# how to block mac addresses from dhcp

## the1spicymeatbal

I set up a DHCP server with squid running using webmin. I can look in the DHCP panel of webmin to see the active leases... my question is how can I block one of the MAC addresses from being able to connect?

----------

## nemo_

do you just want to tell your dhcpd server not to serve a lease to this MAC address, or do you want your whole server not to speak to this MAC at all?

the first option requires a change in dhcpd.conf and the second would take an iptables rule (beware that the MAC address will only be seen correctly if the systems are in the same physical Ethernet LAN)
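As an added illustration of the first option (this is not part of nemo_'s post), here is the shape of the dhcpd.conf change for ISC dhcpd. The subnet, range, router and host name are constructed values; the MAC is the placeholder used elsewhere in this thread.

```conf
# Constructed example dhcpd.conf fragment (not from the thread).
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option routers 192.168.1.1;
}

# A host declaration is matched on the client's hardware address.
# "deny booting" tells dhcpd to refuse this client instead of leasing it an
# address; "ignore booting" does the same without sending any reply.
host blocked-client {
    hardware ethernet DE:AD:BE:EF:BA:BE;
    deny booting;
}
```

dhcpd reads its configuration at startup, so the change takes effect on a restart; existing leases are kept in the leases file and survive that restart. This only stops the client obtaining an address from the server: a client configured with a static IP is not affected, so on a gateway a firewall rule is still the stronger control.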

----------

## the1spicymeatbal

if not leasing an IP to the MAC address would keep it from connecting, then that is all I need. If I have to block it via the firewall, then I guess I will just do that. So if it is possible to go the first method, then I'd rather do that. (unless it requires me restarting the dhcp server... and disconnecting everyone connected)

----------

## nemo_

well you didn't really tell us enough about your setup, but assuming that your gentoo server is also the gateway to the internet/network then just blocking it on the DHCP server will not be enough to block it completely, as it's very easy to just assign a fixed address manually to bypass the dhcp server.

in this case a MAC filter with iptables would probably be better (but keep in mind that the MAC address can also be changed, although it may not be so easy to figure out, especially on windows).

so I would just go with something like this:

```
iptables -A INPUT -i $INTERFACE -m mac --mac-source DE:AD:BE:EF:BA:BE -j DROP
```

----------

## the1spicymeatbal

thanks a lot... one more quick question... how would I re-allow it?

----------

## DarKRaveR

In case the gentoo box is a gateway make sure to put the rule in the FORWARDING chain, not the INPUT chain ....

You can delete rules anytime by either their number within the chain or by specifying exactly the same rule parameters (as long as they are unique, otherwise only the first matching rule will be removed)

EDIT:

Argh, forgot the example:

```
# delete by rule number within the chain
iptables -D chain <rulenumber>        # in other words: iptables -D FORWARD <rulenumber>

# delete by giving exactly the same rule specification
iptables -D chain rulespec            # e.g. iptables -D FORWARD -m mac --mac-source <MAC> ...

# show the numbered rules of a chain
iptables --line-numbers -L chain
```

Gives you the numbered rules of a chain .....

----------

## nemo_

good point DarkRaveR, he probably wants to put this rule in both INPUT and FORWARD (depending on whether the system should be able to speak to the server or not)..

also remember that these rules won't survive a reboot, so put them in /etc/conf.d/local.start if you don't have a firewall script already.
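Putting DarKRaveR's point about deleting by spec and nemo_'s point about both chains together, here is an added example (not code from either poster) of a small POSIX shell script that adds and removes the per-MAC DROP rule idempotently. It assumes the box is the gateway, that `IFACE` is its LAN-facing interface (constructed default `eth0`), that `IPTABLES` may be pointed at a shim for a dry run, and that `iptables -C` is available (iptables 1.4.11 or newer).

```shell
#!/bin/sh
# Added example, not from the thread: keep one DROP rule per blocked MAC in
# both INPUT and FORWARD, add it idempotently and remove it by spec.
# Assumptions: this box is the gateway; IFACE is its LAN-facing interface
# (constructed default eth0); IPTABLES can be pointed at a shim for dry runs;
# iptables -C needs iptables 1.4.11 or newer.

IPTABLES="${IPTABLES:-iptables}"
IFACE="${IFACE:-eth0}"

# Accept only six colon-separated hex pairs; anything else is refused before
# it can be spliced into a command line.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# One rule spec shared by add, check and delete: -D by spec only matches a
# rule whose parameters are exactly the same as the one that was added.
mac_rule() {
    echo "-i $IFACE -m mac --mac-source $1 -j DROP"
}

# Append the rule to INPUT and FORWARD, skipping a chain that already has it.
block_mac() {
    mac="$1"
    valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 2; }
    for chain in INPUT FORWARD; do
        # word splitting of $(mac_rule) is intended: each flag is one argument
        if ! "$IPTABLES" -C "$chain" $(mac_rule "$mac") 2>/dev/null; then
            "$IPTABLES" -A "$chain" $(mac_rule "$mac") || return 1
        fi
    done
}

# Delete by spec rather than by number: numbers shift as rules are removed.
# Loop because each -D removes a single matching rule.
unblock_mac() {
    mac="$1"
    valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 2; }
    for chain in INPUT FORWARD; do
        while "$IPTABLES" -C "$chain" $(mac_rule "$mac") 2>/dev/null; do
            "$IPTABLES" -D "$chain" $(mac_rule "$mac") || return 1
        done
    done
}

# Usage when run as a script: ./macblock.sh block|unblock DE:AD:BE:EF:BA:BE
case "${1:-}" in
    block)   block_mac "$2" ;;
    unblock) unblock_mac "$2" ;;
esac
```

Validating the MAC before it reaches the command line matters when the address comes from a web form or a lease listing rather than being typed by hand, and checking with `-C` before `-A` is what keeps the rule from being appended twice each time the script runs from `local.start`.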

----------

## DarKRaveR

*nemo_ wrote:*

> good point DarkRaveR, he probably wants to put this rule in both INPUT and FORWARD (depending on whether the system should be able to speak to the server or not)..
>
> also remember that these rules won't survive a reboot, so put them in /etc/conf.d/local.start if you don't have a firewall script already.

Additional info:

Just add iptables to the default (or boot) runlevel as appropriate ....

Before shutting down the first time, run /etc/init.d/iptables save

look at /etc/conf.d/iptables

You can set save/load options (usually -c for keeping the counters) and whether you want to save the rules on stop ...

Makes life a lot easier, because as soon as he drops the rule at some point, it will be gone after the next reboot ....

Especially, when you have a whole bunch of rules (a couple hundred)

----------

## micaheli

I have the exact same scenario. However, I cannot get this working. I'm curious if you did.. Here's my assessment of the whole dang thing:

You CANNOT block ISC DHCP as it uses AF_PACKET to bind to the port rather than SOCK_PACKET or Raw. It comes before iptables, and therefore is immutable.

What I'm looking for is the compile-time options/use flags to let dhcp use standard sockets rather than AF_SOCKET. That's the money shot.

--Micah

----------

