m.b.j. (Guru)
Joined: 12 Sep 2003  Posts: 407  Location: Germany (Essen)
Posted: Mon Jul 05, 2004 8:13 pm  Post subject: iptables & dhcpd
My question:
Which packets do I have to ACCEPT if DHCP should run? netstat tells me that my dhcpd is using udp/67, but I think if a machine does not have any IP address (before DHCP grants a lease) it could not connect to port 67, so iptraf tells me that there is raw traffic on my eth. What kind of rule lets this traffic out or in?
I'm sorry for my bad English, but it is funny!
_________________
root@mbj # echo "sys-pizza/calzone -tunfish" >> /etc/paludis/use.conf
root@mbj # paludis -i calzone --dl-blocks discard
Last edited by m.b.j. on Tue Jul 06, 2004 1:21 pm; edited 1 time in total
splooge (l33t)
Joined: 30 Aug 2002  Posts: 636
Posted: Mon Jul 05, 2004 8:41 pm
You shouldn't need any additional ACCEPT statements for DHCP.
DHCP is a layer 2 broadcast; even if iptables is set to drop everything by default, it will still work.
_________________
http://get.a.clue.de
m.b.j. (Guru)
Joined: 12 Sep 2003  Posts: 407  Location: Germany (Essen)
Posted: Mon Jul 05, 2004 8:59 pm
Thx
primero.gentoo (Guru)
Joined: 23 Dec 2003  Posts: 402
Posted: Mon Jul 05, 2004 9:50 pm
splooge wrote:
    You shouldn't need any additional ACCEPT statements for DHCP.
    DHCP is a layer 2 broadcast; even if iptables is set to drop everything by default, it will still work.

Are you sure about this? I'm really not...
So, I think it is a Layer 3 broadcast that works something like this:
The client broadcasts a DHCPDISCOVER with src 0.0.0.0:68 and dst 255.255.255.255:67 to locate any available DHCP server on the same subnet (with a BOOTP relay if it is on another one).
Servers respond with a DHCPOFFER broadcast response which contains the network configuration and an available IP address (it could also be sent directly to the layer 2 address; it depends on the implementation).
Then the client sends a DHCPREQUEST to the server it selected, and the server responds with a DHCPACK to confirm the IP assignment.
IMHO it all works at level 3 with full usage of ports, so I think that you should need RULES to accept INPUT and OUTPUT traffic for using the DHCP service ... at least I really need them with my ISP, I grant you.
Bye
_________________
"Linux, the choice of a GNU generation"
==Micro$oft - just say NO==
(L#USER 353039)
m.b.j. (Guru)
Joined: 12 Sep 2003  Posts: 407  Location: Germany (Essen)
Posted: Tue Jul 06, 2004 12:35 pm
Thx, I will accept every packet to port 67 on my eth, and to port 68! I think I have to use just UDP?
primero.gentoo (Guru)
Joined: 23 Dec 2003  Posts: 402
Posted: Tue Jul 06, 2004 7:17 pm
Yes, I think UDP is enough ... and I've found this link, which I think is self-explanatory.
Bye
splooge (l33t)
Joined: 30 Aug 2002  Posts: 636
Posted: Tue Jul 06, 2004 9:32 pm
primero.gentoo wrote:
    Are you sure about this? I'm really not...

Well, I don't know the inner workings of DHCP, no, but I do know that I just set iptables to drop everything and my DHCP server still works:
Code:
    Chain INPUT (policy DROP)
    target     prot opt source               destination
Code:
    C:\Documents and Settings\Administrator>ipconfig /renew
    Windows IP Configuration
    Ethernet adapter Local Area Connection 2:
    Connection-specific DNS Suffix . : pwned.com
    IP Address. . . . . . . . . . . . : 192.168.0.198
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.0.1
Well, I can get an IP address from the DHCP server with iptables set to block everything.
'splain, Lucy!
splooge (l33t)
Joined: 30 Aug 2002  Posts: 636
Posted: Tue Jul 06, 2004 10:27 pm
Doing some research, it would appear the first request is a broadcast, while subsequent requests are unicast. So my setup is only half working. I bet what's going to happen once my workstation gets that lease is that it won't be able to renew it, and it will eventually expire until the workstation broadcasts for another one.
I guess the question here is: iptables isn't blocking that broadcast, so why not?
Anyway, primero.gentoo is right; for proper operation of DHCP you should have that port open.
Thanks for correcting my mistake.
primero.gentoo (Guru)
Joined: 23 Dec 2003  Posts: 402
Posted: Wed Jul 07, 2004 8:38 pm
splooge wrote:
    Doing some research, it would appear the first request is a broadcast, while subsequent requests are unicast. So my setup is only half working. I bet what's going to happen once my workstation gets that lease is that it won't be able to renew it, and it will eventually expire until the workstation broadcasts for another one.
    I guess the question here is: iptables isn't blocking that broadcast, so why not?

I had the same problem some time ago and had the same question ...
So, DHCP starts before the firewall, so it gets an IP address, but when the lease time expires and the host has to renew the IP ... here come the problems.
It is here that you, and I, need the rules for accepting DHCP traffic.
Quote:
    Anyway, primero.gentoo is right; for proper operation of DHCP you should have that port open.
    Thanks for correcting my mistake.

Bye man
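The ACCEPT rules primero.gentoo describes for the DISCOVER/OFFER exchange and for the later unicast lease renewals, as an added example written for this thread rather than code posted by anyone in it: a POSIX shell fragment for a DHCP server host whose INPUT and OUTPUT chains have policy DROP, with the mirrored client-side rules included as a generalization. The interface name, the IPTABLES variable (set to echo to preview) and the DHCP_APPLY switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). IPTABLES defaults to the real binary,
# which needs root; IPTABLES=echo prints the rules instead of applying them.
IPTABLES="${IPTABLES:-iptables}"

# Rules for the DHCP *server* host. Only udp is needed. The broadcast
# DHCPDISCOVER (0.0.0.0:68 -> 255.255.255.255:67) and the later unicast
# DHCPREQUEST renewals both arrive on udp/67 from udp/68, so a port-only
# match (no source or destination address) covers both and fixes the
# "lease cannot be renewed" failure mode discussed above.
dhcp_server_rules() {
    iface="$1"   # LAN interface the server listens on, e.g. eth0 (assumed)
    # Requests in: client port 68 -> server port 67
    "$IPTABLES" -A INPUT  -i "$iface" -p udp -m udp --sport 68 --dport 67 -j ACCEPT
    # Replies out: server port 67 -> client port 68 (OFFER/ACK, broadcast or unicast)
    "$IPTABLES" -A OUTPUT -o "$iface" -p udp -m udp --sport 67 --dport 68 -j ACCEPT
}

# Mirror image for a host that is a DHCP *client* (generalization of the
# thread's server case): requests leave from 68 to 67, replies return to 68.
dhcp_client_rules() {
    iface="$1"
    "$IPTABLES" -A OUTPUT -o "$iface" -p udp -m udp --sport 68 --dport 67 -j ACCEPT
    "$IPTABLES" -A INPUT  -i "$iface" -p udp -m udp --sport 67 --dport 68 -j ACCEPT
}

# Preview helper: how many emitted server rules accept traffic *to* port $2.
# Used to check a rule set before applying it (should be 1 for 67 and 1 for 68).
count_server_rules_for_dport() {
    IPTABLES=echo dhcp_server_rules "$1" | grep -c -- "--dport $2"
}

# Apply only when explicitly asked (DHCP_APPLY=1 ./script.sh eth0); a plain
# run or a sourced run is a no-op so nothing touches the live firewall.
if [ "${DHCP_APPLY:-0}" = "1" ]; then
    dhcp_server_rules "${1:-eth0}"
fi
```

To see the exact rules without root, run with IPTABLES=echo; the interface restriction keeps the open ports off any other interface of the server.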
m.b.j. (Guru)
Joined: 12 Sep 2003  Posts: 407  Location: Germany (Essen)
Posted: Wed Jul 07, 2004 9:34 pm
Ok, it seems to be working now; all clients got IPs, and when the expiry times are reached they can release their IPs. Thx @all!
Other question: I'm using the ISC dhcpd server; how can I define "disable netbios" on the server, so Windows machines do not use NetBIOS? You don't have to explain to me how to set up a DHCP server; I need the configuration line in /etc/dhcp/dhcpd.conf.
splooge (l33t)
Joined: 30 Aug 2002  Posts: 636
Posted: Wed Jul 07, 2004 10:43 pm
Code:
    option netbios-node-type 1
That might work for ya.