[Dnsmasq-discuss] good practice with many interfaces?
SamLT
samuel.lethiec at intelunix.fr
Wed Sep 22 10:37:45 BST 2010
Hello,
I'm going to have several (vlan) interfaces on one server, and as I'm preparing
this I'm wondering what the good practices are when you don't want to offer dhcp
and/or dns services on every interface.
Here is what I currently have:
| eth0.10 -> no dhcp, no dns
| eth0.20 -> no dhcp, no dns
| eth0.30 -> no dhcp, dns
| eth1 -> dhcp, dns
and in dnsmasq.conf:
| interface=eth1
| interface=eth0.10
| no-dhcp-interface=eth0.10
And the associated iptables rules:
| IFACE_IN=eth1
| IFACE_IN_NET=192.168.50.0/24
| IFACE_IN_IP=192.168.50.1
| $IPTABLES -P INPUT DROP
| $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
| $IPTABLES -A INPUT -i $IFACE_IN -p udp -m udp -m multiport --sports 67,68 -m multiport --dports 67,68 -j ACCEPT
| $IPTABLES -A INPUT -i $IFACE_IN -s $IFACE_IN_NET -p udp -m udp --dport 53 -j ACCEPT
| $IPTABLES -A INPUT -i $IFACE_IN -s $IFACE_IN_NET -p tcp -m tcp --dport 53 -j ACCEPT
This is working well so far, but below is what I'm planning:
| eth0.10 -> no dhcp, no dns
| eth0.20 -> no dhcp, no dns
| eth0.30 -> no dhcp, dns
| eth1.50 -> dhcp, dns
| eth1.51 -> dhcp, dns
| eth1.52 -> dhcp, dns
| eth1.53 -> dhcp, dns
| eth1.54 -> dhcp, dns
I'm not sure what is best to do:
-> Should I comment the 'interface' and 'no-dhcp-interface' lines, and use iptables
to restrict services?
-> or just continue to enumerate every interface and duplicate the iptables
rules for each interface?
-> or something else I didn't think of?
Any advice highly appreciated!
Thanks!
samlt
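One way to keep the enumeration manageable as the interface list grows, added here as an illustration and not part of the original thread: drive both the dnsmasq lines and the per-interface firewall rules from a single table, so each new VLAN is one added row. The interface names and subnets below are constructed; `bind-interfaces` is used because with `interface=` alone dnsmasq still binds the wildcard address and only filters requests in-process, so the firewall rules stay worthwhile either way.

```shell
#!/bin/sh
# Added example: generate dnsmasq.conf lines and iptables INPUT rules from one
# interface table. Rules are printed, not applied, so this runs anywhere.

# iface   subnet (constructed)  dns  dhcp
IFACE_TABLE='
eth0.30 192.168.30.0/24 yes no
eth1.50 192.168.50.0/24 yes yes
eth1.51 192.168.51.0/24 yes yes
'

# dnsmasq side: every serviced interface gets interface=, DNS-only ones also get
# no-dhcp-interface=. bind-interfaces makes dnsmasq bind only those interfaces
# instead of 0.0.0.0 with in-process filtering.
dnsmasq_conf() {
    echo "bind-interfaces"
    echo "$IFACE_TABLE" | while read -r iface subnet dns dhcp; do
        [ -n "$iface" ] || continue
        echo "interface=$iface"
        if [ "$dhcp" = no ]; then echo "no-dhcp-interface=$iface"; fi
    done
}

# Firewall side, following the poster's pattern: default DROP, then DHCP
# (client port 68 -> server port 67, which is tighter than the original
# multiport 67,68 match) only on DHCP interfaces, and DNS only from the
# interface's own subnet.
iptables_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "$IFACE_TABLE" | while read -r iface subnet dns dhcp; do
        [ -n "$iface" ] || continue
        if [ "$dhcp" = yes ]; then
            echo "iptables -A INPUT -i $iface -p udp --sport 68 --dport 67 -j ACCEPT"
        fi
        if [ "$dns" = yes ]; then
            echo "iptables -A INPUT -i $iface -s $subnet -p udp --dport 53 -j ACCEPT"
            echo "iptables -A INPUT -i $iface -s $subnet -p tcp --dport 53 -j ACCEPT"
        fi
    done
}

dnsmasq_conf
iptables_rules
```

Redirect the two functions into a dnsmasq.conf include and a firewall script respectively; interfaces with neither service (eth0.10, eth0.20 in the post) are simply left out of the table and get nothing but the default DROP.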