
Thread: iptables and dhcp

  1. #1

    iptables and dhcp

    Hi,

    I have a box which is configured with iptables and gets its ip dynamically from a dhcp. Do I need to explicitly allow dhcp in my iptables script? So far, it's been working despite the fact that all unspecified incoming connections should be dropped and logged (I saw no trace of it in the logs). I read somewhere that dhcp operates with 'raw packets' which iptables can't detect...is this the case and is it true for all dhcp servers? Stranger still, I seem to be getting traces of other people's dhcp requests on my logs (because all dhcp requests go to broadcast). How come it picks up other people's requests and not the DHCPOFFER packets if dhcp interaction is done in raw packets?

    P.S. If you recommend that I explicitly allow dhcp in iptables, could you please give reference as to how? Right now, I have:
    Code:
    iptables -A INPUT -i eth0 -p udp --dport 68 --sport 67 -j ACCEPT
    That doesn't seem restrictive enough...doesn't that accept the dhcp requests of other people on my network as well?

    Thanks in advance. Please let me know if any part seems unclear.

  2. #2

    Re: iptables and dhcp

    So far, it's been working despite the fact that all unspecified incoming connections should be dropped and logged (I saw no trace of it in the logs)
    I would guess the reason it is working is because of timing. Your machine comes up, asks for an ip address from the dhcp server and then loads the firewall. Do you know when the firewall is loaded relative to the interface coming up?

    I read somewhere that dhcp operates with 'raw packets' which iptables can't detect
    Do you have a reference for this information? I have trouble believing it

    That doesn't seem restrictive enough...doesn't that accept the dhcp requests of other people on my network as well?
    Yes it will accept packets from any source. If you want to take it a step further then you could find out the ip address and/or mac address of the dhcp server and add clauses so you only accept packets from that machine. Depends on how restrictive you want to be.

  3. #3

    Re: iptables and dhcp

    I would guess the reason it is working is because of timing. Your machine comes up, asks for an ip address from the dhcp server and then loads the firewall. Do you know when the firewall is loaded relative to the interface coming up?
    My firewall script is /etc/network/if-pre-up.d/00-firewall

    Do you have a reference for this information? I have trouble believing it
    These links prove the existence of raw sockets and that they do bypass iptables:
    http://en.wikipedia.org/wiki/Raw_socket
    http://www.linuxchix.org/content/cou...ty/raw_sockets
    This link is to show that dhcp uses raw sockets:
    http://www.mail-archive.com/netfilte.../msg03189.html

    Yes it will accept packets from any source. If you want to take it a step further then you could find out the ip address and/or mac address of the dhcp server and add clauses so you only accept packets from that machine. Depends on how restrictive you want to be.
    Thanks I wasn't thinking straight on that one...

    Anyway, I talked to a couple of people today, and it does seem that dhcp uses raw sockets to communicate, so that's why my iptables script wasn't blocking it...but it is still strange that my log records other people's dhcp requests, and it seems that there was one case where the dhcp server contacted my box directly (with source port 67 and dest port 68)...I don't know what that's about....

    EDIT: Fixed one of the links.

  4. #4

    Re: iptables and dhcp

    Very early on in your iptables INPUT rules should be a rule that allows packets that are RELATED,ESTABLISHED. This allows incoming responses to outgoing connections/requests back in. Such a rule will of course then allow in replies to your DHCP requests.

  5. #5

    Re: iptables and dhcp

    Quote Originally Posted by The Cog View Post
    Very early on in your iptables INPUT rules should be a rule that allows packets that are RELATED,ESTABLISHED. This allows incoming responses to outgoing connections/requests back in. Such a rule will of course then allow in replies to your DHCP requests.
    Yes I do have that rule (although I don't have the RELATED state included), but dhcp first works by broadcasting the DHCPOFFER no? Also, the DHCPREQUEST is broadcasted as well right? I find it hard to believe iptables will count a udp packet that is broadcasted in response to a broadcast as ESTABLISHED....

  6. #6

    Re: iptables and dhcp

    Quote Originally Posted by ooobooontooo View Post
    I find it hard to believe iptables will count a udp packet that is broadcasted in response to a broadcast as ESTABLISHED....
    Use of a broadcast response was noted in http://www.faqs.org/rfcs/rfc1542.html section 4.1.2 sixteen years ago as only being for supporting "older implementations". And I am sure that the writers of iptables are able to understand BOOTP/DHCP protocol quite well.

    Without the RELATED rule, you may find that FTP data transfers time out - they happen on a different port to the control messages that initiate them, and I think the RELATED rule is to cover that kind of situation.
    Last edited by The Cog; July 12th, 2009 at 08:44 PM.

  7. #7

    Re: iptables and dhcp

    Quote Originally Posted by The Cog View Post
    Use of a broadcast response was noted in http://www.faqs.org/rfcs/rfc1542.html section 4.1.2 sixteen years ago as only being for supporting "older implementations". And I am sure that the writers of iptables are able to understand BOOTP/DHCP protocol quite well.

    Without the RELATED rule, you may find that FTP data transfers time out - they happen on a different port to the control messages that initiate them, and I think the RELATED rule is to cover that kind of situation.
    Excellent link. Thank you. I look forward to reading it. So are you saying that it is the ESTABLISHED rule which allows dhcp traffic rather than raw sockets?

    Regarding the RELATED rule, I don't really use ftp, and I can always use passive mode if I wanted to. The only use for the RELATED state that I have is for icmp and I take care of that in a different chain. Thank you for your suggestion though.

  8. #8

    Re: iptables and dhcp

    Quote Originally Posted by ooobooontooo View Post
    So are you saying that it is the ESTABLISHED rule which allows dhcp traffic rather than raw sockets?
    I have never found a need to configure iptables to permit packets in to port 68 explicitly. I assume this is because iptables sees the outgoing broadcast and knows to allow replies back in. I also assume this is part of the ESTABLISHED rule. It might be interesting to try DHCP with and without that rule in place to see the difference, but I haven't done so.

  9. #9

    Re: iptables and dhcp

    Just to chip in on FTP:
    Netfilter has a special FTP tracking module that allows it to make FTP work despite the port changes. There is a similar tracker for RPC used with NFS.

  10. #10

    Re: iptables and dhcp

    I was going to call 'bovine excrement' on most of this thread (dhcp uses udp ports 67 and 68 - that'd be udp sockets, not raw sockets; ESTABLISHED and RELATED don't mean a thing in a stateless protocol such as udp ... ; you need to explicitly allow traffic out to udp/67 and in from udp/67 for dhcp to work across a firewall ; .... ) ...
    when I thought I'd better check before running my mouth off

    so, I released my dhcp lease, brought down my eth0, including IPv6, set up iptables to DROP everything anywhere, (at some point, I even added explicit DROP rules for DHCP ...) and ran dhclient to try and get an IP address. guess what ...

    Code:
    Listening on LPF/eth0/00:50:04:35:38:32
    Sending on   LPF/eth0/00:50:04:35:38:32
    Sending on   Socket/fallback
    DHCPRELEASE on eth0 to 192.168.1.1 port 67
    send_packet: Operation not permitted
    
    root@knix:~# ifconfig eth0 inet6 down
    root@knix:~# ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:50:04:35:38:32 
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:8899 errors:0 dropped:0 overruns:0 frame:0
              TX packets:6949 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:10620603 (10.1 MB)  TX bytes:927036 (905.3 KB)
              Interrupt:20 Base address:0xa000 
    
    lo        Link encap:Local Loopback  
              <snip>
    
    
    root@knix:~# iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    DROP       udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc 
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy DROP)
    target     prot opt source               destination         
    DROP       udp  --  anywhere             anywhere            udp spt:bootpc dpt:bootps 
    
    root@knix:~# dhclient
    There is already a pid file /var/run/dhclient.pid with pid 134519072
    Internet Systems Consortium DHCP Client V3.0.6
    Copyright 2004-2007 Internet Systems Consortium.
    All rights reserved.
    For info, please visit http://www.isc.org/sw/dhcp/
    
    Listening on LPF/eth0/00:50:04:35:38:32
    Sending on   LPF/eth0/00:50:04:35:38:32
    Sending on   Socket/fallback
    DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3
    DHCPOFFER of 192.168.1.251 from 192.168.1.1
    DHCPREQUEST of 192.168.1.251 on eth0 to 255.255.255.255 port 67
    DHCPACK of 192.168.1.251 from 192.168.1.1
    bound to 192.168.1.251 -- renewal in 16968 seconds.
    root@knix:~#
    so, did I miss something? what exactly is happening here?
    Last edited by koenn; July 13th, 2009 at 08:09 PM. Reason: colloquial term for 'bovine excrement' didn't pass the forum's language filter
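The sorting problem the thread keeps circling (other clients' broadcast requests landing in the OP's log, post #2's suggestion to trust only the known DHCP server, and koenn's OFFER of 192.168.1.251 from 192.168.1.1) as an added example that is not from any poster: a small RFC 2131 parser that labels a captured DHCP payload. The packets are constructed in the test rather than captured; the MAC and addresses are koenn's from the output above, and the second client's MAC is made up.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that starts the options area
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def ip(b):  return ".".join(str(x) for x in b)
def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s): return bytes(int(o) for o in s.split("."))

def build(op, xid, chaddr, yiaddr, msg_type, server_id=None, flags=0):
    """Constructed BOOTP/DHCP message for testing (not a real capture)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, flags)   # htype=1 ethernet, hlen=6
    hdr += bytes(4) + ip_bytes(yiaddr) + bytes(8)               # ciaddr, yiaddr, siaddr, giaddr
    hdr += chaddr + bytes(10) + bytes(192)                      # chaddr (16), sname (64), file (128)
    opts = bytes([53, 1, msg_type])                             # option 53: DHCP message type
    if server_id:
        opts += bytes([54, 4]) + ip_bytes(server_id)            # option 54: server identifier
    return hdr + MAGIC + opts + b"\xff"

def parse(pkt):
    """Parse the fixed header and the options area; raises on a non-DHCP payload."""
    op, _, hlen, _, xid, _, flags = struct.unpack_from("!BBBBIHH", pkt, 0)
    if pkt[236:240] != MAGIC:
        raise ValueError("no DHCP magic cookie")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:      # 255 = END
        if pkt[i] == 0:                        # 0 = PAD, no length byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": op, "xid": xid, "broadcast": bool(flags & 0x8000),
            "yiaddr": ip(pkt[16:20]), "chaddr": mac(pkt[28:28 + hlen]),
            "type": TYPES.get(opts.get(53, b"\0")[0], "UNKNOWN"),
            "server_id": ip(opts[54]) if 54 in opts else None}

def classify(pkt, my_mac, trusted_server):
    """Label a logged DHCP message: ours, another client's, or from an unexpected server."""
    m = parse(pkt)
    if m["op"] == 1:                           # BOOTREQUEST: sent by a client
        return "own-request" if m["chaddr"] == my_mac else "other-client-request"
    if m["chaddr"] != my_mac:                  # BOOTREPLY addressed to someone else's MAC
        return "reply-to-other-client"
    if m["server_id"] != trusted_server:
        return "reply-from-untrusted-server"
    return "own-" + m["type"].lower()
```

Because the server identifier (option 54) is checked against the one server you expect, a reply offering an address from some other server shows up as its own label rather than being accepted silently.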

