Re: Re: dynamically update iptables with module ?

  For a different approach, consider this cisco-ish set of steps:

Create an "Access" user:  tom-acl, for example.
Mod that user's login script to exec iptables commands.
  (use commands like 'who' to retrieve your source IP, to aid in setting up dynamic rules)

use AT to close the ports after a given time:
at now + 1 minute -f /etc/scripts/prod/close_ports.sh
  (the above 'AT' would be ok for SSH, but not http, as once ssh establishes, closing the port doesn't kill SSH, but http for instance constantly sends syn packets while browsing.)

   You can use this approach to mod .allow and .deny files or daemon user files, or anything else you can think of.  Much more flexible if you're looking to grant access based on user authentication.  Have the script auto-logoff the acl user so a regular user is forced to connect...just a little more paranoia thrown in for good measure.


> 
> From: Stephen Frost <sfrost@xxxxxxxxxxx>
> Date: 2003/05/14 Wed AM 08:37:30 EDT
> To: Calvin <calvinproject@xxxxxxxxxxx>
> CC: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: dynamically update iptables with module ?
> 
> * Calvin (calvinproject@xxxxxxxxxxx) wrote:
> > I am a newbie in netfilter, just a question in my mind, would it be possible to dynamically change the 
> > iptables from a module? For example, if i see a particular message from a pc, then I update the iptable to allow outgoing communication from that pc.  Or there is some other way to achieve 
> > 
> > Is it possible to do it?
> 
> You should be able to do this with iptables and the ipt_recent module,
> assuming the 'message' can be matched using other iptables modules/rules.
> 
> > Or... is it possible that the iptables can be updated by a C++/C program by executing a shell script to update the iptables?
> 
> That can probably be done too...
> 
> 	Stephen
> 
> 


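The access-user login script described in the reply above, as an added example (not code from the thread or from netfilter): it takes the source address from 'who -m', validates it, inserts the allow rule and hands the matching delete to at(1). ACL_PORT, ACL_TTL_MIN, DRY_RUN and ACL_LOGIN are assumed names; instead of the fixed close_ports.sh named in the post, each grant pipes its own delete rule into at so only that grant is removed.

```shell
#!/bin/sh
# Login "shell" for an access-only user such as tom-acl (added example, not code
# from the thread). Placeholders: ACL_PORT is the service to open, ACL_TTL_MIN how
# long the grant lasts. Set DRY_RUN=1 to print the commands instead of running them.
ACL_PORT="${ACL_PORT:-22}"
ACL_TTL_MIN="${ACL_TTL_MIN:-1}"

run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Pull the remote address out of a 'who -m' line such as
#   tom-acl  pts/3  2003-05-14 08:37 (192.0.2.10)
who_source_ip() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9][0-9.]*\)).*/\1/p'
}

# Accept only a dotted quad with octets 0-255: 'who' may show a hostname or
# nothing at all, and nothing unvalidated should be spliced into an iptables rule.
valid_ipv4() (
    IFS=.; set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1;; esac
        [ "$octet" -le 255 ] || return 1
    done
)

# One definition of the match so the insert and the delete are identical.
rule_match() { printf -- '-s %s -p tcp --dport %s -j ACCEPT' "$1" "$ACL_PORT"; }

# Insert the allow rule at the top of INPUT and hand the matching delete to at(1),
# so each grant removes only its own rule. An existing ESTABLISHED accept rule is
# assumed, which is why an SSH session survives the close but new HTTP SYNs do not.
open_port_for() {
    run iptables -I INPUT $(rule_match "$1")
    printf '%s\n' "iptables -D INPUT $(rule_match "$1")" | run at now + "$ACL_TTL_MIN" minutes
}
main() {
    ip=$(who_source_ip "$(who -m 2>/dev/null)")
    if ! valid_ipv4 "$ip"; then
        echo "no valid source address for this login; nothing opened" >&2
        exit 1
    fi
    open_port_for "$ip"
    echo "port $ACL_PORT open for $ip for $ACL_TTL_MIN minute(s); now reconnect as a regular user"
    exit 0   # drop the acl user straight away, as the post suggests
}

# Act only when installed as the acl user's login shell; otherwise just define the functions.
if [ "${ACL_LOGIN:-0}" = "1" ]; then main; fi
```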