Solved

Dynamic IP and firewall

Posted on 2007-03-19
8
1,261 Views
Last Modified: 2008-08-13
Hello Experts,

We are running couple of web sites on our server for many different clients. We are also so kind/trustful that we allow our clients to login via ssh. Once the user wants to connect to server we add his/her IP address tu current rules for firewall( shorewall firewall ). The problem here is that some of our clients have dynamic IP addresses and we need to always change the firewall rules file with current IP address of client. This is very inefficient, and tedious work. Is that any way to do it more efficiently so the IP address in shorewall rules will be always current?

Couple things which can not be part of solution:
- ask client to get static IP
- change shorewall firewall
- create enormous traffic by querying ip address from domain name, etc..

Preferable things which are part of solution:
- easy to implement
- very low overhead on traffic
- efficient

thank you
0
Comment
Question by:Luxana
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 20

Expert Comment

by:nedvis
ID: 18754159
firewall rules for MAC address-based filtering
http://www.shorewall.net/manpages/shorewall-maclist.html
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18756096
It is next to impossible to do that. The only way that can be simplified is to understand the ip range that your clients *can* get through dhcp from their ISP and enable ssh for the whole subnet

*****High Security Risk*****

Cheers,
Rajesh
0
 
LVL 14

Expert Comment

by:pablouruguay
ID: 18756853
> clients to login via ssh.

wrong.!!!! but if you need... the solution that i have implemented it is... :

for exmaple i have 10 clients with differents IP. i give a ssh port to anyclient to login and close the port 22 and you only redirect with iptables.

is a good solution, i was implmented in 2003 and is working still now in a ISP (my old job)
0
Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

 
LVL 10

Author Comment

by:Luxana
ID: 18760462
nedvis,
your solution sounds very good !!!

maclist      - Connection requests from this interface
                    are compared against the contents of
                   /etc/shorewall/maclist. If this option
                   is specified, the interface must be
                   an ethernet NIC and must be up before
                  Shorewall is started.

What is meant by interface must be up before Shorewall is started? Is not maclist just for local interfaces?

--------------------
pablouruguay,

not sure if i understand. Are you saying that I should tell client to use for example port 9999 and open this port by shorewall to all connections and redirect everything to port 22?

---------------

what I'm thinking of is that I rather ask client to register No-IP.com and renew his IP every time he needs to connect . Then in shorewall I just specify client1.no-ip.com instead if IP address. However I'm not sure regarding to efficiency of this solution because there will be probably DNS query for each packet sent.  
 anyone have experience with using domain names instead of IPs in shorewall rules?

thank you all
0
 
LVL 20

Expert Comment

by:nedvis
ID: 18761334
I'm sorry Luxana I just learned this:
Shorewall firewall filtering and trafic shaping using MAC addresses pertains only to outgoing traffic and only to nodes on LAN :
http://www.shorewall.net/MAC_Validation.html
Please disregard my post.
I'm still learning along  the way.

good luck,
 nedvis
0
 
LVL 10

Author Comment

by:Luxana
ID: 18761470
no worries , we all learn every day:-))

my solution does not work eighter :-) The ip gets resovned from host name when shorewall starts so if client changes ip I will need to restart shorewall.

I already new about rsivanandan's solution I have using it on other server but not sure if this is the solution for me in this case...

and i'm not realy clear about pablouruguay's solution yet.
0
 
LVL 14

Expert Comment

by:pablouruguay
ID: 18762375
>not sure if i understand. Are you saying that I should tell client to use for example port 9999 and >open this port by shorewall to all connections and redirect everything to port 22?

yep
0
 
LVL 10

Accepted Solution

by:
Luxana earned 0 total points
ID: 19823002
I have not find any appropriate solution in here... please close

thank you
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Over the last ten+ years I have seen Linux configuration tools come and go. In the early days there was the tried-and-true, all-powerful linuxconf that many thought would remain the one and only Linux configuration tool until the end of times. Well,…
If you have a server on collocation with the super-fast CPU, that doesn't mean that you get it running at full power. Here is a preamble. When doing inventory of Linux servers, that I'm administering, I've found that some of them are running on l…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

807 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question