LinuxCommandLibrary

arptables

Filter ARP packets

TLDR

List all ARP rules in the filter table
$ sudo arptables [[-L|--list]]

Append a rule to drop ARP packets from a specific IP address
$ sudo arptables [[-A|--append]] INPUT [[-s|--source-ip]] [192.168.0.1] [[-j|--jump]] DROP

Delete a specific rule from the INPUT chain by its rule number
$ sudo arptables [[-D|--delete]] INPUT [rule_number]

Flush all rules in the filter table
$ sudo arptables [[-F|--flush]]

Set the default policy of the OUTPUT chain to ACCEPT
$ sudo arptables [[-P|--policy]] OUTPUT ACCEPT

Save the current ARP rules to a file
$ sudo arptables-save > [path/to/file]

SYNOPSIS

arptables -[ACD] chain rule-specification [options] -j target
arptables -[RI] chain rule-number rule-specification [options] -j target
arptables -[LFZ] [chain] [options]
arptables -[NX] chain
arptables -P chain target [options]
arptables -E old-chain-name new-chain-name
arptables -S [chain] [options]
arptables -D chain rule-number [options]

PARAMETERS

-A, --append chain rule-specification
    Append one or more rules to the end of the specified chain.

-C, --check chain rule-specification
    Check if a rule matching the specification exists in a chain.

-D, --delete chain rule-specification
    Delete one or more rules matching the specification from a chain.

-D, --delete chain rule-number
    Delete a rule at a specific number within a chain.

-I, --insert chain [rule-number] rule-specification
    Insert one or more rules at the specified position (default is 1) in a chain.

-R, --replace chain rule-number rule-specification
    Replace a rule at a specific position in a chain.

-L, --list [chain]
    List all rules in the specified chain, or all chains if none is specified.

-F, --flush [chain]
    Flush (delete all rules in) the specified chain, or all chains if none is specified.

-Z, --zero [chain]
    Zero the packet and byte counters for the specified chain or all chains.

-N, --new-chain chain
    Create a new user-defined chain.

-X, --delete-chain [chain]
    Delete the specified user-defined chain. Can only be deleted if empty.

-P, --policy chain target
    Set the default policy for a built-in chain (e.g., ACCEPT, DROP).

-E, --rename-chain old-chain-name new-chain-name
    Rename a user-defined or built-in chain.

-S, --save [chain]
    Print the rules in a format suitable for using with arptables-restore.

-j, --jump target
    Specify the target of the rule (e.g., ACCEPT, DROP, LOG).

--source-mac address[/mask]
    Match source MAC address(es).

--destination-mac address[/mask]
    Match destination MAC address(es).

-s, --source-ip address[/mask]
    Match source IP address(es) within the ARP payload.

-d, --destination-ip address[/mask]
    Match destination IP address(es) within the ARP payload.

-i, --in-interface name[+]
    Match packets arriving via the specified interface.

-o, --out-interface name[+]
    Match packets leaving via the specified interface.

--opcode opcode
    Match the ARP operation code (e.g., Request, Reply, or numeric code).

--h-type type
    Match hardware type (e.g., Ethernet or numeric code).

--proto-type type
    Match protocol type (e.g., IP or numeric code).

DESCRIPTION

arptables is a user-space utility program used to configure the Linux kernel's Address Resolution Protocol (ARP) tables. It functions similarly to iptables but specifically for ARP packets. System administrators can define rules within predefined chains (like INPUT and OUTPUT) to inspect and act upon incoming and outgoing ARP traffic.

Rules can match various characteristics of an ARP packet, including source and destination MAC addresses, source and destination IP addresses (as contained within the ARP payload), network interfaces, and the ARP operation code (opcode) such as request or reply. Based on these matches, packets can be subjected to targets like ACCEPT, allowing the packet to pass; DROP, discarding the packet; REJECT, discarding the packet and sending an ARP reject reply; or LOG, recording information about the packet.

This tool is a part of the Netfilter framework and is primarily used for security purposes, such as preventing or mitigating ARP spoofing attacks, enforcing network access policies based on MAC/IP bindings, or debugging network issues by logging specific ARP traffic.

CAVEATS

arptables only filters ARP packets; it does not affect IP, IPv6, or other layer 3+ traffic.
Its usage is less common than IP filtering tools like iptables or nftables as most filtering is done at the IP layer.
Complex network setups or sophisticated attacks might require additional security measures beyond arptables.

COMMAND STRUCTURE

arptables rules are organized into chains. The default table contains built-in chains: INPUT (for incoming ARP packets) and OUTPUT (for outgoing ARP packets). Each rule specifies matching conditions and a target action (e.g., ACCEPT, DROP) to be applied to matching packets.

COMMON ARP OPCODES

Rules can match specific ARP operation codes. Common ones include:
1: ARP Request
2: ARP Reply
3: RARP Request
4: RARP Reply
These can often be specified by name or numeric code.
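As an added example (not code from LinuxCommandLibrary or the arptables project), the following POSIX shell script turns a list of trusted IP-to-MAC bindings into an arptables-restore ruleset: an ARP request or reply whose sender IP is pinned is accepted only from the pinned MAC and dropped from any other MAC, which is the MAC/IP binding enforcement the DESCRIPTION mentions, and the opcode table above is used to drop RARP traffic on a network that has no use for it. The binding-list format, the interface name and the addresses are constructed for the example; the option names follow arptables(8) (-s/--source-ip, --source-mac, --opcode, -i, -j), and the restore-file layout (*filter header, chain policies, COMMIT) is assumed to match what arptables-save prints on the target system, so compare it against that output before applying.

```shell
#!/bin/sh
# Added example (not code from LinuxCommandLibrary or the arptables project).
# Generates an arptables-restore ruleset that pins trusted IP-to-MAC
# bindings on one interface. Assumptions: the "IP MAC" binding format is
# our own; option names follow arptables(8); the restore layout
# (*filter, chain policies, COMMIT) is assumed to match arptables-save.

# Constructed sample bindings: a gateway and a file server (not real hosts).
SAMPLE_BINDINGS="# ip mac
192.168.0.1 00:11:22:33:44:55
192.168.0.2 66:77:88:99:aa:bb"

# Map an ARP opcode name (or number) to its numeric code; fails on unknown input.
opcode_num() {
    case "$1" in
        request|1)      echo 1 ;;
        reply|2)        echo 2 ;;
        rarp-request|3) echo 3 ;;
        rarp-reply|4)   echo 4 ;;
        *)              return 1 ;;
    esac
}

# Accept only colon-separated 48-bit MACs, so a typo in the binding list
# cannot silently produce a rule that pins nothing.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# gen_arp_ruleset IFACE [OPCODE...]
# Reads "IP MAC" bindings from stdin and prints an arptables-restore file.
# Every OPCODE given is dropped outright. Returns 1 on malformed input.
gen_arp_ruleset() {
    iface="$1"; shift
    rules=""
    while read -r ip mac _rest; do
        case "$ip" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if ! valid_mac "$mac"; then
            echo "gen_arp_ruleset: bad MAC for $ip: '$mac'" >&2
            return 1
        fi
        # The pinned owner of this sender IP is accepted ...
        rules="$rules
-A INPUT -i $iface -s $ip --source-mac $mac -j ACCEPT"
        # ... and any other MAC claiming the same sender IP (in a request
        # or a reply) is dropped before it can reach the ARP cache.
        rules="$rules
-A INPUT -i $iface -s $ip -j DROP"
    done
    for op in "$@"; do
        n=$(opcode_num "$op") || { echo "gen_arp_ruleset: unknown opcode '$op'" >&2; return 1; }
        rules="$rules
-A INPUT -i $iface --opcode $n -j DROP"
    done
    printf '*filter\n:INPUT ACCEPT\n:OUTPUT ACCEPT%s\nCOMMIT\n' "$rules"
}

# Print the sample ruleset; pipe it into "arptables-restore" as root to apply.
printf '%s\n' "$SAMPLE_BINDINGS" | gen_arp_ruleset eth0 rarp-request rarp-reply
```

The ACCEPT/DROP pair avoids negated matches entirely, so it does not depend on where a particular arptables build expects the `!`. As the CAVEATS note, these rules protect only this host's own neighbour cache: other hosts on the segment still see the spoofed ARP traffic, and the pair has to be repeated for every IP you want to pin.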

HISTORY

arptables was developed as part of the Linux Netfilter project to provide dedicated filtering capabilities for ARP packets, complementing the IP-level filtering offered by iptables. It addresses the need for security and control at the data link layer (Layer 2) for the ARP protocol, which is fundamental to local network communication.

SEE ALSO

iptables(8), nftables(8), arp(8), ip(8)
