iptables can't allow DNS & DHCP to LAN

tr1pl3x · 08-02-2010, 08:14 PM

hello everybody.. I'ts a cold morning here in my country

, can anyone give me a helping hand on how to let iptables to allow dns & dhcp distributions from the server to the clients only w/out exposing the port dhcp port udp 67,68 and tcp port 67,68 as well from the outside world. DHCP only uses udp, but still I also allowed tcp ports as well just to be sure & also I already allow DNS ports in the firewall w/c is not inluded below. linux newbie here, I will really appreciate your help. so far this is what i've done..
I already issued the command below: Note: '#' stands for root

when i issued the command below to allow those ports only to the internal network the firewall still blocking it. what seems to be the problem??,

#iptables -A INPUT -m iprange --src-range 192.168.0.1-192.168.0.254 -p udp --dport 67 -j ACCEPT

#iptables -A INPUT -m iprange --src-range 192.168.0.1-192.168.0.254 -p udp --dport 68 -j ACCEPT

#iptables -A INPUT -m iprange --src-range 192.168.0.1-192.168.0.254 -p tcp --dport 68 -j ACCEPT

#iptables -A INPUT -m iprange --src-range 192.168.0.1-192.168.0.254 -p tcp --dport 68 -j ACCEPT

other question is?, when I tried to issue the command below it will allow those ports from going out the firewall but exposing those ports to the internet w/c is not recommended for me..

#iptables -A INPUT -p udp --dport 67 -j ACCEPT

#iptables -A INPUT -p udp --dport 68 -j ACCEPT

#iptables -A INPUT -p tcp --dport 67 -j ACCEPT

#iptables -A INPUT -p tcp --dport 68 -j ACCEPT

can anyone help me how to remedy this situation.. guys i dont want to use gui firewall configuration such as firestarter 0r textbase firewall such as shorewall on configuring the firewall.. I really want to learn how iptables works and I believe it will be worth the patience & practice in learning this. tnx in advance..

______________________________________________________________________
Patience is the key to success!

dkm999 · 08-02-2010, 09:51 PM

Let us take this one step at a time. First of all, we need to know where the server, the clients, and the firewall are in your network. Is the server the same machine as the firewall? If not, what interfaces are there on the firewall, and how should traffic flow between the server and the clients?

Once that is clear, I think it would be useful to see the whole set of rules that the firewall is using; you can generate a listing with the command

Code:

#iptables -nvL

That way, we will be able to recommend things with (fairly) complete knowledge of what your system configuration is.

estabroo · 08-02-2010, 10:55 PM

part of the problem is the packets are going to be using a broadcast packet since initially the machine won't have an ip and won't even know what network it's on, so your src range isn't going to help.

you might actually have to bridge the ethernet ports between client and server side of things because of that. You can always just block those ports on the outside world ethernet.

dkm999 · 08-03-2010, 11:04 AM

estabroo is correct about the broadcast packet addresses. But you can deal with them using iptables, rather than going to the trouble of dealing with a bridging (Level 2) setup. There are two parts to this:

1. Accept broadcast packets on the internal interface(s)

Code:

#iptables -A INPUT -i eth0 -p udp -d 255.255.255.255 --dport 67 -j ACCEPT

2. Deny UDP access to the DHCP ports from the Internet in both directions:

Code:

#iptables -A INPUT -i eth1 -p udp -d 255.255.255.255 --dport 67 -j DROP
#iptables -A OUTPUT -i eth1 -p udp -s 255.255.255.255 --sport 68 -j DROP

These last two rules make sure that your firewall will not accept any external DHCP request (port 67) and will not forward any DHCP offering to external machines.