# DHCP question with iptables rules

## d2_racing

Hi everyone, I would like to understand how it is possible that I still receive a valid IP address from my wrt54g router even if I run these firewall rules from my laptop:

```
#!/bin/bash

# Constants
IPT=/sbin/iptables
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"

# Interface that is on your network
WAN_IFACE="eth0"

# Loopback interface
LOOP_IFACE="lo"
LOOP_IP="127.0.0.1"

# Reset every policy to ACCEPT before flushing, so nothing is locked out mid-script.
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush all rules and delete user-defined chains.
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

# The default behaviour is to drop all traffic.
$IPT -P INPUT   DROP
$IPT -P OUTPUT  DROP
$IPT -P FORWARD DROP

# INPUT: log and drop INVALID, accept replies to our own connections, then loopback and rate-limited ICMP.
$IPT -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT ! -i $LOOP_IFACE -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
$IPT -A INPUT -i $LOOP_IFACE -j ACCEPT
$IPT -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT

# OUTPUT: same INVALID/ESTABLISHED handling, then a fixed list of allowed destination ports.
$IPT -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPT -A OUTPUT -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp  -m multiport --dports 21,22,25,80,110,443,873,1024 -j ACCEPT
$IPT -A OUTPUT -p udp  -m multiport --dports 53 -j ACCEPT
$IPT -A OUTPUT -p icmp -m limit --limit 1/s -j ACCEPT
$IPT -A OUTPUT ! -o $LOOP_IFACE -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
$IPT -A OUTPUT -o $LOOP_IFACE  -j ACCEPT
```

From what I know, DHCP communication uses UDP 67 and UDP 68, so I actually block that output from my laptop, yet I still have a valid IP and I can surf the net.

Can someone explain to me how that's possible?

The one thing that I can think of is that it may use ICMP to get the job done.

----------

## francofallica

You're perfectly right, DHCP and for that matter BOOTP use UDP 67 & 68.

I'm not quite sure but I think this line does the trick:

> $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Because first your machine sends a DHCPDISCOVER so it initializes the connection (though I think the ESTABLISHED keyword is only for TCP but I don't know about the RELATED).

hope that helps

franco

----------

## f4u5t

*francofallica wrote:*

> You're perfectly right, DHCP and for that matter BOOTP use UDP 67 & 68.
>
> I'm not quite sure but I think this line does the trick
>
> ...

The odd thing is that there seems to be no OUTPUT rule that allows the initial DHCPDISCOVER. I'd run tcpdump and/or look at the dhclient logs to see if it is getting out. Otherwise dhclient may be using zero-conf and assigning a link-local address. What's your IP?

----------

## d2_racing

192.168.1.100 on my laptop.

And my /etc/conf.d/net is empty.

----------

## d2_racing

Maybe DHCP uses ARP packets, so that's why it passes.

----------

## UberLord

DHCP clients operate on the same layer that firewalls do, so a firewall cannot block DHCP. [1]

For this reason you can configure kernels to not have this generic interface which the DHCP clients use.

Packet Filter on Linux, BPF on *BSD.

[1] Some DHCP servers unicast the DHCP_ACK message via the broadcast socket and some DHCP clients only listen for ACK via the IP-bound socket, so depending on the end-to-end software a firewall could partially block DHCP.

----------

## d2_racing

Thanks for the info.

----------

