Hi All,

I'm trying to protect my dhcp server with some rules within iptables
against some DoS, and I see all the "hopefully dropped" packages in my log
target. But the drop doesn't really work: the packages are still going
through my firewall to my dhcp server.

Here is my simple ruleset:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 MSK_DHCP   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:67

Chain MSK_DHCP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix '**DHCP-Flood**'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

All my default policies are set to drop.

My testing environment is the ISC dhcp server: net-misc/dhcp-3.0.1-r1 and
a simple hping.

I see exactly the same number of udp packets I sent are reaching the dhcp
server (shown in my syslog) as is shown in the iptables packet counter.

This behavior was tested on different kernel versions: 2.6.15-gentoo-r1 and
-r7, also on an older vanilla one.

Where is my mistake? I could not believe that this is really a bug.

thanks for an answer,
Martin

--
gentoo-security@g.o mailing list
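The comparison Martin describes (DROP counter versus what dhcpd logged) as a small script; this is an added example, not code from the post. On Linux, ISC dhcpd reads DHCP through a raw packet socket (its LPF backend), which receives frames before the INPUT chain can discard them, so the counters can increment while dhcpd still logs every request. The chain name MSK_DHCP is taken from the post; the non-zero counters and the syslog lines are constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample of `iptables -nvL` output in the layout shown in the post,
# with counters filled in as they would look after an hping run of 250 packets.
IPTABLES_OUTPUT = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   984 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  250 85000 MSK_DHCP   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:67

Chain MSK_DHCP (1 references)
 pkts bytes target     prot opt in     out     source               destination
  250 85000 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix '**DHCP-Flood**'
  250 85000 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Constructed syslog lines in ISC dhcpd's message format, one per sent packet.
SYSLOG_LINES = [
    "Mar 10 12:00:00 gw dhcpd: DHCPDISCOVER from 00:11:22:33:44:%02x via eth0" % (i % 256)
    for i in range(250)
]

CHAIN_RE = re.compile(r"^Chain (\S+) ")
# pkts, bytes (iptables may append K/M/G unless -x is used), target, proto
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)")
DHCPD_RE = re.compile(r"dhcpd: DHCP(DISCOVER|REQUEST|INFORM|RELEASE|DECLINE) from")


def parse_counters(text):
    """Return {chain: [(target, pkts), ...]} from `iptables -nvL` output."""
    chains, current = defaultdict(list), None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m and current:
            pkts, _bytes, target, _proto = m.groups()
            chains[current].append((target, int(pkts)))
    return dict(chains)


def check(iptables_text, syslog_lines, chain="MSK_DHCP"):
    """(dropped, seen, leaked): DROP counter in the DHCP chain, requests dhcpd
    logged, and whether both are non-zero, i.e. packets netfilter accounted
    as dropped were still delivered to the daemon."""
    chains = parse_counters(iptables_text)
    dropped = sum(p for t, p in chains.get(chain, []) if t == "DROP")
    seen = sum(1 for line in syslog_lines if DHCPD_RE.search(line))
    return dropped, seen, dropped > 0 and seen > 0
```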