Re: Can't block DHCP with iptables?
Derrik Pates touched on this earlier in the thread, but I'll try and clarify a bit. The DHCP server of the ISC (Internet Software Consortium, http://www.isc.org) uses a different type of network access in Linux, so to speak. Normally, when programs need network access, they open up an Internet socket of the correct protocol (TCP/UDP), which gets any packets destined for it and can send packets after the kernel has applied all IP Tables rules to them. So if you have a policy of DROP/REJECT or you have a rule that matches a packet to/from this socket that DROP/REJECTs it, the socket will not receive or be able to send that packet.

However, the ISC DHCP server uses an Internet Socket of protocol Raw instead of TCP or UDP. This facility, naturally, is only available to root (uid 0, really), and receives packets before the IP Tables processing. It also receives all Internet packet headers as well, so it gets to do additional processing. But because Raw sockets get packets before the IP Tables processing, the ISC DHCP server is able to obtain an IP address through DHCP.

More information (possibly not in a useful state) can be found in the man pages for socket, ip, tcp, udp, http://nodevice.com/sections/ManIndex/man1275.html, and, of course, the source code.

On Tue, May 28, 2002 at 12:43:04AM -0700, Stewart Thompson wrote:
> Roar:
> You are absolutely right. I just tried on one of my machines. It still manages to get an ip and start up with ifup. I don't have an explanation for it. Time for the Guruz to chime in.
> Stu..

-- 
In a display of perverse brilliance, Carl the repairman mistakes a room humidifier for a mid-range computer but manages to tie it into the network anyway. -- The 5th Wave

Evan Cofsky, The UNIX Man, [EMAIL PROTECTED]
Re: Can't block DHCP with iptables?
Roar Bjørgum Rotvik [EMAIL PROTECTED] writes:
> In this scenario, the policy DROP exists before the DHCP client starts up, but still the DHCP client manages to assign a new IP-address. ifconfig shows that eth0 has been assigned a new IP-address. ping or any network traffic after that does not work, as expected. What I want to accomplish is to block all network traffic in/out up until a certain point, and that includes DHCP.

Iptables only deals with IP packets. DHCP-clients don't use the IP-stack, but use raw sockets to talk directly to the network interface. Very simplified, what you have is this:

    eth0 ---+--- iptables  --- IP-stack
            |    filtering
            |
            +--- Raw socket --- DHCP-client

/Marcus
-- 
Marcus Sundberg [EMAIL PROTECTED] | Firewalls with SIP NAT
Firewall Developer, Ingate Systems AB | http://www.ingate.com/
RE: Can't block DHCP with iptables?
On Mon, 27 May 2002, Stewart Thompson wrote:
> Normally the iptables script runs after the interfaces have been brought up by the system. By that time blocking DHCP is kind of irrelevant. A default policy of drop should block everything all right, but it is kind of closing the barn door after the horse has left. Why not just set up the interface so it doesn't make a DHCP request? If there are special circumstances, you will have to give us some more details of what you are trying to accomplish.

I can see I didn't explain well enough. I'm on a local machine with interface eth0 down. I manually enter the iptables policy DROP for all three normal chains, and then start up interface eth0 with 'ifup eth0' (eth0 is configured with dhcp and ONBOOT=n). In this scenario, the policy DROP exists before the DHCP client starts up, but still the DHCP client manages to assign a new IP-address. ifconfig shows that eth0 has been assigned a new IP-address. ping or any network traffic after that does not work, as expected.

What I want to accomplish is to block all network traffic in/out up until a certain point, and that includes DHCP.

-- 
Roar Bjørgum Rotvik
RE: Can't block DHCP with iptables?
Roar:
You are absolutely right. I just tried on one of my machines. It still manages to get an ip and start up with ifup. I don't have an explanation for it. Time for the Guruz to chime in.
Stu..

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roar Bjørgum Rotvik
Sent: May 27, 2002 11:58 PM
To: [EMAIL PROTECTED]
Subject: RE: Can't block DHCP with iptables?

> I can see I didn't explain well enough. I'm on a local machine with interface eth0 down. I manually enter the iptables policy DROP for all three normal chains, and then start up interface eth0 with 'ifup eth0' (eth0 is configured with dhcp and ONBOOT=n). In this scenario, the policy DROP exists before the DHCP client starts up, but still the DHCP client manages to assign a new IP-address. ifconfig shows that eth0 has been assigned a new IP-address. ping or any network traffic after that does not work, as expected.
>
> What I want to accomplish is to block all network traffic in/out up until a certain point, and that includes DHCP.
>
> -- 
> Roar Bjørgum Rotvik
Re: Can't block DHCP with iptables?
On Tue, May 28, 2002 at 12:43:04AM -0700, Stewart Thompson wrote:
> Roar:
> You are absolutely right. I just tried on one of my machines. It still manages to get an ip and start up with ifup. I don't have an explanation for it. Time for the Guruz to chime in.
> Stu..

What is the rule that you're using? What I have as a test is:

    $IPT -t filter -A INPUT -p udp --sport 68 --dport 67 -j DROP

Assuming that your firewall runs dhcpd (67) and a client requests for an IP (68), and it works for me (the client doesn't get any IP assigned).

Ramin
Re: Can't block DHCP with iptables?
On Tue, May 28, 2002 at 12:43:04AM -0700, Stewart Thompson wrote:
> > I'm on a local machine with interface eth0 down. I manually enter the iptables policy DROP for all three normal chains, and then start up interface eth0 with 'ifup eth0' (eth0 is configured with dhcp and ONBOOT=n). In this scenario, the policy DROP exists before the DHCP client starts up, but still the DHCP client manages to assign a new IP-address. ifconfig shows that eth0 has been assigned a new IP-address. ping or any network traffic after that does not work, as expected.
>
> You are absolutely right. I just tried on one of my machines. It still manages to get an ip and start up with ifup. I don't have an explanation for it. Time for the Guruz to chime in.

For both of you, does tcpdump and/or the DHCP server show communication taking place, or are you just going by the fact that the interface has an address? Is this definitely a *new* *valid* [1] address, rather than the host just re-using the old one because it can't contact a DHCP server?

[1] Not in the 169.254.0.0 range

-- 
FunkyJesus
System Administration Team
RE: Can't block DHCP with iptables?
Hi Ramin:
The situation Roar was talking about was with a policy of drop all on all chains. I would think that would cover the rule before and any other equivalent rule, wouldn't it?
Stu.

-----Original Message-----
From: Ramin Alidousti [mailto:[EMAIL PROTECTED]]
Sent: May 28, 2002 10:21 AM
To: Stewart Thompson
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Can't block DHCP with iptables?

> On Tue, May 28, 2002 at 12:43:04AM -0700, Stewart Thompson wrote:
> > Roar:
> > You are absolutely right. I just tried on one of my machines. It still manages to get an ip and start up with ifup. I don't have an explanation for it. Time for the Guruz to chime in.
>
> What is the rule that you're using? What I have as a test is:
>
>     $IPT -t filter -A INPUT -p udp --sport 68 --dport 67 -j DROP
>
> Assuming that your firewall runs dhcpd (67) and a client requests for an IP (68), and it works for me (the client doesn't get any IP assigned).
>
> Ramin
RE: Can't block DHCP with iptables?
Thanks for the excellent description Evan.

-----Original Message-----
From: Evan Cofsky [mailto:[EMAIL PROTECTED]]
Sent: May 28, 2002 9:34 AM
To: Stewart Thompson; [EMAIL PROTECTED]
Subject: Re: Can't block DHCP with iptables?

> Derrik Pates touched on this earlier in the thread, but I'll try and clarify a bit. The DHCP server of the ISC (Internet Software Consortium, http://www.isc.org) uses a different type of network access in Linux, so to speak. Normally, when programs need network access, they open up an Internet socket of the correct protocol (TCP/UDP), which gets any packets destined for it and can send packets after the kernel has applied all IP Tables rules to them. So if you have a policy of DROP/REJECT or you have a rule that matches a packet to/from this socket that DROP/REJECTs it, the socket will not receive or be able to send that packet.
>
> However, the ISC DHCP server uses an Internet Socket of protocol Raw instead of TCP or UDP. This facility, naturally, is only available to root (uid 0, really), and receives packets before the IP Tables processing. It also receives all Internet packet headers as well, so it gets to do additional processing. But because Raw sockets get packets before the IP Tables processing, the ISC DHCP server is able to obtain an IP address through DHCP.
>
> More information (possibly not in a useful state) can be found in the man pages for socket, ip, tcp, udp, http://nodevice.com/sections/ManIndex/man1275.html, and, of course, the source code.
>
> On Tue, May 28, 2002 at 12:43:04AM -0700, Stewart Thompson wrote:
> > Roar:
> > You are absolutely right. I just tried on one of my machines. It still manages to get an ip and start up with ifup. I don't have an explanation for it. Time for the Guruz to chime in.
> > Stu..
>
> -- 
> In a display of perverse brilliance, Carl the repairman mistakes a room humidifier for a mid-range computer but manages to tie it into the network anyway. -- The 5th Wave
>
> Evan Cofsky, The UNIX Man, [EMAIL PROTECTED]
Re: Can't block DHCP with iptables?
On Tue, May 28, 2002 at 04:50:05PM -0400, Ramin Alidousti wrote:
> On Tue, May 28, 2002 at 01:17:32PM -0700, Stewart Thompson wrote:
> > Thanks for the excellent description Evan.
>
> Yes. Truly, a very good explanation.

Seconded. But I have one question: You say the default policy DROP does not catch this situation because dhcpd uses the raw socket, bypassing netfilter. But why is netfilter then able to filter the DHCP packets if you explicitly specify the rule, like:

    $IPT -t filter -A INPUT -p udp --sport 68 --dport 67 -j DROP

Does this work with the *particular* DHCP software mentioned? What is the difference between a default DROP and an explicit DROP with regards to a raw socket?

If this is a problem, then that means you could bypass netfilter / iptables by using raw sockets, so you could get traffic into or out of a supposedly protected box. What else uses raw sockets, anything I could test with? How about all the other protocols, like BGP (and ICMP?), don't they use a similar method to get in and out of a linux host?

-- 
FunkyJesus
System Administration Team
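The "what else uses raw sockets" question above, and the raw-socket branch in Marcus's diagram, come down to an inventory problem for the defender: on Linux the path that skips the INPUT chain is an AF_PACKET socket, and the kernel lists every one of those in /proc/net/packet. The script below is an added example, not code from anyone in this thread; it parses that file (column layout as the kernel prints it, sample rows constructed) and maps each socket inode back to the process holding it, so you can see which daemons on a host read frames before iptables does.

```python
import os
import re

# Constructed sample of /proc/net/packet in the kernel's column layout
# (Type 3 = SOCK_RAW, 2 = SOCK_DGRAM; Proto = bound ethertype in hex).
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto Iface R Rmem   User   Inode
ffff9a1c3e0b4000 3      3    0003   2     1 0      0      31337
ffff9a1c3e0b8800 3      2    0800   2     1 0      0      31442
"""

SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}
ETH_PROTOS = {0x0003: "ETH_P_ALL", 0x0800: "ETH_P_IP", 0x0806: "ETH_P_ARP"}
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def parse_proc_net_packet(text):
    """One dict per packet socket listed in /proc/net/packet text."""
    sockets = []
    for line in text.splitlines()[1:]:  # first row is the column header
        f = line.split()
        if len(f) < 9:
            continue
        stype, proto = int(f[2]), int(f[3], 16)
        sockets.append({"type": SOCK_TYPES.get(stype, str(stype)),
                        "proto": ETH_PROTOS.get(proto, "0x%04x" % proto),
                        "ifindex": int(f[4]), "inode": int(f[8])})
    return sockets


def inode_owners(inodes, proc="/proc"):
    """Map socket inode -> [(pid, comm)] by scanning every /proc/<pid>/fd."""
    owners = {}
    if not os.path.isdir(proc):
        return owners
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd))
                     for fd in os.listdir(fd_dir)]
            comm = open(os.path.join(proc, pid, "comm")).read().strip()
        except OSError:  # process exited, or fd table unreadable (run as root)
            continue
        for m in filter(None, map(SOCKET_LINK.match, links)):
            if int(m.group(1)) in inodes:
                owners.setdefault(int(m.group(1)), []).append((int(pid), comm))
    return owners


def packet_socket_report(text, proc="/proc"):
    """Report lines: each packet socket and the processes holding it."""
    socks = parse_proc_net_packet(text)
    owners = inode_owners({s["inode"] for s in socks}, proc)
    return ["%s %s ifindex=%d inode=%d held by %s" % (
        s["type"], s["proto"], s["ifindex"], s["inode"],
        owners.get(s["inode"]) or "unknown") for s in socks]
```

On a live host, pass the contents of /proc/net/packet to packet_socket_report(); reading other users' fd tables needs root, and a DHCP client or server in the list is the expected finding, anything else deserves a look.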
Re: Can't block DHCP with iptables?
On Mon, May 27, 2002 at 10:13:11AM +0200, Roar Bjørgum Rotvik wrote:
> I have a problem blocking DHCP request/response with iptables. Am I wrong to assume that setting default policy for INPUT/OUTPUT/FORWARD to DROP would block any traffic on any interface? The problem is that 'ifup eth0', where eth0 uses DHCP, still gets an IP address defined from the DHCP server, even after setting default policy to DROP. Is this a bug in iptables, or can I block DHCP in another way?

I assume you're using the ISC DHCP server? It uses raw sockets to grab packets, which bypasses the need to pick those packets up in userspace, so even if iptables drops the packet, it still gets to see it. There's not really a way to force iptables to work around that. Maybe you can configure your DHCP server to assign the system in question a bogus address?

-- 
Derrik Pates      | Sysadmin, Douglas School | #linuxOS on EFnet
[EMAIL PROTECTED] | District (dsdk12.net)    | #linuxOS on OPN
RE: Can't block DHCP with iptables?
Roar:
Normally the iptables script runs after the interfaces have been brought up by the system. By that time blocking DHCP is kind of irrelevant. A default policy of drop should block everything all right, but it is kind of closing the barn door after the horse has left. Why not just set up the interface so it doesn't make a DHCP request? If there are special circumstances, you will have to give us some more details of what you are trying to accomplish.
Stu..

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roar Bjørgum Rotvik
Sent: May 27, 2002 1:13 AM
To: [EMAIL PROTECTED]
Subject: Can't block DHCP with iptables?

> Hello!
> I have a problem blocking DHCP request/response with iptables. Am I wrong to assume that setting default policy for INPUT/OUTPUT/FORWARD to DROP would block any traffic on any interface? The problem is that 'ifup eth0', where eth0 uses DHCP, still gets an IP address defined from the DHCP server, even after setting default policy to DROP. Is this a bug in iptables, or can I block DHCP in another way?
>
> -- 
> Roar Bjørgum Rotvik
Re: Can't block DHCP with iptables?
Stewart Thompson wrote:
> Normally the iptables script runs after the interfaces have been brought up by the system.

From a security point of view, I'd suggest starting iptables _before_ networking comes up...

Adam