@racerxdl
Created April 27, 2020 01:24
Block DHCP in Bridge
# Block 1: drop DHCP frames (UDP source or destination port 67/68) arriving on eno2
# and addressed to the bridge host itself (ebtables INPUT chain).
ebtables -I INPUT -i eno2 -p ip --ip-protocol udp --ip-source-port 67 -j DROP
ebtables -I INPUT -i eno2 -p ip --ip-protocol udp --ip-source-port 68 -j DROP
ebtables -I INPUT -i eno2 -p ip --ip-protocol udp --ip-destination-port 67 -j DROP
ebtables -I INPUT -i eno2 -p ip --ip-protocol udp --ip-destination-port 68 -j DROP
# Block 2: the same destination-port filter as one range, appended (rule number 0 means
# "after the last rule") for frames to the host, frames leaving via eno2 and frames bridged out of eno2.
ebtables -I INPUT 0 -i eno2 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT 0 -o eno2 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I FORWARD 0 -o eno2 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
# Block 3: the same filter at the iptables layer using the physdev match. These rules only see
# bridged frames when br_netfilter is loaded and net.bridge.bridge-nf-call-iptables=1.
iptables -I FORWARD -m physdev --physdev-out eno2 -p udp --dport 67:68 -j DROP
iptables -I FORWARD -m physdev --physdev-in eno2 -p udp --dport 67:68 -j DROP
iptables -I INPUT -m physdev --physdev-in eno2 -p udp --dport 67:68 -j DROP
@agross

agross commented May 15, 2021

Could you please explain what these rules mean and why there are three groups?

My goal is to block DHCP traffic traversing a bridge. But the host running the bridge should be able to hand out addresses via DHCP.

@racerxdl (Author)

Hi @agross, the only reason why I did three blocks is that they do a bit different stuff. The first two blocks are rules for blocking traffic over bridges, the second one blocks DHCP traffic locally.

I'm not really sure if ebtables can do what you want, it might be possible to filter by origin.

@agross

agross commented May 16, 2021

Hi, thank you for taking the time to answer my question!

I found a solution that works:

# Do not forward DHCP requests to the mobile access point network.
ebtables -I FORWARD -p ip --ip-destination 255.255.255.255 --ip-protocol udp --ip-source-port 68 --ip-destination-port 67 -j DROP

# Drop DHCP requests sent from the mobile access point network.
ebtables -I INPUT --in-interface enp+ -p ip --ip-destination 255.255.255.255 --ip-protocol udp --ip-source-port 68 --ip-destination-port 67 -j DROP

The Raspberry Pi runs the bridge in my setup:

 LTE Access Point w/ DHCP ------ (enp*) Raspberry Pi w/ DHCP (eth0) ------ Switch ----- Some Host

No issues as long as both DHCP servers hand out different ranges of addresses.
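To make the difference between the two rule sets concrete, here is an added Python example (not part of the gist or of this thread) that reproduces the match logic of the gist's `--ip-destination-port 67:68` rules and of the narrower `--ip-destination 255.255.255.255 --ip-source-port 68 --ip-destination-port 67` rule over constructed Ethernet/IPv4/UDP frames. The addresses, MACs and payloads are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

def build_udp_frame(src_ip, dst_ip, sport, dport, payload=b"\x01" * 8):
    """Construct an Ethernet II / IPv4 / UDP frame (sample data; checksums left as zero)."""
    eth = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return eth + ip + udp + payload

def parse_frame(frame):
    """Extract the fields the ebtables rules match on; None if the frame is not IPv4/UDP."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # -p ip / -p IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 17:                                   # --ip-protocol udp
        return None
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return {"src": str(IPv4Address(frame[26:30])), "dst": str(IPv4Address(frame[30:34])),
            "sport": sport, "dport": dport}

def gist_rule_drops(frame):
    """Gist: -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP (both directions)."""
    f = parse_frame(frame)
    return f is not None and 67 <= f["dport"] <= 68

def agross_rule_drops(frame):
    """Narrower rule: --ip-destination 255.255.255.255 --ip-source-port 68 --ip-destination-port 67."""
    f = parse_frame(frame)
    return (f is not None and f["dst"] == "255.255.255.255"
            and f["sport"] == 68 and f["dport"] == 67)

# Constructed sample frames covering the DHCP message flows that cross a bridge.
DISCOVER = build_udp_frame("0.0.0.0", "255.255.255.255", 68, 67)    # client broadcast DISCOVER/REQUEST
OFFER = build_udp_frame("192.168.1.1", "255.255.255.255", 67, 68)   # server broadcast OFFER/ACK
RENEW = build_udp_frame("192.168.1.50", "192.168.1.1", 68, 67)      # unicast REQUEST (RENEWING state)
DNS = build_udp_frame("192.168.1.50", "192.168.1.1", 40000, 53)     # unrelated UDP traffic

def classify(frame):
    """Report which of the two rule sets would drop the frame."""
    return {"gist": gist_rule_drops(frame), "agross": agross_rule_drops(frame)}

if __name__ == "__main__":
    for name, frame in [("DISCOVER", DISCOVER), ("OFFER", OFFER), ("RENEW", RENEW), ("DNS", DNS)]:
        print(name, classify(frame))
```

The output shows why the narrower rule still lets the Pi's own server answer: it drops only the client broadcasts, while server replies pass. It also shows the caveat that a client renewing its lease sends a unicast REQUEST straight to the server IP, which the broadcast-only rule does not match.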

@yueguobin

Works well!
