On Tue, May 28, 2002 at 12:43:04AM -0700, Stewart Thompson wrote:
> Roar:
>
> You are absolutely right. I just tried on one of my machines.
> It still manages to get an IP and start up with ifup. I don't have an
> explanation for it. Time for the Guruz to chime in.
What is the rule that you're using? What I have as a test is:

    $IPT -t filter -A INPUT -p udp --sport 68 --dport 67 -j DROP

Assuming that your firewall runs dhcpd (67) and a client requests an IP
(68), this works for me (the client doesn't get any IP assigned).

Ramin

> Stu......
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Roar Bjørgum Rotvik
> Sent: May 27, 2002 11:58 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Can't block DHCP with iptables?
>
> On Mon, 27 May 2002, Stewart Thompson wrote:
>
> > Normally the iptables script runs after the interfaces have been
> > brought up by the system. By that time blocking DHCP is kind of
> > irrelevant. A default policy of drop should block everything all
> > right, but it is kind of closing the barn door after the horse has
> > left. Why not just set up the interface so it doesn't make a DHCP
> > request? If there are special circumstances, you will have to give
> > us some more details of what you are trying to accomplish.
>
> I can see I didn't explain well enough.
>
> I'm on a local machine with interface eth0 down. I manually enter the
> iptables policy DROP for all three "normal" chains, and then start up
> interface eth0 with 'ifup eth0' (eth0 is configured with dhcp and
> ONBOOT=n).
>
> In this scenario, the policy DROP exists before the DHCP client starts
> up, but still the DHCP client manages to assign a new IP address.
>
> ifconfig shows that eth0 has been assigned a new IP address. ping or
> any network traffic after that does not work, as expected.
>
> What I want to accomplish is to block all network traffic in/out up
> until a certain point, and that includes DHCP.
>
> --
> Roar Bjørgum Rotvik
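An added example, written for this page and not posted by anyone in the thread: a small POSIX shell helper that emits the filter rules for both legs of a DHCP exchange and checks ifconfig output for a lease. Ramin's single rule covers only the request leg arriving at a host running dhcpd; a host running a DHCP client, which is Roar's case, also needs the OUTPUT leg (request going out, UDP 68 to 67) and the reply leg (UDP 67 to 68 coming in). The `$IPT` variable name follows Ramin's post; the `IPT=echo` dry-run convention, the function names and the sample ifconfig text are assumptions of this example. One caveat before relying on any of these rules on the client side: ISC dhclient on Linux sends and receives DHCP through a packet socket (its "LPF" backend), and frames on that path are not passed through the IP-layer hooks where the filter table's INPUT and OUTPUT chains sit, which is consistent with what Roar and Stewart observe. Rules like the ones below still keep the kernel's own UDP stack from answering, but the dependable way to keep a dhclient-style client quiet until a given point is Stewart's suggestion: don't start it until then.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits (or, without IPT=echo,
# applies) the iptables filter rules for both legs of a DHCP exchange and
# checks ifconfig output for a lease. IPT is an assumed variable name
# (as in Ramin's post); set IPT=echo to preview rules instead of loading them.
set -u
IPT=${IPT:-iptables}

# policy_drop: what Roar did by hand before 'ifup eth0': default DROP on
# the three built-in filter chains.
policy_drop() {
    $IPT -t filter -P INPUT   DROP
    $IPT -t filter -P OUTPUT  DROP
    $IPT -t filter -P FORWARD DROP
}

# dhcp_block_rules ROLE
#   server : this host runs dhcpd (UDP 67); drop requests in, replies out
#   client : this host runs a DHCP client (UDP 68); drop requests out, replies in
# Ramin's rule is the first line of the server case. A client-side host
# needs the OUTPUT leg too, or its DISCOVER/REQUEST still leaves the box.
dhcp_block_rules() {
    case "${1:-}" in
        server)
            $IPT -t filter -A INPUT  -p udp --sport 68 --dport 67 -j DROP
            $IPT -t filter -A OUTPUT -p udp --sport 67 --dport 68 -j DROP
            ;;
        client)
            $IPT -t filter -A OUTPUT -p udp --sport 68 --dport 67 -j DROP
            $IPT -t filter -A INPUT  -p udp --sport 67 --dport 68 -j DROP
            ;;
        *)
            echo "usage: dhcp_block_rules server|client" >&2
            return 2
            ;;
    esac
}

# lease_assigned IFCONFIG_TEXT: succeeds if the (2002-era) ifconfig output
# for an interface shows an IPv4 address, i.e. the client obtained a lease.
# Run it on "$(ifconfig eth0)" after 'ifup eth0' to repeat Roar's check.
lease_assigned() {
    printf '%s\n' "$1" | grep -q 'inet addr:'
}

# Constructed sample ifconfig outputs for the self-check; not captured
# from a real host.
SAMPLE_WITH_LEASE='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.50  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'
SAMPLE_NO_LEASE='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Stand-alone use:  IPT=echo ./dhcp-rules.sh client   (drop IPT=echo to load)
case "${1:-}" in
    server|client) policy_drop; dhcp_block_rules "$1" ;;
esac
```

The rules are written against the filter table only, as in the thread; they do nothing for traffic a DHCP client moves through a packet socket, so treat `lease_assigned` as the real test and the rules as belt-and-braces for the kernel's UDP path.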