I have a box connected to a largish local IPv4 network (no IPv6 at all) through a single Ethernet interface; normally, it is assigned an IP address from the 172.16.0.0 range.
From time to time, however, somebody plugs in a DHCP server by mistake, and I get an address from the 192.168.0.0 range (and a bogus set of routes). Is there a way of telling dhcpcd (or another DHCP client for Linux) to only accept offers from a specific IP range? Or perhaps a way to filter DHCPOFFER at iptables level, dropping bogus offers?
dhcpcd's manpage lists blacklist and whitelist options, but these seem to apply to the server's IP address, which is in the correct/expected range.
I am only in control of this box (and a few others in a similar role); network management is beyond my control.
Rather than trying to configure DHCP clients to only use specific DHCP servers (the point of DHCP is to be dynamic; hard-coding which servers to use would negate this), I would suggest configuring the network to only allow configured servers to run DHCP, which then prevents "rogue" DHCP servers from being able to operate.
Iff the DHCP server's IP address is stable and you only expect to use the client in a single network, you can use the whitelist option in /etc/dhcpcd.conf.
A looser possibility, if you know that rogue servers come from a well-defined IP range, is the blacklist option.

If whitelist is used, blacklist is ignored.
Note that DHCP address assignment is a very trusting protocol by default: neither of these is bullet-proof, and they won't protect you much: they're simple doorstops against unintentional misconfigurations.
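To make the difference between the two dhcpcd options and the question's actual wish concrete, here is an added example (my own code, not part of the question, the answers, or dhcpcd) that parses a DHCPOFFER and applies three checks: a server whitelist, a server blacklist that is ignored whenever the whitelist is non-empty (the rule quoted from the manpage above), and a check that the offered address itself (yiaddr) falls inside an expected range, which is what the asker wants and what the dhcpcd options alone do not do. Assumptions to note: the packet layout is the RFC 2131 fixed header followed by the magic cookie and TLV options; the "server address" is taken from the server identifier option (54), which may differ from the UDP source address when a relay is involved; and the packets fed in are constructed here, not captured. How such a decision would be wired into a running client (a packet-filter queue, a hook script) is not shown and would be deployment-specific.

```python
import ipaddress
import struct

# RFC 2131 fixed header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file (236 bytes total).
_FIXED = struct.Struct("!BBBB4sHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREPLY = 2
DHCP_OFFER = 2
OPT_MSG_TYPE = 53
OPT_SERVER_ID = 54


def parse_dhcp(packet: bytes) -> dict:
    """Parse the fixed header and TLV options of a DHCP message.

    Raises ValueError on truncated or cookie-less input rather than
    guessing, so a malformed offer is rejected instead of half-parsed.
    """
    if len(packet) < _FIXED.size + len(MAGIC_COOKIE):
        raise ValueError("packet too short for a DHCP message")
    fields = _FIXED.unpack_from(packet, 0)
    op, xid, yiaddr, siaddr = fields[0], fields[4], fields[8], fields[9]
    cookie_end = _FIXED.size + len(MAGIC_COOKIE)
    if packet[_FIXED.size:cookie_end] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")

    options = {}
    i = cookie_end
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad octet, no length byte
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length

    server_id = options.get(OPT_SERVER_ID)
    return {
        "op": op,
        "xid": xid,
        "yiaddr": ipaddress.IPv4Address(yiaddr),
        "siaddr": ipaddress.IPv4Address(siaddr),
        "msg_type": options.get(OPT_MSG_TYPE, b"\x00")[0],
        # Assumption: option 54 is "the server address" for filtering purposes.
        "server_id": ipaddress.IPv4Address(server_id) if server_id and len(server_id) == 4 else None,
        "options": options,
    }


def _nets(items):
    return [ipaddress.ip_network(n) for n in items]


def offer_is_acceptable(packet, allowed_lease_nets, server_whitelist=(), server_blacklist=()):
    """Return (accept, reason) for a raw DHCP packet.

    Server checks mirror dhcpcd's semantics: a non-empty whitelist wins and
    the blacklist is then ignored. The yiaddr check is the extra policy
    the question asks for: reject an offer whose address is outside the
    range the box is expected to live in.
    """
    msg = parse_dhcp(packet)
    if msg["op"] != BOOTREPLY or msg["msg_type"] != DHCP_OFFER:
        return False, "not a DHCPOFFER"
    sid = msg["server_id"]
    if sid is None:
        return False, "offer lacks a server identifier (option 54)"
    whitelist, blacklist = _nets(server_whitelist), _nets(server_blacklist)
    if whitelist:
        if not any(sid in net for net in whitelist):
            return False, f"server {sid} not in whitelist"
    elif any(sid in net for net in blacklist):
        return False, f"server {sid} is blacklisted"
    if not any(msg["yiaddr"] in net for net in _nets(allowed_lease_nets)):
        return False, f"offered address {msg['yiaddr']} outside expected range"
    return True, "ok"


def build_offer(xid: bytes, yiaddr: str, server_id: str, msg_type: int = DHCP_OFFER) -> bytes:
    """Constructed test packet: a minimal DHCPOFFER with options 53 and 54."""
    header = _FIXED.pack(
        BOOTREPLY, 1, 6, 0, xid, 0, 0,
        b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
        b"\xde\xad\xbe\xef\x00\x01" + b"\0" * 10, b"\0" * 64, b"\0" * 128,
    )
    options = (bytes([OPT_MSG_TYPE, 1, msg_type])
               + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
               + b"\xff")
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    xid = b"\x12\x34\x56\x78"
    good = build_offer(xid, "172.16.5.10", "172.16.0.1")
    rogue = build_offer(xid, "192.168.0.50", "172.16.0.99")
    print(offer_is_acceptable(good, ["172.16.0.0/12"], server_whitelist=["172.16.0.1/32"]))
    print(offer_is_acceptable(rogue, ["172.16.0.0/12"]))
```

The last case in the `__main__` block is the one the question describes: the rogue server's own address sits in the expected 172.16.0.0 range, so neither whitelist nor blacklist would catch it, and only the check on the offered address rejects it.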