I'm running the ISC DHCP daemon on CentOS and want to block unwanted (by client MAC address) discovery messages before they reach dhcpd.

How can I do this with iptables or anything else?

misha
  • If you've got "unwanted clients" on your network I'd recommend blocking them on your infrastructure (switches) and/or remove them physically. Disabling their DHCP doesn't prevent them from using a static address. – Zac67 Jul 10 '23 at 10:47

1 Answer

The Linux netfilter firewall has the ability to match on MAC address and then simply filter the DHCP protocol (UDP ports 67 and 68) messages:

/sbin/iptables -I INPUT -m mac --mac-source 00:11:22:33:44:55 -p udp --sport 67:68 --dport 67:68  -j DROP

Although a better alternative is probably to configure your DHCP server to ignore requests from certain MAC addresses, as described in this Q&A.

HBruijn
  • can I match wildcard mac 11:22:33:* ? – misha Oct 20 '17 at 14:36
  • I think the required form is `xx:xx:xx:xx:xx:xx` but I don't know if `xx:xx:xx:*:*:*` works. Why don't you go and test that? – HBruijn Oct 20 '17 at 14:56
  • still getting discovery messages after adding the following rule: sbin/iptables -I INPUT -m mac --mac-source 00:11:22:33:44:55 -j DROP – misha Oct 23 '17 at 12:13
  • You did replace the sample MAC address with the actual MAC you're trying to block, right? – HBruijn Oct 23 '17 at 12:19
  • yes I did. I found that all the requests are from the same MAC addr (the one the GW DHCP server is using), so inspecting just the layer 2 MAC will not help. It needs to inspect the DHCP message headers. – misha Oct 23 '17 at 12:27
  • iptables can match, but it's probably too late with ISC DHCP server: https://kb.isc.org/docs/aa-00378 . RAW sockets bypass iptables. – A.B Oct 03 '22 at 15:13
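The thread ends on two points worth seeing in code: when DHCP arrives through a relay or gateway, the Ethernet source MAC that `iptables -m mac` compares is the relay's, while the client's MAC travels inside the DHCP payload (the `chaddr` field); and a wildcard such as `00:11:22:*` needs per-octet matching. The following is an added example, not code from the thread or from ISC dhcpd. It parses a DHCP message from raw bytes, extracts `chaddr` and `giaddr`, and decides whether a DISCOVER should be denied against a list of MAC patterns. The function names (`parse_dhcp`, `mac_matches`, `should_drop`, `build_discover`) and the sample packets are my own constructions.

```python
"""Parse DHCP DISCOVER messages and deny by client hardware address.

Added example, not code from the Server Fault thread above. All names here
(parse_dhcp, mac_matches, should_drop, build_discover) are my own.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that starts the options area
BOOTREQUEST = 1
OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END, OPT_PAD = 53, 61, 255, 0
DHCPDISCOVER = 1


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed BOOTP header and the TLV options of one DHCP message."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops = struct.unpack("!BBBB", payload[:4])
    giaddr = ".".join(str(b) for b in payload[24:28])             # relay IP, 0.0.0.0 if none
    chaddr = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])  # client MAC inside the payload
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "htype": htype, "hops": hops, "giaddr": giaddr,
            "chaddr": chaddr, "options": opts}


def mac_matches(mac: str, pattern: str) -> bool:
    """Octet-wise match: '*' matches one octet, and a trailing '*' matches the
    rest, so '00:11:22:*' covers the whole OUI."""
    want = pattern.lower().split(":")
    if want[-1] == "*":
        want += ["*"] * (6 - len(want))
    have = mac.lower().split(":")
    return len(want) == 6 and all(w == "*" or w == h for w, h in zip(want, have))


def should_drop(payload: bytes, deny: list) -> bool:
    """True if this is a DISCOVER whose chaddr matches any deny pattern."""
    msg = parse_dhcp(payload)
    if msg["op"] != BOOTREQUEST or msg["options"].get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
        return False
    return any(mac_matches(msg["chaddr"], p) for p in deny)


def build_discover(client_mac: bytes, giaddr: bytes = b"\0\0\0\0", hops: int = 0) -> bytes:
    """Constructed sample DISCOVER (not a capture): fixed header plus options."""
    hdr = struct.pack("!BBBBIHH", BOOTREQUEST, 1, 6, hops, 0x3903F326, 0, 0x8000)
    hdr += b"\0" * 12 + giaddr                   # ciaddr, yiaddr, siaddr, giaddr
    hdr += client_mac.ljust(16, b"\0")           # chaddr, padded to 16 bytes
    hdr += b"\0" * 64 + b"\0" * 128              # sname, file
    opts = (DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
            + bytes([OPT_CLIENT_ID, 7, 1]) + client_mac + bytes([OPT_END]))
    return hdr + opts


if __name__ == "__main__":
    deny = ["00:11:22:*"]                        # deny the whole 00:11:22 OUI
    # Relayed through a gateway: on the wire the Ethernet source MAC is the
    # relay's, which is what iptables -m mac sees, but chaddr still names the client.
    relayed = build_discover(bytes.fromhex("001122334455"), giaddr=bytes([10, 0, 0, 1]), hops=1)
    msg = parse_dhcp(relayed)
    print(msg["chaddr"], "via", msg["giaddr"], "drop" if should_drop(relayed, deny) else "pass")
    local = build_discover(bytes.fromhex("aabbccddeeff"))
    print(parse_dhcp(local)["chaddr"], "drop" if should_drop(local, deny) else "pass")
```

This is the kind of check that has to happen on the DHCP payload rather than the Ethernet header, which is why the last comment matters: ISC dhcpd reads its packets through a raw socket, so an INPUT-chain rule never gets a chance to act before the daemon sees the message. The practical place for the decision is therefore dhcpd.conf itself, for instance a `host` declaration carrying the `hardware ethernet` address together with `ignore booting;`, which is the server-side equivalent of the `should_drop` test above.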