Using iptables to redirect traffic to a dynamic DNS name instead of an IP address?

Solution 1

IPTables does not support on-the-fly DNS resolution, because it involves security, performance and implementation issues.

If someone was able to modify DNS records for your domain, it would affect IPTables rules.

If IPTables did a DNS lookup on every incoming packet or even connection initiation packet, it would be really slow.

Also, if there are multiple A records for a domain name, which one would IPTables use?

To accomplish what you are looking for, you would need to implement a system where the host running IPTables periodically checks what the IP address for your dynamic host name is, and then changes its rules accordingly.

Another alternative would be to have software on your computer on your home network which monitors the current public IP address and then sends it to your IPTables server, which reconfigures IPTables.

I don't know any particular software that could do this for you.
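
A minimal implementation of the polling approach described in this answer, added here as an example and not part of the original answer: it resolves the dynamic name with the system resolver, refuses anything that is not a plain IPv4 address, and rewrites the two nat rules from the question whenever the address changes. The DNS name, port and state-file path are placeholders.

```shell
#!/bin/sh
# Added example: poll a dynamic DNS name and rewrite the DNAT/MASQUERADE
# rules from the question to point at its current address.
DDNS_NAME="${DDNS_NAME:-home.example.invalid}"      # placeholder name
FWD_PORT="${FWD_PORT:-2222}"                         # placeholder port
STATE_FILE="${STATE_FILE:-/var/lib/ddns-dnat/last-ip}"

# Accept only a dotted-quad IPv4 address. Empty answers, IPv6 answers and
# any other text from the resolver are rejected, so nothing unexpected is
# ever spliced into an iptables command line.
is_ipv4() {
    case "$1" in *[!0-9.]*|"") return 1 ;; esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables commands that move the forward from OLD to NEW.
# Emitting text instead of running directly keeps the logic testable and
# lets the operator log the exact rule change that was applied.
build_rules() {
    old="$1" new="$2" port="$3"
    if [ -n "$old" ]; then
        echo "iptables -t nat -D PREROUTING -p tcp --dport $port -j DNAT --to $old:$port"
        echo "iptables -t nat -D POSTROUTING -d $old -j MASQUERADE"
    fi
    echo "iptables -t nat -A PREROUTING -p tcp --dport $port -j DNAT --to $new:$port"
    echo "iptables -t nat -A POSTROUTING -d $new -j MASQUERADE"
}

# First IPv4 answer from the system resolver (glibc getent).
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

update_forward() {
    new=$(resolve_ipv4 "$DDNS_NAME")
    is_ipv4 "$new" || { echo "refusing non-IPv4 answer '$new'" >&2; return 1; }
    old=""
    [ -r "$STATE_FILE" ] && old=$(cat "$STATE_FILE")
    [ "$old" = "$new" ] && return 0      # unchanged: leave the rules alone
    build_rules "$old" "$new" "$FWD_PORT" | sh -e
    mkdir -p "$(dirname "$STATE_FILE")" && printf '%s\n' "$new" > "$STATE_FILE"
}

# Run as root from cron, e.g. every five minutes: ddns-dnat.sh apply
if [ "${1:-}" = "apply" ]; then update_forward; fi
```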

Solution 2

For the reasons well explained by Tero Kikanen, iptables is not the tool to do what you wish. You should use ssh instead.

Let's call:

  1. hostA your local pc;

  2. hostB your Debian server;

  3. hostC your home pc.

If you want to forward your ssh session, for instance, you need to add, on pc hostA, the following line to your file .ssh/config:

Host hostC
ProxyCommand ssh hostB -W %h:%p

and make sure you have login credentials to hostC on hostA. Now, from hostA, you may connect to hostC as follows:

ssh me@hostc

In this, you do not need to use IP addresses, unresolved names are just fine. Also, you may add all sorts of options (things like port, crypto key file, user, and so on) either on the Proxy Command file or on the CLI (it depends on whether the option is for B->C connection, or for A->B connection respectively).

By the same token, you can forward a given port (portA) on hostA to a different port (portC) on hostC through the intermediary of hostB, as follows:

ssh -L portA:hostC:portC me@hostB

Once again, no need to use IP addresses, simple names will do. Another major advantage of ssh is that all communications are automatically encrypted, so no one will be able to see what you are doing.

Lastly, if you do not know how to give a (free!) name to a pc without a static IP address (hostC), just check noip; it is trivial.

Updated on September 18, 2022

Comments

  • Bri Bri, over 1 year

    I have a Debian server with a static IP address. I want to set it up so that if I connect to this server using a specific port, it will redirect that traffic to my home network.

    I've got that working using iptables like so:

    iptables -t nat -A PREROUTING -p tcp --dport [port] -j DNAT --to [home-ip]:[port]
    iptables -t nat -A POSTROUTING -d [home-ip] -j MASQUERADE
    

    The trouble is, my home network has a dynamic IP. As soon as it changes (which happens frequently enough) this will stop working.

    However, I have a dynamic DNS name set up for my home IP address.

    Is there any way to use iptables so that it will always redirect this traffic to the IP that my dynamic DNS name resolves to?

  • Bri Bri, about 7 years
    Unfortunately this solution is not usable for me, because hostA is an iOS device and as such doesn't have the capability to do any kind of sophisticated forwarding with ssh. The redirection has to happen transparently to hostA.
  • MariusMatutiae, about 7 years
    @GuyGizmo What I suggested can be done on iOS, read here, apple.stackexchange.com/questions/69163/…
  • Bri Bri, about 7 years
    I should also mention that what I'm setting up is meant to be a "one click" operation, especially for users who are not computer literate, so I don't see asking them to download an SSH client and configure it for tunneling to be a viable solution. It's pretty much a hard requirement that the redirection be transparent to iOS. That all said your solution is a good one. It's just not the right one for me in this instance.