Thread: Block LAN DHCP broadcast

Block LAN DHCP broadcast
2007-07-16 08:52:43
Hello and thank you for the help.

I am running iptables v1.3.7 on a LAN router and I need to block DHCP requests. New machines on the router should be prevented from broadcasting DHCP, forcing only that router to handle DHCP.

Can this be done? Seems like I have been trying for days without success.

-- Gnarlie
http://Gnarlodious.com/

Re: Block LAN DHCP broadcast
Germany
2007-07-16 09:17:17
Assuming that all your hosts are connected to a single broadcast-domain LAN, that your firewall box is the layer 3 default gateway for internet connections for your hosts, and that you're talking about preventing all other hosts on this LAN from responding to DHCP broadcasts, that's pretty much impossible.

DHCP packets are not passing through your router box on their way between an assumed evil DHCP host and your normal hosts.

You could try to find some sort of filter options in your switching hardware to control the flow of broadcasts and/or DHCP packets.

Or you could try using some form of DHCP authentication.

Or you could have a separate VLAN for each of your hosts and only allow them to communicate via your router (possibly creating a performance bottleneck though...)

Re: Block LAN DHCP broadcast
2007-07-16 09:38:18
Thanks for the quick response. Not sure I understand all of that...

Yes, this LAN is all on one IP range. The routers are all connected with ethernet.

I don't want to block client computers, but I understand that if I drop DHCP ports 67 and 68 to and from other routers then DHCP will be handled by the router the computer is connected to. Is that right?

So, these are existing connections I need to block. Using iptables, is there a way using IP or MAC address to limit DHCP broadcast to other routers?

-- Gnarlie

Re: Block LAN DHCP broadcast
Germany
2007-07-16 10:30:05
On Mon, 2007-07-16 at 08:38 -0600, Gnarlodious wrote:
> Thanks for the quick response. Not sure I understand all of that...
> Yes, this LAN is all on one IP range. The routers are all connected with ethernet.
>
> I don't want to block client computers, but I understand that if I drop DHCP ports 67 and 68 to and from other routers then DHCP will be handled by the router the computer is connected to. Is that right?

AFAIK, DHCP requests aren't usually passed on by (Linux) routers (pseudo-UDP/IP packet to 255.255.255.255/FF:FF:FF:FF:FF:FF port), and if they were, you could probably simply stop them by filtering everything to UDP destination port 68. What makes you think that your router passes on DHCP requests?

On the contrary, one usually does have to put in a bit of effort to allow DHCP over routers (=> DHCP relay)...

Re: Block LAN DHCP broadcast
2007-07-16 11:07:08
On 7/16/07, Thomas Jacob wrote:
> What makes you think that your router passes on DHCP requests?

Because computers connected to the modem will obtain a Linksys DHCP range, and computers connected to a Linksys router may obtain a modem DHCP.

I have a DSL modem/router at the terminal end of a chain of Linksys routers, and the modem is not very configurable. I need to block DHCP at the Linksys so the modem is invisible to the routers. I tried disabling DHCP on the modem, but it has a server running from it and the server requires DHCP to be running. I could let the router handle the server's DHCP request, but then I would need to have another device on the UPS battery. I want to have only two devices taking power from the UPS battery, the modem and the server.

Any help to solve this problem with software would be greatly appreciated. These routers are Linksys WRT54GL with BusyBox v1.6.0 and iptables v1.3.7.

> On the contrary, one usually does have to put in a bit of effort to allow dhcp over routers (=> dhcp relay)...

In the BusyBox setup, DHCP broadcast is on by default, and apparently a little hard to disable.

-- Gnarlie

Re: Block LAN DHCP broadcast
United States
2007-07-16 11:37:05
Gnarlodious wrote:
> On 7/16/07, Thomas Jacob wrote:
> > What makes you think that your router passes on DHCP requests?
> Because computers connected to the modem will obtain a Linksys DHCP range, and computers connected to a Linksys router may obtain a modem DHCP.
>
> I have a DSL modem/router at the terminal end of a chain of Linksys routers, and the modem is not very configurable. I need to block DHCP at the Linksys so the modem is invisible to the routers. I tried disabling DHCP on the modem, but it has a server running from it and the server requires DHCP to be running. I could let the router handle the server's DHCP request, but then I would need to have another device on the UPS battery. I want to have only two devices taking power from the UPS battery, the modem and the server.

A diagram might be more helpful.

> Any help to solve this problem with software would be greatly appreciated. These routers are Linksys WRT54GL with BusyBox v1.6.0 and iptables v1.3.7.
>
> > On the contrary, one usually does have to put in a bit of effort to allow dhcp over routers (=> dhcp relay)...
> In the BusyBox setup, DHCP broadcast is on by default, and apparently a little hard to disable.

DHCP is broadcast when one requests an IP. That's why it's D(ynamic)HCP.

From what it sounds like, you have several routers attached to the same network as the DSL modem. There's really no way to stop DHCP across that.

The best way I can think of is to have a system (computer, router, whatever running Linux) with 2 bridged interfaces and block DHCP traffic going across the bridge. I did this at work with a spare PC so that my part of the network would see my BOOTP server and not the DHCP server that is also on the network. (HINT, use ebtables!)

--
Lab tests show that use of micro$oft causes cancer in lab animals
Got Gas???

Re: Block LAN DHCP broadcast
Germany
2007-07-16 12:07:34
You mean you installed the "dhcp-relay" package and then your box does relay DHCP messages? Sure, but it shouldn't do that if you didn't install that package and just switched on IP routing, or should it?

On Mon, 2007-07-16 at 12:07 -0400, Raciel wrote:
> You're wrong, I had working a Debian based firewall since November 23 of 2006 and it always relays DHCP broadcast without configuring anything, just install it and it works just fine. Actually I am using Debian Etch RC-1. I think I'll go figure out how to make some sort of DHCP authentication before introducing the packet flow into the firewall itself.
> Thank you very much for your kindly response
> Best regards

Re: Block LAN DHCP broadcast
United States
2007-07-16 13:09:58
No.

-gc

Gnarlodious wrote:
> Hello and thank you for the help.
>
> I am running iptables v1.3.7 on a LAN router and I need to block DHCP requests. New machines on the router should be prevented from broadcasting DHCP, forcing only that router to handle DHCP.
>
> Can this be done? Seems like I have been trying for days without success.
>
> -- Gnarlie
> http://Gnarlodious.com/

Re: Block LAN DHCP broadcast
United States
2007-07-16 19:43:55
Please keep list mail on the list.

Gnarlodious wrote:
> On 7/16/07, Wakko Warner wrote:
> > Gnarlodious wrote:
> > > I would need to have another device on the UPS battery. I want to have only two devices taking power from the UPS battery, the modem and the server.
> >
> > A diagram might be more helpful.
> http://etc.Gnarlodious.com/Images/Lan1.png

So you have a DSL connection with 3 computers and a wireless router connected directly to it. I would assume that you want to keep those 3 computers from getting an IP via DHCP from the DSL modem? From the networking perspective, unless the UPS is actually networked, it has nothing to do with the network. (Personally, I would assign a static IP to the UPS).

Does the DSL modem have a built in hub?

From AP1 you have 2 PCs and another wireless router. Are these getting their IP from AP1?

From AP2 you have 2 PCs and nothing else. Since I don't know the interfaces on the AP devices, I don't know if they are routing traffic or switching traffic.

I guess the real question is, do the 4 devices connected (according to your diagram) directly to your DSL modem have non-private IPs? (private IP ranges: http://tools.ietf.org/html/rfc1918 section 3).

> > DHCP is broadcast when one requests an IP. That's why it's D(ynamic)HCP.
> OK, I'm starting to understand that what I want can't be done.
>
> > The best way I can think of is to have a system (computer, router, whatever running linux) with 2 bridged interfaces and block DHCP traffic going across the bridge.
> Any page that explains how to set that up? I'm not a network pro...

The man page for ebtables and brctl. You'll need a Linux kernel with bridging (802.1d support), ebtables enabled (personally, I just enable all the netfilter modules and let the system decide at runtime which ones to load), the drivers for 2 NICs (I used 3c905b cards on a Celeron 600 PC, throughput is around 8-9mb/sec).

> And thanks for the hint about ebtables.

You could probably do it with iptables on a bridging interface, but ebtables might be easier.

--
Lab tests show that use of micro$oft causes cancer in lab animals
Got Gas???
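The two-NIC bridge with ebtables that Wakko Warner recommends here and in his earlier reply, written out as an added example (not a script from the thread or from any of its posters). It assumes br0 as the bridge name, eth0 as the inside (WRT/PC side) port and eth1 as the modem-side port, and only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread: a two-NIC Linux bridge that drops DHCP
# in both directions, as Wakko Warner describes (brctl + ebtables).
# Assumed names: br0 = bridge, eth0 = inside (WRT/PC side), eth1 = modem side.
# Dry-run by default (prints the commands); run as root with APPLY=1 to apply.
# DHCP on the bridge host itself is untouched: the ebtables FORWARD chain only
# sees frames crossing the bridge, not frames to or from the host's own stack.

dhcp_bridge_rules() {
    br="$1"; inside="$2"; outside="$3"
    cat <<EOF
brctl addbr $br
brctl addif $br $inside
brctl addif $br $outside
ip link set $inside up
ip link set $outside up
ip link set $br up
ebtables -F FORWARD
# server->client DHCP (UDP 67 -> 68) coming in from the modem side: log and drop
ebtables -A FORWARD -i $outside -p IPv4 --ip-proto udp --ip-sport 67 --ip-dport 68 --log-level info --log-prefix "DHCP-BLOCK-IN: " -j DROP
# client->server DHCP (UDP 68 -> 67) heading out toward the modem side: log and drop
ebtables -A FORWARD -i $inside -p IPv4 --ip-proto udp --ip-sport 68 --ip-dport 67 --log-level info --log-prefix "DHCP-BLOCK-OUT: " -j DROP
# the reverse pairs, so neither side's DHCP reaches the other at all
ebtables -A FORWARD -i $inside -p IPv4 --ip-proto udp --ip-sport 67 --ip-dport 68 -j DROP
ebtables -A FORWARD -i $outside -p IPv4 --ip-proto udp --ip-sport 68 --ip-dport 67 -j DROP
EOF
}

# Count the DROP rules a generated rule set contains (sanity check).
dhcp_drop_rule_count() {
    dhcp_bridge_rules "$@" | grep -c '^ebtables -A FORWARD .* -j DROP$'
}

if [ "${APPLY:-0}" = 1 ]; then
    dhcp_bridge_rules br0 eth0 eth1 | sh -e
else
    dhcp_bridge_rules br0 eth0 eth1
fi
```

The logged rules show up in the kernel log with the DHCP-BLOCK prefixes, which is how you confirm the modem's offers are really being stopped at the bridge rather than just not arriving; every other broadcast (Zeroconf included) still crosses unchanged.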

Re: Block LAN DHCP broadcast
2007-07-16 20:40:02
Hi, thanks for all the interest. This firmware runs on all WiFi routers with a Broadcom chipset, including some Linksys models, Buffalo, Asus and others. It is Linux with a complement of utilities for networking, so it comes defaulted to network by simply plugging it in. The router is made so you can add or remove it from the network and it all keeps working. It's great.

The "UPS" in my diagram is an Uninterruptible Power Supply, not a computer. I included it to illustrate the miserly power requirements of the two devices that it feeds. It does not have a network connection, but it talks to the server through USB.

The DSL modem is also an access point/router, it has 4 ethernet ports and WiFi, which is disabled. Unfortunately it is somewhat limited in capability. The server is connected with a static IP address and is internet accessible, sort of a limited DMZ setup. The modemrouter needs to have spare DHCP available for power failure emergency use, otherwise I could set the DHCP range to nil and not bother with this problem.

Along the Ethernet Backbone there are several more devices than what I drew, that was just a minimal example. This leg of the network is inaccessible from the internet. All routers are WRT54GLs with full Linux routing capabilities. All WRTs have a static IP, are connected on LAN ports and connections cascade nicely. The only problem is that the WRTs include the modemrouter in their DHCP broadcast. This is what I am trying to prevent. The modemrouter also broadcasts DHCP to the WRTs, so I want blocking both ways.

All PCs on the network are simple clients. There is no NAT or anything fancy here. I don't know if a "dhcp relay daemon is running", how would I find out? The reason I thought this would work is, I did try an iptables command that caused the problem computer to obtain the correct IP address when I renewed the DHCP lease. That was a broad-brush solution, though, because I also lost all Zeroconf broadcasting. So I thought I needed to focus the blockage more.

I don't know if the WRT can run plugged into the modem with the WAN port. If that would allow DHCP filtering maybe that is a solution.

Thanks for all the ideas, I hope I'm on the right track.

-- Gnarlie