[Dnsmasq-discuss] Re: DHCP server not assign IP addresses

Troy Piggins troy at piggo.com
Tue Nov 18 12:05:18 GMT 2008


* Rune Kock wrote :
> On Tue, Nov 18, 2008 at 07:09, Troy Piggins <troy at piggo.com> wrote:
> > * Rune Kock wrote :
> >>* Troy Piggins wrote:
> >>> * Rune Kock wrote :
> >>>>* Troy Piggins wrote:
> >>>>
<snip />
> >>> $ sudo iptables-save | grep 67
> >>> -A udpincoming_packets -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
> >>
> >> I'm not entirely fluent in iptables syntax, but to me this sounds like
> >> "accept packets with source port 67/68 AND dest port 67/68".
> >
> > I see.  Your interpretation is correct.  I thought the requests
> > only came and went on those ports.
> >
> >> I believe that you need "accept source port 67/68 OR dest port
> >> 67/68".
> >
> > I split the rules up as you suggested.
> >
> > It still is not assigning addresses.
> 
> I still think that the firewall is the most likely problem.  Or is
> there some kind of router/wireless between the NAS and your dnsmasq
> machine?

To be honest, it can't be the firewall anyway.  All traffic from
the internal network is allowed by default.  The only
blocking/dropping rules are on the external interface.

> Try running without any firewall, if that is possible.

No can do.  It's protecting the network from the internets.  :)

> Try posting your complete firewall setup; someone on the list may be
> able to spot something.

Ok.  Now I know this isn't pretty, but it seems to have worked
for years...

# Generated by iptables-save v1.3.8 on Tue Nov 18 22:00:41 2008
*nat
:PREROUTING ACCEPT [908014:90154200]
:POSTROUTING ACCEPT [251607:17593135]
:OUTPUT ACCEPT [1552731:111849566]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 
-A POSTROUTING -o eth0 -j MASQUERADE 
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE 
COMMIT
# Completed on Tue Nov 18 22:00:41 2008
# Generated by iptables-save v1.3.8 on Tue Nov 18 22:00:41 2008
*mangle
:PREROUTING ACCEPT [111174775:53677031631]
:INPUT ACCEPT [103043328:49242147022]
:FORWARD ACCEPT [8129160:4434679979]
:OUTPUT ACCEPT [108137128:54585306347]
:POSTROUTING ACCEPT [116329017:59027145621]
COMMIT
# Completed on Tue Nov 18 22:00:41 2008
# Generated by iptables-save v1.3.8 on Tue Nov 18 22:00:41 2008
*filter
:INPUT DROP [787:267137]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [6517:3478610]
:allowed - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_packets - [0:0]
:udpincoming_packets - [0:0]
-A INPUT -p tcp -j bad_tcp_packets 
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -d 192.168.0.255 -i eth1 -j ACCEPT 
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i eth0 -p tcp -j tcp_packets 
-A INPUT -i eth0 -p udp -j udpincoming_packets 
-A INPUT -i eth0 -p icmp -j icmp_packets 
-A FORWARD -p tcp -j bad_tcp_packets 
-A FORWARD -i eth1 -j ACCEPT 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -p tcp -j bad_tcp_packets 
-A OUTPUT -s 127.0.0.1 -j ACCEPT 
-A OUTPUT -s 192.168.0.1 -j ACCEPT 
-A OUTPUT -o eth0 -j ACCEPT 
-A allowed -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT 
-A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A allowed -p tcp -j DROP 
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP 
-A icmp_packets -p icmp -j ACCEPT 
-A tcp_packets -p tcp -m tcp --dport 22 -j allowed 
-A tcp_packets -p tcp -m tcp --dport 8080 -j allowed 
-A tcp_packets -p tcp -m tcp --dport 80 -j allowed 
-A tcp_packets -p tcp -m tcp --dport 25 -j allowed 
-A tcp_packets -p tcp -m tcp --dport 993 -j allowed 
-A udpincoming_packets -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT 
-A udpincoming_packets -i eth1 -p udp -m udp --sport 67:68 -j ACCEPT 
-A udpincoming_packets -i eth1 -p udp -m udp --dport 67:68 -j ACCEPT 
COMMIT
# Completed on Tue Nov 18 22:00:41 2008

> BTW, as Richard pointed out, my suggestion of accepting source or
> destination port 67/68, is probably opening more than necessary, thus
> creating a small hole in the security of the firewall.  I guess that
> the correct thing is to allow destination port 67&68, and not fiddle
> with source ports at all.

Ok.  Thanks

-- 
Troy Piggins | http://piggo.com/~troy                           
RLU#415538                                                      ,-O   (o-    O  
                                                               O   )  //\     O 
                                                                `-O   V_/_  OOO
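Added example (not from the list, dnsmasq or the poster): a small tracer that runs constructed packets through the *filter table posted above, so the "it can't be the firewall" claim and the source/destination-port discussion can be checked against the rules rather than from memory. It models only the options that appear in the dump (-i, -p, -s, -d, --sport, --dport, --state, and `!`); anything else raises. The packets are constructed: a DHCPDISCOVER uses the standard addressing of 0.0.0.0:68 to 255.255.255.255:67, the renewal is unicast from an address inside 192.168.0.0/24, and PROBE is unrelated UDP traffic that merely has source port 67. The trace assumes the DHCP server reads from an ordinary UDP socket, so packets reach it only after the INPUT chain has accepted them.

```python
import ipaddress

# The *filter table from the iptables-save output above, reduced to the INPUT
# policy and the rules a UDP packet entering INPUT can ever be compared against.
FILTER_TABLE = """
:INPUT DROP
-A INPUT -p tcp -j bad_tcp_packets
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 192.168.0.255 -i eth1 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -j tcp_packets
-A INPUT -i eth0 -p udp -j udpincoming_packets
-A INPUT -i eth0 -p icmp -j icmp_packets
-A udpincoming_packets -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A udpincoming_packets -i eth1 -p udp -m udp --sport 67:68 -j ACCEPT
-A udpincoming_packets -i eth1 -p udp -m udp --dport 67:68 -j ACCEPT
"""

# Constructed packets.  A client with no lease sends DHCPDISCOVER from 0.0.0.0:68
# to 255.255.255.255:67 (RFC 2131); a renewal is unicast from the leased address;
# PROBE is unrelated UDP traffic that happens to use source port 67.
DISCOVER = dict(iface="eth1", proto="udp", src="0.0.0.0", dst="255.255.255.255", sport=68, dport=67, state="NEW")
RENEW = dict(iface="eth1", proto="udp", src="192.168.0.50", dst="192.168.0.1", sport=68, dport=67, state="NEW")
PROBE = dict(iface="eth1", proto="udp", src="192.168.0.77", dst="192.168.0.1", sport=67, dport=5353, state="NEW")


def parse_rule(line):
    """Turn one '-A chain ...' line into {chain, target, text, match: [(negated, option, value)]}."""
    toks = line.split()
    rule = {"chain": toks[1], "target": None, "text": line, "match": []}
    i = 2
    while i < len(toks):
        neg = toks[i] == "!"
        if neg:
            i += 1
        opt = toks[i]
        if opt == "-m":                      # loads a match module; no condition by itself
            i += 2
        elif opt == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        else:                                # every other modelled option takes one argument
            rule["match"].append((neg, opt, toks[i + 1]))
            i += 2
    return rule


def port_in(spec, port):
    """True if port lies in an iptables port spec such as '53' or '1024:65535'."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def matches(rule, pkt):
    """Evaluate the rule's match conditions in order, honouring '!' negation."""
    for neg, opt, val in rule["match"]:
        if opt == "-i":
            ok = pkt["iface"] == val
        elif opt == "-p":
            ok = pkt["proto"] == val
        elif opt in ("-s", "-d"):            # accepts CIDR or dotted-netmask notation
            addr = pkt["src" if opt == "-s" else "dst"]
            ok = ipaddress.ip_address(addr) in ipaddress.ip_network(val, strict=False)
        elif opt in ("--sport", "--dport"):
            ok = port_in(val, pkt[opt[2:]])
        elif opt == "--state":
            ok = pkt["state"] in val.split(",")
        else:
            raise ValueError(f"option {opt} not modelled")
        if ok == neg:                        # a negated condition succeeds when the test fails
            return False
    return True


def trace(table, chain, pkt):
    """Return (verdict, rule text) for pkt entering `chain`: the first terminating
    rule hit, or the chain policy when nothing matches.  User chains RETURN."""
    lines = table.strip().splitlines()
    policies = {l.split()[0][1:]: l.split()[1] for l in lines if l.startswith(":")}
    rules = [parse_rule(l) for l in lines if l.startswith("-A")]

    def walk(ch):
        for r in rules:
            if r["chain"] != ch or not matches(r, pkt):
                continue
            if r["target"] in ("ACCEPT", "DROP", "REJECT"):
                return r["target"], r["text"]
            hit = walk(r["target"])          # jump into a user-defined chain
            if hit:
                return hit
        return None                          # end of chain: RETURN to caller

    return walk(chain) or (policies.get(chain, "RETURN"), f"policy of {chain}")


if __name__ == "__main__":
    for name, pkt in (("DISCOVER", DISCOVER), ("RENEW", RENEW)):
        print(name, "via INPUT:", trace(FILTER_TABLE, "INPUT", pkt))
    print("DISCOVER via udpincoming_packets:", trace(FILTER_TABLE, "udpincoming_packets", DISCOVER))
    print("PROBE via udpincoming_packets:", trace(FILTER_TABLE, "udpincoming_packets", PROBE))
```

What the trace reports for the posted rules: the renewal is accepted by the `-s 192.168.0.0/255.255.255.0 -i eth1` rule, but a DISCOVER from 0.0.0.0 matches neither that rule nor the `-d 192.168.0.255` one and falls through to the INPUT policy of DROP. The two eth1 rules in udpincoming_packets would accept it, but that chain is only entered from `-i eth0`, so for eth1 traffic they are never consulted. The PROBE run illustrates the point made at the end of the thread: a rule keyed on `--sport 67:68` accepts any UDP packet with that source port whatever its destination, which is why matching on destination port 67 and 68 alone is the tighter choice.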


