I'd like to accomplish an egress filter on Linux using Netfilter (iptables) and the DNS hostname of the destination. The problem is, writing the rules using the hostname will only resolve the IP addresses when the rules are loaded.
To further complicate the matter, if the destination is load balanced or redirects to a cluster, these IP addresses are not allowed egress.
For instance, if I add an allowed egress rule for a Ubuntu package repo such as:
iptables -A OUTPUT -p tcp -d packages.project.org -m multiport --dports 80,443 -j ACCEPT
Netfilter will add several IPs such as packages.project.org.herokudns.com which resolve to something like 34.x.x.x, 35.x.x.x, 44.x.x.x, 38.x.x.x
When I perform an apt update on this host, it fails with:
100% [Connecting to project-package-repository.s3.eu-west-1.amazonaws.com (51.xxx.xxx.xxx)] and is quickly blocked.
Is there a way to make Netfilter see these destinations as "allowed" when connecting to the original repo?
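The behaviour described in the question, modelled as an added example that is not part of the original post: iptables resolves a `-d hostname` once, at rule-load time, and emits one rule per address it gets back, so any address the name later rotates to, or any other host the service redirects to, is simply not in the ruleset. The resolver callback and every address and name below are constructed for illustration (no real DNS lookup is made), and `expand_rule`, `drift` and `connection_allowed` are hypothetical helper names.

```python
"""Model how an iptables rule written with a DNS name behaves.

Added example (not from the original post): iptables resolves a -d hostname
once, when the rule is loaded, and emits one ACCEPT rule per A record it gets
back. Anything the name later resolves to, or any other host the service
redirects to, is not covered. The functions below build that expansion from a
resolver callback and report the drift between the loaded set and a later
lookup. All addresses and names here are constructed for illustration.
"""
from typing import Callable, Dict, List, Set

Resolver = Callable[[str], List[str]]

# Constructed snapshot of what a resolver might return at rule-load time.
RESOLVED_AT_LOAD: Dict[str, List[str]] = {
    "packages.project.org": ["34.0.0.10", "35.0.0.20", "44.0.0.30", "38.0.0.40"],
}

# Constructed later snapshot: one address rotated out, one new one added.
RESOLVED_LATER: Dict[str, List[str]] = {
    "packages.project.org": ["34.0.0.10", "35.0.0.20", "44.0.0.30", "52.0.0.50"],
}


def expand_rule(hostname: str, ports: str, resolve: Resolver) -> List[str]:
    """Mirror iptables' load-time behaviour: resolve once, one rule per address.

    Returns the equivalent rules with the literal IPs substituted, which is
    what actually ends up in the ruleset (what `iptables -S` would show).
    """
    addrs = sorted(set(resolve(hostname)))
    return [
        f"-A OUTPUT -p tcp -d {ip}/32 -m multiport --dports {ports} -j ACCEPT"
        for ip in addrs
    ]


def rule_addresses(rules: List[str]) -> Set[str]:
    """Pull the destination addresses back out of expanded rules."""
    out: Set[str] = set()
    for r in rules:
        parts = r.split()
        ip = parts[parts.index("-d") + 1]
        out.add(ip.split("/")[0])
    return out


def drift(loaded_rules: List[str], hostname: str, resolve: Resolver) -> Dict[str, Set[str]]:
    """Compare the addresses frozen into the loaded rules with a fresh lookup.

    'unreachable' is what the name now resolves to but the firewall will drop;
    'stale' is what the firewall still allows although the name no longer
    points there. Either non-empty set means the hostname-based rule has drifted.
    """
    frozen = rule_addresses(loaded_rules)
    current = set(resolve(hostname))
    return {"unreachable": current - frozen, "stale": frozen - current}


def connection_allowed(loaded_rules: List[str], dst_ip: str) -> bool:
    """Decide whether an outbound connection to dst_ip matches the loaded rules.

    A redirect to a different host (e.g. an object-storage bucket behind the
    repo) yields an address that was never part of the expansion, so it is
    not allowed even though the client started at the permitted name.
    """
    return dst_ip in rule_addresses(loaded_rules)


if __name__ == "__main__":
    rules = expand_rule("packages.project.org", "80,443",
                        lambda h: RESOLVED_AT_LOAD[h])
    print("\n".join(rules))
    print(drift(rules, "packages.project.org", lambda h: RESOLVED_LATER[h]))
    # The constructed redirect target was never resolved at load time.
    print(connection_allowed(rules, "51.0.0.1"))
```

Running `drift` periodically against a real resolver is the simplest way to notice when a hostname-based rule has silently stopped matching; it does not fix the redirect case, because the redirected host is a different name the rule never referenced at all.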
packages.project.org resolves to the single IP address 206.188.192.100. No matter which root server(s) I use, that seems to be the only address I'm offered.

packages.project.org was just an example. Probably didn't need to be redacted but just a habit.

dig _http._tcp.deb.debian.org. -t srv => _http._tcp.deb.debian.org. 294 IN SRV 10 1 80 debian.map.fastlydns.net. In some cases the final IP result with -t srv might differ from the result of dig some.debian.url -t a (or -t aaaa).