Countering ARP spoofing with iptables

Mardi 19 décembre 2023, par Jérémy DE COCK

Many use a DHCP server to manage the assignment of IP addresses within their network(s) (ISC-DHCP, Dnsmasq, Microsoft DHCP Server, etc.). But very few protect themselves from ARP spoofing, which is a very famous old attack, but which is still as formidable as ever. Protecting against it requires resources in terms of equipment, e.g. a switch with anti arp spoofing mechanisms or supporting 802.1X, or technical expertise, e.g. fixing the ARP table on the machine hosting the DHCP service.

Maybe not so new, but still a threat, so here is our solution...

Solution

In the DHCP service configuration, we have all our @MAC / @IP pairs and we know that Netfilter provides a module for managing MAC addresses with IPTables rules. Based on this, we've developed a script that will retrieve this information and generate our firewall rules. Of course, we've added a few extra features...

Prerequisites

The script requires several things: firstly, it is a BASH script, so it must be run on a Linux environment that has BASH (which shouldn't be a problem these days).

The script will directly set up the iptables rules on the machine and also save them in the /etc/iptables.rules file. Nftables is therefore not managed and the value of the output file must be modified directly in the code.

As mentioned above, a Kernel module is required for the script to function properly, but in reality 3 are needed:

• CONFIGNETFILTERXTMATCHMAC : to compare MAC addresses in rules
• CONFIGNETFILTERXT_MARK : to define markers on rules
• CONFIGNETFILTERXTMATCHMARK : to compare markers on rules

To check that these modules are activated or can be activated, simply use the following command:

$ cat /boot/config-`uname -r` | grep [MODULE] | grep "y\|m" 

In our case, we use ISC-DHCP, the script gets the @MAC / @IP pairs stored in the file /etc/dhcp/dhcpd.conf:

host test { hardware ethernet a1:b2:c3:d4:c5:6e; fixed-address 192.168.1.15; } 

How it works?

1) If we run the script on our test machine, it will automatically retrieve the IP addresses assigned to the various interfaces mounted on the machine: physical + bridges. 2) It will then retrieve the @MAC / @IP pairs stored in /etc/dhcp/dhcpd.conf. 3) The IPMACCHECK string will be created in the MANGLE table. 4) All rules relating to interfaces found on the machine, IP addresses / networks whitelisted by the user are set in the IPMACCHECK chain, they set a marker to 1 if they are triggered. The last rule set up corresponds to a default rule which sets a marker to 0 if and only if no marker has been set up to that point. 5) A rule is placed in the FORWARD chain of the MANGLE table to redirect all traffic to IPMACCHECK (FORWARD since we only want to filter traffic from our secondary interfaces). 6) A final rule is placed in the FORWARD chain of the FILTER table to reject all packets with a marker set to 0. 7) The rules are saved in the /etc/iptables.rules file.

If you want to see an example of how to use the tool, we encourage you to check it out on our Github.