# Arptables script

## Cheesefoam

I know this isn't as elegant as the way the iptables script works, but I couldn't figure how to parse and save the rules like iptables does.  So I came up with this instead.

Can anyone see any problems with this particular arptables configuration?

```
#!/sbin/runscript

# Set up initial network configuration.  Set EXTERNAL_IFACE to the external
# interface.  Its IP address will be detected automatically.
EXTERNAL_IFACE="eth1"
EXTERNAL_IP=`ifconfig | grep -A 1 ${EXTERNAL_IFACE} | awk '/inet/{print $2}' | sed -e 's:addr\:::'`
ARPTABLES=`which arptables`
HIGH_SECURITY_IFACE="<interfaces other than the WAN you want to filter, e.g. wlan0>"
ALLOWED_MACS="<put MACs of interfaces you want to pass here>"

depend() {
   need net
}

start() {
   ebegin "Starting arptables."
   # Flush old rules.
   ${ARPTABLES} -F INPUT
   ${ARPTABLES} -F OUTPUT
   ${ARPTABLES} -F FORWARD

   # Set up the arptables rules.  Configure as needed.
   # Rules are matched first to last: allowed MACs are accepted before the
   # high-security interfaces are dropped, and those drops come before the
   # blanket accept for non-external interfaces.
   for a in ${ALLOWED_MACS}
   do
      ${ARPTABLES} -A INPUT --source-mac ${a} -j ACCEPT
   done
   for a in ${HIGH_SECURITY_IFACE}
   do
      ${ARPTABLES} -A INPUT -i ${a} -j DROP
   done
   # Accept ARP arriving on any interface other than the external one.
   ${ARPTABLES} -A INPUT -i ! ${EXTERNAL_IFACE} -j ACCEPT
   # On the external interface, accept only ARP addressed to our own IP
   # and drop the rest.
   ${ARPTABLES} -A INPUT -i ${EXTERNAL_IFACE} -d ${EXTERNAL_IP} -j ACCEPT
   ${ARPTABLES} -A INPUT -i ${EXTERNAL_IFACE} -j DROP
   # Only send ARP on the external interface from our own IP.
   ${ARPTABLES} -A OUTPUT -o ${EXTERNAL_IFACE} -s ${EXTERNAL_IP} -j ACCEPT
   ${ARPTABLES} -A OUTPUT -o ${EXTERNAL_IFACE} -j DROP
   eend $?
}

stop() {
   ebegin "Stopping arptables"
   # Flush old rules.
   ${ARPTABLES} -F INPUT
   ${ARPTABLES} -F OUTPUT
   ${ARPTABLES} -F FORWARD
   eend $?
}
```

In my case, this gives the following:

> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> -j ACCEPT -i * -o * --src-mac XX.XX.XX.XX.XX.XX , pcnt=0 -- bcnt=0
> ...

Does this seem like a reasonable starting ruleset for arptables?

----------

## jkt

It seems that you're using arptables only to block unauthorised wifi clients from using your network; however, a better solution is to ban them from the AP. I think iwconfig has some option for it (definitely for hostap).

----------

## Cheesefoam

No - I am using arptables to block arp packets from eth1 (my cable modem connection) and wifi0.  I've already locked down wifi0 via iptables MAC filtering and requiring users to log in via a PPTP vpn before getting access to the local network.

Besides which, I am unfortunately stuck with using ndiswrapper for my wireless nic.

I was just adding the wifi0 stuff to block extra arp packets which don't belong in the first place.  The last line of the chain is the catch-all which kills all inbound arp packets which don't belong on eth1.   I know it looks weird, but the fifth line is to accept packets from all interfaces that are NOT eth1. Which is why wifi0 is filtered first.  I wonder if it is a bug in arptables?

This is the line that produces that rule:

> ${ARPTABLES} -A INPUT -i ! ${EXTERNAL_IFACE} -j ACCEPT

...Though now that I look at the result of that rule, it basically says, "All arp packets inbound on eth1 which do not come from anywhere, pass" ?!?

Weird.  I'll look into this.

Since my last reboot (2 days ago), I've blocked 296 Megs of arp traffic.

```
-j DROP -i eth1 -o * , pcnt=11M -- bcnt=296M
```

Which means the filter is working, since it is blocking erroneous ARP packets.
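As an added example, not from the thread, here is a POSIX sh function that walks the INPUT chain in the same order the script above appends its rules and returns the first-match verdict, so the ordering point (allowed MACs before the wifi0 DROP, wifi0 DROP before the `! eth1` ACCEPT, eth1 catch-all DROP last) can be checked without loading the rules. The interface names, external IP and MAC addresses are constructed values.

```sh
#!/bin/sh
# Constructed values standing in for the runscript's variables.
EXTERNAL_IFACE="eth1"
EXTERNAL_IP="203.0.113.10"
HIGH_SECURITY_IFACE="wifi0"
ALLOWED_MACS="00:11:22:33:44:55 00:11:22:33:44:66"

# arp_input_verdict IN_IFACE SRC_MAC DST_IP
# Walks the INPUT chain in the order the runscript appends rules and
# prints the verdict of the first rule that matches.  Nothing reaches the
# chain policy: the "! eth1" ACCEPT and the eth1 DROP cover every interface.
arp_input_verdict() {
  in_if=$1; src_mac=$2; dst_ip=$3
  # Rule group 1: ACCEPT frames from explicitly allowed source MACs.
  for m in $ALLOWED_MACS; do
    if [ "$src_mac" = "$m" ]; then echo ACCEPT; return; fi
  done
  # Rule group 2: DROP everything else on the high-security interfaces.
  for i in $HIGH_SECURITY_IFACE; do
    if [ "$in_if" = "$i" ]; then echo DROP; return; fi
  done
  # Rule 3: ACCEPT on any interface that is not the external one.
  if [ "$in_if" != "$EXTERNAL_IFACE" ]; then echo ACCEPT; return; fi
  # Rule 4: on the external interface, ACCEPT only ARP for our own IP.
  if [ "$dst_ip" = "$EXTERNAL_IP" ]; then echo ACCEPT; return; fi
  # Rule 5: catch-all DROP for all other ARP on the external interface.
  echo DROP
}

# Constructed sample frames, one per line: "iface src_mac dst_ip".
while read -r iface mac ip; do
  printf '%-6s %-17s %-14s -> %s\n' "$iface" "$mac" "$ip" \
    "$(arp_input_verdict "$iface" "$mac" "$ip")"
done <<EOF
wifi0 00:11:22:33:44:55 192.168.1.1
wifi0 de:ad:be:ef:00:01 192.168.1.1
eth0  de:ad:be:ef:00:02 192.168.1.1
eth1  de:ad:be:ef:00:03 203.0.113.10
eth1  de:ad:be:ef:00:04 203.0.113.77
EOF
```

The last sample line is the case behind the 296M counter: ARP on the cable segment that asks for some other host's address never matches the `-d` rule and lands on the catch-all DROP.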

----------

