March 18th, 2005, 01:07 PM
#8
I think cacosapo has hit the nail right on the head! Kudos!
First, some background on my understanding thus far: I was under the impression (from prior searching and reading) that iptables would look up the host name each time the rule was called. This apparently is not correct (found through testing because of this post; I think this may also answer Maestr0’s post, but even if it were so, using the new chain as I did you could mitigate most of the problems). What I found was that when the ruleset is loaded it does the DNS lookup, and holds that IP address until the rule is loaded again. (*2: note the quirk below.)
God I love this site: posts like this make me learn!
Anyway, if that is the case, then to get the new IP address if it changed you would have to reload iptables (bad idea: it could slow things, jam things, or even open holes momentarily every time the entire ruleset reloaded) or you could just reload that rule as cacosapo said.
So, for the example given (notice I removed the logging for your.com):
echo create ssh_entries table
iptables -N ssh_entries
# allow entries from your.com to log in via ssh
iptables -A ssh_entries -p tcp -i eth0 --dport 22 -s your.com -j ACCEPT
iptables -A ssh_entries -j LOG --log-level info --log-prefix "ssh_in_drop: "
iptables -A ssh_entries -j DROP
# -----------
# send all ssh requests coming in to ssh_entries table
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ssh_entries
In a cron job, just replace the chain rule where you call your.com: in doing so it should reread the DNS and replace as necessary.
So, in the above example, the rule to change the rule would be
iptables -R ssh_entries 1 -p tcp -i eth0 --dport 22 -s your.com -j ACCEPT
In the above, "-R" tells iptables to replace a rule, "ssh_entries" says what chain the rule is in, "1" is the rule number in the chain, and the rest is the rule to replace the old one.
To get the rule number once the chain is loaded the first time, use
iptables --list --line-numbers -v
If you need special treatment for the lookup ( I do not know how no-ip.com works ) you could still include that lookup in the CRON job, placing it in your /etc/hosts file.
One other note here, and someone may run into this, so be mindful. The reason I used the /etc/hosts file initially was not only because of using no-ip.com, but also because, thinking that it would look up the host name each time the rule was called, I thought it easier since you would not have to worry about placement of the rule in the table.
If you place a host name in a ruleset which requires a DNS lookup before the rule which allows DNS look-ups, the rule will fail and will not be loaded!
Hope this has helped, it helped me.
*1 Note here: if the host name resolves to multiple addresses the "-R" command will fail (from the iptables man pages, and yes, I tried it).
*2 Quirk (this worked for me):
Run a ruleset with a destination host name, then do
iptables --list -v
You will see the host name in the ruleset. Now run
iptables --list -n -v
Since "-n" tells iptables not to display host names but to use the IP address, you will see the IP address of the host name in the rule.
Now, again try
iptables --list -v
No "-n", but the IP address is still there!
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
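The cron-job refresh described in the post, as an added example (my code, not from the original post): it reads the address currently in rule 1 of ssh_entries from the listing flags shown above, resolves your.com with getent (an assumption, standing in for whatever no-ip.com needs), refuses a multi-address answer as note *1 warns, and issues a single -R with the numeric address only when it has changed.

```shell
#!/bin/sh
# Added example, not from the original post: a cron job that refreshes rule 1 of the
# ssh_entries chain only when your.com resolves to a new address. Assumptions: the
# chain/rule layout from the post, getent(1) and iptables(8) available, run as root.
CHAIN=ssh_entries
RULENUM=1
HOST=your.com
IFACE=eth0

# Resolve HOST to its IPv4 addresses, one per line, duplicates removed.
resolve_ipv4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Source address of rule N, parsed from "iptables -L CHAIN -n -v --line-numbers"
# output on stdin. With -v the columns are:
#   num pkts bytes target prot opt in out source destination ...
rule_source() {
    awk -v n="$1" '$1 == n { print $9 }'
}

# Decide what to do: prints "skip", "replace <ip>" or "error:<reason>". A host that
# resolves to several addresses is refused, mirroring note *1 (-R fails on it).
plan_update() {
    current=$1          # address currently in the rule
    resolved=$2         # newline-separated resolved addresses
    count=$(printf '%s\n' "$resolved" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 0 ] && { echo "error:no-address"; return 1; }
    [ "$count" -gt 1 ] && { echo "error:multiple-addresses"; return 1; }
    [ "$resolved" = "$current" ] && { echo "skip"; return 0; }
    echo "replace $resolved"
}

# One atomic -R with the numeric address: no full ruleset reload, and no DNS
# lookup inside iptables itself, so rule order relative to DNS rules is moot.
refresh_rule() {
    current=$(iptables -L "$CHAIN" -n -v --line-numbers | rule_source "$RULENUM")
    plan=$(plan_update "$current" "$(resolve_ipv4 "$HOST")") ||
        { echo "$HOST: $plan" >&2; return 1; }
    case $plan in
        "replace "*) iptables -R "$CHAIN" "$RULENUM" -p tcp -i "$IFACE" --dport 22 \
                         -s "${plan#replace }" -j ACCEPT ;;
    esac
}

# Only touch the firewall when invoked as: sh refresh_ssh_entries.sh --apply
if [ "${1:-}" = "--apply" ]; then refresh_rule; fi
```

A non-zero exit on a failed refresh lets cron mail you the reason instead of silently leaving a stale address in the rule.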