When testing IPv4 and IPv6 networking I'm using iptables to block or redirect certain services. I recently realized I can't do that with dhclient and I learned from jpopelka and online sources that packets coming through raw sockets aren't affected by iptables rules. I also sense a potential security problem here as administrators tend to rely on firewall features and may not be aware that some common software packages bypass it entirely. But my primary motivation is still the networking testing and I am interested in any workarounds to get DHCP and similar services rejected, dropped and redirected.
Some resources...
* http://lists.netfilter.org/pipermail/netfilter-devel/2003-March/010826.html
* http://louwrentius.com/why-filtering-dhcp-traffic-is-not-always-possible-with-iptables.html
* https://kb.isc.org/article/AA-00379/0/How-DHCP-uses-raw-sockets.html
*********** MASS BUG UPDATE ************** We apologize for the inconvenience. There is a large number of bugs to go through and several of them have gone stale. Due to this, we are doing a mass bug update across all of the Fedora 23 kernel bugs. Fedora 23 has now been rebased to 4.7.4-100.fc23. Please test this kernel update (or newer) and let us know if your issue has been resolved or if it is still present with the newer kernel. If you have moved on to Fedora 24 or 25, and are still experiencing this issue, please change the version to Fedora 24 or 25. If you experience different issues, please open a new bug report for those.
Raw sockets hook in at the OUTPUT chain, so you can use iptables at that point in the control flow of an ip packet, but not the pre or post routing chains. You can also use ebtables to control some traffic if your output device is a bridge. Of course, this precludes using AF_PACKET sockets as well, which bypass the entire stack and are unaffected by iptables, as well as user space controlled devices (via libraries like DPDK). The short version of the story is that iptables is really only meant to operate fully on AF_INET SOCK_STREAM or SOCK_DGRAM sockets. Any other sockets, even those that partially represent ipv4 traffic, have only limited visibility into the ip stack.
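The comment above boils down to a practical rule set for the test setup described in the report: DHCP traffic that enters the IP stack through an AF_INET raw socket can still be matched in the iptables OUTPUT chain, while AF_PACKET traffic can only be matched by ebtables when the egress device is a bridge. The script below is an added example, not code from the bug report or from any of the packages mentioned in it. It generates those rules and parses the packet counter of the DROP rule from `iptables -vnxL OUTPUT` output, which is the check that tells a tester whether the rule actually sees the traffic. The interface name `eth0`, the bridge name `br0`, the LOG prefix and the sample counter output are all constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): rules for DHCP client traffic that
# reaches netfilter from raw sockets, plus a counter check to confirm they match.
# Nothing is applied; the functions only print the commands.

: "${IFACE:=eth0}"     # assumed test interface
: "${BRIDGE:=br0}"     # assumed bridge device for the ebtables case

# Packets from an AF_INET SOCK_RAW socket pass the OUTPUT hook only, so the
# filter has to live in the OUTPUT chain. DHCP client -> server is UDP 68 -> 67.
# LOG comes before DROP so every dropped packet leaves a kernel log line.
dhcp_output_rules() {
    printf '%s\n' \
        "iptables -A OUTPUT -o $IFACE -p udp --dport 67 -j LOG --log-prefix 'DHCP-OUT '" \
        "iptables -A OUTPUT -o $IFACE -p udp --sport 68 --dport 67 -j DROP"
}

# AF_PACKET sockets bypass the IP stack entirely, so iptables never sees them.
# When the egress device is a bridge, ebtables can still match the frame by
# its IPv4 protocol and destination port (locally generated frames hit OUTPUT).
dhcp_bridge_rules() {
    printf '%s\n' \
        "ebtables -A OUTPUT -o $BRIDGE -p IPv4 --ip-proto udp --ip-dport 67 -j DROP"
}

# Read `iptables -vnxL OUTPUT` output on stdin and print the packet counter of
# the UDP DROP rule for dport 67; print 0 when no such rule is listed.
# Field layout: pkts bytes target prot opt in out source destination [match text].
# Newer iptables prints the protocol as a number with -n, so accept "17" too.
dhcp_drop_count() {
    awk '$3 == "DROP" && ($4 == "udp" || $4 == "17") && /dpt:67/ { print $1; found = 1 }
         END { if (!found) print 0 }'
}

# Constructed sample of `iptables -vnxL OUTPUT` after four DHCP packets were sent
# through a raw socket; used here so the check can be exercised without root.
SAMPLE_COUNTERS='Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       4     1312 LOG        udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp dpt:67 LOG flags 0 level 4 prefix "DHCP-OUT "
       4     1312 DROP       udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67'

# Stand-alone run: print the rule set and the counter read from the sample.
dhcp_output_rules
dhcp_bridge_rules
printf 'DROP rule matched %s packets in the sample counters\n' \
    "$(printf '%s\n' "$SAMPLE_COUNTERS" | dhcp_drop_count)"
```

To use it on a real test box, pipe `dhcp_output_rules` (and `dhcp_bridge_rules` if the client sits on a bridge) into `sh` as root, run the DHCP client, then feed the live `iptables -vnxL OUTPUT` output into `dhcp_drop_count`: a counter that stays at 0 while the client is clearly transmitting is the sign that the client uses AF_PACKET rather than an AF_INET raw socket, which is exactly the case the comment above says iptables cannot cover.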