* DHCP works but iptables should have dropped
@ 2007-10-12 21:32 pockiman
From: pockiman @ 2007-10-12 21:32 UTC (permalink / raw)
To: netfilter
Hello,
I have a Debian (etch) server/firewall with a DHCP server and iptables, with eth3 connected to a switch, and a laptop without a battery pack and without any hard disk, USB stick or anything else that could store information, also connected to that switch; no other computer is connected to that switch.
- I've set the default policy of both IPv4 and IPv6 for all chains to DROP (Debian server)
- there is no rule specified
- the DHCP server is configured (by MAC) to deliver the IP xx.xx.xx.34 to the laptop
- the laptop has a DVD drive with a Knoppix distribution configured to use DHCP
If I boot the laptop, there are 4 packets registered as dropped by the INPUT default policy, but the laptop gets the IP address.
In the syslog of the server there are entries from the DHCP daemon for the request and the answers, but the OUTPUT chain's packet counter is still at 0.
How are the packets (I thought it would be UDP) transmitted?
Thanks in advance,
pockiman
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: DHCP works but iptables should have dropped
From: Petr Pisar @ 2007-10-14 21:22 UTC (permalink / raw)
To: netfilter
On 2007-10-12, pockiman@freenet.de <pockiman@freenet.de> wrote:
>
> I have a Debian (etch) server/firewall with a DHCP server and iptables
[...]
> - I've set the default policy of both IPv4 and IPv6 for all chains to
> DROP (Debian server)
[...]
> If I boot the laptop, there are 4 packets registered as dropped by
> the INPUT default policy, but the laptop gets the IP address.
> In the syslog of the server there are entries from the DHCP daemon
> for the request and the answers, but the OUTPUT chain's
> packet counter is still at 0.
>
> How are the packets (I thought it would be UDP) transmitted?
>
Use "netstat -lnp | grep dhcp". You can see that dhcpd has 2 sockets open.
One is a UDP socket for reply packet transmission, the second one is a raw
socket for request receiving.
The raw socket has one important attribute: it receives packets before
netfilter. The same mechanism is used by tcpdump/libpcap.
Therefore dhcpd can receive packets even if they are blocked by
netfilter. This is a feature, not a bug. I have no idea why ISC's DHCP
server is implemented in this manner, but it is. (Maybe because of the indirect
broadcast destination IP address in the DISCOVER client request.)
-- Petr
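To make Petr's point concrete, here is an added example in Python (not code from this thread or from ISC dhcpd): it constructs the DHCPDISCOVER a diskless client sends (IP source 0.0.0.0, destination 255.255.255.255, which is why the server reads requests from a raw socket rather than a bound UDP socket) and decodes such a frame the way an AF_PACKET raw socket hands it over, link layer included. The client MAC and transaction id are made-up sample values; the `__main__` part opens a Linux AF_PACKET socket, the same pre-netfilter path dhcpd and tcpdump use, so a defender can count what the DHCP server really sees regardless of the INPUT policy.

```python
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"  # magic cookie that starts the DHCP options field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


def build_discover_frame(client_mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Constructed DHCPDISCOVER from a client with no address yet: IP 0.0.0.0 -> 255.255.255.255."""
    options = bytes([53, 1, 1, 255])  # option 53 = message type 1 (DISCOVER), then End (255)
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s4s", 1, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr/yiaddr/siaddr/giaddr
                        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128, DHCP_MAGIC)
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp) + 4, 0) + bootp + options  # 68 -> 67
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp  # checksums left 0; nothing here verifies them
    return b"\xff" * 6 + client_mac + b"\x08\x00" + ip  # Ethernet broadcast dst, 0x0800 = IPv4


def parse_dhcp_frame(frame: bytes):
    """Decode a frame as an AF_PACKET raw socket delivers it (link layer included); None if not DHCP."""
    if len(frame) < 14 + 20 + 8 + 240 or frame[12:14] != b"\x08\x00":
        return None  # too short for a BOOTP header, or not IPv4
    ip = frame[14:]
    udp = ip[(ip[0] & 0x0F) * 4:]  # skip the IP header (IHL is in 32-bit words)
    sport, dport = struct.unpack("!HH", udp[:4])
    bootp = udp[8:]
    if ip[9] != 17 or {sport, dport} != {67, 68} or bootp[236:240] != DHCP_MAGIC:
        return None  # not UDP, not the BOOTP ports, or no DHCP magic cookie
    msg_type, i = None, 240
    while i < len(bootp) and bootp[i] != 255:  # walk TLV options until End (255)
        if bootp[i] == 0:  # Pad option has no length byte
            i += 1
            continue
        if bootp[i] == 53:
            msg_type = bootp[i + 2]
        i += 2 + bootp[i + 1]
    return {
        "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
        "chaddr": bootp[28:28 + bootp[2]].hex(":"),  # client hardware address, hlen bytes
        "type": MSG_TYPES.get(msg_type, msg_type),
    }


if __name__ == "__main__":  # live use on Linux needs root: python3 dhcp_raw.py eth3
    import sys
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0800))
    sock.bind((sys.argv[1], 0))
    while True:
        info = parse_dhcp_frame(sock.recv(65535))
        if info:
            print(info)  # arrives here whatever the iptables INPUT policy says
```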
* Re: DHCP works but iptables should have dropped
From: Gáspár Lajos @ 2007-10-15 12:03 UTC (permalink / raw)
To: Petr Pisar; +Cc: netfilter
[...]
> Use "netstat -lnp | grep dhcp". You can see that dhcpd has 2 sockets open.
> One is a UDP socket for reply packet transmission, the second one is a raw
> socket for request receiving.
>
> The raw socket has one important attribute: it receives packets before
> netfilter. The same mechanism is used by tcpdump/libpcap.
>
>
Are you saying that we CAN NOT "protect" the DHCP server with iptables?
> Therefore dhcpd can receive packets even if they are blocked by
> netfilter. This is a feature, not a bug. I have no idea why ISC's DHCP
> server is implemented in this manner, but it is. (Maybe because of the indirect
> broadcast destination IP address in the DISCOVER client request.)
>
> -- Petr
>
Swifty
* Re: DHCP works but iptables should have dropped
From: Petr Pisar @ 2007-10-15 15:39 UTC (permalink / raw)
To: netfilter
On 2007-10-15, Gáspár Lajos <swifty@freemail.hu> wrote:
>> The raw socket has one important attribute: it receives packets before
>> netfilter. The same mechanism is used by tcpdump/libpcap.
>>
> Are you saying that we CAN NOT "protect" the DHCP server with iptables?
>
The way you say it is bad, but it's true.
OTOH, how do you want to protect the server from malicious packets which
have source address 0.0.0.0? It makes no sense. Just omit the interface
name in the argument list of dhcpd and be happy ;)
-- Petr