arptables
Filter ARP packets
TLDR
List all ARP rules in the filter table
Append a rule to drop ARP packets from a specific IP address
Delete a specific rule from the INPUT chain by its rule number
Flush all rules in the filter table
Set the default policy of the OUTPUT chain to ACCEPT
Save the current ARP rules to a file
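The six TLDR tasks above, wrapped as shell functions (an added example, not part of the original page or of the arptables project). Each call goes through a small arp_cmd helper that prints the command instead of executing it when DRY_RUN=1, so the workflow can be reviewed on a machine without root or the arp_tables kernel module. The address 192.168.1.100 and the rules file path /etc/arptables.rules are constructed placeholders; the script assumes arptables and arptables-save are on PATH.

```shell
#!/bin/sh
# Added example (not from the arptables man page): the TLDR tasks as functions.
# DRY_RUN=1 prints each arptables command line instead of running it.
# Assumptions: arptables and arptables-save are on PATH; the rules file path
# below is a placeholder chosen for this example.

ARPTABLES="${ARPTABLES:-arptables}"
RULES_FILE="${RULES_FILE:-/etc/arptables.rules}"

arp_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$ARPTABLES $*"
    else
        "$ARPTABLES" "$@"
    fi
}

# Validate a dotted-quad IPv4 address before it is spliced into a rule, so a
# typo cannot become a malformed or overly broad match. Runs in a subshell so
# changing IFS does not leak out.
is_ipv4() (
    case "$1" in *[!0-9.]*|'') return 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
)

# TLDR: list all rules in the filter table (numeric output, with rule numbers
# that can later be passed to -D)
list_rules() { arp_cmd -t filter -L -n --line-numbers; }

# TLDR: append a rule dropping ARP packets from one IP address
drop_arp_from() {
    is_ipv4 "$1" || { echo "drop_arp_from: invalid IPv4 address: $1" >&2; return 2; }
    arp_cmd -A INPUT -s "$1" -j DROP
}

# TLDR: delete rule number N from the INPUT chain
delete_input_rule() {
    case "$1" in
        ''|*[!0-9]*) echo "delete_input_rule: need a rule number" >&2; return 2 ;;
    esac
    arp_cmd -D INPUT "$1"
}

# TLDR: flush all rules in the filter table
flush_rules() { arp_cmd -t filter -F; }

# TLDR: set the default policy of the OUTPUT chain to ACCEPT
accept_output_by_default() { arp_cmd -P OUTPUT ACCEPT; }

# TLDR: save the current rules (arptables-save writes them to stdout)
save_rules() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "arptables-save > $RULES_FILE"
    else
        arptables-save > "$RULES_FILE"
    fi
}

# Walk through the whole workflow; set ARPTABLES_DEMO=1 DRY_RUN=1 to preview.
demo() {
    list_rules
    drop_arp_from 192.168.1.100   # constructed example address
    list_rules
    delete_input_rule 1
    accept_output_by_default
    save_rules
    flush_rules
}

if [ "${ARPTABLES_DEMO:-0}" = "1" ]; then
    demo
fi
```

Running `ARPTABLES_DEMO=1 DRY_RUN=1 sh arptables_tldr.sh` prints the command lines; dropping DRY_RUN executes them, which needs root. The validation helpers are the point of the wrapper: arptables will happily accept whatever string you pass to -s, so checking it first keeps a typo from silently producing a rule that never matches.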
SYNOPSIS
arptables [-t table] {-A|-D} chain rule-specification
arptables [-t table] -I chain [rulenum] rule-specification
arptables [-t table] -R chain rulenum rule-specification
arptables [-t table] -D chain rulenum
arptables [-t table] {-F|-L|-Z|-N|-X|-P} [chain]
arptables [-t table] -E old-chain-name new-chain-name
arptables -V | -h
PARAMETERS
-t table, --table table
Specifies the table to operate on. The default is 'filter'.
-A chain, --append chain
Append a rule to the end of the specified chain.
-D chain, --delete chain
Delete a rule from the specified chain, identified either by its rule specification or by its rule number.
-I chain [rulenum], --insert chain [rulenum]
Insert a rule at a specified position (default: 1) in the chain.
-R chain rulenum, --replace chain rulenum
Replace a rule at a specified position in the chain.
-F [chain], --flush [chain]
Flush (delete all rules in) a specific chain, or all chains if none is specified.
-L [chain], --list [chain]
List all rules in a specific chain, or all chains if none specified.
-Z [chain], --zero [chain]
Zero the packet and byte counters for a specific chain or rule, or for all chains if none is specified.
-N chain, --new-chain chain
Create a new user-defined chain.
-X [chain], --delete-chain [chain]
Delete an empty user-defined chain, or all empty user-defined chains if none is specified.
-P chain target, --policy chain target
Set the default policy for a built-in chain (e.g., ACCEPT, DROP).
-E old-chain-name new-chain-name, --rename-chain old-chain-name new-chain-name
Rename a user-defined chain.
-p protocol, --protocol protocol
Matches a specific ARP protocol type (e.g., ethernet, ieee802.3).
--opcode opcode
Matches a specific ARP operation code (e.g., request, reply, drarp).
-s address[/mask], --source address[/mask]
Matches the source IP address in the ARP packet.
-d address[/mask], --destination address[/mask]
Matches the destination IP address in the ARP packet.
--source-mac address
Matches the source MAC address in the ARP packet (e.g., 00:11:22:33:44:55).
--destination-mac address
Matches the destination MAC address in the ARP packet.
-i name, --in-interface name
Matches the incoming interface name. Only for INPUT and FORWARD chains.
-o name, --out-interface name
Matches the outgoing interface name. Only for OUTPUT and FORWARD chains.
-j target, --jump target
Specifies the target of the rule (e.g., ACCEPT, DROP, LOG, RETURN, or a user-defined chain).
-m match [--option...]
Loads an extension match module and its specific options.
!
Negates the meaning of the match or target that follows it (e.g., ! -s 192.168.1.1 matches every source address except 192.168.1.1).
-v, --verbose
Produce more verbose output, including interface names and rule options.
-n, --numeric
Print IP addresses and ports numerically, avoiding DNS lookups.
--line-numbers
Show line numbers when listing rules.
-V, --version
Show program version.
-h, --help
Show help message.
-w [seconds], --wait [seconds]
Wait for the xtables exclusive lock before proceeding. Optional timeout in seconds.
--wait-interval microseconds
Interval to wait between attempts to acquire the xtables lock, for use with --wait.
DESCRIPTION
arptables is a user-space utility that allows system administrators to configure the ARP packet filter rules in the Linux kernel. It is part of the Netfilter project, analogous to iptables for IP packets and ebtables for Ethernet frames, but specifically designed to handle Address Resolution Protocol (ARP) packets. By defining rules, administrators can filter ARP requests and replies based on various criteria such as MAC addresses, IP addresses, and network interfaces. This capability is crucial for enhancing network security, enabling protection against common attacks like ARP spoofing, man-in-the-middle attacks, and denial-of-service attempts related to ARP.
Rules are processed sequentially within predefined chains (like INPUT, OUTPUT, FORWARD) or custom user-defined chains. Each rule specifies criteria for matching an ARP packet and a target action to take if a match occurs, such as ACCEPT (allow the packet) or DROP (discard the packet). arptables provides a flexible framework for fine-grained control over ARP traffic, contributing significantly to overall network integrity and stability.
CAVEATS
arptables operates exclusively on ARP packets, unlike iptables (IP) or ebtables (Ethernet frames).
Rule persistence requires saving the configuration (e.g., using arptables-save and arptables-restore, or integrating with systemd/init scripts), because rules are lost on reboot.
Configuring rules requires root privileges.
Rules are processed sequentially within a chain; misconfigured rules can inadvertently block legitimate ARP traffic.
TABLES AND CHAINS
arptables uses tables to organize rules, similar to iptables. The primary table is filter, which is implicitly used if no table is specified. Within this table, there are three built-in chains:
INPUT: For ARP packets destined to the local host's ARP stack.
OUTPUT: For ARP packets originating from the local host.
FORWARD: For ARP packets being routed through the host (typically less common for ARP, but exists for completeness).
Administrators can also create custom user-defined chains to group rules logically, which can be jumped to from built-in chains.
TARGETS (ACTIONS)
When an ARP packet matches a rule, the rule's target determines the action to take. Common targets include:
ACCEPT: Allows the ARP packet to pass.
DROP: Discards the ARP packet.
LOG: Logs information about the matching packet to the kernel log, then continues to the next rule.
RETURN: Stops processing rules in the current chain and returns to the calling chain (or the default policy if it was a built-in chain).
User-defined chains can also be specified as targets, allowing for modular rule sets.
HISTORY
arptables is an integral component of the Linux Netfilter framework, developed alongside iptables and ebtables to provide comprehensive packet filtering capabilities across different network layers. Its inception was driven by the need for granular control over Address Resolution Protocol (ARP) traffic, specifically to mitigate network security threats like ARP spoofing and related man-in-the-middle attacks. As part of the wider Netfilter ecosystem, its development and usage patterns closely mirror those of its IP-layer counterpart, making it a familiar tool for network administrators accustomed to Linux firewalling concepts.