LinuxCommandLibrary

ebtables

Manage Ethernet frame filtering and NAT

SYNOPSIS

`ebtables [-t table] command [chain] [options]`

PARAMETERS

`-t table`
    Specifies the table to operate on: filter (default), nat, or broute.

`-A, --append chain`
    Appends one or more rules to the end of the specified chain.

`-D, --delete chain [rulenum[:rulenum]]`
    Deletes rules from the specified chain, selected either by rule number (a single number or a range) or by giving the full rule specification.

`-I, --insert chain [rulenum]`
    Inserts one or more rules at the specified position (or beginning) in the chain.

`-P, --policy chain policy`
    Sets the policy of a chain to ACCEPT, DROP or RETURN. Unlike iptables, ebtables also allows a policy on user-defined chains.

`-L, --list [chain]`
    Lists the rules in the specified chain, or in all chains of the table if none is specified. `--Ln` adds rule numbers, `--Lc` adds counters and `--Lx` prints the rules as ebtables commands that can be replayed.

`-F, --flush [chain]`
    Flushes (deletes all rules from) the specified chain or all chains if none is specified.

`-N, --new-chain chain`
    Creates a new user-defined chain.

`-X, --delete-chain [chain]`
    Deletes a user-defined chain.

`-j, --jump target`
    Specifies the target of a rule: ACCEPT, DROP, CONTINUE (keep evaluating the chain; useful for counting), RETURN, a user-defined chain, or a target extension such as snat, dnat, redirect, mark or arpreply. Logging is not a target in ebtables but a watcher: adding `--log-prefix`, `--log-ip` or `--log-arp` to a rule logs the frame before the rule's target is applied.

`-p, --protocol [!] protocol`
    Matches the EtherType of the frame, given by name from /etc/ethertypes (e.g., ARP, IPv4, IPv6, 802_1Q) or as a hexadecimal number. The special value LENGTH matches 802.2/802.3 frames whose type field carries a length. Most extension matches (`--ip-*`, `--arp-*`) require the corresponding `-p` value.

`-s, --source [!] MAC[/mask]`
    Matches the source MAC address. Instead of an address, the keywords Unicast, Multicast, Broadcast or BGA (bridge group address) may be given; Multicast includes Broadcast.

`-d, --destination [!] MAC[/mask]`
    Matches the destination MAC address; accepts the same keywords as `-s`. As in all ebtables matches, the negation `!` is written after the option name, before the value.

`-i, --in-interface [!] name`
    Matches frames received on the named interface, that is, the bridge port. Usable in the INPUT, FORWARD, PREROUTING and BROUTING chains. To match on the bridge device itself rather than the port, use `--logical-in`.

`-o, --out-interface [!] name`
    Matches frames sent out via the named bridge port. Usable in the OUTPUT, FORWARD and POSTROUTING chains; `--logical-out` matches the bridge device.

DESCRIPTION

`ebtables` is a user-space utility for configuring the Linux kernel's Ethernet bridge firewall tables. It operates at Layer 2 of the OSI model, specifically designed to filter, modify, and manage Ethernet frames within Linux bridges.

It provides three tables:
- filter: For accepting or dropping Ethernet frames based on Layer 2 criteria (e.g., MAC addresses, EtherTypes) and, through extensions, selected IP and ARP header fields.
- nat: For rewriting MAC addresses of frames (snat, dnat, redirect) and for answering ARP requests on behalf of another host (arpreply).
- broute: (Bridge-route) For deciding, before bridging happens, whether a frame is bridged or handed to the host's Layer 3 stack as if it had arrived on a non-bridged interface. In its BROUTING chain the target DROP means "route" and ACCEPT means "bridge"; this lets traffic that would otherwise be bridged be forced through the local routing and iptables path.

`ebtables` is essential for implementing granular security policies and traffic control in bridged network environments, complementing higher-layer firewall tools like iptables. It enables administrators to control exactly what Ethernet frames are allowed to traverse a bridge, which ones are dropped, or how their MAC addresses are altered.

CAVEATS

ebtables operates at Layer 2 (Ethernet frames). Its core matches see only MAC addresses, EtherTypes and ports; the ip, ip6 and arp extensions expose a few header fields (addresses, protocol, ports, ARP opcode) but there is no connection tracking or payload inspection. For stateful or full Layer 3/4 filtering, iptables or nftables are required.

Rules configured with ebtables are volatile and will be lost upon system reboot unless explicitly saved using ebtables-save and restored using ebtables-restore, typically via a system service.

ebtables only sees frames that pass through a Linux bridge (or are delivered to or sent from the bridge device itself). Traffic on interfaces that are not bridge ports, and traffic that is merely routed by the host, never reaches its hooks.

Combining ebtables with iptables requires care: with the br_netfilter module loaded and the sysctl net.bridge.bridge-nf-call-iptables set to 1, bridged IPv4 frames are additionally passed through the iptables chains, so a frame can be accepted by ebtables and still be dropped by iptables (and the reverse). Work out the packet flow through the kernel's bridge and netfilter hooks before relying on either tool alone.

EXTENSIONS

Similar to `iptables`, `ebtables` supports extensions that provide additional matching criteria, targets and watchers. Match extensions include `ip` (`--ip-src`, `--ip-dst`, `--ip-proto`, `--ip-sport`, `--ip-dport`, used with `-p IPv4`), `ip6` (used with `-p IPv6`), `arp` (`--arp-opcode`, `--arp-ip-src`, `--arp-ip-dst`, `--arp-mac-src`, `--arp-mac-dst`, used with `-p ARP`), `vlan` (used with `-p 802_1Q`), `among` (sets of MAC addresses), `limit`, `pkttype`, `mark_m` and `stp`. They are loaded dynamically when a rule uses them.

TABLES AND CHAINS OVERVIEW

Each table in `ebtables` has its own set of built-in chains, which are the points at which frames are processed. The filter table has INPUT (frames destined for the bridge itself), FORWARD (frames traversing the bridge) and OUTPUT (frames generated locally and sent via the bridge). The nat table has PREROUTING (frames as they arrive at a bridge port), OUTPUT and POSTROUTING (frames about to leave via a bridge port). The broute table has the single chain BROUTING, evaluated before any other hook. Users can also create their own chains in any table and jump to them with `-j`.
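As an added example (not code from the ebtables page or project) of the filter table, the FORWARD chain and the arp, ip and log extensions described above, the script below builds a Layer 2 policy for a bridge port that hosts a single untrusted guest: only the guest's own MAC may send on the port, ARP replies claiming the gateway IP are logged and dropped, and IPv4 and ARP source addresses are pinned to the guest's assigned IP. The bridge port names (eth0, eth1), the guest MAC and IP, the gateway IP and the function names are all assumptions chosen for the example. The ruleset is generated as text first so it can be reviewed; it is applied only when the script is run as root with the argument `apply`.

```shell
#!/bin/sh
# Added example, not part of the ebtables page or project.
# Assumed topology (made up for the example): bridge br0 with uplink port
# eth0 and guest port eth1; one guest with a fixed MAC and IPv4 address.
set -eu

BRIDGE_UPLINK=eth0
GUEST_PORT=eth1
GUEST_MAC=02:00:00:00:aa:01
GUEST_IP=10.0.0.5
GATEWAY_IP=10.0.0.1

# Print one ebtables invocation per line (arguments only) in the order they
# must be applied. Evaluation stops at the first matching rule, so the DROP
# rules come before the ACCEPT rules.
build_ruleset() {
    cat <<EOF
-F
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P FORWARD DROP
-A FORWARD -i $GUEST_PORT -s ! $GUEST_MAC --log-prefix ebt-macspoof: -j DROP
-A FORWARD -i $GUEST_PORT -p ARP --arp-opcode Reply --arp-ip-src $GATEWAY_IP --log-prefix ebt-arpspoof: --log-arp -j DROP
-A FORWARD -i $GUEST_PORT -p ARP --arp-ip-src ! $GUEST_IP -j DROP
-A FORWARD -i $GUEST_PORT -p IPv4 --ip-src 0.0.0.0 --ip-proto udp --ip-dport 67 -j ACCEPT
-A FORWARD -i $GUEST_PORT -p IPv4 --ip-src ! $GUEST_IP -j DROP
-A FORWARD -i $GUEST_PORT -o $BRIDGE_UPLINK -s $GUEST_MAC -j ACCEPT
-A FORWARD -i $BRIDGE_UPLINK -o $GUEST_PORT -d $GUEST_MAC -j ACCEPT
-A FORWARD -i $BRIDGE_UPLINK -o $GUEST_PORT -d Multicast -j ACCEPT
EOF
}
# Notes on the rules above:
# - "-s ! MAC": ebtables writes the negation after the option name.
# - The DHCP rule lets a DHCPDISCOVER (source 0.0.0.0, UDP to port 67) through
#   before the IP pinning rule; without it a DHCP guest never gets an address.
# - "-d Multicast" includes broadcast, so ARP requests reach the guest.
# - The guest-to-uplink ACCEPT rule passes any EtherType, so IPv6 from the
#   guest is not pinned; add --ip6-src checks for an IPv6 guest.

# Apply the policy: every generated line becomes one ebtables command.
# Word splitting is safe here because no single argument contains spaces.
apply_ruleset() {
    build_ruleset | while read -r line; do
        # shellcheck disable=SC2086
        ebtables $line
    done
}

# Helper for review and tests: how many rules will be appended to a chain.
count_appended() {
    build_ruleset | grep -c "^-A $1 "
}

if [ "${1:-}" = "apply" ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply requires root" >&2
        exit 1
    fi
    apply_ruleset
    ebtables -L --Ln --Lc   # verify: rule numbers and per-rule counters
fi
```

Run `sh policy.sh | :` to check syntax, `sh -c '. ./policy.sh; build_ruleset'` to review the generated rules, and `sudo sh policy.sh apply` to load them. Because the commands are applied one at a time, the chain is briefly in a partial state; for production use, feed the same rules to ebtables-restore instead. Note that the FORWARD chain only sees frames crossing the bridge: traffic from the guest to the bridge host itself arrives via INPUT and would need equivalent rules there.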

HISTORY

`ebtables` was developed by Bart De Schutter, first shipped as a patch for the 2.4 kernel series and later merged into the mainline kernel. Its creation addressed the need for fine-grained Ethernet frame firewalling, a capability that `iptables` could not provide at Layer 2. It became a standard component of Linux distributions for managing traffic on bridge devices. Since `nftables` gained bridge-family support, the `ebtables` command on current distributions is frequently the `ebtables-nft` compatibility frontend, which accepts the same syntax but stores its rules in nf_tables; `ebtables-legacy` remains available for the original kernel backend. Listing the rules with `nft list ruleset` shows which backend is in use.

SEE ALSO

brctl(8): Utility for administering Linux Ethernet bridges.
iptables(8): Administration tool for IPv4 packet filtering and NAT.
ip6tables(8): Administration tool for IPv6 packet filtering and NAT.
arptables(8): Administration tool for ARP packet filtering.
ebtables-save(8): Saves ebtables rules to a file.
ebtables-restore(8): Restores ebtables rules from a file.
nft(8): Successor to iptables, ip6tables, arptables and ebtables, capable of Layer 2 filtering.