Block DHCP in Bridge

block.sh

ebtables -I INPUT -i eno2 -p ip --ip-protocol udp --ip-source-port 67 -j DROP
ebtables -I INPUT -i eno2 -p ip --ip-protocol udp --ip-source-port 68 -j DROP
ebtables -I INPUT -i eno2 -p ip --ip-protocol udp --ip-destination-port 67 -j DROP
ebtables -I INPUT -i eno2 -p ip --ip-protocol udp --ip-destination-port 68 -j DROP


ebtables -I INPUT 0 -i eno2 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I OUTPUT 0 -o eno2 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -I FORWARD 0 -o eno2 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP


iptables -I FORWARD -m physdev --physdev-out eno2 -p udp --dport 67:68 -j DROP
iptables -I FORWARD -m physdev --physdev-in eno2 -p udp --dport 67:68 -j DROP
iptables -I INPUT -m physdev --physdev-in eno2 -p udp --dport 67:68 -j DROP

Hi, thank you for taking the time to answer my question!

I found a solution that works:

# Do not forward DHCP requests to the mobile access point network.
ebtables -I FORWARD -p ip --ip-destination 255.255.255.255 --ip-protocol udp --ip-source-port 68 --ip-destination-port 67 -j DROP

# Drop DHCP requests sent from the mobile access point network.
ebtables -I INPUT --in-interface enp+ -p ip --ip-destination 255.255.255.255 --ip-protocol udp --ip-source-port 68 --ip-destination-port 67 -j DROP

The Raspberry Pi runs the bridge in my setup:

 LTE Access Point w/ DHCP ------ (enp*) Raspberry Pi w/ DHCP (eth0) ------ Switch ----- Some Host

No issues as long as both DHCP servers hand out different ranges of addresses.

好用！