• linux
• iptables
• dyndns

Using DNS names in iptables

• Usage: ADSL with dynamic ip can be allowed through a iptables Firewall.

• From: http://muzso.hu/2009/02/22/dynamic-firewall-rules-for-iptables dynamic_address_rules-1.1.sh

• From: http://dave.thehorners.com/content/view/86/65/

  • '''#!/bin/bash'''
    # filename: firewall-dynhosts.sh
    #
    # A script to update iptable records for dynamic dns hosts.
    # Written by: Dave Horner (http://dave.thehorners.com)
    # Released into public domain.
    #
    # Run this script in your cron table to update ips.
    #
    # You might want to put all your dynamic hosts in a sep. chain.
    # That way you can easily see what dynamic hosts are trusted.
    #
    # create the chain in iptables.
    # /sbin/iptables -N dynamichosts
    # insert the chain into the input chain @ the head of the list.
    # /sbin/iptables -I INPUT 1 -j dynamichosts
    # flush all the rules in the chain
    # /sbin/iptables -F dynamichosts
     
    HOST=$1
    HOSTFILE="/root/dynhosts/host-$HOST"
    CHAIN="dynamichosts"  # change this to whatever chain you want.
    IPTABLES="/sbin/iptables"
     
    # check to make sure we have enough args passed.
    if [ "${#@}" -ne "1" ]; then
        echo "$0 hostname"
        echo "You must supply a hostname to update in iptables."
        exit
    fi
     
    # lookup host name from dns tables
    IP=`/usr/bin/dig +short $HOST | /usr/bin/tail -n 1`
    if [ "${#IP}" = "0" ]; then
        echo "Couldn't lookup hostname for $HOST, failed."
        exit
    fi
     
    OLDIP=""
    if [ -a $HOSTFILE ]; then
        OLDIP=`cat $HOSTFILE`
        # echo "CAT returned: $?"
    fi
     
    # save off new ip.
    echo $IP>$HOSTFILE
     
    echo "Updating $HOST in iptables."
    if [ "${#OLDIP}" != "0" ]; then
        echo "Removing old rule ($OLDIP)"
        `$IPTABLES -D $CHAIN -s $OLDIP/32 -j ACCEPT`
    fi
    echo "Inserting new rule ($IP)"
    `$IPTABLES -A $CHAIN -s $IP/32 -j ACCEPT`
     
    
    
    
    Now all you have to do to use this script is run:
    
     
    firewall-dynhosts.sh theremotename.dyndns.org
     
    
    This would insert a rule for theremotename.dyndns.org into your firewall.
    
    I usally create a large script of trusted ddns hosts that I setup to be called many times throughout the day(using cron.d).  I do this using cron.d in the /etc/cron.d.
    
     
    # Run the dynamic firewall script every 5 minutes
    */5 * * * * root /root/dynamic-firewall > /dev/null  2>&

...