URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID1
Thread number: 56263

Original message
"Filtering by MAC address"

Posted by Torion, 08-May-05 02:56
I am trying to use iptables to stop certain machines from obtaining IP addresses from the DHCP server, but the "enemy" machines still get them. Could someone knowledgeable tell me what I am doing wrong?

[root@torion sysconfig]# uname -a
Linux torion.ru 2.4.22-1.2154.nptl.asp #1 Wed Jan 14 20:17:27 MSK 2004 i686 athlon i386 GNU/Linux

[root@torion sysconfig]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source        destination
BadMAC     all  --  anywhere      anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source        destination
BadMAC     all  --  anywhere      anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source        destination

Chain BadMAC (2 references)
target     prot opt source        destination
DROP       all  --  anywhere      anywhere     MAC 00:30:84:49:05:01

[root@torion sysconfig]# cat iptables
# Generated by iptables-save v1.2.9 on Sun Nov  7 05:32:27 2004
:PREROUTING ACCEPT [4184067:638270079]
:INPUT ACCEPT [822764:69877207]
:FORWARD ACCEPT [3357849:567972120]
:OUTPUT ACCEPT [1197941:1420665250]
:POSTROUTING ACCEPT [4555780:1988636890]
# Completed on Sun Nov  7 05:32:27 2004
# Generated by iptables-save v1.2.9 on Sun Nov  7 05:32:27 2004
:BadMAC - [0:0]
-A BadMAC -m mac --mac-source 00:30:84:49:05:01 -j DROP
============= cut ===================


Messages in this discussion
"Filtering by MAC address"
Posted by jonatan, 08-May-05 13:35
Here are a few excerpts from forums that will help you understand the cause.

It is technically necessary, because DHCP clients do not have IP addressing information when they begin the communication; everything is done using ethernet broadcasts. Such packets cannot be acquired using a standard socket bind, so the server application needs to listen at a lower level than the TCP/IP stack allows.
Unfortunately, DHCPD appears to be running on a raw socket, instead of being an ordinary UDP process. Raw sockets receive COPIES of the normally routed packets, and those COPIES do not pass through the iptables chains, resulting in the behaviour you are seeing.

However, the ISC DHCP server uses an Internet Socket of protocol Raw instead of TCP or UDP. This facility, naturally, is only available to root (uid 0, really), and receives packets before the IP Tables processing. It also receives all Internet packet headers as well, so it gets to do additional processing.

But because Raw sockets get packets before the IP Tables processing,
the ISC DHCP server is able to obtain an IP address through DHCP.
This seems to be consistent with a dhcp server I am running:

# netstat -anp | grep dhcp
udp 0 0*
raw 0 0* 7
unix 2 [ ] DGRAM 24242 1785/dhcpd
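What the thread establishes is that an iptables MAC match never sees dhcpd's traffic, so the per-client decision has to be made in dhcpd itself. The following ISC dhcpd.conf fragment is an added example, not posted by anyone in this thread; the MAC address is the one from the original post, while the subnet, range and router values are constructed.

```conf
# Added example, not from the thread: ISC dhcpd.conf fragment.
# dhcpd reads frames from a packet/raw socket below netfilter, so an
# iptables "-m mac" rule never sees its traffic; the per-MAC decision
# belongs here. Subnet, range and router are constructed values.

subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.200;
    option routers 192.168.0.1;
    default-lease-time 600;
    max-lease-time 7200;
    # Inverse policy (allow list): uncomment so that only clients with a
    # host declaration below are ever offered an address.
    # deny unknown-clients;
}

# Block list: the client MAC from the original post never gets a lease.
# The "booting" flag is only meaningful inside a host declaration.
host blocked-client {
    hardware ethernet 00:30:84:49:05:01;
    deny booting;
}
```

After restarting dhcpd, confirm in its log that the listed MAC receives no DHCPOFFER. A client controls its own MAC address, so this is a convenience control rather than an access boundary.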