corporate-gadfly / Tunlr-Clone


How do we handle dynamic IP addresses assigned by cable / DSL provider? #51

Open steveharman opened 9 years ago

steveharman commented 9 years ago

In the iptables section of the setup instructions there's a step which says "your ISP address provided by Cable or DSL" - but this changes regularly unless the cable provider supplies a fixed IP (unlikely). As a result I have a dyndns address configured so I can reach my home IP regardless of how often the ISP changes it.

So is it possible to specify:

iptables -A INPUT -i venet0 -s 173.x.x.x -d MYDYNDNS.ADDRESS.HERE -p tcp -m tcp --dport 80 -j ACCEPT

Or will iptables require a dot address in there ^^ ? If it does then I'm not sure how that will be possible with a regularly changing IP from my ISP.

Thanks,

Steve

Skorfulose commented 9 years ago

Hey Steve,

Same problem here. In Germany most of the DSL ISPs do a daily reconnect (with new IP). I did not implement a solution for myself yet. But my idea was to create a password-protected webpage that I visit once after receiving a new IP (or e.g. in a hotel). It recognizes the external IP and then sets the iptables rules dynamically. unblock.us etc must work the same way in my opinion.

Your idea of using the DDNS hostname in the rules will not work AFAIK. Investigated that a while ago and iptables has no name resolution support if I remember correctly.

So, anyone good in coding a small admin website? Or other ideas?

Regards, Thomas

wedge-kc commented 9 years ago

Yes, you can use DYNDNS. That is what I use to update my ip on my vps. However, you will need to add a cron job on your vps to refresh your iptables rules every 5-10 minutes; this will force iptables to resolve your Dyndns and pick up the new ip.

Emredrum commented 9 years ago

@wedge-kc Can you help us out with an example of your script? I found this example http://www.cyberciti.biz/faq/linux-iptables-firewall-flushout-configuration-every-5minutes/

Also found this http://ubuntuforums.org/showthread.php?t=1655443

wedge-kc commented 9 years ago

Sure. My setup might be different from yours but hopefully it will get you going in the right direction.

  1. I assume your dyndns is updated on home router or pc
  2. create something like the following script on your vps
#!/bin/bash

IPTABLES=/sbin/iptables

# flush old rules and chains (filter and nat tables)
${IPTABLES} --flush
${IPTABLES} --delete-chain
${IPTABLES} --table nat --flush
${IPTABLES} --table nat --delete-chain

# set default policies: drop inbound/forwarded, allow outbound
${IPTABLES} -P INPUT DROP
${IPTABLES} -P FORWARD DROP
${IPTABLES} -P OUTPUT ACCEPT

# allow loopback traffic
${IPTABLES} -A INPUT -i lo -j ACCEPT
${IPTABLES} -A OUTPUT -o lo -j ACCEPT

# drop new TCP connections that do not start with SYN; keep established ones
${IPTABLES} -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# block abusive ips (uncomment and fill in as needed)
#${IPTABLES} -A INPUT -s _ABUSIVE_IP_ -j DROP
#${IPTABLES} -A INPUT -s _ABUSIVE_IP2_ -j DROP

# allow ssh on port 56241 from the dyndns hostname (resolved when the rule is added)
${IPTABLES} -A INPUT -p tcp --dport 56241 -m state --state NEW -s example.duckdns.org -j ACCEPT

# allow http on port 80
${IPTABLES} -A INPUT -p tcp --dport 80 -m state --state NEW -s example.duckdns.org -j ACCEPT

# allow https on port 443
${IPTABLES} -A INPUT -p tcp --dport 443 -m state --state NEW -s example.duckdns.org -j ACCEPT

# drop everything else and log it
${IPTABLES} -A INPUT -j LOG
${IPTABLES} -A INPUT -j DROP
  3. chmod +x scriptname.sh
  4. crontab -e (you might need to install it first.. apt-get update && apt-get install cron)
  5. add a job, for example, no quotes: */2 * * * * /home/iptables.sh
  6. check using iptables -L

That should do it. I have been using this for while with no issues, however I am no iptables expert.
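An added example, not wedge-kc's script or the project's own code, that applies the same cron-refresh idea with two changes a defender would want: it resolves the DDNS name first and leaves the existing rules untouched if resolution fails or returns garbage (so a DNS hiccup cannot lock you out), and it rebuilds only a dedicated chain instead of flushing the whole firewall every two minutes. The hostname example.duckdns.org, the ports, the chain name DDNS_ALLOW and the state-file path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the DDNS allow rules only when the
# resolved address changes; a DNS failure keeps the current rules. Names are assumed.
set -u
DDNS_HOST="${DDNS_HOST:-example.duckdns.org}"      # assumed DDNS name
STATE_FILE="${STATE_FILE:-/var/lib/ddns-allow.ip}" # last address applied
CHAIN="DDNS_ALLOW"                                 # dedicated chain (assumed)
PORTS="56241 80 443"                               # ports from the thread

# Return 0 only if $1 is a well-formed dotted-quad IPv4 address.
valid_ipv4() {
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    case "$_o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$_o" -le 255 ] || return 1
  done
  return 0
}
# First IPv4 address the DDNS name resolves to, or an empty string on failure.
resolve_ipv4() {
  getent ahostsv4 "$1" 2>/dev/null | awk '{print $1; exit}'
}
# 0 = rules must be rebuilt, 1 = leave them alone (unchanged, or bad/empty IP).
rule_needs_update() {
  valid_ipv4 "$2" || return 1   # DNS failure must not lock us out
  [ "$1" != "$2" ]
}
# Rebuild only the dedicated chain; the base policy is never flushed.
apply_rules() {
  iptables -N "$CHAIN" 2>/dev/null || iptables -F "$CHAIN"
  for _p in $PORTS; do
    iptables -A "$CHAIN" -p tcp --syn --dport "$_p" -m state --state NEW -s "$1" -j ACCEPT
  done
  # Hook the chain into INPUT once; -C makes this idempotent.
  iptables -C INPUT -j "$CHAIN" 2>/dev/null || iptables -I INPUT -j "$CHAIN"
  echo "$1" > "$STATE_FILE"
}
main() {
  _old=$(cat "$STATE_FILE" 2>/dev/null || true)
  _new=$(resolve_ipv4 "$DDNS_HOST")
  if rule_needs_update "$_old" "$_new"; then
    apply_rules "$_new"
    logger -t ddns-allow "allowed source changed: ${_old:-none} -> $_new"
  fi
}
if [ "${1:-}" = run ]; then main; fi   # from cron: */2 * * * * /path/ddns-allow.sh run
```

Without the `run` argument the script only defines its functions, which keeps the checks testable without touching iptables.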

steveharman commented 9 years ago

Thanks to you both, much obliged! :-)

Regards,

Steve

invisan commented 5 years ago

You could also use a cron job and write the IP itself into the bind whitelist, which is imho simpler than iptables.