make_a_dd-wrt_bridge_silently_eat_dhcp_traffic

Differences

make_a_dd-wrt_bridge_silently_eat_dhcp_traffic [2008/04/11 21:08]
tkbletsc
make_a_dd-wrt_bridge_silently_eat_dhcp_traffic [2008/04/11 21:17] (current)
tkbletsc
Line 60: Line 60:
 I took the original ebt_ip.o, and ran "gzip -c ebt_ip.o | uuencode -m -", which means "compress with gzip, then uuencode with base-64 mode". This turns the binary file into safe ASCII. We then wrap all this ASCII in that giant pile of "echo ... >> /tmp/ebt_ip.o.gz.u64" commands. We then decode it back into binary with "gzip -cd ... | uudecode -". Then we load the required modules: ''ebtables'', ''ebtable_filter'', and our hacked up ''/tmp/ebt_ip.o''. Finally, we input the ebtables rule to drop all the DHCP packets it sees.
  
-===== WRONG INFORMATION ===== 
-**This was my first pass; it didn't work.  Preserved for comedy value.** 
- 
-After some trial and error, I found the iptables rules that would do that: 
- 
-  iptables -t mangle -I PREROUTING 1 -p UDP --sport 67 -j DROP 
-  iptables -t mangle -I PREROUTING 1 -p UDP --sport 68 -j DROP 
-  iptables -t mangle -I PREROUTING 1 -p UDP --dport 67 -j DROP 
-  iptables -t mangle -I PREROUTING 1 -p UDP --dport 68 -j DROP 
- 
-The only question then is how to make these rules get applied automatically at bootup. ​ [[http://​linuxwhore.com/​modules.php?​name=News&​file=article&​sid=155&​mode=thread&​order=0&​thold=0|This article]] covers that: just use the '​rc_firewall'​ value in the nvram. ​ At the router'​s command prompt: 
- 
-  nvram set rc_firewall="​iptables -t mangle -I PREROUTING 1 -p UDP --sport 67 -j DROP 
-  iptables -t mangle -I PREROUTING 1 -p UDP --sport 68 -j DROP 
-  iptables -t mangle -I PREROUTING 1 -p UDP --dport 67 -j DROP 
-  iptables -t mangle -I PREROUTING 1 -p UDP --dport 68 -j DROP" 
-  nvram commit 
- 
-Reboot, and presto, the bridge is eating all DHCP traffic: 
- 
-<​file>​ 
-# iptables -t mangle -vL 
-Chain PREROUTING (policy ACCEPT 262 packets, 50464 bytes) 
- pkts bytes target ​    prot opt in     ​out ​    ​source ​              ​destination 
-    0     0 DROP       ​udp ​ --  any    any     ​anywhere ​            ​anywhere ​           udp dpt:bootpc 
-   37 14776 DROP       ​udp ​ --  any    any     ​anywhere ​            ​anywhere ​           udp dpt:​bootps ​ <=== Counter shows 37 DHCP packets have been eaten! 
-    0     0 DROP       ​udp ​ --  any    any     ​anywhere ​            ​anywhere ​           udp spt:bootpc 
-    0     0 DROP       ​udp ​ --  any    any     ​anywhere ​            ​anywhere ​           udp spt:bootps 
-</​file>​ 
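Review bot: the removed iptables mangle rules could not work on a bridge because frames the Linux bridge forwards are switched at layer 2 and reach iptables PREROUTING only when bridge-netfilter is enabled; the `iptables -t mangle -vL` counters in the removed block are consistent with that, since only the `udp dpt:bootps` rule shows hits (37 packets, the broadcast DHCP requests also delivered to the router's own stack) while the `spt:bootps`, `spt:bootpc` and `dpt:bootpc` rules stay at 0, and the forwarded copies were never dropped. Dropping the section in favour of the ebtables rule with the rebuilt ebt_ip.o module in the kept text above is the right fix; a one-line pointer to that reason where the section used to be would stop readers from retrying the iptables approach. A smaller point on the `nvram set rc_firewall="..."` lines: the literal newlines inside the quoted value work in the shell, but joining the four commands with `;` on one line is safer when the value is later edited through the web interface.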
make_a_dd-wrt_bridge_silently_eat_dhcp_traffic.txt · Last modified: 2008/04/11 21:17 by tkbletsc