Re: Firewalling a DHCP client the Right Way (TM)
On 29 Mar 2002 12:24:37 +0900
Olaf Meeuwissen <olaf@epkowa.co.jp> wrote:
> Dear .debs,
>
> I have a DHCP client that receives a lot of its networking information
> from our DHCP servers. Things like routers, mail and name servers. I
> would like to put an iptables based packet filtering firewall on this
> client that by default drops everything unless explicitly allowed.
>
> I set the default policy through a script in /etc/network/if-pre-up.d/
> and add logging of everything that is dropped as a result of policy by
> means of a script in /etc/network/if-up.d/. So far no problems.
>
> Now I am wondering how to organise setting up the rest of the rules so
> I don't go nuts. If it weren't for DHCP, I would have just added more
> scripts in /etc/network/if-up.d/. Of course, you need to take care of
> their ordering and cater to the possibility of running more than once
> if you have multiple interfaces, but that is manageable.
>
> However, how do I cater to DHCP telling me that the IP address of the
> name server has changed, for example, or, tux forbid, the client's own
> IP address. Any ideas on how to go about this are welcome.
>
> Debian GNU/Linux 3.0
> kernel 2.4.18 (custom), iptables 1.2.5-7, dhcp-client 2.0pl5-7
> --
> Olaf Meeuwissen Epson Kowa Corporation, CID
> GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97 976A 16C7 F27D 6BE3 7D90
> LPIC-2 -- I hack, therefore I am -- BOFH
>
I'm not sure if this is what you're looking for but it might help.
You can use dhclient to re-run your iptables script after a DHCP release/renew cycle. So when your lease is up and your network parameters change you renew your iptables rules to reflect the changes of your network.
Read the dhclient-script manual page for details :)
Here's a simple /etc/dhclient-exit-hooks script that works for me:
#!/bin/sh
# Sourced by dhclient-script after every lease event; $reason holds the
# event name (see dhclient-script(8)).
logger -t dhclient-exit-hooks "Reason is $reason"
# /etc/rc.d/init.d/iptables is the init script path on this system;
# Debian keeps its init scripts under /etc/init.d/.
case "$reason" in
RENEW)
    # Lease renewed: rebuild the rules in case any parameters changed.
    /etc/rc.d/init.d/iptables stop
    /etc/rc.d/init.d/iptables start
    ;;
REBIND)
    /etc/rc.d/init.d/iptables stop
    /etc/rc.d/init.d/iptables start
    ;;
BOUND)
    /etc/rc.d/init.d/iptables stop
    /etc/rc.d/init.d/iptables start
    ;;
RELEASE)
    # Lease released: tear the rules down.
    /etc/rc.d/init.d/iptables stop
    ;;
esac
Stef
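Stef's hook restarts the whole firewall script on every event. As an added example (mine, not part of Stef's reply, Olaf's setup or the Debian dhcp-client package), here is a /etc/dhclient-exit-hooks fragment that instead rebuilds only the lease-dependent rules from the variables dhclient-script exports to its hooks ($reason, $interface, $new_ip_address, $new_domain_name_servers), which is what Olaf's question about a changed name server or client address needs. The chain name "dhcp-$interface", the DRY_RUN and IPTABLES variables and all function names are this example's own choices, not anything dhclient or iptables defines.

```shell
#!/bin/sh
# Added example, not Stef's script: sourced by dhclient-script after each
# lease event, it rebuilds a per-interface chain from the exported lease
# variables rather than restarting the whole firewall. Chain name, DRY_RUN,
# IPTABLES and the function names below are this example's assumptions.

IPTABLES=${IPTABLES:-iptables}

# Print the command instead of running it when DRY_RUN is set, so the
# generated rule set can be reviewed without root and without touching
# the live firewall.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# (Re)create an empty per-interface chain and hook it into INPUT/OUTPUT.
# Deleting the jump before re-adding it keeps the chain referenced once
# even when the hook runs several times for the same interface.
rebuild_chain() {
    chain="dhcp-$1"
    run -N "$chain" 2>/dev/null || true        # "chain exists" is fine
    run -F "$chain"
    run -D INPUT -i "$1" -j "$chain" 2>/dev/null || true
    run -D OUTPUT -o "$1" -j "$chain" 2>/dev/null || true
    run -A INPUT -i "$1" -j "$chain"
    run -A OUTPUT -o "$1" -j "$chain"
}

# Rules tied to the current lease: replies to our own connections, the
# DHCP exchange itself (so a renewal is never blocked), and DNS only to
# the servers this lease named, from the address this lease gave us.
add_lease_rules() {
    iface=$1; addr=$2; servers=$3
    chain="dhcp-$iface"
    run -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A "$chain" -p udp --sport 68 --dport 67 -j ACCEPT   # client -> server
    run -A "$chain" -p udp --sport 67 --dport 68 -j ACCEPT   # server -> client
    for ns in $servers; do
        run -A "$chain" -p udp -s "$addr" -d "$ns" --dport 53 -j ACCEPT
        run -A "$chain" -p tcp -s "$addr" -d "$ns" --dport 53 -j ACCEPT
    done
}

# Entry point: called with $reason once dhclient-script has sourced us.
dhcp_firewall_hook() {
    case "$1" in
    BOUND|RENEW|REBIND|REBOOT)
        rebuild_chain "$interface"
        add_lease_rules "$interface" "$new_ip_address" "$new_domain_name_servers"
        ;;
    EXPIRE|FAIL|RELEASE)
        # No valid lease: unhook and delete the chain, leaving the interface
        # to the default policy and whatever if-pre-up.d/if-up.d installed.
        run -D INPUT -i "$interface" -j "dhcp-$interface" 2>/dev/null || true
        run -D OUTPUT -o "$interface" -j "dhcp-$interface" 2>/dev/null || true
        run -F "dhcp-$interface" 2>/dev/null || true
        run -X "dhcp-$interface" 2>/dev/null || true
        ;;
    esac
}

if [ -n "$reason" ]; then
    logger -t dhclient-exit-hooks "firewall hook: $reason on $interface"
    dhcp_firewall_hook "$reason"
fi
```

To see what it would install without being root, source it with the variables set by hand, e.g. DRY_RUN=1 reason=BOUND interface=eth0 new_ip_address=192.0.2.10 new_domain_name_servers="192.0.2.53" (constructed values), and read the printed iptables commands. Because every lease event flushes and refills the chain, a changed name server or client address is reflected on the next BOUND/RENEW/REBIND without touching the policy rules set earlier in if-pre-up.d.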