make_a_dd-wrt_bridge_silently_eat_dhcp_traffic

make_a_dd-wrt_bridge_silently_eat_dhcp_traffic [2008/04/11 21:08] tkbletscmake_a_dd-wrt_bridge_silently_eat_dhcp_traffic [2008/04/11 21:17] (current) tkbletsc
Line 60: Line 60:
 I took the original ebt_ip.o, and ran "gzip -c ebt_ip.o | uuencode -m -", which means "compress with gzip, then uuencode with base-64 mode" This turns the binary file into safe ASCII.  We then wrap all this ASCII in that giant pile of "echo ... >> /tmp/ebt_ip.o.gz.u64" commands.  We then decode it back into binary with "gzip -cd ... | uudecode -" Then we load the required modules: ''ebtables'', ''ebtable_filter'', and our hacked up ''/tmp/ebt_ip.o'' Finally, we input the ebtables rule to drop all the DHCP packets it sees. I took the original ebt_ip.o, and ran "gzip -c ebt_ip.o | uuencode -m -", which means "compress with gzip, then uuencode with base-64 mode" This turns the binary file into safe ASCII.  We then wrap all this ASCII in that giant pile of "echo ... >> /tmp/ebt_ip.o.gz.u64" commands.  We then decode it back into binary with "gzip -cd ... | uudecode -" Then we load the required modules: ''ebtables'', ''ebtable_filter'', and our hacked up ''/tmp/ebt_ip.o'' Finally, we input the ebtables rule to drop all the DHCP packets it sees.
  
-===== WRONG INFORMATION ===== 
-**This was my first pass; it didn't work.  Preserved for comedy value.** 
- 
-After some trial and error, I found the iptables rules that would do that: 
- 
-  iptables -t mangle -I PREROUTING 1 -p UDP --sport 67 -j DROP 
-  iptables -t mangle -I PREROUTING 1 -p UDP --sport 68 -j DROP 
-  iptables -t mangle -I PREROUTING 1 -p UDP --dport 67 -j DROP 
-  iptables -t mangle -I PREROUTING 1 -p UDP --dport 68 -j DROP 
- 
-The only question then is how to make these rules get applied automatically at bootup.  [[http://linuxwhore.com/modules.php?name=News&file=article&sid=155&mode=thread&order=0&thold=0|This article]] covers that: just use the 'rc_firewall' value in the nvram.  At the router's command prompt: 
- 
-  nvram set rc_firewall="iptables -t mangle -I PREROUTING 1 -p UDP --sport 67 -j DROP 
-  iptables -t mangle -I PREROUTING 1 -p UDP --sport 68 -j DROP 
-  iptables -t mangle -I PREROUTING 1 -p UDP --dport 67 -j DROP 
-  iptables -t mangle -I PREROUTING 1 -p UDP --dport 68 -j DROP" 
-  nvram commit 
- 
-Reboot, and presto, the bridge is eating all DHCP traffic: 
- 
-<file> 
-# iptables -t mangle -vL 
-Chain PREROUTING (policy ACCEPT 262 packets, 50464 bytes) 
- pkts bytes target     prot opt in     out     source               destination 
-    0     0 DROP       udp  --  any    any     anywhere             anywhere            udp dpt:bootpc 
-   37 14776 DROP       udp  --  any    any     anywhere             anywhere            udp dpt:bootps  <=== Counter shows 37 DHCP packets have been eaten! 
-    0     0 DROP       udp  --  any    any     anywhere             anywhere            udp spt:bootpc 
-    0     0 DROP       udp  --  any    any     anywhere             anywhere            udp spt:bootps 
-</file> 
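Review bot: Deleting the whole "WRONG INFORMATION" section also removes the only record of why the iptables approach was abandoned, so a reader who reaches for `iptables -t mangle -I PREROUTING ... -j DROP` on the bridge will repeat the same dead end. Suggest keeping a single sentence next to the surviving ebtables paragraph stating that the iptables mangle PREROUTING rules (and the `rc_firewall` nvram trick used to persist them) were tried first and did not work, which is why the page loads `ebtables`, `ebtable_filter` and the patched `/tmp/ebt_ip.o` instead. It is also worth noting in that sentence that the removed counter output only ever showed hits on the `udp dpt:bootps` rule (37 packets) while the other three rules stayed at 0, so even the "presto" claim covered only client-to-server DHCP traffic in one direction.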
make_a_dd-wrt_bridge_silently_eat_dhcp_traffic.1207973322.txt.gz · Last modified: 2008/04/11 21:08 by tkbletsc
