# Iptables DNS Resolve Problem....in CHROOT

## dashang

Hi Everyone 

i am trying to execute the iptables rule

iptables -t mangle -I PREROUTING -d google.com -j ACCEPT

it gives this error...

```
[root@manage /root]#chroot /var/iptablespackaging/ sbin/iptables -t mangle -I PREROUTING -d google.com -j ACCEPT

iptables v1.4.10: host/network `google.com' not found

Try `iptables -h' or 'iptables --help' for more information.
```

my DNS configuration is also correct 

```

[root@manage /root]# vi /etc/resolv.conf 

nameserver      203.88.135.194

nameserver      127.0.0.1

```

ALL MY IPTABLES RULES ARE WORKING, BUT just this one rule does not work...

i have taken the STRACE command output...

```

[root@manage /root]# chroot /var/iptablespackaging/ sbin/iptables -t mangle -I PREROUTING -d google.com -j ACCEPT

iptables v1.4.10: host/network `google.com' not found

Try `iptables -h' or 'iptables --help' for more information.

[root@manage /root]# strace chroot /var/iptablespackaging/ sbin/iptables -t mangle -I PREROUTING -d google.com -j ACCEPT

execve("/usr/sbin/chroot", ["chroot", "/var/iptablespackaging/", "sbin/iptables", "-t", "mangle", "-I", "PREROUTING", "-d", "google.com", "-j", "ACCEPT"], [/* 19 vars */]) = 0

uname({sys="Linux", node="manage", ...}) = 0

brk(0)                                  = 0x804b000

old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb78ad000

open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)

open("/etc/ld.so.cache", O_RDONLY)      = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=8840, ...}) = 0

old_mmap(NULL, 8840, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb78aa000

close(3)                                = 0

open("/lib/libc.so.6", O_RDONLY)        = 3

read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0 \304\1\0004\0\0\0"..., 1024) = 1024

fstat64(3, {st_mode=S_IFREG|0755, st_size=5737218, ...}) = 0

old_mmap(NULL, 1267240, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xb7774000

mprotect(0xb78a0000, 38440, PROT_NONE)  = 0

old_mmap(0xb78a0000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x12b000) = 0xb78a0000

old_mmap(0xb78a6000, 13864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb78a6000

close(3)                                = 0

munmap(0xb78aa000, 8840)                = 0

brk(0)                                  = 0x804b000

brk(0x804b028)                          = 0x804b028

brk(0x804c000)                          = 0x804c000

open("/usr/share/locale/locale.alias", O_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=2601, ...}) = 0

old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb78ac000

read(3, "# Locale name alias data base.\n#"..., 4096) = 2601

read(3, "", 4096)                       = 0

close(3)                                = 0

munmap(0xb78ac000, 4096)                = 0

open("/usr/lib/locale/en_US/LC_IDENTIFICATION", O_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=370, ...}) = 0

old_mmap(NULL, 370, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb78ac000

close(3)                                = 0

open("/usr/lib/locale/en_US/LC_MEASUREMENT", O_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=28, ...}) = 0

old_mmap(NULL, 28, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb78ab000

close(3)                                = 0

open("/usr/lib/locale/en_US/LC_TELEPHONE", O_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=64, ...}) = 0

old_mmap(NULL, 64, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb78aa000

close(3)                                = 0

open("/usr/lib/locale/en_US/LC_ADDRESS", O_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=160, ...}) = 0

old_mmap(NULL, 160, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7773000

close(3)                                = 0

open("/usr/lib/locale/en_US/LC_NAME", O_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=82, ...}) = 0

old_mmap(NULL, 82, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7772000

brk(0x804d000)                          = 0x804d000

close(3)                                = 0

open("/usr/lib/locale/en_US/LC_PAPER", O_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=39, ...}) = 0

old_mmap(NULL, 39, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7771000

close(3)                                = 0

open("/usr/lib/locale/en_US/LC_MESSAGES", O_RDONLY) = 3

fstat64(3, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0

close(3)                                = 0

open("/usr/lib/locale/en_US/LC_MESSAGES/SYS_LC_MESSAGES", O_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=57, ...}) = 0

old_mmap(NULL, 57, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7770000

close(3)                                = 0

open("/usr/lib/locale/en_US/LC_MONETARY", O_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=291, ...}) = 0

old_mmap(NULL, 291, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb776f000

close(3)                                = 0

open("/usr/lib/locale/en_US/LC_COLLATE", O_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=21499, ...}) = 0

old_mmap(NULL, 21499, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7769000

close(3)                                = 0

