Dynamic IP and firewall

Hello Experts,

We are running a couple of web sites on our server for many different clients. We are also so kind/trustful that we allow our clients to log in via SSH. Once a user wants to connect to the server we add his/her IP address to the current rules for the firewall (Shorewall firewall). The problem here is that some of our clients have dynamic IP addresses and we need to always change the firewall rules file with the current IP address of the client. This is very inefficient and tedious work. Is there any way to do it more efficiently so the IP address in the Shorewall rules will always be current?

A couple of things which cannot be part of the solution:
- ask the client to get a static IP
- change the Shorewall firewall
- create enormous traffic by querying the IP address from the domain name, etc.

Preferable things which are part of the solution:
- easy to implement
- very low overhead on traffic
- efficient

thank you
LuxanaAsked:

nedvisCommented:
Firewall rules for MAC address-based filtering:
http://www.shorewall.net/manpages/shorewall-maclist.html
0
rsivanandanCommented:
It is next to impossible to do that. The only way that can be simplified is to understand the IP range that your clients *can* get through DHCP from their ISP and enable SSH for the whole subnet.

*****High Security Risk*****

Cheers,
Rajesh
0
pablouruguayCommented:
> clients to login via ssh.

Wrong!!!! But if you need it... the solution that I have implemented is:

For example, I have 10 clients with different IPs. I give an SSH port to each client to log in, close port 22, and you only redirect with iptables.

It is a good solution; I implemented it in 2003 and it is still working now at an ISP (my old job).
0

LuxanaAuthor Commented:
nedvis,
your solution sounds very good!!!

maclist      - Connection requests from this interface
               are compared against the contents of
               /etc/shorewall/maclist. If this option
               is specified, the interface must be
               an ethernet NIC and must be up before
               Shorewall is started.

What is meant by "the interface must be up before Shorewall is started"? Isn't maclist just for local interfaces?

--------------------
pablouruguay,

Not sure if I understand. Are you saying that I should tell the client to use, for example, port 9999, open this port in Shorewall to all connections, and redirect everything to port 22?

---------------

What I'm thinking of is that I'd rather ask the client to register with No-IP.com and renew his IP every time he needs to connect. Then in Shorewall I just specify client1.no-ip.com instead of the IP address. However, I'm not sure regarding the efficiency of this solution because there will probably be a DNS query for each packet sent.
Does anyone have experience with using domain names instead of IPs in Shorewall rules?

thank you all
0
nedvisCommented:
I'm sorry Luxana, I just learned this:
Shorewall firewall filtering and traffic shaping using MAC addresses pertains only to outgoing traffic and only to nodes on the LAN:
http://www.shorewall.net/MAC_Validation.html
Please disregard my post.
I'm still learning along the way.

good luck,
 nedvis
0
LuxanaAuthor Commented:
No worries, we all learn every day :-))

My solution does not work either :-) The IP gets resolved from the host name when Shorewall starts, so if the client changes IP I will need to restart Shorewall.

I already knew about rsivanandan's solution; I have been using it on another server, but I'm not sure if this is the solution for me in this case...

And I'm not really clear about pablouruguay's solution yet.
0
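The restart problem above (the name is resolved once when Shorewall starts) and the earlier worry about a DNS query per packet can both be avoided by resolving the client's dynamic-DNS name outside the firewall, at a fixed interval, and touching the rule only when the address actually changes. The script below is an added example, not code from any participant in this thread; the `sshclients` dynamic zone, the `eth0` interface, the `shorewall add`/`shorewall delete` calls and the state directory are assumptions to adapt to the local setup.

```shell
#!/bin/sh
# Refresh one client's SSH allow entry from a dynamic-DNS name with a single
# DNS query per run (e.g. every 5 minutes from cron), changing the firewall
# only when the resolved address differs from the cached one.
# Assumed placeholders: STATE_DIR, the "sshclients" dynamic zone, eth0.
STATE_DIR="${STATE_DIR:-/var/lib/ssh-allow}"

# Resolve a hostname to its first IPv4 address; prints nothing on failure.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Accept only a dotted quad with each octet in 0..255, so a failed or odd
# lookup never ends up inside a firewall rule.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Last address applied for a client, or empty if none was recorded yet.
cached_ip() {
    [ -f "$STATE_DIR/$1.ip" ] && cat "$STATE_DIR/$1.ip"
}

# 0 when the rule must be (re)applied, 1 when the cached address still matches.
needs_update() {
    [ "$(cached_ip "$1")" = "$2" ] && return 1
    return 0
}

# Swap the old entry for the new one in the dynamic zone (assumed commands).
apply_rule() {
    [ -n "$2" ] && shorewall delete "eth0:$2" sshclients
    shorewall add "eth0:$3" sshclients
}

# Resolve, validate, compare, apply. Returns 0 on update, 1 when unchanged,
# 2 when the name did not resolve (the existing rule is left in place).
refresh_client() {
    new="$(resolve_ipv4 "$2")"
    is_ipv4 "$new" || { echo "$1: cannot resolve $2, keeping current rule" >&2; return 2; }
    needs_update "$1" "$new" || return 1
    apply_rule "$1" "$(cached_ip "$1")" "$new"
    mkdir -p "$STATE_DIR" && printf '%s\n' "$new" > "$STATE_DIR/$1.ip"
}

# Usage: ssh-allow-refresh.sh <client-name> <ddns-hostname>
if [ "$#" -eq 2 ]; then refresh_client "$1" "$2"; fi
```

Traffic overhead is one A lookup per client per interval rather than one per packet, and a lookup failure leaves the last known address in place instead of opening the rule to nothing or to garbage.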
pablouruguayCommented:
> Not sure if I understand. Are you saying that I should tell the client to use, for example, port 9999, open this port in Shorewall to all connections, and redirect everything to port 22?

yep
0
LuxanaAuthor Commented:
I have not found any appropriate solution in here... please close.

thank you
0