Re: Iptables not blocking DHCP/UDP correctly?
On Fri, 2004-10-29 at 00:55 +0200, Bernd Eckenfels wrote:
> On Fri, Oct 29, 2004 at 12:35:25AM +0200, Bart-Jan Vrielink wrote:
> > And as far as I can tell, it almost always uses udp, not tcp.
> > So it needs CONFIG_PACKET for no apparent reason?
> Hmm... I don't think there is any packeting API which does not pass the
> prerouting chain of netfilter.
Well, only the nat and mangle tables do have a PREROUTING chain. And the
following test shows that both these chains don't stop tcpdump (which is
similar to dhcpd in this aspect) from getting the packets:
root@spiderwebs:~#iptables -t mangle -A PREROUTING -p tcp --dport 5555 -j DROP
root@spiderwebs:~#iptables -t nat -A PREROUTING -p tcp --dport 5555 -j DROP
root@spiderwebs:~#tcpdump -n -i eth0 tcp port 5555
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
01:18:59.643035 IP 10.2.1.3.39138 > 10.2.1.1.5555: S 1686226515:1686226515(0) win 5840 <mss 1460,sackOK,timestamp 298281789 0,nop,wscale 0>
1 packets captured
1 packets received by filter
0 packets dropped by kernel
And yes, the PREROUTING chain of the mangle table did drop this packet,
after tcpdump has read it.
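An added example, not part of this thread: a small Python decoder for the raw frames an AF_PACKET socket (the kind dhcpd and tcpdump open) hands to user space before netfilter's PREROUTING hook sees them. It is exercised on constructed frames, a DHCP DISCOVER and a TCP SYN to port 5555 like the one captured above; the interface name eth0 and the MAC/IP addresses are assumptions.

```python
import socket
import struct

ETH_P_ALL = 0x0003                       # every ethertype, as tcpdump captures
ETH_HDR = struct.Struct("!6s6sH")        # dst MAC, src MAC, ethertype
IP_HDR = struct.Struct("!BBHHHBBH4s4s")  # minimal 20-byte IPv4 header
DHCP_PORTS = {67, 68}


def open_packet_socket(ifname):
    """Open the kind of socket dhcpd and tcpdump use (needs CAP_NET_RAW).
    Frames are copied to it by the packet tap before netfilter's
    PREROUTING hook runs, so no iptables rule keeps them from it."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((ifname, 0))
    return s


def classify_frame(frame):
    """Decode one raw frame -> (kind, src_ip, dst_ip, sport, dport)."""
    if len(frame) < ETH_HDR.size + IP_HDR.size:
        return ("short", None, None, None, None)
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0800:
        return ("non-ip", None, None, None, None)
    ver_ihl, _, _, _, _, _, proto, _, src, dst = IP_HDR.unpack_from(frame, ETH_HDR.size)
    l4 = ETH_HDR.size + (ver_ihl & 0x0F) * 4  # skip IP options, if any
    src, dst = socket.inet_ntoa(src), socket.inet_ntoa(dst)
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return ("other", src, dst, None, None)
    sport, dport = struct.unpack_from("!HH", frame, l4)
    if proto == 17 and {sport, dport} & DHCP_PORTS:
        return ("dhcp", src, dst, sport, dport)  # what dhcpd sees, iptables or not
    return ("udp" if proto == 17 else "tcp", src, dst, sport, dport)


def build_frame(proto, src_ip, dst_ip, sport, dport):
    """Constructed sample frame (checksums zeroed, not meant for sending)."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)  # UDP header, empty payload
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 5840, 0, 0)  # TCP SYN
    ip = IP_HDR.pack(0x45, 0, IP_HDR.size + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ETH_HDR.pack(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", 0x0800) + ip + l4


if __name__ == "__main__":
    # Live capture on eth0 (assumed interface name); needs root on Linux.
    sock = open_packet_socket("eth0")
    while True:
        print(classify_frame(sock.recv(65535)))
```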