Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
 |
04-20-2006, 01:05 PM
|
#1
|
Member
Registered: Jan 2006
Posts: 51
Rep:
|
security DHCP server
i am going to install a dhcp server ,,, but i am not sure what services allow from the network
for example... i will close all -P INPUT DROP
but ... what exactly i have to ACCEPT for my server work correctly ... i think if i close all ... the server will not recibe the DHCP-DISCOVER from the computers that want to connect to my server...
do you know what do i have to ACCEPT exactly??
|
|
|
04-20-2006, 01:34 PM
|
#2
|
Member
Registered: Apr 2006
Location: Pittsburgh
Distribution: Debian Sid AMD64
Posts: 296
Rep:
|
You need to accept UDP/67 (bootps) incoming from whatever your-net is.
Code:
iptables -A INPUT -j ACCEPT -p udp -s <your-net> -m udp --destination-port bootps
I also suggest you put these rules, on any machine where there isn't a specific reason not to:
Code:
iptables -A INPUT -j ACCEPT -i lo
iptables -A INPUT -j ACCEPT -m state --state established
|
|
|
04-20-2006, 01:59 PM
|
#3
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Code:
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p UDP -i $LAN_IFACE --sport 68 --dport 67 -j ACCEPT
Last edited by win32sux; 04-21-2006 at 11:03 AM.
Reason: fixed a typo - i had put $WAN_IFACE instead of $LAN_IFACE...
|
|
|
04-20-2006, 02:05 PM
|
#4
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Quote:
Originally Posted by ataraxia
-s <your-net>
|
as the client is connecting to the DHCP server in order to *obtain* an IP address configuration, one should not have a source address/network match in this rule...
Last edited by win32sux; 04-20-2006 at 02:07 PM.
|
|
|
04-20-2006, 05:48 PM
|
#5
|
Member
Registered: Apr 2006
Location: Pittsburgh
Distribution: Debian Sid AMD64
Posts: 296
Rep:
|
Quote:
Originally Posted by win32sux
as the client is connecting to the DHCP server in order to *obtain* an IP address configuration, one should not have a source address/network match in this rule...
|
Ah, you are right. I agree with your suggestion to use the interface instead, but I think you meant "$LAN_IFACE"? After all, it's not nice to serve DHCP to the outside world, and ignore your own clients 
|
|
|
04-21-2006, 11:01 AM
|
#6
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Quote:
Originally Posted by ataraxia
Ah, you are right. I agree with your suggestion to use the interface instead, but I think you meant "$LAN_IFACE"? After all, it's not nice to serve DHCP to the outside world, and ignore your own clients
|
yeah, i absoloutely meant $LAN_IFACE... it was a typo, thanks for the heads-up... 
Last edited by win32sux; 04-21-2006 at 11:25 AM.
|
|
|
All times are GMT -5. The time now is 02:53 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|