From: <bigman@monster-solutions.net>
To: Antony Stone <Antony@Soft-Solutions.co.uk>,
netfilter@lists.netfilter.org
Subject: Re: DHCRELAY through IPTABLES Firewall
Date: Tue, 29 Oct 2002 02:37:00 -0500
Message-ID: <000b01c27f1d$f805e430$8f33e40f@lsmith5953>
In-Reply-To: 200210281139.g9SBdPe08223@vulcan.rissington.net
Here is how I ended up fixing my problem. However, I have just discovered it
only works with one client. When I try to get another client to obtain an IP
it does not work. Any ideas? Is DNAT limiting me on one MAC to pass through
or something? I am lost here.

1) turned off DHCPD and DHCRELAY on firewall
2) iptables -t nat -A PREROUTING -i eth2 -p udp --dport 67 -j DNAT --to-destination 192.168.1.70
3) iptables -A FORWARD -p udp -m multiport --dport 67,68 -j ACCEPT
----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.netfilter.org>
Sent: Monday, October 28, 2002 6:39 AM
Subject: Re: DHCRELAY through IPTABLES Firewall
> On Monday 28 October 2002 11:26 am, bigman@monster-solutions.net wrote:
>
> > my comments for each question are in BOLD... thanks for all of the help.
>
> > > > iptables -A FORWARD -i eth2 -o eth2 -j lan2-lan1-fwd
> > >
> > > I don't like the look of that rule !
> >
> > IT SHOULD BE -O ETH1 AND NOT -O ETH2
>
> I know. I just thought you should check whether this was a typo in your
> email, or a typo in the original script...
>
> > > the best thing might be to add a LOGging
> > > rule just before the DROP rule in each of your lan1-lan2-fwd and
> > > lan2-lan1-fwd chains so you can see if anything's being blocked...
> >
> > SO DHCRELAY WILL USE FORWARDING INSTEAD OF OUTPUT AND INPUT FOR IT TO WORK?
>
> No, sorry, I should have suggested adding the LOGging rules to the chains
> lan1-in lan2-in and lan1-lan2.
>
> You are correct that dhcrelay is supposed to pick up broadcasts on the source
> network (which will come in to the firewall via the INPUT chain) and the
> dhcrelay application then generates its own packet to send to the dhcp server
> (which will go out via the OUTPUT chain).
>
> Replies should come back in from the dhcp server through the INPUT chain, and
> then go back out to the original client through the OUTPUT chain.
>
> No packets are expected to be FORWARDed (routed).
>
> Antony.
>
> --
>
> KDE 3.0.3 contains an important fix for handling SSL certificates. Users of
> Internet Explorer, which suffers from the same problem but which
> does not yet have a fix available, are also encouraged to switch to KDE 3.0.3.
>
> http://www.kde.org/announcements/announce-3.0.3.html
>
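Antony's suggestion above is to put a LOG rule just before the DROP in each forwarding chain so that blocked packets become visible. The following is an added example, not code from the thread: it parses the kernel log lines such LOG rules produce and reports, per log prefix, which client MACs sent DHCP requests (UDP DPT=67) and which destination IPs received replies (UDP DPT=68), so one can check whether a second client's packets are even reaching the drop rule. The log prefixes, interface names and the sample log lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of what the kernel logs from rules such as
#   iptables -A lan2-lan1-fwd -p udp -m multiport --dport 67,68 -j LOG --log-prefix "lan2-lan1-drop: "
# placed just before the DROP in each forwarding chain. The MAC= field is
# dst MAC (6 bytes) : src MAC (6 bytes) : EtherType (2 bytes).
SAMPLE_LOG = """\
Oct 29 02:30:11 fw kernel: lan2-lan1-drop: IN=eth2 OUT=eth1 MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:66:08:00 SRC=0.0.0.0 DST=192.168.1.70 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Oct 29 02:30:15 fw kernel: lan2-lan1-drop: IN=eth2 OUT=eth1 MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:66:08:00 SRC=0.0.0.0 DST=192.168.1.70 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Oct 29 02:30:16 fw kernel: lan1-lan2-drop: IN=eth1 OUT=eth2 MAC=00:aa:bb:cc:dd:ee:00:50:56:01:02:03:08:00 SRC=192.168.1.70 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=308
Oct 29 02:30:20 fw kernel: lan2-lan1-drop: IN=eth2 OUT=eth1 MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:66:08:00 SRC=192.168.2.51 DST=192.168.1.70 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Layout of an iptables LOG line; the SPT/DPT pair is absent for ICMP.
LOG_RE = re.compile(
    r"kernel: (?P<prefix>.*?)IN=(?P<inif>\S*) OUT=(?P<outif>\S*) "
    r"(?:MAC=(?P<mac>\S+) )?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

def parse_log_line(line):
    """Return the LOG fields as a dict, with the L2 source MAC split out, or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["prefix"] = rec["prefix"].strip()
    octets = rec["mac"].split(":") if rec["mac"] else []
    # 14 octets = Ethernet framing; anything else (e.g. PPP) gets no source MAC
    rec["src_mac"] = ":".join(octets[6:12]) if len(octets) >= 14 else None
    return rec

def dhcp_summary(lines):
    """Per log prefix: client requests (UDP DPT=67) counted by source MAC and
    server replies (UDP DPT=68) counted by destination IP; other traffic is ignored."""
    summary = defaultdict(lambda: {"requests": Counter(), "replies": Counter()})
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["proto"] != "UDP":
            continue
        if rec["dpt"] == "67":
            summary[rec["prefix"]]["requests"][rec["src_mac"]] += 1
        elif rec["dpt"] == "68":
            summary[rec["prefix"]]["replies"][rec["dst"]] += 1
    return dict(summary)

if __name__ == "__main__":
    for prefix, counts in dhcp_summary(SAMPLE_LOG.splitlines()).items():
        print(prefix, dict(counts["requests"]), dict(counts["replies"]))
```

Replies are keyed by destination IP rather than client MAC because the Ethernet destination of a routed reply arriving at the firewall is the firewall's own interface, not the client.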