Below I have tried to copy the relevant things out of my filters. The rule should drop everything except packets to my internal network.

# Abbreviation for the iptables program:
I=/usr/local/sbin/iptables

ALLINTNETWORK="10.0.0.0"    # The 10.0.0.0/8 network
ALLINTNETMASK="255.0.0.0"
ALLINTNET="$ALLINTNETWORK/$ALLINTNETMASK"
INTIF="eth0"

$I -A if-LogDrop-int $LIMIT -j LOG --log-prefix "Bad input packet, internal: "
$I -A if-LogDrop-int -j DROP
$I -A if-LogDrop -i $INTIF -j if-LogDrop-int
$I -A i-int -s $ALLINTNET -j ACCEPT
$I -A i-int -j if-LogDrop
$I -A INPUT -i $INTIF -j i-int

Ramin Alidousti wrote:
> What/where is the rule which drops this packet? This is only the log...
>
> Ramin
>
> On Wed, Feb 27, 2002 at 09:47:53PM +0100, Torben Nielsen wrote:
>
> > It seems that the normal DHCP problem is to get it to work because the filters drop the packets. My
> > problem is to understand why DHCP works, as my rules drop the DHCP broadcast request.
> >
> >
> > Feb 27 21:30:29 gandalf kernel: Bad input packet, internal: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:10:5a:b3:ba:a2:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
> > Feb 27 21:30:29 gandalf dhcpd: Dynamic and static leases present for 10.148.30.6.
> > Feb 27 21:30:29 gandalf dhcpd: Remove host declaration LD or remove 10.148.30.6
> > Feb 27 21:30:29 gandalf dhcpd: from the dynamic address pool for 10.148.30.0
> > Feb 27 21:30:29 gandalf dhcpd: DHCPREQUEST for 10.148.30.6 from 00:10:5a:b3:ba:a2 via eth0
> > Feb 27 21:30:29 gandalf dhcpd: DHCPACK on 10.148.30.6 to 00:10:5a:b3:ba:a2 via eth0
> >
> >
> > The first log is from my netfilter rule just before the packet (a DHCP broadcast) is dropped. After
> > this the DHCP daemon starts to act on the packet as if it had received the packet that was just dropped. As far as I
> > can see by logging all packets, there come no new packets before the DHCP daemon starts to answer.
> >
> > Is there a simple explanation for this, or do I have to try to reduce the complexity of my filters so
> > they are understandable without too much effort?
> >
> > Regards
> >
> > Torben
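
Added example (not part of the original message or of either poster's ruleset): a small Python model of the four chains quoted above, tracing the logged DHCP broadcast to its verdict. The dict encoding and the function names are assumptions made for illustration; $LIMIT is left out because its value is not shown, and built-in chain policy is not modeled.

```python
import ipaddress
import re

# Chains as quoted in the message; each rule is (match, target).
# $LIMIT is omitted: its value does not appear in the message.
CHAINS = {
    "INPUT": [({"in": "eth0"}, "i-int")],
    "i-int": [({"src": "10.0.0.0/255.0.0.0"}, "ACCEPT"), ({}, "if-LogDrop")],
    "if-LogDrop": [({"in": "eth0"}, "if-LogDrop-int")],
    "if-LogDrop-int": [({}, "LOG"), ({}, "DROP")],
}

# Kernel LOG line from the message (syslog timestamp/host prefix trimmed).
LOG_LINE = ("Bad input packet, internal: IN=eth0 OUT= "
            "MAC=ff:ff:ff:ff:ff:ff:00:10:5a:b3:ba:a2:08:00 SRC=0.0.0.0 "
            "DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=0 "
            "PROTO=UDP SPT=68 DPT=67 LEN=308")

def parse_log(line):
    """Return the KEY=value fields of a netfilter LOG line as a dict."""
    fields = {}
    for key, value in re.findall(r"(\w+)=(\S*)", line):
        fields.setdefault(key, value)  # LEN occurs twice; keep the IP length
    return fields

def matches(match, pkt):
    """True if the packet satisfies every condition of one rule."""
    if "in" in match and pkt["IN"] != match["in"]:
        return False
    if "src" in match:
        return ipaddress.ip_address(pkt["SRC"]) in ipaddress.ip_network(match["src"])
    return True

def traverse(pkt, chain="INPUT", trail=None):
    """Walk the chains; return (verdict, trail). Verdict is None on fall-through."""
    trail = [] if trail is None else trail
    for match, target in CHAINS[chain]:
        if not matches(match, pkt):
            continue
        trail.append(f"{chain} -> {target}")
        if target in ("ACCEPT", "DROP"):
            return target, trail
        if target == "LOG":  # LOG is non-terminating: go on to the next rule
            continue
        verdict = traverse(pkt, target, trail)[0]
        if verdict:
            return verdict, trail
    return None, trail
```

Calling `traverse(parse_log(LOG_LINE))` shows the broadcast missing the `-s` match in `i-int` because its source is 0.0.0.0, then reaching LOG and DROP in `if-LogDrop-int`.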