open("/usr/lib/locale/en_US/LC_TIME", O_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=2456, ...}) = 0

old_mmap(NULL, 2456, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7768000

close(3)                                = 0

open("/usr/lib/locale/en_US/LC_NUMERIC", O_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=59, ...}) = 0

old_mmap(NULL, 59, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7767000

close(3)                                = 0

open("/usr/lib/locale/en_US/LC_CTYPE", O_RDONLY) = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=173408, ...}) = 0

old_mmap(NULL, 173408, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb773c000

close(3)                                = 0

chroot("/var/iptablespackaging/")       = 0

chdir("/")                              = 0

execve("sbin/iptables", ["sbin/iptables"..., "-t"..., "mangle"..., "-I"..., "PREROUTING"..., "-d"..., "google.com"..., "-j"..., "ACCEPT"...], [/* 19 vars */]) = 0

brk(0)                                  = 0x809c000

mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb776c000

access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)

open("/usr/local/lib/tls/i686/sse2/libip4tc.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)

stat64("/usr/local/lib/tls/i686/sse2", 0xbf99ca78) = -1 ENOENT (No such file or directory)

open("/usr/local/lib/tls/i686/libip4tc.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)

stat64("/usr/local/lib/tls/i686", 0xbf99ca78) = -1 ENOENT (No such file or directory)

open("/usr/local/lib/tls/sse2/libip4tc.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)

stat64("/usr/local/lib/tls/sse2", 0xbf99ca78) = -1 ENOENT (No such file or directory)

open("/usr/local/lib/tls/libip4tc.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)

stat64("/usr/local/lib/tls", 0xbf99ca78) = -1 ENOENT (No such file or directory)

open("/usr/local/lib/i686/sse2/libip4tc.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)

stat64("/usr/local/lib/i686/sse2", 0xbf99ca78) = -1 ENOENT (No such file or directory)

open("/usr/local/lib/i686/libip4tc.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)

stat64("/usr/local/lib/i686", 0xbf99ca78) = -1 ENOENT (No such file or directory)

open("/usr/local/lib/sse2/libip4tc.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)

stat64("/usr/local/lib/sse2", 0xbf99ca78) = -1 ENOENT (No such file or directory)

open("/usr/local/lib/libip4tc.so.0", O_RDONLY) = 3

read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320\r\0\0004\0\0\0"..., 512) = 512

fstat64(3, {st_mode=S_IFREG|0755, st_size=68168, ...}) = 0

mmap2(NULL, 21252, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7766000

mmap2(0xb776b000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5) = 0xb776b000

close(3)                                = 0

open("/usr/local/lib/libxtables.so.5", O_RDONLY) = 3

read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\31\0\0004\0\0\0"..., 512) = 512

fstat64(3, {st_mode=S_IFREG|0755, st_size=64549, ...}) = 0

mmap2(NULL, 26720, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb775f000

mmap2(0xb7765000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6) = 0xb7765000

close(3)                                = 0

open("/usr/local/lib/libm.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)

open("/etc/ld.so.cache", O_RDONLY)      = -1 ENOENT (No such file or directory)

open("/lib/tls/i686/sse2/libm.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)

stat64("/lib/tls/i686/sse2", 0xbf99ca40) = -1 ENOENT (No such file or directory)

open("/lib/tls/i686/libm.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)

stat64("/lib/tls/i686", 0xbf99ca40)     = -1 ENOENT (No such file or directory)

open("/lib/tls/sse2/libm.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)

stat64("/lib/tls/sse2", 0xbf99ca40)     = -1 ENOENT (No such file or directory)

open("/lib/tls/libm.so.6", O_RDONLY)    = -1 ENOENT (No such file or directory)

stat64("/lib/tls", 0xbf99ca40)          = -1 ENOENT (No such file or directory)

open("/lib/i686/sse2/libm.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)

stat64("/lib/i686/sse2", 0xbf99ca40)    = -1 ENOENT (No such file or directory)

open("/lib/i686/libm.so.6", O_RDONLY)   = -1 ENOENT (No such file or directory)

stat64("/lib/i686", 0xbf99ca40)         = -1 ENOENT (No such file or directory)

open("/lib/sse2/libm.so.6", O_RDONLY)   = -1 ENOENT (No such file or directory)

stat64("/lib/sse2", 0xbf99ca40)         = -1 ENOENT (No such file or directory)

open("/lib/libm.so.6", O_RDONLY)        = 3

read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`\364K\0004\0\0\0"..., 512) = 512

fstat64(3, {st_mode=S_IFREG|0755, st_size=206204, ...}) = 0

mmap2(0x4bc000, 159872, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4bc000

mmap2(0x4e2000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x25) = 0x4e2000

close(3)                                = 0

open("/usr/local/lib/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)

open("/lib/libc.so.6", O_RDONLY)        = 3

read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\v6\0004\0\0\0"..., 512) = 512

fstat64(3, {st_mode=S_IFREG|0755, st_size=1799176, ...}) = 0

