Solved

Dynamic IP and firewall

Posted on 2007-03-19
8
1,269 Views
Last Modified: 2008-08-13
Hello Experts,

We are running couple of web sites on our server for many different clients. We are also so kind/trustful that we allow our clients to login via ssh. Once the user wants to connect to server we add his/her IP address tu current rules for firewall( shorewall firewall ). The problem here is that some of our clients have dynamic IP addresses and we need to always change the firewall rules file with current IP address of client. This is very inefficient, and tedious work. Is that any way to do it more efficiently so the IP address in shorewall rules will be always current?

Couple things which can not be part of solution:
- ask client to get static IP
- change shorewall firewall
- create enormous traffic by querying ip address from domain name, etc..

Preferable things which are part of solution:
- easy to implement
- very low overhead on traffic
- efficient

thank you
0
Comment
Question by:Luxana
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 20

Expert Comment

by:nedvis
ID: 18754159
firewall rules for MAC address-based filtering
http://www.shorewall.net/manpages/shorewall-maclist.html
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18756096
It is next to impossible to do that. The only way that can be simplified is to understand the ip range that your clients *can* get through dhcp from their ISP and enable ssh for the whole subnet

*****High Security Risk*****

Cheers,
Rajesh
0
 
LVL 14

Expert Comment

by:pablouruguay
ID: 18756853
> clients to login via ssh.

wrong.!!!! but if you need... the solution that i have implemented it is... :

for exmaple i have 10 clients with differents IP. i give a ssh port to anyclient to login and close the port 22 and you only redirect with iptables.

is a good solution, i was implmented in 2003 and is working still now in a ISP (my old job)
0
Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

 
LVL 10

Author Comment

by:Luxana
ID: 18760462
nedvis,
your solution sounds very good !!!

maclist      - Connection requests from this interface
                    are compared against the contents of
                   /etc/shorewall/maclist. If this option
                   is specified, the interface must be
                   an ethernet NIC and must be up before
                  Shorewall is started.

What is meant by interface must be up before Shorewall is started? Is not maclist just for local interfaces?

--------------------
pablouruguay,

not sure if i understand. Are you saying that I should tell client to use for example port 9999 and open this port by shorewall to all connections and redirect everything to port 22?

---------------

what I'm thinking of is that I rather ask client to register No-IP.com and renew his IP every time he needs to connect . Then in shorewall I just specify client1.no-ip.com instead if IP address. However I'm not sure regarding to efficiency of this solution because there will be probably DNS query for each packet sent.  
 anyone have experience with using domain names instead of IPs in shorewall rules?

thank you all
0
 
LVL 20

Expert Comment

by:nedvis
ID: 18761334
I'm sorry Luxana I just learned this:
Shorewall firewall filtering and trafic shaping using MAC addresses pertains only to outgoing traffic and only to nodes on LAN :
http://www.shorewall.net/MAC_Validation.html
Please disregard my post.
I'm still learning along  the way.

good luck,
 nedvis
0
 
LVL 10

Author Comment

by:Luxana
ID: 18761470
no worries , we all learn every day:-))

my solution does not work eighter :-) The ip gets resovned from host name when shorewall starts so if client changes ip I will need to restart shorewall.

I already new about rsivanandan's solution I have using it on other server but not sure if this is the solution for me in this case...

and i'm not realy clear about pablouruguay's solution yet.
0
 
LVL 14

Expert Comment

by:pablouruguay
ID: 18762375
>not sure if i understand. Are you saying that I should tell client to use for example port 9999 and >open this port by shorewall to all connections and redirect everything to port 22?

yep
0
 
LVL 10

Accepted Solution

by:
Luxana earned 0 total points
ID: 19823002
I have not find any appropriate solution in here... please close

thank you
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you have a server on collocation with the super-fast CPU, that doesn't mean that you get it running at full power. Here is a preamble. When doing inventory of Linux servers, that I'm administering, I've found that some of them are running on l…
Using 'screen' for session sharing, The Simple Edition Step 1: user starts session with command: screen Step 2: other user (logged in with same user account) connects with command: screen -x Done. Both users are connected to the same CLI sessio…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Suggested Courses

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question