[Dnsmasq-discuss] good practice with many interfaces?
Simon Kelley
simon at thekelleys.org.uk
Wed Sep 22 18:11:44 BST 2010
SamLT wrote:
>
> Hello,
>
> I'm going to have several (vlan) interfaces on one server, and as I'm preparing
> this I'm wondering what the good practices are when you don't want to offer dhcp
> and/or dns services on every interface?
>
> Here is what I currently have:
>
> | eth0.10 -> no dhcp, no dns
> | eth0.20 -> no dhcp, no dns
> | eth0.30 -> no dhcp, dns
> | eth1 -> dhcp, dns
>
> and in dnsmasq.conf:
> | interface=eth1
> | interface=eth0.10
> | no-dhcp-interface=eth0.10
>
> And the associated iptables rules:
> | IFACE_IN=eth1
> | IFACE_IN_NET=192.168.50.0/24
> | IFACE_IN_IP=192.168.50.1
> | $IPTABLES -P INPUT DROP
> | $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> | $IPTABLES -A INPUT -i $IFACE_IN -p udp -m udp -m multiport --sports 67,68 -m multiport --dports 67,68 -j ACCEPT
> | $IPTABLES -A INPUT -i $IFACE_IN -s $IFACE_IN_NET -p udp -m udp --dport 53 -j ACCEPT
> | $IPTABLES -A INPUT -i $IFACE_IN -s $IFACE_IN_NET -p tcp -m tcp --dport 53 -j ACCEPT
>
> This is working well so far, but below is what I'm planning:
>
> | eth0.10 -> no dhcp, no dns
> | eth0.20 -> no dhcp, no dns
> | eth0.30 -> no dhcp, dns
> | eth1.50 -> dhcp, dns
> | eth1.51 -> dhcp, dns
> | eth1.52 -> dhcp, dns
> | eth1.53 -> dhcp, dns
> | eth1.54 -> dhcp, dns
>
>
> I'm not sure what is best to do:
>
> -> Should I comment the 'interface' and 'no-dhcp-interface' lines, and use iptables
> to restrict services?
>
> -> or just continue to enumerate every interface and duplicate iptables
> rules for each interface?
>
> -> or something else I didn't think of?
>
The shortest set of dnsmasq configuration options you could use would be:
except-interface=eth0.10
except-interface=eth0.20
no-dhcp-interface=eth0.30
leaving the rest to default to providing both services.
It's difficult to advise on the IPTABLES stuff: are you just adding that
as belt-and-braces security, or do you need to isolate services
listening on other ports from those networks?
Cheers,
Simon.
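As an added illustration of the "enumerate every interface" option discussed above (this script is not from the thread authors or the dnsmasq project), the following POSIX shell script derives both the dnsmasq options and the iptables INPUT rules from a single per-interface policy table, so the two cannot drift apart when VLAN interfaces are added. Interface names, subnets and the policy table are constructed for the example; the script prints the iptables commands rather than executing them.

```shell
#!/bin/sh
# Added example: one policy table -> dnsmasq.conf options + iptables rules.
# Subnets and the table itself are constructed placeholders.
set -u

IPTABLES=${IPTABLES:-iptables}

# Constructed policy table: "<iface> <dhcp> <dns> <client subnet>"
POLICY='eth0.10 no  no  10.0.10.0/24
eth0.20 no  no  10.0.20.0/24
eth0.30 no  yes 10.0.30.0/24
eth1.50 yes yes 192.168.50.0/24
eth1.51 yes yes 192.168.51.0/24'

# Reject combinations the options used in the thread cannot express:
# except-interface and no-dhcp-interface give "nothing", "DNS only" and
# "both", but not "DHCP without DNS". Returns non-zero on such a row.
policy_check() {
    printf '%s\n' "${1:-$POLICY}" | while read -r iface dhcp dns net; do
        [ -n "$iface" ] || continue
        case "$dhcp,$dns" in
            yes,yes|no,yes|no,no) ;;
            *) echo "unsupported policy for $iface: dhcp=$dhcp dns=$dns" >&2
               exit 1 ;;
        esac
    done
}

# Emit the minimal dnsmasq options: except-interface for interfaces with
# neither service, no-dhcp-interface for DNS-only, nothing for full service
# (the default once the interface is not excluded).
dnsmasq_conf() {
    printf '%s\n' "${1:-$POLICY}" | while read -r iface dhcp dns net; do
        [ -n "$iface" ] || continue
        case "$dhcp,$dns" in
            no,no)   echo "except-interface=$iface" ;;
            no,yes)  echo "no-dhcp-interface=$iface" ;;
            yes,yes) ;;
        esac
    done
}

# Print (do not run) the INPUT ACCEPT rules matching the policy. With the
# INPUT chain defaulting to DROP, an interface that offers no service simply
# gets no rule. The DHCP rule carries no -s match on purpose: DHCPDISCOVER is
# sent from source address 0.0.0.0, so a subnet filter would block it.
iptables_rules() {
    printf '%s\n' "${1:-$POLICY}" | while read -r iface dhcp dns net; do
        [ -n "$iface" ] || continue
        if [ "$dhcp" = yes ]; then
            echo "$IPTABLES -A INPUT -i $iface -p udp --sport 68 --dport 67 -j ACCEPT"
        fi
        if [ "$dns" = yes ]; then
            echo "$IPTABLES -A INPUT -i $iface -s $net -p udp --dport 53 -j ACCEPT"
            echo "$IPTABLES -A INPUT -i $iface -s $net -p tcp --dport 53 -j ACCEPT"
        fi
    done
}

# Stand-alone usage: validate the table, then show what would be generated.
policy_check || exit 1
echo "# dnsmasq.conf fragment"
dnsmasq_conf
echo "# iptables rules (dry run)"
iptables_rules
```

Running the script prints the three dnsmasq lines from the reply above followed by one DHCP rule and two DNS rules per serving interface; piping the second section into sh would apply them. Keeping the policy table as the single source means a new VLAN needs one added row rather than parallel edits to dnsmasq.conf and the firewall script.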