LinuxQuestions.org
Old 08-19-2005, 09:43 PM   #1
HGeneAnthony
Member
 
Registered: Mar 2003
Posts: 178

Rep: Reputation: 30
Is it possible to use a DNS name instead of an IP in xinetd?


I'm interested in blocking a service from running outside of the LAN except to myself. Since my ISP uses a dynamic IP I use no-ip to give myself a static name I can use to SSH into my system. For those unaware, no-ip.com offers a client service that runs on your system and updates their DNS servers anytime your IP changes. You can register for a surname.no-ip.com or from a selection of others as a way to run a website off a dynamic IP system. This also works with VNC, SSH, etc. I was thinking if I can put surname.no-ip.com as an allowed IP in my server's xinetd directory for SSH, VNC, etc. only my home PC can get to SSH from outside the network no matter what my IP address changes to. Would this work? How can I write this? I was thinking I can put in a cron job on the server to get the IP of surname.no-ip.com on a set interval (say 15 minutes) and parse it to a string or environment variable so that in the file I could write $adminip and it would check against its system.
 
Old 08-21-2005, 06:28 PM   #2
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 361
While I have never used xinetd, I imagine it works the same as every other Linux program I have ever used.

In which case, you just give it the hostname, and it will resolve that when it needs to.

As long as the machine can resolve the hostname to an IP through its DNS server, there shouldn't be a problem.
 
Old 08-22-2005, 08:35 AM   #3
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
I've never seen either a hostname OR an IP address in inetd setups. It is used to allow the SERVICE not the address. Your configuration file for the SERVICE itself should deal with the address.

Rather than a cron job you might want to set up an init script (/etc/init.d) to do the setup you're looking for right after DHCP has started. As far as that goes it may be you can edit /etc/dhclient.conf (assuming you're using dhclient) to do what you want.
 
Old 08-22-2005, 06:21 PM   #4
HGeneAnthony
Member
 
Registered: Mar 2003
Posts: 178

Original Poster
Rep: Reputation: 30
Reply

Thanks for your help. What I ended up doing was using the hosts.allow and hosts.deny files. For some reason you can't just use the noip domain with a DNS lookup like others. Luckily, I found someone who wrote out a solution when looking through Google. What he did was create a file that did an nslookup for the no-ip DNS files and parsed the IP. The file would then recreate the hosts.allow file with the IP of the last known IP at that noip address. The script would execute whenever something tried to connect to the machine not in the allow list. So the first time it would drop the connection but the next time you'd be able to get in. The allow list also allowed for anyone on the LAN and local machine to connect. So I can run any service without a firewall (still do though) and the only people who could get to it are me and anyone in the subnet. Here's the script for hostupdate and the hosts.deny file if anyone wants it.

[/etc/hostupdate]
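# Rebuild /etc/hosts.allow with the current IP of the dynamic DNS name.
DNSA="fakename.noip.com"
# Resolve the name; the "Address:" line after the matching "Name:" line is the answer.
NSIPA=$(nslookup "$DNSA" | grep -A 1 "$DNSA" | awk '/Address:/ { print $2 }')
# Start the file with a timestamp header (printf, since "echo -n" is not portable in sh).
printf '# hosts.allow file, updated %s\n' "$(date)" > /etc/hosts.allow
# Always allow the local machine and the LAN.
echo "ALL: 127.0.0.1" >> /etc/hosts.allow
echo "ALL: localhost" >> /etc/hosts.allow
echo "ALL: 192.168.0." >> /etc/hosts.allow
# Allow the resolved address; skip the line if the lookup returned nothing.
[ -n "$NSIPA" ] && echo "ALL: $NSIPA" >> /etc/hosts.allow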
[end file]

[/etc/hosts.deny]
ALL:ALL: spawn (/bin/sh < /etc/hostupdate) &
[end file]

I'm not too fond of having it recreate the file each time. I do something like this on my server at work so I can get in from home, and if someone kept pinging it who wasn't in the list, it would constantly be recreating the file and potentially locking out people on the subnet. At least this is a theory. What I'm thinking about doing is setting up a DNS on the machine and having it update the servers every 15 minutes. I know you can use DNS names through the hosts.allow and hosts.deny files; it just can't with no-ip because TCP wrappers won't recognize them. This way I can just have it look on the local machine and I just check the local DNS and I won't have to worry about any issues. What do you think?
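An added example, not part of the original posts: one way to address the concern above about hosts.allow being rebuilt on every denied connection is to validate the resolved address, write the new file to a temporary name, and rename it into place only when the content has changed. The names DNS_NAME, LAN_PREFIX, valid_ipv4, render_hosts_allow and update_hosts_allow are assumptions for illustration, and the timestamp header is dropped so that an unchanged address produces an identical file.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild hosts.allow only when the
# resolved address changes, and swap it in atomically.
# DNS_NAME, LAN_PREFIX and the function names are hypothetical.
DNS_NAME="fakename.noip.com"
LAN_PREFIX="192.168.0."

# Accept only a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; globbing is impossible after the case check
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the complete hosts.allow body for one permitted remote address.
render_hosts_allow() {
    printf 'ALL: 127.0.0.1\nALL: localhost\nALL: %s\nALL: %s\n' "$LAN_PREFIX" "$1"
}

# update_hosts_allow FILE IP: returns 0 if rewritten, 1 if unchanged, 2 if rejected.
update_hosts_allow() {
    valid_ipv4 "$2" || return 2          # failed or odd lookup: keep the old file
    tmp=$(mktemp "$1.XXXXXX") || return 2
    render_hosts_allow "$2" > "$tmp"
    if [ -f "$1" ] && cmp -s "$tmp" "$1"; then
        rm -f "$tmp"; return 1           # same content: leave the live file alone
    fi
    chmod 644 "$tmp" && mv -f "$tmp" "$1"   # rename is atomic within one filesystem
}

# Resolve with the thread's nslookup pipeline and update when given a target file:
#   sh hostupdate-safe.sh /etc/hosts.allow
if [ "$#" -ge 1 ]; then
    ip=$(nslookup "$DNS_NAME" | grep -A 1 "$DNS_NAME" | awk '/Address:/ { print $2 }')
    update_hosts_allow "$1" "$ip"
fi
```

Because a failed or malformed lookup is rejected before anything is written, the LAN entries in the live file survive a DNS outage, and readers of hosts.allow never see a half-written file.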
 
  

