Filtering ARP traffic with Linux arptables

Most Linux system administrators will be familiar with iptables on Linux. Less known is the arptables utility, which controls the filtering of ARP packets.

Installation

The arptables utility is easy to set up, as the main functionality is already implemented in the Linux kernel. Just install the arptables package on your favorite Linux distribution.

Red Hat / CentOS / Fedora

yum install arptables

Debian / Ubuntu

apt-get install arptables

Configuration example

To show the effect of filtering traffic, we start with an example that filters and blocks the ARP traffic of our router. This way we won’t be able to connect to the internet.

With the arp command we can query the current list of known ARP addresses.

Arptables can block traffic by filtering on the IP address carried in the ARP packet. So let’s query the ARP list again, now in numeric format.

Time to block the router (192.168.1.1):

So we dropped traffic to this IP address, right? Let’s try!

Well, that didn’t work as intended. We dropped ARP traffic related to the IP address, but not the IP traffic itself: the kernel still has a valid ARP cache entry for the router, so it knows the MAC address and keeps sending packets. This is also visible in the arp -n list:

So to make this work, we simply have to flush the ARP cache. We delete the related ARP entry:

The arp utility now shows an incomplete entry: it knows that traffic recently went to this address, but the MAC address is unknown, because the ARP reply that would resolve it is dropped.

Let’s ping again:

That looks better!

Specific traffic filtering

Back to our original mission: only allow our router to exchange ARP packets.

All other ARP packets are blocked now. Any other system that tries to exchange traffic with us will end up as an (incomplete) entry in the ARP table.

Enable all ARP traffic

If we want to allow traffic again:

Flushing the full ARP cache can be done with the ip utility:
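The router-only rule set, the rule set that re-enables all ARP traffic, and a check for the (incomplete) entries that blocked hosts leave behind, as an added example that is not part of the original article. It assumes a placeholder ROUTER_IP, a constructed arp -n sample, and a dry-run wrapper that only executes arptables when ARPTABLES_APPLY=1 is set and the tool is installed.

```shell
# Added example, not the article's own commands. ROUTER_IP is an assumed
# placeholder. Rules are executed only when ARPTABLES_APPLY=1 is set and
# arptables is installed; otherwise they are printed for review (dry run).
set -eu

# Rule set for "only allow our router to exchange ARP packets":
# default DROP on both chains, then explicit ACCEPTs for the router's IP.
router_only_rules() {
    router="$1"
    cat <<EOF
arptables -F
arptables -P INPUT DROP
arptables -P OUTPUT DROP
arptables -A INPUT --source-ip $router -j ACCEPT
arptables -A OUTPUT --destination-ip $router -j ACCEPT
EOF
}

# Rule set that re-enables all ARP traffic.
allow_all_rules() {
    cat <<EOF
arptables -F
arptables -P INPUT ACCEPT
arptables -P OUTPUT ACCEPT
EOF
}

# Run the rules read from stdin, or print them prefixed with [dry-run].
apply_rules() {
    if [ "${ARPTABLES_APPLY:-0}" = 1 ] && command -v arptables >/dev/null 2>&1; then
        sh -e
    else
        sed 's/^/[dry-run] /'
    fi
}

# Print the IPs of incomplete entries in `arp -n` output read from stdin:
# hosts whose ARP replies were dropped, so the kernel never learned a MAC.
incomplete_entries() {
    awk '/incomplete/ { print $1 }'
}

# Constructed sample of `arp -n` output after filtering (not a real capture).
SAMPLE_ARP='Address      HWtype  HWaddress          Flags Mask  Iface
192.168.1.1  ether   aa:bb:cc:dd:ee:ff  C           eth0
192.168.1.20         (incomplete)                   eth0
192.168.1.37         (incomplete)                   eth0'
router_only_rules "${ROUTER_IP:-192.168.1.1}" | apply_rules
printf '%s\n' "$SAMPLE_ARP" | incomplete_entries
```

After applying the rules for real, flush the neighbour cache (for example with ip -s -s neigh flush all) so that already-cached MAC addresses do not keep traffic flowing, as shown earlier with the router entry.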

Conclusion

Arptables is a very powerful utility to filter ARP traffic and avoid an unexpected router taking over our connectivity. However, keep in mind that connectivity is not fully blocked. Only ARP traffic is blocked (layer 2/3 on the OSI model). If someone is able to manually add an entry to the ARP table, traffic can flow again.
