Comments on The howto blog: Allow host with dynamic ip through iptables firewall
Blog author: Jon Skarpeteig (http://www.blogger.com/profile/14065966931844045213). Comment feed last updated 2023-07-30; 5 comments, newest first.

Martijn (2018-08-04 13:28 +02:00):
Could I run the script twice with different hostnames?

Luis (2016-02-11 03:53 +01:00):
Where exactly do you add this part? At the end?

Anonymous (2014-07-04 02:11 +02:00):
Also it appears that iptables will not accept chains with names longer than 28 characters. So I also used this to truncate the chain name:

# Truncate $DYNHOST to 28 characters
DYNHOST=${DYNHOST:0:28}

Anonymous (2014-07-04 00:18 +02:00):
Thanks for posting this. I have added some of my own tweaks to this script and am sharing in case anyone can find it beneficial. I added a couple of sanity checks to make sure we don't try to update iptables with an invalid IP. I also added a check that prevents iptables from being updated if there hasn't been a change to the dynamic IP address. This way we can run the script in a cron job and it automatically updates iptables as needed. Also, I'm no expert scripter, so any improvements are welcome.

Script:

#!/bin/bash

DYNHOST=$1
# Refuse to run without a hostname (an empty name would create an empty chain name)
[ -n "$DYNHOST" ] || { echo "usage: $0 hostname" >&2; exit 1; }

# Take the first IPv4 "has address" line from host(1); quoting keeps odd names intact
DYNIP=$(host "$DYNHOST" | grep -iE "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | cut -f4 -d' ' | head -n 1)

# Exit if invalid IP address is returned
case $DYNIP in
 0.0.0.0 )
 exit 1 ;;
 255.255.255.255 )
 exit 1 ;;
esac

# Exit if IP address not in proper format. The pattern is anchored with ^ and $,
# otherwise "999.1.2.3" or "1.2.3.4.5" would pass on a partial match.
if ! [[ $DYNIP =~ ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$ ]]; then
 exit 1
fi

# If chain for remote doesn't exist, create it
if ! /sbin/iptables -L "$DYNHOST" -n >/dev/null 2>&1 ; then
 /sbin/iptables -N "$DYNHOST" >/dev/null 2>&1
fi

# Check whether the chain already holds this IP; skip rest of script if update is not needed.
# iptables -C asks the kernel directly; grepping -L output would treat the dots in $DYNIP as wildcards.
if ! /sbin/iptables -C "$DYNHOST" -s "$DYNIP" -j ACCEPT >/dev/null 2>&1 ; then

 # Flush old rules, and add new
 /sbin/iptables -F "$DYNHOST" >/dev/null 2>&1
 /sbin/iptables -I "$DYNHOST" -s "$DYNIP" -j ACCEPT

 # Add chain to INPUT filter if it doesn't exist
 if ! /sbin/iptables -C INPUT -t filter -j "$DYNHOST" >/dev/null 2>&1 ; then
 /sbin/iptables -t filter -I INPUT -j "$DYNHOST"
 fi

fi

Unknown (2013-10-12 06:17 +02:00):
Hey, I had a couple of questions:

1 - does using "$HOSTNAME" in the script mess anything up, since that's a system variable too?

2 - assuming the answer to #1 is "no", I think you can simplify the second line a bit by making it:

IP=$(dig +short $HOSTNAME)
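The thread raises four things the cron script has to get right at once: validating the resolved address before it lands in a rule, respecting the 28-character chain-name limit, running for more than one hostname (Martijn's question), and resolving with dig +short, which prints CNAME targets before the A record. The script below is an added example written for this page; it is not the blog author's script or any commenter's code. It assumes bash or a POSIX sh, dig from bind-utils/dnsutils, the POSIX cksum utility and an iptables that supports -C; the file name dynhost-allow.sh, the dyn_ chain prefix and the example hostnames are made up. Instead of truncating the hostname, which would make two long names with the same prefix share one chain, the chain name is a 15-character sanitized prefix plus the CRC32 of the full hostname, so each host gets its own chain and the name stays within 28 characters.

```shell
#!/bin/bash
# dynhost-allow.sh (hypothetical name): allow one or more dynamic-DNS hosts
# through the INPUT chain, one iptables chain per host, safe to run from cron.
# Usage: dynhost-allow.sh host1.example.net [host2.example.net ...]
# Assumes: dig, cksum, sed, cut, and iptables with -C. Body is POSIX-sh compatible.
set -u

IPT="${IPT:-/sbin/iptables}"   # path to iptables; override for testing

# Strict dotted-quad check. Anchored, so "999.1.2.3" and "1.2.3.4.5" are rejected,
# and leading zeros ("01.2.3.4", octal in some tools) are rejected too.
valid_ipv4() {
    local octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eq "^$octet(\.$octet){3}$" || return 1
    case $1 in 0.0.0.0|255.255.255.255) return 1 ;; esac
    return 0
}

# dig +short prints CNAME targets before the A record and may print several
# A records; keep the first line that is a valid IPv4 address, fail if none.
first_ipv4() {
    local line
    while IFS= read -r line; do
        if valid_ipv4 "$line"; then printf '%s\n' "$line"; return 0; fi
    done
    return 1
}

# Chain names may be at most 28 characters. Plain truncation lets two long
# hostnames with a common prefix collide on one chain, so the name is
# "dyn_" + 15 sanitized characters + "_" + CRC32 of the whole lower-cased
# hostname (8 hex digits): 4 + 15 + 1 + 8 = 28. cksum's CRC is POSIX-defined.
chain_for_host() {
    local host safe crc
    host=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z')
    safe=$(printf '%s\n' "$host" | sed 's/[^a-z0-9]/_/g' | cut -c1-15)
    crc=$(printf '%s' "$host" | cksum | cut -d' ' -f1)
    printf 'dyn_%s_%08x\n' "$safe" "$crc"
}

# Idempotent update: iptables is only touched when the address changed.
update_chain() {
    local host=$1 ip=$2 chain
    chain=$(chain_for_host "$host")
    "$IPT" -N "$chain" 2>/dev/null || true                 # create if missing
    if "$IPT" -C "$chain" -s "$ip" -j ACCEPT 2>/dev/null; then
        return 0                                            # already current
    fi
    "$IPT" -F "$chain"
    "$IPT" -A "$chain" -s "$ip" -j ACCEPT                   # narrow with -p/--dport if wanted
    "$IPT" -C INPUT -j "$chain" 2>/dev/null || "$IPT" -I INPUT -j "$chain"
}

main() {
    local host ip rc=0
    for host in "$@"; do
        if ! ip=$(dig +short "$host" A | first_ipv4); then
            echo "skip $host: no valid A record" >&2
            rc=1
            continue
        fi
        update_chain "$host" "$ip" || rc=1
    done
    return $rc
}

# With no arguments only the functions are defined (handy for sourcing/testing).
if [ "$#" -gt 0 ]; then main "$@"; fi
```

A cron line such as `*/5 * * * * root /usr/local/sbin/dynhost-allow.sh laptop.example.net phone.example.net` (hypothetical hosts) keeps both chains current. Two caveats a practitioner should weigh: the ACCEPT rule admits every protocol and port from that address, so add `-p tcp --dport 22` or similar to the `-A` line if only one service is meant; and the rule is exactly as trustworthy as the DNS answer, so whoever can control or spoof that record gets the same access, which argues for a validating resolver and for keeping the per-host chains narrow.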