Hi,

On Wed, 22 Mar 2006, Tobias Klausmann wrote:

> Your description tells me that your packetfilter is not on the
> same host as your DHCP server.

Sorry if I did not describe the installation correctly.

The DHCP server is on the same box which I am trying to protect with iptables. The packets could not traverse the FORWARD chain, because all my default policies are set to DROP and forwarding is generally disabled. Even all packet counters on the FORWARD chain stay at zero when I'm sending some UDP packets with a simple hping. There is no bridging, routing, NAT or anything else defined on my box, so the packets could not run e.g. into the PREROUTING chain or jump into another target. The only rules in my iptables are shown below.

In the following output you can see that exactly the seven packets I sent are matched by the MSK_DHCP target within the INPUT chain:

**snip**
persil ~ # iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source          destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0       0.0.0.0/0
    7   196 MSK_DHCP   udp  --  *      *       0.0.0.0/0       0.0.0.0/0       udp dpt:67

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source          destination

Chain MSK_DHCP (1 references)
 pkts bytes target     prot opt in     out     source          destination
    7   196 LOG        all  --  *      *       0.0.0.0/0       0.0.0.0/0       LOG flags 0 level 6 prefix '**DHCP-Flood**:'
    7   196 DROP       all  --  *      *       0.0.0.0/0       0.0.0.0/0

persil ~ # tail -f /var/log/messages

Mar 23 14:22:24 persil dhcpd: ip length 28 disagrees with bytes received 46.
Mar 23 14:22:24 persil dhcpd: accepting packet with data after udp payload.
Mar 23 14:22:25 persil **DHCP-Flood** :IN=eth0 OUT= MAC=00:11:2f:9e:a8:25:00:0d:61:45:4a:1e:08:00 SRC=192.168.9.22 DST=192.168.9.213 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=60607 PROTO=UDP SPT=68 DPT=67 LEN=8

Mar 23 14:22:25 persil dhcpd: ip length 28 disagrees with bytes received 46.
Mar 23 14:22:25 persil dhcpd: accepting packet with data after udp payload.
Mar 23 14:22:26 persil **DHCP-Flood** :IN=eth0 OUT= MAC=00:11:2f:9e:a8:25:00:0d:61:45:4a:1e:08:00 SRC=192.168.9.22 DST=192.168.9.213 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=57557 PROTO=UDP SPT=68 DPT=67 LEN=8

**snap**

Here is my hping from the _external_ host:
**snip**
msk ~ # hping -s 68 -p 67 --keep --udp 192.168.9.213
HPING 192.168.9.213 (eth0 192.168.9.213): udp mode set, 28 headers + 0 data bytes

--- 192.168.9.213 hping statistic ---
7 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
**snap**


I would be much obliged if you could point out my mistake,

Kindly, Martin
--
gentoo-security@gentoo.org mailing list
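As an added example (not from this thread), the following Python script checks the situation in the post mechanically: it parses the `iptables -nvL` counters and the syslog excerpt above and reports when a daemon logs packets that the INPUT chain claims to have dropped. The chain name, LOG prefix and daemon name are the ones from the post; the sample input is constructed from the output quoted above.

```python
import re

# Constructed sample input, copied from the post: `iptables -nvL` counters and
# the /var/log/messages lines (kernel LOG hits interleaved with dhcpd's own).
IPTABLES_OUTPUT = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source          destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0       0.0.0.0/0
    7   196 MSK_DHCP   udp  --  *      *       0.0.0.0/0       0.0.0.0/0       udp dpt:67

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source          destination

Chain MSK_DHCP (1 references)
 pkts bytes target     prot opt in     out     source          destination
    7   196 LOG        all  --  *      *       0.0.0.0/0       0.0.0.0/0       LOG flags 0 level 6 prefix '**DHCP-Flood**:'
    7   196 DROP       all  --  *      *       0.0.0.0/0       0.0.0.0/0
"""
SYSLOG = """\
Mar 23 14:22:24 persil dhcpd: ip length 28 disagrees with bytes received 46.
Mar 23 14:22:24 persil dhcpd: accepting packet with data after udp payload.
Mar 23 14:22:25 persil **DHCP-Flood** :IN=eth0 OUT= SRC=192.168.9.22 DST=192.168.9.213 LEN=28 PROTO=UDP SPT=68 DPT=67 LEN=8
Mar 23 14:22:25 persil dhcpd: ip length 28 disagrees with bytes received 46.
Mar 23 14:22:25 persil dhcpd: accepting packet with data after udp payload.
Mar 23 14:22:26 persil **DHCP-Flood** :IN=eth0 OUT= SRC=192.168.9.22 DST=192.168.9.213 LEN=28 PROTO=UDP SPT=68 DPT=67 LEN=8
"""

def parse_counters(text):
    """Map {chain: {target: pkts}} from `iptables -nvL` output; header rows are skipped."""
    counters, chain = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
            counters[chain] = {}
            continue
        m = re.match(r"\s*(\d+)\s+\d+\s+(\S+)", line)  # pkts bytes target ...
        if m and chain:
            counters[chain][m.group(2)] = counters[chain].get(m.group(2), 0) + int(m.group(1))
    return counters

def check_bypass(iptables_text, syslog, chain="MSK_DHCP", prefix="**DHCP-Flood**", daemon="dhcpd"):
    """Compare what netfilter dropped with what the daemon accepted. A daemon that accepts
    packets INPUT dropped is reading them on a path the INPUT hook never sees."""
    dropped = parse_counters(iptables_text).get(chain, {}).get("DROP", 0)
    lines = syslog.splitlines()
    accepted = sum(f"{daemon}: accepting packet" in l for l in lines)
    return {"dropped": dropped, "kernel_logged": sum(prefix in l for l in lines),
            "daemon_accepted": accepted, "bypass_suspected": dropped > 0 and accepted > 0}
```

The dhcpd line "ip length 28 disagrees with bytes received 46" is itself a hint: 46 bytes is the minimum Ethernet payload, so dhcpd is seeing the padded frame from a packet socket rather than the UDP datagram that netfilter's INPUT hook handles.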