Score:0

Is it possible to block dhcp traffic using iptables?


I have two devices with embedded Linux. One of them (machine A) has two network interfaces: an eth interface that is used to connect the machines together and a wlan interface to connect to a router via WiFi. The second machine (B) has only one eth interface. My goal is to enable access to WiFi networks on machine B. I used some iptables rules to filter packets from machine A to machine B and it works. Now I need to block DHCP traffic on the first machine so that it does not reach the second machine. I was looking for some iptables rules to do it, but I found that it is impossible with iptables. Is there any other way to block that traffic?

Thank you in advance for any help.

anx
Wait, which do you want: Connect the interfaces, or prevent forwarding traffic from one to another?
user6758
@anx I would like to block only DHCP traffic from machine A to machine B, or more precisely between the wlan and eth interfaces on machine A.
vidarlo
This smells like a [XY-problem](https://xyproblem.info/). When one of the steps you require is to block DHCP, you're probably taking a wrong turn somewhere.
A.B
To remove any ambiguity, can you tell if machine A is configured as an access point or is a simple wireless client? And add in the answer for each device the output of these commands (some will return some results from before but that's still needed)? `ip -br link; ip -br address; ip route` then also `ip -br link show type bridge` and finally `ip -br link show type bridge_slave`.
vidarlo
@A.B he writes that A connects to a router, which probably means that's the AP...
TomTom
"When one of the steps you require is to block DHCP, you're probably taking a wrong turn somewhere." - not necessarily. Rogue DHCP servers are a known issue. Which is why e.g. Hyper-V has a mechanism to block VMs from acting as DHCP servers (unless disabled in the config). IBM once had the issue that people just set up DHCP servers for testing and then parts of the network got their IPs from there. Hence filtering makes a LOT of sense, unless you can nail down that no one attaches a rogue DHCP server somewhere.
vidarlo
@TomTom I *completely* agree with your comment. I was thinking more specifically about the problem as presented here, with a point-to-point link between two devices... Blocking unknown hosts acting as DHCP servers is a prudent part of network configuration for a network with multiple devices.
Score:2

[diagram: A on WiFi, B connected to A over ethernet]

I believe this is more or less the setup you envision. A connects to WiFi, and gets an IP address. B is connected to A via ethernet, and has its own (private RFC1918) IP.

You want B to reach devices on the WiFi.

Now, A uses DHCP to get an IP on the WiFi interface. But it doesn't forward DHCP to different interfaces, unless you run a DHCP proxy. Furthermore, WLAN clients generally can't represent more than one MAC address, so somehow you'd have to assign an extra IP to A - or make A represent B's traffic on the WiFi.

The easy way to do this is to make A NAT traffic that's coming from ethernet, and forward it to wifi. This is what your home router does, and will allow B to talk to devices (and internet) on WiFi. Devices on that network will believe the traffic is coming from A, as they can't see B at all.

For how to NAT, see for instance this question.

You should not attempt to clone addresses or any similar silly ideas. IPs are meant to be unique.
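The NAT setup described in the answer, with the DHCP filtering the question asked for, as an added example that is not part of the answer or the original post. It assumes eth0 is the link to machine B, wlan0 is the wireless client interface, and 192.168.10.0/24 is the RFC1918 subnet used on eth0; all three are assumptions for illustration. The DHCP rules sit in the FORWARD chain, which is the only place DHCP could cross from one interface to the other on a routed (not bridged) host: a DHCP renewal that B unicasts to the router's address would otherwise be NATed out like any other UDP traffic, and the reply would come back as ESTABLISHED.

```shell
#!/bin/sh
# Added example: NAT from eth0 (machine B) to wlan0 on machine A, with DHCP
# dropped in the forwarding path. Interface names and the subnet are assumed.
#
# Usage:
#   RUN=echo sh nat-dhcp.sh    # print the commands instead of running them
#   APPLY=1 sh nat-dhcp.sh     # apply the rules (needs root)
set -e

RUN="${RUN:-}"                          # set to "echo" for a dry run
LAN_IF="${LAN_IF:-eth0}"                # assumed: link to machine B
WAN_IF="${WAN_IF:-wlan0}"               # assumed: wireless client interface
LAN_NET="${LAN_NET:-192.168.10.0/24}"   # assumed: subnet on eth0

block_dhcp_forwarding() {
    # DHCP is UDP between ports 67 (server/relay) and 68 (client), so a
    # destination of 67:68 covers discover/request (to 67), offer/ack (to 68)
    # and relay-to-relay (67 to 67) in one rule per direction. These are
    # appended first so they sit above the ACCEPT rules added below.
    $RUN iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p udp --dport 67:68 -j DROP
    $RUN iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p udp --dport 67:68 -j DROP
}

setup_nat() {
    # Routing must be on, and A rewrites B's source address to its own wlan
    # address so the WiFi side only ever sees A's MAC/IP.
    $RUN sysctl -w net.ipv4.ip_forward=1
    $RUN iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # Only the eth0 subnet may originate flows; wlan0 may only return
    # traffic belonging to flows B started. Everything else is dropped.
    $RUN iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $RUN iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -P FORWARD DROP
}

configure_router() {
    block_dhcp_forwarding
    setup_nat
}

# Top-level only acts when explicitly asked, so sourcing the file is safe.
if [ "$RUN" = "echo" ] || [ "${APPLY:-0}" = "1" ]; then
    configure_router
fi
```

Two caveats a practitioner will want. First, this governs the forwarding path only: DHCP clients and servers such as dhclient, udhcpc or dnsmasq use raw packet sockets for their own traffic, which never traverses the INPUT or OUTPUT chains, so iptables cannot stop A's own DHCP client from talking to the router, and it cannot stop a DHCP server process on A from answering B; that has to be done by not running one. Second, if A were bridging eth0 and wlan0 instead of routing (which the answer notes a normal wireless client cannot do anyway), frames would cross at layer 2 and the filtering would have to be done with the bridge family (ebtables or nftables), not the IP FORWARD chain.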
