IPTables rules for DHCP

Assume the server's default INPUT policy is DROP. Here is a simple rule that permits DHCP requests to the server; on its own it is enough for clients to obtain an IP address from the server (em1 is the network interface on which the DHCP server listens):

iptables -I INPUT -p udp -i em1 --dport 67 -j ACCEPT

To remove a rule, repeat the same command with -D in place of -I (or -A; the rule is matched by its specification, not by how it was added), for example:

iptables -D INPUT -p udp -i em1 --dport 67 -j ACCEPT

When limiting access by IP address, bear in mind that a client without an address sends its initial request as a broadcast from source 0.0.0.0 to 255.255.255.255 (source port 68, destination port 67), and later renews the lease by unicast from the address it was assigned.

Here is an example of an IP restriction (192.168.5.1 is the address on which the DHCP server is running, and 172.17.0.0/16 is the client network from which lease renewals are allowed). Note that these rules match only directly attached clients: requests forwarded by a DHCP relay agent arrive from the relay's own address with source port 67, not 68, and need a rule of their own.

iptables -t filter -A INPUT -i em1 -p udp -s 0.0.0.0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
iptables -t filter -A INPUT -i em1 -p udp -s 0.0.0.0 --sport 68 -d 192.168.5.1 --dport 67 -j ACCEPT
iptables -t filter -A INPUT -i em1 -p udp -s 172.17.0.0/16 --sport 68 -d 192.168.5.1 --dport 67 -j ACCEPT

When the DHCP server listens on a very large number of network interfaces (for example with accel-ppp), you can omit the -i interface match and restrict by source network only, for example:

iptables -A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 67 -j ACCEPT
iptables -A INPUT -s 172.16.0.0/12 -p udp -m udp --dport 67 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/32 -p udp -m udp --dport 67 -j ACCEPT

If the default INPUT policy is ACCEPT, add a final rule that denies everything else on the DHCP port. The allowing rules must come before it, not after, because iptables evaluates rules in order and stops at the first match. Note also that some DHCP servers (ISC dhcpd on Linux, for example) read requests through a raw packet socket, which sees frames before the netfilter INPUT hook, so for such a server this DROP blocks the kernel's UDP socket path but does not stop the daemon itself from seeing the packets:

iptables -A INPUT -p udp -m udp --dport 67 -j DROP
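The restricted ruleset above and the ordering requirement for the final DROP are easier to get right when the whole set is generated from variables and loaded in one go with iptables-restore, rather than typed rule by rule. The script below is an added example, not code from the original post; the interface name em1, the server address 192.168.5.1 and the client network 172.17.0.0/16 are the article's assumed values, and `check_rules` and `apply_rules` are helper names chosen here.

```sh
#!/bin/sh
# Added example (not from the original post): build the DHCP filter rules
# from the article as an iptables-restore fragment, so the ACCEPT rules and
# the closing DROP are loaded atomically and in the right order.
# IFACE, SERVER_IP and CLIENT_NET are assumed values; override them in the
# environment to match your host.
IFACE="${IFACE:-em1}"
SERVER_IP="${SERVER_IP:-192.168.5.1}"
CLIENT_NET="${CLIENT_NET:-172.17.0.0/16}"

# Emit the rules for the filter table. iptables stops at the first matching
# rule, so the catch-all DROP is written last on purpose.
dhcp_rules() {
    cat <<EOF
*filter
# Initial DISCOVER/REQUEST from an unconfigured client: 0.0.0.0:68 -> broadcast:67
-A INPUT -i $IFACE -p udp -s 0.0.0.0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
# Some clients address the server directly while still having no IP
-A INPUT -i $IFACE -p udp -s 0.0.0.0 --sport 68 -d $SERVER_IP --dport 67 -j ACCEPT
# Lease renewals are unicast from the address the client already holds
-A INPUT -i $IFACE -p udp -s $CLIENT_NET --sport 68 -d $SERVER_IP --dport 67 -j ACCEPT
# Everything else aimed at the server port is dropped, whatever the chain policy
-A INPUT -p udp --dport 67 -j DROP
COMMIT
EOF
}

# Number of ACCEPT rules generated (sanity check for the three cases above)
count_accepts() {
    dhcp_rules | grep -c -- '^-A.*-j ACCEPT'
}

# Succeeds only if the DROP rule is emitted after the last ACCEPT rule
drop_is_last() {
    last_accept=$(dhcp_rules | grep -n -- '^-A.*-j ACCEPT' | tail -1 | cut -d: -f1)
    drop=$(dhcp_rules | grep -n -- '^-A.*-j DROP' | cut -d: -f1)
    [ "$drop" -gt "$last_accept" ]
}

# Parse the ruleset without committing it (iptables-restore --test), then
# append it to the live table without flushing the other INPUT rules.
# Both need root; apply_rules appends, so run it once or delete first with -D.
check_rules() {
    dhcp_rules | iptables-restore --test
}
apply_rules() {
    dhcp_rules | iptables-restore --noflush
}
```

Run `check_rules` first to catch typos in the generated fragment, then `apply_rules`. The `--noflush` flag keeps existing rules in the filter table, which also means a second run appends duplicates; remove the old set with the same rules and -D before reapplying.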

See also my articles:
Configuring IPTables
IPTables rules for TFTP
What is DHCP and how does it work?
