IPTABLES - a real man's firewall

Sunday, 24 April 2005 23:21
Update Mar-25-2007: The code can now be downloaded from the IPOpener package, under the dynhosts folder (some people have complained about copy/paste problems). IPOpener is available [here].

There are many reasons to like iptables. For one, it is free and you can modify it. But mostly I like it because I can write scripts to modify the rules dynamically. Dynamic firewall rules give you A LOT of power. For instance, I want to block everyone from accessing the ssh port on my box, but I DO want to be able to access it from the dynamic IP address of my home box.

To do this, I created an account with a dynamic DNS service provider (someone like http://www.dyndns.com) that will resolve a name to my home machine. My home machine tells the dynamic DNS service what its external IP address is. Now I need to add rules on my firewall for that hostname. However, since iptables resolves a hostname only once, when the rule is added, you need a script that repeatedly looks up the IP for the home machine. Here are some scripts to do such a thing.

The script below looks up a hostname's IP address, caches it to a directory, and adds a rule to allow it. When the script observes that the host's IP address has changed, the old IP is removed from iptables and the new one is added.

```bash
#!/bin/bash
# filename: firewall-dynhosts.sh
#
# A script to update iptable records for dynamic dns hosts.
# Written by: Dave Horner (http://dave.thehorners.com)
# Released into public domain.
#
# Run this script in your cron table to update ips.
#
# You might want to put all your dynamic hosts in a sep. chain.
# That way you can easily see what dynamic hosts are trusted.
#
# create the chain in iptables.
# /sbin/iptables -N dynamichosts
# insert the chain into the input chain @ the head of the list.
# /sbin/iptables -I INPUT 1 -j dynamichosts
# flush all the rules in the chain
# /sbin/iptables -F dynamichosts

HOST=$1
# cache file holding the last IP seen for this host (the directory must exist).
HOSTFILE="/root/dynhosts/host-$HOST"
CHAIN="dynamichosts"      # change this to whatever chain you want.
IPTABLES="/sbin/iptables"

# check to make sure we have enough args passed.
if [ "$#" -ne 1 ]; then
    echo "$0 hostname"
    echo "You must supply a hostname to update in iptables."
    exit 1
fi

# lookup host name from dns tables (last line of dig +short is the A record).
IP=`/usr/bin/dig +short "$HOST" | /usr/bin/tail -n 1`
if [ "${#IP}" = "0" ]; then
    echo "Couldn't lookup hostname for $HOST, failed."
    exit 1
fi

# read the previously cached ip, if any.
OLDIP=""
if [ -e "$HOSTFILE" ]; then
    OLDIP=`cat "$HOSTFILE"`
    # echo "CAT returned: $?"
fi

# save off new ip.
echo "$IP" > "$HOSTFILE"

echo "Updating $HOST in iptables."
if [ "${#OLDIP}" != "0" ]; then
    echo "Removing old rule ($OLDIP)"
    $IPTABLES -D "$CHAIN" -s "$OLDIP/32" -j ACCEPT
fi
echo "Inserting new rule ($IP)"
$IPTABLES -A "$CHAIN" -s "$IP/32" -j ACCEPT
```

Now all you have to do to use this script is run:

```
firewall-dynhosts.sh theremotename.dyndns.org
```

This would insert a rule for theremotename.dyndns.org into your firewall. I usually create a large script of trusted DDNS hosts (one firewall-dynhosts.sh call per host) and have it called many times throughout the day from a file in /etc/cron.d:

```
# Run the dynamic firewall script every 5 minutes
*/5 * * * * root /root/dynamic-firewall > /dev/null 2>&1
```

Done! Now you have a firewall that adds rules dynamically every five minutes so your trusted friends with dynamic IP addresses can access the machine.

MyDNS Dynamic Hosts

If you are looking to actually broadcast the IP change to others... and you have MyDNS in place... you can use the following.

- Simple Dynamic DNS with MyDNS - Blink - provides a web PHP script for updating MyDNS records from a wget shell script on the remote server.

Userspace filtering with libipq and iptables

- Manpage of LIBIPQ
- Quick Intro to libipq
- SuperHac.com » LIBIPQ - a few articles about libipq and example C code.
- iptables libipq: DNS payload inspection - using libipq and Perl's Net::DNS::Packet module to perform payload inspection.
- 4J: Passing packets from kernel land to userland - libipq and Perl
- Magic Jack SIP auth proxy | 0xdecafbad.com
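The dynamic-host procedure above (look the name up, compare with the cached address, swap the iptables rule, refresh the cache) has one property worth keeping in mind: whatever the resolver answers ends up on a root command line, and whoever controls the DDNS record controls the ACCEPT rule, so the DDNS account is part of the firewall's trust boundary. The following is an added example, not the original script and not part of the IPOpener package. It is a POSIX sh library of functions that validates the resolver answer and the hostname before either touches iptables or the cache path, only runs iptables when the cached address actually differs (so a five-minute cron run is a no-op most of the time rather than a delete-and-re-add), and keeps the "what commands would run" step separate from the "run them" step so it can be dry-run. The names is_ipv4, resolve_host, plan_rule_update, update_host and the DYNHOSTS_* environment variables are my own; it assumes the dynamichosts chain already exists, that dig is installed, and that the cache directory is writable by the user running it.

```shell
#!/bin/sh
# firewall-dynhosts-lib.sh (hypothetical name): added example, not the original script.
# Assumes: the "dynamichosts" chain already exists (iptables -N / -I as above), dig is
# installed, and the cache directory is writable by the user running it (root).
# All function names and DYNHOSTS_* variables are my own, not from the original.

IPTABLES="${DYNHOSTS_IPTABLES:-/sbin/iptables}"
CHAIN="${DYNHOSTS_CHAIN:-dynamichosts}"
CACHE_DIR="${DYNHOSTS_CACHE:-/root/dynhosts}"

# Accept only a dotted quad with four octets in 0..255. The resolver answer is
# untrusted input that ends up on a root command line, so anything else is refused.
is_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _ifs=$IFS; IFS=.
  set -- $1
  IFS=$_ifs
  [ "$#" -eq 4 ] || return 1
  for _o in "$@"; do
    [ "${#_o}" -le 3 ] && [ "$_o" -le 255 ] || return 1
  done
  return 0
}

# Resolve HOST to its A record. dig +short prints CNAME targets before the final
# address, so keep the last line that validates rather than blindly the last line.
resolve_host() {
  _ip=""
  for _line in $(dig +short "$1" A 2>/dev/null); do
    is_ipv4 "$_line" && _ip=$_line
  done
  [ -n "$_ip" ] && echo "$_ip"
}

# Print the iptables commands that move a host's rule from OLD ($1) to NEW ($2),
# one per line. Prints nothing when the address is unchanged, so the periodic run
# does not delete and re-add the same rule every time.
plan_rule_update() {
  [ "$1" = "$2" ] && return 0
  [ -n "$1" ] && echo "$IPTABLES -D $CHAIN -s $1/32 -j ACCEPT"
  echo "$IPTABLES -A $CHAIN -s $2/32 -j ACCEPT"
}

# update_host HOST NEW_IP: compare NEW_IP with the cached one, run the planned
# commands, then refresh the cache. Echoes each command it ran; returns non-zero
# on a bad hostname, a bad address or an iptables failure, leaving the cache untouched.
update_host() {
  _host=$1; _new=$2
  case "$_host" in   # hostname is also used as a file name: no slashes or oddities
    ""|*[!A-Za-z0-9.-]*) echo "refusing bad hostname '$_host'" >&2; return 1 ;;
  esac
  is_ipv4 "$_new" || { echo "refusing bad address '$_new' for $_host" >&2; return 1; }
  _cache="$CACHE_DIR/host-$_host"
  _old=""
  [ -f "$_cache" ] && _old=$(cat "$_cache")
  plan_rule_update "$_old" "$_new" | while read -r _cmd; do
    $_cmd || exit 1   # exit only leaves this subshell; it becomes the pipeline status
    echo "$_cmd"
  done || return 1
  printf '%s\n' "$_new" > "$_cache"
}

# Usage: firewall-dynhosts-lib.sh host [host ...]
# With no arguments nothing runs, so the file can also be sourced for its functions.
for _h in "$@"; do
  _addr=$(resolve_host "$_h") || { echo "lookup failed for $_h" >&2; continue; }
  update_host "$_h" "$_addr"
done
```

To dry-run it, point DYNHOSTS_IPTABLES at `echo` and DYNHOSTS_CACHE at a scratch directory; the commands that would have run are printed instead. Because the cache is written only after every iptables call succeeds, a failed delete is retried on the next run instead of leaving a stale rule behind with a fresh cache.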
Last Updated on Thursday, 24 December 2009 03:54

