DHCP Configuration

Reconfiguring packet filter to allow DHCP on other interfaces

Note: This information was obtained from http://www.oxygenimpaired.com/tangling-with-untangle

Hmmm.. trying to research how to serve DHCP on interfaces other than the Internal and DMZ but still be able to use the packet filter to block unwanted interfaces. The following post explains how we can configure dnsmasq to serve on multiple interfaces, but the only suggestion for configuring the packet filter is to turn off DHCP filtering for all interfaces, which leaves the External interface exposed:
http://forums.untangle.com/tip-day/7206-dhcp-multiple-networks.html

I didn’t like this, and after a bit of searching it appears I’m not alone:
http://forums.untangle.com/networking/16176-dummies-guide-enabling-dhcp-eth3-eth4-eth5-eth6.html
http://forums.untangle.com/networking/17766-network-config-assist-4-untangle-interfaces.html
http://forums.untangle.com/networking/15115-dhcp-only-eth4.html

So.. as a long-time Linux user it seemed only proper to crack open my Untangle box and do a bit of digging.

It appears that the following Ruby script is responsible for doing most of the work of translating the packet filter gui into actual iptables rules:
/var/lib/rails/untangle-net-alpaca/lib/os_library/debian/packet_filter_manager.rb

When you apply changes in the gui the script then rebuilds the iptables rules in this file:
/etc/untangle-net-alpaca/iptables-rules.d/400-firewall

By studying this file you can see that when you apply the built-in “Allow DHCP Requests from the internal interface.” rule it creates the following iptables rule:
iptables -t filter -I INPUT 1 -p udp -m mark --mark 2/2 -m multiport --destination-ports 67 -j RETURN

The “Allow DMZ..” rule does the same except that the “--mark 2/2” portion changes for each interface.

I then tried making an “Allow DHCP” rule of my own for my eth3 using the gui, which creates this actual iptables rule:
iptables -t mangle -A firewall-rules -p udp -m multiport --destination-ports 67 -m mark --mark 8/8 -j RETURN

Now we’re onto something… I then checked the “Block all DHCP Requests to the local DHCP Server.” rule and found it creates:
iptables -t filter -A INPUT -p udp -m multiport --destination-port 67 -j DROP

Bingo! The difference is that all the user rules are created by appending rules to the end of the “firewall-rules” rule set of the “mangle” table, whereas the built-in set of Allow rules are inserted at the top of the INPUT chain (INPUT 1) in the default “filter” table. In short this means that when creating custom user rules they’re getting added after the built-in “Block all DHCP..” rule, so the DHCP packets are being dropped before they ever get to the user-created Allow rules (vs the built-in Allow rules that get inserted before the built-in “Block all DHCP..” rule).

I was able to test this by manually adding an iptables rule for my eth3 interface that uses the insert vs the append method, and it was successful in allowing DHCP (but this would get overwritten by Untangle in the next rule refresh):
iptables -t filter -I INPUT 1 -p udp -m mark --mark 8/8 -m multiport --destination-ports 67 -j RETURN

So.. now understanding the issue, the simplest solution I found was to just abandon the built-in rules and do it all through a couple of user rules.

Steps:

1) Uncheck: “Block all DHCP Requests to the local DHCP Server.”, “Allow DHCP Requests from the DMZ interface.”, “Allow DHCP Requests from the internal interface.”

2) Create a user rule to accept on any of the interfaces you do want DHCP on:
Action: Pass, Protocol: UDP, Destination Port: 67, Source Interface: Internal, eth3

3) Create a rule to Drop on all the interfaces:
Action: Drop, Protocol: UDP, Destination Port: 67, Source Interface: all (even the ones you checked in the previous Pass rule)

Make sure the Pass rule is ordered above the Drop rule. Assuming your DHCP is configured correctly you should now have DHCP access on any interfaces you have checked within the Pass rule.
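To make the ordering argument concrete, here is a small first-match model of the chains, written for this page and not part of the original post. It is a simplification (a single chain, DHCP port 67 only) that uses the interface mark values the post lists in the mapping section further down and constructed packet marks; it shows why a user Allow rule appended behind the built-in DROP never fires, and why the Pass-above-Drop pair does.

```python
# Added example (not from the original post): a first-match model of the chain
# ordering the post describes. Mark matching follows iptables: "--mark V/M"
# hits when (mark & M) == V. Mark values are those the post lists (Internal 2,
# DMZ 4, eth3 8, All 256; Internal carries 258 = 256|2). All rules: UDP dport 67.
from typing import List, Optional, Tuple

Rule = Tuple[str, Optional[Tuple[int, int]]]   # (target, (value, mask) or None)

def matches(rule: Rule, pkt_mark: int) -> bool:
    _, mark = rule
    if mark is None:                    # no -m mark: matches every packet
        return True
    value, mask = mark
    return (pkt_mark & mask) == value

def verdict(chain: List[Rule], pkt_mark: int) -> str:
    # first matching rule decides; falling off the end means "continue"
    for rule in chain:
        if matches(rule, pkt_mark):
            return rule[0]
    return "CONTINUE"

PKT = {"internal": 256 | 2, "dmz": 256 | 4, "eth3": 256 | 8}   # constructed marks

def verdicts(chain: List[Rule]) -> dict:
    return {name: verdict(chain, mark) for name, mark in PKT.items()}

def builtin_with_appended_user_rule() -> dict:
    """Built-ins as the post found them, plus a user 'Allow DHCP' rule for eth3."""
    chain: List[Rule] = []
    chain.append(("DROP", None))              # Block all DHCP Requests (-A)
    chain.insert(0, ("RETURN", (2, 2)))       # Allow from internal (-I INPUT 1)
    chain.append(("RETURN", (8, 8)))          # user rule for eth3: appended, after DROP
    return verdicts(chain)

def user_rules_only() -> dict:
    """The post's fix: Pass rules for Internal and eth3 ordered above a Drop for all."""
    chain: List[Rule] = [
        ("RETURN", (2, 2)),                   # Pass: Internal
        ("RETURN", (8, 8)),                   # Pass: eth3
        ("DROP", (256, 256)),                 # Drop: all interfaces, last
    ]
    return verdicts(chain)
```

Swapping the Pass and Drop rules in user_rules_only() makes the "all interfaces" Drop match first and eth3 loses DHCP again, which is why the step above insists on the ordering.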

-------

Mapping the built-in Untangle Packet Filter rules.

The interfaces on this box are identified by Untangle as follows (the “--mark #/#” is basically another identifier for the different interfaces within iptables):
eth0 = External (--mark 1/1)
eth1 = Internal (--mark 2/2 and --mark 258/258)
eth2 = DMZ (--mark 4/4)
eth3 = eth3 (--mark 8/8)
VPN (--mark 128/128)
All Interfaces (--mark 256/256)

First line = the built-in rule description listed in the Untangle gui.
Second/third lines = actual rule(s) created in /etc/untangle-net-alpaca/iptables-rules.d/400-firewall by checking the gui description.

MAPPING:

Allow DHCP Requests from the internal interface.
${IPTABLES} -t filter -I INPUT 1 -p udp -m mark --mark 2/2 -m multiport --destination-ports 67 -j RETURN

Allow DHCP Requests from the DMZ interface.
${IPTABLES} -t filter -I INPUT 1 -p udp -m mark --mark 4/4 -m multiport --destination-ports 67 -j RETURN

Block all DHCP Requests to the local DHCP Server.
${IPTABLES} -t filter -A INPUT -p udp -m multiport --destination-port 67 -j DROP

Prefer Local DHCP Traffic from non-internal interfaces.
${IPTABLES} -t mangle -A FORWARD -p udp -m multiport --destination-ports 67,68 -m physdev --physdev-is-bridged --physdev-out eth1 -j DROP
${IPTABLES} -t mangle -A FORWARD -p udp -m multiport --destination-ports 67,68 -m physdev --physdev-is-bridged --physdev-in eth1 -j DROP

Accept DHCP traffic to the local DHCP client.
${IPTABLES} -t filter -I INPUT 1 -p udp -m multiport --destination-ports 68 -j RETURN

Accept DNS traffic from the Internal and VPN interfaces to the local DNS Server.
${IPTABLES} -t mangle -A firewall-rules -p udp -m multiport --destination-ports 53 -m mark --mark 258/258 -j RETURN
${IPTABLES} -t mangle -A firewall-rules -p udp -m multiport --destination-ports 53 -m mark --mark 384/384 -j RETURN

Accept DNS traffic to the local DNS Server from all interfaces.
${IPTABLES} -t mangle -A firewall-rules -p udp -m multiport --destination-ports 53 -m mark --mark 256/256 -j RETURN

Accept SNMP traffic from the Internal interface.
${IPTABLES} -t mangle -A firewall-rules -p udp -m multiport --destination-ports 161 -m mark --mark 258/258 -j RETURN

Accept SNMP traffic from all interfaces.
${IPTABLES} -t mangle -A firewall-rules -p udp -m multiport --destination-ports 161 -m mark --mark 256/256 -j RETURN

Block OpenVPN traffic from the internal interface.
${IPTABLES} -t mangle -A firewall-rules -p udp -m multiport --destination-ports 1194 -m mark --mark 258/258 -j alpaca-pfi-drop

Accept OpenVPN traffic from all interfaces.
${IPTABLES} -t mangle -A firewall-rules -p udp -m multiport --destination-ports 1194 -m mark --mark 256/256 -j RETURN

Accept SSH traffic from all interfaces.
${IPTABLES} -t mangle -A firewall-rules -p tcp -m multiport --destination-ports 22 -m mark --mark 256/256 -j RETURN

Allow Ping on all interfaces.
${IPTABLES} -t mangle -A firewall-rules -p icmp -m mark --mark 256/256 -j RETURN

Block all local traffic.
(added to 700-nat-firewall)
${IPTABLES} -t mangle -A firewall-rules -j alpaca-pfi-drop

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License