Limit DHCP requests with iptables - problem: Router

Michal Suchanek hramrach at centrum.cz
Tue Feb 8 23:10:37 UTC 2011


On 8 February 2011 23:30, Alex Bligh <alex at alex.org.uk> wrote:
>
>
> --On 8 February 2011 08:17:51 +0000 Simon Hobson <dhcp1 at thehobsons.co.uk>
> wrote:
>
>> My understanding is that the recent module for iptables can do this. But
>> I'm not sure if it can track arbitrary parts of the packet,
>
> My understanding is it can (*), and there have been various examples
> (including yours) of how to do this. I'm not quite sure why people
> are claiming iptables is only capable of examining ip and "tcp/udp"
> headers, particularly when others have provided working examples.

iptables provides most options for IP headers. It can match on
arbitrary parts of the packet, but it can do more for IP headers: you
can construct rules that automatically single out the broken client
based on some IP headers, if the IP headers were significant.

This is not possible when you want to match arbitrary parts of the
packet; you have to process the packets in your own program.
Even the standard logging would not capture arbitrary parts of packets,
and you have to resort to nfqueue or ulog.

As the OP says that the MAC address of the offending client(s) is not
known in advance, you can insert an iptables rule that blocks them, but
only after you analyze the packets with an external program to determine
what to block.

Thanks

Michal
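The approach described in the message above (an external program inspects the DHCP payload, counts requests per client MAC, and only then inserts a blocking iptables rule) as an added example; this is not code from the thread or from the ISC DHCP project. It parses the BOOTP/DHCP header and option 53 itself, tracks a per-MAC sliding window, and returns the `iptables -m mac --mac-source ... -j DROP` argv to run once a client exceeds the threshold. The packets are constructed inline for the demonstration; in real use the payload bytes would come from an NFQUEUE or ulog consumer (for example the NetfilterQueue Python binding, assumed here and not included), and the threshold of 5 requests per 10 seconds is an arbitrary assumption.

```python
import struct
from collections import defaultdict, deque

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2132 magic cookie that follows the 236-byte BOOTP header
DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                  5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_dhcp(payload: bytes):
    """Return (client MAC as 'aa:bb:..', DHCP message type name) from a raw
    DHCP/BOOTP UDP payload, or None if it is not a client request."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    op, hlen = payload[0], payload[2]
    if op != 1 or hlen == 0 or hlen > 16:  # op 1 = BOOTREQUEST (client -> server)
        return None
    chaddr = payload[28:28 + hlen]           # client hardware address field
    mac = ":".join(f"{b:02x}" for b in chaddr)
    msg_type = None
    i = 240                                  # options start right after the cookie
    while i < len(payload):
        code = payload[i]
        if code == 0:                        # pad option, no length byte
            i += 1
            continue
        if code == 255 or i + 1 >= len(payload):  # end option or truncated packet
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:       # option 53: DHCP message type
            msg_type = DHCP_MSG_TYPES.get(value[0], f"UNKNOWN({value[0]})")
        i += 2 + length
    return mac, msg_type


class DhcpRateLimiter:
    """Sliding-window request counter keyed by client MAC."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max = max_requests
        self.window = window_seconds
        self.seen = defaultdict(deque)
        self.blocked = set()

    def observe(self, mac: str, now: float) -> bool:
        """Record one request; return True only the first time a client
        exceeds the limit, i.e. the moment a block rule should be installed."""
        if mac in self.blocked:
            return False
        q = self.seen[mac]
        q.append(now)
        while q and now - q[0] > self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) > self.max:
            self.blocked.add(mac)
            return True
        return False


def block_rule_argv(mac: str):
    """argv for the iptables rule that drops further DHCP traffic from this MAC.
    The mac match only works in PREROUTING, INPUT and FORWARD, which is fine here."""
    return ["iptables", "-I", "INPUT", "-p", "udp", "--dport", "67",
            "-m", "mac", "--mac-source", mac, "-j", "DROP"]


def build_dhcp_request(mac_bytes: bytes, msg_type: int, xid: int = 0x12345678) -> bytes:
    """Construct a minimal BOOTREQUEST carrying option 53 (test input, not a capture)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, len(mac_bytes), 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac_bytes.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + DHCP_MAGIC + bytes([53, 1, msg_type, 255])


def process(packets, max_requests=5, window_seconds=10.0):
    """Feed (timestamp, payload) pairs through the limiter; return the list of
    iptables argv lists that an NFQUEUE/ulog consumer would execute."""
    limiter = DhcpRateLimiter(max_requests, window_seconds)
    rules = []
    for ts, payload in packets:
        parsed = parse_dhcp(payload)
        if parsed is None:
            continue
        mac, msg_type = parsed
        if msg_type not in ("DISCOVER", "REQUEST"):  # only count client requests
            continue
        if limiter.observe(mac, ts):
            rules.append(block_rule_argv(mac))
    return rules


def demo():
    """Constructed traffic: one client re-DISCOVERing every 0.5 s, one well-behaved client."""
    broken, good = b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\xee"
    packets = [(0.5 * n, build_dhcp_request(broken, 1)) for n in range(20)]
    packets += [(1.0, build_dhcp_request(good, 1)), (2.0, build_dhcp_request(good, 3))]
    packets.append((3.0, b"\x00" * 300))  # not DHCP at all; must be ignored
    return process(sorted(packets, key=lambda p: p[0]))


if __name__ == "__main__":
    for argv in demo():
        print(" ".join(argv))
```

Once the rule is inserted the kernel drops the client's traffic without the userspace program seeing it again, which is why the limiter reports each MAC only once; a real deployment would also expire the block after a while so a client that was merely rebooting repeatedly is not cut off permanently.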



More information about the dhcp-users mailing list