Allowing ARP traffic with iptables

Having problems getting connected to the internet or running a server? Wondering about securing your box? Ask here.
8 posts • Page 1 of 1
CowboyNeal
n00b
Posts: 44
Joined: Thu May 16, 2002 6:54 pm
Location: The Netherlands

Allowing ARP traffic with iptables

Post by CowboyNeal » Wed Sep 25, 2002 8:52 pm

L.S.,

iptables has the -p option, so I can explicitly allow tcp, udp, icmp or gre. But how do I allow arp?
de4d
Apprentice
Posts: 181
Joined: Thu Sep 12, 2002 12:44 pm
Location: fr. i. br. (ger)

Post by de4d » Wed Sep 25, 2002 9:28 pm

imho arp (address resolution protocol) is managed by the nic itself. so no arp packets are spawned by the operating system (and no arp packets are sent to the o/s), and there's no need to firewall them in any way.
arp is more like 'tunneling' your ip packets

this may be (terribly) wrong - correct me if anyone knows better.
void main(){fork();main();}
CowboyNeal
n00b
Posts: 44
Joined: Thu May 16, 2002 6:54 pm
Location: The Netherlands

Post by CowboyNeal » Sun Sep 29, 2002 12:37 am

de4d wrote:imho arp (address resolution protocol) is managed by the nic itself. so no arp packets are spawned by the operating system (and no arp packets are sent to the o/s), and there's no need to firewall them in any way.
arp is more like 'tunneling' your ip packets

this may be (terribly) wrong - correct me if anyone knows better.
If that were the case, why do /etc/ethers and arp (including arp -s <static ip> <static mac> for binding an ip to a mac) exist? I think you are mistaking arp for ethernet frames; those encapsulate your ip packet and add a mac address (your nic filters on your mac, so a 100 mbit/s network would flood your cpu).
splooge
l33t
Posts: 636
Joined: Fri Aug 30, 2002 5:45 pm

Post by splooge » Sun Sep 29, 2002 12:30 pm

Arp is a layer 2 protocol, it's enabled by default, and has nothing to do with iptables. If you can ping your router or another workstation on your network, arp is working.
TuxFriend
Apprentice
Posts: 151
Joined: Wed Aug 14, 2002 6:52 pm

Re: Allowing ARP traffic with iptables

Post by TuxFriend » Sun Sep 29, 2002 4:45 pm

CowboyNeal wrote:L.S.,

iptables has the -p option, so I can explicitly allow tcp, udp, icmp or gre. But how do I allow arp?
ARP is used for binding a MAC address to an IP address. ARP is on a lower layer than IP, and TCP, UDP and ICMP are above the IP layer. By default all ARP traffic is allowed and will be passed to the IP layer; if you want to change this behaviour then you need to use ebtables. It's in a development kernel (>=2.5.37) or you can find ebtables on http://users.pandora.be/bart.de.schuymer/ebtables

TuxFriend
CowboyNeal
n00b
Posts: 44
Joined: Thu May 16, 2002 6:54 pm
Location: The Netherlands

Re: Allowing ARP traffic with iptables

Post by CowboyNeal » Wed Oct 02, 2002 10:01 pm

TuxFriend wrote:
CowboyNeal wrote:L.S.,

iptables has the -p option, so I can explicitly allow tcp, udp, icmp or gre. But how do I allow arp?
ARP is used for binding a MAC address to an IP address. ARP is on a lower layer than IP, and TCP, UDP and ICMP are above the IP layer. By default all ARP traffic is allowed and will be passed to the IP layer; if you want to change this behaviour then you need to use ebtables. It's in a development kernel (>=2.5.37) or you can find ebtables on http://users.pandora.be/bart.de.schuymer/ebtables

TuxFriend
I know how ARP is related to ip :D. The reason I asked this is because I _am_ able to filter 'gre' (packet tunneling to my adsl modem) and, as I understand it, GRE is not IP.

Furthermore, one can do nasty tricks with ARP (man-in-the-middle attack); it should be in iptables! (MAC source filtering is included in iptables, and MAC is, as you said, below IP)
Zu`
l33t
Posts: 716
Joined: Sun May 26, 2002 4:18 pm
Location: BE

Re: Allowing ARP traffic with iptables

Post by Zu` » Wed Oct 02, 2002 11:03 pm

CowboyNeal wrote: Furthermore, one can do nasty tricks with ARP (man-in-the-middle attack); it should be in iptables! (MAC source filtering is included in iptables, and MAC is, as you said, below IP)
Perhaps this can help a bit. Quoted from here.
The easiest way to prevent ARP poisoning at workstations and servers with Open Source operating systems is to M-lock the ARP cache line by line. This means that when the ARP table has a valid entry like this:

212.187.0.1 ether 00:30:7B:94:31:C8 C eth0

You can lock this entry by typing: "arp -v -i eth0 -s 212.187.0.1 00:30:7B:94:31:C8" (without quotes)

Check the ARP cache again by typing "arp -nv -i eth0", the output will be:

212.187.0.1 ether 00:30:7B:94:31:C8 CM eth0

See the difference? :)
As long as you don't unlock the ARP cache, restart the eth devices or reboot the system, nobody can refresh the entry above.

Another way would be installing a (level 2!!) firewall at the workstation, but the only difference between this and my way (above) will be the price. The firewall will do exactly the same; it's not making your system any more invulnerable or whatsoever!
If you find more useful info about this subject, please post in this thread. I find this quite interesting.

Greets
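A way to audit the cache for entries that are still dynamic and to generate the lock commands quoted above, as an added example that is not from the thread or any poster. It reads the /proc/net/arp layout of the Linux kernel; the sample table below is constructed, and only the first address and its MAC come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit the kernel's ARP cache for entries
# that are not locked with `arp -s`, and emit the matching lock commands.
# /proc/net/arp columns: IP, HW type, flags, HW address, mask, device. In the
# flags word, 0x2 (ATF_COM) marks a completed entry and 0x4 (ATF_PERM) the
# permanent entries that `arp -nv` shows with the "M" flag.

# Print "IP MAC DEV" for each completed entry that is NOT permanent.
# $1: file in /proc/net/arp format (defaults to the live table).
unlocked_arp_entries() {
    tail -n +2 "${1:-/proc/net/arp}" | while read -r ip _hwtype flags mac _mask dev; do
        [ $((flags & 2)) -ne 0 ] || continue   # incomplete entry: nothing to lock
        [ $((flags & 4)) -eq 0 ] || continue   # already permanent (the "M" flag)
        echo "$ip $mac $dev"
    done
}

# Emit one `arp -s` command per unlocked entry, in the form quoted above.
# Review the output before running it: locking an entry that is already
# poisoned would pin the wrong MAC in place.
lock_commands() {
    unlocked_arp_entries "$1" | while read -r ip mac dev; do
        echo "arp -v -i $dev -s $ip $mac"
    done
}

# Constructed sample table (only 212.187.0.1 and its MAC come from the thread).
SAMPLE="${TMPDIR:-/tmp}/arp_sample.$$"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
212.187.0.1      0x1         0x6         00:30:7b:94:31:c8     *        eth0
212.187.0.2      0x1         0x2         00:30:7b:aa:bb:cc     *        eth0
212.187.0.3      0x1         0x0         00:00:00:00:00:00     *        eth0
EOF

echo "Entries that a spoofed ARP reply could still overwrite:"
unlocked_arp_entries "$SAMPLE"
echo "Commands to lock them:"
lock_commands "$SAMPLE"
```

Run it without an argument to check the live table; only the 0x2 entry is reported, since 0x6 is already locked and 0x0 is incomplete.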
CowboyNeal
n00b
Posts: 44
Joined: Thu May 16, 2002 6:54 pm
Location: The Netherlands

Re: Allowing ARP traffic with iptables

Post by CowboyNeal » Thu Oct 03, 2002 10:13 am

Zu` wrote: If you find more useful info about this subject, please post in this thread. I find this quite interesting.
Greets
I found ettercap a very nice tool to play around on your own lan (ok, so I used it on a LAN-party but those people don't mind, right :twisted: )
© 2001–2026 Gentoo Foundation, Inc.