George,

In fact, the server gives out DHCP IPs... this is why I'm surprised.

----- Original Message -----
From: "George Vieira" <georgev@xxxxxxxxxxxxxxxxxxxxxx>
To: "Yoann" <yoann.juet@xxxxxxxxxxx>; <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Monday, June 16, 2003 2:56 PM
Subject: RE: help bootp filters

> If I'm not wrong, I think tcpdump works on a different layer to netfilter, so even though it's dropped I think tcpdump still sees them.... but I may be wrong.
> Does it eventually give out DHCP IPs or receive an IP address, or doesn't it? If DHCP isn't working then it's probably dropped but tcpdump still sees them..
>
> I just did a test from work to home, in which I'm definitely blocking port 6665, and I get the same results, but I know 6665 is being dropped... yet TCPDUMP catches it before netfilter.
>
> Jun 16 22:52:24 newjackswing kernel: INET IN=ppp0 OUT= MAC= SRC=203.111.79.114 DST=150.101.112.146 LEN=60 TOS=0x00 PREC=0xE0 TTL=50 ID=44842 DF PROTO=TCP SPT=3698 DPT=6665 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405840402080A0B09245F0000000001030300)
>
> [root@xxxxxxxxxxxx /usr]# tcpdump -x port 6665
> Kernel filter, protocol ALL, datagram packet socket
> tcpdump: listening on all devices
> 22:52:24.984380 if134 < work.domain.com.3698 > myhome.domain.com.6665: S 614501237:614501237(0) win 5840 <mss 1412,sackOK,timestamp 185148511 0,nop,wscale 0> (DF) [tos 0xe0]
> 45e0 003c af2a 4000 3206 76d8 cb6f 4f72
> 9665 7092 0e72 1a09 24a0 8b75 0000 0000
> a002 16d0 0795 0000 0204 0584 0402 080a
> 0b09 245f 0000 0000 0103 0300
>
> So I think I might be right? Anybody wanna shed some light on this layer stuff ;) I'm confused on that part ;P
>
> -----Original Message-----
> From: Yoann [mailto:yoann.juet@xxxxxxxxxxx]
> Sent: Mon 16-Jun-03 9:33 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Cc:
> Subject: help bootp filters
>
>
> Hi,
>
> I am experiencing trouble with netfilter/iptables on rh9.
> I configured a server with the following rules, just to accept SSH sessions for the moment; everything else is dropped.
>
> $IPTABLES -P INPUT DROP
> $IPTABLES -P FORWARD DROP
> $IPTABLES -P OUTPUT DROP
>
> $IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT
> $IPTABLES -A OUTPUT -o $LO_IFACE -j ACCEPT
>
> $IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
> $IPTABLES -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
>
> $IPTABLES -A INPUT -j LOG --log-level warning --log-prefix "DROP input packet died: "
> $IPTABLES -A OUTPUT -j LOG --log-level warning --log-prefix "DROP output packet died: "
>
> It works fine, except for DHCP/BOOTP requests. In fact, the server (single interface with IP address 192.168.2.110) is also a DHCP server and responds to BOOTP requests as shown below:
>
> [root@xxxxxx root]# tcpdump port 67 or 68
> tcpdump: listening on eth0
> 17:10:30.925605 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x9a499735 flags:0x8000 [|bootp]
> 17:10:31.005330 192.168.2.1.bootps > 255.255.255.255.bootpc: xid:0x9a499735 flags:0x8000 Y:192.168.2.110 S:192.168.2.1 ether 0:90:f5:c:80:a0 [|bootp] [tos 0x10]
>
> The netfilter log messages are shown below:
>
> Jun 12 17:28:29 pluton kernel: DROP input packet died: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:90:f5:0c:80:a0:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=55877 PROTO=UDP SPT=68 DPT=67 LEN=308
> Jun 12 17:28:29 pluton kernel: DROP output packet died: IN= OUT=eth0 SRC=192.168.2.1 DST=192.168.2.110 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=63703 SEQ=0
>
> Can you explain to me why a BOOTP response is sent even though such packets (seem to be) dropped by the iptables rules?
>
> Many thanks,
> Regards,
> Yoann.
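Both observations in the thread fit together: tcpdump and, on Linux, ISC dhcpd read the wire through packet sockets, which receive their copy of a frame before the netfilter INPUT hook, so a DROP in INPUT neither hides the packet from tcpdump nor stops dhcpd from answering. The LOG lines are still the reliable record of what the ruleset actually drops; as an added example (not code from the thread or from the netfilter project), here is a small Python parser for that LOG format that counts drops per chain and flow and flags DHCP client requests, fed with the two lines quoted above plus one constructed line:

```python
import re
from collections import Counter

# Constructed sample input: the two netfilter LOG lines quoted in the thread, plus a
# second constructed dropped DHCP request so that aggregation has something to count.
SAMPLE_LOG = """\
Jun 12 17:28:29 pluton kernel: DROP input packet died: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:90:f5:0c:80:a0:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=55877 PROTO=UDP SPT=68 DPT=67 LEN=308
Jun 12 17:28:29 pluton kernel: DROP output packet died: IN= OUT=eth0 SRC=192.168.2.1 DST=192.168.2.110 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=63703 SEQ=0
Jun 12 17:28:35 pluton kernel: DROP input packet died: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:90:f5:0c:80:a0:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=55878 PROTO=UDP SPT=68 DPT=67 LEN=308
"""

# A LOG line is: syslog timestamp, host, "kernel:", the --log-prefix, then KEY=VALUE tokens.
# Bare tokens (DF, SYN) are flags; a repeated key (LEN, ID) keeps its first value, i.e. the
# IP-header one rather than the transport-layer one.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)(?=\bIN=)(?P<fields>.*)$"
)

def parse_log_line(line):
    """Return a dict of the LOG fields, or None if the line is not a netfilter LOG entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "prefix": m.group("prefix").strip(), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec.setdefault(key, val)
        else:
            rec["flags"].append(tok)
    # IN=eth0 OUT= means the packet hit the INPUT chain; IN= OUT=eth0 means OUTPUT.
    rec["chain"] = "INPUT" if rec.get("IN") else "OUTPUT"
    return rec

def flow_key(rec):
    """(chain, proto, sport or ICMP type, dport or ICMP code) for per-flow counting."""
    proto = rec.get("PROTO", "?")
    if proto == "ICMP":
        return (rec["chain"], proto, "type " + rec.get("TYPE", "?"), "code " + rec.get("CODE", "?"))
    return (rec["chain"], proto, rec.get("SPT"), rec.get("DPT"))

def is_dhcp_request(rec):
    """DHCP/BOOTP client request: UDP 68 -> 67, typically SRC=0.0.0.0 DST=255.255.255.255."""
    return rec.get("PROTO") == "UDP" and rec.get("SPT") == "68" and rec.get("DPT") == "67"

def summarize(log_text):
    """Count dropped packets per flow over the whole log text; non-LOG lines are skipped."""
    return Counter(flow_key(r) for r in map(parse_log_line, log_text.splitlines()) if r)
```

A flow reported as INPUT UDP 68 -> 67 is the ruleset dropping DHCP requests; the fix is explicit ACCEPT rules for UDP 67/68 on INPUT and OUTPUT rather than relying on dhcpd reading the wire around netfilter.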