article in Tech linux-unix-and-friends

IPTABLES - a real mans firewall

Update Mar-25-2007: Code can now be downloaded from IPOpener package under the dynhosts folder. (some ppl have complained about copy/paste problems)
IPOpener is available [here]

There are many reason to like iptables. For one, it is free and you can modify it. But mostly I like it because I can write scripts to modify the rules dynamically. Dynamic firewall rules give you A LOT of power.

For instance, I want to block everyone from access the port for ssh on my box. But I DO want to be able to access it from my dynamic IP address @ my home box. To do this, I created an account with a dynamic dns service provider (someone like http://www.dyndns.com) that will resolve a name to my home machine. My home machine will tell the dynamic dns service what my home machine's external ip address is.

Now I need to add rules on my firewall for the hostname. However, since iptables does a single lookup when adding rules, you need a script to repeatedly lookup the IP for the home machine. Here are some script to do such a thing.

The script below lookups up a hostname's ip address, caches it to a directory, and adds a rule to allow it. When the script observes that the host's ip address has changed, the old ip is remove from iptables and the new one is added.

#!/bin/bash
# filename: firewall-dynhosts.sh
#
# A script to update iptable records for dynamic dns hosts.
# Written by: Dave Horner (http://dave.thehorners.com)
# Released into public domain.
#
# Run this script in your cron table to update ips.
#
# You might want to put all your dynamic hosts in a sep. chain.
# That way you can easily see what dynamic hosts are trusted.
#
# create the chain in iptables.
# /sbin/iptables -N dynamichosts
# insert the chain into the input chain @ the head of the list.
# /sbin/iptables -I INPUT 1 -j dynamichosts
# flush all the rules in the chain
# /sbin/iptables -F dynamichosts

HOST=$1
HOSTFILE="/root/dynhosts/host-$HOST"
CHAIN="dynamichosts"  # change this to whatever chain you want.
IPTABLES="/sbin/iptables"

# check to make sure we have enough args passed.
if [ "${#@}" -ne "1" ]; then
    echo "$0 hostname"
    echo "You must supply a hostname to update in iptables."
    exit
fi

# lookup host name from dns tables
IP=`/usr/bin/dig +short $HOST | /usr/bin/tail -n 1`
if [ "${#IP}" = "0" ]; then
    echo "Couldn't lookup hostname for $HOST, failed."
    exit
fi

OLDIP=""
if [ -a $HOSTFILE ]; then
    OLDIP=`cat $HOSTFILE`
    # echo "CAT returned: $?"
fi

# has address changed?
if [ "$OLDIP" == "$IP" ]; then
    echo "Old and new IP addresses match."
    exit
fi

# save off new ip.
echo $IP>$HOSTFILE

echo "Updating $HOST in iptables."
if [ "${#OLDIP}" != "0" ]; then
    echo "Removing old rule ($OLDIP)"
    `$IPTABLES -D $CHAIN -s $OLDIP/32 -j ACCEPT`
fi
echo "Inserting new rule ($IP)"
`$IPTABLES -A $CHAIN -s $IP/32 -j ACCEPT`

Now all you have to do to use this script is run:

firewall-dynhosts.sh theremotename.dyndns.org

This would insert a rule for theremotename.dyndns.org into your firewall.

I usally create a large script of trusted ddns hosts that I setup to be called many times throughout the day(using cron.d). I do this using cron.d in the /etc/cron.d.

# Run the dynamic firewall script every 5 minutes
*/5 * * * * root /root/dynamic-firewall > /dev/null  2>&

Done! Now you have a firewall that adds rules dynamically every five minutes so your trusted friends with dynamic IP addresses can access the machine.

MyDNS Dynamic Hosts

If you are looking to actually broadcast the ip change to others...and you have mydns in place... you can use the following.
Simple Dynamic DNS with MyDNS - Blink - provides a web php script for updating mydns records from a wget shell script on the remote server.

Userspace filtering with libipq and iptables

Manpage of LIBIPQ
Quick Intro to libipq
SuperHac.com » LIBIPQ - a few articles about libipq and example C code.
iptables libipq: DNS payload inspection - using libipq and perl's Net::DNS::Packet module to perform payload inspection.
4J: Passing packets from kernel land to userland - libipq and Perl
Magic Jack SIP auth proxy | 0xdecafbad.com

iptables – auto-allow user using dyndns.org source dns « Papa Delta Sierra - blog of paul suela, thanks for the link!
DynDNS with iptables | www.ryanbowlby.com - thank you to Joe and ryanbowlby blog for mention and link!
shell script: update ufw rules for the hosts with dynamic ip addresses
Automatically Update IPTables on DDWRT with Dynamic IP Address | DevinCollier.com

Remove all iptables PREROUTING nat rules - Lubos Rendek

for i in $( iptables -t nat --line-numbers -L | grep ^[0-9] | awk '{ print $1 }' | tac ); do echo $i; iptables -t nat -D POSTROUTING $i; done
iptables --flush
iptables -L -t nat --line-numbers

Created: 2005-04-25 04:21:35 Modified: 2017-10-13 15:48:54