* iptables bug using dhcpd3 on debian sarge 2.6.8
From: staenker @ 2005-03-07 14:44 UTC
To: netfilter-devel
hello,
at first, nice weekend! and now to my problem.
I tried to set up a firewall on my dsl gate. I want to use policy drop
for the input and output chain. so, if I was right, I have to write some
rules for the dhcpd3 server, ssh, dns, ... ok, I wrote the rules for
sshd using port 64385. works fine. if I don't use these rules, sshd is
not reachable. also fine. but I realised that my dhcp server works fine
even though I do not implement any accept rules for dhcp. I know
that sounds strange, that's why I put a date between the iptables calls
so that it looks a bit like I was not lying. and I wish I were - but
wishes are wishes and reality is hard to accept. so please believe me
that I was not lying! ok, here is the output:
-----
Antifreeze:~# date;iptables -L;date;iptables -t nat -L;date;iptables -t mangle -L;date;tcpdump -i eth0 udp
Mon Mar 7 14:50:57 CET 2005
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:64385 state NEW,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:64385 state ESTABLISHED
Mon Mar 7 14:50:57 CET 2005
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Mon Mar 7 14:50:57 CET 2005
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Mon Mar 7 14:50:57 CET 2005
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
14:51:01.030148 IP 192.168.0.4.3365 > 193.174.103.1.domain: 53003+ A? download.windowsupdate.com. (44)
14:51:02.029715 IP 192.168.0.4.3365 > 193.174.103.1.domain: 53003+ A? download.windowsupdate.com. (44)
14:51:03.030160 IP 192.168.0.4.3365 > 193.174.103.1.domain: 53003+ A? download.windowsupdate.com. (44)
14:51:05.030290 IP 192.168.0.4.3365 > 193.174.103.1.domain: 53003+ A? download.windowsupdate.com. (44)
14:51:09.031182 IP 192.168.0.4.3365 > 193.174.103.1.domain: 53003+ A? download.windowsupdate.com. (44)
14:51:10.965603 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:0f:cb:ad:75:a8, length: 300
14:51:10.966600 IP Antifreeze.lan.bootps > 192.168.0.19.bootpc: BOOTP/DHCP, Reply, length: 300
14:51:10.975221 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:0f:cb:ad:75:a8, length: 322
14:51:10.978049 IP Antifreeze.lan.bootps > 192.168.0.19.bootpc: BOOTP/DHCP, Reply, length: 300
14:51:16.039898 IP 192.168.0.4.3365 > 193.174.103.1.domain: 40968+ A? download.windowsupdate.com. (44)
14:51:17.039462 IP 192.168.0.4.3365 > 193.174.103.1.domain: 40968+ A? download.windowsupdate.com. (44)
14:51:18.039531 IP 192.168.0.4.3365 > 193.174.103.1.domain: 40968+ A? download.windowsupdate.com. (44)
14:51:20.039913 IP 192.168.0.4.3365 > 193.174.103.1.domain: 40968+ A? download.windowsupdate.com. (44)
14:51:24.040680 IP 192.168.0.4.3365 > 193.174.103.1.domain: 40968+ A? download.windowsupdate.com. (44)
14 packets captured
14 packets received by filter
0 packets dropped by kernel
Antifreeze:~# date
Mon Mar 7 14:51:35 CET 2005
Antifreeze:~#
----
so please show me my fault. I have been testing for about 4 hours and could
not understand why this dhcpd is working.
thanks for your attention
richard hauswald
* Re: iptables bug using dhcpd3 on debian sarge 2.6.8
From: richard hauswald @ 2005-03-08 13:28 UTC
To: netfilter-devel
sorry for the crosspost, I did not know that this mail arrives today if I
sent it yesterday.
* Re: iptables bug using dhcpd3 on debian sarge 2.6.8
From: Patrick McHardy @ 2005-03-08 15:45 UTC
To: staenker; +Cc: netfilter-devel
staenker@rhcs.de wrote:
> hello,
> at first, nice weekend! and now to my problem.
> I tried to set up a firewall on my dsl gate. I want to use policy drop
> for the input and output chain. so, if I was right, I have to write some
> rules for the dhcpd3 server, ssh, dns, ... ok, I wrote the rules for
> sshd using port 64385. works fine. if I don't use these rules, sshd is
> not reachable. also fine. but I realised that my dhcp server works fine
> even though I do not implement any accept rules for dhcp. I know
> that sounds strange, that's why I put a date between the iptables calls
> so that it looks a bit like I was not lying. and I wish I were - but
> wishes are wishes and reality is hard to accept. so please believe me
> that I was not lying! ok, here is the output:
ISC DHCP uses AF_PACKET sockets on Linux by default, which receive
packets before iptables. There are some compile-time options to make it
use normal UDP sockets.
Regards
Patrick
* Re: iptables bug using dhcpd3 on debian sarge 2.6.8
From: richard hauswald @ 2005-03-10 8:10 UTC
Cc: netfilter-devel
Patrick McHardy wrote:
>
> ISC DHCP uses AF_PACKET sockets on Linux by default, which receive
> packets before iptables. There are some compile-time options to make it
> use normal UDP sockets.
>
> Regards
> Patrick
>
Thanks for that tip. But is this good or bad? I mean, if I were a trojan
programmer, couldn't I use these AF_PACKET sockets to code an
iptables-passing trojan?
I'm not good at programming network stuff, so excuse my simple question.
Regards
Richard Hauswald
* Re: iptables bug using dhcpd3 on debian sarge 2.6.8
From: Sven Schuster @ 2005-03-10 9:35 UTC
To: richard hauswald; +Cc: netfilter-devel
Hi Richard,
On Thu, Mar 10, 2005 at 09:10:25AM +0100, richard hauswald told us:
> Patrick McHardy wrote:
>
> >
> >ISC DHCP uses AF_PACKET sockets on Linux by default, which receive
> >packets before iptables. There are some compile-time options to make it
> >use normal UDP sockets.
> >
> >Regards
> >Patrick
> >
> Thanks for that tip. But is this good or bad? I mean if i where a trojan
> programmer, couldn't i use these AF_PACKET sockets to code an iptables
> passing trojan?
> I'm not good programming networkstuff, so excuse my simple question.
as far as I know (and from reading the kernel source), for using
AF_PACKET sockets you need the CAP_NET_RAW capability or you need to
be root, so in most setups (where probably no capabilities are used)
you need to be root. And when you (or a trojan) have root privileges,
it might as well alter the iptables rule set to allow its network
traffic to go out... please anybody correct me if I'm wrong.
Sven
>
> Regards
> Richard Hauswald
>
>
--
Linux zion 2.6.11-mm1 #1 Mon Mar 7 11:17:40 CET 2005 i686 athlon i386 GNU/Linux
10:30:33 up 10:51, 1 user, load average: 0.14, 0.04, 0.01
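A defender-side check that follows from Patrick's and Sven's points (AF_PACKET sockets see traffic before the netfilter INPUT chain, and opening one needs root or CAP_NET_RAW): an added example, not code from this thread, that lists the packet sockets from /proc/net/packet and maps each to its owning process, so a host inventory shows which daemons, like dhcpd here, the iptables rule set does not cover. The column layout of /proc/net/packet ("sk RefCnt Type Proto Iface R Rmem User Inode") is assumed from the kernel source, and the sample table is constructed.

```python
import os
import glob

# Constructed sample in the kernel's /proc/net/packet layout (assumed):
SAMPLE = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
c1234560 3      3    0800   2     1 0      0      9876
c1234aa0 3      3    0003   0     1 0      1000   9912
"""

SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}
ETH_P_ALL = 0x0003  # bound to every ethertype, not just IPv4


def parse_packet_sockets(text):
    """Parse the /proc/net/packet table (header skipped) into dicts."""
    sockets = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 9:
            continue
        proto = int(f[3], 16)  # ethertype, printed in hex by the kernel
        sockets.append({
            "type": SOCK_TYPES.get(int(f[2]), f[2]),
            "proto": proto,
            "scope": "all ethertypes" if proto == ETH_P_ALL
                     else "ethertype 0x%04x" % proto,
            "uid": int(f[7]),
            "inode": int(f[8]),
        })
    return sockets


def find_owner(inode, proc="/proc"):
    """Return (pid, comm) of the process holding socket:[inode], else None."""
    target = "socket:[%d]" % inode
    for fd in glob.glob(os.path.join(proc, "[0-9]*", "fd", "*")):
        try:
            if os.readlink(fd) == target:
                pid = fd.split(os.sep)[-3]
                with open(os.path.join(proc, pid, "comm")) as fh:
                    return int(pid), fh.read().strip()
        except OSError:  # process gone, or not permitted to inspect it
            continue
    return None


if __name__ == "__main__":  # on a Linux host read the live table as root
    data = open("/proc/net/packet").read() if os.path.exists("/proc/net/packet") else SAMPLE
    for s in parse_packet_sockets(data):  # every entry bypasses the INPUT chain
        print(s["inode"], s["uid"], s["type"], s["scope"], find_owner(s["inode"]))
```

A socket on ETH_P_ALL with ifindex 0 receives every frame on every interface, so those entries deserve the closest look.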