If it is at all possible, please consider setting up a transparent application-level proxy. An application proxy will probably be much easier to do this type of filtering with.
If you must do it with iptables, a kludgy option would be to create a chain, then create a command-line script that periodically updates that particular chain with the results from DNS for the name you need to use.
If someone was going to attempt to create such a thing that truly did DNS-based packet filtering, it would almost certainly have to be done via userspace. Specifically, you would use something like libnetfilter_queue. I have never used it, but Packetbl may be close to doing this, though it doesn't appear to be very well maintained.
Another alternative might be to set up Layer 7 filtering. You might be able to filter on a portion of the request if the DNS name is being transmitted as part of the payload of the packet.
I needed iptables to allow SSH access based on domain name from my home IP but wanted to keep it closed for all other addresses. Since I have a dynamic IP that changes occasionally, I wrote a script to update the rules based on the IP of my dynamic DNS entry. I'm new at this, so I'm sure there is a better way. Replace "yourname" with your dynamic DNS hostname.
#!/bin/bash
# nslookup prints the resolver's own address first and the answer second,
# so the script takes the second "Address" line as the host's current IP.
/usr/bin/nslookup yourname.dynalias.org > /root/temp
found=0
address=""
ruleexists=0
while read LINE
do
    if [[ "$LINE" == Address* ]]; then
        let found++
        if [[ $found == 2 ]]; then
            address=${LINE:8}
            # dump the live rule set and check whether this address is already allowed
            /sbin/iptables-save > /root/rulesdump
            while read LINE2
            do
                if [[ "$LINE2" == *$address* ]]; then
                    ruleexists=1
                fi
            done < /root/rulesdump
            if [[ "$ruleexists" != 1 ]]; then
                # remove the final LOG_DROP, append the new ACCEPT rule, then put LOG_DROP back last
                /sbin/iptables -D INPUT -j LOG_DROP
                /sbin/iptables -A INPUT -s $address -p tcp -m tcp --dport 22 -j LOG_ACCEPT
                /sbin/iptables -A INPUT -j LOG_DROP
            fi
        fi
    fi
done < /root/temp
Put the above script in crontab to run every so often.
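The dedicated-chain approach from the first answer, written out as an added example (not the script above or anything from the answerers): the chain SSH_DYN, the DYN_HOST and IPTABLES variables and the use of getent are my assumptions. It flushes and refills its own chain on every run, so an old address is dropped when the name changes, and it validates each resolved value and refuses to touch the rules when nothing valid comes back.

```shell
#!/bin/sh
# Added example: keep one iptables chain in sync with a dynamic DNS name.
# Assumed names: chain SSH_DYN, env vars DYN_HOST and IPTABLES (IPTABLES=echo
# gives a dry run). Usage: DYN_HOST=host.example.net ./dynssh.sh apply
set -eu
DYN_HOST="${DYN_HOST:-yourname.dynalias.org}"   # placeholder from the post above
CHAIN="${CHAIN:-SSH_DYN}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Resolve a name to its IPv4 addresses with the libc resolver, one per line.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Accept only a well-formed dotted quad; anything else must never reach a rule.
valid_ipv4() {
    ip=$1
    case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Turn addresses on stdin into a flush-and-refill rule list for the chain.
# Returns 1 when no valid address is present, so a failed or bogus lookup
# leaves the existing rules untouched instead of locking you out.
build_rules() {
    chain=$1; rules=""; n=0
    while read -r addr; do
        valid_ipv4 "$addr" || continue
        rules=$(printf '%s\n-A %s -s %s -p tcp -m tcp --dport 22 -j ACCEPT' "$rules" "$chain" "$addr")
        n=$((n + 1))
    done
    [ "$n" -gt 0 ] || { echo "no valid address resolved; leaving $chain unchanged" >&2; return 1; }
    printf -- '-F %s%s\n' "$chain" "$rules"
}

# Create the chain once, hook it into INPUT once, then apply each rule line.
apply_rules() {
    chain=$1
    "$IPTABLES" -N "$chain" 2>/dev/null || true
    "$IPTABLES" -C INPUT -j "$chain" 2>/dev/null || "$IPTABLES" -I INPUT -j "$chain"
    while read -r rule; do "$IPTABLES" $rule; done
}

case "${1:-}" in
    apply) resolve_ipv4 "$DYN_HOST" | build_rules "$CHAIN" | apply_rules "$CHAIN" ;;
esac
```

Run it from cron the same way as the script above; with IPTABLES=echo it prints the commands it would run instead of changing the firewall.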
Short answer, if you are sure the IP is static forever:
Same thing in ruby and shorter: