Minimal requirements to firewall rules for running dhcpd server in linux container

Question

I want to run isc dhcpd server in lxd (lxc) container. But it does not recive clients requests (DHCPDISCOVER, DHCPREQUEST) from clients without this rule:

iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT

I had prepared new rules to replace:

iptables -A FORWARD -d $DHCP -p udp --dport 67:68 --sport 67:68 -j ACCEPT
iptables -A FORWARD -s $DHCP -p udp --dport 67:68 --sport 67:68 -j ACCEPT
iptables -A FORWARD -i br-eth0 -m pkttype --pkt-type multicast -j ACCEPT

But it seems to me that this is not enough. To be precise - this is not enough.

I must allow broadcast another way ?

score 0 · Answer 1 · answered Mar 24 '16 at 14:59

0

I was wrong about multicast. I confused multicast with broadcast. Sorry.

My solution is to use following rule:

iptables -A FORWARD -i br-eth0 -m pkttype --pkt-type broadcast -j ACCEPT

answered Mar 24 '16 at 14:59

vskubriev

686
9
15

Minimal requirements to firewall rules for running dhcpd server in linux container

1 Answers1