5

I have a Raspberry Pi, and hostapd and iptables are running on it. However, iptables cannot block the Wi-Fi clients from communicating with each other, thus I cannot prevent them from sending out ARP packets with iptables. It's not possible to run one AP for each client on my Pi, since I have only one WLAN interface.

Is there a way to prevent ARP poisoning with those tools? If impossible, how to detect it and find out the source of the attack?

vincent163
  • 191
  • 4
  • 1
    Try enabling client isolation by adding `ap_isolate=1` to the hostapd config file. – tlng05 Jul 31 '16 at 15:44
  • @tlng05 Thanks for the quick reply! I don't have the ability to test if it works, but this is the configuration line I am finding. Theoretically all packets in the subnet would have to pass through the router with that line, but would hackers still be able to broadcast ARP packets with GTK? Will my DHCP server dnsmasq be able to correct any ARP problems on the router? – vincent163 Aug 02 '16 at 03:36

1 Answer

1

You could try to set up a layer 2 firewall via iptables, but I don't see an easy implementation. Maybe you'd like to have a look at arptables: https://linux.die.net/man/8/arptables

If you want to detect (not prevent!) ARP spoofing attacks, you can use several tools, for example arpwatch. This tool sends messages to syslog, so you can monitor changes to your ARP table. https://linux.die.net/man/8/arpwatch

Also, there is an active tool that prevents ARP spoofing attacks in different scenarios (DHCP, static, etc.), although it requires an "agent" on each host, which may not be ideal depending on your needs: https://manpages.debian.org/stretch/arpon/arpon.8.en.html

In any case, and given your scenario (I assume a small home network), another quick fix may be to manually set up the ARP table of your host. To do so you can use the following command (note that the changes will be lost after a reboot):

arp -s [IP address] [MAC address]

By doing so, you tell your host kernel to associate an IP with a MAC, and other requests that try to overwrite this value will be ignored. For a more elaborate way of doing this, you could write a script that adds a list of all the IP-MAC pairs within your network that you trust and run it at boot time, avoiding possible issues with already-spoofed networks.

This has a limitation if you have a host that moves from one network to another (a mobile phone or a laptop), unless the script detects the exact network you're connected to and has multiple lists of trusted IP-MAC pairs. This solution, though, is highly static and difficult to maintain in large/dynamic environments.

b0rt
  • 335
  • 1
  • 4
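The boot-time pinning script the answer sketches, written out as an added example (not b0rt's code or the question's configuration): it reads trusted IP/MAC pairs, refuses malformed entries, and pins the rest in the Pi's own neighbour table with `ip neigh ... nud permanent`, the iproute2 equivalent of `arp -s`. The list path /etc/trusted-arp.list, the interface name wlan0 and the sample entries are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer: pin trusted IP-to-MAC pairs in the
# Pi's own neighbour table so a spoofed ARP reply cannot overwrite them there.
# Assumed: list file /etc/trusted-arp.list ("IP MAC" per line, '#' comments),
# AP interface wlan0. "ip neigh ... nud permanent" is iproute2's form of "arp -s".
TRUSTED_LIST="${TRUSTED_LIST:-/etc/trusted-arp.list}"
AP_IFACE="${AP_IFACE:-wlan0}"

# True if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq \
      '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# True if $1 is a colon-separated 48-bit MAC address.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Read "IP MAC" lines on stdin, skip blanks/comments, drop malformed entries
# (a bad line must not silently pin the wrong pair), emit one pin command each.
render_pins() {
    while read -r ip mac rest; do
        case "$ip" in ''|\#*) continue ;; esac
        if ! valid_ipv4 "$ip" || ! valid_mac "$mac"; then
            echo "skipping malformed entry: $ip $mac" >&2
            continue
        fi
        # nud permanent: the kernel ignores ARP traffic that tries to change it.
        echo "ip neigh replace $ip lladdr $mac dev $AP_IFACE nud permanent"
    done
}
# Constructed sample list (not from the question) to exercise the parser.
sample_list() {
    cat <<'EOF'
# ip            mac
192.168.4.10    b8:27:eb:12:34:56
192.168.4.11    DC:A6:32:AB:CD:EF
192.168.4.999   00:11:22:33:44:55   # bad IP: skipped
192.168.4.12    00:11:22:33:44      # bad MAC: skipped
EOF
}

# show: print the commands; apply: run them as root, e.g. from cron @reboot or a
# systemd unit, so the pins exist before any client can poison the Pi's table.
case "${1:-}" in
    show)  render_pins < "$TRUSTED_LIST" ;;
    apply) render_pins < "$TRUSTED_LIST" | sh -e ;;
    demo)  sample_list | render_pins ;;
esac
```

`./pin-arp.sh demo` shows what the parser accepts and rejects without touching the kernel; `sudo ./pin-arp.sh apply` installs the pins.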