Blacklisting MAC addresses, but they still take a DHCP lease
Use `ebtables` instead of `iptables` to block MAC addresses at layer 2:

```
ebtables -A INPUT -s 00:11:22:33:44:55 -j DROP
```
Although I think using `ebtables` may be the answer, it's another layer that I did not want to add to my configuration. One of the other techs helped me make a script to parse through the blacklist of IP addresses and add them to a new pool, which gives out no IP address whatsoever. It takes the regular blacklist (one MAC address per line) that I also spit into `iptables`, and just creates the new pool.
In my `/etc/dhcp/dhcpd.conf` file, I create a new class near the top:

```
class "blacklist" {
    match hardware;
}
```
In my pools with the "private side of the LAN", I add this:

```
deny members of "blacklist";
```
... and at the very end, I added:

```
include "/etc/dhcp/blacklist.conf";
```
Then, I create a Python script as per below:
```perl
#!/usr/bin/perl
use strict;
use warnings;

# Reads one MAC address per line on stdin (blank lines and '#' comments are
# skipped) and writes a dhcpd include file that puts every MAC into the
# "blacklist" class defined in dhcpd.conf. dhcpd only reads its configuration
# (including included files) at start, so restart it after regenerating.
my @macs;
my $line = 0;

while (<STDIN>) {
    $line++;
    next if /^\s*$/;
    next if /^\s*#/;
    chomp;
    # aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff, upper or lower case
    if (/^([a-f0-9]{2}((:|-)[a-f0-9]{2}){5})$/i) {
        push(@macs, lc $_);
    }
    else {
        die("syntax error on line $line\n");
    }
}

open(my $out, '>', '/etc/dhcp/blacklist.conf')
    or die("cannot write /etc/dhcp/blacklist.conf: $!\n");
foreach my $i (@macs) {
    $i =~ tr/-/:/;    # dhcpd wants colon-separated hardware addresses
    # "1:" is the hardware type (Ethernet) that precedes the address
    print $out "subclass \"blacklist\" 1:$i;\n";
}
close($out);
```
I save this, then I add the Execute bit with `chmod +x /usr/local/sbin/dhcpd-macblock.py`, and set a cron job that feeds the blacklist into the script every hour:

```
cat /etc/blacklist.txt | dhcpd-macblock.py
```
Every hour it goes through, creating a new file with all the MAC addresses that I don't want, and they don't even get a DHCP reservation, and my spots are slowly freeing up.
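The same generator in Python, as an added example that is not the answer's own script: it validates each line, normalises the MACs, de-duplicates them, renders the `subclass "blacklist" 1:<mac>;` lines used above, and replaces the include file atomically so dhcpd never reads a half-written file. The sample blacklist is constructed, and the atomic write is my addition, not part of the original procedure.

```python
import os
import re
import sys
import tempfile

# Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff in either case.
MAC_RE = re.compile(r"^[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}$", re.IGNORECASE)

# Constructed sample input (not from the original post) so the script runs offline.
SAMPLE_BLACKLIST = """# constructed example blacklist
00:11:22:33:44:55
AA-BB-CC-DD-EE-FF

00:11:22:33:44:55
"""

def parse_blacklist(text):
    """Return de-duplicated MACs in lower-case, colon-separated form. Blank and '#'
    lines are skipped; anything else raises ValueError naming the line, like the Perl die()."""
    macs, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not MAC_RE.match(line):
            raise ValueError(f"syntax error on line {lineno}: {raw!r}")
        mac = line.lower().replace("-", ":")
        if mac not in seen:          # emit one subclass per MAC, even if listed twice
            seen.add(mac)
            macs.append(mac)
    return macs

def render_subclasses(macs, class_name="blacklist"):
    """One 'subclass "blacklist" 1:<mac>;' line per MAC (1 = Ethernet hardware type)."""
    return "".join(f'subclass "{class_name}" 1:{mac};\n' for mac in macs)

def write_atomically(path, body):
    """Write a temp file beside the target and rename it into place (never half-written)."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".blacklist.")
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)

if __name__ == "__main__":
    # dhcpd-macblock.py /etc/dhcp/blacklist.conf < /etc/blacklist.txt; no argument renders the sample
    if len(sys.argv) > 1:
        write_atomically(sys.argv[1], render_subclasses(parse_blacklist(sys.stdin.read())))
    else:  # restart dhcpd after writing the real file: it reads its config only at start
        sys.stdout.write(render_subclasses(parse_blacklist(SAMPLE_BLACKLIST)))
```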