IPtables WhiteList Updater for Remote Sites NOT hotels
Good idea. You and MichiganTelephone are on the same page. We're going to write this up in coming weeks on Nerd Vittles, but here's a first cut at the script. Once set up at both ends, it's all automagic.
PREREQUISITES
First, create a FQDN for your remote phone/site using a service that supports automatic updating of dynamic IP addresses. We would recommend DynDNS primarily because we've always used them and they have good tools.
At the remote end, you'll need either a router or a PC, Mac, or Linux box that keeps the IP address of the FQDN up to date using a service such as DynDNS. Here are the clients. Simply stated, you're setting up a FQDN for each site that has one or more remote phones, and you're putting an auto-update system in place to keep the FQDN current.
At your server, you add shell scripts like the one below for each location. Name them so you can remember which script goes with which phone. In each script, you specify the FQDN and phone name (no punctuation or spaces in the phone name because this becomes a temporary file!) for each remote phone or site. Then add an entry in /etc/crontab to run the script every 5 or 10 minutes.
Code:
#!/bin/bash
# Re-point the firewall rule for one remote site when its dynamic DNS address changes.
fqdn="mundy.org"
phone="ipremote"      # letters/digits only: it is also the name of the state file
# The state file is written in the current directory, so run this from a fixed one.
#iptest=`ping -c 1 $fqdn | head -1 | cut -f 2 -d "(" | cut -f 1 -d ")"`
# Take the last IPv4 "Address:" line of the answer; this skips the resolver's own
# "Address: x.x.x.x#53" line and any IPv6 answer.
iptest=$(nslookup "$fqdn" | awk '/^Address/ && $NF ~ /^[0-9]+(\.[0-9]+){3}$/ {ip=$NF} END {print ip}')
# An empty lookup (DNS outage, typo in the FQDN) must not delete the working rule.
if [ -z "$iptest" ]; then
    echo "Lookup of $fqdn failed; rules left unchanged"
    exit 1
fi
if [ ! -s "$phone" ]; then
    echo "1.1.1.1" > "$phone"   # placeholder so the first run has something to delete
fi
iplast=$(cat "$phone")
if [ "$iptest" != "$iplast" ]; then
    echo "Don't match"
    /sbin/iptables -D INPUT -s "$iplast/32" -p udp -m udp --dport 5000:5082 -j ACCEPT
    /sbin/iptables -A INPUT -s "$iptest/32" -p udp -m udp --dport 5000:5082 -j ACCEPT
    echo "Dropped: $iplast"
    echo "Added : $iptest ($phone: $fqdn)"
    service iptables save
    echo "$iptest" > "$phone"
    # iptables -nL
else
    echo "Matched: $iptest"
fi
We recommend you continue to use Travelin' Man for traveling to hotels and temporary stays at remote sites.
P.S. I liked Dad311's nslookup idea. Works much better than ping which may not always be available on a remote site or phone.
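A hardened variant of the updater, added here as an example and not part of the original post: it handles several remote sites from one table instead of one script per site, validates the resolved address before touching iptables, and keeps the old rule when the lookup fails. The state directory /var/lib/ipwhitelist, the "sites" table format and the IPTABLES/STATE_DIR overrides are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original post's script: one updater for several remote sites that
# validates the looked-up address before touching iptables and keeps the old rule when the
# lookup fails (an empty result would otherwise lock the phone out). Assumptions: IPv4 only;
# site table and state files under /var/lib/ipwhitelist (hypothetical); IPTABLES=true dry-runs.
IPTABLES=${IPTABLES:-/sbin/iptables}
STATE_DIR=${STATE_DIR:-/var/lib/ipwhitelist}
PORTS=5000:5082             # the same UDP range the post whitelists
# True only for a dotted quad with every octet 0-255; rejects an empty lookup result.
ipv4_valid() {
    case $1 in *[!0-9.]*|''|.*|*.|*..*) return 1 ;; esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do [ "$_o" -le 255 ] || return 1; done
}
# First IPv4 address of an FQDN, or nothing when resolution fails.
resolve_ipv4() { getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'; }
# Decide what to do for one site ($1 = new address, $2 = last known): update, same or skip.
plan_action() {
    if ! ipv4_valid "$1"; then echo skip     # failed or garbled lookup: keep the old rule
    elif [ "$1" = "$2" ]; then echo same
    else echo update; fi
}
# Move the ACCEPT rule from $2 to $1: add first so the site is never without a rule,
# use -C to avoid a duplicate, and only then delete the stale one.
swap_rule() {
    "$IPTABLES" -C INPUT -s "$1" -p udp -m udp --dport "$PORTS" -j ACCEPT 2>/dev/null ||
    "$IPTABLES" -A INPUT -s "$1" -p udp -m udp --dport "$PORTS" -j ACCEPT || return 1
    [ -n "$2" ] && "$IPTABLES" -D INPUT -s "$2" -p udp -m udp --dport "$PORTS" -j ACCEPT
    return 0
}
# One site: $1 = FQDN, $2 = short name (letters, digits, _ or -) that names its state file.
update_site() {
    case $2 in *[!A-Za-z0-9_-]*|'') echo "bad site name: $2" >&2; return 1 ;; esac
    new=$(resolve_ipv4 "$1"); last=""
    [ -f "$STATE_DIR/$2" ] && last=$(cat "$STATE_DIR/$2")
    case $(plan_action "$new" "$last") in
        update) swap_rule "$new" "$last" && printf '%s\n' "$new" > "$STATE_DIR/$2" &&
                changed=1 && echo "$2 ($1): $last -> $new" ;;
        same)   echo "$2 ($1): unchanged $new" ;;
        skip)   echo "$2 ($1): lookup failed, keeping $last" >&2 ;;
    esac
}
changed=0   # site table: one "fqdn name" per line, e.g. "remote1.example.net ipremote" (constructed)
if [ -f "$STATE_DIR/sites" ]; then
    while read -r fqdn name; do update_site "$fqdn" "$name"; done < "$STATE_DIR/sites"
    [ "$changed" -eq 1 ] && service iptables save
fi
```

Run it from cron the same way as the per-site script; a site whose lookup fails is reported on stderr and keeps its existing rule until the next successful run.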