Hi!

On Wed, 22 Mar 2006, Martin Skarda wrote:
> I'm trying to protect my dhcp server with some rules within iptables
> against some DoS, and I see all the "hopefully dropped" packages in my log
> target. But the drop doesn't really work: the packages are still going
> through my firewall to my dhcp server.
>
> Here is my simple ruleset:
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
> 0 0 MSK_DHCP udp -- * * 0.0.0.0/0 0.0.0.0/0
> udp dpt:67
>
>
> Chain MSK_DHCP (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
> LOG flags 0 level 6 prefix '**DHCP-Flood**'
> 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
>
>
> All my default policies are set to drop.

Your description tells me that your packetfilter is not on the
same host as your DHCP server.

Assuming your DHCP server is separate, I'd suggest putting your
DHCP rules into the FORWARD chain. Back with ipvsadm (and
ipchains, too, IIRC), routed packets traversed the INPUT and
OUTPUT chains. With Netfilter, that isn't the case anymore.

If, however, your network setup is entirely different, we'd need
to know that before doing more guessing.

Regards & HTH,
Tobias

--
You don't need eyes to see, you need vision.
--
gentoo-security@g.o mailing list
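The fix Tobias describes, as an added example that is not part of the original thread: the same MSK_DHCP log-and-drop chain from Martin's ruleset, but hooked into FORWARD rather than INPUT, since under Netfilter a packet routed through the firewall to a separate DHCP server never traverses INPUT. The interface names (LAN_IF, SRV_IF) and the rate limit on the LOG rule are assumptions added here; the mail shows neither. IPT defaults to a dry run that only prints the commands, so the script can be reviewed before being applied as root with IPT=iptables.

```shell
#!/bin/sh
# Added example, not code from the original mail. Re-creates the MSK_DHCP
# chain from the thread and attaches it to FORWARD, where routed packets
# are actually seen. Interface names and the LOG rate limit are assumptions.

IPT="${IPT:-echo iptables}"   # dry run by default; IPT=iptables to apply
LAN_IF="${LAN_IF:-eth0}"      # assumed: clients send DHCP requests in here
SRV_IF="${SRV_IF:-eth1}"      # assumed: the separate DHCP server sits here

# Emit (or apply, if IPT=iptables) the DHCP log-and-drop rules.
# $IPT is deliberately unquoted so "echo iptables" splits into two words.
dhcp_forward_rules() {
    # Same user-defined chain name as in the original ruleset.
    $IPT -N MSK_DHCP
    # The original logged every packet; a real flood would then also flood
    # syslog. Rate-limiting the LOG rule (an addition here) avoids that.
    $IPT -A MSK_DHCP -m limit --limit 5/minute --limit-burst 10 \
        -j LOG --log-level 6 --log-prefix '**DHCP-Flood**'
    $IPT -A MSK_DHCP -j DROP
    # Routed traffic never traverses INPUT under Netfilter, so the hook
    # goes into FORWARD: DHCP requests entering from the LAN side and
    # leaving towards the server side are sent to MSK_DHCP.
    $IPT -A FORWARD -i "$LAN_IF" -o "$SRV_IF" -p udp --dport 67 -j MSK_DHCP
}

# Count how many of the emitted rules attach to a given built-in chain.
# Useful as a sanity check that nothing meant for the server ended up in
# INPUT again (grep -c prints 0 and exits 1 on no match, hence || true).
rules_in_chain() {
    dhcp_forward_rules | grep -c -- "-A $1 " || true
}

dhcp_forward_rules
```

Run it once without IPT set to see the exact iptables invocations; `rules_in_chain INPUT` should print 0 and `rules_in_chain FORWARD` should print 1 for this ruleset.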