arptables

ARPTABLES(8)							 ARPTABLES(8)



NAME
       arptables - administration tool for arp packet filtering

SYNOPSIS
       arptables [-t table] -[AD] chain rule-specification [options]
       arptables [-t table] -I chain [rulenum] rule-specification [options]
       arptables [-t table] -R chain rulenum rule-specification [options]
       arptables [-t table] -D chain rulenum [options]
       arptables [-t table] -[LFZ] [chain] [options]
       arptables [-t table] -N chain
       arptables [-t table] -X [chain]
       arptables [-t table] -P chain target [options]
       arptables [-t table] -E old-chain-name new-chain-name

DESCRIPTION
       Arptables  is  used to set up, maintain, and inspect the tables of ARP
       packet filter rules in the Linux kernel.	 Several different tables may
       be  defined.   Each table contains a number of built-in chains and may
       also contain user-defined chains.

       Each chain is a list of rules which can match a set of packets.	 Each
       rule  specifies what to do with a packet that matches.  This is called
       a ‘target’, which may be a jump to a user-defined chain	in  the	 same
       table.


TARGETS
       A firewall rule specifies criteria for a packet, and a target.  If the
       packet does not match, the next rule in the chain is examined; if it
       does match, then the next rule is specified by the value of the
       target, which can be the name of a user-defined chain or one of the
       special values ACCEPT, DROP, QUEUE, or RETURN.

       ACCEPT means to let the packet through.	DROP means to drop the packet
       on the floor.  QUEUE means to pass the packet to	 userspace  (if	 sup-
       ported  by  the	kernel).  RETURN means stop traversing this chain and
       resume at the next rule in the previous (calling) chain.	 If  the  end
       of a built-in chain is reached or a rule in a built-in chain with tar-
       get RETURN is matched, the target specified by the chain policy deter-
       mines the fate of the packet.

TABLES
       There is normally one table ("filter") included in the arptable_filter
       module.	Which tables are present at any time depends  on  the  kernel
       configuration options and which modules are present.

       -t, --table table
	      This  option specifies the packet matching table which the com-
	      mand should operate on.  If the kernel is configured with auto-
	      matic  module  loading,  an  attempt  will  be made to load the
	      appropriate module for that table if it is not already there.

	      The tables are as follows:

       filter This is the default table (if no -t option is passed).  It con-
	      tains the built-in chains INPUT (for ARP packets entering the
	      box) and OUTPUT (for locally-generated ARP packets).


OPTIONS
       The options that are recognized by arptables can be divided into
       several different groups.

   COMMANDS
       These  options  specify	the  specific action to perform.  Only one of
       them can be specified on the command line unless	 otherwise  specified
       below.  For all the long versions of the command and option names, you
       need to use only enough letters to ensure that arptables can differen-
       tiate it from all other options.

       -A, --append chain rule-specification
	      Append  one  or  more  rules  to the end of the selected chain.
	      When the source and/or destination names resolve to  more	 than
	      one  address,  a	rule  will be added for each possible address
	      combination.

       -D, --delete chain rule-specification
       -D, --delete chain rulenum
	      Delete one or more rules from the selected  chain.   There  are
	      two  versions  of	 this command: the rule can be specified as a
	      number in the chain (starting at 1 for the  first	 rule)	or  a
	      rule to match.

       -I, --insert chain [rulenum] rule-specification
	      Insert  one  or  more  rules in the selected chain as the given
	      rule number.  So, if the rule number is 1, the  rule  or	rules
	      are  inserted  at	 the  head  of	the  chain.  This is also the
	      default if no rule number is specified.

       -R, --replace chain rulenum rule-specification
	      Replace a rule in the selected chain.   If  the  source  and/or
	      destination  names  resolve  to multiple addresses, the command
	      will fail.  Rules are numbered starting at 1.

       -L, --list [chain]
	      List all rules in the selected chain.  If no chain is selected,
	      all chains are listed.  Like every other arptables command, it
	      applies to the specified table (filter is the default).
	      Please note that it is often used with the -n option, in order
	      to avoid long reverse DNS lookups.  It is legal to specify the
	      -Z (zero) option as well, in which case the chain(s) will be
	      atomically listed and zeroed.  The exact output is affected by
	      the other arguments given; the full rule details (interfaces
	      and counters) are suppressed until you use
	       arptables -L -v

       -F, --flush [chain]
	      Flush  the  selected chain (all the chains in the table if none
	      is given).  This is equivalent to deleting all the rules one by
	      one.

       -Z, --zero [chain]
	      Zero the packet and byte counters in the selected chain (all
	      chains in the table if none is given).  It is legal to specify
	      the -L, --list (list) option as well, to see the counters
	      immediately before they are cleared.  (See above.)

       -N, --new-chain chain
	      Create  a new user-defined chain by the given name.  There must
	      be no target of that name already.

       -X, --delete-chain [chain]
	      Delete the optional user-defined chain specified.	  There	 must
	      be  no  references to the chain.	If there are, you must delete
	      or replace the referring rules before the chain can be deleted.
	      If  no  argument is given, it will attempt to delete every non-
	      builtin chain in the table.

       -P, --policy chain target
	      Set the policy for the chain to the given target.	 See the sec-
	      tion  TARGETS  for the legal targets.  Only built-in (non-user-
	      defined) chains can have policies,  and  neither	built-in  nor
	      user-defined chains can be policy targets.

       -E, --rename-chain old-chain new-chain
	      Rename  the  user	 specified  chain  to the user supplied name.
	      This is cosmetic, and has no effect on the structure of the ta-
	      ble.

       -h     Help.  Give a (currently very brief) description of the command
	      syntax.

   PARAMETERS
       The following parameters make up a rule specification (as used in  the
       add, delete, insert, replace and append commands).

       -s, --source [!] address[/mask]
	      Source  specification.  Address can be either a network name, a
	      hostname (please note that specifying any name to	 be  resolved
	      with  a  remote query such as DNS is a really bad idea), a net-
	      work IP address (with /mask), or a plain IP address.  The	 mask
	      can  be either a network mask or a plain number, specifying the
	      number of 1’s at the left side of the network  mask.   Thus,  a
	      mask  of	24  is	equivalent  to 255.255.255.0.  A "!" argument
	      before the address  specification	 inverts  the  sense  of  the
	      address. The flag --src is an alias for this option.

       -d, --destination [!] address[/mask]
	      Destination specification.  See the description of the -s
	      (source) flag for a detailed description of the syntax.  The
	      flags --dst, --tgt and --target are aliases for this option.

       -z, --source-hw [!] hwaddr[mask]
	      Specify the source hardware (MAC) address of the packet.
	      hwaddr (and mask, if specified) must consist of one or more
	      8-bit hexadecimal numbers, separated by ':' characters.  If the
	      mask is not specified, it defaults to a number of 0xff octets
	      equal to the length of the hwaddr specified, then 0s.  The
	      flags --source-mac, --src-hw, and --src-mac are aliases for
	      this option.

       -y, --target-hw [!] hwaddr[mask]
	      Specify the target hardware (MAC) address of the packet.  This
	      is similar to the --src-hw option.  The flags --target-mac,
	      --tgt-hw, --tgt-mac, --dst-hw, and --dst-mac are all aliases
	      for this option.

       -i, --in-interface [!] name
	      Name of an interface via which a packet is going to be received
	      (only  for  packets  entering  the  INPUT chain).	 When the "!"
	      argument is used	before	the  interface	name,  the  sense  is
	      inverted.	 If the interface name ends in a "+", then any inter-
	      face which begins with this name will match.  If this option is
	      omitted, any interface name will match.

       -o, --out-interface [!] name
	      Name  of	an  interface  via which a packet is going to be sent
	      (for packets entering the OUTPUT chain).	When the "!" argument
	      is  used	before the interface name, the sense is inverted.  If
	      the interface name ends in a  "+",  then	any  interface	which
	      begins  with  this name will match.  If this option is omitted,
	      any interface name will match.

       -a, --arhln [!] value[mask]
	      Specify the hardware address length of the packet.  Both the
	      value and mask must be 8-bit hexadecimal numbers.  Note that
	      packets with an incorrect hardware address length field may be
	      dropped by the lower-level layers of the network stack, which
	      may limit the usefulness of this option.

       -p, --arpop [!] value[mask]
	      Specify the ARP operation field of the packet.  The value may
	      be either a 16-bit hexadecimal number or one of the names
	      "Request", "Reply", "Request_Reverse", "Reply_Reverse",
	      "DRARP_Request", "DRARP_Reply", "DRARP_Error", "InARP_Request",
	      or "ARP_NAK".  The mask (if specified) must be a 16-bit hexa-
	      decimal number.

       -H, --arhrd [!] value[mask]
	      Specify the hardware type field of the packet.  The value may
	      be either a 16-bit hexadecimal number or the name "Ethernet".
	      The mask (if specified) must be a 16-bit hexadecimal number.

       -w, --arpro [!] value[mask]
	      Specify the protocol type field of the packet.  The value may
	      be either a 16-bit hexadecimal number or the name "IPV4".  The
	      mask (if specified) must be a 16-bit hexadecimal number.

       -j, --jump target
	      This  specifies the target of the rule; i.e., what to do if the
	      packet matches it.  The target  can  be  a  user-defined	chain
	      (other  than  the	 one  this rule is in), or one of the special
	      builtin targets which decide the fate  of	 the  packet  immedi-
	      ately.   Unlike  iptables,  extensions are not yet implemented.
	      If this option is omitted in a rule,  then  matching  the	 rule
	      will  have  no effect on the packet’s fate, but the counters on
	      the rule will be incremented.

       -c, --set-counters PKTS BYTES
	      This enables the administrator to	 initialize  the  packet  and
	      byte  counters of a rule (during INSERT, APPEND, REPLACE opera-
	      tions).
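
       The following Python model is an added example; it is not part of
       arptables or the kernel.  It ties together the two mechanisms de-
       scribed under TARGETS and PARAMETERS: how a rule's value[mask] and
       "!" tests are applied to the fields of an ARP frame (-i with a "+"
       wildcard, -s/-d with a /mask, -z with the default hardware-address
       mask, -p), and how a verdict is reached when a jump to a user-defined
       chain ends in RETURN or the packet falls off the end of INPUT, where
       the chain policy decides.  The interface names, MAC and IP addresses,
       the GATEWAY chain and the frames themselves are constructed for the
       example; nothing touches a live kernel.

```python
# Toy model of arptables matching and chain traversal: an added example, not arptables
# or kernel code.  The interfaces, MACs, IPs and frames below are constructed in memory.
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETH_P_ARP, ETH_P_IP, ARPHRD_ETHER = 0x0806, 0x0800, 1
ARPOP = {"Request": 1, "Reply": 2}                  # two of the names --arpop accepts

@dataclass
class ArpPacket:
    in_iface: str    # -i  receiving interface (not carried in the frame)
    arhrd: int       # -H  hardware type
    arpro: int       # -w  protocol type
    arhln: int       # -a  hardware address length
    arpop: int       # -p  operation
    src_hw: bytes    # -z  sender hardware address
    src_ip: int      # -s  sender protocol address
    tgt_hw: bytes    # -y  target hardware address
    tgt_ip: int      # -d  target protocol address

def hw(colon: str) -> bytes:                        # "02:00:00:00:00:01" -> 6 bytes
    return bytes.fromhex(colon.replace(":", ""))

def parse_frame(in_iface: str, frame: bytes) -> ArpPacket:
    """Ethernet header (14 bytes), fixed ARP header (8), then sha, spa, tha, tpa."""
    hrd, pro, hln, pln, op = struct.unpack_from("!HHBBH", frame, 14)
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_ARP or pln != 4:
        raise ValueError("not an Ethernet frame carrying IPv4 ARP")
    sha, spa, tha, tpa = struct.unpack_from(f"!{hln}s4s{hln}s4s", frame, 22)
    return ArpPacket(in_iface, hrd, pro, hln, op, sha,
                     int.from_bytes(spa, "big"), tha, int.from_bytes(tpa, "big"))

def build_frame(op: int, sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    """Constructed test input: an Ethernet/IPv4 ARP frame sent to the broadcast MAC."""
    eth = b"\xff" * 6 + sha + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", ARPHRD_ETHER, ETH_P_IP, 6, 4, op)
    return eth + arp + sha + socket.inet_aton(spa) + tha + socket.inet_aton(tpa)

def ip_spec(spec: str, invert: bool = False) -> Tuple[int, int, bool]:
    """-s/-d addr[/mask] as (network, mask, invert); a mask of 24 is 255.255.255.0."""
    addr, _, bits = spec.partition("/")
    mask = (0xFFFFFFFF << (32 - int(bits or 32))) & 0xFFFFFFFF
    return int.from_bytes(socket.inet_aton(addr), "big") & mask, mask, invert

def hw_spec(spec: str, mask: str = "", invert: bool = False) -> Tuple[bytes, bytes, bool]:
    """-z/-y hwaddr[mask]: the mask defaults to 0xff per given octet, then zeros."""
    addr = hw(spec)
    m = hw(mask) if mask else b"\xff" * len(addr)
    return addr.ljust(6, b"\0"), m.ljust(6, b"\0"), invert

@dataclass
class Rule:
    target: Optional[str] = None                        # -j; None = count only
    in_iface: Optional[Tuple[str, bool]] = None         # (name, invert)
    src_ip: Optional[Tuple[int, int, bool]] = None      # (value, mask, invert)
    tgt_ip: Optional[Tuple[int, int, bool]] = None
    src_hw: Optional[Tuple[bytes, bytes, bool]] = None
    arpop: Optional[Tuple[int, int, bool]] = None
    packets: int = 0

def matches(rule: Rule, pkt: ArpPacket) -> bool:
    # Every given field must match; "!" inverts a field, so hit == invert is a failure.
    if rule.in_iface:
        name, inv = rule.in_iface                       # trailing "+" = prefix match
        if (pkt.in_iface.startswith(name[:-1]) if name.endswith("+") else pkt.in_iface == name) == inv:
            return False
    for spec, val in ((rule.src_ip, pkt.src_ip), (rule.tgt_ip, pkt.tgt_ip), (rule.arpop, pkt.arpop)):
        if spec and ((val & spec[1]) == spec[0]) == spec[2]:
            return False
    if rule.src_hw:
        addr, mask, inv = rule.src_hw
        if all((p ^ a) & m == 0 for p, a, m in zip(pkt.src_hw, addr, mask)) == inv:
            return False
    return True

def walk(chains: Dict[str, List[Rule]], chain: str, pkt: ArpPacket) -> Optional[str]:
    """Traverse one chain; None means RETURN was hit or the chain ran out."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        rule.packets += 1
        if rule.target is None:                         # no -j: counters only
            continue
        if rule.target in ("ACCEPT", "DROP", "RETURN"):
            return None if rule.target == "RETURN" else rule.target
        verdict = walk(chains, rule.target, pkt)        # jump to a user-defined chain
        if verdict is not None:
            return verdict
    return None

def filter_packet(chains, policies: Dict[str, str], chain: str, pkt: ArpPacket) -> str:
    return walk(chains, chain, pkt) or policies[chain]  # end of a built-in chain -> policy

def demo_verdict(iface: str, sender_mac: str) -> str:
    """Constructed policy: only MAC 02:00:00:00:00:01 may claim 192.168.1.1 on eth*."""
    chains = {"INPUT": [Rule("GATEWAY", in_iface=("eth+", False), src_ip=ip_spec("192.168.1.1"))],
              "GATEWAY": [Rule("RETURN", src_hw=hw_spec("02:00:00:00:00:01")), Rule("DROP")]}
    reply = build_frame(ARPOP["Reply"], hw(sender_mac), "192.168.1.1", hw("02:00:00:00:00:50"), "192.168.1.50")
    return filter_packet(chains, {"INPUT": "ACCEPT"}, "INPUT", parse_frame(iface, reply))
```

       demo_verdict("eth0", "02:00:00:00:00:ee") returns DROP, the same re-
       ply from 02:00:00:00:00:01 returns ACCEPT because the GATEWAY chain's
       RETURN hands the packet back to INPUT, whose policy then applies, and
       a spoofed reply arriving on wlan0 is also accepted because the INPUT
       rule is restricted to -i eth+.  That last gap is exactly what the
       per-rule packet counters shown by -L -v help you notice.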

   OTHER OPTIONS
       The following additional options can be specified:

       -v, --verbose
	      Verbose output.  This option makes the list command show the
	      interface names and the rule options (if any).  The packet and
	      byte counters are also listed, with the suffix 'K', 'M' or 'G'
	      for 1000, 1,000,000 and 1,000,000,000 multipliers respectively
	      (but see the -x flag to change this).  For appending, inser-
	      tion, deletion and replacement, this causes detailed informa-
	      tion on the rule or rules to be printed.

       -n, --numeric
	      Numeric output.  IP addresses will be printed in numeric for-
	      mat.  By default, the program will try to display them as host
	      names or network names (whenever applicable).

       -x, --exact
	      Expand numbers.  Display the exact value of the packet and byte
	      counters, instead of only the rounded number in K’s  (multiples
	      of  1000) M’s (multiples of 1000K) or G’s (multiples of 1000M).
	      This option is only relevant for the -L command.

       --line-numbers
	      When listing rules, add line numbers to the beginning  of	 each
	      rule, corresponding to that rule’s position in the chain.

       --modprobe=command
	      When  adding  or	inserting  rules into a chain, use command to
	      load any necessary modules (targets, match extensions, etc).


   MANGLE OPTIONS
       The kernel mangle target module (selected with -j mangle, see
       EXAMPLES) supports the following options:

       --mangle-ip-s IP address
	      Change the source IP address of the  packet  to  the  specified
	      value.

       --mangle-ip-d IP address
	      Change  the  destination IP address of the packet to the speci-
	      fied value.

       --mangle-hw-s hardware address
	      Change the source hardware (MAC) address of the packet to the
	      specified value.

       --mangle-hw-d hardware address
	      Change  the destination hardware (MAC) address of the packet to
	      the specified value.

       --mangle-target target
	      Disposition of the packet.  Valid targets are DROP, CONTINUE,
	      or ACCEPT.  If no --mangle-target option is specified, the
	      default is ACCEPT.


EXAMPLES
       Let's say you have a machine with two IP addresses aaaa and bbbb.
       Address aaaa is only for the use of machine cccc.  No other machine
       should be allowed to connect to it.  Iptables rules are configured to
       enforce this requirement; arptables rules on the built-in INPUT and
       OUTPUT chains keep the ARP layer consistent with it.
	      # Configure iptables to NAT any attempt to use aaaa on
	      # outgoing packets to machines other than cccc to use
	      # bbbb instead
	      iptables -t nat -A POSTROUTING -s aaaa ! -d cccc \
		  -j SNAT --to bbbb

	      # Ignore ARP requests from machines other than cccc for
	      # address aaaa.
	      arptables -A INPUT ! -s cccc -d aaaa -j DROP

	      # Mangle any outgoing requests from address aaaa to any
	      # machine but cccc to use address bbbb instead.
	      arptables -A OUTPUT -s aaaa ! -d cccc -j mangle \
		  --mangle-ip-s bbbb

DIAGNOSTICS
       Various	error  messages are printed to standard error.	The exit code
       is 0 for correct functioning.  Errors which appear  to  be  caused  by
       invalid or abused command line parameters cause an exit code of 2, and
       other errors cause an exit code of 1.

BUGS
       The -L -v output is excessively wide.

       The short option names were chosen at random.

       Well... the counters are not reliable on sparc64.


SEE ALSO
       arptables-save(8), arptables-restore(8), iptables(8), iptables-save(8),
       iptables-restore(8), ip6tables(8), ip6tables-save(8),
       ip6tables-restore(8).

       See http://www.netfilter.org/.

AUTHORS
       Jay Fenlason <fenlason@redhat.com> wrote arptables, which was based on
       the iptables code by Rusty Russell, in early consultation with Michael
       Neuling.

       The iptables man page was written by Herve Eychenne <rv@wallfire.org>,
       Jay Fenlason <fenlason@redhat.com> adapted it for arptables.



				 Mar 09, 2002			 ARPTABLES(8)