Filtering ARP traffic with Linux arptables about:reader?url=[Link]
[Link]
Filtering ARP traffic with Linux arptables
Michael Boelen
Most Linux system administrators are familiar with iptables. Less known is the arptables utility, which filters ARP packets.
Installation
The arptables utility is easy to set up, as the main functionality is already implemented in the Linux kernel. Just install the arptables package on your favorite Linux distribution.
Red Hat / CentOS / Fedora
yum install arptables
Debian / Ubuntu
apt-get install arptables
Configuration example
1 of 6 8/1/19, 9:03 PM
To show the effect of filtering, we will block the ARP traffic of our router. This way we won't be able to connect to the internet.
With the arp command we can query the current list of known ARP addresses.

root@ubuntu:/data# arp
Address    HWtype  HWaddress    Flags Mask    Iface
[Link]     ether   [Link]       C             eth0
[Link]     ether   [Link]       C             eth0
Arptables can block traffic by filtering out the IP. So let's query the arp list again, now in numeric format.

root@ubuntu:/data# arp -n
Address    HWtype  HWaddress    Flags Mask    Iface
[Link]     ether   [Link]       C             eth0
[Link]     ether   [Link]       C             eth0
Time to block the router ([Link]):

root@ubuntu:/data# arptables -A INPUT -s [Link] -j DROP
So we dropped traffic to this IP address, right? Let's try!
root@ubuntu:/data# ping [Link]
PING [Link] ([Link]) 56(84) bytes of data.
64 bytes from [Link]: icmp_seq=1 ttl=64 time=0.645 ms
64 bytes from [Link]: icmp_seq=2 ttl=64 time=0.370 ms
^C
--- [Link] ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.370/0.507/0.645/0.139 ms
Well, that didn't work as intended. We dropped the ARP traffic related to the IP address, but nothing on the IP level: the kernel still has a cached ARP entry for the router, so it never needs a new ARP exchange. This is also visible in the arp -n list:
root@ubuntu:/data# arp -n
Address    HWtype  HWaddress    Flags Mask    Iface
[Link]     ether   [Link]       C             eth0
[Link]     ether   [Link]       C             eth0

So to make this work, we simply have to flush the ARP cache. We delete the related ARP entry:
root@ubuntu:/data# arp -d [Link]
root@ubuntu:/data# arp -n
Address    HWtype  HWaddress    Flags Mask    Iface
[Link]     ether   [Link]       C             eth0
[Link]             (incomplete)               eth0
The arp utility now shows an incomplete entry: it knows that some traffic recently passed by for this address, but the MAC address is unknown.
Let's ping again:

root@ubuntu:/data# ping [Link]
PING [Link] ([Link]) 56(84) bytes of data.
From [Link] icmp_seq=1 Destination Host Unreachable
From [Link] icmp_seq=2 Destination Host Unreachable
That looks better!
Specific traffic filtering
Back to our original mission: only allow our router to exchange ARP packets.

# Block ARP traffic from all machines (default: DENY)
root@ubuntu:/data# arptables -P INPUT DROP
# Allow router (fixed ARP)
root@ubuntu:/data# arptables -A INPUT --source-mac [Link] -j ACCEPT
All other ARP packets are blocked now. Every other system that tries to exchange traffic with us will end up as an (incomplete) entry.
Enable all ARP traffic
If we want to allow traffic again:
root@ubuntu:/data# arptables -P INPUT ACCEPT
root@ubuntu:/data# arptables --flush
Flushing the full ARP cache can be done with the ip utility:
root@ubuntu:/data# ip -s neighbour flush all
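Putting the steps above together (allow only the router's MAC, flush the cache so stale entries cannot bypass the filter, then verify the result) as a small POSIX shell script. This is an added example, not code from the original post; the gateway IP, gateway MAC and interface are assumed placeholder values.

```shell
#!/bin/sh
# Added example, not from the original post: apply the "only the router
# may send us ARP" policy, flush cached neighbour entries (which would
# otherwise bypass the filter, as shown above), then verify the result.
# GW_IP, GW_MAC and IFACE are assumed placeholder values.
GW_IP="${GW_IP:-192.168.1.1}"
GW_MAC="${GW_MAC:-00:11:22:33:44:55}"
IFACE="${IFACE:-eth0}"

# Emit the arptables commands for the policy, one per line. Kept pure so
# the ruleset can be reviewed before being piped to sh. Note that, like
# iptables rules, arptables rules live in kernel memory only and are
# gone after a reboot.
arp_rules() {  # $1 = router MAC that is allowed to send ARP to us
    printf '%s\n' \
        "arptables -F INPUT" \
        "arptables -A INPUT --source-mac $1 -j ACCEPT" \
        "arptables -P INPUT DROP"
}

# Read 'ip -4 neigh show' output on stdin. Succeed only when the gateway
# IP is resolved (lladdr present) to the expected MAC; an INCOMPLETE or
# FAILED entry, or a different MAC, fails the check.
gateway_ok() {  # $1 = gateway IP, $2 = expected MAC (any letter case)
    awk -v ip="$1" -v mac="$2" '
        BEGIN { mac = tolower(mac) }
        $1 == ip {
            for (i = 1; i < NF; i++)
                if ($i == "lladdr" && tolower($(i + 1)) == mac) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Apply the policy (needs root), drop stale neighbour entries, and force
# a fresh ARP exchange with the gateway before checking the table.
apply_policy() {
    arp_rules "$GW_MAC" | sh
    ip neigh flush dev "$IFACE"
    ping -c 1 -W 1 "$GW_IP" >/dev/null 2>&1 || true
    ip -4 neigh show dev "$IFACE" | gateway_ok "$GW_IP" "$GW_MAC"
}

# Uncomment to run for real:
# apply_policy && echo "gateway $GW_IP pinned to $GW_MAC"
```

If gateway_ok fails after apply_policy, either the router's MAC in the rule is wrong or something else answered for the gateway IP; in both cases the neighbour table shows what the kernel actually learned.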
Conclusion
Arptables is a very powerful utility to filter ARP traffic and to avoid an unexpected router taking over our connectivity. However, keep in mind that connectivity is not fully blocked: only ARP traffic is filtered (layer 2/3 on the OSI model). If someone is able to manually add an entry to the ARP table, traffic is able to flow again.