Filtering ARP traffic with Linux arptables

Most Linux system administrators will be familiar with iptables on Linux. Less known is the arptables utility, which filters ARP packets in the same way iptables filters IP packets.

Installation

The arptables utility is easy to set up, as the main functionality is already implemented in the Linux kernel. Just install the arptables package on your favorite Linux distribution.

Red Hat / CentOS / Fedora

yum install arptables

Debian / Ubuntu

apt-get install arptables

Configuration example

To show the effect of filtering, we will take the ARP traffic of our router and block it. If this works, we won’t be able to connect to the internet anymore.

With the arp command we can query the current list of known ARP addresses.

root@ubuntu:/data# arp
 Address                  HWtype  HWaddress           Flags Mask            Iface
 System.cisofy.com        ether   00:a7:22:23:d1:f3   C                     eth0
 Router.cisofy.com        ether   d8:d7:21:22:5a:8d   C                     eth0

Arptables can block traffic by filtering on the IP address. So let’s query the ARP list again, now in numeric format.

root@ubuntu:/data# arp -n
 Address                  HWtype  HWaddress           Flags Mask            Iface
 192.168.1.20             ether   00:a7:22:23:d1:f3   C                     eth0
 192.168.1.1              ether   d8:d7:21:22:5a:f4   C                     eth0

Time to block the router (192.168.1.1):

root@ubuntu:/data# arptables -A INPUT -s 192.168.1.1 -j DROP

So we dropped traffic to this IP address, right? Let’s try!

root@ubuntu:/data# ping 192.168.1.1
 PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
 64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.645 ms
 64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.370 ms
 ^C
 --- 192.168.1.1 ping statistics ---
 2 packets transmitted, 2 received, 0% packet loss, time 1000ms
 rtt min/avg/max/mdev = 0.370/0.507/0.645/0.139 ms

Well, that didn’t work as intended. The rule drops ARP packets from this IP address, but the existing ARP cache entry still maps 192.168.1.1 to its MAC address, so the kernel has no reason to send a new ARP request and IP traffic keeps flowing. This is also visible in the arp -n list:

root@ubuntu:/data# arp -n
 Address                  HWtype  HWaddress           Flags Mask            Iface
 192.168.1.20             ether   00:a7:22:23:d1:f3   C                     eth0
 192.168.1.1              ether   d8:d7:21:22:5a:f4   C                     eth0

So to make this work, we simply have to flush the ARP cache. We delete the related ARP entry:

root@ubuntu:/data# arp -d 192.168.1.1
root@ubuntu:/data# arp -n
 Address                  HWtype  HWaddress           Flags Mask            Iface
 192.168.1.20             ether   00:a7:22:23:d1:f3   C                     eth0
 192.168.1.1                      (incomplete)                              eth0

The arp utility will show an incomplete entry. It knows that recently some traffic passed by, but the MAC address is unknown.

Let’s ping again:

root@ubuntu:/data# ping 192.168.1.1
 PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
 From 192.168.1.21 icmp_seq=1 Destination Host Unreachable
 From 192.168.1.21 icmp_seq=2 Destination Host Unreachable

That looks better!

Specific traffic filtering

Back to our original mission: only allow our router to exchange ARP packets.

# Block ARP traffic from all machines (default policy: DROP)
root@ubuntu:/data# arptables -P INPUT DROP

# Allow the router (fixed ARP entry, matched on its MAC address)
root@ubuntu:/data# arptables -A INPUT --source-mac d8:d7:21:22:5a:f4 -j ACCEPT

All other ARP packets are blocked now. Every other system that exchanges traffic with this host will end up as an (incomplete) entry in the ARP table.

Enable all ARP traffic

If we want to allow traffic again:

root@ubuntu:/data# arptables -P INPUT ACCEPT
root@ubuntu:/data# arptables --flush

Flushing the full ARP cache can be done with the ip utility:

root@ubuntu:/data# ip -s neighbour flush all

Conclusion

Arptables is a very powerful utility to filter traffic and avoid an unexpected router taking over our connectivity. However, keep in mind that connectivity is not fully blocked. Only ARP traffic is blocked (layer 2/3 on the OSI model). If someone is able to manually add an entry to the ARP table, traffic is able to flow again.


How to clear the ARP cache on Linux?

In some cases you might need to clear your ARP cache. There are two common ways on Linux, using the arp or ip utility.

Clearing cache with arp

The arp utility does not accept an option to clear the full cache. Instead, it lets you delete individual entries with the -d option.

root@ubuntu:~# arp -d 192.168.1.1

After deleting, have a look with the arp utility again to see the new list:

root@ubuntu:~# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1                      (incomplete)                              eth0
192.168.1.2              ether   00:02:9b:a2:d3:f3   C                     eth0
192.168.1.3              ether   00:02:9b:d9:d1:a2   C                     eth0

Clearing cache with ip

Newer Linux distributions have the ip utility, which has a more advanced way to clear out the full ARP cache.

root@ubuntu:~# ip -s -s neigh flush all
192.168.1.1 dev eth0 lladdr 00:a1:04:c6:10:14 used 757/757/28 probes 6 STALE
192.168.1.2 dev eth0 lladdr 00:02:9b:a2:d3:f3 used 2555/719/659 probes 6 STALE
192.168.1.3 dev eth0 lladdr 00:02:9b:d9:d1:a2 ref 1 used 0/0/0 probes 6 DELAY

*** Round 1, deleting 3 entries ***
*** Flush is complete after 1 round ***

Giving -s once makes the output verbose (it reports the number of deleted entries and the number of flush rounds); giving it twice also lists every deleted entry, as shown above. The neigh argument selects the neighbour table, which holds both the ARP (IPv4) and NDISC (IPv6) cache.

Conclusion

Depending on your distribution, the ip utility is quicker if you want to flush out the full ARP cache. For individual entries the arp tool will do the job as quickly.
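The arptables article above ends with the warning that an unexpected router can take over connectivity, and both articles show entries in the neighbour table that are either resolved, (incomplete) or in some NUD state. The following added example (not code from either article) parses both the `arp -n` and the `ip -s -s neigh` output formats shown on this page, checks the gateway entry against a pinned MAC address, and reports MACs that answer for several IPs on one interface. The listings and the value of PINNED_GATEWAY_MAC are constructed for the example.

```python
"""Parse Linux neighbour (ARP) table listings and check them against a pinned
gateway MAC.  Added example, not code from the original articles.  The listings
below are constructed to match the `arp -n` and `ip -s -s neigh` formats shown
in the articles; PINNED_GATEWAY_MAC is an assumed value for the example."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

# Constructed: the MAC we expect the router to have (e.g. taken from a known-good boot).
PINNED_GATEWAY_MAC = "d8:d7:21:22:5a:f4"

# Constructed `arp -n` listing, same layout as in the article.
ARP_SAMPLE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.20             ether   00:a7:22:23:d1:f3   C                     eth0
192.168.1.1              ether   d8:d7:21:22:5a:f4   C                     eth0
192.168.1.30                     (incomplete)                              eth0
"""

# Constructed `ip -s -s neigh flush all` listing; .2 and .3 deliberately share a MAC.
IP_NEIGH_SAMPLE = """\
192.168.1.1 dev eth0 lladdr 00:a1:04:c6:10:14 used 757/757/28 probes 6 STALE
192.168.1.2 dev eth0 lladdr 00:02:9b:a2:d3:f3 used 2555/719/659 probes 6 STALE
192.168.1.3 dev eth0 lladdr 00:02:9b:a2:d3:f3 ref 1 used 0/0/0 probes 6 DELAY
192.168.1.4 dev eth0 FAILED

*** Round 1, deleting 4 entries ***
*** Flush is complete after 1 round ***
"""


@dataclass
class Neighbour:
    ip: str
    mac: Optional[str]   # None when the kernel holds no MAC for this IP
    iface: str
    state: str           # arp flags ("C", "CM", ...) or ip neigh NUD state ("STALE", "FAILED", ...)


def parse_arp(text: str) -> List[Neighbour]:
    """Parse `arp -n` output (columns: Address HWtype HWaddress Flags Mask Iface)."""
    out: List[Neighbour] = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] == "Address":          # skip blank lines and the header
            continue
        if "(incomplete)" in f:                 # resolution attempted, no ARP reply yet
            out.append(Neighbour(f[0], None, f[-1], "incomplete"))
        elif len(f) >= 5 and MAC_RE.match(f[2]):
            out.append(Neighbour(f[0], f[2].lower(), f[-1], f[3]))
    return out


def parse_ip_neigh(text: str) -> List[Neighbour]:
    """Parse `ip neigh` lines: <ip> dev <iface> [lladdr <mac>] [counters...] <STATE>."""
    out: List[Neighbour] = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] == "***":         # skip blank lines and flush summary lines
            continue
        iface = f[f.index("dev") + 1] if "dev" in f else "?"
        mac = f[f.index("lladdr") + 1].lower() if "lladdr" in f else None
        out.append(Neighbour(f[0], mac, iface, f[-1]))
    return out


def check_gateway(entries: List[Neighbour], gateway_ip: str, pinned_mac: str) -> str:
    """Return 'ok', 'missing', 'unresolved' or 'mismatch:<mac>' for the gateway entry."""
    for e in entries:
        if e.ip == gateway_ip:
            if e.mac is None:
                return "unresolved"
            return "ok" if e.mac == pinned_mac.lower() else f"mismatch:{e.mac}"
    return "missing"


def duplicate_macs(entries: List[Neighbour]) -> Dict[str, List[str]]:
    """MACs that answer for more than one IP on the same interface.

    Worth reviewing rather than proof of anything: a router doing proxy ARP or a
    host with several addresses looks the same, but an unexpected duplicate for
    the gateway is exactly the situation arptables pinning is meant to prevent."""
    by_mac: Dict[tuple, List[str]] = {}
    for e in entries:
        if e.mac:
            by_mac.setdefault((e.iface, e.mac), []).append(e.ip)
    return {mac: ips for (_, mac), ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for name, entries in (("arp -n", parse_arp(ARP_SAMPLE)),
                          ("ip neigh", parse_ip_neigh(IP_NEIGH_SAMPLE))):
        print(f"[{name}] gateway: {check_gateway(entries, '192.168.1.1', PINNED_GATEWAY_MAC)}")
        for mac, ips in duplicate_macs(entries).items():
            print(f"[{name}] {mac} answers for {', '.join(ips)}")
```

On a real host the same functions can be fed the output of `arp -n` or `ip neigh` captured on a schedule; a result other than "ok" for the gateway is what you would alert on, and a pinned MAC in an arptables ACCEPT rule like the one in the article is the matching preventive control.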


Using xattrs or Extended Attributes on Linux

Extended attributes, xattrs for short, are an extensible mechanism to store metadata alongside files. In other words, they describe additional properties of the file. Normally this information is limited to things like ownership and dates. With xattrs, more information can be stored about the file.

Support for xattrs

Not all file systems have support for xattrs, but nowadays the most common ones support it (EXT4, Btrfs, ReiserFS, JFS and ZFS). To determine if your file system has xattr support enabled, check the options file of the related device:

# cat /proc/fs/ext4/sda1/options | grep xattr
user_xattr

One way to set an attribute for a file, is by adding an access control list (ACL) with the setfacl command. For example we want to allow the web server daemon to read data from /data/storage.

# setfacl -m u:www-data:r /data/storage

Running the command won’t give any output. So let’s check if something has changed:

# ls -l
total 4
drwxr-xr-x+ 2 root root 4096 Nov 18 16:00 storage

The plus sign in ls reveals there is something different than other files. Of course this is because of adding the extended attribute.

Although we could use the getfacl command to determine the permissions, we can actually use the getfattr command to see what kind of attribute is added.

# getfattr /data/storage
getfattr: Removing leading '/' from absolute path names
# file: data/storage
system.posix_acl_access

Now we know for sure it is an ACL stored in the extended attributes of this particular file (or actually directory).

If we want to see detailed information, we can use the xattr tool for that.

[Screenshot: using xattr to list the extended attributes of a file]

Other attributes

security.capability

The security.capability attribute stores Linux capabilities for the related file. It applies to binaries that are granted one or more capabilities through this attribute.
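To show what is actually stored in security.capability, here is an added example (not code from the original article) that decodes the attribute's binary value, the struct vfs_cap_data / vfs_ns_cap_data layout from the kernel's linux/capability.h: a little-endian magic word carrying the revision and the effective flag, one or two (permitted, inheritable) bitmask pairs, and for revision 3 the root id of the owning user namespace. The byte strings are constructed; the first is what a binary with cap_net_raw=ep carries. The file reader uses os.getxattr and returns None when the file has no such attribute.

```python
"""Decode the binary security.capability xattr (struct vfs_cap_data and
vfs_ns_cap_data from the kernel's linux/capability.h).  Added example, not
code from the original article.  The byte strings below are constructed; the
first matches what a binary carrying cap_net_raw=ep actually stores."""
import os
import struct
from typing import Dict, List, Optional

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
# Total attribute size per revision: u32 magic_etc + (permitted, inheritable) u32 pairs [+ u32 rootid]
VFS_CAP_SIZES = {1: 4 + 8, 2: 4 + 16, 3: 4 + 16 + 4}

# Capability names by number (bit position), as in linux/capability.h.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Constructed: revision 2, effective, permitted = CAP_NET_RAW (bit 13 -> 0x2000), nothing inheritable.
CAP_NET_RAW_BLOB = bytes.fromhex("01000002" "00200000" "00000000" "00000000" "00000000")
# Constructed: revision 3, effective, CAP_NET_BIND_SERVICE (bit 10 -> 0x400) permitted and
# inheritable, rootid 1000 (user-namespace file capability).
CAP_NS_BIND_BLOB = bytes.fromhex("01000003" "00040000" "00040000" "00000000" "00000000" "e8030000")


def cap_name(bit: int) -> str:
    return f"cap_{CAP_NAMES[bit]}" if bit < len(CAP_NAMES) else f"cap_{bit}"


def cap_bits_to_names(mask: int) -> List[str]:
    return [cap_name(i) for i in range(mask.bit_length()) if mask >> i & 1]


def decode_capability(blob: bytes) -> Dict:
    """Parse a raw security.capability value; raises ValueError on a malformed blob."""
    if len(blob) < 4:
        raise ValueError("too short for a vfs_cap_data header")
    magic_etc = struct.unpack_from("<I", blob, 0)[0]
    rev = (magic_etc & VFS_CAP_REVISION_MASK) >> 24
    if rev not in VFS_CAP_SIZES or len(blob) != VFS_CAP_SIZES[rev]:
        raise ValueError(f"unsupported revision {rev} or wrong size {len(blob)}")
    pairs = 1 if rev == 1 else 2          # rev 1 covers caps 0-31 only; rev 2/3 cover 0-63
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = struct.unpack_from("<I", blob, 20)[0] if rev == 3 else 0
    return {
        "revision": rev,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted_mask": permitted,
        "inheritable_mask": inheritable,
        "permitted": cap_bits_to_names(permitted),
        "inheritable": cap_bits_to_names(inheritable),
        "rootid": rootid,
    }


def format_like_getcap(decoded: Dict) -> str:
    """Render in the style getcap uses, e.g. 'cap_net_raw=ep' (caps grouped by flag set)."""
    groups: Dict[str, List[str]] = {}
    both = decoded["permitted_mask"] | decoded["inheritable_mask"]
    for i in range(both.bit_length()):
        if not both >> i & 1:
            continue
        in_p = bool(decoded["permitted_mask"] >> i & 1)
        flags = ("e" if decoded["effective"] and in_p else "") + ("p" if in_p else "") \
            + ("i" if decoded["inheritable_mask"] >> i & 1 else "")
        groups.setdefault(flags, []).append(cap_name(i))
    return " ".join(f"{','.join(names)}={flags}" for flags, names in groups.items())


def read_file_capability(path: str) -> Optional[Dict]:
    """Read and decode security.capability from a file; None if absent or unreadable."""
    getxattr = getattr(os, "getxattr", None)   # Linux-only call
    if getxattr is None:
        return None
    try:
        blob = getxattr(path, "security.capability")
    except OSError:   # ENODATA (no file caps), ENOTSUP (no xattr support), EACCES, ...
        return None
    return decode_capability(blob)


if __name__ == "__main__":
    for blob in (CAP_NET_RAW_BLOB, CAP_NS_BIND_BLOB):
        d = decode_capability(blob)
        print(f"rev {d['revision']} rootid {d['rootid']}: {format_like_getcap(d)}")
    print("ping:", read_file_capability("/bin/ping"))   # None on systems where ping has no file caps
```

Walking a file system with read_file_capability is a cheap way to inventory which binaries carry file capabilities, which is the same inventory getcap -r produces but with the raw revision and namespace root id visible.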

security.ima

For the Integrity Measurement Architecture (IMA), the security.ima attribute stores a hash or digital signature of the file contents.

security.evm

Similar to security.ima, the Extended Verification Module (EVM) stores a hash/HMAC or digital signature in this attribute. The difference from IMA is that it protects the metadata of the file, not the contents.

Related tools

getfacl

Installation: apt-get install acl

getfattr

Installation: apt-get install attr

xattr

Installation: apt-get install python-xattr
