* Dynamic IP address in a rule?
@ 2009-04-25 12:12 Paddie O'Brien
  2009-04-26 19:43 ` Jorge Bastos
  2009-04-27 11:57 ` Pascal Hambourg
  0 siblings, 2 replies; 13+ messages in thread
From: Paddie O'Brien @ 2009-04-25 12:12 UTC (permalink / raw)
  To: netfilter

Hi,

My IP is dynamically assigned and I want a rule like this one:

iptables -I INPUT 1 -d my_ip_address  -m state --state NEW -j ULOG

Can a rule work out the IP address of its host?

Thanks,
P


* Re: Dynamic IP address in a rule?
  2009-04-25 12:12 Dynamic IP address in a rule? Paddie O'Brien
@ 2009-04-26 19:43 ` Jorge Bastos
  2009-04-26 22:38   ` Bruno Moreira Guedes
  2009-04-27  6:41   ` lists
  2009-04-27 11:57 ` Pascal Hambourg
  1 sibling, 2 replies; 13+ messages in thread
From: Jorge Bastos @ 2009-04-26 19:43 UTC (permalink / raw)
  To: Paddie O'Brien; +Cc: netfilter

> Hi,
>
> My IP is dynamically assigned and I want a rule like this one:
>
> iptables -I INPUT 1 -d my_ip_address  -m state --state NEW -j ULOG
>
> Can a rule work out the IP address of its host?

That's a nice question. Instead of the dynamic IP on the rule, having a
dynamic host on it like:

iptables -I INPUT -i eth0 -d myhost.dyndns.org -p tcp --dport 80 -j ACCEPT

When this runs, the rule will stay with the IP address that was grabbed
from the dynamic host, and when the IP changes, the rule won't work
anymore.
My question is, is there no way to make iptables always check the host
instead of translating the host to an IP at the rule apply stage?




* Re: Dynamic IP address in a rule?
  2009-04-26 19:43 ` Jorge Bastos
@ 2009-04-26 22:38   ` Bruno Moreira Guedes
  2009-04-27  8:30     ` Jorge Bastos
  2009-04-27  6:41   ` lists
  1 sibling, 1 reply; 13+ messages in thread
From: Bruno Moreira Guedes @ 2009-04-26 22:38 UTC (permalink / raw)
  To: netfilter

2009/4/26 Jorge Bastos <mysql.jorge@decimal.pt>
>
> > Hi,
> >
> > My IP is dynamically assigned and I want a rule like this one:
> >
> > iptables -I INPUT 1 -d my_ip_address  -m state --state NEW -j ULOG
> >
> > Can a rule work out the IP address of its host?
>
> That's a nice question. Instead of the dynamic IP on the rule, having a
> dynamic host on it like:
>
> iptables -I INPUT -i eth0 -d myhost.dyndns.org -p tcp --dport 80 -j ACCEPT
>
> When this runs, the rule will stay with the IP address that was grabbed
> from the dynamic host, and when the IP changes, the rule won't work
> anymore.

Just because of that I don't like dynamic IPs. But, are you using more
than one IP on that interface?? So, if you use more than one, there
is only one you don't know (probably): specify the rules for the ones
you know first!!
If you have only one IP address, try simply doing the rule for the
incoming interface and be happy ;)

Another way is to set your after-dhcp script to reload your firewall!!

> My question is, is there no way to make iptables always check the host
> instead of translating the host to an IP at the rule apply stage?
>
>

-- Bruno M. Guedes


* RE: Dynamic IP address in a rule?
  2009-04-26 19:43 ` Jorge Bastos
  2009-04-26 22:38   ` Bruno Moreira Guedes
@ 2009-04-27  6:41   ` lists
  2009-04-27  6:46     ` Ivan Petrushev
  2009-04-27 13:23     ` Bruno Moreira Guedes
  1 sibling, 2 replies; 13+ messages in thread
From: lists @ 2009-04-27  6:41 UTC (permalink / raw)
  To: Netfilter

> That's a nice question. Instead of the dynamic IP on the rule,
> having a dynamic host on it like:
> 
> iptables -I INPUT -i eth0 -d myhost.dyndns.org -p tcp --dport 80 -j
> ACCEPT
> 
> When this runs, the rule will stay with the IP address that was
> grabbed from the dynamic host, and when the IP changes, the rule
> won't work anymore.
> My question is, is there no way to make iptables always check the
> host instead of translating the host to an IP at the rule apply stage?

If iptables would have to perform a DNS lookup every time a packet
passes, I think it would be terribly slow and probably not usable for
packet filtering.


Grts,
Rob




* Re: Dynamic IP address in a rule?
  2009-04-27  6:41   ` lists
@ 2009-04-27  6:46     ` Ivan Petrushev
  2009-04-27  6:56       ` lists
  2009-04-27 13:23     ` Bruno Moreira Guedes
  1 sibling, 1 reply; 13+ messages in thread
From: Ivan Petrushev @ 2009-04-27  6:46 UTC (permalink / raw)
  To: lists; +Cc: Netfilter

> If iptables would have to perform a DNS lookup every time a packet
> passes, I think it would be terribly slow and probably not usable for
> packet filtering.
Actually the DNS lookup is performed only once - at the time the rule
is inserted/appended. If the DNS returns more than one IP per name, a
number of rules is inserted, one with each IP returned.


* RE: Dynamic IP address in a rule?
  2009-04-27  6:46     ` Ivan Petrushev
@ 2009-04-27  6:56       ` lists
  2009-04-27  7:08         ` Ivan Petrushev
  0 siblings, 1 reply; 13+ messages in thread
From: lists @ 2009-04-27  6:56 UTC (permalink / raw)
  To: 'Netfilter'

> > If iptables would have to perform a DNS lookup every time a packet
> > passes, I think it would be terribly slow and probably not usable
> > for packet filtering.
> 
> Actually the DNS lookup is performed only once - at the time the
> rule is inserted/appended. If the DNS returns more than one IP per
> name, a number of rules is inserted, one with each IP returned.

Yes, that's more or less what Jorge described. My point was that if the
Netfilter framework had to perform a DNS lookup for each (new?) packet
that it has to check, I think it would be quite slow (think about DNS
query timeouts, etc) and not so usable as it is now.


Grts,
Rob




* Re: Dynamic IP address in a rule?
  2009-04-27  6:56       ` lists
@ 2009-04-27  7:08         ` Ivan Petrushev
  0 siblings, 0 replies; 13+ messages in thread
From: Ivan Petrushev @ 2009-04-27  7:08 UTC (permalink / raw)
  To: lists; +Cc: Netfilter

Yes, of course it won't work in that way :)
I can't think of a solution that does not include ruleset reloading
after X time... It would be best if you can bypass the changeable
"address" part of the rules with something else - like in/out
interface. It would work if your station doesn't have aliases and the
rules are not targeting a specific host if the machine is a router.

On Mon, Apr 27, 2009 at 9:56 AM,  <lists@sterenborg.info> wrote:
>> > If iptables would have to perform a DNS lookup every time a packet
>> > passes, I think it would be terribly slow and probably not usable
>> > for packet filtering.
>>
>> Actually the DNS lookup is performed only once - at the time the
>> rule is inserted/appended. If the DNS returns more than one IP per
>> name, a number of rules is inserted, one with each IP returned.
>
> Yes, that's more or less what Jorge described. My point was that if the
> Netfilter framework had to perform a DNS lookup for each (new?) packet
> that it has to check, I think it would be quite slow (think about DNS
> query timeouts, etc) and not so usable as it is now.
>
>
> Grts,
> Rob
>
>


* Re: Dynamic IP address in a rule?
  2009-04-26 22:38   ` Bruno Moreira Guedes
@ 2009-04-27  8:30     ` Jorge Bastos
  2009-04-27  8:52       ` Daniel Huhardeaux
  2009-04-27 11:48       ` Pascal Hambourg
  0 siblings, 2 replies; 13+ messages in thread
From: Jorge Bastos @ 2009-04-27  8:30 UTC (permalink / raw)
  To: Bruno Moreira Guedes; +Cc: netfilter

> Just because of that I don't like dynamic IPs. But, are you using more
> than one IP on that interface?? So, if you use more than one, there
> are only one you don't know(probably), specify the rules for the ones
> you know first!!
> If you have only one IP address, try simply doing the rule for the
> incoming interface and be happy ;)
>
> Another way is to set your after-dhcp script to reload your firewall!!

That is no solution. It may be for your scenario but not for most
people. Just think, if what makes the connection is a modem, and you have
your *unix machine on NAT, that won't work.
Second, imagine that you have a fixed IP, and want to allow for a situation
somebody that has a dynamic IP, and allow it with its dynamic host, how
would you? You wouldn't; the best way is to write some sort of script to
check when the IP on the host changes, and remove/reinsert the rule with
the dynamic host.

For iptables to do a DNS query every time a packet comes, that's a disaster.
But another thing comes to mind: when doing "iptables -L" it does a reverse
lookup on the IPs. Is iptables doing a reverse lookup on every packet, or
only when listing the rules?



* Re: Dynamic IP address in a rule?
  2009-04-27  8:30     ` Jorge Bastos
@ 2009-04-27  8:52       ` Daniel Huhardeaux
  2009-04-27  8:56         ` Jorge Bastos
  2009-04-27 11:48       ` Pascal Hambourg
  1 sibling, 1 reply; 13+ messages in thread
From: Daniel Huhardeaux @ 2009-04-27  8:52 UTC (permalink / raw)
  To: netfilter

Jorge Bastos wrote:
>> [...]
>>
>> Another way is to set your after-dhcp script to reload your firewall!!
>>     
>
> That is no solution. It may be for your scenario but not for most
> people. Just think, if what makes the connection is a modem, and you have
> your *unix machine on NAT, that won't work
It works. You can:

a) run a script to connect to your modem via http (eg wget), extract 
your IP and reload iptables rules
b) if you can't connect to your modem, run a script to go to 
http://www.whatismyip.com/tools/ip-address-lookup.asp and do the same 
that above

-- 
Daniel Huhardeaux



* Re: Dynamic IP address in a rule?
  2009-04-27  8:52       ` Daniel Huhardeaux
@ 2009-04-27  8:56         ` Jorge Bastos
  0 siblings, 0 replies; 13+ messages in thread
From: Jorge Bastos @ 2009-04-27  8:56 UTC (permalink / raw)
  To: Daniel Huhardeaux; +Cc: netfilter

>> That is no solution. It may be for your scenario but not for most
>> people. Just think, if what makes the connection is a modem, and you have
>> your *unix machine on NAT, that won't work
> It works. You can:
>
> a) run a script to connect to your modem via http (eg wget), extract
> your IP and reload iptables rules
> b) if you can't connect to your modem, run a script to go to
> http://www.whatismyip.com/tools/ip-address-lookup.asp and do the same
> that above
>

It's pretty much what i said, a script to do the job.



* Re: Dynamic IP address in a rule?
  2009-04-27  8:30     ` Jorge Bastos
  2009-04-27  8:52       ` Daniel Huhardeaux
@ 2009-04-27 11:48       ` Pascal Hambourg
  1 sibling, 0 replies; 13+ messages in thread
From: Pascal Hambourg @ 2009-04-27 11:48 UTC (permalink / raw)
  To: netfilter

Hello,

Jorge Bastos wrote:
> 
> That is no solution. It may be for your scenario but not for most
> people. Just think, if what makes the connection is a modem, and you have
> your *unix machine on NAT, that won't work.

Whether the host is behind a NAT device or not is irrelevant. If there 
is a NAT device, its address is irrelevant to the iptables running on 
the host behind it.

> For iptables to do a DNS query every time a packet comes, that's a disaster.
> But another thing comes to mind: when doing "iptables -L" it does a reverse
> lookup on the IPs. Is iptables doing a reverse lookup on every packet, or
> only when listing the rules?

Only when adding/removing/listing rules.
iptables comes in two parts:
1) A userland part, usually the iptables command, which adds/removes/lists
rules into the kernel. Before doing so it may do DNS lookups to resolve
names into addresses.
2) A kernel part which enforces the ruleset for every packet. It does
not do DNS lookups, as the kernel itself does not even know about DNS
(/etc/resolv.conf et al. are userland stuff).


* Re: Dynamic IP address in a rule?
  2009-04-25 12:12 Dynamic IP address in a rule? Paddie O'Brien
  2009-04-26 19:43 ` Jorge Bastos
@ 2009-04-27 11:57 ` Pascal Hambourg
  1 sibling, 0 replies; 13+ messages in thread
From: Pascal Hambourg @ 2009-04-27 11:57 UTC (permalink / raw)
  To: netfilter

Hello,

Paddie O'Brien wrote:
> 
> My IP is dynamically assigned and I want a rule like this one:
> 
> iptables -I INPUT 1 -d my_ip_address  -m state --state NEW -j ULOG

Why? What do you want to achieve exactly?

> Can a rule work out the IP address of its host?

What address? A node may have more than one single address, and usually
does: typically the loopback address range 127.0.0.0/8 and one or more
addresses assigned to each "real" interface. If a packet arrives in the
INPUT chain, it implies that its destination address is assigned to the
node. Otherwise the packet is discarded if the node is a simple host, or
sent to the FORWARD chain if the node is a router.


* Re: Dynamic IP address in a rule?
  2009-04-27  6:41   ` lists
  2009-04-27  6:46     ` Ivan Petrushev
@ 2009-04-27 13:23     ` Bruno Moreira Guedes
  1 sibling, 0 replies; 13+ messages in thread
From: Bruno Moreira Guedes @ 2009-04-27 13:23 UTC (permalink / raw)
  To: Netfilter

2009/4/27  <lists@sterenborg.info>:
>> That's a nice question. Instead of the dynamic IP on the rule,
>> having a dynamic host on it like:
>>
>> iptables -I INPUT -i eth0 -d myhost.dyndns.org -p tcp --dport 80 -j
>> ACCEPT
>>
>> When this runs, the rule will stay with the IP address that was
>> grabbed from the dynamic host, and when the IP changes, the rule
>> won't work anymore.
>> My question is, is there no way to make iptables always check the
>> host instead of translating the host to an IP at the rule apply stage?
>
> If iptables would have to perform a DNS lookup every time a packet
> passes, I think it would be terribly slow and probably not usable for
> packet filtering.
>
>
> Grts,
> Rob
>
>

Would you imagine what netfilter's behaviour is if you add a rule like:
iptables -A OUTPUT -p udp --dport 53 -s myhost.mydomain.ext -j ACCEPT

I really don't know if the kernel is even able to resolve DNS, because
in the most common cases libc does it for us. So, the DNS resolution
is done by the iptables user-space tool, at the moment you add the
rule, and it sends the resolved IP(s) to the kernel.

This is because iptables won't perform a DNS lookup every time a packet passes.
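The "script that re-resolves the name and reinserts the rule" that Jorge, Bruno and Daniel suggest, built on the userland/kernel split Pascal and Bruno describe (iptables resolves at insert time, the kernel only ever sees addresses), as an added example that is not from the thread. It follows Jorge's second scenario (a fixed-IP host allowing a remote dynamic host, hence -s); HOST, IFACE, STATE, IPTABLES, resolve_v4, rule_delta and sync_rule are assumed names of this example, and a failed lookup deliberately leaves the current rules in place rather than deleting them.

```shell
#!/bin/sh
# Added example, not from the thread: keep a rule in step with a dynamic DNS
# name. iptables resolves the name once, when the rule is inserted, and the
# kernel only holds the address, so a change means deleting the stale rule
# and inserting a fresh one. HOST, IFACE, STATE and IPTABLES are our names.
HOST=${HOST:-myhost.dyndns.org}
IFACE=${IFACE:-eth0}
STATE=${STATE:-/var/run/dynrule.addr}   # cache of the addresses last applied
IPTABLES=${IPTABLES:-iptables}
# Current IPv4 addresses of $1, one per line, through the same libc resolver
# iptables uses. The answer is plain DNS: the rule is only as trustworthy.
resolve_v4() {
    getent ahostsv4 "$1" | awk '$2 == "STREAM" { print $1 }' | sort -u
}

# Print the commands that take the rule set from address list $1 to list $2
# (whitespace-separated). Text only, so the logic is checkable offline.
rule_delta() {
    from=" $(echo $1) "   # unquoted echo joins the lines with single spaces
    to=" $(echo $2) "
    for a in $from; do
        case "$to" in *" $a "*) ;; *)
            printf '%s -D INPUT -i %s -s %s -p tcp --dport 80 -j ACCEPT\n' \
                "$IPTABLES" "$IFACE" "$a" ;;
        esac
    done
    for a in $to; do
        case "$from" in *" $a "*) ;; *)
            printf '%s -I INPUT -i %s -s %s -p tcp --dport 80 -j ACCEPT\n' \
                "$IPTABLES" "$IFACE" "$a" ;;
        esac
    done
}

# Resolve, diff against the cache, apply the delta, refresh the cache. Run it
# from cron or a dhclient/ppp "up" hook. A failed lookup leaves the existing
# rules alone instead of silently deleting them.
sync_rule() {
    old=""
    [ -f "$STATE" ] && old=$(cat "$STATE")
    new=$(resolve_v4 "$HOST")
    if [ -z "$new" ]; then
        echo "$HOST did not resolve; rules left unchanged" >&2
        return 1
    fi
    rule_delta "$old" "$new" | sh -e && printf '%s\n' $new > "$STATE"
}

case "${1:-}" in sync) sync_rule ;; esac
```

Invoke as `./dynrule.sh sync` from the hook; only the address that actually changed is touched, so unrelated rules and their position in the chain are not disturbed.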

