[Bug 730] New: DHCP request (and other?) traffic bypasses iptables/netfilter
bugzilla-daemon at bugzilla.netfilter.org
Tue Jul 26 05:06:01 CEST 2011
http://bugzilla.netfilter.org/show_bug.cgi?id=730
Summary: DHCP request (and other?) traffic bypasses iptables/netfilter
Product: netfilter/iptables
Version: linux-2.6.x
Platform: x86_64
OS/Version: Ubuntu
Status: NEW
Severity: major
Priority: P5
Component: unknown
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: rcl24 at drexel.edu
Estimated Hours: 0.0
Created an attachment (id=357)
--> (http://bugzilla.netfilter.org/attachment.cgi?id=357)
My iptables ruleset for filter
Running Ubuntu 11.04 with iptables 1.4.10-1ubuntu1 and Ubuntu kernel
2.6.38-10-generic on x86-64 architecture.
I have my server configured to act as a NAT router connecting a private LAN to
the Internet. The Internet is connected to eth0 and the LAN is connected to
eth1. DHCP provides addressing and configuration for the LAN machines. I have
an iptables setup to protect the server from both the Internet and the
computers on the LAN with a DROP by default policy for both interfaces.
Internet <--> (eth0) Server (eth1) <--> LAN
While auditing my iptables configuration, I realized that I had never allowed
port 67 access via eth1, and yet, the machines on my LAN were able to reach my
DHCP server. At first I suspected that the basic firewall setup (Ubuntu's UFW)
had a liberal policy that allowed that traffic. However, by manually reading
the rules, I determined that inbound traffic to port 67 should be blocked by
the rules. I will attach my iptables filter rules as the file iptables.txt.
When I run wireshark and connect a computer to my LAN, I see a UDP packet come
into eth1 with source address 0.0.0.0:68 to destination 255.255.255.255:67.
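The frame described in the report, reconstructed as an added example (this is editor-supplied code, not part of the bug report, its attachment, or the netfilter project): it builds the 0.0.0.0:68 -> 255.255.255.255:67 DHCPDISCOVER, decodes the fields an iptables rule would match on, runs it through a small model of an INPUT chain with a DROP policy and no rule for UDP/67 on eth1 (the rule list, client MAC and interface name are constructed assumptions standing in for the attached iptables.txt), and, when run as root on Linux, reads the same frame from an AF_PACKET socket. The archived report stops before any resolution; the well-known explanation, given here as an editor's note rather than as something the page states, is that DHCP servers such as ISC dhcpd bind exactly such a link-layer packet socket, which is handed frames before the IP-layer netfilter hooks (PREROUTING, INPUT) run, so the filter table never gets a chance to drop them. The model's DHCP_ALLOW_RULE corresponds to the explicit rule `-A INPUT -i eth1 -p udp --sport 68 --dport 67 -j ACCEPT` that a practitioner would still add so the ruleset documents what the server actually receives.

```python
"""DHCPDISCOVER frame, a tiny INPUT-chain model, and an AF_PACKET observer.
Everything below (MAC, interface, rules) is constructed for the example."""
import socket
import struct

CLIENT_MAC = bytes.fromhex("001122334455")   # constructed sample client MAC
BROADCAST_MAC = b"\xff" * 6
LAN_IFACE = "eth1"                            # LAN side, as in the report
DHCP_COOKIE = b"\x63\x82\x53\x63"             # RFC 2132 magic cookie


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dhcp_discover(client_mac: bytes = CLIENT_MAC, xid: int = 0x3903F326) -> bytes:
    """Ethernet/IPv4/UDP/BOOTP frame: 0.0.0.0:68 -> 255.255.255.255:67, DHCPDISCOVER."""
    # BOOTP fixed header (RFC 951), 236 bytes, then DHCP options.
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0,              # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
                        xid, 0, 0x8000,          # xid, secs, flags with the broadcast bit set
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
                        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = DHCP_COOKIE + b"\x35\x01\x01" + b"\xff"   # option 53 = 1 (DHCPDISCOVER), end
    payload = bootp + options
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0) + payload   # UDP checksum 0: optional on IPv4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         socket.inet_aton("0.0.0.0"), socket.inet_aton("255.255.255.255"))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    return BROADCAST_MAC + client_mac + b"\x08\x00" + ip_hdr + udp


def dhcp_message_type(options: bytes):
    """Walk the TLV option list and return the value of option 53, or None."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0xFF:
            break
        if code == 0:            # pad
            i += 1
            continue
        length = options[i + 1]
        if code == 53:
            return options[i + 2]
        i += 2 + length
    return None


def parse_frame(frame: bytes) -> dict:
    """Decode the fields a firewall rule matches on, plus the DHCP message type."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    info = {"proto": frame[23],
            "src": socket.inet_ntoa(frame[26:30]),
            "dst": socket.inet_ntoa(frame[30:34])}
    l4 = frame[14 + ihl:]
    if info["proto"] == 17:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
        payload = l4[8:]
        if info["dport"] == 67 and payload[236:240] == DHCP_COOKIE:
            info["dhcp_type"] = dhcp_message_type(payload[240:])
    return info


# Constructed model of the INPUT chain the report describes: default policy DROP
# and nothing opening UDP/67 on eth1. Not the reporter's actual iptables.txt.
INPUT_POLICY = "DROP"
INPUT_RULES = [
    {"iface": "lo", "target": "ACCEPT"},
    {"iface": "eth1", "proto": 17, "dport": 53, "target": "ACCEPT"},   # DNS from the LAN
    {"iface": "eth1", "proto": 6, "dport": 22, "target": "ACCEPT"},    # SSH from the LAN
]
# Equivalent of: -A INPUT -i eth1 -p udp --sport 68 --dport 67 -j ACCEPT
DHCP_ALLOW_RULE = {"iface": "eth1", "proto": 17, "sport": 68, "dport": 67, "target": "ACCEPT"}


def input_chain_verdict(iface: str, info: dict, rules=INPUT_RULES, policy=INPUT_POLICY) -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in rules:
        if rule.get("iface", iface) != iface:
            continue
        if "proto" in rule and rule["proto"] != info["proto"]:
            continue
        if "sport" in rule and rule["sport"] != info.get("sport"):
            continue
        if "dport" in rule and rule["dport"] != info.get("dport"):
            continue
        return rule["target"]
    return policy


def sniff_dhcp_on_packet_socket(ifname: str = LAN_IFACE, count: int = 1):
    """Linux, root only. An AF_PACKET socket is handed every frame on the interface
    at the link layer, before the IP-layer netfilter hooks run, so it receives
    DHCPDISCOVER whatever the INPUT verdict for the same packet would be."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0800))
    s.bind((ifname, 0))
    seen = []
    while len(seen) < count:
        try:
            info = parse_frame(s.recv(65535))
        except ValueError:
            continue
        if info.get("dport") == 67:
            seen.append(info)
    s.close()
    return seen


if __name__ == "__main__":
    info = parse_frame(build_dhcp_discover())
    print(info)
    print("INPUT verdict without a DHCP rule:", input_chain_verdict(LAN_IFACE, info))
    print("INPUT verdict with DHCP_ALLOW_RULE:",
          input_chain_verdict(LAN_IFACE, info, rules=INPUT_RULES + [DHCP_ALLOW_RULE]))
```

Run it unprivileged to see the decoded frame and both verdicts; call `sniff_dhcp_on_packet_socket()` as root on the router while a client is plugged into eth1 to see the same 0.0.0.0:68 -> 255.255.255.255:67 packet arrive on the packet socket even though the modelled chain says DROP.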