (which
# would be the alias line if the name is a CNAME) and keep it only if it is a
# four-field dotted quad with every octet in the 0-255 range.
redhatip=$(host rhn.redhat.com | awk '/ has address / {print $4; exit}' | awk -F "\." 'NF == 4 && $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255')
if [ -z "$redhatip" ]
then
    echo "invalid IP address for rhn.redhat.com! Please double check the script for correctness." >&2
    exit 1
fi
# Allow new outbound connections to the server, and only reply traffic back in.
iptables -A OUTPUT -o eth0 -p tcp -d "$redhatip" -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s "$redhatip" -m state --state ESTABLISHED -j ACCEPT
I've included the rules in the iptables just for completeness in case anybody else needs to know how to get up2date to start working again.
Please note that I haven't had a chance to test the iptables rules yet, so you are on your own as far as that is concerned, but as far as getting the IP address from using host and then checking it for correctness, that all works. Enjoy!
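As an added example (not the script from this post), here is a stricter version of the same idea: it validates the dotted quad properly (four fields, digits only, each 0-255), takes every "has address" line from host output so an alias line or a second A record does not leave the variable empty or wrong, and builds one rule pair per address. The hostname and addresses in the sample output are constructed.

```shell
#!/bin/sh
# Added example, not the blog's own script: validate the dotted quad strictly
# and take every "has address" line from host(1), so a CNAME alias line or a
# second A record cannot leave the variable empty or wrong.

# Return 0 only for a well-formed IPv4 address: exactly four all-digit fields,
# each in 0..255. Strings such as "abc", "1.2.3" or "-1.2.3.4" are rejected.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F '[.]' '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) exit 1 }'
}

# Print each validated A record from host(1)-style output read on stdin.
# Alias ("is an alias for") and "has IPv6 address" lines are skipped.
addresses_from_host_output() {
    awk '$2 == "has" && $3 == "address" { print $4 }' | while read -r ip; do
        if valid_ipv4 "$ip"; then printf '%s\n' "$ip"; fi
    done
}

# Emit one OUTPUT/INPUT rule pair per resolved address; the rules are printed,
# not applied, so they can be reviewed before being piped to a shell.
build_rules() {
    addresses_from_host_output | while read -r ip; do
        echo "iptables -A OUTPUT -o eth0 -p tcp -d $ip -m state --state NEW,ESTABLISHED -j ACCEPT"
        echo "iptables -A INPUT -i eth0 -p tcp -s $ip -m state --state ESTABLISHED -j ACCEPT"
    done
}

# Constructed host(1) output (assumed hostname, RFC 5737 documentation
# addresses): the first line is an alias, which `head -n 1` would have picked.
SAMPLE_HOST_OUTPUT='updates.example.net is an alias for mirror.example.net.
mirror.example.net has address 192.0.2.10
mirror.example.net has address 192.0.2.11
mirror.example.net has IPv6 address 2001:db8::1'

# Stand-alone run over the sample; like the original, refuse to continue when
# nothing validated rather than emitting a rule with an empty address.
rules=$(printf '%s\n' "$SAMPLE_HOST_OUTPUT" | build_rules)
if [ -z "$rules" ]; then
    echo "no valid IPv4 address found for the update server" >&2
    exit 1
fi
printf '%s\n' "$rules"
```

In real use, replace the sample with `host rhn.redhat.com | build_rules` and check the printed rules before applying them.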