Limit DHCP requests with iptables - problem: Router

Peter Rathlev peter at rathlev.dk
Mon Feb 7 18:21:50 UTC 2011


On Mon, 2011-02-07 at 11:11 -0600, David Forrest wrote:
> On Mon, 7 Feb 2011, Alex Bligh wrote:
> > On 7 February 2011 15:31:46 +0100 Juergen Northe wrote:
> > > oops. Not (A)ppend but (I)nsert should work. I have not tried it yet:
> > > 
> > > iptables -I INPUT  -i eth0  -p udp -m udp  -m multiport  -m mac
> > > --mac-source XX:XX:XX:XX:XX -d 255.255.255.255   --dports 68,67  -m
> > > state --state NEW  -j REJECT
> >
> > That won't work because all his dhcp queries come with the same
> > MAC address - the router which is forwarding them.
> 
> Then you might try adding a limit test and -j ACCEPT .

How would that help? Or did that statement belong somewhere else? :-)

Relayed DHCP requests arrive with the MAC address of the last router on
the way to the DHCP server, so you can't match a client hardware address
with the "--mac-source" statement.

-- 
Peter
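An added illustration of the point above (example code, not from the thread): a constructed, relayed DHCPDISCOVER frame is parsed with a small Python helper, showing that the Ethernet source address, which is all `--mac-source` can see, is the relay router's MAC, while the client's hardware address survives only in the BOOTP `chaddr` field (with `giaddr` marking the relay). The MAC and IP addresses are hypothetical.

```python
import struct

# Hypothetical addresses for the constructed frame (not captured traffic).
RELAY_MAC = bytes.fromhex("0011223344aa")   # MAC of the last relay router
CLIENT_MAC = bytes.fromhex("deadbeef0102")  # real client MAC, carried in chaddr

def build_relayed_discover(relay_mac, client_mac, giaddr="10.0.1.1"):
    """Build an Ethernet/IPv4/UDP/BOOTP frame as a relay agent would forward it:
    L2 source rewritten to the relay, giaddr set, sent server-to-server (67->67)."""
    gi = bytes(int(o) for o in giaddr.split("."))
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s4s",
                        1, 1, 6, 1,               # BOOTREQUEST, Ethernet, hlen=6, hops=1
                        0x12345678, 0, 0x8000,    # xid, secs, broadcast flag
                        b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr
                        gi,                        # giaddr: relay interface address
                        client_mac.ljust(16, b"\0"),       # chaddr: client hardware address
                        b"\0" * 64, b"\0" * 128,   # sname, file
                        b"\x63\x82\x53\x63")       # DHCP magic cookie
    options = bytes([53, 1, 1, 255])               # message type DISCOVER, end
    payload = bootp + options
    udp = struct.pack("!HHHH", 67, 67, 8 + len(payload), 0)   # checksum omitted (constructed)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + len(payload),
                     0, 0, 64, 17, 0, gi, bytes([10, 0, 0, 5]))  # dst: hypothetical server
    eth = b"\xff" * 6 + relay_mac + b"\x08\x00"
    return eth + ip + udp + payload

def dhcp_addresses(frame):
    """Return (Ethernet source MAC, giaddr, chaddr) from a DHCP-over-UDP frame."""
    src_mac = frame[6:12]                          # what iptables --mac-source matches
    ihl = (frame[14] & 0x0F) * 4                   # IPv4 header length
    bootp = frame[14 + ihl + 8:]                   # skip IP and UDP headers
    hlen = bootp[2]
    giaddr = ".".join(str(b) for b in bootp[24:28])
    chaddr = bootp[28:28 + hlen]
    return src_mac, giaddr, chaddr

def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)

if __name__ == "__main__":
    src, gi, ch = dhcp_addresses(build_relayed_discover(RELAY_MAC, CLIENT_MAC))
    print("L2 source (relay):", mac_str(src), " giaddr:", gi, " chaddr (client):", mac_str(ch))
```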

More information about the dhcp-users mailing list