Limit DHCP requests with iptables - problem: Router
Alex Bligh
alex at alex.org.uk
Wed Feb 9 10:26:20 UTC 2011
--On 9 February 2011 10:46:16 +0100 Michal Suchanek <hramrach at centrum.cz>
wrote:
>>>>> This is not possible when you want to match arbitrary part of the
>>>>> packet,
>>>>
>>>> citation missing
>>>>
>>> iptables(8)
>>
>> search for the option "--u32"
>>
> I know it's there, as well as string. However, it cannot be used with
> modules such as recent, or hashlimit which requires you to know the
> pattern in advance
So why can't you put all the packets matching with --u32 into a separate
chain (if necessary one per broken printer) using -j, then do the
rate limiting / recent stuff there on all packets in the chain?
> and you cannot use iptables alone to determine the
> ofending address.
OP already knows the offending MAC address(es) and did not say he
needed to autodetect them.
Yes, you'd have to do this manually, yes it's not particularly maintainable,
and yes, OP would be better patching dhcpd (as I said earlier), but that
doesn't mean it is *impossible* with iptables. Very little is impossible
with iptables (I think it probably contains a built in version of dunnet
if only one knew the appropriate CLI command), though whether or not it
is usable is a different matter.
--
Alex Bligh
More information about the dhcp-users
mailing list