Hi,

I'm having trouble with netfilter on rh9. I configured my firewall with the following rules just to accept, for the moment, SSH sessions; everything else is dropped.
IPTABLES=/sbin/iptables   # assumed path, not given in the original post
LO_IFACE=lo               # assumed value, not given in the original post

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -o $LO_IFACE -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -j LOG --log-level warning --log-prefix "DROP input packet died: "
$IPTABLES -A OUTPUT -j LOG --log-level warning --log-prefix "DROP output packet died: "

It works fine, except for DHCP/BOOTP requests. In fact, the firewall (single interface with IP address 192.168.2.110) is also a DHCP server and responds to BOOTP requests as shown below:

[root@xxxxxx root]# tcpdump port 67 or 68
tcpdump: listening on eth0
17:10:30.925605 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0x9a499735 flags:0x8000 [|bootp]
17:10:31.005330 192.168.2.1.bootps > 255.255.255.255.bootpc: xid:0x9a499735 flags:0x8000 Y:192.168.2.110 S:192.168.2.1 ether 0:90:f5:c:80:a0 [|bootp] [tos 0x10]

The netfilter log messages are shown below:
Jun 12 17:28:29 pluton kernel: DROP input packet died: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:90:f5:0c:80:a0:08:00 SRC="" DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=55877 PROTO=UDP SPT=68 DPT=67 LEN=308
Jun 12 17:28:29 pluton kernel: DROP output packet died: IN= OUT=eth0 SRC="" DST=192.168.2.110 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=63703 SEQ=0

Can you explain to me why a BOOTP response is sent even though this is dropped by the iptables rules?
Many thanks,

Regards, Yoann.
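The two kernel LOG entries quoted in the post are the raw material for any monitoring of what the DROP policy is discarding. As an added example (not part of Yoann's post or of netfilter itself), here is a small Python parser for netfilter LOG-target output that turns such lines into dictionaries, coping with the empty IN=/OUT= fields, the quoted SRC value, the LEN and ID keys that appear twice (IP header, then UDP/ICMP header), and the 14-octet MAC field, and then tags dropped DHCP/BOOTP packets so they stand out in a per-prefix summary. The sample lines are the two from the post; the function names and the classification labels are my own.

```python
"""Parse netfilter LOG-target lines and flag dropped DHCP/BOOTP traffic.
Added example, not code from the original post."""
import re
from collections import Counter

# Sample input: the two kernel log entries quoted in the post, reproduced
# as they appear there (including the SRC="" quirk).
SAMPLE_LOG = [
    'Jun 12 17:28:29 pluton kernel: DROP input packet died: IN=eth0 OUT= '
    'MAC=ff:ff:ff:ff:ff:ff:00:90:f5:0c:80:a0:08:00 SRC="" DST=255.255.255.255 '
    'LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=55877 PROTO=UDP SPT=68 DPT=67 LEN=308',
    'Jun 12 17:28:29 pluton kernel: DROP output packet died: IN= OUT=eth0 SRC="" '
    'DST=192.168.2.110 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP '
    'TYPE=8 CODE=0 ID=63703 SEQ=0',
]

# syslog timestamp, host, "kernel:", the free-form --log-prefix, then the
# KEY=VALUE fields which always start with IN=
HEADER_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+'
    r'(?P<host>\S+)\s+kernel:\s+(?P<prefix>.*?)\s*(?P<fields>\bIN=.*)$'
)

DHCP_PORTS = {67, 68}   # bootps / bootpc


def _coerce(value):
    """Strip surrounding quotes; empty -> None; decimal digits -> int."""
    value = value.strip('"')
    if value == '':
        return None
    if value.isdigit():
        return int(value)
    return value


def parse_log_line(line):
    """Return a dict for one netfilter LOG line, or None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {'ts': m['ts'], 'host': m['host'], 'prefix': m['prefix']}
    for token in m['fields'].split():
        if '=' in token:
            key, _, raw = token.partition('=')
            # LEN and ID occur twice (IP header, then L4 header): keep the
            # second occurrence under KEY_2 instead of overwriting the first.
            if key in rec:
                key = key + '_2'
            rec[key] = _coerce(raw)
        else:
            rec[token] = True   # bare flags such as DF, SYN, ACK
    mac = rec.get('MAC')
    if isinstance(mac, str):
        octets = mac.split(':')
        if len(octets) == 14:   # dst MAC (6) + src MAC (6) + ethertype (2)
            rec['mac_dst'] = ':'.join(octets[0:6])
            rec['mac_src'] = ':'.join(octets[6:12])
            rec['ethertype'] = ''.join(octets[12:14])
    return rec


def classify(rec):
    """Label a parsed record so dropped DHCP traffic stands out in a summary."""
    proto = rec.get('PROTO')
    if proto == 'UDP' and {rec.get('SPT'), rec.get('DPT')} & DHCP_PORTS:
        direction = 'client->server' if rec.get('DPT') == 67 else 'server->client'
        return 'dhcp/bootp ' + direction
    if proto == 'ICMP':
        return 'icmp type=%s code=%s' % (rec.get('TYPE'), rec.get('CODE'))
    if proto in ('TCP', 'UDP'):
        return '%s dport=%s' % (proto.lower(), rec.get('DPT'))
    return 'other proto=%s' % proto


def summarize(lines):
    """Count dropped packets per (log prefix, classification)."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec:
            counts[(rec['prefix'], classify(rec))] += 1
    return counts


if __name__ == '__main__':
    for (prefix, label), n in summarize(SAMPLE_LOG).items():
        print('%4d  %-28s %s' % (n, prefix, label))
```

Feeding `/var/log/messages` through `summarize` (one line per list element) gives a quick count of how often each chain's LOG rule fired and for what kind of traffic; the DHCP label makes it easy to confirm that the only broadcast traffic being logged is the client request on ports 68 to 67, which is what the post's first log entry shows.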