* Redirect DHCP requests to DMZ?
From: Carsten Maass @ 2003-04-23 10:08 UTC (permalink / raw)
  To: netfilter

Hello List!

My network layout looks like this:


Local LAN (192.168.20.*)
     |
     |
   Switch
     |
     |
Router/Firewall ---- DMZ (192.168.21.*)
     |
     |
     |
  Internet


Everything runs smoothly, except for one thing: I am unable to redirect 
DHCP requests from the clients on the local LAN to the DHCP server inside 
the DMZ.

So my question is: How can I accomplish this task? Is it at all possible 
to redirect broadcasts from one subnet to another with the help of iptables?

I tried the following rules, but they didn't work out:

$IPTABLES -A FORWARD -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p UDP -i $LAN_IFACE -d 255.255.255.255 \
    --dport 67 -j DNAT --to-destination $DMZ_DHCP_IP

I am running iptables v1.2.6a with kernel 2.4.20 on Debian GNU/Linux 3.0.

Any hint would be highly appreciated.

Thanks in advance,
Carsten.





* Re: Redirect DHCP requests to DMZ?
From: Cedric Blancher @ 2003-04-23 12:19 UTC (permalink / raw)
  To: netfilter

On Wed 23/04/2003 at 12:08, Carsten Maass wrote:
> Local LAN (192.168.20.*)
>      |
>      |
>    Switch
>      |
>      |
> Router/Firewall ---- DMZ (192.168.21.*)
>      |
>      |
>      |
>   Internet
>
> Everything runs smoothly, except for one thing: I am unable to
> redirect DHCP requests from the clients on the local LAN to the DHCP
> server inside the DMZ.

You'll achieve this by setting up a DHCP relay. Due to what they are, DHCP
packets cannot be routed through different IP networks (mainly because
of the destination addresses that are used).

But this kind of setup is not secure. If someone breaks into your DMZ,
he will be able to get your LAN's configuration, and even tamper with it,
acting on DHCP stuff. That's _very bad_. A DMZ compromise must not
endanger the rest of the network's security.

-- 
Cédric Blancher  <blancher@cartel-securite.fr>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE



* Re: Redirect DHCP requests to DMZ?
From: Arnt Karlsen @ 2003-04-23 16:21 UTC (permalink / raw)
  To: netfilter

On 23 Apr 2003 14:19:13 +0200, 
Cedric Blancher <blancher@cartel-securite.fr> wrote in message 
<1051100353.12295.96.camel@elendil.intranet.cartel-securite.net>:

> On Wed 23/04/2003 at 12:08, Carsten Maass wrote:
> > Local LAN (192.168.20.*)
> >      |
> >      |
> >    Switch
> >      |
> >      |
> > Router/Firewall ---- DMZ (192.168.21.*)
> >      |
> >      |
> >      |
> >   Internet
> >
> > Everything runs smoothly, except for one thing: I am unable to
> > redirect DHCP requests from the clients on the local LAN to the DHCP
> > server inside the DMZ.
> 
> You'll achieve this by setting up a DHCP relay. Due to what they are,
> DHCP packets cannot be routed through different IP networks (mainly
> because of the destination addresses that are used).
> 
> But this kind of setup is not secure. If someone breaks into your DMZ,
> he will be able to get your LAN's configuration, and even tamper with it,
> acting on DHCP stuff. That's _very bad_. A DMZ compromise must not
> endanger the rest of the network's security.
> 

..to put it short: get that DHCP server out of your DMZ box 
and into a LAN box (or maybe the firewall).  

..the DMZ is _only_ for stuff you want me, Saddam, Osama bin Laden, 
Bill Gates, the script kiddies and the FBI to see.  Here, I speak 
with authority; none of us needs your DHCP server.  ;-)

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.





* Re: Redirect DHCP requests to DMZ?
From: Carsten Maass @ 2003-04-23 16:58 UTC (permalink / raw)
  To: netfilter

Hi Cedric!

Cedric Blancher wrote:
>> redirect DHCP requests from the clients on the local LAN to the DHCP
>> server inside the DMZ.
> 
> You'll achieve this by setting up a DHCP relay. Due to what they are, DHCP
> packets cannot be routed through different IP networks (mainly because
> of the destination addresses that are used).

This is exactly what I don't understand: what are they? After all, they 
are just IP packets. And if I am able to apply to them a rule like

$IPTABLES -A INPUT -p UDP -i $INET_IFACE -d 255.255.255.255 \
    --destination-port 67:68 -j DROP

which discards them, why am I unable to apply a rule which redirects 
them to another subnet's interface? Shouldn't the DNAT thingy take care 
of the new destination address?

Yes, a DHCP relay would be a solution, but I opted against it. I am 
trying to keep the router/firewall as (c)lean as possible: just routing, 
firewall and ssh stuff.

> But this kind of setup is not secure. If someone breaks into your DMZ,
> he will be able to get your LAN's configuration, and even tamper with it,
> acting on DHCP stuff. That's _very bad_. A DMZ compromise must not
> endanger the rest of the network's security.

Right you are. But our setup was a compromise between money and 
security: Another server is just not affordable at the moment.

But you make me consider whether it wouldn't be better to convince our 
Windows admin to let go of his DHCP idea. The administrative overhead of a 
static client setup might be a better price to pay, considering the 
security impact of the current setup. On the other hand, I am also eager 
to find out why this doesn't work out as expected.


Thank you for your answer,
Carsten.




* Re: Redirect DHCP requests to DMZ?
From: Carsten Maass @ 2003-04-23 17:47 UTC (permalink / raw)
  To: netfilter

Arnt Karlsen wrote:
> 
> ..to put it short: get that DHCP server out of your DMZ box 
> and into a LAN box (or maybe the firewall).  
> 
> ..the DMZ is _only_ for stuff you want me, Saddam, Osama bin Laden, 
> Bill Gates, the script kiddies and the FBI to see.  Here, I speak 
> with authority; none of us needs your DHCP server.  ;-)

Hey, who said you don't need our DHCP server? I raised it with love, 
since it was just a little Debian package! It has very good manners, and 
I taught him to respect every legal request, no matter from which OS it 
came. :-)

But seriously: I got your point and will reconsider our network layout.

Thank you for your advice,
Carsten.





* Re: Redirect DHCP requests to DMZ?
From: Jesper Lund @ 2003-04-23 17:58 UTC (permalink / raw)
  To: Carsten Maass; +Cc: netfilter

> This is exactly what I don't understand: what are they? After all, they
> are just IP packets. And if I am able to apply to them a rule like
>
> $IPTABLES -A INPUT -p UDP -i $INET_IFACE -d 255.255.255.255 \
>     --destination-port 67:68 -j DROP
>
> which discards them, why am I unable to apply a rule which redirects
> them to another subnet's interface? Shouldn't the DNAT thingy take care
> of the new destination address?

If you DNAT the DHCP request, the destination IP is not a broadcast
anymore. And because of that, the DHCP server will not recognize it as a
DHCP request.

//Jesper



* Re: Redirect DHCP requests to DMZ?
From: Cedric Blancher @ 2003-04-24  9:00 UTC (permalink / raw)
  To: Carsten Maass; +Cc: netfilter

On Wed 23/04/2003 at 18:58, Carsten Maass wrote:
> which discards them, why am I unable to apply a rule which redirects 
> them to another subnet's interface? Shouldn't the DNAT thingy take care 
> of the new destination address?

Because after DNAT, it won't be broadcast anymore.

> Yes, a DHCP relay would be a solution, but I opted against it. I am 
> trying to keep the router/firewall as (c)lean as possible: just routing, 
> firewall and ssh stuff.

I understand this point, and, as I said below, this would be a bad idea.

> Right you are. But our setup was a compromise between money and 
> security: Another server is just not affordable at the moment.

You can just use an existing server to provide this service, as it is
very light, or even consider having it run on your firewall's internal
interface only, while waiting for a dedicated box.

> But you make me consider whether it wouldn't be better to convince our 
> Windows admin to let go of his DHCP idea. The administrative overhead of a 
> static client setup might be a better price to pay, considering the 
> security impact of the current setup.

DHCP is a good thing, to save time. But I don't like the idea of dynamic
IPs. So I configure my DHCPd to assign addresses based on MAC address, so I
have static IPs, but DHCP-distributed.

> On the other hand, I am also eager 
> to find out why this doesn't work out as expected.

Just because DHCP cannot be NATed.

-- 
Cédric Blancher  <blancher@cartel-securite.fr>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
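
The point made twice in this thread (Cedric's "you need a relay, DHCP cannot be
NATed" and Jesper's "after DNAT it is no longer a broadcast"), plus Cedric's
MAC-keyed fixed addresses, can be shown concretely with a small model of
RFC 2131 message handling. The following is an added example, not code from
the thread or from any DHCP implementation. It assumes the firewall's LAN
address is 192.168.20.1, the DMZ server is 192.168.21.10, and uses a
constructed client MAC and lease table. What it shows: the poster's DNAT rule
rewrites only the IP destination, so the request reaches the server with
giaddr still 0.0.0.0 and the server (per RFC 2131 section 4.3.1) picks the
subnet of the interface it arrived on, the DMZ. A relay agent instead writes
its LAN-side address into giaddr before unicasting, so the server selects the
LAN subnet and sends the reply back to the relay, which rebroadcasts it.

```python
"""Model of RFC 2131 DHCP handling across a router (added example, not from the thread).
Addresses, the client MAC and the host table below are constructed for illustration."""
import ipaddress
import struct

IPv4, Net = ipaddress.IPv4Address, ipaddress.IPv4Network
MAGIC = b"\x63\x82\x53\x63"                 # option magic cookie (RFC 2132)
OPT_MSG_TYPE, OPT_END, OPT_PAD = 53, 255, 0
DHCPDISCOVER = 1
ZERO, BCAST = IPv4("0.0.0.0"), IPv4("255.255.255.255")
HDR = "!BBBBIHH4s4s4s4s16s64s128s"        # fixed 236-byte BOOTP header (op..file)

# Constructed topology matching the thread's diagram (addresses are assumptions)
LAN, DMZ = Net("192.168.20.0/24"), Net("192.168.21.0/24")
FW_LAN_IP = IPv4("192.168.20.1")           # assumed firewall LAN-side address (relay giaddr)
DHCP_SERVER = IPv4("192.168.21.10")        # assumed DHCP server inside the DMZ
CLIENT_MAC = bytes.fromhex("00A0C9112233") # constructed client
HOSTS = {CLIENT_MAC: IPv4("192.168.20.50")}  # MAC -> fixed address, as Cedric's DHCPd does


def build_discover(mac: bytes, xid: int) -> bytes:
    """Client DHCPDISCOVER: BOOTREQUEST, all four address fields zero, broadcast flag set."""
    fixed = struct.pack(HDR, 1, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])


def parse(pkt: bytes) -> dict:
    """Decode the fixed header and the TLV options."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == OPT_PAD:
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
            "giaddr": IPv4(f[10]), "chaddr": f[11][:f[2]], "opts": opts}


def dnat(dgram, new_dst):
    """What the poster's DNAT rule does: rewrite only the IP destination; payload untouched."""
    src, _, payload = dgram
    return (src, new_dst, payload)


def relay(dgram, relay_ip=FW_LAN_IP, server=DHCP_SERVER):
    """What a relay agent does: giaddr := address of the interface the request
    arrived on (if still zero), hops += 1, then unicast the request to the server."""
    _, _, payload = dgram
    m = parse(payload)
    p = bytearray(payload)
    if m["giaddr"] == ZERO:
        p[24:28] = relay_ip.packed         # giaddr lives at bytes 24..27 of the header
    p[3] = m["hops"] + 1                   # hops at byte 3
    return (relay_ip, server, bytes(p))


def server_select(dgram, rx_ip, subnets=(LAN, DMZ), hosts=HOSTS):
    """Server side (RFC 2131 4.3.1): choose the subnet from giaddr, or from the
    receiving interface when giaddr is zero; then assign by MAC, unknown clients get nothing."""
    _, _, payload = dgram
    m = parse(payload)
    if m["op"] != 1 or m["opts"].get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
        return None
    anchor = m["giaddr"] if m["giaddr"] != ZERO else rx_ip
    subnet = next((s for s in subnets if anchor in s), None)
    fixed = hosts.get(m["chaddr"])
    if subnet is None or fixed is None or fixed not in subnet:
        return {"subnet": subnet, "offer": None, "reply_to": None}
    # Reply is unicast to the relay (which rebroadcasts on the LAN), else broadcast locally
    reply_to = m["giaddr"] if m["giaddr"] != ZERO else BCAST
    return {"subnet": subnet, "offer": fixed, "reply_to": reply_to}


def compare():
    """Run the same client broadcast through the DNAT path and the relay path."""
    discover = (ZERO, BCAST, build_discover(CLIENT_MAC, 0x1234))
    via_dnat = server_select(dnat(discover, DHCP_SERVER), rx_ip=DHCP_SERVER)
    via_relay = server_select(relay(discover), rx_ip=DHCP_SERVER)
    return via_dnat, via_relay


if __name__ == "__main__":
    d, r = compare()
    print("DNAT :", d)   # subnet 192.168.21.0/24 chosen, no offer for a LAN client
    print("relay:", r)   # subnet 192.168.20.0/24, offer 192.168.20.50, reply to 192.168.20.1
```

The DNAT branch shows why the poster's rules never produced a lease even
though they matched: the datagram is delivered, but nothing in it tells the
server which network the client sits on, and the server's reply would be
emitted on the DMZ. The relay branch also makes the security trade-off visible:
the server only learns the LAN's addressing because the relay tells it, and a
compromised server in the DMZ can hand that LAN any configuration it likes.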


