Limit DHCP requests with iptables - problem: Router

José Queiroz zekkerj at gmail.com
Wed Feb 9 17:29:16 UTC 2011


2011/2/9 Peter Rathlev <peter at rathlev.dk>

> On Wed, 2011-02-09 at 12:25 -0200, José Queiroz wrote:
> > 2011/2/9 Peter Rathlev <peter at rathlev.dk>
> > > The thread has since moved on to discussing different ways of
> > > detecting the misbehaving clients. And iptables alone simply cannot
> > > do what you describe.
> >
> > Yes, iptables can do it. It's just a matter of how to chain the tests.
>
> No, iptables can IMHO not do this. I don't understand why people keep
> saying it can. I provided a working example (using a string match) for a
> _known_ MAC address, but I'm pretty sure iptables cannot do it for an
> unknown MAC address.
>
> If you insist it can then please provide a working example of limiting
> DHCP requests based on the MAC address contained inside the DHCP packet
> only using iptables commands. And remember: You don't know the MAC
> address in advance.
>
>

I gave this example a few messages ago. Although I didn't test it, I
think it is a feasible approach.

# Chain for a client whose MAC (here aa:bb:cc:dd:ee:ff) is already known
iptables -N BLOCK_DHCP_CLIENT
# u32 offsets count from the start of the IP header, so with a 20-byte IP header the
# BOOTP chaddr field starts at 20 + 8 (UDP) + 28 = 56; the MAC is bytes 56..61
iptables -A INPUT -p udp --dport 67 -m u32 --u32 "56=0xaabbccdd && 60>>16=0xeeff" -j BLOCK_DHCP_CLIENT
# first hit within 60 s is recorded and accepted, later hits are dropped;
# --name gives this client its own list (DHCP clients often send from 0.0.0.0)
iptables -A BLOCK_DHCP_CLIENT -m recent --name dhcp_aabbccddeeff --update --seconds 60 -j DROP
iptables -A BLOCK_DHCP_CLIENT -m recent --name dhcp_aabbccddeeff --set -j ACCEPT

Note that we're not thinking of **discovering** a misbehaving client with
iptables, we're thinking of blocking an **already discovered** misbehaving
client using iptables.

If the problem is discovering a misbehaving client, this should be done in
a full-featured monitoring application, not in a low-level filter front-end.