Re: DHCP and iptables

Re: DHCP and iptables

[lkml]

Well, I just looked for "ethernet protocol" and read some things about  
DHCP again.

What's an ethernet protocol?

I also read, that "DHCP is built directly on UDP and IP" (RFC 2131).

It uses Ports (UDP 67/68) and the source address of the DHCP server is  
an IP address.

Could you answer me more in detail, why I get an IP, but block  
everything with iptables?

Sincerely yours Mathias Kub

--------------------
12.10.2009 Mathias Kub <lkml@makubi.at>

|   Thank you very much for that quick reply.
|
|   Yours Mathias Kub
|
|   --------------------
|   12.10.2009 Arnd Bergmann <arndbergmann@googlemail.com>
|
|   |   On Monday 12 October 2009, lkml@makubi.at wrote:
|   |   > The last few days I have been wondering about the fact, that I get
|   |   > an IP address via
|   |   > DHCP if all chains at iptables are set to drop and no accept rules
|   |   > set.
|   |   >
|   |   > Does this happen on purpose?
|   |
|   |   DHCP is an ethernet protocol, not an IP protocol, so you have to use
|   |   ebtables instead of iptables to filter it.
|   |
|   |   	Arnd <><
|
|   --
|   To unsubscribe from this list: send the line "unsubscribe linux-kernel"
|    in the body of a message to majordomo@vger.kernel.org
|   More majordomo info at  http://vger.kernel.org/majordomo-info.html
|   Please read the FAQ at  http://www.tux.org/lkml/
|

Re: DHCP and iptables

[Arnd Bergmann]

On Monday 12 October 2009, lkml@makubi.at wrote:
> Well, I just looked for "ethernet protocol" and read some things about  
> DHCP again.
> 
> What's an ethernet protocol?
> 
> I also read, that "DHCP is built directly on UDP and IP" (RFC 2131).
> 
> It uses Ports (UDP 67/68) and the source address of the DHCP server is  
> an IP address.

Ah, right. I confused it with the way that the ancient RARP protocol did
this before DHCP.

Sorry for the confusion.
 
> Could you answer me more in detail, why I get an IP, but block  
> everything with iptables?

The dhcp client opens a raw packet socket at the ethernet device
(if I'm not mistaken again), because there is no IP address assigned
with the netdev at that time. This allows it to send and receive
ethernet frames, bypassing the TCP/IP stack.

	Arnd <><

Re: DHCP and iptables

[lkml]

Well, but for example ICMP also uses raw sockets and gets blocked if I  
do not explicit allow it, doesn't it?

> On Monday 12 October 2009, lkml@makubi.at wrote:
>> Well, I just looked for "ethernet protocol" and read some things about
>> DHCP again.
>>
>> What's an ethernet protocol?
>>
>> I also read, that "DHCP is built directly on UDP and IP" (RFC 2131).
>>
>> It uses Ports (UDP 67/68) and the source address of the DHCP server is
>> an IP address.
>
> Ah, right. I confused it with the way that the ancient RARP protocol did
> this before DHCP.
>
> Sorry for the confusion.
>
>> Could you answer me more in detail, why I get an IP, but block
>> everything with iptables?
>
> The dhcp client opens a raw packet socket at the ethernet device
> (if I'm not mistaken again), because there is no IP address assigned
> with the netdev at that time. This allows it to send and receive
> ethernet frames, bypassing the TCP/IP stack.
>
> 	Arnd <><
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>

Re: DHCP and iptables

[H. Peter Anvin]

On 10/12/2009 02:50 PM, lkml@makubi.at wrote:
> Well, I just looked for "ethernet protocol" and read some things about  
> DHCP again.
> 
> What's an ethernet protocol?
> 
> I also read, that "DHCP is built directly on UDP and IP" (RFC 2131).
> 
> It uses Ports (UDP 67/68) and the source address of the DHCP server is  
> an IP address.
> 
> Could you answer me more in detail, why I get an IP, but block  
> everything with iptables?
> 

The reason is that the DHCP client bypasses the Linux IP stack
completely (because it has special requirements.)

