Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 01-01-2017, 10:19 PM   #1
fabioca
LQ Newbie
 
Registered: Sep 2015
Posts: 13

Rep: Reputation: Disabled
Problem with iptables logging dhcp messages


I have a problem capturing dhcp messages with IPTables.

If I run
Code:
tcpdump -n -i lan src 192.168.69.1 and udp port 67
I can clearly see the DHCP replies going from the server (192.168.69.1) source port 67 to destination port 68.
Code:
12:09:16.678311 IP 192.168.69.1.67 > 192.168.69.4.68: BOOTP/DHCP, Reply, length 300
12:10:38.361074 IP 192.168.69.1.67 > 192.168.69.37.68: BOOTP/DHCP, Reply, length 300
12:12:03.224814 IP 192.168.69.1.67 > 192.168.69.34.68: BOOTP/DHCP, Reply, length 300
I am trying to log the same messages with iptables, so I insert the following rules:

Code:
iptables -t filter -I INPUT 1 -s 192.168.69.1 -p udp -m udp --sport 67 -j LOG --log-prefix "FIL-INP:"
iptables -t filter -I OUTPUT 1 -s 192.168.69.1 -p udp -m udp --sport 67 -j LOG --log-prefix "FIL-OUT:"
iptables -t filter -I FORWARD 1 -s 192.168.69.1 -p udp -m udp --sport 67 -j LOG --log-prefix "FIL-FOR:"
iptables -t nat -I INPUT 1 -s 192.168.69.1 -p udp -m udp --sport 67 -j LOG --log-prefix "NAT-INP:"
iptables -t nat -I OUTPUT 1 -s 192.168.69.1 -p udp -m udp --sport 67 -j LOG --log-prefix "NAT-OUT:"
iptables -t nat -I PREROUTING 1 -s 192.168.69.1 -p udp -m udp --sport 67 -j LOG --log-prefix "NAT-PRE:"
iptables -t nat -I POSTROUTING 1 -s 192.168.69.1 -p udp -m udp --sport 67 -j LOG --log-prefix "NAT-POS:"
iptables -t mangle -I PREROUTING 1 -s 192.168.69.1 -p udp -m udp --sport 67 -j LOG --log-prefix "MAN-PRE:"
iptables -t mangle -I POSTROUTING 1 -s 192.168.69.1 -p udp -m udp --sport 67 -j LOG --log-prefix "MAN-POS:"
iptables -t mangle -I INPUT 1 -s 192.168.69.1 -p udp -m udp --sport 67 -j LOG --log-prefix "MAN-INP:"
iptables -t mangle -I OUTPUT 1 -s 192.168.69.1 -p udp -m udp --sport 67 -j LOG --log-prefix "MAN-OUT:"
iptables -t mangle -I FORWARD 1 -s 192.168.69.1 -p udp -m udp --sport 67 -j LOG --log-prefix "MAN-FOR:"
iptables -t raw -I PREROUTING 1 -s 192.168.69.1 -p udp -m udp --sport 67 -j LOG --log-prefix "RAW-PRE:"
iptables -t raw -I OUTPUT 1 -s 192.168.69.1 -p udp -m udp --sport 67 -j LOG --log-prefix "RAW-OUT:"

But none of the rules is hit and nothing gets logged. What is special about these dhcp replies? Why do they not match my filter criteria?

Last edited by fabioca; 01-01-2017 at 10:23 PM. Reason: Grammar errors
 
Old 01-03-2017, 12:31 PM   #2
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
First question is what is the IP address of your DHCP server? Is it 192.168.69.1? And is this also the system where you are trying to LOG the DHCP requests?

IF the DHCP server and IPTABLES are the same system then try the following:
Code:
iptables -I OUTPUT 1 -p udp --dport 68 -j LOG --log-prefix "DHCP-Reply: "
If they are not on the same system then try:
Code:
iptables -I FORWARD 1 -p udp --dport 68 -j LOG --log-prefix "DHCP-Reply: "
 
Old 01-07-2017, 11:26 AM   #3
fabioca
LQ Newbie
 
Registered: Sep 2015
Posts: 13

Original Poster
Rep: Reputation: Disabled
Tried what was suggested, but it still does not work.

After some more search I think I found out the reason.

In my raw table I am filtering for
Code:
iptables -t nat -A PREROUTING -m rpfilter --invert -j DROP
This drops the incoming dhcp messages from 0.0.0.0:68 to 255.255.255.255:67

No incoming message, no reply!

Despite that, the dhcp exchange still succeeds, because I am using ISC's dhcp server, which apparently has the ability to intercept messages at a lower network level, therefore in effect bypassing the firewall.

Last edited by fabioca; 01-07-2017 at 11:27 AM. Reason: typos
 
Old 01-07-2017, 02:50 PM   #4
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
I highly doubt that DHCP can bypass the firewall. This is more of a case that something else is handing out the DHCP address and not your system. You should be able to look at the logs on that system requesting the IP Address and it should show you what device gave it to him.
 
Old 01-07-2017, 08:58 PM   #5
fabioca
LQ Newbie
 
Registered: Sep 2015
Posts: 13

Original Poster
Rep: Reputation: Disabled
There are no other dhcp servers. And I can see incoming and outgoing packets in tcpdump, but not in netfilter.

What I mentioned below is based on this thread:
https://www.mail-archive.com/dnsmasq.../msg10962.html
which states:
"ISC dhcpd uses raw sockets, and those are (like tcpdump) seen before the netfilter subsystem."
 
Old 01-09-2017, 06:55 AM   #6
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
So you are seeing the complete transaction in tcpdump? Discovery Offer Request Acknowledge? Even your link states that the whole process is not possible.

I believe that since your system had an ip address before it is just using it again.
Have you tried to release the address and obtain a new one?
 
Old 02-17-2017, 06:31 PM   #7
fabioca
LQ Newbie
 
Registered: Sep 2015
Posts: 13

Original Poster
Rep: Reputation: Disabled
No, tcpdump only shows 2 of the DORA messages, however this seems sufficient for dhcpd to do its job: it has been working fine for at least 1 year now, including for new wireless devices of guests visiting my house for the first time.

Anyway, I have now modified the reverse filtering logic (disabled it in the kernel and selectively activated it in iptables), so that I can see the full set of DORA messages passing through ipfilter.
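The fix described in post #7, written out as an added example (not the poster's own script): it disables the kernel rp_filter, moves reverse-path filtering into a raw-table chain that exempts the client-side DHCP broadcast and logs what it drops, and logs the DORA exchange on the chains a dhcpd running on the firewall host actually traverses. The interface name lan and the server address 192.168.69.1 are taken from the thread; the chain name RPFILTER, the log prefixes and the DRY_RUN/APPLY switches are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: LAN interface "lan",
# dhcpd on this host at 192.168.69.1 (both taken from the posts above).
LAN_IF="${LAN_IF:-lan}"
DHCP_SERVER="${DHCP_SERVER:-192.168.69.1}"
DRY_RUN="${DRY_RUN:-0}"

# run: print the command in dry-run mode, otherwise execute it (needs root).
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: turn off the kernel's own reverse-path check so that the
# iptables rpfilter match below is the only place the decision is made.
disable_kernel_rpfilter() {
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w "net.ipv4.conf.$LAN_IF.rp_filter=0"
}

# Step 2: selective reverse-path filtering in the raw table. A DHCP
# DISCOVER/REQUEST from 0.0.0.0:68 to 255.255.255.255:67 has no reverse
# route, so it is returned (accepted) before the check; anything else that
# fails the check is logged, then dropped, instead of vanishing silently.
install_rpfilter_chain() {
    run iptables -t raw -N RPFILTER
    run iptables -t raw -A RPFILTER -i "$LAN_IF" -p udp --sport 68 --dport 67 -j RETURN
    run iptables -t raw -A RPFILTER -m rpfilter -j RETURN
    run iptables -t raw -A RPFILTER -j LOG --log-prefix "RPF-DROP: "
    run iptables -t raw -A RPFILTER -j DROP
    run iptables -t raw -I PREROUTING 1 -j RPFILTER
}

# Step 3: with dhcpd on the firewall, client messages arrive in INPUT
# (dport 67) and replies leave through OUTPUT (sport 67), never INPUT.
# Replies dhcpd sends via its packet socket still bypass OUTPUT (post #5).
install_dhcp_log_rules() {
    run iptables -I INPUT 1 -i "$LAN_IF" -p udp --dport 67 -j LOG --log-prefix "DHCP-CLIENT: "
    run iptables -I OUTPUT 1 -o "$LAN_IF" -p udp -s "$DHCP_SERVER" --sport 67 -j LOG --log-prefix "DHCP-SERVER: "
}

apply_dhcp_rules() {
    disable_kernel_rpfilter
    install_rpfilter_chain
    install_dhcp_log_rules
}

# Apply only when explicitly requested, e.g.: sudo APPLY=1 sh ./dhcp-log.sh
# (set DRY_RUN=1 to only print the commands).
if [ "${APPLY:-0}" = 1 ]; then apply_dhcp_rules; fi
```

Drops logged with the RPF-DROP prefix tell you which traffic the reverse-path check was silently eating before, which is exactly what the original -t nat rule hid.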
 