Hi,

On Wed, 22 Mar 2006, Tobias Klausmann wrote:

>
> Your description tells me that your packetfilter is not on the
> same host as your DHCP server.

Sorry if I did not describe the installation correctly.

The DHCP server is on the same box which I try to protect with iptables.
The packets could not traverse the forward chain, because all my default
policies are set to drop and forwarding generally is disabled. Even all
packet counters on the forward chain stay at zero when I'm sending
some udp packets with a simple hping. There is no bridging, routing, NAT
or something else defined on my box, so the packets could not run
e.g. into the prerouting chain or jump into another target. The only rules
in my iptables are shown below.

In the following output you see exactly the seven packets I sent are
matched by the MSK_DHCP target within the INPUT chain:

**snip**
persil ~ # iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    7   196 MSK_DHCP   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain MSK_DHCP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    7   196 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix '**DHCP-Flood**:'
    7   196 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

persil ~ # tail -f /var/log/messages

Mar 23 14:22:24 persil dhcpd: ip length 28 disagrees with bytes received 46.
Mar 23 14:22:24 persil dhcpd: accepting packet with data after udp payload.
Mar 23 14:22:25 persil **DHCP-Flood** :IN=eth0 OUT= MAC=00:11:2f:9e:a8:25:00:0d:61:45:4a:1e:08:00 SRC=192.168.9.22 DST=192.168.9.213 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=60607 PROTO=UDP SPT=68 DPT=67 LEN=8

Mar 23 14:22:25 persil dhcpd: ip length 28 disagrees with bytes received 46.
Mar 23 14:22:25 persil dhcpd: accepting packet with data after udp payload.
Mar 23 14:22:26 persil **DHCP-Flood** :IN=eth0 OUT= MAC=00:11:2f:9e:a8:25:00:0d:61:45:4a:1e:08:00 SRC=192.168.9.22 DST=192.168.9.213 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=57557 PROTO=UDP SPT=68 DPT=67 LEN=8

**snap**

Here is my hping from the _external_ host:
**snip**
msk ~ # hping -s 68 -p 67 --keep --udp 192.168.9.213
HPING 192.168.9.213 (eth0 192.168.9.213): udp mode set, 28 headers + 0 data bytes

--- 192.168.9.213 hping statistic ---
7 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
**snap**


I would be much obliged if you could point out my mistake,

kindly Martin
--
gentoo-security@g.o mailing list
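As an added example, not part of this mail or the list thread, here is a small Python parser for the netfilter LOG lines quoted above: it counts the logged hits per source address on the DHCP server port and reads the UDP length field to see whether the logged datagrams carry any payload. The sample lines are constructed inline, copied in layout from the ones in the mail.

```python
import re
from collections import Counter

# Constructed sample: two dhcpd lines plus two netfilter LOG lines in the
# layout quoted in the mail (prefix '**DHCP-Flood**:' from the LOG rule).
SAMPLE_LOG = """\
Mar 23 14:22:24 persil dhcpd: ip length 28 disagrees with bytes received 46.
Mar 23 14:22:24 persil dhcpd: accepting packet with data after udp payload.
Mar 23 14:22:25 persil **DHCP-Flood** :IN=eth0 OUT= MAC=00:11:2f:9e:a8:25:00:0d:61:45:4a:1e:08:00 SRC=192.168.9.22 DST=192.168.9.213 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=60607 PROTO=UDP SPT=68 DPT=67 LEN=8
Mar 23 14:22:26 persil **DHCP-Flood** :IN=eth0 OUT= MAC=00:11:2f:9e:a8:25:00:0d:61:45:4a:1e:08:00 SRC=192.168.9.22 DST=192.168.9.213 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=57557 PROTO=UDP SPT=68 DPT=67 LEN=8
"""

LOG_PREFIX = "**DHCP-Flood**"          # prefix set on the LOG rule in the mail
KV_RE = re.compile(r"([A-Z]+)=(\S*)")  # netfilter prints KEY=VALUE fields


def parse_netfilter_line(line, prefix=LOG_PREFIX):
    """Return the KEY=VALUE fields of one netfilter LOG line, or None if the
    line is not from the LOG rule (e.g. a dhcpd message)."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    fields = {}
    for key, val in KV_RE.findall(line[idx + len(prefix):]):
        # LEN appears twice: IP total length first, then UDP length.
        if key in fields:
            key = "UDP_" + key
        fields[key] = val
    return fields


def udp_payload_bytes(fields):
    """UDP payload size: UDP length minus the 8-byte UDP header."""
    return int(fields["UDP_LEN"]) - 8


def dhcp_drops_by_source(log_text, dport="67"):
    """Count logged UDP packets per SRC that were aimed at the DHCP port."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_netfilter_line(line)
        if f and f.get("PROTO") == "UDP" and f.get("DPT") == dport:
            counts[f["SRC"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(dhcp_drops_by_source(SAMPLE_LOG))  # {'192.168.9.22': 2}
```

A UDP length of 8 means a header-only datagram with no DHCP payload, which matches hping's "28 headers + 0 data bytes" (20-byte IP header plus 8-byte UDP header).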