Networking Forums

Ebtables to stop DHCP and ARP

 
 
support@isotech-inc.com
      07-26-2007, 06:48 PM
Here is my setup:

Private IP Address Network <==> Linux Ethernet Bridge <==> Public IP Address Network

The bridge is there so that we can set static public IP Addresses
behind the Private IP Gateway (I have no control over this device).

This setup works great in one of our other locations, but here we have
a problem. The Gateway for the Public IP Address Network thinks that
it has ALL PRIVATE IP ADDRESSES. So when a new device turns on in the
Private network and does a DHCP Discover, Offer, Request, and ACK, it
then does a Gratuitous ARP Broadcast asking who has the address it's
received, then the Public IP Gateway responds with ARP saying that the
IP address is at its MAC address. So I figure, the best way to stop
this is to use ebtables to block the DHCP and ARP from the private
addresses. Here are the commands that I am using, but aren't working:

ebtables -P FORWARD DROP
ebtables -P INPUT DROP
ebtables -P OUTPUT DROP
ebtables -A FORWARD -p IPv4 -j ACCEPT
ebtables -A FORWARD -p ARP -j ACCEPT
ebtables -A INPUT -p IPv4 -j ACCEPT
ebtables -A INPUT -p ARP -j ACCEPT
ebtables -A OUTPUT -p IPv4 -j ACCEPT
ebtables -A OUTPUT -p ARP -j ACCEPT
ebtables -A INPUT -i $PRIVATE_NET -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport 67:68 -j DROP
ebtables -A INPUT -i $PUBLIC_NET -p arp --arp-ip-src 192.168.0.0/16 -j DROP

Any suggestions on how to block this properly in ebtables or
suggestions of any settings I may be missing?

 
Clifford Kite
      07-29-2007, 01:51 AM
(E-Mail Removed) wrote:
> Here is my setup:


> Private IP Address Network <==> Linux Ethernet Bridge <==> Public IP Address Network


> The bridge is there so that we can set static public IP Addresses
> behind the Private IP Gateway (I have no control over this device).


> This setup works great in one of our other locations, but here we have
> a problem. The Gateway for the Public IP Address Network thinks that
> it has ALL PRIVATE IP ADDRESSES. So when a new device turns on in the
> Private network and does a DHCP Discover, Offer, Request, and ACK, it
> then does a Gratuitous ARP Broadcast asking who has the address it's
> received, then the Public IP Gateway responds with ARP saying that the
> IP address is at its MAC address. So I figure, the best way to stop
> this is to use ebtables to block the DHCP and ARP from the private
> addresses. Here are the commands that I am using, but aren't working:


> ebtables -P FORWARD DROP
> ebtables -P INPUT DROP
> ebtables -P OUTPUT DROP
> ebtables -A FORWARD -p IPv4 -j ACCEPT
> ebtables -A FORWARD -p ARP -j ACCEPT
> ebtables -A INPUT -p IPv4 -j ACCEPT
> ebtables -A INPUT -p ARP -j ACCEPT
> ebtables -A OUTPUT -p IPv4 -j ACCEPT
> ebtables -A OUTPUT -p ARP -j ACCEPT


I don't know much about ebtables, but guessing from what I do know about
iptables, at this point you have ACCEPTed all IPv4 and all ARP whatever,
so that the two rules below never come into play.

> ebtables -A INPUT -i $PRIVATE_NET -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport 67:68 -j DROP
> ebtables -A INPUT -i $PUBLIC_NET -p arp --arp-ip-src 192.168.0.0/16 -j DROP


Perhaps eliminating

ebtables -A INPUT -p IPv4 -j ACCEPT
ebtables -A INPUT -p ARP -j ACCEPT

and replacing the last two DROP rules with

ebtables -A INPUT -i $PRIVATE_NET -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport ! 67:68 -j ACCEPT
ebtables -A INPUT -i $PUBLIC_NET -p arp --arp-ip-src ! 192.168.0.0/16 -j ACCEPT

would do it.

> Any suggestions on how to block this properly in ebtables or
> suggestions of any settings I may be missing?


Sorry, but any further suggestion from me would be a *real* WAG.

Regards-
--
Clifford Kite
/* In my book, the first poster to resort to personal abuse in a Usenet
debate loses by default. - Rod Smith */

 
support@isotech-inc.com
      07-30-2007, 07:41 PM
Well, that didn't do it exactly - but it pointed me in the right
direction. I will post the rules I ended up with when I'm all done.
I've only been using ebtables/iptables for a little while, so I'm
still getting the hang of it.

 
Clifford Kite
      07-30-2007, 09:11 PM
(E-Mail Removed) wrote:
> Well, that didn't do it exactly - but it pointed me in the right
> direction. I will post the rules I ended up with when I'm all done.
> I've only been using ebtables/iptables for a little while, so I'm
> still getting the hang of it.


Yep, I know the feeling - it takes experience to be sure. Thanks for
the follow up.

Here's something that occurred to me and might help. Replacing

ebtables -A INPUT -i $PRIVATE_NET -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport ! 67:68 -j ACCEPT

with

ebtables -A INPUT -i $PRIVATE_NET -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-dport ! 67:68 -j ACCEPT

should accept all IPv4 (not just UDP) traffic not bound for ports 67 or 68.
IPv4 traffic bound for those ports will be dropped, but that seems rather
unlikely to cause a problem.

Regards-
--
Clifford Kite
 
support@isotech-inc.com
      07-31-2007, 03:16 PM
I ended up moving the packets that I want blocked to the FORWARD chain
so I didn't have to worry about what interface it was coming in (just
in case the ethernet cables are in the wrong plug). And I moved the
rules to block the packets above the rules to allow - I forgot that
order matters with ebtables/iptables. I keep looking at it and
thinking something's wrong, but it works and fixes all the problems
I've been having! Thanks for your help.

# Clear ebtables
ebtables -F
ebtables -X

# Drop everything and build up Input and Output to accept IP and ARP
ebtables -P FORWARD DROP
ebtables -P INPUT DROP
ebtables -P OUTPUT DROP
ebtables -A INPUT -p IPv4 -j ACCEPT
ebtables -A INPUT -p ARP -j ACCEPT
# (no -j here: the frame is logged and then falls through to the INPUT policy, which is DROP)
ebtables -A INPUT --log-level info --log-ip --log-prefix EBFW
ebtables -A OUTPUT -p IPv4 -j ACCEPT
ebtables -A OUTPUT -p ARP -j ACCEPT
ebtables -A OUTPUT --log-level info --log-ip --log-arp --log-prefix EBFW -j DROP

# Drop private IP ARP traffic and any Private responses from the Public Internet
# (these must sit above the ACCEPT rules below: the first matching rule wins)
ebtables -A FORWARD -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport 67:68 -j DROP
ebtables -A FORWARD -p arp --arp-ip-src 192.168.0.0/16 -j DROP
ebtables -A FORWARD -p arp --arp-ip-dst 192.168.0.0/16 -j DROP

# Let the rest of the Packets through
ebtables -A FORWARD -p IPv4 -j ACCEPT
ebtables -A FORWARD -p ARP -j ACCEPT

 
 
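The final FORWARD chain above, and Clifford Kite's earlier point that an ACCEPT placed ahead of a DROP means the DROP is never reached, can be checked without a bridge at hand. What follows is an added example, not code from this thread: a small Python model of the ebtables matches the posted rules use (-p, -d, --ip-proto, --ip-dport, --arp-ip-src and --arp-ip-dst) walked first-match-wins against constructed Ethernet frames. The MAC addresses, the 192.168.1.0/24 hosts and the 203.0.113.0/24 "public" addresses are made up; the model renders -d ff:ff:ff:ff:ff:ff without the redundant /ff:ff:ff:ff:ff:ff mask and spells --ip-proto in full where the thread abbreviates it to --ip-prot. Two caveats it brings out that the rules alone do not: ebtables only accepts --ip-dport together with --ip-proto tcp, udp, sctp or dccp, so the 07-30 variant without --ip-prot is rejected by the tool rather than matching all IPv4; and a client renewing an existing lease sends its DHCPREQUEST as unicast to the server, so the broadcast-only DHCP rule lets it through. Anything that is neither IPv4 nor ARP (IPv6, 802.1Q-tagged frames) is dropped by the policy.

```python
"""Added example (not from the thread): a model of the ebtables matches the posted
rules use (-p, -d, --ip-proto, --ip-dport, --arp-ip-src/dst) with the first-match
walk of a chain, run over constructed frames. MACs and addresses are made up."""
import ipaddress
import struct

ETH_IPV4, ETH_ARP, ETH_IPV6 = 0x0800, 0x0806, 0x86DD
BCAST = bytes.fromhex("ffffffffffff")
PRIVATE = ipaddress.ip_network("192.168.0.0/16")
ip4 = ipaddress.IPv4Address                 # accepts dotted text or 4 raw bytes

def eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def arp_frame(dst, src, op, sender_ip, target_ip, target_mac=bytes(6)):
    """Ethernet + ARP for IPv4; op 1 = request (gratuitous when sender == target), 2 = reply."""
    arp = struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, op) + src + ip4(sender_ip).packed
    return eth(dst, src, ETH_ARP, arp + target_mac + ip4(target_ip).packed)

def udp_frame(dst, src, src_ip, dst_ip, sport, dport, payload=b""):
    """Ethernet + minimal 20-byte IPv4 header (checksum left zero) + UDP."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip4(src_ip).packed, ip4(dst_ip).packed)
    return eth(dst, src, ETH_IPV4, ip + udp)

def matches(rule, frame):
    """True if every match in the rule holds for the frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if rule["proto"] != ethertype or ("dst" in rule and frame[:6] != rule["dst"]):
        return False
    if ethertype == ETH_IPV4:
        l4 = 14 + (frame[14] & 0x0F) * 4    # start of the transport header
        if "ip_proto" in rule and rule["ip_proto"] != frame[23]:
            return False
        if "ip_dport" in rule:              # ebtables only allows this with --ip-proto tcp/udp/sctp/dccp
            lo, hi = rule["ip_dport"]
            if not lo <= struct.unpack("!H", frame[l4 + 2:l4 + 4])[0] <= hi:
                return False
    elif ethertype == ETH_ARP:
        if "arp_ip_src" in rule and ip4(frame[28:32]) not in rule["arp_ip_src"]:
            return False
        if "arp_ip_dst" in rule and ip4(frame[38:42]) not in rule["arp_ip_dst"]:
            return False
    return True

def verdict(chain, frame, policy="DROP"):
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if matches(rule, frame):
            return rule["target"]
    return policy

def render(chain_name, rule):
    """The ebtables command line a rule dict stands for."""
    parts = ["ebtables", "-A", chain_name, "-p", {ETH_IPV4: "IPv4", ETH_ARP: "ARP"}[rule["proto"]]]
    if "dst" in rule:
        parts += ["-d", rule["dst"].hex(":")]
    if "ip_proto" in rule:
        parts += ["--ip-proto", {6: "tcp", 17: "udp"}[rule["ip_proto"]]]
    if "ip_dport" in rule:
        parts += ["--ip-dport", "%d:%d" % rule["ip_dport"]]
    for key in ("arp_ip_src", "arp_ip_dst"):
        if key in rule:
            parts += ["--" + key.replace("_", "-"), str(rule[key])]
    return " ".join(parts + ["-j", rule["target"]])

DHCP_BCAST = {"proto": ETH_IPV4, "dst": BCAST, "ip_proto": 17, "ip_dport": (67, 68), "target": "DROP"}
ARP_SRC = {"proto": ETH_ARP, "arp_ip_src": PRIVATE, "target": "DROP"}
ARP_DST = {"proto": ETH_ARP, "arp_ip_dst": PRIVATE, "target": "DROP"}
ACCEPT_IP = {"proto": ETH_IPV4, "target": "ACCEPT"}
ACCEPT_ARP = {"proto": ETH_ARP, "target": "ACCEPT"}
# First post: FORWARD held only the ACCEPTs; the DROPs sat in INPUT, which bridged frames never traverse.
FIRST_FORWARD = [ACCEPT_IP, ACCEPT_ARP]
# Final post: DROPs first, then the ACCEPTs, under a DROP policy.
FINAL_FORWARD = [DHCP_BCAST, ARP_SRC, ARP_DST, ACCEPT_IP, ACCEPT_ARP]

CLIENT = bytes.fromhex("020000000001")      # constructed: a host on the private side
GATEWAY = bytes.fromhex("0200000000fe")     # constructed: the public-side gateway
FRAMES = {
    "dhcp_discover": udp_frame(BCAST, CLIENT, "0.0.0.0", "255.255.255.255", 68, 67),
    # a client in RENEWING state unicasts DHCPREQUEST to its server: no broadcast MAC to match on
    "dhcp_renew_unicast": udp_frame(GATEWAY, CLIENT, "192.168.1.50", "192.168.1.1", 68, 67),
    "garp_private": arp_frame(BCAST, CLIENT, 1, "192.168.1.50", "192.168.1.50"),
    "gateway_claims_private": arp_frame(CLIENT, GATEWAY, 2, "192.168.1.50", "192.168.1.50", CLIENT),
    "arp_public": arp_frame(BCAST, CLIENT, 1, "203.0.113.10", "203.0.113.1"),
    "ipv6_any": eth(BCAST, CLIENT, ETH_IPV6, bytes([0x60]) + bytes(39)),
}

if __name__ == "__main__":
    for rule in FINAL_FORWARD:
        print(render("FORWARD", rule))
    for name, frame in FRAMES.items():
        print(f"{name:24s} first={verdict(FIRST_FORWARD, frame):7s} final={verdict(FINAL_FORWARD, frame)}")
```

Run with python3: it prints the final FORWARD rules as ebtables command lines, then the verdict each frame gets under the first and the final chain. If the goal is that no DHCP at all crosses the bridge, the -d ff:ff:ff:ff:ff:ff match should be left off the UDP rule (with a companion --ip-sport 67 rule for server replies); and any IPv6 or VLAN-tagged traffic expected across the bridge needs its own ACCEPT rules, since the DROP policy swallows it silently.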
Clifford Kite
      07-31-2007, 04:14 PM
(E-Mail Removed) wrote:
> I ended up moving the packets that I want blocked to the FORWARD chain
> so I didn't have to worry about what interface it was coming in (just
> in case the ethernet cables are in the wrong plug).


Just for future reference, for iptables anyway, the INPUT chain is for
packets whose final destination is the local host, the OUTPUT chain
is for packets generated by the local host, and FORWARD chain is for
packets arriving on one interface and routed out another.

Regards-
--
Clifford Kite
/* Emacs vs vi:
Sort of like a Swiss Army knife versus a rapier. */
 