3

I have a network with a central router that runs dd-wrt. Connected to it are several enduser devices. One port however is reserved for a special device that runs a DHCP server. I call it special because I cannot turn DHCP off on it. Actually though, I do want my dd-wrt router to provide DHCP.

How do I setup a rule (I presume it has to be iptables based?) to block any and all DHCP traffic to and from that one device?

Note that I want the device to still be on the same subnet and reachable from all other devices for different services.

PiMaker

2 Answers

4

Because DHCP uses UDP port 67 for the server and UDP port 68 for clients, you can make iptables rules like these:

# Requests sent to the device's DHCP server (client port 68 -> server port 67)
iptables -A FORWARD -p udp -d that-one-device-ip-address --dport 67 -j DROP
# Replies the device's DHCP server sends out (a server sends from port 67)
iptables -A FORWARD -p udp -s that-one-device-ip-address --sport 67 -j DROP
user1677104
0

To block by MAC address you would replace -s $ip_address with -m mac --mac-source $mac_address. There isn't a parallel --mac-destination command (in some cases you may be able to work around it; see https://superuser.com/q/977997/247806).

But iptables won't block DHCP traffic (see https://unix.stackexchange.com/q/447440/103025).

Roger Dueck
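As an added illustration (not part of either answer above), the Python below models which packets of a DHCP exchange the iptables matches discussed here (-p udp, -s/-d, --sport/--dport, -m mac --mac-source) would hit. All addresses and MACs are constructed placeholders, the packets are built from the RFC 2131 exchange, and the matcher is a minimal re-implementation written for this example, not iptables itself. It assumes the packets do reach the FORWARD chain; on a dd-wrt LAN whose ports sit in one bridge, frames switched between LAN ports may never enter iptables at all, which is the caveat behind the link in the second answer.

```python
"""Model of iptables match semantics applied to a constructed DHCP exchange.

Added example, not code from the question or either answer. Addresses are
placeholders; the matcher only mimics iptables, it does not call it.
"""
from dataclasses import dataclass

DEVICE_IP = "192.168.1.50"          # constructed: the device running the rogue DHCP server
DEVICE_MAC = "aa:bb:cc:dd:ee:01"    # constructed
CLIENT_IP = "192.168.1.77"          # constructed: an ordinary LAN client
CLIENT_MAC = "aa:bb:cc:dd:ee:02"    # constructed


@dataclass(frozen=True)
class Packet:
    name: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    smac: str


# Constructed DHCP exchange (RFC 2131) plus one non-DHCP packet that must keep
# flowing, since the device should stay reachable for other services.
EXCHANGE = [
    # DISCOVER is broadcast: no destination IP names the server yet.
    Packet("DISCOVER", "udp", "0.0.0.0", "255.255.255.255", 68, 67, CLIENT_MAC),
    # The server answers from UDP 67 (here to the broadcast address).
    Packet("OFFER", "udp", DEVICE_IP, "255.255.255.255", 67, 68, DEVICE_MAC),
    # A renewing client talks to its server by unicast.
    Packet("REQUEST-renew", "udp", CLIENT_IP, DEVICE_IP, 68, 67, CLIENT_MAC),
    Packet("ACK", "udp", DEVICE_IP, CLIENT_IP, 67, 68, DEVICE_MAC),
    Packet("SSH", "tcp", CLIENT_IP, DEVICE_IP, 51000, 22, CLIENT_MAC),
]


def matches(rule: dict, pkt: Packet) -> bool:
    """Mimic iptables: every option present in the rule must match the packet."""
    checks = {
        "p": lambda v: pkt.proto == v,                       # -p
        "s": lambda v: pkt.src == v,                         # -s
        "d": lambda v: pkt.dst == v,                         # -d
        "sport": lambda v: pkt.sport == v,                   # --sport
        "dport": lambda v: pkt.dport == v,                   # --dport
        "mac_source": lambda v: pkt.smac.lower() == v.lower(),  # -m mac --mac-source
    }
    return all(checks[key](value) for key, value in rule.items())


def dropped_by(rules, packets=EXCHANGE):
    """Names of the packets a list of DROP rules would discard (any match drops)."""
    return [p.name for p in packets if any(matches(r, p) for r in rules)]


# IP-based rules using the port numbers quoted in the thread: traffic to the
# device's server port, and traffic the device's server sends from port 67.
IP_RULES = [
    {"p": "udp", "d": DEVICE_IP, "dport": 67},
    {"p": "udp", "s": DEVICE_IP, "sport": 67},
]

# MAC-based variant for the server-to-client direction only, because iptables
# has --mac-source but no --mac-destination (as the second answer notes).
MAC_RULES = [
    {"p": "udp", "mac_source": DEVICE_MAC, "sport": 67},
]


if __name__ == "__main__":
    for label, rules in (("IP rules", IP_RULES), ("MAC rules", MAC_RULES)):
        print(f"{label:9} drop: {dropped_by(rules)}")
```

Two things the model makes visible: a DHCPDISCOVER is addressed to 255.255.255.255, so a rule keyed on the device's destination IP never sees it, and it is the device's own replies (source port 67) that hand out leases, so dropping those is what actually neutralises the server while SSH and other traffic to the device passes untouched.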