> > I am wondering what is the correct way to restrict connections to the
> > dhcp server to come only from trusted subnets assuming that I don't
> > have administrative access to the routers and the server connects
> > directly to all trusted subnets. I am trying to use these rules:

I generally create a 'sanity' chain on my input ruleset that gets run
first. It would look something like this:

UNTRUST_IF=eth0
BAD="-j DROP"        # what to do with a packet from a bad source
#BAD="-j REJECT"

iptables -N sanity

# Run everything arriving on the untrusted interface through 'sanity' first.
iptables -I INPUT -i ${UNTRUST_IF}           -j sanity
iptables -I FORWARD -i ${UNTRUST_IF}         -j sanity

# Source addresses that should never show up on the untrusted side.
iptables -A sanity -s 0.0.0.0/32             ${BAD}
iptables -A sanity -s 10.0.0.0/8             ${BAD}
iptables -A sanity -s 172.16.0.0/12          ${BAD}
iptables -A sanity -s 192.168.0.0/16         ${BAD}
iptables -A sanity -s 224.0.0.0/8            ${BAD}
...
# Anything not matched above goes back to the calling chain.
iptables -A sanity                           -j RETURN
...


(This is obviously not a whole ruleset, and I know the 224 with /8 mask is
wrong; I don't recall off the top of my head what the real range is for
that). Using a ruleset such as this would help prevent some of those
spoofing attacks.

A few notes on how you might elaborate on this: fix the 224 netmask, add
some limits to prevent ping/syn/whatever floods (do something like
'iptables -p icmp -m limit -j ACCEPT;iptables -p icmp -j DROP').

Hopefully that will give you a few ideas...


--brian
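
The sanity chain described above, reworked as an added example (not Brian's
script and not from the original mail): the multicast range is corrected to
224.0.0.0/4, loopback and link-local are added, and DHCP (UDP/67) is accepted
only on interfaces facing the trusted subnets, which answers the original
question. The interface names and trusted subnets are assumptions; setting
IPT=echo prints the rules instead of applying them, so it can be dry-run
without root.

```shell
#!/bin/sh
# Added example: hardened 'sanity' chain plus DHCP restriction.
# IPT=echo gives a dry run; the interface names below are assumptions.
IPT="${IPT:-iptables}"
UNTRUST_IF="${UNTRUST_IF:-eth0}"        # assumed untrusted interface
TRUST_IFS="${TRUST_IFS:-eth1 eth2}"     # assumed interfaces on trusted subnets
BAD="-j DROP"

# Source ranges that must never arrive on the untrusted interface.
# 224.0.0.0/4 is the real multicast range (the mail's /8 was too narrow).
bogons() {
    cat <<EOF
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.168.0.0/16
224.0.0.0/4
EOF
}

# Build the sanity chain and hook it in front of INPUT and FORWARD.
# Note: DHCP DISCOVER packets come from source 0.0.0.0, so this chain is
# attached only to the untrusted interface, never to the DHCP-serving ones.
sanity_rules() {
    $IPT -N sanity
    $IPT -I INPUT   -i "$UNTRUST_IF" -j sanity
    $IPT -I FORWARD -i "$UNTRUST_IF" -j sanity
    for net in $(bogons); do
        $IPT -A sanity -s "$net" $BAD
    done
    $IPT -A sanity -j RETURN
}

# Accept DHCP server traffic (UDP/67) only on trusted interfaces, drop it
# everywhere else. Interface matching is used because DHCP is link-local.
dhcp_rules() {
    for ifc in $TRUST_IFS; do
        $IPT -A INPUT -i "$ifc" -p udp --dport 67 -j ACCEPT
    done
    $IPT -A INPUT -p udp --dport 67 -j DROP
}

sanity_rules
dhcp_rules
```

One caveat: a DHCP server that reads via packet sockets (ISC dhcpd on Linux does) sees frames before netfilter, so the INPUT rule limits what the kernel stack delivers but is not by itself a complete control for such a server.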
