Solved

DHCP Serer hardening

Posted on 2004-09-28
3
581 Views
Last Modified: 2008-03-17
I have a linux red hat server running isc dhcpd, I am questioning the ports/flags/protocols required to be open for dhcpd to work.... I have my linux box secured with iptables, however I have switched to a new iptables script and now I think some linksys routers are being effected during the dhcp process. My dhcp server serves approxiamtely 1000 ip's to a wide variety of devices. If I can rule out my new iptables changes then I can concentrate on other dhcp fail spots.

My current iptables for dhcp are:
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p udp -m udp --dport 67 -j ACCEPT

Esentiallly the only thing I have opened is udp port 67.... do you think I need tcp port 67 open or ports 68 open? Are there any other ports that would effect proper dhcpd service?

What about icmp packets? This is my current setup:
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT

Would/could improper icmp firewalled packets cause problems for dhcpd?

Any and all input would be greatly appreciated. Thanks in advance.
0
Comment
Question by:QsSnrEng
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 12172820
I think that you'd want:

iptables -A INPUT -d 255.255.255.255 -i eth0 -p udp --dport 67 -j ACCEPT
iptables -A INPUT -d 255.255.255.255 -i eth0 -p udp --dport 68 -j ACCEPT
iptables -A INPUT -d 255.255.255.255 -i eth0 -p tcp --dport 67 -j ACCEPT
iptables -A INPUT -d 255.255.255.255 -i eth0 -p tcp --dport 68 -j ACCEPT

Since the request will be an all-net broadcast and any of the ports/protocols could be used. I don't believe the ICMP restrictions would be a problem.
0
 

Author Comment

by:QsSnrEng
ID: 12186682
Do you think I need to add the broadcast ip or just the ip of the ethernet card?  Does a dhcpd server listen for broadcast requests? I have had only the udp port 67 open for quite sometime without any problems, I was thinking of opening the other (67,68,tcp/udp) ports just incase. I actually tried that before making the post, I still noticed the chronic problem however.  Please respond back about the broadcast requests.
0
 
LVL 40

Accepted Solution

by:
jlevie earned 175 total points
ID: 12186771
Do you think I need to add the broadcast ip or just the ip of the ethernet card?

Yes. Since the client can't necessarily know ahead of time what the IP of the DHCP is it does an all-net broadcast of the request in the general case. I don't know that I've ever looked, but a client that has gotten a DCHP assignement in the past may direct the query to the last server it has talked to. But if that doesn't work I think it does the broadcast. Things like routers and print servers that don't have non-volatile storage allways do broadcasts on power up.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Fail2ban says an IP is banned, but not 12 140
NMAP shows service 1521 is closed 13 109
I am not sure how to read what this IP tables statement means 2 133
lunix and unix command 21 116
Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
Fine Tune your automatic Updates for Ubuntu / Debian
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question