Hack3r.com has a vast set of Firewall instructions to monitor/drop all sorts of traffic and to allow only certain information from specific IP's.

We need an application that will read from a template firewall rules file, and replace variables with new IPs based on a ping.

Pseudo code would be

Scan file for dns names such as ocyrus.mine.nu
Grab ips of all dns names
Scan through beginning of template file finding and replacing hostnames with ips
save to temp file
run temp file

Example of beginning of firewall script template


After the scan, the template file that has been created would look like this:


and then commands in our firewall script that run like this:

iptables -A INPUT -i eth0 -p tcp -s $OCYRUS --dport 3306 -j ACCEPT

will work.

The reason we need this is because not everyone has a static IP. And people who need to be able to get to things like SVN (port 81) trac (port 8000), its very difficult to keep trac of this. Id much rather users provide us with a DNS and then it is their job to keep their DNS up to date.

The template file can be formatted in anyway shape or form that makes it easier to search and replace. I would prefer this to be a script rather than compiled application, however if it is compiled, I will need to see the source and be able to compile it myself.

Whoever gets this app done will get a hack3r.com t-shirt with there name on it.

If you have any questions ask them here.

Well I knocked up a really simple script that does what you want:

=================== Firewall.sh ===========================



# iterate through the dns.conf file
for client in `cat dns.conf`; do
# Lets get the IP address for each host. If the FQDN has more than one IP address
# just take the first one
ClientIP=`dig $client | grep -v ";" | grep -i $client | awk '{ print $5 }' | head -n 1`

$IPTABLES -A INPUT -i eth0 -p tcp -s $ClientIP --dport 3306 -j ACCEPT


Just put that script in a cron job and it should work fine. There also needs to be
a configuration file in the same directory called "dns.conf". DNS names should be
entered on individual lines e.g.


Sorry rpag hit me up with the script the other day, but hopefully anyone wishing to solve this problem will use yours since its public :) Thanks mate.