Networking Forums

iptables - how would you do this?

 
 
martin.woolley@misys.com
      07-05-2005, 01:23 PM
Greetings and Felicitations,

We run a linux thin client setup with several servers, and we want two
of these servers to only accept connections from specific clients. On
these machines, I have set up the following rules via iptables

-A INPUT -s 192.168.0.0/255.255.255.0 -j REJECT
-A INPUT -s 172.24.0.19 -i eth1 -j ACCEPT
-A INPUT -s 172.24.0.27 -i eth1 -j ACCEPT
-A INPUT -s 172.24.0.28 -i eth1 -j ACCEPT
-A INPUT -s 172.24.0.29 -i eth1 -j ACCEPT
-A INPUT -m mac --mac-source 00:11:85:E3:C7:39 -j ACCEPT
-A INPUT -m mac --mac-source 00:11:85:E3:C8:F7 -j ACCEPT
-A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j DROP

What I think that this should do is
- reject any connections from the 192.168.0.0 network.
- accept connections from the 4 specified hosts on the 172.24.0.0
network.
- accept connections from the two specified mac addresses (which are
thin clients)
- reject all other DHCP requests.

However the machine is still issuing i/p addresses in reply to a DHCP
request. How can we prevent this, bearing in mind that the dhcpd must
be running for the clients that we want to connect to do just that.

Thanks
--
Regards
Martin Woolley
ICT Support
Handsworth Grammar School
Isis Astarte Diana Hecate Demeter Kali Inanna

 
Alexander Harsch
      07-05-2005, 04:45 PM
(E-Mail Removed) wrote:

> Greetings and Felicitations,
>
> We run a linux thin client setup with several servers, and we want two
> of these servers to only accept connections from specific clients. On
> these machines, I have set up the following rules via iptables
>
> -A INPUT -s 192.168.0.0/255.255.255.0 -j REJECT
> -A INPUT -s 172.24.0.19 -i eth1 -j ACCEPT
> -A INPUT -s 172.24.0.27 -i eth1 -j ACCEPT
> -A INPUT -s 172.24.0.28 -i eth1 -j ACCEPT
> -A INPUT -s 172.24.0.29 -i eth1 -j ACCEPT
> -A INPUT -m mac --mac-source 00:11:85:E3:C7:39 -j ACCEPT
> -A INPUT -m mac --mac-source 00:11:85:E3:C8:F7 -j ACCEPT
> -A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j DROP

^^^^^^^^
What does this say? Replace it with the same command, but with no -m option, or set
the default policy to drop (which you should do anyways).

Alex
 
 
SEND NO SPAM
      07-05-2005, 05:00 PM
(E-Mail Removed) wrote:
> Greetings and Felicitations,
>
> We run a linux thin client setup with several servers, and we want two
> of these servers to only accept connections from specific clients. On
> these machines, I have set up the following rules via iptables
>
> -A INPUT -s 192.168.0.0/255.255.255.0 -j REJECT
> -A INPUT -s 172.24.0.19 -i eth1 -j ACCEPT
> -A INPUT -s 172.24.0.27 -i eth1 -j ACCEPT
> -A INPUT -s 172.24.0.28 -i eth1 -j ACCEPT
> -A INPUT -s 172.24.0.29 -i eth1 -j ACCEPT
> -A INPUT -m mac --mac-source 00:11:85:E3:C7:39 -j ACCEPT
> -A INPUT -m mac --mac-source 00:11:85:E3:C8:F7 -j ACCEPT
> -A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j DROP
>
> What I think that this should do is
> - reject any connections from the 192.168.0.0 network.


Why REJECT this range specifically? If an IP address is not in an ACCEPT
rule, it will not be accepted.

> - accept connections from the 4 specified hosts on the 172.24.0.0
> network.


OK

> - accept connections from the two specified mac addresses (which are
> thin clients)


Don't know about this one.

> - reject all other DHCP requests.


Your rule is dropping all "udp" packets to ports 67 & 68, not rejecting them.

>
> However the machine is still issuing i/p addresses in reply to a DHCP
> request. How can we prevent this, bearing in mind that the dhcpd must
> be running for the clients that we want to connect to do just that.


Why are you even using dhcp if you are only accepting 6 connections ???

>
> Thanks
> --
> Regards
> Martin Woolley
> ICT Support
> Handsworth Grammar School
> Isis Astarte Diana Hecate Demeter Kali Inanna
>

 
 
martin.woolley@misys.com
      07-06-2005, 07:38 AM
> set the default policy to drop (which you should do anyways)

We tried that and nothing would work, i.e. we couldn't even log into the
box, let alone get our thin clients to come up.

> Your rule is dropping all "udp" packets to ports 67 & 68, not rejecting them.


Clearly it isn't, as i/p addresses are still being issued by the
machine.

> Why are you even using dhcp if you are only accepting 6 connections ???


Obviously we have many more than six connections; this is just a snip
from our iptables. AFAIK a thin client must issue a DHCP request,
otherwise TFTP won't deliver a kernel to the client.
--
Regards
Martin Woolley
ICT Support
Handsworth Grammar School
Isis Astarte Diana Hecate Demeter Kali Inanna

 
 
Dale Dellutri
      07-06-2005, 11:26 AM
On 6 Jul 2005 00:38:53 -0700, (E-Mail Removed) wrote:
> > set the default policy to drop (which you should do anyways)

> We tried that and nothing would work, ie we couldn't even log into the
> box let alone get our thin clients to come up.


If this is true, then the rules shown are not effective. The default
policy is used after all rules in a chain are tried. You have ACCEPT
rules, so if they were effective, the default policy would never be
used.

The easiest way to debug iptables problems is to insert log rules into
the stream of rules and then look at the console or /var/log/messages
to determine which rules are effective. LOG is a "non-terminating
target", so it will simply give you a message and not disrupt the
other rules (if properly placed). Use different --log-prefix strings
for each LOG rule so that you can tell them apart.

--
Dale Dellutri <(E-Mail Removed)> (lose the Q's)
 
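The points Alex and Dale raise (rule order, what the chain policy does once no rule has matched, and LOG being non-terminating) can be checked by walking a packet down the chain by hand. The Python below does that walk for the rules Martin posted, with one LOG rule placed in front of the DHCP DROP as Dale suggests. It is an added example, not code from this thread or from iptables itself, and it models netfilter's first-match semantics rather than talking to the kernel. The Packet and Rule classes, the "DHCP-DROP: " prefix, the unlisted admin host 172.24.0.5 and the unknown MAC 00:aa:bb:cc:dd:ee are this example's own inventions; the 0.0.0.0 source on a DHCP DISCOVER is standard protocol behaviour.

```python
# Added example (not code from the thread): a small model of how the INPUT
# chain evaluates the rules Martin posted, used to see which rule a given
# packet hits. Rule order, LOG fall-through and the chain policy follow
# netfilter semantics; the Packet/Rule names are this example's own.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str                 # source IPv4 address (a DHCP DISCOVER uses 0.0.0.0)
    mac: str = ""            # source MAC, as the mac match module would see it
    iface: str = "eth1"      # ingress interface
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    target: str                     # ACCEPT, DROP, REJECT (terminating) or LOG
    src: Optional[str] = None       # -s host or CIDR
    iface: Optional[str] = None     # -i
    mac: Optional[str] = None       # -m mac --mac-source
    proto: Optional[str] = None     # -p
    sports: Optional[range] = None  # --sport a:b  ->  range(a, b + 1)
    dports: Optional[range] = None  # --dport a:b  ->  range(a, b + 1)
    log_prefix: str = ""            # --log-prefix, only meaningful for LOG

    def matches(self, pkt: Packet) -> bool:
        """Every criterion given on the rule must hold (iptables ANDs them)."""
        checks = [
            self.src is None or ip_address(pkt.src) in ip_network(self.src, strict=False),
            self.iface is None or pkt.iface == self.iface,
            self.mac is None or pkt.mac.lower() == self.mac.lower(),
            self.proto is None or pkt.proto == self.proto,
            self.sports is None or pkt.sport in self.sports,
            self.dports is None or pkt.dport in self.dports,
        ]
        return all(checks)


def evaluate(chain: List[Rule], policy: str, pkt: Packet) -> Tuple[str, List[str]]:
    """Walk the chain top to bottom. LOG records its prefix and falls through;
    the first ACCEPT/DROP/REJECT match ends evaluation; if nothing matched,
    the chain policy (-P INPUT ...) is the verdict."""
    logged: List[str] = []
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            logged.append(rule.log_prefix)
            continue
        return rule.target, logged
    return policy, logged


DHCP_PORTS = range(67, 69)  # iptables "67:68" is an inclusive range

# Martin's rules, in the order posted, plus one LOG rule inserted in front of
# the DHCP DROP as Dale suggests, so hits on that rule show up in the kernel log.
OP_CHAIN = [
    Rule("REJECT", src="192.168.0.0/24"),
    Rule("ACCEPT", src="172.24.0.19", iface="eth1"),
    Rule("ACCEPT", src="172.24.0.27", iface="eth1"),
    Rule("ACCEPT", src="172.24.0.28", iface="eth1"),
    Rule("ACCEPT", src="172.24.0.29", iface="eth1"),
    Rule("ACCEPT", mac="00:11:85:E3:C7:39"),
    Rule("ACCEPT", mac="00:11:85:E3:C8:F7"),
    Rule("LOG", proto="udp", sports=DHCP_PORTS, dports=DHCP_PORTS, log_prefix="DHCP-DROP: "),
    Rule("DROP", proto="udp", sports=DHCP_PORTS, dports=DHCP_PORTS),
]

# Constructed sample packets; addresses not taken from the thread are made up.
DHCP_FROM_THIN_CLIENT = Packet("0.0.0.0", mac="00:11:85:E3:C7:39", proto="udp", sport=68, dport=67)
DHCP_FROM_UNKNOWN = Packet("0.0.0.0", mac="00:aa:bb:cc:dd:ee", proto="udp", sport=68, dport=67)
SSH_FROM_ADMIN = Packet("172.24.0.5", dport=22)  # admin host not in the ACCEPT list
FROM_REJECTED_NET = Packet("192.168.0.50", dport=22)


def walk_all(policy: str) -> dict:
    """Verdict and LOG prefixes for each sample packet under the given policy."""
    samples = {
        "dhcp from listed thin client": DHCP_FROM_THIN_CLIENT,
        "dhcp from unknown client": DHCP_FROM_UNKNOWN,
        "ssh from unlisted admin host": SSH_FROM_ADMIN,
        "anything from 192.168.0.0/24": FROM_REJECTED_NET,
    }
    return {name: evaluate(OP_CHAIN, policy, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for policy in ("ACCEPT", "DROP"):
        print(f"-P INPUT {policy}")
        for name, (verdict, logged) in walk_all(policy).items():
            print(f"  {name:32} -> {verdict:6} logged={logged}")
```

Running it shows three things the thread argues about. A DHCP request from a listed thin client is accepted by its MAC rule before the DROP rule is ever reached, so the DROP cannot affect those clients. A request from an unknown MAC hits the LOG rule and then the DROP, so if the "DHCP-DROP: " prefix never appears in /var/log/messages while the server keeps answering unknown clients, those packets are not being decided by this chain at all, which is exactly what Dale's LOG rule is meant to reveal. And an SSH connection from a host that is not in the ACCEPT list falls through to the policy, so switching to -P INPUT DROP without first adding a rule for management access locks the administrators out, as Martin observed.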
 
SEND NO SPAM
      07-06-2005, 10:58 PM
(E-Mail Removed) wrote:
>>set the default policy to drop (which you should do anyways)

>
>
> We tried that and nothing would work, ie we couldn't even log into the
> box let alone get our thin clients to come up.
>
>
>>Your rule is dropping all "udp" packets to ports 67 & 68, not rejecting them.

>
>
> Clearly it isn't, as i/p addresses are still being issued by the
> machine.
>
>


Clearly your total iptables is screwed up, and as you did not disclose
them no one can guess what's messed up.


>>Why are you even using dhcp if you are only accepting 6 connections ???

>
>
> Obviously we have many more than six connections; this is just a snip
> from our iptables. AFAIK a thin client must issue a DHCP request,
> otherwise TFTP won't deliver a kernel to the client.


Say What ???

> --
> Regards
> Martin Woolley
> ICT Support
> Handsworth Grammar School
> Isis Astarte Diana Hecate Demeter Kali Inanna
>

 