
I'm running the ISC DHCP daemon on CentOS and want to block unwanted (by client MAC address) discovery messages before they reach dhcpd.

How can I do this with iptables or anything else?

misha

1 Answer


The Linux netfilter firewall has the ability to match on MAC address and then simply filter the DHCP protocol (UDP ports 67 and 68) messages:

/sbin/iptables -I INPUT -m mac --mac-source 00:11:22:33:44:55 -p udp --sport 67:68 --dport 67:68  -j DROP

Although a better alternative is probably to configure your DHCP server to ignore requests from certain MAC addresses, as described in this Q&A.

HBruijn
  • can I match wildcard mac 11:22:33:* ? – misha Oct 20 '17 at 14:36
  • I think the required form is `xx:xx:xx:xx:xx:xx` but I don't know if `xx:xx:xx:*:*:*` works. Why don't you go and test that? – HBruijn Oct 20 '17 at 14:56
  • still getting discovery messages after adding following rule : sbin/iptables -I INPUT -m mac --mac-source 00:11:22:33:44:55 -j DROP – misha Oct 23 '17 at 12:13
  • You did replace the sample MAC address with the actual MAC you're trying to block, right? – HBruijn Oct 23 '17 at 12:19
  • Yes, I did. I found that all the requests are from the same MAC addr (the GW DHCP server is using it), so inspecting just the layer 2 MAC will not help. It needs to inspect the DHCP message headers. – misha Oct 23 '17 at 12:27
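Following up on the last comment (every request arrives from the relay's MAC at layer 2, so the client MAC has to be read out of the DHCP payload instead), the script below is an added example and not part of the original answer or comments. It derives the iptables `-m u32` expression that matches the DHCP `chaddr` field, which survives relaying, and checks the offset arithmetic against a constructed hex dump of a DHCPDISCOVER. The MAC 00:11:22:33:44:55, the OUI 00:11:22, the relay address 192.168.1.1, the transaction id and all helper function names are my own assumed values.

```shell
#!/bin/sh
# Added example (not from the original answer): build an iptables rule that
# drops DHCP messages by the client hardware address carried *inside* the
# DHCP payload (the chaddr field), so relayed requests that all arrive from
# the gateway's MAC at layer 2 are still matched.
#
# Assumptions: IPv4, UDP, BOOTP/DHCP with htype=1 (Ethernet) and hlen=6.
# iptables u32 offsets are relative to the start of the IP header:
#   "0>>22&0x3C@"  = IHL*4, i.e. the start of the UDP header
#   UDP header     = 8 bytes
#   chaddr         = DHCP offset 28 -> UDP-relative offset 8+28 = 36

# Normalise "00:11:22:33:44:55", "00-11-22-33-44-55" or "001122334455"
# to lowercase hex digits with no separators.
mac_to_hex() {
    printf '%s' "$1" | sed 's/[:-]//g' | tr 'A-F' 'a-f'
}

# u32 expression matching a full 6-byte MAC in chaddr: bytes 36..39 as one
# 32-bit word, bytes 40..41 as the high 16 bits of the following word.
dhcp_chaddr_u32() {
    hex=$(mac_to_hex "$1")
    [ "${#hex}" -eq 12 ] || { echo "bad MAC: $1" >&2; return 1; }
    hi=$(printf '%s' "$hex" | cut -c1-8)
    lo=$(printf '%s' "$hex" | cut -c9-12)
    printf '0>>22&0x3C@36=0x%s && 0>>22&0x3C@40>>16=0x%s\n' "$hi" "$lo"
}

# Wildcard on the vendor prefix (OUI): only the first 3 bytes of chaddr.
dhcp_chaddr_oui_u32() {
    hex=$(mac_to_hex "$1")
    [ "${#hex}" -eq 6 ] || { echo "bad OUI: $1" >&2; return 1; }
    printf '0>>22&0x3C@36>>8=0x%s\n' "$hex"
}

# Full rule. --dport 67 covers both direct (68->67) and relayed (67->67)
# traffic; the rule is printed, not executed, so it can be reviewed first.
dhcp_block_rule() {
    expr=$(dhcp_chaddr_u32 "$1") || return 1
    printf 'iptables -I INPUT -p udp --dport 67 -m u32 --u32 "%s" -j DROP\n' "$expr"
}

# Self-check of the offset: pull chaddr out of a hex-dumped DHCP payload.
# Constructed sample DHCPDISCOVER header (28 bytes precede chaddr):
SAMPLE_DISCOVER_HEX="01010600deadbeef00008000"                          # op htype hlen hops xid secs flags (12 bytes)
SAMPLE_DISCOVER_HEX="${SAMPLE_DISCOVER_HEX}000000000000000000000000"   # ciaddr yiaddr siaddr (12 bytes)
SAMPLE_DISCOVER_HEX="${SAMPLE_DISCOVER_HEX}c0a80101"                   # giaddr = 192.168.1.1, the relay (4 bytes)
SAMPLE_DISCOVER_HEX="${SAMPLE_DISCOVER_HEX}001122334455"               # chaddr = 00:11:22:33:44:55
SAMPLE_DISCOVER_HEX="${SAMPLE_DISCOVER_HEX}00000000000000000000"       # chaddr padding to 16 bytes

# chaddr at DHCP byte offset 28 -> hex characters 57..68 of the payload dump.
dhcp_chaddr_from_hex() {
    printf '%s' "$1" | cut -c57-68 | sed 's/../&:/g; s/:$//'
}

dhcp_block_rule 00:11:22:33:44:55
```

Run the printed rule as root on the DHCP server; it needs the `xt_u32` netfilter module, which CentOS ships. Because the match is on `chaddr` rather than the Ethernet source, it drops the client's DISCOVER and REQUEST whether they arrive by broadcast or via the gateway relay. The `dhcp_chaddr_oui_u32` variant answers the wildcard question from the comments: u32 can compare only the first three bytes. For a single host, ISC dhcpd's `deny booting;` inside a `host` declaration remains the simpler fix, since it needs no packet-offset arithmetic.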