* Questions about DHCP firewall rules
@ 2007-05-12 1:55 Nicholas Kline
2007-05-12 4:03 ` Anatoly Y.
0 siblings, 1 reply; 4+ messages in thread
From: Nicholas Kline @ 2007-05-12 1:55 UTC (permalink / raw)
To: netfilter
Greetings,
I am in the process of learning Netfilter/IPtables. I
plan on using Netfilter/IPtables to protect my Linux
desktop computers and servers. We're talking
host-based firewalls, not one firewall protecting all
of the desktops and servers.
I have a basic question I am hoping someone on this
mailing list can answer. I am a little confused about
configuring Netfilter/IPtables on a Linux desktop
computer. Specifically, this situation:
a Linux desktop computer that is configured to use
DHCP
and configured to use the following rule:
$IPTABLES -A INPUT -s $IP_LOCAL -j LOG --log-prefix "Spoofed source IP"
$IPTABLES -A INPUT -s $IP_LOCAL -j DROP
I would like to include the previous rule as part of a
standard rule set.
From how I understand this situation, the firewall
would have to be able to automatically detect when the
computer's IP address changes, right? Manually
inputting the computer's IP address each time it
changes would get really old.
I'm using several books as references for learning
Netfilter/IPtables and they discuss implementing
"dynamic firewall scripts". In this case, a dynamic
firewall script that recognizes when the computer's IP
address changes.
So, my questions are:
1.) If I am using a computer that is configured to
obtain its IP address through DHCP, what firewall
rules do I need to set up?
2.) Additionally, how do I configure the firewall to
automatically detect changes in the computer's network
configuration (IP address change, etc.)?
Thank you for your time,
*Nick*
* Re: Questions about DHCP firewall rules
2007-05-12 1:55 Questions about DHCP firewall rules Nicholas Kline
@ 2007-05-12 4:03 ` Anatoly Y.
0 siblings, 0 replies; 4+ messages in thread
From: Anatoly Y. @ 2007-05-12 4:03 UTC (permalink / raw)
Cc: netfilter
Timestamp: Sat 12 May 2007, 11:03 +0700 (NOVT)
Nicholas Kline wrote:
> Greetings,
>
> I am in the process of learning Netfilter/IPtables. I
> plan on using Netfilter/IPtables to protect my Linux
> desktop computers and servers. We're talking
> host-based firewalls, not one firewall protecting all
> of the desktops and servers.
>
> I have a basic question I am hoping someone on this
> mailing list can answer. I am a little confused about
> configuring Netfilter/IPtables on a Linux desktop
> computer. Specifically, this situation:
>
> a Linux desktop computer that is configured to use
> DHCP
> and configured to use the following rule:
>
> $IPTABLES -A INPUT -s $IP_LOCAL -j LOG --log-prefix "Spoofed source IP"
> $IPTABLES -A INPUT -s $IP_LOCAL -j DROP
>
> I would like to include the previous rule as part of a
> standard rule set.
>
> From how I understand this situation, the firewall
> would have to be able to automatically detect when the
> computer's IP address changes, right? Manually
> inputting the computer's IP address each time it
> changes would get really old.
>
> I'm using several books as references for learning
> Netfilter/IPtables and they discuss implementing
> "dynamic firewall scripts". In this case, a dynamic
> firewall script that recognizes when the computer's IP
> address changes.
>
> So, my questions are:
>
> 1.) If I am using a computer that is configured to
> obtain its IP address through DHCP, what firewall
> rules do I need to set up?
>
> 2.) Additionally, how do I configure the firewall to
> automatically detect changes in the computer's network
> configuration (IP address change, etc.)?
Use the full prefix of all fake networks (or your only one).
-A INPUT -s 192.168.0.0/16 -j LOG .... for example.
--
Anatoly Y. aka Snelius | AY254-RIPE
* Questions about DHCP firewall rules
@ 2007-05-16 20:37 Nicholas Kline
2007-05-17 8:09 ` Elvir Kuric
0 siblings, 1 reply; 4+ messages in thread
From: Nicholas Kline @ 2007-05-16 20:37 UTC (permalink / raw)
To: netfilter
Questions about DHCP firewall rules
Greetings,
I am in the process of learning Netfilter/IPtables. I
plan on using Netfilter/IPtables to protect my Linux
desktop computers and servers. We're talking
host-based firewalls, not one firewall protecting all
of the desktops and servers.
I have a basic question I am hoping someone on this
mailing list can answer. I am a little confused about
configuring Netfilter/IPtables on a Linux desktop
computer. Specifically, this situation:
a Linux desktop computer that is configured to use
DHCP and configured to use the following rule:
$IPTABLES -A INPUT -s $IP_LOCAL -j LOG --log-prefix "Spoofed source IP"
$IPTABLES -A INPUT -s $IP_LOCAL -j DROP
I would like to include the previous rule as part of a
standard rule set.
From how I understand this situation, the firewall
would have to be able to automatically detect when the
computer's IP address changes, right? Manually
inputting the computer's IP address each time it
changes would get really old.
I'm using several books as references for learning
Netfilter/IPtables and they discuss implementing
"dynamic firewall scripts". In this case, a dynamic
firewall script that recognizes when the computer's IP
address changes.
So, my questions are:
1.) If I am using a computer that is configured to
obtain its IP address through DHCP, what firewall
rules do I need to set up?
2.) Additionally, how do I configure the firewall to
automatically detect changes in the computer's network
configuration (IP address change, etc.)?
Thank you for your time,
*Nick*
* Re: Questions about DHCP firewall rules
2007-05-16 20:37 Nicholas Kline
@ 2007-05-17 8:09 ` Elvir Kuric
0 siblings, 0 replies; 4+ messages in thread
From: Elvir Kuric @ 2007-05-17 8:09 UTC (permalink / raw)
To: Nicholas Kline; +Cc: netfilter
Hi all,
On 5/16/07, Nicholas Kline <kakster7@sbcglobal.net> wrote:
> Questions about DHCP firewall rules
>
> Greetings,
>
> I am in the process of learning Netfilter/IPtables. I
> plan on using Netfilter/IPtables to protect my Linux
> desktop computers and servers. We're talking
> host-based firewalls, not one firewall protecting all
> of the desktops and servers.
>
> I have a basic question I am hoping someone on this
> mailing list can answer. I am a little confused about
> configuring Netfilter/IPtables on a Linux desktop
> computer. Specifically, this situation:
>
> a Linux desktop computer that is configured to use
> DHCP and configured to use the following rule:
>
> $IPTABLES -A INPUT -s $IP_LOCAL -j LOG --log-prefix "Spoofed source IP"
> $IPTABLES -A INPUT -s $IP_LOCAL -j DROP
>
> I would like to include the previous rule as part of a
> standard rule set.
>
> From how I understand this situation, the firewall
> would have to be able to automatically detect when the
> computer's IP address changes, right? Manually
> inputting the computer's IP address each time it
> changes would get really old.
>
> I'm using several books as references for learning
> Netfilter/IPtables and they discuss implementing
> "dynamic firewall scripts". In this case, a dynamic
> firewall script that recognizes when the computer's IP
> address changes.
>
> So, my questions are:
>
> 1.) If I am using a computer that is configured to
> obtain its IP address through DHCP, what firewall
> rules do I need to set up?
So, you need to allow the DHCP ports that the client uses to send a request to
the server and the server uses to send an offer to the client. I do not know what
the configuration of your network is, but in case you are implementing an iptables
firewall on the client then it should look like
iptables -A INPUT -p udp --dport 68 -j ACCEPT
This will accept all messages in the INPUT chain that are destined to
port 67 ( the port that is used by the DHCP server to send replies to
clients )
DHCP uses UDP as transport protocol.
In the OUTPUT chain you probably will not have any restriction, but in
case you have, the server accepts DHCP requests on port 67.
>
> 2.) Additionally, how do I configure the firewall to
> automatically detect changes in the computers network
> configuration (IP address change, etc.)?
>
For this I think you can take that information from the DHCP server or
make some kind of logging on the iptables firewall, ...
Take a look at
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
Regards
Elvir Kuric
> Thank you for your time,
>
> *Nick*
>
>
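One concrete way to answer Nick's second question, as an added example that is not code from either poster: a dhclient exit hook that swaps the "Spoofed source IP" LOG+DROP pair whenever the leased address changes, plus the two static rules that let the DHCP exchange itself through. It assumes ISC dhclient, whose dhclient-script sources hook files with $reason, $interface, $old_ip_address and $new_ip_address set; the DRY_RUN switch, the ipt wrapper and the function names are this example's own.

```shell
# Added example, not code from the thread: a dhclient exit hook that keeps the
# poster's "Spoofed source IP" LOG+DROP pair pointed at the address DHCP last
# assigned. Assumes ISC dhclient, whose dhclient-script sources the files in
# /etc/dhcp/dhclient-exit-hooks.d/ with $reason, $interface, $old_ip_address
# and $new_ip_address set.
# Set DRY_RUN=1 to print the iptables commands instead of loading them.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# One-time rules for the static rule set (question 1): let the DHCP exchange
# through so a lease renewal is never dropped by the rules below it.
dhcp_allow_rules() {
    ipt -I INPUT 1 -i "$1" -p udp --sport 67 --dport 68 -j ACCEPT
    ipt -I OUTPUT 1 -o "$1" -p udp --sport 68 --dport 67 -j ACCEPT
}

# Add or delete the LOG+DROP pair for one address: $1 = add|del, $2 = iface, $3 = addr
antispoof_rules() {
    iface="$2"; addr="$3"
    case "$1" in
        add)  # DROP is inserted first, then LOG above it, so LOG fires before DROP
            ipt -I INPUT 1 -i "$iface" -s "$addr" -j DROP
            ipt -I INPUT 1 -i "$iface" -s "$addr" -j LOG --log-prefix "Spoofed source IP" ;;
        del)
            ipt -D INPUT -i "$iface" -s "$addr" -j LOG --log-prefix "Spoofed source IP"
            ipt -D INPUT -i "$iface" -s "$addr" -j DROP ;;
        *)  echo "antispoof_rules: unknown op '$1'" >&2; return 1 ;;
    esac
}

# React to a lease event (question 2): $1 = reason, $2 = iface, $3 = old addr, $4 = new addr
on_lease_event() {
    case "$1" in
        BOUND|REBOOT)
            antispoof_rules add "$2" "$4" ;;
        RENEW|REBIND)  # the address normally stays; only swap the rules if it moved
            if [ -n "$3" ] && [ "$3" != "$4" ]; then
                antispoof_rules del "$2" "$3"
                antispoof_rules add "$2" "$4"
            fi ;;
        EXPIRE|FAIL|RELEASE|STOP)
            if [ -n "$3" ]; then antispoof_rules del "$2" "$3"; fi ;;
    esac
}
# When sourced by dhclient-script, act on its variables; do nothing otherwise.
if [ -n "${reason:-}" ]; then
    on_lease_event "$reason" "$interface" "$old_ip_address" "$new_ip_address"
fi
```

Run dhcp_allow_rules once from the static rule set; the hook itself only ever touches the per-address pair, so the rest of the ruleset is never reloaded on a lease event.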