* ebtables fix changing source MAC
@ 2015-04-04 7:26 otik
2015-04-04 13:38 ` Noel Kuntze
0 siblings, 1 reply; 3+ messages in thread
From: otik @ 2015-04-04 7:26 UTC (permalink / raw)
To: netfilter
Hi all,
I need to connect Linux to an Ethernet device. Everything would work, except
that after the SYN packet the device starts to send packets with a
changing/random/malicious MAC. It seems Linux drops such packets (MAC and
IP do not match records). This is expected to reduce
inject/man-on-the-side attacks.
The device's computer is too expensive to replace. Also, the original box can
communicate with it with no problem, which makes a change pointless. The original
solution runs on Windows, which seems to be more permissive on this
issue. I can confirm this: I ran simple software to resend the stream on Windows
and all communication was OK. However, I cannot use this solution in
production.
Things are even more complicated, as my Linux box is located a 12-hour
flight and another 4 hours' drive away, with no internet access. I have one last shot to
try it, so I'm waiting for even your brainstorm ideas.
My basic idea was to have an ebtables SNAT rule, but I need it to run
before the routing decision to work. As I understand it, SNAT works in
POSTROUTING, which is too late. I'm running a bridge on my box to remove the need for an
external switch.
Oto
* Re: ebtables fix changing source MAC
2015-04-04 7:26 ebtables fix changing source MAC otik
@ 2015-04-04 13:38 ` Noel Kuntze
2015-04-05 16:47 ` otik
0 siblings, 1 reply; 3+ messages in thread
From: Noel Kuntze @ 2015-04-04 13:38 UTC (permalink / raw)
To: otik@e-posta.sk, netfilter
Hello Oto,
You can use arptables to do that. ebtables can't do that.
arptables -A INPUT -s StupidEthernetDeviceIP --destination-mac MyOwnMacAddress -j mangle --mangle-mac-s TheMACAddressIwant
You can of course replace the -s StupidEthernetDeviceIP with another filter. However, as you are using a bridge device and probably
a lot of other devices communicate over the virtual bridge, you should construct a filter for a rule
that guarantees (either by logical constraint or physical constraint [e.g. the only device connected to eth0 is the stupid Ethernet device, assuming eth0 is slaved to br0])
that only traffic from that host is mangled. Otherwise, you will not be able to establish a connection to any other host.
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 04.04.2015 at 09:26, otik@e-posta.sk wrote:
> Hi all,
>
> I need to connect Linux to an Ethernet device. Everything would work, except that after the SYN packet the device starts to send packets with a changing/random/malicious MAC. It seems Linux drops such packets (MAC and IP do not match records). This is expected to reduce inject/man-on-the-side attacks.
>
> The device's computer is too expensive to replace. Also, the original box can communicate with it with no problem, which makes a change pointless. The original solution runs on Windows, which seems to be more permissive on this issue. I can confirm this: I ran simple software to resend the stream on Windows and all communication was OK. However, I cannot use this solution in production.
>
> Things are even more complicated, as my Linux box is located a 12-hour flight and another 4 hours' drive away, with no internet access. I have one last shot to try it, so I'm waiting for even your brainstorm ideas.
>
> My basic idea was to have an ebtables SNAT rule, but I need it to run before the routing decision to work. As I understand it, SNAT works in POSTROUTING, which is too late. I'm running a bridge on my box to remove the need for an external switch.
>
> Oto
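Before spending the single on-site attempt on an arptables or ebtables rule, it is worth confirming on the wire what Oto describes: frames from one source IP arriving with several different source MACs, starting after the SYN. The script below is an added example, not code from the thread or from either poster. It parses the text output of `tcpdump -e -n` (the -e flag prints the Ethernet header) and reports every source IP seen with more than one source MAC, together with the MAC that carried its SYN. The same check flags ARP spoofing and man-on-the-side injection, which is exactly why a stricter stack treats such traffic as suspicious. The sample capture lines, the IP and MAC addresses in them, and the script name `mac_flap.py` are all constructed placeholders.

```python
"""Report source IPs whose frames arrive with more than one source MAC.

Reads 'tcpdump -e -n' text output (stdin) and groups source MACs by source
IP. Added example for the netfilter thread; the embedded SAMPLE lines are
constructed, not a real capture.
"""
import re
import sys

# A 'tcpdump -e -n' line for an IPv4/TCP frame looks like:
#   <ts> <src_mac> > <dst_mac>, ethertype IPv4 (0x0800), length N: \
#   <src_ip>.<sport> > <dst_ip>.<dport>: Flags [S], seq ..., win ..., length 0
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    rf"^(?P<ts>\S+)\s+(?P<src_mac>{MAC})\s+>\s+(?P<dst_mac>{MAC}),\s+"
    rf"ethertype IPv4 \(0x0800\),\s+length \d+:\s+"
    rf"(?P<src_ip>{IP4})\.(?P<src_port>\d+)\s+>\s+(?P<dst_ip>{IP4})\.(?P<dst_port>\d+):"
    rf"\s+Flags \[(?P<flags>[^\]]*)\]",
    re.IGNORECASE,
)

# Constructed sample: 192.168.1.20 sends its SYN from one MAC and then every
# later frame of the same flow from a different MAC; 192.168.1.30 is a
# well-behaved host; 192.168.1.10 is the Linux box answering.
SAMPLE = """\
10:00:00.000100 02:00:00:00:00:01 > 52:54:00:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.1.20.40000 > 192.168.1.10.5000: Flags [S], seq 1000, win 64240, length 0
10:00:00.000200 52:54:00:aa:bb:cc > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 192.168.1.10.5000 > 192.168.1.20.40000: Flags [S.], seq 2000, ack 1001, win 65160, length 0
10:00:00.000300 02:00:00:00:00:02 > 52:54:00:aa:bb:cc, ethertype IPv4 (0x0800), length 66: 192.168.1.20.40000 > 192.168.1.10.5000: Flags [.], ack 2001, win 64240, length 0
10:00:00.000400 02:00:00:00:00:03 > 52:54:00:aa:bb:cc, ethertype IPv4 (0x0800), length 166: 192.168.1.20.40000 > 192.168.1.10.5000: Flags [P.], seq 1001:1101, ack 2001, win 64240, length 100
10:00:01.000000 02:00:00:00:00:30 > 52:54:00:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 192.168.1.30.40001 > 192.168.1.10.22: Flags [S], seq 5, win 64240, length 0
10:00:01.000100 02:00:00:00:00:30 > 52:54:00:aa:bb:cc, ethertype IPv4 (0x0800), length 66: 192.168.1.30.40001 > 192.168.1.10.22: Flags [.], ack 1, win 64240, length 0
""".splitlines()


def parse_line(line):
    """Return the Ethernet/IP/TCP fields of one tcpdump line, or None for
    lines that are not IPv4/TCP frames (ARP, continuation lines, noise)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["src_mac"] = fields["src_mac"].lower()
    fields["dst_mac"] = fields["dst_mac"].lower()
    return fields


def summarize(lines):
    """Map each source IP to the distinct source MACs it used (first-seen
    order), the MAC that carried its pure SYN (None if no SYN was seen) and
    the number of frames parsed for it."""
    report = {}
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        entry = report.setdefault(f["src_ip"], {"syn_mac": None, "macs": [], "frames": 0})
        entry["frames"] += 1
        if f["src_mac"] not in entry["macs"]:
            entry["macs"].append(f["src_mac"])
        # 'S' alone is the client's SYN; 'S.' is the SYN-ACK from the server side.
        if f["flags"] == "S" and entry["syn_mac"] is None:
            entry["syn_mac"] = f["src_mac"]
    return report


def flapping_hosts(lines):
    """Source IPs seen with more than one source MAC. This is the 'changing
    MAC' behaviour from the thread and also what ARP spoofing or a
    man-on-the-side injector looks like on the wire."""
    return {ip: e["macs"] for ip, e in summarize(lines).items() if len(e["macs"]) > 1}


if __name__ == "__main__":
    # Pipe a live capture in, or run with no stdin to see the constructed sample.
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    summary = summarize(lines)
    for ip, macs in flapping_hosts(lines).items():
        print(f"{ip}: {len(macs)} source MACs (SYN from {summary[ip]['syn_mac']}): {', '.join(macs)}")
```

On the Linux box the capture would be taken on the bridge port facing the device, for example `tcpdump -e -n -l -i eth0 host <device-ip> | python3 mac_flap.py` (interface, host and file name assumed). If the device's IP shows up with a stable SYN MAC followed by other MACs, that is the behaviour to target; a single MAC per IP means the drops have another cause and no MAC rewriting rule will help.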
* Re: ebtables fix changing source MAC
2015-04-04 13:38 ` Noel Kuntze
@ 2015-04-05 16:47 ` otik
0 siblings, 0 replies; 3+ messages in thread
From: otik @ 2015-04-05 16:47 UTC (permalink / raw)
To: Noel Kuntze, netfilter
On 2015-04-04 15:38, Noel Kuntze wrote:
> Hello Oto,
>
> You can use arptables to do that. ebtables can't do that.
>
> arptables -A INPUT -s StupidEthernetDeviceIP --destination-mac MyOwnMacAddress -j mangle --mangle-mac-s TheMACAddressIwant
>
> You can of course replace the -s StupidEthernetDeviceIP with another filter. However, as you are using a bridge device and probably
> a lot of other devices communicate over the virtual bridge, you should construct a filter for a rule
> that guarantees (either by logical constraint or physical constraint [e.g. the only device connected to eth0 is the stupid Ethernet device, assuming eth0 is slaved to br0])
> that only traffic from that host is mangled. Otherwise, you will not be able to establish a connection to any other host.
Thanks for the proposed solution; it seems good at first look. I'll
test it at the end of the month and let you know.
I had never heard of arptables before, but everything has its first time :)
As I wrote, I have just one shot, so if anybody has another solution, please
let me know.
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze