LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices



Reply
 
Search this Thread
Old 06-01-2005, 11:06 PM   #1
Darvocet
Member
 
Registered: Feb 2003
Location: United States
Distribution: RHEL, Slackware, Gentoo, Fedora, CentOS, Ubuntu, Debian
Posts: 66

Rep: Reputation: 15
Question iptables firewall question...


I run an iptables script to firewall/NAT my linux box which acts as a router for my local network. The iptables script works perfectly as far as I can tell and correctly forwards ports. The only problem I have with it is that my external IP address is written in some of the port forwarding lines. This isnt really the best setup for me with a slighty dynamic IP. What could I change the following lines to so that I dont need to update anything when my IP changes? Here is some basic information about my setup.

ETH0 - Local Net - 192.168.1.0/24
ETH1 - WAN

Code:
$iptables -A FORWARD -i eth1 -p tcp --dport 59 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth1 -p tcp -d xx.219.201.xx --dport 59 -j DNAT --to-destination 192.168.1.4:59

$iptables -A FORWARD -i eth1 -p tcp --dport 113 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth1 -p tcp -d xx.219.201.xx --dport 113 -j DNAT --to-destination 192.168.1.4:113
What could I change these lines to so that my IP address doesnt have to be updated each time there is a change?

Thanks in advance for your assistance.

Darvocet
darvocet@dndns.net

Last edited by Darvocet; 06-02-2005 at 12:38 AM.
 
Old 06-02-2005, 02:42 AM   #2
tvynr
Member
 
Registered: Apr 2004
Distribution: Debian
Posts: 143

Rep: Reputation: 15
Smile Glad You Posted

I'm glad you asked... I can finally contribute something other than questions to this forum! I use the following lines in my firewall script:

Code:
export EXT_IP=`ifconfig $EXT_IFC | grep "inet addr" | egrep -o -m 1 [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ | head -n 1`
export EXT_BROADCAST=`ifconfig $EXT_IFC | grep "inet addr" | egrep -o -m 1 [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ | head -n 2 | tail -n 1`
if [ -z "$EXT_IP" ]; then
    export EXT_IP="10.0.0.0"
fi
if [ -z "$EXT_BROADCAST" ]; then
    export EXT_BROADCAST="10.255.255.255"
fi
export INT_IP=`ifconfig $INT_IFC | grep "inet addr" | tail -n 1 | egrep -o -m 1 [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ | head -n 1`
export INT_BROADCAST=`ifconfig $INT_IFC | grep "inet addr" | tail -n 1 | egrep -o -m 1 [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ | head -n 2 | tail -n 1`
Each of these lines (excepting the conditions in the middle) execute "ifconfig" and use the output to ascertain information about the network. The values $EXT_IFC and $INT_IFC are used to designate the names of the interfaces. For example, in my case, I have:

Code:
export EXT_IFC=`ifconfig | grep ppp | egrep -o ppp.`
export INT_IFC=eth1
INT_IFC is simply the interface I'm using as my internal interface. EXT_IFC is the first ppp interface, since a weird problem with my ADSL script was causing the ADSL connection to occasionally show up as either ppp0 or ppp1.

From the end of the code posted above, just use $EXT_IP and $INT_IP where you'd usually use your external and internal IP addresses. Every time you reconnect, just run (or have a script run) your firewall script and you're good to go.

BTW, you'll want to make sure you clean the firewall out each time (iptables -X and whatnot) or things will get ugly fast.

Hope this helps! Cheers,

Zachary Palmer
 
Old 06-02-2005, 02:35 PM   #3
Darvocet
Member
 
Registered: Feb 2003
Location: United States
Distribution: RHEL, Slackware, Gentoo, Fedora, CentOS, Ubuntu, Debian
Posts: 66

Original Poster
Rep: Reputation: 15
Well I appreciate your response, it seems that could work. However, I have run basically this same script in the past, and I am pretty sure that I can just tell it to look to eth1 or something easy to change this. But I will give yours a shot, but if anyone knows the 'easier' way PLEASE let me know.

Thanks,

Darvocet
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables syntax quick question abcampa Linux - Security 1 05-03-2005 09:03 AM
Quick iptables IP address ban? Davus Linux - Networking 2 11-18-2004 09:53 PM
quick iptables question peok Linux - Networking 6 11-11-2003 03:34 PM
Quick iptables question... FlyingMoose Linux - Networking 2 08-02-2003 12:35 AM
Quick Iptables question moger Linux - General 1 01-01-2003 03:23 PM


All times are GMT -5. The time now is 01:45 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration