* DHCP issue - iptables rules not hit when using ebtables - MAC based firewall bypass
@ 2009-06-27  7:57 fvancrae
From: fvancrae @ 2009-06-27  7:57 UTC (permalink / raw)
  To: netfilter

How can I block the DHCP request or answer for a specific MAC address 
using iptables/ebtables?

I am using ebtables on my firewall to have one consumer device (client) 
bypass the firewall entirely and act as if it is directly connected to 
the internet.

For this I create a bridge (non transparent) and specify a MAC based 
rule in the BROUTING chain
 -s MAC -i eth1 -j ACCEPT
 -d MAC -i eth0 -j ACCEPT
 BROUTING POLICY DROP

eth0 is my router's WLAN interface
eth1 is my router's LAN interface

Then I wanted to block the DHCP request for that MAC on my firewall (which 
is the DHCPD),
but it seems that no iptables or ebtables rule can be used to block this 
packet (or even an outgoing packet of my DHCPD).

My client always gets an IP inside my LAN.

!!This entire setup however works if I disable my DHCPD temporarily and 
boot my client (= it gets an external IP),
so it is really only a problem of blocking DHCP requests/responses!!

In document 'ebtables/iptables interaction on a Linux-based bridge'
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
I was led to believe that iptables FILTER chain INPUT and OUTPUT are 
still traversed


My bridge config:

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig br0 up



TIA,
Frederic


* Re: DHCP issue - iptables rules not hit when using ebtables - MAC based firewall bypass
@ 2009-06-27  9:36 ` Pascal Hambourg
From: Pascal Hambourg @ 2009-06-27  9:36 UTC (permalink / raw)
  To: netfilter

Hello,

fvancrae@telenet.be wrote:
> 
> I am using ebtables on my firewall to have one consumer device (client) 
> bypass the firewall entirely and act as if it is directly connected to 
> the internet.
> 
> For this I create a bridge (non transparent) and specify a MAC based 
> rule in the BROUTING chain
> -s MAC -i eth1 -j ACCEPT
> -d MAC -i eth0 -j ACCEPT
> BROUTING POLICY DROP

This seems incomplete to me. How do you deal with broadcast frames 
received on eth0 such as ARP requests for your device's IP address?

> eth0 is my router's WLAN interface
> eth1 is my router's LAN interface
> 
> Then I wanted to block the DHCP request for that MAC on my firewall (which 
> is the DHCPD),
> but it seems that no iptables or ebtables rule can be used to block this 
> packet (or even an outgoing packet of my DHCPD).
> 
> My client always gets an IP inside my LAN.

Does the DHCP server listen on eth0 or on the bridge interface? Some DHCP 
software (either client or server side) binds directly to the 
network interface and thus bypasses iptables and ebtables. So I guess you 
might either blacklist the device MAC address in the DHCP server 
configuration if possible, or have it listen on the bridge interface 
(and add ebtables rules to keep DHCP traffic from leaking through eth0).
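
Putting the two suggestions above together, as an added example that is not part of the original thread: a small script that emits (and, on request, applies) the ebtables rules and the ISC dhcpd host stanza that keep the local DHCP server from serving the bypassed MAC. It assumes dhcpd is bound to br0 rather than eth1 (so its frames actually traverse the ebtables INPUT/OUTPUT chains), ISC dhcpd configuration syntax, and the placeholder names br0, eth1 and the MAC passed in.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes: bridge br0 = eth0 (WAN side)
# + eth1 (LAN side), ISC dhcpd listening on br0, ebtables with the ip extension.

# Reject anything that is not a colon-separated 48-bit MAC before it lands in
# a rule: a malformed value would silently produce rules that match nothing.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the ebtables commands for one bypassed MAC. DHCP is UDP 67/68, and the
# client has no IP yet, so match on MAC plus the ebtables IP extension.
# INPUT stops the client's requests before a dhcpd bound to br0 sees them;
# OUTPUT stops a unicast offer/ack from leaving br0 towards that MAC.
# Broadcast replies (client sets the broadcast flag) carry no client MAC as
# destination, which is why the dhcpd stanza below is also needed.
dhcp_block_rules() {
    mac=$1; lan=${2:-eth1}
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    cat <<EOF
ebtables -A INPUT -i $lan -s $mac -p IPv4 --ip-proto udp --ip-dport 67 -j DROP
ebtables -A OUTPUT -d $mac -p IPv4 --ip-proto udp --ip-sport 67 -j DROP
EOF
}

# ISC dhcpd: a host declaration with "deny booting" makes the server ignore
# that client regardless of how its frames reached the daemon.
dhcpd_deny_stanza() {
    mac=$1
    valid_mac "$mac" || return 1
    printf 'host bypass-client {\n    hardware ethernet %s;\n    deny booting;\n}\n' "$mac"
}

# Dry run by default (print everything); APPLY=1 executes the ebtables lines.
apply_or_print() {
    mac=$1
    if [ "${APPLY:-0}" = 1 ]; then
        dhcp_block_rules "$mac" | sh -e
    else
        dhcp_block_rules "$mac"
        dhcpd_deny_stanza "$mac"
    fi
}
```

Run it as `apply_or_print 00:11:22:33:44:55` to see the rules, then paste the host stanza into dhcpd.conf and re-run with `APPLY=1` once dhcpd has been moved to br0.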

