Set Up Static ARP Table

One way to mitigate man-in-the-middle (or mitm for short) attacks is to set up static arp tables.  I’d like to show you how this is done both in CentOS and Ubuntu.

Adding By Hand (CentOS & Ubuntu)

To add a static ARP entry to the local ARP table, run the following command as root:

arp -s <ip address> <mac address>


arp -s e0:db:55:ce:13:fd

If you get an error saying “-bash: arp: command not found,” you need to install the ‘net-tools’ package.

To see the arp table, run:

arp -a


? ( at d0:67:e5:46:50:dd [ether] on em1 ( at 00:0e:2f:c1:8b:59 [ether] on em1
gateway ( at e0:db:55:ce:13:f [ether] PERM on em1

Notice the “PERM” on the last entry.  That is the static arp entry we just created.

Using A Flat File (CentOS & Ubuntu)

Adding all the entries you might need can be tedious.  Put the entries in a file, instead.  A common file to use is /etc/ethers.

The file format is:

<ip address> <mac address>

<ip address> <mac address>

To load the file into the arp table from /etc/ethers, run the following command as root:

arp -f /etc/ethers

You should then be able to run ‘arp -a’ and see the PERM entries as shown above.

To remove an arp entry run the following as root:

arp -d <ip addr>

Persistence Across System Reboots (CentOS)

However, these rule will not remain after a reboot.  To make them persistent, we’ll create a script called /sbin/ifup-local as root:

vi /sbin/ifup-local

Put the following contents into it:

arp -f /etc/ethers

Then, we’ll make it executable:

chmod +x /sbin/ifup-local

Technically, this script will execute any time the NIC is brought up, which generally happens when the system is booting up.

Reboot, and check your arp table with ‘arp -a’.

Persistence Across System Reboots (Ubuntu)

We are going to edit a file called /etc/rc.local as root:

vi /etc/rc.local

Then, we put our arp commands in one per line:


arp -s <ip address> <mac address>
arp -s <ip address> <mac address>
exit 0

Of course we have to make it executable:

chmod +x /etc/rc.local

Reboot, and check your arp table with ‘arp -a’.