Solved

DHCP Serer hardening

Posted on 2004-09-28
3
573 Views
Last Modified: 2008-03-17
I have a linux red hat server running isc dhcpd, I am questioning the ports/flags/protocols required to be open for dhcpd to work.... I have my linux box secured with iptables, however I have switched to a new iptables script and now I think some linksys routers are being effected during the dhcp process. My dhcp server serves approxiamtely 1000 ip's to a wide variety of devices. If I can rule out my new iptables changes then I can concentrate on other dhcp fail spots.

My current iptables for dhcp are:
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p udp -m udp --dport 67 -j ACCEPT

Esentiallly the only thing I have opened is udp port 67.... do you think I need tcp port 67 open or ports 68 open? Are there any other ports that would effect proper dhcpd service?

What about icmp packets? This is my current setup:
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT

Would/could improper icmp firewalled packets cause problems for dhcpd?

Any and all input would be greatly appreciated. Thanks in advance.
0
Comment
Question by:QsSnrEng
  • 2
3 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 12172820
I think that you'd want:

iptables -A INPUT -d 255.255.255.255 -i eth0 -p udp --dport 67 -j ACCEPT
iptables -A INPUT -d 255.255.255.255 -i eth0 -p udp --dport 68 -j ACCEPT
iptables -A INPUT -d 255.255.255.255 -i eth0 -p tcp --dport 67 -j ACCEPT
iptables -A INPUT -d 255.255.255.255 -i eth0 -p tcp --dport 68 -j ACCEPT

Since the request will be an all-net broadcast and any of the ports/protocols could be used. I don't believe the ICMP restrictions would be a problem.
0
 

Author Comment

by:QsSnrEng
ID: 12186682
Do you think I need to add the broadcast ip or just the ip of the ethernet card?  Does a dhcpd server listen for broadcast requests? I have had only the udp port 67 open for quite sometime without any problems, I was thinking of opening the other (67,68,tcp/udp) ports just incase. I actually tried that before making the post, I still noticed the chronic problem however.  Please respond back about the broadcast requests.
0
 
LVL 40

Accepted Solution

by:
jlevie earned 175 total points
ID: 12186771
Do you think I need to add the broadcast ip or just the ip of the ethernet card?

Yes. Since the client can't necessarily know ahead of time what the IP of the DHCP is it does an all-net broadcast of the request in the general case. I don't know that I've ever looked, but a client that has gotten a DCHP assignement in the past may direct the query to the last server it has talked to. But if that doesn't work I think it does the broadcast. Things like routers and print servers that don't have non-volatile storage allways do broadcasts on power up.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Adding Active Directory user as member of administrators in Linux 4 84
IPTables 4 148
linux, squid, exchange 14 175
Linux Login using LDAP or Active Directory 4 141
​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question