How can I use DNS to update iptables for remote access with a Linux router

Hello, I have a Linux box that is a router/gateway running iptables rule sets. I have set up a dynamic DNS account at This runs a client on my laptop that updates my record at with my current IP address (i.e. =
What I would like to do, of course, is have my iptables firewall update with my IP address from my resolved no-ip DNS, and allow my laptop to connect to ssh and remote desktop from wherever I am. And have it update every 5 min or so. (Usually at my home or another office, but my concern is that my home IP might change and cause me a problem in the future, or if I am out of town.) I realize that I would not want to do this from a cyber cafe, but I do not want to have the port open to the world full time either, and that IP would change as soon as I get to the office.
I looked at something called port-knocker, that looked interesting, but I would rather have it more 'automatic' so that I do not need to really do anything special to initiate this (aside from the stuff, which I already use for my home stuff).
Gabriel Orozco, Solution Architect, commented:
You need to write a watchdog script that can update your firewall for you.

There are some ways to do it but I will use the simplest I can think of right now:

Create a script and test it can
- add a new iptables rule allowing your current IP
- delete a previous iptables rule pointing to your previous IP

Then you only need to add it to your crontab and have it working every minute. You will tie access to your no-ip IP:
* * * * * /usr/local/scripts/ >> /var/log/followmynoip.log 2>&1

The script can be something like (I will write a draft here. It may not work without testing and debugging):
#!/bin/sh
# here you need to put the no-ip hostname you are using (placeholder, replace it):
DNSNAMETOFOLLOW=myname.no-ip.example
# file that remembers the ip allowed on the previous run (placeholder path):
STOREDIPFILE=/var/run/followmynoip.ip
# Get previous ip from file
STOREDIP=`cat $STOREDIPFILE 2>/dev/null`
# first run will have that STOREDIPFILE empty, so no ip. let's fix that (put an IP you really do not use)
[ "$STOREDIP" = "" ] && STOREDIP=192.0.2.1   # placeholder: documentation address, never a real client
# Get ip from noip (the last "Address" line is the answer; the first one is the resolver itself):
NEWIP=$(nslookup $DNSNAMETOFOLLOW | grep Address | tail -1 | awk '{print $2}')
# if the lookup failed NEWIP is empty or the resolver's own address; bail out rather than deleting the working rule
case "$NEWIP" in
   ""|*[!0-9.]*) echo "lookup of $DNSNAMETOFOLLOW failed"; exit 1 ;;
esac
# now compare both IPs. if equal do nothing. if different, update rules:
if [ "$STOREDIP" != "$NEWIP" ]; then
   # delete previous IP (fails harmlessly on the first run)
   iptables -D INPUT -p tcp --dport 22 -s $STOREDIP -j ACCEPT 2>/dev/null
   # add the new IP
   iptables -I INPUT -p tcp --dport 22 -s $NEWIP -j ACCEPT
   # write the new ip to file
   echo "$NEWIP" > $STOREDIPFILE
fi

This is not debugged. It is only a guide. It can work but I have not tested it. OK?

hope that helps
Try this, it's for Ubuntu, but it should apply to you.
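The draft above is the core of the approach. The following POSIX sh version is an added example (not from this thread or any of its participants) that fills in what a practitioner would want before putting it in cron: it validates the DNS answer before touching the firewall (an empty or malformed result, such as the resolver's own address on a failed lookup, would otherwise delete the working rule and lock the laptop out), it uses iptables -C so the rule is re-added if the chain was flushed, it handles both ports the asker mentioned (22 for ssh and 3389 for remote desktop), and it leaves the old rule in place when the lookup fails. The hostname, state file path, port list and chain are placeholders, and the resolver uses dig +short (an assumption; nslookup as in the draft would work with the same validation).

```shell
#!/bin/sh
# followmynoip-style watchdog for iptables, added example (not the thread's own script).
# Placeholders: replace DNSNAME with your dynamic DNS hostname, STATEFILE with a
# root-writable path, PORTS with the TCP ports you expose to that one address.
DNSNAME="${DNSNAME:-myname.no-ip.example}"
STATEFILE="${STATEFILE:-/var/run/followmynoip.ip}"
PORTS="${PORTS:-22 3389}"
CHAIN="${CHAIN:-INPUT}"

# Resolve the hostname to one IPv4 address. dig +short prints a CNAME chain first
# (if any) and the A record last; on failure it prints nothing.
resolve_ip() {
    dig +short "$1" A 2>/dev/null | tail -n 1
}

# Succeed only for a dotted quad whose four octets are each 0-255; anything else
# (empty string, "host#53", IPv6, trailing dot) is rejected before it reaches iptables.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Ensure an ACCEPT rule for the address exists on every port (idempotent: -C checks first).
allow_ip() {
    for p in $PORTS; do
        iptables -C "$CHAIN" -p tcp --dport "$p" -s "$1" -j ACCEPT 2>/dev/null \
            || iptables -I "$CHAIN" -p tcp --dport "$p" -s "$1" -j ACCEPT
    done
}

# Remove the ACCEPT rules for an address; a rule that is already gone is not an error.
revoke_ip() {
    for p in $PORTS; do
        iptables -D "$CHAIN" -p tcp --dport "$p" -s "$1" -j ACCEPT 2>/dev/null || true
    done
}

# One watchdog pass. Returns 0 when the rules match the current DNS answer, 1 when
# the lookup gave nothing usable (the previous rule is deliberately kept in that case,
# so a transient DNS problem never removes the only allowed address).
update_rules() {
    old=$(cat "$STATEFILE" 2>/dev/null)
    new=$(resolve_ip "$DNSNAME")
    if ! is_ipv4 "$new"; then
        echo "$(date) lookup of $DNSNAME failed, keeping rules for ${old:-nothing}" >&2
        return 1
    fi
    allow_ip "$new"
    if [ -n "$old" ] && [ "$old" != "$new" ]; then
        revoke_ip "$old"
        echo "$(date) access moved from $old to $new"
    fi
    printf '%s\n' "$new" > "$STATEFILE"
    return 0
}

# Do the real work only when invoked with "run" (the crontab entry); otherwise the
# file just defines the functions so they can be sourced and exercised separately.
if [ "${1:-}" = run ]; then
    update_rules
fi
```

A crontab entry for this layout would be `* * * * * /usr/local/scripts/followmynoip.sh run >> /var/log/followmynoip.log 2>&1` (path and file name are assumptions). Two design points: the state file is read before the lookup and written only after the rules were changed, so an aborted run leaves the firewall and the file consistent, and the address allowed is only as trustworthy as the DNS answer itself, so this rule reduces exposure of the ssh port but is not a substitute for key-only authentication on the ssh server.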
jcgreer (Author) commented:
Thanks for the reply. However, let me add some more detail. I am trying to go the other way around.
The server is at my office and has a static IP address already.
My current configuration is working with remote desktop to my Windows boxes and ssh to the server from my house (fortunately they do not change my IP address that often, but when they do, of course it is 2am and I have to drive into the office).
I need to be able to connect to ssh on that server with my laptop from my house or out of town, or from my dynamic IP on a SprintPCS broadband card.
So all I need is for the server to look up my address and rewrite the iptables rules for my (now) current IP address, so I can use it from anywhere, but I do not want the server to accept ssh from just any IP address in the world.

Gabriel Orozco, Solution Architect, commented:
Any news?
jcgreer (Author) commented:
Very complete! The code worked first time without change (except for my no-ip address), and it also included instructions for adding to cron (nice, makes a complete answer, so readers would not have to then go look that up).
Thank you!
Question has a verified solution.