I have an OpenStack environment with a provider network scenario implemented using Open vSwitch. My OpenStack is installed on an all-in-one node setup. Is there a way that I can disable/drop all DHCP requests that land on one of the network interfaces of my server?
1 Answer
DHCP/BOOTP requests are sent to port 67 UDP. Set up a firewall rule to drop all packages with destination port 67 and protocol UDP and you have blocked it.
Port 67 is only used for the server destination, clients receive answers on port 68, so you can still send requests from that server but not to that server.
Better practice would be to disable ALL incoming traffic (policy drop) and just allow those connections you really want.
The drop rule for your particular case is:

```bash
iptables -A INPUT -p udp -i em2 --dport 67 -j DROP
```

Better practice is to create a firewall script that you place in your `/root/`, e.g. called `firewall`, and give it execute permissions: `chmod u+x /root/firewall`
and in this script you write down all your rules. This is an example from an e-mail server of ours:
```bash
#!/bin/bash
# IPv4 flush all tables
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat
# IPv6 flush all tables
ip6tables -F INPUT
ip6tables -F FORWARD
ip6tables -F OUTPUT
# IPv4 set default policy drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# IPv6 set default policy drop
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# IPv4 allow local communication
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# IPv6 allow local communication
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# IPv4 allow related/established
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# IPv6 allow related/established
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# INPUT
# ICMP
iptables -A INPUT -p icmp -m state --state NEW -j ACCEPT
# SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# EMAIL
iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 465 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 587 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -m state --state NEW -j ACCEPT
# OUTPUT allow all
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# save rules
iptables-save > /etc/iptables.conf
ip6tables-save > /etc/ip6tables.conf
```
Then you just execute the script as root (`/root/firewall`) and all your rules are set.
- `iptables -A INPUT -p ALL -s 172.19.1.10 -i em2 -dport67 -j DROP` `iptables -A INPUT -p ALL -s 172.19.1.10 -i em2 -dport68 -j DROP` I added these two rules and did an iptables-save. Is that sufficient? I have CentOS 7.2 running with the firewalld service disabled and iptables running. Also, why am I not seeing this rule when I issue "iptables -t filter -L"? – Gaurav Parashar Sep 27 '16 at 08:58
- That works but you would just block traffic from 172.19.1.10; you said you wanted to block all DHCP requests, for that you can just leave the -s option out. And put a space between -dport and 67. Oh and -p udp, not all – Broco Sep 27 '16 at 09:00
- Yes, 172.19.1.10 is the DHCP server in my case. This is also the nameserver; I hope that the DNS reply will still land as it is on a different port? – Gaurav Parashar Sep 27 '16 at 09:02
- You mean the destination? You better read more about firewalls if you handle a crucial system. As I said, better set a policy to drop everything and enable all ports/protocols you need. And yes, DNS is a different port. If you don't want to use DHCP, why enable it in the first place? Your iptables rules don't show because they are wrong, -s is the SOURCE option, you want to disable DESTINATION (-d). If you want to block traffic to port 67 udp of the interface completely you don't have to add the -s flag. Also it is `-dport 67`, not `-dport67` – Broco Sep 27 '16 at 09:06
- OK, so what I was trying to do is: any IP packet that lands on my server (x.y.z.w) and has a source address of 172.19.1.10 (which it will, because I assume DHCP packets are coming from the DHCP server '172.19.1.10') should be dropped. Why should I use destination in this case? – Gaurav Parashar Sep 27 '16 at 09:24
- Also, have they dropped the option --dport in iptables for CentOS 7? [root@localhost ~(keystone_admin)]# iptables -A INPUT -p ALL -s 172.19.1.10 -i em2 --dport 67 -j DROP iptables v1.4.21: unknown option "--dport" Try `iptables -h' or 'iptables --help' for more information. This is what I get – Gaurav Parashar Sep 27 '16 at 09:27
- Oh OK, now I get it. You want to block DHCP INCOMING traffic. In your question you said you want to block DHCP requests, not DHCP replies. Yes, then it's source of course. – Broco Sep 27 '16 at 09:27
- Hi Broco, can you please comment on the dport part? – Gaurav Parashar Sep 27 '16 at 09:30
- You have to specify a protocol for dport to take effect. Use `-p udp --dport 67` – Broco Sep 27 '16 at 09:31
- Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/45947/discussion-between-broco-and-gaurav-parashar). – Broco Sep 27 '16 at 09:32
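The answer and the comment thread turn on three details of iptables matching: `-s` matches the source and `-d` the destination, DHCP requests go to UDP port 67 while replies come from port 67 to port 68, and `--dport`/`--sport` are only accepted together with `-p tcp` or `-p udp`. The following first-match simulator is an added illustration, not code from the answer or from iptables itself; `Packet`, `Rule`, `verdict`, `rule_is_valid`, `SERVER` and `RULES` are constructed here, and the sample packets use the asker's server 172.19.1.10 and interface em2. It shows that the answer's rule drops requests to this host, the asker's rule drops replies from the DHCP server, DNS replies (UDP 53) from the same server still pass, and a rule with `-p ALL --dport 67` is rejected.

```python
from dataclasses import dataclass
from typing import List, Optional
@dataclass(frozen=True)
class Packet:                      # the fields iptables looks at in INPUT
    iface: str
    proto: str                     # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
@dataclass(frozen=True)
class Rule:
    target: str                    # ACCEPT or DROP (-j)
    iface: Optional[str] = None    # -i
    proto: Optional[str] = None    # -p; None models "-p ALL"
    src: Optional[str] = None      # -s (source address)
    dst: Optional[str] = None      # -d (destination address)
    sport: Optional[int] = None    # --sport
    dport: Optional[int] = None    # --dport
    def __post_init__(self) -> None:
        # iptables accepts --sport/--dport only with -p tcp or -p udp; otherwise
        # it fails with 'unknown option "--dport"', as seen in the comments
        if (self.sport, self.dport) != (None, None) and self.proto not in ("tcp", "udp"):
            raise ValueError("--sport/--dport require -p tcp or -p udp")
    def matches(self, p: Packet) -> bool:
        pairs = [(self.iface, p.iface), (self.proto, p.proto), (self.src, p.src),
                 (self.dst, p.dst), (self.sport, p.sport), (self.dport, p.dport)]
        return all(want is None or want == have for want, have in pairs)
def verdict(rules: List[Rule], p: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy
def rule_is_valid(**options) -> bool:
    # True if iptables would load the rule, False for e.g. "-p ALL --dport 67"
    try:
        Rule("DROP", **options)
        return True
    except ValueError:
        return False
# Constructed sample for the asker's setup: DHCP and DNS server 172.19.1.10 behind em2
SERVER = "172.19.1.10"
RULES = [
    Rule("DROP", iface="em2", proto="udp", dport=67),                        # answer: drop DHCP requests to this host
    Rule("DROP", iface="em2", proto="udp", src=SERVER, sport=67, dport=68),  # asker: drop DHCP replies from the server
]
```

With a `DROP` policy on INPUT, as the answer recommends, the same packets that are not explicitly accepted are dropped regardless of the two rules above.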