Re: iptables not blocking dhcp traffic (dhclient)
On Monday 24.03.2003 at 17:23 CET +0100, Remy C. Cool wrote:
> Hi,
>
> I've configured kernel 2.4.20 (with freeswan patch) with iptables
> support and installed the iptables package from debian testing
> (1.2.7a-7). When I use the following 'rules', all traffic should be
> dropped is it not?
>
> iptables -F
> iptables -X
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> iptables -A INPUT -j LOG --log-level 6
> iptables -A OUTPUT -j LOG --log-level 6
>
> Why is it that the dhclient program on this machine still gets its IP
> from the dhcp server and why don't I get the DHCP traffic in the log?
Because it isn't IP ;-) You need DHCP to get IP params? So it can't be
IP and iptables has no chance to match any DHCP packet.
> The rules are installed before networking is initialized. (The
> logging works for any other traffic on this box.)
>
> Also when I create a rule which sets ICMP incoming to REJECT and try
> to telnet to the machine, the 'telnetting' machine does not get the
> icmp port unreachable message but times out. When doing this with my
> old ipchains box, the message was received and did not have to wait
> on a timeout. Is this normal behaviour for iptables or does it have to
> be something else?
I'm not really sure, but try:
iptables -A INPUT -s localhost -j ACCEPT
iptables -A OUTPUT -d localhost -j ACCEPT
otherwise you also drop localhost traffic, so you have 'some strange
behaviour'.
Frank.
--
Frank Matthieß frankm@lug-owl.de
Digital Restriction Management - Freedom for industry.
Ross Anderson TCPA/Palladium FAQ
http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
http://moon.hipjoint.de/tcpa-palladium-faq-de.html
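An added example (not from this thread) that models the posted INPUT chain as a first-match walk, to show why every packet is logged and then dropped by the chain policy, and what appending Frank's localhost ACCEPT rule changes. Assumptions: 'localhost' resolves to 127.0.0.1, and only packets that actually traverse the filter chain are modelled.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Rule:
    target: str                 # ACCEPT, DROP, REJECT or LOG
    src: Optional[str] = None   # source address to match, None = any
    dst: Optional[str] = None   # destination address to match, None = any

@dataclass
class Chain:
    name: str
    policy: str                 # verdict when no terminating rule matches
    rules: List[Rule] = field(default_factory=list)

def evaluate(chain: Chain, pkt: dict, log: List[str]) -> str:
    """First-match walk of one chain. LOG records the packet and keeps
    going (it is a non-terminating target); any other target ends the
    walk. Falling off the end of the chain yields the chain policy."""
    for rule in chain.rules:
        if rule.src is not None and rule.src != pkt["src"]:
            continue
        if rule.dst is not None and rule.dst != pkt["dst"]:
            continue
        if rule.target == "LOG":
            log.append(f"{chain.name}: {pkt['src']} -> {pkt['dst']}")
            continue
        return rule.target
    return chain.policy

def posted_input_chain() -> Chain:
    # The INPUT chain from the original post: policy DROP, one LOG rule.
    return Chain("INPUT", "DROP", [Rule("LOG")])

def suggested_input_chain(accept_first: bool = False) -> Chain:
    # Frank's rule (-s localhost -j ACCEPT). With -A it lands after the
    # LOG rule, so loopback is still logged before being accepted; an
    # insert (-I) in front of LOG would skip the log entry entirely.
    accept = Rule("ACCEPT", src="127.0.0.1")   # assumption: localhost
    rules = [accept, Rule("LOG")] if accept_first else [Rule("LOG"), accept]
    return Chain("INPUT", "DROP", rules)

def verdict(chain: Chain, src: str, dst: str) -> Tuple[str, int]:
    """Return (final verdict, number of log entries) for one packet."""
    log: List[str] = []
    return evaluate(chain, {"src": src, "dst": dst}, log), len(log)

if __name__ == "__main__":
    print(verdict(posted_input_chain(), "127.0.0.1", "127.0.0.1"))
    print(verdict(suggested_input_chain(), "127.0.0.1", "127.0.0.1"))
    print(verdict(suggested_input_chain(True), "127.0.0.1", "127.0.0.1"))
```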