Mailing List Archive

Block LAN DHCP broadcast
Hello and thank you for the help.

I am running iptables v1.3.7 on a LAN router and I need to block DHCP
requests. New machines on the router should be prevented from
broadcasting DHCP, forcing only that router to handle DHCP.

Can this be done? Seems like I have been trying for days without success.

-- Gnarlie
http://Gnarlodious.com/
Re: Block LAN DHCP broadcast
Assuming that all your hosts are connected to a single broadcast-domain
LAN,
that your firewall box is the layer 3 default gateway for
internet-connections for your hosts and that you're talking about
preventing all other hosts on this lan to respond to dhcp broadcasts,
that's pretty much impossible.

DHCP packets are not passing through your router box on their way
between
an assumed evil dhcp host and your normal hosts.

You could try to find some sort of filter options in your switching
hardware
to control the flow of broadcasts and/or dhcp packets.

Or you could try using some form of dhcp authentication.

Or you could have a separate VLAN for each of your hosts
and only allow them to communicate via your router
(possibly creating a performance bottleneck though...)


On Mon, 2007-07-16 at 07:52 -0600, Gnarlodious wrote:
> Hello and thank you for the help.
>
> I am running iptables v1.3.7 on a LAN router and I need to block DHCP
> requests. New machines on the router should be prevented from
> broadcasting DHCP, forcing only that router to handle DHCP.
>
> Can this be done? Seems like I have been trying for days without success.
>
> -- Gnarlie
> http://Gnarlodious.com/
Re: Block LAN DHCP broadcast
Thanks for the quick response. Not sure I understand all of that...
Yes, this LAN is all on one IP range. The routers are all connected
with ethernet.

I don't want to block client computers, but I understand that if I
drop DHCP ports 67 and 68 to and from other routers then DHCP will be
handled by the router the computer is connected to. Is that right?

So, these are existing connections I need to block. Using iptables, is
there a way using IP or MAC address to limit DHCP broadcast to other
routers?

-- Gnarlie


On 7/16/07, Thomas Jacob wrote:
> Assuming that all your hosts are connected to a single broadcast-domain
> LAN,
> that your firewall box is the layer 3 default gateway for
> internet-connections for your hosts and that you're talking about
> preventing all other hosts on this lan to respond to dhcp broadcasts,
> that's pretty much impossible.
>
> DHCP packets are not passing through your router box on their way
> between
> an assumed evil dhcp host and your normal hosts.
>
> You could try to find some sort of filter options in your switching
> hardware
> to control the flow of broadcasts and/or dhcp packets.
>
> Or you could try using some form of dhcp authentication.
>
> Or you could have a separate VLAN for each of your hosts
> and only allow them to communicate via your router
> (possibly creating a performance bottleneck though...)
>
>
> On Mon, 2007-07-16 at 07:52 -0600, Gnarlodious wrote:
> > Hello and thank you for the help.
> >
> > I am running iptables v1.3.7 on a LAN router and I need to block DHCP
> > requests. New machines on the router should be prevented from
> > broadcasting DHCP, forcing only that router to handle DHCP.
> >
> > Can this be done? Seems like I have been trying for days without success.
> >
> > -- Gnarlie
> > http://Gnarlodious.com/
>
>
>
>
Re: Block LAN DHCP broadcast
On Mon, 2007-07-16 at 08:38 -0600, Gnarlodious wrote:
> Thanks for the quick response. Not sure I understand all of that...
> Yes, this LAN is all on one IP range. The routers are all connected
> with ethernet.
>
> I don't want to block client computers, but I understand that if I
> drop DHCP ports 67 and 68 to and from other routers then DHCP will be
> handled by the router the computer is connected to. Is that right?

AFAIK, DHCP requests aren't usually passed on by (Linux) routers
(Pseudo-UDP/IP-Packet to 255.255.255.255/FF:FF:FF:FF:FF:FF Port), and if
they were, you could probably simply stop them by filtering everything
to udp
destination port 68. What makes you think that your router passes
on DHCP requests?

On the contrary, one usually does have to put in
a bit of effort to allow dhcp over routers (=> dhcp relay)...
Re: Block LAN DHCP broadcast
On 7/16/07, Thomas Jacob wrote:
> What makes you think that your router passes
> on DHCP requests?
Because computers connected to the modem will obtain a Linksys DHCP
range, and computers connected to a Linksys router may obtain a modem
DHCP.

I have a DSL modem/router at the terminal end of a chain of Linksys
routers, and the modem is not very configurable. I need to block DHCP
at the Linksys so the modem is invisible to the routers. I tried
disabling DHCP on the modem, but it has a server running from it and
the server requires DHCP to be running. I could let the router handle
the server's DHCP request, but then I would need to have another
device on the UPS battery. I want to have only two devices taking
power from the UPS battery, the modem and the server.

Any help to solve this problem with software would be greatly
appreciated. These routers are Linksys WRT54GL with BusyBox v1.6.0 and
iptables v1.3.7.

> On the contrary, one usually does have to put in
> a bit of effort to allow dhcp over routers (=> dhcp relay)...
In the BusyBox setup, DHCP broadcast is on by default, and apparently
a little hard to disable.

-- Gnarlie
Re: Block LAN DHCP broadcast
Gnarlodious wrote:
> On 7/16/07, Thomas Jacob wrote:
> >What makes you think that your router passes
> >on DHCP requests?
> Because computers connected to the modem will obtain a Linksys DHCP
> range, and computers connected to a Linksys router may obtain a modem
> DHCP.
>
> I have a DSL modem/router at the terminal end of a chain of Linksys
> routers, and the modem is not very configurable. I need to block DHCP
> at the Linksys so the modem is invisible to the routers. I tried
> disabling DHCP on the modem, but it has a server running from it and
> the server requires DHCP to be running. I could let the router handle
> the server's DHCP request, but then I would need to have another
> device on the UPS battery. I want to have only two devices taking
> power from the UPS battery, the modem and the server.

A diagram might be more helpful.

> Any help to solve this problem with software would be greatly
> appreciated. These routers are Linksys WRT54GL with BusyBox v1.6.0 and
> iptables v1.3.7.
>
> >On the contrary, one usually does have to put in
> >a bit of effort to allow dhcp over routers (=> dhcp relay)...
> In the BusyBox setup, DHCP broadcast is on by default, and apparently
> a little hard to disable.

DHCP is broadcast when one requests an IP. That's why it's D(ynamic)HCP.

From what it sounds like, you have several routers attached to the same
network as the dsl modem. There's really no way to stop DHCP across that.
The best way I can think of is to have a system (computer, router, whatever
running linux) with 2 bridged interfaces and block DHCP traffic going across
the bridge. I did this at work with a spare PC so that my part of the
network would see my BOOTP server and not the DHCP server that is also on
the network. (HINT, use ebtables!)

--
Lab tests show that use of micro$oft causes cancer in lab animals
Got Gas???
Re: Block LAN DHCP broadcast
You mean you installed the "dhcp-relay" package and then
your box does relay dhcp messages? Sure, but it shouldn't
do that if you didn't install that package and just switched on IP
routing,
or should it?


On Mon, 2007-07-16 at 12:07 -0400, Raciel wrote:
> You're wrong. I have had a Debian-based firewall working since November 23 of
> 2006 and it always relayed DHCP broadcasts without configuring anything; just
> install it and it works just fine. Actually I am using Debian Etch RC-1.
> I think I'll figure out how to make some sort of DHCP authentication
> before introducing the packet flow into the firewall itself.
> Thank you very much for your kind response.
> Best regards
Re: Block LAN DHCP broadcast
No.

-gc

Gnarlodious wrote:
> Hello and thank you for the help.
>
> I am running iptables v1.3.7 on a LAN router and I need to block DHCP
> requests. New machines on the router should be prevented from
> broadcasting DHCP, forcing only that router to handle DHCP.
>
> Can this be done? Seems like I have been trying for days without success.
>
> -- Gnarlie
> http://Gnarlodious.com/
Re: Block LAN DHCP broadcast
Please keep list mail on the list.

Gnarlodious wrote:
> On 7/16/07, Wakko Warner wrote:
> >Gnarlodious wrote:
> >> I would need to have another
> >> device on the UPS battery. I want to have only two devices taking
> >> power from the UPS battery, the modem and the server.
> >
> >A diagram might be more helpful.
> http://etc.Gnarlodious.com/Images/Lan1.png

So you have a dsl connection with 3 computers and a wireless router
connected directly to it. I would assume that you want to keep those 3
computers from getting an IP via DHCP from the dsl modem? From the
networking perspective, unless the UPS is actually networked, it has nothing to
do with the network. (Personally, I would assign a static IP to the UPS).

Does the DSL modem have a built in hub?

From the AP1 you have 2 PCs and another wireless router. Are these getting
their IP from AP1?

From AP2 you have 2 PCs and nothing else. Since I don't know the interfaces
on the AP devices, I don't know if they are routing traffic or switching
traffic.

I guess the real question is, do the 4 devices connected (according to
your diagram) directly to your DSL modem have non-private IPs?
(private IP ranges: http://tools.ietf.org/html/rfc1918 section 3).

> >DHCP is broadcast when one requests an IP. That's why it's D(ynamic)HCP.
> OK, I'm starting to understand that what I want can't be done.
>
> >The best way I can think of is to have a system (computer, router, whatever
> >running linux) with 2 bridged interfaces and block DHCP traffic going
> >across
> >the bridge.
> Any page that explains how to set that up? I'm not a network pro...

The man page for ebtables and brctl. You'll need a linux kernel with
bridging (802.1d support), ebtables enabled (Personally, I just enable all
the netfilter modules and let the system decide at runtime which ones to
load), the drivers for 2 nics (I used 3c905b cards on a celeron 600 pc,
throughput is around 8-9mb/sec).

> And thanks for the hint about ebtables.

You could probably do it with iptables on a bridging interface, but ebtables
might be easier.

--
Lab tests show that use of micro$oft causes cancer in lab animals
Got Gas???
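The filtering bridge described in the two replies above (brctl for the bridge, ebtables to stop DHCP frames crossing it, with iptables on the bridge as the alternative), written out as an added example. This script is not from the list thread or from any of the posters; the interface names eth0/eth1, the bridge name br0 and the log prefix are assumptions. It needs a kernel with 802.1d bridging and ebtables, the bridge-utils and ebtables tools, and root to apply; invoked without the `apply` argument it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: a Linux box with two NICs as a transparent bridge that keeps
# DHCP/BOOTP frames from crossing between its ports, so each side only ever
# sees the DHCP server on its own side. Interface and bridge names below are
# assumptions. Usage: "sh dhcp-bridge.sh apply" (root) or "sh dhcp-bridge.sh show".

BRIDGE=${BRIDGE:-br0}
PORT_A=${PORT_A:-eth0}
PORT_B=${PORT_B:-eth1}

# Commands that build the bridge and bring both ports up. No IP address is
# assigned: a filtering bridge forwards frames without one.
bridge_setup_cmds() {
    br=$1; a=$2; b=$3
    printf '%s\n' \
        "brctl addbr $br" \
        "brctl addif $br $a" \
        "brctl addif $br $b" \
        "ip link set $a up" \
        "ip link set $b up" \
        "ip link set $br up"
}

# ebtables rules for the FORWARD chain, which sees every frame crossing the
# bridge. DHCP/BOOTP always uses UDP ports 67 (server) and 68 (client):
# client requests go 68->67, server replies 67->68, relay-to-server 67->67.
# Matching destination port 67:68 therefore catches every DHCP message in
# both directions and nothing else, so ARP, mDNS/Zeroconf and normal traffic
# still pass. The --log watcher records each dropped frame to syslog, which
# is how you verify from the bridge that the block is actually doing work.
dhcp_filter_rules() {
    br=$1
    printf '%s\n' \
        "ebtables -F FORWARD" \
        "ebtables -A FORWARD --logical-in $br -p IPv4 --ip-proto udp --ip-dport 67:68 --log --log-prefix \"DHCP-ACROSS-BRIDGE \" -j DROP" \
        "ebtables -P FORWARD ACCEPT"
}

# The same block done with iptables. iptables only sees bridged frames once
# bridge-nf-call-iptables is on; the physdev match restricts the rule to
# frames being bridged, so traffic routed through the box is unaffected.
dhcp_filter_rules_iptables() {
    printf '%s\n' \
        "sysctl -w net.bridge.bridge-nf-call-iptables=1" \
        "iptables -A FORWARD -m physdev --physdev-is-bridged -p udp --dport 67:68 -j DROP"
}

# Execute one command per input line, echoing each before it runs.
run_cmds() {
    while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
}

# Per-rule counters: a rising DROP count means DHCP really tried to cross.
show_status() {
    ebtables -L FORWARD --Lc
}

case "${1:-}" in
    apply)
        set -e
        bridge_setup_cmds "$BRIDGE" "$PORT_A" "$PORT_B" | run_cmds
        dhcp_filter_rules "$BRIDGE" | run_cmds
        show_status
        ;;
    show)
        bridge_setup_cmds "$BRIDGE" "$PORT_A" "$PORT_B"
        dhcp_filter_rules "$BRIDGE"
        dhcp_filter_rules_iptables
        ;;
esac
```

The DROP rule sits in FORWARD, not INPUT or OUTPUT, because the bridge itself is not a DHCP party; it only has to refuse to carry DHCP from one port to the other. Check the counters with `ebtables -L FORWARD --Lc` after renewing a lease on either side: the lease should come from that side's server and the counter should move only if something tried to cross.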
Re: Block LAN DHCP broadcast
Hi, thanks for all the interest. This firmware runs on all WiFi
routers with a Broadcom chipset, including some Linksys models,
Buffalo, Asus and others. It is Linux with a complement of utilities
for networking, so it comes defaulted to network by simply plugging it
in. The router is made so you can add or remove it from the network
and it all keeps working. It's great.

The "UPS" in my diagram is an Uninterruptible Power Supply, not a
computer. I included it to illustrate the miserly power requirements
of the two devices that it feeds. It does not have a network
connection, but it talks to the server through USB.

The DSL modem is also an access point/router, it has 4 ethernet ports
and WiFi, which is disabled. Unfortunately it is somewhat limited in
capability. The server is connected with a static IP address and is
internet accessible, sort of a limited DMZ setup. The modemrouter
needs to have spare DHCP available for power failure emergency use,
otherwise I could set the DHCP range to nil and not bother with this
problem.

Along the Ethernet Backbone there are several more devices than what I
drew, that was just a minimal example. This leg of the network is
inaccessible from the internet. All routers are WRT54GLs with full
Linux routing capabilities. All WRTs have a static IP, are connected
on LAN ports and connections cascade nicely. The only problem is that
the WRTs include the modemrouter in their DHCP broadcast. This is what
I am trying to prevent. The modemrouter also broadcasts DHCP to the
WRTs, so I want blocking both ways.

All PCs on the network are simple clients. There is no NAT or anything
fancy here. I don't know if a "dhcp relay daemon is running", how
would I find out? The reason I thought this would work is, I did try
an iptables command that caused the problem computer to obtain the
correct IP address when I renewed the DHCP lease. That was a
broad-brush solution, though, because I also lost all Zeroconf
broadcasting. So I thought I needed to focus the blockage more.

I don't know if the WRT can run plugged into the modem with the WAN
port. If that would allow DHCP filtering maybe that is a solution.

Thanks for all the ideas, I hope I'm on the right track.

-- Gnarlie


On 7/16/07, Wakko Warner wrote:
> Please keep list mail on the list.
>
> Gnarlodious wrote:
> > On 7/16/07, Wakko Warner wrote:
> > >Gnarlodious wrote:
> > >> I would need to have another
> > >> device on the UPS battery. I want to have only two devices taking
> > >> power from the UPS battery, the modem and the server.
> > >
> > >A diagram might be more helpful.
> > http://etc.Gnarlodious.com/Images/Lan1.png
>
> So you have a dsl connection with 3 computers and a wireless router
> connected directly to it. I would assume that you want to keep those 3
> computers from getting an IP via DHCP from the dsl modem? From the
> networking perspective, unless the UPS is actually networked, it has nothing to
> do with the network. (Personally, I would assign a static IP to the UPS).
>
> Does the DSL modem have a built in hub?
>
> From the AP1 you have 2 PCs and another wireless router. Are these getting
> their IP from AP1?
>
> From AP2 you have 2 PCs and nothing else. Since I don't know the interfaces
> on the AP devices, I don't know if they are routing traffic or switching
> traffic.
>
> I guess the real question is, do the 4 devices connected (according to
> your diagram) directly to your DSL modem have non-private IPs?
> (private IP ranges: http://tools.ietf.org/html/rfc1918 section 3).
>
> > >DHCP is broadcast when one requests an IP. That's why it's D(ynamic)HCP.
> > OK, I'm starting to understand that what I want can't be done.
> >
> > >The best way I can think of is to have a system (computer, router,
> whatever
> > >running linux) with 2 bridged interfaces and block DHCP traffic going
> > >across
> > >the bridge.
> > Any page that explains how to set that up? I'm not a network pro...
>
> The man page for ebtables and brctl. You'll need a linux kernel with
> bridging (802.1d support), ebtables enabled (Personally, I just enable all
> the netfilter modules and let the system decide at runtime which ones to
> load), the drivers for 2 nics (I used 3c905b cards on a celeron 600 pc,
> throughput is around 8-9mb/sec).
>
> > And thanks for the hint about ebtables.
>
> You could probably do it with iptables on a bridging interface, but ebtables
> might be easier.
>
> --
> Lab tests show that use of micro$oft causes cancer in lab animals
> Got Gas???
>
Re: Block LAN DHCP broadcast
Please do not top post.

Gnarlodious wrote:
> Hi, thanks for all the interest. This firmware runs on all WiFi
> routers with a Broadcom chipset, including some Linksys models,
> Buffalo, Asus and others. It is Linux with a complement of utilities
> for networking, so it comes defaulted to network by simply plugging it
> in. The router is made so you can add or remove it from the network
> and it all keeps working. It's great.
>
> The "UPS" in my diagram is an Uninterruptible Power Supply, not a
> computer. I included it to illustrate the miserly power requirements
> of the two devices that it feeds. It does not have a network
> connection, but it talks to the server through USB.

As far as a networking diagram, it shouldn't have been shown. The diagram
you have is just what devices are plugged in to other devices so there's no
way to tell what network or networks are there.

> The DSL modem is also an access point/router, it has 4 ethernet ports
> and WiFi, which is disabled. Unfortunately it is somewhat limited in
> capability. The server is connected with a static IP address and is
> internet accessible, sort of a limited DMZ setup. The modemrouter
> needs to have spare DHCP available for power failure emergency use,
> otherwise I could set the DHCP range to nil and not bother with this
> problem.

You really don't want more than 1 DHCP server on a network (There are cases
where it's ok which is beyond the scope of this message).

> Along the Ethernet Backbone there are several more devices than what I
> drew, that was just a minimal example. This leg of the network is
> inaccessible from the internet. All routers are WRT54GLs with full
> Linux routing capabilities. All WRTs have a static IP, are connected
> on LAN ports and connections cascade nicely. The only problem is that
> the WRTs include the modemrouter in their DHCP broadcast. This is what
> I am trying to prevent. The modemrouter also broadcasts DHCP to the
> WRTs, so I want blocking both ways.

So basically you're just using the AP1 and AP2 as a switch. This would mean
that the diagram depicts one single network.

> All PCs on the network are simple clients. There is no NAT or anything
> fancy here. I don't know if a "dhcp relay daemon is running", how
> would I find out? The reason I thought this would work is, I did try
> an iptables command that caused the problem computer to obtain the
> correct IP address when I renewed the DHCP lease. That was a
> broad-brush solution, though, because I also lost all Zeroconf
> broadcasting. So I thought I needed to focus the blockage more.

If you didn't setup a DHCP relay, you don't have one (I doubt the devices
you mention would have such a beast)

> I don't know if the WRT can run plugged into the modem with the WAN
> port. If that would allow DHCP filtering maybe that is a solution.

If you have the dsl modem plugged in to the wan port on one of the wrts, the
dhcp traffic would stay on the lan side of the wrt. This is what the wrt
was designed to do.

If your dsl modem (being that it is also a router) is more limited than the
wrt, I'd recommend setting the dsl modem to bridged mode (if it's not
already) and use one of the other routers for your network. This is the
same basic setup that I have at home.

I have a dsl modem/router in bridged mode, a dedicated computer as the
firewall/nat/router and the rest of my network goes through it.

> Thanks for all the ideas, I hope I'm on the right track.
>
> -- Gnarlie
>
>
> On 7/16/07, Wakko Warner wrote:
> >Please keep list mail on the list.
> >
> >Gnarlodious wrote:
> >> On 7/16/07, Wakko Warner wrote:
> >> >Gnarlodious wrote:
> >> >> I would need to have another
> >> >> device on the UPS battery. I want to have only two devices taking
> >> >> power from the UPS battery, the modem and the server.
> >> >
> >> >A diagram might be more helpful.
> >> http://etc.Gnarlodious.com/Images/Lan1.png
> >
> >So you have a dsl connection with 3 computers and a wireless router
> >connected directly to it. I would assume that you want to keep those 3
> >computers from getting an IP via DHCP from the dsl modem? From the
> >networking perspective, unless the UPS is actually networked, it has nothing
> >to
> >do with the network. (Personally, I would assign a static IP to the UPS).
> >
> >Does the DSL modem have a built in hub?
> >
> >From the AP1 you have 2 PCs and another wireless router. Are these getting
> >their IP from AP1?
> >
> >From AP2 you have 2 PCs and nothing else. Since I don't know the
> >interfaces
> >on the AP devices, I don't know if they are routing traffic or switching
> >traffic.
> >
> >I guess the real question is, do the 4 devices connected (according to
> >your diagram) directly to your DSL modem have non-private IPs?
> >(private IP ranges: http://tools.ietf.org/html/rfc1918 section 3).
> >
> >> >DHCP is broadcast when one requests an IP. That's why it's
> >D(ynamic)HCP.
> >> OK, I'm starting to understand that what I want can't be done.
> >>
> >> >The best way I can think of is to have a system (computer, router,
> >whatever
> >> >running linux) with 2 bridged interfaces and block DHCP traffic going
> >> >across
> >> >the bridge.
> >> Any page that explains how to set that up? I'm not a network pro...
> >
> >The man page for ebtables and brctl. You'll need a linux kernel with
> >bridging (802.1d support), ebtables enabled (Personally, I just enable all
> >the netfilter modules and let the system decide at runtime which ones to
> >load), the drivers for 2 nics (I used 3c905b cards on a celeron 600 pc,
> >throughput is around 8-9mb/sec).
> >
> >> And thanks for the hint about ebtables.
> >
> >You could probably do it with iptables on a bridging interface, but
> >ebtables
> >might be easier.
> >
> >--
> > Lab tests show that use of micro$oft causes cancer in lab animals
> > Got Gas???
> >
>
--
Lab tests show that use of micro$oft causes cancer in lab animals
Got Gas???