LinuxQuestions.org
Old 07-02-2001, 08:46 AM   #1
clausawits
Member
 
Registered: Jun 2001
Posts: 147

Rep: Reputation: 16
dhcpd and iptables


After finding nothing on a search of these terms on this board, I thought I'd make a quick check to see if other people were having similar experiences.

To get up and running, I followed the rc.firewall of http://boingworld.com/workshops/linu...bles-tutorial/

Since then, masquerading seems to be working... dhcpd (running on the same machine) does not, though (will not assign an address while the firewall is up). If I flush my rules, it works fine. I'm running the ubiquitous Mandrake 8.
I figure I need to go through, check my entries and settings and get familiar with the specific rules chains, but I wanted to see if this was a phenomenon other people had already encountered and solved.

A quick google search shows other people are having this problem, but I haven't seen a reply with a specific solution.. (and some distributions claim to have iptables and dhcpd running on the same box, so it seems the problem is solvable.)

thanks for your time,
James
 
Old 07-03-2001, 12:15 PM   #2
clausawits
Member
 
Registered: Jun 2001
Posts: 147

Original Poster
Rep: Reputation: 16
wow! 1 day, ten views.. sucks to have a post with a title that is plain and descriptive.

I guess no one is doing DHCP with the 2.4 kernel masquerading?
 
Old 08-15-2001, 09:44 AM   #3
Phucen ey
LQ Newbie
 
Registered: Aug 2001
Posts: 5

Rep: Reputation: 0
You might want to try the following for allowing DHCPD traffic.

# Allow incoming DHCP requests via the internal interface
#
iptables -A INPUT -i $internal_interface -s 0.0.0.0 -d 255.255.255.255/255.255.255.255 -j ACCEPT

# Allow outgoing DHCP responses via the internal interface
#
iptables -A OUTPUT -o $internal_interface -s $internal_network -d 255.255.255.255/32 -j ACCEPT

These worked for me even though they're probably not the best

FnA
 
Old 10-18-2001, 01:31 PM   #4
[BHBS]=TK
Member
 
Registered: Aug 2001
Location: Salt Lake City, UT
Distribution: REDHAT 7.1
Posts: 32

Rep: Reputation: 15
Same Trbl

I have the same trouble.... I have made two scripts one that flushes temporarily to get a lease, then one to bring the firewall up.. Will see if previous post works...
 
Old 10-18-2001, 03:41 PM   #5
dizzydench
LQ Newbie
 
Registered: Oct 2001
Posts: 7

Rep: Reputation: 0
I have set-up (very recently... as in over the last week) a firewall with DHCP... What I did was create the dhcp.conf script per a how-to (pretty straightforward). Then the second eth1 gets its IP address from the DHCP server of our DSL provider. I disabled iptables altogether and am just using ipchains... So far it works like a dream. Just make sure you put "echo 1 > /proc/sys/net/ipv4/ip_forward" in the rc.local script (something I learned from these boards...) I hope this helps your situation...

-Dizzy

::edit:::
Oh yeah... I set-up the IPchains to start-up with:
ipchains -P forward -j MASQ
with ip_forward on it works like a charm...
 
Old 10-21-2001, 07:28 AM   #6
Cpare
Member
 
Registered: Aug 2001
Location: Magic City, USA
Distribution: Ubuntu
Posts: 73

Rep: Reputation: 15
I also have a RH7.1 (2.4) Router running DHCPD (For my LAN) and IPTABLES, my rules are pretty plain, but these are the only significant parts that should get you running...


#Change Default INPUT Policy to DROP
iptables -P INPUT DROP

# Allow all protocols to hit this box on eth0 (LAN) this allows me
# to FTP/TELNET from the LAN, but not the WAN
iptables -A INPUT -i eth0 -j ACCEPT

#Allow this box to be seen to my provider's DHCP Server on eth1(WAN)
iptables -A INPUT -p tcp --dport 68 -i eth1 -j ACCEPT
iptables -A INPUT -p udp --dport 68 -i eth1 -j ACCEPT
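
Added example, not code from any poster in this thread: the rules from posts #3 and #6 narrowed to match DHCP by UDP port on one interface, instead of by broadcast address or by accepting everything on the LAN side. The interface names follow post #6; the function names and the IPT preview variable are assumptions of this example, and it assumes no DHCP relay agent is involved.

```shell
#!/bin/sh
# Added example (not from the thread).
# Assumed layout, as in post #6: eth0 = LAN served by dhcpd, eth1 = WAN
# whose address comes from the provider's DHCP server.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"

# By default the rules are only printed. Run as root with IPT=iptables
# to actually load them.
IPT="${IPT:-echo iptables}"

# dhcpd side: clients send from UDP 68 to UDP 67. Matching on ports
# covers the initial broadcast (0.0.0.0 -> 255.255.255.255) as well as
# later unicast renewals from an already-leased address.
# Replies leave from UDP 67 towards UDP 68.
dhcp_server_rules() {
    $IPT -A INPUT  -i "$1" -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A OUTPUT -o "$1" -p udp --sport 67 --dport 68 -j ACCEPT
}

# DHCP client side: our requests leave from UDP 68 to UDP 67 and the
# provider's answers arrive from UDP 67 to UDP 68.
# DHCP runs over UDP only, so no TCP rule is generated.
dhcp_client_rules() {
    $IPT -A OUTPUT -o "$1" -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A INPUT  -i "$1" -p udp --sport 67 --dport 68 -j ACCEPT
}

# With -A the rules are appended, so call these before any catch-all
# DROP/REJECT/LOG rule that the firewall script adds to INPUT or OUTPUT.
dhcp_server_rules "$LAN_IF"
dhcp_client_rules "$WAN_IF"
```
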
 
Old 10-21-2001, 11:04 PM   #7
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Rep: Reputation: 58
To get your address from a SLIP, PPP, or DHCP

echo "1" > /proc/sys/net/ipv4/ip_dynaddr


you should put it in the rc.firewall script

it works for me

Last edited by DavidPhillips; 10-21-2001 at 11:11 PM.
 
  

