Hello Oto,

You can use arptables to do that. ebtables can't do that.

    arptables -A INPUT -s StupidEthernetDeviceIP --destination-mac MyOwnMacAddress -j mangle --mangle-mac-s TheMACAddressIwant

You can of course replace the -s StupidEthernetDeviceIP with another filter.
However, as you are using a bridge device and probably a lot of other devices communicate over the virtual bridge, you should construct a filter for a rule that guarantees (either by logical constraint or physical constraint [e.g.: the only device connected to eth0 is the stupid ethernet device, assuming eth0 is slaved to br0]) that only traffic from that host is mangled. Otherwise, you will not be able to establish a connection to any other host.

Kind Regards,

Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 04.04.2015 at 09:26, otik@xxxxxxxxxx wrote:
> Hi all,
>
> I need to connect Linux to an Ethernet device. Everything would work, except that after the SYN packet the device starts to send packets with a changing/random/malicious MAC. It seems Linux would drop such packets (MAC and IP do not match its records). This is expected to reduce Inject/Man-On-Side attacks.
>
> The device computer is too expensive to be replaced. Also, the original box can communicate with it with no problem, so there is no point in changing it. The original solution runs on Windows, which seems to be more permissive on this issue. I can confirm this. I ran simple SW to resend the stream on Windows and all communication was OK. However, I cannot use this solution in production.
>
> Things are even more complicated as my Linux box is located a 12-hour flight and another 4 hours of driving away, with no internet access. I have one last shot to try it, so I'm awaiting even your brainstorm ideas.
>
> My basic idea was to have an ebtables SNAT rule, but I need it to run before the routing decision to work. As I understand it, SNAT works on postrouting - too late. I'm running a bridge on my box to remove the need to have an external switch.
>
> Oto
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html