[SOLVED] Linux Router: Iptables rules and dhcp server on eth1
Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Distribution: Fedora, CentOS, and would like to get back to Gentoo
Posts: 332
Rep:
Linux Router: Iptables rules and dhcp server on eth1
Installed new linux router for use today, Monday: Slackware 13, 2 nics.
eth0 - to the internet
eth1 - to the LAN (dhcp server is set to listen on this interface)
My iptables policies for INPUT OUTPUT and FORWARD are set to DROP.
I've got about 30 users and all day long, at any given time, about 10% of the LAN clients (Win XP Pro Boxes) had difficulty obtaining ip addresses from the dhcp server.
I've been logging packets and it appears I've found the problem, but I'm wondering if there's a better solution than the one I've implemented.
More specifically, I've been logging like this, and dropping whatever doesn't come from the allowed subnet range:
$IPT -t filter -A INPUT -i $LAN1 ! -s $SUBNET1 -j LOG --log-prefix "SPOOFED PKT"
$IPT -t filter -A INPUT -i $LAN1 ! -s $SUBNET1 -j DROP
And I've been ending up with lots of this in the log:
It seems like these dhcp requests are seen as spoofed packets, and it's happening as part of the natural course of a dhcp client calling out for an ip address, but not yet possessing a an address within the specified address range stated in the iptables rule.
The only thing that appears to have eased the problem is changing the second rule stated above to:
$IPT -t filter -A INPUT -i $LAN1 -j ACCEPT
and also adding the following rule in the OUTPUT chain:
$IPT -t filter -A OUTPUT -o $LAN1 -j ACCEPT
However, both of these cause me some security concerns and I'm not sure if it's good practice to open up the LAN interface to all incoming data.
Is there a better way?
- - - - - - - - - -
Also, a subsequent but related question: In order to facilitate dhcp clients obtaining ip addresses from LAN-side dhcp server, do I need to enable certain rules on the FORWARD chain?
Currently, I have these enabled but I don't know if they are even necessary (remember, my FORWARD policy is set to DROP):
$IPT -t filter -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID" --log-ip-options --log-tcp-options
$IPT -t filter -A FORWARD -m state --state INVALID -j DROP
$IPT -t filter -A FORWARD -i $LAN1 -p udp -s $SUBNET1 --dport 67 -j ACCEPT
$IPT -t filter -A FORWARD -i $LAN1 -p udp -s $SUBNET1 --dport 68 -j ACCEPT
$IPT -t filter -A FORWARD -i $LAN1 -m state --state NEW -p tcp -s $SUBNET1 --dport 67 -j ACCEPT
$IPT -t filter -A FORWARD -i $LAN1 -m state --state NEW -p tcp -s $SUBNET1 --dport 68 -j ACCEPT
$IPT -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -t filter -A FORWARD -i $LAN1 ! -s $SUBNET1 -j DROP
It's quite obvious why all the dhcp request are logged by your "not-our-subnet" rule cause the come from 0.0.0.0 which sure is not in your subnet
You could just build a rule to get them before reaching the "not our subnet" rule like this
$IPT -t filter -A FORWARD -i $LAN1 -p udp -s $SUBNET1 --dport 67 -j ACCEPT
$IPT -t filter -A FORWARD -i $LAN1 -p udp -s $SUBNET1 --dport 68 -j ACCEPT
$IPT -t filter -A FORWARD -i $LAN1 -m state --state NEW -p tcp -s $SUBNET1 --dport 67 -j ACCEPT
$IPT -t filter -A FORWARD -i $LAN1 -m state --state NEW -p tcp -s $SUBNET1 --dport 68 -j ACCEPT
you have I'd go for the INPUT part. See the forward rule is used when you forward packages, but I think you need to accept the packages on the very server.
I always helped my self out with something like this to see how packages traverse the iptables rules and chains.
Code:
iptables -A INPUT -j LOG --log-prefix="INPUT chain"
iptables -A OUTPUT -j LOG --log-prefix="OUTPUT chain"
iptables -A FORWARD -j LOG --log-prefix="FORWARD chain"
iptables -t mangle -A INPUT -j LOG --log-prefix="mangle INPUT chain"
....
....
and tail -f the logfile.
Somewhere in /proc/net/ there is a file with all the legal targets and chains for iptables. (I'm just to lazy to look for it).
Cheers Zhjim
Last edited by zhjim; 09-24-2009 at 02:04 AM.
Reason: wrong names for log-prefix
the last two FORWARD rules facilitate destination routing to a few servers behind the firewall. They are needed to deal with my overall DROP policy in the FORWARD chain.
I'm definitely going to follow up on the tail -f logging example.
Hm I don't see now DHCP rules
I'd also say your Forward rules for the machine itself are a bit to open. There should be no need to forward traffic coming from the local interface (127.0.0.1). Also you should accept traffic coming from there.
I just diged up one of my favorite iptables script on the net http://homelansecurity.sourceforge.net/index.php
This really help me to get the hang on good, paranoid but also simple iptable rules.
Distribution: Fedora, CentOS, and would like to get back to Gentoo
Posts: 332
Original Poster
Rep:
Quote:
Originally Posted by zhjim
Hm I don't see now DHCP rules
Ya true, I only posted the relevant portions that needed work; it's not the whole firewall.
Quote:
I'd also say your Forward rules for the machine itself are a bit to open. There should be no need to forward traffic coming from the local interface (127.0.0.1).
No worries, the rule is a DROP, not accepting the forward --
$IPT -t filter -I FORWARD -i $SKYWAY -s 127.0.0.0/8 -j DROP
I like that HLS site, very good stuff to help follow the logic of chain statements from beginning to end. Thanks.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.