All of lore.kernel.org
 help / color / mirror / Atom feed
* DHCRELAY through IPTABLES Firewall
@ 2002-10-27  4:33 bigman
  2002-10-27  8:09 ` Antony Stone
  0 siblings, 1 reply; 18+ messages in thread
From: bigman @ 2002-10-27  4:33 UTC (permalink / raw)
  To: netfilter

[-- Attachment #1: Type: text/plain, Size: 759 bytes --]

All,
    I am wondering if someone out there would be so kind as to help me figure out why I cannot get DHCRELAY to relay DHCP requests from one LAN segment to another LAN segment where a Windows 2000 DHCP server resides. I have verified that the requests are hitting the DHCRELAY on 67/UDP and then the DHCRELAY is trying to send back out on ETH2 (LAN2 Segment) to the DHCP Server on LAN1, but there is nothing after that. I have used Snort in sniffer mode and I can see UDP traffic on 68/UDP and 67/UDP on LAN2, but I never see any on LAN1. So my guess is that for some reason it is not routing through the firewall correctly. Any help would be greatly appreciated.


Firewall Config
RH 7.3
IPTables v1.2.5
ETH0 (Internet)
ETH1 (LAN1)
ETH2 (LAN2)

[-- Attachment #2: Type: text/html, Size: 1543 bytes --]

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: DHCRELAY through IPTABLES Firewall
  2002-10-27  4:33 DHCRELAY through IPTABLES Firewall bigman
@ 2002-10-27  8:09 ` Antony Stone
  2002-10-27  8:58   ` bigman
  0 siblings, 1 reply; 18+ messages in thread
From: Antony Stone @ 2002-10-27  8:09 UTC (permalink / raw)
  To: netfilter

On Sunday 27 October 2002 4:33 am, bigman@monster-solutions.net wrote:

> All,
>     I am wondering if someone out there would be so kind as to help me
> figure out why I cannot get DHCRELAY to relay DHCP requests from one LAN
> segment to another LAN segment where a Windows 2000 DHCP server resides. I
> have verified that the requests are hitting the DHCRELAY on 67/UDP and then
> the DHCRELAY is trying to send back out on ETH2 (LAN2 Segment) to the DHCP
> Server on LAN1, but there is nothing after that. I have used Snort in
> sniffer mode and I can see UDP traffic on 68/UDP and 67/UDP on LAN2, but I
> never see any on LAN1. So my guess is that for some reason it is not
> routing through the firewall correctly. Any help would be greatly
> appreciated.

Tell us:

1. Your netfilter rules

2. Your network addresses for LAN1 and LAN2.

3. The routing table on the firewall.

4. Your dhcrelay command line.

Antony.

-- 

If at first you don't succeed, destroy all the evidence that you tried.


^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: DHCRELAY through IPTABLES Firewall
  2002-10-27  8:09 ` Antony Stone
@ 2002-10-27  8:58   ` bigman
  2002-10-28  8:49     ` Antony Stone
  0 siblings, 1 reply; 18+ messages in thread
From: bigman @ 2002-10-27  8:58 UTC (permalink / raw)
  To: Antony Stone, netfilter

I am running DHCRELAY as below

dhcrelay -i eth2 192.168.1.70

192.168.1.70    DHCP Server (W2K)
LAN1 192.168.1.0
LAN2 192.168.2.0

Here is my routing tables
Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface
192.168.2.0     *               255.255.255.0   U     0      0        0 eth2
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
x.x.x.x (ISP Subnet)     *               255.255.252.0   U     0      0
0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         x.x.x.x (ISP Assigned IP) 0.0.0.0         UG    0      0
0 eth0

Here are my Netfilter settings

Chain INPUT (policy DROP 84 packets, 6522 bytes)
 pkts bytes target     prot opt in     out     source
destination
 2402  839K lan1-in    all  --  eth1   *       0.0.0.0/0
0.0.0.0/0
 4468  730K ext-int-in  all  --  eth0   *       0.0.0.0/0
0.0.0.0/0
 9283 1160K lan2-in    all  --  eth2   *       0.0.0.0/0
0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination
67892   42M lan1-lan2-fwd  all  --  eth1   eth2    0.0.0.0/0
0.0.0.0/0
54339 7531K lan2-lan1-fwd  all  --  eth2   eth1    0.0.0.0/0
0.0.0.0/0
 133K  153M ext-int-fwd  all  --  eth0   *       0.0.0.0/0
0.0.0.0/0
50699 4126K lan1-ext-fwd  all  --  eth1   *       0.0.0.0/0
0.0.0.0/0
35220   30M lan2-ext-fwd  all  --  eth2   *       0.0.0.0/0
0.0.0.0/0

Chain OUTPUT (policy DROP 172 packets, 19408 bytes)
 pkts bytes target     prot opt in     out     source
destination
  817  133K lan1-lan2  all  --  *      eth2    0.0.0.0/0
0.0.0.0/0
 2507  381K ACCEPT     all  --  *      eth0    0.0.0.0/0
0.0.0.0/0
 1351  337K ACCEPT     all  --  *      *       192.168.1.0/24
0.0.0.0/0
   60  3600 ACCEPT     tcp  --  *      *       0.0.0.0/0            x.x.x.x
(ISP Assigned IP)

Chain ext-int-fwd (1 references)
 pkts bytes target     prot opt in     out     source
destination
    133K  153M ACCEPT     all  --  eth0   *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 DROP       all  --  eth0   *       0.0.0.0/0
0.0.0.0/0

Chain ext-int-in (1 references)
 pkts bytes target     prot opt in     out     source
destination
  2681  201K ACCEPT     all  --  eth0   *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED
    1432  483K DROP       all  --  eth0   *       0.0.0.0/0
0.0.0.0/0

Chain lan1-ext-fwd (1 references)
 pkts bytes target     prot opt in     out     source
destination
50699 4126K ACCEPT     all  --  eth1   *       0.0.0.0/0
0.0.0.0/0          state NEW,RELATED,ESTABLISHED
    0     0 DROP       all  --  eth1   *       0.0.0.0/0
0.0.0.0/0

Chain lan1-in (1 references)
 pkts bytes target     prot opt in     out     source
destination
 2387  834K ACCEPT     all  --  eth1   *       192.168.1.0/24
0.0.0.0/0
   15  4920 DROP       all  --  eth1   *       0.0.0.0/0
0.0.0.0/0

Chain lan1-lan2 (1 references)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     udp  --  *      eth2    0.0.0.0/0
0.0.0.0/0          udp dpt:68
  595 99614 ACCEPT     all  --  *      eth2    0.0.0.0/0
192.168.2.0/24     state RELATED,ESTABLISHED
  222 33821 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain lan1-lan2-fwd (1 references)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     udp  --  *      eth2    0.0.0.0/0
192.168.2.105      udp dpt:6257
    0     0 ACCEPT     tcp  --  *      eth2    0.0.0.0/0
192.168.2.105      tcp dpt:6699
67463   42M ACCEPT     all  --  *      eth2    0.0.0.0/0
192.168.2.0/24     state RELATED,ESTABLISHED
  429  385K DROP       all  --  *      eth2    0.0.0.0/0
0.0.0.0/0

