
I have two devices with embedded Linux. One of them (machine A) has two network interfaces: an eth interface that is used to connect the machines together and a wlan interface to connect to the router via WiFi. The second machine (B) has only one eth interface. My goal is to enable access to WiFi networks on machine B. I used some iptables rules to filter packets from machine A to machine B and it works. Now I need to block DHCP traffic on the first machine so that it does not reach the second machine. I was looking for some iptables rules to do it, but I found that it is impossible with iptables. Is there any other way to block that traffic?

Thank you in advance for any help.

user6758

2 Answers



I believe this is more or less the setup you envision. A connects to WiFi and gets an IP address. B is connected to A via ethernet and has its own (private, RFC 1918) IP.

You want B to reach devices on the WiFi.

Now, A uses DHCP to get an IP on the WiFi interface. But it doesn't forward DHCP to different interfaces unless you run a DHCP proxy. Furthermore, WLAN clients generally can't represent more than one MAC address, so somehow you'd have to assign an extra IP to A, or make A represent B's traffic on the WiFi.

The easy way to do this is to make A NAT the traffic that's coming from ethernet and forward it to WiFi. This is what your home router does, and it will allow B to talk to devices (and the internet) on WiFi. Devices on that network will believe the traffic is coming from A, as they can't see B at all.

For how to NAT, see for instance this question.

You should not attempt to clone addresses or any similar silly ideas. IPs are meant to be unique.

vidarlo

It is possible to block DHCP traffic using the successor of iptables, nftables, but only in a low-level table called netdev filter, which requires the full interface name (and that interface must exist). The main chains in that table are ingress (a weird name for input, as used in switches) and egress (output).

Some testing:

# Create the table if it is missing, then delete it, so loading this file
# with `nft -f` never stacks a second copy of the rules.
table netdev filter
delete table netdev filter
table netdev filter {
    # Interfaces on which this host sent a DHCP request in the last 10 s;
    # only replies arriving on one of these are accepted.
    set We_ask_for_DHCP_server {
        typeof iifname
        timeout 10s
        flags dynamic
    }
    # Interfaces on which a reply was just received.
    set We_just_get_answer_from_DHCP_server {
        typeof iifname
        timeout 10s
        flags dynamic
    }

    chain Log_drop_unknown_DHCP_client_searching_for_server {
        limit rate 30/minute burst 10 packets log prefix "[nft.netdev.input.dhcp-not-from-us]: " flags all
        counter drop
    }

    chain Check_if_DHCP_answer_was_asked {
        iifname == @We_ask_for_DHCP_server counter jump We_get_answer_from_DHCP_server comment "This is this PC receiving answer from a server"
        limit rate 30/minute burst 10 packets log prefix "[nft.netdev.input.dhcp-not-asked]: " flags all comment "Possibly second rogue DHCP server present"
        counter drop
    }

    chain We_asked_DHCP_server {
        delete @We_just_get_answer_from_DHCP_server { oifname }
        update @We_ask_for_DHCP_server { oifname }
        limit rate 30/minute burst 10 packets log prefix "[nft.netdev.output.dhcp]: " flags all
        counter accept comment "This is this PC asking for a server"
    }

    chain We_get_answer_from_DHCP_server {
        update @We_just_get_answer_from_DHCP_server { iifname }
        delete @We_ask_for_DHCP_server { iifname }
        limit rate 30/minute burst 10 packets log prefix "[nft.netdev.input.dhcp]: " flags all
        accept
    }

    # Both base chains are bound to real interface names; the table fails
    # to load if either device does not exist.
    chain ingress {
        type filter hook ingress devices = { "enp110s0", "wlo1" } priority -500; policy drop;
        udp sport == 68 udp dport == 67 counter jump Log_drop_unknown_DHCP_client_searching_for_server comment "This is some client asking for a server"
        udp sport == 67 udp dport == 68 counter jump Check_if_DHCP_answer_was_asked
        counter accept
    }

    chain egress {
        type filter hook egress devices = { "enp110s0", "wlo1" } priority -500; policy drop;
        udp sport == 68 udp dport == 67 counter jump We_asked_DHCP_server
        counter accept
    }
}

N.B. Some DHCP servers and clients may support a compile-time switch to use regular sockets instead of raw ones, thus enabling the use of iptables or non-netdev nftables.

avi9526