This document discusses using the Linux utility arptables to filter ARP traffic. Arptables controls ARP packet filtering similarly to how iptables controls regular IP packet filtering. The document provides an example of using arptables to block the router's ARP traffic, which prevents connectivity until the ARP cache is flushed. Specific ARP traffic can be filtered by source MAC address. Arptables is useful for avoiding unauthorized routers but does not fully block connectivity if ARP entries are manually added.


linux-audit.com

Filtering ARP traffic with Linux arptables
Michael Boelen

Most Linux system administrators will be familiar with iptables on Linux. Less known is the arptables utility, which controls the filtering of ARP packets.

Installation

The arptables utility is easy to set up, as the main functionality is already implemented in the Linux kernel. Just install the arptables package on your favorite Linux distribution.

Red Hat / CentOS / Fedora

yum install arptables

Debian / Ubuntu

apt-get install arptables

Configuration example

1 of 6 8/1/19, 9:03 PM

To show the effect of filtering, we will block the router's ARP traffic. This way we won't be able to connect to the internet anymore.

With the arp command we can query the current list of known
ARP addresses.

root@ubuntu:/data# arp
Address                  HWtype  HWaddress           Flags Mask            Iface
System.cisofy.com        ether   00:a7:22:23:d1:f3   C                     eth0
Router.cisofy.com        ether   d8:d7:21:22:5a:8d   C                     eth0

Arptables can block traffic by filtering out the IP. So let’s query
the arp list again, now in numeric format.

root@ubuntu:/data# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.20             ether   00:a7:22:23:d1:f3   C                     eth0
192.168.1.1              ether   d8:d7:21:22:5a:f4   C                     eth0

Time to block the router (192.168.1.1):

root@ubuntu:/data# arptables -A INPUT -s 192.168.1.1 -j DROP

So we dropped traffic to this IP address, right? Let's try!

root@ubuntu:/data# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.645 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.370 ms
^C
--- 192.168.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.370/0.507/0.645/0.139 ms

Well, that didn't work as intended. We dropped the ARP traffic related to this IP address, but nothing on the IP level, and the kernel still has a valid ARP cache entry for the router. This is also visible in the arp -n list:

root@ubuntu:/data# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.20             ether   00:a7:22:23:d1:f3   C                     eth0
192.168.1.1              ether   d8:d7:21:22:5a:f4   C                     eth0


So to make this work, we simply have to flush the ARP cache. We delete the related ARP entry:

root@ubuntu:/data# arp -d 192.168.1.1

root@ubuntu:/data# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.20             ether   00:a7:22:23:d1:f3   C                     eth0
192.168.1.1                      (incomplete)                              eth0

The arp utility will show an incomplete entry. It knows that recently some traffic passed by, but the MAC address is unknown.

Let’s ping again:

root@ubuntu:/data# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
From 192.168.1.21 icmp_seq=1 Destination Host Unreachable
From 192.168.1.21 icmp_seq=2 Destination Host Unreachable

That looks better!

Specific traffic filtering


Back to our original mission: only allow our router to exchange ARP packets.

# Block ARP traffic from all machines (default: DENY)
root@ubuntu:/data# arptables -P INPUT DROP

# Allow router (fixed ARP)
root@ubuntu:/data# arptables -A INPUT --source-mac d8:d7:21:22:5a:f4 -j ACCEPT

All other ARP packets are blocked now. Every other system that tries to transmit traffic to us will end up as an (incomplete) entry in the ARP cache.

Enable all ARP traffic

If we want to allow traffic again:

root@ubuntu:/data# arptables -P INPUT ACCEPT

root@ubuntu:/data# arptables --flush

Flushing the full ARP cache can be done with the ip utility:

root@ubuntu:/data# ip -s neighbour flush all
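As an added example that is not part of the original article, the following POSIX shell script assembles the allow-list policy above into reviewable commands and checks what the ARP cache currently holds for the router against the pinned MAC; the router IP and MAC are assumptions taken from the article's example network, and the arp -n sample is constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Router IP and MAC are assumed
# from the article's example network; the arp -n sample below is constructed.
ROUTER_IP="192.168.1.1"
ROUTER_MAC="d8:d7:21:22:5a:f4"

# Print (without executing) the commands that allow ARP only from the pinned
# router MAC. The final flush matters: as the article's ping test shows, an
# existing ARP cache entry keeps working until it is removed.
arptables_rules() {
    router_mac="$1"
    printf '%s\n' \
        "arptables -F INPUT" \
        "arptables -P INPUT DROP" \
        "arptables -A INPUT --source-mac $router_mac -j ACCEPT" \
        "ip -s neighbour flush all"
}

# Read 'arp -n' output on stdin and compare the cached MAC for the router IP
# with the pinned one. Prints OK, MISMATCH <mac>, INCOMPLETE or MISSING, so a
# changed router MAC (the "unexpected router" case) is visible at a glance.
check_router_mac() {
    router_ip="$1"; expected="$2"
    awk -v ip="$router_ip" -v want="$expected" '
        $1 == ip {
            found = 1
            if ($2 == "(incomplete)") { print "INCOMPLETE"; exit }
            if (tolower($3) == tolower(want)) { print "OK" } else { print "MISMATCH " $3 }
            exit
        }
        END { if (!found) print "MISSING" }'
}

# Constructed sample: the cache holds a different MAC than the one we pinned.
SAMPLE_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.20             ether   00:a7:22:23:d1:f3   C                     eth0
192.168.1.1              ether   d8:d7:21:22:5a:8d   C                     eth0'

if [ "${1:-}" = "--apply" ]; then
    arptables_rules "$ROUTER_MAC" | sh      # needs root and a real interface
else
    arptables_rules "$ROUTER_MAC"
    printf '%s\n' "$SAMPLE_ARP" | check_router_mac "$ROUTER_IP" "$ROUTER_MAC"
fi
```

Run it without arguments to review the generated rules and the cache check; pass --apply to execute the rules as root.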

Conclusion

Arptables is a very powerful utility to filter traffic and avoid an unexpected router taking over our connectivity. However, keep in mind that connectivity is not fully blocked. Only ARP traffic is blocked (layer 2/3 on the OSI model). If someone is able to manually add an entry to the ARP table, traffic is able to flow again.
