[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: DHCP Spoofing su un bridge

On Mon, Apr 7, 2008 at 11:47 PM, Vinz486 <vinz486@gmail.com> wrote:
>  Posso dire a iptables: blocca solo le richiese dhcp di particolari MAC
>  address che tentano di uscire da eth0?

man iptables :

MATCH EXTENSIONS
       iptables can use extended packet matching modules.  These are
loaded in two ways: implicitly, when -p or --protocol  is  specified,
       or  with  the  -m  or --match options, followed by the matching
module name; after these, various extra command line options become
       available, depending on the specific module.  You can specify
multiple extended match modules in one line, and you can use  the  -h
       or --help options after the module has been specified to
receive help specific to that module.

       The following are included in the base package, and most of
these can be preceded by a !  to invert the sense of the match.

[...]

   mac
       --mac-source [!] address
              Match source MAC address.  It must be of the form
XX:XX:XX:XX:XX:XX.  Note that this only makes  sense  for  packets
coming
              from an Ethernet device and entering the PREROUTING,
FORWARD or INPUT chains.

Quindi direi che basta un:
iptables -I FORWARD 1 -m mac --mac-source <indirizzo mac> -o eth0 -p
udp --dport 67 -j DROP

-- 
Dario Pilori
Linux registered user #406515

"et iam summa procul villarum culmina fumant,
maioresque cadunt altis de montibus umbrae."
Virgilio, Bucoliche (1a egloga)
Reply to: