Using DNS names in iptables
- Use case: a host on an ADSL line with a dynamic IP address can be allowed through an iptables firewall by its DNS name, with the rule refreshed whenever the address changes.
From: http://muzso.hu/2009/02/22/dynamic-firewall-rules-for-iptables dynamic_address_rules-1.1.sh
From: http://dave.thehorners.com/content/view/86/65/
The script (firewall-dynhosts.sh), with the quoting and exit-status bugs of the original fixed and the resolver output checked before it is handed to iptables:

    #!/bin/bash
    # filename: firewall-dynhosts.sh
    #
    # A script to update iptables records for dynamic dns hosts.
    # Written by: Dave Horner (http://dave.thehorners.com)
    # Released into public domain.
    #
    # Run this script in your cron table to update ips.
    #
    # You might want to put all your dynamic hosts in a sep. chain.
    # That way you can easily see what dynamic hosts are trusted.
    #
    # create the chain in iptables.
    #   /sbin/iptables -N dynamichosts
    # insert the chain into the input chain @ the head of the list.
    #   /sbin/iptables -I INPUT 1 -j dynamichosts
    # flush all the rules in the chain
    #   /sbin/iptables -F dynamichosts

    HOST=$1
    HOSTFILE="/root/dynhosts/host-$HOST"
    CHAIN="dynamichosts"        # change this to whatever chain you want.
    IPTABLES="/sbin/iptables"

    # check to make sure we have enough args passed.
    if [ "$#" -ne 1 ]; then
        echo "$0 hostname"
        echo "You must supply a hostname to update in iptables."
        exit 1
    fi

    # lookup host name from dns tables. The last line is the A record behind any
    # CNAME; a name with several A records only gets its last one, as in the original.
    IP=$(/usr/bin/dig +short A "$HOST" | /usr/bin/tail -n 1)
    # accept only a dotted-quad: empty output or resolver error text must never
    # be spliced into an iptables command line
    case "$IP" in
        ""|*[!0-9.]*)
            echo "Couldn't lookup hostname for $HOST, failed."
            exit 1
            ;;
    esac

    OLDIP=""
    if [ -f "$HOSTFILE" ]; then
        OLDIP=$(cat "$HOSTFILE")
    fi

    # save off new ip.
    mkdir -p "$(dirname "$HOSTFILE")"
    echo "$IP" > "$HOSTFILE"

    echo "Updating $HOST in iptables."
    if [ -n "$OLDIP" ]; then
        echo "Removing old rule ($OLDIP)"
        # the original wrapped these calls in backticks, which would try to run
        # iptables' output as a command; call iptables directly instead
        "$IPTABLES" -D "$CHAIN" -s "$OLDIP/32" -j ACCEPT
    fi
    echo "Inserting new rule ($IP)"
    "$IPTABLES" -A "$CHAIN" -s "$IP/32" -j ACCEPT

Now all you have to do to use this script is run:

    firewall-dynhosts.sh theremotename.dyndns.org

This would insert a rule for theremotename.dyndns.org into your firewall. I usually create a large script of trusted ddns hosts that I set up to be called many times throughout the day (using cron.d). I do this using cron.d in /etc/cron.d:

    # Run the dynamic firewall script every 5 minutes
    */5 * * * * root /root/dynamic-firewall > /dev/null 2>&1
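The script above tracks one address per name and keeps only the last A record the resolver returns, so a dynamic DNS name that answers with several addresses is only partly allowed. As an added example (not from the original page and not Dave Horner's script), the POSIX sh version below resolves every A record, rejects anything that is not a dotted-quad before it can reach an iptables command line, and computes only the rules that differ from the previous run, so a failed lookup leaves the existing rules in place instead of removing them. It assumes the same dynamichosts chain and /sbin/iptables path as the page, that dig is installed, and a state directory given as its second argument (all of these are assumptions of the example).

```shell
#!/bin/sh
# Added example, not the original firewall-dynhosts.sh: keep an iptables chain in
# sync with all A records of a dynamic DNS name, validating resolver output first.
# Assumptions: the "dynamichosts" chain exists (see the page), /sbin/iptables, dig.

CHAIN="${CHAIN:-dynamichosts}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# is_ipv4 ADDR: succeed only for a dotted-quad with every octet in 0..255.
# Anything else from the resolver (error text, empty output, a hostname) is rejected.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(echo "$1" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# in_list NEEDLE "WORDS": succeed if NEEDLE is one of the whitespace-separated WORDS.
in_list() {
    for word in $2; do
        [ "$word" = "$1" ] && return 0
    done
    return 1
}

# resolve_a NAME: print every validated A record, one per line. CNAME lines that
# dig prints on the way to the A records fail is_ipv4 and are dropped.
resolve_a() {
    dig +short A "$1" | while read -r ip; do
        is_ipv4 "$ip" && echo "$ip" || :
    done
}

# plan_rules "OLD_IPS" "NEW_IPS": print, without running, the iptables commands that
# turn the chain's old address set into the new one. Fails if NEW holds a non-address,
# so nothing unexpected is ever spliced into a command line.
plan_rules() {
    old=$1
    new=$2
    for ip in $new; do
        is_ipv4 "$ip" || { echo "refusing unexpected resolver output: $ip" >&2; return 1; }
    done
    for ip in $old; do
        in_list "$ip" "$new" || echo "$IPTABLES -D $CHAIN -s $ip/32 -j ACCEPT"
    done
    for ip in $new; do
        in_list "$ip" "$old" || echo "$IPTABLES -A $CHAIN -s $ip/32 -j ACCEPT"
    done
}

# apply_update NAME STATEDIR: resolve NAME, diff against the addresses recorded in
# STATEDIR/host-NAME, run the delta, and record the new set only if every command
# succeeded. A lookup failure leaves the existing rules in place.
apply_update() {
    host=$1
    statefile="$2/host-$1"
    mkdir -p "$2"
    new=$(resolve_a "$host")
    [ -n "$new" ] || { echo "no A records for $host, rules left unchanged" >&2; return 1; }
    old=""
    [ -f "$statefile" ] && old=$(cat "$statefile")
    plan_rules "$old" "$new" > "$statefile.plan" || return 1
    while read -r cmd; do
        echo "$cmd"
        $cmd || { echo "'$cmd' failed, state file not updated" >&2; return 1; }
    done < "$statefile.plan"
    printf '%s\n' $new > "$statefile"
}

# Stand-alone use (needs root):  ./dynhosts-sync.sh theremotename.dyndns.org /root/dynhosts
if [ "$#" -eq 2 ]; then
    apply_update "$1" "$2"
fi
```

Because plan_rules only emits the delta, a cron run where the name has not changed touches nothing, and a run where one of several addresses changed deletes and adds just that one rule; the chain still has to be created and hooked into INPUT once, as the page's comments describe.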
...