ebtables

Ethernet bridge frame filtering firewall

TLDR

List all rules

$ sudo ebtables -L

List rules with line numbers

$ sudo ebtables -L --Ln

Block MAC address

$ sudo ebtables -A INPUT -s [00:11:22:33:44:55] -j DROP

Allow only specific MAC

$ sudo ebtables -A INPUT -s ! [00:11:22:33:44:55] -j DROP

Drop packets by protocol

$ sudo ebtables -A FORWARD -p IPv4 -j DROP

Flush all rules

$ sudo ebtables -F

Save rules to file

$ sudo ebtables-save > [rules.txt]

SYNOPSIS

ebtables [options] [command] [rule]

ebtables filters Ethernet frames at the link layer (Layer 2) in Linux bridges. It controls traffic passing through a bridge based on MAC addresses, VLAN tags, and Ethernet protocols, complementing iptables which operates at Layer 3.
Ebtables uses chains (INPUT, OUTPUT, FORWARD) and tables (filter, nat, broute) similar to iptables. It's essential for bridge firewall configurations and MAC-based access control.

PARAMETERS

-L, --list

List all rules.

-A chain

Append rule to chain.

-D chain

Delete rule from chain.

-I chain [num]

Insert rule at position.

-F [chain]

Flush rules (all or specific chain).

-P chain target

Set chain policy.

-p protocol

Match protocol (IPv4, IPv6, ARP).

-s mac

Source MAC address.

-d mac

Destination MAC address.

-i interface

Input interface.

-o interface

Output interface.

-j target

Jump to target (ACCEPT, DROP, CONTINUE).

CAVEATS

Only applies to bridged traffic. Requires kernel bridge-nf support. Legacy tool; nftables provides unified filtering for modern systems. Must be used in conjunction with iptables for IP-level filtering. Rules don't persist across reboots without save/restore.

HISTORY

ebtables was developed for the Linux kernel in the early 2000s to provide Ethernet frame filtering for bridges. It was modeled after iptables to provide familiar syntax. The project is now considered legacy, with nftables recommended for new deployments.