On Saturday 10 January 2004 11:20 pm, Håkan Engblom wrote:
> Hi,
>
> I've run into a strange problem. I have a dhcp-server on a 2.4.22 kernel
> with a 1.2.8 iptables. The dhcp-server is configured only to offer
> IP-addresses to one single mac-address (it is a single host on a private
> network)
>
> However I'd like to block all other mac-addresses on this interface since I
> plan to have a W-LAN here as well. (to prevent attackers from using
> potential exploits in the dhcp-server)
>
> The mac-filter works fine for http, telnet, ssh and so on; I can see the
> drop-counter increasing and no traffic is let through (when I change the
> mac-address in the iptables-config to something else than what I have on my
> "dhcp-client-host"). BUT the dhcp-server keeps sending offers and acks
> even though the incoming discover/request is blocked by iptables.

DHCP operates at a rather "lower level" than normal TCP/IP services - as it
must do, if you think about the fact that the clients involved in the
communications do not have IP addresses until the protocol is complete.

Therefore you find that the DHCP server binds itself to the networking stack
rather lower down than netfilter / iptables (which is IP-based, after all,
and therefore doesn't see traffic which communicates purely between ethernet
addresses), and you cannot block (or log) DHCP activity using netfilter.

I can think of two choices for doing what you want:

1. Configure the DHCP server to respond only to selected MAC address/es.

2. Use ebtables to manage the ethernet layer in the way you are trying to
use iptables at present.

Regards,

Antony.

--
Perfection in design is achieved not when there is nothing left to add, but
rather when there is nothing left to take away.
 - Antoine de Saint-Exupery

Please reply to the list; please don't CC me.
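The two options Antony lists, written out as a script. This is an added example and not code from the original thread; the interface name wlan0, the client MAC 00:11:22:33:44:55 and the 192.168.1.0/24 addresses are placeholders to be replaced with your own. Option 1 is an ISC dhcpd.conf fragment using "deny unknown-clients" plus a single host entry; option 2 is a set of ebtables rules that accept the one known source MAC on the interface, log and drop DHCP requests (UDP port 67) from anyone else, and then drop every other frame from that interface. One caveat a practitioner should know: ebtables only sees frames on interfaces that are enslaved to a Linux bridge, so a stand-alone interface first has to be put into a bridge (a single-port bridge such as br0 containing wlan0 is enough). The script prints the configuration and rules by default and only installs the ebtables rules when run as root with the argument "apply".

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# All names and addresses below are assumed placeholders.

IFACE="${IFACE:-wlan0}"                          # assumed: interface dhcpd listens on
ALLOWED_MAC="${ALLOWED_MAC:-00:11:22:33:44:55}"  # assumed: the one legitimate client
CLIENT_IP="${CLIENT_IP:-192.168.1.10}"           # assumed: fixed address for that client

# Accept only a canonical colon-separated MAC. A typo in the allowlist would
# silently lock out the single legitimate client, so refuse anything else.
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Option 1: dhcpd.conf fragment. "deny unknown-clients" makes ISC dhcpd ignore
# any client that has no matching host entry, so only this MAC ever gets an
# OFFER or ACK, whatever reaches the server's socket.
# usage: dhcpd_conf MAC FIXED_IP
dhcpd_conf() {
    valid_mac "$1" || return 1
    cat <<EOF
subnet 192.168.1.0 netmask 255.255.255.0 {
    deny unknown-clients;
    host only-client {
        hardware ethernet $1;
        fixed-address $2;
    }
}
EOF
}

# Option 2: ebtables rules. These match on the Ethernet frame, before the IP
# stack, so a DISCOVER from any other source MAC is logged and dropped before
# dhcpd can see it. Note: the interface must be a bridge port for ebtables to
# see its frames (e.g. "brctl addbr br0 && brctl addif br0 wlan0").
# usage: ebtables_rules MAC IFACE
ebtables_rules() {
    valid_mac "$1" || return 1
    cat <<EOF
ebtables -A INPUT -i $2 -s $1 -j ACCEPT
ebtables -A INPUT -i $2 -p IPv4 --ip-proto udp --ip-dport 67 --log-prefix "dhcp-blocked: " -j DROP
ebtables -A INPUT -i $2 -j DROP
EOF
}

# Default: show both configurations. "apply" installs the ebtables rules
# (requires root and the ebtables kernel support).
case "${1:-show}" in
    apply)
        ebtables_rules "$ALLOWED_MAC" "$IFACE" | sh -e
        ;;
    *)
        echo "# dhcpd.conf fragment:"
        dhcpd_conf "$ALLOWED_MAC" "$CLIENT_IP"
        echo "# ebtables rules:"
        ebtables_rules "$ALLOWED_MAC" "$IFACE"
        ;;
esac
```

After applying, "ebtables -L INPUT --Lc" shows per-rule packet counters, which gives the same visibility Håkan was getting from the iptables drop counter. The two options are complementary: the dhcpd.conf allowlist stops the server answering, the ebtables rule stops the frames reaching it at all.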