On 29 Mar 2002 12:24:37 +0900 Olaf Meeuwissen <[EMAIL PROTECTED]> wrote:
> Dear .debs,
>
> I have a DHCP client that receives a lot of its networking information
> from our DHCP servers. Things like routers, mail and name servers. I
> would like to put an iptables based packet filtering firewall on this
> client that by default drops everything unless explicitly allowed.
>
> I set the default policy through a script in /etc/network/if-pre-up.d/
> and add logging of everything that is dropped as a result of policy by
> means of a script in /etc/network/if-up.d/. So far no problems.
>
> Now I am wondering how to organise setting up the rest of the rules so
> I don't go nuts. If it weren't for DHCP, I would have just added more
> scripts in /etc/network/if-up.d/. Of course, you need to take care of
> their ordering and cater to the possibility of running more than once
> if you have multiple interfaces, but that is manageable.
>
> However, how do I cater to DHCP telling me that the IP address of the
> name server has changed, for example, or, tux forbid, the client's own
> IP address. Any ideas on how to go about this are welcome.
>
> Debian GNU/Linux 3.0
> kernel 2.4.18 (custom), iptables 1.2.5-7, dhcp-client 2.0pl5-7
> --
> Olaf Meeuwissen Epson Kowa Corporation, CID
> GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97 976A 16C7 F27D 6BE3 7D90
> LPIC-2 -- I hack, therefore I am -- BOFH

I'm not sure if this is what you're looking for, but it might help. You can use dhclient to re-run your iptables script after a DHCP release/renew cycle. So when your lease is up and your network parameters change, you renew your iptables rules to reflect the changes of your network.

Read the dhclient-script manual page for details :) Here's a simple /etc/dhclient-exit-hooks script that works for me:

#!/bin/sh
# Sourced by dhclient-script after it has handled a lease event;
# $reason tells us which event it was.
logger -t dhclient-exit-hooks "Reason is $reason"
case "$reason" in
    RENEW|REBIND|BOUND)
        # New or refreshed lease: reload the rule set so it matches
        # the addresses the server just handed out.
        /etc/rc.d/init.d/iptables stop
        /etc/rc.d/init.d/iptables start
        ;;
    RELEASE)
        # Lease given up: take the rules down.
        /etc/rc.d/init.d/iptables stop
        ;;
esac

Stef
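An added example (not Stef's script or Olaf's setup) that takes the idea one step further: instead of restarting the whole firewall, it rebuilds only the DHCP-dependent rules from the variables dhclient-script exports ($reason, $interface, $new_ip_address, $new_domain_name_servers, $new_routers). It assumes a dedicated user chain named dhcp-dynamic that the static default-deny rule set already jumps to; the chain name and the IPTABLES override are assumptions for illustration.

```shell
#!/bin/sh
# /etc/dhclient-exit-hooks (sourced by dhclient-script after each lease event).
# Assumption: the static default-deny policy is loaded elsewhere (e.g. from
# /etc/network/if-pre-up.d/) and contains "-j dhcp-dynamic" in INPUT, so only
# the lease-derived rules need rebuilding here.
IPTABLES=${IPTABLES:-/sbin/iptables}   # set IPTABLES=echo to dry-run
CHAIN=dhcp-dynamic                      # hypothetical chain name

# Rebuild the chain for one lease. Args: interface, client address,
# space-separated DNS server list, space-separated router list.
dhcp_rules() {
    iface=$1; addr=$2; dns=$3; routers=$4
    $IPTABLES -N "$CHAIN" 2>/dev/null      # no-op if the chain already exists
    $IPTABLES -F "$CHAIN"                  # drop rules that named the old addresses
    # DHCP itself must keep working after the address changes.
    $IPTABLES -A "$CHAIN" -i "$iface" -p udp --sport 67 --dport 68 -j ACCEPT
    for s in $dns; do
        # Accept DNS answers only from the servers named in the lease,
        # and only to the address we were just given.
        $IPTABLES -A "$CHAIN" -i "$iface" -s "$s" -d "$addr" -p udp --sport 53 -j ACCEPT
        $IPTABLES -A "$CHAIN" -i "$iface" -s "$s" -d "$addr" -p tcp --sport 53 ! --syn -j ACCEPT
    done
    for r in $routers; do
        # ICMP errors from the gateway (unreachable, fragmentation needed).
        $IPTABLES -A "$CHAIN" -i "$iface" -s "$r" -d "$addr" -p icmp -j ACCEPT
    done
}

case "$reason" in
    BOUND|RENEW|REBIND|REBOOT)
        logger -t dhclient-exit-hooks "rebuilding $CHAIN for $new_ip_address ($reason)"
        dhcp_rules "$interface" "$new_ip_address" "$new_domain_name_servers" "$new_routers"
        ;;
    EXPIRE|FAIL|RELEASE)
        logger -t dhclient-exit-hooks "flushing $CHAIN ($reason)"
        $IPTABLES -F "$CHAIN" 2>/dev/null
        ;;
esac
```

Because dhclient-script sources this file, $reason is empty when you run it by hand, so the case statement does nothing; call dhcp_rules directly with IPTABLES=echo to see the rules it would load.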