[Dnsmasq-discuss] good practice with many interfaces?

SamLT samuel.lethiec at intelunix.fr
Wed Sep 22 10:37:45 BST 2010



Hello,

I'm going to have several (VLAN) interfaces on one server, and as I'm preparing
this I'm wondering what the good practices are when you don't want to offer DHCP
and/or DNS services on every interface.

Here is what I currently have:

| eth0.10 -> no dhcp, no dns
| eth0.20 -> no dhcp, no dns
| eth0.30 -> no dhcp, dns
| eth1    -> dhcp, dns

and in dnsmasq.conf:
| interface=eth1
| interface=eth0.10
| no-dhcp-interface=eth0.10

And the associated iptables rules:
| IFACE_IN=eth1
| IFACE_IN_NET=192.168.50.0/24
| IFACE_IN_IP=192.168.50.1
| $IPTABLES -P INPUT DROP
| $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
| $IPTABLES -A INPUT -i $IFACE_IN -p udp -m udp -m multiport --sports 67,68 -m multiport --dports 67,68 -j ACCEPT
| $IPTABLES -A INPUT -i $IFACE_IN -s $IFACE_IN_NET -p udp -m udp --dport 53 -j ACCEPT
| $IPTABLES -A INPUT -i $IFACE_IN -s $IFACE_IN_NET -p tcp -m tcp --dport 53 -j ACCEPT

This is working well so far, but below is what I'm planning:

| eth0.10 -> no dhcp, no dns
| eth0.20 -> no dhcp, no dns
| eth0.30 -> no dhcp, dns
| eth1.50 -> dhcp, dns
| eth1.51 -> dhcp, dns
| eth1.52 -> dhcp, dns
| eth1.53 -> dhcp, dns
| eth1.54 -> dhcp, dns


I'm not sure what is best to do:

   -> Should I comment out the 'interface' and 'no-dhcp-interface' lines, and use iptables
to restrict services?

   -> or just continue to enumerate every interface and duplicate the iptables
rules for each interface?

   -> or something else I didn't think of?


Any advice highly appreciated!

Thanks!


samlt
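As an added example (not from the original post, and not code from the dnsmasq project), here is one way the "enumerate every interface" option can be kept maintainable: a single interface/role table drives both the dnsmasq.conf fragment and the per-interface iptables ACCEPT rules, so adding a VLAN means adding one table line. The table below is constructed for the example and is not the poster's real VLAN plan; it also assumes every subnet is a /24, a DHCP pool of .100-.200 with a 12h lease, and that the fourth column is the server's own address on that VLAN. The DROP policy and the RELATED,ESTABLISHED rule from the post are assumed to stay in place.

```shell
#!/bin/sh
# Added example (not from the original post): generate the dnsmasq.conf fragment
# and the per-interface iptables rules from one interface/role table, so that
# adding a VLAN means adding one line here instead of hand-copying rules.
#
# Assumptions made for the example: the interface table below is constructed
# (not the poster's real VLAN plan), every subnet is a /24, the DHCP pool is
# .100-.200 with a 12h lease, and the fourth column is the server's own address
# on that VLAN.

# iface   services  subnet           server-address-on-that-vlan
IFACE_TABLE='eth0.10 none     192.168.10.0/24 192.168.10.1
eth0.20 none     192.168.20.0/24 192.168.20.1
eth0.30 dns      192.168.30.0/24 192.168.30.1
eth1.50 dhcp,dns 192.168.50.0/24 192.168.50.1
eth1.51 dhcp,dns 192.168.51.0/24 192.168.51.1'

IPTABLES=${IPTABLES:-iptables}

# dnsmasq side: list only the interfaces that offer a service. bind-interfaces
# makes dnsmasq bind the listed addresses instead of the wildcard, so a query
# arriving on an unlisted VLAN is refused by the kernel rather than being
# accepted by the socket and discarded in user space.
gen_dnsmasq_conf() {
    echo "bind-interfaces"
    echo "$IFACE_TABLE" | while read -r iface services subnet addr; do
        case "$services" in
            none) continue ;;
        esac
        echo "interface=$iface"
        case ",$services," in
            *,dhcp,*)
                # dnsmasq serves the dhcp-range whose subnet matches the
                # interface address, so one range per DHCP VLAN is enough.
                prefix=${subnet%.*}   # 192.168.50.0/24 -> 192.168.50 (/24 only)
                echo "dhcp-range=$prefix.100,$prefix.200,12h" ;;
            *)
                echo "no-dhcp-interface=$iface" ;;
        esac
    done
}

# Firewall side: one ACCEPT per service per interface. Everything else is
# left to the INPUT DROP policy and the RELATED,ESTABLISHED rule from the post.
gen_iptables_rules() {
    echo "$IFACE_TABLE" | while read -r iface services subnet addr; do
        case ",$services," in
            *,dhcp,*)
                # DHCPDISCOVER comes from 0.0.0.0, so no -s filter is possible
                # here; sport 68 is a client, sport 67 a relay agent.
                echo "$IPTABLES -A INPUT -i $iface -p udp --sport 67:68 --dport 67 -j ACCEPT" ;;
        esac
        case ",$services," in
            *,dns,*)
                # Only the VLAN's own subnet may query, and only the server's
                # address on that VLAN, not its addresses on the other VLANs.
                echo "$IPTABLES -A INPUT -i $iface -s $subnet -d $addr -p udp --dport 53 -j ACCEPT"
                echo "$IPTABLES -A INPUT -i $iface -s $subnet -d $addr -p tcp --dport 53 -j ACCEPT" ;;
        esac
    done
}

echo "# --- dnsmasq.conf fragment ---"
gen_dnsmasq_conf
echo "# --- iptables rules ---"
gen_iptables_rules
```

Two points worth keeping in mind with this layout: with bind-interfaces the VLAN interfaces have to exist when dnsmasq starts (it binds their addresses at startup), and the iptables rules are still wanted even with a correct interface list, because they are enforced before any packet reaches dnsmasq at all.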
