Limit DHCP requests with iptables - problem: Router

Mr Dash Four mr.dash.four at googlemail.com
Sun Sep 9 04:12:30 UTC 2012


> We are seeing a lot of induced IO wait due to processing/logging of
> unwanted DHCP requests from **known** MAC addresses (broken printers,
> mis-behaving clients, etc.) and were very interested in this thread. 
> After some hopeful testing with iptables based on some clues in this
> thread, we have abandoned this approach after one of our admins
> discovered the following article confirming that ISC DHCP uses raw
> sockets which get processed before iptables, rendering iptables-based
> solutions useless for these type of problems:
> 
> https://deepthought.isc.org/article/AA-00378/0/Why-does-DHCP-use-raw-sockets.html
> 
> Our limited testing confirms this fact.  Other solutions in this space
> would seem to be external filtering in front of the DHCP servers
> (possible), fixing broken clients (valiant but impractical at scale), or
> enhancing dhcpd with the ability to allow for administrator-configured
> filtering. This last one seems the most attractive for several
> reasons.
Very helpful and it opened my eyes, thank you.

> Any other possible solution approaches?
After reading the above, I took a "non-standard" approach which did the trick, so I thought I'd share it - if you are using SELinux and are familiar with creating/implementing security policies, do what I did - create one such policy and prevent dhclient from ever attempting to get anywhere near accessing raw packets or raw socket connections. That way the beast is well and truly caged, forever! Tried and tested with great success.
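An added example (not from this thread or its author) of the check a defender wants once such a policy is in place: read AVC records from audit.log and report whether dhclient's attempts to open packet or raw IP sockets are actually being denied in enforcing mode, or only logged because the domain is permissive. It assumes the standard SELinux class names rawip_socket/packet_socket and the dhclient_t domain; the audit lines are constructed.

```python
import re
from collections import Counter
# Fields of a kernel AVC record as written to /var/log/audit/audit.log.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+'
    r'.*?comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+).*?tclass=(?P<tclass>\S+)'
    r'(?:.*?permissive=(?P<permissive>[01]))?'
)
# Object classes that let a process read/write raw packets or IP headers.
RAW_CLASSES = {"rawip_socket", "packet_socket"}
def parse_avc(line):
    """Return the AVC fields as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["domain"] = rec["scontext"].split(":")[2]   # user:role:type:level -> type
    rec["permissive"] = rec["permissive"] == "1"    # 1 = logged but not enforced
    return rec

def raw_socket_events(lines, comm="dhclient"):
    """AVC records in which `comm` touched a raw socket class."""
    return [rec for rec in map(parse_avc, lines)
            if rec and rec["comm"] == comm and rec["tclass"] in RAW_CLASSES]

def summarize(lines, comm="dhclient"):
    """Split raw-socket hits into enforced denials and ones the policy let through."""
    enforced, not_blocked = Counter(), Counter()
    for rec in raw_socket_events(lines, comm):
        key = (rec["domain"], rec["tclass"])
        if rec["result"] == "denied" and not rec["permissive"]:
            enforced[key] += 1
        else:
            not_blocked[key] += 1     # permissive domain or an explicit grant
    return enforced, not_blocked

# Constructed sample lines (not from the thread) in the kernel's AVC format.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1347163950.101:201): avc:  denied  { create } for  pid=2210 comm="dhclient" scontext=system_u:system_r:dhclient_t:s0 tcontext=system_u:system_r:dhclient_t:s0 tclass=packet_socket permissive=0',
    'type=AVC msg=audit(1347163950.102:202): avc:  denied  { create } for  pid=2210 comm="dhclient" scontext=system_u:system_r:dhclient_t:s0 tcontext=system_u:system_r:dhclient_t:s0 tclass=rawip_socket permissive=0',
    'type=AVC msg=audit(1347163950.103:203): avc:  denied  { create } for  pid=2211 comm="dhclient" scontext=system_u:system_r:dhclient_t:s0 tcontext=system_u:system_r:dhclient_t:s0 tclass=packet_socket permissive=1',
    'type=AVC msg=audit(1347163950.104:204): avc:  denied  { read } for  pid=900 comm="dhclient" name="resolv.conf" scontext=system_u:system_r:dhclient_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1347163950.101:201): arch=c000003e syscall=41 success=no exit=-13 comm="dhclient"',
]

if __name__ == "__main__":
    enforced, not_blocked = summarize(SAMPLE_AUDIT)
    print("enforced denials:", dict(enforced), "not blocked:", dict(not_blocked))
```

Any entry under "not blocked" means the domain is still permissive (or the policy still grants the class), so the caging the post describes is not yet in effect.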
