Linux Netfilter discussions
From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter@vger.kernel.org
Subject: Re: DHCP issue - iptables rules not hit when using ebtables - MAC based   firewall bypass
Date: Sat, 27 Jun 2009 11:36:52 +0200	[thread overview]
Message-ID: <4A45E834.5080604@plouf.fr.eu.org> (raw)
In-Reply-To: <4A45D0EE.50400@telenet.be>

Hello,

fvancrae@telenet.be wrote:
> 
> I am using ebtables on my firewall to have one consumer device (client) 
> bypass the firewall entirely and act as if it is directly connected to 
> the internet.
> 
> For this I create a bridge (non-transparent) and specify a MAC-based 
> rule in the BROUTING chain
> -s MAC -i eth1 -j ACCEPT
> -d MAC -i eth0 -j ACCEPT
> BROUTING POLICY DROP

This seems incomplete to me. How do you deal with broadcast frames 
received on eth0, such as ARP requests for your device's IP address?

> eth0 is my router's WLAN interface
> eth1 is my router's LAN interface
> 
> Then I wanted to block the DHCP request for that MAC on my firewall (which 
> is the DHCPD),
> but it seems that no iptables or ebtables rule can be used to block this 
> packet (or even an outgoing packet of my DHCPD).
> 
> My client always gets an IP inside my LAN.

Does the DHCP server listen on eth0 or on the bridge interface? Some DHCP 
software (either client or server side) is bound directly to the 
network interface and thus bypasses iptables and ebtables. So I guess you 
might either blacklist the device's MAC address in the DHCP server 
configuration, if possible, or have it listen on the bridge interface 
(and add ebtables rules to avoid DHCP traffic leaking through eth0).
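The rule set below is an added example, not the configuration posted in this thread. It puts the BROUTING rules from the original post together with the two gaps raised in the reply: bridging the upstream broadcasts (ARP requests) that carry ff:ff:ff:ff:ff:ff rather than the device's MAC, and keeping the device's DHCP exchange away from a dhcpd that listens on the bridge interface. Assumed names: bridge br0 over eth0 (upstream/WLAN) and eth1 (LAN), client MAC 00:11:22:33:44:55, and a DHCP server bound to br0; these are illustrative, not from the thread. In the broute table ACCEPT means "bridge" (bypass the IP stack and iptables) and DROP means "route", so policy DROP sends everything not matched through the normal firewall. The script prints the ebtables commands by default and only applies them with the `apply` argument.

```shell
#!/bin/sh
# Added example (not from the original thread): ebtables rule set for a
# MAC-based firewall bypass over a bridge.
# Assumptions: bridge br0 over eth0 (upstream/WLAN) and eth1 (LAN),
# client MAC 00:11:22:33:44:55, DHCP server listening on br0.
set -eu

# gen_rules MAC WAN LAN -> prints the ebtables commands, one per line.
gen_rules() {
    mac=$1; wan=$2; lan=$3
    # broute table: ACCEPT = bridge (skip the IP stack), DROP = route (iptables).
    echo "ebtables -t broute -A BROUTING -s $mac -i $lan -j ACCEPT"
    echo "ebtables -t broute -A BROUTING -d $mac -i $wan -j ACCEPT"
    # Broadcasts arriving on the upstream side have dst ff:ff:ff:ff:ff:ff,
    # never the client MAC, so without this rule an ARP request for the
    # client's address would be routed and never reach eth1.
    echo "ebtables -t broute -A BROUTING -i $wan -p ARP --arp-opcode Request -d Broadcast -j ACCEPT"
    echo "ebtables -t broute -P BROUTING DROP"
    # filter table (only bridged frames get here): the client's DHCPDISCOVER
    # is a broadcast, so it is flooded to $wan (wanted) and also delivered to
    # br0 (unwanted). Drop it before the local dhcpd sees it.
    echo "ebtables -t filter -A INPUT -i $lan -s $mac -p IPv4 --ip-proto udp --ip-dport 67 -j DROP"
    # dhcpd replies to LAN clients are broadcast as well: keep them off $wan.
    echo "ebtables -t filter -A OUTPUT -o $wan -p IPv4 --ip-proto udp --ip-sport 67 -j DROP"
}

# count_rules MAC WAN LAN -> number of commands gen_rules produces.
count_rules() {
    gen_rules "$@" | wc -l | tr -d ' '
}

# apply_rules MAC WAN LAN -> flush both tables and load the rules (needs root).
apply_rules() {
    ebtables -t broute -F
    ebtables -t filter -F
    gen_rules "$@" | sh -e
}

case "${1:-}" in
    apply) shift; apply_rules "$@" ;;
    "")    gen_rules 00:11:22:33:44:55 eth0 eth1 ;;
    *)     gen_rules "$@" ;;
esac
```

None of this helps when the DHCP server is bound to eth1 itself: a packet socket on a bridge port receives the frame before the bridge code runs, so neither the broute nor the filter table is consulted, which is the behaviour described in the original post. The same point applies to any other broadcast the upstream sends towards the client (a DHCP reply with the broadcast flag set, for instance): only the ARP case is bridged here, and widening that rule is a trade-off against leaking upstream broadcasts into the LAN. If the server is ISC dhcpd (an assumption; the thread does not name it), the blacklist alternative from the reply is a host entry with `hardware ethernet` for that MAC and `ignore booting;`.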


Thread overview: 2+ messages
2009-06-27  7:57 DHCP issue - iptables rules not hit when using ebtables - MAC based firewall bypass fvancrae
2009-06-27  9:36 ` Pascal Hambourg [this message]
