From: Josh Cepek <josh.cepek@usa.net>
To: Yakov Lerner <iler.ml@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: allowing packets from dynamic-dns IP
Date: Sat, 26 Apr 2008 17:07:46 -0500
Message-ID: <4813A7B2.8020401@usa.net>
In-Reply-To: <f36b08ee0804261302ubcc568fyab0d42e5645e3eab@mail.gmail.com>
Yakov Lerner wrote:
> Allow me to rewrite and clarify my question, I was not clear:
>
> I need to set up iptables on system A to drop packets
> from all IPs except packets coming from system B.
> System B has a dynamic IP (dynip.sh). B's DNS name
> is known but B's IP is not fixed. What are my options to set up iptables on A?
>
iptables only deals with IP addresses, although it will convert a DNS
name in the command to an IP (or series of IPs if the lookup returns
multiple A records.) As such, you can use any method you prefer in
userland to check for and update your rules when the DNS resolution changes.
> Is there better solution than crontab-script, that every 10 minutes
> resolves this domain and reinstalls iptables rule if IP changed ?
If you have a script that works when called from cron, why use a
different method? Depending on your specific scenario, various options
might be available. As an example, if you happened to be using a VPN
between A and B, you could have a monitor script that checks for valid
authentication from system B and updates the iptables rule if the
address has changed (of course, then you wouldn't need to restrict
inbound traffic - see below.) Regardless of what you use, the basic
principle is always the same; you need a way to check the IP (such as by
resolving it) and update the rule if the IP has changed.
I'll also point out that this isn't a replacement for proper IP security
between hosts A and B; a possible attack vector on your setup would be
another user of the subnet on the WAN side of host A executing a
MAC-spoofing attack between you and the ISP's default gateway and then
spoofing the IP of host B, thus enabling 2-way communication between the
attacker and host A. Using TLS or a VPN to secure the traffic will
eliminate this problem and allow you to listen on the secure port from
anywhere, also solving the dynamic DNS update problem you described above.
--
Josh
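The cron-driven approach discussed above, written out as an added example (this is not a script from the thread or from any of its participants). It assumes a placeholder host name `b.example.net`, a placeholder state file `/var/lib/dynhost/b.ip`, that the `INPUT` chain's default policy is already `DROP`, and that the rule being maintained is a plain `-s <addr> -j ACCEPT`. Beyond the basic "resolve and reinstall" step, it validates every resolved address before it reaches an iptables command line, handles names with several A records, adds new addresses before deleting stale ones so B never loses access mid-update, and leaves the existing rules alone when the lookup fails rather than locking B out:

```sh
#!/bin/sh
# Added example: keep an iptables ACCEPT rule in sync with a dynamic-DNS host.
# Assumptions (not from the thread): INPUT's default policy is DROP, set
# elsewhere; host name and state-file path are placeholders.
#
# Usage, e.g. from cron every 10 minutes:
#   */10 * * * * /usr/local/sbin/dynhost-sync.sh b.example.net /var/lib/dynhost/b.ip

IPTABLES="${IPTABLES:-iptables}"   # overridable so the logic can be dry-run
CHAIN="${CHAIN:-INPUT}"

# Resolve a name to its IPv4 A records, one per line, sorted so that two
# lookups of the same address set compare equal. getent ahostsv4 is glibc.
resolve_host() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Accept only a well-formed dotted quad, so nothing unexpected from a lookup
# (or from a tampered state file) can ever be spliced into an iptables call.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Keep only the valid addresses from a newline-separated list.
filter_valid() {
    for ip in $1; do
        is_ipv4 "$ip" && printf '%s\n' "$ip"
    done
    return 0
}

# Compute the rule changes needed to move from OLD to NEW (newline-separated
# lists). "add" lines come first so B keeps access while stale rules go away;
# addresses present in both sets are left untouched.
plan_changes() {
    old="$1"; new="$2"
    for ip in $new; do
        printf '%s\n' $old | grep -Fxq "$ip" || printf 'add %s\n' "$ip"
    done
    for ip in $old; do
        printf '%s\n' $new | grep -Fxq "$ip" || printf 'del %s\n' "$ip"
    done
    return 0
}

# Apply a plan read from stdin. -C avoids inserting a duplicate ACCEPT rule.
apply_plan() {
    while read -r action ip; do
        case "$action" in
            add) "$IPTABLES" -C "$CHAIN" -s "$ip" -j ACCEPT 2>/dev/null ||
                 "$IPTABLES" -I "$CHAIN" -s "$ip" -j ACCEPT ;;
            del) "$IPTABLES" -D "$CHAIN" -s "$ip" -j ACCEPT ;;
        esac
    done
}

main() {
    host="$1"; state="$2"
    new="$(resolve_host "$host" || true)"
    new="$(filter_valid "$new")"
    # A failed or empty lookup must not tear down the working rule: keep the
    # last known-good addresses and retry on the next cron run.
    if [ -z "$new" ]; then
        echo "$0: no usable A records for $host; rules left untouched" >&2
        return 1
    fi
    old=""
    if [ -r "$state" ]; then
        old="$(filter_valid "$(cat "$state")")"
    fi
    plan="$(plan_changes "$old" "$new")"
    if [ -n "$plan" ]; then
        printf '%s\n' "$plan" | apply_plan
        printf '%s\n' "$new" > "$state"
    fi
}

if [ $# -eq 2 ]; then
    main "$@"
fi
```

Running `IPTABLES=echo ./dynhost-sync.sh b.example.net /tmp/b.ip` prints the iptables commands that would be executed instead of running them, which is a convenient way to check the plan before wiring the script into cron. As the reply notes, this only tracks the address; it does nothing about an attacker who can spoof B's source address, which is the TLS or VPN point made above.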