RE: Handling a client's fixed IP address

You may want to look at this,
http://www.securiteam.com/exploits/6F00B1561Q.html

IP spoofing, don't forget that you may also want to do proxy spoofing/redirecting and SMTP spoofing/redirecting.

Products such as Birdstep, Nomadix, Zyxel VSG 1200 already do this for you, typically hotspot solutions, but expensive.


/Fredrik


-----Original Message-----
From: Herman [mailto:Herman@xxxxxxxxxxxxxxxxxxxxx] 
Sent: 30. oktober 2003 00:36
To: john zurowski; netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Handling a client's fixed IP address

On Wednesday 29 October 2003 9:04 pm, john zurowski wrote:
> I've been using iptables without problems for almost a year now. A
> situation has however occurred where I would like to allow access to
> users with fixed IP addresses onto the LAN in order to gain access to
> the internet. The situation is complicated because the client devices
> may be assigned fixed IP addresses which do not match our subnet or
> point at our gateway. Can iptables be configured in such a way that
> this could be handled transparently, i.e. without the client having to
> set up a DHCP client service?

Hmm, as I understand it:
A visitor plugs a 'foreign' laptop into the wall in your meeting room and
starts a browser, then he expects to connect to say www.cnn.com without
having to change *any* settings on his machine, which may be configured to
talk to a non-existent gateway IP address.

We hope that your guest IP and Gateway settings do not clash with an existing
IP address on your network.  If you are concerned about clashes, then you
would need either a dedicated interface or a virtual LAN interface to
separate the meeting room from the rest of the place.

Well, this clearly calls for NAT, but it won't be simple.

I think you have to look at "-m state --state NEW,ESTABLISHED,RELATED" and
"SNAT" to cause every new previously unknown connection attempt and whatever
follows from that, to be redirected to the External IP on the firewall
machine.

I think the simplest case would be if you use a dedicated interface or VLAN,
say eth3 if it is dedicated hardware or eth1.1 if it is a VLAN, and then SNAT
whatever arrives on that interface to the outside IP address of the
firewall.

Since the packets would be addressed to a non-existent gateway machine, you
would need to do DNAT too.

I have a feeling that this problem can be solved with iptables and it would be
interesting if one of the real iptables gurus can comment.

Cheers,
-- 
Herman
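The dedicated-interface approach Herman sketches (state matching, SNAT to the firewall's outside address, DNAT for the gateway the guest believes in), as an added example that is not part of the thread. It emits the commands rather than running them so they can be reviewed before being applied as root; all names are assumptions: eth3 is the guest interface, eth0 the external one, 203.0.113.10 the firewall's external address, 192.168.1.0/24 the internal LAN that guests must not reach, and 10.0.0.5 a registered guest's foreign fixed address.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the commands needed on the
# firewall; pipe the output to sh as root once reviewed.
# Arguments: guest_if ext_if ext_ip lan_net guest_ip [guest_ip ...]
gen_guest_nat_rules() {
    guest_if=$1 ext_if=$2 ext_ip=$3 lan_net=$4
    shift 4   # what remains: the registered guests' fixed addresses

    echo "sysctl -w net.ipv4.ip_forward=1"
    # The laptop ARPs for a gateway address that does not exist here.
    # proxy_arp makes the firewall answer on the guest port for any
    # address it routes out a different interface (e.g. its default route),
    # so the guest's frames land on the firewall without any client change.
    echo "sysctl -w net.ipv4.conf.$guest_if.proxy_arp=1"

    for g in "$@"; do
        # Replies are de-NATed back to the foreign address; a host route
        # sends them out the guest port instead of the default route.
        echo "ip route add $g/32 dev $guest_if"
        # Rewrite the foreign source address to the firewall's outside IP.
        echo "iptables -t nat -A POSTROUTING -s $g -o $ext_if -j SNAT --to-source $ext_ip"
    done

    # Guests get the internet only; the internal LAN is off limits.
    # The DROP is appended first so it is evaluated before the ACCEPT.
    echo "iptables -A FORWARD -i $guest_if -d $lan_net -j DROP"
    echo "iptables -A FORWARD -i $guest_if -o $ext_if -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $ext_if -o $guest_if -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # The guest's DNS server setting is foreign too: DNAT (REDIRECT) its
    # lookups to the firewall. Assumes a resolver listens locally on 53.
    echo "iptables -t nat -A PREROUTING -i $guest_if -p udp --dport 53 -j REDIRECT --to-ports 53"
}

# Constructed sample invocation with the assumed names above.
gen_guest_nat_rules eth3 eth0 203.0.113.10 192.168.1.0/24 10.0.0.5
```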