Hi Ramin:
The situation Roar was talking about was with a policy of drop all
on all chains. I would think that would cover the rule before and any other
equivalent rule, wouldn't it?
Stu.............
-----Original Message-----
From: Ramin Alidousti [mailto:[EMAIL PROTECTED]]
Sent: May 28, 2002 10:21 AM
To: Stewart Thompson
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Can't block DHCP with iptables?
On Tue, May 28, 2002 at 12:43:04AM -0700, Stewart Thompson wrote:
> Roar:
>
> You are absolutely right. I just tried on one of my machines.
> It still manages to get an IP and start up with ifup. I don't have an
> explanation for it. Time for the Guruz to chime in.
What is the rule that you're using? What I have as a test is:
$IPT -t filter -A INPUT -p udp --sport 68 --dport 67 -j DROP
Assuming that your firewall runs dhcpd (67) and a client requests
an IP (68), it works for me (the client doesn't get any IP
assigned).
Ramin
>
> Stu......
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Roar Bjørgum Rotvik
> Sent: May 27, 2002 11:58 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Can't block DHCP with iptables?
>
> On Mon, 27 May 2002, Stewart Thompson wrote:
>
> > Normally the iptables script runs after the interfaces have been
> > brought up by the system.
> > By that time blocking DHCP is kind of irrelevant. A default policy of
> > drop should block everything all right, but it is kind of closing the
> > barn door after the horse has left.
> > Why not just set up the interface so it doesn't make a DHCP request?
> > If there are special circumstances, you will have to give us some more
> > details of what you are trying to accomplish.
>
> I can see I didn't explain well enough.
>
> I'm on a local machine with interface eth0 down. I manually enter the
> iptables policy DROP for all three "normal" chains, and then start up
> interface eth0 with 'ifup eth0' (eth0 is configured with dhcp and
> ONBOOT=n).
>
> In this scenario, the policy DROP exists before DHCP client starts up, but
> still the DHCP client manages to assign a new IP-address.
>
> ifconfig shows that eth0 has been assigned a new IP-address. ping or
> any network traffic after that does not work, as expected.
>
> What I want to accomplish is to block all network traffic in/out up until
> a certain point, and that includes DHCP.
>
> --
> Roar Bjørgum Rotvik
>
>
>
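The following is an added example and is not code from anyone in this thread. It builds a DHCPDISCOVER the way a DHCP client does (RFC 2131 fixed header plus the message-type option) as a complete Ethernet/IPv4/UDP frame, and offers to put it on the wire through a Linux AF_PACKET socket, which is how Linux DHCP clients of the period (ISC dhclient's LPF backend among them) talk to the network. A packet socket injects and taps frames at the device layer, below the IP layer where the iptables INPUT and OUTPUT hooks sit, so a DROP policy neither stops the client's own DISCOVER going out nor hides the server's OFFER from the client, which is consistent with what Roar observes; the same rule does stop a request arriving at a dhcpd that receives through a normal UDP socket, which is consistent with Ramin's test. The block also includes matches_ramin_rule, which checks the built frame against the UDP sport 68 / dport 67 rule posted above to show that the rule does describe this traffic at the IP layer. The interface name eth0 and the MAC address 00:11:22:33:44:55 are made-up assumptions; sending requires root on Linux.

```python
"""Added example: build a DHCPDISCOVER frame and (optionally) send it
through an AF_PACKET socket. Not from the thread; eth0 and the MAC are
assumptions."""
import random
import socket
import struct

DHCP_CLIENT_PORT = 68
DHCP_SERVER_PORT = 67
BROADCAST_MAC = b"\xff" * 6
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 options magic cookie
ETH_P_IP = 0x0800


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dhcp_discover(mac: bytes, xid: int) -> bytes:
    """RFC 2131 BOOTREQUEST with the broadcast flag set (236-byte fixed
    header) followed by option 53 = DISCOVER, a parameter request list
    (subnet mask, router, DNS) and the end option."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        xid, 0, 0x8000,             # xid, secs, flags (broadcast)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr yiaddr siaddr giaddr
        mac, b"\0" * 64, b"\0" * 128,                # chaddr sname file
    )
    options = MAGIC_COOKIE + bytes([53, 1, 1]) + bytes([55, 3, 1, 3, 6]) + b"\xff"
    return header + options


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    # Checksum 0 means "no checksum", which IPv4 UDP permits.
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = ip_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def build_frame(mac: bytes, xid: int = None) -> bytes:
    """Ethernet broadcast frame carrying 0.0.0.0:68 -> 255.255.255.255:67."""
    if xid is None:
        xid = random.getrandbits(32)
    dhcp = build_dhcp_discover(mac, xid)
    udp = build_udp(DHCP_CLIENT_PORT, DHCP_SERVER_PORT, dhcp)
    ip = build_ipv4("0.0.0.0", "255.255.255.255", udp)
    return BROADCAST_MAC + mac + struct.pack("!H", ETH_P_IP) + ip


def matches_ramin_rule(frame: bytes) -> bool:
    """True if the frame is what '-p udp --sport 68 --dport 67' (the rule
    posted in the thread) would match once the packet reaches the IP layer."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return False
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:                      # not UDP
        return False
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return sport == DHCP_CLIENT_PORT and dport == DHCP_SERVER_PORT


def send_via_packet_socket(frame: bytes, ifname: str = "eth0") -> int:
    """Hand the frame to the driver through AF_PACKET. This path does not
    pass through the netfilter OUTPUT hook; Linux and root required."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW,
                       socket.htons(ETH_P_IP)) as s:
        s.bind((ifname, 0))
        return s.send(frame)


if __name__ == "__main__":
    import sys
    mac = bytes.fromhex("001122334455")          # assumed client MAC
    frame = build_frame(mac)
    print("frame bytes:", len(frame), "rule would match:", matches_ramin_rule(frame))
    if len(sys.argv) > 1:                         # e.g. sudo python3 this.py eth0
        print("sent:", send_via_packet_socket(frame, sys.argv[1]))
```

Run without arguments it only builds and inspects the frame; given an interface name (as root) it also transmits it, and a `tcpdump -ni eth0 port 67` on the same host will show the DISCOVER leaving even with `iptables -P OUTPUT DROP` in place.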