Multiple chrooted dhcp servers for vlans on Linux?
stevel_isc at jbco.com
Fri Feb 26 23:07:41 UTC 2016
Bummer.
I had high hopes since firehol has a helper for dhcp and does appear to be
setting an accept rule for "udp spt:bootpc dpt:bootps".
I've never actually checked to see if dropping the rule would still let dhcp
function though.
At least I'm getting a good education on dhcp and iptables, thank you!
-----Original Message-----
From: dhcp-users-bounces at lists.isc.org
[mailto:dhcp-users-bounces at lists.isc.org] On Behalf Of Chuck Anderson
Sent: Friday, February 26, 2016 2:52 PM
To: dhcp-users at lists.isc.org
Subject: Re: Multiple chrooted dhcp servers for vlans on Linux?
Won't work. Raw sockets aren't subject to iptables rules. But maybe
if there IS a filtering mechanism that works with raw sockets, it
could work. I don't know if there is (ebtables?).
On Fri, Feb 26, 2016 at 01:55:11PM -0800, stevel_isc at jbco.com wrote:
> Ok, another idea. What about each of the servers using a different port and
> using iptables for redirecting?
>
> For example:
> dhcp server for eth0.2 listening on 672
> dhcp server for eth0.3 listening on 673
> dhcp server for eth0.4 listening on 674
> dhcp server for eth0.5 listening on 675
>
> Then, iptables rules for mapping requests:
> (to:67 via eth0.2) -> (to:672)
> (to:67 via eth0.3) -> (to:673)
> (to:67 via eth0.4) -> (to:674)
> (to:67 via eth0.5) -> (to:675)
>
> And replies:
> (from:672) -> (via eth0.2 from:67)
> (from:673) -> (via eth0.3 from:67)
> (from:674) -> (via eth0.4 from:67)
> (from:675) -> (via eth0.5 from:67)
>
> I'm not an expert on iptables but I *think* it can do this. Is there
> something about dhcpd's low level access that would prevent it?
>
> -----Original Message-----
> From: dhcp-users-bounces at lists.isc.org
> [mailto:dhcp-users-bounces at lists.isc.org] On Behalf Of Alex Bligh
> Sent: Friday, February 26, 2016 12:44 PM
> To: Users of ISC DHCP
> Subject: Re: Multiple chrooted dhcp servers for vlans on Linux?
>
>
> On 26 Feb 2016, at 20:22, Chuck Anderson <cra at WPI.EDU> wrote:
>
> > This won't work unless you use separate full virtual machines...
>
> I believe you could also use multiple containers, bridges and veth
> interfaces (assuming Linux). Bridge the veth interfaces with
> each of the VLANs concerned.
>
> --
> Alex Bligh
_______________________________________________
dhcp-users mailing list
dhcp-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/dhcp-users
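Alex Bligh's container/bridge/veth suggestion, worked through as an added example that is not part of the thread and not ISC's or firehol's code: a POSIX shell script that gives each VLAN its own Linux network namespace, bridges a veth pair into that VLAN, and starts one dhcpd inside the namespace. The namespace, bridge and veth names (dhcpN, brN, vethN-h/vethN-n), the 10.0.N.1/24 server addresses, the per-VLAN config, lease and pid file paths, and the assumption that the eth0.N VLAN subinterfaces already exist are all assumptions made for the example; the dhcpd flags -cf, -lf and -pf are real ISC dhcpd options. Because dhcpd's raw socket is opened inside the namespace, it can only see frames on that VLAN's bridge, so the separation between the servers does not depend on iptables at all (which, as Chuck notes above, raw sockets bypass). Run with DRY_RUN=1 to print the commands instead of executing them; without it the script needs root and the iproute2 tools.

```shell
#!/bin/sh
# Added example (not from the thread): one network namespace per VLAN, each
# running its own dhcpd. All names and paths below are assumptions.
# DRY_RUN=1 prints the commands instead of executing them.
set -eu

DRY_RUN="${DRY_RUN:-0}"
PARENT_IF="${PARENT_IF:-eth0}"        # trunk carrying the VLANs (assumed)
CONF_DIR="${CONF_DIR:-/etc/dhcp}"     # per-VLAN dhcpd.conf files live here (assumed)
ADDR_PREFIX="${ADDR_PREFIX:-10.0}"    # server address becomes 10.0.<vid>.1/24 (assumed)

# Run a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Names derived from a VLAN id (naming scheme is an assumption).
ns_name()   { printf 'dhcp%s' "$1"; }
br_name()   { printf 'br%s' "$1"; }
veth_host() { printf 'veth%s-h' "$1"; }
veth_ns()   { printf 'veth%s-n' "$1"; }

# Build the topology for one VLAN id: eth0.<vid> and the host end of a veth
# pair are enslaved to a bridge; the other veth end is moved into a namespace
# where dhcpd runs. dhcpd's raw socket inside the namespace only ever sees
# that VLAN's frames, so isolation does not rely on iptables.
setup_vlan_ns() {
    vid="$1"
    ns=$(ns_name "$vid"); br=$(br_name "$vid")
    vh=$(veth_host "$vid"); vn=$(veth_ns "$vid")

    run ip link add "$br" type bridge
    run ip link set "$PARENT_IF.$vid" master "$br"
    run ip link add "$vh" type veth peer name "$vn"
    run ip link set "$vh" master "$br"
    run ip netns add "$ns"
    run ip link set "$vn" netns "$ns"
    run ip link set "$PARENT_IF.$vid" up
    run ip link set "$vh" up
    run ip link set "$br" up
    # The namespace end needs an address on the VLAN's subnet so dhcpd can
    # match a subnet declaration to it (addressing scheme is an assumption).
    run ip netns exec "$ns" ip link set lo up
    run ip netns exec "$ns" ip addr add "$ADDR_PREFIX.$vid.1/24" dev "$vn"
    run ip netns exec "$ns" ip link set "$vn" up
    # One dhcpd per namespace with its own config, lease and pid files;
    # the interface argument restricts it to the namespace's veth end.
    run ip netns exec "$ns" dhcpd -cf "$CONF_DIR/dhcpd-vlan$vid.conf" \
        -lf "/var/lib/dhcp/dhcpd-vlan$vid.leases" \
        -pf "/run/dhcpd-vlan$vid.pid" "$vn"
}

# Usage: DRY_RUN=1 ./dhcp-netns.sh 2 3 4 5
for vid in "$@"; do
    setup_vlan_ns "$vid"
done
```

The chroot and unprivileged-user setup from the original question still applies inside each namespace; the namespace adds a separate network stack on top of the filesystem view that chroot gives, so a compromised dhcpd in one VLAN cannot sniff or answer requests on another.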