iptables and dynamic DNS

18 Feb 2011 by David (admin)
I recently dug up an old note about using iptables together with dyndns to open up access from a remote location: for instance, a laptop that you take everywhere and from which you want to reach your home or office machine. The script the other site suggested was broken, so let's write a new one.

Step 1: Create a new chain in the firewall

Create a new chain in the firewall where we can plug in the dynamic rules. On my Fedora machine, the firewall is located in /etc/sysconfig/iptables. The two lines I added to this example are the :DYNAMIC - [0:0] chain definition and the -A INPUT -j DYNAMIC jump at the top of INPUT. The chain line needs the trailing "- [0:0]" that iptables-save writes for a user-defined chain (the "-" means no built-in policy); without it iptables-restore rejects the file with "policy invalid". Traffic that no rule in DYNAMIC accepts simply returns to INPUT and is handled by the rules that follow the jump, so an empty DYNAMIC chain changes nothing.

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DYNAMIC - [0:0]
-A INPUT -j DYNAMIC
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Step 2: Write a script

#!/bin/bash

DYNHOST=myname.dyndns.org   # dynamic DNS name of the roaming laptop
CHECK_INTERVAL=60           # once a minute

/sbin/iptables -F DYNAMIC   # flush all existing rules in our chain
IP=""                       # initialize $IP
while true; do
    OIP=$IP
    # "host" prints "<name> has address <ipv4>"; take the first A record
    # (a CNAME chain or an IPv6 "has IPv6 address" line does not match)
    IP=$(host "$DYNHOST" | awk '/ has address /{print $4; exit}')
    if [ "$OIP" != "$IP" ] && [ -n "$IP" ]; then
         echo "Changing ip to $IP"
         /sbin/iptables -F DYNAMIC                     # flush the old rule
         /sbin/iptables -I DYNAMIC -s "$IP" -j ACCEPT  # the new rule
    fi
    sleep "$CHECK_INTERVAL"
done
In this case, the firewall accepts all traffic from $IP, but of course you could restrict it to one port, for example by adding -p tcp --dport 22 to the rule so that only SSH is opened. Note that when the lookup fails ($IP is empty) the old rule is deliberately left in place rather than flushed. Also, I focused on IPv4, but you could easily rewrite this script for IPv6 using ip6tables and the "has IPv6 address" line. Two caveats worth keeping in mind: the rule is only as trustworthy as the DNS answer, so anyone who can feed your resolver a forged record for the name, or who sits behind the same NAT address as your laptop, gets the same access (so still authenticate the service itself, e.g. SSH keys), and after an address change there is a window of up to CHECK_INTERVAL seconds plus the record's TTL during which the old address is still allowed and the new one is not. I saved the file to /usr/local/bin/dynfirewall.sh

Step 3: Run the script

I'd prefer running the script from inittab, but since Fedora doesn't work like this anymore, I put the following line in /etc/rc.d/rc.local:
/usr/local/bin/dynfirewall.sh >>/var/log/dynfirewall 2>&1 &
Please don't forget the ampersand at the end, which puts the script in the background; without it rc.local would block forever on the endless loop.
© GeekLabInfo
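The three steps above, pulled together as a hardened version of the updater. This is an added example and not the original post's script: it assumes the DYNAMIC chain from step 1 exists, uses the placeholder name myname.dyndns.org and TCP port 22, validates the resolved address strictly before it is ever handed to iptables, only opens the one port, keeps the last rule when a lookup fails, and has a DRY_RUN mode that prints the iptables commands so the logic can be checked without root.

```shell
#!/bin/bash
# Added example, not the original post's script. Assumes the DYNAMIC chain
# from step 1 exists; DYNHOST and ALLOW_PORT below are placeholders.

DYNHOST="${DYNHOST:-myname.dyndns.org}"   # dynamic DNS name of the roaming host
ALLOW_PORT="${ALLOW_PORT:-22}"            # open only this TCP port, not everything
CHECK_INTERVAL="${CHECK_INTERVAL:-60}"    # seconds between lookups
IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-0}"                   # 1: print iptables commands instead of running them

# extract_ipv4: read "host" output on stdin and print the first A record.
# "x is an alias for y." and "x has IPv6 address ..." lines are skipped.
extract_ipv4() {
    sed -n 's/^.* has address \([0-9.]*\)$/\1/p' | head -n 1
}

# is_ipv4: succeed only for a dotted quad whose four octets are all 0-255,
# so a garbled or hostile lookup result can never become part of a rule.
is_ipv4() {
    local ip="$1" octet oldifs
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# run_ipt: run an iptables command, or print it when DRY_RUN=1.
run_ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# apply_ip: make the DYNAMIC chain contain exactly one rule, for address $1.
apply_ip() {
    run_ipt -F DYNAMIC
    run_ipt -A DYNAMIC -s "$1" -p tcp --dport "$ALLOW_PORT" -j ACCEPT
}

# resolve: current IPv4 address of DYNHOST, or the empty string on failure.
resolve() {
    host "$DYNHOST" 2>/dev/null | extract_ipv4
}

# main_loop: poll DNS and touch the firewall only when a valid, different
# address comes back. A failed lookup keeps the last known rule in place.
main_loop() {
    local current="" new
    run_ipt -F DYNAMIC
    while true; do
        new=$(resolve)
        if is_ipv4 "$new"; then
            if [ "$new" != "$current" ]; then
                echo "$(date '+%F %T') $DYNHOST: '$current' -> $new"
                apply_ip "$new"
                current=$new
            fi
        else
            echo "$(date '+%F %T') $DYNHOST: lookup failed, keeping '$current'"
        fi
        sleep "$CHECK_INTERVAL"
    done
}

# Start polling only when invoked as "dynfirewall.sh run"; without the
# argument the script just defines its functions, which keeps it testable.
if [ "${1:-}" = run ]; then
    main_loop
fi
```

With this version the rc.local line becomes /usr/local/bin/dynfirewall.sh run >>/var/log/dynfirewall 2>&1 &, and DRY_RUN=1 ./dynfirewall.sh run shows what would be executed without changing the firewall. The strict is_ipv4 check is the important difference from the simple script: the address comes from an untrusted network answer and is spliced into a command line, so it is validated against the exact shape of a dotted quad rather than merely grepped for digits.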