> |   |   DHCP is an ethernet protocol, not an IP protocol, so you have to use
> |   |   ebtables instead of iptables to filter it.
> |   |
> |   |   	Arnd <><

This is actually incorrect -- DHCP is an IP (UDP, in fact) protocol.  It
just has very special requirements (such as being able to use
src=0.0.0.0 dst=255.255.255.255) that aren't needed in normal operation,
so rather than slowing down the in-kernel IP stack it synthesizes raw
packets.

	-hpa

Re: DHCP and iptables

[lkml]

> On 10/12/2009 02:50 PM, lkml@makubi.at wrote:
>> Well, I just looked for "ethernet protocol" and read some things about
>> DHCP again.
>>
>> What's an ethernet protocol?
>>
>> I also read, that "DHCP is built directly on UDP and IP" (RFC 2131).
>>
>> It uses Ports (UDP 67/68) and the source address of the DHCP server is
>> an IP address.
>>
>> Could you answer me more in detail, why I get an IP, but block
>> everything with iptables?
>>
>
> The reason is that the DHCP client bypasses the Linux IP stack
> completely (because it has special requirements.)
>
>> |   |   DHCP is an ethernet protocol, not an IP protocol, so you have to use
>> |   |   ebtables instead of iptables to filter it.
>> |   |
>> |   |   	Arnd <><
>
> This is actually incorrect -- DHCP is an IP (UDP, in fact) protocol.  It
> just has very special requirements (such as being able to use
> src=0.0.0.0 dst=255.255.255.255) that aren't needed in normal operation,
> so rather than slowing down the in-kernel IP stack it synthesizes raw
> packets.
>
> 	-hpa
>

So iptables uses the in-kernel IP stack and because of that fact, it  
is not able to filter the DHCP packets?

Re: DHCP and iptables

[H. Peter Anvin]

On 10/12/2009 03:53 PM, lkml@makubi.at wrote:
> 
> So iptables uses the in-kernel IP stack and because of that fact, it  
> is not able to filter the DHCP packets?
> 

iptables is part of the in-kernel IP stack, yes...

	-hpa

Re: DHCP and iptables

[Mathias Kub]

Well, thank you very much, both of you.

Sincerely Mathias Kub

> On 10/12/2009 03:53 PM, lkml@makubi.at wrote:
>>
>> So iptables uses the in-kernel IP stack and because of that fact, it
>> is not able to filter the DHCP packets?
>>
>
> iptables is part of the in-kernel IP stack, yes...
>
> 	-hpa
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>

Re: DHCP and iptables

[Mathias Kub]

Thank you very much for that quick reply.

Yours Mathias Kub

--------------------
12.10.2009 Arnd Bergmann <arndbergmann@googlemail.com>

|   On Monday 12 October 2009, lkml@makubi.at wrote:
|   > The last few days I have been wondering about the fact, that I get an
|   > IP address via
|   > DHCP if all chains at iptables are set to drop and no accept rules set.
|   >
|   > Does this happen on purpose?
|
|   DHCP is an ethernet protocol, not an IP protocol, so you have to use
|   ebtables instead of iptables to filter it.
|
|   	Arnd <><

DHCP and iptables

[lkml]

Hi,

The last few days I have been wondering about the fact, that I get an IP
address via
DHCP if all chains at iptables are set to drop and no accept rules set.

Does this happen on purpose?

I checked twice, if I really get an IP from my DHCP-server, checked the DHCP-
messages and a wireshark trace.

I Also tried the check_dhcp-nagios plugin, which fails if I do not allow
packets for the input chain, destination port 68, protocol udp.


Why do I get an IP address, if I drop everything?

Sincerely yours Mathias Kub

Re: DHCP and iptables

[Arnd Bergmann]

On Monday 12 October 2009, lkml@makubi.at wrote:
> The last few days I have been wondering about the fact, that I get an IP
> address via
> DHCP if all chains at iptables are set to drop and no accept rules set.
> 
> Does this happen on purpose?

DHCP is an ethernet protocol, not an IP protocol, so you have to use
ebtables instead of iptables to filter it.

	Arnd <><