Using ebtables( Ethernet bridge frame table administration) in Debian Squeeze

Valic —  April 13, 2011 — 1 Comment

What is ebtables? (Ethernet bridge frame table administration)

The ebtables utility enables basic Ethernet frame filtering on a Linux bridge, logging, MAC NAT and brouting. It only provides basic IP filtering, the full-fledged IP filtering on a Linux bridge is done with iptables. The so-called bridge-nf code makes iptables see the bridged IP packets and enables transparent IP NAT. The firewalling tools iptables and ebtables can be used together and are complementary. ebtables tries to provide the bridge firewalling that iptables cannot provide, namely the filtering of non-IP traffic.

What can ebtables do?

  • Ethernet protocol filtering.
  • MAC address filtering.
  • Simple IP header filtering.
  • ARP header filtering.
  • 802.1Q VLAN filtering.
  • In/Out interface filtering (logical and physical device).
  • MAC address nat.
  • Logging.
  • Frame counters.
  • Ability to add, delete and insert rules; flush chains; zero counters.
  • Brouter facility.
  • Ability to atomically load a complete table, containing the rules you made, into the kernel. See the man page and the examples section.
  • Support for user defined chains.
  • Support for marking frames and matching marked frames.

Install ebtables:

apt-get update && apt-get install ebtables

Using ebtables:


ebtables -t nat -A PREROUTING -d 00:11:22:33:44:55 -i eth0 -j dnat --to-destination 54:44:33:22:11:00

Only forward IPv4 for a specific MAC address:

ebtables -A FORWARD -s 00:11:22:33:44:55 -p IPV4 -j ACCEPT
ebtables -A FORWARD -s 00:11:22:33:44:55 -j DROP

Changing the destination IP and MAC address to the respective broadcast addresses:

# suppose there is no route to yet
route add -net netmask dev br0
ifconfig br0
arp -s ff:ff:ff:ff:ff:ff
iptables -t nat -A PREROUTING -j DNAT --to-destination

The bridge device should not have an address in the range of, because if it does, the routing code won't decide to send the packet out through the bridge device.

Associate IP addresses to MAC addresses (anti-spoofing rules):

ebtables -A FORWARD -p IPv4 --ip-src -s ! 00:11:22:33:44:55 -j DROP

This is an anti-spoofing filter rule. It says that the computer using IP address has to be the one that uses ethernet card 00:11:22:33:44:55 to send this traffic.
Note: this can also be done using iptables. In iptables it would look like this:

iptables -A FORWARD -s -m mac --mac-source ! 00:11:22:33:44:55 -j DROP

The difference is that the frame will be dropped earlier if the ebtables rule is used, because ebtables inspects the frame before iptables does. Also note the subtle difference in what is considered the default type for a source address: an IP address in iptables, a MAC address in ebtables.

If you have many such rules, you can also use the among match to speed up the filtering.

ebtables -A FORWARD -p IPv4 --among-dst 00:11:22:33:44:55=,00:11:33:44:22:55= \

We first make a new user-defined chain MATCHING-MAC-IP-PAIR and we send all traffic with matching MAC-IP source address pair to that chain, using the among match. The filtering in the MATCHING-MAC-IP-PAIR chain can then assume that the MAC-IP source address pairs are correct.


Posts Twitter Facebook

Editor in Chief at Debian-Tutorials, Linux enthusiast.

Trackbacks and Pingbacks:

  1. Creating a Wireless Access Point with Debian Linux « Agent Oss - October 31, 2011

    […] you need firewalling on your bridge, look at ebtables (… […]

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.