
I have two devices with embedded Linux. One of them (machine A) has two network interfaces: eth that is used to connect machines together and wlan interface to connect to router via WiFi. The second machine (B) has only one eth interface. My goal is to enable access to WiFi networks on machine B. I used some iptables rules to filter packets from machine A to machine B and it works. Now, I need to block dhcp traffic on the first machine so that it does not reach the second machine. I was looking for some iptables rules to do it but I found that it is impossible with iptables. Is there any other way to block that traffic?

Thank you in advance for any help.

Prajna Rai T
user6758
  • Wait, which do you want: Connect the interfaces, or prevent forwarding traffic from one to another? – anx Jun 20 '21 at 19:22
  • @anx I would like to block only dhcp traffic from machine A to machine B, or more precisely between wlan and eth interfaces on machine A. – user6758 Jun 20 '21 at 19:27
  • This smells like a [XY-problem](https://xyproblem.info/). When one of the steps you require is to block DHCP, you're probably taking a wrong turn somewhere. – vidarlo Jun 20 '21 at 19:58
  • To remove any ambiguity, can you tell if machine A is configured as an access point or is a simple wireless client? And add in the answer for each device the output of these commands (some will return some results from before but that's still needed)? `ip -br link; ip -br address; ip route` then also `ip -br link show type bridge` and finally `ip -br link show type bridge_slave`. – A.B Jun 20 '21 at 22:35
  • @A.B he writes that A connects to a router, which probably means that's the AP... – vidarlo Jun 20 '21 at 22:54
  • "When one of the steps you require is to block DHCP, you're probably taking a wrong turn somewhere." - not necessarily. Rogue DHCP servers are a known issue. Which is why i.e. hyper-v has a mechanism to block vm's from acting as DHCP (unless disabled in the config). IBM once had the issue that people just set up DHCP servers for testing and then parts of the network got those IPs there. Hence filtering makes a LOT of sense, unless you can nail down that no one attaches a rogue DHCP server somewhere. – TomTom Jun 22 '21 at 13:26
  • @TomTom I *completely* agree with your comment. I was thinking more specifically about the problem as presented here, with a point-to-point link between two devices... Blocking unknown hosts acting as DHCP is a prudent part of network configuration for a network with multiple devices. – vidarlo Jun 22 '21 at 14:00

1 Answer

[image: network diagram]

I believe this is more or less the setup you envision. A connects to WiFi, and gets an IP address. B is connected to A via ethernet, and has its own (private RFC1918) IPs.

You want B to reach devices on the WiFi.

Now, A uses DHCP to get an IP on the WiFi interface. But it doesn't forward DHCP to different interfaces, unless you run a DHCP proxy. Furthermore, WLAN clients generally can't represent more than one MAC address, so somehow you'd have to assign an extra IP to A - or make A represent B's traffic on the WiFi.

The easy way to do this is to make A NAT traffic that's coming from ethernet, and forward it to wifi. This is what your home router does, and will allow B to talk to devices (and internet) on WiFi. Devices on that network will believe the traffic is coming from A, as they can't see B at all.

For how to NAT, see for instance this question.

You should not attempt to clone addresses or any similar silly ideas. IPs are meant to be unique.
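The NAT setup described in the answer, written out as an added example (this is not the answerer's code, and the linked question is not reproduced here). It assumes the wired interface towards B is `eth0`, the WiFi interface is `wlan0`, and the wired link uses the constructed RFC 1918 prefix `192.168.50.0/24`; the rules are printed first so they can be reviewed, and only applied with `--apply` as root. The explicit `FORWARD` drop for UDP 67/68 is belt-and-braces: with plain NAT and no DHCP relay, DHCP broadcasts are never routed between interfaces anyway, but the rule makes that policy visible and covers unicast renewals too.

```shell
#!/bin/sh
# Added example, not from the original answer: make machine A masquerade
# traffic arriving from B on the wired link out through the WiFi interface.
# Interface names and the LAN prefix are assumptions; adjust to your devices.

LAN_IF="${LAN_IF:-eth0}"                 # interface towards B (assumed name)
WAN_IF="${WAN_IF:-wlan0}"                # interface towards the WiFi router (assumed)
LAN_NET="${LAN_NET:-192.168.50.0/24}"    # constructed private RFC 1918 range on the wired link

# Emit the rule set as shell commands, one per line, so it can be inspected
# before anything touches the kernel. Order matters: the DHCP drop sits
# before the ACCEPT rules so it wins for both broadcast and unicast DHCP.
nat_rules() {
    lan="$1"; wan="$2"; net="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -p udp --dport 67:68 -j DROP
iptables -A FORWARD -i $lan -o $wan -s $net -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE
EOF
}

# Number of iptables commands the generator produces (handy for review and tests).
rule_count() {
    nat_rules "$LAN_IF" "$WAN_IF" "$LAN_NET" | grep -c '^iptables'
}

# Apply the rules; refuses to run unless we are root.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    nat_rules "$LAN_IF" "$WAN_IF" "$LAN_NET" | sh -e
}

# Default action is to print the rules; pass --apply to load them.
if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    nat_rules "$LAN_IF" "$WAN_IF" "$LAN_NET"
fi
```

Machine A's own DHCP client on `wlan0` is unaffected, because its packets traverse `INPUT`/`OUTPUT`, not `FORWARD`. B should be given a static address in `LAN_NET` (or served by a DHCP server on A's `eth0` only) with A's wired address as its default gateway; hosts on the WiFi side then see all of B's traffic as coming from A.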

vidarlo