* blocking dhcp on bridge
@ 2005-02-06 21:01 Ron Peterson
  2005-02-07 18:57 ` Ron Peterson
  0 siblings, 1 reply; 3+ messages in thread
From: Ron Peterson @ 2005-02-06 21:01 UTC (permalink / raw)
  To: netfilter

I am running a dhcp server on a bridging firewall.  The dhcp server runs
on br0.  I have eth0 connected to my 'private' network, and eth1
connected to my 'public' network.

I only want this dhcp server to service dhcp requests from the private
network.  Any dhcp requests entering via eth1, or any dhcp replies being
sent via eth1 should be dropped.

(On the alternative solutions front... NAT'ing isn't really an option; I
have administrative staff on the private side of the bridge who need
access to an exchange server (ack, not mine!).  Stupid exchange mail
server needs to be able to initiate contact to the clients sometimes.
The whole setup is basically predicated on the need to treat
unregistered computers on the private side of the bridge differently
than unregistered computers on the public side.  I'd really rather not
add yet more hardware to this setup if possible..)

I have tried various combinations of physdev prerouting postrouting
input output etc. rules, but have yet to successfully prevent this box
from receiving and responding to dhcp requests from the public network.
In the set of rules I'm trying below, for example, you can see that I'm
dropping at least some packets with a bootpc source port (but not all,
see tcpdump output below).  None of the other rules are catching any
packets at all.

382# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 4882K packets, 2316M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  eth1   any     anywhere             anywhere            udp dpt:bootps
    0     0 DROP       udp  --  eth1   any     anywhere             anywhere            udp spt:bootpc
   64 21106 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-in eth1 udp spt:bootpc
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-in --physdev-in eth1 udp dpt:bootps

Chain POSTROUTING (policy ACCEPT 1348K packets, 227M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  any    eth1    anywhere             anywhere            udp spt:bootps
    0     0 DROP       udp  --  any    eth1    anywhere             anywhere            udp dpt:bootpc
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-out --physdev-out eth1 --physdev-is-bridged udp spt:bootps
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-out --physdev-out eth1 udp spt:bootps
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-out --physdev-out eth1 udp dpt:bootpc

You can see in the tcpdump output that follows that dhcp requests are
still being received and responded to (I can tell you from the mac
addresses involved that these requests are on the 'public' network.)
(fil49a is the dual-homed box I'm talking about).

15:50:23.264842 IP fil49a.mtholyoke.edu.bootps > n227-35.mtholyoke.edu.bootpc: BOOTP/DHCP, Reply, length: 300
15:50:23.265473 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:04:5a:58:24:5b, length: 300
15:50:28.463293 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:02:2d:7e:1a:5c, length: 300
15:50:28.463699 IP fil49a.mtholyoke.edu.bootps > n229-76.mtholyoke.edu.bootpc: BOOTP/DHCP, Reply, length: 300
15:50:33.269991 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:04:5a:58:24:5b, length: 300

I'm using iptables 1.2.9 on Ubuntu linux 2.6.8.1-4-686.

?

-- 
Ron Peterson
Network & Systems Manager
Mount Holyoke College
http://www.mtholyoke.edu/~rpeterso
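
The diagnostic the post relies on is the packet counter column of `iptables -L -v`: a rule with a nonzero count is matching, and a DROP rule drops every packet it counts, so a DROP counter that keeps rising while the daemon keeps answering means the packets are reaching the daemon by a path the rule does not sit on. The following parser is an added example, not code from the post or from the netfilter project; it turns a listing in the exact format shown above into chains and rules, converts the abbreviated counters iptables prints (1266K, 42M, decimal and rounded) back to integers, and lists only the rules that have seen traffic. The embedded listing is constructed from the first post's PREROUTING and POSTROUTING chains.

```python
"""List the iptables rules whose packet counters have moved.

Added example, not from the mailing-list thread.  SAMPLE is constructed
from the `iptables -L -v -t nat` listing in the first post.
"""
import re

SAMPLE = """\
Chain PREROUTING (policy ACCEPT 4882K packets, 2316M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  eth1   any     anywhere             anywhere            udp dpt:bootps
   64 21106 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-in eth1 udp spt:bootpc

Chain POSTROUTING (policy ACCEPT 1348K packets, 227M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  any    eth1    anywhere             anywhere            udp spt:bootps
"""

# iptables -L -v abbreviates large counters with decimal suffixes (1000-based).
_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3, "T": 1000 ** 4}
_BUILTIN = re.compile(r"^Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)")
_USER = re.compile(r"^Chain (\S+) \((\d+) references\)")


def to_int(token):
    """Convert a counter token such as '64', '1266K' or '42M' to an int."""
    m = re.fullmatch(r"(\d+)([KMGT]?)", token)
    if not m:
        raise ValueError(f"bad counter token: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_listing(text):
    """Return {chain_name: {"policy": str|None, "policy_pkts": int, "rules": [...]}}."""
    chains = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _BUILTIN.match(line)
        if m:
            current = chains.setdefault(m.group(1), {
                "policy": m.group(2), "policy_pkts": to_int(m.group(3)), "rules": []})
            continue
        m = _USER.match(line)
        if m:
            current = chains.setdefault(m.group(1), {
                "policy": None, "policy_pkts": 0, "rules": []})
            continue
        if line.lstrip().startswith("pkts bytes"):
            continue  # column header
        if current is None:
            raise ValueError("rule line appears before any Chain header")
        # Fixed columns first; everything after 'destination' is the match text.
        parts = line.split(None, 9)
        if len(parts) < 9:
            raise ValueError(f"unparseable rule line: {line!r}")
        pkts, nbytes, target, prot, opt, in_if, out_if, src, dst = parts[:9]
        current["rules"].append({
            "pkts": to_int(pkts), "bytes": to_int(nbytes), "target": target,
            "prot": prot, "in": in_if, "out": out_if, "src": src, "dst": dst,
            "match": parts[9] if len(parts) > 9 else "",
        })
    return chains


def active_rules(chains):
    """(chain, 1-based rule number, pkts, match) for every rule that matched traffic.

    Rule numbers follow `iptables -L --line-numbers` so they can be used
    directly with `iptables -D CHAIN N`.
    """
    out = []
    for name, chain in chains.items():
        for i, rule in enumerate(chain["rules"], start=1):
            if rule["pkts"] > 0:
                out.append((name, i, rule["pkts"], rule["match"]))
    return out


if __name__ == "__main__":
    for chain, num, pkts, match in active_rules(parse_listing(SAMPLE)):
        print(f"{chain} rule {num}: {pkts} pkts  [{match}]")
```

Feed it real output with `iptables -L -v -n | python3 thisfile.py` after changing the `__main__` block to read `sys.stdin`; the `-n` flag keeps the layout identical while avoiding reverse DNS.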



* Re: blocking dhcp on bridge
  2005-02-06 21:01 blocking dhcp on bridge Ron Peterson
@ 2005-02-07 18:57 ` Ron Peterson
  2005-02-14 22:09   ` Ron Peterson
  0 siblings, 1 reply; 3+ messages in thread
From: Ron Peterson @ 2005-02-07 18:57 UTC (permalink / raw)
  To: netfilter

On Sun, Feb 06, 2005 at 04:01:54PM -0500, Ron Peterson wrote:

> I am running a dhcp server on a bridging firewall.  The dhcp server runs
> on br0.  I have eth0 connected to my 'private' network, and eth1
> connected to my 'public' network.
> 
> I only want this dhcp server to service dhcp requests from the private
> network.  Any dhcp requests entering via eth1, or any dhcp replies being
> sent via eth1 should be dropped.

I have been kicking this some more, and the results are ... weird.

Here's some tcpdump output (tcpdump -i br0 -w /root/tmp/dhcp.dump port
67 or port 68 &).  At 11:47:25, the log changes drastically.  Prior to
that time, the only packets seen from fil49a (my bridged dhcp server)
are those sent to the private interface, which is what I want.  No
incoming dhcp requests are seen from the public network.  This is
exactly what I want.  Then suddenly dhcp requests start showing up from
the public network, and fil49a starts responding!  There were no changes
to iptables rules.

11:45:05.229455 IP must.mtholyoke.edu.bootps > n238-107.mtholyoke.edu.bootpc: UDP, length: 300
11:45:53.685620 IP must.mtholyoke.edu.bootps > kfelsent.mtholyoke.edu.bootpc: UDP, length: 300
11:45:53.687892 IP must.mtholyoke.edu.bootps > kfelsent.mtholyoke.edu.bootpc: UDP, length: 300
11:45:53.688271 IP dot.mtholyoke.edu.bootps > 255.255.255.255.bootpc: UDP, length: 319
11:45:53.690336 IP dot.mtholyoke.edu.bootps > 255.255.255.255.bootpc: UDP, length: 319
11:45:53.693789 IP ambr.mtholyoke.edu.bootps > kfelsent.mtholyoke.edu.bootpc: UDP, length: 300
11:45:53.694250 IP ambr.mtholyoke.edu.bootps > kfelsent.mtholyoke.edu.bootpc: UDP, length: 300
11:46:35.311306 IP must.mtholyoke.edu.bootps > wh1-hp.mtholyoke.edu.bootpc: UDP, length: 300
11:47:00.913538 IP must.mtholyoke.edu.bootps > n213-107.mtholyoke.edu.bootpc: UDP, length: 300
11:47:16.702384 IP must.mtholyoke.edu.bootps > 255.255.255.255.bootpc: UDP, length: 300
11:47:16.703252 IP must.mtholyoke.edu.bootps > 255.255.255.255.bootpc: UDP, length: 300
11:47:25.618022 IP must.mtholyoke.edu.bootps > 138.110.233.56.bootpc: UDP, length: 300
11:47:36.809950 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: UDP, length: 548
11:47:37.000654 IP fil49a.mtholyoke.edu.bootps > 138.110.49.166.bootpc: UDP, length: 300
11:47:37.044793 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: UDP, length: 548
11:47:37.046364 IP fil49a.mtholyoke.edu.bootps > 138.110.49.166.bootpc: UDP, length: 300
11:47:37.625675 IP ambr.mtholyoke.edu.bootps > 138.110.109.229.bootpc: UDP, length: 300
11:47:41.403244 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: UDP, length: 303
11:47:41.403672 IP fil49a.mtholyoke.edu.bootps > dw10-18.mtholyoke.edu.bootpc: UDP, length: 300
11:47:44.826415 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: UDP, length: 300
11:47:44.826823 IP fil49a.mtholyoke.edu.bootps > n227-35.mtholyoke.edu.bootpc: UDP, length: 300
11:47:44.826957 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: UDP, length: 300
11:47:44.827346 IP fil49a.mtholyoke.edu.bootps > n227-35.mtholyoke.edu.bootpc: UDP, length: 300
11:47:44.827981 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: UDP, length: 300
11:47:51.240491 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: UDP, length: 339
11:47:51.240937 IP fil49a.mtholyoke.edu.bootps > sk23-63.mtholyoke.edu.bootpc: UDP, length: 300

Here are the rules I'm running, along with packet/byte counts.  There
are a lot of them, because I'm trying all the combinations of blocking
incoming bootpc, outgoing bootps, physdev, input, output, forward,
prerouting, and postrouting for both -t filter and -t nat.

473# iptables -L -v
Chain INPUT (policy ACCEPT 371K packets, 42M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  eth1   any     anywhere             anywhere            udp dpt:bootps
    0     0 DROP       udp  --  eth1   any     anywhere             anywhere            udp spt:bootpc
 3683 1266K DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-in eth1 udp spt:bootpc
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-in eth1 udp dpt:bootps
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-in --physdev-in eth1 udp spt:bootpc
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-in --physdev-in eth1 udp dpt:bootps

Chain FORWARD (policy ACCEPT 785K packets, 160M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-out eth1 --physdev-is-bridged udp spt:bootps
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-out eth1 --physdev-is-bridged udp dpt:bootpc
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-out --physdev-out eth1 udp spt:bootps
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-out --physdev-out eth1 udp dpt:bootpc
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-out eth1 udp spt:bootps
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-out eth1 udp dpt:bootpc
 3683 1266K DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-in eth1 --physdev-is-bridged udp spt:bootpc
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-in eth1 --physdev-is-bridged udp dpt:bootps
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-in --physdev-in eth1 udp spt:bootpc
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-in --physdev-in eth1 udp dpt:bootps
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-in eth1 udp spt:bootpc
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-in eth1 udp dpt:bootps
    0     0 DROP       udp  --  any    eth1    anywhere             anywhere            udp spt:bootps
    0     0 DROP       udp  --  any    eth1    anywhere             anywhere            udp dpt:bootpc
    0     0 DROP       udp  --  eth1   any     anywhere             anywhere            udp spt:bootpc
    0     0 DROP       udp  --  eth1   any     anywhere             anywhere            udp dpt:bootps

Chain OUTPUT (policy ACCEPT 3087 packets, 905K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  any    eth1    anywhere             anywhere            udp spt:bootps
    0     0 DROP       udp  --  any    eth1    anywhere             anywhere            udp dpt:bootpc
    4  1312 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-out --physdev-out eth1 udp spt:bootps
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-out --physdev-out eth1 udp dpt:bootpc
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-out eth1 udp spt:bootps
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-out eth1 udp dpt:bootpc

474# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 7624K packets, 3349M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  eth1   any     anywhere             anywhere            udp dpt:bootps
    0     0 DROP       udp  --  eth1   any     anywhere             anywhere            udp spt:bootpc
 4371 1494K DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-in eth1 udp spt:bootpc
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-in eth1 udp dpt:bootps
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-in --physdev-in eth1 udp spt:bootpc
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-in --physdev-in eth1 udp dpt:bootps

Chain POSTROUTING (policy ACCEPT 2102K packets, 356M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-out eth1 --physdev-is-bridged udp spt:bootps
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-out eth1 --physdev-is-bridged udp dpt:bootpc
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-out --physdev-out eth1 udp spt:bootps
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-out --physdev-out eth1 udp dpt:bootpc
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-out eth1 udp spt:bootps
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-out eth1 udp dpt:bootpc
    0     0 DROP       udp  --  any    eth1    anywhere             anywhere            udp spt:bootps
    0     0 DROP       udp  --  any    eth1    anywhere             anywhere            udp dpt:bootpc

Chain OUTPUT (policy ACCEPT 613 packets, 41072 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-out --physdev-out eth1 udp spt:bootps
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-is-out --physdev-out eth1 udp dpt:bootpc
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-out eth1 udp spt:bootps
    0     0 DROP       udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-out eth1 udp dpt:bootpc
    0     0 DROP       udp  --  any    eth1    anywhere             anywhere            udp spt:bootps
    0     0 DROP       udp  --  any    eth1    anywhere             anywhere            udp dpt:bootpc

Sorry for such a long post.  I believe at this point I should probably try
2.6.10, although I was really hoping to avoid leaving the land of
distribution packages.  Something really odd seems to be going on,
though.

The fortune cookie in my lunch says "Your luck has been completely
changed today."  Yikes.

-- 
Ron Peterson
Network & Systems Manager
Mount Holyoke College
http://www.mtholyoke.edu/~rpeterso
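
The capture above is read by eye for two things: which hosts are answering on port 67, and when fil49a starts answering. Both are worth automating, because a DHCP server answering a segment it is not supposed to serve looks the same on the wire whether it is a misconfigured bridge like this one or an unauthorized server. The script below is an added example, not code from the thread; it parses tcpdump one-line output in the format shown, counts client broadcasts and per-server replies, flags any replying server that is not on an allow-list, and builds a per-minute reply timeline for one server so the 11:47 change is visible as numbers. The sample lines are constructed from the post's format, and EXPECTED_SERVERS is an assumption standing in for the servers an administrator actually expects on the segment.

```python
"""Summarize DHCP traffic from tcpdump one-line output.

Added example, not part of the mailing-list thread.  SAMPLE is
constructed from the line format in the second post; EXPECTED_SERVERS is
an assumed allow-list of servers that are supposed to answer here.
"""
import re
from collections import Counter

SAMPLE = """\
11:45:05.229455 IP must.mtholyoke.edu.bootps > n238-107.mtholyoke.edu.bootpc: UDP, length: 300
11:45:53.688271 IP dot.mtholyoke.edu.bootps > 255.255.255.255.bootpc: UDP, length: 319
11:47:36.809950 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: UDP, length: 548
11:47:37.000654 IP fil49a.mtholyoke.edu.bootps > 138.110.49.166.bootpc: UDP, length: 300
11:47:41.403244 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: UDP, length: 303
11:47:41.403672 IP fil49a.mtholyoke.edu.bootps > dw10-18.mtholyoke.edu.bootpc: UDP, length: 300
15:50:23.264842 IP fil49a.mtholyoke.edu.bootps > n227-35.mtholyoke.edu.bootpc: BOOTP/DHCP, Reply, length: 300
not a dhcp line at all
"""

# Assumed allow-list: servers that are expected to answer on this segment.
EXPECTED_SERVERS = {"must.mtholyoke.edu", "dot.mtholyoke.edu", "ambr.mtholyoke.edu"}

# "HH:MM:SS.usec IP <src>.<port> > <dst>.<port>: ..."  Hosts may contain dots,
# so the greedy \S+ backtracks until the trailing ".<port>" separates off.
LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\.\d+ IP "
    r"(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+):"
)


def parse_line(line):
    """Return a dict with time/src/dst/kind for a DHCP line, else None."""
    m = LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    if d["sport"] in ("bootps", "67"):
        d["kind"] = "reply"          # server -> client
    elif d["dport"] in ("bootps", "67"):
        d["kind"] = "request"        # client -> server (usually broadcast)
    else:
        return None                  # some other UDP traffic
    return d


def summarize(lines, expected):
    """Count requests and per-server replies; flag servers not in `expected`."""
    requests = 0
    replies = Counter()
    seen = {}                        # server -> (first reply time, last reply time)
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["kind"] == "request":
            requests += 1
            continue
        replies[p["src"]] += 1
        first = seen.get(p["src"], (p["time"], p["time"]))[0]
        seen[p["src"]] = (first, p["time"])
    unexpected = {
        s: {"replies": n, "first": seen[s][0], "last": seen[s][1]}
        for s, n in replies.items() if s not in expected
    }
    return {"requests": requests, "replies": dict(replies), "unexpected": unexpected}


def reply_timeline(lines, server):
    """Replies sent by `server`, bucketed per minute (HH:MM), in time order."""
    per_minute = Counter()
    for line in lines:
        p = parse_line(line)
        if p and p["kind"] == "reply" and p["src"] == server:
            per_minute[p["time"][:5]] += 1
    return dict(sorted(per_minute.items()))


if __name__ == "__main__":
    report = summarize(SAMPLE.splitlines(), EXPECTED_SERVERS)
    print(report)
    for server in report["unexpected"]:
        print(server, reply_timeline(SAMPLE.splitlines(), server))
```

Run it against a live capture with `tcpdump -i br0 -l -n port 67 or port 68` piped into a loop over `sys.stdin`; with `-n` the server column holds IP addresses rather than names, so the allow-list must use the same form.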



* Re: blocking dhcp on bridge
  2005-02-07 18:57 ` Ron Peterson
@ 2005-02-14 22:09   ` Ron Peterson
  0 siblings, 0 replies; 3+ messages in thread
From: Ron Peterson @ 2005-02-14 22:09 UTC (permalink / raw)
  To: netfilter

On Mon, Feb 07, 2005 at 01:57:11PM -0500, Ron Peterson wrote:
> On Sun, Feb 06, 2005 at 04:01:54PM -0500, Ron Peterson wrote:
> 
> > I am running a dhcp server on a bridging firewall.  The dhcp server runs
> > on br0.  I have eth0 connected to my 'private' network, and eth1
> > connected to my 'public' network.
> > 
> > I only want this dhcp server to service dhcp requests from the private
> > network.  Any dhcp requests entering via eth1, or any dhcp replies being
> > sent via eth1 should be dropped.

I stopped using iptables, and used ebtables instead.  Seems to work.

Obviously, there is some overlapping functionality between these two
toolsets.  I'm learning the hard way when to use which tool.

# Interface roles as described at the top of the thread: eth0 private, eth1 public.
EBTABLES=ebtables   # path to the ebtables binary (assumed; adjust as needed)
PRIV=eth0
PUB=eth1

# Frames delivered to the bridge itself (the dhcp server on br0):
# drop DHCP client traffic (source port 68 / destination port 67) arriving on the public port.
$EBTABLES -A INPUT --in-interface $PUB --protocol IPv4 --ip-protocol udp --ip-source-port 68 -j DROP
$EBTABLES -A INPUT --in-interface $PUB --protocol IPv4 --ip-protocol udp --ip-destination-port 67 -j DROP

# Frames bridged between the two ports:
# keep private clients' requests from leaving toward the public side,
# and public clients' requests from crossing to the private side.
$EBTABLES -A FORWARD --in-interface $PRIV --protocol IPv4 --ip-protocol udp --ip-source-port 68 -j DROP
$EBTABLES -A FORWARD --in-interface $PUB --protocol IPv4 --ip-protocol udp --ip-destination-port 67 -j DROP

-- 
Ron Peterson
Network & Systems Manager
Mount Holyoke College
http://www.mtholyoke.edu/~rpeterso

