On Mon, May 27, 2002 at 10:13:11AM +0200, Roar Bjørgum Rotvik wrote:
> I have a problem blocking DHCP request/response with iptables.
>
> Am I wrong to assume that setting default policy for INPUT/OUTPUT/FORWARD
> to DROP would block any traffic on any interface?
>
> The problem is that 'ifup eth0', where eth0 uses DHCP, still gets an
> IP address defined from the DHCP server, even after setting default policy
> to DROP.
>
> Is this a bug in iptables, or can I block DHCP in another way?
I assume you're using the ISC DHCP server? It uses raw sockets to grab packets, which bypasses the need to pick those packets up in userspace, so even if iptables drops the packet, it still gets to see it. There's not really a way to force iptables to work around that. Maybe you can configure your DHCP server to assign the system in question a bogus address?

-- 
Derrik Pates       | Sysadmin, Douglas School | #linuxOS on EFnet
[EMAIL PROTECTED]  | District (dsdk12.net)    | #linuxOS on OPN
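The behaviour Derrik describes (a packet socket receives the frame at the link layer, before the netfilter INPUT hook gets to drop it) can be observed directly. The script below is an added illustration, not code from this thread or from ISC DHCP: it opens a Linux AF_PACKET socket on an interface name you supply, decodes any Ethernet/IPv4/UDP frame on ports 67/68 as a BOOTP/DHCP message, and prints the message type, offered address and server identifier. Run it as root on a host whose filter INPUT policy is DROP and a DHCP OFFER for that host will still be printed, which is exactly why a raw-socket DHCP client keeps working. The `build_sample_offer` frame is constructed here for offline testing of the parser and is not a real capture; the MAC and IP addresses in it are placeholders.

```python
import socket
import struct

ETH_P_ALL = 0x0003                      # receive every protocol on the interface
DHCP_MAGIC = b"\x63\x82\x53\x63"        # BOOTP "magic cookie" that precedes DHCP options
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_dhcp_frame(frame):
    """Decode an Ethernet frame; return a dict for a DHCP message, else None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                                   # not IPv4
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 17:
        return None                                   # not an IPv4/UDP datagram
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl + 8:
        return None
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    if 67 not in (sport, dport) and 68 not in (sport, dport):
        return None                                   # not the bootps/bootpc ports
    payload = udp[8:ulen] if ulen >= 8 else b""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None                                   # too short or no DHCP cookie
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    chaddr = ":".join("%02x" % b for b in payload[28:28 + min(hlen, 16)])
    # Walk the TLV option list: code 0 is a pad byte, code 255 ends the list.
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(payload):
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options[53][0] if options.get(53) else 0
    server_id = options.get(54)
    return {
        "op": op,
        "xid": xid,
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "message": MESSAGE_TYPES.get(msg_type, str(msg_type)),
        "yiaddr": socket.inet_ntoa(payload[16:20]),   # address being offered/acked
        "chaddr": chaddr,
        "server_id": socket.inet_ntoa(server_id) if server_id and len(server_id) == 4 else None,
    }


def build_sample_offer(xid=0x3903F326):
    """Constructed DHCPOFFER frame (placeholder addresses), used only to exercise the parser."""
    options = bytes([53, 1, 2]) + bytes([54, 4]) + socket.inet_aton("192.168.1.1") + bytes([255])
    bootp = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0x8000)   # BOOTREPLY, ethernet, broadcast flag
    bootp += socket.inet_aton("0.0.0.0")                           # ciaddr
    bootp += socket.inet_aton("192.168.1.50")                      # yiaddr (offered lease)
    bootp += socket.inet_aton("192.168.1.1")                       # siaddr
    bootp += socket.inet_aton("0.0.0.0")                           # giaddr
    bootp += bytes.fromhex("0011223344aa") + b"\x00" * 10          # chaddr, padded to 16 bytes
    bootp += b"\x00" * 64 + b"\x00" * 128                          # sname, file
    bootp += DHCP_MAGIC + options
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp  # checksum left 0 (not verified here)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton("192.168.1.1"), socket.inet_aton("255.255.255.255")) + udp
    eth = bytes.fromhex("0011223344aa") + bytes.fromhex("00aabbccddee") + b"\x08\x00"
    return eth + ip


def sniff(interface):
    """Print DHCP messages seen on `interface` via a packet socket (Linux, needs CAP_NET_RAW).

    Frames reach this socket regardless of the iptables filter table, so an OFFER
    is printed even when the INPUT policy is DROP."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL)) as s:
        s.bind((interface, 0))
        while True:
            info = parse_dhcp_frame(s.recv(65535))
            if info:
                print(info)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        sniff(sys.argv[1])                 # e.g. python3 dhcpwatch.py eth0
    else:
        print(parse_dhcp_frame(build_sample_offer()))
```

Without an interface argument the script only decodes the constructed OFFER, so the parser can be checked on any platform; the packet-socket part is Linux-specific. If the goal is to stop the lease rather than just watch it, the thread's own suggestion (have the server hand that host a bogus or no address) or filtering at the switch is the workable path, because the filter table never sees what a packet socket consumes.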
