Command documentation sourced from the linux-command project This comprehensive command reference is part of the linux-command documentation project.
arptables - ARP packet filtering and management
The arptables command is a powerful network administration tool used for filtering and managing ARP (Address Resolution Protocol) packets in Linux. It provides administrators with fine-grained control over ARP traffic, enabling enhanced network security, ARP spoofing prevention, and custom ARP handling policies. As part of the netfilter framework, arptables operates at the data link layer (Layer 2) to filter ARP packets based on source/destination MAC addresses, IP addresses, and packet types. This tool is essential for securing local networks against ARP poisoning attacks and implementing network access control policies.
Basic Syntax
arptables [OPTIONS] [COMMAND] [CHAIN] [RULE_SPECIFICATION]
arptables [-t table] [-A chain] [-I chain [rulenum]] [-D chain [rulenum]]
arptables [-C chain] [-R chain rulenum rule] [-L [chain]]
arptables [-F [chain]] [-Z [chain]] [-N chain] [-X [chain]]
arptables [-E old-chain new-chain] [-P chain target]
arptables [-h] [-V] [--atomic file] [--modprobe command]
Common Commands
Chain Management
-A chain- Append rule to chain-I chain [rulenum]- Insert rule into chain-D chain [rulenum]- Delete rule from chain-R chain rulenum- Replace rule in chain-L [chain]- List rules in chain-F [chain]- Flush all rules from chain-Z [chain]- Zero counters in chain-N chain- Create new user-defined chain-X [chain]- Delete user-defined chain-E old new- Rename chain-P chain target- Set policy for built-in chain
Table Operations
-t table- Specify table (default: filter)
Built-in Tables and Chains
Filter Table (default)
- INPUT - ARP packets destined for the local system
- OUTPUT - ARP packets generated by the local system
- FORWARD - ARP packets being forwarded through the system
Rule Specifications
Packet Matching
-s [!] address[/mask]- Source IP address-d [!] address[/mask]- Destination IP address--src-mac [!] address[/mask]- Source MAC address--dst-mac [!] address[/mask]- Destination MAC address-i [!] interface- Input interface-o [!] interface- Output interface--opcode [!] code- ARP opcode (request=1, reply=2)--h-type [!] type- Hardware type (1=Ethernet)--proto-type [!] type- Protocol type (0x0800=IP)
Actions/Targets
ACCEPT- Accept the packetDROP- Drop the packetREJECT- Reject the packetQUEUE- Pass packet to userspaceMARK- Set packet markRETURN- Return to calling chainDNAT- Destination NATSNAT- Source NATMASQUERADE- Masquerade source address
Common Options
General Options
-v, --verbose- Verbose output-n, --numeric- Numeric output (no DNS lookups)-x, --exact- Expand numbers--line-numbers- Print line numbers--modprobe=command- Module loading command--atomic=file- Atomic operations using file
Display Options
-c, --counters- Show packet/byte counters--version- Show version information-h, --help- Show help message
Usage Examples
Basic ARP Filtering
Viewing ARP Rules
# List all ARP rules with verbose output
arptables -L -v -n
# List rules with line numbers and counters
arptables -L --line-numbers -c
# List specific chain rules
arptables -L INPUT
# Show raw rule output
arptables -L -v -n --exact
Basic Rule Management
# Flush all ARP rules
arptables -F
# Set default policy to DROP
arptables -P INPUT DROP
arptables -P OUTPUT DROP
# Zero all counters
arptables -Z
# Create custom chain
arptables -N SECURITY
ARP Security Rules
Preventing ARP Spoofing
# Allow ARP requests/replies only from trusted MAC addresses
arptables -A INPUT --src-mac 00:11:22:33:44:55 -j ACCEPT
arptables -A INPUT --src-mac aa:bb:cc:dd:ee:ff -j ACCEPT
# Drop all other ARP packets
arptables -A INPUT -j DROP
# Allow outgoing ARP only to trusted networks
arptables -A OUTPUT -s 192.168.1.0/24 -j ACCEPT
arptables -A OUTPUT -j DROP
Static ARP Protection
