
iptables syntax help

 
K.C. Chan
Trusted Contributor

iptables syntax help

All,
I am trying to open up DHCP, but I am in a dilemma: when I use "iptables -A FORWARD -s $OURNET --sport 68 --dport 67 -j ACCEPT" it doesn't work. But if I use "iptables -A FORWARD --sport 68 --dport 67 -j ACCEPT", it works. So how do I prevent someone from outside from trying to hack the DHCP port if I can't specify the source? I can't really set the source yet because the client doesn't have one (it's by default 0.0.0.0/24). How do I secure my DHCP server? By the way, I am just testing this and the DHCP server is on the other side of a switch.
Reputation of a thousand years can be determined by the conduct of an hour
Mike Hassell
Respected Contributor

Re: iptables syntax help

Michael,

Please clarify a bit on exactly what you are trying to do here. If you are trying to allow DHCP traffic to reach the Linux box, then you may wish to use the following:

iptables -A INPUT -i eth0 -p udp --sport 67 --dport 68 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 68 --dport 67 -j ACCEPT

Since broadcasts are not routable, you shouldn't have to worry about -s $OURNET; however, you can add your ISP's server subnet address to the input rule, e.g.:

-s 1.2.3.0/24

Please give us some more details as to how your network is configured, so we can point you in the right direction, thanks.

-Mike
The network is the computer, yeah I stole it from Sun, so what?
K.C. Chan
Trusted Contributor

Re: iptables syntax help

This is a firewall + bridge I am trying to implement. For the most part it is working, but I want to make it more secure in regards to how DHCP is filtered. Since I am only testing it, only one PC is behind the firewall. eth0 has access to the internet. eth1 is the uplink for the hub which the PC is hooked up to. Since the Linux server is the bridge and firewall, I don't think the policy "INPUT" or "OUTPUT" has any effect on it. The only policy that makes sense is "FORWARD". As I mentioned above, "iptables -A FORWARD --sport 68 --dport 67 -j ACCEPT" works. But this implicitly implies 0/0 as the source. But if I explicitly set the source to $OURNET, it doesn't work. It makes sense because initially the NIC card does not have any address assigned to it, so by default the address is 0/0 until DHCPD assigns it one. I understand why you have to do it this way to get it to work, but I am just wondering if there's another way that works and provides a little more security than this?
Reputation of a thousand years can be determined by the conduct of an hour
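One way to tighten the FORWARD rules that both posts above discuss is to match on interface and direction rather than on the client address, which does not exist yet when the client sends DHCPDISCOVER. The script below is an added example, not code from either poster: the interface names eth0 (uplink) and eth1 (LAN) follow the thread, while OURNET, DHCP_SERVER and the LOG prefixes are assumed placeholders, and "-p udp" is added because iptables requires it before --sport/--dport. IPT defaults to "echo iptables" so the rule set can be previewed without root; run it with IPT=iptables to apply.

```shell
#!/bin/sh
# Added example (not from the thread): DHCP through a bridging iptables
# firewall, restricted by interface and direction instead of by the
# not-yet-assigned client source address.
# Assumed names: eth0 = uplink side, eth1 = LAN side (as in the thread);
# OURNET and DHCP_SERVER are placeholder values from the documentation range.

IPT="${IPT:-echo iptables}"             # preview by default; IPT=iptables applies
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
OURNET="${OURNET:-192.0.2.0/24}"        # placeholder (assumed)
DHCP_SERVER="${DHCP_SERVER:-192.0.2.1}" # placeholder (assumed)

dhcp_rules() {
    # Client with no lease yet: DISCOVER/REQUEST leave the LAN side from
    # 0.0.0.0 to the limited broadcast. Only the LAN->uplink direction is
    # allowed, so a packet arriving on the uplink toward port 67 never matches.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p udp \
        -s 0.0.0.0 -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT
    # Client renewing or rebinding an existing lease: source is now an
    # address from our network (destination may be the server or broadcast).
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p udp \
        -s "$OURNET" --sport 68 --dport 67 -j ACCEPT
    # Replies (OFFER/ACK/NAK) are accepted only from the known server and
    # only toward the LAN side.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p udp \
        -s "$DHCP_SERVER" --sport 67 --dport 68 -j ACCEPT
    # Anything else aimed at the DHCP ports is logged, then dropped, so
    # spoofed servers or outside probes show up in the kernel log.
    $IPT -A FORWARD -p udp --dport 67 -j LOG --log-prefix "DHCP-SRV-DROP: "
    $IPT -A FORWARD -p udp --dport 67 -j DROP
    $IPT -A FORWARD -p udp --dport 68 -j LOG --log-prefix "DHCP-CLI-DROP: "
    $IPT -A FORWARD -p udp --dport 68 -j DROP
}

# count_rules PATTERN: number of generated rules containing PATTERN,
# useful for checking the preview before applying it.
count_rules() {
    dhcp_rules | grep -c -- "$1"
}

dhcp_rules
```

The check that matters for the original question is the direction constraint: a packet from the uplink side to port 67 arrives on eth0, so it can only match the server-reply rule (which requires --sport 67 --dport 68 from DHCP_SERVER) or the final LOG/DROP pair. On current kernels, bridged frames only traverse the iptables FORWARD chain when the br_netfilter module is loaded and net.bridge.bridge-nf-call-iptables is set to 1; if that sysctl is off, these rules are never consulted for bridged traffic.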