- SSH (port 22).
- Web server (used for a private web page, port 8080).
Assuming the default policy of the INPUT chain is already set to DROP, we need to add these two rules:
# Allow SSH service.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow private web page.
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
You can also set up password authentication on the private web server:

The problem is that an attacker's packets still pass the INPUT chain of iptables, which accepts them and lets him reach the login form. Even if he is banned after failing the form (let's say five times, as an example), he can keep trying again and again simply by changing his address through a VPN. Restricting the rules to your own source IP removes that possibility, which is what the rest of this post sets up.
Dynamic DNS
First of all, if you don't have one, assign a dynamic DNS name to your home connection. I suggest freemyip, since you don't need to create an account and it is totally free:

Once your domain is claimed, you receive a URL to update your IP:

Update my IP address automatically (from freemyip's help section)
Browser method
You can add the &redirectURL=www.google.com parameter at the end of the above URL to be automatically redirected once your IP is updated (you can put any website you want): https://freemyip.com/update?token=TOKEN&domain=DOMAIN&redirectURL=www.google.com
Linux method
If you have an always-on Linux on your network, you can install a cron job that will automatically update your IP address every 20 minutes. Make sure you have the curl command installed, and then execute the following command:
(crontab -l; echo "*/19 * * * * curl \"https://freemyip.com/update?token=TOKEN&domain=DOMAIN.freemyip.com\" > /dev/null 2>&1") | crontab -
More update methods here.
Hardening iptables rules
In order to define your new iptables rules, first look up the current public IP of your home connection (I suggest this website). Then, replace the initial rules with these:
# Allow SSH service.
iptables -A INPUT -p tcp -s [home_ip] --dport 22 -j ACCEPT
# Allow private web page.
iptables -A INPUT -p tcp -s [home_ip] --dport 8080 -j ACCEPT
They are practically the same, except for the -s parameter, which restricts each rule to packets whose source address is your home IP. Two practical points before applying them: first, the update script that follows replaces rules 1 and 2 of the INPUT chain by position (iptables -R INPUT 1 and iptables -R INPUT 2), so these two rules must really be the first two in the chain; check with iptables -L INPUT --line-numbers, and keep any other rule (a loopback or RELATED,ESTABLISHED accept, for instance) after them or adjust the positions in the script. Second, if you are doing this over SSH, insert the restricted rule before deleting the old unrestricted one (iptables -I INPUT 1 ... then iptables -D INPUT ...), otherwise the DROP policy cuts your own session the moment the old rule disappears.
Now, we will use the following shell script to update our iptables rules automatically whenever the home public IP changes:
#!/bin/sh
#################### CONSTANTS ####################
# Resolve the home dynamic DNS name and keep only the first IPv4 answer:
# "dig +short" may also print a CNAME line, which must never end up in a rule.
NEW_IP=$(dig +short A muratore-example.freemyip.com | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1)
HOME_IP_FILE="/var/log/home-ip.log"
LOG_FILE="/var/log/change-ip-firewall.log"
#################### FUNCTIONS ####################
# Record the ip the firewall rules currently allow.
printNewIp() {
    echo "$NEW_IP" > "$HOME_IP_FILE"
}
# Append a timestamped line to the log file.
printLogs() {
    echo "***** $(date) Iptables Rules $1 *****" >> "$LOG_FILE"
}
#################### SCRIPT #######################
# If the log ip file doesn't exist, create it with the current ip.
if [ ! -f "$HOME_IP_FILE" ]; then
    touch "$HOME_IP_FILE"
    printNewIp
fi
# If the log file doesn't exist, create it.
if [ ! -f "$LOG_FILE" ]; then
    touch "$LOG_FILE"
fi
# Only act on a non-empty dig result: if resolution fails, the rules are left
# as they are instead of being rewritten with an empty source address.
if [ -n "$NEW_IP" ]; then
    # Read the ip recorded by the previous run.
    OLD_IP=$(cat "$HOME_IP_FILE")
    # If the ip has changed, replace rules 1 and 2 of the INPUT chain.
    if [ "$OLD_IP" != "$NEW_IP" ]; then
        if iptables -R INPUT 1 -p tcp -s "$NEW_IP" --dport 22 -j ACCEPT &&
           iptables -R INPUT 2 -p tcp -s "$NEW_IP" --dport 8080 -j ACCEPT; then
            # Record the new ip only once both rules are in place, so that a
            # failed update is retried on the next run instead of being forgotten.
            printNewIp
            printLogs "updated, home ip : $NEW_IP"
        else
            printLogs "update FAILED, home ip still $OLD_IP (wanted $NEW_IP)"
        fi
    else
        printLogs "not updated, home ip unchanged : $OLD_IP"
    fi
fi
Make sure root owns this script and that nobody else can write to it (chmod 700 is a good choice), since cron runs it as root and anyone able to edit it would be editing your firewall. Save it to the desired location (/root is a valid one) and run it as a cron task. The line below uses the six-field format with a user column, so it belongs in /etc/crontab or in a file under /etc/cron.d/, not in a user crontab:
*/10* * * * root /root/update_firewall.sh
And that's it! It runs every 10 minutes, but you can of course change this interval as desired. Keep in mind that reachability now depends on the dynamic DNS record: if the updater at home stops running, or the name fails to resolve, the rules keep the last known address and a new home IP is locked out, so keep an out-of-band way to reach the server (your hosting provider's console, for instance).
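As an added example that is not part of the original post, the following variant of the update job addresses the two weak points of the script above: it refuses to touch the firewall unless the name resolves to a well-formed IPv4 address, and it finds the two rules by a comment tag rather than assuming they are rules 1 and 2 of the INPUT chain, so adding a loopback or conntrack rule in front of them no longer silently rewrites the wrong rule. It assumes the rules were created with the (hypothetical) tags home-ssh and home-web, a hypothetical name home.example.freemyip.com, dig from bind-utils/dnsutils, and the iptables comment match, which is standard on Linux distributions.

```shell
#!/bin/sh
# Added example, not the original post's script: a safer variant of the update
# job. It validates the resolved address, finds the two rules by their comment
# tag instead of assuming they are rules 1 and 2 of INPUT, and leaves the
# firewall untouched when the name has no IPv4 answer.
# Assumptions (hypothetical names): the rules were created with
#   iptables -A INPUT -p tcp -s HOME_IP --dport 22   -m comment --comment home-ssh -j ACCEPT
#   iptables -A INPUT -p tcp -s HOME_IP --dport 8080 -m comment --comment home-web -j ACCEPT
# and the dynamic DNS name is home.example.freemyip.com.

HOME_NAME="${HOME_NAME:-home.example.freemyip.com}"
# Command used to rewrite rules; set IPTABLES=echo to print the -R commands
# that would be run instead of running them.
IPTABLES="${IPTABLES:-iptables}"

# Succeed only if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read a `dig +short` answer on stdin (it may start with a CNAME line) and
# print the first valid IPv4 address; fail if there is none.
pick_ipv4() {
    while read -r line; do
        if is_ipv4 "$line"; then
            printf '%s\n' "$line"
            return 0
        fi
    done
    return 1
}

# Read `iptables -S INPUT` on stdin and print the 1-based position of the rule
# tagged with comment $1. The leading "-P INPUT ..." policy line is not a rule,
# so numbering starts at the first "-A INPUT" line, matching --line-numbers.
rule_position() {
    pos=0
    while read -r line; do
        case "$line" in
            -P*) continue ;;
        esac
        pos=$((pos + 1))
        case "$line" in
            *"--comment $1 "* | *"--comment \"$1\" "*) printf '%s\n' "$pos"; return 0 ;;
        esac
    done
    return 1
}

# Replace the source address of the rule tagged $1 (port $2) with $3, reading
# the current chain listing on stdin. The rule keeps its tag so it can be
# located again on the next run.
update_rule() {
    pos=$(rule_position "$1") || return 1
    "$IPTABLES" -R INPUT "$pos" -p tcp -s "$3" --dport "$2" \
        -m comment --comment "$1" -j ACCEPT
}

main() {
    ip=$(dig +short A "$HOME_NAME" | pick_ipv4) || {
        echo "$(date) $HOME_NAME has no IPv4 answer; rules left unchanged" >&2
        return 1
    }
    iptables -S INPUT | update_rule home-ssh 22 "$ip" &&
        iptables -S INPUT | update_rule home-web 8080 "$ip" &&
        echo "$(date) home rules now allow $ip"
}

# Run only when executed as the installed script, not when sourced for tests.
case "$0" in
    *update_firewall.sh) main ;;
esac
```

Install it exactly like the original (root-owned, chmod 700, the same cron line). Running `IPTABLES=echo /root/update_firewall.sh` as root prints the two -R commands with their real positions without changing anything, which is the check to make after adding or reordering rules in the chain.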