# dyniptables

Rebuild a dynamic iptables chain with DNS lookups of named hosts.

### Server prep and usage:

1. Place the script in /usr/local/sbin/dyniptables.sh (root:root, 0744)

2. Add to the system's on-boot iptables rules a new filter chain and a (j)ump to it:

```
:DYNAMIC - [0:0]
-A INPUT -j DYNAMIC
```

...where DYNAMIC is the name of the $DCHAIN in dyniptables.conf

3. Add to root's crontab a refresh every 6 hours:

```
5 */6 * * * /usr/local/sbin/dyniptables.sh
```

4. Add an override.conf to the systemd iptables startup:

DEB clones: `systemctl edit netfilter-persistent.service`

or

RPM clones: `systemctl edit iptables.service` (IPv4) and `systemctl edit ip6tables.service` (IPv6)

DEB, all rules in one unit (systemd does not treat a trailing `#` as a comment, so keep the line bare):

```
[Service]
ExecStartPost=/usr/local/sbin/dyniptables.sh
```

or RPM, one override per unit (`-4` in iptables.service, `-6` in ip6tables.service):

```
[Service]
ExecStartPost=/usr/local/sbin/dyniptables.sh -4
```

```
[Service]
ExecStartPost=/usr/local/sbin/dyniptables.sh -6
```
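As an added illustration of what such a refresh does (this is not the project's dyniptables.sh), the POSIX shell sketch below resolves each named host with getent, emits an iptables-restore fragment that flushes only the dynamic chain and re-adds one rule per address, and loads it with `--noflush` so the rest of the on-boot ruleset from step 2 is untouched. The chain name, the host list, the ACCEPT policy and the basename guard at the end are assumptions.

```shell
#!/bin/sh
# Added example, not the project's dyniptables.sh. Rebuilds one filter chain
# from the current DNS answers for a list of host names (chain name, host list
# and the ACCEPT policy below are assumptions, not taken from the project).
DCHAIN="${DCHAIN:-DYNAMIC}"                                  # $DCHAIN of step 2
HOSTS="${HOSTS:-vpn.example.net backup.example.net}"         # constructed names

# resolve_addrs FAMILY HOST: print the unique A (4) or AAAA (6) addresses of HOST
resolve_addrs() {
  if [ "$1" = 4 ]; then db=ahostsv4; else db=ahostsv6; fi
  getent "$db" "$2" 2>/dev/null | awk '{print $1}' | sort -u
}

# rules_from_addrs CHAIN ADDR...: emit an iptables-restore fragment that flushes
# CHAIN and re-adds one ACCEPT per address. Anything not made of address
# characters is dropped, so an odd DNS answer cannot smuggle extra rule text.
rules_from_addrs() {
  chain="$1"; shift
  printf '*filter\n-F %s\n' "$chain"
  for a in "$@"; do
    case "$a" in
      ""|*[!0-9a-fA-F:.]*) continue ;;
    esac
    printf '%s\n' "-A $chain -s $a -j ACCEPT"
  done
  printf 'COMMIT\n'
}

# rebuild FAMILY: resolve every host, then load the chain atomically.
# --noflush keeps every other chain; only $DCHAIN is flushed by the fragment.
rebuild() {
  fam="$1"; addrs=""
  for h in $HOSTS; do
    addrs="$addrs $(resolve_addrs "$fam" "$h")"
  done
  if [ "$fam" = 4 ]; then tool=iptables-restore; else tool=ip6tables-restore; fi
  rules_from_addrs "$DCHAIN" $addrs | "$tool" --noflush
}

# Same -4 / -6 switches as the ExecStartPost lines in step 4; no flag does both.
main() {
  case "${1:-}" in
    -4) rebuild 4 ;;
    -6) rebuild 6 ;;
    *)  rebuild 4 && rebuild 6 ;;
  esac
}

# Only run when installed under the step 1 name; otherwise just define functions.
case "${0##*/}" in dyniptables.sh) main "$@" ;; esac
```

Run it as root under the step 1 path; the fragment printed by `rules_from_addrs` can be inspected on its own before anything is loaded.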

SPDX-License-Identifier: MIT