OpenWrt Forum Archive

Topic: How to block DHCPv4/v6, ARP and RADVD with ebtables on bridge

The content of this topic has been archived on 9 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have the following setup on every router running OpenWrt.

- A bridge br-mesh over the interfaces bat0, eth0.4 and ath0. bat0 is the virtual mesh interface which connects every router with the others using the routing daemon/protocol batman-adv. eth0.4 is a VLAN over two LAN ports on every router, ath0 is a WLAN interface in AP mode.

- Every router is running radvd and a DHCPv4 daemon.

My goal is to have local IPv4 addresses on every router, so I want to block all ARP packets and DHCPv4 traffic over the bat0 interface. As every router announces the same IPv6 unique local prefix, I also want to get rid of the radvd announcements over bat0 to save the traffic created by multicasts/broadcasts. The announcing of "evil" IPv6 default gateways shall also be reduced this way. So finally I would also like to block DHCPv6 servers over bat0.

So far I've found the following ebtables rules to block DHCPv4 and ARP (it would be nice if someone could confirm that they work the way I want).

#Block DHCPv4 over the Mesh-network
ebtables -A INPUT --in-interface bat0 --protocol IPv4 --ip-protocol udp --ip-source-port 68 -j DROP
ebtables -A INPUT --in-interface bat0 --protocol IPv4 --ip-protocol udp --ip-destination-port 67 -j DROP
ebtables -A FORWARD --in-interface bat0 --protocol IPv4 --ip-protocol udp --ip-destination-port 67 -j DROP
ebtables -A FORWARD --in-interface ath0 --out-interface bat0 --protocol IPv4 --ip-protocol udp --ip-source-port 68 -j DROP
ebtables -A FORWARD --in-interface eth0.4 --out-interface bat0 --protocol IPv4 --ip-protocol udp --ip-source-port 68 -j DROP

#Block ARP over the Mesh-network
ebtables -A INPUT --in-interface bat0 --protocol ARP -j DROP
ebtables -A FORWARD --in-interface bat0 --protocol ARP -j DROP
ebtables -A FORWARD --in-interface ath0 --out-interface bat0 --protocol ARP -j DROP
ebtables -A FORWARD --in-interface eth0.4 --out-interface bat0 --protocol ARP -j DROP

Now I'm having more trouble finding the right rules to block DHCPv6 and radvd over bat0. Thanks in advance for the help.

PS: I'm aware of the fact that people can create manual ARP entries and that IPv4 traffic is therefore not blocked entirely. But this is not a problem; in fact, it's intended this way.
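The IPv6 counterpart of the rules above, as an added example that is not part of the original post: Router Advertisements are ICMPv6 type 134 and DHCPv6 runs over UDP with clients on port 546 and servers on port 547, so the same INPUT/FORWARD pattern the poster used for DHCPv4 and ARP can be mirrored with the ebtables ip6 match. The interface names (bat0, ath0, eth0.4) are taken from the post; the script assumes an ebtables version with `--ip6-icmp-type` (2.0.10 or newer; on OpenWrt the ip6 match lives in the kmod-ebtables-ipv6 package). By default it only prints the rules so they can be reviewed; `apply` feeds them to the `ebtables` binary named in `$EBT`.

```shell
#!/bin/sh
# Added example, not from the forum post: block Router Advertisements and
# DHCPv6 over the batman-adv mesh interface, mirroring the poster's v4 rules.
MESH_IF="${MESH_IF:-bat0}"            # mesh side of br-mesh (from the post)
LAN_IFS="${LAN_IFS:-ath0 eth0.4}"     # local sides of br-mesh (from the post)
EBT="${EBT:-ebtables}"                # binary used by 'apply'

# Print one rule per line; nothing is applied here.
rule() { printf '%s\n' "$*"; }

mesh_v6_rules() {
    # Router Advertisements (ICMPv6 type 134, IPv6 next header 58):
    # drop those arriving from the mesh, whether addressed to this
    # router (INPUT) or bridged onwards to ath0/eth0.4 (FORWARD) ...
    rule "-A INPUT --in-interface $MESH_IF --protocol IPv6 --ip6-proto 58 --ip6-icmp-type 134 -j DROP"
    rule "-A FORWARD --in-interface $MESH_IF --protocol IPv6 --ip6-proto 58 --ip6-icmp-type 134 -j DROP"
    # ... and keep this router's own radvd traffic from leaking into the mesh.
    for lan in $LAN_IFS; do
        rule "-A FORWARD --in-interface $lan --out-interface $MESH_IF --protocol IPv6 --ip6-proto 58 --ip6-icmp-type 134 -j DROP"
    done

    # DHCPv6: servers answer from UDP 547, clients send to UDP 547.
    # Drop server replies coming in from the mesh (rogue/remote servers) ...
    rule "-A INPUT --in-interface $MESH_IF --protocol IPv6 --ip6-proto udp --ip6-sport 547 -j DROP"
    rule "-A FORWARD --in-interface $MESH_IF --protocol IPv6 --ip6-proto udp --ip6-sport 547 -j DROP"
    # ... and client requests coming in from the mesh ...
    rule "-A INPUT --in-interface $MESH_IF --protocol IPv6 --ip6-proto udp --ip6-dport 547 -j DROP"
    rule "-A FORWARD --in-interface $MESH_IF --protocol IPv6 --ip6-proto udp --ip6-dport 547 -j DROP"
    # ... and local client requests (source port 546) heading out to the mesh.
    for lan in $LAN_IFS; do
        rule "-A FORWARD --in-interface $lan --out-interface $MESH_IF --protocol IPv6 --ip6-proto udp --ip6-sport 546 -j DROP"
    done
}

# Number of rules that would be installed (handy for a sanity check).
count_rules() { mesh_v6_rules | wc -l | tr -d ' '; }

# Hand every generated rule to ebtables; stop at the first failure.
apply_rules() {
    mesh_v6_rules | while read -r r; do
        # shellcheck disable=SC2086
        $EBT $r || exit 1
    done
}

case "${1:-print}" in
    apply) apply_rules ;;
    *)     mesh_v6_rules ;;
esac
```

The rules are appended with `-A`, so running `apply` twice installs duplicates; flush first (`ebtables -F INPUT; ebtables -F FORWARD`) or check with `ebtables -L --Lc` before re-applying. Note that ebtables only sees frames crossing the bridge, so DHCPv6 or RA traffic this router itself emits on bat0 is matched in the FORWARD rules by its ingress interface (ath0/eth0.4), not by an OUTPUT rule.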

Hi,

Normally you should use eb6tables and not ebtables to filter IPv6, just the same way you use ip6tables and not iptables.
