temporary IP addition to firewall rules
Mike Wright
xktnniuymlla at mailinator.com
Sun Feb 4 18:53:11 UTC 2007
Nathaniel Hall wrote:
> Noah wrote:
>
>>Does anybody have a recommendation for a program out there that would
>>allow somebody to enter an account and password on my website, their
>>IP address is cached, and the cached IP address is added temporarily
>>to the firewall ruleset to be allowed.
>
> I have actually considered doing almost exactly the same thing. What I
> was planning on doing was writing a php page that the user would log in
> with. When they do, then php would run a system command using their IP
> to add a netfilter (iptables) firewall rule. There would then be a cron
> job that runs daily to restart the firewall, thus the added rules would
> be removed.
>
Hi All,
This sounds like a perfect match for ipset.
A single iptables rule could refer to the set and the firewall wouldn't
have to be restarted. Addresses could be added and removed from the set
to provide dynamic access control. (I use this technique to block
miscreants automatically; their own actions put them into the set
without any manual intervention on my part.)
Note that it would require rolling your own kernel.
http://ipset.netfilter.org
:m)
More information about the fedora-list
mailing list