Solved

DHCP Server hardening

Posted on 2004-09-28
Last Modified: 2008-03-17
I have a Linux Red Hat server running ISC dhcpd. I am questioning the ports/flags/protocols required to be open for dhcpd to work.... I have my Linux box secured with iptables; however, I have switched to a new iptables script and now I think some Linksys routers are being affected during the DHCP process. My DHCP server serves approximately 1000 IPs to a wide variety of devices. If I can rule out my new iptables changes then I can concentrate on other DHCP fail spots.

My current iptables for dhcp are:
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p udp -m udp --dport 67 -j ACCEPT

Essentially the only thing I have opened is UDP port 67.... do you think I need TCP port 67 open or port 68 open? Are there any other ports that would affect proper dhcpd service?

What about icmp packets? This is my current setup:
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT

Would/could improperly firewalled ICMP packets cause problems for dhcpd?

Any and all input would be greatly appreciated. Thanks in advance.
Question by:QsSnrEng
3 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 12172820
I think that you'd want:

iptables -A INPUT -d 255.255.255.255 -i eth0 -p udp --dport 67 -j ACCEPT
iptables -A INPUT -d 255.255.255.255 -i eth0 -p udp --dport 68 -j ACCEPT
iptables -A INPUT -d 255.255.255.255 -i eth0 -p tcp --dport 67 -j ACCEPT
iptables -A INPUT -d 255.255.255.255 -i eth0 -p tcp --dport 68 -j ACCEPT

Since the request will be an all-net broadcast, any of the ports/protocols could be used. I don't believe the ICMP restrictions would be a problem.
 

Author Comment

by:QsSnrEng
ID: 12186682
Do you think I need to add the broadcast IP or just the IP of the ethernet card? Does a dhcpd server listen for broadcast requests? I have had only UDP port 67 open for quite some time without any problems; I was thinking of opening the other (67, 68, TCP/UDP) ports just in case. I actually tried that before making the post, but I still noticed the chronic problem. Please respond back about the broadcast requests.
 
LVL 40

Accepted Solution

by:
jlevie earned 175 total points
ID: 12186771
Do you think I need to add the broadcast ip or just the ip of the ethernet card?

Yes. Since the client can't necessarily know ahead of time what the IP of the DHCP server is, it does an all-net broadcast of the request in the general case. I don't know that I've ever looked, but a client that has gotten a DHCP assignment in the past may direct the query to the last server it has talked to. But if that doesn't work I think it does the broadcast. Things like routers and print servers that don't have non-volatile storage always do broadcasts on power up.
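The accepted answer's point, that an initial DHCPDISCOVER is addressed to 255.255.255.255 rather than to the server's own address, can be checked against a rule set before touching a production firewall. The following is an added example, not code from the question or the answers: a small first-match evaluator for the subset of iptables INPUT syntax used in this thread, run over constructed DHCP traffic. The server address 192.0.2.10, the client 192.0.2.50 and the relay 192.0.2.1 are assumed stand-ins for the xxx.xxx.xxx.xxx in the question. The "hardened" rule set keeps UDP port 67 only (DHCP is carried over UDP per RFC 2131, so TCP 67/68 rules never match anything) but accepts it for both the broadcast and the unicast destination, and deliberately does not pin the source port, because a DHCP relay agent on a router sends from port 67, not 68. One caveat: ISC dhcpd on Linux normally reads DHCP frames through a raw (LPF) socket, which netfilter's INPUT chain does not govern, so this simulator reasons about the rules themselves, not about what the daemon will ultimately see.

```python
"""Evaluate a few iptables INPUT rules against constructed DHCP packets.

Added example; supports only the options that appear in this thread
(-A, -i, -p, -s, -d, -m, --sport, --dport, --icmp-type, -j).
"""
import shlex
from dataclasses import dataclass

SERVER_IP = "192.0.2.10"        # constructed stand-in for xxx.xxx.xxx.xxx
BROADCAST = "255.255.255.255"   # all-net broadcast used by DHCPDISCOVER

# Options that take exactly one argument.
ONE_ARG = ("-A", "-d", "-s", "-i", "-p", "-j", "-m",
           "--dport", "--sport", "--icmp-type")


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str          # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1


def parse_rule(line):
    """Turn '-A INPUT -d X -i eth0 -p udp -m udp --dport 67 -j ACCEPT' into a dict."""
    toks = shlex.split(line)
    if toks and toks[0] == "iptables":      # accept the 'iptables -A ...' form too
        toks = toks[1:]
    rule = {}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok not in ONE_ARG or i + 1 >= len(toks):
            raise ValueError(f"unsupported or dangling token {tok!r} in {line!r}")
        if tok != "-m":   # '-m udp' / '-m icmp' only enable the port/type options
            rule[tok] = toks[i + 1]
        i += 2
    return rule


def rule_matches(rule, pkt):
    """A rule matches when every selector it specifies equals the packet field."""
    checks = [("-i", pkt.iface), ("-p", pkt.proto), ("-s", pkt.src), ("-d", pkt.dst),
              ("--sport", str(pkt.sport)), ("--dport", str(pkt.dport)),
              ("--icmp-type", str(pkt.icmp_type))]
    return all(rule.get(opt) in (None, val) for opt, val in checks)


def evaluate(rules, pkt, policy="DROP"):
    """First matching INPUT rule wins; otherwise the chain policy applies."""
    for rule in rules:
        if rule.get("-A") == "INPUT" and rule_matches(rule, pkt):
            return rule["-j"]
    return policy


# Constructed traffic a DHCP server on eth0 would see.
TRAFFIC = {
    "discover_broadcast": Packet("eth0", "udp", "0.0.0.0", BROADCAST, 68, 67),
    "renew_unicast":      Packet("eth0", "udp", "192.0.2.50", SERVER_IP, 68, 67),
    "relay_unicast":      Packet("eth0", "udp", "192.0.2.1", SERVER_IP, 67, 67),
    "ping":               Packet("eth0", "icmp", "192.0.2.50", SERVER_IP, icmp_type=8),
}

# The question's rules, with the server address filled in.
ORIGINAL_RULES = [
    f"-A INPUT -d {SERVER_IP} -i eth0 -p udp -m udp --dport 67 -j ACCEPT",
    f"-A INPUT -d {SERVER_IP} -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT",
]

# UDP 67 only, but for both destinations; no --sport so relay agents (port 67) pass.
HARDENED_RULES = [
    f"-A INPUT -d {BROADCAST} -i eth0 -p udp -m udp --dport 67 -j ACCEPT",
    f"-A INPUT -d {SERVER_IP} -i eth0 -p udp -m udp --dport 67 -j ACCEPT",
    f"-A INPUT -d {SERVER_IP} -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT",
]


def verdicts(rule_lines, policy="DROP"):
    """Map each constructed packet name to the verdict the rule set gives it."""
    rules = [parse_rule(line) for line in rule_lines]
    return {name: evaluate(rules, pkt, policy) for name, pkt in TRAFFIC.items()}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("hardened", HARDENED_RULES)):
        print(label, verdicts(rules))
```

Run stand-alone it prints one verdict map per rule set; with a default DROP policy the original rules drop the broadcast DHCPDISCOVER while accepting unicast renewals, which is exactly the pattern where long-leased clients keep working and freshly powered-on routers do not.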
