on
dns
technitium
ubuntu
- Get link
- Other Apps
In my previous blog I create cron job to auto update iptables firewall rules based on your single DDNS hostname. Today I will be using ipset utility to filter iptables firewall rules with multiple IP addresses.
1. First, install ipset utility using package manager.
sudo apt-get install ipset iputils-ping2. Let configure iptables to allow DNS and HTTP connection.
3. Create a script named /home/ubuntu/iptables_ddns_update.sh. It will update your iptables rules to only allow your dynamic IP to access DNS and HTTP service.
#!/bin/bash
IPTABLES="/usr/sbin/iptables"
IPSET="/usr/sbin/ipset"
PING="/usr/bin/ping"
IPSET_NAME="myddnslist"
# your ddns hostname or IP
ddns_host="xxx.ddns.net"
# Create the ipset set if it does not exist
$IPSET list -n | grep -q $IPSET_NAME || $IPSET create $IPSET_NAME hash:ip
$IPSET list -n | grep -q temp || $IPSET create temp hash:ip
# extract your latest dynamic IP from the ddns hostname
# and add to the ipset temp group
if [ ! -z "$ddns_host" ]; then
for x in $ddns_host; do
y=`$PING -c 1 -t 1 $x | head -1 | cut -d ' ' -f 3 | tr -d '()'`
$IPSET add temp $y
done
fi
# swap temp to actual ipset group
ipset swap temp $IPSET_NAME
ipset destroy temp
# update iptables rules
$IPTABLES -R INPUT 5 -p tcp --dport 53 -m set --match-set $IPSET_NAME src -j ACCEPT
$IPTABLES -R INPUT 6 -p udp --dport 53 -m set --match-set $IPSET_NAME src -j ACCEPT
$IPTABLES -R INPUT 7 -p tcp -m state --state NEW --dport 80 -m set --match-set $IPSET_NAME src -j ACCEPT
3. Create a cron job /etc/cron.d/iptables_ddns_update to schedule run/check for dynamic IP changes. Below cron job will run at startup and every 10 min. Change the timing according to your preference.
# create /etc/cron.d/iptables_ddns_update with below line...
MAILTO=""
@reboot root /home/ubuntu/iptables_ddns_update.sh > /dev/null 2>&1
*/10 * * * * root /home/ubuntu/iptables_ddns_update.sh > /dev/null 2>&1
4. Double check the iptables rules again after the scheduled cron job has ran.
Comments