From: Frank Petran <frank.petran@inpho.de>
To: netfilter@lists.netfilter.org
Subject: Re: How to filter packets resulting from hosts with dynamic IP-address
Date: Tue, 6 Feb 2007 16:52:24 +0100
Message-ID: <200702061652.24892.frank.petran@inpho.de>
In-Reply-To: <45C896E7.3010105@riverviewtech.net>
Thank you for your reply.
On Tuesday 06 February 2007 15:55, Grant Taylor wrote:
> Use some sort of port knocking setup that will trigger some
> process on your firewall
Port knocking is, in my opinion, a little bit clumsy to use, especially if the
users involved are not experts and something goes wrong.
> Another option might be to look at writing some sort of user space
> daemon that you could have IPTables pass the packets to and return a yes
> / no to the kernel.
I suspected that.
> However, this would be duplicating some of / a lot
> of the effort that has gone in to IPTables and thus again sub optimal as
> far as development is concerned.
Well, hooking up to the ip_queue module using the QUEUE target does not seem
to be too bad an idea. I can still use iptables mechanisms to send only
packets destined for a special port to the QUEUE target. All that needs to be
done by the user-space daemon is to do a hostname lookup for allowed
hostnames, compare the looked-up IP with the incoming IP and return
true/false depending on the match.
I know that this method will not be useful in very busy routers, since
hostname lookups generate additional traffic and CPU load. Traffic and CPU
load, however, are usually not a problem on typical small business or home
setups on a DSL line with dynamic IP assignment.
Frank
--
INPHO GmbH * Smaragdweg 1 * 70174 Stuttgart * Germany
phone: +49 711 2288 10 * fax: +49 711 2288 111 * web: www.inpho.de
place of business: Stuttgart * managing director: Johannes Saile
commercial register: Stuttgart, HRB 9586
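The verdict logic Frank sketches (resolve each allowed hostname, compare with the packet's source address, answer accept or drop), written out as an added example; this is not code from the thread or from the netfilter project. It assumes a rule such as `iptables -A INPUT -p tcp --dport 22 -j QUEUE` (or `-j NFQUEUE` on current kernels, where ip_queue no longer exists) feeds packets to a small user-space wrapper that calls `verdict()` with the source address and relays the answer to the kernel; that wrapper, the hostnames and the stub resolver used in `demo()` are assumptions and constructed data. Two points a practitioner would want that the sketch leaves implicit: cache answers for a bounded TTL so a burst of packets does not become a burst of DNS queries, and fail closed when a name does not resolve.

```python
"""Verdict logic for a user-space packet-queue daemon that admits packets
only from hosts whose (dynamic) DNS name currently resolves to the packet's
source address.

Assumed integration (not part of the original post): an iptables rule such as
    iptables -A INPUT -p tcp --dport 22 -j QUEUE      # ip_queue, 2007-era
    iptables -A INPUT -p tcp --dport 22 -j NFQUEUE    # nfnetlink_queue today
sends the packets to user space, and a thin wrapper hands each packet's
source IP to DynamicHostAllowlist.verdict() and returns ACCEPT/DROP.
"""
import ipaddress
import socket
import time
from typing import Callable, Dict, FrozenSet, Iterable, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]  # hostname -> IP strings


def system_resolver(hostname: str) -> Iterable[str]:
    """Forward lookup (A and AAAA) through the system resolver.
    Raises socket.gaierror on NXDOMAIN/SERVFAIL so the caller fails closed."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


class DynamicHostAllowlist:
    def __init__(self, hostnames: Iterable[str], resolver: Resolver = system_resolver,
                 ttl: float = 60.0, clock: Callable[[], float] = time.monotonic) -> None:
        self.hostnames = tuple(hostnames)
        self.resolver = resolver
        self.ttl = ttl          # seconds a lookup result is reused; bounds DNS load
        self.clock = clock      # injectable for testing
        self._cache: Dict[str, Tuple[float, FrozenSet[Address]]] = {}

    def _addresses(self, hostname: str) -> FrozenSet[Address]:
        """Current address set for hostname, served from the TTL cache when fresh."""
        now = self.clock()
        entry = self._cache.get(hostname)
        if entry is not None and entry[0] > now:
            return entry[1]
        try:
            addrs = frozenset(ipaddress.ip_address(a) for a in self.resolver(hostname))
        except (socket.gaierror, OSError, ValueError):
            # Fail closed: a name that does not resolve admits nobody. The empty
            # result is cached for one TTL too, so a dead name is not hammered.
            addrs = frozenset()
        self._cache[hostname] = (now + self.ttl, addrs)
        return addrs

    def verdict(self, src_ip: str) -> str:
        """Return "ACCEPT" if src_ip is a current address of an allowed hostname,
        otherwise "DROP". Unparseable input is dropped."""
        try:
            src: Address = ipaddress.ip_address(src_ip)
        except ValueError:
            return "DROP"
        # Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) so it matches A records.
        if isinstance(src, ipaddress.IPv6Address) and src.ipv4_mapped is not None:
            src = src.ipv4_mapped
        for hostname in self.hostnames:
            if src in self._addresses(hostname):
                return "ACCEPT"
        return "DROP"


def demo() -> Dict[str, object]:
    """Constructed scenario: two dynamic-DNS names, one of which changes address
    mid-run, plus a name that no longer exists. The dict stands in for DNS."""
    table = {"office.example.dyndns": ["203.0.113.7"],
             "home.example.dyndns": ["198.51.100.20"]}
    lookups = []

    def stub_resolver(name: str) -> Iterable[str]:
        lookups.append(name)
        if name not in table:
            raise socket.gaierror("NXDOMAIN")
        return table[name]

    now = [1000.0]
    acl = DynamicHostAllowlist(
        ["office.example.dyndns", "home.example.dyndns", "gone.example.dyndns"],
        resolver=stub_resolver, ttl=60.0, clock=lambda: now[0])

    out: Dict[str, object] = {}
    out["office"] = acl.verdict("203.0.113.7")             # ACCEPT
    out["stranger"] = acl.verdict("192.0.2.99")            # DROP, all names consulted
    out["mapped"] = acl.verdict("::ffff:198.51.100.20")    # ACCEPT via IPv4-mapped form
    out["garbage"] = acl.verdict("not-an-ip")              # DROP
    out["lookups_within_ttl"] = len(lookups)               # 3: each name once, then cached

    table["office.example.dyndns"] = ["203.0.113.8"]       # ISP re-assigns the office line
    out["new_addr_stale_cache"] = acl.verdict("203.0.113.8")   # DROP until the TTL expires
    now[0] += 61.0
    out["new_addr_after_ttl"] = acl.verdict("203.0.113.8")     # ACCEPT after re-resolution
    out["old_addr_after_ttl"] = acl.verdict("203.0.113.7")     # DROP: old address gone
    out["lookups_total"] = len(lookups)                        # 6
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The lookup is deliberately a forward resolution of the allowed names, never a reverse (PTR) lookup of the packet's source: PTR records are controlled by whoever owns the source address block, so matching on them would let any host claim to be an allowed name. Even so, the check is only as trustworthy as the DNS answers the firewall receives and the dynamic-DNS account that publishes them, so it reduces exposure of the port rather than authenticating the peer; the service behind it (SSH keys, a VPN) still has to do that.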