dhcp and iptables
Hi,
I have a Linux machine that used to be a router as well so it used to have multiple interfaces. My firewall script used to have special lines to not accept certain traffic on the outside interface.
Nowadays the machine is just doing DHCP stuff on the internal network and all is fine, except...
I was just now looking at my firewall script and noticed I accept DHCP and BOOTPS requests from all interfaces except... the only interface I have, but it all still works.
Can someone help me to understand this? Why does DHCP work when the iptables lines look like in the first example?
My firewall looks like this:
linein:~#(vm) iptables -L -v
Chain INPUT (policy DROP 49 packets, 5557 bytes)
pkts bytes target prot opt in out source destination
1131 88068 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
2 104 ACCEPT tcp -- any any 172.16.0.0/15 anywhere tcp dpt:ssh
0 0 ACCEPT all -- lo any anywhere anywhere
1 60 ACCEPT icmp -- any any anywhere anywhere
0 0 ACCEPT tcp -- !eth0 any anywhere anywhere tcp dpt:bootps
0 0 ACCEPT udp -- !eth0 any anywhere anywhere udp dpt:bootps
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- any any 172.16.0.0/15 anywhere
Chain OUTPUT (policy ACCEPT 1478 packets, 338K bytes)
pkts bytes target prot opt in out source destination
As you can see the bootps lines have 0 hits and that is also because they accept traffic only from interfaces other than eth0, which happens to be the only interface right now, except for lo.
As far as I can determine dhcp/bootps traffic gets accepted by the first line with the "state RELATED,ESTABLISHED" part, although that is only an educated guess.
Now why would that be the case? Can anyone tell me that?
The funny thing is that once I changed the bootps lines to the proper format, the bootps lines seem to hit my DHCP requests if I do an ipconfig /renew on my Windows machine.
linein:~/newfw#(vm) iptables -L -v
Chain INPUT (policy DROP 1 packets, 229 bytes)
pkts bytes target prot opt in out source destination
41 3424 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any 172.16.0.0/15 anywhere tcp dpt:ssh
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT icmp -- any any anywhere anywhere
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:bootps
1 328 ACCEPT udp -- any any anywhere anywhere udp dpt:bootps
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- any any 172.16.0.0/15 anywhere
Chain OUTPUT (policy ACCEPT 42 packets, 7204 bytes)
pkts bytes target prot opt in out source destination
Now how can that be if the RELATED,ESTABLISHED line is the first in my iptables? The DHCP request should either hit that line and get accepted, or get accepted by another iptables line, or get dropped when the bootps line was wrong. But as the bootps lines are the last on my INPUT chain and the policy is DROP.... I don't get it. :-(
Can someone help me to understand this? Why does DHCP work when the iptables lines looked like in the first example?
PS. I see I still have some forward lines, I should delete those as well from my config, but I want to change as little as possible right now to understand what is going on.
Bonno Bloksma
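One way to check rule sets like the two listings above mechanically, as an added example that is not part of the original post: a small Python script that parses `iptables -L -v` output, reports which of the host's interfaces each rule's `in` column can ever match (the host is assumed to have only eth0 and lo, as the post says), and then walks the INPUT chain for a fresh DHCP request (UDP to port bootps, conntrack state NEW, arriving on eth0) the way netfilter does, first match wins, policy otherwise. The first listing is copied from the post; the second is constructed from it by replacing `!eth0` with `any`, which is what the corrected rules look like. On the first chain the request matches no ACCEPT rule and falls through to the DROP policy; on the second it is accepted by the last rule, which is consistent with the 1-packet counter on that rule. A chain verdict of DROP while the server still answered is consistent with ISC dhcpd's Linux default of receiving DHCP through a raw packet socket, which the INPUT chain does not filter; the script cannot demonstrate that, so treat it as the thing to confirm on the host rather than as something the listings show.

```python
"""Audit `iptables -L -v` output: interface reachability per rule and a first-match walk.

Assumptions (not from the post): the host has exactly the interfaces in HOST_IFACES,
address matches are not evaluated, and only -i, protocol, dpt: and state are honoured.
"""
import re
from dataclasses import dataclass, field

# Sample input: the first INPUT chain copied from the post above.
BEFORE = """\
Chain INPUT (policy DROP 49 packets, 5557 bytes)
pkts bytes target prot opt in out source destination
1131 88068 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
2 104 ACCEPT tcp -- any any 172.16.0.0/15 anywhere tcp dpt:ssh
0 0 ACCEPT all -- lo any anywhere anywhere
1 60 ACCEPT icmp -- any any anywhere anywhere
0 0 ACCEPT tcp -- !eth0 any anywhere anywhere tcp dpt:bootps
0 0 ACCEPT udp -- !eth0 any anywhere anywhere udp dpt:bootps
"""
# Constructed: the corrected chain, i.e. the same rules with the interface negation removed.
AFTER = BEFORE.replace("!eth0", "any")
HOST_IFACES = {"lo", "eth0"}  # assumed interface list for this host


@dataclass
class Rule:
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extras: str  # trailing match text, e.g. "udp dpt:bootps" or "state RELATED,ESTABLISHED"


@dataclass
class Chain:
    name: str
    policy: str
    rules: list = field(default_factory=list)


CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")


def parse_chains(text):
    """Parse `iptables -L -v` (without -n) output into {chain_name: Chain}."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        if line.startswith("pkts") or current is None:
            continue  # column header or text before the first chain
        cols = line.split(None, 9)  # pkts bytes target prot opt in out src dst [extras]
        if len(cols) < 9:
            continue
        extras = cols[9] if len(cols) == 10 else ""
        current.rules.append(Rule(cols[2], cols[3], cols[5], cols[6], cols[7], cols[8], extras))
    return chains


def iface_matches(spec, iface):
    """Apply an iptables interface spec ('any', 'eth0', 'eth+', '!eth0') to one interface name."""
    if spec in ("any", "*"):
        return True
    negate = spec.startswith("!")
    name = spec.lstrip("!")
    hit = iface.startswith(name[:-1]) if name.endswith("+") else iface == name
    return hit != negate


def matchable_ifaces(rule, host_ifaces):
    """The subset of the host's interfaces on which this rule's -i match can ever succeed."""
    return {ifc for ifc in host_ifaces if iface_matches(rule.in_if, ifc)}


def verdict(chain, iface, proto, dport, state="NEW"):
    """First-match walk: return (target, 1-based rule number), or (policy, None) if nothing matched."""
    for i, r in enumerate(chain.rules, 1):
        if not iface_matches(r.in_if, iface):
            continue
        if r.proto not in ("all", proto):
            continue
        m = re.search(r"dpt:(\S+)", r.extras)
        if m and m.group(1) != dport:
            continue
        m = re.search(r"state (\S+)", r.extras)
        if m and state not in m.group(1).split(","):
            continue  # a fresh DHCP DISCOVER is NEW, so RELATED,ESTABLISHED never matches it
        return r.target, i
    return chain.policy, None


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        inp = parse_chains(text)["INPUT"]
        for n, r in enumerate(inp.rules, 1):
            reach = matchable_ifaces(r, HOST_IFACES)
            if "eth0" not in reach:
                print(f"{label}: rule {n} ({r.proto} {r.extras or 'all'}) can only match on {sorted(reach)}")
        print(f"{label}: new DHCP request on eth0 ->", verdict(inp, "eth0", "udp", "bootps"))
```

Run it as-is to see the two walks side by side; to audit a live box, feed the real `iptables -L -v` text to `parse_chains` and replace `HOST_IFACES` with the interfaces from `ip link`.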