ARPTABLES(8) System Manager's Manual ARPTABLES(8)

NAME
arptables - ARP table administration

SYNOPSIS
arptables [-t table] -[AD] chain rule-specification [options]
arptables [-t table] -[RI] chain rulenum rule-specification [options]
arptables [-t table] -D chain rulenum [options]
arptables [-t table] -[LFZ] [chain] [options]
arptables [-t table] -[NX] chain
arptables [-t table] -E old-chain-name new-chain-name
arptables [-t table] -P chain target [options]

DESCRIPTION
arptables is a user space tool used to set up and maintain the tables
of ARP rules in the Linux kernel. These rules inspect the ARP frames
which they see. arptables is analogous to the iptables user space tool,
but arptables is less complicated.

CHAINS
The kernel table is used to divide functionality into different sets of
rules. Each set of rules is called a chain. Each chain is an ordered
list of rules that can match ARP frames. If a rule matches an ARP
frame, then a processing specification tells what to do with that
matching frame. The processing specification is called a 'target'.
However, if the frame does not match the current rule in the chain,
then the next rule in the chain is examined and so forth. The user can
create new (user-defined) chains which can be used as the 'target' of a
rule.

TARGETS
A firewall rule specifies criteria for an ARP frame and a frame
processing specification called a target. When a frame matches a rule,
then the next action performed by the kernel is specified by the
target. The target can be one of these values: ACCEPT, DROP, CONTINUE,
RETURN, an 'extension' (see below) or a user-defined chain.

ACCEPT means to let the frame through. DROP means the frame has to be
dropped. CONTINUE means the next rule has to be checked. This can be
handy to know how many frames pass a certain point in the chain or to
log those frames. RETURN means stop traversing this chain and resume
at the next rule in the previous (calling) chain. For the extension
targets please see the TARGET EXTENSIONS section of this man page.

TABLES
There is only one ARP table in the Linux kernel. The table is filter.
You can drop the '-t filter' argument to the arptables command. The -t
argument must be the first argument on the arptables command line, if
used.

-t, --table
filter, is the only table and contains two (Linux kernels 2.4.X) or
three (Linux kernels 2.6.0 and later) built-in chains: INPUT (for
frames destined for the host), OUTPUT (for locally-generated frames)
and FORWARD (for frames being forwarded by the bridge code). The
FORWARD chain doesn't exist in Linux 2.4.X kernels.

After the initial arptables command line argument, the remaining
arguments can be divided into several different groups. These groups
are commands, miscellaneous commands, rule-specifications,
match-extensions, and watcher-extensions.

COMMANDS
The arptables command arguments specify the actions to perform on the
table defined with the -t argument. If you do not use the -t argument
to name a table, the commands apply to the default filter table. With
the exception of the -Z command, only one command may be used on the
command line at a time.

-A, --append
Append a rule to the end of the selected chain.

-D, --delete
Delete the specified rule from the selected chain. There are two ways
to use this command. The first is by specifying an interval of rule
numbers to delete, syntax: start_nr[:end_nr]. Using negative numbers
is allowed; for more details about using negative numbers, see the -I
command. The second usage is by specifying the complete rule as it
would have been specified when it was added.

-I, --insert
Insert the specified rule into the selected chain at the specified rule
number. If the current number of rules equals N, then the specified
number can be between -N and N+1. For a positive number i, it holds
that i and i-N-1 specify the same place in the chain where the rule
should be inserted. The number 0 specifies the place past the last
rule in the chain, and using this number is therefore equivalent to
using the -A command.

-R, --replace
Replace the rule at the specified rule number in the selected chain.
If the current number of rules equals N, then the specified number can
be between 1 and N. i specifies the place in the chain where the rule
should be replaced.

-P, --policy
Set the policy for the chain to the given target. The policy can be
ACCEPT, DROP or RETURN.

-F, --flush
Flush the selected chain. If no chain is selected, then every chain
will be flushed. Flushing the chain does not change the policy of the
chain, however.

-Z, --zero
Set the counters of the selected chain to zero. If no chain is
selected, all the counters are set to zero. The -Z command can be used
in conjunction with the -L command. When both the -Z and -L commands
are used together in this way, the rule counters are printed on the
screen before they are set to zero.

-L, --list
List all rules in the selected chain. If no chain is selected, all
chains are listed.

-N, --new-chain
Create a new user-defined chain with the given name. The number of
user-defined chains is unlimited. A user-defined chain name has a
maximum length of 31 characters.

-X, --delete-chain
Delete the specified user-defined chain. There must be no remaining
references to the specified chain, otherwise arptables will refuse to
delete it. If no chain is specified, all user-defined chains that
aren't referenced will be removed.

-E, --rename-chain
Rename the specified chain to a new name. Besides renaming a
user-defined chain, you may rename a standard chain name to a name
that suits your taste. For example, if you like PREBRIDGING more than
PREROUTING, then you can use the -E command to rename the PREROUTING
chain. If you do rename one of the standard arptables chain names,
please be sure to mention this fact should you post a question on the
arptables mailing lists. It would be wise to use the standard name in
your post. Renaming a standard arptables chain in this fashion has no
effect on the structure or function of the arptables kernel table.

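The rule-number arithmetic that -I and -R accept (described under -D, -I and -R above) is easy to get wrong in scripts. The following POSIX shell helper is an added example, not part of arptables or its man page; it validates a rule number against the stated ranges and maps it to the canonical 1-based position before any arptables command line is built, so it needs neither root nor an installed arptables binary:

```shell
# Added example, not part of arptables: validate and normalise the rule
# number given to -I (insert) or -R (replace), following the ranges
# stated in the COMMANDS section. Pure shell arithmetic; no root needed.
#
# arpt_rulenum MODE N I
#   MODE  "insert" (-I) or "replace" (-R)
#   N     current number of rules in the chain
#   I     rule number as typed by the user (may be negative for -I)
# Prints the canonical 1-based position; returns non-zero when I is
# outside the range the command accepts.
arpt_rulenum() {
    mode=$1; n=$2; i=$3
    case "$mode" in
        insert)
            # -I accepts -N .. N+1. A positive i and i-N-1 name the same
            # slot, so 0 and negative values are shifted up by N+1
            # (0 therefore means "after the last rule", like -A).
            [ "$i" -ge $(( 0 - n )) ] && [ "$i" -le $(( n + 1 )) ] || return 1
            if [ "$i" -gt 0 ]; then
                echo "$i"
            else
                echo $(( i + n + 1 ))
            fi
            ;;
        replace)
            # -R only addresses an existing rule: 1 .. N.
            [ "$i" -ge 1 ] && [ "$i" -le "$n" ] || return 1
            echo "$i"
            ;;
        *)
            echo "arpt_rulenum: unknown mode '$mode'" >&2
            return 2
            ;;
    esac
}

# arpt_insert_cmd N I CHAIN RULE-SPECIFICATION...
# Builds the full -I command line only after the number has been
# checked, so an out-of-range number is caught before arptables runs.
arpt_insert_cmd() {
    n=$1; i=$2; chain=$3; shift 3
    pos=$(arpt_rulenum insert "$n" "$i") || return 1
    echo "arptables -I $chain $pos $*"
}
```

With three rules in the chain, `arpt_rulenum insert 3 -3` and `arpt_rulenum insert 3 1` both print 1, and `arpt_rulenum insert 3 0` prints 4, the append position.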
MISCELLANEOUS COMMANDS
-V, --version
Show the version of the arptables userspace program.

-h, --help
Give a brief description of the command syntax.

-j, --jump target
The target of the rule. This is one of the following values: ACCEPT,
DROP, CONTINUE, RETURN, a target extension (see TARGET EXTENSIONS) or
a user-defined chain name.

-c, --set-counters PKTS BYTES
This enables the administrator to initialize the packet and byte
counters of a rule (during INSERT, APPEND, REPLACE operations).

RULE-SPECIFICATIONS
The following command line arguments make up a rule specification (as
used in the add and delete commands). A "!" option before the
specification inverts the test for that specification. Apart from
these standard rule specifications there are some other command line
arguments of interest.

-s, --source-ip [!] address[/mask]
The Source IP specification.

-d, --destination-ip [!] address[/mask]
The Destination IP specification.

--source-mac [!] address[/mask]
The source MAC address. Both mask and address are written as 6
hexadecimal numbers separated by colons.

--destination-mac [!] address[/mask]
The destination MAC address. Both mask and address are written as 6
hexadecimal numbers separated by colons.

-i, --in-interface [!] name
The interface via which a frame is received (for the INPUT and FORWARD
chains). The flag --in-if is an alias for this option.

-o, --out-interface [!] name
The interface via which a frame is going to be sent (for the OUTPUT
and FORWARD chains). The flag --out-if is an alias for this option.

-l, --h-length length[/mask]
The hardware address length (number of bytes).

--opcode code[/mask]
The operation code (2 bytes). Available values are: 1=Request
2=Reply 3=Request_Reverse 4=Reply_Reverse 5=DRARP_Request
6=DRARP_Reply 7=DRARP_Error 8=InARP_Request 9=ARP_NAK.

--h-type type[/mask]
The hardware type (2 bytes, hexadecimal). Available values are:
1=Ethernet.

--proto-type type[/mask]
The protocol type (2 bytes). Available values are: 0x800=IPv4.

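As an added example that is not part of the arptables man page or project, the POSIX shell script below combines the rule specifications above with the standard targets to pin the default gateway's IP address to its MAC address on the INPUT chain, so that ARP frames claiming the gateway IP from any other hardware address are dropped and every frame mentioning that IP is counted. The gateway IP, MAC and interface are constructed placeholder values; the commands are produced as text so they can be reviewed, and are only executed when the script is run as root with --apply and arptables is installed.

```shell
#!/bin/sh
# Added example (not from the arptables project): generate, and on
# request apply, arptables rules that pin the gateway IP to its MAC.
# GW_IP, GW_MAC and LAN_IF below are constructed placeholder values.
GW_IP=${GW_IP:-192.0.2.1}
GW_MAC=${GW_MAC:-02:00:00:00:00:01}
LAN_IF=${LAN_IF:-eth0}

# arp_pin_rules GW_IP GW_MAC IFACE
# Prints one arptables command per line. Order matters: rules are
# appended (-A) and evaluated top to bottom, so the ACCEPT for the
# genuine gateway must come before the DROP that catches everyone else.
arp_pin_rules() {
    gw_ip=$1; gw_mac=$2; ifname=$3
    # 1. Count every ARP frame whose sender IP is the gateway's, without
    #    deciding anything: CONTINUE hands the frame to the next rule,
    #    and "arptables -L INPUT" later shows this rule's counters.
    echo "arptables -A INPUT -i $ifname -s $gw_ip -j CONTINUE"
    # 2. Gateway IP sent from the gateway's own MAC: the expected binding.
    echo "arptables -A INPUT -i $ifname -s $gw_ip --source-mac $gw_mac -j ACCEPT"
    # 3. Gateway IP from any other MAC: a conflicting binding, drop it.
    echo "arptables -A INPUT -i $ifname -s $gw_ip -j DROP"
}

# arp_pin_apply GW_IP GW_MAC IFACE
# Executes the generated commands one by one, stopping at the first
# failure; requires root and an installed arptables binary.
arp_pin_apply() {
    command -v arptables >/dev/null 2>&1 || { echo "arptables not found" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "must run as root to apply" >&2; return 1; }
    arp_pin_rules "$@" | while IFS= read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Default is a dry run that only prints the rules; --apply installs them.
case "${1:-}" in
    --apply) arp_pin_apply "$GW_IP" "$GW_MAC" "$LAN_IF" ;;
    *)       arp_pin_rules "$GW_IP" "$GW_MAC" "$LAN_IF" ;;
esac
```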
TARGET-EXTENSIONS
arptables extensions are precompiled into the userspace tool. So there
is no need to explicitly load them with a -m option like in iptables.
However, these extensions deal with functionality supported by
supplemental kernel modules.

mangle
--mangle-ip-s IP address
Mangles Source IP Address to given value.

--mangle-ip-d IP address
Mangles Destination IP Address to given value.

--mangle-mac-s MAC address
Mangles Source MAC Address to given value.

--mangle-mac-d MAC address
Mangles Destination MAC Address to given value.

--mangle-target target
Target of ARP mangle operation (DROP, CONTINUE or ACCEPT -- default is
ACCEPT).

CLASSIFY
This module allows you to set the skb->priority value (and thus
classify the packet into a specific CBQ class).

--set-class major:minor
Set the major and minor class value. The values are always interpreted
as hexadecimal even if no 0x prefix is given.

MAILINGLISTS
See http://netfilter.org/mailinglists.html

SEE ALSO
iptables(8), ebtables(8), arp(8), rarp(8), ifconfig(8), route(8)

See http://ebtables.sf.net

November 2011 ARPTABLES(8)