0

I have a rented dedicated server that I host certain services on.

For security reasons I made a rule chain that checks against listed DDNS addresses and only accepts the connections that match. It seemed better than blocking or accepting by country.

Ex.

-A ACCEPT_PERSONAL -s xxx.dns.com -j ACCEPT
-A ACCEPT_PERSONAL -s yyy.dns.com -j ACCEPT

It worked well for a while, but after a few days, all of a sudden, I couldn't access my server. After some support from the hosting company I was able to access it via Webmin, and found that the DDNS addresses in my iptables rules had been replaced with actual IPs, which have since changed for whatever reason.

Any ideas as to what has happened? I have checked the cron jobs, especially the weekly ones, but cannot find anything suspicious.

Also, I am using Webmin to set the values.

Saifis

4 Answers

2

DNS resolution happens before the firewall rule is loaded into the kernel, so you can't do what you want to do using iptables.

womble
  • It seems to be working while the IP is correct (before another IP is assigned for the DDNS). I have added an example and more description – Saifis Jan 19 '10 at 07:50
  • Yes, that's exactly the symptoms you'll see. – womble Jan 19 '10 at 08:11
  • 1
    womble is correct. If you view the chain using iptables -Lnv ACCEPT_PERSONAL you will see that the rules reference the IP, not the hostname. You can schedule a cron job to replace the rules on a semi-regular basis, which would "freshen" the IP fairly well. – jeff Jan 21 '10 at 20:17
  • If you still need to do this, you could write yourself a script called by cron that periodically deletes the old rule(s) and adds a new one based on the DDNS name. – Zoredache Jan 23 '10 at 20:30
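A cron-driven refresh of the kind the two comments above describe, written here as an added example rather than code from the thread. It assumes the chain name ACCEPT_PERSONAL and the two hostnames from the question (both overridable through the CHAIN and HOSTS environment variables), IPv4 only, getent for resolution, and that the chain already exists and is jumped to from INPUT. The caveat worth building in is the question's own failure mode in reverse: if DNS does not resolve, the script must leave the existing rules alone rather than flush the chain and lock you out of your own server.

```shell
#!/bin/sh
# ddns-allow.sh: rebuild an iptables chain from DDNS hostnames on a schedule.
# Added example, not code from the thread. Assumptions: chain ACCEPT_PERSONAL
# already exists and is jumped to from INPUT, the hostnames are the ones in
# the question, IPv4 only, and getent is available for resolution.
set -u

CHAIN="${CHAIN:-ACCEPT_PERSONAL}"
HOSTS="${HOSTS:-xxx.dns.com yyy.dns.com}"

# True if $1 looks like a dotted-quad IPv4 address.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print one "host ip" line per A record for every name in $HOSTS.  A name
# that fails to resolve prints "host -" so the failure is visible downstream.
resolve_all() {
    for h in $HOSTS; do
        ips=$(getent ahostsv4 "$h" 2>/dev/null | awk '{print $1}' | sort -u)
        if [ -z "$ips" ]; then
            printf '%s -\n' "$h"
        else
            for ip in $ips; do printf '%s %s\n' "$h" "$ip"; done
        fi
    done
}

# Read "host ip" lines on stdin and print the iptables argument lines that
# rebuild the chain: a flush, then one -s rule per valid address.  Anything
# that is not an IPv4 literal is skipped, and if that leaves no rule at all
# the function returns 1 without printing the flush, so a DNS outage can
# never empty the chain and lock you out.
rules_from_list() {
    chain="$1"
    n=0
    rules=""
    while read -r host ip; do
        is_ipv4 "$ip" || continue
        rules="${rules}-A $chain -s $ip/32 -j ACCEPT
"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ] || return 1
    printf '%s\n' "-F $chain"
    printf '%s' "$rules"
}

# Resolve, build and apply.  Every output line of rules_from_list is one
# iptables invocation.  DRY_RUN=1 prints the commands instead of running them.
refresh_chain() {
    rules=$(resolve_all | rules_from_list "$CHAIN") || {
        echo "refusing to touch $CHAIN: no hostname resolved to an address" >&2
        return 1
    }
    printf '%s\n' "$rules" | while read -r line; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "iptables $line"
        else
            # shellcheck disable=SC2086 -- word-splitting the line is the point
            iptables $line
        fi
    done
}

# Only act when invoked as "ddns-allow.sh run" (from cron); sourcing the
# file for tests runs nothing.
if [ "${1:-}" = run ]; then
    refresh_chain
fi
```

Run it from cron with something like `*/5 * * * * /usr/local/sbin/ddns-allow.sh run`, and try `DRY_RUN=1 ./ddns-allow.sh run` first to see the commands it would issue. Two things to keep in mind: the rules Webmin shows will still contain literal IPs, because that is all the kernel ever stores, and a DDNS record can lag the real address change by its TTL plus the client's update interval, so an out-of-band path such as the hosting provider's console remains the only real safety net.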
0

You have mentioned that you are checking against listed DDNS addresses. Many times I have seen that these lists are not 100% reliable. My own static IP is categorised as dynamic in some lists. So maybe the public IP from which you tried to access your machine also got into the DDNS list. If you are trying to protect your system from SSH attacks I would suggest something like DenyHosts.

proy
0

As womble said, iptables does its name resolution when rules are loaded. You might want to manage access using hosts.allow, e.g.

sshd: xxx.dns.com
sshd: yyy.dns.com

You could also manage access using "AllowUsers" in sshd_config. Either method would look up your address at connection time.

Gerald Combs
-1

fail2ban has worked great for me on my virtual server. It can be configured to work with multiple services: SSH, FTP, etc. I currently use it to block brute-force attempts on SSH and FTPS. It will auto-ban the IP for a time period using iptables after X failed attempts to log into your server.

jlintz