
Re: Filtering out external DHCP requests



On Fri, Nov 15, 2002 at 03:33:21PM -0600, Alex Malinovich wrote:
> My DHCP server also acts as my NAT router and as such is connected both
> to my internal network and the outside world. I only want the DHCP
> server to listen to requests on the internal connection. (eth1)

Which dhcp server are you using?

I use the "dhcp" package; all I had to do was to tweak /etc/init.d/dhcp
so it starts dhcpd with "eth0" on the command line (you probably want
eth1 there though).

> Unfortunately, it seems that no matter what I do requests (i.e.
> DHCPDISCOVER from * via eth0) still come in on the external connection
> (eth0). While the requests aren't being honored, they are still coming
> in and being written to the syslog, causing a LOT of garbage in there.

At least having dhcpd bind only to eth1 should avoid that bit.

> I've decided to try and just filter out any requests via iptables, but
> nothing that I've tried seems to work. Here's the configs that I've
> tried:

I would argue that you should filter them out by default. Basically you
should have a good firewalling ruleset in place, and only let through
what you know about.  I.e. let the default policy be DROP.

> iptables -A INPUT -p udp -m udp --dport 67:68 -j DROP
> iptables -A INPUT -p udp -m udp --dport 67:68 -i eth0 -j DROP
> iptables -A INPUT -p udp -m udp --sport 67:68 -j DROP
> iptables -A INPUT -p udp -m udp --sport 67:68 -i eth0 -j DROP

That *should* work...

> and various other combinations of the above. (TCP instead of UDP, etc.)

IIRC dhcp does not use TCP...

> Unfortunately, no matter what I do the requests still come in and clog
> my syslog. I've looked all over google and the first one of the above is
> what I keep finding. Unfortunately, it still doesn't work. Any
> suggestions? TIA.

HTH

-- 
Karl E. Jørgensen
karl@jorgensen.com        http://karl.jorgensen.com
... An rfc2324 advocate
http://www.faqs.org/rfcs/rfc2324.html
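The default-DROP ruleset suggested in the reply, written out as an iptables-restore file (an added example, not part of the original mail or of the dhcp package); eth0 (outside) and eth1 (inside) follow the quoted post, everything else is assumed. One caveat: dhcpd on Linux reads DHCP through a raw packet socket that sits below netfilter, so INPUT rules keep the packets out of the IP stack but do not stop dhcpd from seeing and logging them; the syslog noise only stops once dhcpd is told to listen on eth1 alone, as the reply recommends.

```shell
# Generate a filter table with INPUT policy DROP and DHCP server traffic
# accepted on the LAN interface only. Load with: dhcp_ruleset eth1 | iptables-restore
dhcp_ruleset() {
  inside="$1"   # interface on which dhcpd is meant to answer (eth1 in the thread)
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DHCP clients send DISCOVER/REQUEST from udp/68 to udp/67; allow that on the LAN side only
-A INPUT -i $inside -p udp --sport 68 --dport 67 -j ACCEPT
# Everything else, including DHCP arriving on the outside interface, falls to the DROP policy
COMMIT
EOF
}

# Check helper (assumed, not a real iptables feature): succeed only if the
# ruleset never ACCEPTs traffic arriving on interface $2.
no_accept_from() {
  ruleset="$1"; iface="$2"
  ! printf '%s\n' "$ruleset" | grep -q -- "-i $iface .*-j ACCEPT"
}

rules=$(dhcp_ruleset eth1)
printf '%s\n' "$rules"
no_accept_from "$rules" eth0 && echo "OK: nothing from eth0 is accepted"
```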
