LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 04-20-2006, 12:05 PM   #1
eder_michael11
Member
 
Registered: Jan 2006
Posts: 51

security DHCP server


I am going to install a DHCP server, but I am not sure what services to allow from the network.

For example, I will close everything with -P INPUT DROP.

But what exactly do I have to ACCEPT for my server to work correctly? I think if I close everything, the server will not receive the DHCP-DISCOVER from the computers that want to connect to my server...

Do you know what exactly I have to ACCEPT?
 
Old 04-20-2006, 12:34 PM   #2
ataraxia
Member
 
Registered: Apr 2006
Location: Pittsburgh
Distribution: Debian Sid AMD64
Posts: 296

You need to accept UDP/67 (bootps) incoming from whatever your-net is.
Code:
iptables -A INPUT -j ACCEPT -p udp -s <your-net> -m udp --destination-port bootps
I also suggest you put these rules on any machine where there isn't a specific reason not to:
Code:
iptables -A INPUT -j ACCEPT -i lo
iptables -A INPUT -j ACCEPT -m state --state established
 
Old 04-20-2006, 12:59 PM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Code:
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p UDP -i $LAN_IFACE --sport 68 --dport 67 -j ACCEPT

Last edited by win32sux; 04-21-2006 at 10:03 AM. Reason: fixed a typo - i had put $WAN_IFACE instead of $LAN_IFACE...
 
Old 04-20-2006, 01:05 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by ataraxia
-s <your-net>
As the client is connecting to the DHCP server in order to *obtain* an IP address configuration, one should not have a source address/network match in this rule...

Last edited by win32sux; 04-20-2006 at 01:07 PM.
 
Old 04-20-2006, 04:48 PM   #5
ataraxia
Member
 
Registered: Apr 2006
Location: Pittsburgh
Distribution: Debian Sid AMD64
Posts: 296

Quote:
Originally Posted by win32sux
As the client is connecting to the DHCP server in order to *obtain* an IP address configuration, one should not have a source address/network match in this rule...
Ah, you are right. I agree with your suggestion to use the interface instead, but I think you meant "$LAN_IFACE"? After all, it's not nice to serve DHCP to the outside world and ignore your own clients.
 
Old 04-21-2006, 10:01 AM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by ataraxia
Ah, you are right. I agree with your suggestion to use the interface instead, but I think you meant "$LAN_IFACE"? After all, it's not nice to serve DHCP to the outside world and ignore your own clients.
Yeah, I absolutely meant $LAN_IFACE... it was a typo, thanks for the heads-up...

Last edited by win32sux; 04-21-2006 at 10:25 AM.
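An added example, not from the thread: a small Python model of how the two INPUT rules compared above treat a DHCPDISCOVER versus a unicast lease renewal. It assumes your-net is 192.168.1.0/24 and $LAN_IFACE is eth0, and models only the -i/-p/-s/--sport/--dport matches, not netfilter itself.

```python
# Added example (not from the thread): a minimal model of iptables INPUT
# matching, used to show why a -s <your-net> match drops DHCPDISCOVER while
# the interface-based rule accepts it.  Assumed: your-net = 192.168.1.0/24,
# $LAN_IFACE = eth0.  This is a model, not netfilter.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    iface: str   # interface the packet arrived on (-i)
    proto: str   # transport protocol (-p)
    src: str     # source IP as text
    sport: int   # source UDP port
    dst: str     # destination IP as text
    dport: int   # destination UDP port


@dataclass
class Rule:
    target: str                      # ACCEPT or DROP
    iface: Optional[str] = None      # -i
    proto: Optional[str] = None      # -p
    src_net: Optional[str] = None    # -s
    sport: Optional[int] = None      # --sport
    dport: Optional[int] = None      # --dport

    def matches(self, pkt: Packet) -> bool:
        """Every specified match must hold, as in iptables."""
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.proto is not None and pkt.proto != self.proto.lower():
            return False
        if self.src_net is not None and \
                ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def verdict(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins; otherwise the chain policy (-P INPUT DROP) applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Constructed packets: a DHCPDISCOVER from a client that has no address yet,
# a unicast DHCPREQUEST renewal from a client that already has one, and the
# same broadcast arriving on the WAN side (assumed eth1).
DISCOVER = Packet("eth0", "udp", "0.0.0.0", 68, "255.255.255.255", 67)
RENEWAL = Packet("eth0", "udp", "192.168.1.20", 68, "192.168.1.1", 67)
WAN_DISCOVER = Packet("eth1", "udp", "0.0.0.0", 68, "255.255.255.255", 67)

# ataraxia's first rule: -p udp -s <your-net> --destination-port bootps
SOURCE_MATCH_CHAIN = [Rule("ACCEPT", proto="udp", src_net="192.168.1.0/24", dport=67)]
# win32sux's rule: -p UDP -i $LAN_IFACE --sport 68 --dport 67
IFACE_MATCH_CHAIN = [Rule("ACCEPT", iface="eth0", proto="UDP", sport=68, dport=67)]
```

The source-matched chain only accepts the renewal, because 0.0.0.0 is not inside your-net; the interface-matched chain accepts both LAN packets and still drops the broadcast arriving on eth1.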