Re: Firewalling a DHCP client the Right Way (TM)
On 29 Mar 2002 12:24:37 +0900
Olaf Meeuwissen <firstname.lastname@example.org> wrote:
> Dear .debs,
> I have a DHCP client that receives a lot of its networking information
> from our DHCP servers. Things like routers, mail and name servers. I
> would like to put an iptables based packet filtering firewall on this
> client that by default drops everything unless explicitly allowed.
> I set the default policy through a script in /etc/network/if-pre-up.d/
> and add logging of everything that is dropped as a result of policy by
> means of a script in /etc/network/if-up.d/. So far no problems.
> Now I am wondering how to organise setting up the rest of the rules so
> I don't go nuts. If it weren't for DHCP, I would have just added more
> scripts in /etc/network/if-up.d/. Of course, you need to take care of
> their ordering and cater to the possibility of running more than once
> if you have multiple interfaces, but that is manageable.
> However, how do I cater to DHCP telling me that the IP address of the
> name server has changed, for example, or, tux forbid, the client's own
> IP address. Any ideas on how to go about this are welcome.
> Debian GNU/Linux 3.0
> kernel 2.4.18 (custom), iptables 1.2.5-7, dhcp-client 2.0pl5-7
> Olaf Meeuwissen Epson Kowa Corporation, CID
> GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97 976A 16C7 F27D 6BE3 7D90
> LPIC-2 -- I hack, therefore I am -- BOFH
I'm not sure if this is what you're looking for, but it might help.
You can use dhclient to re-run your iptables script after a DHCP release/renew cycle. So when your lease is up and your network parameters change, you renew your iptables rules to reflect the changes to your network.
Read the dhclient-script manual page for details :)
Here's a simple /etc/dhclient-exit-hooks script that works for me:
logger -t dhclient-exit-hooks "Reason is $reason"
case "$reason" in
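A complete /etc/dhclient-exit-hooks along the lines the reply suggests, added here as an example (it is not the reply author's script, which is cut off above). It assumes the layout from the original question: the default DROP policy lives in /etc/network/if-pre-up.d/ and the LOG rules in /etc/network/if-up.d/, and this hook owns only one user-defined chain (DHCP_IN, a name chosen here) that holds the rules depending on lease-supplied addresses. The variables $reason, $interface, $new_ip_address, $new_routers, $new_domain_name_servers and $exit_status are the ones dhclient-script(8) exports to its hooks; the function names and the 10.0.0.x addresses used when testing it are constructed.

```shell
#!/bin/sh
# /etc/dhclient-exit-hooks -- sourced by dhclient-script after every lease event.
# Added example, not the list poster's script.  Assumes the default DROP policy
# and the trailing LOG rules are installed elsewhere (if-pre-up.d / if-up.d);
# this hook only rebuilds the chain DHCP_IN (name chosen here) that holds the
# rules depending on lease-supplied addresses, so a renewal touches nothing else.

IPTABLES=${IPTABLES:-/sbin/iptables}   # set IPTABLES=echo to dry-run as non-root
CHAIN=${CHAIN:-DHCP_IN}

log() { logger -t dhclient-exit-hooks "$*" 2>/dev/null || true; }

# Print, one per line, the iptables arguments that rebuild $CHAIN for a lease.
# $1=interface  $2=our address  $3=DNS servers  $4=routers (both space-separated,
# exactly as dhclient-script passes $new_domain_name_servers and $new_routers)
lease_rules() {
    iface=$1; addr=$2; dns=$3; routers=$4
    echo "-F $CHAIN"                      # start from an empty chain every time
    for ns in $dns; do                    # answers to our own DNS queries only
        echo "-A $CHAIN -i $iface -p udp -s $ns --sport 53 -d $addr -j ACCEPT"
        echo "-A $CHAIN -i $iface -p tcp -s $ns --sport 53 -d $addr ! --syn -j ACCEPT"
    done
    for gw in $routers; do                # unreachables/redirects from the gateway
        echo "-A $CHAIN -i $iface -p icmp -s $gw -j ACCEPT"
    done
    # the next renewal: server (port 67) to client (port 68), whatever $addr is
    echo "-A $CHAIN -i $iface -p udp --sport 67 --dport 68 -j ACCEPT"
}

# Create $CHAIN and hook it into INPUT exactly once; safe to call on every event.
# (iptables 1.2.x has no -C, so the jump is detected by listing INPUT.)
ensure_chain() {
    $IPTABLES -N "$CHAIN" 2>/dev/null || true
    $IPTABLES -L INPUT -n 2>/dev/null | grep -q "^$CHAIN " \
        || $IPTABLES -I INPUT 1 -j "$CHAIN"
}

# Feed each line from stdin to iptables; log, but do not abort, on a bad rule.
apply_rules() {
    while read -r line; do
        # shellcheck disable=SC2086
        $IPTABLES $line </dev/null || log "failed: $IPTABLES $line"
    done
}

# Map a dhclient reason code (and, for TIMEOUT, dhclient-script's $exit_status)
# to what the firewall must do.  On TIMEOUT dhclient-script keeps the old lease
# only if the gateway answers a ping (exit_status 0); otherwise the interface
# is downed and the lease-derived rules must go.
action_for_reason() {
    case "$1" in
        BOUND|RENEW|REBIND|REBOOT) echo rebuild ;;   # we hold a (possibly new) lease
        TIMEOUT) [ "${2:-1}" = 0 ] && echo rebuild || echo flush ;;
        EXPIRE|FAIL|RELEASE|STOP)  echo flush ;;     # no lease: trust no stale address
        *)                         echo ignore ;;    # MEDIUM, PREINIT, ...
    esac
}

handle_reason() {
    log "Reason is $1"
    case "$(action_for_reason "$1" "${exit_status:-0}")" in
        rebuild)
            ensure_chain
            lease_rules "$interface" "$new_ip_address" \
                        "$new_domain_name_servers" "$new_routers" | apply_rules ;;
        flush)
            ensure_chain
            echo "-F $CHAIN" | apply_rules ;;
    esac
}

# dhclient-script sources this file with $reason set; run by hand it only
# defines the functions above.
if [ -n "${reason:-}" ]; then
    handle_reason "$reason"
fi
```

Because the chain is flushed and refilled as a unit, a changed name server or a changed client address is handled the same way as the first lease, and the policy and logging rules set up by the ifupdown scripts are never touched. On a host with more than one DHCP interface, give each its own chain (for instance CHAIN=DHCP_IN_$interface) so one interface's renewal does not flush the other's rules.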