Limit DHCP requests with iptables - problem: Router

Mr Dash Four mr.dash.four at
Sun Sep 9 13:54:37 UTC 2012

> Do you mean client, or do you mean server ?
Both. I have tested this on both ends.

> If you do mean client, then your suggestion is of no help to the OP as 
> it involves modifying the client - and if you re-read his problem 
> these clients include embedded ones in (eg) printers and so on.
Hence my caveat - *if* SELinux is deployed and it is in "enforce" mode, 
otherwise the whole exercise becomes a bit pointless.

> If you mean server, then you need to explain just how this solution 
> helps - since it would appear to force conditions on the server 
> designed to prevent some of it's functions working. The people who 
> wrote the software didn't use raw sockets for fun - they used them 
> because it's required in order to send/receive certain packets 
> **required** for the DHCP protocol to work.
The solution is quite simple - it prevents the creation of raw socket 
connections by either the client or the server. I, as a network 
administrator, have a responsibility to secure the network I am 
responsible for, and since these dhcp negotiations are seemingly going 
beyond the control of netfilter, that issue is forced upon me, hence the 
steps I take to secure that network. If you know of a better way how to 
secure and control raw socket connections - either by using netfilter or 
by any other means - then I am all ears!

It does the trick, so whatever dhcp functionality was "restricted" in 
the process, it doesn't seem that important. Besides, there are other 
dhcp servers/clients out there which do not rely on/use raw socket 
connections and they function quite well.

More information about the dhcp-users mailing list