# Allow ARP responses only for our own IP
arptables -A INPUT --dst-mac 00:1a:2b:3c:4d:5e -j ACCEPT
# Allow legitimate ARP requests
arptables -A INPUT --opcode request -j ACCEPT
# Drop suspicious ARP packets
arptables -A INPUT --opcode reply -j DROP
Gateway ARP Filtering
# Protect gateway from ARP poisoning
arptables -A INPUT -s 192.168.1.1 --src-mac 00:aa:bb:cc:dd:ee -j ACCEPT
arptables -A INPUT -s 192.168.1.254 --src-mac 00:ff:ee:dd:cc:bb -j ACCEPT
# Allow ARP broadcasts
arptables -A INPUT -d 255.255.255.255 -j ACCEPT
# Block everything else
arptables -A INPUT -j DROP
Network Access Control
Interface-Based Filtering
# Apply different rules per interface
arptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
arptables -A INPUT -i wlan0 -s 10.0.0.0/24 -j ACCEPT
arptables -A INPUT -j DROP
# Control ARP responses on specific interface
arptables -A OUTPUT -o eth1 --dst-mac 00:de:ad:be:ef:00 -j ACCEPT
VLAN and Segmentation
# Filter ARP traffic between VLANs
arptables -A FORWARD -i eth0.10 -o eth0.20 -j DROP
arptables -A FORWARD -i eth0.20 -o eth0.10 -j DROP
# Allow ARP within same VLAN
arptables -A FORWARD -i eth0.10 -o eth0.10 -j ACCEPT
arptables -A FORWARD -i eth0.20 -o eth0.20 -j ACCEPT
Advanced ARP Management
ARP Rate Limiting
# Create rate limiting chain
arptables -N RATE-LIMIT
# Allow limited ARP requests (using MARK for rate limiting)
arptables -A RATE-LIMIT -m limit --limit 10/second --limit-burst 20 -j ACCEPT
arptables -A RATE-LIMIT -j DROP
# Apply rate limiting to INPUT chain
arptables -A INPUT -j RATE-LIMIT
ARP Logging and Monitoring
# Log suspicious ARP activity
arptables -A INPUT -j LOG --log-prefix "ARP-INPUT: "
arptables -A OUTPUT -j LOG --log-prefix "ARP-OUTPUT: "
# Log ARP packets from unknown sources
arptables -A INPUT --src-mac ! 00:11:22:33:44:55 -j LOG --log-prefix "UNKNOWN-MAC: "
Practical Examples
Network Security
Enterprise ARP Security
#!/bin/bash
# Comprehensive ARP security configuration
# Clear existing rules
arptables -F
# Set default policies
arptables -P INPUT DROP
arptables -P OUTPUT DROP
arptables -P FORWARD DROP
# Allow loopback (for any ARP communication)
arptables -A INPUT -i lo -j ACCEPT
arptables -A OUTPUT -o lo -j ACCEPT
# Trusted servers (MAC-IP binding)
TRUSTED_SERVERS=(
"192.168.1.10:00:11:22:33:44:55"
"192.168.1.20:aa:bb:cc:dd:ee:ff"
"192.168.1.30:11:22:33:44:55:66"
)
for server in "${TRUSTED_SERVERS[@]}"; do
IP=${server%:*}
MAC=${server#*:}
arptables -A INPUT -s "$IP" --src-mac "$MAC" -j ACCEPT
arptables -A OUTPUT -d "$IP" --dst-mac "$MAC" -j ACCEPT
done
# Allow ARP broadcasts for network discovery
arptables -A INPUT -d 255.255.255.255 -j ACCEPT
arptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
# Log and drop everything else
arptables -A INPUT -j LOG --log-prefix "ARP-DROP: "
arptables -A INPUT -j DROP
arptables -A OUTPUT -j LOG --log-prefix "ARP-DROP: "
arptables -A OUTPUT -j DROP
echo "ARP security rules applied successfully"
DHCP Environment Protection
# Protect DHCP servers and clients
arptables -A INPUT --opcode request --src-mac ! 00:00:00:00:00:00 -j ACCEPT
arptables -A INPUT --opcode reply -j ACCEPT
# Allow DHCP server responses
arptables -A INPUT -s 192.168.1.1 --src-mac 00:aa:bb:cc:dd:ee -j ACCEPT
# Block ARP spoofing attempts
arptables -A INPUT --opcode reply -s 192.168.1.0/24 -j DROP
System Administration
ARP Table Backup and Restore
# Save current ARP rules
arptables-save > /etc/arptables.rules
# Restore ARP rules
arptables-restore < /etc/arptables.rules
# Create periodic backup script
#!/bin/bash
DATE=$(date +%Y%m%d_%H%M%S)
arptables-save > /backup/arptables_backup_$DATE.rules
ARP Monitoring Script
#!/bin/bash
# Monitor ARP traffic and detect anomalies
LOG_FILE="/var/log/arptables_monitor.log"
THRESHOLD=100 # Packets per minute
while true; do
COUNTER=$(arptables -L -v -n | grep "INPUT" | awk '{print $1}')
TIMESTAMP=$(date "+%Y-%m-%d %H:%M:%S")
