Re: DHCP Spoofing on a bridge
On Mon, Apr 7, 2008 at 11:47 PM, Vinz486 <vinz486@gmail.com> wrote:
> Can I tell iptables: block only the DHCP requests from particular MAC
> addresses that try to go out through eth0?
man iptables :
MATCH EXTENSIONS
iptables can use extended packet matching modules. These are loaded in two ways: implicitly, when -p or --protocol is specified, or with the -m or --match options, followed by the matching module name; after these, various extra command line options become available, depending on the specific module. You can specify multiple extended match modules in one line, and you can use the -h or --help options after the module has been specified to receive help specific to that module.
The following are included in the base package, and most of these can be preceded by a ! to invert the sense of the match.
[...]
mac
--mac-source [!] address
Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.
So I'd say all you need is:
iptables -I FORWARD 1 -m mac --mac-source <MAC address> -o eth0 -p udp --dport 67 -j DROP
--
Dario Pilori
Linux registered user #406515
"et iam summa procul villarum culmina fumant,
maioresque cadunt altis de montibus umbrae."
Virgil, Eclogues (1st eclogue)
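
An added example, not part of the original post: a dry-run generator that prints the rule suggested above once per source MAC, rejecting anything not in the XX:XX:XX:XX:XX:XX form the man page requires. The function names and sample addresses are constructed; FORWARD is kept because it is the only built-in chain where both --mac-source and -o are usable.

```shell
#!/bin/sh
# Added example: print (never apply) one DHCP-drop rule per valid source MAC.

# Print the MAC upper-cased if it has the XX:XX:XX:XX:XX:XX form, else fail.
normalize_mac() {
    case "$1" in
        *[!0-9A-Fa-f:]*) return 1 ;;   # rejects dashes, spaces, newlines, etc.
    esac
    printf '%s\n' "$1" | tr 'a-f' 'A-F' |
        grep -Ex '([0-9A-F]{2}:){5}[0-9A-F]{2}'
}

# usage: dhcp_drop_rules OUT_IF MAC...
# Returns 0 if every MAC was accepted, 1 if any was skipped as malformed.
dhcp_drop_rules() {
    out_if=$1; shift
    rc=0
    seen=""
    for raw in "$@"; do
        if ! mac=$(normalize_mac "$raw"); then
            echo "skipping malformed MAC: $raw" >&2
            rc=1
            continue
        fi
        # Skip duplicates (same address in different letter case).
        case " $seen " in *" $mac "*) continue ;; esac
        seen="$seen $mac"
        # UDP destination port 67 is the DHCP server port, as in the thread.
        printf 'iptables -I FORWARD 1 -m mac --mac-source %s -o %s -p udp --dport 67 -j DROP\n' \
            "$mac" "$out_if"
    done
    return $rc
}

# Constructed sample addresses; the third is deliberately malformed.
dhcp_drop_rules eth0 00:1a:2b:3c:4d:5e 00:1A:2B:3C:4D:5E 00-11-22-33-44-55 ||
    echo "some addresses were rejected" >&2
```

Review the printed lines before running them as root; `iptables -S FORWARD` afterwards shows what was actually installed.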