arptables man page on Scientific


ARPTABLES(8)							  ARPTABLES(8)

NAME
       arptables - administration tool for arp packet filtering

SYNOPSIS
       arptables [-t table] -[AD] chain rule-specification [options]
       arptables [-t table] -I chain [rulenum] rule-specification [options]
       arptables [-t table] -R chain rulenum rule-specification [options]
       arptables [-t table] -D chain rulenum [options]
       arptables [-t table] -[LFZ] [chain] [options]
       arptables [-t table] -N chain
       arptables [-t table] -X [chain]
       arptables [-t table] -P chain target [options]
       arptables [-t table] -E old-chain-name new-chain-name

DESCRIPTION
       Arptables  is  used  to set up, maintain, and inspect the tables of ARP
       packet filter rules in the Linux kernel.	 Several different tables  may
       be  defined.   Each  table contains a number of built-in chains and may
       also contain user-defined chains.

       Each chain is a list of rules which can match a set of  packets.	  Each
       rule specifies what to do with a packet that matches.  This is called a
       `target', which may be a jump to a user-defined chain in the  same  ta‐
       ble.

TARGETS
       A  firewall rule specifies criteria for a packet, and a target.	If the
       packet does not match, the next rule in the chain is then examined;  if
       it does match, then the next rule is specified by the value of the tar‐
       get, which can be the name of a user-defined chain or one of  the  spe‐
       cial values ACCEPT, DROP, QUEUE, or RETURN.

       ACCEPT  means to let the packet through.	 DROP means to drop the packet
       on the floor.  QUEUE means to pass the packet  to  userspace  (if  sup‐
       ported  by  the	kernel).   RETURN means stop traversing this chain and
       resume at the next rule in the previous (calling) chain.	 If the end of
       a  built-in  chain is reached or a rule in a built-in chain with target
       RETURN is matched, the target specified by the chain policy  determines
       the fate of the packet.
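       The following is an added example, not text or code from this man page
       or from the arptables code base: a small Python model of chain traversal
       that shows the semantics just described (ACCEPT and DROP, RETURN falling
       back to the chain policy, jumps into user-defined chains, and rules
       without a target that only bump counters). The sample table and the
       placeholder addresses in it are constructed for the example.

```python
# Added example (not from the arptables man page or code base): a model of how
# a chain is walked, per the TARGETS section. QUEUE is left out because it hands
# the packet to userspace rather than deciding its fate here.
from dataclasses import dataclass, field
from typing import Callable, Optional

TERMINAL = {"ACCEPT", "DROP"}

@dataclass
class Rule:
    match: Callable[[dict], bool]   # predicate over the packet's fields
    target: Optional[str] = None    # ACCEPT, DROP, RETURN, a chain name, or None
    packets: int = 0                # per-rule packet counter, as listed by -L -v

@dataclass
class Table:
    chains: dict = field(default_factory=dict)   # chain name -> list of Rule
    policy: dict = field(default_factory=dict)   # built-in chain -> ACCEPT or DROP

    def traverse(self, chain: str, pkt: dict) -> Optional[str]:
        """Return the verdict for pkt on a built-in chain, or None when a
        user-defined chain ran off its end (resume in the calling chain)."""
        for rule in self.chains[chain]:
            if not rule.match(pkt):
                continue
            rule.packets += 1                # a match always counts ...
            t = rule.target
            if t is None:
                continue                     # ... but with no -j, fate is unchanged
            if t == "RETURN":
                break                        # stop here: policy or caller decides
            if t in TERMINAL:
                return t
            verdict = self.traverse(t, pkt)  # jump into a user-defined chain
            if verdict is not None:
                return verdict
        return self.policy.get(chain)        # None for user-defined chains

def example_table() -> Table:
    """Constructed sample: the man page's 'only cccc may ARP for aaaa' rule,
    with placeholder addresses, plus a user-defined chain that only counts."""
    t = Table(policy={"IN": "ACCEPT"})
    t.chains["count_req"] = [Rule(lambda p: p["op"] == "Request")]  # -p Request, no -j
    t.chains["IN"] = [
        Rule(lambda p: True, "count_req"),                           # -A IN -j count_req
        Rule(lambda p: p["src"] != "cccc" and p["dst"] == "aaaa", "DROP"),
    ]
    return t
```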

TABLES
       There  is normally one table ("filter") included in the arptable_filter
       module.	Which tables are present at any time  depends  on  the	kernel
       configuration options and which modules are present.

       -t, --table table
	      This  option  specifies the packet matching table which the com‐
	      mand should operate on.  If the kernel is configured with	 auto‐
	      matic module loading, an attempt will be made to load the appro‐
	      priate module for that table if it is not already there.

	      The tables are as follows:

       filter This is the default table (if no -t option is passed).  It  con‐
	      tains the built-in chains IN (for ARP packets entering the box)
	      and OUT (for locally-generated ARP packets).

OPTIONS
       The options that are recognized by arptables can be divided into
       several different groups.

   COMMANDS
       These options specify the specific action to perform.  Only one of them
       can be specified on the command line unless otherwise specified	below.
       For  all the long versions of the command and option names, you need to
       use only enough letters to ensure that arptables can  differentiate  it
       from all other options.

       -A, --append chain rule-specification
	      Append one or more rules to the end of the selected chain.  When
	      the source and/or destination names resolve  to  more  than  one
	      address, a rule will be added for each possible address combina‐
	      tion.

       -D, --delete chain rule-specification
       -D, --delete chain rulenum
	      Delete one or more rules from the selected chain.	 There are two
	      versions	of this command: the rule can be specified as a number
	      in the chain (starting at 1 for the first rule)  or  a  rule  to
	      match.

       -I, --insert chain [rulenum] rule-specification
	      Insert one or more rules in the selected chain as the given rule
	      number.  So, if the rule number is 1,  the  rule	or  rules  are
	      inserted	at the head of the chain.  This is also the default if
	      no rule number is specified.

       -R, --replace chain rulenum rule-specification
	      Replace a rule in the selected chain.  If the source and/or des‐
	      tination	names  resolve to multiple addresses, the command will
	      fail.  Rules are numbered starting at 1.

       -L, --list [chain]
	      List all rules in the selected chain.  If no chain is  selected,
	      all  chains  are	listed.	  As every other arptables command, it
	      applies to the specified table (filter is the default).
	      Please note that it is often used with the -n option,  in	 order
	      to  avoid	 long reverse DNS lookups.  It is legal to specify the
	      -Z (zero) option as well, in which case  the  chain(s)  will  be
	      atomically  listed  and zeroed.  The exact output is affected by
	      the other arguments given. The exact rules are suppressed	 until
	      you use
	       arptables -L -v

       -F, --flush [chain]
	      Flush the selected chain (all the chains in the table if none is
	      given).  This is equivalent to deleting all  the	rules  one  by
	      one.

       -Z, --zero [chain]
	      Zero the packet and byte counters in all chains.	It is legal to
	      specify the -L, --list (list) option as well, to see  the	 coun‐
	      ters immediately before they are cleared. (See above.)

       -N, --new-chain chain
	      Create  a	 new user-defined chain by the given name.  There must
	      be no target of that name already.

       -X, --delete-chain [chain]
	      Delete the optional user-defined chain specified.	 There must be
	      no  references  to  the chain.  If there are, you must delete or
	      replace the referring rules before the chain can be deleted.  If
	      no  argument  is	given,	it  will  attempt to delete every non-
	      builtin chain in the table.

       -P, --policy chain target
	      Set the policy for the chain to the given target.	 See the  sec‐
	      tion  TARGETS  for  the legal targets.  Only built-in (non-user-
	      defined) chains can have	policies,  and	neither	 built-in  nor
	      user-defined chains can be policy targets.

       -E, --rename-chain old-chain new-chain
	      Rename the user specified chain to the user supplied name.  This
	      is cosmetic, and has no effect on the structure of the table.

       -h     Help.  Give a (currently very brief) description of the  command
	      syntax.

   PARAMETERS
       The  following  parameters make up a rule specification (as used in the
       add, delete, insert, replace and append commands).

       -s, --source [!] address[/mask]
	      Source specification.  Address can be either a network  name,  a
	      hostname	(please	 note  that specifying any name to be resolved
	      with a remote query such as DNS is a really bad idea), a network
	      IP address (with /mask), or a plain IP address.  The mask can be
	      either a network mask or a plain number, specifying  the	number
	      of 1's at the left side of the network mask.  Thus, a mask of 24
	      is equivalent to	255.255.255.0.	 A  "!"	 argument  before  the
	      address specification inverts the sense of the address. The flag
	      --src is an alias for this option.

       -d, --destination [!] address[/mask]
	      Destination  specification.   See	 the  description  of  the  -s
	      (source)	flag  for  a  detailed description of the syntax.  The
	      flags --dst , --tgt and --target are aliases for this option.

       -z, --source-hw [!] hwaddr[mask]
	      Specify the source hardware (MAC) address of the packet.	hwaddr
	      (and  mask, if specified) must consist of one or more 8-bit hexa‐
	      decimal numbers, separated by ':' characters.  If the  mask  is
	      not  specified,  it defaults to a number of 0xff octets equal to
	      the  length  of  the  hwaddr  specified,	then  0s.   The	 flags
	      --source-mac  ,  --src-hw	 ,  and --src-mac are aliases for this
	      option.

       -y, --target-hw [!] hwaddr[mask]
	      Specify the target hardware (MAC) address of the	packet.	  This
	      is  similar  to  the  --src-hw option.  The flags --target-mac ,
	      --tgt-hw , --tgt-mac , --dst-hw , and --dst-mac are all  aliases
	      for this option.
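       The following is an added example, not code from this man page or from
       arptables itself, covering the address operands of -s/-d and of
       --source-hw/--target-hw described above: the numeric-or-dotted IP mask,
       the "!" inversion, and the default hardware mask of 0xff per octet given
       followed by 0s. It assumes a "/" separates hwaddr from its mask (the
       synopsis above shows none), and it does no name resolution.

```python
# Added example, not part of the arptables man page or its code base: the
# address/mask matching that -s/-d and --source-hw/--target-hw describe.
import ipaddress

HW_LEN = 6  # Ethernet hardware address length, in octets

def split_invert(spec: str):
    """Strip a leading '!' (given as '! addr' or '!addr'); it inverts the match."""
    spec = spec.strip()
    if spec.startswith("!"):
        return True, spec[1:].strip()
    return False, spec

def parse_hw(spec: str):
    """Return (addr, mask) as 6-byte strings for an hwaddr[mask] operand.
    Assumption: '/' separates the mask (the page's synopsis shows no separator).
    Without a mask, the documented default applies: 0xff for every octet
    given, then 0x00 for the rest; the address itself is zero-padded."""
    addr_s, _, mask_s = spec.partition("/")
    octets = [int(x, 16) for x in addr_s.split(":")]
    mask = [int(x, 16) for x in mask_s.split(":")] if mask_s else [0xff] * len(octets)
    if not 1 <= len(octets) <= HW_LEN or len(mask) > HW_LEN \
            or any(not 0 <= v <= 0xff for v in octets + mask):
        raise ValueError(f"bad hardware address spec: {spec!r}")
    octets += [0] * (HW_LEN - len(octets))
    mask += [0] * (HW_LEN - len(mask))
    return bytes(octets), bytes(mask)

def hw_matches(spec: str, packet_hw: str) -> bool:
    """Does packet_hw (a full 6-octet MAC) match the rule operand?"""
    invert, spec = split_invert(spec)
    addr, mask = parse_hw(spec)
    pkt = bytes(int(x, 16) for x in packet_hw.split(":"))
    if len(pkt) != HW_LEN:
        raise ValueError(f"bad packet address: {packet_hw!r}")
    hit = all((p & m) == (a & m) for p, a, m in zip(pkt, addr, mask))
    return hit != invert

def parse_ip(spec: str):
    """An -s/-d operand: plain address, address/prefixlen or address/dotted-mask.
    Names are not resolved here; the page warns that rules relying on remote
    name lookups are a bad idea."""
    return ipaddress.ip_network(spec, strict=False)

def ip_matches(spec: str, packet_ip: str) -> bool:
    invert, spec = split_invert(spec)
    hit = ipaddress.ip_address(packet_ip) in parse_ip(spec)
    return hit != invert
```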

       -i, --in-interface [!] name
	      Name  of an interface via which a packet is going to be received
	      (only for packets entering the IN chain).	 When the "!" argument
	      is  used	before	the interface name, the sense is inverted.  If
	      the interface name ends in  a  "+",  then	 any  interface	 which
	      begins  with  this  name will match.  If this option is omitted,
	      any interface name will match.

       -o, --out-interface [!] name
	      Name of an interface via which a packet is going to be sent (for
	      packets  entering the OUT chain).	 When the "!" argument is used
	      before the interface name, the sense is inverted.	 If the inter‐
	      face  name  ends	in a "+", then any interface which begins with
	      this name will match.  If this option is omitted, any  interface
	      name will match.

       -a, --arhln [!] value[mask]
	      Specify  the  hardware  address  length of the packet.  Both the
	      value and mask must be 8-bit  hexadecimal	 numbers.   Note  that
	      packets  with  an incorrect hardware address length field may be
	      dropped by the lower-level layers of the	network	 stack,	 which
	      may limit the usefulness of this option.

       -p, --arpop [!] value[mask]
	      Specify the arp operation field of the packet.  The value may be
	      either  a	 16-bit	 hexadecimal  number  or  one  of  the	 names
	      "Request",    "Reply",	"Request_Reverse",    "Reply_Reverse",
	      "DRARP_Request", "DRARP_Reply", "DRARP_Error",  "InARP_Request",
	      or  "ARP_NAK".  The mask (if specified) must be a 16-bit hexade‐
	      cimal number.

       -H, --arhrd [!] value[mask]
	      Specify the hardware type field of the packet.  The value may be
	      either  a 16-bit hexadecimal number or the name "Ethernet".  The
	      mask (if specified) must be a 16-bit hexadecimal number.

       -w, --arpro [!] value[mask]
	      Specify the protocol type field of the packet.  The value may be
	      either a 16-bit hexadecimal number or the name "IPV4".  The mask
	      (if specified) must be a 16-bit hexadecimal number.

       -j, --jump target
	      This specifies the target of the rule; i.e., what to do  if  the
	      packet  matches  it.   The  target  can  be a user-defined chain
	      (other than the one this rule is in),  or	 one  of  the  special
	      builtin targets which decide the fate of the packet immediately.
	      Unlike iptables, extensions are not yet  implemented.   If  this
	      option is omitted in a rule, then matching the rule will have no
	      effect on the packet's fate, but the counters on the  rule  will
	      be incremented.

       -c, --set-counters PKTS BYTES
	      This enables the administrator to initialize the packet and byte
	      counters of a rule (during INSERT, APPEND, REPLACE operations).

   OTHER OPTIONS
       The following additional options can be specified:

       -v, --verbose
	      Verbose output.  This option makes the  list  command  show  the
	      interface	 name,	the  rule options (if any), and the TOS masks.
	      The packet and byte counters are also listed,  with  the	suffix
	      'K',  'M' or 'G' for 1000, 1,000,000 and 1,000,000,000 multipli‐
	      ers respectively (but see the -x	flag  to  change  this).   For
	      appending,  insertion,  deletion	and  replacement,  this causes
	      detailed information on the rule or rules to be printed.

       -n, --numeric
	      Numeric output.  IP addresses and port numbers will  be  printed
	      in  numeric format.  By default, the program will try to display
	      them as host names, network names, or services (whenever	appli‐
	      cable).

       -x, --exact
	      Expand  numbers.	Display the exact value of the packet and byte
	      counters, instead of only the rounded number in  K's  (multiples
	      of  1000)	 M's (multiples of 1000K) or G's (multiples of 1000M).
	      This option is only relevant for the -L command.

       --line-numbers
	      When listing rules, add line numbers to the  beginning  of  each
	      rule, corresponding to that rule's position in the chain.

       --modprobe=command
	      When adding or inserting rules into a chain, use command to load
	      any necessary modules (targets, match extensions, etc).

   MANGLE OPTIONS
       The kernel mangle module supports the following options

       --mangle-ip-s IP address
	      Change the source IP address of  the  packet  to	the  specified
	      value.

       --mangle-ip-d IP address
	      Change the destination IP address of the packet to the specified
	      value.

       --mangle-hw-s hardware address
	      Change the source hardware (MAC) address of the  packet  to  the
	      specified value.

       --mangle-hw-d hardware address
	      Change  the  destination hardware (MAC) address of the packet to
	      the specified value.

       --mangle-target target
	      Disposition of the packet.  Valid targets are DROP, CONTINUE, or
	      ACCEPT.	If no --mangle-target option is specified, the default
	      is ACCEPT.

EXAMPLES
       Let's say you have a machine with  two  ip  addresses  aaaa  and	 bbbb.
       Address	aaaa  is  only	for the use of machine cccc.  No other machine
       should be allowed to connect to it.  Iptables rules are	configured  to
       enforce this requirement.
	      # Configure iptables to NAT any attempt to use aaaa on
	      # outgoing packets to machines other than cccc to use
	      # bbbb instead
	      iptables -t nat -A POSTROUTING -s aaaa ! -d cccc \
		  -j SNAT --to bbbb

	      # Ignore arp requests from machines other than cccc for
	      # address aaaa.
	      arptables -A IN ! -s cccc -d aaaa -j DROP

	      # Mangle any outgoing requests from address aaaa to any
	      # machine but cccc to use address bbbb instead.
	      arptables -A OUT -s aaaa ! -d cccc -j mangle \
		  --mangle-ip-s bbbb

DIAGNOSTICS
       Various error messages are printed to standard error.  The exit code is
       0 for correct functioning.  Errors which appear to be caused by invalid
       or  abused  command  line parameters cause an exit code of 2, and other
       errors cause an exit code of 1.

BUGS
       The -L -v output is excessively wide.

       The short option names were chosen at random.

       Well... the counters are not reliable on sparc64.

SEE ALSO
       arptables-save(8), arptables-restore(8), iptables(8), iptables-save(8),
       iptables-restore(8),    ip6tables(8),   ip6tables-save(8),   ip6tables-
       restore(8).

       See http://www.netfilter.org/.

AUTHORS
       Jay Fenlason <fenlason@redhat.com> wrote arptables, which was based  on
       the  iptables code by Rusty Russell, in early consultation with Michael
       Neuling.

       The iptables man page was written by Herve Eychenne  <rv@wallfire.org>,
       Jay Fenlason <fenlason@redhat.com> adapted it for arptables.

				 Mar 09, 2002			  ARPTABLES(8)