iptables dynamic source ip

[pokey909]

Hi!

Basic problem: I'm trying to open a port of box A just for one other box B which has a dynamic IP but can be identified via dyndns,

I was trying to specify a rule with a source coming from a dynamic dns (like bla.dyndns.org). When I type iptables -L this name is substituted with the dynamic dns of my provider and it remains there! So if my box (the one with the dynamic dns) does down and up again, the bla.dyndns.org show the correct ip. But since iptables stored the dns from the provider it doesnt resolve to my box anymore.

Any solution how to fix that?

[Randseed]

I have similar problems with my network setup. Probably the best way to deal with it is to have one box ping the dynamic box on some kind of specialty protocol. For example, just write a daemon that you can connect to through stunnel that just returns its IP address. If one box can't connect to the dynamic box, then a script resets the firewall rules.

A simpler option is to run a script on the first machine that periodically compares the dynamic address resolution to the stored IP. If it is different, it kills the old rules and inserts new ones reflecting the new address.

Unfortunately, the Internet was never really designed for dynamic IP addresses in the first place, so in general they're just a royal pain in the ass.

[pokey909]

poor iptables

maybe now its the time to think about a vpn...

[Randseed]

[thebigslide]

You need to make a cron job that digs the hostname to get the IP. Then use sed to run an iptables command that updates that rule (they are numbered and you can just update that one.

What is the iptables rule you're doing right now and it's rule number and the hostname and I'll write the script for you. Just remember the script may need updating (to update the rule number) if you update your firewall at any time.

[teknomage1]

you can also set your system to email you the ip address every time it reboots.
Here's a perl script:

[CriminalMastermind]

you could use the tcpd wraper to restrict access to this service, wrather then using iptables. it's in sys-apps/tcp-wrappers. the app you are using would have to be tcpd enabled. there is a USE flag for this, so you may need to re-compiling the app.

there is no iptable match function that resolves dns name at the time of access. at least not to my knowledge. the name is resolved by the iptables command and the ip address is put into the table, not the dns name.

as thebigslide suggested, a cron job would also work, but if you had bad luck, you may still get locked out of your box while you wait for your cron job to run. i'd be very careful with any automated script that modified my firewall. it could be quite bad if it deleted the wrong rule by accident. you may want to check out this

last but not least, you could use port knocking to only accept connections to the service from those that know the right "knock". i've never used this, but i'm sure there is plenty of info and scripts to do it.

hope that helped
_________________
"I can picture a perfect world that knows of no war... and I can picture me attacking that world, because they'd never expect it."

[urcindalo]