[Dnsmasq-discuss] good practice with many interfaces?

SamLT samuel.lethiec at intelunix.fr
Thu Sep 23 10:56:52 BST 2010


On Wed, Sep 22, 2010 at 06:11:44PM +0100, Simon Kelley wrote:
> SamLT wrote:
> > 
> > Hello,
> > 
> > I'm going to have several (vlan) interfaces on one server, and as I'm preparing
> > this I'm wondering what the good practices are when you don't want to offer dhcp
> > and/or dns services on every interface?
> > 
> > Here is what I currently have:
> > 
> > | eth0.10 -> no dhcp, no dns
> > | eth0.20 -> no dhcp, no dns
> > | eth0.30 -> no dhcp, dns
> > | eth1    -> dhcp, dns
> > 
> > and in dnsmasq.conf:
> > | interface=eth1
> > | interface=eth0.10
> > | no-dhcp-interface=eth0.10
> > 
> > And the associated iptables rules:
> > | IFACE_IN=eth1
> > | IFACE_IN_NET=192.168.50.0/24
> > | IFACE_IN_IP=192.168.50.1
> > | $IPTABLES -P INPUT DROP
> > | $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > | $IPTABLES -A INPUT -i $IFACE_IN -p udp -m udp -m multiport --sports 67,68 -m multiport --dports 67,68 -j ACCEPT
> > | $IPTABLES -A INPUT -i $IFACE_IN -s $IFACE_IN_NET -p udp -m udp --dport 53 -j ACCEPT
> > | $IPTABLES -A INPUT -i $IFACE_IN -s $IFACE_IN_NET -p tcp -m tcp --dport 53 -j ACCEPT
> > 
> > This is working good so far, but below is what I'm planning:
> > 
> > | eth0.10 -> no dhcp, no dns
> > | eth0.20 -> no dhcp, no dns
> > | eth0.30 -> no dhcp, dns
> > | eth1.50 -> dhcp, dns
> > | eth1.51 -> dhcp, dns
> > | eth1.52 -> dhcp, dns
> > | eth1.53 -> dhcp, dns
> > | eth1.54 -> dhcp, dns
> > 
> > 
> > I'm not sure what is best to do:
> > 
> >    -> Should I comment out the 'interface' and 'no-dhcp-interface' lines, and use iptables
> > to restrict services?
> > 
> >    -> or just continue to enumerate every interface and duplicate the iptables
> > rules for each interface?
> >    
> >    -> or something else I didn't think of?
> > 
> 
> The shortest set of dnsmasq configurations you could use would be
> 
> except-interface=eth0.10
> except-interface=eth0.20
> no-dhcp-interface=eth0.30
> 
> leaving the rest to default to providing both services

Nice! I didn't think of except-interface :)


> 
> It's difficult to advise on the IPTABLES stuff: are you just adding that
> as belt-and-braces security, or do you need to isolate services
> listening on other ports from those networks?
> 

I'd say the first option. As you can see, this configuration is quite simple and
standard; I'm just trying to keep things as clean and safe as possible. The default
INPUT policy is DROP and I'd like to only allow what I need.


Thank you, Simon, for your answer.



> 
> Cheers,
> 
> Simon.
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
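The following is an added example for the planned eight-interface layout; it is not code from the thread or from the dnsmasq project. It takes Simon's point that except-interface and no-dhcp-interface are enough on the dnsmasq side, and answers the second half of the question (how to avoid hand-duplicating the iptables rules) by generating both the dnsmasq.conf fragment and the per-interface INPUT rules from one table of interfaces. The interface names are the ones from the thread; the subnets, the .100-.200 pool per VLAN, the 12h lease and the bind-interfaces line are assumptions for the sake of the example. The DHCP rule is tightened from the thread's multiport 67,68 to client port 68 -> server port 67, and deliberately has no -s match, because DHCPDISCOVER/DHCPREQUEST from a fresh client arrive with source 0.0.0.0 and would never match a subnet filter.

```shell
#!/bin/sh
# Added example (not from the thread): one layout table drives both the
# dnsmasq configuration and the firewall rules, so a new VLAN is one new line.

# iface  subnet (assumed)   services: none | dns | dns,dhcp
layout() {
  cat <<'EOF'
eth0.10 192.168.10.0/24 none
eth0.20 192.168.20.0/24 none
eth0.30 192.168.30.0/24 dns
eth1.50 192.168.50.0/24 dns,dhcp
eth1.51 192.168.51.0/24 dns,dhcp
eth1.52 192.168.52.0/24 dns,dhcp
eth1.53 192.168.53.0/24 dns,dhcp
eth1.54 192.168.54.0/24 dns,dhcp
EOF
}

# dnsmasq.conf fragment: everything not listed defaults to dns+dhcp,
# exactly as Simon describes. dnsmasq picks the dhcp-range whose subnet
# matches the interface's own address, so one range per DHCP VLAN suffices.
dnsmasq_conf() {
  # Assumed hardening: bind only the addresses of the interfaces dnsmasq
  # serves instead of the wildcard (default is wildcard + filter-on-receive).
  echo "bind-interfaces"
  layout | while read -r iface net svc; do
    case "$svc" in
      none)
        echo "except-interface=$iface" ;;
      dns)
        echo "no-dhcp-interface=$iface" ;;
      dns,dhcp)
        prefix=${net%/*}        # 192.168.50.0/24 -> 192.168.50.0
        prefix=${prefix%.*}     # 192.168.50.0    -> 192.168.50
        echo "dhcp-range=$prefix.100,$prefix.200,12h" ;;   # assumed pool
    esac
  done
}

# INPUT rules in the thread's style, one set per interface that offers a
# service. Interfaces marked "none" get no rule at all and fall to the DROP
# policy, so iptables and dnsmasq enforce the same decision independently.
iptables_rules() {
  IPTABLES=${IPTABLES:-/sbin/iptables}
  echo "$IPTABLES -P INPUT DROP"
  echo "$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
  layout | while read -r iface net svc; do
    case ",$svc," in
      *,dhcp,*)
        # DHCP client broadcasts come from 0.0.0.0:68 -> 255.255.255.255:67,
        # so no source-subnet match here (it would never match).
        echo "$IPTABLES -A INPUT -i $iface -p udp --sport 68 --dport 67 -j ACCEPT" ;;
    esac
    case ",$svc," in
      *,dns,*)
        # DNS clients do have a routable source, so restrict to the VLAN's subnet.
        echo "$IPTABLES -A INPUT -i $iface -s $net -p udp --dport 53 -j ACCEPT"
        echo "$IPTABLES -A INPUT -i $iface -s $net -p tcp --dport 53 -j ACCEPT" ;;
    esac
  done
}

echo "# --- dnsmasq.conf fragment ---"
dnsmasq_conf
echo
echo "# --- firewall script ---"
iptables_rules
```

Review the generated output before applying it (pipe iptables_rules into sh once you are happy). Two caveats: if a DHCP relay ever sits in front of one of these VLANs, relayed requests arrive from the relay's address with source port 67, so that VLAN would need an additional `--sport 67 --dport 67` rule with `-s <relay-address>`; and bind-interfaces binds only interfaces that exist when dnsmasq starts, so the VLAN interfaces must be up before the service.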