ebtables

Manage Ethernet frame filtering and NAT

SYNOPSIS

ebtables [-t table] command [chain] [rulespec] [options]

    Specifies the table to use: filter, nat, or broute. Defaults to filter.

-A
    Append one or more rules to the end of the selected chain.

-D
    Delete rule (1 = first) from chain .

-D
    Delete the first rule that matches the .

-I []
    Insert one or more rules in the selected chain as the given . If is omitted, the rule(s) are inserted at the beginning of the chain.

-R
    Replace rule in chain .

-L []
    List the rules in the selected chain. If no chain is specified, all rules in all chains are listed.

-F []
    Flush the selected chain. If no chain is specified, all chains are flushed.

-Z []
    Zero the packet and byte counters in the selected chain. If no chain is specified, all chains are zeroed.

-N
    Create a new user-defined chain.

-X []
    Delete the user-defined chain. If no chain is specified, all user-defined chains are deleted.

-P
    Set the policy for chain to .

-E
    Rename the user defined chain to a new name.

-j
    Specifies the target of the rule. This could be another chain or a special target like ACCEPT, DROP, RETURN, CONTINUE, MARK, LOG, REDIRECT, SNAT, DNAT, or TOS.

-p
    Protocol to match: ipv4, ipv6, arp, rarp, 802_3, ipx, appletalk, bridge-proto, vlan.

--in-interface
    Match packets arriving on the specified interface.

--out-interface
    Match packets leaving via the specified interface.

--source
    Source MAC address to match.

--destination
    Destination MAC address to match.

--proto
    Ethernet protocol (ethertype) to match.

--vlan-id
    VLAN ID to match.

--log
    Log matching packets.

DESCRIPTION

ebtables is a Linux command-line tool used to manage the Ethernet frame packet filtering table. It works at the data link layer (Layer 2 of the OSI model), allowing you to filter network traffic based on MAC addresses, Ethernet types (ethertype), VLAN IDs, and other Ethernet frame characteristics. Unlike iptables, which operates on IP packets, ebtables focuses on Ethernet frames. This makes it useful for bridging environments where IP addresses might not be readily available or for implementing security policies based on MAC addresses.
ebtables can perform Network Address Translation (NAT) operations on Ethernet frames, similar to how iptables performs NAT on IP packets. This can be used to rewrite source or destination MAC addresses. It is commonly employed in bridging firewalls and transparent proxies.
The ebtables rules are organized into tables (e.g., filter, nat, broute) and chains. The filter table is the most common, providing standard filtering capabilities. The nat table is used for NAT operations, and the broute table is less frequently used but supports bridging before routing decisions.

CAVEATS

ebtables rules are applied before iptables rules in the FORWARD chain, when bridging is enabled. Incorrect configuration of ebtables can disrupt network connectivity. Be careful when flushing rules.

TARGETS

ACCEPT: Let the frame pass.
DROP: Drop the frame.
RETURN: Stop traversing this chain and resume at the next rule in the previous chain.
CONTINUE: Continue to the next rule in the same chain.
SNAT: Source Network Address Translation. Modifies the source MAC address.
DNAT: Destination Network Address Translation. Modifies the destination MAC address.

TABLES AND CHAINS

filter: This table is the default table and contains the INPUT, OUTPUT, and FORWARD chains.
nat: Used for Network Address Translation (NAT). Contains the PREROUTING, POSTROUTING, and INPUT chains.
broute: Used for bridging before routing. Contains the BROUTING chain.

RULE SPECIFICATION

Rules are defined using various matching criteria (e.g., --source, --destination, --proto, --in-interface) and a target (e.g., ACCEPT, DROP, SNAT, DNAT). The rules are processed in order, and the first rule that matches the frame determines the action to be taken.

HISTORY

ebtables was developed to provide similar filtering capabilities to iptables but at the Ethernet frame level. It's designed for bridging environments where packet filtering based on MAC addresses and other Layer 2 characteristics is required. The usage has grown to encompass transparent proxies and other network setups where control over Ethernet frames is necessary. Development is ongoing to maintain compatibility with newer kernels and incorporate new features.