Ebtables to stop DHCP and ARP - Networking



Thread: Ebtables to stop DHCP and ARP

  1. Ebtables to stop DHCP and ARP

    Here is my setup:

    Private IP Address Network <==> Linux Ethernet Bridge <==> Public IP
    Address Network

    The bridge is there so that we can set static public IP Addresses
    behind the Private IP Gateway (I have no control over this device).

    This setup works great in one of our other locations, but here we have
    a problem. The Gateway for the Public IP Address Network thinks that
    it has ALL PRIVATE IP ADDRESSES. So when a new device turns on in the
    Private network and does a DHCP Discover, Offer, Request, and ACK, it
    then does a Gratuitous ARP Broadcast asking who has the address it's
    received, then the Public IP Gateway responds with ARP saying that the
    IP address is at its MAC address. So I figure, the best way to stop
    this is to use ebtables to block the DHCP and ARP from the private
    addresses. Here are the commands that I am using, but aren't working:

    ebtables -P FORWARD DROP
    ebtables -P INPUT DROP
    ebtables -P OUTPUT DROP
    ebtables -A FORWARD -p IPv4 -j ACCEPT
    ebtables -A FORWARD -p ARP -j ACCEPT
    ebtables -A INPUT -p IPv4 -j ACCEPT
    ebtables -A INPUT -p ARP -j ACCEPT
    ebtables -A OUTPUT -p IPv4 -j ACCEPT
    ebtables -A OUTPUT -p ARP -j ACCEPT
    ebtables -A INPUT -i $PRIVATE_NET -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport 67:68 -j DROP
    ebtables -A INPUT -i $PUBLIC_NET -p arp --arp-ip-src 192.168.0.0/16 -j DROP

    Any suggestions on how to block this properly in ebtables or
    suggestions of any settings I may be missing?


  2. Re: Ebtables to stop DHCP and ARP

    support@isotech-inc.com wrote:
    > Here is my setup:


    > Private IP Address Network <==> Linux Ethernet Bridge <==> Public IP
    > Address Network


    > The bridge is there so that we can set static public IP Addresses
    > behind the Private IP Gateway (I have no control over this device).


    > This setup works great in one of our other locations, but here we have
    > a problem. The Gateway for the Public IP Address Network thinks that
    > it has ALL PRIVATE IP ADDRESSES. So when a new device turns on in the
    > Private network and does a DHCP Discover, Offer, Request, and ACK, it
    > then does a Gratuitous ARP Broadcast asking who has the address it's
    > received, then the Public IP Gateway responds with ARP saying that the
    > IP address is at its MAC address. So I figure, the best way to stop
    > this is to use ebtables to block the DHCP and ARP from the private
    > addresses. Here are the commands that I am using, but aren't working:


    > ebtables -P FORWARD DROP
    > ebtables -P INPUT DROP
    > ebtables -P OUTPUT DROP
    > ebtables -A FORWARD -p IPv4 -j ACCEPT
    > ebtables -A FORWARD -p ARP -j ACCEPT
    > ebtables -A INPUT -p IPv4 -j ACCEPT
    > ebtables -A INPUT -p ARP -j ACCEPT
    > ebtables -A OUTPUT -p IPv4 -j ACCEPT
    > ebtables -A OUTPUT -p ARP -j ACCEPT


    I don't know much about ebtables but guessing from what I do know about
    iptables at this point you have ACCEPTed all IPv4 and all ARP whatever
    so that the two rules below never come into play.

    > ebtables -A INPUT -i $PRIVATE_NET -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport 67:68 -j DROP
    > ebtables -A INPUT -i $PUBLIC_NET -p arp --arp-ip-src 192.168.0.0/16 -j DROP


    Perhaps eliminating

    ebtables -A INPUT -p IPv4 -j ACCEPT
    ebtables -A INPUT -p ARP -j ACCEPT

    and replacing the last two DROP rules with

    ebtables -A INPUT -i $PRIVATE_NET -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport ! 67:68 -j ACCEPT
    ebtables -A INPUT -i $PUBLIC_NET -p arp --arp-ip-src ! 192.168.0.0/16 -j ACCEPT

    would do it.

    > Any suggestions on how to block this properly in ebtables or
    > suggestions of any settings I may be missing?


    Sorry, but any further suggestion from me would be a *real* WAG.

    Regards-
    --
    Clifford Kite
    /* In my book, the first poster to resort to personal abuse in a Usenet
    debate loses by default. - Rod Smith */


  3. Re: Ebtables to stop DHCP and ARP

    Well, that didn't do it exactly - but it pointed me in the right
    direction. I will post the rules I ended up with when I'm all done.
    I've only been using ebtables/iptables for a little while, so I'm
    still getting the hang of it.


  4. Re: Ebtables to stop DHCP and ARP

    support@isotech-inc.com wrote:
    > Well, that didn't do it exactly - but it pointed me in the right
    > direction. I will post the rules I ended up with when I'm all done.
    > I've only been using ebtables/iptables for a little while, so I'm
    > still getting the hang of it.


    Yep, I know the feeling - it takes experience to be sure. Thanks for
    the follow up.

    Here's something that occurred to me and might help. Replacing

    ebtables -A INPUT -i $PRIVATE_NET -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport ! 67:68 -j ACCEPT

    with

    ebtables -A INPUT -i $PRIVATE_NET -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-dport ! 67:68 -j ACCEPT

    should accept all IPv4 (not just UDP) traffic not bound for ports 67,68.
    IPv4 traffic bound for those ports will be dropped, but that seems rather
    unlikely to cause a problem.

    Regards-
    --
    Clifford Kite

  5. Re: Ebtables to stop DHCP and ARP

    I ended up moving the packets that I want blocked to the FORWARD chain
    so I didn't have to worry about what interface it was coming in (just
    in case the ethernet cables are in the wrong plug). And I moved the
    rules to block the packets above the rules to allow - I forgot that
    order matters with ebtables/iptables. I keep looking at it and
    thinking something's wrong, but it works and fixes all the problems
    I've been having! Thanks for your help.

    # Clear ebtables
    ebtables -F
    ebtables -X

    # Drop everything and build up Input and Output to accept IP and ARP
    ebtables -P FORWARD DROP
    ebtables -P INPUT DROP
    ebtables -P OUTPUT DROP
    ebtables -A INPUT -p IPv4 -j ACCEPT
    ebtables -A INPUT -p ARP -j ACCEPT
    ebtables -A INPUT --log-level info --log-ip --log-prefix EBFW
    ebtables -A OUTPUT -p IPv4 -j ACCEPT
    ebtables -A OUTPUT -p ARP -j ACCEPT
    ebtables -A OUTPUT --log-level info --log-ip --log-arp --log-prefix EBFW -j DROP

    # Drop private IP ARP traffic and any Private responses from the Public Internet
    ebtables -A FORWARD -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport 67:68 -j DROP
    ebtables -A FORWARD -p arp --arp-ip-src 192.168.0.0/16 -j DROP
    ebtables -A FORWARD -p arp --arp-ip-dst 192.168.0.0/16 -j DROP

    # Let the rest of the Packets through
    ebtables -A FORWARD -p IPv4 -j ACCEPT
    ebtables -A FORWARD -p ARP -j ACCEPT
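    Added illustration (not part of the thread, and not ebtables itself): a toy first-match evaluator that models the two FORWARD orderings discussed above, post 1's ACCEPT-before-DROP ordering as it would look on FORWARD and post 5's DROP-before-ACCEPT ordering, so the "order matters" point from posts 2 and 5 can be seen on constructed frames. The frame dictionaries, predicate names and the 192.168.0.0/16 range are assumptions taken from the rules in this thread.

```python
"""Toy first-match model of the ebtables FORWARD rulesets in this thread.
Constructed example: frames are dicts, rules are (predicate, target) pairs,
and the chain policy applies only when no rule matches."""

BROADCAST = "ff:ff:ff:ff:ff:ff"

def is_private(ip):               # the 192.168.0.0/16 range the thread filters
    return ip.startswith("192.168.")

def dhcp_bcast(f):                # -d Broadcast -p IPv4 --ip-prot udp --ip-dport 67:68
    return (f["proto"] == "IPv4" and f["dst_mac"] == BROADCAST
            and f.get("ip_prot") == "udp" and f.get("dport") in (67, 68))

def arp_private_src(f):           # -p arp --arp-ip-src 192.168.0.0/16
    return f["proto"] == "ARP" and is_private(f["arp_ip_src"])

def arp_private_dst(f):           # -p arp --arp-ip-dst 192.168.0.0/16
    return f["proto"] == "ARP" and is_private(f["arp_ip_dst"])

def ipv4(f): return f["proto"] == "IPv4"   # -p IPv4
def arp(f): return f["proto"] == "ARP"     # -p ARP

def evaluate(chain, frame, policy="DROP"):
    """Walk the chain top to bottom; the first matching rule decides."""
    for match, target in chain:
        if match(frame):
            return target
    return policy                 # ebtables -P FORWARD DROP

# Post 1 ordering: catch-all ACCEPTs first, so the DROPs are never reached.
ORIGINAL_FORWARD = [(ipv4, "ACCEPT"), (arp, "ACCEPT"),
                    (dhcp_bcast, "DROP"), (arp_private_src, "DROP")]
# Post 5 ordering: specific DROPs first, then the catch-all ACCEPTs.
FINAL_FORWARD = [(dhcp_bcast, "DROP"), (arp_private_src, "DROP"),
                 (arp_private_dst, "DROP"), (ipv4, "ACCEPT"), (arp, "ACCEPT")]

# Constructed sample frames crossing the bridge
DHCP_DISCOVER = {"proto": "IPv4", "dst_mac": BROADCAST, "ip_prot": "udp", "dport": 67}
ARP_PROBE = {"proto": "ARP", "arp_ip_src": "192.168.1.50", "arp_ip_dst": "192.168.1.50"}
GW_ARP_REPLY = {"proto": "ARP", "arp_ip_src": "192.168.1.1", "arp_ip_dst": "192.168.1.50"}
WEB_TRAFFIC = {"proto": "IPv4", "dst_mac": "00:11:22:33:44:55", "ip_prot": "tcp", "dport": 443}

def verdicts(chain):
    """Verdict per sample frame for one chain ordering."""
    return {name: evaluate(chain, f) for name, f in
            [("dhcp", DHCP_DISCOVER), ("arp_probe", ARP_PROBE),
             ("gw_reply", GW_ARP_REPLY), ("web", WEB_TRAFFIC)]}

if __name__ == "__main__":
    for label, chain in (("original", ORIGINAL_FORWARD), ("final", FINAL_FORWARD)):
        print(label, verdicts(chain))
```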


  6. Re: Ebtables to stop DHCP and ARP

    support@isotech-inc.com wrote:
    > I ended up moving the packets that I want blocked to the FORWARD chain
    > so I didn't have to worry about what interface it was coming in (just
    > in case the ethernet cables are in the wrong plug).


    Just for future reference, for iptables anyway, the INPUT chain is for
    packets whose final destination is the local host, the OUTPUT chain
    is for packets generated by the local host, and FORWARD chain is for
    packets arriving on one interface and routed out another.

    Regards-
    --
    Clifford Kite
    /* Emacs vs vi:
    Sort of like a Swiss Army knife versus a rapier. */
