iptables vs dhcpd

Posted on 2001-07-22
Last Modified: 2012-05-04
I've set up a NAT firewall for a cable modem.  All works perfectly for the two machines behind the wall.  To make it easier to take a laptop to other places that use dhcp, I set up dhcpd on the firewall box.  Unfortunately, no addresses ever show up at the Win98 laptop.

Watching dhcpd on console (dhcpd -r -f eth1) reveals that the requests never show up.

Something in the firewall script is killing the incoming dhcp requests because if I comment out rc.firewall in rc.local the dhcp works perfectly.  I've searched google for other people doing the same thing, but can only find people using ipchains.

Can anyone supply a specific iptables line that would allow incoming dhcp requests only on eth1?

Digging through the iptables man page, the best I could make on my own was:

iptables -A udpincoming_packets -p UDP -i eth1 --source-port 67 -j ACCEPT

...since I thought that dhcp requests were udp type on port 67, but that doesn't work.

thanks for any help!
Question by:magarity

Expert Comment

ID: 6306399
DHCP clients send packets from ip port 68 to port 67. I'm not sure if the answer from the server comes from or its real ip.
So if you filter the packets by IP that go to the chain udpincoming_packets it will not work.

You could try to set it up this way:

# all udp packets to chain udpincoming_packets
iptables -A INPUT -p udp -j udpincoming_packets
# accept DHCP packets from IP
iptables -A udpincoming_packets -p udp \
  --source --sport 68 \
  --destination --dport 67 \
  -i eth1 -j ACCEPT
# accept DHCP packets from our network
iptables -A udpincoming_packets -p udp \
  --source --sport 68 \
  --destination --dport 67 \
  -i eth1 -j ACCEPT

Of course you could do it a bit simpler:

iptables -A udpincoming_packets -p UDP -i eth1 --source-port 68 -j ACCEPT

Author Comment

ID: 6306540
That looked promising, but didn't work.  dhcpd never reported any requests showing up.

Local network is 192.168.0.x with the linux box being  I tried a variety of modifying the second set of IPs you listed above...  I assume I should use "--source" and "--destination" or is that wrong?


Accepted Solution

ifincham earned 100 total points
ID: 6306596

Not certain on this but try these for size...

/sbin/iptables -t nat -A PREROUTING -i eth1 -p UDP -s --sport 68 --dport 67 -j ACCEPT

/sbin/iptables -A OUTPUT -o eth1 -p UDP -s --sport 67 -d --dport 68 -m state --state ESTABLISHED -j ACCEPT

/sbin/iptables -A INPUT  -i eth1 -p UDP -s --sport 68 -d --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT

/sbin/iptables -A OUTPUT -o eth1 -p UDP -s any/0 --sport 67 -d --dport 68 -m state --state ESTABLISHED -j ACCEPT

/sbin/iptables -A INPUT  -i eth1 -p UDP -s --sport 68 -d any/0 --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT



Expert Comment

ID: 6324958
Simple.  Turn on logging for all chains (-l) and check your logs to see which one is blocking dhcp.



Author Comment

ID: 6325377
Those lines made it work, thanks!

That would be the first rule that doesn't allow anything.  It's subsequent rules that change iptable's mind and let it accept a packet.

thanks all,

Expert Comment

ID: 6325907
"That would be the first rule that doesn't allow anything.  It's subsequent rules that change iptable's mind and let it accept a packet."

That is incorrect.  The linux kernel proceeds sequentially through each rule until it is finally redirected to a final result (usually using the -j argument).  The code never 'changes its mind' - once it gets a final destination for the packet (usually ACCEPT/REJECT/DENY/etc), the ruleset is finished with the packet - no chance for any change of mind later...

This is why the tool used to be called ipchains (it is a reference to the 'chainlike' iteration through the rules), although I guess they felt it needed re-naming once so much additional functionality was added.

I guess I shouldn't have assumed you'd realize that the default policies can be duplicated (and made to log) easily enough with simple rules


etc...  Information generated using the logging option in iptables rules will reveal the problem.

In any case, I'm glad you found your solution.  I'd remember the '-l' trick, if I were you - it _will_ provide the answer to solving most problems like these, or at least tell you why it's not working.
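
Added example, not part of any post in this thread: a simplified Python model of first-match rule traversal (not iptables itself), run against a constructed DHCPDISCOVER, to show why a rule on source port 67 or on a LAN source address never sees the first request and why rule order decides the outcome. The rule names, the default-drop policy and the 192.168.0.50 / 192.168.0.1 addresses are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample packets (not captured traffic). A client with no lease
# sends DHCPDISCOVER from 0.0.0.0:68 to 255.255.255.255:67 (RFC 2131).
DISCOVER = {"iface": "eth1", "proto": "udp", "src": "0.0.0.0", "sport": 68,
            "dst": "255.255.255.255", "dport": 67}
# A later renewal comes from the leased address (addresses are constructed).
RENEW = dict(DISCOVER, src="192.168.0.50", dst="192.168.0.1")

def matches(rule, pkt):
    """A rule matches only if every criterion it lists matches the packet."""
    for key, want in rule.items():
        if key in ("name", "target"):
            continue
        if key in ("src", "dst"):
            if ip_address(pkt[key]) not in ip_network(want):
                return False
        elif pkt[key] != want:
            return False
    return True

def evaluate(chain, pkt, policy="DROP"):
    """Walk the chain in order; the first matching rule decides the packet.
    Returns (verdict, deciding rule name), the detail a LOG rule would reveal."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"], rule["name"]
    return policy, "policy"  # nothing matched: assumed default-drop policy

# Hypothetical rule sets modelled on the thread (names are made up).
ASKER = [{"name": "sport-67", "iface": "eth1", "proto": "udp", "sport": 67,
          "target": "ACCEPT"}]
LAN_ONLY = [{"name": "lan-src", "iface": "eth1", "proto": "udp",
             "src": "192.168.0.0/24", "sport": 68, "dport": 67,
             "target": "ACCEPT"}]
BY_PORT = [{"name": "dhcp-in", "iface": "eth1", "proto": "udp", "sport": 68,
            "dport": 67, "target": "ACCEPT"}]
# Same accept rule, but placed after a broader terminating DROP.
SHADOWED = [{"name": "drop-udp", "proto": "udp", "target": "DROP"}] + BY_PORT

if __name__ == "__main__":
    for label, chain in [("asker", ASKER), ("lan-only", LAN_ONLY),
                         ("by-port", BY_PORT), ("shadowed", SHADOWED)]:
        print(label, evaluate(chain, DISCOVER), evaluate(chain, RENEW))
```

The LAN-only rule set accepts the renewal but not the initial DISCOVER, which is the case that leaves a new client without an address.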



Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Traceroute command on mac printing * * *** 10 79
Samba Security Improvement for Writable Directories 8 64
linux / python expert needed 3 88
Issue to mail 11 69
I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
In this video I am going to show you how to back up and restore Office 365 mailboxes using CodeTwo Backup for Office 365. Learn more about the tool used in this video here: (…
Sending a Secure fax is easy with eFax Corporate ( First, just open a new email message. In the To field, type your recipient's fax number You can even send a secure international fax — just include t…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now