Multiple chrooted dhcp servers for vlans on Linux?

stevel_isc at jbco.com stevel_isc at jbco.com
Fri Feb 26 23:07:41 UTC 2016


Bummer.  

I had high hopes since firehol has a helper for dhcp and does appear to be
setting an accept rule for "udp spt:bootpc dpt:bootps".  

I've never actually checked to see if dropping the rule would still let dhcp
function though.

At least I'm getting a good education on dhcp and iptables, thank you!

-----Original Message-----
From: dhcp-users-bounces at lists.isc.org
[mailto:dhcp-users-bounces at lists.isc.org] On Behalf Of Chuck Anderson
Sent: Friday, February 26, 2016 2:52 PM
To: dhcp-users at lists.isc.org
Subject: Re: Multiple chrooted dhcp servers for vlans on Linux?

Won't work.  Raw sockets aren't subject to iptables rules.  But maybe
if there IS a filtering mechanism that works with raw sockets, it
could work.  I don't know if there is (ebtables?).

On Fri, Feb 26, 2016 at 01:55:11PM -0800, stevel_isc at jbco.com wrote:
> Ok, another idea.  What about each of the servers using a different port
> and using iptables for redirecting?
> 
> For example:
>   dhcp server for eth0.2 listening on 672
>   dhcp server for eth0.3 listening on 673
>   dhcp server for eth0.4 listening on 674
>   dhcp server for eth0.5 listening on 675
> 
> Then, iptables rules for mapping requests:
>   (to:67 via eth0.2) -> (to:672)
>   (to:67 via eth0.3) -> (to:673)
>   (to:67 via eth0.4) -> (to:674)
>   (to:67 via eth0.5) -> (to:675)
> 
> And replies:
>   (from:672) -> (via eth0.2 from:67)
>   (from:673) -> (via eth0.3 from:67)
>   (from:674) -> (via eth0.4 from:67)
>   (from:675) -> (via eth0.5 from:67)
> 
> I'm not an expert on iptables but I *think* it can do this.  Is there
> something about dhcpd's low level access that would prevent it?
> 
> -----Original Message-----
> From: dhcp-users-bounces at lists.isc.org
> [mailto:dhcp-users-bounces at lists.isc.org] On Behalf Of Alex Bligh
> Sent: Friday, February 26, 2016 12:44 PM
> To: Users of ISC DHCP
> Subject: Re: Multiple chrooted dhcp servers for vlans on Linux?
> 
> 
> On 26 Feb 2016, at 20:22, Chuck Anderson <cra at WPI.EDU> wrote:
> 
> > This won't work unless you use separate full virtual machines...
> 
> I believe you could also use multiple containers, bridges and veth
> interfaces (assuming Linux). Bridge the veth interfaces with
> each of the VLANs concerned.
> 
> -- 
> Alex Bligh
_______________________________________________
dhcp-users mailing list
dhcp-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/dhcp-users
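The thread ends with two points a reader will want to see concretely: iptables port redirection cannot reach dhcpd because it receives DHCP traffic through a raw (AF_PACKET) socket that the nat table never sees, and the workable alternative is the per-VLAN container/bridge/veth layout Alex Bligh describes. The script below is an added example written for this page, not code from the thread or from ISC; it builds one Linux network namespace per VLAN, bridges a veth pair into that VLAN, and starts a separately chrooted dhcpd inside the namespace. The trunk interface name (eth0), namespace and bridge names, the 10.0.N.0/24 addressing, and the /srv/dhcp/vlanN chroot trees are all assumptions; DRY_RUN=1 prints the commands instead of executing them so the plan can be reviewed without root.

```shell
#!/bin/sh
# Added example, not code from the thread: one Linux network namespace per
# VLAN, each with its own bridge, veth pair and ISC dhcpd instance (the
# "containers, bridges and veth interfaces" approach from the thread).
# Interface names (eth0.N), namespace names, addresses and chroot paths are
# assumptions for illustration.
#
# Why the port-redirect idea fails: on Linux dhcpd reads DHCP traffic from an
# AF_PACKET (raw) socket, and iptables nat/REDIRECT never sees packets on that
# path, so a dpt:67 -> 67N rewrite would never reach the daemon. A separate
# daemon in its own namespace only ever sees its own VLAN's broadcasts.
# To confirm which sockets a running dhcpd holds:  ss -0 -p   (packet sockets)

set -eu

DRY_RUN="${DRY_RUN:-0}"             # DRY_RUN=1: print commands instead of running them
PARENT="${PARENT:-eth0}"            # trunk interface carrying the tagged VLANs (assumed)
DHCP_ROOT="${DHCP_ROOT:-/srv/dhcp}" # per-VLAN chroot trees live under here (assumed)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Reject anything that is not a VLAN id in 1..4094, so bad input never
# reaches interface names or the commands built from them.
valid_vid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# setup_vlan_ns VID CIDR
# Creates namespace dhcp-vlanVID and bridge brVID containing eth0.VID plus the
# host end of a veth pair; the other end is moved into the namespace as ethVID
# and given CIDR, the server's address on that VLAN's subnet.
setup_vlan_ns() {
    vid="$1"; cidr="$2"
    valid_vid "$vid" || { echo "bad VLAN id: $vid" >&2; return 1; }
    ns="dhcp-vlan${vid}"
    run ip netns add "$ns"
    run ip link add "br${vid}" type bridge
    run ip link set "${PARENT}.${vid}" master "br${vid}"
    run ip link add "veth${vid}h" type veth peer name "veth${vid}n"
    run ip link set "veth${vid}h" master "br${vid}"
    run ip link set "veth${vid}n" netns "$ns"
    run ip netns exec "$ns" ip link set "veth${vid}n" name "eth${vid}"
    run ip netns exec "$ns" ip addr add "$cidr" dev "eth${vid}"
    run ip netns exec "$ns" ip link set lo up
    run ip netns exec "$ns" ip link set "eth${vid}" up
    run ip link set "veth${vid}h" up
    run ip link set "${PARENT}.${vid}" up
    run ip link set "br${vid}" up
}

# start_dhcpd_in_ns VID
# Runs dhcpd inside the namespace, chrooted to its own tree, listening only on
# ethVID. -cf/-lf/-pf are ISC dhcpd's config, lease-file and pid-file options;
# the paths are relative to the chroot, which must contain what dhcpd needs
# (libraries, /dev entries, the config and an empty leases file).
start_dhcpd_in_ns() {
    vid="$1"
    valid_vid "$vid" || return 1
    run ip netns exec "dhcp-vlan${vid}" chroot "${DHCP_ROOT}/vlan${vid}" \
        /usr/sbin/dhcpd -cf /etc/dhcpd.conf -lf /var/lib/dhcp/dhcpd.leases \
        -pf /run/dhcpd.pid "eth${vid}"
}

# Bring up the four VLANs from the thread when invoked as:  ./script up
if [ "${1:-}" = "up" ]; then
    for vid in 2 3 4 5; do
        setup_vlan_ns "$vid" "10.0.${vid}.1/24"   # assumed subnets
        start_dhcpd_in_ns "$vid"
    done
fi
```

Each dhcpd instance keeps its own config, lease file and chroot, so a compromise or misconfiguration of one VLAN's server stays inside that namespace, and because the daemon's raw socket is bound inside the namespace it only ever sees the one VLAN's broadcasts, which is the isolation the original question was after.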


