
    iptables but dhcp allowed

    Hi, I am trying to make a very restrictive firewall ...

    I am using iptables. I have noted that even if iptables
    has the rule to drop any input or output packet ...
    DHCP traffic still gets done and the computer is
    correctly configured (but then I can't make any connection,
    as expected).

    Why this behaviour? Is it because DHCP is enabled under
    network preferences?

    Are there other protocols that are not filtered
    by iptables?

    How can I be more selective in selecting all traffic?

    And what about IPv6?

    Many thanks in advance to all :-)


    #2
    Re: iptables but dhcp allowed


    DHCP runs over UDP (not TCP) on ports 67 & 68. You need to ensure you are filtering the correct protocol.

    Now the larger question - why are you filtering this? Seems a better idea to manually configure the network settings and disable DHCP.

    \\uSlacker
    'a turtle on the information highway since 1989'



      #3
      Re: iptables but dhcp allowed

      Simply, I am starting to configure the firewall through iptables. The first rule was to block all ... then I will add rules to allow the desired traffic. In the end I'd like to use DHCP ... but I was surprised that even without an explicit rule ... the DHCP traffic is not blocked ...
      And this makes me think that I am making some error somewhere ... and it is not nice that a firewall isn't correctly configured without knowing this ;-)



        #4
        Re: iptables but dhcp allowed


        Two things occur to me. Understand, I've not used iptables.

        - is your iptables config currently blocking TCP and UDP traffic?

        - DHCP happens pretty early in the boot process. During boot, does iptables start first?

        \\uSlacker
        'a turtle on the information highway since 1989'



          #5
          Re: iptables but dhcp allowed

          Yes ... I am blocking all:

          iptables -F
          iptables -X
          iptables -Z

          iptables -P INPUT DROP
          iptables -P OUTPUT DROP
          iptables -P FORWARD DROP

          Even with this, DHCP traffic will pass through!!!

          You are right ... DHCP will come very early ... but I have, for example,
          called dhclient after boot and the traffic still gets done!!!

          Note that other connections like browsing (TCP) or NTP (UDP) will
          not pass ... odd stuff, this!!!

          What are you using as a firewall? Not iptables?

          Bye!



            #6
            Re: iptables but dhcp allowed

            This is indeed an interesting problem. I got to learn something about the Linux kernel and DHCP today. As always, Google is your friend.

            A short reply I found elsewhere:
            You did. But it doesn't matter much, because the problem is that the
            dhcpd brings its own set of IP operations (yuck!) and handles
            interfaces in packet mode. So you probably have to go to ethernet level
            in order to effectively manage that... Googling showed up this in
            Shorewall's DHCP how-to:

            ---snip
            Note

            For most operations, DHCP software interfaces to the Linux IP stack at
            a level below Netfilter. Hence, Netfilter (and therefore Shorewall)
            cannot be used effectively to police DHCP. The “dhcp” interface option
            described in this article allows for Netfilter to stay out of DHCP's
            way for those operations that can be controlled by Netfilter and
            prevents unwanted logging of DHCP-related traffic by
            Shorewall-generated Netfilter logging rules.
            ---snip

            So shorewall basically only offers the option to keep out of dhcpd's
            way completely.

            Maybe you can reach your goal by setting up a filtering bridge to a
            dummy device on which dhcpd can listen. Or you just rely on QoS/Traffic
            shaping, if that's possible...

            -hwh
            Hope this explains it.

            \\uSlacker
            'a turtle on the information highway since 1989'
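One defender-side check that follows from the Shorewall note above, added here as an example and not code from the thread, from Shorewall or from any DHCP client: list the AF_PACKET sockets open on the host (the sockets whose traffic the iptables INPUT and OUTPUT chains never see) and map each back to the process holding it. It assumes a Linux /proc layout; the embedded /proc/net/packet sample is constructed.

```python
"""Audit which processes hold AF_PACKET sockets; assumes the Linux /proc layout.
Packet sockets sit below netfilter, so their traffic never passes the iptables
INPUT/OUTPUT chains; dhclient uses them, hence DROP policies do not stop DHCP."""
from __future__ import annotations
import os
import re
from dataclasses import dataclass

SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}  # sk_type values
ETHERTYPES = {0x0003: "ETH_P_ALL", 0x0800: "ETH_P_IP", 0x86DD: "ETH_P_IPV6"}

# Constructed sample of /proc/net/packet: a root-owned SOCK_RAW/ETH_P_IP socket on
# ifindex 2 (the shape of an ISC dhclient socket) and a capture socket of uid 1000.
SAMPLE = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a3b 3      3    0800   2     1 0      0      31337
ffff9a3c 2      2    0003   0     1 0      1000   42424
"""

@dataclass
class PacketSocket:
    sock_type: str
    proto: str
    ifindex: int
    uid: int
    inode: int

def parse_proc_net_packet(text: str) -> list[PacketSocket]:
    """Columns: sk RefCnt Type Proto Iface R Rmem User Inode; Proto is hex."""
    out = []
    for f in (line.split() for line in text.splitlines()[1:]):  # skip header
        if len(f) >= 9:
            stype, proto = int(f[2]), int(f[3], 16)
            out.append(PacketSocket(SOCK_TYPES.get(stype, f"type{stype}"),
                                    ETHERTYPES.get(proto, f"0x{proto:04x}"),
                                    int(f[4]), int(f[7]), int(f[8])))
    return out

def owners_of(inodes: set[int], proc: str = "/proc") -> dict[int, list[int]]:
    """Map socket inodes to PIDs via /proc/<pid>/fd; unreadable processes are skipped."""
    found: dict[int, list[int]] = {i: [] for i in inodes}
    for pid in (p for p in os.listdir(proc) if p.isdigit()):
        try:
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"{proc}/{pid}/fd/{fd}"))
                if m and int(m.group(1)) in found:
                    found[int(m.group(1))].append(int(pid))
        except OSError:
            continue
    return found
```

On a live host, pass `open("/proc/net/packet").read()` to `parse_proc_net_packet` and the resulting inodes to `owners_of`; a root-owned SOCK_RAW socket on the uplink interface that resolves to the DHCP client is the traffic the thread's DROP policies never saw.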



              #7
              Re: iptables but dhcp allowed

              I have found this:

              http://archivum.info/netfilter/2002-05/msg00882.html

              that says that DHCP traffic works "under" iptables ;-)

              I will not block DHCP, I use it!! I was only surprised
              that many iptables tutorials and even the Firestarter
              firewall have options for enabling DHCP, while for me it
              always works. In the end I don't allow DHCP at the
              iptables level ... I leave the client to do it
              at a lower level ...

              Now I trust the information I have collected. The allowed
              DHCP traffic is not a problem ... I know now that this "is
              normal" ... I hope.

              The same happens on another computer, and now I
              have asked a friend of mine to try the same code ...

              PS: if I am not wrong, even Firestarter with all traffic
              blocked, no DHCP, will let DHCP traffic through!!!
