DHCP Filtering with ebtables


In this example, we are assuming that you are running a DHCP server on your iptables/netfilter system and are attempting to filter out incoming requests to the server using firewall rules. If you attempted the previous example, you have probably already noticed that this does not work. This is because DHCP is handled at a much lower level than iptables/netfilter can process: the frames are switched on the bridge before the IP layer ever sees them. This particular problem calls for using ebtables (http://ebtables.sourceforge.net) as the solution, as outlined in the first section of this chapter.

Example rule:

 $EBTABLES -A INPUT -s 00:11:22:33:44:55 -j DROP 

Note that this rule uses the INPUT chain. This is because the traffic is destined to the iptables/netfilter system itself. Applying the lessons learned from the simple iptables-based MAC filtering detailed previously, we can create a user-defined chain to filter out multiple MAC addresses.

Example:

$EBTABLES -N MACFILTER
$EBTABLES -A MACFILTER -s 00:11:22:33:44:55 -j ACCEPT
$EBTABLES -A MACFILTER -s 00:11:22:33:44:11 -j ACCEPT
$EBTABLES -A MACFILTER -s 00:11:22:33:44:22 -j ACCEPT
$EBTABLES -A MACFILTER -s 00:11:22:33:44:33 -j ACCEPT
$EBTABLES -A MACFILTER -j DROP

This would be followed by an INPUT chain rule to only allow MAC addresses listed in MACFILTER to communicate with the firewall.

# eth0 is the physical interface that would be receiving the traffic.

 $EBTABLES -A INPUT -i eth0 -j MACFILTER 

As in the MAC filtering section earlier, if you only wanted to apply these rules to traffic passing through the firewall (bridged frames, rather than frames addressed to the firewall itself), you would use the FORWARD chain instead:

 $EBTABLES -A FORWARD -i eth0 -j MACFILTER 

# eth0 is the physical interface that would be receiving the traffic.
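The chain-building procedure above, as an added shell example that is not from the book: it validates each address in an allow-list, creates the user-defined chain with one ACCEPT per MAC and a trailing DROP, and hooks it into INPUT or FORWARD on the given interface. The EBTABLES and DRY_RUN variables, the ebt wrapper and the function names are assumptions of this example, not something the page defines; with DRY_RUN=1 (the default here) the script only prints the ebtables commands it would run, so it can be reviewed before being applied as root. The sample MACs are the page's own.

```shell
#!/bin/sh
# Added example (not from the book): build a MAC allow-list chain for ebtables.
# Assumed variables: EBTABLES names the binary, DRY_RUN=1 prints commands
# instead of executing them. Both are illustrative, not from the original page.

EBTABLES="${EBTABLES:-/sbin/ebtables}"
DRY_RUN="${DRY_RUN:-1}"

# Run an ebtables invocation, or print it when DRY_RUN is set.
ebt() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s %s\n' "$EBTABLES" "$*"
  else
    "$EBTABLES" "$@"
  fi
}

# Return 0 if $1 is a colon-separated 48-bit MAC address, 1 otherwise.
valid_mac() {
  h='[0-9a-fA-F][0-9a-fA-F]'
  case "$1" in
    $h:$h:$h:$h:$h:$h) return 0 ;;
    *) return 1 ;;
  esac
}

# build_macfilter CHAIN IFACE HOOK "mac1 mac2 ..."
#   CHAIN : user-defined chain to create (e.g. MACFILTER)
#   IFACE : ingress interface the jump rule matches on (e.g. eth0)
#   HOOK  : INPUT for frames to the firewall itself, FORWARD for bridged frames
# Every MAC is checked before any rule is issued, so a typo in the list
# leaves the tables untouched; the function returns 1 in that case.
build_macfilter() {
  chain="$1"; iface="$2"; hook="$3"; macs="$4"
  for mac in $macs; do
    if ! valid_mac "$mac"; then
      echo "rejecting malformed MAC address: $mac" >&2
      return 1
    fi
  done
  ebt -N "$chain"
  for mac in $macs; do
    ebt -A "$chain" -s "$mac" -j ACCEPT
  done
  ebt -A "$chain" -j DROP            # default-deny for anything not listed
  ebt -A "$hook" -i "$iface" -j "$chain"
}

# Number of ebtables commands a given allow-list produces (dry-run only).
count_commands() {
  DRY_RUN=1 build_macfilter "$@" | wc -l | tr -d ' '
}

# Usage (prints the commands; set DRY_RUN=0 and run as root to apply):
# build_macfilter MACFILTER eth0 INPUT \
#   "00:11:22:33:44:55 00:11:22:33:44:11 00:11:22:33:44:22 00:11:22:33:44:33"
```

Validating the whole list before issuing the first command matters operationally: ebtables applies rules one at a time, and a script that dies halfway through leaves a chain with ACCEPT entries but no terminating DROP, which is the opposite of the intended policy.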



    Troubleshooting Linux Firewalls
    ISBN: 321227239
    Year: 2004
    Pages: 169