Re: Ebtables to stop DHCP and ARP



I ended up moving the packets that I want blocked to the FORWARD chain
so I didn't have to worry about what interface they were coming in on
(just in case the Ethernet cables are in the wrong plug). And I moved
the rules to block the packets above the rules to allow; I forgot that
order matters with ebtables/iptables. I keep looking at it and
thinking something's wrong, but it works and fixes all the problems
I've been having! Thanks for your help.

# Clear ebtables (the filter table is the default)
ebtables -F
ebtables -X

# Default-deny every chain, then allow only IPv4 and ARP on INPUT and
# OUTPUT; anything else is logged and dropped. The explicit -j DROP on
# the log rules gives the same result as falling through to the policy.
ebtables -P FORWARD DROP
ebtables -P INPUT DROP
ebtables -P OUTPUT DROP
ebtables -A INPUT -p IPv4 -j ACCEPT
ebtables -A INPUT -p ARP -j ACCEPT
ebtables -A INPUT --log-level info --log-ip --log-prefix EBFW -j DROP
ebtables -A OUTPUT -p IPv4 -j ACCEPT
ebtables -A OUTPUT -p ARP -j ACCEPT
ebtables -A OUTPUT --log-level info --log-ip --log-arp --log-prefix EBFW -j DROP

# Drop private-IP ARP traffic and any private responses from the
# public Internet. These DROP rules must sit above the ACCEPT rules
# below, because ebtables stops at the first matching rule.
# Note that -d broadcast only matches broadcast DHCP frames; a DHCP
# reply unicast to the client's MAC address is not matched by this rule.
ebtables -A FORWARD -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
ebtables -A FORWARD -p ARP --arp-ip-src 192.168.0.0/16 -j DROP
ebtables -A FORWARD -p ARP --arp-ip-dst 192.168.0.0/16 -j DROP

# Let the rest of the packets through
ebtables -A FORWARD -p IPv4 -j ACCEPT
ebtables -A FORWARD -p ARP -j ACCEPT
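The following is an added example, not part of the original post: a small Python model of the FORWARD chain above, evaluated first-match over constructed Ethernet frames. It decodes only the fields the rules look at (destination MAC, EtherType, ARP sender/target IP, IP protocol, UDP destination port), applies the rules in the poster's order, and also runs the chain with the ACCEPT rules first to show why the order matters. The MAC addresses, IP addresses and frame contents are made up for the demonstration; the point it adds beyond the rule listing is that a DHCP reply unicast to the client's MAC is not matched by the broadcast-only rule and is therefore accepted.

```python
import ipaddress
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
ETH_IPV4 = 0x0800
ETH_ARP = 0x0806
PRIVATE = ipaddress.ip_network("192.168.0.0/16")  # the range used in the rules


def parse_frame(frame: bytes) -> dict:
    """Decode just the fields the ebtables rules above match on."""
    dst, src, etype = struct.unpack_from("!6s6sH", frame, 0)
    info = {"dst": dst, "src": src, "etype": etype}
    if etype == ETH_ARP:
        # ARP: htype(2) ptype(2) hlen(1) plen(1) op(2) sha spa tha tpa
        hlen, plen, op = struct.unpack_from("!BBH", frame, 14 + 4)
        off = 14 + 8 + hlen                      # skip sender MAC
        spa = frame[off:off + plen]
        tpa = frame[off + plen + hlen:off + plen + hlen + plen]
        info.update(arp_op=op, arp_src_ip=ipaddress.ip_address(spa),
                    arp_dst_ip=ipaddress.ip_address(tpa))
    elif etype == ETH_IPV4:
        ihl = (frame[14] & 0x0F) * 4
        info["ip_proto"] = frame[14 + 9]
        if info["ip_proto"] == 17:               # UDP
            _sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
            info["udp_dport"] = dport
    return info


# One predicate per ebtables rule, in the order they were appended.
def r_dhcp_broadcast(f):
    return (f["dst"] == BROADCAST and f["etype"] == ETH_IPV4
            and f.get("ip_proto") == 17 and f.get("udp_dport") in (67, 68))

def r_arp_private_src(f):
    return f["etype"] == ETH_ARP and f["arp_src_ip"] in PRIVATE

def r_arp_private_dst(f):
    return f["etype"] == ETH_ARP and f["arp_dst_ip"] in PRIVATE

def r_ipv4(f):
    return f["etype"] == ETH_IPV4

def r_arp(f):
    return f["etype"] == ETH_ARP

FORWARD_CHAIN = [(r_dhcp_broadcast, "DROP"), (r_arp_private_src, "DROP"),
                 (r_arp_private_dst, "DROP"), (r_ipv4, "ACCEPT"), (r_arp, "ACCEPT")]
WRONG_ORDER = FORWARD_CHAIN[3:] + FORWARD_CHAIN[:3]   # the mistake the post mentions
FORWARD_POLICY = "DROP"


def verdict(frame: bytes, chain=FORWARD_CHAIN, policy=FORWARD_POLICY) -> str:
    """First matching rule wins; no match falls through to the chain policy."""
    f = parse_frame(frame)
    for match, target in chain:
        if match(f):
            return target
    return policy


# Frame builders for constructed sample traffic (checksums left zero).
def eth(dst, src, etype, payload):
    return dst + src + struct.pack("!H", etype) + payload

def arp_frame(dst_mac, src_mac, op, sha, spa, tha, tpa):
    body = (struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, op) + sha
            + ipaddress.ip_address(spa).packed + tha + ipaddress.ip_address(tpa).packed)
    return eth(dst_mac, src_mac, ETH_ARP, body)

def udp_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport):
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return eth(dst_mac, src_mac, ETH_IPV4, ip + udp)

CLIENT = bytes.fromhex("020000000001")   # made-up locally administered MACs
ROGUE = bytes.fromhex("020000000002")
NULL_MAC = bytes(6)

SAMPLES = {
    "dhcp_discover_broadcast": udp_frame(BROADCAST, CLIENT, "0.0.0.0", "255.255.255.255", 68, 67),
    "dhcp_offer_broadcast": udp_frame(BROADCAST, ROGUE, "192.168.1.1", "255.255.255.255", 67, 68),
    "dhcp_offer_unicast": udp_frame(CLIENT, ROGUE, "192.168.1.1", "192.168.1.50", 67, 68),
    "arp_request_private": arp_frame(BROADCAST, CLIENT, 1, CLIENT, "192.168.1.50", NULL_MAC, "192.168.1.1"),
    "arp_request_public": arp_frame(BROADCAST, CLIENT, 1, CLIENT, "203.0.113.5", NULL_MAC, "203.0.113.1"),
    "dns_query": udp_frame(ROGUE, CLIENT, "203.0.113.5", "203.0.113.53", 40000, 53),
    "ipv6_frame": eth(BROADCAST, CLIENT, 0x86DD, b"\x60" + bytes(39)),
}


def evaluate_all(chain=FORWARD_CHAIN) -> dict:
    return {name: verdict(frame, chain) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:26s} {result}")
    print("dhcp_discover with ACCEPT rules first:",
          verdict(SAMPLES["dhcp_discover_broadcast"], WRONG_ORDER))
```

Running it shows the broadcast DHCP frames and the private-range ARP dropped, the public ARP and ordinary IPv4 accepted, the IPv6 frame dropped by the chain policy, and the unicast DHCP offer accepted because nothing in the chain matches it. With the ACCEPT rules moved first, the DHCP discover is accepted, which is exactly the ordering mistake the post describes.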
