Limit DHCP requests with iptables - problem: Router
Simon Hobson
dhcp1 at thehobsons.co.uk
Tue Feb 8 08:17:51 UTC 2011
Jürgen Dietl wrote:
>The only place where you can see the clients
>real mac-address is in the dhcp header.
Correct, and it's in a fixed position - as I read
"the book"* it starts at byte 28 in the packet
and is 16 bytes long. You should be able to match
this - it might need 4 off u32 match rules though,
I'm not that experienced with iptables, perhaps
someone else can come up with a better way to
match such a string.
>So I am looking for a solution that dynamically looks
>into every packet - especially into the dhcp header
>- that arrives at the server and prevents too
>many dhcp requests coming from the same
>machine. In this case the server should ignore
>any packet from this client - which can be any
>client of the 30 K I mentioned before. The
>easiest way would be for that intelligence to be in
>the isc dhcp server, because the server knows the
>real client address. But this server has no
>possibility of traffic control - except reducing
>the general rate, which would limit my dhcp
>server in total.
My understanding is that the recent module for
iptables can do this. But I'm not sure if it can
track arbitrary parts of the packet, or only
source MAC or IP.
The only other option I can see is to tail the
log and spot excess requests from an individual
client. fail2ban is designed to do this in a
generic way (normally looking for login failures
etc) and block that client. In this case, you'd
need to write your own matching pattern and
action - which would again involve matching the
client MAC from the DHCP packet.
--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
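Worked example, added here and not code from the post or from ISC dhcp: it pulls the client hardware address out of the fixed DHCP header and does the per-client accounting in user space, keyed on chaddr rather than on the IP source address (which is all the iptables recent module can key on). Byte 28 of the DHCP message is the start of the 16-byte chaddr field, of which the first hlen bytes (6 for Ethernet) are the MAC; counted from the start of an IPv4 datagram with a minimal 20-byte IP header and the 8-byte UDP header, that is byte 56. The u32 helper builds a match expression from the iptables manual's u32 syntax (the `0>>22&0x3C@` idiom skips the variable-length IPv4 header); it is an assumption that is only string-built here, not loaded into a firewall. One caveat a practitioner should know before relying on an INPUT rule at all: on Linux, ISC dhcpd normally reads requests through a raw packet socket (the "LPF" interface), which receives frames before the netfilter IP hooks, so an iptables DROP on INPUT does not stop dhcpd from seeing the packet. The sample packets are constructed, not captured.

```python
"""Per-client DHCP request accounting keyed on the chaddr field.

Added example for this thread; not code from the post or from ISC dhcp.
It parses the fixed BOOTP/DHCP header, takes the client hardware address
from byte 28 of the DHCP message (16 bytes, of which the first hlen bytes
are the MAC) and keeps a sliding-window count per client, so a client that
sends more than `limit` requests in `window` seconds is refused.
Sample packets are constructed here, not captured.
"""
import struct
from collections import defaultdict, deque

DHCP_MAGIC = b"\x63\x82\x53\x63"   # options cookie at byte 236 of the message
CHADDR_OFFSET = 28                 # op,htype,hlen,hops(4) xid(4) secs,flags(4) 4 addrs(16)
CHADDR_LEN = 16


def chaddr_of(dhcp: bytes) -> bytes:
    """Return the client MAC (first hlen bytes of chaddr) of a BOOTREQUEST."""
    if len(dhcp) < 240 or dhcp[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, hlen = dhcp[0], dhcp[2]
    if op != 1:                               # 1 = BOOTREQUEST (client -> server)
        raise ValueError("not a client request")
    if not 0 < hlen <= CHADDR_LEN:
        raise ValueError("bad hlen")
    return dhcp[CHADDR_OFFSET:CHADDR_OFFSET + hlen]


def dhcp_from_ipv4(datagram: bytes) -> bytes:
    """Strip the IPv4 and UDP headers. With a minimal IPv4 header the DHCP
    message starts at datagram byte 28, so chaddr (DHCP byte 28) is byte 56."""
    ihl = (datagram[0] & 0x0F) * 4             # IPv4 header length in bytes
    if datagram[9] != 17:                      # protocol 17 = UDP
        raise ValueError("not UDP")
    return datagram[ihl + 8:]


def u32_chaddr_match(mac: bytes) -> str:
    """iptables -m u32 expression for chaddr == mac (6-byte MAC).
    Assumption: standard u32 syntax; '0>>22&0x3C@' skips the IPv4 header, so
    offset 36 = 8 (UDP header) + 28 (chaddr). Built as a string only, not run."""
    if len(mac) != 6:
        raise ValueError("expect a 6-byte MAC")
    first4 = int.from_bytes(mac[:4], "big")
    last2 = int.from_bytes(mac[4:], "big")
    return f"0>>22&0x3C@36=0x{first4:08x} && 0>>22&0x3C@40>>16=0x{last2:04x}"


class ClientRateLimiter:
    """Sliding-window counter per chaddr, like iptables 'recent' but keyed on
    the DHCP client MAC instead of the IP source address."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, mac: bytes, now: float) -> bool:
        q = self.hits[mac]
        while q and now - q[0] >= self.window:  # forget hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                          # over the limit: ignore this client
        q.append(now)
        return True


def build_discover(mac: bytes, xid: int) -> bytes:
    """Constructed DHCPDISCOVER: 236-byte fixed header + cookie + options."""
    zero4 = b"\0" * 4
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, len(mac), 0, xid, 0, 0x8000,
                      zero4, zero4, zero4, zero4)                   # 28 bytes
    hdr += mac.ljust(CHADDR_LEN, b"\0") + b"\0" * 64 + b"\0" * 128  # chaddr, sname, file
    return hdr + DHCP_MAGIC + b"\x35\x01\x01\xff"                   # type=DISCOVER, end


def simulate(limit=3, window=60.0):
    """Feed one flooding client and one normal client through the limiter."""
    flooder, normal = bytes.fromhex("0011223344aa"), bytes.fromhex("0011223344bb")
    stream = [(float(t), build_discover(flooder, t)) for t in range(5)]   # 5 requests in 5 s
    stream += [(100.0, build_discover(normal, 100)),
               (200.0, build_discover(flooder, 200))]                   # window has expired
    rl = ClientRateLimiter(limit, window)
    return [(chaddr_of(p).hex(":"), rl.allow(chaddr_of(p), now=t)) for t, p in stream]


if __name__ == "__main__":
    for mac, ok in simulate():
        print(mac, "allowed" if ok else "DROPPED")
```

With a limit of 3 per 60 seconds the flooding client's fourth and fifth requests are refused while the other client is unaffected, and the flooder is admitted again once its earlier hits have aged out of the window; the same per-chaddr key is what a fail2ban filter tailing the dhcpd log would have to extract from the logged MAC.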