Block or Forward ARP Traffic with IPtables

G5 Cyber Security

1 month ago

TL;DR

This guide shows you how to control Address Resolution Protocol (ARP) traffic using IPtables on a Linux system. You can either block unwanted ARP requests/replies, or forward them for specific purposes like network monitoring. It’s important to understand that manipulating ARP can disrupt your network if done incorrectly.

Understanding ARP and Why Control it?

ARP translates IP addresses into MAC addresses on a local network. Malicious actors can use ARP spoofing (or poisoning) to intercept traffic by associating the wrong MAC address with an IP address. Controlling ARP with IPtables adds a layer of cyber security.

Prerequisites

A Linux system (e.g., Ubuntu, Debian, CentOS).
Root or sudo access.
Basic familiarity with the command line.

Step-by-Step Guide

Check Existing IPtables Rules: Before making changes, see what rules are already in place.
```
sudo iptables -L
```
Blocking All ARP Traffic (Not Recommended for Normal Use): This is a drastic measure and will likely break network connectivity. Only use this for testing or very specific isolated scenarios.
```
sudo iptables -A INPUT -p arp --arp-in --in-interface eth0 -j DROP
```
Replace eth0 with your actual network interface name (use ip addr show to find it).
Blocking Specific ARP Requests/Replies: This is more targeted. You can block based on source MAC address, or other criteria.
```
sudo iptables -A INPUT -i eth0 -p arp --arp-src 00:11:22:33:44:55 -j DROP
```
Replace eth0 with your interface and 00:11:22:33:44:55 with the MAC address you want to block.
Forwarding Specific ARP Traffic (For Monitoring): This allows you to capture ARP packets for analysis using tools like Wireshark.
```
sudo iptables -A INPUT -i eth0 -p arp --arp-src 192.168.1.100 -j LOG --log-prefix "ARP Forwarded: "
```
Replace eth0 with your interface and 192.168.1.100 with the IP address whose ARP traffic you want to log. The logs will typically be found in /var/log/kern.log or similar, depending on your distribution.
Saving IPtables Rules: IPtables rules are not persistent by default; they’ll disappear after a reboot.
- Debian/Ubuntu:
```
sudo apt-get install iptables-persistent
```
  During installation, you’ll be prompted to save the current rules.
- CentOS/RHEL:
```
sudo yum install iptables-services
```
```
sudo service iptables save
```
```
sudo chkconfig iptables on
```
Restoring IPtables Rules: If you need to revert to saved rules.
- Debian/Ubuntu: The rules are automatically loaded at boot.
- CentOS/RHEL:
```
sudo service iptables restart
```
Deleting IPtables Rules: Remove unwanted or incorrect rules.
```
sudo iptables -D INPUT 
```
Find the rule_number using sudo iptables -L --line-numbers.

Important Considerations

Testing: Always test changes in a controlled environment before applying them to a production network.
Interface Names: Double-check your interface names using ip addr show. Incorrect interface names will lead to unexpected results.
Specificity: Be as specific as possible with your rules to avoid blocking legitimate traffic.
ARP Cache: After making changes, you may need to clear the ARP cache on affected machines:
```
sudo ip -s neigh flush all
```