How can I use iptables to drop packets for an invalid ether-type?
Why do you want to drop these frames? What difference does it make? They are dropped anyway...
The reason why your iptables approach does not work is that you mix up protocol layers. Ethernet type (meaning: the higher level protocol) 0x0800 is IP (see /etc/ethertypes). In other words: This is not an IP packet. And as an immediate consequence Netfilter never sees it because it processes only IPv4 and IPv6 packets. For that reason there is no option for matching the ethertype in Netfilter.
Not even ebtables seems to help here as it does not have a test for ethertype.
Some hope: traffic shaping
Maybe there is a (difficult) "solution" (for this non-problem) in abusing traffic shaping (tc) and its Intermediate Functional Block (ifb) pseudo network interface. Usually traffic shaping is used for outgoing traffic only. With the ifb it can be enforced on incoming traffic (I have never done that). The reason why I think this may offer an approach is that tc offers filters beyond protocol logic. You can simply look at certain bytes in the packet. So maybe the ethertype field of incoming packets becomes accessible that way.
Next problem: Traffic shaping was not made for filtering packets but for reordering them. But maybe some of its features can be abused for dropping certain packets/frames.
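The tc route sketched in the answer above, worked through as an added example (this is not code from the question or the answer). Two details make it simpler than the answer expects: dropping alone needs only the `ingress` qdisc, not an ifb device (ifb is only required if you want to queue or shape incoming traffic), and the `protocol` keyword of `tc filter` already matches the frame's EtherType, so no byte-offset matching is needed. The interface name `eth0` and the EtherType `0x88b5` (the IEEE "local experimental" value) are placeholders; the script assumes iproute2's `tc` is installed and, with `DRY_RUN=0`, root privileges. One filter handles one EtherType, so "everything that is not IP/ARP/IPv6" needs one such rule per value you want gone.

```shell
#!/bin/sh
# Added example: drop incoming frames of a given EtherType using tc's
# ingress qdisc (example code, not from the original answer).
# Assumptions: iproute2 tc is installed; run as root when DRY_RUN=0.
# DRY_RUN=1 (the default) only prints the commands that would be run.

DRY_RUN=${DRY_RUN:-1}

# Return 0 if $1 looks like a real EtherType: a 4-digit hex value of at
# least 0x0600. Values below 0x0600 are IEEE 802.3 length fields, not
# EtherTypes, so tc would never see a frame carrying them as "protocol".
is_valid_ethertype() {
    case "$1" in
        0x[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]) ;;
        *) return 1 ;;
    esac
    [ "$(( $1 ))" -ge 1536 ]
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$1"
    else
        $1
    fi
}

# Install an ingress qdisc on interface $1 and a filter that drops every
# frame whose EtherType is $2. "protocol" selects the EtherType; the u32
# match "0 0" (value 0, mask 0, at offset 0) matches any payload, so the
# filter's only criterion is the EtherType itself.
tc_drop_ethertype() {
    dev=$1
    etype=$2
    if ! is_valid_ethertype "$etype"; then
        printf 'not an EtherType: %s\n' "$etype" >&2
        return 1
    fi
    run "tc qdisc replace dev $dev ingress"
    run "tc filter add dev $dev parent ffff: protocol $etype prio 1 u32 match u32 0 0 action drop"
}

# Placeholder interface and EtherType (assumptions, see the lead-in):
tc_drop_ethertype eth0 0x88b5
```

With `DRY_RUN=0` the two commands are executed; afterwards `tc -s filter show dev eth0 ingress` shows the filter together with a hit counter, which is the quickest way to confirm that frames of that EtherType really arrive and are being dropped.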