[Dnsmasq-discuss] good practice with many interfaces?

Simon Kelley simon at thekelleys.org.uk
Wed Sep 22 18:11:44 BST 2010


SamLT wrote:
> 
> Hello,
> 
> I'm going to have several (vlan) interfaces on one server, and as I'm preparing
> this I'm wondering what the good practices are when you don't want to offer dhcp
> and/or dns services on every interface?
> 
> Here is what I currently have:
> 
> | eth0.10 -> no dhcp, no dns
> | eth0.20 -> no dhcp, no dns
> | eth0.30 -> no dhcp, dns
> | eth1    -> dhcp, dns
> 
> and in dnsmasq.conf:
> | interface=eth1
> | interface=eth0.10
> | no-dhcp-interface=eth0.10
> 
> And the associated iptables rules:
> | IFACE_IN=eth1
> | IFACE_IN_NET=192.168.50.0/24
> | IFACE_IN_IP=192.168.50.1
> | $IPTABLES -P INPUT DROP
> | $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> | $IPTABLES -A INPUT -i $IFACE_IN -p udp -m udp -m multiport --sports 67,68 -m multiport --dports 67,68 -j ACCEPT
> | $IPTABLES -A INPUT -i $IFACE_IN -s $IFACE_IN_NET -p udp -m udp --dport 53 -j ACCEPT
> | $IPTABLES -A INPUT -i $IFACE_IN -s $IFACE_IN_NET -p tcp -m tcp --dport 53 -j ACCEPT
> 
> This is working well so far, but below is what I'm planning:
> 
> | eth0.10 -> no dhcp, no dns
> | eth0.20 -> no dhcp, no dns
> | eth0.30 -> no dhcp, dns
> | eth1.50 -> dhcp, dns
> | eth1.51 -> dhcp, dns
> | eth1.52 -> dhcp, dns
> | eth1.53 -> dhcp, dns
> | eth1.54 -> dhcp, dns
> 
> 
> I'm not sure what is best to do:
> 
>    -> Should I comment the 'interface' and 'no-dhcp-interface' lines, and use iptables
> to restrict services?
> 
>    -> or just continue to enumerate every interface and duplicate iptables
> rules for each interface?
>    
>    -> or something else I didn't think of?
> 

The shortest set of dnsmasq configurations you could use would be

except-interface=eth0.10
except-interface=eth0.20
no-dhcp-interface=eth0.30

leaving the rest to default to providing both services.

It's difficult to advise on the IPTABLES stuff: are you just adding that
as belt-and-braces security, or do you need to isolate services
listening on other ports from those networks?


Cheers,

Simon.
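The following is an added example, not part of the thread and not Simon's or SamLT's code. It takes the planned interface layout from the question and generates, from one small table, both the dnsmasq lines Simon suggests (except-interface for interfaces with no service, no-dhcp-interface for DNS-only ones, nothing for the default case) and the matching per-interface iptables INPUT rules, so the rules do not have to be duplicated by hand. The only subnet the thread gives is 192.168.50.0/24 for the current eth1; every other subnet in the table is an assumed placeholder, and the rules are printed rather than executed.

```shell
#!/bin/sh
# Added example (not from the dnsmasq-discuss thread): derive the dnsmasq
# interface options and the per-interface iptables rules from one table.
# Subnets other than 192.168.50.0/24 are assumptions for illustration.

IPTABLES=${IPTABLES:-iptables}

# Constructed table: "<iface> <subnet> <services>", services = none|dns|dhcp+dns
IFACE_TABLE='eth0.10 192.168.10.0/24 none
eth0.20 192.168.20.0/24 none
eth0.30 192.168.30.0/24 dns
eth1.50 192.168.50.0/24 dhcp+dns
eth1.51 192.168.51.0/24 dhcp+dns'

# dnsmasq.conf lines: interfaces offering both services need no line at all,
# because dnsmasq defaults to DHCP+DNS on every interface it is not told to skip.
dnsmasq_conf() {
    while read -r iface net svc; do
        case "$svc" in
            none)     echo "except-interface=$iface" ;;
            dns)      echo "no-dhcp-interface=$iface" ;;
            dhcp+dns) ;;
            *) echo "unknown service spec '$svc' for $iface" >&2; return 1 ;;
        esac
    done <<EOF
$IFACE_TABLE
EOF
}

# iptables INPUT rules, printed not executed. Default policy stays DROP, so an
# interface that is absent from the table (or marked none) gets no rule and
# cannot reach port 53 or 67 even if dnsmasq were misconfigured to listen there.
iptables_rules() {
    echo "$IPTABLES -P INPUT DROP"
    echo "$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    while read -r iface net svc; do
        case "$svc" in
            *dns*)
                # DNS: only clients from the interface's own subnet, UDP and TCP.
                echo "$IPTABLES -A INPUT -i $iface -s $net -p udp --dport 53 -j ACCEPT"
                echo "$IPTABLES -A INPUT -i $iface -s $net -p tcp --dport 53 -j ACCEPT" ;;
        esac
        case "$svc" in
            *dhcp*)
                # DHCP: no -s match, a DISCOVER arrives from 0.0.0.0 before the
                # client has an address; bind to the interface instead.
                echo "$IPTABLES -A INPUT -i $iface -p udp --sport 68 --dport 67 -j ACCEPT" ;;
        esac
    done <<EOF
$IFACE_TABLE
EOF
}

# Stand-alone usage: print the generated dnsmasq options, then the rules.
dnsmasq_conf
iptables_rules
```

Adding an interface later means adding one line to the table and regenerating, and any interface that is missing from the table is denied both services by the DROP policy rather than silently served.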
