Limit DHCP requests with iptables - problem: Router
hramrach at centrum.cz
Wed Feb 9 15:12:01 UTC 2011
2011/2/9 José Queiroz <zekkerj at gmail.com>:
> 2011/2/9 Peter Rathlev <peter at rathlev.dk>
>> On Wed, 2011-02-09 at 10:26 +0000, Alex Bligh wrote:
>> > OP already knows the offending MAC address(es) and did not say he
>> > needed to autodetect them.
>> He actually did several times, e.g.:
>> On Tue, 2011-02-08 at 08:32 +0100, Jürgen Dietl wrote:
>> > I have about 30 K Clients. In case of a client error where the Client
>> > start spamming the server with DHCP requests I dont know which Client
>> > it is. It can be any client in the network. So I dont know the client
>> > ´s MAC address.
>> The thread has since moved on to discussing different ways of detecting
>> the misbehaving clients. And iptables alone simply cannot do what you
> Yes, iptables can do it. It's just a matter of how to chain the tests.
I would be really interested in seeing the chain as my iptables(8)
suggests that this is not possible when the only way to discriminate
the clients is by peeking a piece of packet content with --u32 or
Specifically, the recent module which seems to be most (and really
only) suitable module for detecting misbehaving clients in iptables
can only work with selected few IP header fields.
I sure could use such feature to filter non-IP protocols or uncommon
IP header fields.
More information about the dhcp-users