How to play with rules and DynDNS objects

Although the Objects created only allow you to define IPs/MACs, I have tried a procedure to be able to define DynDNS in order to create rules with dynamic objects.

I explain it to you:

  1. We try to create the dynamic object, but we see that it won’t let us and it’s only limited to IP/MAC.
  2. So, we create an object with 0.0.0.0 (for example).
  3. We edit the “customhost” file and see the corresponding line.
  4. We modify the line removing the IP/Mask and putting the dynamic object that interests us.
  5. In “HOST” we see that it is already modified.
  6. We can now create the corresponding rule using this dynamic object.

I’ve tested it and it seems to work fine. The interesting thing would be that from “HOST” it would allow adding these dynamic objects without having to modify the “customhost” file.

What do you think?

Greetings.

iptables resolves a DNS entry to the IP address once, at load of the rule, so it will not reflect later changes.


Oh!!! I mean, it works but not completely. This data is not updated/verified with each hit, right?

It is a pity.

There wouldn’t be a way to fix it, right?

Thank you Arne for explaining it.

Could the same thing be done without making so many modifications to the “/etc/sysconfig/firewall.local” file and creating a cron task to do a reload every 10 minutes?

Thanks again.

IPTables works with the raw packets. These do not contain any FQDNs.
Therefore the program for administration of the tables must resolve these names before adding the rule.
If you use names in your input to iptables, you have to assure that the relation name <—> IP is valid. This can be done by a firewall restart every 10 minutes. This is a conservative approach, because you cannot predict a possible change.


Thanks to both of you. I already understand clearly.

Thank you.

Hi guys!!!

I have tried to ask the Bing AI how to manage dynamic IPs with iptables and this is what it has answered me:

An example shell script to update iptables with a dynamic IP would be the following:

#!/bin/bash
HOSTNAME=ejemplo.dyndns.org
LOGFILE=/tmp/dyndns.log
CADENA="dynamichosts"
IP_actual=$(host $HOSTNAME | cut -f4 -d' ')
if [ $LOGFILE = "" ] ; then
    iptables -I $CADENA -i eth1 -s $IP_actual -p tcp --dport ssh -j ACCEPT
    echo $IP_actual > $LOGFILE
else
    IP_anterior=$(cat $LOGFILE)
    if [ "$IP_actual" = "$IP_anterior" ] ; then
        echo la direccion IP no ha cambiado
    else
        iptables -D $CADENA -i eth1 -s $IP_anterior -p tcp --dport ssh -j ACCEPT
        iptables -I $CADENA -i eth1 -s $IP_actual -p tcp --dport ssh -j ACCEPT
        echo $IP_actual > $LOGFILE
        echo iptables actualizadas
    fi
fi

This script checks if the IP address associated with a hostname has changed, and if so, updates the iptables rules to allow access to port 22 (ssh) from the new IP address. Finally, you can add this script to the crontab so that it runs every 5 minutes:

*/5 * * * * /root/comprueba_dyndns.sh > /dev/null 2>&1

What do you think of the answer? Is it viable?

Thank you for your wise answers.

@roberto I think there is a problem with the script. You assign the log file at the beginning of the script, using LOGFILE=/tmp/dyndns.log, therefore

if [ $LOGFILE = "" ] 

will always be false.

Maybe you can use the -s flag instead. The -s flag returns true if the file exists and has a size greater than zero, and it returns false if the file does not exist or if the file exists but its size is zero (meaning it’s empty).

This would be the test:

if [ ! -s $LOGFILE ] ; then

About the next test, keep in mind that using = is for a generic shell while == is for bash, but both should work. Also a test in bash can be done with [[...]] which has more features than [...]. Again, both should work.

A final comment, the host command in line 5 can return more than one IP (like in load balancing). Your script assumes only one IP.

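An added example that is not from this thread or from any of its posters: a refresh script that applies the two review points above (the `-s` file test, and a name that resolves to several addresses) by diffing the old and new address sets instead of assuming a single IP. The chain name "dynamichosts", the interface eth1 and the state file path are assumptions.

```shell
# Added example, not from the thread: keep an iptables chain in step with a DynDNS
# name, covering the "-s" file test and names resolving to several addresses.
# Assumed names: chain "dynamichosts", interface eth1, state file path below.
set -u
CHAIN="dynamichosts"; IFACE="eth1"; STATE="/tmp/dyndns.state"

# Keep only IPv4 answers ("<name> has address <ip>") from "host" output on stdin;
# IPv6 and alias lines are dropped and duplicates collapsed.
parse_host_output() {
    awk '$2 == "has" && $3 == "address" { print $4 }' | sort -u
}

# Addresses stored by the previous run; a missing or empty file yields nothing.
previous_ips() {
    if [ -s "$STATE" ]; then sort -u "$STATE"; fi
}

# Print the iptables commands that turn the old address set ($1) into the new
# one ($2), both newline separated. Commands are printed, not run, so the plan
# can be inspected before it is piped to "sh".
plan_changes() {
    old=$(printf '%s\n' "$1" | sed '/^$/d' | sort -u)
    new=$(printf '%s\n' "$2" | sed '/^$/d' | sort -u)
    for ip in $old; do   # address gone: delete its rule
        printf '%s\n' "$new" | grep -qxF "$ip" ||
            echo "iptables -D $CHAIN -i $IFACE -s $ip -p tcp --dport ssh -j ACCEPT"
    done
    for ip in $new; do   # address appeared: insert a rule
        printf '%s\n' "$old" | grep -qxF "$ip" ||
            echo "iptables -I $CHAIN -i $IFACE -s $ip -p tcp --dport ssh -j ACCEPT"
    done
}

# A failed lookup leaves the current rules untouched instead of flushing them.
# The rule trusts whatever DNS answers, so keep the allowed port narrow.
main() {
    new=$(host "$1" 2>/dev/null | parse_host_output)
    if [ -z "$new" ]; then
        echo "lookup of $1 failed; rules unchanged" >&2
        return 1
    fi
    plan_changes "$(previous_ips)" "$new" | sh
    printf '%s\n' "$new" > "$STATE"
}

if [ $# -ge 1 ]; then main "$1"; fi
```

Run it as root from cron with the DynDNS name as its only argument; with no argument it only defines the functions.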