DDNS - Debian IPtables Update Script

Discussion in '3CX Phone System - General' started by hanshin, Jun 29, 2017.

Thread Status:
Not open for further replies.
  1. hanshin (joined Jun 22, 2017; 5 messages; 0 likes received)
    I am relatively new to Linux and PBX systems and have a question regarding security. With any system that is publicly accessible, there is always a need to secure it as well as possible.

    As an example, for SSH access it is desirable to lock down access to a single static IP if possible. However, in some instances, if you have a dynamic IP address, this isn't possible. Ward Mundy @ nerdvittles offers some good scripts (http://nerdvittles.com/?p=22469), but being new I am having trouble following the logic of how they all tie together.

    Out of all the concepts, the two that appear the most useful are the ipchecker script, letting it update the whitelist in the firewall, and changing the port for SSH. The others are great, but port knocker is difficult to get users to implement, and the blocked countries appear to be redundant, especially when your system is for all intents invisible. If you are a large, high-value company that is a target, this might not hold true.

    My question is: if all I wanted to run was a DDNS checker to update iptables, would the following script, which I found at https://unix.stackexchange.com/questions/91701/ufw-allow-traffic-only-from-a-domain-with-dynamic-ip-address, work?

    Yes, I know that relying on DDNS is a security risk in itself, as someone could tamper with a DNS server and return a bad entry, but for a small user without implementing a VPN solution there isn't much else we can do. IT administration is not my full-time job.
    --------------------------------------------------
    #!/bin/bash

    # Usage: script.sh HOSTNAME -- allow the current address of HOSTNAME through iptables
    DYNHOST=$1
    # The chain is named after the host; iptables rejects chain names longer than
    # 28 characters, so truncate the chain name only, not the name being resolved
    CHAIN=${DYNHOST:0:28}
    # First IPv4 address that host(1) reports for the name
    DYNIP=$(host "$DYNHOST" | grep -iE "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | cut -f4 -d' ' | head -n 1)

    # Exit if an invalid (placeholder) IP address is returned
    case "$DYNIP" in
        0.0.0.0 | 255.255.255.255)
            exit 1 ;;
    esac

    # Exit if the IP address is not in proper format (anchored so nothing extra slips through)
    if ! [[ $DYNIP =~ ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$ ]]; then
        exit 1
    fi

    # If the chain for this remote doesn't exist, create it
    if ! /sbin/iptables -n -L "$CHAIN" >/dev/null 2>&1; then
        /sbin/iptables -N "$CHAIN" >/dev/null 2>&1
    fi

    # Check whether the chain already accepts this address (fixed-string match,
    # so the dots in the IP are not treated as regex wildcards); skip the rest
    # of the script if no update is needed
    if ! /sbin/iptables -n -L "$CHAIN" | grep -qF -- " $DYNIP "; then

        # Flush old rules, and add the new one
        /sbin/iptables -F "$CHAIN" >/dev/null 2>&1
        /sbin/iptables -I "$CHAIN" -s "$DYNIP" -j ACCEPT

        # Add the chain to the INPUT filter if it isn't referenced yet
        if ! /sbin/iptables -C INPUT -t filter -j "$CHAIN" >/dev/null 2>&1; then
            /sbin/iptables -t filter -I INPUT -j "$CHAIN"
        fi

    fi
    ----------------------------------------------------

    If yes, what would be the proper format to enter multiple DDNS entries into this script?

    How would I add this as a cron job?

    Thanks for reading this!
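An added example (not the poster's script, and not code from the nerdvittles or Stack Exchange pages) that covers the two follow-up questions in working shell: it accepts any number of DDNS hostnames on the command line, keeps one iptables chain per hostname, and is written to be saved as /usr/local/sbin/ddns-allow.sh (an assumed path) and run from the root crontab. The validation is split into small functions so it can be checked without root: `DRY_RUN=1` prints the iptables commands instead of executing them.

```shell
#!/bin/sh
# Added example, not the poster's script: whitelist several DDNS hostnames in
# iptables, one chain per hostname. Assumed install path:
#   /usr/local/sbin/ddns-allow.sh
# Root crontab line (crontab -e) to re-check every five minutes:
#   */5 * * * * /usr/local/sbin/ddns-allow.sh home.example.com office.example.com >/dev/null 2>&1
#
# DRY_RUN=1 prints the iptables commands instead of running them (no root needed).

IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-0}

# Run iptables, or in dry-run mode print the command. Dry-run treats the
# read-only queries (-L, -C) as "not found" so every write is shown.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
        case " $* " in *" -L "*|*" -C "*) return 1 ;; esac
        return 0
    fi
    "$IPT" "$@"
}

# Chain name derived from the hostname: non-alphanumerics become '_',
# truncated to 28 characters because iptables rejects longer chain names.
chain_name() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9' '_' | cut -c1-28
}

# Returns 0 only for a well-formed dotted quad that is not 0.0.0.0 or
# 255.255.255.255 (placeholders some DDNS providers return while a host is offline).
valid_ipv4() {
    ip=$1
    [ -n "$ip" ] || return 1
    case $ip in
        0.0.0.0|255.255.255.255|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# First IPv4 address for a hostname via host(1), as in the original; empty if none.
resolve_host() {
    host -t A "$1" 2>/dev/null | awk '$2 == "has" && $3 == "address" { print $4; exit }'
}

# Make the chain for hostname $1 hold exactly one ACCEPT rule for address $2 and
# hook it into INPUT. Returns 0 when rules were written, 2 when already current.
# Like the original, the ACCEPT is not port-limited; add "-p tcp --dport 22" to
# the -A line if the chain should only admit SSH.
update_chain() {
    chain=$(chain_name "$1")
    addr=$2
    ipt -n -L "$chain" >/dev/null 2>&1 || ipt -N "$chain"
    if ipt -C "$chain" -s "$addr" -j ACCEPT >/dev/null 2>&1; then
        return 2
    fi
    ipt -F "$chain"
    ipt -A "$chain" -s "$addr" -j ACCEPT
    ipt -C INPUT -j "$chain" >/dev/null 2>&1 || ipt -I INPUT -j "$chain"
    return 0
}

main() {
    [ $# -gt 0 ] || { echo "usage: $0 HOSTNAME..." >&2; return 64; }
    status=0
    for h in "$@"; do
        addr=$(resolve_host "$h")
        if ! valid_ipv4 "$addr"; then
            # Keep the existing rule rather than open or close anything on a bad answer.
            echo "$h: no usable A record ('$addr'); chain left unchanged" >&2
            status=1
            continue
        fi
        update_chain "$h" "$addr" || true
    done
    return "$status"
}

# Run only when executed as the script itself, not when sourced.
case ${0##*/} in ddns-allow.sh) main "$@" ;; esac
```

Each hostname gets its own chain, so adding a second DDNS entry is just another argument on the command line (or on the crontab line); a failed or placeholder lookup leaves that host's existing rule in place instead of flushing it. The check runs every five minutes, so after a home address changes the rule lags by up to the DNS TTL plus the cron interval.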
     