Limit DHCP requests with iptables - problem: Router

Peter Rathlev peter at rathlev.dk
Mon Feb 7 17:02:02 UTC 2011


On Mon, 2011-02-07 at 14:44 +0100, Jürgen Dietl wrote:
> On Mon, 2011-02-07 at 12:50 +0000, Simon Hobson wrote:
> > Shouldn't be too hard to match, it's in a fixed place - I think it 
> > starts at byte 28 in the packet and is 16 bytes long.
...
> thanx a lot - I will try.

Some trial and error (and apparently success) leads me to believe that
this will work as intended:

$ iptables -I INPUT 1 -p udp --dport 67 -m string --algo bm --from 55 --to 61 --hex-string "|02 bc ac f8 4c fd|" -j REJECT --reject-with icmp-port-unreachable

The "from" and "to" parameters were found by iterative searching. From
tcpdump I'd say that the client hardware address starts at byte 56 from
the start of the IP header, but that somehow doesn't match.

The "to" argument is somewhat irrelevant, since the algo searches for
at least the length of the specified string. I don't know if there's any
performance benefit in specifying it.

Speaking of performance, this might not scale terribly well. I imagine a
string search like this is expensive.

-- 
Peter
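
An added worked example (not from Peter's post or the ISC dhcp project) showing where the chaddr field sits when counted from the start of the IP header, which is the basis for the --from offset in the rule above. It builds a constructed DHCPDISCOVER (IPv4 + UDP + BOOTP, no Ethernet header, a minimal 20-byte IP header), walks the headers to locate chaddr, and produces the |..| hex-string pattern for a given MAC. The MAC 02:bc:ac:f8:4c:fd is the one from the rule in the post; everything else is constructed. The nominal offset comes out as 56 (20 + 8 + 28); the post reports --from 55 working empirically, and the example only locates the field, it does not model the exact window semantics of the xt_string match.

```python
import struct

# Sample client MAC, taken from the hex-string in the post above.
SAMPLE_MAC = bytes.fromhex("02bcacf84cfd")


def build_dhcp_discover(client_mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Constructed IPv4/UDP/BOOTP DHCPDISCOVER as a server would see it (no Ethernet header)."""
    # BOOTP fixed prefix: op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6, hops=0,
    # xid, secs=0, flags=0x8000 (broadcast) -> 12 bytes
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)
    bootp += b"\x00" * 16                    # ciaddr, yiaddr, siaddr, giaddr (4 bytes each)
    bootp += client_mac.ljust(16, b"\x00")   # chaddr, padded to 16 bytes
    bootp += b"\x00" * 64                    # sname
    bootp += b"\x00" * 128                   # file
    bootp += b"\x63\x82\x53\x63"             # DHCP magic cookie
    bootp += b"\x35\x01\x01\xff"             # option 53 = DHCPDISCOVER, then END

    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp  # checksum 0 = not computed
    # Minimal IPv4 header: version 4 / IHL 5, proto 17 (UDP), 0.0.0.0 -> 255.255.255.255
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\x00" * 4, b"\xff" * 4)
    return ip + udp


def chaddr_offset(packet: bytes) -> int:
    """Byte offset of chaddr counted from the first byte of the IP header (honours IHL)."""
    ihl = (packet[0] & 0x0F) * 4
    udp_header = 8
    bootp_prefix = 28  # op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
    return ihl + udp_header + bootp_prefix


def extract_chaddr(packet: bytes) -> bytes:
    """Return the client hardware address, using hlen from the BOOTP header for its length."""
    ihl = (packet[0] & 0x0F) * 4
    hlen = packet[ihl + 8 + 2]
    start = chaddr_offset(packet)
    return packet[start:start + hlen]


def hex_string_pattern(mac: bytes) -> str:
    """Render a MAC in the |xx xx ..| form that iptables -m string --hex-string expects."""
    return "|" + " ".join(f"{b:02x}" for b in mac) + "|"


def window_covers(field_start: int, field_end: int, frm: int, to: int) -> bool:
    """True if the inclusive search window [frm, to] contains the whole field [field_start, field_end]."""
    return frm <= field_start and field_end <= to


if __name__ == "__main__":
    pkt = build_dhcp_discover(SAMPLE_MAC)
    off = chaddr_offset(pkt)
    print("chaddr starts at byte", off, "from the IP header")
    print("chaddr:", extract_chaddr(pkt).hex(":"))
    print("pattern:", hex_string_pattern(SAMPLE_MAC))
    print("window 55..61 covers field:", window_covers(off, off + 5, 55, 61))
```

Running it prints the nominal offset (56) and the pattern string from the post; the window check just confirms that the empirically found 55..61 range contains bytes 56..61 where the 6-byte address sits.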
