ARPTABLES(8)                                                      ARPTABLES(8)

NAME
arptables - ARP table administration

SYNOPSIS
arptables [-t table] -[AD] chain rule-specification [options]
arptables [-t table] -[RI] chain rulenum rule-specification [options]
arptables [-t table] -D chain rulenum [options]
arptables [-t table] -[LFZ] [chain] [options]
arptables [-t table] -[NX] chain
arptables [-t table] -E old-chain-name new-chain-name
arptables [-t table] -P chain target [options]
DESCRIPTION
arptables is a user space tool used to set up and maintain the tables of
ARP rules in the Linux kernel. These rules inspect the ARP frames which
they see. arptables is analogous to the iptables user space tool, but
arptables is less complicated.
The kernel table is used to divide functionality into different sets of
rules. Each set of rules is called a chain. Each chain is an ordered
list of rules that can match ARP frames. If a rule matches an ARP
frame, then a processing specification tells what to do with that
matching frame. The processing specification is called a 'target'. If
the frame does not match the current rule in the chain, then the next
rule in the chain is examined, and so forth. The user can create new
(user-defined) chains which can be used as the 'target' of a
A firewall rule specifies criteria for an ARP frame and a frame pro‐
cessing specification called a target. When a frame matches a rule,
the next action performed by the kernel is specified by the target.
The target can be one of these values: ACCEPT, DROP, CONTINUE, RETURN,
an 'extension' (see below) or a user-defined chain.
ACCEPT means to let the frame through. DROP means the frame has to be
dropped. CONTINUE means the next rule has to be checked; the matching
rule's counters are still updated, so this can be handy for counting
how many frames pass a certain point in the chain or for logging those
frames. RETURN means stop traversing this chain and resume at the next
rule in the previous (calling) chain. For the extension targets please
see the TARGET EXTENSIONS section of this man page.
There is only one ARP table in the Linux kernel: the filter table. The
'-t filter' argument can therefore be dropped from the arptables
command. The -t argument must be the first argument on the arptables
command line, if
-t, --table table
filter, is the only table and contains two (Linux kernels 2.4.X)
or three (Linux kernels 2.6.0 and later) built-in chains: INPUT
(for frames destined for the host), OUTPUT (for locally-gener‐
ated frames) and FORWARD (for frames being forwarded by the
bridge code). The FORWARD chain doesn't exist in Linux 2.4.X.
ARPTABLES COMMAND LINE ARGUMENTS
After the initial arptables command line argument, the remaining argu‐
ments can be divided into several different groups: commands, rule
specifications and target extensions, described in the sections below.
The arptables command arguments specify the actions to perform on the
table defined with the -t argument. If you do not use the -t argument
to name a table, the commands apply to the default filter table. With
the exception of the -Z command, only one command may be used on the
command line at a time.
-A, --append
Append a rule to the end of the selected chain.
-D, --delete
Delete the specified rule from the selected chain. There are two
ways to use this command. The first is by specifying an interval
of rule numbers to delete, syntax: start_nr[:end_nr]. Using neg‐
ative numbers is allowed; for more details about using negative
numbers, see the -I command. The second usage is by specifying
the complete rule as it would have been specified when it was
-I, --insert
Insert the specified rule into the selected chain at the speci‐
fied rule number. If the current number of rules equals N, then
the specified number can be between -N and N+1. For a positive
number i, it holds that i and i-N-1 specify the same place in
the chain where the rule should be inserted. The number 0 speci‐
fies the place past the last rule in the chain, so using this
number is equivalent to using the -A command.
-R, --replace
Replace the rule at the specified rule number in the selected
chain. If the current number of rules equals N, then the
specified number can be between 1 and N; i specifies the place
in the chain where the rule should be replaced.
-P, --policy
Set the policy for the chain to the given target. The policy can
be ACCEPT, DROP or RETURN.
-F, --flush
Flush the selected chain. If no chain is selected, then every
chain will be flushed. Flushing the chain does not change the
policy of the chain, however.
-Z, --zero
Set the counters of the selected chain to zero. If no chain is
selected, all the counters are set to zero. The -Z command can
be used in conjunction with the -L command. When both the -Z
and -L commands are used together in this way, the rule counters
are printed on the screen before they are set to zero.
-L, --list
List all rules in the selected chain. If no chain is selected,
all chains are listed.
-N, --new-chain
Create a new user-defined chain with the given name. The number
of user-defined chains is unlimited. A user-defined chain name
has a maximum length of 31 characters.
-X, --delete-chain
Delete the specified user-defined chain. There must be no
remaining references to the specified chain, otherwise arptables
will refuse to delete it. If no chain is specified, all user-
defined chains that aren't referenced will be removed.
-E, --rename-chain
Rename the specified chain to a new name. Besides renaming a
user-defined chain, you may rename a built-in chain (INPUT,
OUTPUT or FORWARD) to a name that suits your taste. If you do
rename one of the standard arptables chain names, please be sure
to mention this fact should you post a question on the arptables
mailing lists; it would be wise to use the standard name in your
post. Renaming a standard arptables chain in this fashion has no
effect on the structure or function of the arptables kernel
table.
-V, --version
Show the version of the arptables userspace program.
-h, --help
Give a brief description of the command syntax.
-j, --jump target
The target of the rule. This is one of the following values:
ACCEPT, DROP, CONTINUE, RETURN, a target extension (see TARGET
EXTENSIONS) or a user-defined chain name.
RULE SPECIFICATIONS
The following command line arguments make up a rule specification (as
used in the -A, -D, -I and -R commands). A "!" option before the
specification inverts the test for that specification. Apart from these
standard rule specifications there are some other command line arguments of
-s, --source-ip [!] address[/mask]
The Source IP specification.
-d, --destination-ip [!] address[/mask]
The Destination IP specification.
--source-mac [!] address[/mask]
The source mac address. Both mask and address are written as 6
hexadecimal numbers separated by colons.
--destination-mac [!] address[/mask]
The destination mac address. Both mask and address are written
as 6 hexadecimal numbers separated by colons.
-i, --in-interface [!] name
The interface via which a frame is received (for the INPUT and
FORWARD chains). The flag --in-if is an alias for this option.
-o, --out-interface [!] name
The interface via which a frame is going to be sent (for the
OUTPUT and FORWARD chains). The flag --out-if is an alias for
-l, --h-length length[/mask]
The hardware length (number of bytes).
--opcode [!] code[/mask]
The operation code (2 bytes). Available values are: 1=Request
2=Reply 3=Request_Reverse 4=Reply_Reverse 5=DRARP_Request
6=DRARP_Reply 7=DRARP_Error 8=InARP_Request 9=ARP_NAK.
--h-type [!] type[/mask]
The hardware type (2 bytes, hexadecimal). Available values are:
1=Ethernet.
--proto-type [!] type[/mask]
The protocol type (2 bytes). Available values are: 0x800=IPv4.
TARGET EXTENSIONS
arptables extensions are precompiled into the userspace tool, so there
is no need to explicitly load them with a -m option as in iptables.
However, these extensions deal with functionality supported by supple‐
mental kernel modules, which must be present for the target to work.
mangle
--mangle-ip-s IP address
Mangles Source IP Address to given value.
--mangle-ip-d IP address
Mangles Destination IP Address to given value.
--mangle-mac-s MAC address
Mangles Source MAC Address to given value.
--mangle-mac-d MAC address
Mangles Destination MAC Address to given value.
--mangle-target target
Target of ARP mangle operation (DROP, CONTINUE or ACCEPT;
default is ACCEPT).
CLASSIFY
This module allows you to set the skb->priority value (and thus
classify the packet into a specific CBQ class).
--set-class major:minor
Set the major and minor class value. The values are always
interpreted as hexadecimal even if no 0x prefix is given.
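The following script is an added example and is not part of the arptables man page or the arptables project. It ties together the chain and target semantics from the DESCRIPTION (ordered rule walk, user-defined chains, RETURN, CONTINUE for counting, -L with -Z), the rule specifications (-s, -d, --source-mac, --opcode, -i, -o) and the mangle target above. It builds an INPUT/OUTPUT ruleset that only trusts ARP for the default gateway when it arrives from the gateway's real MAC, drops any other ARP opcode than request and reply, and rewrites the sender hardware address of replies for a shared failover IP to the shared MAC. Every address, interface name and MAC in it is a hypothetical value; with DRY_RUN=1 (the default) the arptables command lines are printed rather than run, and with DRY_RUN=0 they are applied, which needs root and the ARP tables kernel support.

```shell
#!/bin/sh
# Added example, not part of the arptables man page: an ARP ruleset for a
# host that guards its default gateway entry and announces a failover IP.
# All values are hypothetical: interface eth0, gateway 192.168.1.1 whose real
# MAC is 00:11:22:33:44:55, and a shared IP 192.168.1.100 that must be
# announced with the shared MAC 00:00:5e:00:01:01.  DRY_RUN=1 (the default)
# prints the arptables command lines instead of executing them, so the
# script can be read on any machine; DRY_RUN=0 applies them (root required).
set -eu

ARPTABLES=${ARPTABLES:-arptables}
DRY_RUN=${DRY_RUN:-1}
IFACE=${IFACE:-eth0}
GW_IP=${GW_IP:-192.168.1.1}
GW_MAC=${GW_MAC:-00:11:22:33:44:55}
VIP=${VIP:-192.168.1.100}
VMAC=${VMAC:-00:00:5e:00:01:01}

# run: execute arptables, or print the command line when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$ARPTABLES" "$*"
    else
        "$ARPTABLES" "$@"
    fi
}

# valid_mac: six colon-separated hex bytes, the form --source-mac,
# --destination-mac and --mangle-mac-s expect; checked before anything
# reaches arptables.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

install_rules() {
    valid_mac "$GW_MAC" || { echo "bad gateway MAC: $GW_MAC" >&2; return 1; }
    valid_mac "$VMAC"   || { echo "bad shared MAC: $VMAC" >&2; return 1; }

    # Known starting state.  -F keeps the chain policy, so set it explicitly;
    # ACCEPT is the safe default while the rules below are being added.
    run -F INPUT
    run -F OUTPUT
    run -P INPUT ACCEPT

    # User-defined chain ARP_OPS: RETURN for request (1) and reply (2), DROP
    # any other opcode.  RETURN resumes INPUT at the rule after the jump.
    run -N ARP_OPS || true          # already exists when re-run
    run -F ARP_OPS
    run -A ARP_OPS --opcode 1 -j RETURN
    run -A ARP_OPS --opcode 2 -j RETURN
    run -A ARP_OPS -j DROP
    run -A INPUT -i "$IFACE" -j ARP_OPS

    # Counting rule: CONTINUE updates the counters for requests aimed at the
    # shared IP and lets the walk carry on, so it never changes the verdict.
    run -A INPUT -i "$IFACE" --opcode 1 -d "$VIP" -j CONTINUE

    # Frames claiming the gateway's IP are accepted only from the gateway's
    # real MAC and dropped from any other MAC.  The first matching rule ends
    # the walk, so the ACCEPT must come before the DROP.
    run -A INPUT -i "$IFACE" -s "$GW_IP" --source-mac "$GW_MAC" -j ACCEPT
    run -A INPUT -i "$IFACE" -s "$GW_IP" -j DROP

    # This host must never announce the gateway's IP itself.
    run -A OUTPUT -o "$IFACE" -s "$GW_IP" -j DROP

    # Replies for the shared IP leave with the shared MAC in the ARP sender
    # hardware address field.  --mangle-target keeps its default, ACCEPT, so
    # the rewritten frame is sent right away.
    run -A OUTPUT -o "$IFACE" --opcode 2 -s "$VIP" -j mangle --mangle-mac-s "$VMAC"
}

# snapshot_counters: print the INPUT chain with its counters and reset them,
# e.g. from cron, to watch how many requests for the shared IP arrived.
snapshot_counters() {
    run -L INPUT -Z
}

# rule_count: number of arptables invocations install_rules issues.
rule_count() {
    ( DRY_RUN=1; install_rules ) | wc -l | tr -d ' '
}

install_rules
```

Read the dry-run output top to bottom as the kernel would walk the chains: a frame entering INPUT first passes through ARP_OPS, returns only if it is a request or reply, is counted by the CONTINUE rule when it asks for the shared IP, and is then accepted or dropped by the gateway rules. The INPUT policy stays ACCEPT because every other host on the segment must still be able to resolve this machine.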
SEE ALSO
iptables(8), ebtables(8), arp(8), rarp(8), ifconfig(8), route(8)
November 2011 ARPTABLES(8)