LinuxQuestions.org

Linux - Security: security DHCP server (https://www.linuxquestions.org/questions/linux-security-4/security-dhcp-server-437156/)

eder_michael11 04-20-2006 12:05 PM

security DHCP server
 
I am going to install a DHCP server, but I am not sure what services to allow from the network.

For example, I will close everything with -P INPUT DROP.

But what exactly do I have to ACCEPT for my server to work correctly? I think if I close everything, the server will not receive the DHCP-DISCOVER from the computers that want to connect to my server...

Do you know exactly what I have to ACCEPT?

ataraxia 04-20-2006 12:34 PM

You need to accept UDP/67 (bootps) incoming from whatever your-net is.
Code:

iptables -A INPUT -j ACCEPT -p udp -s <your-net> -m udp --destination-port bootps
I also suggest you put these rules, on any machine where there isn't a specific reason not to:
Code:

iptables -A INPUT -j ACCEPT -i lo
iptables -A INPUT -j ACCEPT -m state --state established


win32sux 04-20-2006 12:59 PM

Code:

# default: drop everything not explicitly accepted below
iptables -P INPUT DROP
# replies belonging to connections this host initiated
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# DHCP requests: UDP from client port 68 to server port 67, LAN side only
iptables -A INPUT -p UDP -i $LAN_IFACE --sport 68 --dport 67 -j ACCEPT


win32sux 04-20-2006 01:05 PM

Quote:

Originally Posted by ataraxia
-s <your-net>

As the client is connecting to the DHCP server in order to *obtain* an IP address configuration, one should not have a source address/network match in this rule...

ataraxia 04-20-2006 04:48 PM

Quote:

Originally Posted by win32sux
as the client is connecting to the DHCP server in order to *obtain* an IP address configuration, one should not have a source address/network match in this rule...

Ah, you are right. I agree with your suggestion to use the interface instead, but I think you meant "$LAN_IFACE"? After all, it's not nice to serve DHCP to the outside world, and ignore your own clients :D

win32sux 04-21-2006 10:01 AM

Quote:

Originally Posted by ataraxia
Ah, you are right. I agree with your suggestion to use the interface instead, but I think you meant "$LAN_IFACE"? After all, it's not nice to serve DHCP to the outside world, and ignore your own clients

Yeah, I absolutely meant $LAN_IFACE... it was a typo, thanks for the heads-up... :D

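The rule set the thread settled on, written out as a complete script. This is an added example, not code posted by anyone in the thread: it assumes the server's LAN-facing interface is named by LAN_IFACE (eth1 here is a placeholder), adds a DRY_RUN mode that prints the rules instead of loading them, and adds an optional rule for a DHCP relay agent, which the thread does not cover.

```shell
#!/bin/sh
# Added example, not code from the thread: a complete INPUT chain for a
# DHCP server, built from the rules discussed above.
# Assumptions: LAN_IFACE is the server's LAN-facing interface (eth1 is a
# placeholder); with DRY_RUN=1 the rules are printed instead of applied,
# so the script can be reviewed on a machine without root or iptables.
# Usage: "sh dhcp-fw.sh" prints the rules, "sh dhcp-fw.sh apply" (as root)
# loads them.

LAN_IFACE="${LAN_IFACE:-eth1}"

# Wrapper: print the rule in dry-run mode, otherwise call iptables.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

dhcp_server_rules() {
    iface="$1"
    ipt -P INPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DHCPDISCOVER/DHCPREQUEST arrive as UDP from 0.0.0.0:68 to
    # 255.255.255.255:67 (a renewing client sends unicast from its leased
    # address, still 68 -> 67). Nothing in this exchange is ESTABLISHED, so
    # the rule must match on interface and ports; a -s <your-net> match
    # would drop every initial request, because the client has no address.
    ipt -A INPUT -i "$iface" -p udp --sport 68 --dport 67 -j ACCEPT
}

# Only needed if a DHCP relay agent on another subnet forwards requests:
# the relay sends unicast from its own address with source port 67, not
# 68, so the rule above would drop it. Here the relay address is known,
# so restricting the source is correct (hypothetical relay in the test).
dhcp_relay_rules() {
    iface="$1"
    relay="$2"
    ipt -A INPUT -i "$iface" -p udp -s "$relay" --sport 67 --dport 67 -j ACCEPT
}

case "${1-}" in
    apply) dhcp_server_rules "$LAN_IFACE" ;;
    *)     (DRY_RUN=1; dhcp_server_rules "$LAN_IFACE") ;;
esac
```

Two caveats worth knowing before relying on this. The script only touches INPUT; if OUTPUT is also set to DROP, the server's DHCPOFFER/DHCPACK (UDP from port 67 to port 68, often to 255.255.255.255) needs a matching OUTPUT rule. And ISC dhcpd on Linux normally reads requests through a packet socket (LPF), which sees frames before the INPUT chain, so these rules govern the kernel's UDP socket path (as used by dnsmasq or a relay) rather than shielding dhcpd itself from unsolicited packets.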
