
Capturing IP address

 
 
Awie
07-12-2003, 05:56 PM
All,

Is there a command to capture the IP address of an interface?

For example:

External_IP="the_command_to_capture eth0"

IPTABLES -A INPUT -s 0/0 -d $External_IP -p tcp.... bla..bla

It will be helpful for me to put in the F/W script. If I change the IP
address (and re-start machine), the script will automatically protect the
new IP address.

Thx & Rgds,

Awie
 
Art Garret
07-12-2003, 06:13 PM
Instead of using -d and specifying the IP address of the external interface,
you should use -i and specify the external interface by name, example:

IPTABLES -A INPUT -s 0/0 -i eth1 -p tcp.... bla..bla

If your external interface is eth1.

However, based on your statement of wanting to "protect" your "external IP,"
it seems to me that your approach is upside down. Instead of making specific
rules to prevent or "protect" access to the machine, you should deny all
traffic and then make specific rules to allow the traffic you want.

for example:

# default policy drop ALL packets to the INPUT chain
iptables -P INPUT DROP

#expressly allow all traffic from my internal network:
iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT

#expressly allow web traffic:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

and so on.... That way you don't need to worry about what your external IP
address is. The only time you should need to worry about what your current
external IP address is is with SNAT targets.

Note that the above doesn't include rules for the OUTPUT and FORWARD chains.

Hope this helps.


"Awie" wrote in message:
> All,
>
> Is there a command to capture IP address of interface?
>
> For example:
>
> External_IP="the_command_to_capture eth0"
>
> IPTABLES -A INPUT -s 0/0 -d $External_IP -p tcp.... bla..bla
>
> It will be helpful for me to put in the F/W script. If I change the IP
> address (and re-start machine), the script will automatically protect the
> new IP address.
>
> Thx & Rgds,
>
> Awie



 
Nathan
07-13-2003, 03:56 AM
"Awie" wrote in message:
> All,
>
> Is there a command to capture IP address of interface?
>
> For example:
>
> External_IP="the_command_to_capture eth0"
>
> IPTABLES -A INPUT -s 0/0 -d $External_IP -p tcp.... bla..bla
>
> It will be helpful for me to put in the F/W script. If I change the IP
> address (and re-start machine), the script will automatically protect the
> new IP address.


In my firewall script (a bash script), I have:

WANIP=`/sbin/ifconfig $WANIF | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`
where $WANIF is the interface name.


HTH

Nathan


 
SPAM_FREE
07-13-2003, 01:33 PM
"Awie" wrote in message:

> Is there a command to capture IP address of interface?
>
> For example:
>
> External_IP="the_command_to_capture eth0"
>
> IPTABLES -A INPUT -s 0/0 -d $External_IP -p tcp.... bla..bla
>
> It will be helpful for me to put in the F/W script. If I change the IP
> address (and re-start machine), the script will automatically protect
> the new IP address.


pppd returns your connection speed, ip-address etc. as arguments to your
ip-up script.

I add specific External_IP rules from ip-up and $4 tells those rules
the new address every time pppd comes up. I just put

/etc/firewall/rules_ip-up $4 into pppd's ip-up


and this is rules_ip-up

##########################################################################
#
# Modify Rules for Current IP
#
##########################################################################

# Source the configuration file
. /etc/firewall/config

$IPTABLES --replace INPUT 5 -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES --replace INPUT 6 -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES --replace OUTPUT 5 -p ALL -s $INET_IP -j ACCEPT

----------------------------------------------------------------------------


Note the use of (--replace) ---- replace input rule 5, replace input
rule 6, replace output rule 5


config assigns the variables used in rules_ip-up and the rest of my
firewall rules

config is just
# The Loopback interface defines should not be
# edited unless your Linux distribution defines
# these differently.

LO_IFACE="lo" # The loopback interface
LO_IP_RANGE="127.0.0.0/8" # Reserved Loopback Address Range
LO_IP="127.0.0.1"

#------------------------
# your setup
#------------------------

IPTABLES="/usr/local/sbin/iptables"
INET_IFACE="ppp0"

# Local Area Network configuration.
LAN_IFACE="eth0"
LAN_IP_RANGE="192.168.7.0/24"
LAN_IP="192.168.7.1"

INET_IP=$1
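
Added example, not part of any post in this thread: Nathan's ifconfig parse and the $4 that pppd hands to SPAM_FREE's ip-up script both put an address into a shell variable that is then expanded into iptables arguments. The sketch below validates that value first and refuses to build a rule from an empty or malformed one; the function names, sample outputs and 203.0.113.x addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Addresses are constructed documentation values.

# Constructed sample of old-style `ifconfig ppp0` output.
SAMPLE_UP='ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.7  P-t-P:203.0.113.1  Mask:255.255.255.255
          inet6 addr: fe80::1/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'
# Constructed sample of an interface that has no IPv4 address yet.
SAMPLE_NOADDR='eth0      Link encap:Ethernet  HWaddr 02:00:00:00:00:01
          UP BROADCAST MULTICAST  MTU:1500  Metric:1'

# first_ipv4: read interface text on stdin and print its first IPv4 address.
# Accepts "inet addr:A.B.C.D" (old ifconfig), "inet A.B.C.D" (new ifconfig)
# and "inet A.B.C.D/NN" (ip addr show); inet6 lines never match $1 == "inet".
first_ipv4() {
    awk '$1 == "inet" { a = $2; sub(/^addr:/, "", a); sub(/\/.*/, "", a); print a; exit }'
}

# is_ipv4 ADDR: succeed only for four dot-separated decimal octets, each 0..255,
# with no leading zeros (some parsers read "010" as octal).
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# input_rule_for ADDR: print the rule for ADDR (the INPUT rule from SPAM_FREE's
# post, shown with -A), or print nothing and fail when ADDR is not valid.
input_rule_for() {
    is_ipv4 "$1" || { echo "no usable address: '$1'" >&2; return 1; }
    echo "iptables -A INPUT -d $1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# rule_from_ifconfig TEXT: Nathan's parse step followed by the validation.
rule_from_ifconfig() {
    input_rule_for "$(printf '%s\n' "$1" | first_ipv4)"
}

rule_from_ifconfig "$SAMPLE_UP"
```

In an ip-up script the same check would be applied to the fourth argument, the local address pppd passes in, before any rule is replaced.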





 
SPAM_FREE
07-13-2003, 01:38 PM
ynotssor wrote:
> "Awie" wrote in message:
>
>
>>Is there a command to capture IP address of interface?
>>
>>For example:
>>
>>External_IP="the_command_to_capture eth0"
>>
>>IPTABLES -A INPUT -s 0/0 -d $External_IP -p tcp.... bla..bla
>>
>>It will be helpful for me to put in the F/W script. If I change the IP
>>address (and re-start machine), the script will automatically protect
>>the new IP address.

>
>
> Why not use the "-i $Interface_name" (e.g., -i ppp0) option and let the
> machine sort it?
>


Because then you're accepting input for any ip-address from the external
interface, i.e. not rejecting/dropping anything; you're sorting everything
that's out there and not just packets directed to your assigned ip-address.

 
Awie
07-13-2003, 01:42 PM
I have tried to put the interface and got a problem. However, I need the IP
address instead of the interface in the script.

"Art Garret" wrote in message:
> Instead of using -d and specifying the IP address of the external interface,
> you should use -i and specify the external interface by name, example:
>
> IPTABLES -A INPUT -s 0/0 -i eth1 -p tcp.... bla..bla
>
> If your external interface is eth1.
>
> However, based on your statement of wanting to "protect" your "external IP,"
> it seems to me that your approach is upside down. Instead of making specific
> rules to prevent or "protect" access to the machine, you should deny all
> traffic and then make specific rules to allow the traffic you want.
>
> for example:
>
> # default policy drop ALL packets to the INPUT chain
> iptables -P INPUT DROP
>
> #expressly allow all traffic from my internal network:
> iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
>
> #expressly allow web traffic:
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>
> and so on.... That way you don't need to worry about what your external IP
> address is. The only time you should need to worry about what your current
> external IP address is is with SNAT targets.
>
> Note that the above doesn't include rules for the OUTPUT and FORWARD chains.
>
> Hope this helps.
>
>
> "Awie" wrote in message:
> > All,
> >
> > Is there a command to capture IP address of interface?
> >
> > For example:
> >
> > External_IP="the_command_to_capture eth0"
> >
> > IPTABLES -A INPUT -s 0/0 -d $External_IP -p tcp.... bla..bla
> >
> > It will be helpful for me to put in the F/W script. If I change the IP
> > address (and re-start machine), the script will automatically protect the
> > new IP address.
> >
> > Thx & Rgds,
> >
> > Awie

 
Awie
07-13-2003, 11:26 PM
"Nathan" wrote in message:
> "Awie" wrote in message:
> > All,
> >
> > Is there a command to capture IP address of interface?
> >
> > For example:
> >
> > External_IP="the_command_to_capture eth0"
> >
> > IPTABLES -A INPUT -s 0/0 -d $External_IP -p tcp.... bla..bla
> >
> > It will be helpful for me to put in the F/W script. If I change the IP
> > address (and re-start machine), the script will automatically protect the
> > new IP address.

>
> In my firewall script (a bash script), I have:
>
> WANIP=`/sbin/ifconfig $WANIF | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`
> where $WANIF is the interface name.
>
>
> HTH
>
> Nathan



Thank you all so much. The suggestion from Nathan is very
effective, smart and works as I expect.

Thx

Awie
 