Chain lan2-ext-fwd (1 references)
 pkts bytes target     prot opt in     out     source
destination
35220   30M ACCEPT     all  --  eth2   *       0.0.0.0/0
0.0.0.0/0          state NEW,RELATED,ESTABLISHED
    0     0 DROP       all  --  eth2   *       0.0.0.0/0
0.0.0.0/0

Chain lan2-in (1 references)
 pkts bytes target     prot opt in     out     source
destination
  109 37146 ACCEPT     udp  --  eth2   *       0.0.0.0/0
0.0.0.0/0          udp dpt:67
 9173 1123K ACCEPT     all  --  eth2   *       192.168.2.0/24
0.0.0.0/0
    1   328 DROP       all  --  eth2   *       0.0.0.0/0
0.0.0.0/0

Chain lan2-lan1-fwd (1 references)
 pkts bytes target     prot opt in     out     source
destination
54339 7531K ACCEPT     all  --  eth2   eth1    0.0.0.0/0
0.0.0.0/0
    0     0 DROP       all  --  eth2   eth1    0.0.0.0/0
0.0.0.0/0

----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.netfilter.org>
Sent: Sunday, October 27, 2002 3:09 AM
Subject: Re: DHCRELAY through IPTABLES Firewall


> On Sunday 27 October 2002 4:33 am, bigman@monster-solutions.net wrote:
>
> > All,
> >     I am wondering if someone out there would be so kind as to help me
> > figure out why I cannot get DHCRELAY to relay DHCP requests from one LAN
> > segment to another LAN segment where a Windows 2000 DHCP server resides.
I
> > have verified that the requests are hitting the DHCRELAY on 67/UDP and
then
> > the DHCRELAY is trying to send back out on ETH2 (LAN2 Segment) to the
DHCP
> > Server on LAN1, but there is nothing after that. I have used Snort in
> > sniffer mode and I can see UDP traffic on 68/UDP and 67/UDP on LAN2, but
I
> > never see any on LAN1. So my guess is that for some reason it is not
> > routing through the firewall correctly. Any help would be greatly
> > appreciated.
>
> Tell us:
>
> 1. Your netfilter rules
>
> 2. Your network addresses for LAN1 and LAN2.
>
> 3. The routing table on the firewall.
>
> 4. Your dhcrelay command line.
>
> Antony.
>
> --
>
> If at first you don't succeed, destroy all the evidence that you tried.
>



^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: DHCRELAY through IPTABLES Firewall
  2002-10-27  8:58   ` bigman
@ 2002-10-28  8:49     ` Antony Stone
  2002-10-28 10:36       ` bigman
  0 siblings, 1 reply; 18+ messages in thread
From: Antony Stone @ 2002-10-28  8:49 UTC (permalink / raw)
  To: netfilter

On Sunday 27 October 2002 8:58 am, bigman@monster-solutions.net wrote:

> I am running DHCRELAY as below
>
> dhcrelay -i eth2 192.168.1.70
>
> 192.168.1.70    DHCP Server (W2K)
> LAN1 192.168.1.0
> LAN2 192.168.2.0
>
> Here is my routing tables
> Destination     Gateway         Genmask         Flags Metric Ref    Use
> Iface
> 192.168.2.0     *               255.255.255.0   U     0      0        0
> eth2 192.168.1.0     *               255.255.255.0   U     0      0       
> 0 eth1 x.x.x.x (ISP Subnet)     *               255.255.252.0   U     0    
>  0 0 eth0
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         x.x.x.x (ISP Assigned IP) 0.0.0.0         UG    0      0
> 0 eth0

Okay, that all looks sensible.   By the way, just thought I'd check - I 
assume you are running dhcrelay on the firewall machine ?

> Here are my Netfilter settings

Please post the iptables commands used to set up your ruleset.

You sent the ouput of iptables -L which doesn't show all the information we 
need: even the verbose version iptables -L -v is not as informative as the 
original commands.   Thanks,

Antony.

-- 

With thanks to God,
For all that's come before,
For all that will come after,
But most of all, for this bit right here now.


^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: DHCRELAY through IPTABLES Firewall
  2002-10-28  8:49     ` Antony Stone
@ 2002-10-28 10:36       ` bigman
  2002-10-28 10:54         ` Antony Stone
  0 siblings, 1 reply; 18+ messages in thread
From: bigman @ 2002-10-28 10:36 UTC (permalink / raw)
  To: Antony Stone, netfilter

yeah the DHCRELAY is running on the firewall... below is how I am setting up
these rules.

iptables -N lan1-in
iptables -N ext-int-in
iptables -N lan2-in
iptables -N lan1-lan2-fwd
iptables -N lan2-lan1-fwd
iptables -N ext-int-fwd
iptables -N lan1-ext-fwd
iptables -N lan2-ext-fwd
iptables -N lan1-lan2

iptables -A INPUT -i eth1 -j lan1-in
iptables -A INPUT -i eth0 -j ext-int-in
iptables -A INPUT -i eth2 -j lan2-in

iptables -A FORWARD -i eth1 -o eth2 -j lan1-lan2-fwd
iptables -A FORWARD -i eth2 -o eth2 -j lan2-lan1-fwd
iptables -A FORWARD -i eth0 -j ext-int-fwd
iptables -A FORWARD -i eth1 -j lan1-ext-fwd
iptables -A FORWARD -i eth2 -j lan2-ext-fwd

iptables -A OUTPUT -o eth2 -j lan1-lan2
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -p tcp -d x.x.x.x (ISP Assigned IP) -j ACCEPT

iptables -A ext-int-fwd -i eth0 -m state --state RELATED,ESTABLISHED -j
ACCEPT
iptables -A ext-int-fwd -i eth0 -j DROP

iptables -A ext-int-in -i eth0 -m state --state RELATED,ESTABLISHED -j
ACCEPT
iptables -A ext-int-in -i eth0 -j DROP

iptables -A lan1-ext-fwd -i eth1 -m state --state NEW,RELATED,ESTABLISHED -j
ACCEPT
iptables -A lan1-ext-fwd -i eth1 -j DROP

iptables -A lan1-in -i eth1 -s 192.168.1.0/24 -j ACCEPT
iptables -A lan1-in -i eth1 -j DROP

iptables -A lan1-lan2 -p udp -o eth2 --dport 68 -j ACCEPT
iptables -A lan1-lan2 -o eth2 -d 192.168.2.0/24 -m state --state
RELATED,ESTABLISHED -j ACCEPT
iptables -A lan1-lan2 -j DROP

iptables -A lan1-lan2-fwd -o eth2 -d 192.168.2.0/24 -m state --state
RELATED,ESTABLISHED -j ACCEPT
iptables -A lan1-lan2-fwd -o eth2 -j DROP

iptables -A lan2-ext-fwd -i eth2 -m state --state NEW,RELATED,ESTABLISHED -j
ACCEPT
iptables -A lan2-ext-fwd -i eth2 -j DROP

iptables -A lan2-in -i eth2 -p udp --dport 67 -j ACCEPT
iptables -A lan2-in -i eth2 -s 192.168.2.0/24 -j ACCEPT
iptables -A lan2-in -i eth2 -j DROP

iptables -A lan2-lan1-fwd -i eth2 -o eth1 -j ACCEPT
iptables -A lan2-lan1-fwd -i eth2 -o eth1 -j DROP


iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/16 -j MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward


