* Faking ethernet source MAC in NF_IP_POST_ROUTING
@ 2004-06-23 16:15 Phillip Whelan
  2004-06-24  8:07 ` Henrik Nordstrom
  2004-06-28  9:31 ` Mario
  0 siblings, 2 replies; 3+ messages in thread
From: Phillip Whelan @ 2004-06-23 16:15 UTC (permalink / raw)
  To: netfilter-devel

Hello,

Quote: (myself)
  "I've been working lately on a netfilter hook extension which rewrites outgoing ARP packets to spoof a host's MAC address."

I already managed to solve a problem involving ARP replies automagically updating arp caches by modifying the arp payload's sender hw_addr.
(or perhaps, the tha... whatever, it works).

The kernel is now spoofing itself, etc... but, it still sends out packets with the real MAC address. This, of course, confuses the end host to no end.

In NF_IP_POST_ROUTING, the skb->mac is not NULL, but skb->mac_len is 0.
Directly modifying the skb->mac would just lead to memory corruption. 
How would I modify the source MAC address? (I'm inside NF_IP_POST_ROUTING). Can I access through a negative offset from skb->data? (net/ipv4/arp.c does this, I think).

-- 
Phillip Whelan
Lead Programmer
Exis - Extreme Information Solutions/Security
http://www.exis.cl

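The inconsistency described in the message above (ARP sender hardware address rewritten while the Ethernet header still carries the real MAC) is something a monitoring host can check on captured frames. This is an added example, not code from the thread; the function name, the enum and the two sample frames are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN 14
#define ARP_IPV4_LEN 28 /* ARP body for Ethernet + IPv4 */

enum arp_check { ARP_NOT_ARP = -1, ARP_CONSISTENT = 0, ARP_MISMATCH = 1 };

/* Compare the Ethernet header source MAC with the ARP sender hardware
 * address (sha). VLAN-tagged frames are reported as ARP_NOT_ARP. */
enum arp_check check_arp_frame(const uint8_t *f, size_t len)
{
    if (len < ETH_HDR_LEN + ARP_IPV4_LEN)
        return ARP_NOT_ARP;
    if (f[12] != 0x08 || f[13] != 0x06)          /* EtherType ARP */
        return ARP_NOT_ARP;
    const uint8_t *arp = f + ETH_HDR_LEN;
    /* htype 1 (Ethernet), ptype 0x0800 (IPv4), hlen 6, plen 4 */
    if (arp[0] != 0 || arp[1] != 1 || arp[2] != 0x08 || arp[3] != 0x00 ||
        arp[4] != 6 || arp[5] != 4)
        return ARP_NOT_ARP;
    /* Ethernet source is at offset 6; ARP sha is 8 bytes into the ARP body */
    return memcmp(f + 6, arp + 8, 6) == 0 ? ARP_CONSISTENT : ARP_MISMATCH;
}

/* Constructed ARP replies (locally administered MACs, 192.0.2.0/24). */
const uint8_t frame_ok[42] = {
    0x02,0,0,0,0,0x01,  0x02,0,0,0,0,0x02,  0x08,0x06,   /* dst, src, type */
    0,1, 0x08,0, 6, 4, 0,2,                              /* ARP header, op=reply */
    0x02,0,0,0,0,0x02, 192,0,2,2,                        /* sha, spa */
    0x02,0,0,0,0,0x01, 192,0,2,1 };                      /* tha, tpa */
const uint8_t frame_bad[42] = {
    0x02,0,0,0,0,0x01,  0x02,0,0,0,0,0x02,  0x08,0x06,   /* src = real NIC */
    0,1, 0x08,0, 6, 4, 0,2,
    0x02,0,0,0,0,0x99, 192,0,2,2,                        /* sha rewritten */
    0x02,0,0,0,0,0x01, 192,0,2,1 };

int main(void)
{
    printf("ok=%d bad=%d short=%d\n", check_arp_frame(frame_ok, sizeof frame_ok),
           check_arp_frame(frame_bad, sizeof frame_bad),
           check_arp_frame(frame_ok, 20));
    return 0;
}
```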

* Re: Faking ethernet source MAC in NF_IP_POST_ROUTING
  2004-06-23 16:15 Faking ethernet source MAC in NF_IP_POST_ROUTING Phillip Whelan
@ 2004-06-24  8:07 ` Henrik Nordstrom
  2004-06-28  9:31 ` Mario
  1 sibling, 0 replies; 3+ messages in thread
From: Henrik Nordstrom @ 2004-06-24  8:07 UTC (permalink / raw)
  To: Phillip Whelan; +Cc: Netfilter Developers List

On Wed, 23 Jun 2004, Phillip Whelan wrote:

> In NF_IP_POST_ROUTING, the skb->mac is not NULL, but skb->mac_len is 0.
> Directly modifying the skb->mac would just lead to memory corruption.  
> How would I modify the source MAC address? (I'm inside
> NF_IP_POST_ROUTING). Can I access through a negative offset from
> skb->data? (net/ipv4/arp.c does this, I think).

You can't from netfilter. The MAC is added very very late in the packet 
sending process, after the NF_IP_POST_ROUTING hook.

What you maybe can do if ARP is your only concern is to run ARP in
userspace and send the replies using a raw socket.

But I honestly do not understand why you want to do this. The ARP address
is configurable (see the ip link command), and there even exist patches
to allow a single Ethernet to act as multiple virtual interfaces each with
their own MAC... (look for mac vlan, can be found from the same source as
the vlan patch)

Regards
Henrik


* Re: Faking ethernet source MAC in NF_IP_POST_ROUTING
  2004-06-23 16:15 Faking ethernet source MAC in NF_IP_POST_ROUTING Phillip Whelan
  2004-06-24  8:07 ` Henrik Nordstrom
@ 2004-06-28  9:31 ` Mario
  1 sibling, 0 replies; 3+ messages in thread
From: Mario @ 2004-06-28  9:31 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Phillip Whelan

On Wednesday 23 June 2004 19:15, Phillip Whelan wrote:
> Hello,
>
> Quote: (myself)
>   "I've been working lately on a netfilter hook extension which Rewrites
> outgoing ARP packets to spoof a host's MAC address."
>
> I already managed to solve a problem involving ARP replies automagically
> updating arp caches by modifying the arp payload's sender hw_addr. (or
> perhaps, the tha... whatever, it works).
>
> The kernel is now spoofing itself, etc... but, it still sends out packets
> with the real MAC address. This, of course, confuses the end host to no
> end.
>
> In NF_IP_POST_ROUTING, the skb->mac is not NULL, but skb->mac_len is 0.
> Directly modifying the skb->mac would just lead to memory corruption.
> How would I modify the source MAC address? (I'm inside NF_IP_POST_ROUTING).
> Can I access through a negative offset from skb->data? (net/ipv4/arp.c does
> this, I think).


You can modify MAC address by using ebtables & bridge extensions.
Using ebtables on bridge device you can have multiple MACs and can do MAC SNAT 
or DNAT. iptables can't change MAC addresses because iptables is 
layer3. ebtables is layer2 and it can modify MACs. Try it! It works! Tested ;P~
You can use it also if you want to conflict huge ip classes... some ISPs are 
using this way to stop their clients using their local area networks if they 
are not paying. It can be useful in your case.
