LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
08-31-2002, 07:18 AM   #1
markus1982, Senior Member (registered Aug 2002; Stuttgart, Germany; Debian/GNU Linux)

iptables and dynamic IP addresses (use of a dyndns service)


I'd like to do some form of allowing just a couple of hosts to connect to the SSH port, etc., for instance. The ones connecting are dialup users with a dynamic IP address.

When you set up iptables like

iptables -A INPUT -s example.host.com/32 ...

it will look up that IP address and "hard code" it into the file. Is it possible to refresh the IP address when a connection to that port arrives (using a dyndns service, for instance)?
 
08-31-2002, 12:09 PM   #2
neo77777, LQ Addict (registered Dec 2001; Brooklyn, NY; *NIX)
I am putting this one line in hints and tricks in general as well, 'cause I see there is quite a demand for it
Code:
EXTIF=eth0
# assumes the classic net-tools ifconfig output ("inet addr:1.2.3.4"); take that field and strip "addr:"
IP=`/sbin/ifconfig $EXTIF | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`
where EXTIF represents the external interface on which you obtain your dynamic IP, so it might differ, e.g. for ADSL connections using PPPoE it is ppp0, etc.
 
08-31-2002, 12:15 PM   #3
markus1982, Senior Member, Original Poster
Well, that wasn't really my question; maybe it was not well described. Again:

There is a server with a very strict set of iptables rules on it. I'd like to open up a possibility to do some SSH connections, for instance for people who do not have physical access to the server, like if they are working at another location. Those people who should be able to get on the server are on dialup accounts though, so they have a dynamic IP address!

Is there some kind of workaround, like with a dyndns service, so that they get assigned a hostname like example.dyndns.org and then netfilter checks that on connection? As far as setting up iptables with iptables -A INPUT -s example.dyndns.org/32 ... goes, the IP address will be looked up and saved; later, like when the IP address changes (like when they re-dial their ISP), they won't be able to connect!

Any solutions?
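The periodic re-resolve workaround this question is asking for, as an added example that is not part of the thread: a script run from cron that resolves the DynDNS name, validates the answer before it touches netfilter, and rewrites a single rule in a dedicated chain. Assumed names: chain SSH_DYN, host example.dyndns.org, state file /var/run/sshdyn.ip; the `iptables -C` rule check postdates the thread's iptables versions.

```shell
#!/bin/sh
# Added example (not from the thread): refresh an iptables SSH allow rule from a
# DynDNS name; run from cron. Assumed: chain SSH_DYN, example.dyndns.org, /var/run/sshdyn.ip.
set -u
DYN_HOST="${DYN_HOST:-example.dyndns.org}"
CHAIN="SSH_DYN"
STATE="${STATE:-/var/run/sshdyn.ip}"
# Accept only a dotted-quad IPv4 literal: a DNS answer is attacker-influenced text
# and must never be spliced into an iptables command unchecked.
is_ipv4() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] 2>/dev/null || return 1; done
    return 0
}

# First IPv4 A record for the name (glibc getent); empty if it does not resolve.
resolve_ipv4() { getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'; }

# Compare the last applied address with the fresh answer: "invalid", "unchanged" or "update".
decide() {   # $1 = previously applied IP (may be empty), $2 = freshly resolved IP
    is_ipv4 "$2" || { echo invalid; return 0; }
    [ "$1" = "$2" ] && echo unchanged || echo update
}

# Rewrite the dedicated chain so it holds exactly one ACCEPT for the new address.
# INPUT jumps to it once for tcp/22; unmatched packets fall back to the strict INPUT
# policy, so a stale or unresolvable address simply means "no SSH from outside".
apply_rule() {   # $1 = validated IPv4 address
    iptables -N "$CHAIN" 2>/dev/null || true
    iptables -C INPUT -p tcp --dport 22 -j "$CHAIN" 2>/dev/null ||
        iptables -I INPUT -p tcp --dport 22 -j "$CHAIN"
    iptables -F "$CHAIN"
    iptables -A "$CHAIN" -s "$1/32" -j ACCEPT
}

main() {
    new=$(resolve_ipv4 "$DYN_HOST")
    old=$(cat "$STATE" 2>/dev/null || true)
    case "$(decide "$old" "$new")" in
        invalid)   echo "refusing to apply '$new' for $DYN_HOST" >&2; exit 1 ;;
        unchanged) exit 0 ;;
        update)    apply_rule "$new" && printf '%s\n' "$new" > "$STATE" ;;
    esac
}

# Act only when run as a script, so the functions can be sourced and tested.
case "$0" in */sshdyn.sh|sshdyn.sh) main ;; esac
```

The DNS record's TTL bounds how quickly a re-dialled client's new address takes effect, so the cron interval only needs to be about as short as that TTL. Until the next refresh the stale address is still accepted and the new one is not, which is the same trade-off the 30-minute propagation remark below describes.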
 
08-31-2002, 01:53 PM   #4
neo77777, LQ Addict
Oh, I am sorry I misread it, you need a source IP, hmmm...
 
09-01-2002, 07:59 PM   #5
unSpawn, Moderator (registered May 2001)

I think dyndns takes about 30 mins to propagate changes, so that may be too long to be workable if you're doing production of sorts. I can imagine two roads to walk: one is opening up the closest range you can track 'em clients on, the other is having some sort of notification from them to you.

Anyway, a dropper/notification app seems more creative to me... Could be anything ranging from updating their IP automagically by being able to login over SSL first, shooting off a packet at a predefined port to trigger a Snort rule/Portsentry cmd to simply mailing their IP (GPG signed?) when they get online. Filtering restrictions can be easier if you know for instance there's only one slot per range, so after login you can block the rest of the range *and* drop the range in hosts.deny. Also look into setting up sshd to have an Allow for names and/or groups.

Just my thoughts.
 
09-04-2002, 10:34 AM   #6
peter_robb, Senior Member (registered Feb 2002; Szczecin, Poland; Gentoo, Debian)
I have my sshd listening on a non-standard port, one which has never been scanned, and will only accept connections from hosts which I have given my RSA key to, which changes periodically.
Works great for dynamic ssh clients.

Every connection is logged & so far no-one who shouldn't be there has visited.

Regards,
Peter
 
09-02-2004, 09:27 AM   #7
adjman, LQ Newbie (registered Sep 2004; Duncton, UK; Lubuntu)
Quote:
Originally posted by neo77777
I am putting this one line in hints and tricks in general as well, 'cause I see there is quite a demand for it
Code:
EXTIF=eth0
# assumes the classic net-tools ifconfig output ("inet addr:1.2.3.4"); take that field and strip "addr:"
IP=`/sbin/ifconfig $EXTIF | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`
where EXTIF represents the external interface on which you obtain your dynamic IP, so it might differ, e.g. for ADSL connections using PPPoE it is ppp0, etc.
Excellent stuff - exactly what I needed. I had been mucking about with grep trying to get this working and kept getting stuck.

Cheers

Adjman
 