ebtables
Manage Ethernet frame filtering and NAT
SYNOPSIS
ebtables [-t table] command [chain] [rulespec] [options]
PARAMETERS
-t table
Specifies the table to use: filter, nat, or broute. Defaults to filter.
-A chain rule-specification
Append one or more rules to the end of the selected chain.
-D chain rule-specification
Delete the first rule in the selected chain that matches the given rule specification.
-D chain rulenum
Delete the rule at the given position in the selected chain (the first rule is number 1).
-I chain [rulenum] rule-specification
Insert one or more rules in the selected chain at the given rule number (default 1, the head of the chain).
-R chain rulenum rule-specification
Replace the rule at the given position in the selected chain.
-L [chain]
List the rules in the selected chain. If no chain is specified, all rules in all chains are listed.
-F [chain]
Flush the selected chain. If no chain is specified, all chains are flushed.
-Z [chain]
Zero the packet and byte counters in the selected chain. If no chain is specified, all chains are zeroed.
-N chain
Create a new user-defined chain.
-X [chain]
Delete the user-defined chain. If no chain is specified, all user-defined chains are deleted. A chain that is still referenced by a jump cannot be deleted.
-P chain target
Set the policy for the chain to the given target: ACCEPT, DROP, or RETURN.
-E old-name new-name
Rename the user-defined chain to a new name.
-j target
Specifies the target of the rule: a user-defined chain, one of the built-in targets ACCEPT, DROP, RETURN, or CONTINUE, or an extension target such as snat, dnat, redirect, mark, or arpreply.
-p, --protocol protocol
Protocol (ethertype) to match, by name from /etc/ethertypes (e.g., IPv4, IPv6, ARP, RARP, 802_1Q, IPX, ATALK) or as a hexadecimal value. The special value LENGTH matches 802.3 frames, whose type field carries a length.
-i, --in-interface name
Match frames arriving on the specified bridge port.
-o, --out-interface name
Match frames leaving via the specified bridge port.
-s, --source address[/mask]
Source MAC address to match. The keywords Unicast, Multicast, Broadcast, and BGA (bridge group address) can be used instead of an address.
-d, --destination address[/mask]
Destination MAC address to match. Accepts the same keywords as --source.
--vlan-id id
VLAN ID to match. Requires -p 802_1Q.
--log
Log matching frames to the kernel log. This is a watcher, not a target: traversal continues with the rule's own target. --log-prefix, --log-level, --log-ip, and --log-arp adjust what is logged.
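The following script is an added example, not part of the ebtables man page or of the ebtables project, that puts the commands and matches listed above to work across the filter, nat, and broute tables. It assumes a hypothetical bridge with an uplink port eth0 and a LAN port eth1, a hypothetical router MAC, a small MAC allowlist, a host hidden behind the bridge, and a management address from the TEST-NET-1 range; all of these are placeholders. By default it only prints the ebtables invocations so they can be reviewed; EBT_APPLY=1 executes them as root.

```sh
#!/bin/sh
# Added example, not from the ebtables page or project: build a bridge firewall
# ruleset from the commands and matches under PARAMETERS, covering the filter,
# nat and broute tables. Interface names and MAC/IP addresses below are
# hypothetical placeholders. Nothing is executed unless EBT_APPLY=1.

EBT_UPLINK="${EBT_UPLINK:-eth0}"          # bridge port facing the router
EBT_LAN="${EBT_LAN:-eth1}"                # bridge port facing the LAN
EBT_GATEWAY_MAC="${EBT_GATEWAY_MAC:-00:11:22:33:44:55}"               # hypothetical router MAC
EBT_ALLOWED_MACS="${EBT_ALLOWED_MACS:-aa:bb:cc:dd:ee:01 aa:bb:cc:dd:ee:02}"  # hypothetical LAN allowlist
EBT_PUBLIC_MAC="${EBT_PUBLIC_MAC:-02:00:00:00:00:10}"  # MAC the hidden host shows to the uplink
EBT_HIDDEN_MAC="${EBT_HIDDEN_MAC:-aa:bb:cc:dd:ee:02}"  # real MAC of the host behind the bridge
EBT_MGMT_IP="${EBT_MGMT_IP:-192.0.2.10}"  # the bridge's own management address (TEST-NET-1)

# Print one ebtables invocation per line; the caller decides whether to run them.
emit() { printf 'ebtables %s\n' "$*"; }

# filter table: default-deny on the bridged FORWARD path with a MAC allowlist chain.
filter_rules() {
    emit -t filter -F               # flush every chain of the table (see CAVEATS)
    emit -t filter -X               # then delete the now-unreferenced user chains
    emit -t filter -P FORWARD DROP  # policy applies if no rule decides the frame
    emit -t filter -N MACALLOW
    for mac in $EBT_ALLOWED_MACS; do  # word-splitting on spaces is intended
        emit -t filter -A MACALLOW -i "$EBT_LAN" -s "$mac" -j RETURN
    done
    # frames from the uplink are only trusted when they come from the known router MAC
    emit -t filter -A MACALLOW -i "$EBT_UPLINK" -s "$EBT_GATEWAY_MAC" -j RETURN
    # everything else: log it (a watcher, so the rule's own target still applies) and drop
    emit -t filter -A MACALLOW --log-prefix ebt-deny: --log-level warning -j DROP
    # on the LAN port, only 802.1Q frames tagged with VLAN 10 may pass
    emit -t filter -A FORWARD -i "$EBT_LAN" -p 802_1Q ! --vlan-id 10 -j DROP
    # frames that RETURN from MACALLOW fall through to the final ACCEPT
    emit -t filter -A FORWARD -j MACALLOW
    emit -t filter -A FORWARD -j ACCEPT
}

# nat table: present the hidden host to the uplink under a different MAC.
nat_rules() {
    emit -t nat -F
    # frames from the router addressed to the public MAC are rewritten to the real host
    emit -t nat -A PREROUTING -i "$EBT_UPLINK" -d "$EBT_PUBLIC_MAC" \
        -j dnat --to-destination "$EBT_HIDDEN_MAC"
    # replies leaving towards the router carry the public MAC (ARP headers included)
    emit -t nat -A POSTROUTING -o "$EBT_UPLINK" -s "$EBT_HIDDEN_MAC" \
        -j snat --to-source "$EBT_PUBLIC_MAC" --snat-arp
}

# broute table: traffic for the bridge's own IP is routed locally instead of bridged.
# In BROUTING the redirect target rewrites the destination MAC to the bridge port's
# MAC, and a DROP "target" there means "route this frame", not "discard it".
broute_rules() {
    emit -t broute -F
    emit -t broute -A BROUTING -p IPv4 --ip-dst "$EBT_MGMT_IP" \
        -j redirect --redirect-target DROP
}

build_ruleset() { filter_rules; nat_rules; broute_rules; }

if [ "${EBT_APPLY:-0}" = 1 ]; then
    build_ruleset | sh -e    # apply, stopping at the first failing command
else
    build_ruleset            # dry run: review the commands first
fi
```

Run it once with no variables set to inspect the output, then with EBT_APPLY=1 as root. Rule order in FORWARD matters: the VLAN check runs first, then the jump into MACALLOW, and only frames that RETURN from that chain reach the trailing ACCEPT; everything else is logged and dropped inside MACALLOW.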
DESCRIPTION
ebtables is a Linux command-line tool for managing the Ethernet frame filtering tables of a bridging firewall. It works at the data link layer (Layer 2 of the OSI model), so its rules match on MAC addresses, ethertypes, VLAN IDs, and other Ethernet frame fields rather than on IP headers. Unlike iptables, which operates on IP packets, ebtables sees the whole frame, which makes it usable in bridging setups where no IP address is available to filter on and for policies keyed on MAC addresses. When the bridge netfilter module (br_netfilter) is loaded, bridged IP packets traverse the ebtables FORWARD chain before the iptables FORWARD chain.
ebtables can perform Network Address Translation (NAT) operations on Ethernet frames, similar to how iptables performs NAT on IP packets. This can be used to rewrite source or destination MAC addresses. It is commonly employed in bridging firewalls and transparent proxies.
The ebtables rules are organized into tables (filter, nat, broute) and chains. The filter table is the default and provides standard frame filtering. The nat table is used for MAC address translation, and the broute table, which is less frequently used, decides before any bridging or routing whether a frame is bridged or handed to the IP stack for routing.
CAVEATS
Incorrect configuration of ebtables can disrupt network connectivity. Be careful when flushing rules: -F with no chain clears every chain of the table, and with a DROP policy on FORWARD all bridged traffic stops until the rules are re-added.
A MAC address is trivially spoofed, so MAC-based rules are a filtering convenience rather than an authentication control; pair them with switch port security or 802.1X where the identity of a host matters.
On recent distributions the legacy ebtables front end has been superseded by the nftables bridge family and by the ebtables-nft compatibility tool. ebtables -V reports which back end is in use; avoid mixing rules loaded through both on the same kernel.
TARGETS
ACCEPT: Let the frame pass.
DROP: Drop the frame. In the BROUTING chain, DROP instead means that the frame is routed rather than bridged.
RETURN: Stop traversing this chain and resume at the next rule in the previous chain.
CONTINUE: Continue to the next rule in the same chain (useful with counters or the log watcher).
snat: Source Network Address Translation. Modifies the source MAC address (--to-source); --snat-arp also rewrites the sender hardware address inside ARP messages.
dnat: Destination Network Address Translation. Modifies the destination MAC address (--to-destination).
TABLES AND CHAINS
filter: The default table. Contains the INPUT, OUTPUT, and FORWARD chains.
nat: Used for MAC address translation. Contains the PREROUTING, OUTPUT, and POSTROUTING chains.
broute: Decides whether a frame is bridged or routed, before any other processing. Contains the BROUTING chain.
RULE SPECIFICATION
Rules are defined using matching criteria (e.g., -s/--source, -d/--destination, -p/--protocol, -i/--in-interface) and a target given with -j (e.g., ACCEPT, DROP, snat, dnat). Rules in a chain are processed in order; the first matching rule with a terminating target (ACCEPT, DROP, RETURN, or a jump that ends in one of them) decides the frame's fate, while CONTINUE and watchers such as --log let traversal proceed. If no rule matches, the chain policy applies.
HISTORY
ebtables was developed to provide filtering capabilities similar to iptables but at the Ethernet frame level, for bridging environments where filtering on MAC addresses and other Layer 2 characteristics is required. Its use has grown to encompass transparent proxies and other network setups where control over Ethernet frames is necessary. Development continues to maintain compatibility with newer kernels and to incorporate new features.
SEE ALSO