From: "fvancrae@telenet.be" <fvancrae@telenet.be>
To: netfilter@vger.kernel.org
Subject: DHCP issue - iptables rules not hit when using ebtables - MAC based firewall bypass
Date: Sat, 27 Jun 2009 09:57:34 +0200
Message-ID: <4A45D0EE.50400@telenet.be>

How can I block the DHCP request or answer for a specific MAC address 
using iptables/ebtables?

I am using ebtables on my firewall to have one consumer device (client) 
bypass the firewall entirely and act as if it is directly connected to 
the internet.

For this I create a bridge (non transparent) and specify MAC based 
rules in the BROUTING chain:
 ebtables -t broute -A BROUTING -s MAC -i eth1 -j ACCEPT
 ebtables -t broute -A BROUTING -d MAC -i eth0 -j ACCEPT
 ebtables -t broute -P BROUTING DROP

eth0 is my router's WLAN interface
eth1 is my router's LAN interface

Then I wanted to block the DHCP request for that MAC on my firewall 
(which is the DHCPD),
but it seems that no iptables or ebtables rule can be used to block this 
packet (or even an outgoing packet of my DHCPD).

My client always gets an IP inside my LAN.

!!This entire setup however works if I disable my DHCPD temporarily, 
boot my client (=get an external IP)
so it is really only a problem of blocking DHCP requests/responses!!

In the document 'ebtables/iptables interaction on a Linux-based bridge'
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
I was led to believe that the iptables FILTER chains INPUT and OUTPUT are 
still traversed.


My bridge config:

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig br0 up

TIA,
Frederic
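
The following is an added example, not part of Frederic's post or of any reply in the thread. It generates the ebtables filter rules that stop the local DHCP server from seeing (INPUT) or answering (OUTPUT) one client MAC, while the BROUTING rules from the post keep bridging that client's other frames to eth0 so the upstream DHCP server can answer. It assumes the setup described in the post (bridge br0 over eth0 on the WAN side and eth1 on the LAN side, dhcpd running on the bridge host) and that the ebtables `ip` match and the iptables `physdev` and `mac` matches are available. Note that a frame the bridge delivers locally reaches iptables INPUT with `-i br0`, not `-i eth1`; the physical port is only visible through the physdev match, which is why the iptables variant below is written that way.

```shell
#!/bin/sh
# Added example (not from the original post). Rules that keep a local dhcpd
# from handling DHCP for one bridged client MAC.
# Assumptions: bridge br0 = eth0 (WAN) + eth1 (LAN); dhcpd runs on this host.

# Validate and normalise a MAC address (aa:bb:cc:dd:ee:ff, any case).
# Prints the lowercase form and returns 0, or returns 1 on malformed input.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$mac" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
            printf '%s\n' "$mac"; return 0 ;;
        *)
            return 1 ;;
    esac
}

# ebtables variant. $1 = client MAC, $2 = command to run (default: ebtables;
# pass "echo" for a dry run that only prints the rules).
dhcp_block_ebtables() {
    mac=$(normalize_mac "$1") || { echo "bad MAC: $1" >&2; return 1; }
    eb=${2:-ebtables}
    # Client -> server: DISCOVER/REQUEST are UDP 68 -> 67 with the client MAC
    # as Ethernet source. The bridge still floods the frame out of eth0, so
    # the upstream server answers; this drops only the copy handed to the
    # local stack, which is the copy the local dhcpd would otherwise receive.
    "$eb" -A INPUT -s "$mac" -p IPv4 --ip-proto udp --ip-dport 67 -j DROP
    # Server -> client: unicast OFFER/ACK (UDP 67 -> 68) addressed to that MAC.
    # A server replying to the broadcast MAC is not caught here, so the INPUT
    # rule above is the one that actually decides the outcome.
    "$eb" -A OUTPUT -d "$mac" -p IPv4 --ip-proto udp --ip-sport 67 -j DROP
}

# iptables variant for the same client -> server direction. The locally
# delivered copy of a bridged frame enters INPUT on br0; the ingress port
# (eth1) is only matchable with the physdev match, not with -i eth1.
dhcp_block_iptables() {
    mac=$(normalize_mac "$1") || { echo "bad MAC: $1" >&2; return 1; }
    ipt=${2:-iptables}
    "$ipt" -A INPUT -i br0 -m physdev --physdev-in eth1 \
        -m mac --mac-source "$mac" -p udp --dport 67 -j DROP
}

# Dry run when executed directly: show the rules for a constructed MAC.
if [ "${0##*/}" != "sh" ] && [ -n "$1" ]; then
    dhcp_block_ebtables "$1" echo
    dhcp_block_iptables "$1" echo
fi
```

Run it as root with the client MAC as the only argument to see the rules, then feed the same functions `ebtables`/`iptables` (the default second argument) to load them after the BROUTING rules from the post. `ebtables -L --Lc` shows per-rule counters, which is the quickest way to confirm the INPUT rule is the one being hit when the client broadcasts a DISCOVER.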

Thread overview (2 messages):
2009-06-27  7:57 fvancrae [this message]
2009-06-27  9:36 ` DHCP issue - iptables rules not hit when using ebtables - MAC based firewall bypass  Pascal Hambourg
