* How to filter packets resulting from hosts with dynamic IP-address
From: Frank Petran @ 2007-02-06 9:42 UTC (permalink / raw)
To: netfilter
I want to allow incoming traffic from hosts that run on changing IP-addresses
supplied by the ISP. These hosts have their current IP-address registered
with dyndns.org as soon as they connect to the internet.
As far as I have understood it, filters can act on IP-addresses but not on
hostnames. Since the originating IP-address changes, all I am left with is
the known hostname. As far as I have understood it, filters can act on
IP-addresses but not on hostnames. I would like to do a hostname lookup based
on the name registered at dyndns.org and compare that with the IP-address of
the incoming traffic.
--
INPHO GmbH * Smaragdweg 1 * 70174 Stuttgart * Germany
phone: +49 711 2288 10 * fax: +49 711 2288 111 * web: www.inpho.de
place of business: Stuttgart * managing director: Johannes Saile
commercial register: Stuttgart, HRB 9586
* Re: How to filter packets resulting from hosts with dynamic IP-address
From: Grant Taylor @ 2007-02-06 14:55 UTC (permalink / raw)
To: Mail List - Netfilter
Frank Petran wrote:
> As far as I have understood it, filters can act on IP-addresses but not
> on hostnames. Since the originating IP-address changes, all I am left
> with is the known hostname. As far as I have understood it, filters can
> act on IP-addresses but not on hostnames. I would like to do a hostname
> lookup based on the name registered at dyndns.org and compare that with
> the IP-address of the incoming traffic.
You are correct in the fact that IPTables will not use host names during
normal operations. This is because the in-kernel rules only support IP
addresses. The IPTables command will translate names to IPs for you
when you add the rules to the kernel though.
With this in mind, my best bet is for you to create a sub chain that is
for each specific client. Use some sort of port knocking setup that
will trigger some process on your firewall to re-run that user's portion
of the IPTables script. This script would need to flush the user's sub
chain and repopulate it with current IP addresses. I know that this is
sub optimal, but I think it would work.
Another option might be to look at writing some sort of user space
daemon that you could have IPTables pass the packets to and return a yes
/ no to the kernel. However, this would be duplicating some of / a lot
of the effort that has gone in to IPTables and thus again sub optimal as
far as development is concerned.
Grant. . . .
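An added example (not code from the thread or from either poster) of the refresh step Grant describes: each client gets its own sub chain, which the script flushes and repopulates with whatever the client's dyndns name resolves to right now. It assumes the chain and the jump from INPUT were created once beforehand (`iptables -N dyn_alice`, `iptables -A INPUT -j dyn_alice`); the hostnames, chain names and ports are constructed sample values, and the resolver and command runner are injectable so the logic can be exercised without root or DNS.

```python
"""Rebuild a per-client iptables sub chain from a dyndns hostname.

Added example, not from the thread: models the per-client sub chain that is
flushed and repopulated with the addresses the client's dyndns name currently
resolves to. Hostnames, chain names and ports are constructed sample values.
"""
import ipaddress
import socket
import subprocess
from typing import Callable, List, Sequence

Resolver = Callable[[str], List[str]]


def resolve_ipv4(hostname: str) -> List[str]:
    """Resolve a hostname to its current IPv4 addresses (sorted, deduplicated).

    A failed lookup returns an empty list instead of raising, so the caller
    fails closed: an unresolvable client ends up with an empty chain, i.e. no access.
    """
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def chain_name(client: str) -> str:
    """Derive a chain name iptables accepts (at most 28 characters, no spaces)."""
    safe = "".join(ch if ch.isalnum() else "_" for ch in client)
    return ("dyn_" + safe)[:28]


def build_refresh_commands(client: str, hostname: str, ports: Sequence[int],
                           resolve: Resolver = resolve_ipv4) -> List[List[str]]:
    """Return the iptables commands that flush and repopulate one client's chain.

    Assumes INPUT already jumps to the per-client chain (created once with -N);
    only the chain's contents are rewritten, so a stale address disappears at
    the flush and only currently resolved addresses are re-added.
    """
    chain = chain_name(client)
    commands = [["iptables", "-F", chain]]
    for addr in resolve(hostname):
        # Validate before putting the value into a command line: a resolver
        # returning garbage must not be able to change the meaning of the rule.
        ipaddress.IPv4Address(addr)
        for port in ports:
            commands.append(["iptables", "-A", chain, "-s", addr,
                             "-p", "tcp", "--dport", str(port), "-j", "ACCEPT"])
    return commands


def refresh_chain(client: str, hostname: str, ports: Sequence[int],
                  resolve: Resolver = resolve_ipv4, run=subprocess.run) -> int:
    """Apply the refresh and return the number of ACCEPT rules installed.

    `run` is injectable so the sequencing can be tested without root.
    """
    cmds = build_refresh_commands(client, hostname, ports, resolve)
    for cmd in cmds:
        run(cmd, check=True)
    return len(cmds) - 1


if __name__ == "__main__":
    # Constructed resolver standing in for a dyndns lookup, so the example
    # runs offline and without iptables installed.
    fake = lambda name: {"alice.dyndns.example": ["203.0.113.7"]}.get(name, [])
    for cmd in build_refresh_commands("alice", "alice.dyndns.example", [22], fake):
        print(" ".join(cmd))
```

Run it from cron or from whatever trigger re-runs the user's portion of the script. A name that fails to resolve leaves the chain empty, so the client loses access rather than keeping a stale address. The flush-then-append sequence has a short window with no rules in the chain; generating the whole ruleset and loading it with `iptables-restore` avoids that if it matters.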
* Re: How to filter packets resulting from hosts with dynamic IP-address
From: Petr Pisar @ 2007-02-06 15:31 UTC (permalink / raw)
To: netfilter
On 2007-02-06, Frank Petran <frank.petran@inpho.de> wrote:
> I want to allow incoming traffic from hosts that run on changing IP-addresses
> supplied by the ISP. These hosts have their current IP-address registered
> with dyndns.org as soon as they connect to the internet.
>
As you can see, relying on IP address is not secure. You should consider
using some type of authentication (e.g. IPsec).
-- Petr
* Re: How to filter packets resulting from hosts with dynamic IP-address
From: Frank Petran @ 2007-02-06 15:52 UTC (permalink / raw)
To: netfilter
Thank you for your reply.
On Tuesday 06 February 2007 15:55, Grant Taylor wrote:
> Use some sort of port knocking setup that will trigger some
> process on your firewall
Port knocking is in my opinion a little bit clumsy to use, especially if the
users involved are not experts and something goes wrong.
> Another option might be to look at writing some sort of user space
> daemon that you could have IPTables pass the packets to and return a yes
> / no to the kernel.
I suspected that.
> However, this would be duplicating some of / a lot
> of the effort that has gone in to IPTables and thus again sub optimal as
> far as development is concerned.
Well, hooking up to the ip_queue module using the QUEUE target does not seem
to be a too bad idea. I can still use iptables mechanisms to send only
packets destined for a special port to the queue target. All that needs to be
done by the user space daemon is to do a hostname lookup for allowed
hostnames, compare the looked up IP with the incoming IP and return
true/false depending on the match.
I know that this method will not be useful in very busy routers, since
hostname lookups generate additional traffic and CPU load. Traffic and CPU
load however is usually not a problem on typical small business or home
setups on a DSL line with dynamic IP assignment.
Frank
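An added example (not code from the thread or from either poster) of the decision the user-space daemon Frank describes would make for each queued packet: resolve the allowed dyndns names, compare with the packet's source address, return a verdict. It leaves out the queue binding itself (ip_queue and the QUEUE target were later replaced by NFQUEUE and libnetfilter_queue) and uses constructed hostnames and addresses; the resolver and clock are injectable so it runs offline. The per-name cache addresses his own caveat about lookup traffic and CPU load: a burst of packets costs one lookup per name per TTL, not one per packet.

```python
"""Verdict logic for a user-space daemon fed by an iptables queue target.

Added example, not from the thread: look up the allowed dyndns hostnames,
compare with the packet's source address, return ACCEPT or DROP. Hostnames
and addresses are constructed sample values.
"""
import socket
import time
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional, Tuple

Resolver = Callable[[str], List[str]]
Clock = Callable[[], float]


def resolve_ipv4(hostname: str) -> List[str]:
    """Current IPv4 addresses of hostname; empty list on lookup failure."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


class DynHostAllowlist:
    """Decide whether a source address belongs to one of the allowed dyndns names.

    Each hostname is re-resolved at most once per `ttl` seconds, so a burst of
    packets costs one lookup per name rather than one per packet. A failed
    lookup yields no addresses for that name (fail closed) until the next refresh.
    """

    def __init__(self, hostnames: Iterable[str], ttl: float = 60.0,
                 resolve: Resolver = resolve_ipv4, clock: Clock = time.monotonic):
        self._hostnames = list(hostnames)
        self._ttl = ttl
        self._resolve = resolve
        self._clock = clock
        # hostname -> (expiry time, addresses it resolved to at the last lookup)
        self._cache: Dict[str, Tuple[float, FrozenSet[str]]] = {}
        self.lookups = 0  # counts DNS queries issued, i.e. the load this daemon adds

    def _addresses(self, hostname: str) -> FrozenSet[str]:
        """Cached addresses for hostname, refreshed once the TTL has elapsed."""
        now = self._clock()
        entry = self._cache.get(hostname)
        if entry is None or entry[0] <= now:
            self.lookups += 1
            addrs = frozenset(self._resolve(hostname))
            self._cache[hostname] = (now + self._ttl, addrs)
            return addrs
        return entry[1]

    def matching_host(self, src_ip: str) -> Optional[str]:
        """Return the allowed hostname that currently resolves to src_ip, or None."""
        for name in self._hostnames:
            if src_ip in self._addresses(name):
                return name
        return None

    def verdict(self, src_ip: str) -> str:
        """ACCEPT if the source is a currently known client address, else DROP."""
        return "ACCEPT" if self.matching_host(src_ip) is not None else "DROP"


if __name__ == "__main__":
    # Constructed resolver table and sample source addresses so the example runs offline.
    table = {"alice.dyndns.example": ["203.0.113.7"],
             "bob.dyndns.example": ["198.51.100.20"]}
    allow = DynHostAllowlist(table, resolve=lambda name: table.get(name, []))
    for src in ["203.0.113.7", "198.51.100.20", "192.0.2.99"]:
        print(src, allow.verdict(src))
    print("lookups performed:", allow.lookups)
```

Pick `ttl` close to the TTL of the dyndns records themselves: too long and a client whose address has just changed is dropped until the cached entry expires; too short and every burst of packets triggers fresh lookups again.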
* Re: How to filter packets resulting from hosts with dynamic IP-address
From: Frank Petran @ 2007-02-06 16:07 UTC (permalink / raw)
To: netfilter
On Tuesday 06 February 2007 16:31, Petr Pisar wrote:
> As you can see, relying on IP address is not secure. You should consider
> using some type of authentication (e.g. IPsec).
Yes, you are perfectly right. But authentication is only one part of the
solution. I have had pretty bad experience with an open ssh port: although no one
has managed so far to break in, a considerable amount of traffic was generated
on my connection by attempts to brute force their way in, almost resulting in a
DoS. Preselecting who I would like to allow access will reduce those attacks
to virtually zero.
Frank
* Re: How to filter packets resulting from hosts with dynamic IP-address
From: Grant Taylor @ 2007-02-06 16:30 UTC (permalink / raw)
To: Mail List - Netfilter
Frank Petran wrote:
> Port knocking is in my opinion a little bit clumsy to use especially if the
> users involved are no experts and something goes wrong.
I was thinking that the port knocking would be for nothing more than a
request for the router to initiate an update with the information that
it found, not with anything that is provided by the port knock. I.e.
the only thing that a port knock will do is request an update, NOT
provide the information for the update.
Grant. . . .