Block ARP requests (or broadcast message, if possible) from A SPECIFIC HOST in a subnet

networking router firewall iptables broadcast

6,216

I have achieved this requirement in 2 ways on Linux devices. I am still looking for ways to achieve this on Windows devices.

By entering a static ARP entry for my gateway and then disabling ARP.
Using arptable

First Method

ip neighbor add 172.xx.xxx.1 lladdr 84:xx:xx:xx:xx:80 nud permanent dev eth0

The above command needs ip-full package on OpenWrt systems. eth0 is my WAN interface. If there is already an entry for the gateway, use:

ip neighbor replace 172.xx.xxx.1 lladdr 84:xx:xx:xx:xx:80 nud permanent dev eth0

Now disable ARP. Use any one of the commands.

ip link set dev eth0 arp off
ifconfig eth0 -arp

To re-enable later, use:

ip link set dev eth0 arp on
ifconfig eth0 arp

Second Method

This one is using arptables package. First, I have allowed my gateway. Then I have also allowed ARP in my LAN (br-lan interface) and finally blocked all other ARP

arptables -A INPUT -i eth0 -s 172.xx.xxx.1 --source-mac ac:xx:xx:xx:xx:xx -j ACCEPT
arptables -A INPUT -i br-lan -j ACCEPT
arptables -P INPUT DROP

^{You should modify the arptables rules according to your own requirements. the above rules will also stop you from pinging eth0 hosts because their ARP responses will be blocked too. You can add another rule "arptables -A INPUT -i eth0 --destination-mac e4:xx:xx:xx:xx:xx -j ACCEPT" where e4:xx:xx:xx:xx:xx is your eth0 MAC. This will allow all unicast ARP packets including ARP responses sent to your device.}

6,216

Sourav Ghosh

Master of Science in physics from the University of Hyderabad.

Updated on September 18, 2022

Comments

Sourav Ghosh over 1 year

My ISP provide username-password for authentication and also register the client's MAC address for authentication.

I am concerned about someone misusing my connection while I am not using it. Usernames are easy to guess (clients can't change usernames, only passwords can be changed) and if anyone finds MAC address and password, they can use my connection.

Now, the ISP don't use private VLAN, so MAC addresses are easy to get. A simple ARP broadcast requests from a host within my subnet will reveal my MAC and I am not relying on password because the authentication page doesn't use HTTPS. So, my passwords are sent in plain text.

In this scenario, I want to block/drop/reject ARP request (or any broadcast requests) from any host within my subnet but the gateway.

I have looked this question and this question but the OP tried to block all ARP requests. Of course, this is a bad idea because then I won't get any internet traffic from the gateway. I just want to block ARP request (if possible any broadcast request) from any random host in my subnet, but only allow broadcast/ARP from my gateway.

I am using OpenWrt in my wireless router. So, I think Linux solutions will work and if possible, please also provide Windows solution.
- Wiffzack about 7 years
  
  arptable is propably the solution you need. Make your Route static and block all.
- MaQleod about 7 years
  
  You can usually set a static ARP entry (dependent on OS of course), so if you do that for your gateway, you'll never lose it and can block all other ARP.
- Sourav Ghosh about 7 years
  
  @MaQleod But what about when the gateway wants to send me a packet? it needs to broadcast for my MAC. I have to reply to that ARP.
- MaQleod about 7 years
  
  Chances are it won't be a problem. Most ISP routers will keep ARP tables for around 20 minutes (most enterprise routers are set high for this) and most of them will usually be able to update ARP tables from incoming packets - so it would just take packets from you to the router for it to know where you are and how to reach you, without the need to send ARPs to you at all. So if your machine ARPs the gateway every 2-5 minutes, or whatever your refresh is set to, good chance you're updating its ARP as well each time.
acgbox about 4 years

launch an arp spoofing attack with netcut or tuxcut and you will see that your arptables rules do not stop superuser.com/questions/1532095/…
Sourav Ghosh about 4 years

arptables is used for ARP packet filtering. It won't help you to detect ARP spoofing. If you configure each hosts with proper arptables rules, then you can probably prevent an ARP spoof attack. arptables -A INPUT --source 192.168.1.10 --source-mac 14:cc:21:3a:YY:YY -j ACCEPT. Add rules for each trusted IP-MAC pair and do this on all hosts. In this way, the hosts will reject spoofed ARP packets.