How to create a DHCP snooping rule in a Linux virtual bridge

Question

I have a Linux server (10.0.0.1) running a DHCP server and a virtual bridge. The virtual bridge connects 4 Ethernet interfaces and works as a master switch connecting my users.

The problem arise if some user accidentally creates a rogue DHCP server which answers the DHCP request before they reach the master DHCP server.

Therefore I would like to block all DHCP requests going in between the ports on the virtual switch, but not requests to/from the master DHCP server. Which ebtables rules can I set up to do this?

score 1 · Answer 1 · answered Jun 09 '15 at 18:59

1

The correct way to do this is to use ebtable's filter chain, both forward and output usually, with a ruleset matching UDP ports 67:68.

answered Jun 09 '15 at 18:59

Nihilus

21
1

score 0 · Answer 2 · answered Mar 09 '13 at 21:18

You must block DHCP responses at the Switch, is the only way, because the packets don't pass through the router (in this case the linux server), some switch have the option to make DHCP snooping. This, filter DHCP responses from ports.

I hope has been helpfull

How to create a DHCP snooping rule in a Linux virtual bridge

2 Answers2