Linux Netfilter discussions
* allowing packets from dynamic-dns IP
From: Yakov Lerner @ 2008-04-26 16:34 UTC (permalink / raw)
  To: netfilter

How can I have a rule that's bound to a semi-dynamic external IP (the IP changes
several times a week) that's bound to a known, fixed domain name (dynamic DNS)?

Is there a better solution than a crontab script that every 10 minutes
resolves this domain and reinstalls the iptables rule if the IP changed?

Thanks
Y.L.


* Re: allowing packets from dynamic-dns IP
From: Jan Engelhardt @ 2008-04-26 18:16 UTC (permalink / raw)
  To: Yakov Lerner; +Cc: netfilter


On Saturday 2008-04-26 18:34, Yakov Lerner wrote:

>How can I have a rule that's bound to a semi-dynamic external IP (IP changes
>several times a week) that's bound to known fixed domain name (dynamic-dns) ?
>
>Is there better solution than crontab-script, that every 10 minutes
>resolves this domain and reinstalls iptables rule if IP changed ?

The best solution is a script that runs after the interface
was brought up. Usually this is -- depending on distro --
in /etc/sysconfig/network/if-up.d/.



* Re: allowing packets from dynamic-dns IP
From: Grant Taylor @ 2008-04-26 19:25 UTC (permalink / raw)
  To: Mail List - Netfilter

On 4/26/2008 1:16 PM, Jan Engelhardt wrote:
> The best solution is a script that runs after the interface was 
> brought up. Usually this is -- depending on distro -- in 
> /etc/sysconfig/network/if-up.d/.

I took the OP's question to be how does the static IP destination system 
adjust rules to allow a dynamic IP source system in based on the dynamic 
IP, not how does the dynamic IP system update its rules.  If the latter 
is the case, what you suggest will work great.

I think I would be tempted to use port knocking to initiate updating the 
IPTables rules.  I.e. have the dynamic system connect on a range of 
ports that will then trigger the firewall to do a DNS query and then 
update the firewall rules if need be.  I would never update the firewall 
rules based on the source IP of the knock.  I would be much more 
comfortable initiating a DNS query and trusting the query results than I 
would the arbitrary source of the port knock.

I also would be tempted to check the result of the DNS query against the 
currently allowed IP address and only change the IPTables rule if the IP 
changes.



Grant. . . .


* Re: allowing packets from dynamic-dns IP
From: Jan Engelhardt @ 2008-04-26 19:29 UTC (permalink / raw)
  To: Grant Taylor; +Cc: Mail List - Netfilter

On Saturday 2008-04-26 21:25, Grant Taylor wrote:

> On 4/26/2008 1:16 PM, Jan Engelhardt wrote:
>
>> The best solution is a script that runs after the interface was
>> brought up. Usually this is -- depending on distro -- in
>> /etc/sysconfig/network/if-up.d/.
>
> I took the OP's question to be how does the static IP destination
> system adjust rules to allow a dynamic IP source system in based on
> the dynamic IP, not how does the dynamic IP system update its
> rules.  If the latter is the case, what you suggest will work
> great.

It is the same -- the dynamic system runs a custom script in ifup
that notifies the static one. It can be port knocking, or HTTP,
or netcat.

> I think I would be tempted to use port knocking to initiate
> updating the IPTables rules.  I.e. have the dynamic system connect
> on a range of ports that will then trigger the firewall to do a DNS
> query and then update the firewall rules if need be.  I would never
> update the firewall rules based on the source IP of the knock.  I
> would be much more comfortable initiating a DNS query and trusting
> the query results than I would the arbitrary source of the port
> knock.
>
> I also would be tempted to check the result of the DNS query against the
> currently allowed IP address and only change the IPTables rule if the IP
> changes.

So why not just set up an ipsec tunnel... :^)


* Re: allowing packets from dynamic-dns IP
From: Grant Taylor @ 2008-04-26 19:42 UTC (permalink / raw)
  To: Mail List - Netfilter

On 4/26/2008 2:29 PM, Jan Engelhardt wrote:
> It is the same -- the dynamic system runs a custom script in ifup 
> that notifies the static one. Can be portknocking, or a http, or a 
> netcat.

Presuming that the dynamic system is a Linux box, sure.  However there 
are a LOT of devices that can utilize dynamic DNS that do not have the 
capability (through the provided interface(s)) to make those types of 
changes.

> So why not just set up an ipsec tunnel... :^)

Not everything can do an IPSec tunnel, nor will all devices in between 
play well with IPSec tunnels.  We don't know enough about the endpoints 
and / or what is in between to know if any thing like this will work. 
If this will work, this may indeed be better.



Grant. . . .


* Re: allowing packets from dynamic-dns IP
From: Yakov Lerner @ 2008-04-26 20:02 UTC (permalink / raw)
  To: netfilter

Allow me to rewrite and clarify my question; I was not clear:

I need to set up iptables on system A to drop packets
from all IPs except packets coming from system B.
System B has a dynamic IP (dynip.sh).  B's DNS name
is known but B's IP is not fixed. What are my options to set up iptables on A?

Y.L.


* Re: allowing packets from dynamic-dns IP
From: Josh Cepek @ 2008-04-26 22:07 UTC (permalink / raw)
  To: Yakov Lerner; +Cc: netfilter


Yakov Lerner wrote:
> Allow me rewrite and clarify my question, I was not clear:
>
> I need to setup iptables on system A to drop packets
> from all IPs except packets coming from system B.
> System B has dynamic IP (dynip.sh).  B's DNS name
> is known but B's IP is not fixed. What are my options to setup iptables on A ?
>   

iptables only deals with IP addresses, although it will convert a DNS 
name in the command to an IP (or series of IPs if the lookup returns 
multiple A records.)  As such, you can use any method you prefer in 
userland to check for and update your rules when the DNS resolution changes.

> Is there better solution than crontab-script, that every 10 minutes
> resolves this domain and reinstalls iptables rule if IP changed ?

If you have a script that works when called from cron, why use a 
different method?  Depending on your specific scenario, various options 
might be available.  As an example, if you happened to be using a VPN 
between A and B, you could have a monitor script that checks for valid 
authentication from system B and updates the iptables rule if the 
address has changed (of course, then you wouldn't need to restrict 
inbound traffic - see below.)  Regardless of what you use, the basic 
principle is always the same; you need a way to check the IP (such as by 
resolving it) and update the rule if the IP has changed.

I'll also point out that this isn't a replacement for proper IP security 
between hosts A and B; a possible attack vector on your setup would be 
another user of the subnet on the WAN side of host A executing a 
MAC-spoofing attack between you and the ISP's default gateway and then 
spoofing the IP of host B, thus enabling 2-way communication between the 
attacker and host A.  Using TLS or a VPN to secure the traffic will 
eliminate this problem and allow you to listen on the secure port from 
anywhere, which also solves the dynamic DNS update problem you described above.

-- 
Josh





* Re: allowing packets from dynamic-dns IP
From: Jan Engelhardt @ 2008-04-26 22:23 UTC (permalink / raw)
  To: Josh Cepek; +Cc: Yakov Lerner, netfilter


On Sunday 2008-04-27 00:07, Josh Cepek wrote:
> Yakov Lerner wrote:
>>
>> I need to setup iptables on system A to drop packets from all IPs
>> except packets coming from system B. System B has dynamic IP
>> (dynip.sh).  B's DNS name is known but B's IP is not fixed. What
>> are my options to setup iptables on A ?
>
> iptables only deals with IP addresses, although it will convert a
> DNS name in the command to an IP (or series of IP's if the lookup
> returns multiple A records.)

iptables will error out if it resolves to more than one and the
specific option (= most) only takes one.

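Putting the thread's advice into one script, as an added example rather than code any participant posted: the cron-driven updater the original question describes, following Josh's principle (resolve the name, compare with what is currently allowed, touch the rules only when the answer changed) and sidestepping Jan's last point by resolving in the script and emitting one -s rule per address instead of handing iptables a name that may resolve to several. The host name b.dyndns.example, the chain name FROM_B, the state file under /var/lib/dynfw and the script name dynfw.sh are assumptions for the example. A failed lookup deliberately leaves the existing rules untouched, so a DNS outage cannot flush the chain and lock B out.

```shell
#!/bin/sh
# dynfw.sh: keep an iptables chain on host A in sync with the dynamic-DNS
# name of host B.  Added example for this thread, not code from any
# participant.  HOST_B, the chain FROM_B and the state file path are
# assumed placeholders; change them to suit.
#
# One-time setup on A (not done by this script):
#   iptables -N FROM_B
#   iptables -I INPUT 1 -j FROM_B
#   iptables -A INPUT -i lo -j ACCEPT
#   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#   iptables -P INPUT DROP
# Cron entry, every 10 minutes:
#   */10 * * * * /usr/local/sbin/dynfw.sh run
set -eu

HOST_B=${HOST_B:-b.dyndns.example}       # assumed dynamic-DNS name of B
CHAIN=${CHAIN:-FROM_B}                   # chain holding the per-address ACCEPTs
STATE=${STATE:-/var/lib/dynfw/$CHAIN.addrs}
IPT=${IPT:-iptables}                     # set IPT="echo iptables" to dry-run

# All IPv4 addresses the system resolver returns for a name, one per line,
# sorted and de-duplicated (getent prints one line per socket type).
resolve_v4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Turn a space-separated list into sorted one-per-line form so that
# comparisons ignore ordering and duplicates.
normalise() {
    tr ' ' '\n' | grep -v '^$' | sort -u
}

# True (exit 0) when the old and new address lists differ.
addrs_changed() {
    old=$(printf '%s' "$1" | normalise)
    new=$(printf '%s' "$2" | normalise)
    [ "$old" != "$new" ]
}

# Accept only dotted-quad tokens; resolver output is never passed to
# iptables unchecked.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the iptables commands that rebuild CHAIN for the given address list:
# one -s rule per address, so several A records are handled like one.
# Printing rather than executing keeps this testable and dry-runnable.
build_rules() {
    echo "$IPT -F $CHAIN"
    for a in $1; do
        is_ipv4 "$a" || { echo "refusing non-IPv4 token: $a" >&2; return 1; }
        echo "$IPT -A $CHAIN -s $a -j ACCEPT"
    done
}

main() {
    new=$(resolve_v4 "$HOST_B" | tr '\n' ' ')
    # A failed lookup must not flush the chain: keep the last known-good rules.
    [ -n "${new% }" ] || { echo "no A records for $HOST_B, rules unchanged" >&2; exit 1; }
    old=$(cat "$STATE" 2>/dev/null || true)
    if addrs_changed "$old" "$new"; then
        build_rules "$new" | sh -e
        mkdir -p "$(dirname "$STATE")"
        printf '%s\n' "$new" > "$STATE"
        logger -t dynfw "$CHAIN now allows: $new"
    fi
}

# Only act when invoked as "dynfw.sh run"; sourcing the file just defines
# the functions.
if [ "${1:-}" = run ]; then
    main
fi
```

Flushing the chain and re-adding rules leaves a window of a few milliseconds in which B's packets hit the DROP policy; where ipset is available, loading the new addresses into a second set and using ipset swap makes the replacement atomic. Note also what this design trusts: the record can be changed by anyone who holds B's dynamic-DNS credentials, and the answer travels unauthenticated to A's resolver, which is why Josh's caveat about putting TLS or a VPN between A and B still applies.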
