I have a PC (running Fedora 20) that is being used as a "software switch" to control the network connectivity of some external devices. There are eight such devices; the PC has two 4-port Ethernet cards in addition to its own Ethernet connection to the outside world. By default, the eight device interfaces are forwarded to the external interface with no filtering.
The desired functionality is the ability to block all traffic to and from a given device. Currently, we are doing this using bridge link set dev <device> state 0
, which sets the bridge state of the device to "disabled". However, this appears to also block DHCP traffic from the device. The network's DHCP server is accessible via the external interface, so it seems like the bridge is blocking this traffic, meaning that if the device tries to renew its IP, this fails; this is problematic in terms of the tests I'm trying to perform on the device.
What I'd like to do is to block all traffic except DHCP across the bridge, for a given device. It seems like the bridge
command can't do this, so I'd probably want to leave the bridge state as "forwarding" permanently. Having done some research, it seems like ebtables
is the tool I need, but configuring it seems to need more knowledge of DHCP and networking than I have! From reading a few ebtables
tutorials, I think I need to allow traffic on ports 67 and 68 (I believe these are the only ports used for DHCP?) and block all other traffic.
So my questions are:
- Is it possible to configure
ebtables
to do what I want? - Is
ebtables
the best tool for the job and/or are there any abstraction layers on top of it that would make it easier to configure? (I'm thinking offerm
foriptables
.) - Assuming I'm heading in the right direction, how would I configure
ebtables
to block all traffic bar DHCP?