* dhcrelay still responds dropped inbound offer packets from iptables
From: Willy Chang @ 2005-07-08 21:18 UTC (permalink / raw)
To: netfilter
Folks,
I am running a dhcrelay service and using iptables as a
firewall to block packets from the dhcp server on the inbound side, eth0,
of my Linux. The reason to do this is to avoid generating duplicated
packets from my machine to the dhcp client on the same subnet.
For some reason, I am unable to block these packets. I have the
simple rule below to block all incoming UDP packets,
which should block dhcp packets as well.
iptables -A INPUT -p UDP -i eth0 -j DROP
The dhcp client is still able to receive duplicated packets, one
from the dhcp server and another from my machine while the dhcp relay agent
is relaying packets. Has anyone seen this before? Any comments or
suggestions are welcome. Thanks,
Willy
* Re: dhcrelay still responds dropped inbound offer packets from iptables (nfcan: addressed to exclusive sender for this address)
From: Jim Laurino @ 2005-07-08 21:37 UTC (permalink / raw)
To: netfilter
On 2005.07.08 17:18, Willy Chang - changwilly@gmail.com wrote:
> Folks,
>
> I am running a dhcrelay service and using iptables as a
> firewall to block packets from the dhcp server on the inbound side, eth0,
> of my Linux. The reason to do this is to avoid generating duplicated
> packets from my machine to the dhcp client on the same subnet.
> For some reason, I am unable to block these packets. I have the
> simple rule below to block all incoming UDP packets,
> which should block dhcp packets as well.
>
> iptables -A INPUT -p UDP -i eth0 -j DROP
I see two things to comment on.
First, if you add (-A) a rule like this at the end,
the packets in question might have already been accepted
by an earlier rule. For a case like this, you might want
to insert at the top (-I) instead.
Second, INPUT affects filtering of packets bound for the firewall
host itself. FORWARD rules affect packets bound for other hosts.
I think those are the packets you are trying to block.
--
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.
* Re: dhcrelay still responds dropped inbound offer packets from iptables
From: Harald Welte @ 2005-07-11 7:32 UTC (permalink / raw)
To: Willy Chang; +Cc: netfilter
On Fri, Jul 08, 2005 at 05:18:33PM -0400, Willy Chang wrote:
> Folks,
>
> I am running a dhcrelay service and using iptables as a
> firewall to block packets from the dhcp server on the inbound side, eth0,
> of my Linux. The reason to do this is to avoid generating duplicated
> packets from my machine to the dhcp client on the same subnet.
> For some reason, I am unable to block these packets. I have the
> simple rule below to block all incoming UDP packets,
> which should block dhcp packets as well.
iptables works in the IP stack. Applications using PACKET sockets don't
use the IP stack and therefore are not affected by iptables.
My guess is that dhcrelay uses PACKET sockets.
--
- Harald Welte <laforge@netfilter.org> http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
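As an added illustration, not part of the thread and not code from any of the posters, the following Python model walks a frame arriving on eth0 through the three points raised in the two replies above: a DROP appended (-A) behind an earlier ACCEPT rule never matches, while the same rule inserted (-I) at the top does; INPUT only sees packets addressed to the host itself while transit traffic goes through FORWARD; and an AF_PACKET socket, which is what Harald guesses dhcrelay uses, receives its copy of the frame at the link layer, before any netfilter hook runs, whatever the verdict. The addresses, interface names and ruleset are constructed for the example.

```python
"""Model of iptables chain traversal vs. AF_PACKET delivery (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOCAL_ADDRS = {"192.0.2.1"}  # constructed: the relay host's own address on eth0


@dataclass
class Packet:
    in_iface: str
    proto: str
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    """One iptables rule; match fields left as None are not tested."""
    target: str
    proto: Optional[str] = None
    in_iface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.proto is None or self.proto == pkt.proto) and (
            self.in_iface is None or self.in_iface == pkt.in_iface)


class Chain:
    """First-match rule list with a default policy, like an iptables chain."""

    def __init__(self, policy: str = "ACCEPT") -> None:
        self.rules: List[Rule] = []
        self.policy = policy

    def append(self, rule: Rule) -> None:   # iptables -A CHAIN ...
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:   # iptables -I CHAIN ... (position 1)
        self.rules.insert(0, rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target       # the first matching rule decides
        return self.policy


class Host:
    def __init__(self) -> None:
        self.INPUT = Chain()
        self.FORWARD = Chain()
        self.packet_socket_rx: List[Packet] = []  # frames seen by an AF_PACKET tap

    def receive(self, pkt: Packet) -> Tuple[str, str]:
        # AF_PACKET sockets are fed from the link layer, before the IP stack
        # and therefore before any netfilter hook looks at the packet.
        self.packet_socket_rx.append(pkt)
        # The routing decision selects the chain: local delivery goes to
        # INPUT, anything destined for another host goes to FORWARD.
        if pkt.dst in LOCAL_ADDRS:
            return "INPUT", self.INPUT.verdict(pkt)
        return "FORWARD", self.FORWARD.verdict(pkt)


def scenarios() -> dict:
    """Run the constructed cases; returns (chain, verdict) per case."""
    out = {}
    # Constructed: a DHCP server reply addressed to the relay host itself.
    to_relay = Packet("eth0", "udp", "198.51.100.10", "192.0.2.1", 67)
    # Constructed: a packet the host would route on to another subnet.
    in_transit = Packet("eth0", "udp", "198.51.100.10", "203.0.113.5", 68)
    drop = Rule("DROP", proto="udp", in_iface="eth0")   # the rule from the question

    appended = Host()
    appended.INPUT.append(Rule("ACCEPT", proto="udp"))  # an earlier allow rule
    appended.INPUT.append(drop)                         # -A: lands behind it
    out["append_after_accept"] = appended.receive(to_relay)

    inserted = Host()
    inserted.INPUT.append(Rule("ACCEPT", proto="udp"))
    inserted.INPUT.insert(drop)                         # -I: evaluated first
    out["insert_before_accept"] = inserted.receive(to_relay)

    forwarded = Host()
    forwarded.INPUT.insert(drop)                        # INPUT rule only; FORWARD untouched
    out["input_rule_vs_transit"] = forwarded.receive(in_transit)

    # Even where netfilter drops the packet, the AF_PACKET tap already has a copy.
    out["packet_socket_copies"] = len(inserted.packet_socket_rx)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The model deliberately leaves out connection tracking, the other tables and the PREROUTING hook; it is only meant to make the ordering, chain selection and AF_PACKET bypass visible side by side. The practical consequence for the relay host is that a netfilter rule cannot be relied on to hide frames from a daemon that reads them through a packet socket; a filter attached to that socket, or configuration of the daemon itself, is the layer that would see them.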
* Re: dhcrelay still responds dropped inbound offer packets from iptables
From: Jan Engelhardt @ 2005-07-11 11:14 UTC (permalink / raw)
To: Harald Welte; +Cc: netfilter
> My guess is that dhcrelay uses PACKET sockets.
About everything with DHCP from ISC uses AF_PACKET, as far as I can see.
And I guess it's not only ISC. Simply because DHCP needs to play with
"normally unroutable" addresses like 0.0.0.0 and 255.255.255.255. In the
earlier days, one could poke on the kernel's routing tables, today this is not
as easy anymore and we're all better off using PACKET sockets.
Er, this does not help the problem. Dang. Surprisingly, however, despite
PACKET bypassing the firewall, I was able to drop incoming dhcp
packets and dhcpd got nothing...
Jan Engelhardt
--