----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.netfilter.org>
Sent: Monday, October 28, 2002 3:49 AM
Subject: Re: DHCRELAY through IPTABLES Firewall


> On Sunday 27 October 2002 8:58 am, bigman@monster-solutions.net wrote:
>
> > I am running DHCRELAY as below
> >
> > dhcrelay -i eth2 192.168.1.70
> >
> > 192.168.1.70    DHCP Server (W2K)
> > LAN1 192.168.1.0
> > LAN2 192.168.2.0
> >
> > Here is my routing tables
> > Destination     Gateway         Genmask         Flags Metric Ref    Use
> > Iface
> > 192.168.2.0     *               255.255.255.0   U     0      0        0
> > eth2 192.168.1.0     *               255.255.255.0   U     0      0
> > 0 eth1 x.x.x.x (ISP Subnet)     *               255.255.252.0   U     0
> >  0 0 eth0
> > 127.0.0.0       *               255.0.0.0       U     0      0        0
lo
> > default         x.x.x.x (ISP Assigned IP) 0.0.0.0         UG    0      0
> > 0 eth0
>
> Okay, that all looks sensible.   By the way, just thought I'd check - I
> assume you are running dhcrelay on the firewall machine ?
>
> > Here are my Netfilter settings
>
> Please post the iptables commands used to set up your ruleset.
>
> You sent the ouput of iptables -L which doesn't show all the information
we
> need: even the verbose version iptables -L -v is not as informative as the
> original commands.   Thanks,
>
> Antony.
>
> --
>
> With thanks to God,
> For all that's come before,
> For all that will come after,
> But most of all, for this bit right here now.
>



^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: DHCRELAY through IPTABLES Firewall
  2002-10-28 10:36       ` bigman
@ 2002-10-28 10:54         ` Antony Stone
  2002-10-28 11:26           ` bigman
  0 siblings, 1 reply; 18+ messages in thread
From: Antony Stone @ 2002-10-28 10:54 UTC (permalink / raw)
  To: netfilter

On Monday 28 October 2002 10:36 am, bigman@monster-solutions.net wrote:

> iptables -N lan1-in
> iptables -N ext-int-in
> iptables -N lan2-in
> iptables -N lan1-lan2-fwd
> iptables -N lan2-lan1-fwd
> iptables -N ext-int-fwd
> iptables -N lan1-ext-fwd
> iptables -N lan2-ext-fwd
> iptables -N lan1-lan2
>
> iptables -A INPUT -i eth1 -j lan1-in
> iptables -A INPUT -i eth0 -j ext-int-in
> iptables -A INPUT -i eth2 -j lan2-in
>
> iptables -A FORWARD -i eth1 -o eth2 -j lan1-lan2-fwd
> iptables -A FORWARD -i eth2 -o eth2 -j lan2-lan1-fwd

I don't like the look of that rule !

> iptables -A FORWARD -i eth0 -j ext-int-fwd
> iptables -A FORWARD -i eth1 -j lan1-ext-fwd
> iptables -A FORWARD -i eth2 -j lan2-ext-fwd
>
> iptables -A OUTPUT -o eth2 -j lan1-lan2

That seems like a strange name to use, but okay....

> iptables -A OUTPUT -o eth0 -j ACCEPT
> iptables -A OUTPUT -s 192.168.1.0/24 -j ACCEPT

Presumably that rule is the one which allows packets from the firewall to 
eth1, since you don't have another rule specifically for that ?

> iptables -A OUTPUT -p tcp -d x.x.x.x (ISP Assigned IP) -j ACCEPT

What is this destination address ?   (No, I don't mean tell me what it is 
numerically, I mean tell me which machine it belongs to and why you might be 
sending packets there from your firewall.)

> iptables -A ext-int-fwd -i eth0 -m state --state RELATED,ESTABLISHED -j
> ACCEPT
> iptables -A ext-int-fwd -i eth0 -j DROP

Why are you specifying -i eth0 in these rules ?   If a packet didn't come in 
through eth0 it wouldn't get as far as the ext-int-fwd chain....

> iptables -A ext-int-in -i eth0 -m state --state RELATED,ESTABLISHED -j
> ACCEPT
> iptables -A ext-int-in -i eth0 -j DROP

Same comment again - why bother to specify -i eth0 ?

In fact, I'd make the same comment for virtually all the following rules.   
You've already specified the input & output interfaces when selecting the 
packets to go to these chains, so why do it all again ?

> iptables -A lan1-ext-fwd -i eth1 -m state --state NEW,RELATED,ESTABLISHED
> -j ACCEPT
> iptables -A lan1-ext-fwd -i eth1 -j DROP
>
> iptables -A lan1-in -i eth1 -s 192.168.1.0/24 -j ACCEPT
> iptables -A lan1-in -i eth1 -j DROP
>
> iptables -A lan1-lan2 -p udp -o eth2 --dport 68 -j ACCEPT
> iptables -A lan1-lan2 -o eth2 -d 192.168.2.0/24 -m state --state
> RELATED,ESTABLISHED -j ACCEPT
> iptables -A lan1-lan2 -j DROP
>
> iptables -A lan1-lan2-fwd -o eth2 -d 192.168.2.0/24 -m state --state
> RELATED,ESTABLISHED -j ACCEPT
> iptables -A lan1-lan2-fwd -o eth2 -j DROP
>
> iptables -A lan2-ext-fwd -i eth2 -m state --state NEW,RELATED,ESTABLISHED
> -j ACCEPT
> iptables -A lan2-ext-fwd -i eth2 -j DROP
>
> iptables -A lan2-in -i eth2 -p udp --dport 67 -j ACCEPT
> iptables -A lan2-in -i eth2 -s 192.168.2.0/24 -j ACCEPT
> iptables -A lan2-in -i eth2 -j DROP
>
> iptables -A lan2-lan1-fwd -i eth2 -o eth1 -j ACCEPT
> iptables -A lan2-lan1-fwd -i eth2 -o eth1 -j DROP
>
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/16 -j MASQUERADE

Well, aside from my very first comment above, I can't see anything else which 
I'd expect to cause your problem, so the best thing might be to add a LOGging 
rule just before the DROP rule in each of your lan1-lan2-fwd and 
lan2-lan1-fwd chains so you can see if anything's being blocked...
 

