Arptables - Manage ARP Packet Filter Rules with Examples

ARP stands for Address Resolution Protocol. It is the protocol used to resolve network layer addresses into link layer addresses, a critical function on multiple-access networks such as Ethernet. In practice ARP maps an IPv4 address to a physical address such as an Ethernet address (also known as a MAC address). ARP carries no authentication: any host on the segment can answer a request, or send an unsolicited reply, claiming any IP-to-MAC mapping it likes. That is the weakness ARP spoofing relies on and the reason you may want to filter ARP frames on a host at all.

arptables is similar to iptables: you use it to set up, maintain, and inspect the table of ARP packet filter rules in the Linux kernel. There is a single table, filter, with three built-in chains, INPUT, OUTPUT and FORWARD; it may also contain user-defined chains. Each chain is a list of rules, each of which can match a set of ARP frames and says what happens to them.

Install arptables

arptables is available in the repositories of most Linux distributions. On recent releases the arptables command is provided by the nftables-based iptables package (arptables-nft) rather than the legacy tool; the command syntax shown below is the same for both. You can install it on CentOS / Fedora / RHEL using yum (or dnf):

# yum install arptables

and on Debian / Ubuntu using apt-get:

# apt-get install arptables

Important arptables options and parameters

Here are the most important arptables options:

-A - Append one or more rules to the end of the selected chain.
-D - Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or as a rule specification to match.
-L - List all rules in the selected chain (all chains if none is given). It is usually combined with the -n option, which prints addresses numerically and avoids slow reverse DNS lookups.
-F - Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one; it does not change the chain policy.
-N - Create a new user-defined chain with the given name. There must be no target of that name already.
-X - Delete the specified user-defined chain. The chain must not be referenced by any remaining rule.
-P - Set the policy for a built-in chain to the given target (ACCEPT or DROP). The policy decides the fate of frames that match no rule in the chain.

And the most important parameters:

-s - Source specification: the sender IP address carried in the ARP header, given as a plain IP address or a network in address/mask form. Note that this is the address the frame claims to come from, which an attacker can set freely.
-d - Destination specification, i.e. the target IP address in the ARP header (same options as -s).
--source-mac - Specify the sender hardware (MAC) address carried in the ARP header. hwaddr (and mask, if specified) must consist of one or more 8-bit hexadecimal numbers separated by ':' characters; a full Ethernet address is six such bytes, e.g. 00:0c:19:f9:ed:f2.
--destination-mac - Specify the target hardware (MAC) address of the packet. This is similar to the --source-mac option (same options as --source-mac).
-i - Name of the interface via which a frame was received (only for frames entering the INPUT and FORWARD chains). When the "!" argument is used before the interface name, the sense is inverted.
-o - Name of the interface via which a frame is going to be sent (for frames entering the OUTPUT and FORWARD chains). When the "!" argument is used before the interface name, the sense is inverted.
-j - This specifies the target of the rule, i.e. what to do if the frame matches it. The target can be a user-defined chain (other than the one this rule is in) or one of the special built-in targets which decide the fate of the frame immediately: ACCEPT, DROP, CONTINUE or RETURN. Target extensions are far fewer than in iptables; the main one is the mangle target, which rewrites address fields in the ARP header. If -j is omitted, matching the rule has no effect on the frame's fate, but the counters on the rule are still incremented, which is a cheap way to count ARP traffic from a given host without blocking it.

Arptables Examples

1. To block all incoming ARP traffic unless it matches an ACCEPT rule in the chain, set the default policy of the INPUT chain to DROP:

# arptables -P INPUT DROP

Add ACCEPT rules for the hosts you still need (at the very least the default gateway) before doing this on a machine you administer remotely: with nothing accepted the host no longer receives ARP requests or replies, stops answering "who has" queries, and becomes unreachable from the rest of the segment.

2. Block all ARP traffic from a specific IP address (192.0.2.10 stands in for the address you want to block):

# arptables -A INPUT -s 192.0.2.10 -j DROP

Because -s matches the sender IP address in the ARP header, this drops both requests and replies that claim to come from that address, whatever MAC address they carry.

3. List all rules currently active, with numeric output:

# arptables -L -n

Add --line-numbers to the listing to see the rule numbers that -D INPUT <number> expects.

4. Block a specific MAC address:

# arptables -A INPUT --source-mac 00:0c:19:f9:ed:f2 -j DROP

Keep in mind that a MAC address is trivial to change, so blocking one only stops a particular interface as it is configured today. A more useful rule pins an IP address to a MAC address: match the IP with -s and the MAC with --source-mac ! hwaddr, so that any frame claiming that IP from a different MAC is dropped.
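The following script is an added example and not code from the original article. It ties examples 1, 2 and 4 together: it generates an arptables rule set that pins the gateway's IP address to its MAC address (dropping any ARP frame that claims the gateway IP from another MAC) and, in the allow-list variant, accepts a fixed set of sender IPs before switching the INPUT policy to DROP, in an order that cannot lock the host out. The gateway 192.0.2.1, its MAC 00:0c:19:f9:ed:f2, the interface eth0 and the function names are assumptions made for illustration; substitute your own values. The `!` is placed after --source-mac, as the option description above explains.

```shell
#!/bin/sh
# Added example, not from the original article: generate (and optionally apply)
# an arptables rule set that pins the default gateway's IP address to its MAC
# and, in the allow-list variant, drops ARP from every other host. The function
# names, the gateway 192.0.2.1, the MAC 00:0c:19:f9:ed:f2 and the interface
# eth0 are assumed values for illustration; substitute your own.
set -eu

# A MAC address for --source-mac: six colon-separated hex bytes.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# A dotted-quad IPv4 address for -s, every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Interface names are passed to -i unquoted, so restrict them to safe characters.
is_iface() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._-]+$'
}

# Reject bad input before it reaches arptables: a typo in the gateway MAC would
# otherwise drop every frame from the real gateway.
check_gateway() {
    is_ipv4 "$1" || { echo "invalid gateway IP: $1" >&2; return 1; }
    is_mac "$2" || { echo "invalid gateway MAC: $2" >&2; return 1; }
    is_iface "$3" || { echo "invalid interface: $3" >&2; return 1; }
}

# Gateway pin: an ARP frame whose sender IP is the gateway's but whose sender
# MAC is not the gateway's is dropped. The chain policy stays ACCEPT, so the
# host keeps talking to the rest of the segment.
arp_pin_gateway_rules() {
    check_gateway "$1" "$2" "$3" || return 1
    echo "arptables -F INPUT"
    echo "arptables -A INPUT -i $3 -s $1 --source-mac ! $2 -j DROP"
    echo "arptables -P INPUT ACCEPT"
}

# Allow-list: pin the gateway, ACCEPT the listed sender IPs, then set the
# default policy to DROP. The ACCEPT rules are emitted before the policy change
# so that applying the commands in order never locks the host out.
arp_allowlist_rules() {
    check_gateway "$1" "$2" "$3" || return 1
    gw_ip=$1 gw_mac=$2 iface=$3
    shift 3
    echo "arptables -F INPUT"
    echo "arptables -A INPUT -i $iface -s $gw_ip --source-mac ! $gw_mac -j DROP"
    echo "arptables -A INPUT -i $iface -s $gw_ip --source-mac $gw_mac -j ACCEPT"
    for host in "$@"; do
        is_ipv4 "$host" || { echo "invalid allow-listed IP: $host" >&2; return 1; }
        echo "arptables -A INPUT -i $iface -s $host -j ACCEPT"
    done
    echo "arptables -P INPUT DROP"
}

# Run a generated rule set line by line (needs root and the arptables binary).
# With DRY_RUN=1 the commands are only printed, which is how to review them
# before touching a remote host.
arp_apply() {
    rules=$("$@") || return 1
    printf '%s\n' "$rules" | while IFS= read -r cmd; do
        echo "+ $cmd"
        [ "${DRY_RUN:-0}" = 1 ] || $cmd
    done
}

# Example invocations (run as root to apply for real):
#   DRY_RUN=1 arp_apply arp_pin_gateway_rules 192.0.2.1 00:0c:19:f9:ed:f2 eth0
#   arp_apply arp_allowlist_rules 192.0.2.1 00:0c:19:f9:ed:f2 eth0 192.0.2.20 192.0.2.21
```

Review the output with DRY_RUN=1 first, then run it as root. The pin rule only protects this host's view of the gateway; it does nothing for other hosts on the segment, and a host that merely keeps quiet is still affected if the switch itself is poisoned. Read the gateway's real MAC from a trusted source (the router's console or documentation), not from the ARP cache of a possibly already-poisoned machine.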

Comments

  1. I cannot get arptables to work on broadcast ARP traffic based on the requested IP.
    E.g. who has
    is-at MAC

    The above is based on tcpdump. I am using proxy_arp and haven't found a way to stop the above behavior on a per-IP level. Even adding a static ARP entry seems to be ignored or overwritten by proxy_arp.
