Linux: using arptables against ARP attacks

Source: Internet
Author: User

Binding the gateway's MAC with static ARP entries (this is the Windows arp -s syntax with dash-separated MACs; Linux's arp -s takes the colon form, e.g. 00:1d:0f:2a:7f:e2):

arp -s 192.168.1.1 00-1d-0f-2a-7f-e2
arp -s 192.168.1.12 00-1f-d0-de-2c-2b

Configuration: the most effective way to prevent ARP spoofing is to accept ARP packets only from the gateway. My environment: gateway IP 59.37.172.1, gateway MAC 00:23:89:4d:29:12.

This machine: IP 59.37.172.81, MAC 00:e0:81:d2:75:c5

Another machine: IP 59.37.172.80

Requirement: allow ARP exchange only with the gateway (this may sound odd, but without communication with the gateway, how would any data get out?). Each --src-ip is paired with the MAC listed for that host above:

# arptables -A INPUT --src-ip 59.37.172.81 --src-mac 00:e0:81:d2:75:c5 -j ACCEPT

# arptables -A INPUT --src-ip 59.37.172.1 --src-mac 00:23:89:4d:29:12 -j ACCEPT

# arptables -P INPUT DROP

Enable the arptables service at boot: chkconfig arptables on
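As an added example (not code from the page), a small POSIX shell script that generates the gateway-only ruleset above from validated IP/MAC pairs, flushing INPUT first and putting the DROP policy last; it assumes the legacy arptables CLI with the --src-ip/--src-mac options used in this text, and the generated commands must be run as root.

```shell
#!/bin/sh
# Added example (not from the original page): generate the "accept only the
# gateway" arptables ruleset described above from validated IP/MAC pairs.
# Assumes the legacy arptables CLI with the --src-ip/--src-mac options used above.

# is_mac MAC -> 0 if MAC is colon-separated xx:xx:xx:xx:xx:xx. The dash form
# from Windows' "arp -s" is rejected, since arptables does not accept it.
is_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# is_ipv4 IP -> 0 if IP is a dotted quad with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# gen_arp_rules IFACE "IP MAC" ["IP MAC" ...]
# Prints the arptables commands in the right order: flush, one ACCEPT per
# trusted IP/MAC pair, and the DROP policy last. Prints nothing and returns 1
# if any pair is malformed, so a typo cannot silently lock the host out.
gen_arp_rules() {
    iface=$1; shift
    rules=""
    for pair in "$@"; do
        ip=${pair%% *}; mac=${pair##* }
        is_ipv4 "$ip" && is_mac "$mac" || return 1
        # ACCEPT only when this IP arrives with the MAC pinned for it
        rules="$rules
arptables -A INPUT -i $iface --src-ip $ip --src-mac $mac -j ACCEPT"
    done
    printf '%s\n' "arptables -F INPUT$rules" "arptables -P INPUT DROP"
}

# Usage with the environment from the text above (run the output as root):
#   gen_arp_rules eth0 "59.37.172.1 00:23:89:4d:29:12" \
#                      "59.37.172.81 00:e0:81:d2:75:c5" | sh
```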

arptables can be regarded as the ARP firewall for Linux.

arptables is the user-space tool that manages the ARP rule table in the kernel; the rules inspect and handle ARP frames. (arptables is similar to iptables but simpler, and it needs the arptable_filter kernel module loaded.)

Normally arptable_filter provides only one table, filter, which is used by default when no -t table name is given.
The filter table has chains for both directions: one for ARP frames arriving at this host and one for ARP frames this host sends.

The chains are INPUT (frames destined for the local host), OUTPUT (locally generated frames) and FORWARD (frames forwarded by the bridge code).

Built-in targets: ACCEPT lets the ARP frame through; DROP discards it; CONTINUE goes on to the next rule; RETURN stops matching in this chain and resumes with the next rule in the calling chain.

Extension target: mangle (rewrites fields of the ARP packet)
--mangle-ip-s IP address
Changes the source IP address to the given value.
--mangle-ip-d IP address
Changes the destination IP address to the given value.
--mangle-mac-s MAC address
Changes the source MAC address to the given value.
--mangle-mac-d MAC address
Changes the destination MAC address to the given value.
--mangle-target target
Target of the ARP mangle operation (DROP, CONTINUE or ACCEPT; the default is ACCEPT).

From Baidu Encyclopedia:

The arptables options fall into two classes. The first class is commands, including:
-A, --append chain rule-specification            append a rule
-D, --delete chain rule-specification            delete the matching rule
-D, --delete chain rulenum                       delete the rule at the given position
-I, --insert chain [rulenum] rule-specification  insert a rule
-R, --replace chain rulenum rule-specification   replace a rule
-L, --list [chain]                               list rules
-F, --flush [chain]                              delete all rules
-Z, --zero [chain]                               zero all counters
-N, --new-chain chain                            create a new chain
-X, --delete-chain [chain]                       delete a chain
-P, --policy chain target                        set the default target (policy)
-E, --rename-chain old-chain new-chain           rename a chain
-h, --help                                       help
The second class is parameters (option names as given by the encyclopedia; the arptables(8) man page itself documents them as --source-ip/--src-ip, --destination-ip, --source-mac/--src-mac, --destination-mac, -l/--h-length, --opcode, --h-type and --proto-type):
-s, --source [!] address[/mask]        source IP address
-d, --destination [!] address[/mask]   destination IP address
-z, --source-hw [!] hwaddr[/mask]      source MAC
-y, --target-hw [!] hwaddr[/mask]      destination MAC
-i, --in-interface [!] name            interface the frame arrived on
-o, --out-interface [!] name           interface the frame is sent out on
--arhln [!] value[/mask]               hardware address length
--arpop [!] value[/mask]               ARP opcode
--arhrd [!] value[/mask]               hardware type
--arpro [!] value[/mask]               protocol type
-j, --jump target                      jump to target
-c, --set-counters pkts bytes          set the counters
Let us work through a few applications to get familiar with arptables:

arptables -F      clear all rules in the filter table

arptables -L -n   list all rules in the filter table (numeric output)
2. Configure arptables
The Linux server's gateway MAC is 00:24:51:e9:c7:10; another server on the same segment, 192.168.1.10 (host name nh-blade-67), has MAC address 00:17:a4:a8:68:11.

To configure the ARP firewall from the command line:
On eth0, if the source IP is 192.168.1.10 and the source MAC is not 00:17:a4:a8:68:11, drop the frame.

CODE: /usr/local/sbin/arptables -A INPUT -i eth0 --src-ip 192.168.1.10 --src-mac ! 00:17:a4:a8:68:11 -j DROP
On eth0, if the source MAC is not 00:24:51:e9:c7:10 (the gateway's MAC address), drop the frame; this confines the machine's external access to the real gateway.

CODE: /usr/local/sbin/arptables -A INPUT -i eth0 --src-mac ! 00:24:51:e9:c7:10 -j DROP
Note: the order in which the ARP firewall rules are added matters: the rule for the gateway MAC address must come last, otherwise the IP policy for this segment cannot take effect.

Write the above policy to the configuration file:
/usr/local/sbin/arptables-save > /etc/sysconfig/arptables



Why and how to use arptables

I had only ever dealt with iptables, but after being driven mad yesterday, to be safe and careful I looked into preventing ARP spoofing.

I remembered there was an ARP counterpart to iptables, so I Googled a bit: it is arptables. After installing it and reading the online tutorials, the commands felt very similar to iptables, along the lines of:

root@lk:/home/cclove# [ip|arp]tables -A INPUT --src-mac ! [MAC address] -j DROP

That gave me the feeling that iptables could achieve what arptables does.

Of course not.

When you need to send a packet to an unknown destination MAC address, the packet finishes network-layer encapsulation and reaches the data link layer; because the destination MAC is unknown, an ARP request is triggered to ask for the MAC address of the destination IP.

This shows that ARP does its work when the packet is about to be sent out at the data link layer, and iptables only works at the network layer, so it simply cannot control this.

Looking at the iptables man page, you can only specify the source MAC address:
mac
    [!] --mac-source address
        Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
        Note that this only makes sense for packets coming from an Ethernet
        device and entering the PREROUTING, FORWARD or INPUT chains.

That is, a MAC address can only be specified on the INPUT chain to restrict incoming packets. Although the MAC address belongs to the data link layer, the kernel's device-driver code has the sk_buff structure, which carries the frame's MAC addresses, so iptables can filter packets by source MAC; but an outgoing packet encapsulated at the network layer has no MAC address yet, so the OUTPUT chain cannot restrict packets by destination MAC.

So it looks like we have to use arptables.

First install arptables; on Ubuntu:
root@lk:/home/cclove# apt-get install arptables

Then set the default policy so that ARP from all hosts is denied by default:
root@lk:/home/cclove# arptables -P INPUT DROP

Look at the routing table to find the gateway IP; it is the line with the UG flags:
root@lk:/home/cclove# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.33.0       0.0.0.0         255.255.255.128 U     1      0        0 eth0
172.16.37.0     0.0.0.0         255.255.255.0   U     0      0        0 vmnet8
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 vmnet1
0.0.0.0         10.0.33.1       0.0.0.0         UG    0      0        0 eth0

Then look up the gateway's MAC address:
root@lk:/home/cclove# arp -n | grep 10.0.33.1
10.0.33.1                ether   00:23:89:4d:27:e1   C                     eth0

Add a rule allowing ARP from the gateway:
root@lk:/home/cclove# arptables -A INPUT --src-mac 00:23:89:4d:27:e1 -j ACCEPT

That is it: ARP queries from the other computers on the LAN are now filtered out, which of course means FTP, Samba and other file sharing with them no longer work.

You can then add the MAC addresses of other computers you want to exchange ARP with, the same way you added the gateway.

Or, just as with iptables, you can specify an IP range instead of only MAC addresses:
root@lk:/home/cclove# arptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
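The gateway lookup above pins a MAC once; as an added example (not part of the original post), here is a POSIX shell check that re-reads the arp -n output format quoted above and reports whether the gateway's entry still carries the pinned MAC, so a changed entry (the usual symptom of ARP spoofing on the segment) is noticed. The sample arp -n output is constructed; the expected MAC is whatever you pinned.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the ARP cache entry
# for the gateway still carries the MAC pinned with arptables above. A different
# MAC for the gateway IP is the classic symptom of ARP spoofing on the segment,
# so this is a check worth running from cron alongside the arptables rules.
# Parses the "arp -n" output format quoted in the text (net-tools).

# gateway_mac_from_arp ARP_OUTPUT GATEWAY_IP
#   Prints the MAC listed for GATEWAY_IP (lower-cased), or nothing if there is
#   no complete entry (an "(incomplete)" entry has no MAC in column 3).
gateway_mac_from_arp() {
    printf '%s\n' "$1" |
        awk -v gw="$2" '$1 == gw && $2 == "ether" { print tolower($3); exit }'
}

# check_gateway_mac ARP_OUTPUT GATEWAY_IP EXPECTED_MAC
#   Returns 0 if the entry matches, 1 if it differs (possible spoofing),
#   2 if the gateway has no usable ARP entry at all.
check_gateway_mac() {
    seen=$(gateway_mac_from_arp "$1" "$2")
    expected=$(printf '%s\n' "$3" | tr 'A-F' 'a-f')
    [ -n "$seen" ] || return 2
    [ "$seen" = "$expected" ]
}

# Constructed sample of "arp -n" output; the gateway line mirrors the one above.
SAMPLE_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.33.1                ether   00:23:89:4d:27:e1   C                     eth0
10.0.33.7                ether   00:11:22:33:44:55   C                     eth0
10.0.33.9                        (incomplete)                              eth0'

# Live use would be: check_gateway_mac "$(arp -n)" 10.0.33.1 00:23:89:4d:27:e1
main() {
    check_gateway_mac "$SAMPLE_ARP" 10.0.33.1 00:23:89:4d:27:e1
    rc=$?
    case $rc in
        0) echo "OK: gateway MAC matches the pinned value" ;;
        1) echo "ALERT: gateway MAC differs from the pinned value" ;;
        *) echo "WARN: no ARP entry for the gateway" ;;
    esac
    return $rc
}

main
```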