Antony.

-- 

Anything that improbable is effectively impossible.

 - Murray Gell-Mann, Nobel Prizewinner in Physics


^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: DHCRELAY through IPTABLES Firewall
  2002-10-28 10:54         ` Antony Stone
@ 2002-10-28 11:26           ` bigman
  2002-10-28 11:39             ` Antony Stone
  0 siblings, 1 reply; 18+ messages in thread
From: bigman @ 2002-10-28 11:26 UTC (permalink / raw)
  To: Antony Stone, netfilter

my comments for each question are in BOLD... thanks for all of the help.


----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.netfilter.org>
Sent: Monday, October 28, 2002 5:54 AM
Subject: Re: DHCRELAY through IPTABLES Firewall


> On Monday 28 October 2002 10:36 am, bigman@monster-solutions.net wrote:
>
> > iptables -N lan1-in
> > iptables -N ext-int-in
> > iptables -N lan2-in
> > iptables -N lan1-lan2-fwd
> > iptables -N lan2-lan1-fwd
> > iptables -N ext-int-fwd
> > iptables -N lan1-ext-fwd
> > iptables -N lan2-ext-fwd
> > iptables -N lan1-lan2
> >
> > iptables -A INPUT -i eth1 -j lan1-in
> > iptables -A INPUT -i eth0 -j ext-int-in
> > iptables -A INPUT -i eth2 -j lan2-in
> >
> > iptables -A FORWARD -i eth1 -o eth2 -j lan1-lan2-fwd
> > iptables -A FORWARD -i eth2 -o eth2 -j lan2-lan1-fwd
>
> I don't like the look of that rule !
IT SHOULD BE -O ETH1 AND NOT -O ETH2

>
> > iptables -A FORWARD -i eth0 -j ext-int-fwd
> > iptables -A FORWARD -i eth1 -j lan1-ext-fwd
> > iptables -A FORWARD -i eth2 -j lan2-ext-fwd
> >
> > iptables -A OUTPUT -o eth2 -j lan1-lan2
>
> That seems like a strange name to use, but okay....
>
> > iptables -A OUTPUT -o eth0 -j ACCEPT
> > iptables -A OUTPUT -s 192.168.1.0/24 -j ACCEPT
>
> Presumably that rule is the one which allows packets from the firewall to
> eth1, since you don't have another rule specifically for that ?
>
> > iptables -A OUTPUT -p tcp -d x.x.x.x (ISP Assigned IP) -j ACCEPT
>
> What is this destination address ?   (No, I don't mean tell me what it is
> numerically, I mean tell me which machine it belongs to and why you might
be
> sending packets there from your firewall.)

THIS IS JUST FOR MY OWN TESTING IS ALL.....
>
> > iptables -A ext-int-fwd -i eth0 -m state --state RELATED,ESTABLISHED -j
> > ACCEPT
> > iptables -A ext-int-fwd -i eth0 -j DROP
>
> Why are you specifying -i eth0 in these rules ?   If a packet didn't come
in
> through eth0 it wouldn't get as far as the ext-int-fwd chain....

VERY VALID POINT!!!

>
> > iptables -A ext-int-in -i eth0 -m state --state RELATED,ESTABLISHED -j
> > ACCEPT
> > iptables -A ext-int-in -i eth0 -j DROP
>
> Same comment again - why bother to specify -i eth0 ?
>
> In fact, I'd make the same comment for virtually all the following rules.
> You've already specified the input & output interfaces when selecting the
> packets to go to these chains, so why do it all again ?
>
> > iptables -A lan1-ext-fwd -i eth1 -m state --state
NEW,RELATED,ESTABLISHED
> > -j ACCEPT
> > iptables -A lan1-ext-fwd -i eth1 -j DROP
> >
> > iptables -A lan1-in -i eth1 -s 192.168.1.0/24 -j ACCEPT
> > iptables -A lan1-in -i eth1 -j DROP
> >
> > iptables -A lan1-lan2 -p udp -o eth2 --dport 68 -j ACCEPT
> > iptables -A lan1-lan2 -o eth2 -d 192.168.2.0/24 -m state --state
> > RELATED,ESTABLISHED -j ACCEPT
> > iptables -A lan1-lan2 -j DROP
> >
> > iptables -A lan1-lan2-fwd -o eth2 -d 192.168.2.0/24 -m state --state
> > RELATED,ESTABLISHED -j ACCEPT
> > iptables -A lan1-lan2-fwd -o eth2 -j DROP
> >
> > iptables -A lan2-ext-fwd -i eth2 -m state --state
NEW,RELATED,ESTABLISHED
> > -j ACCEPT
> > iptables -A lan2-ext-fwd -i eth2 -j DROP
> >
> > iptables -A lan2-in -i eth2 -p udp --dport 67 -j ACCEPT
> > iptables -A lan2-in -i eth2 -s 192.168.2.0/24 -j ACCEPT
> > iptables -A lan2-in -i eth2 -j DROP
> >
> > iptables -A lan2-lan1-fwd -i eth2 -o eth1 -j ACCEPT
> > iptables -A lan2-lan1-fwd -i eth2 -o eth1 -j DROP
> >
> > iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/16 -j MASQUERADE
>
> Well, aside from my very first comment above, I can't see anything else
which
> I'd expect to cause your problem, so the best thing might be to add a
LOGging
> rule just before the DROP rule in each of your lan1-lan2-fwd and
> lan2-lan1-fwd chains so you can see if anything's being blocked...

SO DHCRELAY WILL USE FORWARDING INSTEAD OF OUTPUT AND INPUT FOR IT TO WORK?


>
>
> Antony.
>
> --
>
> Anything that improbable is effectively impossible.
>
>  - Murray Gell-Mann, Nobel Prizewinner in Physics
>



^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: DHCRELAY through IPTABLES Firewall
  2002-10-28 11:26           ` bigman
@ 2002-10-28 11:39             ` Antony Stone
  2002-10-29  7:37               ` bigman
  0 siblings, 1 reply; 18+ messages in thread
From: Antony Stone @ 2002-10-28 11:39 UTC (permalink / raw)
  To: netfilter

On Monday 28 October 2002 11:26 am, bigman@monster-solutions.net wrote:

> my comments for each question are in BOLD... thanks for all of the help.

> > > iptables -A FORWARD -i eth2 -o eth2 -j lan2-lan1-fwd
> >
> > I don't like the look of that rule !
>
> IT SHOULD BE -O ETH1 AND NOT -O ETH2

I know.   I just thought you should check whether this was a typo in your 
email, or a typo in the original script...

