RE: help bootp filters

If I'm not wrong, I think tcpdump works on a different layer to netfilter, so even though it's dropped, I think tcpdump still sees them... but I may be wrong.
Does it eventually give out DHCP IPs or receive an IP address, or doesn't it? If DHCP isn't working then it's probably dropped, but tcpdump still sees them.
 
I just did a test from work to home, where I'm definitely blocking port 6665, and I get the same results, but I know 6665 is being dropped... yet tcpdump catches it before netfilter.
 
Jun 16 22:52:24 newjackswing kernel: INET IN=ppp0 OUT= MAC= SRC=203.111.79.114 DST=150.101.112.146 LEN=60 TOS=0x00 PREC=0xE0 TTL=50 ID=44842 DF PROTO=TCP SPT=3698 DPT=6665 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405840402080A0B09245F0000000001030300)

[root@xxxxxxxxxxxx /usr]# tcpdump -x port 6665
Kernel filter, protocol ALL, datagram packet socket
tcpdump: listening on all devices
22:52:24.984380 if134 < work.domain.com.3698 > myhome.domain.com.6665: S 614501237:614501237(0) win 5840 <mss 1412,sackOK,timestamp 185148511 0,nop,wscale 0> (DF) [tos 0xe0]
                         45e0 003c af2a 4000 3206 76d8 cb6f 4f72
                         9665 7092 0e72 1a09 24a0 8b75 0000 0000
                         a002 16d0 0795 0000 0204 0584 0402 080a
                         0b09 245f 0000 0000 0103 0300

So I think I might be right? Anybody wanna shed some light with this layer stuff ;) I'm confused on that part ;P

	-----Original Message----- 
	From: Yoann [mailto:yoann.juet@xxxxxxxxxxx] 
	Sent: Mon 16-Jun-03 9:33 PM 
	To: netfilter@xxxxxxxxxxxxxxxxxxx 
	Cc: 
	Subject: help bootp filters
	
	
	
	Hi,
	 
	I'm experiencing trouble with netfilter/iptables on rh9. I configured a server with the following rules to accept, for the moment, just SSH sessions; everything else is dropped.
	 
	$IPTABLES -P INPUT DROP      
	$IPTABLES -P FORWARD DROP   
	$IPTABLES -P OUTPUT DROP 
	 
	$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT
	$IPTABLES -A OUTPUT -o $LO_IFACE -j ACCEPT
	 
	$IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT 
	$IPTABLES -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT 
	 
	$IPTABLES -A INPUT -j LOG --log-level warning --log-prefix "DROP input packet died: "
	$IPTABLES -A OUTPUT -j LOG --log-level warning --log-prefix "DROP output packet died: " 
	 
	It works fine, except for DHCP/BOOTP requests. In fact, the server (single interface with IP address 192.168.2.110) is also a DHCP server and responds to BOOTP requests as shown below:
	
	[root@xxxxxx root]# tcpdump port 67 or 68
	tcpdump: listening on eth0
	17:10:30.925605 0.0.0.0.bootpc > 255.255.255.255.bootps:  xid:0x9a499735 flags:0x8000 [|bootp]
	17:10:31.005330 192.168.2.1.bootps > 255.255.255.255.bootpc:  xid:0x9a499735 flags:0x8000 Y:192.168.2.110 S:192.168.2.1 ether 0:90:f5:c:80:a0 [|bootp] [tos 0x10]
	 
	The netfilter log messages are shown below:
	 
	Jun 12 17:28:29 pluton kernel: DROP input packet died: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:90:f5:0c:80:a0:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=55877 PROTO=UDP SPT=68 DPT=67 LEN=308
	Jun 12 17:28:29 pluton kernel: DROP output packet died: IN= OUT=eth0 SRC=192.168.2.1 DST=192.168.2.110 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=63703 SEQ=0
	 
	Can you explain to me why a BOOTP response is sent even though such packets (seem to be) dropped by the iptables rules?
	 
	Many thanks,
	Regards,
	Yoann.
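The point both posters circle around is that a packet showing up in tcpdump says nothing about the netfilter verdict; the kernel LOG line is the evidence of what netfilter did. The following Python is an added example, written for this thread and not code from either poster: it parses netfilter LOG lines (the `kernel: prefix IN=... SRC=... PROTO=...` key=value format quoted above) and numeric tcpdump summary lines (the `tcpdump -n` output form is assumed; hex dump lines from `-x` are ignored), and reports for each captured flow whether netfilter logged it. The sample lines are constructed to mirror the thread, with documentation addresses in place of the real ones. In Yoann's rule set every packet that reaches the LOG rule then falls through to the chain's DROP policy, so "logged" there means dropped; a captured packet that is never logged either matched an earlier ACCEPT rule or never traversed the chain at all.

```python
import re
from typing import Dict, List, Optional, NamedTuple


class Flow(NamedTuple):
    proto: str
    src: str
    spt: Optional[int]      # None for protocols without ports (ICMP)
    dst: str
    dpt: Optional[int]


# Constructed sample data modelled on the lines quoted in the thread.
TCPDUMP_SAMPLE = """\
22:52:24.984380 IP 203.0.113.10.3698 > 198.51.100.5.6665: Flags [S], seq 614501237, win 5840, length 0
17:10:30.925605 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request, length 300
17:10:31.005330 IP 192.168.2.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
"""

NETFILTER_SAMPLE = """\
Jun 16 22:52:24 newjackswing kernel: INET IN=ppp0 OUT= MAC= SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0xE0 TTL=50 ID=44842 DF PROTO=TCP SPT=3698 DPT=6665 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405840402080A0B09245F0000000001030300)
Jun 12 17:28:29 pluton kernel: DROP input packet died: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:90:f5:0c:80:a0:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=55877 PROTO=UDP SPT=68 DPT=67 LEN=308
Jun 12 17:28:29 pluton kernel: DROP output packet died: IN= OUT=eth0 SRC=192.168.2.1 DST=192.168.2.110 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=63703 SEQ=0
"""

# The free-text --log-prefix sits between "kernel: " and the first "IN=" field.
LOG_LINE_RE = re.compile(r"kernel: (?P<prefix>.*?)\s*(?P<body>IN=.*)$")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# tcpdump -n summary line: "HH:MM:SS.usec IP a.b.c.d.port > e.f.g.h.port: ..."
TCPDUMP_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP (?P<src>[\d.]+)\.(?P<spt>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dpt>\d+): (?P<rest>.*)$"
)


def parse_netfilter_log(text: str) -> List[dict]:
    """Split each LOG line into its prefix, key=value fields and bare flags."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE_RE.search(line)
        if not m:
            continue
        fields: Dict[str, str] = {}
        for key, value in KV_RE.findall(m["body"]):
            # LEN and ID repeat for the transport header; keep the IP header's value.
            fields.setdefault(key, value)
        # Tokens without "=" (DF, SYN, ACK, OPT, ...) are flags.
        flags = {tok for tok in m["body"].split()
                 if "=" not in tok and tok.isalpha() and tok.isupper()}
        entries.append({"prefix": m["prefix"], "fields": fields, "flags": flags})
    return entries


def flow_of(fields: Dict[str, str]) -> Flow:
    """5-tuple of a LOG entry; ICMP entries carry no SPT/DPT."""
    def port(key: str) -> Optional[int]:
        return int(fields[key]) if key in fields else None
    return Flow(fields["PROTO"], fields["SRC"], port("SPT"), fields["DST"], port("DPT"))


def parse_tcpdump(text: str) -> List[Flow]:
    """Extract 5-tuples from tcpdump -n summary lines; hex dump lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if not m:
            continue
        # tcpdump prints TCP flags in brackets; everything else here is UDP.
        proto = "TCP" if m["rest"].startswith("Flags [") else "UDP"
        flows.append(Flow(proto, m["src"], int(m["spt"]), m["dst"], int(m["dpt"])))
    return flows


def correlate(tcpdump_text: str, netfilter_text: str) -> Dict[Flow, str]:
    """For each captured flow, say whether a netfilter LOG rule ever saw it."""
    logged = {flow_of(e["fields"]) for e in parse_netfilter_log(netfilter_text)}
    return {flow: ("logged by netfilter" if flow in logged else "captured only")
            for flow in parse_tcpdump(tcpdump_text)}


if __name__ == "__main__":
    for flow, verdict in correlate(TCPDUMP_SAMPLE, NETFILTER_SAMPLE).items():
        print(f"{flow.proto} {flow.src}:{flow.spt} -> {flow.dst}:{flow.dpt}: {verdict}")
```

Run over the sample, the SYN to port 6665 and the DHCP request both come back as "logged by netfilter", which is the proof the first poster wanted: tcpdump captures on the packet socket before the INPUT chain runs, so seeing the packet there is expected even when it is dropped. The DHCP reply comes back as "captured only". With a catch-all LOG rule ahead of an OUTPUT DROP policy, a packet that is captured but never logged did not traverse the OUTPUT chain at all, which is what happens when a DHCP server writes its replies through a raw packet socket rather than the IP stack; that is the place to look when answering Yoann's question.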
