Old 11-23-2012, 12:38 AM   #1
windstory
iptables and dyndns


I found the program for iptables and dyndns at http://www.geeklab.info/2011/02/ipta...d-dynamic-dns/

Please look over the script; I added some lines. If this does not work, I cannot log in to the office this weekend.


Code:
#!/bin/bash

HOSTNAME=myname.dyndns.org
CHECK_INTERVAL=60   # once a minute

# The DYNAMIC chain must already exist and be reached from INPUT
# (e.g. iptables -N DYNAMIC; iptables -I INPUT -j DYNAMIC); otherwise
# every iptables call below fails with "No chain/target/match by that name".
/sbin/iptables -F DYNAMIC   # flush all existing rules
IP=""                       # initialize $IP
while true; do
    OIP=$IP
    # first A record for the host; empty when the lookup fails
    IP=$(host "$HOSTNAME" | grep -iE "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | cut -f4 -d' ' | head -n 1)
    if [ "$OIP" != "$IP" ] && [ -n "$IP" ]; then
        echo "Changing ip to $IP"
        /sbin/iptables -F DYNAMIC   # flush all old rules
        /sbin/iptables -I DYNAMIC -s "$IP" -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
        /sbin/iptables -I DYNAMIC -s "$IP" -p tcp -m state --state NEW -m tcp --dport 5769 -j ACCEPT
        /sbin/iptables -I DYNAMIC -s "$IP" -p tcp -m state --state NEW -m tcp --dport 5901 -j ACCEPT
        /sbin/iptables -I DYNAMIC -s "$IP" -p tcp -m state --state NEW -m tcp --dport 5902 -j ACCEPT
        /sbin/iptables -I DYNAMIC -s "$IP" -p tcp -m state --state NEW -m tcp --dport 5903 -j ACCEPT
        /sbin/iptables -I DYNAMIC -s "$IP" -p udp -m udp --dport 177 -j ACCEPT
        /sbin/iptables -I DYNAMIC -s "$IP" -p tcp -m state --state NEW -m tcp --dport 7100 -j ACCEPT
    fi
    sleep "$CHECK_INTERVAL"
done
Thanks in advance.
 
Old 11-23-2012, 04:03 AM   #2
r0b0
Hi windstory,

What are you trying to achieve with this script?

As I read it, it periodically checks the IP address of a dyndns host and allows access to some TCP and UDP ports on your machine from this IP address.

Are you intending to run it on your office server to allow access from your home PC?

If yes, I wouldn't recommend this from a security point of view. Just set up sshd, set a good password (or, even better, ssh keys) and allow it on the office firewall as a general rule.

Kind regards,
Robert
 
Old 11-23-2012, 04:29 AM   #3
windstory
r0b0/ Thanks for your kind comment.

This iptables has sshd.



Quote:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [79607639:73945058465]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -s xxx.xxx.xxx.xxx -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -s xxx.xxx.xxx.xxx -p tcp -m state --state NEW -m tcp --dport 5769 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -s xxx.xxx.xxx.xxx -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
-A RH-Firewall-1-INPUT -s xxx.xxx.xxx.xxx -m state --state NEW -m tcp -p tcp --dport 5902 -j ACCEPT
-A RH-Firewall-1-INPUT -s xxx.xxx.xxx.xxx -m state --state NEW -m tcp -p tcp --dport 5903 -j ACCEPT
-A RH-Firewall-1-INPUT -s xxx.xxx.xxx.xxx -p udp -m udp --dport 177 -j ACCEPT
-A RH-Firewall-1-INPUT -s xxx.xxx.xxx.xxx -m state --state NEW -m tcp -p tcp --dport 7100 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Whenever I log in to the office server through ssh, I have to check my IP. So I am studying this kind of method.
 
Old 11-23-2012, 05:04 AM   #4
r0b0
Quote:
Originally Posted by windstory View Post
This iptables has sshd.
No, in fact it doesn't. SSH runs on port 22, so your script should contain an ACCEPT for TCP port 22. Something like:
-s xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -j ACCEPT

Quote:
Originally Posted by windstory View Post
Whenever I log in office server through ssh, I should check my ip. So I am studying this kind of method.
If your source IP address were fixed, I would understand that this increases your overall security.

But relying on (insecure) DNS entries hosted by (an untrusted) third party and running random scripts you found on the internet as root on your server to populate iptables rules would probably not increase your overall security. No offence meant.

So I still suggest you don't do that.
 
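A stricter version of the updater, added here as an example (it is not code from the thread, from geeklab.info, or from r0b0). It only ever hands iptables a value that has passed an anchored dotted-quad check, keeps the ACCEPT rules in their own chain, and hooks that chain into the RH-Firewall-1-INPUT chain from post #3 (that ruleset has no DYNAMIC chain, so the first script's `-F DYNAMIC` would fail there). With DRY_RUN=1 it prints the iptables commands instead of running them, so the rules can be inspected before the script is given root. The hostname, chain names and port lists are placeholders taken from the thread, and the `host` output lines in the comments are constructed samples. It does not remove r0b0's main objection: the A record is still an unauthenticated answer from a third party, so whoever controls that DNS name (or can spoof the answer) chooses which source address these ports open for.

```sh
#!/bin/sh
# Added example: dyndns -> iptables updater with input validation.
# Not the thread's script. HOSTNAME_TO_ALLOW, the chain names and the
# port lists are assumed placeholders; adjust them for your own server.

HOSTNAME_TO_ALLOW="${HOSTNAME_TO_ALLOW:-myname.dyndns.org}"
CHAIN="DYNAMIC"
PARENT_CHAIN="RH-Firewall-1-INPUT"          # chain used in the poster's ruleset
TCP_PORTS="21 5769 5901 5902 5903 7100"     # ports from the poster's script
UDP_PORTS="177"
CHECK_INTERVAL=60
DRY_RUN="${DRY_RUN:-0}"                     # DRY_RUN=1: print commands, do not run them

# Run an iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "/sbin/iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

# Accept only a dotted quad: digits and dots, four fields, each 0-255.
# Empty strings, IPv6, "1.2.3.4.5" or "1.2.3.4 -j ACCEPT" are all rejected.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i == "" || length($i) > 3 || $i + 0 > 255) exit 1 }'
}

# Read `host` output on stdin and print the first A record. A constructed line
#   myname.dyndns.org has address 203.0.113.7
# yields 203.0.113.7; NXDOMAIN or AAAA-only answers print nothing and fail.
first_ipv4_from_host_output() {
    ip=$(awk '$2 == "has" && $3 == "address" { print $4; exit }')
    is_ipv4 "$ip" || return 1
    printf '%s\n' "$ip"
}

# Create the chain if needed and make sure the parent chain jumps to it.
ensure_chain() {
    ipt -N "$CHAIN" 2>/dev/null || true
    if ! ipt -C "$PARENT_CHAIN" -j "$CHAIN" 2>/dev/null; then
        ipt -I "$PARENT_CHAIN" 1 -j "$CHAIN"
    fi
}

# Replace the chain contents with ACCEPT rules for one validated source address.
install_rules() {
    is_ipv4 "$1" || { echo "refusing to use non-IPv4 value: '$1'" >&2; return 1; }
    ipt -F "$CHAIN"
    for p in $TCP_PORTS; do
        ipt -A "$CHAIN" -s "$1" -p tcp -m state --state NEW -m tcp --dport "$p" -j ACCEPT
    done
    for p in $UDP_PORTS; do
        ipt -A "$CHAIN" -s "$1" -p udp -m udp --dport "$p" -j ACCEPT
    done
}

# Poll the name and rewrite the chain only when the validated address changes.
main_loop() {
    oip=""
    ensure_chain
    while true; do
        ip=$(host "$HOSTNAME_TO_ALLOW" 2>/dev/null | first_ipv4_from_host_output)
        if [ -n "$ip" ] && [ "$ip" != "$oip" ]; then
            echo "$(date '+%F %T') $HOSTNAME_TO_ALLOW is now $ip (was ${oip:-none}); rewriting $CHAIN"
            install_rules "$ip" && oip="$ip"
        fi
        sleep "$CHECK_INTERVAL"
    done
}

# Start polling only when invoked as "./dyn-allow.sh run", so the functions
# can also be sourced and exercised with DRY_RUN=1.
if [ "${1:-}" = "run" ]; then
    main_loop
fi
```

Two design points: the rules are added with `-A` after a `-F` so the chain keeps the order listed in the script, and the chain is inserted at position 1 of the parent so it is consulted before the final `REJECT`. Running `DRY_RUN=1 sh -c '. ./dyn-allow.sh; install_rules 203.0.113.7'` shows exactly what would be executed for a given address without touching the firewall.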
Old 11-23-2012, 04:12 PM   #5
windstory
r0b0/ I changed the port from 22 to 5769.
 