Hi All,
I'm trying to protect my DHCP server with some iptables rules against DoS,
and I see all the "hopefully dropped" packets in my LOG target. But the drop
doesn't really work: the packets are still going through my firewall to my
DHCP server.
Here is my simple ruleset:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 MSK_DHCP   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67

Chain MSK_DHCP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix '**DHCP-Flood**'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
All my default policies are set to DROP.
My testing environment is the ISC DHCP server (net-misc/dhcp-3.0.1-r1) and
a simple hping.
I see that exactly the same number of UDP packets I sent is reaching the DHCP
server (shown in my syslog) and is also shown in the iptables packet counter.
This behaviour was tested on different kernel versions: 2.6.15-gentoo-r1 and
-r7, and also on an older vanilla one.
Where is my mistake? I can't believe that this is really a bug.
Thanks for an answer,
Martin
--
gentoo-security@gentoo.org mailing list
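Added example, not part of Martin's post and not code from ISC dhcp or iptables: a small Python script that automates the comparison the post does by hand, counting the firewall's '**DHCP-Flood**' LOG hits against the requests dhcpd itself logs, per inbound interface. The syslog lines below are constructed for the example; the iptables LOG field layout is the kernel's, the dhcpd lines follow ISC dhcpd's "DHCPDISCOVER from <mac> via <iface>" format, and the hostname, timestamps, MACs and interface names are placeholders. One caveat a practitioner would check before suspecting the kernel: ISC dhcpd on Linux is normally built with LPF and reads frames from a packet socket, and packet sockets receive frames before the IP layer's netfilter INPUT hook, so a DROP rule there still logs and counts every packet but does not keep the daemon from seeing it. Matching counts, as in the post, are therefore the expected outcome rather than a bug, and the flood has to be stopped upstream of the host or in the daemon's own configuration.

```python
"""Check whether an iptables DROP on udp/67 actually blinds dhcpd.

Reads a syslog excerpt, counts netfilter LOG hits carrying the
'**DHCP-Flood**' prefix from the post, counts the requests dhcpd itself
logged, and reports per interface whether the drop had any effect.
"""
import re
from collections import Counter

# Kernel LOG line emitted by the MSK_DHCP chain in the post. The prefix is
# followed directly by IN=<iface>; SRC/DST and PROTO/SPT/DPT come later.
IPTABLES_RE = re.compile(
    r"\*\*DHCP-Flood\*\*\s*IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) .*?"
    r"PROTO=UDP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)
# ISC dhcpd request log line: "DHCPDISCOVER from <mac> via <iface>".
# Adapt the message list if your dhcpd logs something else for the flood.
DHCPD_RE = re.compile(
    r"dhcpd: DHCP(?:DISCOVER|REQUEST|INFORM|RELEASE|DECLINE) from "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) via (?P<iface>\S+)"
)

# Constructed sample, not real logs: three floods on eth0 that dhcpd still
# saw, two on eth1 that it did not, plus one unrelated line as noise.
SAMPLE_SYSLOG = """\
Mar  4 10:00:01 fw kernel: **DHCP-Flood**IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=308
Mar  4 10:00:01 fw dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Mar  4 10:00:02 fw kernel: **DHCP-Flood**IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:56:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=308
Mar  4 10:00:02 fw dhcpd: DHCPDISCOVER from 00:11:22:33:44:56 via eth0
Mar  4 10:00:02 fw sshd[4242]: Accepted publickey for admin from 192.0.2.10 port 50111 ssh2
Mar  4 10:00:03 fw kernel: **DHCP-Flood**IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:57:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=308
Mar  4 10:00:03 fw dhcpd: DHCPDISCOVER from 00:11:22:33:44:57 via eth0
Mar  4 10:00:04 fw kernel: **DHCP-Flood**IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:aa:bb:cc:dd:ee:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=308
Mar  4 10:00:04 fw kernel: **DHCP-Flood**IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:aa:bb:cc:dd:ef:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=308
"""


def tally(syslog_text):
    """Return (dropped, seen): per-interface counts of firewall LOG hits on
    udp/67 and of requests dhcpd logged anyway."""
    dropped, seen = Counter(), Counter()
    for line in syslog_text.splitlines():
        m = IPTABLES_RE.search(line)
        if m and m.group("dpt") == "67":
            dropped[m.group("iface")] += 1
            continue
        m = DHCPD_RE.search(line)
        if m:
            seen[m.group("iface")] += 1
    return dropped, seen


def analyse(syslog_text):
    """Per interface: how many packets the firewall claims to have dropped,
    how many requests dhcpd still logged, and whether the DROP was effective.
    A working DROP leaves the daemon blind; equal counts mean the rule only
    observes the traffic."""
    dropped, seen = tally(syslog_text)
    report = {}
    for iface in sorted(set(dropped) | set(seen)):
        d, s = dropped[iface], seen[iface]
        report[iface] = {
            "dropped": d,
            "seen_by_dhcpd": s,
            "drop_effective": d > 0 and s == 0,
        }
    return report


if __name__ == "__main__":
    for iface, r in analyse(SAMPLE_SYSLOG).items():
        status = "effective" if r["drop_effective"] else "NOT effective"
        print(f"{iface}: firewall dropped {r['dropped']}, dhcpd still saw "
              f"{r['seen_by_dhcpd']} -> DROP {status}")
```

Feed it the real syslog (`python3 check_dhcp_drop.py < /var/log/messages` after swapping SAMPLE_SYSLOG for sys.stdin.read()) while hping is running; an interface where dhcpd's count tracks the firewall's count is one where the daemon reads the frames below netfilter, and tightening the INPUT chain will not change that.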