  1. #1
    Untangler
    Join Date
    Oct 2010
    Posts
    39

    Default Howto: Reconfiguring packet filter to allow DHCP on other interfaces

    I have a writeup ready to go, but evidently I'm going to need 5 posts before I can submit a post with links.

    So here's post 1.

  2. #2
    Untangler
    Join Date
    Oct 2010
    Posts
    39

    Default

    Here's post 2.

  3. #3
    Untangler
    Join Date
    Oct 2010
    Posts
    39

    Default

    Here's post 3 (this is silly)

  4. #4
    Untangler
    Join Date
    Oct 2010
    Posts
    39

    Default

    Here's post 4 (almost there)

  5. #5
    Untangler
    Join Date
    Oct 2010
    Posts
    39

    Default

    Not quite...

  6. #6
    Untangler
    Join Date
    Oct 2010
    Posts
    39

    Default Howto: Reconfiguring packet filter to allow DHCP on other interfaces (finally)

    So, I've been lurking here for a little while trying to research how to serve DHCP on interfaces other than the Internal and DMZ but still be able to use packet filter to block unwanted interfaces. The following post explains how we can config dnsmasq to serve on multiple interfaces but the only suggestion for configuring the packet filter is to turn off DHCP filtering for all interfaces, which leaves the External interface exposed:
    http://forums.untangle.com/tip-day/7...-networks.html

    I didn't like this, and after a bit of searching it appears I'm not alone:
    http://forums.untangle.com/networkin...eth5-eth6.html
    http://forums.untangle.com/networkin...nterfaces.html
    http://forums.untangle.com/networkin...only-eth4.html
    http://forums.untangle.com/networkin...er-socket.html

    So, as a long-time Linux user, it seemed only proper to crack open my Untangle box and do a bit of digging.

    It appears that the following ruby script is responsible for doing most of the work of translating the packet filter gui into actual iptables rules:
    Code:
    /var/lib/rails/untangle-net-alpaca/lib/os_library/debian/packet_filter_manager.rb
    When you apply changes in the gui the script then rebuilds the iptables rules in this file:
    Code:
    /etc/untangle-net-alpaca/iptables-rules.d/400-firewall
    By studying this file you can see that when you apply the built-in "Allow DHCP Requests from the internal interface." rule it creates the following iptables rule:
    Code:
    iptables -t filter -I INPUT 1 -p udp -m mark --mark 2/2 -m multiport --destination-ports 67 -j RETURN
    The "Allow DMZ.." rule does the same except that the "--mark 2/2" portion changes for each interface.

    I then tried making an "Allow DHCP" rule of my own for my eth3 using the gui, which creates this actual iptables rule:
    Code:
    iptables -t mangle -A firewall-rules  -p udp -m multiport  --destination-ports  67 -m mark --mark 8/8 -j RETURN
    Now we're onto something... I then checked the "Block all DHCP Requests to the local DHCP Server." rule and found it creates:
    Code:
    iptables -t filter -A INPUT -p udp -m multiport --destination-port 67 -j DROP
    Bingo! The difference is that all the user rules are created by appending rules to the end of the "mangle" chain whereas the built-in rules are inserting rules into the INPUT chain. This means that packets hit the default "Block all DHCP.." and get dropped before they ever have a chance to hit the user created rules while the built-in rules work because they get inserted prior to the block.

    I was able to test this by manually adding an iptables rule for my eth3 interface that uses the insert vs the append method, and it was successful in allowing DHCP (but this would get overwritten by Untangle in the next rule refresh):
    Code:
    iptables -t filter -I INPUT 1 -p udp -m mark --mark 8/8 -m multiport --destination-ports 67 -j RETURN
    So, now understanding the issue, the simplest solution I found was to just abandon the built-in rules and do it all through a couple of user rules.

    Steps:
    1) Uncheck: "Block all DHCP Requests to the local DHCP Server.", "Allow DHCP Requests from the DMZ interface.", "Allow DHCP Requests from the internal interface."

    2) Create a user rule to accept on any of the interfaces you do want DHCP:
    Action: Pass, Protocol: UDP, Destination Port: 67, Source Interface: Internal, eth3

    3) Create a rule to Drop on all the interfaces:
    Action: Drop, Protocol: UDP, Destination Port: 67, Source Interface: all (even the ones you checked in the previous Pass rule)

    Make sure the Pass rule is ordered above the Drop rule. Assuming your DHCP is configured correctly you should now have DHCP access on any interfaces you have checked within the Pass rule.

    Hope this helps. For anyone that cares, I'm keeping track of my Untangle build progress here: http://www.oxygenimpaired.com/tangling-with-untangle.
    Last edited by thump; 10-18-2010 at 11:12 PM.

  7. #7
    Untangler
    Join Date
    Oct 2010
    Posts
    39

    Default

    Update - to be more technically correct.. the "Bingo!" paragraph should actually read:

    "Bingo! The difference is that all the user rules are created by appending rules to the end of “firewall-rules” rule set of the “mangle” table whereas the built-in set of Allow rules are inserting rules into the top of the input chain (INPUT 1) in the default “filter” table. In short this means that when creating custom user rules they’re getting added after the built-in “Block all DHCP..” rule so the DHCP packets are being dropped before they ever get to the user created Allow rules (vs the built-in Allow rules that get inserted before the built-in “Block all DHCP..” rule)."
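The following is an added example (not from the thread or from Untangle) that models the rule ordering described in post 6 and corrected in post 7 as a first-match walk: it parses the iptables lines quoted above, honouring "-I INPUT 1" versus "-A", and assumes the user chain (firewall-rules in the mangle table) is walked before INPUT in the filter table, as mangle hooks precede filter hooks. Mark 1 for the External interface and the USER_DROP_ALL line are constructed assumptions.

```python
import shlex
def parse_rule(cmd):
    args, rule, chain, pos, i = shlex.split(cmd), {}, None, None, 0
    while i < len(args):
        a = args[i]
        if a == "-I":                                 # insert at a 1-based position
            chain, pos, i = args[i + 1], int(args[i + 2]) - 1, i + 3
        elif a == "-A":                               # append at the end of the chain
            chain, pos, i = args[i + 1], None, i + 2
        elif a in ("-p", "-j"):
            rule["proto" if a == "-p" else "target"], i = args[i + 1], i + 2
        elif a in ("--destination-port", "--destination-ports"):
            rule["dport"], i = int(args[i + 1]), i + 2
        elif a == "--mark":                           # "value/mask", e.g. 8/8 for eth3
            rule["mark"], i = tuple(int(x) for x in args[i + 1].split("/")), i + 2
        else:                                         # iptables, -t <table>, -m <module>: not match criteria
            i += 1
    return chain, pos, rule                           # pos None means append

def load(cmds):
    chains = {}                                       # chain name -> ordered list of rules
    for chain, pos, rule in map(parse_rule, cmds):
        lst = chains.setdefault(chain, [])
        lst.insert(len(lst) if pos is None else pos, rule)
    return chains

def verdict(chain, pkt, policy="ACCEPT"):
    # First matching rule decides; RETURN leaves the chain and falls back to the policy.
    for r in chain:
        val, mask = r.get("mark", (0, 0))
        if (r.get("proto", pkt["proto"]) == pkt["proto"]
                and r.get("dport", pkt["dport"]) == pkt["dport"] and pkt["mark"] & mask == val):
            return policy if r["target"] == "RETURN" else r["target"]
    return policy

def dhcp_verdict(chains, mark):
    # The user chain (mangle/firewall-rules) is walked before filter/INPUT: a RETURN there
    # cannot rescue a packet from a later DROP in INPUT, but a DROP there ends the walk.
    pkt = {"proto": "udp", "dport": 67, "mark": mark}
    v = verdict(chains.get("firewall-rules", []), pkt)
    return v if v == "DROP" else verdict(chains.get("INPUT", []), pkt)

# The rule lines quoted in the thread; mark 1 for External is a constructed value.
BLOCK_ALL = "iptables -t filter -A INPUT -p udp -m multiport --destination-port 67 -j DROP"
ALLOW_INTERNAL = "iptables -t filter -I INPUT 1 -p udp -m mark --mark 2/2 -m multiport --destination-ports 67 -j RETURN"
USER_ETH3 = "iptables -t mangle -A firewall-rules -p udp -m multiport --destination-ports 67 -m mark --mark 8/8 -j RETURN"
MANUAL_ETH3 = "iptables -t filter -I INPUT 1 -p udp -m mark --mark 8/8 -m multiport --destination-ports 67 -j RETURN"
# Steps 1-3: user Pass rules above one user Drop rule (USER_DROP_ALL is an assumed rendering, not a thread line)
USER_INTERNAL, USER_DROP_ALL = USER_ETH3.replace("8/8", "2/2"), USER_ETH3.split(" -m mark")[0] + " -j DROP"
```

Loading BLOCK_ALL, ALLOW_INTERNAL and USER_ETH3 gives ACCEPT for mark 2 but DROP for mark 8; adding MANUAL_ETH3 or switching to the three user rules in steps 1-3 (Pass rules first) gives ACCEPT for both and DROP for mark 1, while putting the Drop rule first drops everything.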

  8. #8
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747

    Default

    Cool. Nice howto!
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
