Using IPTables edit rules with Dynamic IP hostnames like

Attention: open in a new window. PDFPrintE-mail


Whenever IPTables has a hostname in a rule it looks up the hostname’s IP address and uses that instead of the actual hostname – so it’s stuck with the IP until the next time IPTables is flushed/restarted. Here’s a quick little python script to stick in a crontab which checks the IP of your dynamic IP hostname (free ones provided by and will restart iptables if it catches a change in your hostname. The script was made for CentOS so should work on Red Hat based distributions – if you don’t have an /etc/init.d/iptables file you’ll have to modify the reload iptables command in the source. Viewable Source After Jump


I just set this up as root and in root’s crontab.

Download Source


import os
def gettextoutput(cmd):
    """Return (status, output) of executing cmd in a shell."""
    pipe = os.popen('{ ' + cmd + '; } 2>&1', 'r')
    pipe = os.popen(cmd + ' 2>&1', 'r')
    text =
    if text[-1:] == '\n': text = text[:-1]
    return text
home_dyndns = ""
log_dyndns = "./new_home_ip_check.log"
last_dyndns = gettextoutput("cat " + log_dyndns)
cur_dyndns = gettextoutput("host " + home_dyndns)
print "Log: "+ last_dyndns
print "Cur: "+ cur_dyndns
if last_dyndns == cur_dyndns:
    print "IPs match, no restart necessary"
    print "Updating last IP with current"
    os.system("echo '" + cur_dyndns + "' > " + log_dyndns)
    print "Restarting iptables to update"
    os.system("/etc/init.d/iptables restart")

Output looks like:

Log: has address
Cur: has address
IPs match, no restart necessary
Log: has address
Cur: has address
Updating last IP with current
Restarting iptables to update
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]
Be Sociable, Share!

So I couldn’t get the dns name in the IP tables to work so I took your idea and wrtoe a bash script that looks up the host name adds it to the iptables and if the IP changes removes the old rule and adds a new one for the new ip.

#allow a dyndns name


Current_IP=$(host $HOSTNAME | cut -f4 -d' ')

if [ $LOGFILE = "" ] ; then
iptables -I INPUT -i eth1 -s $Current_IP -j ACCEPT
echo $Current_IP > $LOGFILE

Old_IP=$(cat $LOGFILE)

if [ "$Current_IP" = "$Old_IP" ] ; then
echo IP address has not changed
iptables -D INPUT -i eth1 -s $Old_IP -j ACCEPT
iptables -I INPUT -i eth1 -s $Current_IP -j ACCEPT
echo $Current_IP > $LOGFILE
echo iptables have been updated

then just add this line to your crontab and it will check every 5 mins and keep your iptables up-to-date.
*/5 * * * * /root/ > /dev/null 2>&1