iptables and DHCP


bitwise (Programmer, US), Mar 15, 2001
What is a good way to allow a router to request an IP from a DHCP server, and block external machines from requesting an IP from the DHCP server that the router is running to provide IPs for the local network? Is this sufficient?

$IPTABLES -A INPUT -i $EXTERNAL -p udp --sport 67 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL -p udp --dport 67 -j DROP

Thanks,
-bitwise
 
Broadcasts are not routed (by default).
If you have a directly attached client connected via switch/hub/cable, etc..to your physically separate internal interface and it pops up saying 255.255.255.255 I need an address.....
It's not going out your external interface unless you are making it behave that way by explicit forwarding of this traffic.
Could you perhaps explain your configuration in a little more detail?
 
I have a router/firewall that is connected to one switch that provides internet access, etc. to the LAN. Getting an IP address via DHCP on the router works fine, and getting an IP address from the router when you plug a computer into the switch works fine as well. Now, assuming the rest of my router/firewall configuration is relatively secure, which I feel is pretty good, I'm just wondering if I should take any extra precautions regarding DHCP requests from external machines to my router? I don't know how DHCP fully works. I know enough to set up a DHCP server and configure it according to my network, but not much else.

Thanks,
-bitwise
 
marsd's point is that routers don't pass broadcasts, including DHCP requests. If someone targeted your router to obtain bogus addresses, and they filled your leases tables, it would be a type of DOS, but it's a stretch...

A firewall doesn't allow incoming packets at all unless it's been told to. By default, only responses to established outbound connections are permitted. Unless you've changed that behaviour, I don't think there's anything else to do.
 
Ok, I guess I'm alright then.

Thanks again guys,
-bitwise
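As an added example (not from any poster in this thread), here is a rule set for the situation described: the router is a DHCP client on its external interface and a DHCP server only for the LAN. DHCP clients send from UDP 68 to UDP 67 and servers answer 67 to 68, so the two roles are told apart by port pair and interface; the interface names eth0/eth1 are assumptions, and the variable names follow the question.

```shell
#!/bin/sh
# Added example: DHCP filtering for a Linux router that is a DHCP client on the
# outside and a DHCP server on the inside. Interface names are assumptions.
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES="echo iptables" for a dry run
EXTERNAL="${EXTERNAL:-eth0}"       # assumed ISP-facing interface
INTERNAL="${INTERNAL:-eth1}"       # assumed LAN-facing interface

dhcp_rules() {
    # Router as DHCP client on the outside: it sends from udp/68 to udp/67
    # (broadcast at first, unicast on renewal) and the server answers 67 -> 68.
    $IPTABLES -A OUTPUT -o "$EXTERNAL" -p udp --sport 68 --dport 67 -j ACCEPT
    $IPTABLES -A INPUT -i "$EXTERNAL" -p udp --sport 67 --dport 68 -j ACCEPT

    # Router as DHCP server for the LAN only: the mirrored exchange is
    # accepted exclusively on the internal interface.
    $IPTABLES -A INPUT -i "$INTERNAL" -p udp --sport 68 --dport 67 -j ACCEPT
    $IPTABLES -A OUTPUT -o "$INTERNAL" -p udp --sport 67 --dport 68 -j ACCEPT

    # Anything aimed at the DHCP server port from outside is logged (rate
    # limited so a flood cannot fill the log) and then dropped.
    $IPTABLES -A INPUT -i "$EXTERNAL" -p udp --dport 67 -m limit --limit 3/min \
        -j LOG --log-prefix "DHCP-EXT-DROP: "
    $IPTABLES -A INPUT -i "$EXTERNAL" -p udp --dport 67 -j DROP
}

# Apply only when explicitly requested, so sourcing the file is harmless.
if [ "${APPLY_DHCP_RULES:-no}" = "yes" ]; then
    dhcp_rules
fi
```

Note that on Linux both ISC dhcpd and dhclient use packet sockets, which see traffic before netfilter does, so these rules are a second line of defence rather than a complete one; starting dhcpd with only the internal interface name on its command line is the more reliable way to keep it off the external side.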
 