Hi, I've written a bash script which does that. I know that this configuration is not really secure. I did what Nick Drage said:

> look up IP address for hostname.dyndns.net
> write that IP address to a file
> start an infinite loop here
> wait for a period of time
> look up IP address for hostname.dyndns.net
> if the IP address matches that in the file, do nothing
> otherwise do the following:
> - write the new IP address to a file
> - run the firewall script again
> go back to the beginning of the infinite loop

Maybe somebody can look at the script and give me feedback. (I attached it)

Before the script starts, you have to add a rule like this (in your normal firewall script):

iptables -N $rulename
iptables -A INPUT --destination $ext_ip -i ppp0 -j $rulename

sebi

On Wed, Mar 09, 2005 at 10:35:43AM +0000, Nick Drage wrote:
> On Wed, Mar 09, 2005 at 10:07:22AM +0100, Jose Maria Lopez Hernandez wrote:
> > On Wed, 09-03-2005 at 07:25 +0100, Sebastian Docktor wrote:
> > 
> > > I want to allow a Dynamic DNS Client to Access the SSH-Server on my
> > > Firewall. But I don't want to open SSH for all IPs, Is it possible
> > > that iptables always looks up the ip address from the hostname, so
> > > that only the ip has access which is registered under the dyndns?
> > 
> > I don't understand your problem. If you know your IP you can block
> > based on that IP.
> 
> The OP's problem is that the DNS will stay the same, say
> hostname.dyndns.net, but that the IP address associated with that name
> will change. So as soon as the IP address changes, his rulebase is out
> of date.
> 
> > DNS, dynamic or not, has nothing to do with that. Just every time you
> > change your IP use the scripts used to do that to update the iptables
> > rules, it can be even done if you are using DHCP to get the IP.
> 
> This means the rulebase administrator has to know when the IP address
> changes and has to be able to run the script to deal with that change.
> And if the change is to *their* IP address, that means they can no
> longer access their firewall host.
> 
> Sebastian, I'd suggest two solutions, the easy one is to run your
> firewall script every minute, or two minutes, or five minutes, whatever
> suits. That way your firewall will look up the IP address for the
> hostname and change its rulebase accordingly.
> 
> The harder but more elegant solution is to write a script in your
> favourite programming language that does the following:
> 
> look up IP address for hostname.dyndns.net
> write that IP address to a file
> start an infinite loop here
> wait for a period of time
> look up IP address for hostname.dyndns.net
> if the IP address matches that in the file, do nothing
> otherwise do the following:
> - write the new IP address to a file
> - run the firewall script again
> go back to the beginning of the infinite loop
> 
> And seeing as it's sshd, watch hosts.allow and your sshd_config as well.
> 
> -- 
> http://www.bash.org/?quote=29355

-- 
Sebastian Docktor <sebi@xxxxxxxxxxxx>
Attachment:
update-netfilter-rule.sh
Description: Bourne shell script
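The loop Nick describes, written out in bash as an added example for this thread. It is not the script sebi attached (which is not reproduced on this page). The hostname hostname.dyndns.net and the idea of a dedicated chain jumped to from INPUT come from the messages above; the chain name dyndns_ssh, the state file path, the two-minute interval and the use of getent for resolution are assumptions. It expects the chain to have been created and hooked into INPUT beforehand with the two iptables lines sebi gives.

```bash
#!/bin/bash
# Added example (not the script attached to the post): keep an iptables
# chain in step with a DynDNS hostname, following the loop Nick described.
# Hostname, chain name, state file and interval below are assumptions.
set -u

WATCH_HOST="${WATCH_HOST:-hostname.dyndns.net}"
RULENAME="${RULENAME:-dyndns_ssh}"             # created beforehand with: iptables -N $rulename
STATE_FILE="${STATE_FILE:-/var/run/dyndns_ssh.ip}"
INTERVAL="${INTERVAL:-120}"                    # seconds between lookups
IPTABLES="${IPTABLES:-iptables}"               # command used to change rules

# Resolve the hostname to its first IPv4 address (glibc getent); prints
# nothing when resolution fails.
lookup_ip() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Accept only a dotted quad with four octets in 0..255, so a garbled or
# empty lookup result can never be spliced into a rule.
valid_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# True when there is no recorded address or it differs from the new one.
address_changed() {   # $1 = new address, $2 = state file
    [ -f "$2" ] || return 0
    [ "$(cat "$2")" != "$1" ]
}

# Rebuild the chain: SSH from the current address is accepted, SSH from
# anywhere else is dropped, and all other traffic falls back to INPUT.
apply_rules() {   # $1 = address
    $IPTABLES -F "$RULENAME" &&
    $IPTABLES -A "$RULENAME" -p tcp --dport 22 -s "$1" -j ACCEPT &&
    $IPTABLES -A "$RULENAME" -p tcp --dport 22 -j DROP
}

# One pass of the loop. A failed lookup leaves the existing rules alone
# rather than locking the administrator out.
refresh_once() {
    ip=$(lookup_ip "$WATCH_HOST")
    if ! valid_ipv4 "$ip"; then
        echo "lookup of $WATCH_HOST failed, keeping current rules" >&2
        return 1
    fi
    if address_changed "$ip" "$STATE_FILE"; then
        apply_rules "$ip" && printf '%s\n' "$ip" > "$STATE_FILE"
    fi
}

run_loop() {
    while :; do
        refresh_once
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as "update-netfilter-rule.sh run";
# otherwise the functions are merely defined (e.g. when sourced).
if [ "${1:-}" = "run" ]; then
    run_loop
fi
```

Start it from your firewall script or init with `update-netfilter-rule.sh run`; setting `IPTABLES="echo iptables"` first prints the rules instead of loading them. Two choices matter here: a failed or malformed lookup changes nothing, so an outage at the DynDNS provider neither locks you out nor widens access, and the chain only ever holds the one accept plus a catch-all drop for port 22, so a stale entry cannot linger next to the new one. What the script trusts is the DNS answer itself, which is the weakness sebi acknowledges, and why Nick's advice to keep hosts.allow and sshd_config tight still stands.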