ARPTABLES(8)                                                      ARPTABLES(8)



NAME
       arptables - administration tool for arp packet filtering

SYNOPSIS
       arptables [-t table] -[AD] chain rule-specification [options]
       arptables [-t table] -I chain [rulenum] rule-specification [options]
       arptables [-t table] -R chain rulenum rule-specification [options]
       arptables [-t table] -D chain rulenum [options]
       arptables [-t table] -[LFZ] [chain] [options]
       arptables [-t table] -N chain
       arptables [-t table] -X [chain]
       arptables [-t table] -P chain target [options]
       arptables [-t table] -E old-chain-name new-chain-name

DESCRIPTION
       Arptables is used to set up, maintain, and inspect the tables of ARP
       packet filter rules in the Linux kernel.  Several different tables
       may be defined.  Each table contains a number of built-in chains and
       may also contain user-defined chains.

       Each chain is a list of rules which can match a set of packets.  Each
       rule specifies what to do with a packet that matches.  This is called
       a `target', which may be a jump to a user-defined chain in the same
       table.


TARGETS
       A firewall rule specifies criteria for a packet, and a target.  If
       the packet does not match, the next rule in the chain is examined;
       if it does match, then the next rule is specified by the value of
       the target, which can be the name of a user-defined chain or one of
       the special values ACCEPT, DROP, QUEUE, or RETURN.

       ACCEPT means to let the packet through.  DROP means to drop the
       packet on the floor.  QUEUE means to pass the packet to userspace
       (if supported by the kernel).  RETURN means stop traversing this
       chain and resume at the next rule in the previous (calling) chain.
       If the end of a built-in chain is reached or a rule in a built-in
       chain with target RETURN is matched, the target specified by the
       chain policy determines the fate of the packet.


TABLES
       There is normally one table ("filter") included in the
       arptable_filter module.  Which tables are present at any time
       depends on the kernel configuration options and which modules are
       present.

       -t, --table table
              This option specifies the packet matching table which the
              command should operate on.  If the kernel is configured with
              automatic module loading, an attempt will be made to load the
              appropriate module for that table if it is not already there.

              The tables are as follows:

       filter This is the default table (if no -t option is passed).  It
              contains the built-in chains IN (for ARP packets entering the
              box) and OUT (for locally-generated ARP packets).

OPTIONS
       The options that are recognized by arptables can be divided into
       several different groups.

   COMMANDS
       These options specify the specific action to perform.  Only one of
       them can be specified on the command line unless otherwise specified
       below.  For all the long versions of the command and option names,
       you need to use only enough letters to ensure that arptables can
       differentiate it from all other options.

       -A, --append chain rule-specification
              Append one or more rules to the end of the selected chain.
              When the source and/or destination names resolve to more than
              one address, a rule will be added for each possible address
              combination.

       -D, --delete chain rule-specification
       -D, --delete chain rulenum
              Delete one or more rules from the selected chain.  There are
              two versions of this command: the rule can be specified as a
              number in the chain (starting at 1 for the first rule) or a
              rule to match.

       -I, --insert chain [rulenum] rule-specification
              Insert one or more rules in the selected chain as the given
              rule number.  So, if the rule number is 1, the rule or rules
              are inserted at the head of the chain.  This is also the
              default if no rule number is specified.

       -R, --replace chain rulenum rule-specification
              Replace a rule in the selected chain.  If the source and/or
              destination names resolve to multiple addresses, the command
              will fail.  Rules are numbered starting at 1.

       -L, --list [chain]
              List all rules in the selected chain.  If no chain is
              selected, all chains are listed.  As every other arptables
              command, it applies to the specified table (filter is the
              default).  Please note that it is often used with the -n
              option, in order to avoid long reverse DNS lookups.  It is
              legal to specify the -Z (zero) option as well, in which case
              the chain(s) will be atomically listed and zeroed.  The exact
              output is affected by the other arguments given.  The exact
              rules are suppressed until you use
               arptables -L -v

       -F, --flush [chain]
              Flush the selected chain (all the chains in the table if none
              is given).  This is equivalent to deleting all the rules one
              by one.

       -Z, --zero [chain]
              Zero the packet and byte counters in all chains.  It is legal
              to specify the -L, --list (list) option as well, to see the
              counters immediately before they are cleared.  (See above.)

