Re: source-mac filtering

dhcpd takes and puts packets via netlink sockets, which bypass the whole
IP stack. So in short, you cannot filter the requests or the responses.

Ramin

On Sun, Jan 11, 2004 at 12:20:06AM +0100, Håkan Engblom wrote:

> Hi,
> 
> I've run into a strange problem. I have a dhcp-server on a 2.4.22 kernel 
> with a 1.2.8 iptables. The dhcp-server is configured only to offer 
> IP-addresses to one single mac-address (it is a single host on a private 
> network).
> 
> However, I'd like to block all other mac-addresses on this interface since I 
> plan to have a W-LAN here as well (to prevent attackers from using 
> potential exploits in the dhcp-server).
> 
> The mac-filter works fine for http, telnet, ssh and so on; I can see the 
> drop-counter increasing and no traffic is let through (when I change the 
> mac-address in the iptables-config to something else than what I have on my 
> "dhcp-client-host"). BUT the dhcp-server keeps sending offers and ACKs 
> even though the incoming discover/request is blocked by iptables.
> 
> What makes this even more strange is that the "DROP-counters" shown by 
> "iptables -L -v" increase, and at the same time the dhcp server responds 
> to the requests.
> 
> I'm using Internet Software Consortium DHCP Server V3.0.1rc11
> 
> The machine has only one physical interface with two IPs, one private and 
> one public. The IP-address offered by the dhcp-server is private (as 
> seen below).
> 
> Does anyone have a clue?
> 
> br Håkan Engblom
> 
> Some "logs" :
> 
> 00:30:88:00:63:10 is my DSL-connection (having two accepted packets during 
> this test)
> 
> X.X.X.X is my public IP.
> 
> (This is not the complete iptables, but it is the interesting part for this 
> matter)
> 
> 00:08:29.540872      0.0.0.0 -> 255.255.255.255 DHCP DHCP Discover - Transaction ID 0xae749e48
> 00:08:29.541303 X.X.X.X -> 10.0.0.217   DHCP DHCP Offer    - Transaction ID 0xae749e48
> 00:08:29.542117      0.0.0.0 -> 255.255.255.255 DHCP DHCP Request  - Transaction ID 0xae749e48
> 00:08:29.542299 X.X.X.X -> 10.0.0.217   DHCP DHCP ACK      - Transaction ID 0xae749e48
> 
> 
> 
> # date
> Sun Jan 11 00:08:08 CET 2004
> # iptables -L -v
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target     prot opt in     out     source               destination
>    0     0 mactable   all  --  eth0   any     anywhere             anywhere
>    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
>    0     0 DROP      !icmp --  any    any     anywhere             anywhere  state INVALID
>    0     0 eth0_in    all  --  eth0   any    !10.0.0.0/24          anywhere
>    0     0 eth0_1_in  all  --  eth0   any     anywhere             anywhere
>    0     0 common     all  --  any    any     anywhere             anywhere
> 
> Chain mactable (2 references)
> pkts bytes target     prot opt in     out     source               destination
>    0     0 ACCEPT     all  --  any    any     anywhere             anywhere  MAC 01:01:01:01:01:01
>    0     0 RETURN     all  --  any    any     anywhere             anywhere  MAC 00:30:88:00:63:10
>    0     0 RETURN     all  --  any    any     anywhere             anywhere  MAC 00:90:D0:AF:A3:F1
>    0     0 LOG        all  --  any    any     anywhere             anywhere  LOG level info prefix `Shorewall:mac:DROP:'
>    0     0 DROP       all  --  any    any     anywhere             anywhere
> 
> # date
> Sun Jan 11 00:08:36 CET 2004
> # iptables -L -v
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target     prot opt in     out     source               destination
>    4   948 mactable   all  --  eth0   any     anywhere             anywhere
>    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
>    0     0 DROP      !icmp --  any    any     anywhere             anywhere  state INVALID
>    2   288 eth0_in    all  --  eth0   any    !10.0.0.0/24          anywhere
>    0     0 eth0_1_in  all  --  eth0   any     anywhere             anywhere
>    0     0 common     all  --  any    any     anywhere             anywhere
> 
> Chain mactable (2 references)
> pkts bytes target     prot opt in     out     source               destination
>    0     0 ACCEPT     all  --  any    any     anywhere             anywhere  MAC 01:01:01:01:01:01
>    2   288 RETURN     all  --  any    any     anywhere             anywhere  MAC 00:30:88:00:63:10
>    0     0 RETURN     all  --  any    any     anywhere             anywhere  MAC 00:90:D0:AF:A3:F1
>    2   660 LOG        all  --  any    any     anywhere             anywhere  LOG level info prefix `Shorewall:mac:DROP:'
>    2   660 DROP       all  --  any    any     anywhere             anywhere
> #
> 
> 
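As an added example (not code from the thread), a short Python check over the two counter snapshots and the capture quoted above: it computes the per-rule packet deltas in the mactable chain and counts the server's Offer/ACK replies, so that a chain which dropped packets and accepted none while replies still went out is flagged as not governing the daemon's traffic. The sample snapshots and trace are constructed from the quoted output, trimmed to the mactable chain.

```python
import re

# Constructed sample input: the two 'iptables -L -v' snapshots from the thread,
# trimmed to the mactable chain (counters copied from the quoted output).
BEFORE = """\
Chain mactable (2 references)
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere  MAC 01:01:01:01:01:01
    0     0 RETURN     all  --  any    any     anywhere             anywhere  MAC 00:30:88:00:63:10
    0     0 LOG        all  --  any    any     anywhere             anywhere  LOG level info prefix `Shorewall:mac:DROP:'
    0     0 DROP       all  --  any    any     anywhere             anywhere
"""
AFTER = """\
Chain mactable (2 references)
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere  MAC 01:01:01:01:01:01
    2   288 RETURN     all  --  any    any     anywhere             anywhere  MAC 00:30:88:00:63:10
    2   660 LOG        all  --  any    any     anywhere             anywhere  LOG level info prefix `Shorewall:mac:DROP:'
    2   660 DROP       all  --  any    any     anywhere             anywhere
"""
# Constructed sample input: the DHCP exchange captured while the counters moved.
TRACE = """\
00:08:29.540872      0.0.0.0 -> 255.255.255.255 DHCP DHCP Discover - Transaction ID 0xae749e48
00:08:29.541303 X.X.X.X -> 10.0.0.217   DHCP DHCP Offer    - Transaction ID 0xae749e48
00:08:29.542117      0.0.0.0 -> 255.255.255.255 DHCP DHCP Request  - Transaction ID 0xae749e48
00:08:29.542299 X.X.X.X -> 10.0.0.217   DHCP DHCP ACK      - Transaction ID 0xae749e48
"""
# Columns of 'iptables -L -v': pkts bytes target prot opt in out source destination [match text]
RULE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_chain(listing):
    """Return [(target, match_text, pkts)] per rule line; 'Chain ...' and header lines are skipped."""
    rules = []
    for line in listing.splitlines():
        m = RULE.match(line)
        if m:
            rules.append((m.group(3), m.group(9).strip(), int(m.group(1))))
    return rules

def rule_deltas(before, after):
    """Per-rule packet-count increase between two snapshots (same chain, same rule order)."""
    return [(t, mt, pa - pb) for (t, mt, pb), (_, _, pa) in zip(parse_chain(before), parse_chain(after))]

def server_replies(trace):
    """DHCP message types the server emitted (Offer/ACK) in the capture."""
    return re.findall(r"DHCP DHCP (Offer|ACK)\b", trace)

def analyse(before, after, trace):
    deltas = rule_deltas(before, after)
    hits = {t: sum(d for tt, _, d in deltas if tt == t) for t in ("ACCEPT", "DROP")}
    replies = server_replies(trace)
    # Replies sent while the chain accepted nothing and dropped something: the daemon's traffic never went through it.
    return {"accepted": hits["ACCEPT"], "dropped": hits["DROP"], "replies": len(replies),
            "filter_bypassed": hits["DROP"] > 0 and hits["ACCEPT"] == 0 and len(replies) > 0}
```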