> > the best thing might be to add a LOGging
> > rule just before the DROP rule in each of your lan1-lan2-fwd and
> > lan2-lan1-fwd chains so you can see if anything's being blocked...
>
> SO DHCRELAY WILL USE FORWARDING INSTEAD OF OUTPUT AND INPUT FOR IT TO WORK?

No, sorry, I should have suggested adding the LOGging rules to the chains 
lan1-in lan2-in and lan1-lan2.

You are correct that dhcrelay is supposed to pick up broadcasts on the source 
network (which will come in to the firewall via the INPUT chain) and the 
dhcrelay application then generates its own packet to send to the dhcp server 
(which will go out via the OUTPUT chain).

Replies should come back in from the dhcp server through the INPUT chain, and 
then go back out to the original client through the OUTPUT chain.

No packets are expected to be FORWARDed (routed).

Antony.

-- 

KDE 3.0.3 contains an important fix for handling SSL certificates.  Users of 
Internet Explorer, which suffers from the same problem but which
does not yet have a fix available, are also encouraged to switch to KDE 3.0.3.

http://www.kde.org/announcements/announce-3.0.3.html


^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: DHCRELAY through IPTABLES Firewall
  2002-10-28 11:39             ` Antony Stone
@ 2002-10-29  7:37               ` bigman
  2002-10-29  9:15                 ` Antony Stone
  2002-10-29 10:02                 ` bigman
  0 siblings, 2 replies; 18+ messages in thread
From: bigman @ 2002-10-29  7:37 UTC (permalink / raw)
  To: Antony Stone, netfilter

here is how I ended up fixing my problem. However I have just discovered it
only works with one client. When I try to get another client to obtain an IP
it does not work. Any ideas? Is DNAT limiting me on one MAC to pass through
or something? I am lost here.


1)    turned off DHCPD and DHCRELAY on firewall
2)    iptables -t nat -A PREROUTING -i eth2 -p udp --dport 67 -j
DNAT --to-destination 192.168.1.70
3)    iptables -A FORWARD -p udp -m multiport --dport 67,68 -j ACCEPT

----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.netfilter.org>
Sent: Monday, October 28, 2002 6:39 AM
Subject: Re: DHCRELAY through IPTABLES Firewall


> On Monday 28 October 2002 11:26 am, bigman@monster-solutions.net wrote:
>
> > my comments for each question are in BOLD... thanks for all of the help.
>
> > > > iptables -A FORWARD -i eth2 -o eth2 -j lan2-lan1-fwd
> > >
> > > I don't like the look of that rule !
> >
> > IT SHOULD BE -O ETH1 AND NOT -O ETH2
>
> I know.   I just thought you should check whether this was a typo in your
> email, or a typo in the original script...
>
> > > the best thing might be to add a LOGging
> > > rule just before the DROP rule in each of your lan1-lan2-fwd and
> > > lan2-lan1-fwd chains so you can see if anything's being blocked...
> >
> > SO DHCRELAY WILL USE FORWARDING INSTEAD OF OUTPUT AND INPUT FOR IT TO
WORK?
>
> No, sorry, I should have suggested adding the LOGging rules to the chains
> lan1-in lan2-in and lan1-lan2.
>
> You are correct that dhcrelay is supposed to pick up broadcasts on the
source
> network (which will come in to the firewall via the INPUT chain) and the
> dhcrelay application then generates its own packet to send to the dhcp
server
> (which will go out via the OUTPUT chain).
>
> Replies should come back in from the dhcp server through the INPUT chain,
and
> then go back out to the original client through the OUTPUT chain.
>
> No packets are expected to be FORWARDed (routed).
>
> Antony.
>
> --
>
> KDE 3.0.3 contains an important fix for handling SSL certificates.  Users
of
> Internet Explorer, which suffers from the same problem but which
> does not yet have a fix available, are also encouraged to switch to KDE
3.0.3.
>
> http://www.kde.org/announcements/announce-3.0.3.html
>



^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: DHCRELAY through IPTABLES Firewall
  2002-10-29  7:37               ` bigman
@ 2002-10-29  9:15                 ` Antony Stone
  2002-10-29 11:20                   ` bigman
  2002-10-29 10:02                 ` bigman
  1 sibling, 1 reply; 18+ messages in thread
From: Antony Stone @ 2002-10-29  9:15 UTC (permalink / raw)
  To: netfilter

On Tuesday 29 October 2002 7:37 am, bigman@monster-solutions.net wrote:

> here is how I ended up fixing my problem. However I have just discovered it
> only works with one client. When I try to get another client to obtain an
> IP it does not work. Any ideas? Is DNAT limiting me on one MAC to pass
> through or something? I am lost here.

Please can you confirm whether this works at all for a client which does not 
have an IP address to start with (ie it's not a renewal, or a request for the 
last IP address it had).   I don't see how it can work for a totally clean 
client.

> 1)    turned off DHCPD and DHCRELAY on firewall
> 2)    iptables -t nat -A PREROUTING -i eth2 -p udp --dport 67 -j
> DNAT --to-destination 192.168.1.70
> 3)    iptables -A FORWARD -p udp -m multiport --dport 67,68 -j ACCEPT

Okay, what this is doing is taking the original client's DHCP request, which 
has the following characteristics:
Source IP address = 0.0.0.0
Destination IP address = 0.0.0.0
Source MAC address = client's mac address
Destinaton MAC address = FF:FF:FF:FF:FF:FF

The broadcast MAC address means it gets to your firewall.

The PREROUTING rule then sets a destination IP address, and the normal 
routing system of Linux gives it a source MAC address = your Firewall, and a 
destination MAC address = the DHCP server.

The request gets to the server, it allocates an IP address based on the MAC 
address of your firewall (because that's where the local packet came from; 
remember MAC addresses only work within physical subnets), and sends the 
response back again.

The response has:
Source IP address = 192.168.1.70
Destination IP address = assigned DHCP address
Source MAC address = DHCP server
Destination MAC address = Firewall

Therefore the firewall receives the packet (because of the destination MAC 
address), forwards the packet on to the destination IP address (because of 
your rule 3), and the client gets an IP address.

The bit which I don't think can work unless the client already had an IP 
address (and the request was just a renewal, or a check that it could have 
the last IP address it had used again), is when the firewall sends the 
response back to the client, because unless the client responds to an ARP 
request from the firewall, how does the firewall know which MAC address to 
send the answer back to ?

I can say that this is definitely not the asnwer to your problem, because 
DHCP requests & responses with definitely break across a router (such as a 
netfilter firewall) simply because of what happens to the MAC addresses.

If you want to allocate addresses on one subnet from a DHCP server on another 
subnet you must use DHCRELAY.

Antony.

-- 

It is also possible that putting the birds in a laboratory setting
inadvertently renders them relatively incompetent.

