Old 02-02-2006, 06:39 AM   #1
ptah_be
LQ Newbie
 
Registered: Feb 2006
Posts: 3

Rep: Reputation: 0
firewall using dynamic dns for inbound connections


I want to host a website at home but I only want certain users to have access to it, but I can't use username/password or certificates to authenticate them. Can I configure iptables (or some other linux firewall) to use rules based on a dynamic hostname?

Regards,
Ptah
 
Old 02-02-2006, 10:19 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,744
Blog Entries: 54

Rep: Reputation: 2973
I can't use username/password or certificates to authenticate them
Why not?
 
Old 02-03-2006, 02:11 AM   #3
ptah_be
LQ Newbie
 
Registered: Feb 2006
Posts: 3

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn
I can't use username/password or certificates to authenticate them
Why not?
Because not all the devices that connect can use these. Some of them can't use any of them.
 
Old 02-03-2006, 02:20 AM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
iptables doesn't work with hostnames, it only works with IP addresses...

of course you might be able to find some patch or something which grants your iptables the hostname functionality... keep in mind that it would be a very ridiculous thing to do, as the security you would acquire would be completely imaginary, and plus the overhead added to your iptables rules (DNS/reverse-DNS resolution) would suck...

just my ...
 
Old 02-03-2006, 08:12 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,744
Blog Entries: 54

Rep: Reputation: 2973
@win32sux: iptables doesn't work with hostnames
Iptables will take hostnames by default. No POM necessary.


Can I configure iptables (or some other linux firewall) to use rules based on a dynamic hostname?
Yes, but like Win32sux says it doesn't offer *anything* that can be used for proper authentication and authorization.


Because not all the devices that connect can use these. Some of them can't use any of them.
Now this gets interesting. So they have a network stack but no access to regular validation methods?
I'm willing to think along, but you will have to come up with more details.
So please elaborate: what types of devices are we talking about?
What protocols or applications will they use to access the server?
Approx. how many devices are you talking about?
Will the site or application work with information that should be transferred securely?
 
Old 02-03-2006, 08:21 AM   #6
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by unSpawn
Iptables will take hostnames by default. No POM necessary.
sorry, my bad...

yeah, so i looked at the manpage and here it is:
Quote:
-s, --source [!] address[/mask]
Source specification. Address can be either a network name, a
hostname (please note that specifying any name to be resolved
with a remote query such as DNS is a really bad idea), a network
IP address (with /mask), or a plain IP address. The mask can be
either a network mask or a plain number, specifying the number
of 1's at the left side of the network mask. Thus, a mask of 24
is equivalent to 255.255.255.0. A "!" argument before the
address specification inverts the sense of the address. The flag
--src is an alias for this option.
BTW, is there some kinda special syntax for this?? cuz i tried (just out of curiosity - i would never do this for real) with a "-s cnn.com" and a "-s www.cnn.com" and i'd only get errors...
 
Old 02-03-2006, 09:42 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,744
Blog Entries: 54

Rep: Reputation: 2973
I don't like to see this thread go OT, but what errors do you get? "-s cnn.com" should not work (no single CIDR type address/mask), "-s www.cnn.com" should.
 
Old 02-03-2006, 12:43 PM   #8
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by unSpawn
I don't like to see this thread go OT, but what errors do you get?
the error was:
Code:
iptables v1.3.4: host/network `www.cnn.com' not found
Try `iptables -h' or 'iptables --help' for more information.
but i figured it out... since i was doing it by editing my iptables script, there were no OUTPUT rules at the moment of execution allowing outgoing DNS queries... this is due to the fact that i have my INPUT rules written first and of course all chains are flushed and policies set to DROP at the beginning of the script...

so the error is totally understandable and when i execute the command with "-s www.cnn.com" from the command line while my OUTPUT rules are already in place there is no error since the DNS query goes out without being filtered...

Quote:
"-s cnn.com" should not work (no single CIDR type address/mask), "-s www.cnn.com" should.
curiously, both ways work fine on my box:
Code:
iptables -I INPUT -p TCP -s cnn.com -j DROP
Code:
iptables -I INPUT -p TCP -s www.cnn.com -j DROP
i'll google about this and figure out why both ways work, don't worry... i also have some other questions about this iptables hostnames thing but like you said, the thread is getting off topic and stuff so i will abstain...

for ptah_be and anyone else reading this thread: it's important to point out once again that using hostnames in your iptables for this kinda thing is a VERY BAD IDEA AND IS VERY DISCOURAGED (i was simply trying it out for experimentation and would never do it seriously)...

so to get back on topic, ptah_be, i will re-post the latest on-topic questions which were asked by unSpawn so you can answer them please:
Quote:
So please elaborate: what types of devices are we talking about?
What protocols or applications will they use to access the server?
Approx. how many devices are you talking about?
Will the site or application work with information that should be transferred securely?
remember that the more details and information you provide, the easier it will be to assist you...
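The behaviour discussed in posts #5 through #8 (iptables accepts a hostname, resolves it once when the rule is loaded, and installs one rule per A record, so a dynamic DNS name is only as current as the last load) as an added example that is not code from the thread. The resolver is a constructed stand-in so it runs offline; the hostnames and addresses are documentation values chosen for this example, and a real script would use `getent ahostsv4` in its place.

```shell
# Added example (not from the thread): what "-s hostname" does at rule-load time,
# and a staleness check for a dynamic DNS name whose address may have changed.
# resolve_name is a constructed stand-in for DNS so the script runs offline;
# on a real box use: getent ahostsv4 "$1" | awk '{print $1}' | sort -u
resolve_name() {
    case "$1" in
        home.dyn.example)  echo "203.0.113.10" ;;                  # constructed: single A record
        multi.example)     echo "192.0.2.1 192.0.2.2 192.0.2.3" ;; # constructed: several A records
        *)                 return 1 ;;                              # NXDOMAIN, or DNS blocked by OUTPUT policy
    esac
}

# Emit the rules iptables would install for "-s $1" on chain $2. The name is
# resolved exactly once here; the kernel only ever sees the addresses.
expand_rules() {
    ips=$(resolve_name "$1") || { echo "host/network '$1' not found" >&2; return 1; }
    for ip in $ips; do
        echo "iptables -A $2 -p tcp --dport 80 -s $ip -j ACCEPT"
    done
}

# How many rules a single name turns into (3 for multi.example above).
rule_count() {
    expand_rules "$1" "$2" | wc -l | tr -d ' '
}

# Dynamic DNS caveat: the installed rule keeps the address from load time.
# $1 = address stored at load time, $2 = hostname. Returns 0 when a reload is
# needed (address changed, or the name no longer resolves), 1 when current.
rule_is_stale() {
    current=$(resolve_name "$2") || return 0
    [ "$current" != "$1" ]
}

demo() {
    expand_rules multi.example INPUT
    if rule_is_stale 203.0.113.10 home.dyn.example; then
        echo "home.dyn.example changed: flush and reload the rule"
    else
        echo "home.dyn.example unchanged: rule still matches the current address"
    fi
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `--demo` to see the expanded rules printed; the script never pipes them to iptables itself, and a source address match is still only an allow-list, not authentication, as the posts above stress.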
 
Old 02-06-2006, 04:44 AM   #9
ptah_be
LQ Newbie
 
Registered: Feb 2006
Posts: 3

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn
Because not all the devices that connect can use these. Some of them can't use any of them.
Now this gets interesting. So they have a network stack but no access to regular validation methods?
I'm willing to think along, but you will have to come up with more details.
So please elaborate: what types of devices are we talking about?
What protocols or applications will they use to access the server?
Approx. how many devices are you talking about?
Will the site or application work with information that should be transferred securely?
The devices are sat-tuners (and most of them have no validation method) and they use TCP/IP to connect. I don't know the exact protocol (but that doesn't matter anyway). There will be about 100 devices that need to connect.
 