Aug 8, 2011

unable to block DHCP and other traffic on INPUT chain


Here is the output of my iptables-save command. The last rule and default policy is to DROP any packets that don't match anything.

```
# Generated by iptables-save v1.4.9 on Wed Aug 3 21:00:05 2011
*filter
:OUTPUT ACCEPT [76:6239]
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
```

But surprisingly, DHCP and all other traffic is getting through… Please advise how to allow connections on port 8080 and port 2222 only and drop everything else.

Network Diagram

The iptables rules are being set on the FedoraRouter machine. And this FedoraRouter machine is running Apache and SSH on ports 8080 and 2222 respectively.

The clients FedoraClient and WinXP-Client need to have access to these services only. I cannot block them by IP because I'll be adding in more computers in the future; anything other than HTTP and SSH traffic needs to be dropped in general.

Based on the current setup, it is allowing DHCP packets to the router; the router is in fact running DHCP and I need to block it.



ISC dhcpd, for various rather annoying reasons, uses raw sockets to perform its network I/O. For other technical reasons, raw sockets bypass iptables processing (including the inappropriately named raw table), which makes iptables ineffective for filtering DHCP server traffic when the firewall and host are on the same machine.

You can read about raw sockets here

DHCP traffic is broadcasted anyway, and it’s not easy to block it on a per-client basis. So why wouldn’t you just shut the dhcpd daemon down?
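To put the two halves of this thread together in working form, here is an added example (not the asker's rules and not the answerer's code) of a complete iptables-restore ruleset that admits only Apache on 8080, sshd on 2222 and ICMP, with a small lint that catches the `-p -m tcp` defect visible in the pasted iptables-save output, and a check for the packet socket the answer describes. It assumes the filter table only, that the `conntrack` match is available, and that `apply_ruleset` is called as root; the FORWARD policy is left at ACCEPT because routing between the clients and the upstream network is not the subject of the question.

```sh
#!/bin/sh
# Added example: restrictive INPUT ruleset for the router in the question,
# plus a lint for saved rule files. Assumptions: filter table only, the
# 'conntrack' match is present, and apply_ruleset runs as root.

build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is needed by the local services themselves.
-A INPUT -i lo -j ACCEPT
# Replies to connections the router opened, and related traffic such as ICMP errors.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The only two services clients may reach: Apache on 8080, sshd on 2222.
-A INPUT -p tcp -m tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# Explicit final DROP so its counter shows how much the policy is rejecting.
-A INPUT -j DROP
COMMIT
EOF
}

# Number of TCP ports the ruleset opens to new connections; must stay at 2.
count_open_ports() {
    build_ruleset | grep -c -- '--dport'
}

# Lint a saved ruleset file. Fails on a '-p' with no protocol argument
# (the defect in the question's iptables-save output), on an INPUT policy
# other than DROP, and on a missing COMMIT.
lint_ruleset() {
    file="$1"
    if grep -qE -- '-p[[:space:]]+-' "$file"; then
        echo "lint: '-p' is missing its protocol argument" >&2
        return 1
    fi
    if ! grep -q '^:INPUT DROP' "$file"; then
        echo "lint: INPUT policy is not DROP" >&2
        return 1
    fi
    if ! grep -q '^COMMIT$' "$file"; then
        echo "lint: missing COMMIT" >&2
        return 1
    fi
    return 0
}

# Load the ruleset atomically (root required): iptables-restore replaces the
# whole filter table in one step, so there is no moment with no rules loaded.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    build_ruleset > "$tmp"
    lint_ruleset "$tmp" || { rm -f "$tmp"; return 1; }
    iptables-restore < "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# The answer's point: dhcpd sends and receives through a packet socket that
# the INPUT chain never sees. 'ss -0' lists packet sockets; dhcpd appearing
# here is the traffic path iptables cannot filter on this host.
show_packet_sockets() {
    ss -0 -p
}

# Only touch the live firewall when explicitly asked (APPLY_RULES=yes).
if [ "${APPLY_RULES:-no}" = yes ]; then
    apply_ruleset && iptables -L INPUT -v -n
fi
```

Run it as `APPLY_RULES=yes sh rules.sh` on the router to load the ruleset and print the resulting INPUT chain with counters; `show_packet_sockets` then shows why the DROP policy leaves dhcpd untouched, which is the reason the answer suggests stopping the daemon rather than filtering it.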
