
Here is the output of my iptables-save command. The last rule and default policy is to DROP any packets that don't match anything.

# Generated by iptables-save v1.4.9 on Wed Aug 3 21:00:05 2011
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [76:6239]
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j DROP
COMMIT

But surprisingly, DHCP and every other traffic is getting through... Please advise how to allow connections on port 8080 and port 2222 only and drop everything else.

Network Diagram

The iptables rules are being set on the FedoraRouter Machine. And this FedoraRouter machine is running Apache and SSH on port 8080 and 2222 respectively.

The clients FedoraClient and WinXP-Client need to have access to these services only. I cannot block them by IP because I'll be adding in more computers in future; anything other than HTTP and SSH traffic needs to be dropped in general.

Based on the current setup it is allowing DHCP packets to the router; the router is in fact running DHCP and I need to block it.

Thanks!

Jasdeep Singh
  • "Getting through" what? Where is the traffic coming from? Where is it going to? What is this mystery machine that you're putting these rules onto? – womble Aug 04 '11 at 01:09
  • Please refer to the network diagram above. FedoraClient is the machine that is running iptables and the current setup is allowing DHCP on the router to talk to the clients, which I don't want. It needs to block the DHCP packets. Thanks in advance! – Jasdeep Singh Aug 04 '11 at 01:19
  • Your comment and question don't match... is the firewall on FedoraClient or FedoraRouter? And if you don't want DHCP, why are you running it? – womble Aug 04 '11 at 01:34
  • I'm sorry, that was a typo. It's FedoraRouter that is running the iptables. The answer below by mizi is exactly what I wanted. – Jasdeep Singh Aug 04 '11 at 18:45

1 Answer


ISC dhcpd, for various rather annoying reasons, uses raw sockets to perform its network I/O. For other technical reasons, raw sockets bypass iptables processing (including the inappropriately named raw table), which makes iptables ineffective for filtering DHCP server traffic when the firewall and host are on the same machine.

You can read about raw sockets here: http://www.linuxchix.org/content/courses/security/raw_sockets.

DHCP traffic is broadcast anyway, and it's not easy to block it on a per-client basis. So why wouldn't you just shut the dhcpd daemon down?

mizi
  • Care to investigate before commenting and downvoting? http://pastebin.com/fY3r1piE – mizi Aug 06 '11 at 22:22
  • Does tcpdump implement some kind of magic that dhcpd is just incapable of? You should really read about RAW sockets and promiscuous mode http://en.wikipedia.org/wiki/Raw_socket – mizi Aug 06 '11 at 22:30
  • Sure they did. My point is that dhcpd works the way tcpdump does: it sees packets before iptables, ultimately bypassing it. So it's not possible to block **incoming** DHCP requests. I'm not sure about outgoing replies though; there's a high chance they don't get blocked either. Anyway, blocking outgoing packets may achieve the goal of rendering dhcpd deaf, but it does nothing from the security point of view, should a security vulnerability be found in dhcpd. – mizi Aug 06 '11 at 23:41
  • https://lists.isc.org/pipermail/dhcp-users/2010-January/010723.html link broken. – adrelanos Sep 23 '16 at 18:06
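An added example (not code from the question or the answer) that parses the INPUT chain of the question's iptables-save output and reports what it accepts. It also flags any rule whose -p is not followed by a protocol name, since iptables-restore rejects such a rule set and the intended ports never open. The assumed sample input is the question's *filter table; what it shows is that no rule admits UDP 67 to the DHCP server, yet DHCP still worked, which is exactly the raw-socket bypass mizi describes: a clean audit of the rules is not evidence that dhcpd is reachable or not.

```python
# The *filter table from the question's iptables-save output, embedded here
# as sample input (counters are the ones shown in the question).
FILTER_TABLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [76:6239]
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j DROP
COMMIT
"""

KNOWN_PROTOCOLS = {"tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp", "all"}

def parse_rule(line):
    """Pick the protocol, --dport and target out of one '-A CHAIN ...' line."""
    toks = line.split()
    rule = {"chain": toks[1], "proto": None, "dport": None, "target": None}
    for i, tok in enumerate(toks[2:], start=2):
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if tok in ("-p", "--protocol"):
            rule["proto"] = nxt
        elif tok == "--dport":
            rule["dport"] = int(nxt) if nxt and nxt.isdigit() else nxt
        elif tok in ("-j", "--jump"):
            rule["target"] = nxt
    return rule

def audit_input_chain(dump):
    """Summarise what the INPUT chain accepts and flag rules that cannot load."""
    report = {"policy": None, "malformed": [], "accepted": [], "udp67_accepted": False}
    for line in dump.splitlines():
        if line.startswith(":INPUT "):
            report["policy"] = line.split()[1]
        elif line.startswith("-A INPUT "):
            rule = parse_rule(line)
            if rule["proto"] is not None and rule["proto"] not in KNOWN_PROTOCOLS:
                # e.g. "-p -m tcp": "-m" becomes the protocol name and the restore fails
                report["malformed"].append(line)
                continue
            if rule["target"] != "ACCEPT":
                continue
            report["accepted"].append((rule["proto"], rule["dport"]))
            # A DHCP server listens on UDP 67; is it admitted by any ACCEPT rule?
            if rule["proto"] in (None, "all", "udp") and rule["dport"] in (None, 67):
                report["udp67_accepted"] = True
    return report
```

For the question's table the report lists TCP 8080, TCP 2222 and ICMP as accepted and udp67_accepted stays False; dhcpd answers regardless because its raw socket never traverses the INPUT chain.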