 - Daniel C Dennett


^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: DHCRELAY through IPTABLES Firewall
  2002-10-29  7:37               ` bigman
  2002-10-29  9:15                 ` Antony Stone
@ 2002-10-29 10:02                 ` bigman
  2002-10-29 10:29                   ` Antony Stone
  1 sibling, 1 reply; 18+ messages in thread
From: bigman @ 2002-10-29 10:02 UTC (permalink / raw)
  To: bigman, Antony Stone, netfilter

and I have also looked into this further by putting a sniffer on my DHCP
server. I see the request come in from the system that is getting an IP
successfully, but I never see a request from the system that is failing.
Both systems are on the same subnet so they should be using the same
netfilter rules.

----- Original Message -----
From: <bigman@monster-solutions.net>
To: "Antony Stone" <Antony@Soft-Solutions.co.uk>;
<netfilter@lists.netfilter.org>
Sent: Tuesday, October 29, 2002 2:37 AM
Subject: Re: DHCRELAY through IPTABLES Firewall


> here is how I ended up fixing my problem. However I have just discovered
it
> only works with one client. When I try to get another client to obtain an
IP
> it does not work. Any ideas? Is DNAT limiting me on one MAC to pass
through
> or something? I am lost here.
>
>
> 1)    turned off DHCPD and DHCRELAY on firewall
> 2)    iptables -t nat -A PREROUTING -i eth2 -p udp --dport 67 -j
> DNAT --to-destination 192.168.1.70
> 3)    iptables -A FORWARD -p udp -m multiport --dport 67,68 -j ACCEPT
>
> ----- Original Message -----
> From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
> To: <netfilter@lists.netfilter.org>
> Sent: Monday, October 28, 2002 6:39 AM
> Subject: Re: DHCRELAY through IPTABLES Firewall
>
>
> > On Monday 28 October 2002 11:26 am, bigman@monster-solutions.net wrote:
> >
> > > my comments for each question are in BOLD... thanks for all of the
help.
> >
> > > > > iptables -A FORWARD -i eth2 -o eth2 -j lan2-lan1-fwd
> > > >
> > > > I don't like the look of that rule !
> > >
> > > IT SHOULD BE -O ETH1 AND NOT -O ETH2
> >
> > I know.   I just thought you should check whether this was a typo in
your
> > email, or a typo in the original script...
> >
> > > > the best thing might be to add a LOGging
> > > > rule just before the DROP rule in each of your lan1-lan2-fwd and
> > > > lan2-lan1-fwd chains so you can see if anything's being blocked...
> > >
> > > SO DHCRELAY WILL USE FORWARDING INSTEAD OF OUTPUT AND INPUT FOR IT TO
> WORK?
> >
> > No, sorry, I should have suggested adding the LOGging rules to the
chains
> > lan1-in lan2-in and lan1-lan2.
> >
> > You are correct that dhcrelay is supposed to pick up broadcasts on the
> source
> > network (which will come in to the firewall via the INPUT chain) and the
> > dhcrelay application then generates its own packet to send to the dhcp
> server
> > (which will go out via the OUTPUT chain).
> >
> > Replies should come back in from the dhcp server through the INPUT
chain,
> and
> > then go back out to the original client through the OUTPUT chain.
> >
> > No packets are expected to be FORWARDed (routed).
> >
> > Antony.
> >
> > --
> >
> > KDE 3.0.3 contains an important fix for handling SSL certificates.
Users
> of
> > Internet Explorer, which suffers from the same problem but which
> > does not yet have a fix available, are also encouraged to switch to KDE
> 3.0.3.
> >
> > http://www.kde.org/announcements/announce-3.0.3.html
> >
>
>



^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: DHCRELAY through IPTABLES Firewall
  2002-10-29 10:02                 ` bigman
@ 2002-10-29 10:29                   ` Antony Stone
  2002-10-29 11:44                     ` bigman
  0 siblings, 1 reply; 18+ messages in thread
From: Antony Stone @ 2002-10-29 10:29 UTC (permalink / raw)
  To: netfilter

On Tuesday 29 October 2002 10:02 am, bigman@monster-solutions.net wrote:

> and I have also looked into this further by putting a sniffer on my DHCP
> server. I see the request come in from the system that is getting an IP
> successfully, but I never see a request from the system that is failing.
> Both systems are on the same subnet so they should be using the same
> netfilter rules.

Would I be right in guessing that the system which works already has a DHCP 
address, and is either renewing it (before its lease runs out) or is 
requesting the same address again (after the lease has run out), whereas the 
system which fails has never had a DHCP address and is trying to get one for 
the first time ?

Antony.

-- 

If the human brain were so simple that we could understand it,
we'd be so simple that we couldn't.


^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: DHCRELAY through IPTABLES Firewall
  2002-10-29  9:15                 ` Antony Stone
@ 2002-10-29 11:20                   ` bigman
  2002-10-29 13:03                     ` Antony Stone
  0 siblings, 1 reply; 18+ messages in thread
From: bigman @ 2002-10-29 11:20 UTC (permalink / raw)
  To: Antony Stone, netfilter

below is what gets logged when using DHCRELAY. It looks like it will work
but then I never see the request from the 192.168.2.69 (firewall) hit the
DHCP server which I am running a sniffer on. I must be making this harder
then it should be. Can you provide me with the steps to get DHCRELAY working
across different subnets. I really appreciate all of the help.

Oct 29 07:13:12 firewall kernel: IN=eth2 OUT=
MAC=ff:ff:ff:ff:ff:ff:08:00:09:f1:b2:ba:08:00 SRC=0.0.0.0
DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=8523 PROTO=UDP
SPT=68 DPT=67 LEN=308
Oct 29 07:13:12 firewall kernel: IN= OUT=eth2 SRC=192.168.2.69
DST=192.168.1.70 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67
DPT=67 LEN=308
Oct 29 07:13:27 firewall kernel: IN=eth2 OUT=
MAC=ff:ff:ff:ff:ff:ff:08:00:09:f1:b2:ba:08:00 SRC=0.0.0.0
DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=8537 PROTO=UDP
SPT=68 DPT=67 LEN=308
Oct 29 07:13:27 firewall kernel: IN= OUT=eth2 SRC=192.168.2.69
DST=192.168.1.70 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67
DPT=67 LEN=308


----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.netfilter.org>
Sent: Tuesday, October 29, 2002 4:15 AM
Subject: Re: DHCRELAY through IPTABLES Firewall


