Solved

Dynamic IP and firewall

Posted on 2007-03-19
1,264 Views
Last Modified: 2008-08-13
Hello Experts,

We are running a couple of web sites on our server for many different clients. We are also so kind/trustful that we allow our clients to login via ssh. Once the user wants to connect to the server we add his/her IP address to the current rules for the firewall (shorewall firewall). The problem here is that some of our clients have dynamic IP addresses and we need to always change the firewall rules file with the current IP address of the client. This is very inefficient and tedious work. Is there any way to do it more efficiently so the IP address in the shorewall rules will always be current?

A couple of things which cannot be part of the solution:
- ask the client to get a static IP
- change the shorewall firewall
- create enormous traffic by querying the IP address from the domain name, etc.

Preferable things which are part of solution:
- easy to implement
- very low overhead on traffic
- efficient

thank you
Question by:Luxana
8 Comments
 
LVL 20

Expert Comment

by:nedvis
ID: 18754159
Firewall rules for MAC address-based filtering:
http://www.shorewall.net/manpages/shorewall-maclist.html
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18756096
It is next to impossible to do that. The only way that can be simplified is to understand the IP range that your clients *can* get through DHCP from their ISP and enable ssh for the whole subnet.

*****High Security Risk*****

Cheers,
Rajesh
 
LVL 14

Expert Comment

by:pablouruguay
ID: 18756853
> clients to login via ssh.

Wrong!!!! But if you need it... the solution that I have implemented is this:

For example, I have 10 clients with different IPs. I give a separate ssh port to each client to login, close port 22, and only redirect with iptables.

It is a good solution; I implemented it in 2003 and it is still working now at an ISP (my old job).
LVL 10

Author Comment

by:Luxana
ID: 18760462
nedvis,
your solution sounds very good!!!

maclist      - Connection requests from this interface
               are compared against the contents of
               /etc/shorewall/maclist. If this option
               is specified, the interface must be
               an ethernet NIC and must be up before
               Shorewall is started.

What is meant by "interface must be up before Shorewall is started"? Isn't maclist just for local interfaces?

--------------------
pablouruguay,

Not sure if I understand. Are you saying that I should tell the client to use, for example, port 9999, open this port in shorewall to all connections and redirect everything to port 22?

---------------

What I'm thinking of is that I would rather ask the client to register with No-IP.com and renew his IP every time he needs to connect. Then in shorewall I just specify client1.no-ip.com instead of the IP address. However, I'm not sure regarding the efficiency of this solution, because there will probably be a DNS query for each packet sent.
Does anyone have experience with using domain names instead of IPs in shorewall rules?

thank you all
 
LVL 20

Expert Comment

by:nedvis
ID: 18761334
I'm sorry Luxana, I just learned this:
Shorewall firewall filtering and traffic shaping using MAC addresses pertains only to outgoing traffic and only to nodes on the LAN:
http://www.shorewall.net/MAC_Validation.html
Please disregard my post.
I'm still learning along the way.

good luck,
nedvis
 
LVL 10

Author Comment

by:Luxana
ID: 18761470
No worries, we all learn every day :-))

My solution does not work either :-) The IP gets resolved from the host name when shorewall starts, so if the client changes IP I will need to restart shorewall.

I already knew about rsivanandan's solution; I have been using it on another server, but I'm not sure if this is the solution for me in this case...

And I'm not really clear about pablouruguay's solution yet.
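One way around the "resolved only at start" problem, as an added example that is not code from this thread: a small Python script run from cron that resolves each client's dynamic-DNS name once per interval, regenerates the SSH rules only when an address actually changed, and then restarts shorewall, so there is no per-packet DNS lookup. The hostnames, the rules file path (assumed to be pulled into /etc/shorewall/rules with an INCLUDE line) and the restart command are assumptions; a client whose name does not resolve gets no rule rather than a stale one.

```python
"""Poll dynamic-DNS names and regenerate Shorewall SSH rules (added example)."""
import ipaddress
import socket
import subprocess

# Hypothetical client names -> their dynamic-DNS hostnames (assumptions).
CLIENTS = {"client1": "client1.ddns.invalid", "client2": "client2.ddns.invalid"}
# Hypothetical fragment path, assumed to be INCLUDEd from /etc/shorewall/rules.
RULES_FRAGMENT = "/etc/shorewall/rules.d/ssh-clients"


def resolve(hostname, resolver=socket.gethostbyname):
    """Return the client's current IPv4 address, or None if it cannot be resolved."""
    try:
        return str(ipaddress.ip_address(resolver(hostname)))
    except (OSError, ValueError):  # gaierror is an OSError; bad text -> ValueError
        return None


def render_rules(client_ips):
    """Build Shorewall rules-file lines (ACTION SOURCE DEST PROTO DPORT)."""
    lines = ["#ACTION SOURCE DEST PROTO DPORT"]
    for name, ip in sorted(client_ips.items()):
        if ip is None:
            lines.append(f"# {name}: hostname did not resolve, rule omitted")
            continue
        lines.append(f"# {name}")
        lines.append(f"ACCEPT net:{ip} $FW tcp 22")
    return "\n".join(lines) + "\n"


def changed_clients(previous, current):
    """Names whose address differs between two polls (added, removed or changed)."""
    return {n for n in set(previous) | set(current) if previous.get(n) != current.get(n)}


def write_and_restart(text):
    """Replace the fragment and restart shorewall so the new addresses take effect."""
    with open(RULES_FRAGMENT, "w") as f:
        f.write(text)
    subprocess.run(["shorewall", "restart"], check=True)


def refresh(clients, previous, resolver=socket.gethostbyname, apply=write_and_restart):
    """One poll: resolve every client; apply new rules only if something changed."""
    current = {name: resolve(host, resolver) for name, host in clients.items()}
    diff = changed_clients(previous, current)
    if diff:
        apply(render_rules(current))
    return current, diff
```

Persist the returned `current` mapping between cron runs (e.g. as JSON) and pass it back as `previous`, so shorewall is restarted only when a client's address moved.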
 
LVL 14

Expert Comment

by:pablouruguay
ID: 18762375
> not sure if i understand. Are you saying that I should tell client to use for example port 9999 and
> open this port by shorewall to all connections and redirect everything to port 22?

yep
 
LVL 10

Accepted Solution

by:Luxana (earned 0 total points)
ID: 19823002
I have not found any appropriate solution in here... please close.

thank you