Re: Ebtables to stop DHCP and ARP

support@xxxxxxxxxxxxxxx wrote:
Here is my setup:

Private IP Address Network <==> Linux Ethernet Bridge <==> Public IP
Address Network

The bridge is there so that we can set static public IP Addresses
behind the Private IP Gateway (I have no control over this device).

This setup works great in one of our other locations, but here we have
a problem. The Gateway for the Public IP Address Network thinks that
it has ALL PRIVATE IP ADDRESSES. So when a new device turns on in the
Private network and does a DHCP Discover, Offer, Request, and ACK, it
then does a Gratuitous ARP Broadcast asking who has the address it's
received, then the Public IP Gateway responds with ARP saying that the
IP address is at its MAC address. So I figure, the best way to stop
this is to use ebtables to block the DHCP and ARP from the private
addresses. Here are the commands that I am using, but aren't working:

ebtables -P FORWARD DROP
ebtables -P INPUT DROP
ebtables -P OUTPUT DROP
ebtables -A FORWARD -p IPv4 -j ACCEPT
ebtables -A FORWARD -p ARP -j ACCEPT
ebtables -A INPUT -p IPv4 -j ACCEPT
ebtables -A INPUT -p ARP -j ACCEPT
ebtables -A OUTPUT -p IPv4 -j ACCEPT
ebtables -A OUTPUT -p ARP -j ACCEPT

I don't know much about ebtables, but guessing from what I do know about
iptables, at this point you have ACCEPTed all IPv4 and all ARP whatever,
so that the two rules below never come into play.

ebtables -A INPUT -i $PRIVATE_NET -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff \
  -p IPv4 --ip-prot udp --ip-dport 67:68 -j DROP
ebtables -A INPUT -i $PUBLIC_NET -p arp --arp-ip-src 192.168.0.0/16 -j DROP

Perhaps eliminating

ebtables -A INPUT -p IPv4 -j ACCEPT
ebtables -A INPUT -p ARP -j ACCEPT

and replacing the last two DROP rules with

ebtables -A INPUT -i $PRIVATE_NET -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff \
  -p IPv4 --ip-prot udp --ip-dport ! 67:68 -j ACCEPT
ebtables -A INPUT -i $PUBLIC_NET -p arp --arp-ip-src ! 192.168.0.0/16 \
  -j ACCEPT

would do it.

Any suggestions on how to block this properly in ebtables or
suggestions of any settings I may be missing?

Sorry, but any further suggestion from me would be a *real* WAG. :)

Regards-
--
Clifford Kite
/* In my book, the first poster to resort to personal abuse in a Usenet
debate loses by default. - Rod Smith */
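As an added illustration of the first-match point made in the reply above (this is not code from the thread), here is a small Python model of an ebtables-style chain. It supports only the matchers the thread uses, the interface names "priv"/"pub" and the sample frames are constructed, and it runs the poster's INPUT chain and the suggested one against a DHCP Discover from the private side and an ARP from the public side carrying a private source IP.

```python
"""Toy first-match evaluator for an ebtables-style chain (constructed example).

Only the matchers used in the thread are modelled: -i, -p, -d broadcast,
--ip-prot, --ip-dport (with "!" negation) and --arp-ip-src. Real ebtables
has many more, and real bridged traffic mostly traverses FORWARD, not INPUT.
"""
from ipaddress import ip_address, ip_network

BCAST = "ff:ff:ff:ff:ff:ff"


def frame_matches(rule, frame):
    """True when every predicate in `rule` holds for `frame`; ("!", x) negates x."""
    for key, want in rule.items():
        if key == "target":
            continue
        negate = isinstance(want, tuple) and want[0] == "!"
        if negate:
            want = want[1]
        have = frame.get(key)
        if key == "dport":                      # inclusive port range, like 67:68
            hit = have is not None and want[0] <= have <= want[1]
        elif key == "arp_ip_src":               # CIDR match on the ARP sender IP
            hit = have is not None and ip_address(have) in ip_network(want)
        else:
            hit = have == want
        if hit == negate:                       # predicate failed (or was negated and hit)
            return False
    return True


def evaluate(chain, policy, frame):
    """The first matching rule's target wins; otherwise the chain policy applies."""
    for rule in chain:
        if frame_matches(rule, frame):
            return rule["target"]
    return policy


# The original poster's INPUT chain: the blanket ACCEPTs shadow the later DROPs.
ORIGINAL = [
    {"proto": "IPv4", "target": "ACCEPT"},
    {"proto": "ARP", "target": "ACCEPT"},
    {"iface": "priv", "dst": BCAST, "proto": "IPv4", "ip_prot": "udp", "dport": (67, 68), "target": "DROP"},
    {"iface": "pub", "proto": "ARP", "arp_ip_src": "192.168.0.0/16", "target": "DROP"},
]
# The reply's suggestion: no blanket ACCEPTs, negated matches ACCEPT, policy DROP catches the rest.
SUGGESTED = [
    {"iface": "priv", "dst": BCAST, "proto": "IPv4", "ip_prot": "udp", "dport": ("!", (67, 68)), "target": "ACCEPT"},
    {"iface": "pub", "proto": "ARP", "arp_ip_src": ("!", "192.168.0.0/16"), "target": "ACCEPT"},
]
# Constructed sample frames.
DHCP_DISCOVER = {"iface": "priv", "dst": BCAST, "proto": "IPv4", "ip_prot": "udp", "dport": 67}
PRIVATE_ARP = {"iface": "pub", "proto": "ARP", "arp_ip_src": "192.168.1.10"}
PUBLIC_ARP = {"iface": "pub", "proto": "ARP", "arp_ip_src": "203.0.113.1"}

if __name__ == "__main__":
    for name, frame in [("dhcp", DHCP_DISCOVER), ("priv-arp", PRIVATE_ARP), ("pub-arp", PUBLIC_ARP)]:
        print(name, "original:", evaluate(ORIGINAL, "DROP", frame),
              "suggested:", evaluate(SUGGESTED, "DROP", frame))
```

Under the original ordering both unwanted frames are ACCEPTed by the first two rules and the DROP rules are never consulted; under the suggested ordering they fall through to the DROP policy while the public-side ARP still passes.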
