# Allowing ARP traffic with iptables

## CowboyNeal

L.S.,

iptables has the -p option, so I can explicitly allow tcp, udp, icmp or gre. But how do I allow arp?

----------

## de4d

imho arp (address resolution protocol) is managed by the nic itself. so no arp packets are spawned by the operating system (and no arp packets are sent to the o/s), and there's no need to firewall them anyway.

arp is more like 'tunneling' ur ip packets

this may be (terribly) wrong - correct me if ne1 knows better.

----------

## CowboyNeal

*de4d wrote:*

> imho arp (address resolution protocol) is managed by the nic itself. so no arp packets are spawned by the operating system (and no arp packets are sent to the o/s), and there's no need to firewall them anyway.
> 
> arp is more like 'tunneling' ur ip packets
> 
> this may be (terribly) wrong - correct me if ne1 knows better.

If that were the case, why do /etc/ethers and arp (including `arp -s <static ip> <static mac>` for binding an IP to a MAC) exist? I think you are confusing ARP with Ethernet frames; those encapsulate your IP packet and add a MAC address (your NIC filters on your MAC, so a 100 Mbit/s network would flood your CPU).

----------

## splooge

Arp is a layer 2 protocol, it's enabled by default, and has nothing to do with iptables.  If you can ping your router or another workstation on your network, arp is working.

----------

## TuxFriend

 *CowboyNeal wrote:*   

> L.S.,
> 
> iptables has the -p option, so I can explicitly allow tcp, udp, icmp or gre. But how do I allow arp?

 

ARP is used for binding a MAC-address to an IP-address. ARP is on a lower layer than IP, and TCP, UDP and ICMP are above the IP-layer. By default all ARP-traffic is allowed and will be passed to the IP-layer; if you want to change this behaviour then you need to use ebtables. It's in a development kernel (>=2.5.37) or you can find ebtables on http://users.pandora.be/bart.de.schuymer/ebtables

TuxFriend

----------

## CowboyNeal

*TuxFriend wrote:*

> *CowboyNeal wrote:*
> > L.S.,
> > 
> > iptables has the -p option, so I can explicitly allow tcp, udp, icmp or gre. But how do I allow arp?
> 
> ARP is used for binding a MAC-address to an IP-address. ARP is on a lower layer than IP, and TCP, UDP and ICMP are above the IP-layer. By default all ARP-traffic is allowed and will be passed to the IP-layer; if you want to change this behaviour then you need to use ebtables. It's in a development kernel (>=2.5.37) or you can find ebtables on http://users.pandora.be/bart.de.schuymer/ebtables
> ...

I know how ARP is related to IP :Very Happy: . The reason I asked this is because I _am_ able to filter 'gre' (packet tunneling to my adsl-modem) and, as I understand it, GRE is not IP.

Furthermore, one can do nasty tricks with ARP (man-in-the-middle attack); it should be in iptables! (MAC source filtering is included in iptables, and MAC is, as you said, below IP)

----------

## Zu`

*CowboyNeal wrote:*

> Furthermore, one can do nasty tricks with ARP (man-in-the-middle attack); it should be in iptables! (MAC source filtering is included in iptables, and MAC is, as you said, below IP)

Perhaps this can help a bit. Quoted from here.

*Quote:*

> The easiest way to prevent ARP poisoning at workstations and servers with Open Source Operating Systems is to M-lock the ARP cache line by line. This means when the ARP table has a valid entry like this:
> ...

If you find more useful info about this subject, please post in this thread. I find this quite interesting.

Greets
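The quoted advice (lock the ARP cache line by line with static entries), TuxFriend's point that ARP filtering happens below iptables in ebtables, and CowboyNeal's worry about ARP man-in-the-middle all come down to one static MAC-to-IP list. The script below is an added example, not code from the thread or from the ebtables project: it takes an ethers(5)-style list (hardware address, then IP) and derives from it (a) the `arp -s` commands that pin those entries, (b) ebtables rules that drop ARP packets claiming a pinned IP from a different sender MAC, and (c) a check of an `arp -an` snapshot against the same list so a poisoned entry shows up as a mismatch. All addresses and the snapshot are constructed sample data, and nothing is applied to the kernel; the generated commands are only printed.

```shell
#!/bin/sh
# Added example: derive ARP-cache locking commands, ebtables rules and a
# consistency check from one static MAC<->IP list. Sample data is constructed.

# Constructed sample in ethers(5) order: hardware address, then IP address.
ETHERS_DATA='# constructed sample list
00:11:22:33:44:01 192.168.1.1
00:11:22:33:44:02 192.168.1.10
'

# Constructed "arp -an" snapshot in which 192.168.1.1 now resolves to a MAC
# that is not the one in the static list (what a poisoning attempt looks like).
ARP_SNAPSHOT='? (192.168.1.1) at 00:de:ad:be:ef:01 [ether] on eth0
? (192.168.1.10) at 00:11:22:33:44:02 [ether] on eth0
? (192.168.1.20) at 00:11:22:33:44:20 [ether] on eth0
'

# Drop comments and blank lines; print "mac ip" pairs with the MAC lower-cased.
ethers_pairs() {
    printf '%s' "$ETHERS_DATA" | sed 's/#.*//' | awk 'NF == 2 { print tolower($1), $2 }'
}

# (a) one "arp -s <ip> <mac>" per pair: a static entry is not replaced by
# whatever ARP reply arrives later, which is the "M-lock" from the quote.
arp_lock_commands() {
    ethers_pairs | awk '{ printf "arp -s %s %s\n", $2, $1 }'
}

# (b) ebtables rules: drop any ARP packet whose sender IP is a pinned address
# but whose sender MAC is not the pinned one. ebtables only sees frames that
# cross a Linux bridge, so these rules are for bridging hosts.
ebtables_rules() {
    ethers_pairs | awk '{ printf "ebtables -A INPUT -p ARP --arp-ip-src %s --arp-mac-src ! %s -j DROP\n", $2, $1 }'
}

# (c) compare the snapshot with the static list. Prints one MISMATCH line per
# pinned IP that resolves to another MAC; exit status 1 if any were found.
# Incomplete entries (no MAC yet) are skipped; unknown IPs are not judged.
check_arp_snapshot() {
    printf '%s' "$ARP_SNAPSHOT" | awk -v pairs="$(ethers_pairs)" '
        BEGIN {
            n = split(pairs, lines, "\n")
            for (i = 1; i <= n; i++)
                if (split(lines[i], f, " ") == 2) expected[f[2]] = f[1]
            bad = 0
        }
        {
            ip = $2; gsub(/[()]/, "", ip)
            mac = tolower($4)
            if (mac !~ /:/) next
            if (ip in expected && expected[ip] != mac) {
                printf "MISMATCH %s expected %s seen %s\n", ip, expected[ip], mac
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Stand-alone run: ./arp-pin.sh --demo prints the commands and the check result.
if [ "${1:-}" = "--demo" ]; then
    arp_lock_commands
    ebtables_rules
    check_arp_snapshot || echo "ARP table deviates from the static list"
fi
```

The check is the part worth running regularly: a locked cache cannot be overwritten, but a host that was never locked, or an entry added after the lock, only shows up when the live table is compared with the list. On a host that is not a bridge, ebtables rules do not apply; the same sender-IP/sender-MAC match is available in the arptables tool and in the nftables `arp` address family, which replaced it.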

----------

## CowboyNeal

*Zu` wrote:*

> If you find more useful info about this subject, please post in this thread. I find this quite interesting.
> 
> Greets

I found ettercap a very nice tool to play around with on your own LAN (ok, so I used it at a LAN party, but those people don't mind, right :Twisted Evil: )

----------

