ARPTABLES(8)                                                      ARPTABLES(8)




NAME

       arptables - administration tool for arp packet filtering


SYNOPSIS

       arptables [-t table] -[AD] chain rule-specification [options]
       arptables [-t table] -I chain [rulenum] rule-specification [options]
       arptables [-t table] -R chain rulenum rule-specification [options]
       arptables [-t table] -D chain rulenum [options]
       arptables [-t table] -[LFZ] [chain] [options]
       arptables [-t table] -N chain
       arptables [-t table] -X [chain]
       arptables [-t table] -P chain target [options]
       arptables [-t table] -E old-chain-name new-chain-name


DESCRIPTION

       Arptables  is  used  to set up, maintain, and inspect the tables of ARP
       packet filter rules in the Linux kernel.  Several different tables  may
       be  defined.   Each  table contains a number of built-in chains and may
       also contain user-defined chains.

       Each chain is a list of rules which can match a set of  packets.   Each
       rule specifies what to do with a packet that matches.  This is called a
       ‘target’, which may be a jump to a user-defined chain in the  same  ta-
       ble.



TARGETS

       A firewall rule specifies criteria for a packet, and a target.  If the
       packet does not match, the next rule in the chain is examined; if it
       does match, then the next rule is specified by the value of the tar-
       get, which can be the name of a user-defined chain or one of the spe-
       cial values ACCEPT, DROP, QUEUE, or RETURN.

       ACCEPT  means to let the packet through.  DROP means to drop the packet
       on the floor.  QUEUE means to pass the packet  to  userspace  (if  sup-
       ported  by  the  kernel).   RETURN means stop traversing this chain and
       resume at the next rule in the previous (calling) chain.  If the end of
       a  built-in  chain is reached or a rule in a built-in chain with target
       RETURN is matched, the target specified by the chain policy  determines
       the fate of the packet.


TABLES

       There  is normally one table ("filter") included in the arptable_filter
       module.  Which tables are present at any time  depends  on  the  kernel
       configuration options and which modules are present.

       -t, --table table
              This  option  specifies the packet matching table which the com-
              mand should operate on.  If the kernel is configured with  auto-
              matic module loading, an attempt will be made to load the appro-
              priate module for that table if it is not already there.

              The tables are as follows:

       filter This is the default table (if no -t option is passed).  It  con-
              tains  the  built-in  chains INPUT (for ARP packets entering the
              box), OUTPUT (for locally-generated ARP packets).


OPTIONS

       The options that are recognized by arptables can be divided into
       several different groups.

   COMMANDS
       These options specify the specific action to perform.  Only one of them
       can be specified on the command line unless otherwise specified  below.
       For  all the long versions of the command and option names, you need to
       use only enough letters to ensure that arptables can  differentiate  it
       from all other options.

       -A, --append chain rule-specification
              Append one or more rules to the end of the selected chain.  When
              the source and/or destination names resolve  to  more  than  one
              address, a rule will be added for each possible address combina-
              tion.

       -D, --delete chain rule-specification
       -D, --delete chain rulenum
              Delete one or more rules from the selected chain.  There are two
              versions  of this command: the rule can be specified as a number
              in the chain (starting at 1 for the first rule)  or  a  rule  to
              match.

       -I, --insert chain [rulenum] rule-specification
              Insert one or more rules in the selected chain as the given rule
              number.  So, if the rule number is 1,  the  rule  or  rules  are
              inserted  at the head of the chain.  This is also the default if
              no rule number is specified.

       -R, --replace chain rulenum rule-specification
              Replace a rule in the selected chain.  If the source and/or des-
              tination  names  resolve to multiple addresses, the command will
              fail.  Rules are numbered starting at 1.

       -L, --list [chain]
              List all rules in the selected chain.  If no chain is selected,
              all chains are listed.  Like every other arptables command, it
              applies to the specified table (filter is the default).
              Please note that it is often used with the -n option, in order
              to avoid long reverse DNS lookups.  It is legal to specify the
              -Z (zero) option as well, in which case the chain(s) will be
              atomically listed and zeroed.  The exact output is affected by
              the other arguments given.  The full rule details are suppressed
              unless you use
               arptables -L -v

       -F, --flush [chain]
              Flush the selected chain (all the chains in the table if none is
              given).  This is equivalent to deleting all  the  rules  one  by
              one.

       -Z, --zero [chain]
              Zero the packet and byte counters in all chains.  It is legal to
              specify the -L, --list (list) option as well, to see  the  coun-
              ters immediately before they are cleared. (See above.)

