Solved

Dynamic IP and firewall

Posted on 2007-03-19
Last Modified: 2008-08-13
Hello Experts,

We are running a couple of web sites on our server for many different clients. We are also so kind/trustful that we allow our clients to login via ssh. Once a user wants to connect to the server we add his/her IP address to the current rules for the firewall (shorewall firewall). The problem here is that some of our clients have dynamic IP addresses and we need to always change the firewall rules file with the current IP address of the client. This is very inefficient and tedious work. Is there any way to do it more efficiently so that the IP address in the shorewall rules will always be current?

A couple of things which cannot be part of the solution:
- ask the client to get a static IP
- change the shorewall firewall
- create enormous traffic by querying the IP address from the domain name, etc.

Preferable things which should be part of the solution:
- easy to implement
- very low overhead on traffic
- efficient

thank you
0
Question by:Luxana
8 Comments
 
LVL 20

Expert Comment

by:nedvis
ID: 18754159
Firewall rules for MAC address-based filtering:
http://www.shorewall.net/manpages/shorewall-maclist.html
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18756096
It is next to impossible to do that. The only way that can be simplified is to understand the IP range that your clients *can* get through DHCP from their ISP and enable SSH for the whole subnet.

*****High Security Risk*****

Cheers,
Rajesh
0
 
LVL 14

Expert Comment

by:pablouruguay
ID: 18756853
> clients to login via ssh.

Wrong!!!! But if you need it... the solution that I have implemented is this:

For example, I have 10 clients with different IPs. I give an SSH port to each client to log in, close port 22, and you only redirect with iptables.

It is a good solution; I implemented it in 2003 and it is still working now at an ISP (my old job).
0

 
LVL 10

Author Comment

by:Luxana
ID: 18760462
nedvis,
your solution sounds very good !!!

    maclist - Connection requests from this interface are compared against
              the contents of /etc/shorewall/maclist. If this option is
              specified, the interface must be an ethernet NIC and must be
              up before Shorewall is started.

What is meant by "the interface must be up before Shorewall is started"? Isn't maclist just for local interfaces?

--------------------
pablouruguay,

Not sure if I understand. Are you saying that I should tell the client to use, for example, port 9999, open this port in shorewall to all connections, and redirect everything to port 22?

---------------

What I'm thinking of is that I would rather ask the client to register at No-IP.com and renew his IP every time he needs to connect. Then in shorewall I just specify client1.no-ip.com instead of the IP address. However, I'm not sure about the efficiency of this solution, because there will probably be a DNS query for each packet sent.
Does anyone have experience with using domain names instead of IPs in shorewall rules?

thank you all
0
 
LVL 20

Expert Comment

by:nedvis
ID: 18761334
I'm sorry Luxana I just learned this:
Shorewall firewall filtering and traffic shaping using MAC addresses pertains only to outgoing traffic and only to nodes on the LAN:
http://www.shorewall.net/MAC_Validation.html
Please disregard my post.
I'm still learning along the way.

good luck,
 nedvis
0
 
LVL 10

Author Comment

by:Luxana
ID: 18761470
No worries, we all learn every day :-))

My solution does not work either :-) The IP gets resolved from the host name when shorewall starts, so if the client changes IP I will need to restart shorewall.

I already knew about rsivanandan's solution; I have been using it on another server, but I'm not sure if this is the solution for me in this case...

And I'm not really clear about pablouruguay's solution yet.
0
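The two findings above (a dynamic-DNS name in the rules file, and Shorewall resolving that name only when it starts) point at the usual workaround: re-resolve the names on a schedule and restart Shorewall only when an address has actually changed, which keeps the DNS traffic to one lookup per client per run. The script below is an added example written for this thread, not Shorewall's own tooling or anything posted by the participants. It assumes a hypothetical client table of label to dynamic-DNS hostname, that the generated file is pulled into /etc/shorewall/rules with an INCLUDE line, and that `shorewall restart` is how rules are reloaded. The caveat a defender should keep in mind: whoever controls the dynamic-DNS name, or the answer the server's resolver receives, controls what gets allowlisted, so this narrows exposure of port 22 but does not replace key-based SSH authentication.

```python
#!/usr/bin/env python3
"""Re-resolve dynamic-DNS SSH clients and rewrite Shorewall rules on change.

Added example for this thread (not Shorewall's own code). Intended to run
from cron every few minutes: one A-record lookup per client per run, and the
firewall is only restarted when an address actually moved.
"""
import json
import os
import socket
import subprocess

# Constructed client table with hypothetical hostnames (not real No-IP names).
CLIENTS = {
    "client1": "client1.dyndns.example",
    "client2": "client2.dyndns.example",
}

RULES_HEADER = "#ACTION\tSOURCE\t\t\tDEST\tPROTO\tDEST_PORT\n"


def resolve_all(clients, resolver=socket.gethostbyname):
    """Return {label: ip} for every name that resolves right now.

    A name that fails to resolve is left out on purpose: that client loses
    access until the name works again, which is safer than keeping a stale
    address that somebody else at the same ISP may hold by now.
    """
    current = {}
    for label, host in sorted(clients.items()):
        try:
            current[label] = resolver(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            pass
    return current


def render_rules(addresses):
    """Render the SSH-accept block in Shorewall's rules column syntax."""
    lines = [RULES_HEADER]
    for label, ip in sorted(addresses.items()):
        # ACCEPT <zone>:<address> $FW tcp 22 -- a single host, not a subnet
        lines.append(f"ACCEPT\tnet:{ip}\t$FW\ttcp\t22\t# {label}\n")
    return "".join(lines)


def load_state(path):
    """Addresses written last time, so an unchanged answer costs no restart."""
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return json.load(fh)


def update(clients, rules_path, state_path,
           resolver=socket.gethostbyname,
           restart_cmd=("shorewall", "restart"),
           apply_changes=True):
    """Re-resolve, rewrite the rules file and restart Shorewall only on change.

    Returns True when the rules file was rewritten, False when nothing moved.
    """
    current = resolve_all(clients, resolver)
    if current == load_state(state_path):
        return False
    with open(rules_path, "w") as fh:
        fh.write(render_rules(current))
    with open(state_path, "w") as fh:
        json.dump(current, fh)
    if apply_changes:
        # Shorewall resolves hostnames only at start, so the restart is what
        # actually makes the new address take effect.
        subprocess.run(list(restart_cmd), check=True)
    return True


if __name__ == "__main__":
    # Assumed paths: the rules file is INCLUDEd from /etc/shorewall/rules.
    changed = update(CLIENTS, "/etc/shorewall/ssh-clients.rules",
                     "/var/lib/ssh-clients-state.json")
    print("rules rewritten, shorewall restarted" if changed else "no change")
```

Because the state file records what was last written, a cron interval of a few minutes costs only the DNS lookups themselves; the restart (the expensive part) happens only on a real address change. Dropping unresolvable names rather than keeping the old address is the fail-closed choice.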
 
LVL 14

Expert Comment

by:pablouruguay
ID: 18762375
> Not sure if I understand. Are you saying that I should tell the client to use, for example, port 9999, open this port in shorewall to all connections, and redirect everything to port 22?

yep
0
 
LVL 10

Accepted Solution

by:
Luxana earned 0 total points
ID: 19823002
I have not found any appropriate solution here... please close.

thank you
0
