IPSet Updater is a Bash script designed to resolve hostnames with dynamic DNS and update IPs via ipset to whitelist in iptables. The net result is that you're effectively able to whitelist by hostname, which is quite helpful for clients with dynamic IPs. A good use case for this is locking down a Web server's SSH access by using iptables as a firewall, while having the ability to allow the legitimate owner of the server to access it via whitelist. By monitoring the result of resolving our dynamic DNS hostname(s), we get the IP(s) that must be whitelisted for access.
If you're not already using iptables as a firewall nor dynamic DNS and have no wish to start, then you probably won't get much use out of this script.
Word of Caution
The script immediately flushes the
ipsetafter resolving configured hostnames to keep it clean of stale entries. However, if you run this on any of your servers with a large amount of time between executions, you'll need to either run it more frequently (I use every 5 minutes incrontab) or manually check the whitelist regularly & remove stale entries for IPs from which you no longer connect.Note that connecting to your server from an untrusted/public network like a cafe or library while using this utility can create significant security risks. Use your brain.
- Resolves hostnames with dynamic DNS
- Updates IPs using
ipsetfor use iniptables(whitelisting, blacklisting, routing rules, etc.) - Designed for use in
crontab - Requires root access
If you've ever wanted to do the following in iptables but for hostnames with dynamic IPs, you've come to the right place.
- Whitelisting
- Blacklisting
- Routing rules
- Create your
ipset& whitelist it in youriptablessetup. - Adjust the configurable parameters as instructed below, add the
lynyx-ipset-updaterscript to yourcrontab(e.g. every 5 min), and you're done!
Create your ipset as a hash:ip type revision 4. All of the following assumes root.
ipset create my-whitelist hash:ip family inet hashsize 1024 maxelem 65536Assuming a restrictive firewall is already in place via iptables, add the following entry to whitelist your ipset for port 22 (SSH).
-A INPUT -p tcp -m tcp --dport 22 -m set --match-set my-whitelist src -j ACCEPT
Set the environment variables while adding to a new .liu_bashrc for persistence with crontab.
cat << EOF >> ~/.liu_bashrc
> export LIU_IPSET_NAME="my-whitelist"
> export LIU_DOMAIN="dyndns.com"
> export LIU_SUB1="alpha"
> export LIU_SUB2="beta"
> # Add any more subdomains you need
> EOFAdd the script to crontab. This example runs every 5 minutes and redirects console output to a log file. Logging is optional but recommended.
*/5 * * * * BASH_ENV=/root/lynyx-custom-tools/.liu_bashrc /root/lynyx-custom-tools/lynyx-ipset-updater >> /var/log/lynyx-custom-tools/lynyx-ipset-updater.log 2>&1`All done. Sit back and let the magic happen.
read -r ipsetname domain <<<$(echo "${LIU_IPSET_NAME}" "${LIU_DOMAIN}") && read -a subdomains <<< "${LIU_SUB1} ${LIU_SUB2} ${LIU_SUB3}"Set the environment variables with your desired values according to the guide below. Don't forget to add them to appropriate .*rc file so they persist for the user under whom you'll be running lynyx-ipset-updater. Keep in mind you typically need root privileges in order to use ipset.
| Variable | Description |
|---|---|
LIU_IPSET_NAME |
Name of the ipset used specifically for your whitelisted hosts. Doesn't matter what it is but use a name you'll recognize. |
LIU_DOMAIN |
The script is simple and assumes you'll connect from a single domain... but you can use as many subdomains as you like. See below. |
LIU_SUB1 / LIU_SUB2 / LIU_SUB3 |
Set these to match only the subdomain portion of your whitelisted hostnames. If you don't need more than one, just delete the excess. |
The script logs its activity. The log format is:
[timestamp] | [logger] | [status] | [message]
resolve_cmd() { dig +short $1; }ipsetflush_cmd() { ipset flush $ipsetname; }ipsetadd_cmd() { ipset add $ipsetname $1; }ipsetlist_cmd() { ipset list $ipsetname; }This project is licensed under the MIT License.
- EnzanNoMetsuke 3458546+EnzanNoMetsuke@users.noreply.github.com - author of the original script