mmap2(0x34a000, 1505576, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x34a000

mmap2(0x4b4000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16a) = 0x4b4000

mmap2(0x4b7000, 10536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4b7000

close(3)                                = 0

open("/usr/local/lib/libdl.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)

open("/lib/libdl.so.2", O_RDONLY)       = 3

read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`jN\0004\0\0\0"..., 512) = 512

fstat64(3, {st_mode=S_IFREG|0755, st_size=20464, ...}) = 0

mmap2(0x4e6000, 16500, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4e6000

mmap2(0x4e9000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2) = 0x4e9000

close(3)                                = 0

mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb775e000

mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb775d000

set_thread_area({entry_number:-1 -> 6, base_addr:0xb775d6c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0

mprotect(0x4e9000, 4096, PROT_READ)     = 0

mprotect(0x4b4000, 8192, PROT_READ)     = 0

mprotect(0x4e2000, 4096, PROT_READ)     = 0

mprotect(0x346000, 4096, PROT_READ)     = 0

brk(0)                                  = 0x809c000

brk(0x80bd000)                          = 0x80bd000

open("/usr/local/libexec/xtables/libxt_standard.so", O_RDONLY) = 3

read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\3\0\0004\0\0\0"..., 512) = 512

fstat64(3, {st_mode=S_IFREG|0755, st_size=8723, ...}) = 0

mmap2(NULL, 6032, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb775b000

mmap2(0xb775c000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0xb775c000

close(3)                                = 0

open("/etc/nsswitch.conf", O_RDONLY)    = -1 ELOOP (Too many levels of symbolic links)

open("/usr/local/lib/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)

open("/lib/libnss_dns.so.2", O_RDONLY)  = -1 ENOENT (No such file or directory)

open("/usr/lib/tls/i686/sse2/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)

stat64("/usr/lib/tls/i686/sse2", 0xbf99c594) = -1 ENOENT (No such file or directory)

open("/usr/lib/tls/i686/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)

stat64("/usr/lib/tls/i686", 0xbf99c594) = -1 ENOENT (No such file or directory)

open("/usr/lib/tls/sse2/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)

stat64("/usr/lib/tls/sse2", 0xbf99c594) = -1 ENOENT (No such file or directory)

open("/usr/lib/tls/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)

stat64("/usr/lib/tls", 0xbf99c594)      = -1 ENOENT (No such file or directory)

open("/usr/lib/i686/sse2/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)

stat64("/usr/lib/i686/sse2", 0xbf99c594) = -1 ENOENT (No such file or directory)

open("/usr/lib/i686/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)

stat64("/usr/lib/i686", 0xbf99c594)     = -1 ENOENT (No such file or directory)

open("/usr/lib/sse2/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)

stat64("/usr/lib/sse2", 0xbf99c594)     = -1 ENOENT (No such file or directory)

open("/usr/lib/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)

stat64("/usr/lib", 0xbf99c594)          = -1 ENOENT (No such file or directory)

open("/usr/local/lib/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)

open("/lib/libnss_files.so.2", O_RDONLY) = 3

read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000\32\0\0004\0\0\0"..., 512) = 512

fstat64(3, {st_mode=S_IFREG|0755, st_size=55540, ...}) = 0

mmap2(NULL, 49864, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb774e000

mmap2(0xb7759000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xa) = 0xb7759000

close(3)                                = 0

mprotect(0xb7759000, 4096, PROT_READ)   = 0

getpid()                                = 12441

open("/etc/resolv.conf", O_RDONLY)      = 3

fstat64(3, {st_mode=S_IFREG|0644, st_size=47, ...}) = 0

mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb774d000

read(3, "nameserver\t203.88.135.194\nnamese"..., 4096) = 47

read(3, "", 4096)                       = 0

close(3)                                = 0

munmap(0xb774d000, 4096)                = 0

uname({sys="Linux", node="manage", ...}) = 0

open("/etc/networks", O_RDONLY|0x80000 /* O_??? */) = -1 ENOENT (No such file or directory)

socket(PF_FILE, 0x80801 /* SOCK_??? */, 0) = 3

connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)

close(3)                                = 0

socket(PF_FILE, 0x80801 /* SOCK_??? */, 0) = 3

connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)

close(3)                                = 0

open("/etc/nsswitch.conf", O_RDONLY)    = -1 ELOOP (Too many levels of symbolic links)

open("/etc/host.conf", O_RDONLY)        = -1 ENOENT (No such file or directory)

open("/etc/hosts", O_RDONLY|0x80000 /* O_??? */) = -1 ELOOP (Too many levels of symbolic links)

write(2, "iptables v1.4.10: ", 18iptables v1.4.10: )      = 18

write(2, "host/network `google.com\' not fo"..., 35host/network `google.com' not found) = 35

write(2, "\n", 1

)                       = 1

write(2, "Try `iptables -h\' or \'iptables -"..., 61Try `iptables -h' or 'iptables --help' for more information.

) = 61

exit_group(2)                           = ?

