Discussion:
SNAT static vs. dynamic ip = pppoe
Tim Rodriguez
2002-12-01 01:50:34 UTC
Ok, I have loaded the Roaring Penguin pppoe client for my DSL connection and I need to alter my rules script to allow connections out the ppp0 interface that the rp-pppoe client creates. If my understanding is correct (please feel free to make constructive suggestions), if you have a dynamically assigned ip address, it is better to use MASQUERADE.

Example: iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

This is due to the fact that MASQUERADE will obtain the presently assigned dynamic ip address and assign it to every single packet going out through ppp0....correct? So no matter what ip address is dynamically assigned by my ISP I will always have a connection to the Internet via MASQUERADE...correct?

If I have a static ip address, (and I do), it is better to use SNAT.

Example: iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to 1.2.3.4

This will make matters more efficient due to the fact that SNAT automatically assigns the --to 1.2.3.4 ip address to every packet without the overhead of having to obtain the ip address. Is this correct so far?

Now, I have had some problems with my ISP in getting it right with my account statically assigning my ip address...I have had the experience where my ip address has changed in the past, as if my account were set for a dynamically assigned ip address. I have called them and they "supposedly" have fixed this. My ip address has recently stayed static.

To avoid future inabilities to access the Internet, and knowing that my ISP has, in the past, bungled my account, would it be a safer bet to use MASQUERADE even though at the moment my ip address seems to be staying static? They may have finally gotten my account right.

Your comments, constructive suggestions, remarks and confirmations about my thinking will be gratefully appreciated, as always.

Sincerely,
Tim Rodriguez
Network Security Student
Joel Newkirk
2002-12-01 06:11:42 UTC
Post by Tim Rodriguez
Ok, I have loaded the Roaring Penguin pppoe client for my DSL connection and I
need to alter my rules script to allow connections out the ppp0 interface
that the rp-pppoe client creates. If my understanding is correct (please feel
free to make constructive suggestions), if you have a dynamically assigned
ip address, it is better to use MASQUERADE.
Necessary, if the IP changes very often.
Post by Tim Rodriguez
Example: iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
This is due to the fact that MASQUERADE will obtain the presently assigned
dynamic ip address and assign it to every single packet going out
through ppp0....correct? So no matter what ip address is dynamically
assigned by my ISP I will always have a connection to the Internet via
MASQUERADE...correct?
That's the idea.
Post by Tim Rodriguez
If I have a static ip address (and I do), it is better to use SNAT.
Example: iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to 1.2.3.4
This will make matters more efficient due to the fact that SNAT
automatically assigns the --to 1.2.3.4 ip address to every packet without
the overhead of having to obtain the ip address. Is this correct so far?
Precisely.
Post by Tim Rodriguez
Now, I have had some problems with my ISP in getting it right with my
account statically assigning my ip address...I have had the experience
where my ip address has changed in the past, as if my account were set
for a dynamically assigned ip address. I have called them and they
"supposedly" have fixed this. My ip address has recently stayed static.
To avoid future inabilities to access the Internet, and knowing that my ISP
has, in the past, bungled my account, would it be a safer bet to use
MASQUERADE even though at the moment my ip address seems to be staying
static? They may have finally gotten my account right.
Safer, probably, but likely unnecessary. I am technically on a dynamic IP
with my ADSL, although it rarely changes unless the ADSL modem is reset. I
have found the following to work well for me, and probably would be quite
suitable for your situation.

# PPPIP set to the IP of EXTIF, assumes it remains unchanged until
# reboot (or firewall restart) but is not truly static
# ('inet addr' rather than 'inet' so an inet6 line on the same interface
# does not get picked up as well)
PPPIP=$(/sbin/ifconfig "$EXTIF" | grep 'inet addr' | cut -d":" -f 2 | cut -d" " -f 1)
# If PPPIP is different from the IP in our SNAT rule, issue a warning.
# -n stops iptables from resolving addresses to names; the space in "! ("
# matters, since "!(" is an extglob pattern in bash.
if ! ($IPTABLES -t nat -L -n | grep SNAT | cut -d":" -f 2 | grep -q "$PPPIP")
then echo "IP has changed to $PPPIP, please issue restart."
fi

The only part you would need is the PPPIP assignment, which extracts the
current IP from "ifconfig ppp0". (EXTIF="ppp0" earlier in my script) The
remainder is useful for me because my firewall is a fully parameterized
script, so each time I call it (ie service firewall list, or actually "fw
list" since I have a shell alias set up) it checks the setting and notifies
me if the IP has changed from what my current rules use.
Post by Tim Rodriguez
Your comments, construtive suggestions, remarks and confirmations about my
thinking will be gratefully appreciated, as always.
Sincerely,
Tim Rodriguez
Network Security Student
j
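Joel's snippet above compares the address the interface currently holds with the one baked into the live SNAT rule. The following is an added example, not Joel's script, that does the same check with the parsing split into small functions so it can be exercised offline: on a router the functions are fed the output of `ip -4 addr show ppp0` and `iptables -t nat -L POSTROUTING -n` (output formats assumed as shown in the constructed samples), and the script exits non-zero when the SNAT address has drifted, which is the signal to re-run the firewall script.

```shell
#!/bin/sh
# Added example (not Joel's script): does the address in the live POSTROUTING
# SNAT rule still match the address pppd currently holds on the WAN interface?
# The parsing is split into functions that read command output from stdin,
# so the logic can be exercised offline against the constructed samples
# below; on a router they are fed "ip -4 addr show ppp0" and
# "iptables -t nat -L POSTROUTING -n" (-n: no reverse DNS lookups).

# First IPv4 address on the interface, from "ip -4 addr show <if>" output.
current_ip_from_ip_addr() {
    sed -n 's/^[[:space:]]*inet \([0-9.]*\).*/\1/p' | head -n 1
}

# The address behind "to:" on the first SNAT line of
# "iptables -t nat -L POSTROUTING -n" output (empty if there is no SNAT rule).
snat_ip_from_rules() {
    sed -n '/^SNAT/s/.*to:\([0-9.]*\).*/\1/p' | head -n 1
}

# True (exit 0) only when a live address was found and the rule uses it;
# false when the address drifted or no SNAT rule is installed.
snat_matches() {
    live="$1"; ruled="$2"
    [ -n "$live" ] && [ "$live" = "$ruled" ]
}

# Run the real check on a router (needs root for iptables).
check_snat() {
    wanif="${1:-ppp0}"
    live=$(ip -4 addr show "$wanif" | current_ip_from_ip_addr)
    ruled=$(iptables -t nat -L POSTROUTING -n | snat_ip_from_rules)
    if snat_matches "$live" "$ruled"; then
        echo "SNAT rule on $wanif is current ($live)"
    else
        echo "$wanif now has '$live' but SNAT uses '$ruled': restart the firewall script" >&2
        return 1
    fi
}

# Constructed sample output (not captured from a real system) for offline use.
SAMPLE_IP_ADDR='5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 state UNKNOWN
    inet 203.0.113.7 peer 203.0.113.1/32 scope global ppp0
       valid_lft forever preferred_lft forever'
SAMPLE_NAT_RULES='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.0.0/24       0.0.0.0/0            to:203.0.113.9'

# Invoked as "./snat-check.sh --check [ppp0]" on a router; with no arguments
# the constructed sample is compared instead.
if [ "${1:-}" = "--check" ]; then
    check_snat "${2:-ppp0}"
elif [ $# -eq 0 ]; then
    live=$(printf '%s\n' "$SAMPLE_IP_ADDR" | current_ip_from_ip_addr)
    ruled=$(printf '%s\n' "$SAMPLE_NAT_RULES" | snat_ip_from_rules)
    snat_matches "$live" "$ruled" && echo "sample: in sync" || echo "sample: drifted ($live vs $ruled)"
fi
```

Keeping the comparison in `snat_matches` means an empty live address (interface down, or a changed `ip` output format) is reported as a mismatch rather than silently passing, which is the failure mode a cron job or `fw list` alias most needs to catch.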
Louie
2002-12-01 07:42:46 UTC
Hello all,

Hope that everyone had a good
Thanksgiving and weekend. Well I have a
question for you guys regarding red hat
8. I have just installed it. I got an
alert from the red hat update. Does
anyone trust that update program?

Is that the way to update patches and
other holes in red hat now?

Can anyone help me out?

Louie
Tom Diehl
2002-12-01 11:27:21 UTC
What does this have to do with netfilter? suggest subscribing to one of the Red Hat
support lists. Having said that see below.
Post by Louie
Hello all,
Hope that everyone had a good
Thanksgiving and weekend. Well I have a
question for you guys regarding red hat
8. I have just installed it. I got an
alert from the red hat update. Does
anyone trust that update program?
If you trust Red Hat to do the right thing then I suppose you can trust
up2date. If you do not then I would suggest you find a different distro.
All packages distributed by Red Hat for the production releases are gpg
signed. If you trust that the key has not been compromised then all
should be ok.

IOW, just how paranoid are you?
Post by Louie
Is that the way to update patches and
other holes in red hat now?
It does not install patches. It installs updated rpms. It is one of many
ways to keep systems updated. I do not use it personally but a lot of others
like it.
Post by Louie
Can anyone help me out?
You could help yourself out by doing a little homework and/or asking on the
correct mailing list.

Hope this helps,
--
Tom  ***@rogueind.com
"Nothing would please me more than being able to hire ten programmers and
deluge the hobby market with good software." -- Bill Gates 1976

We are still waiting ....
Elgene C. Castaneda
2002-12-02 08:56:28 UTC
Hello all!

I've downloaded RH8 from the redhat site but disk 2 got an error when
installing; also the disk can't pass the "disk test" of RH. I already
wasted 3 cdr for disc 2.

Anyone know where to download RH8?

Thanks
hard__ware
2002-12-01 18:21:23 UTC
Ok, I have loaded the Roaring Penguin pppoe client for my DSL connection and
I need to alter my rules script to allow connections out the ppp0
interface that the rp-pppoe client creates. If my understanding is correct
(please feel free to make constructive suggestions), if you have a
dynamically assigned ip address, it is better to use MASQUERADE.
This is not always the case; I have an xDSL connection that is dynamic and
always changing
(unlike Joel Newkirk's Internet connection), and I also require more than one
SNAT / MASQUERADE rule.

Example: I have many different clients on my internal network that are
untrusted and I like to block them at both the
FORWARD chain and the POSTROUTING chain (it has been proven that you can overload
firewalls and they can skip rules).
To make this easy I went and removed all the comments from
/etc/hosts.allow so that it only states ip addresses, like so,
in '/etc/hosts.allow':
-----SOF After Line-----
192.168.0.2
192.168.0.3
192.168.0.4
192.168.0.111
192.168.0.123
-----EOF Before Line----

So with a bash sequence like such we can perform all these entries in one go
...

if [ -f /etc/hosts.allow ]; then
while read ALLOW; do
# skip blank lines, otherwise a rule is built with an empty -s/-d argument
[ -z "$ALLOW" ] && continue
$IPTABLES -A INPUT -i $LANIF -s $ALLOW -d $LANIP -j ACCEPT
$IPTABLES -A FORWARD -i $LANIF -o $WANIF -s $ALLOW -d 0.0.0.0/0 -j ACCEPT
$IPTABLES -A FORWARD -i $WANIF -o $LANIF -d $ALLOW -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $WANIF -s $ALLOW -d 0.0.0.0/0 -j SNAT --to $WANIP
done < /etc/hosts.allow
fi
Example: iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
This is due to the fact that MASQUERADE will obtain the presently assigned
dynamic ip address and assign it to every single packet going out
through ppp0....correct? So no matter what ip address is dynamically
assigned by my ISP I will always have a connection to the Internet via
MASQUERADE...correct?
Exactly what Joel said .. ;-D " That's the idea."
If I have a static ip address (and I do), it is better to use SNAT.
Example: iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to 1.2.3.4
This will make matters more efficient due to the fact that SNAT
automatically assigns the --to 1.2.3.4 ip address to every packet
without the overhead of having to obtain the ip address. Is this
correct so far?
you're on the right track ...
Now, I have had some problems with my ISP in getting it right with
my account statically assigning my ip address...I have had the
experience where my ip address has changed in the past, as if my
account were set for a dynamically assigned ip address. I have called
them and they "supposedly" have fixed this. My ip address has recently
stayed static.
To avoid future inabilities to access the Internet, and knowing that my
ISP has, in the past, bungled my account, would it be a safer bet to use
MASQUERADE even though at the moment my ip address seems to be staying
static? They may have finally gotten my account right.
Well, that is really up to you, but what you can do is have a script in your
ppp config directory
called '/etc/ppp/ip-up.local' that gets executed right after
'/etc/ppp/ip-up'. You most likely won't
have this file and you will have to create it ...... In there it's just like
a bash script
(except you don't have to declare the shell at the top). So because this file
will be run every time
you reconnect to your ADSL or when your DHCP lease expires / renews, you
will be able to launch
your firewall with the new inserted address each time.. Now make sure, if
you're going to use a firewall script like this,
that the script clears all chains including user chains and
predefined chains. Also what needs to be done is to determine your
WAN / PPP IP address so we can use it in our script as a variable, e.g.
$WANIP.
So all we need to do is add a line to your /etc/ppp/ip-up.local that runs
your firewall script, e.g. /etc/rc.firewall

Firewall Examples:

--------- Start of Example------------
#!/bin/sh
WANIF="ppp0"
LANIF="eth0"

IPTABLES=/usr/sbin/iptables
LSMOD=/sbin/lsmod
GREP=/bin/grep
AWK=/bin/awk

# Determine the external IP automatically:
# ----------------------------------------
WANIP="`/sbin/ifconfig $WANIF | $GREP 'inet addr' | $AWK '{print $2}' | sed -e 's/.*://'`"
# For STATIC IP addresses: #
# Please comment the WANIP line above if using the line below .. :D
# WANIP="192.168.0.253"
# ----------------------------------------

$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -P OUTPUT DROP
$IPTABLES -t nat -P PREROUTING DROP
$IPTABLES -t nat -P POSTROUTING DROP
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
### Flush the user chains.. if they exist ###
if [ -n "`$IPTABLES -L -n | $GREP dandgit`" ]; then
$IPTABLES -F dandgit
fi

if [ -n "`$IPTABLES -L -n | $GREP SMB`" ]; then
$IPTABLES -F SMB
fi

### This grabs the new IP via $WANIP because we already know it has been set
### via /etc/ppp/ip-up, otherwise /etc/ppp/ip-up.local would not have launched,
### meaning we are not connected yet ...
### (the ACCEPT rules for your LAN hosts, e.g. the hosts.allow loop above,
### go here before the SNAT line; with everything at DROP nothing passes yet)

$IPTABLES -t nat -A POSTROUTING -o $WANIF -j SNAT --to $WANIP

-------------End OF Example-------------

did you get all that :-P ....

Anyway I hope some of this is useful, see yas ..

Hard__warE
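Tim's original question (SNAT when the address is static, MASQUERADE when it is not) and hard__ware's ip-up.local procedure above, combined into one added example that is not the thread's own code. It assumes pppd calls /etc/ppp/ip-up.local with its usual ip-up arguments ($1 = interface name, $4 = the local IP address just negotiated), so the new address comes from pppd itself rather than being scraped from ifconfig, and it assumes a hypothetical allow-list file /etc/firewall/lan-allow (one IPv4 address per line, '#' comments and blank lines ignored) in place of the overloaded /etc/hosts.allow. `STATIC_IP`, `LANIF`, `IPTABLES` and `ALLOW_LIST` are the script's own knobs.

```shell
#!/bin/sh
# Added example, not hard__ware's script. Meant to be run from
# /etc/ppp/ip-up.local, assuming it receives pppd's ip-up arguments
# ($1 = interface, $4 = local IP address), so the new address comes from
# pppd itself instead of being scraped from ifconfig. The allow-list
# /etc/firewall/lan-allow is hypothetical: one IPv4 address per line,
# '#' comments and blank lines ignored, replacing the overloaded /etc/hosts.allow.

IPTABLES="${IPTABLES:-/sbin/iptables}"
LANIF="${LANIF:-eth0}"
STATIC_IP="${STATIC_IP:-}"      # the address the ISP promised, or empty for dynamic
ALLOW_LIST="${ALLOW_LIST:-/etc/firewall/lan-allow}"

# Choose the source-NAT target for this connection and print its arguments:
# SNAT to the static address when the ISP actually handed it out, otherwise
# MASQUERADE, which follows whatever address pppd negotiated.
nat_target() {
    wanip="$1"; static="$2"
    if [ -n "$static" ] && [ "$wanip" = "$static" ]; then
        echo "SNAT --to-source $static"
    else
        if [ -n "$static" ]; then
            echo "warning: expected static $static, got $wanip; using MASQUERADE" >&2
        fi
        echo "MASQUERADE"
    fi
}

# Emit the allow-list one address per line, stripped of comments and whitespace.
read_allow_list() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Flush everything, user chains included, and rebuild for the current address.
apply_firewall() {
    wanif="$1"; wanip="$2"
    target=$(nat_target "$wanip" "$STATIC_IP")
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F; $IPTABLES -X
    $IPTABLES -t nat -F; $IPTABLES -t nat -X
    $IPTABLES -t mangle -F; $IPTABLES -t mangle -X
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$wanif" -o "$LANIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only listed LAN hosts may reach the router or be NATed out; everything
    # else falls to the DROP policies above.
    read_allow_list "$ALLOW_LIST" | while read -r host; do
        $IPTABLES -A INPUT -i "$LANIF" -s "$host" -j ACCEPT
        $IPTABLES -A FORWARD -i "$LANIF" -o "$wanif" -s "$host" -j ACCEPT
        # $target is intentionally unquoted: it carries the SNAT option words
        $IPTABLES -t nat -A POSTROUTING -o "$wanif" -s "$host" -j $target
    done
}

# pppd passes at least six arguments to ip-up; fewer means the script was
# started by hand, in which case only the helpers above are defined.
if [ $# -ge 4 ]; then
    apply_firewall "$1" "$4"
fi
```

The point of `nat_target` is Tim's worry about the ISP "bungling" the account: if `STATIC_IP` is set but pppd negotiated something else, the script warns and falls back to MASQUERADE instead of stamping a stale source address on every outgoing packet, so connectivity survives the ISP's mistake and the warning tells you to go and argue with them. Flushing with `-F` and then `-X` on each table matches hard__ware's advice to clear user-defined chains as well as the built-in ones on every reconnect.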
Sam Pointer
2002-12-03 16:12:13 UTC
Slightly off-topic?

Try burning at a slower rate. When you download the ISO images get the MD5
checksums and confirm that the download is intact before burning an image.

