DHCP
Charles Stack
cstack@telocity.com
Mon, 21 Jan 2002 11:24:55 -0500
Spent most of yesterday trying to write a new firewall script based on Oskar
Andreasson's rc.firewall script.
Managed to lock it down so that it rejects ACK, FIN, SYN, NULL and XMAS
scans using the rules below. But, my DHCP clients (Win2K) on my LAN are
unable to establish an IP via DHCP.
Can somebody shed some light as to why this is happening? Policies default
to DROP.
Thanks,
Charles
# SYMBOLS
LAN_IP="10.0.0.5"
LAN_IP_RANGE="10.0.0.0/16"
LAN_BCAST_ADRESS="10.0.255.255"
LAN_IFACE="eth1"
LO_IFACE="lo"
LO_IP="127.0.0.1"
INET_IFACE="eth0"
IPTABLES="/sbin/iptables"
#
# UDP ports
#
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT -v
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT -v
$IPTABLES -A udpincoming_packets -p UDP -i $LAN_IFACE -j ACCEPT -v
# INPUT chain
#
# Take care of bad TCP packets that we don't want
#
# TRAP X-MAS TREE SCAN
$IPTABLES -A INPUT -p tcp -i $INET_IFACE -m state --state NEW --tcp-flags ALL URG,PSH,FIN -j DROP
# TRAP NULL SCAN
$IPTABLES -A INPUT -p tcp -i $INET_IFACE --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
# TRAP ACK ATTACK
$IPTABLES -A INPUT -p tcp -i $INET_IFACE --tcp-flags ACK,URG ACK -j DROP
$IPTABLES -A INPUT -p tcp -i $INET_IFACE -m state --state NEW --tcp-flags FIN,URG FIN -j DROP
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "INPUT New not syn: " -v
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP -v
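An added illustration, not part of the original post or of Oskar Andreasson's script: a small Python model of iptables rule matching that walks a DHCP client's first packet through the chains above. The point it demonstrates is a property of DHCP itself (RFC 2131): an unconfigured client sends DISCOVER/REQUEST from source 0.0.0.0, UDP port 68, to the broadcast address 255.255.255.255, port 67. A rule keyed on `-s $LAN_IP_RANGE` or `-d $LAN_IP` therefore never matches it, and with a DROP policy the packet is silently lost. Two rules are assumptions, since the post shows only a fragment of the script: an INPUT rule accepting `-i eth1 -s 10.0.0.0/16` and the INPUT jump `-p UDP -i eth0 -d $INET_IP -j udpincoming_packets`, both taken from the shape of rc.firewall; `INET_IP` is a constructed placeholder, and the TCP scan traps are omitted because `-p tcp` rules can never match UDP.

```python
"""Toy iptables matcher: why a DHCP DISCOVER is dropped by the posted rules.

Added example; models only -i, -p, -s, -d, --sport, --dport and --state.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

LAN_IFACE = "eth1"
INET_IFACE = "eth0"
LAN_IP_RANGE = "10.0.0.0/16"
INET_IP = "192.0.2.10"          # constructed placeholder; not in the post


@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    state: str = "NEW"


@dataclass
class Rule:
    target: str                  # ACCEPT, DROP, or the name of a user chain
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None    # CIDR, like -s
    dst: Optional[str] = None    # CIDR, like -d
    sport: Optional[int] = None
    dport: Optional[int] = None
    state: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.iface and p.iface != self.iface:
            return False
        if self.proto and p.proto != self.proto.lower():
            return False
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.state and p.state != self.state:
            return False
        return True


def verdict(chains: Dict[str, List[Rule]], chain: str, p: Packet,
            policy: Optional[str] = "DROP") -> Optional[str]:
    """Walk a chain in order; user chains fall through (RETURN) when nothing matches."""
    for rule in chains[chain]:
        if not rule.matches(p):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        sub = verdict(chains, rule.target, p, policy=None)   # jump to user chain
        if sub is not None:
            return sub
    return policy


def posted_chains() -> Dict[str, List[Rule]]:
    """The UDP-relevant rules from the post, plus the two assumed INPUT rules."""
    return {
        "udpincoming_packets": [
            Rule("ACCEPT", proto="udp", src="0.0.0.0/0", sport=53),
            Rule("ACCEPT", proto="udp", src="0.0.0.0/0", sport=123),
            Rule("ACCEPT", proto="udp", iface=LAN_IFACE),
        ],
        "INPUT": [
            # assumed, rc.firewall style: trust the LAN range on the LAN interface
            Rule("ACCEPT", iface=LAN_IFACE, src=LAN_IP_RANGE),
            # assumed, rc.firewall style: only Internet-side UDP enters the user chain
            Rule("udpincoming_packets", proto="udp", iface=INET_IFACE, dst=INET_IP),
        ],
    }


def fixed_chains() -> Dict[str, List[Rule]]:
    """Same rules plus an explicit DHCP server rule on the LAN interface."""
    chains = posted_chains()
    # equivalent of: $IPTABLES -A INPUT -i $LAN_IFACE -p udp --sport 68 --dport 67 -j ACCEPT
    chains["INPUT"].append(Rule("ACCEPT", iface=LAN_IFACE, proto="udp", sport=68, dport=67))
    return chains


# Constructed sample packets.
DHCP_DISCOVER = Packet(LAN_IFACE, "udp", "0.0.0.0", "255.255.255.255", 68, 67)
DNS_REPLY = Packet(INET_IFACE, "udp", "198.51.100.1", INET_IP, 53, 40000, state="ESTABLISHED")

if __name__ == "__main__":
    print("DHCP DISCOVER, posted rules:", verdict(posted_chains(), "INPUT", DHCP_DISCOVER))
    print("DHCP DISCOVER, with DHCP rule:", verdict(fixed_chains(), "INPUT", DHCP_DISCOVER))
    print("DNS reply, posted rules:", verdict(posted_chains(), "INPUT", DNS_REPLY))
```

Running it shows the DISCOVER falling through to the DROP policy under the posted rules (source 0.0.0.0 is outside 10.0.0.0/16, and the UDP chain is only entered for the Internet interface), while the DNS reply is accepted via `udpincoming_packets`. The same reasoning applies to the server's replies: an OFFER/ACK goes from port 67 to port 68 and, for a client with no address yet, to a broadcast destination, so the OUTPUT side needs a matching rule when that policy is DROP as well.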