       -N, --new-chain chain
              Create a new user-defined chain by the given name.  There must
              be no target of that name already.

       -X, --delete-chain [chain]
              Delete the optional user-defined chain specified.  There must
              be no references to the chain.  If there are, you must delete
              or replace the referring rules before the chain can be
              deleted.  If no argument is given, it will attempt to delete
              every non-builtin chain in the table.

       -P, --policy chain target
              Set the policy for the chain to the given target.  See the
              section TARGETS for the legal targets.  Only built-in (non-
              user-defined) chains can have policies, and neither built-in
              nor user-defined chains can be policy targets.

       -E, --rename-chain old-chain new-chain
              Rename the user specified chain to the user supplied name.
              This is cosmetic, and has no effect on the structure of the
              table.

       -h     Help.  Give a (currently very brief) description of the
              command syntax.

   PARAMETERS
       The following parameters make up a rule specification (as used in
       the add, delete, insert, replace and append commands).

       -s, --source [!] address[/mask]
              Source specification: the sender IP address carried in the
              ARP header.  Address can be either a network name, a hostname
              (please note that specifying any name to be resolved with a
              remote query such as DNS is a really bad idea), a network IP
              address (with /mask), or a plain IP address.  The mask can be
              either a network mask or a plain number, specifying the number
              of 1's at the left side of the network mask.  Thus, a mask of
              24 is equivalent to 255.255.255.0.  A "!" argument before the
              address specification inverts the sense of the address.  The
              flag --src is an alias for this option.

       -d, --destination [!] address[/mask]
              Destination specification: the target IP address carried in
              the ARP header.  See the description of the -s (source) flag
              for a detailed description of the syntax.  The flags --dst ,
              --tgt and --target are aliases for this option.

       -z, --source-hw [!] hwaddr[mask]
              Specify the source hardware (MAC) address of the packet.
              hwaddr (and mask, if specified) must consist of one or more
              8-bit hexadecimal numbers, separated by ':' characters.  If
              the mask is not specified, it defaults to a number of 0xff
              octets equal to the length of the hwaddr specified, then 0s.
              The flags --source-mac , --src-hw , and --src-mac are aliases
              for this option.

       -y, --target-hw [!] hwaddr[mask]
              Specify the target hardware (MAC) address of the packet.  This
              is similar to the --src-hw option.  The flags --target-mac ,
              --tgt-hw , --tgt-mac , --dst-hw , and --dst-mac are all
              aliases for this option.

       -i, --in-interface [!] name
              Name of an interface via which a packet is going to be
              received (only for packets entering the IN chain).  When the
              "!" argument is used before the interface name, the sense is
              inverted.  If the interface name ends in a "+", then any
              interface which begins with this name will match.  If this
              option is omitted, any interface name will match.

       -o, --out-interface [!] name
              Name of an interface via which a packet is going to be sent
              (for packets entering the OUT chain).  When the "!" argument
              is used before the interface name, the sense is inverted.  If
              the interface name ends in a "+", then any interface which
              begins with this name will match.  If this option is omitted,
              any interface name will match.

       -a, --arhln [!] value[mask]
              Specify the hardware address length of the packet.  Both the
              value and mask must be 8-bit hexadecimal numbers.  Note that
              packets with an incorrect hardware address length field may be
              dropped by the lower-level layers of the network stack, which
              may limit the usefulness of this option.

       -p, --arpop [!] value[mask]
              Specify the arp operation field of the packet.  The value may
              be either a 16-bit hexadecimal number or one of the names
              "Request", "Reply", "Request_Reverse", "Reply_Reverse",
              "DRARP_Request", "DRARP_Reply", "DRARP_Error", "InARP_Request",
              or "ARP_NAK".  The mask (if specified) must be a 16-bit
              hexadecimal number.

       -H, --arhrd [!] value[mask]
              Specify the hardware type field of the packet.  The value may
              be either a 16-bit hexadecimal number or the name "Ethernet".
              The mask (if specified) must be a 16-bit hexadecimal number.

       -w, --arpro [!] value[mask]
              Specify the protocol type field of the packet.  The value may
              be either a 16-bit hexadecimal number or the name "IPV4".  The
              mask (if specified) must be a 16-bit hexadecimal number.

