Brian <[EMAIL PROTECTED]> writes:

> > > I am wondering what is the correct way to restrict connections to the
> > > dhcp server to come only from trusted subnets assuming that I don't
> > > have administrative access to the routers and the server connects
> > > directly to all trusted subnets. I am trying to use these rules:
> 
> I generally create a 'sanity' chain on my input ruleset that gets run
> first. It would look something like this:

[...]

> iptables -A sanity -s 0.0.0.0/32             ${BAD}

This will break DHCP.

Akop, filtering Martian packets is standard security practice; you
could ask whoever does maintain your router if they already have them
(specifically against packets with a source or destination address of
0.0.0.0) and if not to add them.  This is recommended (and described
well) in the NSA's guidelines for securing a Cisco router (google for
it), and your network admins really should be doing it, whether there
are DHCP servers on it or not.

You could also try filtering by MAC address.  Anything from the
Internet will have a MAC address of one of your routers, so if you can
find their MAC addresses (use "/sbin/arp -a") you can make a filter to
drop those packets with iptables.  The downside is that if the router
maintainer replaces hardware and the MAC address changes, or adds a
new router, your filters break...

You could also try asking in the mailing list for your DHCP server;
this seems to me like a common problem that somebody with better
knowledge of DHCP than us would have figured out.  Also,
comp.protocols.tcp-ip tends to have a lot of gurus who hang out in it
and may have a better solution for you, or a reason why a better
solution isn't necessary.

-----ScottG.
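What the warning above implies for the 'sanity' chain, as an added example that is not code from this thread: the DHCP requests that legitimately carry a 0.0.0.0 source are accepted on the directly attached trusted interfaces before the martian drop, and traffic that arrived via a router's MAC is dropped for the DHCP port. The interface names, the router MAC and the BAD target are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread. IPT defaults to "echo iptables" so the
# rules can be reviewed without root; run with IPT=iptables to apply them.
IPT=${IPT:-"echo iptables"}
TRUSTED_IFACES=${TRUSTED_IFACES:-"eth1 eth2"}      # assumed: server's LAN ports
ROUTER_MACS=${ROUTER_MACS:-"00:11:22:33:44:55"}     # assumed: taken from /sbin/arp -a
BAD=${BAD:-"-j DROP"}

build_sanity_chain() {
    $IPT -N sanity
    # A client without a lease sends DHCPDISCOVER/DHCPREQUEST as
    # 0.0.0.0:68 -> 255.255.255.255:67 (UDP). Accept that on the trusted
    # interfaces BEFORE the martian drop, or the server never sees it.
    for ifc in $TRUSTED_IFACES; do
        $IPT -A sanity -i "$ifc" -p udp --sport 68 --dport 67 -j ACCEPT
    done
    # Everything else claiming a 0.0.0.0 source is a martian.
    $IPT -A sanity -s 0.0.0.0/32 $BAD
    # Frames forwarded by a router carry the router's MAC as source, so
    # DHCP traffic from those MACs did not come from a directly attached
    # client. (This also drops relayed DHCP, which the asker does not use;
    # the rule breaks if the router hardware or MAC changes.)
    for mac in $ROUTER_MACS; do
        $IPT -A sanity -m mac --mac-source "$mac" -p udp --dport 67 $BAD
    done
    # Run the sanity chain first on INPUT.
    $IPT -A INPUT -j sanity
}
```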