> On Tuesday 29 October 2002 7:37 am, bigman@monster-solutions.net wrote:
>
> > here is how I ended up fixing my problem. However I have just discovered
it
> > only works with one client. When I try to get another client to obtain
an
> > IP it does not work. Any ideas? Is DNAT limiting me on one MAC to pass
> > through or something? I am lost here.
>
> Please can you confirm whether this works at all for a client which does
not
> have an IP address to start with (ie it's not a renewal, or a request for
the
> last IP address it had).   I don't see how it can work for a totally clean
> client.
>
> > 1)    turned off DHCPD and DHCRELAY on firewall
> > 2)    iptables -t nat -A PREROUTING -i eth2 -p udp --dport 67 -j
> > DNAT --to-destination 192.168.1.70
> > 3)    iptables -A FORWARD -p udp -m multiport --dport 67,68 -j ACCEPT
>
> Okay, what this is doing is taking the original client's DHCP request,
which
> has the following characteristics:
> Source IP address = 0.0.0.0
> Destination IP address = 0.0.0.0
> Source MAC address = client's mac address
> Destinaton MAC address = FF:FF:FF:FF:FF:FF
>
> The broadcast MAC address means it gets to your firewall.
>
> The PREROUTING rule then sets a destination IP address, and the normal
> routing system of Linux gives it a source MAC address = your Firewall, and
a
> destination MAC address = the DHCP server.
>
> The request gets to the server, it allocates an IP address based on the
MAC
> address of your firewall (because that's where the local packet came from;
> remember MAC addresses only work within physical subnets), and sends the
> response back again.
>
> The response has:
> Source IP address = 192.168.1.70
> Destination IP address = assigned DHCP address
> Source MAC address = DHCP server
> Destination MAC address = Firewall
>
> Therefore the firewall receives the packet (because of the destination MAC
> address), forwards the packet on to the destination IP address (because of
> your rule 3), and the client gets an IP address.
>
> The bit which I don't think can work unless the client already had an IP
> address (and the request was just a renewal, or a check that it could have
> the last IP address it had used again), is when the firewall sends the
> response back to the client, because unless the client responds to an ARP
> request from the firewall, how does the firewall know which MAC address to
> send the answer back to ?
>
> I can say that this is definitely not the asnwer to your problem, because
> DHCP requests & responses with definitely break across a router (such as a
> netfilter firewall) simply because of what happens to the MAC addresses.
>
> If you want to allocate addresses on one subnet from a DHCP server on
another
> subnet you must use DHCRELAY.
>
> Antony.
>
> --
>
> It is also possible that putting the birds in a laboratory setting
> inadvertently renders them relatively incompetent.
>
>  - Daniel C Dennett
>



^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: DHCRELAY through IPTABLES Firewall
  2002-10-29 10:29                   ` Antony Stone
@ 2002-10-29 11:44                     ` bigman
  0 siblings, 0 replies; 18+ messages in thread
From: bigman @ 2002-10-29 11:44 UTC (permalink / raw)
  To: Antony Stone, netfilter

i have removed the DNAT rule and started DHCRELAY -i eth2 192.168.1.70 and
rebooted the system that was able to get an IP via DHCP with the DNAT rule
and it was not successful after the reboot. For some reason after DHCRELAY
gets the request and tries to forward to the DHCP server it is not making
it.

----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.netfilter.org>
Sent: Tuesday, October 29, 2002 5:29 AM
Subject: Re: DHCRELAY through IPTABLES Firewall


> On Tuesday 29 October 2002 10:02 am, bigman@monster-solutions.net wrote:
>
> > and I have also looked into this further by putting a sniffer on my DHCP
> > server. I see the request come in from the system that is getting an IP
> > successfully, but I never see a request from the system that is failing.
> > Both systems are on the same subnet so they should be using the same
> > netfilter rules.
>
> Would I be right in guessing that the system which works already has a
DHCP
> address, and is either renewing it (before its lease runs out) or is
> requesting the same address again (after the lease has run out), whereas
the
> system which fails has never had a DHCP address and is trying to get one
for
> the first time ?
>
> Antony.
>
> --
>
> If the human brain were so simple that we could understand it,
> we'd be so simple that we couldn't.
>



^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: DHCRELAY through IPTABLES Firewall
  2002-10-29 11:20                   ` bigman
@ 2002-10-29 13:03                     ` Antony Stone
  2002-10-30  0:30                       ` bigman
  0 siblings, 1 reply; 18+ messages in thread
From: Antony Stone @ 2002-10-29 13:03 UTC (permalink / raw)
  To: netfilter

On Tuesday 29 October 2002 11:20 am, bigman@monster-solutions.net wrote:

> below is what gets logged when using DHCRELAY. It looks like it will work
> but then I never see the request from the 192.168.2.69 (firewall) hit the
> DHCP server which I am running a sniffer on. I must be making this harder
> then it should be. Can you provide me with the steps to get DHCRELAY
> working across different subnets. I really appreciate all of the help.
>
> Oct 29 07:13:12 firewall kernel: IN=eth2 OUT=
> MAC=ff:ff:ff:ff:ff:ff:08:00:09:f1:b2:ba:08:00 SRC=0.0.0.0
> DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=8523 PROTO=UDP
> SPT=68 DPT=67 LEN=308

Packet comes in on eth2 with broadcast destination IP and MAC adresses, 
source IP address = 0.0.0.0

> Oct 29 07:13:12 firewall kernel: IN= OUT=eth2 SRC=192.168.2.69
> DST=192.168.1.70 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67
> DPT=67 LEN=308

The the firewall sends a packet from its own IP address 192.168.2.69 to the 
DHCP server 192.168.1.70 on *eth2* !!!

Why ?

> Oct 29 07:13:27 firewall kernel: IN=eth2 OUT=
> MAC=ff:ff:ff:ff:ff:ff:08:00:09:f1:b2:ba:08:00 SRC=0.0.0.0
> DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=8537 PROTO=UDP
> SPT=68 DPT=67 LEN=308

DHCP client hasn't had an answer within 15 seconds so it asks again.

> Oct 29 07:13:27 firewall kernel: IN= OUT=eth2 SRC=192.168.2.69
> DST=192.168.1.70 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67
> DPT=67 LEN=308

Firewall sends the request to 192.168.1.70 out of the wrong interface again.

Antony.

-- 

Normal people think "if it ain't broke, don't fix it".
Engineers think "if it ain't broke, it doesn't have enough features yet".


^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: DHCRELAY through IPTABLES Firewall
  2002-10-29 13:03                     ` Antony Stone
@ 2002-10-30  0:30                       ` bigman
  2002-10-30  0:41                         ` Antony Stone
  0 siblings, 1 reply; 18+ messages in thread
From: bigman @ 2002-10-30  0:30 UTC (permalink / raw)
  To: Antony Stone, netfilter

when I run DHCRELAY -i eth2 it tells me that it is listening on eth2 and
sending on eth2. I assume this is wrong? how do I fix it? is it my routing
table?

