We want to isolate a server on our local LAN so that no other computer on the LAN can connect to it as long as it does not know the server's MAC address.
Facts
Router IP: 192.168.1.1 MAC: 00:14:6c:4f:66:70
Server IP: 192.168.1.12 MAC: 00:0d:61:00:85:2f
Server OS: Debian 5.0
Server network configuration: /etc/network/interfaces (shown for each case below)
We'll look at two cases. In the first case we can configure the router's ARP table, so that it holds a static entry with the server's IP and MAC. In the second case we cannot configure the router's ARP table.
The first case is more secure, because no ARP requests or replies are exchanged between router and server at all:
Case 1
Add a static entry for the server to the router's ARP table:
Server IP: 192.168.1.12 MAC: 00:0d:61:00:85:2f
Server network configuration:
auto lo eth0
iface lo inet loopback
iface eth0 inet static
address 192.168.1.12
netmask 255.255.255.0
network 192.168.1.0
# Disable ARP on this interface: eth0 will neither send ARP requests
# nor answer them, so its MAC never shows up in ARP traffic.
# This hack works because ifup passes the option values to ifconfig
# unquoted, roughly like this:
# ifconfig ${DEVICE} ${IPADDR} \
# netmask ${NETMASK} broadcast \
# ${BROADCAST} ${ARP:+arp}
# so "-arp" appended to the broadcast value is word-split and reaches
# ifconfig as its own "-arp" flag.
broadcast 192.168.1.255 -arp
gateway 192.168.1.1
# With ARP off, every host this server talks to needs a permanent entry;
# without the gateway's entry even the default route is unusable.
# Trusted IP/MAC pairs (here only the router):
up arp -s 192.168.1.1 00:14:6c:4f:66:70
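To confirm the hack actually took effect, check two things on the server: the interface must carry the NOARP flag, and the neighbour table must contain only the PERMANENT entries we pinned (a REACHABLE or STALE entry means the interface is still learning MACs). The script below is an added example, not code from the original post. It uses iproute's ip command, which Debian 5.0 ships; the sample outputs it embeds are constructed to match ip's format so the checks can be exercised without root or a LAN, and verify_live runs the real commands on the host.

```shell
#!/bin/sh
# Added example, not code from the original post: check that the Case 1
# stanza really took effect, i.e. eth0 carries the NOARP flag and the only
# neighbour entries are the permanent ones we pinned. Uses iproute's "ip";
# the sample outputs below are constructed to match its format.

SAMPLE_LINK_NOARP='2: eth0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0d:61:00:85:2f brd ff:ff:ff:ff:ff:ff'
SAMPLE_LINK_ARP='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0d:61:00:85:2f brd ff:ff:ff:ff:ff:ff'
SAMPLE_NEIGH_OK='192.168.1.1 dev eth0 lladdr 00:14:6c:4f:66:70 PERMANENT'
# A dynamically learned entry (made-up host): a sign that ARP is still active.
SAMPLE_NEIGH_LEAK='192.168.1.1 dev eth0 lladdr 00:14:6c:4f:66:70 PERMANENT
192.168.1.33 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE'

# $1: output of "ip link show <iface>". Succeeds if the flag list has NOARP.
has_noarp() {
    printf '%s\n' "$1" | grep -q '<[^>]*NOARP[^>]*>'
}

# $1: output of "ip neigh show"; $2: IP; $3: MAC (any case).
# Succeeds only if the entry is PERMANENT, i.e. set with "arp -s" and not
# learned from (or overwritable by) an ARP reply.
has_permanent_neighbour() {
    printf '%s\n' "$1" | grep -qi "^$2 dev [^ ]* lladdr $3 PERMANENT"
}

# $1: output of "ip neigh show"; $2: interface. Prints the number of
# non-permanent entries on that interface; with ARP disabled it must be 0.
dynamic_neighbour_count() {
    printf '%s\n' "$1" | grep " dev $2 " | grep -c -v PERMANENT || true
}

# Live check on this host, e.g.: verify_live eth0 192.168.1.1 00:14:6c:4f:66:70
verify_live() {
    link=$(ip link show "$1") || return 1
    neigh=$(ip neigh show) || return 1
    has_noarp "$link" || { echo "FAIL: $1 still has ARP enabled" >&2; return 1; }
    has_permanent_neighbour "$neigh" "$2" "$3" \
        || { echo "FAIL: no PERMANENT entry for $2 -> $3" >&2; return 1; }
    [ "$(dynamic_neighbour_count "$neigh" "$1")" -eq 0 ] \
        || { echo "FAIL: dynamically learned ARP entries on $1" >&2; return 1; }
    echo "OK: $1 is NOARP and only pinned neighbours exist"
}
```

As an end-to-end test, run arping against 192.168.1.12 from another host on the LAN: it should get no reply, while the router (with its static entry) still reaches the server. If the interface is not managed by ifupdown, the same effect is obtained with "ip link set dev eth0 arp off".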
Case 2
auto lo eth0
iface lo inet loopback
iface eth0 inet static
address 192.168.1.12
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
# arptables must be installed (package "arptables" on Debian).
# Flush the filter table and default to dropping every ARP packet.
up arptables -F
up arptables -P INPUT DROP
up arptables -P OUTPUT DROP
up arptables -P FORWARD DROP
# Trusted IP/MAC pairs (here only the router).
# Accept only ARP packets whose sender is the trusted gateway, matched on
# both its IP and its MAC, so a spoofed reply carrying the gateway's IP
# from another MAC is still dropped.
up arptables -A INPUT -s 192.168.1.1 \
--source-mac 00:14:6c:4f:66:70 -j ACCEPT
# Send ARP packets only to the trusted gateway. Because of the permanent
# entry below the server never has to send a request for the gateway,
# only replies, whose target MAC is the gateway's and so matches here.
up arptables -A OUTPUT -d 192.168.1.1 \
--destination-mac 00:14:6c:4f:66:70 -j ACCEPT
# Pin the gateway's MAC in the ARP table as a permanent entry so that no
# ARP reply, accepted or not, can overwrite it.
up arp -s 192.168.1.1 00:14:6c:4f:66:70
Conclusion
The first configuration is more secure and needs no arptables, but the ARP tables of both the router and the server have to be configured statically. If we later trust another PC in our LAN, we have to add that PC's MAC to the server configuration, and add the server's MAC statically on the PC as well, because the server cannot answer ARP requests (ARP is disabled on its interface).
In the second configuration the router needs no static configuration, and when we add a trusted PC we only have to edit the server configuration (add the PC's MAC to the ARP table and append the matching arptables rules). However the server still exchanges ARP requests and replies with its trusted hosts, so on a hub, or on a switch whose MAC table has been flooded, any other computer can sniff them and learn the server's MAC.
In both cases the protection is only as strong as the secrecy of the server's MAC: a host that learns it by any other means can add its own static ARP entry and reach the server, so this should complement a packet filter (iptables) on the server, not replace it.
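Since every new trusted host means the same three or four lines in the server's stanza (an arptables ACCEPT pair and a permanent ARP entry in Case 2, the permanent entry alone in Case 1), it is safer to generate them from one list than to hand-edit them. The script below is an added example, not code from the original post: it keeps the trusted hosts as "IP MAC" pairs, validates each pair (a typo in a MAC would otherwise silently become a rule that matches nothing), and prints the "up" lines for either case. The router entry is the one from this post; the 192.168.1.20 PC entry is a made-up example address.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the "up" lines
# of the server's /etc/network/interfaces stanza from one list of trusted
# hosts. Router entry from the post; the PC entry is a made-up example.

TRUSTED_HOSTS='192.168.1.1 00:14:6c:4f:66:70
192.168.1.20 00:1b:2c:3d:4e:5f'

# Succeed if $1 is a well-formed unicast MAC address (aa:bb:cc:dd:ee:ff).
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{2}(:[0-9a-f]{2}){5}$' || return 1
    # The low bit of the first octet is the I/G bit: odd means multicast or
    # broadcast, which can never be a host we trust, so reject it.
    case "$(printf '%s' "$1" | cut -d: -f1)" in
        *[02468aceACE]) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if $1 is a dotted-quad IPv4 address.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the "up" lines for the "IP MAC" list in $1.
# $2 = "arptables" gives the Case 2 form (default-deny policies, then an
# ACCEPT pair plus a permanent entry per host); anything else gives the
# Case 1 form (permanent entries only; the interface itself has ARP off).
# Returns 1 on a malformed entry so a typo never silently produces a rule
# that matches nothing.
gen_up_lines() {
    if [ "$2" = arptables ]; then
        printf 'up arptables -F\n'
        printf 'up arptables -P INPUT DROP\n'
        printf 'up arptables -P OUTPUT DROP\n'
        printf 'up arptables -P FORWARD DROP\n'
    fi
    printf '%s\n' "$1" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        if ! valid_ipv4 "$ip" || ! valid_mac "$mac"; then
            printf 'bad trusted-host entry: "%s %s"\n' "$ip" "$mac" >&2
            exit 1   # leaves the pipeline subshell with status 1
        fi
        if [ "$2" = arptables ]; then
            printf 'up arptables -A INPUT -s %s --source-mac %s -j ACCEPT\n' "$ip" "$mac"
            printf 'up arptables -A OUTPUT -d %s --destination-mac %s -j ACCEPT\n' "$ip" "$mac"
        fi
        printf 'up arp -s %s %s\n' "$ip" "$mac"
    done || return 1
}

# Stand-alone use: print the Case 2 lines for the list above.
gen_up_lines "$TRUSTED_HOSTS" arptables
```

Paste the output below the "gateway" line of the eth0 stanza. Because the policies are printed before the ACCEPT rules, the order of the output matters only for readability: arptables evaluates the rules in the order they are appended, and the permanent "arp -s" entries are independent of the rule order.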
Sources:
http://www.experts-exchange.com/Networking/Linux_Networking/Q_21428737.html
https://bugzilla.redhat.com/show_bug.cgi?id=12111
http://abulmagd.blogspot.com/2008/08/arptables-and-arp-poisoningnetcut.html