Linux Netfilter discussions
* Two computers with same MAC
@ 2004-05-25  3:21 Vlad Adomnicai
From: Vlad Adomnicai @ 2004-05-25  3:21 UTC (permalink / raw)
  To: netfilter

Hi,
   I have a problem on a local LAN.
   I have tested and seen that two computers with the same IP and MAC 
can use the network at the same time with no problems. I'm interested in 
a way to allow only the right owner of the IP and MAC to pass through a 
Linux router and on to the Internet.

    ROUTER   ---> SW   ----> Client1
                                  |
                                  --------->Client2.

   If Client2 first changes its MAC to the one of Client1, then 
changes the IP to the one of Client1's computer, none of the 
computers will get an IP conflict and both computers will pass through 
the router instead of an iptables rule set on FORWARD.
    iptables -A FORWARD -o eth1 -s IP1 -m mac --mac-source MAC1 -j ACCEPT
    iptables -A FORWARD -o eth1 -j REJECT

  Anyone knows a way to stop Client2 from passing the router? (Both 
Client1 and Client2 are running Windows.)
  I have thought of several solutions, but each one of them has drawbacks.
   1. VPN access for clients: by allowing only 1 connection from an IP the 
problem is solved. The trouble is that the network is big (400-800 
users) and for local traffic the routers' CPUs will be greatly overcome 
(about 100 clients / router).
   2. Somehow tinkering with the IP options from clients and marking 
them in a certain way then from iptables detecting the special marking ( 
like using unused fields from the ethernet packet or something like 
this). I don't know if it is possible from linux, and if it is possible 
from windows for all the packets it sends. If it is possible, then even 
if Client2 will try to replicate the change, if I change the value each 
5 minutes let's say and change also the rules each 5 minutes on the 
router, I can make it impossible for him to pass the router for more 
than 5 minutes before having to look again for the value.
   3. Managed switches with MAC set on their ports. This idea is very 
expensive.
   4. Something done to the switch or a certain brand of switches that 
doesn't allow this to happen.

  I gladly welcome any advice possible. (I would prefer a solution 
based on iptables and IP options (maybe TTL changes, if it can be done 
for the entire Windows system).)


Vlad Adomnicai
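The IP-to-MAC allowlist described in the message, written as an added example (not code from the original post): it emits the FORWARD rule set from an allowlist instead of applying it, so bad entries are caught before the router is touched. The client pairs, the chain name CLIENTS_OUT and the outbound interface are constructed assumptions. As the poster notes, a host that clones both the IP and the MAC of an allowed client still matches these rules; they only bind an IP to a MAC.

```shell
#!/bin/sh
# Emit iptables FORWARD rules that bind each client IP to its MAC.
# CLIENTS is a constructed allowlist ("IP MAC" per line); the third
# entry is deliberately malformed to show that it gets skipped.
CLIENTS='192.0.2.10 00:11:22:33:44:55
192.0.2.11 00:11:22:33:44:66
192.0.2.12 bad-mac'

# Accept one IPv4 address and one colon-separated MAC; non-zero on bad input.
valid_pair() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    echo "$2" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || return 1
    return 0
}

# Print the rule set for the given outbound interface (here eth1, as in
# the message) rather than running it, so it can be reviewed first or
# piped to sh on the router. Traffic is only accepted when both the
# source IP and the source MAC match one allowlist entry; everything
# else leaving through the interface is rejected.
gen_rules() {
    iface=$1
    printf 'iptables -N CLIENTS_OUT 2>/dev/null || iptables -F CLIENTS_OUT\n'
    printf '%s\n' "$CLIENTS" | while read -r ip mac; do
        [ -z "$ip" ] && continue
        if ! valid_pair "$ip" "$mac"; then
            echo "skipping bad allowlist entry: $ip $mac" >&2
            continue
        fi
        printf 'iptables -A CLIENTS_OUT -s %s -m mac --mac-source %s -j ACCEPT\n' \
            "$ip" "$mac"
    done
    printf 'iptables -A CLIENTS_OUT -j REJECT\n'
    printf 'iptables -A FORWARD -o %s -j CLIENTS_OUT\n' "$iface"
}
```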