       -j, --jump target
              This specifies the target of the rule; i.e., what to do if the
              packet matches it.  The target can be a user-defined chain
              (other than the one this rule is in), or one of the special
              builtin targets which decide the fate of the packet
              immediately.  Unlike iptables, extensions are not yet
              implemented.  If this option is omitted in a rule, then
              matching the rule will have no effect on the packet's fate,
              but the counters on the rule will be incremented.

       -c, --set-counters PKTS BYTES
              This enables the administrator to initialize the packet and
              byte counters of a rule (during INSERT, APPEND, REPLACE
              operations).

   OTHER OPTIONS
       The following additional options can be specified:

       -v, --verbose
              Verbose output.  This option makes the list command show the
              interface name and the rule options (if any).  The packet and
              byte counters are also listed, with the suffix 'K', 'M' or 'G'
              for 1000, 1,000,000 and 1,000,000,000 multipliers respectively
              (but see the -x flag to change this).  For appending,
              insertion, deletion and replacement, this causes detailed
              information on the rule or rules to be printed.

       -n, --numeric
              Numeric output.  IP addresses will be printed in numeric
              format.  By default, the program will try to display them as
              host names or network names (whenever applicable).

       -x, --exact
              Expand numbers.  Display the exact value of the packet and
              byte counters, instead of only the rounded number in K's
              (multiples of 1000), M's (multiples of 1000K) or G's
              (multiples of 1000M).  This option is only relevant for the -L
              command.

       --line-numbers
              When listing rules, add line numbers to the beginning of each
              rule, corresponding to that rule's position in the chain.

       --modprobe=command
              When adding or inserting rules into a chain, use command to
              load any necessary modules (targets, match extensions, etc).


   MANGLE OPTIONS
       The kernel mangle module supports the following options.  They are
       used together with the target "-j mangle" (see EXAMPLES):

       --mangle-ip-s IP address
              Change the source IP address of the packet to the specified
              value.

       --mangle-ip-d IP address
              Change the destination IP address of the packet to the
              specified value.

       --mangle-hw-s hardware address
              Change the source hardware (MAC) address of the packet to the
              specified value.

       --mangle-hw-d hardware address
              Change the destination hardware (MAC) address of the packet to
              the specified value.

       --mangle-target target
              Disposition of the packet.  Valid targets are DROP, CONTINUE,
              or ACCEPT.  If no --mangle-target option is specified, the
              default is ACCEPT.



EXAMPLES
       Let's say you have a machine with two ip addresses aaaa and bbbb.
       Address aaaa is only for the use of machine cccc.  No other machine
       should be allowed to connect to it.  Iptables rules are configured
       to enforce this requirement.
              # Configure iptables to NAT any attempt to use aaaa on
              # outgoing packets to machines other than cccc to use
              # bbbb instead
              iptables -t nat -A POSTROUTING -s aaaa ! -d cccc \
                  -j SNAT --to bbbb

              # Ignore arp requests from machines other than cccc for
              # address aaaa.
              arptables -A IN ! -s cccc -d aaaa -j DROP

              # Mangle any outgoing requests from address aaaa to any
              # machine but cccc to use address bbbb instead.
              arptables -A OUT -s aaaa ! -d cccc -j mangle \
                  --mangle-ip-s bbbb


DIAGNOSTICS
       Various error messages are printed to standard error.  The exit code
       is 0 for correct functioning.  Errors which appear to be caused by
       invalid or abused command line parameters cause an exit code of 2,
       and other errors cause an exit code of 1.


BUGS
       The -L -v output is excessively wide.

       The short option names were chosen at random.

       Well... the counters are not reliable on sparc64.


SEE ALSO
       arptables-save(8), arptables-restore(8), iptables(8), iptables-save(8),
       iptables-restore(8), ip6tables(8), ip6tables-save(8),
       ip6tables-restore(8).

       See http://www.netfilter.org/.


AUTHORS
       Jay Fenlason <fenlason@redhat.com> wrote arptables, which was based
       on the iptables code by Rusty Russell, in early consultation with
       Michael Neuling.

       The iptables man page was written by Herve Eychenne <rv@wallfire.org>;
       Jay Fenlason <fenlason@redhat.com> adapted it for arptables.



                                 Mar 09, 2002                     ARPTABLES(8)