Linux Netfilter discussions
From: Vlad Adomnicai <vlada@xana.ro>
To: netfilter@lists.netfilter.org
Subject: Two computers with same MAC
Date: Tue, 25 May 2004 06:21:36 +0300
Message-ID: <40B2BBC0.1080709@xana.ro>

Hi,
   I have a problem on a local LAN.
   I have tested and seen that two computers with the same IP and MAC 
can use the network at the same time with no problems. I'm interested in 
a way to allow only the right owner of the IP and MAC to pass through a 
Linux router and on to the internet.

    ROUTER   ---> SW   ----> Client1
                                  |
                                  --------->Client2.

   If Client2 first changes its MAC to the one of Client1, then 
changes the IP to the one of Client1's computer, none of the 
computers will get an IP Conflict and both computers will pass through 
the router instead of an iptables rule set on FORWARD:
    iptables -A FORWARD -o eth1 -s IP1 -m mac --mac-source MAC1 -j ACCEPT
    iptables -A FORWARD -o eth1 -j REJECT

  Anyone knows a way to stop Client2 from passing the router? (Both 
Client1 and Client2 are running Windows.)
  I have thought of several solutions but each one of them has drawbacks.
   1. VPN access for clients: allowing only 1 connection from an IP, the 
problem is solved. The trouble is that the network is big (400-800 
users) and for local traffic the routers' CPUs will be greatly overcome 
(about 100 clients / router).
   2. Somehow tinkering with the IP options from clients and marking 
them in a certain way then from iptables detecting the special marking ( 
like using unused fields from the ethernet packet or something like 
this). I don't know if it is possible from linux, and if it is possible 
from windows for all the packets it sends. If it is possible, then even 
if Client2 will try to replicate the change, if I change the value each 
5 minutes let's say and change also the rules each 5 minutes on the 
router, I can make it impossible for him to pass the router for more 
than 5 minutes before having to look again for the value.
   3. Managed switches with MAC set on their ports. This idea is very 
expensive.
   4. Something done to the switch or a certain brand of switches that 
doesn't allow this to happen.

  I gladly welcome any advice possible. (I would prefer a solution 
based on iptables and IP options, maybe TTL changes if it can be done 
for the entire Windows system.)


Vlad Adomnicai
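The ruleset above matches on the frame's source MAC and the packet's source IP, and the cloned client copies both exactly, so nothing in those headers separates the two hosts; what the router can still observe is that two distinct IP stacks are sending. The following added example (not part of the original post or any reply to it) sketches a detection heuristic over the IPv4 Identification field, assuming each Windows client uses a single global incrementing IP ID counter; the packet records, addresses and function names are constructed for illustration.

```python
# Added example (not from the original post): heuristic detection of two hosts
# sharing one IP/MAC, based on the IPv4 Identification field. It assumes each
# client's stack uses a single global, incrementing IP ID counter (the usual
# behaviour of Windows stacks of that era); hosts that randomise IP ID would
# need a different signal.
from collections import defaultdict

IPID_MOD = 1 << 16  # the Identification field is 16 bits wide

def count_backward_steps(ipids):
    """Count consecutive pairs where the IP ID goes backwards (modulo 2^16).

    One incrementing counter almost never steps backwards (a wrap from 65535
    to 0 still reads as a small forward step); two interleaved counters, i.e.
    two hosts behind the same IP/MAC, step backwards roughly half the time.
    """
    backward = 0
    for prev, cur in zip(ipids, ipids[1:]):
        delta = (cur - prev) % IPID_MOD
        if delta > IPID_MOD // 2:  # shortest modular distance is negative
            backward += 1
    return backward

def duplicate_host_suspects(packets, min_packets=8, ratio=0.25):
    """Group packet records by (src_ip, src_mac) and report the pairs whose
    IP ID stream looks like more than one counter. Returns {key: backward}."""
    streams = defaultdict(list)
    for pkt in packets:
        streams[(pkt["src_ip"], pkt["src_mac"])].append(pkt["ipid"])
    suspects = {}
    for key, ipids in streams.items():
        if len(ipids) < min_packets:
            continue
        back = count_backward_steps(ipids)
        if back >= ratio * (len(ipids) - 1):
            suspects[key] = back
    return suspects

# Constructed sample trace: Client1 (IP ID from 1000) and a cloned Client2
# (same IP/MAC, IP ID from 5000) interleaved, plus an honest single host.
SAMPLE = []
for i in range(10):
    SAMPLE.append({"src_ip": "10.0.0.5", "src_mac": "00:11:22:33:44:55", "ipid": 1000 + i})
    SAMPLE.append({"src_ip": "10.0.0.5", "src_mac": "00:11:22:33:44:55", "ipid": 5000 + i})
for i in range(10):
    SAMPLE.append({"src_ip": "10.0.0.6", "src_mac": "00:11:22:33:44:66", "ipid": 7000 + i})

if __name__ == "__main__":
    print(duplicate_host_suspects(SAMPLE))  # flags only 10.0.0.5's stream
```

On a real router the records would come from a packet capture on the LAN-facing interface; a flagged pair is a lead to investigate at the switch, not proof of which of the two hosts is the legitimate one.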


