Hi!

On Wed, 22 Mar 2006, Martin Skarda wrote:

> I'm trying to protect my dhcp server with some rules within iptables
> against some DoS, and I see all the "hopefully dropped" packages in my log
> target. But the drop doesn't really work: the packages are still going
> through my firewall to my dhcp server.
>
> Here is my simple ruleset:
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>     0     0 MSK_DHCP   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
>
>
> Chain MSK_DHCP (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix '**DHCP-Flood**'
>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
>
> All my default policies are set to drop.
Your description tells me that your packet filter is not on the same host as your DHCP server. Assuming your DHCP server is separate, I'd suggest putting your DHCP rules into the FORWARD chain. Back with ipvsadm (and ipchains, too, IIRC), routed packets traversed the INPUT and OUTPUT chains. With Netfilter, that isn't the case anymore.

If, however, your network setup is entirely different, we'd need to know that before doing more guessing.

Regards & HTH,
Tobias

--
You don't need eyes to see, you need vision.

--
gentoo-security@gentoo.org mailing list
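The point of the reply is that under Netfilter a packet routed through the firewall to another host passes the FORWARD chain only, so rules in INPUT never see it (the zero packet counters in the quoted listing are consistent with that). The script below is an added illustration written for this thread, not code posted by either participant: it builds the MSK_DHCP chain with a rate limit and hooks it into INPUT or FORWARD depending on where dhcpd runs. The chain name and log prefix are taken from the quoted ruleset; the rate and burst defaults are made-up values, and by default the script only prints the iptables commands (set DRY_RUN=0 as root to apply them).

```shell
#!/bin/sh
# Added example, not from the thread. Emits (or, with DRY_RUN=0 as root,
# applies) iptables rules that put DHCP flood protection in the chain the
# traffic really traverses: INPUT when dhcpd runs on the firewall itself,
# FORWARD when dhcpd is on another host and the firewall only routes to it.
# The chain name MSK_DHCP and the log prefix come from the thread; the rate
# and burst values are made-up defaults chosen for illustration.

# run: print the iptables command line, or execute it when DRY_RUN=0.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# dhcp_chain LOCATION: print the chain that sees DHCP traffic for that layout.
#   local  -> INPUT   (packets addressed to the firewall host itself)
#   routed -> FORWARD (packets passing through to another host)
dhcp_chain() {
    case "$1" in
        local)  echo INPUT ;;
        routed) echo FORWARD ;;
        *)      echo "dhcp_chain: unknown location '$1' (use local|routed)" >&2
                return 1 ;;
    esac
}

# dhcp_rules LOCATION [RATE] [BURST]: build the MSK_DHCP chain and hook it
# into the right built-in chain. Requests within RATE/BURST RETURN to the
# caller and are accepted; the excess is logged (the LOG rule is itself
# rate-limited so the log cannot be flooded either) and then dropped.
dhcp_rules() {
    chain=$(dhcp_chain "$1") || return 1
    rate=${2:-20/second}   # assumed default; tune for your client count
    burst=${3:-50}         # assumed default

    run -N MSK_DHCP
    run -A MSK_DHCP -m limit --limit "$rate" --limit-burst "$burst" -j RETURN
    run -A MSK_DHCP -m limit --limit 5/minute -j LOG --log-level 6 \
        --log-prefix '**DHCP-Flood**'
    run -A MSK_DHCP -j DROP

    # Jump first; whatever RETURNs from MSK_DHCP is within budget and accepted.
    run -A "$chain" -p udp --dport 67 -j MSK_DHCP
    run -A "$chain" -p udp --dport 67 -j ACCEPT
}

# Usage (dry run): show the rules for a DHCP server behind the firewall.
dhcp_rules routed
```

Running `dhcp_rules local` instead places the same chain in INPUT, which is the layout the quoted ruleset implicitly assumed; comparing the two outputs shows that only the hook rules differ, which is why the original MSK_DHCP chain looked correct yet never matched routed packets.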