Brian <[EMAIL PROTECTED]> writes:

> > > I am wondering what is the correct way to restrict connections to the
> > > dhcp server to come only from trusted subnets assuming that I don't
> > > have administrative access to the routers and the server connects
> > > directly to all trusted subnets. I am trying to use these rules:
> >
> > I generally create a 'sanity' chain on my input ruleset that gets run
> > first. It would look something like this:

[...]

> iptables -A sanity -s 0.0.0.0/32 ${BAD}

This will break DHCP.

Akop, filtering Martian packets is standard security practice; you could ask whoever does maintain your router if they already have them (specifically against packets with a source or destination address of 0.0.0.0) and, if not, to add them. This is recommended (and described well) in the NSA's guidelines for securing a Cisco router (google for it), and your network admins really should be doing it, whether there are DHCP servers on it or not.

You could also try filtering by MAC address. Anything from the Internet will have a MAC address of one of your routers, so if you can find their MAC addresses (use "/sbin/arp -a") you can make a filter to drop those packets with iptables. The downside is that if the router maintainer replaces hardware and the MAC address changes, or adds a new router, your filters break...

You could also try asking on the mailing list for your DHCP server; this seems to me like a common problem that somebody with better knowledge of DHCP than us would have figured out. Also, comp.protocols.tcp-ip tends to have a lot of gurus who hang out in it and may have a better solution for you, or a reason why a better solution isn't necessary.

-----ScottG.
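As an added example (not from the thread and not any poster's own ruleset), the script below shows a 'sanity' chain that keeps the Martian drops but exempts DHCP first, so the quoted `-s 0.0.0.0/32` drop no longer kills client DISCOVER/REQUEST broadcasts, which arrive as UDP 68 -> 67 with source 0.0.0.0. It also includes the MAC-based drop for DHCP arriving via the router. The interface names (eth0 untrusted, eth1/eth2 trusted), the variable names, the `ROUTER_MAC` value and the `apply`/`preview` arguments are assumptions made for this example; the iptables options used (`-m mac --mac-source`, `-I INPUT 1`, `-p udp --dport 67`) are standard iptables.

```shell
#!/bin/sh
# Added example (not part of the thread): a 'sanity' chain that drops Martian
# source addresses but lets DHCP through on trusted interfaces.
# A DHCP client without a lease sends DISCOVER/REQUEST as UDP 68 -> 67 with
# source 0.0.0.0 and destination 255.255.255.255, so any drop of 0.0.0.0
# (as in the quoted rule) must be preceded by an exemption for that traffic.
#
# Assumed layout (placeholders, not from the original message):
#   eth0       faces the router(s) / Internet; no DHCP service wanted here
#   eth1 eth2  trusted subnets the DHCP server serves directly
#   ROUTER_MAC optional MAC of the upstream router, to drop DHCP arriving via it
IPT="${IPT:-iptables}"                  # set IPT="echo iptables" to preview
TRUSTED_IFACES="${TRUSTED_IFACES:-eth1 eth2}"
UNTRUSTED_IFACE="${UNTRUSTED_IFACE:-eth0}"
ROUTER_MAC="${ROUTER_MAC:-}"            # e.g. 00:00:5e:00:53:01 (documentation MAC, placeholder)

# Builds the chain. Rule order matters: loopback and DHCP exemptions first,
# then drops, then RETURN so the rest of INPUT still applies.
build_sanity_rules() {
    $IPT -N sanity

    # 0. Loopback traffic legitimately carries 127.0.0.0/8 sources; skip it.
    $IPT -A sanity -i lo -j RETURN

    # 1. DHCP to the server (UDP dport 67) from the trusted subnets, including
    #    the 0.0.0.0-sourced client broadcasts, is accepted here before any
    #    Martian rule can see it.
    for iface in $TRUSTED_IFACES; do
        $IPT -A sanity -i "$iface" -p udp --dport 67 -j ACCEPT
    done

    # 2. DHCP from the untrusted side is dropped outright; optionally also any
    #    port-67 packet whose source MAC is the router's (the MAC-based idea
    #    from the thread; it breaks if the router hardware is replaced).
    $IPT -A sanity -i "$UNTRUSTED_IFACE" -p udp --dport 67 -j DROP
    if [ -n "$ROUTER_MAC" ]; then
        $IPT -A sanity -m mac --mac-source "$ROUTER_MAC" -p udp --dport 67 -j DROP
    fi

    # 3. Martians: 0.0.0.0/8 (covers the quoted /32) and loopback space are
    #    never a valid source on a non-lo interface now that DHCP is handled.
    for net in 0.0.0.0/8 127.0.0.0/8; do
        $IPT -A sanity -s "$net" -j DROP
    done
    # RFC 1918 and multicast-as-source are dropped only on the untrusted
    # interface, since the trusted subnets may legitimately use private space.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4; do
        $IPT -A sanity -i "$UNTRUSTED_IFACE" -s "$net" -j DROP
    done

    # 4. Everything else returns to the normal INPUT rules.
    $IPT -A sanity -j RETURN
    # Run the sanity chain before anything else in INPUT.
    $IPT -I INPUT 1 -j sanity
}

case "${1:-}" in
    apply)   build_sanity_rules ;;
    preview) IPT="echo iptables"; build_sanity_rules ;;
    *)       echo "usage: $0 apply|preview" >&2 ;;
esac
```

`sh sanity.sh preview` prints the rules in the order they would be added, which is the part worth checking: the trusted-interface ACCEPT for port 67 has to sit above the 0.0.0.0/8 DROP, and the RFC 1918 drops are deliberately scoped to the untrusted interface so that private addressing on the served subnets keeps working.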