       -N, --new-chain chain
              Create  a  new user-defined chain by the given name.  There must
              be no target of that name already.

       -X, --delete-chain [chain]
              Delete the optional user-defined chain specified.  There must be
              no  references  to  the chain.  If there are, you must delete or
              replace the referring rules before the chain can be deleted.  If
              no  argument  is  given,  it  will  attempt to delete every non-
              builtin chain in the table.

       -P, --policy chain target
              Set the policy for the chain to the given target.  See the  sec-
              tion  TARGETS  for  the legal targets.  Only built-in (non-user-
              defined) chains can have  policies,  and  neither  built-in  nor
              user-defined chains can be policy targets.

       -E, --rename-chain old-chain new-chain
              Rename the user specified chain to the user supplied name.  This
              is cosmetic, and has no effect on the structure of the table.

       -h     Help.  Give a (currently very brief) description of the  command
              syntax.

   PARAMETERS
       The  following  parameters make up a rule specification (as used in the
       add, delete, insert, replace and append commands).

       -s, --source [!] address[/mask]
              Source specification.  Address can be either a network  name,  a
              hostname  (please  note  that specifying any name to be resolved
              with a remote query such as DNS is a really bad idea), a network
              IP address (with /mask), or a plain IP address.  The mask can be
              either a network mask or a plain number, specifying  the  number
              of 1’s at the left side of the network mask.  Thus, a mask of 24
              is equivalent to  255.255.255.0.   A  "!"  argument  before  the
              address specification inverts the sense of the address. The flag
              --src is an alias for this option.

       -d, --destination [!] address[/mask]
              Destination  specification.   See  the  description  of  the  -s
              (source)  flag  for  a  detailed description of the syntax.  The
              flags --dst , --tgt and --target are aliases for this option.

       -z, --source-hw [!] hwaddr[mask]
              Specify the source hardware (MAC) address of the packet.  hwaddr
              (and mask, if specified) must consist of one or more 8-bit hexa-
              decimal numbers, separated by ’:’ characters.  If the mask is
              not specified, it defaults to a number of 0xff octets equal to
              the length of the hwaddr specified, then 0s.  The flags
              --source-mac, --src-hw, and --src-mac are aliases for this
              option.

       -y, --target-hw [!] hwaddr[mask]
              Specify the target hardware (MAC) address of the packet.  This
              is similar to the --src-hw option.  The flags --target-mac,
              --tgt-hw, --tgt-mac, --dst-hw, and --dst-mac are all aliases
              for this option.

       -i, --in-interface [!] name
              Name  of an interface via which a packet is going to be received
              (only for packets entering the INPUT chain).  When the "!" argu-
              ment  is  used before the interface name, the sense is inverted.
              If the interface name ends in a "+", then  any  interface  which
              begins  with  this  name will match.  If this option is omitted,
              any interface name will match.

       -o, --out-interface [!] name
              Name of an interface via which a packet is going to be sent (for
              packets  entering  the  OUTPUT chain).  When the "!" argument is
              used before the interface name, the sense is inverted.   If  the
              interface  name  ends  in a "+", then any interface which begins
              with this name will match.   If  this  option  is  omitted,  any
              interface name will match.

       -a, --arhln [!] value[mask]
              Specify the hardware address length of the packet.  Both the
              value and mask must be 8-bit hexadecimal numbers.  Note that
              packets with an incorrect hardware address length field may be
              dropped by the lower-level layers of the network stack, which
              may limit the usefulness of this option.

       -p, --arpop [!] value[mask]
              Specify the ARP operation field of the packet.  The value may be
              either a 16-bit hexadecimal number or one of the names
              "Request", "Reply", "Request_Reverse", "Reply_Reverse",
              "DRARP_Request", "DRARP_Reply", "DRARP_Error", "InARP_Request",
              or "ARP_NAK".  The mask (if specified) must be a 16-bit hexa-
              decimal number.

       -H, --arhrd [!] value[mask]
              Specify the hardware type field of the packet.  The value may be
              either a 16-bit hexadecimal number or the name "Ethernet".  The
              mask (if specified) must be a 16-bit hexadecimal number.

       -w, --arpro [!] value[mask]
              Specify the protocol type field of the packet.  The value may be
              either a 16-bit hexadecimal number or the name "IPV4".  The mask
              (if specified) must be a 16-bit hexadecimal number.

