I have a Debian machine behind a wifi router. The machine is running a cron script to restore connectivity whenever a ping to a pre-defined host fails. I have set up iptables so that only the required ports/addresses are open. Everything works alright.
It gets a bit more complicated as I also need to be alert to possible changes in the router's external IP address, which is why I use a Dynamic DNS provider (www.noip.com) to keep the machine accessible from the outside. I use the following command to update the machine's address whenever connectivity is restored after a drop:
curl "https://login:[email protected]/nic/update?hostname=user.domain.net&myip=11.22.33.44"
In turn, to determine the 11.22.33.44 part, I run
dig +short myip.opendns.com @resolver1.opendns.com
Now, this part works, as well. But only with iptables disabled. Which is where my problem begins - I am not sure which ports/addresses to enable in iptables to let the above request go through.
I set up iptables to log the requests. I can see a UDP exchange between the machine in question and the wifi router that uses port 53 on both. That's DNS, I can understand that. But then, the Debian machine also receives from the router a packet intended for 224.0.0.1 (okay, I found the meaning of that - it's multicast, even though I'm not sure how necessary it is), and sends a UDP request to a server in Germany which looks like NTP (port 123). And finally, it contacts 52.9.108.157 on port 443, which is obviously the noip server.
Here are the questions I have:
1. Assuming that port 123 is ntp, what do I do about it? Is it really part of the dig / update process? If so, why that specific German server and should I then whitelist it?
2. 224.0.0.1 - should I care to enable it?
(not asking about the dynamic handling of the IP address for dynupdate.no-ip.com, since it already has an answer on this site: Using iptables to redirect traffic to a dynamic DNS name instead of an IP address?)
(Added by David Go for readability formatting of iptables rules provided in comments)
-P INPUT DROP
..........
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
..........
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
..........
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
..........
-A INPUT -i enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
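
The question works from iptables LOG output to decide which flows need a rule. As an added example (not part of the original post), this shell function groups LOG lines into distinct flows with a count and a coarse label. The sample lines are constructed, and the `FW:` prefix, the 192.168.1.x addresses and 203.0.113.10 are assumed placeholders.

```shell
#!/bin/sh
# Added example: group iptables LOG lines into distinct flows.
# sample_log prints CONSTRUCTED lines. The "FW:" prefix, 192.168.1.50,
# 192.168.1.1 and 203.0.113.10 are placeholders; 224.0.0.1 and
# 52.9.108.157 are the addresses named in the question.
sample_log() {
cat <<'EOF'
kernel: FW: IN= OUT=enp1s0 SRC=192.168.1.50 DST=192.168.1.1 LEN=70 TTL=64 PROTO=UDP SPT=53 DPT=53 LEN=50
kernel: FW: IN=enp1s0 OUT= MAC=00:00:5e:00:53:01 SRC=192.168.1.1 DST=192.168.1.50 LEN=86 TTL=64 PROTO=UDP SPT=53 DPT=53 LEN=66
kernel: FW: IN=enp1s0 OUT= SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TTL=1 PROTO=2
kernel: FW: IN= OUT=enp1s0 SRC=192.168.1.50 DST=203.0.113.10 LEN=76 TTL=64 PROTO=UDP SPT=123 DPT=123 LEN=56
kernel: FW: IN= OUT=enp1s0 SRC=192.168.1.50 DST=203.0.113.10 LEN=76 TTL=64 PROTO=UDP SPT=123 DPT=123 LEN=56
kernel: FW: IN= OUT=enp1s0 SRC=192.168.1.50 DST=52.9.108.157 LEN=60 TTL=64 PROTO=TCP SPT=40022 DPT=443 SYN
EOF
}

# One output line per distinct flow:
#   count direction protocol src dst dport label
summarise_flows() {
  awk '
    function label(proto, dst, dpt,    o) {
      split(dst, o, ".")
      if (o[1] >= 224 && o[1] <= 239) return "multicast"  # 224.0.0.0/4
      if (dpt == 53) return "dns"
      if (proto == "UDP" && dpt == 123) return "ntp"
      if (proto == "TCP" && dpt == 443) return "https"
      return "other"
    }
    / SRC=/ && / DST=/ {
      # Locally generated packets are logged with an empty IN= field.
      dir = "IN"; src = dst = proto = ""; dpt = "-"
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n < 2) continue
        if (kv[1] == "OUT" && kv[2] != "") dir = "OUT"
        if (kv[1] == "SRC") src = kv[2]
        if (kv[1] == "DST") dst = kv[2]
        if (kv[1] == "PROTO") proto = kv[2]   # unnamed protocols log as a number
        if (kv[1] == "DPT") dpt = kv[2]
      }
      key = dir " " proto " " src " " dst " " dpt " " label(proto, dst, dpt)
      if (!(key in count)) order[++n_keys] = key
      count[key]++
    }
    END { for (i = 1; i <= n_keys; i++) print count[order[i]], order[i] }
  '
}

sample_log | summarise_flows
```

On a real host, pipe the kernel log lines that carry the rule's `--log-prefix` into `summarise_flows` instead of `sample_log`.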