Re: (DHCP) Ebtables ruleset isn't working, any ideas?

On Wed, 20 May 2009, Miguel Ghobangieno wrote:

> I can't get DHCP to work through the firewall, I've tried everything, even:
> ebtables -A FORWARD -p IPv4 --ip-sport 67:68 -j ACCEPT
> ebtables -A FORWARD -p IPv4 --ip-dport 67:68 -j ACCEPT

You deduced that you have to use numbers and not names. Why don't you 
follow that? Probably you need

ebtables -A FORWARD -p 0x800 --ip-proto udp --ip-sport 67:68 -j ACCEPT

But it's really strange and suspicious that names do not work,
something is really broken on your system. Have you got a correct
/etc/ethertypes file? Do you run the ebtables commands in chroot?
 
> Other things I tried:
> ebtables -A FORWARD -i eth0 -o eth1 -p 0x800 --ip-src 192.168.0.1 --ip-proto udp --ip-sport 67:68 -j ACCEPT
> ebtables -A FORWARD -i eth1 -o eth0 -p 0x800 --ip-dst 255.255.255.255/255.255.255.255 --ip-proto udp --ip-dport 67:68 -j ACCEPT

Could you draw the topology of your network? For example, if your firewall 
is the dhcp server, then the chains are definitely wrong above. Or maybe 
the interfaces are mixed up.

Why don't you log the packets??
 
> and before that:
> ebtables -A FORWARD -p 0x800 --ip-src 192.168.0.1 --ip-proto udp --ip-sport 68 -j ACCEPT
> ebtables -A FORWARD -p 0x800 --ip-dst 192.168.0.1 --ip-proto udp --ip-dport 67 -j ACCEPT

These rules make no sense to me.

> Kernel (newest stable w/grsecurity patch):
> 
> 2.6.29.3-grsec

If you have got grsecurity enabled and the dhcp server runs on the 
firewall, then grsec must be tuned too.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
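
An added example, not part of the original message: one way to act on the "log the packets" and "which chain" advice above is to put a log-only rule at the head of every filter chain and count which chain reports DHCP frames. The `EBTABLES` variable, the function names, the `dhcp-` log prefix and the sample log lines are assumptions of this sketch; the sample lines are constructed and abbreviated, not captured output.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Dry run by default: the commands are printed, not executed. Set
# EBTABLES=ebtables and run as root on the bridge to install the rules.
EBTABLES="${EBTABLES:-echo ebtables}"

# Insert one log rule at the head of each filter chain. --ip-dport 67:68
# covers both directions: client->server uses dport 67, server->client 68.
# A rule with --log and no -j has no verdict, so traversal continues and
# the existing ACCEPT/DROP rules still decide what happens to the frame.
dhcp_log_rules() {
    for chain in INPUT FORWARD OUTPUT; do
        $EBTABLES -I "$chain" 1 -p 0x800 --ip-proto udp --ip-dport 67:68 \
            --log --log-ip --log-prefix "dhcp-$chain"
    done
}

# Read kernel log lines on stdin and print "<chain> <count>" for every
# chain that logged DHCP frames. Only the prefix set above is parsed.
dhcp_chain_hits() {
    grep -o 'dhcp-[A-Z]*' | sort | uniq -c |
        awk '{ sub("dhcp-", "", $2); print $2, $1 }'
}

# Constructed sample lines (abbreviated, not from a real system): a client
# broadcast arriving on the bridge host and the reply leaving it.
SAMPLE_LOG='dhcp-INPUT IN=eth1 OUT= IP SRC=0.0.0.0 IP DST=255.255.255.255 SPT=68 DPT=67
dhcp-OUTPUT IN= OUT=eth1 IP SRC=192.168.0.1 IP DST=255.255.255.255 SPT=67 DPT=68'

dhcp_log_rules
printf '%s\n' "$SAMPLE_LOG" | dhcp_chain_hits
```

Hits only under INPUT and OUTPUT, as in the sample, mean the DHCP server is the bridge host itself, so ACCEPT rules in FORWARD never see the traffic. On a real system, feed `dmesg` output to `dhcp_chain_hits` instead of the sample.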