
Re: iptables not blocking dhcp traffic (dhclient)



Hi,

Ok, it's not IP but when the interface is configured and you run 
dhclient again it uses port 67:68 right? So why is this traffic not 
blocked? With my old ipchains firewall I could not get a lease 
without letting traffic pass on UDP ports 67 and 68.  

Regards,
Remy

On Monday 24 March 2003 19:07, Frank Matthieß wrote:
> On Monday 24.03.2003 at 17:23 CET +0100, Remy C. Cool wrote:
> > Hi,
> >
> > I've configured kernel 2.4.20 (with freeswan patch) with iptables
> > support and installed the iptables package from debian testing
> > (1.2.7a-7). When I use the following 'rules', all traffic should
> > be dropped is it not?
> >
> > iptables -F
> > iptables -X
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > iptables -P FORWARD DROP
> > iptables -A INPUT -j LOG --log-level 6
> > iptables -A OUTPUT -j LOG --log-level 6
> >
> > Why is it that the dhclient program on this machine still gets
> > its IP from the dhcp server and why don't I get the DHCP traffic
> > in the log?
>
> Because it isn't ip ;-) You need dhcp to get ip params? So it can't
> be ip and iptables has no chance to match any dhcp packet.
>
> > The rules are installed before networking is initialized. (The
> > logging works for any other traffic on this box.)
> >
> > Also when I create a rule which sets ICMP incoming to REJECT and
> > try to telnet to the machine, the 'telnetting' machine does not
> > get the icmp port unreachable message but times out. When doing
> > this with my old ipchains box, the message was received and did
> > not have to wait on a timeout. Is this normal behaviour for
> > iptables or does it have to be something else?
>
> I'm not really sure, but try:
>
> iptables -A INPUT -s localhost -j ACCEPT
> iptables -A OUTPUT -d localhost -j ACCEPT
>
> otherwise you drop also localhost traffic, so you have 'some
> strange behaviour'.
>
> Frank.
> --
> Frank Matthieß                                              frankm@lug-owl.de
>
>            Digital Restriction Management - Freedom for industry.
>                    Ross Anderson TCPA/Palladium FAQ
>                http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
>             http://moon.hipjoint.de/tcpa-palladium-faq-de.html
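
An added example, not code from either poster, that combines the pieces discussed in this thread into one ruleset in the iptables 1.2.x syntax used here: the loopback rules Frank suggests, UDP 67/68 rules for lease renewals, and an OUTPUT rule so the ICMP reply that REJECT generates is not swallowed by the OUTPUT DROP policy. The initial lease request is sent through a packet socket that netfilter never sees, which is why it is neither blocked nor logged, whereas a renewal on an already configured interface is an ordinary UDP packet that does traverse the chains, and the REJECT target's ICMP reply is a locally generated packet that passes through OUTPUT. The interface name eth0 and the IPT variable used to prefix each command are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables ruleset for
# kernel 2.4 / iptables 1.2.x. Interface name and IPT prefix are assumptions.
IFACE="${IFACE:-eth0}"
IPT="${IPT:-iptables}"

# Print the rules, one command per line; pipe the output to sh to apply them.
firewall_rules() {
    cat <<EOF
$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# Loopback: with a DROP policy and no ACCEPT, local services talking to
# 127.0.0.1 are silently dropped (the "strange behaviour" in the thread).
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Lease renewals on a configured interface are plain UDP 68 -> 67 packets
# and are filtered here. The first request goes through a packet socket,
# which netfilter does not see, so no rule applies to it.
$IPT -A OUTPUT -o $IFACE -p udp --sport 68 --dport 67 -j ACCEPT
$IPT -A INPUT -i $IFACE -p udp --sport 67 --dport 68 -j ACCEPT
# The ICMP port-unreachable that REJECT produces leaves via OUTPUT; if the
# OUTPUT policy drops it, the remote telnet client only sees a timeout.
$IPT -A OUTPUT -o $IFACE -p icmp --icmp-type port-unreachable -j ACCEPT
$IPT -A INPUT -i $IFACE -p tcp --dport 23 -j REJECT
# Log whatever is left before it hits the DROP policies.
$IPT -A INPUT -j LOG --log-level 6
$IPT -A OUTPUT -j LOG --log-level 6
EOF
}

# Number of generated rules matching a pattern; used for sanity checks.
count_rules() {
    firewall_rules | grep -v '^#' | grep -c -- "$1"
}

# The last real rule must be a LOG rule, i.e. the ACCEPTs come before it.
last_rule_is_log() {
    firewall_rules | grep -v '^#' | tail -n 1 | grep -q -- '-j LOG'
}
```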