Yakov Lerner wrote:
> Allow me to rewrite and clarify my question, I was not clear: I need to set up iptables on system A to drop packets from all IPs except packets coming from system B. System B has a dynamic IP (dynip.sh). B's DNS name is known but B's IP is not fixed. What are my options to set up iptables on A?
iptables only deals with IP addresses, although it will convert a DNS name in the command to an IP (or a series of IPs if the lookup returns multiple A records). As such, you can use any method you prefer in userland to check for and update your rules when the DNS resolution changes.
> Is there a better solution than a crontab script that every 10 minutes resolves this domain and reinstalls the iptables rule if the IP changed?
If you have a script that works when called from cron, why use a different method? Depending on your specific scenario, various options might be available. As an example, if you happened to be using a VPN between A and B, you could have a monitor script that checks for valid authentication from system B and updates the iptables rule if the address has changed (of course, then you wouldn't need to restrict inbound traffic - see below.) Regardless of what you use, the basic principle is always the same; you need a way to check the IP (such as by resolving it) and update the rule if the IP has changed.
I'll also point out that this isn't a replacement for proper IP security between hosts A and B; a possible attack vector on your setup would be another user of the subnet on the WAN side of host A executing a MAC-spoofing attack between you and the ISP's default gateway and then spoofing the IP of host B, thus enabling 2-way communication between the attacker and host A. Using TLS or a VPN to secure the traffic will eliminate this problem and allow you to listen on the secure port from anywhere, also solving the dynamic DNS update problem you described above.
-- Josh
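As an added example (not from Josh's reply or any project), this is the shape of the cron-driven script discussed above: it resolves B's name, compares the result with the last address set it applied, and only rewrites the ACCEPT rule when something changed. The host name b.example.net, the state file path and the chain name are assumed placeholders; the script keeps the previous rule when the lookup fails and also handles a name that returns several A records.

```shell
#!/bin/sh
# Keep an iptables ACCEPT rule in sync with a dynamic DNS name (run from cron,
# e.g. every 10 minutes). The chain's default policy is assumed to be DROP,
# set once elsewhere; this script only manages the per-address ACCEPT rules.
HOST_B="${HOST_B:-b.example.net}"             # assumed placeholder name of system B
STATE_FILE="${STATE_FILE:-/var/run/allow-b.ips}" # assumed placeholder path
CHAIN="${CHAIN:-INPUT}"                        # assumed placeholder chain
IPV4_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}$'

# Resolve the name to its IPv4 addresses, one per line, sorted and de-duplicated,
# so a name with several A records compares stably from run to run.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Decide what to do given the freshly resolved set and the last applied set.
# Prints "skip" (lookup failed or returned junk: keep the existing rule),
# "noop" (unchanged) or "update" (rewrite the rule).
decide() {
    new="$1"; old="$2"
    if [ -z "$new" ] || printf '%s\n' "$new" | grep -Evq "$IPV4_RE"; then
        echo skip; return 0
    fi
    [ "$new" = "$old" ] && echo noop || echo update
}

# Remove the stale ACCEPT rules (ignoring ones that are already gone) and
# insert the new ones at the top of the chain.
apply_rules() {
    old="$1"; new="$2"
    for ip in $old; do iptables -D "$CHAIN" -s "$ip" -j ACCEPT 2>/dev/null || true; done
    for ip in $new; do iptables -I "$CHAIN" -s "$ip" -j ACCEPT; done
}

main() {
    old=""; [ -f "$STATE_FILE" ] && old=$(cat "$STATE_FILE")
    new=$(resolve_ipv4 "$HOST_B")
    case $(decide "$new" "$old") in
        update) apply_rules "$old" "$new" && printf '%s\n' "$new" > "$STATE_FILE" ;;
        skip)   echo "lookup for $HOST_B failed; keeping rule for: ${old:-none}" >&2 ;;
    esac
}

# Only touch iptables when explicitly asked, so the functions can be sourced and tested.
if [ "${RUN_ALLOW_B:-0}" = 1 ]; then main; fi
```

Invoke it from cron as `RUN_ALLOW_B=1 /path/to/allow-b.sh`; the state file is what lets a later run know which addresses to delete.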