```

Please tell me the solution....

----------

## Sadako

Looks like you're missing libnss_dns.so.2 within the chroot, which I'm guessing is the issue: in your trace it is searched for under /usr/local/lib, /lib and /usr/lib and never found, and the opens of /etc/nsswitch.conf and /etc/hosts come back with ELOOP, so those two files inside the chroot look like broken symlink loops as well.

Can you ping google.com from within the chroot?

Did you build everything within the chroot, or are you just copying files from a full installation?

If it's the latter, note that glibc loads the NSS modules it needs for dns lookups (libnss_dns, libnss_files and so on) at run time via dlopen, so they are not listed by ldd or similar.

Anyways, what you're trying to do is generally a bad idea, and even more so with a domain like google.com; iptables resolves the name only once, when the rule is loaded, and the ip address returned at that moment is what the rule matches on for as long as it is in effect.

The problem is that when something else later looks up google.com, a new dns request is made and may return a different ip address, while the iptables rule still matches only the old one.

This is especially true for something as large as google.com, which will have many ip addresses for that domain for load balancing and the like.

If you really want to do this, a better method would be to obtain an ip address for google.com once via ping or similar, then add that address to /etc/hosts or whatever dns cache/server you're using, and put that ip address in the iptables rule rather than the domain name as you have currently.

Even that has potential issues though, and I'm not sure it would do what you're looking for...

Speaking of which, what are you actually trying to accomplish with that rule in the first place, if you don't mind me asking?

----------

## dashang

yes sir ..you are great ....it works now......i was missing two libraries for dns...

thank you sir for replying............

----------

