source-mac filtering

Hi,

I've run into a strange problem. I have a dhcp-server on a 2.4.22 kernel with a 1.2.8 iptables. The dhcp-server is configured only to offer IP-addresses to one single mac-address (it is a single host on a private network).

However, I'd like to block all other mac-addresses on this interface since I plan to have a W-LAN here as well (to prevent attackers from using potential exploits in the dhcp-server).

The mac-filter works fine for http, telnet, ssh and so on; I can see the drop-counter increasing and no traffic is let through (when I change the mac-address in the iptables-config to something else than what I have on my "dhcp-client-host"). BUT the dhcp-server keeps sending offers and ACKs even though the incoming discover/request is blocked by iptables.

What makes this even more strange is that the "DROP-counters" when using "iptables -L -v" increase, and at the same time the dhcp server responds to the requests.

I'm using Internet Software Consortium DHCP Server V3.0.1rc11.

The machine has only one physical interface with two IPs, one private and one public. The IP-address offered by the dhcp-server is private (as seen below).

Does anyone have a clue?

br Håkan Engblom

Some "logs":

00:30:88:00:63:10 is my DSL-connection (having two accepted packets during this test).

X.X.X.X is my public IP.

(This is not the complete iptables, but it is the interesting part for this matter.)

00:08:29.540872 0.0.0.0 -> 255.255.255.255 DHCP DHCP Discover - Transaction ID 0xae749e48
00:08:29.541303 X.X.X.X -> 10.0.0.217 DHCP DHCP Offer - Transaction ID 0xae749e48
00:08:29.542117 0.0.0.0 -> 255.255.255.255 DHCP DHCP Request - Transaction ID 0xae749e48
00:08:29.542299 X.X.X.X -> 10.0.0.217 DHCP DHCP ACK - Transaction ID 0xae749e48
# date
Sun Jan 11 00:08:08 CET 2004
# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 mactable all -- eth0 any anywhere anywhere
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 DROP !icmp -- any any anywhere anywhere state INVALID
0 0 eth0_in all -- eth0 any !10.0.0.0/24 anywhere
0 0 eth0_1_in all -- eth0 any anywhere anywhere
0 0 common all -- any any anywhere anywhere


Chain mactable (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere MAC 01:01:01:01:01:01
0 0 RETURN all -- any any anywhere anywhere MAC 00:30:88:00:63:10
0 0 RETURN all -- any any anywhere anywhere MAC 00:90:D0:AF:A3:F1
0 0 LOG all -- any any anywhere anywhere LOG level info prefix `Shorewall:mac:DROP:'
0 0 DROP all -- any any anywhere anywhere


# date
Sun Jan 11 00:08:36 CET 2004
# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4 948 mactable all -- eth0 any anywhere anywhere
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 DROP !icmp -- any any anywhere anywhere state INVALID
2 288 eth0_in all -- eth0 any !10.0.0.0/24 anywhere
0 0 eth0_1_in all -- eth0 any anywhere anywhere
0 0 common all -- any any anywhere anywhere


Chain mactable (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere MAC 01:01:01:01:01:01
2 288 RETURN all -- any any anywhere anywhere MAC 00:30:88:00:63:10
0 0 RETURN all -- any any anywhere anywhere MAC 00:90:D0:AF:A3:F1
2 660 LOG all -- any any anywhere anywhere LOG level info prefix `Shorewall:mac:DROP:'
2 660 DROP all -- any any anywhere anywhere
#
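As an added example (not part of the original message or of ISC dhcpd): the author compares the counters of two `iptables -L -v` runs by eye to see which rules matched. The Python script below does the same comparison mechanically. The two snapshots are constructed from the INPUT and mactable chains quoted in the post, embedded so the script runs offline; the parser also handles the K/M/G abbreviations `iptables -v` prints for large counters when `-x` is not given.

```python
"""Diff two `iptables -L -v` snapshots and list the rules whose counters moved."""
import re
from dataclasses import dataclass

# Constructed input: the two `iptables -L -v` runs quoted in the post,
# INPUT and mactable chains only (whitespace-collapsed, as in the archive).
SNAPSHOT_BEFORE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 mactable all -- eth0 any anywhere anywhere
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 DROP !icmp -- any any anywhere anywhere state INVALID
0 0 eth0_in all -- eth0 any !10.0.0.0/24 anywhere
0 0 eth0_1_in all -- eth0 any anywhere anywhere
0 0 common all -- any any anywhere anywhere

Chain mactable (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere MAC 01:01:01:01:01:01
0 0 RETURN all -- any any anywhere anywhere MAC 00:30:88:00:63:10
0 0 RETURN all -- any any anywhere anywhere MAC 00:90:D0:AF:A3:F1
0 0 LOG all -- any any anywhere anywhere LOG level info prefix `Shorewall:mac:DROP:'
0 0 DROP all -- any any anywhere anywhere
"""

SNAPSHOT_AFTER = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4 948 mactable all -- eth0 any anywhere anywhere
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 DROP !icmp -- any any anywhere anywhere state INVALID
2 288 eth0_in all -- eth0 any !10.0.0.0/24 anywhere
0 0 eth0_1_in all -- eth0 any anywhere anywhere
0 0 common all -- any any anywhere anywhere

Chain mactable (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere MAC 01:01:01:01:01:01
2 288 RETURN all -- any any anywhere anywhere MAC 00:30:88:00:63:10
0 0 RETURN all -- any any anywhere anywhere MAC 00:90:D0:AF:A3:F1
2 660 LOG all -- any any anywhere anywhere LOG level info prefix `Shorewall:mac:DROP:'
2 660 DROP all -- any any anywhere anywhere
"""

# iptables -v (without -x) rounds large counters to thousands-based K/M/G.
_SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def _count(field):
    """Parse one pkts/bytes column, expanding a K/M/G suffix (approximate)."""
    m = re.fullmatch(r"(\d+)([KMG]?)", field)
    if not m:
        raise ValueError(f"not a counter field: {field!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


@dataclass(frozen=True)
class Rule:
    chain: str
    index: int   # 1-based position in the chain, as --line-numbers would show
    target: str
    spec: str    # rest of the line: prot, opt, in, out, source, destination, matches


def parse_counters(text):
    """Return {Rule: (pkts, bytes)} from `iptables -L -v` output."""
    counters = {}
    chain, index = None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):          # "Chain INPUT (policy DROP ...)"
            chain, index = line.split()[1], 0
            continue
        if line.startswith("pkts "):           # column header
            continue
        if chain is None:
            raise ValueError("rule line before any chain header")
        fields = line.split(None, 3)           # pkts, bytes, target, remainder
        if len(fields) < 3:
            raise ValueError(f"unparseable rule line: {line!r}")
        index += 1
        spec = fields[3] if len(fields) == 4 else ""
        counters[Rule(chain, index, fields[2], spec)] = (_count(fields[0]), _count(fields[1]))
    return counters


def counter_deltas(before_text, after_text):
    """[(rule, pkt_delta, byte_delta)] for rules whose packet counter changed.

    A rule that is missing from the earlier snapshot (inserted in between)
    is counted from zero; keying on chain+index+target+spec keeps rules
    with identical targets but different MAC matches apart.
    """
    before = parse_counters(before_text)
    after = parse_counters(after_text)
    deltas = []
    for rule, (p1, b1) in after.items():
        p0, b0 = before.get(rule, (0, 0))
        if p1 != p0:
            deltas.append((rule, p1 - p0, b1 - b0))
    return deltas


def report(before_text, after_text):
    """One human-readable line per rule that matched traffic between the runs."""
    return [f"{r.chain:>9} #{r.index} {r.target:<9} +{dp} pkts +{db} bytes  {r.spec}"
            for r, dp, db in counter_deltas(before_text, after_text)]


if __name__ == "__main__":
    print("\n".join(report(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)))
```

Run on the two snapshots it confirms what the post reads off by hand: two packets reached the mactable LOG and DROP rules while the DHCP exchange nevertheless completed. One thing the counters cannot show is why: a DHCP server such as ISC dhcpd normally receives on a raw packet socket (LPF on Linux), which is handed a copy of the frame before it enters the IP layer where the INPUT chain runs, so a rising DROP counter there does not mean the daemon never saw the packet. For that reason a MAC restriction on the server has to be enforced by something that sits below IP, such as the server's own per-host allow-list that the post says is already configured.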

