| 1 |
Hi, |
| 2 |
|
| 3 |
On Wed, 22 Mar 2006, Tobias Klausmann wrote: |
| 4 |
|
| 5 |
> |
| 6 |
> Your description tells me that your packetfilter is not on the |
| 7 |
> same host as your DHCP server. |
| 8 |
|
| 9 |
Sorry if I did not describe the installation correctly. |
| 10 |
|
| 11 |
The DHCP server is on the same box which I try to protect with iptables. |
| 12 |
The packets could not traverse the forward chain, because all my default |
| 13 |
policies are set to drop and forwarding generally is disabled. Even all |
| 14 |
packet counters on the forward chain will stay to zero when I'm sending |
| 15 |
some udp packets with a simple hping. There is no bridging, routing, NAT |
| 16 |
or something else defined on my box, insomuch the packets could not run |
| 17 |
eg. into the prerouting chain or jump into another target. The only rules |
| 18 |
in my iptables are shown below. |
| 19 |
|
| 20 |
In the following output you see exactly the seven packets I sent are |
| 21 |
matched by the MSK_DHCP target within the INPUT chain: |
| 22 |
|
| 23 |
**snip** |
| 24 |
persil ~ # iptables -nvL |
| 25 |
Chain INPUT (policy DROP 0 packets, 0 bytes) |
| 26 |
pkts bytes target prot opt in out source destination |
| 27 |
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 |
| 28 |
7 196 MSK_DHCP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67 |
| 29 |
|
| 30 |
Chain FORWARD (policy DROP 0 packets, 0 bytes) |
| 31 |
pkts bytes target prot opt in out source destination |
| 32 |
|
| 33 |
Chain MSK_DHCP (1 references) |
| 34 |
pkts bytes target prot opt in out source |
| 35 |
destination |
| 36 |
7 196 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix '**DHCP-Flood**:' |
| 37 |
7 196 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 |
| 38 |
|
| 39 |
persil ~ # tail -f /var/log/messages |
| 40 |
|
| 41 |
Mar 23 14:22:24 persil dhcpd: ip length 28 disagrees with bytes received 46. |
| 42 |
Mar 23 14:22:24 persil dhcpd: accepting packet with data after udp payload. |
| 43 |
Mar 23 14:22:25 persil **DHCP-Flood** :IN=eth0 OUT= MAC=00:11:2f:9e:a8:25:00:0d:61:45:4a:1e:08:00 SRC=192.168.9.22 |
| 44 |
DST=192.168.9.213 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=60607 PROTO=UDP SPT=68 DPT=67 LEN=8 |
| 45 |
|
| 46 |
Mar 23 14:22:25 persil dhcpd: ip length 28 disagrees with bytes received 46. |
| 47 |
Mar 23 14:22:25 persil dhcpd: accepting packet with data after udp payload. |
| 48 |
Mar 23 14:22:26 persil **DHCP-Flood** :IN=eth0 OUT= MAC=00:11:2f:9e:a8:25:00:0d:61:45:4a:1e:08:00 SRC=192.168.9.22 |
| 49 |
DST=192.168.9.213 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=57557 PROTO=UDP SPT=68 DPT=67 LEN=8 |
| 50 |
|
| 51 |
**snap** |
| 52 |
|
| 53 |
here is my hping from the _external_ host: |
| 54 |
**snip** |
| 55 |
msk ~ # hping -s 68 -p 67 --keep --udp 192.168.9.213 |
| 56 |
HPING 192.168.9.213 (eth0 192.168.9.213): udp mode set, 28 headers + 0 |
| 57 |
data bytes |
| 58 |
|
| 59 |
--- 192.168.9.213 hping statistic --- |
| 60 |
7 packets tramitted, 0 packets received, 100% packet loss |
| 61 |
round-trip min/avg/max = 0.0/0.0/0.0 ms |
| 62 |
***snap** |
| 63 |
|
| 64 |
|
| 65 |
I would be much obliged if you could point out my mistake, |
| 66 |
|
| 67 |
kindly Martin |
| 68 |
-- |
| 69 |
gentoo-security@g.o mailing list |
Archives