Quick iptables Question...

Darvocet · 06-01-2005, 10:06 PM

I run an iptables script to firewall/NAT my linux box which acts as a router for my local network. The iptables script works perfectly as far as I can tell and correctly forwards ports. The only problem I have with it is that my external IP address is written in some of the port forwarding lines. This isnt really the best setup for me with a slighty dynamic IP. What could I change the following lines to so that I dont need to update anything when my IP changes? Here is some basic information about my setup.

ETH0 - Local Net - 192.168.1.0/24
ETH1 - WAN

Code:

$iptables -A FORWARD -i eth1 -p tcp --dport 59 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth1 -p tcp -d xx.219.201.xx --dport 59 -j DNAT --to-destination 192.168.1.4:59

$iptables -A FORWARD -i eth1 -p tcp --dport 113 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth1 -p tcp -d xx.219.201.xx --dport 113 -j DNAT --to-destination 192.168.1.4:113

What could I change these lines to so that my IP address doesnt have to be updated each time there is a change?

Thanks in advance for your assistance.

Darvocet
darvocet@dndns.net

tvynr · 06-02-2005, 01:42 AM

I'm glad you asked... I can finally contribute something other than questions to this forum!

I use the following lines in my firewall script:

Code:

export EXT_IP=`ifconfig $EXT_IFC | grep "inet addr" | egrep -o -m 1 [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ | head -n 1`
export EXT_BROADCAST=`ifconfig $EXT_IFC | grep "inet addr" | egrep -o -m 1 [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ | head -n 2 | tail -n 1`
if [ -z "$EXT_IP" ]; then
    export EXT_IP="10.0.0.0"
fi
if [ -z "$EXT_BROADCAST" ]; then
    export EXT_BROADCAST="10.255.255.255"
fi
export INT_IP=`ifconfig $INT_IFC | grep "inet addr" | tail -n 1 | egrep -o -m 1 [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ | head -n 1`
export INT_BROADCAST=`ifconfig $INT_IFC | grep "inet addr" | tail -n 1 | egrep -o -m 1 [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ | head -n 2 | tail -n 1`

Each of these lines (excepting the conditions in the middle) execute "ifconfig" and use the output to ascertain information about the network. The values $EXT_IFC and $INT_IFC are used to designate the names of the interfaces. For example, in my case, I have:

Code:

export EXT_IFC=`ifconfig | grep ppp | egrep -o ppp.`
export INT_IFC=eth1

INT_IFC is simply the interface I'm using as my internal interface. EXT_IFC is the first ppp interface, since a weird problem with my ADSL script was causing the ADSL connection to occasionally show up as either ppp0 or ppp1.

From the end of the code posted above, just use $EXT_IP and $INT_IP where you'd usually use your external and internal IP addresses. Every time you reconnect, just run (or have a script run) your firewall script and you're good to go.

BTW, you'll want to make sure you clean the firewall out each time (iptables -X and whatnot) or things will get ugly fast.

Hope this helps!

Cheers,

Zachary Palmer

Darvocet · 06-02-2005, 01:35 PM

Well I appreciate your response, it seems that could work. However, I have run basically this same script in the past, and I am pretty sure that I can just tell it to look to eth1 or something easy to change this. But I will give yours a shot, but if anyone knows the 'easier' way PLEASE let me know.

Thanks,

Darvocet