Re: iptables and bootp

[Martin Josefsson]

On Mon, 2004-05-24 at 16:41, Christoph Pleger wrote:
> Hello,
> 
> I'm using the following commands to drop all traffic to and from the
> bootp-port of one of my machines:
> 
> iptables -I INPUT -i eth0 -p tcp --destination-port bootps -j DROP
> iptables -I INPUT -i eth0 -p udp --destination-port bootps -j DROP
> iptables -I OUTPUT -o eth0 -p tcp --source-port bootps -j DROP
> iptables -I OUTPUT -o eth0 -p udp --source-port bootps -j DROP
> 
> But this machine gives a reply to another machine's bootp-request that
> was created by the program "bootpc" (it is not possible that that answer
> comes from another bootp-Server). Iptables-Statistics show that
> UDP-packets to the bootps-port have been dropped, but obviously that has
> not really happened (as shown by tcpdump). Dropped outgoing packets from
> port bootps do not appear in the statistics. 
> 
> When I change the port number in the above commands (for example, to
> 20003), the packets are actually blocked.
> 
> Does somebody have any advice?

The bootp-server uses raw sockets, iptables can't (and shouldn't) block
that. By the time iptables gets the packet, the bootp-server already got
a copy of the packet.
The bootp-server uses raw sockets in order to among other things be able
to send replies to a specific macaddress.

linux-kernel isn't the correct list for this. Please look at
http://www.netfilter.org/mailinglists.html

-- 
/Martin

Attachment: signature.asc
Description: This is a digitally signed message part