Old 06-01-2005, 10:06 PM   #1
Registered: Feb 2003
Location: United States
Distribution: RHEL, Slackware, Gentoo, Fedora, CentOS, Ubuntu, Debian
Posts: 66

Rep: Reputation: 15
iptables firewall question...

I run an iptables script to firewall/NAT my Linux box which acts as a router for my local network. The iptables script works perfectly as far as I can tell and correctly forwards ports. The only problem I have with it is that my external IP address is written in some of the port forwarding lines. This isn't really the best setup for me with a slightly dynamic IP. What could I change the following lines to so that I don't need to update anything when my IP changes? Here is some basic information about my setup.

ETH0 - Local Net -

$iptables -A FORWARD -i eth1 -p tcp --dport 59 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth1 -p tcp -d xx.219.201.xx --dport 59 -j DNAT --to-destination

$iptables -A FORWARD -i eth1 -p tcp --dport 113 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth1 -p tcp -d xx.219.201.xx --dport 113 -j DNAT --to-destination
What could I change these lines to so that my IP address doesn't have to be updated each time there is a change?

Thanks in advance for your assistance.


Last edited by Darvocet; 06-01-2005 at 11:38 PM.
Old 06-02-2005, 01:42 AM   #2
Registered: Apr 2004
Distribution: Debian
Posts: 143

Rep: Reputation: 15
Glad You Posted

I'm glad you asked... I can finally contribute something other than questions to this forum! I use the following lines in my firewall script:

# The "inet addr:" line of ifconfig carries three addresses: address, broadcast, mask.
# The first match is the interface address, the second the broadcast address.
# The pattern is quoted so the shell does not try to expand it as a filename glob.
export EXT_IP=`ifconfig $EXT_IFC | grep "inet addr" | egrep -o -m 1 '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1`
export EXT_BROADCAST=`ifconfig $EXT_IFC | grep "inet addr" | egrep -o -m 1 '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 2 | tail -n 1`
if [ -z "$EXT_IP" ]; then
    export EXT_IP=""
fi
if [ -z "$EXT_BROADCAST" ]; then
    export EXT_BROADCAST=""
fi
# Internal interface: take the last "inet addr" line in case the interface has aliases.
export INT_IP=`ifconfig $INT_IFC | grep "inet addr" | tail -n 1 | egrep -o -m 1 '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1`
export INT_BROADCAST=`ifconfig $INT_IFC | grep "inet addr" | tail -n 1 | egrep -o -m 1 '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 2 | tail -n 1`
Each of these lines (excepting the conditions in the middle) executes "ifconfig" and uses the output to ascertain information about the network. The values $EXT_IFC and $INT_IFC are used to designate the names of the interfaces. For example, in my case, I have:

# First ppp interface listed by ifconfig (pattern quoted so the shell leaves it alone).
export EXT_IFC=`ifconfig | grep ppp | egrep -o 'ppp.'`
export INT_IFC=eth1
INT_IFC is simply the interface I'm using as my internal interface. EXT_IFC is the first ppp interface, since a weird problem with my ADSL script was causing the ADSL connection to occasionally show up as either ppp0 or ppp1.

From the end of the code posted above, just use $EXT_IP and $INT_IP where you'd usually use your external and internal IP addresses. Every time you reconnect, just run (or have a script run) your firewall script and you're good to go.

BTW, you'll want to make sure you clean the firewall out each time (iptables -X and whatnot) or things will get ugly fast.

Hope this helps! Cheers,

Zachary Palmer
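As an added example (not code from either poster), here is a small POSIX sh fragment applying the approach in the reply above: read the address off the interface when the script runs, refuse to build a DNAT rule when no address was found, and flush the old rules before loading the new ones. The interface names, the internal host 192.168.0.10, the address 203.0.113.7 and the ifconfig output are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the thread: derive the external address at run
# time and substitute it into the DNAT rules instead of hard-coding it.
: "${IPTABLES:=iptables}"   # set IPTABLES=echo to dry-run the rules

# Print the first IPv4 address in ifconfig output read from stdin. Accepts the
# old "inet addr:1.2.3.4" layout (as in the thread) and the newer "inet 1.2.3.4".
ip_from_ifconfig() {
    sed -n -E 's/^[[:space:]]*inet (addr:)?([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\2/p' | head -n 1
}

# Address of a live interface; falls back to ip(8) where ifconfig is absent.
addr_of() {
    if command -v ifconfig >/dev/null 2>&1; then
        ifconfig "$1" | ip_from_ifconfig
    else
        ip -4 -o addr show dev "$1" | sed -n -E 's/.* inet ([0-9.]+)\/.*/\1/p' | head -n 1
    fi
}

# Flush first (the "clean the firewall out" point from the reply); otherwise
# every re-run after a reconnect appends a second copy of each rule.
reset_firewall() {
    $IPTABLES -F && $IPTABLES -t nat -F && $IPTABLES -X
}

# Emit the FORWARD + DNAT pair for one TCP port. Fails loudly on an empty
# address rather than loading a half-formed rule. The FORWARD rule matches the
# post-DNAT destination, so only traffic to the forwarded host is accepted.
forward_port() {  # forward_port <ext_if> <ext_ip> <port> <internal_host>
    _if=$1 _ip=$2 _port=$3 _dst=$4
    [ -n "$_ip" ] || { echo "forward_port: no address on $_if" >&2; return 1; }
    $IPTABLES -A FORWARD -i "$_if" -p tcp -d "$_dst" --dport "$_port" -j ACCEPT &&
    $IPTABLES -t nat -A PREROUTING -i "$_if" -p tcp -d "$_ip" --dport "$_port" \
        -j DNAT --to-destination "$_dst"
}

# Constructed ifconfig output standing in for the real external interface.
SAMPLE_IFCONFIG='eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:203.0.113.7  Bcast:203.0.113.255  Mask:255.255.255.0'

# Dry run against the sample: prints the rules that would be loaded.
demo() {
    IPTABLES=echo
    EXT_IP=$(printf '%s\n' "$SAMPLE_IFCONFIG" | ip_from_ifconfig)
    reset_firewall
    forward_port eth1 "$EXT_IP" 59  192.168.0.10
    forward_port eth1 "$EXT_IP" 113 192.168.0.10
}
```

On a real router replace the sample with `EXT_IP=$(addr_of eth1)` and leave IPTABLES unset so the rules are loaded rather than printed.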
Old 06-02-2005, 01:35 PM   #3
Registered: Feb 2003
Location: United States
Distribution: RHEL, Slackware, Gentoo, Fedora, CentOS, Ubuntu, Debian
Posts: 66

Original Poster
Rep: Reputation: 15
Well, I appreciate your response; it seems that could work. However, I have run basically this same script in the past, and I am pretty sure that I can just tell it to look to eth1 or something easy to change this. But I will give yours a shot, but if anyone knows the 'easier' way PLEASE let me know.



