arptables

Filter ARP packets

TLDR

List all ARP rules in the filter table
$ sudo arptables [[-L|--list]]

Append a rule to drop ARP packets from a specific IP address
$ sudo arptables [[-A|--append]] INPUT [[-s|--source-ip]] [192.168.0.1] [[-j|--jump]] DROP

Delete a specific rule from the INPUT chain by its rule number
$ sudo arptables [[-D|--delete]] INPUT [rule_number]

Flush all rules in the filter table
$ sudo arptables [[-F|--flush]]

Set the default policy of the OUTPUT chain to ACCEPT
$ sudo arptables [[-P|--policy]] OUTPUT ACCEPT

Save the current ARP rules to a file
$ sudo arptables-save > [path/to/file]

SYNOPSIS

arptables [-t table] {
  -L|-n|-v [chain [rulenum]] |
  -N|-X [chain] |
  -P chain target |
  -A|-D|-C chain [rulenum] [match] [-j target] |
  -I|-R chain rulenum [match] [-j target]
}

PARAMETERS

-t, --table table
    Table to operate on (filter is the default and the only table)

-A, --append
    Append rule to selected chain

-D, --delete
    Delete a rule from a chain, by rule number or by matching specification

-I, --insert
    Insert rule at position in chain

-R, --replace
    Replace rule at specific position

-L, --list
    List rules in chain or all chains

-N, --new-chain
    Create new user-defined chain

-X, --delete-chain
    Delete chain(s)

-P, --policy
    Set policy for chain (ACCEPT|DROP)

-F, --flush
    Flush rules in chain or all

-Z, --zero
    Zero counters in chain

-E, --rename-chain
    Rename a user-defined chain (syntax: -E old new)

-n, --numeric
    Numeric output (no hostname lookup)

-v, --verbose
    Verbose output

-i, --in-interface [!] name
    Input interface (trailing + matches as a wildcard, ! negates the match)

-o, --out-interface [!] name
    Output interface (trailing + matches as a wildcard, ! negates the match)

--opcode [!] code[/mask]
    ARP opcode: 1=Request, 2=Reply

--h-type [!] type[/mask]
    Hardware type (e.g., 1=Ethernet)

-l, --h-length [!] len[/mask]
    Hardware address length

--proto-type [!] type[/mask]
    Protocol type (e.g., 0x800=IPv4)

-s, --source-ip [!] ip[/mask]
    Sender (source) IP address

--source-mac [!] mac[/mask]
    Sender (source) MAC address

-d, --destination-ip [!] ip[/mask]
    Target (destination) IP address

--destination-mac [!] mac[/mask]
    Target (destination) MAC address

-j, --jump target
    Jump to chain/target: ACCEPT|DROP|RETURN

DESCRIPTION

arptables is a userspace utility for managing netfilter ARP tables in the Linux kernel. It enables configuration of filtering rules for ARP (Address Resolution Protocol) packets, which resolve IP addresses to MAC addresses at layer 2. Unlike iptables, which processes IP packets, arptables intercepts ARP traffic early in the network stack via dedicated netfilter hooks.

Rules are stored in chains within the filter table (the only supported table), including built-in chains INPUT, FORWARD, and OUTPUT. Matches specify packet attributes like opcode (request/reply), hardware type/length, sender/target IP/MAC addresses, and interface MAC. Targets decide packet fate: ACCEPT, DROP, RETURN, or custom chains.

This tool is useful for anti-spoofing (e.g., dropping ARP packets whose sender IP/MAC pair does not match a known host), traffic control across bridges/VLANs, and logging. The arp_tables and arp_filter kernel modules must be loaded for it to work. Rules are not persistent: they last until flushed or until reboot, unless saved with arptables-save and restored at boot.

Modern alternatives like nftables offer broader features, but arptables remains for legacy systems.

CAVEATS

Only the filter table is available; there is no NAT or mangle table. Requires kernel CONFIG_NETFILTER_XTABLES_ARPTABLES and the arp_tables and arp_filter modules. Deprecated; use nftables instead. Not packaged by all modern distributions.

TARGETS

Supported: ACCEPT, DROP, RETURN. User-defined chains allowed.

EXAMPLE

arptables -A INPUT --opcode 1 --source-mac ! 00:11:22:33:44:55 -j DROP
Drops incoming ARP requests whose sender MAC is not 00:11:22:33:44:55.
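The anti-spoofing use described above, as an added example that is not part of the original page: pin a gateway's IP to its known MAC on one interface so that any ARP packet claiming that IP from a different MAC is dropped. The gateway IP, MAC and interface name are placeholder values; the rules are printed first so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not from the original page: pin a gateway IP to its known MAC
# with arptables (basic ARP anti-spoofing). GATEWAY_IP, GATEWAY_MAC and IFACE
# are placeholder values.

# Return 0 if $1 is six colon-separated hex pairs (e.g. 00:11:22:33:44:55).
valid_mac() {
    h='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the arptables commands pinning IP $1 to MAC $2 on interface $3,
# one per line, so the rule set can be reviewed before it is applied.
arp_pin_rules() {
    ip="$1"; mac="$2"; iface="$3"
    valid_mac "$mac" || { echo "arp_pin_rules: invalid MAC '$mac'" >&2; return 1; }
    # Rule 1: ARP requests and replies for the pinned IP from its real MAC pass.
    printf 'arptables -A INPUT -i %s --source-ip %s --source-mac %s -j ACCEPT\n' \
        "$iface" "$ip" "$mac"
    # Rule 2: anything else claiming the pinned IP is a spoof candidate; drop it.
    printf 'arptables -A INPUT -i %s --source-ip %s -j DROP\n' "$iface" "$ip"
}

# Apply the generated rules (needs root) and show the resulting INPUT chain.
arp_pin_apply() {
    arp_pin_rules "$@" | while read -r cmd; do sudo $cmd || exit 1; done || return 1
    sudo arptables -n -L INPUT
}

# Dry run with placeholder values: print the commands instead of applying them.
GATEWAY_IP=192.0.2.1          # placeholder
GATEWAY_MAC=00:11:22:33:44:55 # placeholder
IFACE=eth0                    # placeholder
arp_pin_rules "$GATEWAY_IP" "$GATEWAY_MAC" "$IFACE"
```

Rule order matters: the ACCEPT for the known MAC must precede the DROP for the IP, since arptables evaluates a chain top to bottom and stops at the first matching terminal target.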

HISTORY

Introduced in Linux kernel 2.4.18 (2003) with the netfilter ARP tables extension. Part of the xtables tool suite. Maintained through kernel 5.x but superseded by nftables since kernel 3.13 (2013).

SEE ALSO

iptables(8), ebtables(8), nft(8), arping(8)