
Re: Iptables not blocking DHCP/UDP correctly?



On Fri, 2004-10-29 at 00:55 +0200, Bernd Eckenfels wrote:
> On Fri, Oct 29, 2004 at 12:35:25AM +0200, Bart-Jan Vrielink wrote:
> > And as far as I can tell, it almost always uses udp, not tcp.

> > So it needs CONFIG_PACKET for no apparent reason?
> 
> Hmm... I don't think there is any packeting API which does not pass the
> prerouting chain of netfilter.

Well, only the nat and mangle tables do have a PREROUTING chain. And the
following test shows that both these chains don't stop tcpdump (which is
similar to dhcpd in this aspect) from getting the packets:

root@spiderwebs:~#iptables -t mangle -A PREROUTING -p tcp --dport 5555 -j DROP
root@spiderwebs:~#iptables -t nat -A PREROUTING -p tcp --dport 5555 -j DROP
root@spiderwebs:~#tcpdump -n -i eth0 tcp port 5555
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
01:18:59.643035 IP 10.2.1.3.39138 > 10.2.1.1.5555: S 1686226515:1686226515(0) win 5840 <mss 1460,sackOK,timestamp 298281789 0,nop,wscale 0>

1 packets captured
1 packets received by filter
0 packets dropped by kernel
root@spiderwebs:~#

And yes, the PREROUTING chain of the mangle table did drop this packet,
after tcpdump had read it.

-- 
Tot ziens,
Bart-Jan Vrielink
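The ordering the test above demonstrates matters for anyone who expects an iptables rule to keep a daemon from ever seeing a packet: tcpdump and dhcpd both read raw frames through packet sockets (which is what CONFIG_PACKET provides), and those sockets receive frames at the device layer, before the nat and mangle PREROUTING hooks run. The script below is an added example, not code from the thread or from dhcpd; it opens the same kind of AF_PACKET socket, decodes Ethernet/IPv4/UDP by hand and picks out BOOTP/DHCP traffic (ports 67 and 68). The frame in SAMPLE_DISCOVER, the MAC addresses, the function names and the helper that builds test frames are all constructed for this example. The live capture needs Linux and CAP_NET_RAW; the decoding part runs anywhere.

```python
"""Raw-frame DHCP listener (added example, not from the original thread)."""
import socket
import struct
from typing import List, NamedTuple, Optional

ETH_P_ALL = 0x0003      # receive every protocol, like tcpdump without a filter
ETH_P_IP = 0x0800
IPPROTO_UDP = 17
DHCP_PORTS = {67, 68}   # bootps / bootpc


class UdpFrame(NamedTuple):
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    payload: bytes


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> Optional[UdpFrame]:
    """Decode an Ethernet II / IPv4 / UDP frame; return None for anything else."""
    if len(frame) < 14:
        return None
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_IP:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4 or proto != IPPROTO_UDP:
        return None
    ihl = (ver_ihl & 0x0F) * 4          # IPv4 header length includes options
    udp = ip[ihl:total_len]
    if len(udp) < 8:
        return None
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", udp[:8])
    return UdpFrame(_mac(src_mac), _mac(dst_mac), socket.inet_ntoa(src),
                    socket.inet_ntoa(dst), sport, dport, udp[8:ulen])


def is_dhcp(frame: bytes) -> bool:
    p = parse_frame(frame)
    return p is not None and (p.sport in DHCP_PORTS or p.dport in DHCP_PORTS)


def _ip_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                    sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a constructed Ethernet/IPv4/UDP frame (test input, not captured data)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload   # UDP csum 0: none
    ip_nocsum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                            IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip_nocsum[:10] + struct.pack("!H", _ip_checksum(ip_nocsum)) + ip_nocsum[12:]
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETH_P_IP))
    return eth + ip + udp


# Constructed DHCPDISCOVER-shaped frame: a client with no address yet (0.0.0.0)
# broadcasting to bootps. The payload is a placeholder, not a real BOOTP message.
SAMPLE_DISCOVER = build_udp_frame("02:00:00:00:00:01", "ff:ff:ff:ff:ff:ff",
                                  "0.0.0.0", "255.255.255.255", 68, 67,
                                  b"DHCPDISCOVER(constructed)")


def capture_dhcp(iface: str, limit: int = 1) -> List[UdpFrame]:
    """Read raw frames the way tcpdump/dhcpd do (Linux only, needs CAP_NET_RAW).
    Packet sockets get frames at the device layer, so an iptables PREROUTING
    DROP does not prevent this function from seeing the packet."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((iface, 0))
    found: List[UdpFrame] = []
    try:
        while len(found) < limit:
            frame = sock.recv(65535)
            if is_dhcp(frame):
                found.append(parse_frame(frame))
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for p in capture_dhcp(sys.argv[1]):      # e.g. python3 listener.py eth0
            print(p)
    else:
        print(parse_frame(SAMPLE_DISCOVER))
```

Run with no argument to decode the constructed frame; pass an interface name (as root) to read real DHCP frames, with or without DROP rules in the PREROUTING chains. Blocking such traffic at the host therefore has to happen before or beside the packet tap (for example by not running the listener, or with a filter attached to the socket itself), not in iptables alone.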


