Re: iptables not blocking dhcp traffic (dhclient)
On Mon, Mar 24, 2003 at 05:23:06PM +0100, Remy C. Cool wrote:
> Why is it that the dhclient program on this machine still gets its IP
> from the dhcp server and why don't I get the DHCP traffic in the log?
> The rules are installed before networking is initialized. (The
> logging works for any other traffic on this box.)
Because ISC DHCP does not use UDP sockets, it uses
raw and/or packet sockets. It effectively gets a _copy_
of the packet, and that copy does not go through the
netfilter framework.
Same thing as why tcpdump sees packets your firewall
rules drop.
> Also when I create a rule which sets ICMP incoming to REJECT and try
> to telnet to the machine, the 'telnetting' machine does not get the
> icmp port unreachable message but times out. When doing this with my
> old ipchains box, the message was received and did not have to wait
> on a timeout. Is this normal behaviour for iptables or does it have to
> be something else?
Uh? You set ICMP incoming to REJECT on machine A, and then telnet
from machine B to machine A? That doesn't have anything to do with
ICMP going _to_ machine A. That's TCP SYN B->A and then possibly,
if the packet was rejected, an ICMP error A->B.
As always, if in doubt make the rule in question a LOG rule, and
see if it matches anything at all. In this case, it probably
doesn't.
--
:(){ :|:&};: