
I was trying to hide my laptop from my phone's network scan app. The app uses ARP requests to find devices on the network. I tried everything in iptables. It doesn't work, even if I set all the policies to DROP. Fortunately arptables can drop the requests. But why can't iptables do that?

Grey

2 Answers


ARP and TCP/IP are different layers in the networking technology stack. If you have read about the OSI model, that applies here.

ARP is a protocol at layer 2 dealing with connecting the host to the local network.

TCP/IP are protocols dealing with connecting networks together.

iptables deals (mostly) with TCP/IP and higher layers. arptables deals with the ARP layer.

schroeder
  • This answer is, btw, IPv4-specific. The same wouldn't be true of IPv6. – rfc2460 Feb 09 '19 at 12:41
  • @rfc2460 I do not understand your comment. Can iptables drop ARP requests if the host uses IPv6? *What* wouldn't be true of IPv6? – schroeder Feb 09 '19 at 15:20
  • IPv6 doesn't use ARP at all. Instead it uses neighbor discovery, which uses ICMPv6 packets sent to multicast addresses. Because ICMPv6 is just another protocol on top of IPv6, it can be filtered using `ip6tables` like any other IPv6 traffic can. – rfc2460 Feb 15 '19 at 12:48
  • @rfc2460 Right ... and how is that relevant to the question? The question is ***about*** ARP. – schroeder Feb 15 '19 at 13:25
  • I suppose you are right about that. The question wasn't all that clear to me. It's possible that the app in question simply doesn't support IPv6. If the app does support both IPv4 and IPv6, then it is going to be very relevant how each of them works. It's pointless trying to hide your presence in one protocol if you can easily be seen using the other. And an ICMPv6 echo request sent to the all-nodes multicast address is a simple way to detect devices on the network. – rfc2460 Feb 15 '19 at 13:34
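The layering point in this answer, shown concretely as an added example (this is not part of schroeder's answer): the kernel decides which netfilter family sees a frame by the EtherType in the Ethernet header. EtherType 0x0800 goes to the IPv4 receive path, where the iptables hooks sit; 0x0806 goes to the ARP receive path, where the arptables hooks sit. So an iptables policy of DROP is simply never consulted for an ARP request. The two frames below are constructed test data with made-up MAC and IP addresses, not captured traffic, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example: classify a raw Ethernet frame by EtherType to show which
# netfilter table family (ip / arp / ip6) would ever get to see it.
# Frames are given as hex strings of the bytes on the wire.

# Print the netfilter family that handles the frame in $1.
# Bytes 12-13 of an Ethernet II frame are the EtherType (hex chars 25-28).
frame_family() {
    frame=$1
    ethertype=$(printf '%s' "$frame" | cut -c25-28 | tr 'A-F' 'a-f')
    case "$ethertype" in
        0800) echo "ip (iptables)" ;;
        0806) echo "arp (arptables)" ;;
        86dd) echo "ip6 (ip6tables)" ;;
        *)    echo "unknown ethertype 0x$ethertype" ;;
    esac
}

# Print the ARP opcode of an ARP frame: 0001 = request (who-has), 0002 = reply.
# It sits at ARP offset 6-7, i.e. frame bytes 20-21 (hex chars 41-44).
arp_opcode() {
    printf '%s' "$1" | cut -c41-44
}

# Constructed ARP "who-has" request (not captured traffic):
#   dst ff:ff:ff:ff:ff:ff, src 02:00:00:00:00:01, EtherType 0806,
#   htype 1, ptype 0800, hlen 6, plen 4, opcode 1,
#   sender 02:00:00:00:00:01 / 192.168.1.10, target 00:.. / 192.168.1.20
ARP_REQUEST='ffffffffffff020000000001'\
'0806'\
'0001080006040001'\
'020000000001c0a8010a'\
'000000000000c0a80114'

# Constructed IPv4 frame: EtherType 0800 followed by the start of an IP header.
IPV4_PING='020000000001020000000002'\
'0800'\
'4500001c000040004001000000c0a8010ac0a80114'

if [ "${1:-}" = "demo" ]; then
    printf 'ARP frame  -> %s, opcode %s\n' \
        "$(frame_family "$ARP_REQUEST")" "$(arp_opcode "$ARP_REQUEST")"
    printf 'IPv4 frame -> %s\n' "$(frame_family "$IPV4_PING")"
fi
```

Run the script with the single argument demo to see both frames classified. The same dispatch is why the ip6tables comment above holds: IPv6 neighbour discovery travels inside 86dd frames and so does reach the ip6 hooks, while ARP never reaches any ip hook.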

Because iptables deals with TCP/IP. ARP is not TCP/IP.

You can install arptables and use that for filtering ARP requests. On a Debian-related distro, sudo apt install arptables should do the trick.

Then you can do

arptables -A INPUT --source-mac de:ad:be:ef:ba:be -j DROP

and so forth. man arptables will give you a full overview.

vidarlo
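The arptables approach from this answer, worked out as an added example (this is not vidarlo's own script): a small shell script that drops incoming ARP requests (opcode 1) from every MAC except the default gateway, so the laptop still answers the router but stays silent for a scanning phone. The interface name wlan0 and gateway MAC 02:00:00:00:00:fe are placeholders you must replace, and the function names are this example's own. Two caveats a practitioner should know: the laptop's own outgoing ARP broadcasts still reveal its MAC and IP to anything listening on the LAN, and any non-whitelisted host loses the ability to reach the laptop at all. As the comments on the first answer note, IPv6 neighbour discovery is untouched by these rules.

```shell
#!/usr/bin/env bash
# Added example: hide a host from ARP scans by dropping incoming ARP requests
# from everyone except the gateway. Placeholders (assumptions): interface
# wlan0, gateway MAC 02:00:00:00:00:fe.
set -eu

# Print the arptables commands for interface $1 and gateway MAC $2, one per
# line. ARP opcode 1 is a request ("who-has"), opcode 2 a reply. Only requests
# are dropped: replies to our own queries must still arrive, or the host loses
# its gateway as soon as its neighbour cache expires.
hide_rules() {
    iface=$1
    gw_mac=$2
    printf '%s\n' \
        "arptables -F INPUT" \
        "arptables -A INPUT -i $iface --opcode 1 --source-mac $gw_mac -j ACCEPT" \
        "arptables -A INPUT -i $iface --opcode 1 -j DROP"
}

# Commands that undo the above.
unhide_rules() {
    printf '%s\n' "arptables -F INPUT" "arptables -P INPUT ACCEPT"
}

# Run each command read from stdin; refuses to run without root or arptables.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "must run as root" >&2
        return 1
    fi
    if ! command -v arptables >/dev/null 2>&1; then
        echo "arptables not installed (apt install arptables)" >&2
        return 1
    fi
    while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
}

case "${1:-}" in
    show)  hide_rules "${2:-wlan0}" "${3:-02:00:00:00:00:fe}" ;;
    apply) hide_rules "${2:-wlan0}" "${3:-02:00:00:00:00:fe}" | apply_rules ;;
    undo)  unhide_rules | apply_rules ;;
    *)     ;;   # no argument: only define the functions, so the file can be sourced
esac
```

Use show IFACE GATEWAY_MAC to print the rules without touching the kernel, apply (as root) to install them, and undo to flush them again. Check the result with arptables -L -n, then rerun the phone's scan; the laptop should no longer answer the who-has probe while ping to the gateway keeps working.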