----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.netfilter.org>
Sent: Tuesday, October 29, 2002 8:03 AM
Subject: Re: DHCRELAY through IPTABLES Firewall


> On Tuesday 29 October 2002 11:20 am, bigman@monster-solutions.net wrote:
>
> > below is what gets logged when using DHCRELAY. It looks like it will
work
> > but then I never see the request from the 192.168.2.69 (firewall) hit
the
> > DHCP server which I am running a sniffer on. I must be making this
harder
> > then it should be. Can you provide me with the steps to get DHCRELAY
> > working across different subnets. I really appreciate all of the help.
> >
> > Oct 29 07:13:12 firewall kernel: IN=eth2 OUT=
> > MAC=ff:ff:ff:ff:ff:ff:08:00:09:f1:b2:ba:08:00 SRC=0.0.0.0
> > DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=8523 PROTO=UDP
> > SPT=68 DPT=67 LEN=308
>
> Packet comes in on eth2 with broadcast destination IP and MAC adresses,
> source IP address = 0.0.0.0
>
> > Oct 29 07:13:12 firewall kernel: IN= OUT=eth2 SRC=192.168.2.69
> > DST=192.168.1.70 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
SPT=67
> > DPT=67 LEN=308
>
> The the firewall sends a packet from its own IP address 192.168.2.69 to
the
> DHCP server 192.168.1.70 on *eth2* !!!
>
> Why ?
>
> > Oct 29 07:13:27 firewall kernel: IN=eth2 OUT=
> > MAC=ff:ff:ff:ff:ff:ff:08:00:09:f1:b2:ba:08:00 SRC=0.0.0.0
> > DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=8537 PROTO=UDP
> > SPT=68 DPT=67 LEN=308
>
> DHCP client hasn't had an answer within 15 seconds so it asks again.
>
> > Oct 29 07:13:27 firewall kernel: IN= OUT=eth2 SRC=192.168.2.69
> > DST=192.168.1.70 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
SPT=67
> > DPT=67 LEN=308
>
> Firewall sends the request to 192.168.1.70 out of the wrong interface
again.
>
> Antony.
>
> --
>
> Normal people think "if it ain't broke, don't fix it".
> Engineers think "if it ain't broke, it doesn't have enough features yet".
>



^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: DHCRELAY through IPTABLES Firewall
  2002-10-30  0:30                       ` bigman
@ 2002-10-30  0:41                         ` Antony Stone
  2002-10-30  7:15                           ` bigman
  0 siblings, 1 reply; 18+ messages in thread
From: Antony Stone @ 2002-10-30  0:41 UTC (permalink / raw)
  To: netfilter

On Wednesday 30 October 2002 12:30 am, bigman@monster-solutions.net wrote:

> when I run DHCRELAY -i eth2 it tells me that it is listening on eth2 and
> sending on eth2. I assume this is wrong?

Sounds wrong to me.   Sounds kinda pointless to me.   If you wanted the 
requests to go out on the same network they came in on, you wouldn't need a 
relay....

> how do I fix it? is it my routing table?

Could be - what does your routing table say ?

My copy of "man dhcrelay" says:

dhcrelay [ -p port ] [ -d ] [ -q ] [ -i if0 [ ...  -i ifN ] ] server0
    [ ...serverN ]

The DHCP Relay Agent listens for DHCP requests on all interfaces attached to 
a host, unless one or more  interfaces  are specified on the command line 
with the -i flag.

When a query is received, dhcrelay forwards it to the list of DHCP servers 
specified on the command line.   When a reply is received, it is broadcast or 
unicast on the network from whence the original request came.

Therefore I think your command should be:

dhcrelay -i eth2 192.168.1.70

If this sends packets to 192.168.1.70 out of eth2, try pinging 192.168.1.70 
and see where the packets come out of then.

Antony.

-- 

In science, one tries to tell people
in such a way as to be understood by everyone
something that no-one ever knew before.

In poetry, it is the exact opposite.

 - Paul Dirac


^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: DHCRELAY through IPTABLES Firewall
  2002-10-30  0:41                         ` Antony Stone
@ 2002-10-30  7:15                           ` bigman
  0 siblings, 0 replies; 18+ messages in thread
From: bigman @ 2002-10-30  7:15 UTC (permalink / raw)
  To: Antony Stone, netfilter

I fixed my problem. I downloaded the newest source code and compiled it and
ran DHCRELAY -i eth1 -i eth2 192.168.1.70 and now it is working. Thanks for
all of the help.

----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.netfilter.org>
Sent: Tuesday, October 29, 2002 7:41 PM
Subject: Re: DHCRELAY through IPTABLES Firewall


> On Wednesday 30 October 2002 12:30 am, bigman@monster-solutions.net wrote:
>
> > when I run DHCRELAY -i eth2 it tells me that it is listening on eth2 and
> > sending on eth2. I assume this is wrong?
>
> Sounds wrong to me.   Sounds kinda pointless to me.   If you wanted the
> requests to go out on the same network they came in on, you wouldn't need
a
> relay....
>
> > how do I fix it? is it my routing table?
>
> Could be - what does your routing table say ?
>
> My copy of "man dhcrelay" says:
>
> dhcrelay [ -p port ] [ -d ] [ -q ] [ -i if0 [ ...  -i ifN ] ] server0
>     [ ...serverN ]
>
> The DHCP Relay Agent listens for DHCP requests on all interfaces attached
to
> a host, unless one or more  interfaces  are specified on the command line
> with the -i flag.
>
> When a query is received, dhcrelay forwards it to the list of DHCP servers
> specified on the command line.   When a reply is received, it is broadcast
or
> unicast on the network from whence the original request came.
>
> Therefore I think your command should be:
>
> dhcrelay -i eth2 192.168.1.70
>
> If this sends packets to 192.168.1.70 out of eth2, try pinging
192.168.1.70
> and see where the packets come out of then.
>
> Antony.
>
> --
>
> In science, one tries to tell people
> in such a way as to be understood by everyone
> something that no-one ever knew before.
>
> In poetry, it is the exact opposite.
>
>  - Paul Dirac
>



^ permalink raw reply	[flat|nested] 18+ messages in thread

end of thread, other threads:[~2002-10-30  7:15 UTC | newest]

Thread overview: 18+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2002-10-27  4:33 DHCRELAY through IPTABLES Firewall bigman
2002-10-27  8:09 ` Antony Stone
2002-10-27  8:58   ` bigman
2002-10-28  8:49     ` Antony Stone
2002-10-28 10:36       ` bigman
2002-10-28 10:54         ` Antony Stone
2002-10-28 11:26           ` bigman
2002-10-28 11:39             ` Antony Stone
2002-10-29  7:37               ` bigman
2002-10-29  9:15                 ` Antony Stone
2002-10-29 11:20                   ` bigman
2002-10-29 13:03                     ` Antony Stone
2002-10-30  0:30                       ` bigman
2002-10-30  0:41                         ` Antony Stone
2002-10-30  7:15                           ` bigman
2002-10-29 10:02                 ` bigman
2002-10-29 10:29                   ` Antony Stone
2002-10-29 11:44                     ` bigman

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.