IPTables HowTo at netfilter.org: http://www.netfilter.org/documentation/index.html#documentation-howto
IPTables HowTo at CentOS.org: http://wiki.centos.org/HowTos/Network/IPTables
If you run publicly accessible servers, you may want finer-grained control over the IP addresses from which you manage the server, e.g. for SSH access or Webmin.
While this is no problem if you always work from a location with a fixed IP address (like your company network), a plain address-based rule does not work with the dynamic addresses that your internet provider's DHCP service assigns you.
In this article I describe how you can set up a flexible IPTables firewall which updates itself whenever one of your dynamic addresses changes.
As a server should not have a GUI installed, I give only the commands that work in console mode.
The procedure described here can lock you out of your server. Do not paste the IPTables configuration below blindly into your system. Do not apply any changes to the firewall configuration unless you have a working knowledge of IPTables.
Sign up to a Dynamic DNS Provider
To achieve this, you have to sign up with a Dynamic DNS provider.
If you always work from places where you have control over the DSL router, you can set up the routers to advertise their current address to the dynamic DNS provider. Most routers support only a small number of providers, so check the documentation of your DSL router, or log in to its management console. I have found that DynDNS is supported in most, if not all, routers.
As an alternative, you can advertise your current external address yourself; services like VPN Mentor show you which address you currently have. Some dynamic DNS providers supply a client for your workstations which updates the address automatically. An example is the DynDNS Updater.
Let's assume that you have registered the dynamic DNS name "myip.dyndns.org". In the following examples you must replace this name with your actual dynamic DNS name.
Install and activate IPTables
Check if there is a file "/etc/sysconfig/iptables". If this is not yet the case, you can set it up using system-config-firewall:
yum install system-config-firewall-tui
Check the output of "chkconfig" to see whether IPTables is launched during system startup.
Install required packages
yum install bind-utils perl
As this approach relies on fast and reliable DNS lookups, you should consider using a different DNS server. I found that Google DNS is much faster than those of most hosting providers. Keep in mind that the firewall rules are then only as trustworthy as the DNS answers: anyone who takes over your dynamic DNS account, or who can spoof replies to the server's resolver, can get the port opened for an address of their choosing, so this is a way to reduce exposure, not a replacement for strong SSH authentication.
Insert the corresponding nameserver line in /etc/resolv.conf before all other nameserver directives.
Create the script "update-firewall.pl"
This script detects when the addresses behind the DNS names used in /etc/sysconfig/iptables change. When that happens it restarts the firewall, so that the rules are loaded with the new addresses, and fail2ban, whose own chains are lost when IPTables is restarted.
Login as root.
mkdir -p ~/scripts
The script must be executable by root only:
chmod 700 ~/scripts/update-firewall.pl
Add the script to root's crontab so that it runs every minute
* * * * * /root/scripts/update-firewall.pl > /tmp/update-firewall.log 2>&1
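The following is an added example of such an update script, written in Python 3; it is not the author's update-firewall.pl and is not code from the original page. It assumes that "dig" from bind-utils is on the PATH, that the firewall and fail2ban are restarted with the CentOS 6 style "service" command, and that the last-seen addresses are cached in the assumed path /var/lib/update-firewall.json. The embedded SAMPLE_RULES is a constructed rules file in the layout described in the next section, used here only as sample input. The one point the page's description does not spell out is handled explicitly: a name whose lookup fails never triggers a restart, because iptables-restore aborts on a name it cannot resolve and a failed restart can leave the host unprotected.

```python
#!/usr/bin/env python3
"""Reload the firewall when a DNS name used in /etc/sysconfig/iptables changes.

Added example, not the author's update-firewall.pl. Assumed: Python 3, `dig`
from bind-utils, a CentOS 6 style `service` command, and STATE_FILE below.
"""
import ipaddress
import json
import re
import subprocess
import sys

RULES_FILE = "/etc/sysconfig/iptables"        # as on the page
STATE_FILE = "/var/lib/update-firewall.json"  # assumed: cache of last-seen addresses
# fail2ban keeps its own chains in iptables; they vanish when iptables is
# restarted, so fail2ban is restarted as well.
RESTART_CMDS = [["service", "iptables", "restart"], ["service", "fail2ban", "restart"]]

# Constructed sample rules file: HTTP open to everyone, SSH only from the company
# name and the dynamic DNS name, the original catch-all port 22 rule commented out.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s lbc.gutzmann.com --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s myip.dyndns.org --dport 22 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# -s/-d (and long forms) followed by the match value; a "!" negation is skipped.
MATCH_RE = re.compile(r"(?:^|\s)(?:-s|--source|-d|--destination)\s+(\S+)")


def is_address(value):
    """True for an IP address or CIDR literal, i.e. a value needing no lookup."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def extract_hostnames(rules_text):
    """Sorted DNS names used as source/destination matches in active rules."""
    names = set()
    for line in rules_text.splitlines():
        if line.lstrip().startswith("#"):
            continue                      # commented-out rules are never loaded
        for value in MATCH_RE.findall(line):
            if value != "!" and not is_address(value):
                names.add(value)
    return sorted(names)


def resolve(name):
    """Sorted A records of name via `dig +short`; None when the lookup failed."""
    try:
        proc = subprocess.run(["dig", "+short", "+time=2", "+tries=2", name, "A"],
                              stdout=subprocess.PIPE, universal_newlines=True,
                              timeout=15, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return None
    addrs = sorted(tok for tok in proc.stdout.split() if is_address(tok))
    return addrs or None                  # an empty answer counts as a failure


def plan(current, previous):
    """Return (needs_restart, new_state). A failed lookup (None) keeps the cached
    addresses and cannot trigger a restart; a changed answer does."""
    new_state = dict(previous)
    needs_restart = False
    for name, addrs in current.items():
        if addrs is not None and previous.get(name) != addrs:
            new_state[name] = addrs
            needs_restart = True
    return needs_restart, new_state


def check(rules_text, previous, resolver=resolve):
    """Resolve every name in rules_text and decide whether a reload is due."""
    return plan({n: resolver(n) for n in extract_hostnames(rules_text)}, previous)


def load_state(path):
    try:
        with open(path) as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return {}                         # first run, or unreadable cache


def main(rules_file=RULES_FILE, state_file=STATE_FILE, dry_run=False):
    with open(rules_file) as fh:
        needs_restart, state = check(fh.read(), load_state(state_file))
    if not needs_restart:
        return 0
    if not dry_run:
        for cmd in RESTART_CMDS:
            subprocess.run(cmd, check=True)   # iptables-restore re-resolves the names
        with open(state_file, "w") as fh:
            json.dump(state, fh)              # cache only after a successful reload
    print("addresses changed, firewall reloaded:", state)
    return 1


if __name__ == "__main__":
    main(dry_run="--dry-run" in sys.argv)
```

Run it from cron exactly as the page does for the Perl script, substituting the script name. On its first run the cache is empty, so the firewall is reloaded once to establish the baseline; afterwards a reload happens only when an answer differs from the cache, and the cache is written only after the restart commands succeeded, so a failed restart is retried on the next minute. Run it with --dry-run to see what it would do without touching the firewall.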
Let's assume that you have allowed HTTP and SSH access to your system. Then your firewall configuration in /etc/sysconfig/iptables looks like this:
To block SSH access from all sites except your company network and your workstations, add the following lines:
-A INPUT -m state --state NEW -m tcp -p tcp -s lbc.gutzmann.com --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s myip.dyndns.org --dport 22 -j ACCEPT
and remove or comment out the original line referring to port 22. Replace "lbc.gutzmann.com" with the actual DNS name of your company, and "myip.dyndns.org" with your actual dynamic DNS name.
As a safer option, you can leave the original line for port 22 in place and remove it only after the script has run successfully and you have verified that you can still log in from one of the allowed addresses.
Now /etc/sysconfig/iptables should look like this:
Check the results
After one minute, the script "update-firewall.pl" should have modified your firewall rules:
If this is not the case, check /tmp/update-firewall.log and fix whatever has gone wrong.