Quoting Cameron Nikitiuk <[EMAIL PROTECTED]>:

My work wants me to set up remote administration to the office, but there are a couple of challenges and I am hoping you guys can help.

My former boss was doing this before & I know I can write rules based on my IP address and such, but to complicate things, there is an appliance that provides failover for our WAN connections. My boss confirmed that once that was installed, he was not able to remote in anymore.

These are the questions/challenges I see myself facing and any input would be welcome: 1) Being on Shaw I have a dynamic IP and as such I may lose remote capability if my IP changes. Would I be able to use one of those free DNS services and then reference that name in the IPTables rules to provide connectivity based on that name? IIRC, there are programs available for these services that will run in the background and will keep the IP address of your router (in my case a D-Link DI-604) updated with the DNS service.

I use an iptables script called gshield. I simply run it in a cron job every couple of hours as it autodetects your IP (it parses the output from ifconfig, I believe).

I use dyndns.org for updating the IP and name of dynamically connected hosts. Then in our DNS server I use a CNAME to point to the dynamic name.

E.g.
vpn  IN CNAME  hostname.somedyn.dns.

then vpn.mydomain.tld never has to be updated.

Fortunately Shaw IPs don't change too often, usually once every 1-1.5 years.

2) Would the IPTables rules work with a domain name? Example: computer.dnsservice.com (which has a public IP of 1.2.3.4)

Sure, here is an example for external rsync access:
# The name is resolved when the rule is added (one rule per address returned),
# so the rule has to be re-added whenever the name's address changes.
iptables -A IN_EXT -p tcp --dport 873 -s hostname.foo.bar -j ACCEPT

3) What would need to be done with the appliance to ensure that I could connect through it? Would I need to establish a VPN tunnel or would I need to do something with port forwarding?

Depends on the appliance. Maybe all you need is to port forward ssh or rdp. What is the appliance?

4) If I change any IPTables rules, would I need to reboot the firewall? Restart the service?

No. A good script will flush all previous rules before running its own. Do this at the beginning of your own iptables script. No reboot necessary.

# Flush rules in the built-in chains of the filter and nat tables.
# This empties the chains only; user-defined chains (e.g. IN_EXT above)
# stay in place and would need "iptables -X" to be removed.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -t nat -F OUTPUT

# Default policies while the rest of the script loads its own rules;
# the host accepts everything until the script tightens these again.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

5) Anything else anyone can think of?

Would like to get this resolved ASAP, so if anyone can come up with any ideas?




--
No trees were harmed in the transmission of this message, however a large number
of electrons were seriously inconvenienced.
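The two points above (a hostname in an iptables rule is resolved once, when the rule is added, and a script that flushes first leaves the box open until its own rules are back) can be combined into one cron job. The script below is an added example and is not code from the thread or from gshield. It re-resolves the dynamic-DNS name, refuses to reload unless the name comes back as exactly one IPv4 address, and hands the whole filter table to iptables-restore so the rules are swapped atomically instead of flush-then-rebuild. ADMIN_HOST, WAN_IF, STATE_FILE, the chain name IN_EXT and the ports (22 and 873) are assumptions for the sake of the example.

```shell
#!/bin/sh
# Added example, not from the thread or gshield. Cron-driven reload of a
# minimal ruleset keyed on a dynamic-DNS name, applied via iptables-restore.

ADMIN_HOST="${ADMIN_HOST:-hostname.somedyn.dns}"  # dyndns name of the admin box (assumed)
WAN_IF="${WAN_IF:-eth0}"                          # external interface (assumed)
STATE_FILE="${STATE_FILE:-/var/run/admin-ipv4}"   # last address loaded (assumed path)

# Strict dotted-quad check: exactly four numeric octets, each 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Accept the resolver output only if it is exactly one valid IPv4 address.
# No address, or several, is not what a single admin host should return,
# so fail closed and keep the rules already loaded.
select_single_ipv4() {
    [ -n "$1" ] || return 1
    [ "$(printf '%s\n' "$1" | wc -l | tr -d ' ')" -eq 1 ] || return 1
    is_ipv4 "$1" || return 1
    printf '%s\n' "$1"
}

# Resolve the name right now; getent goes through nsswitch, so /etc/hosts
# and the system resolver are both honoured.
resolve_ipv4() {
    select_single_ipv4 "$(getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u)"
}

# Emit the filter table in iptables-save format. Only the admin address may
# reach ssh and rsync from the WAN; everything else inbound is dropped.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:IN_EXT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN_IF -j IN_EXT
-A IN_EXT -p tcp --dport 22 -s $1/32 -j ACCEPT
-A IN_EXT -p tcp --dport 873 -s $1/32 -j ACCEPT
COMMIT
EOF
}

# Reload only when the address changed. iptables-restore replaces the table
# in one step, so there is no window with empty chains and ACCEPT policies.
refresh_rules() {
    _ip=$(resolve_ipv4 "$ADMIN_HOST") || {
        echo "$ADMIN_HOST did not resolve to one IPv4 address; keeping current rules" >&2
        return 1
    }
    if [ -r "$STATE_FILE" ] && [ "$(cat "$STATE_FILE")" = "$_ip" ]; then
        return 0
    fi
    build_ruleset "$_ip" | iptables-restore || return 1
    printf '%s\n' "$_ip" > "$STATE_FILE"
}

# Usage: "./admin-fw.sh apply" from cron; "./admin-fw.sh show" prints the
# ruleset that would be loaded without touching the kernel.
case "${1:-}" in
    apply) refresh_rules ;;
    show)  _ip=$(resolve_ipv4 "$ADMIN_HOST") && build_ruleset "$_ip" ;;
esac
```

Run it from cron every couple of hours as the thread suggests; when the dynamic name has not moved the state file short-circuits the reload, and when resolution fails the existing rules stay in place rather than being flushed.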

