
I have a Debian 6.0.7 x64 AWS EC2 server that I'm running a couple of QEMU virtual machines on (don't ask... long story).

I have some IPTables rules to NAT/Forward any traffic (on ports 8080 and 8081) from the AWS server to the VM internal IPs at 192.168.122.150/151 respectively.

When I restore my iptables rules (from an iptables dump), or I manually append an IPTables rule to a chain (FORWARD, for example), the source/destination subnet is getting automatically converted to a .ec2.internal hostname, and I can't seem to figure out why.

For example, the IPTables append command:

iptables -A FORWARD -s 0.0.0.0 -d 192.168.122.0/24 -j ACCEPT

Nets the following rule (notice the destination subnet was converted):

ACCEPT     all  --  ip-192-168-122-0.ec2.internal/24  anywhere

I've asked on the EC2 forums here but with no response... anyone have any thoughts on what could be causing this conversion?

The conversion occurs when I import using iptables-restore from a file as well. If I use a non-192.168.x.x subnet, the conversion isn't performed. I'm pretty certain this is breaking a few NAT/FORWARD rules that I have in place, but can't really figure out what's going on.

Thanks!

Gregor

1 Answer

DNS resolution. Pass the -n option to iptables to disable DNS resolution when listing your rules (ie iptables -nvL). I doubt this is breaking anything. The DNS resolution is only performed when the rules are displayed, supposedly for your convenience, but I have no idea who actually finds this useful.

Zoredache
  • Thanks a ton! I thought that might be the case, and the packets were being blocked elsewhere... I'd upvote you if I could, but since I'm such a noob I can't :( Cheers! – Gregor Oct 06 '14 at 23:16
  • Reverse resolution is helpful when trying to identify which host is what. If you have an application that's restricted to a few dozen IPs in various subnets it helps to see the name rather than the IP. Granted, I prefer to use a comment to identify the host the rule is for. :) – Gene Oct 07 '14 at 02:19
  • @Gene, ok, it might be occasionally useful, but I wish the defaults would have been the other way around. No DNS by default, and name resolution with an option. – Zoredache Oct 07 '14 at 05:54
  • I would prefer that as well, but I imagine it's to keep in line with other utilities that provide reverse resolution by default (e.g. netstat, lsof, arp, traceroute, etc). – Gene Oct 07 '14 at 06:01
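An added illustration of the answer's point (this is example code, not code from the question or the answer): the names that `iptables -L` prints on EC2 are reverse-DNS names of the form `ip-A-B-C-D.ec2.internal`, which encode the numeric address, so a displayed rule can be mapped back to the numeric CIDR the kernel actually holds and checked against the intended VM subnet. The listing text is constructed from the one line shown in the question plus a second, made-up `/32` rule; the function names are my own.

```python
import ipaddress
import re

# Constructed sample of what `iptables -L FORWARD` (without -n) prints on
# the EC2 host: the first rule line is the one from the question, the
# second is a made-up example of a resolved single host and a resolved
# port name (http-alt is what iptables prints for 8080 without -n).
LISTING_WITH_DNS = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  ip-192-168-122-0.ec2.internal/24  anywhere
ACCEPT     tcp  --  anywhere             ip-192-168-122-150.ec2.internal  tcp dpt:http-alt
"""

# EC2 internal reverse-DNS names embed the dotted quad with dashes.
EC2_NAME = re.compile(r"^ip-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.ec2\.internal$")


def to_numeric(field: str) -> str:
    """Map a displayed source/destination field back to numeric CIDR form.

    Handles 'anywhere' (iptables' name for 0.0.0.0/0), ip-A-B-C-D.ec2.internal
    names with or without a /prefix, and fields that are already numeric.
    Any other hostname cannot be recovered offline and raises ValueError;
    that is the case where only `iptables -n` or iptables-save gives the truth.
    """
    if field == "anywhere":
        return "0.0.0.0/0"
    host, _, prefix = field.partition("/")
    m = EC2_NAME.match(host)
    if m:
        host = ".".join(m.groups())
    # strict=False keeps host bits, e.g. an ip-192-168-122-1/24 style display.
    return str(ipaddress.ip_network(f"{host}/{prefix or 32}", strict=False))


def parse_listing(text: str) -> list:
    """Parse the rule lines of an `iptables -L` chain listing into dicts."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the chain header, the column header and blank lines.
        if len(parts) < 5 or parts[0] in ("Chain", "target"):
            continue
        target, prot, _opt, src, dst = parts[:5]
        rules.append({
            "target": target,
            "prot": prot,
            "source": to_numeric(src),
            "destination": to_numeric(dst),
            "extra": " ".join(parts[5:]),   # match extensions such as 'tcp dpt:...'
        })
    return rules


def rules_for_vm_subnet(rules: list, subnet: str) -> list:
    """Return the rules whose source or destination lies inside `subnet`."""
    net = ipaddress.ip_network(subnet)
    return [
        r for r in rules
        if ipaddress.ip_network(r["source"]).subnet_of(net)
        or ipaddress.ip_network(r["destination"]).subnet_of(net)
    ]


if __name__ == "__main__":
    parsed = parse_listing(LISTING_WITH_DNS)
    for r in parsed:
        print(r)
    print("rules touching the VM subnet:",
          len(rules_for_vm_subnet(parsed, "192.168.122.0/24")))
```

The recovered entries are the same `192.168.122.0/24` and `192.168.122.150/32` that were appended, which is the practical check that the display did not alter the rule. For real verification skip the parser and list numerically: `-n` turns off both address and port name lookups, so `iptables -nvL FORWARD` shows `192.168.122.0/24` and `dpt:8080` directly, and `iptables-save` output is always numeric.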