This tutorial is useful for protecting yourself when connecting to untrusted wireless networks. It will block all traffic that doesn't originate from your default gateway.

We will use the PREROUTING chain in the raw table. This table takes precedence above all others and is applied as soon as a packet is received on an interface.

The next step is to create ARP filtering rules, because even though standard traffic locked down, our system will still listen for and respond to arp probes. So arptables is used to filter those too. The reason for locking down arp is that on a untrustworthy public hotspot, there's a lot of mischief that can be done by broadcasting intentionally false records such as man in the middle attacks.

Even though this is an iptables solution, I've used this successfully in conjunction with firewalld

Finding the Router MAC address

In most distros, the default gateway is automatically named 'gateway' inside the output of the arp command.

$ arp | grep gateway | awk '{print $3}'

The above command doesn't work on all systems, so here's an uglier alternative

GW_MAC=`ip neigh show $(ip route list | grep -m1 default |awk '{print $3}') | awk '{print $5}'`

Block traffic that isn't coming from the gateway MAC

Warning: This blocks all traffic on your local segment, both in and out. Make sure you know what you are doing.

Traffic to other networks is not affected, because when traffic passes through a router, it will have the source mac address of the router

GW_DEV=`ip r list | grep -m1 default | awk '{print $3}'`

sudo iptables -t raw \
--insert PREROUTING \
--in-interface $GW_DEV \
--match mac ! --mac-source $GW_MAC \
--jump DROP

Blocking arp traffic

sudo dnf install arptables 

sudo arptables I INPUT -i $GW_DEV ! --src-mac $GW_MAC -j DROP