       -j, --jump target
              This specifies the target of the rule; i.e., what to do  if  the
              packet  matches  it.   The  target  can  be a user-defined chain
              (other than the one this rule is in),  or  one  of  the  special
              builtin targets which decide the fate of the packet immediately.
              Unlike iptables, extensions are not yet  implemented.   If  this
              option is omitted in a rule, then matching the rule will have no
              effect on the packet’s fate, but the counters on the  rule  will
              be incremented.

       -c, --set-counters PKTS BYTES
              This enables the administrator to initialize the packet and byte
              counters of a rule (during INSERT, APPEND, REPLACE  operations).

   OTHER OPTIONS
       The following additional options can be specified:

       -v, --verbose
              Verbose  output.   This  option  makes the list command show the
              interface name, the rule options (if any), and  the  TOS  masks.
              The  packet  and  byte counters are also listed, with the suffix
              ’K’, ’M’ or ’G’ for 1000, 1,000,000 and 1,000,000,000  multipli-
              ers  respectively  (but  see  the  -x flag to change this).  For
              appending, insertion,  deletion  and  replacement,  this  causes
              detailed information on the rule or rules to be printed.

       -n, --numeric
              Numeric  output.   IP addresses and port numbers will be printed
              in numeric format.  By default, the program will try to  display
              them  as host names, network names, or services (whenever appli-
              cable).

       -x, --exact
              Expand numbers.  Display the exact value of the packet and  byte
              counters,  instead  of only the rounded number in K’s (multiples
              of 1000) M’s (multiples of 1000K) or G’s (multiples  of  1000M).
              This option is only relevant for the -L command.

       --line-numbers
              When  listing  rules,  add line numbers to the beginning of each
              rule, corresponding to that rule’s position in the chain.

       --modprobe=command
              When adding or inserting rules into a chain, use command to load
              any necessary modules (targets, match extensions, etc).


   MANGLE OPTIONS
       The kernel mangle module supports the following options.

       --mangle-ip-s IP address
              Change  the  source  IP  address  of the packet to the specified
              value.

       --mangle-ip-d IP address
              Change the destination IP address of the packet to the specified
              value.

       --mangle-hw-s hardware address
              Change the source hardware (MAC) address of the packet to the
              specified value.

       --mangle-hw-d hardware address
              Change the destination hardware (MAC) address of the  packet  to
              the specified value.

       --mangle-target target
              Disposition of the packet.  Valid targets are DROP, CONTINUE, or
              ACCEPT.  If no --mangle-target option is specified, the default
              is ACCEPT.



EXAMPLES

       Let’s say you have a machine with two IP addresses aaaa and bbbb.
       Address aaaa is only for the use of machine cccc.  No other machine
       should be allowed to connect to it.  Iptables rules are configured to
       enforce this requirement.
              # Configure iptables to NAT any attempt to use aaaa on
              # outgoing packets to machines other than cccc to use
              # bbbb instead
              iptables -t nat -A POSTROUTING -s aaaa ! -d cccc \
                  -j SNAT --to bbbb

              # Ignore ARP requests from machines other than cccc for
              # address aaaa.  INPUT is the built-in chain for ARP
              # packets entering the box (see TABLES).
              arptables -A INPUT ! -s cccc -d aaaa -j DROP

              # Mangle any outgoing requests from address aaaa to any
              # machine but cccc to use address bbbb instead.  OUTPUT
              # is the built-in chain for locally-generated ARP packets.
              arptables -A OUTPUT -s aaaa ! -d cccc -j mangle \
                  --mangle-ip-s bbbb


DIAGNOSTICS

       Various error messages are printed to standard error.  The exit code is
       0 for correct functioning.  Errors which appear to be caused by invalid
       or abused command line parameters cause an exit code of  2,  and  other
       errors cause an exit code of 1.


BUGS

       The -L -v output is excessively wide.

       The short option names were chosen at random.

       Well... the counters are not reliable on sparc64.



SEE ALSO

       arptables-save(8), arptables-restore(8), iptables(8), iptables-save(8),
       iptables-restore(8),   ip6tables(8),   ip6tables-save(8),    ip6tables-
       restore(8).

       See http://www.netfilter.org/.


AUTHORS

       Jay  Fenlason <fenlason@redhat.com> wrote arptables, which was based on
       the iptables code by Rusty Russell, in early consultation with  Michael
       Neuling.

       The  iptables man page was written by Herve Eychenne <rv@wallfire.org>,
       Jay Fenlason <fenlason@redhat.com> adapted it for arptables.



                                 Mar 09, 2002                     ARPTABLES(8)