block certain ARP Who-Has requests with ebtables



ebtables -t nat -A PREROUTING -p arp --arp-opcode request --arp-ip-dst 192.168.11.11 -j arpreply --arpreply-mac 00:11:22:33:44:55 

Difference here is that this rule operates on the NAT table and not on the FILTER table. All incoming packages on the ethernet bridge are going to pass this prerouting chain. If this special arp packages passes by, the router will answer it and delivers the correct arp address to the sender. So this is working like a very simple ARP Proxy...