Dave Horner's Website - Yet another perspective on things...
IPTABLES - a real mans firewall

Sunday, 24 April 2005 23:21
Update Mar-25-2007: The code can now be downloaded from the IPOpener package, under the dynhosts folder (some people have complained about copy/paste problems).
IPOpener is available [here]
There are many reasons to like iptables.  For one, it is free and you can modify it.  But mostly I like it because I can write scripts to modify the rules dynamically.  Dynamic firewall rules give you A LOT of power.

For instance, I want to block everyone from accessing the ssh port on my box.  But I DO want to be able to access it from the dynamic IP address of my home box.  To do this, I created an account with a dynamic dns service provider (someone like http://www.dyndns.com) that will resolve a name to my home machine.  My home machine tells the dynamic dns service what its current external ip address is.

Now I need to add rules on my firewall for the hostname.  However, iptables resolves a hostname only once, at the moment the rule is added, so you need a script that repeatedly looks up the IP for the home machine and updates the rule when it changes.  Here is a script to do such a thing.

The script below looks up a hostname's ip address, caches it to a directory, and adds a rule to allow it.  When the script observes that the host's ip address has changed, the old ip is removed from iptables and the new one is added.
#!/bin/bash
# filename: firewall-dynhosts.sh
#
# A script to update iptable records for dynamic dns hosts.
# Written by: Dave Horner (http://dave.thehorners.com)
# Released into public domain.
#
# Run this script in your cron table to update ips.
#
# You might want to put all your dynamic hosts in a sep. chain.
# That way you can easily see what dynamic hosts are trusted.
#
# create the chain in iptables.
# /sbin/iptables -N dynamichosts
# insert the chain into the input chain @ the head of the list.
# /sbin/iptables -I INPUT 1 -j dynamichosts
# flush all the rules in the chain
# /sbin/iptables -F dynamichosts

HOST=$1
HOSTDIR="/root/dynhosts"            # cache directory, one file per host.
HOSTFILE="$HOSTDIR/host-$HOST"
CHAIN="dynamichosts"  # change this to whatever chain you want.
IPTABLES="/sbin/iptables"

# check to make sure we have enough args passed.
if [ "$#" -ne 1 ]; then
    echo "$0 hostname"
    echo "You must supply a hostname to update in iptables."
    exit 1
fi

# lookup host name from dns tables.  dig +short prints any CNAME chain
# before the final A record, so keep only the last line.
IP=$(/usr/bin/dig +short "$HOST" | /usr/bin/tail -n 1)
# refuse anything that is not a dotted-quad address: an empty answer or a
# stray name must never end up on the iptables command line.
case "$IP" in
    ""|*[!0-9.]*)
        echo "Couldn't lookup an IPv4 address for $HOST, failed."
        exit 1 ;;
esac

mkdir -p "$HOSTDIR"
OLDIP=""
if [ -e "$HOSTFILE" ]; then
    OLDIP=$(cat "$HOSTFILE")
fi

# has address changed?
if [ "$OLDIP" = "$IP" ]; then
    echo "Old and new IP addresses match."
    exit 0
fi

echo "Updating $HOST in iptables."
if [ -n "$OLDIP" ]; then
    echo "Removing old rule ($OLDIP)"
    # run the command directly, not inside backticks (which would try to
    # execute the command's output as another command).
    "$IPTABLES" -D "$CHAIN" -s "$OLDIP/32" -j ACCEPT
fi
echo "Inserting new rule ($IP)"
"$IPTABLES" -A "$CHAIN" -s "$IP/32" -j ACCEPT || exit 1

# save off new ip, only once the rule is really in place, so a failed
# iptables call gets retried on the next cron run.
echo "$IP" > "$HOSTFILE"


Now all you have to do to use this script is run:
firewall-dynhosts.sh theremotename.dyndns.org
This would insert a rule for theremotename.dyndns.org into your firewall.

I usually create a larger script that calls this one for each trusted ddns host, and I set it up to run many times throughout the day with a cron.d entry in /etc/cron.d.
# Run the dynamic firewall script every 5 minutes
*/5 * * * * root /root/dynamic-firewall > /dev/null 2>&1

Done!  Now you have a firewall that adds rules dynamically every five minutes so your trusted friends with dynamic IP addresses can access the machine.
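The post does not show the /root/dynamic-firewall wrapper that cron runs, so here is an added example of one (my code, not the author's). It assumes the script above is installed as /root/firewall-dynhosts.sh with its cache in /root/dynhosts, that cron invokes the wrapper as `/root/dynamic-firewall run`, and the two host names are constructed. It goes a little beyond the post: it checks that each cached address really is an IPv4 address before trusting it, and prunes ACCEPT rules whose address no longer belongs to any host on the list, which the per-host script alone never removes.

```shell
#!/bin/bash
# dynamic-firewall (added example): refresh every trusted dynamic host with
# firewall-dynhosts.sh, then prune ACCEPT rules whose address is stale.
CHAIN="dynamichosts"
IPTABLES="/sbin/iptables"
UPDATER="/root/firewall-dynhosts.sh"   # the script from the post (assumed path)
CACHEDIR="/root/dynhosts"              # where it caches host-<name>
TRUSTED_HOSTS="theremotename.dyndns.org anotherfriend.dyndns.org"  # constructed

# Accept only a plain dotted-quad IPv4 address, so an empty or odd dig
# result never reaches an iptables command line.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    local IFS=. n
    set -- $1
    [ $# -eq 4 ] || return 1
    for n; do [ "$n" -le 255 ] 2>/dev/null || return 1; done
}

# Arg 1: listing as printed by `iptables -S CHAIN`; arg 2: wanted addresses,
# one per line.  Prints addresses that have an ACCEPT rule but are not wanted.
stale_addresses() {
    local wanted="$2" ip
    printf '%s\n' "$1" |
        sed -n "s|^-A $CHAIN -s \([0-9.]*\)/32 -j ACCEPT\$|\1|p" |
        while read -r ip; do
            printf '%s\n' "$wanted" | grep -qxF "$ip" || printf '%s\n' "$ip"
        done
}

refresh_all() {
    local host ip wanted=""
    # Create the chain and hook it into INPUT, as the post's comments describe.
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || true
    "$IPTABLES" -C INPUT -j "$CHAIN" 2>/dev/null || "$IPTABLES" -I INPUT 1 -j "$CHAIN"
    for host in $TRUSTED_HOSTS; do
        "$UPDATER" "$host"
        ip=$(cat "$CACHEDIR/host-$host" 2>/dev/null)
        is_ipv4 "$ip" && wanted="$wanted$ip
"
    done
    for ip in $(stale_addresses "$("$IPTABLES" -S "$CHAIN")" "$wanted"); do
        echo "Pruning stale rule ($ip)"
        "$IPTABLES" -D "$CHAIN" -s "$ip/32" -j ACCEPT
    done
}

# cron invokes `/root/dynamic-firewall run`; without "run" only functions are defined.
case "${1:-}" in run) refresh_all ;; esac
```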


MyDNS Dynamic Hosts

If you are looking to actually broadcast the ip change to others...and you have mydns in place... you can use the following.
Simple Dynamic DNS with MyDNS - Blink - provides a web php script for updating mydns records from a wget shell script on the remote server.

Userspace filtering with libipq and iptables

Manpage of LIBIPQ
Quick Intro to libipq
SuperHac.com » LIBIPQ - a few articles about libipq and example C code.
iptables libipq: DNS payload inspection - using libipq and perl's Net::DNS::Packet module to perform payload inspection.
4J: Passing packets from kernel land to userland - libipq and Perl
Magic Jack SIP auth proxy | 0xdecafbad.com


iptables – auto-allow user using dyndns.org source dns « Papa Delta Sierra - blog of paul suela, thanks for the link!
DynDNS with iptables | www.ryanbowlby.com - thank you to Joe and ryanbowlby blog for mention and link!
shell script: update ufw rules for the hosts with dynamic ip addresses
Automatically Update IPTables on DDWRT with Dynamic IP Address | DevinCollier.com
Last Updated on Wednesday, 16 July 2014 19:55