iptables and dynamic IP addresses (use of a dyndns service)
I'd like to do some form of allowing just a couple of hosts to connect to the SSH port, etc. for instance. The ones connecting are dialup users with a dynamic IP address.
When you set up iptables like
iptables -A INPUT -s example.host.com/32 ...
it will look up that IP address and "hard code" it into the file. Is it possible to refresh the IP address when a connection to that port arrives (using a dyndns service for instance)?
where EXTIF represents the external interface on which you obtain your dynamic IP, so it might differ, i.e. for ADSL connections using PPPoE it is ppp0, etc.
Well, that wasn't really my question, maybe it was not well described, again:
there is a server with a very strict set of iptables rules on it, I'd like to open up a possibility to do some SSH connections for instance for people who do not have physical access to the server, like if they are working at another location. Those people who should be able to get on the server are on dialup accounts though, so they have a dynamic IP address!
Is there some kind of workaround like with a dyndns service that they get assigned a hostname like example.dyndns.org and then netfilter checks that on connection? As far as setting up iptables with iptables -A INPUT -s example.dyndns.org/32 ... the IP address will be looked up and saved, later like when the IP address changed (like when they re-dial their ISP) they won't be able to connect!
I think dyndns takes about 30 mins to propagate changes so that may be too long to be workable if you're doing production or sorts. I can imagine two roads to walk, one is opening up the closest range you can track 'em clients on, the other is having some sort of notification from them to you.
Anyway, a dropper/notification app seems more creative to me... Could be anything ranging from updating their IP automagically by being able to login over SSL first, shooting off a packet at a predefined port to trigger a Snort rule/Portsentry cmd to simply mailing their IP (GPG signed?) when they get online. Filtering restrictions can be easier if you know for instance there's only one slot per range, so after login you can block the rest of the range *and* drop the range in hosts.deny. Also look into setting up sshd to have an Allow for names and/or groups.
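A cron-driven refresh of the allow rule, added here as an example and not code from this thread; the hostname example.dyndns.org, the state-file path and the use of glibc's getent are assumptions. It resolves the name on every run and replaces the old /32 rule only when the address has changed, so the firewall follows the dyndns record instead of keeping the one-time lookup the question describes:

```shell
#!/bin/sh
# Hypothetical cron job (e.g. */5 * * * *): keep an SSH allow rule in sync with
# a dyndns hostname. Only touches iptables when the resolved address changes.

DDNS_HOST="${DDNS_HOST:-example.dyndns.org}"           # name from the thread, assumed
STATE_FILE="${STATE_FILE:-/var/run/ddns-ssh-allow.ip}" # assumed location for the cached IP
SSH_PORT="${SSH_PORT:-22}"
CHAIN="${CHAIN:-INPUT}"

# Print the first IPv4 address for NAME (glibc getent), or nothing on failure.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Succeed only for a dotted quad with octets 0..255, so a failed or garbled
# lookup can never turn into a rule for something other than one host.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF==4 { for (i=1;i<=4;i++) if ($i !~ /^[0-9]+$/ || $i>255) exit 1; exit 0 }
        { exit 1 }'
}

# Match arguments for the allow rule; shared by insert and delete so the
# delete matches exactly what was inserted earlier.
rule_args() {
    echo "$CHAIN -s $1/32 -p tcp --dport $SSH_PORT -j ACCEPT"
}

# Print the iptables commands that move the rule from OLD to NEW
# (empty OLD = first run, OLD = NEW = nothing to do). Executes nothing.
update_cmds() {
    [ "$1" = "$2" ] && return 0
    [ -n "$1" ] && echo "iptables -D $(rule_args "$1")"
    echo "iptables -I $(rule_args "$2")"   # -I: ahead of any trailing DROP/REJECT
}

main() {
    new="$(resolve_ipv4 "$DDNS_HOST")"
    if ! is_ipv4 "$new"; then
        echo "cannot resolve $DDNS_HOST; leaving the current rule in place" >&2
        return 1
    fi
    old=""; [ -f "$STATE_FILE" ] && old="$(cat "$STATE_FILE")"
    update_cmds "$old" "$new" | while read -r cmd; do $cmd || exit 1; done || return 1
    echo "$new" > "$STATE_FILE"
}

# Run only when invoked as `ddns-ssh-allow.sh run`, so the functions can be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```

It still inherits the propagation delay mentioned above, so a client that has just re-dialled waits until the new address is visible in DNS before the rule follows it.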
I have my sshd listening on a non-standard port, one which has never been scanned, and will only accept connections from hosts which I have given my RSA key to, which changes periodically.
Works great for dynamic ssh clients.
Every connection is logged & so far no-one who shouldn't be there has visited.
Excellent stuff - exactly what I needed, had been mucking about with grep trying to get this working and kept getting stuck