bugzilla-daemon at bugzilla.netfilter.org
2011-Jul-26 03:06 UTC
[Bug 730] New: DHCP request (and other?) traffic bypasses iptables/netfilter
http://bugzilla.netfilter.org/show_bug.cgi?id=730

Summary: DHCP request (and other?) traffic bypasses iptables/netfilter
Product: netfilter/iptables
Version: linux-2.6.x
Platform: x86_64
OS/Version: Ubuntu
Status: NEW
Severity: major
Priority: P5
Component: unknown
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: rcl24 at drexel.edu
Estimated Hours: 0.0

Created an attachment (id=357) --> (http://bugzilla.netfilter.org/attachment.cgi?id=357)
My iptables ruleset for filter

Running Ubuntu 11.04 with iptables 1.4.10-1ubuntu1 and Ubuntu kernel 2.6.38-10-generic on x86-64 architecture.

I have my server configured to act as a NAT router connecting a private LAN to the Internet. The Internet is connected to eth0 and the LAN is connected to eth1. DHCP provides addressing and configuration for the LAN machines. I have an iptables setup to protect the server from both the Internet and the computers on the LAN, with a DROP by default policy for both interfaces.

Internet <--> (eth0) Server (eth1) <--> LAN

While auditing my iptables configuration, I realized that I had never allowed port 67 access via eth1, and yet the machines on my LAN were able to reach my DHCP server. At first I suspected that the basic firewall setup (Ubuntu's UFW) had a liberal policy that allowed that traffic. However, by manually reading the rules, I determined that inbound traffic to port 67 should be blocked by the rules. I will attach my iptables filter rules as the file iptables.txt.

When I run wireshark and connect a computer to my LAN, I see a UDP packet come into eth1 with source address 0.0.0.0:68 to destination 255.255.255.255:67.
bugzilla-daemon at bugzilla.netfilter.org
2011-Jul-26 03:07 UTC
[Bug 730] DHCP request (and other?) traffic bypasses iptables/netfilter
http://bugzilla.netfilter.org/show_bug.cgi?id=730

--- Comment #1 from Robert Lange <rcl24 at drexel.edu> 2011-07-26 05:07:20 ---

Created an attachment (id=358) --> (http://bugzilla.netfilter.org/attachment.cgi?id=358)
First syslog trace connecting a client to the LAN with DHCP packets traced

--
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.
bugzilla-daemon at bugzilla.netfilter.org
2011-Jul-26 03:07 UTC
[Bug 730] DHCP request (and other?) traffic bypasses iptables/netfilter
http://bugzilla.netfilter.org/show_bug.cgi?id=730

--- Comment #2 from Robert Lange <rcl24 at drexel.edu> 2011-07-26 05:07:59 ---

Created an attachment (id=359) --> (http://bugzilla.netfilter.org/attachment.cgi?id=359)
Second syslog trace of connecting a client to LAN, with DHCP packets traced
bugzilla-daemon at bugzilla.netfilter.org
2011-Jul-27 01:15 UTC
[Bug 730] DHCP request (and other?) traffic bypasses iptables/netfilter
http://bugzilla.netfilter.org/show_bug.cgi?id=730

--- Comment #3 from Robert Lange <rcl24 at drexel.edu> 2011-07-27 03:15:45 ---

I just confirmed this bug on a brand new install of Ubuntu 11.04 in a clean-room environment and a default UFW/iptables ruleset. This bug exists even if the 1st rule in the INPUT chain is an unconditional drop of all UDP packets to destination port 67. Syslog trace confirms that the firewall drops the packet, but dhcpd receives the packet anyway and processes it.

By the way, I use isc-dhcp-server 4.1.1-P1-15ubuntu9, which is based on the ISC DHCP server.
bugzilla-daemon at bugzilla.netfilter.org
2011-Jul-27 18:13 UTC
[Bug 730] DHCP request (and other?) traffic bypasses iptables/netfilter
http://bugzilla.netfilter.org/show_bug.cgi?id=730

Robert Lange <rcl24 at drexel.edu> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
             Status|NEW     |RESOLVED
         Resolution|        |INVALID

--- Comment #4 from Robert Lange <rcl24 at drexel.edu> 2011-07-27 20:13:10 ---

Per Mark Andrews of isc.org: "DHCP uses packet filters and these tie into the IP stack before the firewall."

A different topic, but the explanation is also relevant here:
https://lists.isc.org/pipermail/dhcp-users/2010-January/010723.html

Apparently dhcpd uses raw sockets to maximize its robustness and reliability in dealing with DHCP. It also uses a UDP socket as a fallback, and it was the packets to this fallback that iptables was dropping.

So, if your DHCP server operates on the same machine as your firewall, don't expect your firewall to stop traffic to it.
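Comment #4's explanation (dhcpd receives frames through a packet socket that the IP stack feeds before the netfilter hooks) means that the useful audit question on a combined firewall/DHCP host is which processes hold AF_PACKET sockets at all, since no INPUT rule applies to them. The Python below is added here and is not part of the bug report or of ISC dhcpd: it lists those sockets from /proc/net/packet and maps their inodes to PIDs through /proc/<pid>/fd. The embedded sample table is constructed; only its column layout follows the Linux /proc/net/packet file.

```python
import os
import re
SOCK_TYPE_NAMES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}
ETH_PROTO_NAMES = {0x0003: "ETH_P_ALL", 0x0800: "ETH_P_IP", 0x0806: "ETH_P_ARP"}

# Constructed sample in the column layout of /proc/net/packet (not from a real host).
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8d3a1c2b0000 3      3    0003   3     1 0      0      24681
ffff8d3a1c2b0800 2      2    0800   0     1 0      1000   24700
"""
def parse_proc_net_packet(text):
    """Parse the /proc/net/packet table into one dict per AF_PACKET socket."""
    sockets = []
    for line in text.splitlines()[1:]:  # skip the column header
        f = line.split()
        if len(f) >= 9:
            sockets.append({"type": int(f[2]), "proto": int(f[3], 16), "ifindex": int(f[4]),
                            "uid": int(f[7]), "inode": int(f[8])})  # ifindex 0 = any interface
    return sockets

def socket_owners(proc="/proc"):
    """Map socket inode -> PIDs holding it (root is needed to read other users' fd tables)."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # permission denied or process already gone
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), []).append(int(pid))
    return owners

def report(sockets, owners):
    """One line per AF_PACKET socket; frames reach these before the iptables INPUT hook."""
    return ["%s/%s ifindex=%d uid=%d pids=%s" % (
        SOCK_TYPE_NAMES.get(s["type"], str(s["type"])),
        ETH_PROTO_NAMES.get(s["proto"], "0x%04x" % s["proto"]),
        s["ifindex"], s["uid"],
        ",".join(str(p) for p in owners.get(s["inode"], [])) or "?") for s in sockets]
if __name__ == "__main__":
    with open("/proc/net/packet") as fh:
        print("\n".join(report(parse_proc_net_packet(fh.read()), socket_owners())))
```

Run as root on the firewall host; a SOCK_RAW/ETH_P_ALL line owned by the dhcpd PID is the socket that Comment #4 describes, and the only way to keep LAN-side DHCP frames away from it is to not run dhcpd on that interface, not an INPUT rule.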