DHCP Hell.
Chris
chris@nospam.com
Sat, 01 Dec 2001 17:59:17 -0500
Hello everyone.
I have set up a linux box for a small business to act as a firewall/ipmasq
server. That is all it does. Just nat and fw.
The Hardware: A dell dimension with a PII 333 with 128 megs of ram. I
have it set up with 128 megs of swap space on a partition.
The OS: RedHat Linux 7.1 with the standard kernel that comes with it (I
think 2.4.2). I have the iptables that comes with it and the most recent
update from the RH site (an i386 rpm).
The ISP: Bignet -- a DSL isp that uses DHCP.
We have been struggling with this for weeks now. Every time I set it up, I
am sure that it is okay -- in fact I have the same exact firewall setup in
two different places with no problems whatsoever -- one of them even on a
dell dimension computer (older computer though).
I think what is happening is that BigNet has a very short max lease
time. Every several hours, pumpd reconfigures eth0. And I think that
every time this happens is when the problems arise. The owner tells
me that he has no internet connection and I can't ssh in. When he reboots
the machine, it works again for a few more hours, and I can even ssh
in. Then it will stop working again, and kick me off! The frustrating
thing is that it happens even when the ip address DOES NOT change, that is,
it receives the same address from the dhcp server that it already
had. (About once or twice a week, however, it will actually get a new
address). The connection is never good for more than 5 hours, and once it
goes bad, it stays that way until a reboot. Nothing strange is in
/var/log/messages or /var/log/secure.
This is just a nightmare! It is as embarrassing as it is frustrating, and
he is as frustrated as I am. I can't see anything wrong with the script
that I am using. Can someone please help????????
Thank you so much for your help!
---Chris
Here is a copy of the firewall I am using:
#!/bin/bash
#Declare variables
LAN_IP_RANGE="10.100.100.0/24"
LAN_IP="10.100.100.1/32"
LAN_BCAST_ADDRESS="10.100.100.255/32"   # broadcast address of the LAN (the posted value was the netmask); not referenced below
LOCALHOST_IP="127.0.0.1/32"
INET_IFACE="eth0"
LAN_IFACE="eth1"
IPTABLES="/sbin/iptables"
#Flush 'em (the filter table, then the nat table, so the MASQUERADE and
#anti-spoof rules below are not duplicated every time the script is re-run)
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
#Needed to initially load modules
/sbin/depmod -a
#
#Adds some iptables targets
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
#support for owner matching
# Don't need /sbin/modprobe ipt_owner
#Support for connection tracking of FTP and IRC
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
#Enable IP forwarding
echo "1" >/proc/sys/net/ipv4/ip_forward
#Enable DHCP Stuff
echo "1" >/proc/sys/net/ipv4/ip_dynaddr
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#inside
$IPTABLES -A INPUT -s 10.100.100.0/24 -d 10.100.100.1 -j ACCEPT
$IPTABLES -A OUTPUT -s 10.100.100.1 -d 10.100.100.0/24 -j ACCEPT
#create separate chains
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
#Stop port scanners, but allow legit packets, i.e. established connections.
#(This chain is defined but nothing jumps to it, so as posted it has no effect.)
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j DROP
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#icmp rules
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#tcp rules (my.home.address stands in for the administrator's real address, as posted)
$IPTABLES -A tcp_packets -p TCP -s my.home.address --dport 22 -j ACCEPT
#udp ports
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 67 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 68 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
#check for spoofers
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP
#input chain
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $LOCALHOST_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#Output chain
$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
-----------------------------------------------------------------------------------------------------------------
Do not reply to this message directly. I will not receive it.
Use the following address instead. (This is to stop spam, sorry for the
inconvenience).
cditri@mediaone.net
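A diagnostic a practitioner would run alongside the ruleset above, added here as an example and not part of Chris's post: a cron job that records the state of eth0, the default route and the MASQUERADE rule every few minutes and flags the sample at which the address, link or route changed, so the interval in which pumpd renews the lease can be matched against the moment the box goes dark even though /var/log/messages shows nothing unusual. It assumes /sbin/ifconfig, /sbin/route and /sbin/iptables, a log file at /var/log/fwstate.log, and that pump logs its renewals under the name "pump"; the sample tool outputs at the bottom are constructed, not captured from the machine in the post.

```bash
#!/bin/bash
# Added example, not part of Chris's post: record the state of the DSL
# interface, the routing table and the NAT rules every few minutes so that
# the lease renewal that coincides with the outage can be reconstructed
# after the reboot. Run from cron, e.g.
#   */5 * * * * /usr/local/sbin/fwstate.sh record
# Assumed: /sbin/ifconfig, /sbin/route and /sbin/iptables exist, the log
# path below is writable, and pump logs its renewals to /var/log/messages
# under the name "pump" (all of these are assumptions, not from the post).

INET_IFACE="eth0"
LOG="/var/log/fwstate.log"   # assumed path

# Reduce raw tool output to one line:
#   <address|NOADDR> <UP|DOWN> <DEFAULT|NODEFAULT> <MASQUERADE rules> <conntrack entries>
# The raw text is passed in as arguments so the function can be exercised on
# canned output without touching the live system.
summarize_state() {
    local ifconfig_out="$1"   # ifconfig $INET_IFACE
    local route_out="$2"      # route -n
    local nat_out="$3"        # iptables -t nat -L POSTROUTING -n
    local ct_count="$4"       # wc -l < /proc/net/ip_conntrack
    local addr link route nat_rules

    # ifconfig prints "inet addr:10.1.2.3  Bcast:...  Mask:..." for a configured interface
    addr=$(printf '%s\n' "$ifconfig_out" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$addr" ] || addr="NOADDR"

    # the flags line starts with UP when the interface is administratively up
    if printf '%s\n' "$ifconfig_out" | grep -q '^ *UP '; then link="UP"; else link="DOWN"; fi

    # route -n shows the default route as destination 0.0.0.0 on the DSL interface
    if printf '%s\n' "$route_out" | awk -v i="$INET_IFACE" '$1 == "0.0.0.0" && $NF == i { found = 1 } END { exit !found }'; then
        route="DEFAULT"
    else
        route="NODEFAULT"
    fi

    # grep -c prints 0 but exits 1 when nothing matches; keep the 0
    nat_rules=$(printf '%s\n' "$nat_out" | grep -c MASQUERADE || true)

    printf '%s %s %s %s %s\n' "$addr" "$link" "$route" "$nat_rules" "$ct_count"
}

# True when the address, link or default-route field differs between two
# summaries; rule and conntrack counts are expected to fluctuate.
state_changed() {
    local prev cur
    prev=$(printf '%s\n' "$1" | cut -d' ' -f1-3)
    cur=$(printf '%s\n' "$2" | cut -d' ' -f1-3)
    [ "$prev" != "$cur" ]
}

# Append one timestamped line to the log, flagged CHANGE when the interface
# state differs from the previous line, followed by the last pump message.
record_state() {
    local now cur prev flag last_pump
    now=$(date '+%Y-%m-%d %H:%M:%S')
    cur=$(summarize_state "$(/sbin/ifconfig "$INET_IFACE" 2>&1)" \
                          "$(/sbin/route -n)" \
                          "$(/sbin/iptables -t nat -L POSTROUTING -n)" \
                          "$(wc -l < /proc/net/ip_conntrack)")
    # previous summary: fields 4-8 of the last log line (date, time and flag come first)
    prev=$(tail -n 1 "$LOG" 2>/dev/null | cut -d' ' -f4-8)
    flag="-"
    if [ -n "$prev" ] && state_changed "$prev" "$cur"; then flag="CHANGE"; fi
    last_pump=$(grep pump /var/log/messages 2>/dev/null | tail -n 1)
    printf '%s %s %s | %s\n' "$now" "$flag" "$cur" "$last_pump" >> "$LOG"
}

# Constructed sample output (not captured from the box in the post), used to
# exercise summarize_state offline.
SAMPLE_IFCONFIG_UP='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'
SAMPLE_IFCONFIG_DOWN='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          BROADCAST MULTICAST  MTU:1500  Metric:1'
SAMPLE_ROUTE_UP='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.100.100.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0        0 eth0'
SAMPLE_ROUTE_DOWN='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.100.100.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1'
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0'
SAMPLE_NAT_EMPTY='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination'

case "${1:-}" in
    record) record_state ;;
    demo)   summarize_state "$SAMPLE_IFCONFIG_UP" "$SAMPLE_ROUTE_UP" "$SAMPLE_NAT" 42 ;;
esac
```

With "record" in cron, a line such as "2001-12-01 18:05:00 CHANGE NOADDR DOWN NODEFAULT 1 0 | ..." pinned to the last pump message tells you whether the outage coincides with the interface being reconfigured, with the default route disappearing, or with neither, which is the distinction the symptom description cannot make on its own; "demo" prints the summary for the constructed up-state sample.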