Hi all,

On 5/16/07, Nicholas Kline <kakster7@xxxxxxxxxxxxx> wrote:
> Questions about DHCP firewall rules
>
> Greetings,
>
> I am in the process of learning Netfilter/iptables. I plan on using Netfilter/iptables to protect my Linux desktop computers and servers. We're talking host-based firewalls, not one firewall protecting all of the desktops and servers. I have a basic question I am hoping someone on this mailing list can answer.
>
> I am a little confused about configuring Netfilter/iptables on a Linux desktop computer. Specifically, this situation: a Linux desktop computer that is configured to use DHCP and configured to use the following rule:
>
> $IPTABLES -A INPUT -s $IP_LOCAL -j LOG --log-prefix "Spoofed source IP"
> $IPTABLES -A INPUT -s $IP_LOCAL -j DROP
>
> I would like to include the previous rule as part of a standard rule set. From how I understand this situation, the firewall would have to be able to automatically detect when the computer's IP address changes, right? Manually inputting the computer's IP address each time it changes would get really old. I'm using several books as references for learning Netfilter/iptables and they discuss implementing "dynamic firewall scripts". In this case, a dynamic firewall script that recognizes when the computer's IP address changes.
>
> So, my questions are:
>
> 1.) If I am using a computer that is configured to obtain its IP address through DHCP, what firewall rules do I need to set up?
So, you need to allow the DHCP ports that the client uses to send a request to the server and the server uses to send an offer to the client. I do not know what the configuration of your network is, but in case you are implementing the iptables firewall on the client, then it should look like:

iptables -A INPUT -p udp --dport 68 -j ACCEPT

This will accept all messages in the INPUT chain that are destined to port 67 (the port that is used by the DHCP server to send replies to clients). DHCP uses UDP as the transport protocol. In the OUTPUT chain you probably will not have any restriction, but in case you have, the server accepts DHCP requests on port 67.
> 2.) Additionally, how do I configure the firewall to automatically detect changes in the computer's network configuration (IP address change, etc.)?
For this I think you can take that information from the DHCP server or make some kind of logging on the iptables firewall, ... take a look at http://iptables-tutorial.frozentux.net/iptables-tutorial.html

Regards
Elvir Kuric
> Thank you for your time,
> *Nick*
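The two questions in the thread (which rules a DHCP client needs, and how to re-apply the address-dependent anti-spoof pair when the lease changes) fit together in one small script. The following is an added example written for this page, not code from Nick, Elvir or the iptables tutorial. It assumes legacy iptables syntax, a dedicated user chain named SPOOF_CHECK (so the address-dependent rules can be flushed and rebuilt without touching the rest of INPUT), a placeholder interface eth0, a state file under /run, and the variables that dhclient-script exports to its exit hooks ($reason, $new_ip_address). The DHCP port facts it encodes are standard: the client listens on UDP 68, the server on UDP 67.

```shell
#!/bin/sh
# Added example, not code from the thread. Host firewall for a DHCP client:
# static rules (the DHCP ports) are loaded once; the address-dependent
# LOG/DROP anti-spoof pair is rebuilt only when the leased address changes.
# Assumptions: legacy iptables syntax, a dedicated chain SPOOF_CHECK,
# placeholder interface eth0, a state file under /run, and the
# dhclient-script hook variables $reason / $new_ip_address.

IPTABLES="${IPTABLES:-iptables}"
IFACE="${IFACE:-eth0}"                       # placeholder interface name
STATE_FILE="${STATE_FILE:-/run/fw-local-ip}" # last address rules were built for
CHAIN=SPOOF_CHECK

# Constructed sample of 'ip -4 -o addr show dev eth0' output, so parse_ip
# can be exercised offline.
SAMPLE_IP_ADDR_OUTPUT='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global dynamic eth0\       valid_lft 85000sec preferred_lft 85000sec'

# Address-independent rules, loaded once at boot. DHCP runs over UDP: the
# client listens on 68 and the server on 67, so inbound only needs 68. The
# OUTPUT rule matters only if the OUTPUT chain is restricted.
static_rules() {
    cat <<EOF
$IPTABLES -N $CHAIN 2>/dev/null || true
$IPTABLES -A INPUT -i $IFACE -j $CHAIN
$IPTABLES -A INPUT -i $IFACE -p udp --sport 67 --dport 68 -j ACCEPT
$IPTABLES -A OUTPUT -o $IFACE -p udp --sport 68 --dport 67 -j ACCEPT
EOF
}

# Address-dependent rules: the LOG/DROP pair from the thread. Because INPUT
# jumps here only for -i $IFACE, traffic on lo (which legitimately carries
# the host's own address) never hits the spoof check.
spoof_rules() {
    addr="$1"
    cat <<EOF
$IPTABLES -F $CHAIN
$IPTABLES -A $CHAIN -s $addr -j LOG --log-prefix "Spoofed source IP "
$IPTABLES -A $CHAIN -s $addr -j DROP
EOF
}

# Extract the first IPv4 address from 'ip -4 -o addr show dev IFACE' text
# on stdin (field 3 is "inet", field 4 is "addr/prefix").
parse_ip() {
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# Rebuild the spoof chain only if the address differs from the one recorded
# in the state file. Returns 0 when rules were rebuilt, 1 when unchanged.
refresh_if_changed() {
    new="$1"; state="$2"
    old=""
    [ -r "$state" ] && old=$(cat "$state")
    [ "$new" = "$old" ] && return 1
    spoof_rules "$new" | sh
    printf '%s\n' "$new" > "$state"
    return 0
}

main() {
    case "${reason:-}" in
        BOUND|RENEW|REBIND|REBOOT) addr="$new_ip_address" ;;          # from dhclient
        "")  addr=$(ip -4 -o addr show dev "$IFACE" | parse_ip) ;;  # manual/cron run
        *)   return 0 ;;   # EXPIRE, RELEASE, FAIL, ...: no address to protect
    esac
    [ -n "$addr" ] || return 0
    refresh_if_changed "$addr" "$STATE_FILE" || :
}

# dhclient-script sources its hooks with $reason set; for a manual run pass
# --apply. Neither is true when the file is sourced just for its functions.
if [ -n "${reason:-}" ] || [ "${1:-}" = "--apply" ]; then
    main
fi
```

Load `static_rules | sh` once from the boot-time firewall script, then install this file where dhclient-script picks it up (on Debian-derived systems that is /etc/dhcp/dhclient-exit-hooks.d/); every BOUND/RENEW/REBIND event then re-checks the address, and a RENEW that keeps the same lease costs nothing because the state file matches. Setting `IPTABLES=echo` prints the rules instead of applying them, which is a convenient way to review the generated set before going live.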