#1
iptables block ftp access based on hostname
Hello All,
I have a redhat 7.2 server running several websites on a single ip. I have a small percentage of clients who have ftp access to their sites. I would like to use iptables to drop / reject all ftp requests which are not destined for a specific host name. I'm using the following command (this is a simplified version to drop all ftp except those destined for example.foo.com):

iptables -A INPUT -p tcp --destination-port 21 -d ! example.foo.com -j DROP

The problem is that "example.foo.com" is not the actual host name of the server, rather it is a virtual host name. When the rule is inserted into iptables, "example.foo.com" is changed to the host name of the server. Any ideas on how I can keep the destination set to the virtual host name?
#2
I don't think you can do this with iptables.
Why not just configure your FTP server not to let the people who don't have FTP access log in?
__________________
Alex (http://www.alex-greg.com)
#3
|
||||
|
||||
|
Thanks for the reply.
We do have ftp set up so that only registered users can login (anonymous access is disabled). But we have a block of 127 IP addresses, and lately we've been getting a number of spurious ftp attempts (probably scripted, up to 20/second) trying to login as anonymous to each of the ips. It's not caused much of a problem, except that the ftp daemon has to wake up each time to process and reject the login. Since we only have about 6 clients with ftp access I'd like to drop any login attempts not to those addresses. That way, the ftp daemon would only have to respond to about 5% of the spurious connection attempts. I can do it by ip right now, but we're moving to a name-based virtual host system in the near future, and so I'd like a solution which will be portable.
#4
You won't be able to restrict ftp access via the hostname. The ftp server, or indeed the OS won't be able to determine the hostname connected to.
Do your clients have static ips? If so, why not set up ACLs?
#5
We do have static ips (for now), and filtering based on those is not a problem, but we are preparing to move to virtual hosting based on host name.
If it's not possible to filter correctly by host name for virtual hosts, then I'll probably just create a single ip for all the clients to connect to, and just use iptables to deny ftp access to all ips except that one.
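The fallback the last post describes (accept FTP only on the dedicated address, drop it on the rest of the block), as an added example that is not from the thread: a small Python helper that resolves candidate names explicitly, flags names that share an address (the reason the firewall cannot tell virtual hosts apart), and emits the iptables rule set. The host names and addresses are constructed placeholders.

```python
import socket
from collections import defaultdict

# Constructed placeholder answers so the script runs offline; drop the
# 'resolver=' argument in __main__ to query real DNS instead.
FAKE_DNS = {
    "a.example.test": "192.0.2.10",
    "b.example.test": "192.0.2.10",
    "c.example.test": "192.0.2.11",
}


def resolve(hosts, resolver=socket.gethostbyname):
    """Map each name to the address it resolves to right now.

    This is what iptables does silently when '-d' is given a name: only
    the address is stored in the rule. Doing it here makes that visible.
    """
    return {host: resolver(host) for host in hosts}


def shared_addresses(name_to_ip):
    """Return {ip: [names]} for addresses that serve more than one name.

    Name-based virtual hosts share an address and FTP carries no host
    name on the control connection, so the destination address is the
    only key the firewall can filter on.
    """
    by_ip = defaultdict(list)
    for name, ip in name_to_ip.items():
        by_ip[ip].append(name)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


def build_rules(allowed_ips, chain="INPUT", port=21):
    """Accept the FTP control port only on the listed destination
    addresses (the server's own), then drop it everywhere else.
    Explicit ACCEPTs plus one DROP avoid the single-address '-d !' form."""
    rules = [f"iptables -A {chain} -p tcp --dport {port} -d {ip} -j ACCEPT"
             for ip in sorted(set(allowed_ips))]
    rules.append(f"iptables -A {chain} -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    mapping = resolve(FAKE_DNS, resolver=FAKE_DNS.__getitem__)
    for ip, names in shared_addresses(mapping).items():
        print(f"warning: {ip} serves {', '.join(names)}; cannot filter by name")
    print("\n".join(build_rules(mapping.values())))
```

Load the printed rules ahead of any broader DROP in the chain, and re-run the resolution step whenever an address changes, since the loaded rules never follow DNS.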
Posted in Dev Shed Forums > System Administration > FTP Help