if [ "$COUNTER" -gt "$THRESHOLD" ]; then
echo "$TIMESTAMP - High ARP activity detected: $COUNTER packets" >> "$LOG_FILE"
# Send alert to administrator
echo "ARP warning: High activity detected" | mail -s "ARP Alert" admin@example.com
fi
sleep 60
done
Development and Testing
ARP Packet Testing
# Test ARP rule effectiveness
arptables -A INPUT --src-mac 00:11:22:33:44:55 -j ACCEPT
arptables -A INPUT -j DROP
# Send test ARP packet
arping -c 1 -s 192.168.1.100 192.168.1.1
# Check if packet was accepted
arptables -L -v -n
ARP Rule Performance Testing
# Benchmark ARP rules
arptables -F
# Add complex rules for testing
for i in {1..1000}; do
arptables -A INPUT --src-mac "00:11:22:33:44:$(printf "%02x" $i)" -j ACCEPT
done
# Test performance
time arptables -L -n
# Clear rules
arptables -F
Advanced Usage
Atomic Rule Management
Safe Rule Updates
# Use atomic operations for safe updates
arptables --atomic /tmp/arptables.atomic -L
# Apply rules atomically
arptables --atomic /tmp/arptables.atomic -F
arptables --atomic /tmp/arptables.atomic -A INPUT -j ACCEPT
arptables --atomic /tmp/arptables.atomic --commit
# Create backup before changes
arptables-save > /etc/arptables.backup
arptables --atomic /tmp/arptables.atomic -L
Chain Management
Custom Chain Structures
# Create security chain hierarchy
arptables -N TRAFFIC_FILTER
arptables -N MAC_VALIDATION
arptables -N LOGGING
# Chain redirects
arptables -A INPUT -j TRAFFIC_FILTER
arptables -A TRAFFIC_FILTER -j MAC_VALIDATION
arptables -A MAC_VALIDATION -j LOGGING
# Add specific rules to chains
arptables -A MAC_VALIDATION --src-mac 00:11:22:33:44:55 -j ACCEPT
arptables -A LOGGING -j LOG --log-prefix "ARP-MATCH: "
arptables -A LOGGING -j DROP
Network Segmentation
Multi-Segment Network Control
# Control ARP between network segments
# Management network (192.168.1.0/24)
arptables -A FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -j DROP
arptables -A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -j DROP
# Guest network isolation
arptables -A FORWARD -s 192.168.100.0/24 -d 192.168.100.0/24 -j DROP
# DMZ restricted access
arptables -A FORWARD -s 192.168.200.0/24 -j ACCEPT
arptables -A FORWARD -d 192.168.200.0/24 -j DROP
Integration and Automation
System Integration
Systemd Service for ARP Rules
# /etc/systemd/system/arptables.service
[Unit]
Description=ARP Tables Firewall
Before=network-pre.target
Wants=network-pre.target
DefaultDependencies=no
[Service]
Type=oneshot
ExecStart=/usr/sbin/arptables-restore /etc/arptables.rules
ExecReload=/usr/sbin/arptables-restore /etc/arptables.rules
ExecStop=/usr/sbin/arptables -F
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
# Enable and start service
systemctl enable arptables.service
systemctl start arptables.service
Network Interface Integration
# /etc/network/if-up.d/arptables
#!/bin/bash
# Apply ARP rules when interface comes up
if [ "$IFACE" = "eth0" ]; then
arptables -A INPUT -i "$IFACE" -j ACCEPT
arptables -A OUTPUT -o "$IFACE" -j ACCEPT
fi
Automation Scripts
Dynamic ARP Protection
#!/bin/bash
# Dynamic ARP protection based on network topology
NETWORK_SCAN="192.168.1.0/24"
KNOWN_HOSTS_FILE="/etc/arp_known_hosts"
# Scan network for active hosts
arp-scan "$NETWORK_SCAN" | grep -E "([0-9]{1,3}\.){3}[0-9]{1,3}" | while read line; do
IP=$(echo "$line" | grep -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | head -1)
MAC=$(echo "$line" | grep -E "([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}" | head -1)
if [ -n "$IP" ] && [ -n "$MAC" ]; then
# Add rule for discovered host
arptables -A INPUT -s "$IP" --src-mac "$MAC" -j ACCEPT
echo "$IP:$MAC" >> "$KNOWN_HOSTS_FILE"
fi
done
# Set default drop policy
arptables -A INPUT -j DROP
ARP Rule Validation Script
#!/bin/bash
# Validate and repair ARP rules
REQUIRED_RULES=(
"--src-mac 00:11:22:33:44:55 -j ACCEPT"
"-s 192.168.1.0/24 -j ACCEPT"
)
echo "Checking ARP rules..."
