Here are a few forum excerpts that help explain the reason.
It is technically necessary, because DHCP clients do not have IP addressing information when they begin the communication; everything is done using ethernet broadcasts. Such packets cannot be acquired using a standard socket bind, so the server application needs to listen at a lower level than the TCP/IP stack allows.
Unfortunately, DHCPD appears to be running on a raw socket, instead of being an ordinary UDP process. Raw sockets receive COPIES of the normally routed packets, and those COPIES do not pass through the iptables chains, resulting in the behaviour you are seeing.
However, the ISC DHCP server uses an Internet Socket of protocol Raw instead of TCP or UDP. This facility, naturally, is only available to root (uid 0, really), and receives packets before the IP Tables processing. It also receives all Internet packet headers as well, so it gets to do additional processing.
But because Raw sockets get packets before the IP Tables processing, the ISC DHCP server is able to obtain an IP address through DHCP.
This seems to be consistent with a dhcp server I am running:
# netstat -anp | grep dhcp
udp 0 0 0.0.0.0:67 0.0.0.0:*
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
unix 2 [ ] DGRAM 24242 1785/dhcpd
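To make the mechanism in the excerpts above concrete, here is an added example (not dhcpd's code and not from any of the posters) that opens a Linux AF_PACKET socket, the lower-level facility a DHCP server needs, and walks the Ethernet/IPv4/UDP/BOOTP headers of each frame itself. The sample DHCPDISCOVER frame, the struct and function names are all constructed for this example; the live capture in main() needs CAP_NET_RAW, and it sees the frames whether or not an iptables rule matches UDP port 67.

```c
#include <arpa/inet.h>
#include <linux/if_packet.h>
#include <net/ethernet.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>

struct dhcp_summary { uint8_t op; uint32_t xid; uint16_t sport, dport; };

/* The packet socket hands us the whole frame, nothing has been parsed or
 * filtered for us, so walk Ethernet -> IPv4 -> UDP -> BOOTP by hand.
 * Returns 1 and fills *out for DHCP traffic (UDP port 67/68), 0 otherwise. */
int parse_dhcp_frame(const uint8_t *f, size_t n, struct dhcp_summary *out) {
    if (n < 14 + 20 + 8 + 8 || f[12] != 0x08 || f[13] != 0x00) return 0; /* not IPv4 */
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 17) return 0;          /* not UDP  */
    if (n < 14 + ihl + 8 + 8) return 0;                                   /* truncated */
    const uint8_t *udp = ip + ihl, *bootp = udp + 8;
    out->sport = (uint16_t)((udp[0] << 8) | udp[1]);
    out->dport = (uint16_t)((udp[2] << 8) | udp[3]);
    if (out->dport != 67 && out->dport != 68) return 0;
    out->op  = bootp[0];                            /* 1 = BOOTREQUEST, 2 = BOOTREPLY */
    out->xid = ((uint32_t)bootp[4] << 24) | ((uint32_t)bootp[5] << 16) |
               ((uint32_t)bootp[6] << 8)  |  (uint32_t)bootp[7];
    return 1;
}

/* Constructed DHCPDISCOVER: broadcast MAC, 0.0.0.0 -> 255.255.255.255,
 * UDP 68 -> 67, BOOTREQUEST with xid 0x3903f326 (checksums left as zero). */
static const uint8_t sample_discover[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x00,
    0x45,0x00,0x00,0x24, 0x00,0x00,0x00,0x00, 0x40,0x11,0x00,0x00,
    0x00,0x00,0x00,0x00, 0xff,0xff,0xff,0xff,
    0x00,0x44,0x00,0x43, 0x00,0x10,0x00,0x00,
    0x01,0x01,0x06,0x00, 0x39,0x03,0xf3,0x26 };

int sample_summary(struct dhcp_summary *out) {
    return parse_dhcp_frame(sample_discover, sizeof sample_discover, out);
}

/* Live capture (needs CAP_NET_RAW): a copy of every frame on the host is
 * delivered here before the netfilter/iptables hooks, as the excerpts say. */
int main(void) {
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket(AF_PACKET)"); return 1; }
    uint8_t buf[2048]; struct dhcp_summary s;
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n > 0 && parse_dhcp_frame(buf, (size_t)n, &s))
            printf("DHCP op=%u xid=0x%08x %u->%u\n", s.op, s.xid, s.sport, s.dport);
    }
}
```

An iptables rule on port 67 only affects the copy that continues into the UDP stack (the `udp 0.0.0.0:67` line in the netstat output); nftables' `netdev` ingress hook or ebtables is the place to filter what a packet socket sees.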