RE: [SLE] DHCP through transparent bridge
Hi all, I am completely stuck with getting my transparent bridge working correctly. The aim is to create a bridge that will have our LAN on its internal port, and a switch on the external port into which I can plug in suspect machines. If I can get this working, the following script will only permit DNS, ICMP pings, and HTTP through so any self-propagating viruses / worms will not infect the rest of my LAN. At this point, I can then use the network to download updated virus definitions and any patches to fix the machines.
It is all working fine as long as my client on the external interface (i.e. the infected machine) has a static IP.... but this is not ideal.
How can I amend the following script to allow DHCP through so the client can get all its IP / default route etc. from my DHCP on the internal segment?
I thought that DHCP used UDP ports 67 + 68 although I could be wrong... The client machines are all Windows XP if that makes any difference...
Any suggestions or ideas are greatly appreciated.
[... script trimmed...]
Why not just run another DHCP server that only listens on the "safe" interface, and do the NAT thing on the LAN interface? If all you need is to be able to download patches, just put the infected machine on a second isolated network and allow http/ftp through a NAT'ed gateway instead of messing with a bridge. :) That also gives you a second test network to play with later on, while you're testing other network devices, etc.
--Danny, doing just that here
I really wanted to use a bridge because I also plan to use this as a learning exercise into how to effectively set up bridges etc. I think I need to be looking into dhc-relay which relays DHCP requests - although I would much rather find out why they don't make it through my script. If anyone can see why my script is blocking DHCP I would really appreciate the pointers...
Richard
Richard wrote regarding 'RE: [SLE] DHCP through transparent bridge' on Fri, Aug 06 at 10:52: [...]
> How can I amend the following script to allow DHCP through so the client can get all its IP / default route etc. from my DHCP on the internal segment?
> [... script trimmed...]
> Why not just run another DHCP server that only listens on the "safe" interface, and do the NAT thing on the LAN interface? If all you need is to be able to download patches, just put the infected machine on a second isolated network and allow http/ftp through a NAT'ed gateway instead of messing with a bridge. :) That also gives you a second test network to play with later on, while you're testing other network devices, etc.
> --Danny, doing just that here
> I really wanted to use a bridge because I also plan to use this as a learning exercise into how to effectively set up bridges etc.
Cool - learning == good.
> I think I need to be looking into dhc-relay which relays DHCP requests - although I would much rather find out why they don't make it through my script.
dhcrelay would do it.
> If anyone can see why my script is blocking DHCP I would really appreciate the pointers...
The rules look fine, IMHO, but you may be missing something else. For example, do you maybe need to have proxyARP enabled or something like that?
--Danny
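For the DHCP half of the question, an added example (not the trimmed script from this thread) of the FORWARD rules a bridging iptables firewall needs, assuming eth0 (LAN side, where the DHCP server is) and eth1 (quarantine switch) enslaved to one bridge with bridge-nf enabled. The point it shows is that the client's request is sent from 0.0.0.0:68 to 255.255.255.255:67, so any rule that matches on the LAN subnet or on connection state never sees it:

```shell
#!/bin/sh
# Added example, not the trimmed script from the thread: the FORWARD rules a
# bridging iptables firewall needs so DHCP can cross the bridge. Assumed
# names: LAN_IF is the LAN side (DHCP server lives there) and QUAR_IF the
# switch for suspect machines, both bridged. DRY_RUN=1 (default) only
# prints the commands; DRY_RUN=0 as root applies them.
DRY_RUN="${DRY_RUN:-1}"
LAN_IF="${LAN_IF:-eth0}"
QUAR_IF="${QUAR_IF:-eth1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$@"; else "$@"; fi
}

dhcp_bridge_rules() {
    # Bridged frames only reach iptables FORWARD when bridge-nf is enabled
    # (sysctl name assumed; older kernels expose it under /proc/sys/net/bridge).
    run sysctl -w net.bridge.bridge-nf-call-iptables=1

    # DISCOVER/REQUEST: the client has no address yet, so the datagram is
    # 0.0.0.0:68 -> 255.255.255.255:67. A "-s <LAN subnet>" match or a
    # conntrack-state rule on the LAN range never sees it, which is the
    # usual reason DHCP dies in an otherwise working ruleset.
    run iptables -A FORWARD -m physdev --physdev-in "$QUAR_IF" \
        -p udp --sport 68 --dport 67 -j ACCEPT

    # OFFER/ACK from the LAN server back to the client, either broadcast or
    # unicast to the offered address; always UDP 67 -> 68.
    run iptables -A FORWARD -m physdev --physdev-in "$LAN_IF" \
        -p udp --sport 67 --dport 68 -j ACCEPT

    # The DNS/ICMP/HTTP accepts from the quarantine side go here; this DROP
    # must stay last so nothing else leaves the suspect segment.
    run iptables -A FORWARD -m physdev --physdev-in "$QUAR_IF" -j DROP
}

# Offline check on the printed rule set: both DHCP directions present and
# the catch-all DROP is the final rule. Returns 0 on success.
check_dhcp_rules() {
    out=$(DRY_RUN=1; dhcp_bridge_rules)
    echo "$out" | grep -q -- '--sport 68 --dport 67' &&
    echo "$out" | grep -q -- '--sport 67 --dport 68' &&
    [ "$(echo "$out" | tail -n 1)" = \
      "iptables -A FORWARD -m physdev --physdev-in $QUAR_IF -j DROP" ]
}

dhcp_bridge_rules
```

With DRY_RUN=0 the same function applies the rules; keep the relay approach (dhcrelay) as the alternative if the DHCP server must stay on a routed segment instead of the bridged one.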
participants (2)
- Danny Sauer
- Richard Curtis