LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-20-2006, 02:19 PM   #1
sarajevo
Member
 
Registered: Apr 2005
Distribution: Debian, OpenBSD,Fedora,RedHat
Posts: 228
Blog Entries: 1

How to set a new IP address in a firewall script


Hi all,
I have a DNS client installed on my Debian box: ez-ipupdate.
I made a firewall for my home network and put it in /etc/init.d/firewall.sh.
Using update-rc.d firewall.sh defaults I made it start during startup.
But the firewall.sh script starts before ez-ipupdate and uses the old IP address from before I rebooted the machine, so I can use ssh sarajevo@my_server because in the firewall script I have the rule
ACCEPT tcp -- 0.0.0.0/0 12.65.72.25 tcp dpt:15222
and 12.65.72.25 is the old address and not the one I find after rebooting using ifconfig...

How do I push the new IP address I got from my ISP into the firewall script?
Thanks in advance
 
Old 11-20-2006, 03:20 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by sarajevo
if that rule you posted is part of your INPUT chain, and your box only has one external IP at a time, then I'd say just eliminate the IP from the rule... in other words, the rule would look like:
Code:
iptables -A INPUT -p TCP -i $WAN_IFACE --dport 15222 -j ACCEPT
the reasoning for this is that you don't need to specify your IP in your iptables script when you only have one external IP... also, it's good to have your firewall in place BEFORE your network cards are brought online, so that you don't provide the net's bad elements a window of opportunity...

having said that, if for whatever reason you still want to have your firewall script get the IP and run after the NIC has been configured, you'd just need to do a little scripting... I put this together for you (granted, it's not very elegant, but it works):
Code:
# print the IPv4 address of eth0: the line after the "eth0" header is the "inet" line;
# strip the "addr:" prefix the net-tools ifconfig prints (newer ifconfig prints "inet x.x.x.x")
ifconfig | grep -A 1 eth0 | tail -n 1 | \
awk '{sub(/^addr:/, "", $2); print $2}'
replace "eth0" with whatever interface name yours has... as you can see, this will provide you with the IP of the NIC... to use it in your script, do something like:
Code:
WAN_IFACE="eth0"

# address currently configured on the WAN interface (handles both the
# "inet addr:x.x.x.x" and the newer "inet x.x.x.x" ifconfig output)
GETIP=$(ifconfig | grep -A 1 "$WAN_IFACE" | tail -n 1 | \
awk '{sub(/^addr:/, "", $2); print $2}')

iptables -A INPUT -p TCP -i "$WAN_IFACE" -d "$GETIP" --dport 15222 -j ACCEPT
but like I said: if you only have one external IP, then using a destination IP in an INPUT rule is kinda pointless, and your best bet would be to just eliminate the IP from the rule in your current script and leave everything else alone...

Last edited by win32sux; 11-20-2006 at 03:49 PM.
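The approach in the reply above, worked through as an added example that is not code from the thread or from either poster: a small init-style firewall script whose SSH rule matches on the WAN interface instead of a hard-coded address, so a changed dynamic IP cannot lock you out and the script can safely run before the NIC has an address. It goes a little beyond the reply: the address-extraction helper understands both the old net-tools ifconfig output ("inet addr:x.x.x.x") and the newer form ("inet x.x.x.x"), and it reports "no address yet" with a non-zero exit status instead of silently producing an empty string that would end up in a rule. The interface name eth0, port 15222, the DRY_RUN switch and the two sample ifconfig outputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. A firewall script that follows the
# reply's advice: match SSH on the WAN interface, not on a dynamic address.
# Interface name, port and the sample ifconfig output below are assumptions.

WAN_IFACE="${WAN_IFACE:-eth0}"
SSH_PORT="${SSH_PORT:-15222}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the iptables commands, 0 = run them (as root)

# Run or print one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Print the first IPv4 address of interface $1, reading ifconfig output on
# stdin. Prints nothing and exits 1 when the interface has no address yet
# (e.g. the script ran before DHCP finished), so callers can tell the cases apart.
extract_ipv4() {
    awk -v iface="$1" '
        $1 == iface || $1 == (iface ":") { in_if = 1; next }  # section header
        /^[^ \t]/                        { in_if = 0 }        # another header
        in_if && $1 == "inet" {
            ip = $2
            sub(/^addr:/, "", ip)   # old net-tools format: "inet addr:x.x.x.x"
            print ip
            found = 1
            exit
        }
        END { if (found) exit 0; exit 1 }
    '
}

# Live lookup on the running system (ifconfig is the tool the thread uses).
get_wan_ip() {
    ifconfig "$1" 2>/dev/null | extract_ipv4 "$1"
}

# Install the ruleset. If $1 is given it is used as a destination address,
# which is only worth doing on a multi-address host; otherwise the SSH rule
# matches on the interface alone, as the reply recommends for one external IP.
apply_rules() {
    wan_ip="${1:-}"
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    if [ -n "$wan_ip" ]; then
        ipt -A INPUT -p tcp -i "$WAN_IFACE" -d "$wan_ip" --dport "$SSH_PORT" -j ACCEPT
    else
        ipt -A INPUT -p tcp -i "$WAN_IFACE" --dport "$SSH_PORT" -j ACCEPT
    fi
}

# Constructed sample of old-style (net-tools) ifconfig output.
SAMPLE_OLD='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:203.0.113.7  Bcast:203.0.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0'

# Constructed sample of newer ifconfig output for the same host.
SAMPLE_NEW='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 203.0.113.7  netmask 255.255.255.0  broadcast 203.0.113.255
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0'

case "${1:-}" in
    start)    apply_rules ;;                                 # interface-only rules
    start-ip) apply_rules "$(get_wan_ip "$WAN_IFACE")" ;;    # with the live address
    demo)     printf '%s\n' "$SAMPLE_OLD" | extract_ipv4 eth0 ;;
esac
```

Run it as `sh firewall.sh start` to see the commands it would issue, and set DRY_RUN=0 in the init script for the real thing. Because no rule depends on the address, the "start" form works identically whether the NIC is up or not, which is what lets the firewall come up before networking does.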
 
Old 11-21-2006, 02:49 AM   #3
sarajevo
Member
 
Registered: Apr 2005
Distribution: Debian, OpenBSD,Fedora,RedHat
Posts: 228

Original Poster
Blog Entries: 1

Thank you, I will try this when I come home later.

And of course I will post output here.

Best wishes

Sarajevo
 
Old 11-21-2006, 02:19 PM   #4
sarajevo
Member
 
Registered: Apr 2005
Distribution: Debian, OpenBSD,Fedora,RedHat
Posts: 228

Original Poster
Blog Entries: 1

I did as you suggested and it works perfectly.

thanks
 
Old 07-22-2007, 10:11 PM   #5
fhleung
Member
 
Registered: Aug 2004
Distribution: Lubuntu Live OS
Posts: 432

Startup script access rights

I put an iptables script in /etc/init.d in Ubuntu and updated the runlevel with
update-rc.d filename defaults
The script has the system command iptables inside.

How can I start the script when non-root users log in? Things cannot proceed after the user name and password are entered.

Edit the /etc/rc.local script and add the path of the script file /etc/init.d/name

Last edited by fhleung; 07-23-2007 at 05:36 AM.
 