* How to block DHCPv4/v6, ARP, RADVD with ebtables/iptables on bridge?
@ 2009-04-14 20:50 Linus Lüssing
From: Linus Lüssing @ 2009-04-14 20:50 UTC (permalink / raw)
To: netfilter
I'm having the following setup here on every router with OpenWRT.
- A bridge br-mesh over the interfaces bat0, eth0.4 and ath0. bat0
is the virtual mesh interface which connects every router with
another using the routing daemon/protocol batman-adv, which means
that virtually every router's bat0 is directly connected to the
others. eth0.4 is a VLAN over two LAN ports on every router, ath0
is a WLAN interface in AP mode.
- Every router is running radvd and a DHCPv4-daemon.
My goal now is to have local IPv4 addresses on every router;
therefore I want to block all ARP packets and DHCPv4 traffic over
the bat0 interface. As every router is announcing the same IPv6
unique local prefix, I also want to get rid of the
radvd announcements over bat0 to save traffic created by
multicasts/broadcasts. Also the announcing of "evil" IPv6 default
gateways shall be reduced this way. So finally I would also like
to block DHCPv6 servers over bat0.
So far I've found out the following rules for ebtables to block
DHCPv4+ARP (would be nice if someone could confirm that they
would work the way I want to).
----------------
#Block DHCPv4 over the Mesh-network
ebtables -A INPUT --in-interface bat0 --protocol IPv4 --ip-protocol udp --ip-source-port 68 -j DROP
ebtables -A INPUT --in-interface bat0 --protocol IPv4 --ip-protocol udp --ip-destination-port 67 -j DROP
ebtables -A FORWARD --in-interface bat0 --protocol IPv4 --ip-protocol udp --ip-destination-port 67 -j DROP
ebtables -A FORWARD --in-interface ath0 --out-interface bat0 --protocol IPv4 --ip-protocol udp --ip-source-port 68 -j DROP
ebtables -A FORWARD --in-interface eth0.4 --out-interface bat0 --protocol IPv4 --ip-protocol udp --ip-source-port 68 -j DROP
#Block ARP over the Mesh-network
ebtables -A INPUT --in-interface bat0 --protocol ARP -j DROP
ebtables -A FORWARD --in-interface bat0 --protocol ARP -j DROP
ebtables -A FORWARD --in-interface ath0 --out-interface bat0 --protocol ARP -j DROP
ebtables -A FORWARD --in-interface eth0.4 --out-interface bat0 --protocol ARP -j DROP
----------------
So now I'm having more trouble finding the right rules to block
DHCPv6 and radvd over bat0. Thanks for the help in advance.
PS: I'm aware of the fact that people can make manual
ARP entries and that IPv4 traffic is (therefore) not blocked
entirely. But this is not a problem, in fact it's intended like
this.
* Re: How to block DHCPv4/v6, ARP, RADVD with ebtables/iptables on bridge?
From: Petr Pisar @ 2009-04-16 9:57 UTC (permalink / raw)
To: netfilter
On 2009-04-14, Linus Lüssing <linus.luessing@web.de> wrote:
>
> So now I'm having more trouble to find the right rules to block
> DHCPv6 and radvd over bat0. Thanks for the help in advance.
>
DHCPv6 uses UDP/547 on server and UDP/546 on client with link scope
unicast or multicast addresses.
Router Advertisement utilizes ICMP6, Router Solicitation type to
link scope multicast ff02::02 by client and Router Advertisement type to
link scope multicast ff01::01 by server. Source addresses are link scope
unicast addresses in both directions.
-- Petr
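Turning the reply's port numbers and ICMPv6 types into rules for the setup in the first post (bat0 as mesh interface, ath0 and eth0.4 as client ports), as an added example that is not code from either poster: a POSIX sh script extending the DHCPv4/ARP filter with DHCPv6 and Router Advertisement blocking. The variable names, helper functions and the `apply` argument are my own; it assumes an ebtables whose ip6 match supports --ip6-icmp-type (added in ebtables 2.0.10, i.e. later than this 2009 thread).

```shell
#!/bin/sh
# Added example (not from the thread): drop DHCPv6 and Router Advertisements on
# the batman-adv mesh port of the bridge, mirroring the poster's DHCPv4/ARP rules.
# Assumes ebtables >= 2.0.10 for --ip6-icmp-type. Set EBTABLES=echo for a dry run.
EBTABLES="${EBTABLES:-ebtables}"
MESH="${MESH:-bat0}"                      # mesh interface (bridge port)
LAN_IFACES="${LAN_IFACES:-ath0 eth0.4}"   # bridge ports carrying clients

# Protocol constants: DHCPv6 ports (RFC 3315), ICMPv6 = 58, RS = 133 / RA = 134 (RFC 4861)
DHCP6_SERVER=547
ICMP6=58
RS_TYPE=133
RA_TYPE=134

drop() {  # helper: append one DROP rule; args are chain followed by the match options
    $EBTABLES -A "$@" -j DROP
}

block_dhcpv6() {
    # Server replies (source port 547) coming from the mesh: neither accept nor forward them
    drop INPUT   --in-interface "$MESH" --protocol IPv6 --ip6-protocol udp --ip6-source-port $DHCP6_SERVER
    drop FORWARD --in-interface "$MESH" --protocol IPv6 --ip6-protocol udp --ip6-source-port $DHCP6_SERVER
    # Client requests (destination port 547) stay local: drop them arriving from, or leaving to, the mesh
    drop INPUT   --in-interface "$MESH" --protocol IPv6 --ip6-protocol udp --ip6-destination-port $DHCP6_SERVER
    drop FORWARD --in-interface "$MESH" --protocol IPv6 --ip6-protocol udp --ip6-destination-port $DHCP6_SERVER
    for lan in $LAN_IFACES; do
        drop FORWARD --in-interface "$lan" --out-interface "$MESH" --protocol IPv6 --ip6-protocol udp --ip6-destination-port $DHCP6_SERVER
    done
}

block_ra() {
    # Foreign RAs from the mesh: do not accept them locally and do not bridge them to the LAN ports
    drop INPUT   --in-interface "$MESH" --protocol IPv6 --ip6-protocol $ICMP6 --ip6-icmp-type $RA_TYPE
    drop FORWARD --in-interface "$MESH" --protocol IPv6 --ip6-protocol $ICMP6 --ip6-icmp-type $RA_TYPE
    # Our own radvd (OUTPUT) and any router on a LAN port (FORWARD) must not announce into the mesh
    drop OUTPUT  --out-interface "$MESH" --protocol IPv6 --ip6-protocol $ICMP6 --ip6-icmp-type $RA_TYPE
    for lan in $LAN_IFACES; do
        drop FORWARD --in-interface "$lan" --out-interface "$MESH" --protocol IPv6 --ip6-protocol $ICMP6 --ip6-icmp-type $RA_TYPE
    done
    # Router Solicitations from the mesh would only make our radvd answer: drop them as well
    drop INPUT --in-interface "$MESH" --protocol IPv6 --ip6-protocol $ICMP6 --ip6-icmp-type $RS_TYPE
}

if [ "${1:-}" = "apply" ]; then
    block_dhcpv6
    block_ra
fi
```

Run `EBTABLES=echo sh mesh-v6-filter.sh apply` first to print the rules, then without EBTABLES to load them; a later `ebtables -L --Lc` shows whether the counters on the RA rules increase.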