Ebtables to stop DHCP and ARP
Here is my setup:

Private IP Address Network <==> Linux Ethernet Bridge <==> Public IP Address Network

The bridge is there so that we can set static public IP Addresses
behind the Private IP Gateway (I have no control over this device).

This setup works great in one of our other locations, but here we have
a problem. The Gateway for the Public IP Address Network thinks that
it has ALL PRIVATE IP ADDRESSES. So when a new device turns on in the
Private network and does a DHCP Discover, Offer, Request, and ACK, it
then does a Gratuitous ARP Broadcast asking who has the address it has
received, and then the Public IP Gateway responds with ARP saying that the
IP address is at its MAC address. So I figure the best way to stop
this is to use ebtables to block the DHCP and ARP from the private
addresses. Here are the commands that I am using, but they aren't working:

ebtables -P FORWARD DROP
ebtables -P INPUT DROP
ebtables -P OUTPUT DROP
ebtables -A FORWARD -p IPv4 -j ACCEPT
ebtables -A FORWARD -p ARP -j ACCEPT
ebtables -A INPUT -p IPv4 -j ACCEPT
ebtables -A INPUT -p ARP -j ACCEPT
ebtables -A OUTPUT -p IPv4 -j ACCEPT
ebtables -A OUTPUT -p ARP -j ACCEPT
ebtables -A INPUT -i $PRIVATE_NET -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport 67:68 -j DROP
ebtables -A INPUT -i $PUBLIC_NET -p arp --arp-ip-src 192.168.0.0/16 -j DROP

Any suggestions on how to block this properly in ebtables or
suggestions of any settings I may be missing?
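The script below is an added example, not the original poster's rule set. It applies the two ebtables facts that matter for this setup: frames crossing a Linux bridge traverse the FORWARD chain (INPUT and OUTPUT only see frames addressed to or sent by the bridge host itself), and ebtables stops at the first matching rule, so the DROP rules have to be appended before the blanket ACCEPT rules rather than after them. The bridge port names, the private range 192.168.0.0/16 and the EBTABLES variable (set it to `echo` to print the rules instead of loading them) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the original poster's rules): ebtables FORWARD-chain
# filter that keeps DHCP and private-range ARP from crossing a Linux bridge.
# Assumptions: the two bridge ports are passed as arguments (private side
# first, public side second), the private range defaults to 192.168.0.0/16,
# and the ebtables binary is reached through $EBTABLES so the rules can be
# printed for inspection with EBTABLES=echo instead of being loaded.

EBTABLES=${EBTABLES:-ebtables}

apply_bridge_filter() {
    private_if=$1
    public_if=$2
    private_net=${3:-192.168.0.0/16}

    # Start from an empty FORWARD chain so the order below is what gets loaded.
    $EBTABLES -F FORWARD

    # Bridged frames go through FORWARD, and the first matching rule wins,
    # so every DROP is appended before the broad ACCEPT rules.

    # DHCP client -> server (UDP 68 -> 67) coming in on the private port.
    $EBTABLES -A FORWARD -i "$private_if" -p IPv4 --ip-protocol udp \
        --ip-source-port 68 --ip-destination-port 67 -j DROP
    # DHCP server -> client (UDP 67 -> 68) coming in on the public port.
    $EBTABLES -A FORWARD -i "$public_if" -p IPv4 --ip-protocol udp \
        --ip-source-port 67 --ip-destination-port 68 -j DROP

    # ARP about private addresses must not leave the private side; this
    # catches the gratuitous ARP (sender IP = target IP = new private address).
    $EBTABLES -A FORWARD -i "$private_if" -p ARP --arp-ip-src "$private_net" -j DROP
    # ARP from the public side claiming or asking about private addresses
    # (the gateway's reply has the private address as its sender IP).
    $EBTABLES -A FORWARD -i "$public_if" -p ARP --arp-ip-src "$private_net" -j DROP
    $EBTABLES -A FORWARD -i "$public_if" -p ARP --arp-ip-dst "$private_net" -j DROP

    # Only now the broad accepts, then default-deny for anything else.
    $EBTABLES -A FORWARD -p IPv4 -j ACCEPT
    $EBTABLES -A FORWARD -p ARP -j ACCEPT
    $EBTABLES -P FORWARD DROP
}

# Usage: sh bridge-filter.sh <private-port> <public-port> [private-net]
# Dry run:  EBTABLES=echo sh bridge-filter.sh eth0 eth1
if [ $# -ge 2 ]; then
    apply_bridge_filter "$@"
fi
```

Run it with `EBTABLES=echo` first and read the printed rule order; then check the loaded chain with `ebtables -L FORWARD --Lc` and confirm the DROP counters climb when a device on the private side renews its lease. The INPUT and OUTPUT policies from the original script are left alone here because they do not affect bridged traffic.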
