LinuxQuestions.org
08-02-2010, 08:14 PM   #1
tr1pl3x
Distribution: Ubuntu 10.4, Fedora 13

iptables can't allow DNS & DHCP to LAN

Hello everybody. It's a cold morning here in my country. Can anyone give me a helping hand on how to let iptables allow DNS & DHCP distribution from the server to the clients only, without exposing the DHCP ports UDP 67,68 and TCP 67,68 to the outside world? DHCP only uses UDP, but I also allowed the TCP ports just to be sure, and I already allow the DNS ports in the firewall, which is not included below. Linux newbie here, I will really appreciate your help. So far this is what I've done.
I already issued the commands below. Note: '#' stands for the root prompt.

When I issued the commands below to allow those ports only to the internal network, the firewall was still blocking it. What seems to be the problem?

#iptables -A INPUT -m iprange --src-range 192.168.0.1-192.168.0.254 -p udp --dport 67 -j ACCEPT
#iptables -A INPUT -m iprange --src-range 192.168.0.1-192.168.0.254 -p udp --dport 68 -j ACCEPT
#iptables -A INPUT -m iprange --src-range 192.168.0.1-192.168.0.254 -p tcp --dport 67 -j ACCEPT
#iptables -A INPUT -m iprange --src-range 192.168.0.1-192.168.0.254 -p tcp --dport 68 -j ACCEPT

My other question is: when I tried to issue the commands below, they let those ports through the firewall but exposed them to the internet, which is not recommended for me.

#iptables -A INPUT -p udp --dport 67 -j ACCEPT
#iptables -A INPUT -p udp --dport 68 -j ACCEPT
#iptables -A INPUT -p tcp --dport 67 -j ACCEPT
#iptables -A INPUT -p tcp --dport 68 -j ACCEPT

Can anyone help me remedy this situation? Guys, I don't want to use a GUI firewall configuration such as Firestarter or a text-based firewall such as Shorewall to configure the firewall. I really want to learn how iptables works and I believe it will be worth the patience & practice in learning this. Thanks in advance.


08-02-2010, 09:51 PM   #2
dkm999
Distribution: Fedora
Let us take this one step at a time. First of all, we need to know where the server, the clients, and the firewall are in your network. Is the server the same machine as the firewall? If not, what interfaces are there on the firewall, and how should traffic flow between the server and the clients?

Once that is clear, I think it would be useful to see the whole set of rules that the firewall is using; you can generate a listing with the command
Code:
#iptables -nvL
That way, we will be able to recommend things with (fairly) complete knowledge of what your system configuration is.

08-02-2010, 10:55 PM   #3
estabroo
Distribution: debian, ubuntu, sidux
Part of the problem is that the packets are going to be broadcast packets, since initially the machine won't have an IP and won't even know what network it's on, so your src range isn't going to help.

You might actually have to bridge the ethernet ports between the client and server side of things because of that. You can always just block those ports on the outside-world ethernet.

08-03-2010, 11:04 AM   #4
dkm999
Distribution: Fedora
estabroo is correct about the broadcast packet addresses. But you can deal with them using iptables, rather than going to the trouble of dealing with a bridging (Level 2) setup. There are two parts to this:

1. Accept broadcast packets on the internal interface(s)
Code:
#iptables -A INPUT -i eth0 -p udp -d 255.255.255.255 --dport 67 -j ACCEPT
2. Deny UDP access to the DHCP ports from the Internet in both directions:
Code:
#iptables -A INPUT -i eth1 -p udp -d 255.255.255.255 --dport 67 -j DROP
#iptables -A OUTPUT -o eth1 -p udp --sport 67 --dport 68 -j DROP
These last two rules make sure that your firewall will not accept any external DHCP request (port 67) and will not forward any DHCP offering to external machines.
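Putting estabroo's broadcast point and dkm999's two parts together with the DNS rules tr1pl3x mentioned, here is an added example (not posted by anyone in the thread) that emits a complete iptables-restore ruleset serving DHCP and DNS to the LAN only. The interface names eth0 (LAN) and eth1 (WAN) and the 192.168.0.0/24 subnet are assumptions taken from the thread; the script replaces the whole filter table, so any other service you rely on (ssh from the LAN, for instance) needs its own ACCEPT rule before you apply it.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset that
# serves DHCP and DNS to the LAN only. Assumed layout, taken from the thread:
#   $1 = LAN interface (eth0), $2 = WAN interface (eth1), $3 = LAN subnet.
# Review:  sh lan_services_fw.sh eth0 eth1 192.168.0.0/24
# Apply:   sh lan_services_fw.sh eth0 eth1 192.168.0.0/24 | iptables-restore
# Add ACCEPT rules for any other LAN service (e.g. ssh) before applying,
# since the INPUT policy below drops everything not listed.
dhcp_dns_ruleset() {
    lan=$1; wan=$2; net=$3
    cat <<EOF
*filter
# Default DROP on INPUT: a port is open only where a rule below accepts it,
# so $wan never answers on 53, 67 or 68 even without the explicit drops.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# A client with no lease sends DISCOVER/REQUEST as 0.0.0.0:68 -> 255.255.255.255:67,
# which no --src-range can match; matching on the LAN interface covers that
# case and the later unicast renewals (client IP:68 -> server IP:67) alike.
-A INPUT -i $lan -p udp --sport 68 --dport 67 -j ACCEPT
# DNS for LAN clients only: UDP for ordinary queries, TCP for large answers.
-A INPUT -i $lan -s $net -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -s $net -p tcp --dport 53 -j ACCEPT
# Explicit WAN drops record the intent and count hits in iptables -nvL.
-A INPUT -i $wan -p udp -m multiport --dports 53,67,68 -j DROP
-A INPUT -i $wan -p tcp -m multiport --dports 53,67,68 -j DROP
# The server's OFFER/ACK (sport 67 -> dport 68) must never leave via the WAN.
-A OUTPUT -o $wan -p udp --sport 67 --dport 68 -j DROP
COMMIT
EOF
}

# Print the ruleset for the interfaces given on the command line (thread defaults).
dhcp_dns_ruleset "${1:-eth0}" "${2:-eth1}" "${3:-192.168.0.0/24}"
```

Pipe the output into `iptables-restore` only after reviewing it; `iptables -nvL` afterwards shows the per-rule counters, which is how you confirm the LAN DHCP rule (not the WAN drop) is the one matching your clients.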