Solved

DHCP Server hardening

Posted on 2004-09-28
609 Views
Last Modified: 2008-03-17
I have a Linux Red Hat server running ISC dhcpd, and I am questioning the ports/flags/protocols required to be open for dhcpd to work.... I have my Linux box secured with iptables; however, I have switched to a new iptables script and now I think some Linksys routers are being affected during the DHCP process. My DHCP server serves approximately 1000 IPs to a wide variety of devices. If I can rule out my new iptables changes then I can concentrate on other DHCP fail spots.

My current iptables for dhcp are:
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p udp -m udp --dport 67 -j ACCEPT

Essentially the only thing I have opened is UDP port 67.... do you think I need TCP port 67 open or port 68 open? Are there any other ports that would affect proper dhcpd service?

What about icmp packets? This is my current setup:
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -d xxx.xxx.xxx.xxx -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT

Would/could improperly firewalled ICMP packets cause problems for dhcpd?

Any and all input would be greatly appreciated. Thanks in advance.
3 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 12172820
I think that you'd want:

iptables -A INPUT -d 255.255.255.255 -i eth0 -p udp --dport 67 -j ACCEPT
iptables -A INPUT -d 255.255.255.255 -i eth0 -p udp --dport 68 -j ACCEPT
iptables -A INPUT -d 255.255.255.255 -i eth0 -p tcp --dport 67 -j ACCEPT
iptables -A INPUT -d 255.255.255.255 -i eth0 -p tcp --dport 68 -j ACCEPT

Since the request will be an all-net broadcast and any of the ports/protocols could be used. I don't believe the ICMP restrictions would be a problem.
 

Author Comment

by:QsSnrEng
ID: 12186682
Do you think I need to add the broadcast IP or just the IP of the Ethernet card? Does a dhcpd server listen for broadcast requests? I have had only UDP port 67 open for quite some time without any problems; I was thinking of opening the other (67, 68, TCP/UDP) ports just in case. I actually tried that before making the post, but I still noticed the chronic problem. Please respond back about the broadcast requests.
 
LVL 40

Accepted Solution

by: jlevie (earned 175 total points)
ID: 12186771
> Do you think I need to add the broadcast IP or just the IP of the Ethernet card?

Yes. Since the client can't necessarily know ahead of time what the IP of the DHCP server is, it does an all-net broadcast of the request in the general case. I don't know that I've ever looked, but a client that has gotten a DHCP assignment in the past may direct the query to the last server it has talked to. But if that doesn't work I think it does the broadcast. Things like routers and print servers that don't have non-volatile storage always do broadcasts on power up.
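The accepted answer's point, that a fresh client broadcasts to 255.255.255.255 while a renewing client unicasts to the server, is what decides which iptables rules are needed. The script below is an added example, not code from the thread or from ISC; it generates the rule set for review instead of loading it blindly, and adds the relay-agent case (a router forwarding requests with a helper address) that the thread does not cover. The interface and addresses (eth0, 192.0.2.1, 192.0.2.254) are placeholders, and DHCP is carried over UDP only, so no TCP rule is produced.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds the iptables INPUT/OUTPUT
# rules ISC dhcpd needs so they can be reviewed before loading. Interface and
# address names (eth0, 192.0.2.1, 192.0.2.254) are placeholders.
#
# DHCP is UDP only (server port 67, client port 68). A client without a lease
# sends from 0.0.0.0:68 to 255.255.255.255:67, so a rule that matches only the
# server's own address never sees DISCOVER. A client renewing its lease sends
# unicast to the server address. A relay agent forwards requests unicast to the
# server with source port 67. No TCP rule is needed.

# dhcp_rules IFACE SERVER_IP [RELAY_IP ...]
# Prints the rules on stdout; pipe to sh to load them.
dhcp_rules() {
    iface="$1"; server_ip="$2"; shift 2
    # broadcast and unicast requests straight from clients
    for dst in 255.255.255.255 "$server_ip"; do
        printf 'iptables -A INPUT -i %s -d %s -p udp --sport 68 --dport 67 -j ACCEPT\n' \
            "$iface" "$dst"
    done
    # requests forwarded by relay agents, one rule per relay address
    for relay in "$@"; do
        printf 'iptables -A INPUT -i %s -s %s -d %s -p udp --sport 67 --dport 67 -j ACCEPT\n' \
            "$iface" "$relay" "$server_ip"
    done
    # dhcpd's OFFER/ACK go to 255.255.255.255:68 or the client's address:68;
    # only needed if the OUTPUT chain is not default ACCEPT
    printf 'iptables -A OUTPUT -o %s -p udp --sport 67 --dport 68 -j ACCEPT\n' "$iface"
}

# dhcp_rule_ok RULE: exit 0 if a single iptables rule line is one that DHCP
# traffic can actually match, 1 otherwise (TCP, or a dport other than 67/68).
dhcp_rule_ok() {
    case "$1" in
        *"-p tcp"*) return 1 ;;
        *"--dport 67"*|*"--dport 68"*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Load with `dhcp_rules eth0 192.0.2.1 | sh` after reading the output, and confirm what actually reaches the interface with `tcpdump -ni eth0 udp port 67 or udp port 68`; a DISCOVER shows up as 0.0.0.0.68 > 255.255.255.255.67. One caveat when interpreting the result: on Linux, ISC dhcpd receives requests on a raw packet socket, which sees frames before the INPUT chain filters them, which is one reason a rule naming only the server's unicast address can appear to work. The rules above still describe the traffic correctly and matter for any firewall that is not on the dhcpd host itself.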