Iptables – How to i prevent TINC from relaying DHCP

bridgedhcpiptablestincvpn

I am running tinc in several NAT routers running Debian 7 Wheezy, the VPN works fine for months, except because i've set it up in switch mode it relays DHCP requests and answers over all the VPN. The problem is that host A is using a Pool from 10.10.10.2-254 for DHCP, with 10.10.10.1 as gateway (host A), host B is using a Pool from 10.10.10.2-254 for DHCP with 10.10.20.1 as gateway (host B), and so on.

Please note that the tinc tap (ethernet) interface is bridged across the physical LAN interface, because the purpose of my "cloud" is to make ALL hosts in all networks (A,B ..) appear in the same LAN.

I am looking for a simple solution to overcome this. Tryed using iptables with physdev and physdev-in specifying the tinc interface but this doesen't seem to work.

Is there any other solution to this ?

P.S: switching tinc to router mode is not a solution as i really need multicast and other non-routable protocols.

Best Answer

It should work with iptables -t mangle -m physdev if you have the sysctl variable net.bridge.bridge-nf-call-iptables set to 1.

sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -t mangle -I PREROUTING -m physdev --physdev-in vpn1 \
    -p udp --dport 67:68 -j DROP

You also have the alternative to block it with ebtables:

## dont accept dhcp packets directed to the local machine
ebtables -A INPUT --in-interface vpn1 --protocol ipv4 \
    --ip-protocol udp --ip-destination-port 67:68 -j DROP

## dont forward dhcp packets coming in from vpn
ebtables -A FORWARD --in-interface vpn1 --protocol ipv4 \
    --ip-protocol udp --ip-destination-port 67:68 -j DROP

## dont send dhcp requests over vpn
ebtables -A FORWARD --out-interface vpn1 --protocol ipv4 \
   --ip-protocol udp --ip-destination-port 67:68 -j DROP

Related Solutions

Can’t ping through PPTP when Shorewall is active

You did not mention your rules file. Have you added appropriate entries to the rules file to allow TCP port 1723 and GRE (IP protocol 47) traffic to your pptp server? See this page for details.

Response to Update

Try replacing vpn all ACCEPT with the equivalent set of policies

vpn fw  ACCEPT
vpn wan ACCEPT
vpn lan ACCEPT

and test whether everything still works. If so, next try removing each of those policies one by one, testing whether everything still works each time, to get down to the minimal set of policies required. Is it possible that the only policy you really need to add is vpn wan ACCEPT ?

RRAS VPN server on 2008R2 — two subnets, how to use DHCP

Well, I can't explain exactly what was wrong, but I reconfigured RRAS as a VPN server, using the 'client' interface as the RRAS 'external' interface, and now VPN clients are getting DHCP addresses in the client subnet.

I had to add a static route on the client interface for all traffic destined for the server subnet to go through the default gateway on the client subnet to get full network connectivity for the clients, but that's all it took -- the client got its IP address and DNS servers from the VPN server's client interface.

I can't explain the strange behavior I was experiencing with my earlier attempts.

Best Answer

Related Solutions

Can’t ping through PPTP when Shorewall is active

RRAS VPN server on 2008R2 — two subnets, how to use DHCP

Related Topic