Kamal Nasser

IP Tables and Dynamic DNS

Having a dynamic IP address sucks. I always lock down my servers and allow SSH access only from trusted sources. Since I have a dynamic IP address, I need my IP Tables rules to be updated automatically every time my IP address changes.

I use No-IP for my dynamic DNS hostname, but you can use any service you like. You can even cook up your own dynamic DNS client that uses your DNS provider's API; just make sure the hostname points to your current IP address at all times.

I have my IP Tables set up like this:

# SSH Chain
iptables -N SSH # Create the SSH chain
iptables -A INPUT -p tcp -m tcp --dport 22 -j SSH # Jump to the SSH chain on connection to port 22/tcp
iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP # If nothing in the SSH chain accepted the packet, it falls through to this rule and is dropped.

iptables -N DYNAMIC # Create the DYNAMIC chain
iptables -A SSH -j DYNAMIC # Jump from the SSH chain to the DYNAMIC chain

I have also created a bash script that updates the DYNAMIC chain every minute:

#!/bin/bash
iptables -F DYNAMIC # Flush the DYNAMIC chain
iptables -A DYNAMIC -s my-dynamic-dns-hostname.com -j ACCEPT # Accept packets from my-dynamic-dns-hostname.com (iptables resolves the hostname when the rule is added)

I saved it as /root/dyndns.sh and added a crontab entry that runs it every minute (* * * * *).
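A hardened variant of that refresh script, added here as an example and not the post's own /root/dyndns.sh: it checks that the hostname resolves to a valid IPv4 address before touching the chain, skips the update when the address has not changed, and inserts the new rule before deleting the old ones so there is never a moment with an empty DYNAMIC chain (the original flush-then-append briefly blocks SSH, and a failed lookup would leave the chain empty until the next run). The STATE_FILE cache path, the use of getent, and keeping only the first IPv4 address are assumptions.

```bash
#!/bin/bash
# Added example, not the original /root/dyndns.sh: refresh the DYNAMIC chain
# only when the hostname resolves to a valid IPv4 address and that address has
# changed, so a failed DNS lookup never leaves the chain empty and locks you out.
# Assumptions: the DYNAMIC chain already exists, `getent` is available, and the
# last accepted address may be cached in $STATE_FILE.

STATE_FILE="${STATE_FILE:-/run/dyndns-allowed-ip}"   # assumed cache location
IPTABLES="${IPTABLES:-iptables}"                      # overridable for testing

# Succeed only if $1 is a dotted quad with every octet in 0..255.
is_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# First IPv4 address the system resolver returns for hostname $1 (empty on failure).
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1; exit}'
}

# Make $1 the only address accepted by DYNAMIC. The new rule is inserted at the
# top before the old ones are deleted, so there is no moment with an empty chain.
update_chain() {
    is_ipv4 "$1" || { echo "dyndns: refusing to install '$1' as a source" >&2; return 1; }
    "$IPTABLES" -I DYNAMIC 1 -s "$1" -j ACCEPT || return 1
    while "$IPTABLES" -D DYNAMIC 2 2>/dev/null; do :; done
}

main() {
    ip=$(resolve_ipv4 "$1")
    if ! is_ipv4 "$ip"; then
        echo "dyndns: could not resolve $1, keeping the current rules" >&2
        return 1
    fi
    [ "$ip" = "$(cat "$STATE_FILE" 2>/dev/null)" ] && return 0   # unchanged
    update_chain "$ip" && printf '%s\n' "$ip" > "$STATE_FILE"
}

# Cron entry: * * * * * /root/dyndns.sh my-dynamic-dns-hostname.com
if [ $# -ge 1 ]; then main "$1"; fi
```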