# Block ARP traffic from and to all machines (default: DENY)
arptables -P INPUT DROP
arptables -P OUTPUT DROP
# Allow router (fixed ARP)
arptables -A INPUT --source-mac <ROUTER_MAC> --destination-mac <USER MAC> -j ACCEPT
onde <ROUTER_MAC>
é o mac do roteador de sub-rede.