LinuxQuestions.org
Old 04-17-2015, 01:47 PM   #1
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 6.7, 7
Posts: 514

Rep: Reputation: 48
restrictive iptables rule for DHCP


I was reading the frozentux appendix for dhcp (https://www.frozentux.net/iptables-t...tml/x6316.html) and I was wondering how could this
Code:
$IPTABLES  -I INPUT -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT
be made to be more restrictive? The author himself says that this can be done, but doesn't give any details in this respect.

I am interested in both cases - if the computer is a dhcp server or if it is only a dhcp client. Can you help me out with this?
 
Old 04-17-2015, 07:34 PM   #2
joe_2000
Member
 
Registered: Jul 2012
Location: Aachen, Germany
Distribution: Void, Debian
Posts: 808

Rep: Reputation: 216
Quote:
Originally Posted by vincix
I was reading the frozentux appendix for dhcp (https://www.frozentux.net/iptables-t...tml/x6316.html) and I was wondering how could this
Code:
$IPTABLES  -I INPUT -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT
be made to be more restrictive? The author himself says that this can be done, but doesn't give any details in this respect.

I am interested in both cases - if the computer is a dhcp server or if it is only a dhcp client. Can you help me out with this?
Any additional condition that you put in would make the rule more restrictive. E.g. if you only want to allow dhcp requests from a certain mac address you could use the option
Code:
-m mac --mac-source <mac address>
What is it that you want to achieve? Give us a little background...
 
Old 04-18-2015, 07:41 AM   #3
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 6.7, 7
Posts: 514

Original Poster
Rep: Reputation: 48
Well, to be more specific, I don't want to include both 67 and 68 in sports and dports.

So for instance, if the linux machine is a dhcp client, is it ok to use in the INPUT chain --dport 68 and --sport 67 and if it is the dhcp server, the reverse, --dport 67 and --sport 68? Does that allow for a proper dhcp transfer? Or how should I do it?

Maybe if it's a dhcp client, I should just work at the OUTPUT chain and let iptables work out the relationship between 67 and 68? (you know, like the ftp conntrack module does, where you don't need to specify both 20 and 21 ports for the connection to be identified as established/related), and if it's the server, work only in the INPUT chain? Now that I think about it, a dhcp connection cannot actually be established, can it?

I guess I don't understand thoroughly how iptables deals with dhcp transfers.

Last edited by vincix; 04-18-2015 at 07:43 AM.
 
Old 04-18-2015, 02:55 PM   #4
joe_2000
Member
 
Registered: Jul 2012
Location: Aachen, Germany
Distribution: Void, Debian
Posts: 808

Rep: Reputation: 216
I don't know that iptables can "work out" any relationships on its own. Just block / open the ports for the protocols you want.
Easiest may be if you post your current config script, as any isolated lines we may be able to throw out here won't necessarily make sense in the context of your config.

That said, you might just want to close everything and then step by step open things up and just try if it works. That way you'll find out how big a hole you need...
Does that make sense?
 
Old 04-18-2015, 06:28 PM   #5
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 6.7, 7
Posts: 514

Original Poster
Rep: Reputation: 48
Well, that's what I've been doing anyway. I really was just trying to understand dhcp in iptables better. This is what my iptables looks like, I know it's not particularly clean:


Quote:
# Generated by iptables-save v1.4.7 on Sat Apr 18 15:10:37 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --tcp-flags SYN,ACK SYN,ACK -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -m limit --limit 1/sec --limit-burst 3 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 1024:65535 -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 1024:65535 -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp -m multiport --dports 53,80 -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate NEW -m icmp --icmp-type 8 -m limit --limit 1/sec --limit-burst 3 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp -m multiport --dports 111,662,875,892 -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -m udp -m multiport --dports 111,662,875,892 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 1024:65535 -j ACCEPT
-A OUTPUT -p udp -m conntrack --ctstate NEW -m udp --dport 1024:65535 -j ACCEPT
-A OUTPUT -p udp -m conntrack --ctstate NEW -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate NEW -m tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -p icmp -m conntrack --ctstate NEW -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p udp -m conntrack --ctstate NEW -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
So for instance, if I am the dhcp client, what rule should I introduce?
What about access to UDP --sport 58 and --dport 57 in OUTPUT and the reverse in INPUT? Does this make sense?
 
Old 04-18-2015, 07:04 PM   #6
joe_2000
Member
 
Registered: Jul 2012
Location: Aachen, Germany
Distribution: Void, Debian
Posts: 808

Rep: Reputation: 216
Quote:
Originally Posted by vincix
So for instance, if I am the dhcp client, what rule should I introduce?
What about access to UDP --sport 58 and --dport 57 in OUTPUT and the reverse in INPUT? Does this make sense?
I take it you mean 68 and 67, but basically what you say seems to make sense. However, although I typically set up my firewall to block any incoming traffic except established traffic, I never have to manually open either 67 or 68. I am thinking this is because, as a client, I am the one initiating the dhcp negotiation. So my guess would be that in combination with your established,related input rule it should be sufficient to allow 68->67 on output.

Again, if you want to find out, you can always just test what happens if you don't open these ports.
One thing I found very useful when investigating something similar was firewall logging.
You can log every packet and see where it comes and goes just before it gets dropped because no other rule applied.
That helps a lot to understand better.
It's the -j LOG option you should look at. Set the log level to 4 so it shows up in your system logs.
Example:
Code:
/sbin/iptables -A INPUT -j LOG --log-level 4 --log-prefix 'IN_FIREWALL '
This would go right before the DROP line.
The logging then happens in /var/log/messages (at least on Debian). You can also make it go to another logfile, but that's a story for a different thread I guess.
 
Old 04-19-2015, 04:52 AM   #7
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 6.7, 7
Posts: 514

Original Poster
Rep: Reputation: 48
Of course, yes, I meant 67 and 68, not 57/58. In my second post I got it right.

So, that's the weird thing. I've been connecting to my server remotely for several months now with this restrictive iptables and only now did it cross my mind to allow dhcp access. And I am still wondering how come the ip lease hadn't expired. I checked the /var/log/messages (iptables logs are redirected to /var/log/iptables.log), and it was full of messages like this one:
Quote:
Apr 19 11:40:22 myhost dhclient[1251]: DHCPREQUEST on eth0 to X.X.X.X port 67 (xid=0x120a262c)
Apr 19 11:40:22 myhost dhclient[1251]: send_packet: Operation not permitted
After entering:
Code:
iptables -I OUTPUT 10 -m conntrack --ctstate NEW -p udp --dport 67 -j ACCEPT

I finally got:
Quote:
Apr 19 11:42:01 myhost dhclient[1251]: DHCPREQUEST on eth0 to X.X.X.X port 67 (xid=0x120a262c)
Apr 19 11:42:01 myhost dhclient[1251]: DHCPACK from X.X.X.X (xid=0x120a262c)
Apr 19 11:42:02 myhost dhclient[1251]: bound to MY IP -- renewal in 39881 seconds.
My server rebooted very often and my /etc/sysconfig/network-scripts/ifcfg-eth0 shows:
Quote:
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
So I'm having a hard time understanding how dhcp works/worked and what really happened here. How was my server still connected?
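The exchange discussed in this thread, as an added example that is not code from the thread: a Python model of the client rule set joe_2000 suggests (OUTPUT accepts a NEW 68->67 UDP flow, INPUT accepts only RELATED,ESTABLISHED, everything else is REJECTed) with a simplified UDP conntrack, run over a unicast renewal and over the initial broadcast DISCOVER/OFFER. Addresses are constructed; the broadcast pair is included to show that conntrack cannot pair it (ISC dhclient sends and receives those broadcasts over a packet socket that the INPUT/OUTPUT chains do not see, which is why a client that reboots into the broadcast path still obtains a lease even while its unicast renewals are rejected).

```python
# Added example (not from the thread): toy model of conntrack-based iptables rules seeing DHCP.
# Client policy as suggested in the thread: OUTPUT accepts NEW udp 68->67, INPUT only ESTABLISHED.

class Conntrack:
    """Simplified UDP conntrack: a packet matching a stored 4-tuple, or its
    exact inverse (the reply direction), is ESTABLISHED; otherwise NEW."""
    def __init__(self):
        self.entries = set()

    def state(self, src, sport, dst, dport):
        if (src, sport, dst, dport) in self.entries or (dst, dport, src, sport) in self.entries:
            return "ESTABLISHED"
        return "NEW"

    def confirm(self, src, sport, dst, dport):
        self.entries.add((src, sport, dst, dport))

def output_chain(ct, src, sport, dst, dport):
    """Client OUTPUT: tracked flows and a NEW 68->67 UDP flow are accepted."""
    if ct.state(src, sport, dst, dport) == "ESTABLISHED" or (sport, dport) == (68, 67):
        ct.confirm(src, sport, dst, dport)   # accepted packets confirm the entry
        return "ACCEPT"
    return "REJECT"

def input_chain(ct, src, sport, dst, dport):
    """Client INPUT: no explicit DHCP rule; only replies to a tracked flow pass."""
    return "ACCEPT" if ct.state(src, sport, dst, dport) == "ESTABLISHED" else "REJECT"

def run_exchange(messages):
    """messages: (direction, name, src, sport, dst, dport); returns (name, verdict) pairs."""
    ct = Conntrack()
    verdicts = []
    for direction, name, *tup in messages:
        chain = output_chain if direction == "out" else input_chain
        verdicts.append((name, chain(ct, *tup)))
    return verdicts

CLIENT, SERVER = "192.0.2.10", "192.0.2.1"   # constructed sample addresses

# Unicast renewal (client in RENEWING state): it already has an address, so
# the ACK is the exact inverse of the REQUEST tuple and matches ESTABLISHED.
RENEWAL = [("out", "DHCPREQUEST", CLIENT, 68, SERVER, 67),
           ("in", "DHCPACK", SERVER, 67, CLIENT, 68)]

# Initial broadcast exchange: the OFFER is not the inverse of the DISCOVER tuple, so
# conntrack never pairs them; real dhclient moves these over a packet socket instead.
DISCOVER = [("out", "DHCPDISCOVER", "0.0.0.0", 68, "255.255.255.255", 67),
            ("in", "DHCPOFFER", SERVER, 67, "255.255.255.255", 68)]
```

Running `run_exchange(RENEWAL)` accepts both packets, while `run_exchange(DISCOVER)` accepts the DISCOVER in OUTPUT but rejects the OFFER in INPUT, the case the packet socket sidesteps.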
 