How can I block all traffic to/from an bridged interface while allowing DHCP?
I have a PC (running Fedora 20) that is being used as a "software switch" to control the network connectivity of some external devices. There are eight such devices; the PC has two 4-port Ethernet cards in addition to its own Ethernet connection to the outside world. By default, the eight device interfaces are forwarded to the external interface with no filtering.
The desired functionality is the ability to block all traffic to and from a given device. Currently, we are doing this using bridge link set dev <device> state 0
, which sets the bridge state of the device to "disabled". However, this appears to also block DHCP traffic from the device. The network's DHCP server is accessible via the external interface, so it seems like the bridge is blocking this traffic, meaning that if the device tries to renew its IP, this fails; this is problematic in terms of the tests I'm trying to perform on the device.
What I'd like to do is to block all traffic except DHCP across the bridge, for a given device. It seems like the bridge
command can't do this, so I'd probably want to leave the bridge state as "forwarding" permanently. Having done some research, it seems like ebtables
is the tool I need, but configuring it seems to need more knowledge of DHCP and networking than I have! From reading a few ebtables
tutorials, I think I need to allow traffic on ports 67 and 68 (I believe these are the only ports used for DHCP?) and block all other traffic.
So my questions are:
- Is it possible to configure
ebtables
to do what I want? - Is
ebtables
the best tool for the job and/or are there any abstraction layers on top of it that would make it easier to configure? (I'm thinking offerm
foriptables
.) - Assuming I'm heading in the right direction, how would I configure
ebtables
to block all traffic bar DHCP?
Yes, you need ebtables to apply netfilter rules on a bridge.
The match rule is ip
with parameters --ip-source-port
and --ip-destination-port
.
You'd configure ebtables to allow the traffic you want, then an explicit drop for any other traffic.
The DHCP client port is UDP 68, the DHCP server port is UDP 67.
I believe the correct command syntax and order would be:
ebtables -I INPUT -i eth0 -o eth0 -p ip -j DROP
ebtables -I INPUT -i eth0 -o eth0 -p ip --ip-protocol udp --ip-source-port 67 -j ACCEPT
ebtables -I INPUT -i eth0 -o eth0 -p ip --ip-protocol udp --ip-source-port 68 -j ACCEPT
ebtables -I INPUT -i eth0 -o eth0 -p ip --ip-protocol udp --ip-destination-port 67 -j ACCEPT
ebtables -I INPUT -i eth0 -o eth0 -p ip --ip-protocol udp --ip-destination-port 68 -j ACCEPT
ebtables-save