for rule in "${REQUIRED_RULES[@]}"; do
if ! arptables -L | grep -q "$rule"; then
echo "Missing rule: $rule"
echo "Adding missing rule..."
arptables -A INPUT $rule
fi
done
# Verify default policies
INPUT_POLICY=$(arptables -L INPUT | grep "policy" | awk '{print $3}')
OUTPUT_POLICY=$(arptables -L OUTPUT | grep "policy" | awk '{print $3}')
if [ "$INPUT_POLICY" != "DROP" ]; then
echo "Warning: INPUT policy is not DROP"
fi
echo "ARP rule validation complete"
Troubleshooting
Common Issues
Rule Not Matching
# Debug rule matching issues
# Enable logging for specific rules
arptables -A INPUT --src-mac 00:11:22:33:44:55 -j LOG --log-prefix "ARP-TEST: "
arptables -A INPUT --src-mac 00:11:22:33:44:55 -j ACCEPT
# Check logs for matches
tail -f /var/log/messages | grep ARP-TEST
# Verify rule syntax
arptables -C INPUT --src-mac 00:11:22:33:44:55 -j ACCEPT
Performance Issues
# Monitor ARP rule performance
# Check rule counters frequently
watch -n 1 'arptables -L -v -n | head -20'
# Identify high-traffic rules
arptables -L -v -n | sort -k2,2nr | head -10
# Optimize rule order (most frequent matches first)
arptables -F
arptables -A INPUT --src-mac most_common_mac -j ACCEPT
arptables -A INPUT -s most_common_network -j ACCEPT
ARP Table Corruption
# Clear and rebuild ARP rules
arptables -F
arptables -X
# Reset policies
arptables -P INPUT ACCEPT
arptables -P OUTPUT ACCEPT
arptables -P FORWARD ACCEPT
# Restore from backup
if [ -f /etc/arptables.rules ]; then
arptables-restore < /etc/arptables.rules
else
echo "Warning: No backup file found, creating empty ruleset"
arptables-save > /etc/arptables.rules
fi
Debugging Tools
ARP Traffic Analysis
# Monitor ARP packets with tcpdump
tcpdump -i eth0 -nn -e arp
# Check ARP cache
arp -n
# Monitor ARP table changes
watch -n 1 'arp -n'
# Check ARP packets per second
tcpdump -i eth0 -c 100 arp | wc -l
Rule Effectiveness Testing
# Test specific ARP packet
arping -c 1 -s 192.168.1.100 192.168.1.1
# Check if rule matched
arptables -L INPUT -v -n
# Test with different source MAC
arping -c 1 -s 192.168.1.100 --source-mac aa:bb:cc:dd:ee:ff 192.168.1.1
Related Commands
iptables- IPv4 packet filtering and NATip6tables- IPv6 packet filteringebtables- Ethernet bridge frame table administrationarp- Display and manipulate the ARP cachearping- Send ARP REQUEST to a neighbour hosttcpdump- Dump traffic on a networknmap- Network exploration and security auditingnetstat- Print network connectionsss- Utility to investigate sockets
Best Practices
- Use specific MAC-IP bindings to prevent ARP spoofing
- Implement defense-in-depth with multiple security layers
- Log suspicious ARP activity for monitoring and incident response
- Regularly backup ARP rules using
arptables-save - Test rules in staging environment before production deployment
- Monitor ARP rule performance and optimize rule order
- Use atomic operations for safe rule updates
- Document all rules with comments for maintainability
- Implement rate limiting to prevent ARP flooding attacks
- Separate trusted and untrusted networks with different rule sets
Performance Tips
- Order rules by frequency - most common matches first
- Use specific matches to avoid unnecessary processing
- Minimize complex rules and break them into simpler ones
- Regular rule cleanup removes unused or redundant rules
- Use counters to identify hot rules for optimization
- Consider hardware acceleration if available
- Batch rule operations for better performance
- Monitor system resources under heavy ARP traffic
- Use appropriate logging levels to avoid performance impact
- Test with production traffic levels before deployment
The arptables command provides essential ARP layer security for Linux networks, offering powerful filtering capabilities that complement traditional IP-based firewalls. Its granular control over ARP traffic makes it invaluable for preventing network-level attacks and implementing sophisticated network access control policies. When properly configured and maintained, arptables significantly enhances network security by ensuring that only legitimate ARP communications are permitted, protecting against ARP poisoning, spoofing, and other ARP-based vulnerabilities.