Simon Slick

Hosting with Dynamic IP Address


DynDNS®

  1. Create a free DynDNS® account
  2. Add a host service of type ‘Host with IP address’
  3. Set up automatic IP address updating (a or b, but not both):
     a. If your router/gateway device has built-in dynamic DNS updating capability, configure it to update DynDNS® automatically.
     b. If your router/gateway device does not have built-in dynamic DNS updating capability, download and install the DynDNS® Updater agent.
  4. If you have your own registered domain name, create an alias (CNAME record) pointing to your DynDNS® host name.


You should now be able to use the DynDNS® host name you created and/or your registered domain name, and either will resolve to your current dynamic IP address.
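Whether the router's built-in client or the DynDNS® Updater agent does step 3, both speak the same update protocol (the dyndns2 protocol that the DynDNS service defined and that ddclient implements). The script below is an added example, not the page's content and not DynDNS's Updater agent: a minimal POSIX sh client for that protocol, meant to be run from cron. Assumptions, all marked in the code: the endpoint URL is the classic dyndns2 one and must be checked against the provider's current documentation; the address-lookup URL and the state-file path are placeholders; the reply keywords (good, nochg, 911, dnserr, abuse, badauth, nohost, notfqdn) are the standard dyndns2 set. What it shows beyond the page's steps is the part an updater must get right: send an update only when the address has actually changed, and stop on abuse/badauth instead of retrying, because repeated identical or failing updates get the host blocked.

```sh
#!/bin/sh
# Added example: a minimal dyndns2 update client for DynDNS-style services.
# This is NOT the DynDNS Updater agent; it shows what such an agent has to do.
# Protocol (classic dyndns2, as implemented by ddclient; confirm the URL against
# your provider's current docs): GET ?hostname=<host>&myip=<ip> with HTTP Basic
# auth and a non-empty User-Agent; the reply is one line such as
# "good 203.0.113.5", "nochg 203.0.113.5", or an error keyword.
DYN_URL="${DYN_URL:-https://members.dyndns.org/nic/update}"   # assumption: verify with provider
IP_URL="${IP_URL:-https://checkip.amazonaws.com}"             # assumption: any service returning a bare IP
STATE_FILE="${STATE_FILE:-/var/tmp/dyndns-last-ip}"           # assumption: where the last address is cached

# Current public address as seen from outside (your router's status page would do too).
public_ip() {
    curl -fsS --max-time 10 "$IP_URL" | tr -d '[:space:]'
}

# Classify one reply line. Prints ok|nochange|retry|stop; returns 0, 0, 2 or 1.
# "abuse" means the host is already blocked for too many updates; "badauth",
# "nohost" and "notfqdn" mean the request itself is wrong. None of these may be
# retried automatically, which is why they all map to "stop".
dyn_classify() {
    case "$(printf '%s' "$1" | awk '{print $1}')" in
        good)       echo ok;       return 0 ;;
        nochg)      echo nochange; return 0 ;;
        911|dnserr) echo retry;    return 2 ;;   # provider-side trouble: back off, try next run
        *)          echo stop;     return 1 ;;
    esac
}

# True when the cached address differs from $1 (or nothing is cached yet).
# Re-sending an unchanged address is what earns the "abuse" block, so the
# caller only talks to the service when this says so.
needs_update() {
    [ ! -f "$STATE_FILE" ] || [ "$(cat "$STATE_FILE")" != "$1" ]
}

# $1 hostname, $2 user, $3 password, $4 address. Prints the raw reply line.
dyn_update() {
    curl -fsS --max-time 20 -u "$2:$3" -A "dyndns-sh-example/1.0" \
        --get --data-urlencode "hostname=$1" --data-urlencode "myip=$4" "$DYN_URL"
}

dyn_main() {
    host=$1 user=$2 pass=$3
    ip=$(public_ip) || { echo "cannot determine public IP" >&2; return 2; }
    if ! needs_update "$ip"; then
        echo "unchanged: $ip"
        return 0
    fi
    reply=$(dyn_update "$host" "$user" "$pass" "$ip") || { echo "update request failed" >&2; return 2; }
    status=$(dyn_classify "$reply")
    case "$status" in
        ok|nochange) printf '%s\n' "$ip" > "$STATE_FILE"; echo "$status: $reply"; return 0 ;;
        retry)       echo "temporary failure, will retry next run: $reply" >&2; return 2 ;;
        *)           echo "fatal, fix the cause before running again: $reply" >&2; return 1 ;;
    esac
}

# Usage (e.g. from cron every 10 minutes): sh dyndns-update.sh myhost.dyndns.org user password
if [ $# -ge 3 ]; then dyn_main "$@"; fi
```

Run it from cron at a modest interval; the state file keeps it silent while the address is stable, and a non-zero exit of 1 is the signal that a human has to look at the account before the job is re-enabled.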


VPN (optional)

If the provider of your dynamic IP address blocks ports you require, you can purchase a low cost Linux VPS and create a VPN between it and a machine located at your dynamic IP address. The VPS accepts the traffic on its public address and passes it through the tunnel to your machine.

  1. Purchase a low cost Linux VPS with two IP addresses (the second address is dedicated to the forwarded traffic, so the VPS's own services on the first address, such as ssh, are not affected by the NAT rules below)
  2. Install OpenVPN on the low cost Linux VPS machine as a server
  3. Create CA, server, and client certificates
  4. Use the following iptables entries rather than those specified in the OpenVPN instructions for NATing packets between the internet and the VPN.

# NAT packets between internet and the VPN, except udp port 1194 which is used for the VPN.

# NAT non-udp protocol packets from internet to the VPN (the negation goes before the option; the old "-p ! udp" spelling is deprecated)

iptables -t nat -A PREROUTING -d <VPS IP #2> ! -p udp -j DNAT --to-destination 10.8.0.6

# NAT udp protocol packets except port 1194 from the internet to the VPN

iptables -t nat -A PREROUTING -d <VPS IP #2> -p udp -m udp ! --dport 1194 -j DNAT --to-destination 10.8.0.6

# NAT packets from the VPN to internet, except for local destination

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source <VPS IP #2>


  5. Install OpenVPN on the local machine (Windows or Linux) as a client
  6. If you have your own registered domain name, create an A record pointing to the IP address of the VPN endpoint on the Linux VPS (VPS IP #2; a CNAME cannot point at an address, and this address is static); otherwise add a DynDNS® host service of type ‘Host with IP address’ for VPS IP #2.


Notes:

Something that is easy to miss in the OpenVPN instructions is that the VPS must have IP forwarding enabled; without it the DNATed packets are never passed on into the tunnel:

echo 1 > /proc/sys/net/ipv4/ip_forward

This takes effect immediately but is lost at reboot; persist it with net.ipv4.ip_forward = 1 in /etc/sysctl.conf (or a file under /etc/sysctl.d/).


The tun device (/dev/net/tun) may have to be enabled for you by the VPS provider: on container-based VPS platforms such as OpenVZ, which the venet0 interface name used below indicates, the container cannot create it itself.


You should now be able to use the domain name of your VPN to access your local machine via any port, except udp port 1194, which is used for the VPN itself. The NAT rules send everything to 10.8.0.6, so make sure that is the address your client actually receives: with OpenVPN's default net30 topology the first client to connect happens to get 10.8.0.6, so pin it with an ifconfig-push line in a client-config-dir file rather than relying on connection order.



Alternatively, the following iptables entries may be used instead of those above for address- and port-specific NATing. This is the safer choice: the rules above expose every port of your local machine on VPS IP #2, while these expose only the listed ports.


# NAT packets between internet and the VPN, based on address & port.  (I use this one)

# NAT Address & Port Specific Packets from Internet to the VPN (smtp, http, https, smtps, imaps, pop3s, rdp)

iptables -t nat -A PREROUTING -i venet0 -d <VPS IP #2> -p tcp -m tcp -m multiport --dports 25,80,443,465,993,995,3389 -j DNAT --to-destination 10.8.0.6

# NAT Packets from the VPN to Internet, Except for Local Destination

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source <VPS IP #2>

# NAT ICMP Specific Packets from Internet to the VPN (ICMP); without the -j DNAT target the rule matches but forwards nothing

iptables -t nat -A PREROUTING -i venet0 -d <VPS IP #2> -p icmp -m icmp --icmp-type any -j DNAT --to-destination 10.8.0.6


Additionally, the following iptables entries can be used for filtering (firewall). They assume the default policy of the INPUT and OUTPUT chains is left at ACCEPT: everything not explicitly dropped, in particular ESTABLISHED and RELATED traffic, is allowed through, and the final DROP of NEW/INVALID packets only works because the ACCEPT rules precede it. They apply only to venet0 (nothing arriving over the tunnel is filtered), and they do not cover the DNATed traffic at all, since forwarded packets traverse the FORWARD chain, not INPUT or OUTPUT.


# Filtering (firewall)

# Allowed Inbound TCP Ports (ssh, smtp, dns, http, https, smtps, imaps, pop3s, rdp, webmin)

iptables -t filter -A INPUT -i venet0 -p tcp -m tcp -m multiport --dports 22,25,53,80,443,465,993,995,3389,10000 -j ACCEPT

# Allowed Inbound UDP Ports (dns, openvpn)

iptables -t filter -A INPUT -i venet0 -p udp -m udp -m multiport --dports 53,1194 -j ACCEPT

# Allowed Inbound ICMP (echo-request)

iptables -t filter -A INPUT -i venet0 -p icmp -m icmp --icmp-type echo-request -j ACCEPT

# Drop Inbound if No Existing Connection (invalid, new); must come after the ACCEPT rules above

iptables -t filter -A INPUT -i venet0 -m state --state NEW,INVALID -j DROP

# Allowed Outbound TCP Ports (ftp-data, ftp, ssh, smtp, dns, http, https)

iptables -t filter -A OUTPUT -o venet0 -p tcp -m tcp -m multiport --dports 20,21,22,25,53,80,443 -j ACCEPT

# Allowed Outbound UDP Ports (WoL, dns)

iptables -t filter -A OUTPUT -o venet0 -p udp -m udp -m multiport --dports 9,53 -j ACCEPT

# Allowed Outbound ICMP (echo-request)

iptables -t filter -A OUTPUT -o venet0 -p icmp -m icmp --icmp-type echo-request -j ACCEPT

# Drop Outbound if No Existing Connection (invalid, new); must come after the ACCEPT rules above

iptables -t filter -A OUTPUT -o venet0 -m state --state NEW,INVALID -j DROP
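The NAT rules, the forwarding note and the filter rules above are really one configuration. The script below is an added example, not the page's rules and not OpenVPN's documentation: the same layout as a single idempotent POSIX sh script with the addresses parameterised. It departs from the page's rules where a practitioner would: default-deny on INPUT and FORWARD with an explicit ESTABLISHED/RELATED accept, the conntrack match instead of the old state match, acceptance of everything arriving over the certificate-authenticated tunnel, and FORWARD rules for the DNATed services, because DNATed packets traverse FORWARD rather than INPUT and the page's INPUT rules never see them. Assumptions, all marked in the code: 203.0.113.2 stands in for VPS IP #2; tun0 is the tunnel interface; the OpenVPN client is pinned to 10.8.0.6; a file under /etc/sysctl.d persists forwarding. With DRY_RUN=1 it prints the commands instead of running them, which is also how to review the generated rule set before applying it as root.

```sh
#!/bin/sh
# Added example, not the page's rules verbatim: VPS-side NAT + filter setup for the
# "VPS with two addresses + OpenVPN tunnel to the home machine" layout, as one
# idempotent script. Run as root; DRY_RUN=1 prints the commands instead.
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"
WAN_IF="${WAN_IF:-venet0}"                    # public interface (venet0 = OpenVZ naming)
VPN_IF="${VPN_IF:-tun0}"                      # assumption: OpenVPN tunnel interface
VPS_IP2="${VPS_IP2:-203.0.113.2}"             # assumption: documentation address for "VPS IP #2"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_CLIENT="${VPN_CLIENT:-10.8.0.6}"          # must be pinned in OpenVPN's client-config-dir
VPN_PORT="${VPN_PORT:-1194}"
PUBLISHED_TCP="${PUBLISHED_TCP:-25,80,443,465,993,995,3389}"   # forwarded to the home machine
VPS_TCP="${VPS_TCP:-22,10000}"                                # terminate on the VPS itself

# Execute, or in dry-run mode print, one command.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The echo into /proc from the page is lost at reboot; a sysctl.d file persists it.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    [ "$DRY_RUN" = 1 ] || printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-openvpn-forward.conf
}

# Port-specific DNAT of the second public address into the tunnel, and SNAT
# of tunnel traffic leaving for the internet. Chains are flushed first so the
# script can be re-run without stacking duplicate rules.
apply_nat() {
    run "$IPT" -t nat -F PREROUTING
    run "$IPT" -t nat -F POSTROUTING
    run "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -d "$VPS_IP2" -p tcp -m multiport --dports "$PUBLISHED_TCP" -j DNAT --to-destination "$VPN_CLIENT"
    run "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -d "$VPS_IP2" -p icmp --icmp-type echo-request -j DNAT --to-destination "$VPN_CLIENT"
    run "$IPT" -t nat -A POSTROUTING -s "$VPN_NET" ! -d "$VPN_NET" -j SNAT --to-source "$VPS_IP2"
}

# Default-deny filter. DNATed packets go through FORWARD, not INPUT, so the
# published services need FORWARD rules or the default DROP policy eats them.
apply_filter() {
    run "$IPT" -F INPUT
    run "$IPT" -F FORWARD
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP
    run "$IPT" -A INPUT -i "$VPN_IF" -j ACCEPT     # peers on the tunnel are certificate-authenticated
    run "$IPT" -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports "$VPS_TCP" -j ACCEPT
    run "$IPT" -A INPUT -i "$WAN_IF" -p udp --dport "$VPN_PORT" -j ACCEPT
    run "$IPT" -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -j ACCEPT
    run "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A FORWARD -i "$WAN_IF" -d "$VPN_CLIENT" -p tcp -m multiport --dports "$PUBLISHED_TCP" -m conntrack --ctstate NEW -j ACCEPT
    run "$IPT" -A FORWARD -i "$WAN_IF" -d "$VPN_CLIENT" -p icmp --icmp-type echo-request -j ACCEPT
    run "$IPT" -A FORWARD -s "$VPN_NET" -o "$WAN_IF" -j ACCEPT
}

# Usage: FIREWALL_APPLY=1 sh vps-firewall.sh             (apply, as root)
#        FIREWALL_APPLY=1 DRY_RUN=1 sh vps-firewall.sh   (print the rule set for review)
if [ "${FIREWALL_APPLY:-0}" = 1 ]; then
    enable_forwarding
    apply_nat
    apply_filter
fi
```

Review the dry-run output before applying: the one rule most easily forgotten is the FORWARD accept for the published ports, and the symptom of forgetting it (connections to VPS IP #2 time out while ssh to the VPS still works) looks exactly like a broken tunnel.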

