Limit DHCP requests with iptables - problem: Router

José Queiroz zekkerj at gmail.com
Tue Feb 8 19:28:44 UTC 2011


2011/2/8 Ingen Schenau, Jeroen van (ICTS) <j.vaningenschenau at utwente.nl>

> Hi,
>
> > The second one is filter by the fields of the request. You may use the
> > "u32" iptables module to do it, as suggested by Alan Bligh in the very
> > first response to your thread. This may also be combined with the
> > "limit" and/or the "recent" iptables modules, giving you a way to
> > control how long a specific client has to wait before it can re-send
> > the dhcp request.
> >
> > # u32 offsets count from the IP header; "0>>22&0x3C@" rebases to its end (IHL*4),
> > # then UDP header (8) + BOOTP chaddr offset (28) = @36 for the first four MAC
> > # bytes and @40 (upper 16 bits) for the last two.
> > iptables -A INPUT -p udp --dport 67 -m u32 \
> >   --u32 "0>>22&0x3C@36=0xaabbccdd && 0>>22&0x3C@40>>16=0xeeff" \
> >   -j BLOCK_DHCP_CLIENT
> >
> > iptables -A BLOCK_DHCP_CLIENT -m recent --update --seconds 60 -j DROP
> > iptables -A BLOCK_DHCP_CLIENT -m recent --set -j ACCEPT
> >
> > This will match the CHADDR field having the MAC "aa-bb-cc-dd-ee" (and
> > not the source mac address of the frame) and divert processing to a
> > new chain (you need to create it with "iptables -N" first). In this
> > chain, we'll accept the first request, and drop any subsequent
> > requests within 60 seconds from the last one.
> >
> > As "normal" clients will not trigger this new chain, they'll not get
> > blocked.
>
> Just checking: if a client does a DHCPDISCOVER, it's generally responded
> to immediately. Suppose the server sends an OFFER; wouldn't the
> following DHCPREQUEST from the client be dropped by the rules above?
>
>
Only if the DISCOVER/REQUEST/INFO is coming from the offending mac-address,
as marked by the CHADDR field.
Well-behaved clients shall not be affected.



> To be on the safe side, I'd personally prefer to limit any DHCP client
> to about 10 pps; in our network setup, both DHCP servers receive each
> discover twice because we have two access routers on each segment with
> both DHCP servers configured as helpers. So in a normal DHCP
> transaction, our servers each receive 4 packets from a client within one
> second.
>
>


>
> Regards,
>
> Jeroen van Ingen
> ICT Service Centre
> University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
>
>
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
>
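The offset arithmetic behind the u32 rule discussed in this thread, as an added example that is not part of the original mail: a helper builds the chaddr expression for a given MAC, a minimal evaluator applies the kernel's u32 semantics (4-byte big-endian read, shift, compare) to a constructed IPv4/UDP/BOOTP packet, and a second check shows why a fixed offset breaks as soon as the IP header carries options.

```python
import struct

def chaddr_u32(mac):
    """iptables u32 expression matching the BOOTP/DHCP chaddr field (6-byte MAC)."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 6-byte MAC")
    # u32 offsets count from the IPv4 header. "0>>22&0x3C@" rebases to the end of
    # the IP header (IHL*4) so IP options cannot shift the match. UDP header = 8,
    # chaddr starts at BOOTP offset 28 -> first 4 bytes at @36, last 2 at @40.
    hi = int.from_bytes(b[:4], "big")
    lo = int.from_bytes(b[4:], "big")
    return f"0>>22&0x3C@36=0x{hi:08x} && 0>>22&0x3C@40>>16=0x{lo:04x}"

def u32_match(expr, pkt):
    """Minimal evaluator for the shape above: AND of '[base@]off[>>n]=hexval' tests."""
    def word(off):  # 4-byte big-endian read, as the kernel u32 match does
        return int.from_bytes(pkt[off:off + 4], "big")
    for test in expr.split(" && "):
        base_part, _, rest = test.rpartition("@")
        base = (word(0) >> 22) & 0x3C if base_part == "0>>22&0x3C" else 0
        lhs, val = rest.split("=")
        off, _, shift = lhs.partition(">>")
        if (word(base + int(off)) >> int(shift or 0)) != int(val, 16):
            return False
    return True

def bootp_over_ipv4(chaddr, ip_options=b""):
    """Constructed client->server (68->67) IPv4/UDP/BOOTP packet, optional IP options."""
    mac = bytes.fromhex(chaddr.replace(":", "").replace("-", ""))
    # op/htype/hlen/hops, xid, then secs..giaddr (20 bytes), then chaddr (16 bytes)
    bootp = bytes([1, 1, 6, 0]) + b"\x12\x34\x56\x78" + b"\x00" * 20 + mac.ljust(16, b"\x00")
    bootp += b"\x00" * 192 + b"\x63\x82\x53\x63"  # sname + file, then magic cookie
    ihl = 5 + len(ip_options) // 4
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(udp), 0, 0,
                     64, 17, 0, b"\x00\x00\x00\x00", b"\xff\xff\xff\xff") + ip_options
    return ip + udp
```

The fixed-offset form "56=0xaabbccdd && 60>>16=0xeeff" matches only when the IP header is exactly 20 bytes, which is what the rebased expression avoids.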