RE: iptables spof address problem


> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx 
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of 
> Piotr Holubniak
> Sent: Thursday, September 29, 2005 1:22 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: iptables spof address problem

[snip]
 
> This is not a question of Layer 2 routing. All computers are 
> in one local network in the same subnet, so there is no need 
> to route packets.
> It seems to me that even if data arrives at the NIC of the Linux 
> computer with netfilter from a computer with a MAC address, this 
> MAC address is unseen by netfilter, because before it is 
> passed to netfilter, the TCP/IP stack tries to resolve the MAC by 
> sending an ARP lookup. So finally netfilter gets the wrong MAC:
> not the sender's, but the ARP lookup's.
> 
> Tell me if I am wrong.
> 
> Regards
> 
> PiotrH

If there's no routing involved and your hosts are on the same subnet,
then it is trivial to spoof the MAC of another machine, especially in
the scenario you describe. What you say is correct. It is not the fault
of netfilter or the kernel stack, it's just impossible to tell the
difference between two computers sending the exact same packet on the
same subnet.

It's like printing out two copies of the same paper on two different
copiers. Which one came from which copier? You can't tell. In fact it
would probably be easier to figure that out as opposed to MAC spoofing.

Derick Anderson
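The reply's point is that a MAC-based netfilter rule (`-m mac --mac-source`) is not an identity check on a shared segment. The defensive substitute is arpwatch-style monitoring of which MAC claims which IP, so that a binding that changes or a MAC that suddenly claims a second address is at least noticed. The following is an added example, not code from the thread; the observation tuples are constructed sample data in a format assumed here, not the output of any real tool.

```python
"""Flag MAC/IP binding changes seen on one LAN segment (arpwatch-style).

Added example for the thread above. Input is a list of observations
(timestamp, source MAC, source IP) as a sniffer or switch would report
them; the sample below is constructed.
"""
from collections import defaultdict

# Constructed sample: host A is 00:..:55 at .10, host B is 00:..:66 at .11.
# At t=4 a frame carries A's MAC with B's IP, then B speaks again at t=5.
SAMPLE = [
    (1, "00:11:22:33:44:55", "192.168.1.10"),
    (2, "00:11:22:33:44:66", "192.168.1.11"),
    (3, "00:11:22:33:44:55", "192.168.1.10"),
    (4, "00:11:22:33:44:55", "192.168.1.11"),  # A's MAC now claims .11
    (5, "00:11:22:33:44:66", "192.168.1.11"),  # original .11 host still active
]


def find_flipflops(observations):
    """Return alerts as tuples.

    ("ip-flipflop", ts, ip, old_mac, new_mac): an IP's last-seen MAC changed.
    ("mac-multi-ip", ts, mac, sorted_ips): one MAC now claims more than one IP.
    """
    last_mac_for_ip = {}
    ips_for_mac = defaultdict(set)
    alerts = []
    for ts, mac, ip in observations:
        mac = mac.lower()
        prev = last_mac_for_ip.get(ip)
        if prev is not None and prev != mac:
            alerts.append(("ip-flipflop", ts, ip, prev, mac))
        last_mac_for_ip[ip] = mac
        # Only alert when the set of IPs behind this MAC actually grows.
        if ips_for_mac[mac] and ip not in ips_for_mac[mac]:
            ips_for_mac[mac].add(ip)
            alerts.append(("mac-multi-ip", ts, mac, sorted(ips_for_mac[mac])))
        else:
            ips_for_mac[mac].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in find_flipflops(SAMPLE):
        print(alert)
```

A host that clones both the victim's MAC and IP produces observations identical to the victim's and is invisible to this check, which is exactly the indistinguishability the reply describes; for that case the remaining evidence is out-of-band (switch port, timing, 802.1X).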


