Firewall rules based on Domain name instead of IP address
iptables doesn't work with domains, but you can create an ipset and update its contents periodically.
ipset create allowed hash:ip
The iptables rule will look like:
iptables -A INPUT -p tcp --dport 3128 -m set --match-set allowed src -j ACCEPT
Create a simple script that does the domain lookup and updates the allowed list.
#!/usr/bin/env bash
# Resolve the domain and replace the set's contents with the current addresses
# (dig +short may return more than one address, so add each one)
ips=$(dig +short domain.com)
ipset flush allowed
for ip in $ips; do
    ipset add allowed "$ip"
done
And add a cron job (every 5 minutes in this example):
*/5 * * * * root /path/to/myscript.sh
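A more defensive version of the refresh script, added here as an example and not part of the answer above. It keeps the answer's hypothetical domain.com and set name allowed, and assumes dig and ipset are installed and the script runs as root. Two things differ from the simple flush-then-add approach: the resolver output is filtered to well-formed IPv4 addresses (dig +short can emit CNAME targets, or nothing at all), and the set is replaced with ipset swap so there is no moment where it is empty. If the lookup returns no addresses the set is left untouched, because flushing it on a failed lookup would lock the client out until the next successful run.

```shell
#!/usr/bin/env sh
# Added example (not the answer's own script): refresh an ipset from a DNS name
# atomically and leave it alone when the lookup fails.
# Assumptions: domain.com and the set name "allowed" are placeholders, as in the
# answer; dig and ipset are available; run as root (e.g. from cron with --run).

DOMAIN="${DOMAIN:-domain.com}"
SET_NAME="${SET_NAME:-allowed}"

# Keep only well-formed IPv4 addresses from resolver output (drops CNAME
# targets, blank lines and octets over 255), sorted and de-duplicated.
# Pure filter: stdin -> stdout.
filter_ipv4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        | awk -F. '$1<256 && $2<256 && $3<256 && $4<256' \
        | sort -u
}

# Emit an "ipset restore" script that fills <set>_tmp from stdin (one address
# per line), swaps it into place and removes the temporary set.
# Pure function: stdin (addresses) -> stdout (restore commands).
build_restore() {
    target="$1"
    tmp="${1}_tmp"
    echo "flush $tmp"
    while read -r ip; do
        if [ -n "$ip" ]; then
            echo "add $tmp $ip"
        fi
    done
    echo "swap $tmp $target"
    echo "destroy $tmp"
}

# Resolve DOMAIN and replace SET_NAME's contents in one swap.
# Returns 1 and changes nothing if no A records came back.
refresh() {
    ips="$(dig +short A "$DOMAIN" | filter_ipv4)"
    if [ -z "$ips" ]; then
        echo "lookup of $DOMAIN returned no A records; leaving $SET_NAME unchanged" >&2
        return 1
    fi
    # -exist makes both creates idempotent; both sets must be hash:ip for swap.
    ipset create "$SET_NAME" hash:ip -exist
    ipset create "${SET_NAME}_tmp" hash:ip -exist
    printf '%s\n' "$ips" | build_restore "$SET_NAME" | ipset restore
}

if [ "${1:-}" = "--run" ]; then
    refresh
fi
```

Point the cron line at this script with --run; the iptables rule from the answer stays as it is, since it only references the set by name. Note that the domain's owner still decides which addresses end up in the set, which is the risk raised in the comments below and is not something the script can remove.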
JineshJK
Updated on September 18, 2022
Comments
-
JineshJK over 1 year
I am running Guacamole remote desktop gateway test setup to manage access to cloud VM instances.
As I got one strange POC request from one client to restrict Guacamole RDG access to one specific domain which doesn't have a static IP, I am out of options. The client might be using services like dynamic DNS to have their domain resolve back to whatever dynamic IP they get.
So basically I have to set inbound Firewall rules in my Guacamole RDG server based on one domain name instead of IP address. Apart from basic networking logic, is there any way to achieve this requirement?
I tried the command below to set an iptables rule based on the domain name, but upon execution it actually resolves the domain name and applies the rule to iptables with the resolved IP address.
iptables -A INPUT -p tcp --src domain.com --dport 3128 -j ACCEPT
-
roaima over 4 years
I don't know of any way to do this easily. There's not only DDNS to consider but also the possibility that the domain name might resolve to multiple addresses.
-
Philip Couling over 4 years
To add my two cents worth... I think this is tricky and a little dangerous. It would effectively give someone else the ability to change your firewall rules because you don't control the domain name in question.
-
larsks over 4 years
Having to perform a reverse DNS lookup on every incoming packet would have terrible performance consequences.
-
JineshJK over 4 years
I haven't tried this tool yet. The domain with the dynamic IP is not within my network, so all I have is the domain address; I just want to use that domain address to set rules in CSF to allow inbound traffic to the server that I host. Thanks for the update. I will try this tool and update.