I am wondering what is the correct way to restrict connections to the
dhcp server to come only from trusted subnets assuming that I don't
have administrative access to the routers and the server connects
directly to all trusted subnets. I am trying to use these rules:

iptables -A INPUT -s 0.0.0.0/32 -d 0/0 -p tcp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/32 -d 0/0 -p udp --sport 68 --dport 67 -j ACCEPT

(later on, everything else is denied)

I have used 0.0.0.0 because it looks like this is the IP address that
the dhcp clients use before they have gotten a valid IP address.  The
dhcp server needs to respond to requests that come only from the
subnets that it connects to directly.  My question is, is it possible
for an attacker who comes from outside of the trusted subnets to which
the dhcp server connects directly to spoof the IP source address to look
like 0.0.0.0 in order to run an exploit on dhcpd? If yes, how can I
prevent this?


-akop

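Added example, not part of akop's post or of any reply on the list: a small POSIX sh generator for an iptables ruleset that keys DHCP acceptance on the ingress interface and the attached subnet rather than on the source address alone. A source address of 0.0.0.0 is trivially spoofable, but a client that has no lease sends DHCPDISCOVER/DHCPREQUEST to the limited broadcast 255.255.255.255, which routers never forward, so requiring that destination together with the interface pins those packets to on-link senders; renewals arrive unicast from an address inside the attached subnet. DHCP is UDP only (RFC 2131), so the TCP rule in the post does nothing. The interface names and subnets (eth1, eth2, 192.0.2.0/24, 198.51.100.0/24) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Generates iptables commands that
# accept DHCP only from directly attached trusted subnets. Interface names and
# subnets are assumptions for illustration.

# dhcp_rules IFACE:SUBNET [IFACE:SUBNET ...]
# Prints one iptables command per line. Two client states are covered on each
# trusted interface:
#  1. no lease yet: src 0.0.0.0, dst 255.255.255.255 (limited broadcast, never
#     forwarded by a router, so it can only have originated on that link)
#  2. renewing/rebinding: src inside the attached subnet (unicast or broadcast)
# DHCP is UDP only (RFC 2131), so no TCP rule is emitted.
dhcp_rules() {
    for pair in "$@"; do
        ifc=${pair%%:*}
        net=${pair#*:}
        echo "iptables -A INPUT -i $ifc -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp --sport 68 --dport 67 -j ACCEPT"
        echo "iptables -A INPUT -i $ifc -s $net -p udp --sport 68 --dport 67 -j ACCEPT"
    done
    # Anything else aimed at the DHCP port, including a spoofed 0.0.0.0 source
    # that arrived unicast through a router, is logged and dropped explicitly
    # rather than left to the default policy, so the attempts are visible.
    echo "iptables -A INPUT -p udp --dport 67 -j LOG --log-prefix 'dhcp-drop: '"
    echo "iptables -A INPUT -p udp --dport 67 -j DROP"
}

# dhcp_accept_count IFACE:SUBNET ...
# Number of ACCEPT rules the generator emits (two per trusted interface); a
# quick sanity check before the commands are fed to a root shell.
dhcp_accept_count() {
    dhcp_rules "$@" | grep -c -- '-j ACCEPT'
}

# Usage, with hypothetical interfaces and subnets (run the output as root):
#   dhcp_rules eth1:192.0.2.0/24 eth2:198.51.100.0/24 | sh
```

One caveat before relying on this: ISC dhcpd on Linux normally receives client packets through a packet socket (its LPF backend), and netfilter INPUT rules do not filter what a packet socket sees. The rules above still protect other listeners on UDP 67 and give you logging, but to keep dhcpd itself from seeing packets from an untrusted link, also start it with only the trusted interface names on its command line so it never opens the others.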