The netfilter.org “nftables” project: https://netfilter.org/projects/nftables/

These rules disable most inter-LAN connectivity. The host wil talk to the gateway, DNS, NTP and DHCP servers. Other nodes might pick up broadcast traffic, but will not be able to communicate with this endpoint.

• Create a file with MAC addresses you want to be able to communicate with. Or dynamically generate it at boot (/dev/shm/maclist).

  ####################### 
  # Firewall inet
  #######################
  
  # Flush ruleset and create chains for inet
  nft flush ruleset
  nft add table inet filter
  nft add chain inet filter INPUT   { type filter hook input   priority 0 \; policy drop \; }
  nft add chain inet filter OUTPUT  { type filter hook output  priority 0 \; policy accept \; }
  nft add chain inet filter FORWARD { type filter hook forward priority 0 \; policy drop \; }
  
  # Accept established, drop invalid
  nft add rule inet filter INPUT ct state {established, related} accept
  nft add rule inet filter INPUT ct state invalid drop
  nft add rule inet filter INPUT iifname lo accept
  
  # Disable all IPv4 ICMP and drop IPv6 ping
  nft add rule inet filter INPUT ip protocol icmp drop
  nft add rule inet filter INPUT ip6 nexthdr icmpv6 icmpv6 type echo-request drop
  
  # Allow IPv6 configuration
  nft add rule inet filter INPUT ip6 nexthdr icmpv6  icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
  
  
  ####################### 
  # Firewall ARP
  #######################
  
  # Create chains with same naming convention as arptables.
  nft add table arp filter
  nft add chain arp filter INPUT   { type filter hook input   priority 0 \; }
  nft add chain arp filter OUTPUT  { type filter hook output  priority 0 \; }
  nft add chain arp filter FORWARD { type filter hook forward priority 0 \; }
  
  # Allow requests from addresses in the defined neighbour list.
  while read line
  do
    nft add rule arp filter INPUT arp operation  request ether saddr $line counter accept
  done <<< $(</dev/shm/maclist)
  
  # Allow incoming reply's.
  nft add rule arp filter INPUT arp operation  reply counter accept
  
  # Log incoming dropped ARP packages.
  nft add rule arp filter INPUT   log prefix \"INPUT   FILTER ARP: \"
  
  # Default drop. 
  nft chain arp filter INPUT { policy drop \; }
  nft chain arp filter FORWARD { policy drop \; }

• Show current ruleset:

  # nft list ruleset
  table inet filter {
          chain INPUT {
                  type filter hook input priority 0; policy drop;
                  ct state { established, related} accept
                  ct state invalid drop
                  iifname "lo" accept
                  ip protocol icmp drop
                  icmpv6 type echo-request drop
                  icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert} accept
          }
  
          chain OUTPUT {
                  type filter hook output priority 0; policy accept;
          }
  
          chain FORWARD {
                  type filter hook forward priority 0; policy drop;
          }
  }
  table arp filter {
          chain INPUT {
                  type filter hook input priority 0; policy drop;
                  arp operation request ether saddr aa:bb:cc:dd:ee:f0 counter packets 3544 bytes 163024 accept
                  arp operation request ether saddr aa:bb:cc:dd:ee:f1 counter packets 10 bytes 460 accept
                  arp operation request ether saddr aa:bb:cc:dd:ee:f2 counter packets 322 bytes 14812 accept
                  arp operation reply counter packets 3120 bytes 143520 accept
                  log prefix "INPUT FILTER ARP: "
          }
  
          chain OUTPUT {
                  type filter hook output priority 0; policy accept;
          }
  
          chain FORWARD {
                  type filter hook forward priority 0; policy drop;
          }
  }