How can I use dns to update iptables for remote access with Linux router

Posted on 2007-10-11
Last Modified: 2010-04-21
Hello, I have a Linux box that is a router/gateway running iptables rule sets. I have set up a dynamic DNS account at This runs a client on my laptop that updates my record at with my current IP address (i.e. =
What I would like to do, of course, is have my iptables firewall update with my IP address from my resolved no-ip DNS, and allow my laptop to connect to ssh and remote desktop from wherever I am. And have it update every 5 min or so. (Usually at my home or another office (but my concern is that my home IP might change and cause me a problem in the future (or if I am out of town))). I realize that I would not want to do this from a cyber cafe, but I do not want to have the port open to the world full time either, and that IP would change as soon as I get to the office.
I looked at something called port-knocker, which looked interesting, but I would rather have it more 'automatic', so that I do not need to really do anything special to initiate this (aside from the stuff (which I already use for my home stuff)).
Question by:jcgreer
    LVL 6

    Expert Comment

    Try this, it's for Ubuntu, but it should apply to you

    Author Comment

    Thanks for the reply.  However, let me add some more detail. I am trying to go the other way around.
    The server is at my office and has a static ip address already.
    My current configuration is working with remote desktop to my windows boxes and ssh to the server from my house (fortunately they do not change my ip address that often (but when they do.. of course it is 2am and I have to drive into the office)).
    I need to be able to connect to ssh on that server with my laptop from my house or out of town, or from my dynamic ip on a SprintPCS broadband card.
    So all I need is the server to lookup my address and rewrite the iptables rules from my (now) current ip address. So I can use it from anywhere, but I do not want the server to accept ssh from just any ip address in the world.

    LVL 19

    Accepted Solution

    You need to write a watchdog script that can update your firewall for you.

    There are some ways to do it, but I will use the simplest I can think of right now:

    Create a script and test that it can
    - add a new iptables rule allowing your current IP
    - delete the previous iptables rule pointing to your previous IP

    Then you only need to add it to your crontab and have it run every minute. You will tie access to your no-ip IP:
    * * * * * /usr/local/scripts/ >> /var/log/followmynoip.log 2>&1

    the script can be something like (I will write a draft here. it may not work without testing and debugging)
    #! /bin/sh
    # here you need to put your no-ip address you are using (placeholder below, replace it):
    DNSNAMETOFOLLOW=yourname.no-ip.example
    # file that remembers the previously allowed ip (placeholder path, adjust as needed):
    STOREDIPFILE=/var/run/followmynoip.ip
    # Get previous ip from file
    STOREDIP=`cat $STOREDIPFILE 2>/dev/null`
    #first run will have that STOREDIPFILE empty, so no ip. let's fix that (put an IP you really do not use; 192.0.2.1 is a placeholder)
    [ "$STOREDIP" = "" ] && STOREDIP=192.0.2.1
    # Get ip from noip (last "Address" line of nslookup output is the answer, not the server):
    NEWIP=$(nslookup $DNSNAMETOFOLLOW | grep Address | tail -1 | awk '{print $2}')
    # if the lookup failed, leave the rules alone instead of deleting the old one
    [ "$NEWIP" = "" ] && { echo "lookup of $DNSNAMETOFOLLOW failed"; exit 1; }
    # now compare both IPs. if equal do nothing. if different, update rules:
    if [ "$STOREDIP" != "$NEWIP" ]; then
       # delete previous IP
       iptables -D INPUT -p tcp --dport 22 -s $STOREDIP -j ACCEPT
       # add the new IP
       iptables -I INPUT -p tcp --dport 22 -s $NEWIP -j ACCEPT
       # write the new ip to file
       echo $NEWIP > $STOREDIPFILE
    fi

    This is not debugged. It is only a guide. It can work, but I have not tested it. OK?

    hope that helps
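    The watchdog approach above, as an added example that is not part of the original answer: the same idea (resolve the name, compare with the stored address, rewrite the rules from cron), but the looked-up value is validated before it reaches iptables, a failed lookup leaves the existing rule in place, and the allowed address lives in its own chain that is flushed and rebuilt, so a stale entry cannot survive a failed delete. The names DNSNAME, STATEFILE, CHAIN and PORTS, the hostname placeholder and the file paths are assumptions.

```sh
#!/bin/sh
# Added example, not the original poster's script: a hardened variant of the
# watchdog from the accepted answer. Assumed names: DNSNAME (placeholder for
# your no-ip hostname), STATEFILE, CHAIN and PORTS; override via environment.
DNSNAME="${DNSNAME:-CHANGEME.no-ip.example}"
STATEFILE="${STATEFILE:-/var/lib/followmynoip/current.ip}"
CHAIN="${CHAIN:-FOLLOWNOIP}"    # dedicated chain, reached by a jump from INPUT
PORTS="${PORTS:-22,3389}"       # ssh and remote desktop

# True only for a well-formed dotted-quad IPv4 address (octets 0-255), so a
# failed or odd lookup can never be spliced into an iptables rule.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        $0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
        $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 { ok = 1 }
        END { exit !ok }'
}

# Resolve the hostname to its first IPv4 address; prints nothing on failure.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Print the iptables commands that grant access to $1 only. The chain is
# flushed and rebuilt, so a stale address cannot linger if an earlier
# "iptables -D" of the old rule had failed. Printing rather than running
# keeps this testable without root; update_if_changed pipes it into sh.
plan_update() {
    echo "iptables -N $CHAIN 2>/dev/null || true"
    echo "iptables -C INPUT -j $CHAIN 2>/dev/null || iptables -I INPUT -j $CHAIN"
    echo "iptables -F $CHAIN"
    echo "iptables -A $CHAIN -p tcp -m multiport --dports $PORTS -s $1 -j ACCEPT"
}

update_if_changed() {
    new=$(resolve_ipv4 "$DNSNAME")
    if ! is_ipv4 "$new"; then
        echo "$(date) lookup of $DNSNAME failed; keeping current rules" >&2
        return 1
    fi
    old=$(cat "$STATEFILE" 2>/dev/null)
    [ "$old" = "$new" ] && return 0              # unchanged: nothing to do
    plan_update "$new" | sh -e || return 1
    mkdir -p "$(dirname "$STATEFILE")" && echo "$new" > "$STATEFILE"
    echo "$(date) $DNSNAME moved from ${old:-none} to $new"
}

# Cron (every minute): * * * * * /usr/local/sbin/followmynoip.sh run >> /var/log/followmynoip.log 2>&1
if [ "${1:-}" = "run" ]; then update_if_changed; fi
```

    Because INPUT only jumps to the chain, the rest of the firewall policy is untouched and the whole grant can be inspected with iptables -L FOLLOWNOIP -n.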
    LVL 19

    Expert Comment

    any news?

    Author Closing Comment

    Very complete!, code worked first time without change (except for my noip address), also included instructions for adding to cron (nice, makes a complete answer, so readers would not have to then go look that up).
    Thank you!
