From: "Linus Lüssing" <linus.luessing@web.de>
To: netfilter@vger.kernel.org
Subject: How to block DHCPv4/v6, ARP, RADVD with ebtables/iptables on bridge?
Date: Tue, 14 Apr 2009 22:50:07 +0200
Message-ID: <20090414205007.GA5663@Linus-Debian>
I have the following setup on every router running OpenWRT.
- A bridge br-mesh over the interfaces bat0, eth0.4 and ath0. bat0
is the virtual mesh interface which connects every router with
the others using the routing daemon/protocol batman-adv, which means
that virtually every router's bat0 is directly connected to the
others. eth0.4 is a VLAN over two LAN ports on every router, ath0
is a WLAN interface in AP mode.
- Every router is running radvd and a DHCPv4 daemon.
My goal now is to have local IPv4 addresses on every router,
therefore I want to block all ARP packets and DHCPv4 traffic over
the bat0 interface. As every router is announcing the same IPv6
unique local prefix, I also want to get rid of the
radvd announcements over bat0 to save the traffic created by
multicasts/broadcasts. Also the announcing of "evil" IPv6 default
gateways shall be reduced this way. So finally I would also like
to block DHCPv6 servers over bat0.
So far I've found the following rules for ebtables to block
DHCPv4+ARP (it would be nice if someone could confirm that they
work the way I want them to).
----------------
# Block DHCPv4 over the mesh network
ebtables -A INPUT --in-interface bat0 --protocol IPv4 \
    --ip-protocol udp --ip-source-port 68 -j DROP
ebtables -A INPUT --in-interface bat0 --protocol IPv4 \
    --ip-protocol udp --ip-destination-port 67 -j DROP
ebtables -A FORWARD --in-interface bat0 --protocol IPv4 \
    --ip-protocol udp --ip-destination-port 67 -j DROP
ebtables -A FORWARD --in-interface ath0 --out-interface bat0 \
    --protocol IPv4 --ip-protocol udp --ip-source-port 68 -j DROP
ebtables -A FORWARD --in-interface eth0.4 --out-interface bat0 \
    --protocol IPv4 --ip-protocol udp --ip-source-port 68 -j DROP

# Block ARP over the mesh network
ebtables -A INPUT --in-interface bat0 --protocol ARP -j DROP
ebtables -A FORWARD --in-interface bat0 --protocol ARP -j DROP
ebtables -A FORWARD --in-interface ath0 --out-interface bat0 \
    --protocol ARP -j DROP
ebtables -A FORWARD --in-interface eth0.4 --out-interface bat0 \
    --protocol ARP -j DROP
----------------
Now I'm having more trouble finding the right rules to block
DHCPv6 and radvd over bat0. Thanks for the help in advance.
PS: I'm aware of the fact that people can create manual
ARP entries and that IPv4 traffic is (therefore) not blocked
entirely. But this is not a problem, in fact it's intended like
this.
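The following script is an added example written for this page; it is not part of the mail above or of any reply to it. It puts the ARP and DHCPv4 rules from the mail together with the DHCPv6 and router-advertisement rules the mail asks for, as one rule set for the mesh port. It assumes the bridge port names from the mail (bat0 as the mesh port) and an ebtables whose ip6 match supports --ip6-icmp-type, which current ebtables has but the 2009 version the mail was written against did not. Instead of listing each local port (ath0, eth0.4), it drops the traffic classes in both directions on the mesh port itself, so a new bridge port needs no additional rule.

```shell
#!/bin/sh
# Added example (not from the original mail): keep ARP, DHCPv4, DHCPv6 and
# IPv6 router discovery off the mesh port of a bridge.
# Assumptions: mesh port name as in the mail (bat0), ebtables with the ip6
# match including --ip6-icmp-type.

EBTABLES=${EBTABLES:-ebtables}   # set EBTABLES=echo to only print the rules

# One match expression per line for each traffic class that must not cross
# the mesh. 67:68 and 546:547 cover server and client ports of DHCPv4 and
# DHCPv6; ICMPv6 types 133 and 134 are router solicitation and router
# advertisement (what radvd sends); 58 is the ICMPv6 protocol number.
autoconf_matches() {
    cat <<'EOF'
-p ARP
-p IPv4 --ip-proto udp --ip-sport 67:68
-p IPv4 --ip-proto udp --ip-dport 67:68
-p IPv6 --ip6-proto udp --ip6-sport 546:547
-p IPv6 --ip6-proto udp --ip6-dport 546:547
-p IPv6 --ip6-proto 58 --ip6-icmp-type 133:134
EOF
}

# Print the complete rule list for mesh port $1, one "-A ..." per line.
# Frames entering from the mesh are dropped whether they are addressed to
# this router (INPUT) or bridged on to a local port (FORWARD); frames
# leaving on the mesh are dropped whether bridged from a local port
# (FORWARD) or generated by this router's own daemons (OUTPUT).
mesh_filter_rules() {
    mesh=$1
    autoconf_matches | while read -r match; do
        echo "-A INPUT -i $mesh $match -j DROP"
        echo "-A FORWARD -i $mesh $match -j DROP"
        echo "-A FORWARD -o $mesh $match -j DROP"
        echo "-A OUTPUT -o $mesh $match -j DROP"
    done
}

# Load the rules for mesh port $1; returns non-zero if any ebtables call fails.
apply_mesh_filter() {
    mesh=$1
    mesh_filter_rules "$mesh" | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        $EBTABLES $rule || exit 1
    done
}

# Number of rules generated for a port: 6 traffic classes x 4 chain and
# direction combinations = 24. Handy for checking a loaded table against
# what the generator produced.
rule_count() {
    mesh_filter_rules "$1" | grep -c '^-A '
}

# Usage: sh mesh-filter.sh bat0      (EBTABLES=echo sh mesh-filter.sh bat0 previews)
if [ -n "${1:-}" ]; then
    apply_mesh_filter "$1"
fi
```

Running it with EBTABLES=echo prints the 24 rules without touching the box, which is the quickest way to review the set before loading it on a router; with the real ebtables the script stops at the first rule the installed version rejects, so an old ebtables without --ip6-icmp-type fails loudly rather than loading a partial set.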