Remember one time Ubuntu uses arptables to protect against LAN ARP attacks

Some time ago about one months, rent the network every day a break, each break about a two minutes to recover, so did not care too much. Until one night, LZ is writing a blog, but the network frequent interruption and reconnect again interrupted. Waiting for the LZ finally found a connection to the Internet has not finished the post temporarily saved a moment, and then began to troubleshoot problems.

ARP (1) command found that the MAC address of the gateway is not the address of the landlord router, so the first response is that the intranet has an ARP attack.

So LZ opened Wireshark began to grab bag, found intranet 192.168.1.129 this host to the intranet frequently send ARP broadcast, and when LZ host to the intranet send ARP Broadcast query Gateway MAC address is always its response, this is very obvious ARP deception.

In fact, this is a Trojan virus to engage in ghosts, it deceives the intranet all the host, will itself disguised as a gateway. So when the other host sent the Internet request will send the packet to it, it will be free to monitor the content of the Internet.

No matter what it is ghost, the LZ also have to hurry to write a blog, so the first install an ARP firewall make up, and so have time to clean it.

# Install arptables firewall
>$ sudo apt-get install arptables

# scripting
>$ vim arptables.sh

#!/bin/sh
PATH =/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Pit Stop rule: Discard packets
If the source Mac is not d8:5d:4c:60:c5:3c Arptables-a input-i eth0--src-mac! D8:5d:4c:60:c5:3c-j Drop
# Pit Stop rule: Discard packets arptables-a If the source Mac is not d8:5d:4c:60:c5:3c and the source IP is not 192.168.1.1
input-i Eth0--src-ip 192.168.1.1--src-mac! D8:5d:4c:60:c5:3c-j DROP
# allows all outbound requests
arptables-a OUTPUT--destination-mac ff:ff:ff:ff:ff:ff-j ACCEPT

# Give script Execute permissions
>$ chmod 755 arptables.sh

# Then add the script to the boot key.

# These two commands are also arptables common commands
# View all the rules
sudo arptables-l
# Delete all the rules
sudo arptables-f

Configure this ARP firewall immediately after the Internet, it seems that the firewall to make haha.

The above is in the LZ's Ubuntu notebook configuration, and then the LZ switched to the installed Redhat desktop, the results are still being ARP attack can not access the Internet.

LZ found Redhat has pre-installed arptables, but in the configuration rules always hint Permission denied,lz is also drunk, obviously is root, also do not know why do not have permission.

Helpless under had to abandon with arptables, it seems only with the original ARP command to set a static ARP table, but found this method is quite useful, and with arptables effect.

>$ sudo arp-s 192.168.1.1 d8:5d:4c:60:c5:3c

The command is to manually specify the IP and MAC of the gateway in the local ARP, so that regardless of the number of Gateway addresses outside the broadcast, let the system deal directly with this manually configured gateway.