Limit DHCP requests with iptables - problem: Router

Ingen Schenau, Jeroen van (ICTS) j.vaningenschenau at utwente.nl
Tue Feb 8 15:04:36 UTC 2011


Hi,

> The second one is filter by the fields of the request. You may use the
> "u32" iptables module to do it, as suggested by Alan Bligh in the very
> first response to your thread. This may also be combined with the
> "limit" and/or the "recent" iptables modules, giving you a way to
> control how long a specific client has to wait before it can re-send
> the dhcp request. 
> 
> iptables -A INPUT -p udp --dport 67 -m u32 \
>   --u32 "0>>22&0x3C@36=0xaabbccdd && 0>>22&0x3C@40>>16=0xeeff" -j BLOCK_DHCP_CLIENT
> 
> iptables -A BLOCK_DHCP_CLIENT -m recent --update --seconds 60 -j DROP
> iptables -A BLOCK_DHCP_CLIENT -m recent --set -j ACCEPT
> 
> This will match the CHADDR field having the MAC "aa-bb-cc-dd-ee" (and
> not the source mac address of the frame) and divert processing to a
> new chain (you need to create it with "iptables -N" first). In this
> chain, we'll accept the first request, and drop any subsequent
> requests within 60 seconds from the last one.
> 
> As "normal" clients will not trigger this new chain, they'll not get
> blocked.

Just checking: if a client does a DHCPDISCOVER, it's generally responded
to immediately. Suppose the server sends an OFFER; wouldn't the
following DHCPREQUEST from the client be dropped by the rules above?

To be on the safe side, I'd personally prefer to limit any DHCP client
to about 10 pps; in our network setup, both DHCP servers receive each
discover twice because we have two access routers on each segment with
both DHCP servers configured as helpers. So in a normal DHCP
transaction, our servers each receive 4 packets from a client within one
second.


Regards,

Jeroen van Ingen
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
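An added example, not part of this thread and not code by any of the posters: a Python script that builds the u32 expression for a given chaddr, emits a per-client chain that accepts up to 10 packets per second (so a normal DISCOVER/REQUEST exchange, even seen twice through two helpers, still gets through) instead of dropping everything for 60 seconds, and evaluates the u32 expression against a constructed DHCPDISCOVER before the rule is ever loaded. Assumptions: the chain name DHCP_LIMIT_<tag>, the 10/second rate and burst of 20, and the constructed packet are all mine; the evaluator implements only the part of the u32 grammar used here (32-bit loads, `&`, `>>`, `<<`, `@`, `=` with value lists and lo:hi ranges, tests joined by `&&`).

```python
import re
import struct

# Tokens of a u32 "location": a number followed by any of &n, >>n, <<n, @n.
_LOC = re.compile(r'>>|<<|0[xX][0-9a-fA-F]+|\d+|[&@]')


class _OutOfPacket(Exception):
    """A load beyond the packet end: the kernel u32 match simply fails."""


def _load32(pkt, off):
    # xt_u32 loads 4 bytes big-endian at an offset counted from the first byte of the IP header.
    if off < 0 or off + 4 > len(pkt):
        raise _OutOfPacket()
    return struct.unpack_from('!I', pkt, off)[0]


def u32_match(expr, pkt):
    """Evaluate a u32 expression against a raw IPv4 packet; True when every '&&'-joined test holds."""
    try:
        for test in expr.replace(' ', '').split('&&'):
            loc, _, values = test.partition('=')
            toks = _LOC.findall(loc)
            if ''.join(toks) != loc or len(toks) % 2 == 0 or not values:
                raise ValueError('unsupported u32 syntax: %r' % expr)
            base, val = 0, _load32(pkt, int(toks[0], 0))
            for op, n in zip(toks[1::2], toks[2::2]):
                n = int(n, 0)
                if op == '&':
                    val &= n
                elif op == '>>':
                    val >>= n
                elif op == '<<':
                    val = (val << n) & 0xFFFFFFFF
                else:  # '@': the value just computed becomes the base of the next load
                    base += val
                    val = _load32(pkt, base + n)
            ok = False
            for v in values.split(','):       # value list, each item a number or lo:hi range
                lo, _, hi = v.partition(':')
                ok = ok or int(lo, 0) <= val <= int(hi or lo, 0)
            if not ok:
                return False
        return True
    except _OutOfPacket:
        return False


def u32_chaddr_expr(mac, ihl_aware=True):
    """u32 tests for the first six bytes of the BOOTP chaddr field. chaddr starts at byte 28 of
    the BOOTP message, i.e. 8 + 28 = 36 bytes past the IP header. '0>>22&0x3C' reads the IP header
    length, so that form also holds with IP options; the fixed form assumes a 20-byte header."""
    raw = bytes.fromhex(mac.replace(':', '').replace('-', ''))
    if len(raw) != 6:
        raise ValueError('expected a 6-byte MAC, got %r' % mac)
    hi, lo = int.from_bytes(raw[:4], 'big'), int.from_bytes(raw[4:], 'big')
    if ihl_aware:
        return '0>>22&0x3C@36=0x%08x && 0>>22&0x3C@40>>16=0x%04x' % (hi, lo)
    return '56=0x%08x && 60>>16=0x%04x' % (hi, lo)


def iptables_rules(mac, tag, pps=10, burst=20):
    """Rule strings (not executed) for a per-client chain named DHCP_LIMIT_<tag> (my naming).
    -m limit is a token bucket: bursts up to `burst`, then `pps` per second, the rest dropped."""
    chain = 'DHCP_LIMIT_%s' % tag
    return [
        'iptables -N %s' % chain,
        'iptables -A INPUT -p udp --dport 67 -m u32 --u32 "%s" -j %s' % (u32_chaddr_expr(mac), chain),
        'iptables -A %s -m limit --limit %d/second --limit-burst %d -j ACCEPT' % (chain, pps, burst),
        'iptables -A %s -j DROP' % chain,
    ]


def build_dhcp_packet(mac, ihl=5):
    """Constructed IPv4/UDP/BOOTP DHCPDISCOVER (0.0.0.0 -> 255.255.255.255) with mac in chaddr;
    ihl > 5 pads the IP header with NOP options. Checksums stay zero; nothing here inspects them."""
    chaddr = bytes.fromhex(mac.replace(':', '').replace('-', '')).ljust(16, b'\x00')
    bootp = struct.pack('!BBBBIHH4s4s4s4s16s', 1, 1, 6, 0, 0x3903f326, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), bytes(4), chaddr)
    bootp += bytes(64 + 128) + b'\x63\x82\x53\x63\x35\x01\x01\xff'  # sname, file, cookie, DISCOVER, end
    udp = struct.pack('!HHHH', 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack('!BBHHHBBH4s4s', (4 << 4) | ihl, 0, ihl * 4 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b'\xff' * 4) + b'\x01' * (ihl * 4 - 20)
    return ip + udp


if __name__ == '__main__':
    pkt = build_dhcp_packet('aa:bb:cc:dd:ee:ff')
    for rule in iptables_rules('aa:bb:cc:dd:ee:ff', 'aabbccddeeff'):
        print(rule)
    print('matches constructed DISCOVER:', u32_match(u32_chaddr_expr('aa:bb:cc:dd:ee:ff'), pkt))
```

Two things the evaluator makes visible before the rule touches a production server: u32 offsets count from the start of the IP header and compare whole 32-bit words, so a byte-style test such as `28=0xaa` never matches a real DISCOVER, and a fixed offset of 56 stops matching as soon as the IP header carries options, which is why the generated expression derives the offset from IHL. Keying on chaddr also matters in a setup like the one described above, where the servers see client packets via helper addresses: a source-IP keyed limiter would throttle the relay router rather than the misbehaving client.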