How can I block all traffic to/from an bridged interface while allowing DHCP?

networking iptables dhcp bridge

I have a PC (running Fedora 20) that is being used as a "software switch" to control the network connectivity of some external devices. There are eight such devices; the PC has two 4-port Ethernet cards in addition to its own Ethernet connection to the outside world. By default, the eight device interfaces are forwarded to the external interface with no filtering.

The desired functionality is the ability to block all traffic to and from a given device. Currently, we are doing this using bridge link set dev <device> state 0, which sets the bridge state of the device to "disabled". However, this appears to also block DHCP traffic from the device. The network's DHCP server is accessible via the external interface, so it seems like the bridge is blocking this traffic, meaning that if the device tries to renew its IP, this fails; this is problematic in terms of the tests I'm trying to perform on the device.

What I'd like to do is to block all traffic except DHCP across the bridge, for a given device. It seems like the bridge command can't do this, so I'd probably want to leave the bridge state as "forwarding" permanently. Having done some research, it seems like ebtables is the tool I need, but configuring it seems to need more knowledge of DHCP and networking than I have! From reading a few ebtables tutorials, I think I need to allow traffic on ports 67 and 68 (I believe these are the only ports used for DHCP?) and block all other traffic.

So my questions are:

  1. Is it possible to configure ebtables to do what I want?
  2. Is ebtables the best tool for the job and/or are there any abstraction layers on top of it that would make it easier to configure? (I'm thinking of ferm for iptables.)
  3. Assuming I'm heading in the right direction, how would I configure ebtables to block all traffic bar DHCP?

Yes, you need ebtables to apply netfilter rules on a bridge.

The match rule is ip with parameters --ip-source-port and --ip-destination-port.

You'd configure ebtables to allow the traffic you want, then an explicit drop for any other traffic.

The DHCP client port is UDP 68, the DHCP server port is UDP 67.

I believe the correct command syntax and order would be:

ebtables -I INPUT -i eth0 -o eth0 -p ip -j DROP
ebtables -I INPUT -i eth0 -o eth0 -p ip --ip-protocol udp --ip-source-port 67 -j ACCEPT
ebtables -I INPUT -i eth0 -o eth0 -p ip --ip-protocol udp --ip-source-port 68 -j ACCEPT
ebtables -I INPUT -i eth0 -o eth0 -p ip --ip-protocol udp --ip-destination-port 67 -j ACCEPT
ebtables -I INPUT -i eth0 -o eth0 -p ip --ip-protocol udp --ip-destination-port 68 -j ACCEPT
ebtables-save

Related

How do I enable nis schema in apacheDS?
How to determine performance improvement from precompiling ASP.NET site?
Unbound, exceptions to local-zone rules for specific subdomains and main domain
Configuring Pfsense via ssh
How do I condition power between a generator and a UPS?
Router limits network performance but its CPU load isn't 100%
Tunneling cassandra via ssh gives me a connection closed error
pdftk: edit PDF file in-place
Zabbix cannot connect to a PostgreSQL database
Nginx doesn't send certificate chain
How to schedule a task to run when the windows server is reboot or shutdown?
Execute Powershell Add-Computer remotely via Invoke-Command