Updating nftables with DDNS

October 9, 2024 Reading time: 18 minutes

Hobbyist admins and home-labbers sometimes want to make services on a remote host available to machines on a home network. Unfortunately, many residential ISP customers are stuck with dynamic IP addresses, even when they're not behind a CGNAT. This makes securing the remote host difficult. You'd like to configure the remote firewall to allow traffic only from friendly IP addresses, but if one or more of your addresses might change at any time, what can you do? One option is to buy a fixed IP address from your ISP, but that can be costly.

This article describes how you can configure a remote server using nftables to automatically update its firewall rules so that dynamic IP traffic is allowed with minimal downtime when the IP address changes. The solution requires making a small change to your nftables configuration and a short script that runs periodically as a cron job.

Read more