Notes on using arptables on Ubuntu to protect against LAN ARP attacks

Source: Internet
Author: User


For about a month, the network in the rented flat dropped out every day, each outage lasting about two minutes before it recovered, so LZ didn't care too much. Then one night, while LZ was writing a blog post, the network kept disconnecting, reconnecting and disconnecting again. When LZ finally got a connection to the Internet, LZ temporarily saved the unfinished blog post and began to troubleshoot the problem.

The arp(1) command showed that the MAC address of the gateway was not the address of the landlord's router, so LZ's first reaction was: an ARP attack on the intranet.

So LZ opened Wireshark and started capturing packets. The host 192.168.1.129 was frequently sending ARP broadcasts to the intranet, and whenever LZ's host broadcast an ARP query for the gateway's MAC address, it was always this host that answered. This is very obviously ARP spoofing.

In fact, this is the work of a Trojan virus: it deceives every host on the network by disguising itself as the gateway. This way, when another host sends an Internet request, the packets are sent to the infected host, which can then freely eavesdrop on the traffic.

Whatever was behind it, LZ still had to hurry and finish the blog post, so the first step was to install an ARP firewall as a stopgap and clean the thing up later when there was time.

    # Install the arptables firewall
    $ sudo apt-get install arptables

    # Write the script
    $ vim arptables.sh

    #!/bin/sh
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    # Inbound rule: if the source MAC is not d8:5d:4c:-:c5:3c, drop the packet
    arptables -A INPUT -i eth0 --src-mac ! d8:5d:4c:-:c5:3c -j DROP
    # Inbound rule: if the source IP is 192.168.1.1 but the source MAC is not
    # d8:5d:4c:-:c5:3c, drop the packet
    arptables -A INPUT -i eth0 --src-ip 192.168.1.1 --src-mac ! d8:5d:4c:-:c5:3c -j DROP
    # Allow all outbound broadcast requests
    arptables -A OUTPUT --destination-mac ff:ff:ff:ff:ff:ff -j ACCEPT

    # Give the script execute permission
    $ chmod 755 arptables.sh

    # Then add the script to the boot-up items.

    # These two commands are also commonly used arptables commands
    # List all the rules
    sudo arptables -L
    # Delete all the rules
    sudo arptables -F

As soon as this ARP firewall was configured, the Internet connection worked again. It seems a firewall really does the job, haha.

The above was configured on LZ's Ubuntu notebook. LZ then switched to the desktop, which has Redhat installed, and found that it was still under ARP attack and unable to get online.

LZ found that arptables was pre-installed on Redhat, but configuring rules always produced Permission Denied. LZ was baffled: obviously running as root, yet without permission, for reasons unknown.

With no other option, LZ had to give up on arptables and fall back on the native arp command to set a static ARP table entry. This method turned out to be quite useful, with the same effect as arptables.

    sudo arp -s 192.168.1.1 d8:5d:4c:c5:3c

This command manually pins the gateway's IP and MAC in the local ARP table, so that no matter how many gateway addresses are broadcast on the network, they are ignored and the system talks directly to this manually configured gateway.
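The two symptoms described above (a gateway entry with the wrong MAC, and one MAC answering for two IPs) can be checked directly from the kernel ARP table. The script below is an added example, not part of the original post; the function names and all MAC addresses in it are constructed, and it assumes input in /proc/net/arp format.

```sh
#!/bin/sh
# Added example. MAC addresses are constructed; IPs are the ones in the post.

# check_gateway GATEWAY_IP EXPECTED_MAC  (reads /proc/net/arp format on stdin)
# Prints one finding per line; exit status 1 if any spoofing indicator is seen.
check_gateway() {
    awk -v gw="$1" -v want="$(printf '%s' "$2" | tr 'A-F' 'a-f')" '
        NR == 1     { next }    # header line
        $3 == "0x0" { next }    # incomplete entry, no MAC learned yet
        {
            ip = $1; mac = tolower($4)
            if (ip == gw && mac != want) {
                printf "GATEWAY_MISMATCH %s is at %s, expected %s\n", ip, mac, want
                bad = 1
            }
            if ((mac in owner) && owner[mac] != ip) {
                printf "DUPLICATE_MAC %s claimed by %s and %s\n", mac, owner[mac], ip
                bad = 1
            } else owner[mac] = ip
        }
        END { exit bad + 0 }
    '
}

# Constructed table: gateway entry poisoned by 192.168.1.129.
sample_spoofed() {
    cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         02:00:00:00:00:81     *        eth0
192.168.1.129    0x1         0x2         02:00:00:00:00:81     *        eth0
192.168.1.50     0x1         0x0         00:00:00:00:00:00     *        eth0
EOF
}

# Constructed table: healthy LAN, gateway at its known MAC.
sample_clean() {
    cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         02:00:00:00:00:01     *        eth0
192.168.1.129    0x1         0x2         02:00:00:00:00:81     *        eth0
EOF
}

sample_spoofed | check_gateway 192.168.1.1 02:00:00:00:00:01 || echo "ARP spoofing suspected"
sample_clean   | check_gateway 192.168.1.1 02:00:00:00:00:01 && echo "ARP table looks clean"
# On a live host: check_gateway 192.168.1.1 <gateway MAC> < /proc/net/arp
```

Run from cron or a login script, a non-zero exit status is the cue to compare the gateway entry against the router's label before trusting the network.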
