Limit DHCP requests with iptables - problem: Router

Michal Suchanek hramrach at centrum.cz
Wed Feb 9 18:45:15 UTC 2011


2011/2/9 José Queiroz <zekkerj at gmail.com>:
>
>
> 2011/2/9 Peter Rathlev <peter at rathlev.dk>
>>
>> On Wed, 2011-02-09 at 12:25 -0200, José Queiroz wrote:
>> > 2011/2/9 Peter Rathlev <peter at rathlev.dk>
>> > > The thread has since moved on to discussing different ways of
>> > > detecting the misbehaving clients. And iptables alone simply cannot
>> > > do what you describe.
>> >
>> > Yes, iptables can do it. It's just a matter of how to chain the tests.
>>
>> No, iptables can IMHO not do this. I don't understand why people keep
>> saying it can. I provided a working example (using a string match) for a
>> _known_ MAC address, but I'm pretty sure iptables cannot do it for an
>> unknown MAC address.
>>
>> If you insist it can then please provide a working example of limiting
>> DHCP requests based on the MAC address contained inside the DHCP packet
>> only using iptables commands. And remember: You don't know the MAC
>> address in advance.
>>
>
>
> I gave this example a few messages ago. Although I didn't test it, I
> think it is a feasible approach.
>
> iptables -A INPUT -p udp --dport 67 --u32 "28 = 0xaa && 29 = 0xbb && 30 =
> 0xcc && 31 = 0xdd && 32 = 0xee && 33 = 0xff" -j BLOCK_DHCP_CLIENT
>

This will definitely not work.  The --u32 28 = 0xaa searches for
packets containing 0x000000aa at offset 28. Together with 29 = 0xbb it
will not match any packets.

You could possibly use --u32 "28 = 0xaabbccdd && 30 & 0xffff = 0xeeff"
(this seems to be the right order from the examples).

Alternatively, there is the string module. Not sure about the exact
syntax, the documentation is not very specific. Probably something
like:
iptables -A INPUT -p udp --dport 67 -m string --from 28 --to 34 --hex-string aabbccddeeff

Thanks

Michal
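An added example (not from anyone in this thread) that models the point under discussion: xt_u32 loads four bytes big-endian per test, and both u32 and string offsets count from the start of the IP header, so chaddr sits at 20 + 8 + 28 = 56, not 28. It assumes an IPv4 header without options and the RFC 2131 BOOTP layout; the packet is constructed, and u32_match is a small model of the u32 syntax used here, not the kernel module itself.

```python
import re
import struct

# Assumptions for this constructed example: IPv4 header without options (20 bytes),
# 8-byte UDP header, and chaddr at offset 28 of the BOOTP/DHCP message (RFC 2131 layout).
IP_HDR_LEN, UDP_HDR_LEN, CHADDR_OFF = 20, 8, 28
CHADDR_PKT_OFF = IP_HDR_LEN + UDP_HDR_LEN + CHADDR_OFF   # 56, counted from the IP header

def build_dhcp_packet(mac: str) -> bytes:
    """Constructed IPv4/UDP/DHCPDISCOVER packet (checksums left zero) carrying `mac` in chaddr."""
    hw = bytes.fromhex(mac.replace(":", ""))
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, hw, b"", b"")
    bootp += b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"      # magic cookie, msg type, end
    udp = struct.pack("!HHHH", 68, 67, UDP_HDR_LEN + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(udp) + len(bootp), 0, 0, 64, 17, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff")
    return ip + udp + bootp

def u32_match(packet: bytes, expr: str) -> bool:
    """Model of the xt_u32 subset used in the thread: tests 'off=val' or 'off&mask=val' joined by &&.
    As in the kernel module, each test loads 4 bytes big-endian at 'off' (offset 0 = IP header)."""
    for test in expr.split("&&"):
        m = re.fullmatch(r"\s*(\d+)\s*(?:&\s*(0x[0-9a-f]+))?\s*=\s*(0x[0-9a-f]+)\s*", test, re.I)
        if not m or int(m[1]) + 4 > len(packet):
            return False          # malformed test, or the 4-byte load would run past the packet
        off, mask, val = int(m[1]), int(m[2] or "0xffffffff", 16), int(m[3], 16)
        if (int.from_bytes(packet[off:off + 4], "big") & mask) != val:
            return False
    return True

def u32_rule_for_mac(mac: str) -> str:
    """u32 expression matching a 6-byte MAC in chaddr: one full word, then the top half of the next."""
    hw = bytes.fromhex(mac.replace(":", ""))
    first = int.from_bytes(hw[:4], "big")
    last = int.from_bytes(hw[4:6], "big") << 16
    return f"{CHADDR_PKT_OFF}=0x{first:08x} && {CHADDR_PKT_OFF + 4}&0xffff0000=0x{last:08x}"

def string_rule_for_mac(mac: str) -> str:
    """Equivalent xt_string match over the whole 16-byte chaddr field; --from/--to also count from the IP header."""
    hw = bytes.fromhex(mac.replace(":", ""))
    return f"-m string --algo bm --from {CHADDR_PKT_OFF} --to {CHADDR_PKT_OFF + 16} --hex-string '|{hw.hex()}|'"

if __name__ == "__main__":
    pkt = build_dhcp_packet("aa:bb:cc:dd:ee:ff")
    print(u32_rule_for_mac("aa:bb:cc:dd:ee:ff"), u32_match(pkt, u32_rule_for_mac("aa:bb:cc:dd:ee:ff")))
```

Feeding the model the offset-28 expressions from the thread shows they only match when the packet is sliced to start at the BOOTP header, which is not what the kernel sees.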



More information about the dhcp-users mailing list