Block third-party DHCP servers on the Huawei Quidway S2300 (DHCP Snooping)

I will give an example of how, on the Huawei Quidway S2300 switch (using the S2326TP-EI as an example), to allow DHCP server responses only from the uplink port and block such responses coming from client ports.


Configuring DHCP+TFTP for DOCSIS

Recently, it was necessary to configure the issuing of IP addresses to several old DOCSIS modems and to the host located behind each modem.
At hand were the Arris Cadant C3 and Thomson TCM-420 modems.

First of all, let’s start a DHCP server that will issue IP addresses to the modems, for example as I described in this article – Installing and configuring isc-dhcp-server.
We will also launch a TFTP server that holds the files for the modems, for example as I described in the article – Installing and Configuring a TFTP Server.


Installing and configuring isc-dhcp-server in Ubuntu

Here’s an example of installing isc-dhcp-server in Ubuntu Server.

Installation command:

sudo apt-get install isc-dhcp-server

Open the first configuration file:

sudo nano /etc/default/isc-dhcp-server

Specify the name of the interface on which the server will listen and hand out IP addresses (for example, eth0):

INTERFACES="eth0"

Suppose that this interface has a static address in /etc/network/interfaces:

auto eth0
iface eth0 inet static
address 192.168.5.1
netmask 255.255.255.0

Let’s make a backup copy of the second configuration file:

sudo mv /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.backup

Create a new one:

sudo nano /etc/dhcp/dhcpd.conf

And we will add the following parameters to it:

default-lease-time 600;
max-lease-time 7200;
authoritative;
log-facility local7;

shared-network cable {

subnet 192.168.5.0 netmask 255.255.255.0 {
range 192.168.5.10 192.168.5.254;
option domain-name-servers 192.168.5.1, 8.8.4.4;
option domain-name "example.net";
option routers 192.168.5.1;
option time-servers 192.168.5.1;
option broadcast-address 192.168.5.255;
default-lease-time 600;
max-lease-time 7200;
}
}

To reserve an IP address for a specific device, add the following after “max-lease-time 7200;” (before the closing brace “}”):

host test {
  hardware ethernet 00:01:02:aa:bb:cc;
  fixed-address 192.168.5.101;
}

For several hosts it is more convenient to write each reservation on one line:

host test { hardware ethernet 00:01:02:aa:bb:cc; fixed-address 192.168.5.101; }
host test2 { hardware ethernet 00:01:aa:aa:bb:cc; fixed-address 192.168.5.104; }

You can check whether the DHCP server is running with the commands:

sudo service isc-dhcp-server status
sudo /etc/init.d/isc-dhcp-server status
sudo netstat -tulpn | grep :67

Restart the server for changes to the configuration files to take effect:

sudo service isc-dhcp-server restart
sudo /etc/init.d/isc-dhcp-server restart

You can see the issued leases with the command:

sudo less /var/lib/dhcp/dhcpd.leases

Logs are written to syslog (log-facility local7). To separate them into their own file, open the syslog configuration file in a text editor:

sudo nano /etc/rsyslog.d/50-default.conf

And at the end add:

local7.*  /var/log/dhcp-server.log

After that the logs will be written both to /var/log/syslog and to /var/log/dhcp-server.log.

Let’s check if the DHCP server is running:

sudo netstat -tulpn | grep :67

An example of capturing packets with tcpdump for troubleshooting:

sudo tcpdump port 67 or port 68 -e -n
sudo tcpdump ether host e0:cb:4e:c3:7c:44

You can watch the logs in real time like this:

tail -F /var/log/syslog | grep dhcpd
tail -F /var/log/syslog | grep 192.168.1.5
tail -F /var/log/syslog | grep e0:cb:4e:c3:7c:44
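As an added example (not from the original article), a small POSIX shell script that parses the dhcpd.leases file viewed above and prints only the currently active leases, one line per IP, taking the latest record for each IP because dhcpd appends new records rather than rewriting old ones; the lease records embedded below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: list active leases from an
# ISC dhcpd leases file as "IP MAC hostname". Sample data is constructed.

LEASES_SAMPLE=$(mktemp)
cat > "$LEASES_SAMPLE" <<'EOF'
# constructed sample, not a real lease file
lease 192.168.5.10 {
  starts 1 2024/01/01 10:00:00;
  ends 1 2024/01/01 12:00:00;
  binding state active;
  hardware ethernet 00:01:02:aa:bb:cc;
  client-hostname "modem1";
}
lease 192.168.5.11 {
  starts 1 2024/01/01 10:05:00;
  ends 1 2024/01/01 12:05:00;
  binding state free;
  hardware ethernet 00:01:02:dd:ee:ff;
}
lease 192.168.5.10 {
  starts 1 2024/01/01 12:00:00;
  ends 1 2024/01/01 14:00:00;
  binding state active;
  hardware ethernet 00:01:02:aa:bb:cc;
  client-hostname "modem1";
}
EOF

# Print "IP MAC hostname" for every IP whose most recent record is active.
# dhcpd appends a new record on each renewal, so the last record for an IP wins.
active_leases() {
  awk '
    /^lease /            { ip=$2; state=""; mac=""; host="" }
    /binding state/      { state=$3; sub(";", "", state) }
    /hardware ethernet/  { mac=$3; sub(";", "", mac) }
    /client-hostname/    { host=$2; gsub(/[";]/, "", host) }
    /^}/                 { rec[ip]=state " " mac " " host }
    END {
      for (ip in rec) {
        split(rec[ip], f, " ")
        if (f[1] == "active") print ip, f[2], f[3]
      }
    }
  ' "$1"
}

# Number of active leases, a quick sanity check against the pool size.
count_active() { active_leases "$1" | wc -l | tr -d ' '; }
```

Run it against the real file with `active_leases /var/lib/dhcp/dhcpd.leases` (root is needed to read that file).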

See also my articles:
IPTables rules for DHCP
DHCP configuration script
Installing ISC DHCP for ABillS
Configuring DHCP+TFTP for DOCSIS
Packet capturing with tcpdump

Blocking third-party DHCP on Cisco via DHCP Snooping

As a test, I configure DHCP Snooping on a Cisco Catalyst 6509-E to block third-party DHCP servers; on other Cisco switches the configuration is essentially the same.

After connecting to the device, go straight into configuration mode:

enable
configure


IPTables rules for DHCP

Assuming the server’s INPUT chain defaults to DROP, here is a simple rule permitting DHCP requests to the server; this is enough for clients to obtain an IP from it (em1 is the network interface on which the DHCP server is listening):

iptables -I INPUT -p udp -i em1 --dport 67 -j ACCEPT

To remove a rule, repeat the same command with -I (or -A) replaced by -D, for example:

iptables -D INPUT -p udp -i em1 --dport 67 -j ACCEPT

Strictly restricting access by source IP is not possible, because clients that do not yet have an IP address send a broadcast request from 0.0.0.0 to 255.255.255.255, and only renew their lease by unicast from the IP they have already received.

Here is an example of such an IP restriction (192.168.5.1 is the IP on which the DHCP server is running, and 172.17.0.0/16 is the client network that is allowed to renew leases):

iptables -t filter -A INPUT -i em1 -p udp -s 0.0.0.0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
iptables -t filter -A INPUT -i em1 -p udp -s 0.0.0.0 --sport 68 -d 192.168.5.1 --dport 67 -j ACCEPT
iptables -t filter -A INPUT -i em1 -p udp -s 172.17.0.0/16 --sport 68 -d 192.168.5.1 --dport 67 -j ACCEPT

See also my articles:
Configuring IPTables
IPTables rules for TFTP

Installing and Using dhcpdump

dhcpdump is a sniffer utility for analyzing DHCP packets.

The installation command in Ubuntu/Debian:

sudo apt-get install dhcpdump

Installation in CentOS:

yum install dhcpdump

Let’s see what network interfaces are in the system:

ifconfig

Example of running dhcpdump with the name of the network interface:

dhcpdump -i eth0

An example of capturing only DHCP packets whose hardware (MAC) address matches a regular expression, here ^02:b0:eb, i.e. addresses beginning with 02:b0:eb:

dhcpdump -i eth0 -h ^02:b0:eb

An example of writing the output to a file instead of the screen:

dhcpdump -i eth0 > file.txt

Configuring FreeRADIUS DHCP for ABillS

Suppose you installed FreeRADIUS 2 as described in this article – Installation and configuration of the ABillS billing system.
Now copy the dhcp.conf file into the FreeRADIUS configuration:

sudo cp /usr/abills/misc/freeradius/v2/dhcp.conf /usr/local/freeradius/etc/raddb/sites-enabled/
