# Add a dynamic IP to a firewall exception - Linux/Ubuntu



## james137 (Aug 11, 2009)

I have Googled quite a bit on this problem and have only come up with solutions that have problems.

Is it possible to add a dynamic address like somthing.noip.org to the Linux firewall? I'm assuming you would use iptables somewhere along the line.


I thought of an idea using the host command on Linux (Linux host Command - To find ip address, domain name, cmd Example), but this would mean writing some script. The dynamic address is constantly changing and is not static in any way.

I have no clue how to solve this problem or whether there is just some simple way to do this.

Thanks

james137


----------



## SteveThePirate (Jan 12, 2012)

Hi,

I'm not entirely sure if this is what you're wanting, but as soon as I read that I thought you could add the rule to iptables by specifying a range. Found this example, if this is what you need:


```
iptables -A INPUT -p tcp --destination-port 22 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT
```
This specifies a range of IP addresses for access through SSH. Thought the same idea might apply for you?

Steve


----------



## james137 (Aug 11, 2009)

Thanks for your idea, but I don't think this quite fits what I want.

Is there a way to add a single address like somthing.noip.org? The range would be from 115.xxx.xxx.xxx to 202.xxx.xxx.xxx, which would be too large.

Also, just to make sure we are on the same page (just in case), I'm talking about the WAN IP, like the IP result from What Is My IP Address | Shows Your IP Address.


----------



## SteveThePirate (Jan 12, 2012)

I thought that might have been the case :grin: I'm not too sure then, other than a script such as the one using hostname you mentioned above. Maybe someone else will have a better idea of how it's done; I'm curious myself now :lol:


----------



## james137 (Aug 11, 2009)

Well, I would have no idea how to make a script. The pseudocode would be the following:

```
schedule the following to run every 15 minutes to 1 hour

//start of script

obtain the IP address of "somthing.noip.org"
store the IP in a variable: "thisIP"
if thisIP is not equal to the old IP of somthing.noip.org then
    replace the firewall rule for oldIP with one for thisIP
    replace oldIP with thisIP

//end of script
```


----------



## james137 (Aug 11, 2009)

OK, I thought of an idea that sounds possible.

Could you have some script that does the following?

```
host somthing.noip.org

print output to file output.txt

run a java file doing the following:

    find the line containing "somthing.noip.org has address ##.##.###.###"
    obtain the new IP ##.##.###.###
    if the old add-ip script exists:
        obtain the old IP
        edit it to use the new IP
    // -s matches the source (client) address; -d would match the destination,
    // i.e. this server's own address, so it would never match the remote host
    iptables -A INPUT -p tcp --destination-port 22 -s ##.##.###.### -j ACCEPT //add new IP
    iptables -D INPUT -p tcp --destination-port 22 -s ##.##.###.### -j ACCEPT //delete old IP

end of java program

run add-ip script
```


----------



## james137 (Aug 11, 2009)

OK, it seems to be possible to do:

```
# -s: match the remote host as the source address (-d would be this server's own address)
iptables -A INPUT -p tcp --destination-port 22 -s somthing.noip.org -j ACCEPT
# the name is resolved once, when the rule is inserted; the rule stores the IP, not the name
```

Question is, how do I renew it, and does it really work?


----------



## SteveThePirate (Jan 12, 2012)

I've asked Hal8000 to have a look if he's available. He's our resident expert in Linux :grin:


----------



## james137 (Aug 11, 2009)

OK, here is an idea I think might work.

Have a script run every 5 min:

```
iptables --flush INPUT
# -s: match the remote host as the source address (-d would be this server's own address)
iptables -A INPUT -p tcp --destination-port 22 -s somthing.noip.org -j ACCEPT

# end of script
```

Problem is, it would remove all rules, so therefore my question is:

How do I make all rules but 1 unflushable?
Either that or I do:

```
iptables --flush INPUT
# add all old ones
iptables -A INPUT ....
iptables -A INPUT ....
iptables -A INPUT ....
iptables -A INPUT -p tcp --destination-port 22 -s somthing.noip.org -j ACCEPT
```

But I think that could be risky: if someone is trying to access the server, they will get cut off.

So my question is:

How do I make all rules but 1 unflushable?

Thanks

James137

P.S. Thank you, Steve, for all your help so far.


----------



## james137 (Aug 11, 2009)

OK, I think I have a way to make a script.

I found it on Using IPTables with Dynamic IP hostnames like dyndns.org | diginc

```
#!/bin/bash
# Allow a dyndns name through iptables; run this from cron every few minutes.
HOSTNAME=HOST_NAME_HERE        # e.g. somthing.noip.org
LOGFILE=LOGFILE_NAME_HERE      # file that remembers the last IP that was allowed

# Take only the first IPv4 "has address" answer. A plain `cut -f4` would also
# take field 4 of an error line or an IPv6 answer and hand it to iptables.
Current_IP=$(host -t A "$HOSTNAME" | awk '/ has address / { print $4; exit }')
if [ -z "$Current_IP" ]; then
    echo "could not resolve $HOSTNAME, leaving rules unchanged" >&2
    exit 1
fi

# First run: no old IP recorded yet. ([ $LOGFILE = "" ] would test the
# variable, not whether the file exists.)
if [ ! -f "$LOGFILE" ]; then
    iptables -I INPUT -i eth1 -s "$Current_IP" -j ACCEPT
    echo "$Current_IP" > "$LOGFILE"
else
    Old_IP=$(cat "$LOGFILE")
    if [ "$Current_IP" = "$Old_IP" ]; then
        echo "IP address has not changed"
    else
        # Swap the rule for the old address for one with the new address.
        iptables -D INPUT -i eth1 -s "$Old_IP" -j ACCEPT
        iptables -I INPUT -i eth1 -s "$Current_IP" -j ACCEPT
        echo "$Current_IP" > "$LOGFILE"
        echo "iptables have been updated"
    fi
fi
```

It seems to work; all you would have to do is make it run every so often...

I guess this might be the best option.

Is there a better option where I can just add the dynamic IP without needing to update the IP with a script?
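One way to answer the "how do I make all rules but 1 unflushable" question above, and to do without the old-IP logfile of the diginc-style script: keep the dynamic-host rule in a dedicated chain and flush only that chain on every refresh, so the rest of INPUT is never touched. This is an added example, not code from the thread or from diginc; the chain name DYNSSH, the interface eth1, the restriction to port 22 and the cron interval are assumptions, and `host -t A` output is parsed the same way as in the script above.

```shell
#!/bin/sh
# Keep the dynamic-host rule in its own chain so that only that chain is
# flushed on each refresh; every other INPUT rule stays as it is.
set -u

CHAIN=DYNSSH                 # dedicated chain (assumed name)
DYNHOST=somthing.noip.org    # the dynamic DNS name from the thread
IFACE=eth1                   # WAN-facing interface, as in the thread's script
RUN=${RUN:-sh}               # RUN=cat prints the commands instead of running them

# Read `host` output on stdin, print the first IPv4 "has address" answer and
# fail unless it is a dotted quad, so a DNS failure or an error message can
# never end up inside an iptables rule.
extract_ipv4() {
    awk '/ has address / { print $4; exit }' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Emit the iptables commands that rebuild only the dynamic chain for one IP.
# The chain is created and hooked into INPUT once; -C checks whether the jump
# already exists so it is not inserted a second time on every run.
rebuild_chain_cmds() {
    cat <<EOF
iptables -N $CHAIN 2>/dev/null || true
iptables -C INPUT -j $CHAIN 2>/dev/null || iptables -I INPUT -j $CHAIN
iptables -F $CHAIN
iptables -A $CHAIN -i $IFACE -s $1 -p tcp --dport 22 -j ACCEPT
EOF
}

# Resolve the name now and apply the rules. The chain is briefly empty between
# -F and -A; established SSH sessions survive that if INPUT already accepts
# ESTABLISHED conntrack state, which is the usual first rule.
apply() {
    ip=$(host -t A "$DYNHOST" | extract_ipv4) ||
        { echo "no usable A record for $DYNHOST; rules left unchanged" >&2; return 1; }
    rebuild_chain_cmds "$ip" | $RUN
}

# Run from cron, e.g. every 5 minutes: */5 * * * * /usr/local/sbin/dynssh.sh --apply
if [ "${1:-}" = "--apply" ]; then apply; fi
```

Whoever controls the DNS answer for the name controls who gets through, so this only narrows the network exposure of SSH; it does not replace key-based authentication.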


----------

