What is ebtables? (Ethernet bridge frame table administration)
The ebtables utility enables basic Ethernet frame filtering on a Linux bridge, logging, MAC NAT and brouting. It only provides basic IP filtering, the full-fledged IP filtering on a Linux bridge is done with iptables. The so-called bridge-nf code makes iptables see the bridged IP packets and enables transparent IP NAT. The firewalling tools iptables and ebtables can be used together and are complementary. ebtables tries to provide the bridge firewalling that iptables cannot provide, namely the filtering of non-IP traffic.
What can ebtables do?
- Ethernet protocol filtering.
- MAC address filtering.
- Simple IP header filtering.
- ARP header filtering.
- 802.1Q VLAN filtering.
- In/Out interface filtering (logical and physical device).
- MAC address nat.
- Frame counters.
- Ability to add, delete and insert rules; flush chains; zero counters.
- Brouter facility.
- Ability to atomically load a complete table, containing the rules you made, into the kernel. See the man page and the examples section.
- Support for user defined chains.
- Support for marking frames and matching marked frames.
apt-get update && apt-get install ebtables
ebtables -t nat -A PREROUTING -d 00:11:22:33:44:55 -i eth0 -j dnat --to-destination 54:44:33:22:11:00
ebtables -A FORWARD -s 00:11:22:33:44:55 -p IPV4 -j ACCEPT ebtables -A FORWARD -s 00:11:22:33:44:55 -j DROP
# suppose there is no route to 192.168.0.0 yet route add -net 192.168.0.0 netmask 255.255.255.0 dev br0 ifconfig br0 0.0.0.0 arp -s 192.168.0.255 ff:ff:ff:ff:ff:ff iptables -t nat -A PREROUTING -j DNAT --to-destination 192.168.0.255
The bridge device should not have an address in the range of 192.168.0.0/24, because if it does, the routing code won't decide to send the packet out through the bridge device.
ebtables -A FORWARD -p IPv4 --ip-src 172.16.1.4 -s ! 00:11:22:33:44:55 -j DROP
This is an anti-spoofing filter rule. It says that the computer using IP address 172.16.1.4 has to be the one that uses ethernet card 00:11:22:33:44:55 to send this traffic.
Note: this can also be done using iptables. In iptables it would look like this:
iptables -A FORWARD -s 172.16.1.4 -m mac --mac-source ! 00:11:22:33:44:55 -j DROP
The difference is that the frame will be dropped earlier if the ebtables rule is used, because ebtables inspects the frame before iptables does. Also note the subtle difference in what is considered the default type for a source address: an IP address in iptables, a MAC address in ebtables.
If you have many such rules, you can also use the
among match to speed up the filtering.
ebtables -N MATCHING-MAC-IP-PAIR ebtables -A FORWARD -p IPv4 --among-dst 00:11:22:33:44:55=172.16.1.4,00:11:33:44:22:55=172.16.1.5 \ -j MATCHING-MAC-IP-PAIR
We first make a new user-defined chain
MATCHING-MAC-IP-PAIR and we send all traffic with matching MAC-IP source address pair to that chain, using the
among match. The filtering in the
MATCHING-MAC-IP-PAIR chain can then assume that the MAC-IP source address pairs are correct.