Hi Kevin -
On Sat, 2005-02-19 at 00:49 -0500, Kevin Old wrote:
...
1) Is there I can allow a dynamic hostname to have unlimited access to
the server? For example, if I'm a Comcast subscriber the hostname to
my cable modem is 12-134345-112.nashville.comcast.com or something
like that. Is there a way I can create a firewall rule to allow all
*.nashville.comcast.com requests for any port rather than a static IP?
One way to do this is to determine the WAN mac address of your cable
modem - the one associated with the 12-134345-112.nashville.comcast.com
hostname. Then, inside your iptables script, filter based on -m tcp --
mac-source 00:11:22:33:44:55 to match any packets from your home.
To take this even further, you can also use the source ip filter (-s
111.222.333.444). Determine the WAN IP associated with your cable
modem. I know you said this is dynamic, but *usually* the changes in IP
are only in the host number, not the network/subnet number.
So, if your current host IP is 111.222.333.444, then the 444 might
change between dhcp leases, but most cable providers leave you on the
same subnet (.333). An example iptables line
from /etc/sysconfig/iptables is below (this allows incoming ssh requests
from any host on the 111.222.333.0 network with the appropriate mac
address):
-A INPUT -p tcp -m mac --mac-source 00:11:22:33:44:55 -m tcp -s
111.222.333.0/24 --dport 22 -j ACCEPT
Of course, this would lock it down specifically to your home modem and
not the entire *.nashville.comcast.com network.
This is my first post to this list, so pardon any assumptions my reply
makes - feel free to contact me with any questions or comments regarding
this reply.
Gina Montgomery (gmontgomery@gapsinc.com)
System Administrator
Global Anti-Piracy Systems, Inc.
