Filtering ARP traffic with Linux arptables

Most Linux system administrators are familiar with iptables. Less known is the arptables utility, which filters ARP packets: the layer 2 traffic that maps IP addresses to MAC addresses before any IP packet can be delivered on the local network.

Installation of arptables

The arptables utility is easy to set up, as the filtering itself is implemented in the Linux kernel; the package only provides the userspace tool. Just install the arptables package on your favorite Linux distribution. On recent Debian, Ubuntu and Red Hat releases the arptables command is the nftables-backed variant shipped with the iptables project, but the syntax used below is the same.

  • Debian / Ubuntu: apt install arptables
  • Red Hat / CentOS: yum install arptables (dnf on newer releases)

Configuration example

To show the effect of filtering, we will filter the ARP traffic of our router and block it. Every packet to the internet has to pass the router, and the kernel can only send to the router after resolving its MAC address via ARP, so this cuts off our internet connectivity.

With the arp command we can query the ARP cache, the kernel's table of currently known IP to MAC address mappings.

# arp
Address                  HWtype  HWaddress           Flags Mask            Iface
System.cisofy.com        ether   00:a7:22:23:d1:f3   C                     eth0
Router.cisofy.com        ether   d8:d7:21:22:5a:f4   C                     eth0

Arptables matches on the addresses carried inside the ARP packet, so we need the IP address rather than the hostname. Let's query the ARP cache again, now in numeric format:

# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.20             ether   00:a7:22:23:d1:f3   C                     eth0
192.168.1.1              ether   d8:d7:21:22:5a:f4   C                     eth0

Time to block the router (192.168.1.1). The rule below drops every incoming ARP packet whose sender IP address is 192.168.1.1, which includes the router's replies to our own ARP requests:

arptables -A INPUT -s 192.168.1.1 -j DROP

So we dropped traffic to this IP address, right? Let's try!

# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.645 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.370 ms
^C
--- 192.168.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.370/0.507/0.645/0.139 ms

Well, that didn't work as intended. The rule only affects ARP packets, not IP packets, and the kernel does not need ARP for a destination whose MAC address is still cached: the earlier resolution of 192.168.1.1 stays valid until the neighbour state machine decides to re-verify it, and even then the entry is only removed after repeated unanswered probes. The ping therefore still goes out to the cached MAC address. The cached entry is also visible in the arp -n list:

# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.20             ether   00:a7:22:23:d1:f3   C                     eth0
192.168.1.1              ether   d8:d7:21:22:5a:f4   C                     eth0

So to see the filter take effect, we have to get rid of the cached entry. We delete the related ARP entry:

# arp -d 192.168.1.1
# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.20             ether   00:a7:22:23:d1:f3   C                     eth0
192.168.1.1                      (incomplete)                              eth0

The arp utility now shows an incomplete entry: the kernel sent an ARP request for 192.168.1.1 because there was traffic for it, but the reply was dropped by our rule, so the MAC address stays unknown.

Let’s ping again:

# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
From 192.168.1.21 icmp_seq=1 Destination Host Unreachable
From 192.168.1.21 icmp_seq=2 Destination Host Unreachable

That looks better!

Specific traffic filtering

Back to our original mission: only allow our router to exchange ARP packets with us. First block ARP traffic from all machines by setting the default policy of the INPUT chain to DROP:

arptables -P INPUT DROP

Then allow the router by adding an ACCEPT rule with a fixed hardware address. If you are working on the machine over the network, add the ACCEPT rule before switching the policy to DROP, otherwise you lock yourself out between the two commands. Matching on the MAC address alone is also not airtight, since MAC addresses can be spoofed: combine it with the router's IP address (-s 192.168.1.1) so that only ARP packets in which sender IP and sender MAC belong together are accepted.

arptables -A INPUT --source-mac d8:d7:21:22:5a:f4 -j ACCEPT

All other ARP packets are dropped now. Any other system that tries to reach us, or that we try to reach, ends up as an (incomplete) entry, because its requests and replies never pass the filter.
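The whole procedure from this section, as an added example that is not part of the original article or of the arptables project: a small shell script that emits and applies the rules in an order that cannot lock you out, matches the router on both its IP address and its MAC address, and provides the rollback. The values it assumes are the ones from the listings above (192.168.1.1, d8:d7:21:22:5a:f4, eth0); the script name and the DRY_RUN variable are my own.

```shell
#!/bin/sh
# Added example, not code from the original article or from the arptables
# project: pin the router's IP/MAC binding with arptables without ever
# locking yourself out. Assumed values (from the article's listings):
# gateway 192.168.1.1 with MAC d8:d7:21:22:5a:f4 on eth0. With DRY_RUN=1
# the commands are only printed, which is also how the script is tested.

# Syntax check for a MAC address such as d8:d7:21:22:5a:f4.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Syntax check for a dotted-quad IPv4 address (no range check on octets).
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the arptables commands, one per line, in an order that is safe to
# run over the network: the ACCEPT rule for the router exists before the
# chain policy flips to DROP, so the router's ARP replies are never lost.
# The ACCEPT rule matches sender IP *and* sender MAC; an ARP packet that
# claims the router's IP from another MAC hits the explicit DROP rule,
# whose packet counter (arptables -L INPUT -v -n) reveals spoofing attempts.
arp_rules() {
    gw_ip=$1; gw_mac=$2; iface=$3
    valid_ipv4 "$gw_ip" || { echo "invalid gateway IP: $gw_ip" >&2; return 1; }
    valid_mac "$gw_mac" || { echo "invalid gateway MAC: $gw_mac" >&2; return 1; }
    [ -n "$iface" ] || { echo "interface name required" >&2; return 1; }
    cat <<EOF
arptables -A INPUT -i $iface -s $gw_ip --source-mac $gw_mac -j ACCEPT
arptables -A INPUT -i $iface -s $gw_ip -j DROP
arptables -P INPUT DROP
EOF
}

# Run the commands (root required), or only print them when DRY_RUN=1.
# Afterwards the cached entry for the router is deleted so that the next
# packet to it is resolved through the filter, as the article shows.
apply_arp_rules() {
    rules=$(arp_rules "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$rules"
        return 0
    fi
    printf '%s\n' "$rules" | while IFS= read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done || return 1
    ip neigh del "$1" dev "$3" 2>/dev/null || true
    arptables -L INPUT -v -n
}

# Roll back: open the policy first, then flush, never the other way round.
undo_arp_rules() {
    arptables -P INPUT ACCEPT
    arptables -F INPUT
}

# Usage: DRY_RUN=1 sh pin-router-arp.sh 192.168.1.1 d8:d7:21:22:5a:f4 eth0
if [ $# -eq 3 ]; then
    apply_arp_rules "$@"
fi
```

Run it with DRY_RUN=1 first to see exactly which commands it would execute; without it the script needs root. The second rule is not needed for blocking, since the policy already drops everything else, but its packet counter in arptables -L INPUT -v -n tells you whether anyone on the LAN is claiming the router's IP address from another MAC.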

Enable all ARP traffic

If we want to allow all ARP traffic again, first reset the default policy to ACCEPT:

arptables -P INPUT ACCEPT

Then flush the rules. Doing this in the opposite order would leave the DROP policy active without any ACCEPT rule, and no ARP would pass at all.

arptables --flush

The full ARP cache can also be flushed with the ip utility (the -s flag reports what was deleted):

ip -s neighbour flush all

Conclusion

Arptables is a powerful utility to filter ARP traffic and to avoid an unexpected device on the local network taking over the role of our router by answering ARP requests for its IP address. However, keep in mind that connectivity is not fully blocked. Only ARP traffic is filtered (layer 2/3 on the OSI model), not the IP packets themselves: a host that already holds a valid cache entry keeps sending, and anyone who can add an entry to the ARP table by hand (a static entry, which the kernel never re-resolves) does not need ARP at all, so traffic is able to flow again. Arptables also only protects this host's own view of the network; it does nothing for the other machines on the LAN.
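A check for the bypass described above, as an added example that is not part of the original article: an audit of the neighbour table that reports when the router's IP address maps to a different MAC than the pinned one, or when the entry is static (PERMANENT), which is exactly what a manual arp -s or ip neigh add leaves behind. The sample neighbour table in the script is constructed; the router values are the ones used throughout this article.

```shell
#!/bin/sh
# Added example, not from the original article: audit the neighbour table
# against the pinned router binding. It reads "ip neigh show" output on
# stdin and flags (a) the router IP mapped to another MAC and (b) static
# (PERMANENT) entries, which the kernel never re-resolves and which
# therefore sidestep arptables entirely. Assumed: router 192.168.1.1 with
# MAC d8:d7:21:22:5a:f4, the values used in the article.

# audit_neigh GW_IP GW_MAC < "ip neigh show" output
# Prints one finding per line; exit status 1 if the binding is wrong or
# static, 0 otherwise (a missing entry is reported but not treated as bad).
audit_neigh() {
    awk -v ip="$1" -v mac="$2" '
        $1 == ip {
            seen = 1
            lladdr = ""; state = $NF
            for (i = 1; i < NF; i++) if ($i == "lladdr") lladdr = $(i + 1)
            if (lladdr != "" && lladdr != mac) {
                printf "MISMATCH: %s resolves to %s, expected %s (%s)\n", ip, lladdr, mac, state
                bad = 1
            }
            if (state == "PERMANENT") {
                printf "STATIC: permanent entry for %s bypasses the ARP filter\n", ip
                bad = 1
            }
        }
        END {
            if (!seen) print "MISSING: no neighbour entry for " ip
            exit bad ? 1 : 0
        }'
}

# Constructed sample in the format of "ip neigh show"; the second line is
# what a manually added static entry with a foreign MAC looks like.
SAMPLE_NEIGH='192.168.1.20 dev eth0 lladdr 00:a7:22:23:d1:f3 REACHABLE
192.168.1.1 dev eth0 lladdr 02:00:00:00:be:ef PERMANENT
192.168.1.30 dev eth0 FAILED'

# Live usage (no root needed):
#   ip neigh show | audit_neigh 192.168.1.1 d8:d7:21:22:5a:f4
# Offline demonstration on the constructed sample:
#   printf '%s\n' "$SAMPLE_NEIGH" | audit_neigh 192.168.1.1 d8:d7:21:22:5a:f4
```

A non-zero exit status from the audit is a good trigger for a cron job or monitoring check; combined with the packet counters of the arptables rules it covers both sides of the problem, spoofed ARP packets arriving on the wire and entries planted directly in the table.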

Feedback


This article was written by our Linux security expert Michael Boelen. With a focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution.
