• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 756
  • Last Modified:

DHCP Serer hardening

I have a linux red hat server running isc dhcpd, I am questioning the ports/flags/protocols required to be open for dhcpd to work.... I have my linux box secured with iptables, however I have switched to a new iptables script and now I think some linksys routers are being effected during the dhcp process. My dhcp server serves approxiamtely 1000 ip's to a wide variety of devices. If I can rule out my new iptables changes then I can concentrate on other dhcp fail spots.

My current iptables for dhcp are:
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p udp -m udp --dport 67 -j ACCEPT

Esentiallly the only thing I have opened is udp port 67.... do you think I need tcp port 67 open or ports 68 open? Are there any other ports that would effect proper dhcpd service?

What about icmp packets? This is my current setup:
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT

Would/could improper icmp firewalled packets cause problems for dhcpd?

Any and all input would be greatly appreciated. Thanks in advance.
0
QsSnrEng
Asked:
QsSnrEng
  • 2
1 Solution
 
jlevieCommented:
I think that you'd want:

iptables -A INPUT -d 255.255.255.255 -i eth0 -p udp --dport 67 -j ACCEPT
iptables -A INPUT -d 255.255.255.255 -i eth0 -p udp --dport 68 -j ACCEPT
iptables -A INPUT -d 255.255.255.255 -i eth0 -p tcp --dport 67 -j ACCEPT
iptables -A INPUT -d 255.255.255.255 -i eth0 -p tcp --dport 68 -j ACCEPT

Since the request will be an all-net broadcast and any of the ports/protocols could be used. I don't believe the ICMP restrictions would be a problem.
0
 
QsSnrEngAuthor Commented:
Do you think I need to add the broadcast ip or just the ip of the ethernet card?  Does a dhcpd server listen for broadcast requests? I have had only the udp port 67 open for quite sometime without any problems, I was thinking of opening the other (67,68,tcp/udp) ports just incase. I actually tried that before making the post, I still noticed the chronic problem however.  Please respond back about the broadcast requests.
0
 
jlevieCommented:
Do you think I need to add the broadcast ip or just the ip of the ethernet card?

Yes. Since the client can't necessarily know ahead of time what the IP of the DHCP is it does an all-net broadcast of the request in the general case. I don't know that I've ever looked, but a client that has gotten a DCHP assignement in the past may direct the query to the last server it has talked to. But if that doesn't work I think it does the broadcast. Things like routers and print servers that don't have non-volatile storage allways do broadcasts on power up.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now