Dynamic IP & lease loss - "callback" mechanism?
I'm playing with NAT, and have a script now that, at startup of my little Linux machine, creates some DNAT rules, which take one incoming special port, and forward that to another interface with a standard e.g. SSH port, so I can talk to this Linux box, from the outside, and to its connected 2nd box, as if it were one machine, but different ports.
The interface to the outside world was, so far, configured with static IP. But it might need configuring for dynamic assignment.
So, my simple startup bash script adding the DNAt rules with iptables, then won't work anymore:
- it can only be called when it's clear that the interface has gotten an IP
- the interface could lose the IP (lease) at some point - then the old DNAt rules need to be deleted (?) and new ones added for the updated IP address of the interface in question.
Is there some sort of callback mechanism in Linux that I can hook into, so it tells me when the IP address was changed/assigned, and I can then react to that by fixing the DNAT rules?
1 answer
It depends on a couple of factors:
- Whether the interface is directly connected to the internet, or is behind a separate firewall which is forwarding on to your machine
- What you are using to assign your dynamic address
If your machine is behind a separate firewall, that device is one which gets its WAN interface IP dynamically from your ISP. To access from the outside, you would typically configure the DNAT on that firewall and forward to your machine, which would usually be assigned a static (or DHCP-reserved) address in your internal LAN (so the firewall has a consistent place to forward the traffic to).
To cover if/when the ISP-assigned dynamic WAN address address changes, you would usually subscribe to a Dynamic DNS service (e.g. https://freedns.afraid.org/), which will automatically update a DNS record for you, when your address changes. This is managed either by installing the DDNS-provider's script onto your machine and scheduling it to poll the DDNS-provider's server/API every few minutes. Some firewalls have the facility to run the script for you without polling, by subscribing to events baked into the firewall device.
If it is the interface on your machine that is directly changing, then you have to hook into your DHCP client's facilities to kick off a script which updates your local firewall rules:
-
For ISC, there should be an
/etc/dhclient.conffile which contains a JSON-like block representing your interface. That block can contain ascriptdirective which points to the path of a custom script which runs for all events. Thedhclientdaemon passes specific arguments to the script, including the event name and new IP address. Your script would parse the arguments and update your NAT rules. Details of the mechanism can be found at https://linux.die.net/man/5/dhclient.conf and https://linux.die.net/man/8/dhclient-script. -
For systemd, there should be an associated
networkd-dispatcherservice; this typically has an/etc/networkd-dispatcherdirectory containing subdirectories which reference the various states. You would place your custom script into the subdirectory which best applies (possiblyroutable.d) and it would run when the network changes to that state. I think the details are passed to your script by environment variables. Some limited info can be found at https://manpages.ubuntu.com/manpages/focal/man8/networkd-dispatcher.8.html. -
For NetworkManager, it typically has an
/etc/NetworkManager/dispatcher.ddirectory, where you can place your own scripts. Each script is invoked by NetworkManager, and passed the name of the interface and an event name as arguments; the rest of the details are in environment variables. https://developer-old.gnome.org/NetworkManager/stable/NetworkManager.html has more details.
For any other client, or if your address is assigned some other way, you will need to hook whatever that mechanism is.
0 comment threads
0 comment threads