Firewall rules based on Domain name instead of IP address

iptables doesn't work with domains, but you can create an ipset and update its content periodically.

ipset create allowed hash:ip

The iptables rule will look like:

iptables -A INPUT -p tcp --dport 3128 -m set --match-set allowed src -j ACCEPT

Create a simple script that does the domain lookup and updates the allowed list:

#!/usr/bin/env bash

# Resolve the domain's A records. dig +short may also print CNAME targets,
# which ipset would reject, so keep only IPv4 addresses.
ips=$(dig +short A domain.com | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$')

ipset flush allowed
# A name may resolve to several addresses; add each of them.
for ip in $ips; do
    ipset add allowed "$ip"
done

And add a cron job (every 5 minutes in this example):

*/5 * * * * root /path/to/myscript.sh
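As an added example, not part of the original answer: a version of the refresh script that also covers the points raised in the comments and two failure modes the short script above does not handle. A name may resolve to several addresses, so every A record is added; a lookup that returns nothing (DNS outage, typo, transient failure) leaves the live set untouched instead of emptying it and locking every client out; and the new contents are built in a temporary set and exchanged with ipset swap, so there is no window between flush and add in which the set is empty and connections are refused. The set name allowed and the name domain.com are the answer's placeholders. IPSET_CMD is an assumption added here: it defaults to ipset and exists so the set-manipulation steps can be exercised without root by pointing it at a recording function.

```shell
#!/usr/bin/env bash
# Added example, not the original answer's script. Assumes bash or POSIX sh,
# dig and ipset. Set name "allowed" and "domain.com" are placeholders.

set -u

# Keep only IPv4 addresses from dig output. dig +short also prints CNAME
# targets (ending in a dot), which 'ipset add' would reject.
filter_ipv4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || true
}

# Resolve a name to its A records. Returns non-zero if nothing usable came
# back, so a DNS failure never empties the live set.
resolve_ipv4() {
    name="$1"
    ips=$(dig +short A "$name" | filter_ipv4)
    [ -n "$ips" ] || return 1
    printf '%s\n' "$ips"
}

# IPSET_CMD is an assumption of this example: it defaults to the real ipset
# binary and can be pointed at a function that only records the commands.
IPSET_CMD="${IPSET_CMD:-ipset}"

# Rebuild the contents in a temporary set of the same type, then swap it
# into place: the live set is never empty while the refresh is running.
refresh_set() {
    set_name="$1"; shift
    tmp="${set_name}_tmp"
    "$IPSET_CMD" -exist create "$tmp" hash:ip
    "$IPSET_CMD" flush "$tmp"
    for ip in "$@"; do
        "$IPSET_CMD" -exist add "$tmp" "$ip"
    done
    "$IPSET_CMD" swap "$tmp" "$set_name"
    "$IPSET_CMD" destroy "$tmp"
}

# Resolve the domain and refresh the set; leave the set alone on failure.
update_from_domain() {
    set_name="$1"; domain="$2"
    if ! ips=$(resolve_ipv4 "$domain"); then
        printf 'resolution of %s failed; leaving %s unchanged\n' \
            "$domain" "$set_name" >&2
        return 1
    fi
    # word-splitting on $ips is intended: one address per word
    # shellcheck disable=SC2086
    refresh_set "$set_name" $ips
}

# Invocation as the cron job would run it (needs root and a created set):
# update_from_domain allowed domain.com
```

Run it from the same cron entry as the original script. Because the set is populated only from DNS answers, the caveat from the comments still applies: whoever controls the zone controls what the rule accepts, so keep the rule scoped to the single port it protects and keep other authentication in front of the service.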

Updated on September 18, 2022

Comments

  • JineshJK
    JineshJK over 1 year

    I am running a Guacamole remote desktop gateway test setup to manage access to cloud VM instances.

    As I got one strange POC request from one client to restrict Guacamole RDG access to one specific domain which doesn't have a static IP, I am out of options. The client might be using services like dynamic DNS to have their domain resolve back to whatever dynamic IP they get.

    So basically I have to set inbound firewall rules on my Guacamole RDG server based on a domain name instead of an IP address. Apart from basic networking logic, is there any way to achieve this requirement?

    I tried the below command to set an iptables rule based on the domain name, but upon execution it actually resolves the domain name and applies the rule to iptables with the resolved IP address.

    iptables -A INPUT -p tcp --src domain.com --dport 3128 -j ACCEPT
    
    • roaima
      roaima over 4 years
      I don't know of any way to do this easily. There's not only DDNS to consider but also the possibility that the domain name might resolve to multiple addresses.
    • Philip Couling
      Philip Couling over 4 years
      To add my two cents worth... I think this is tricky and a little dangerous. It would effectively give someone else the ability to change your firewall rules because you don't control the domain name in question.
    • larsks
      larsks over 4 years
      Having to perform a reverse DNS lookup on every incoming packet would have terrible performance consequences.
  • JineshJK
    JineshJK over 4 years
    I haven't tried this tool yet. The domain with the dynamic IP is not within my network, so all I have is the domain address. I just want to use that domain address to set rules in CSF to allow inbound traffic to the server that I host. Thanks for the update. I will try this tool and update.