I tried nmap -S(<IP_Address>: Spoof source address) feature. I set up two computers in two different networks(192.168.1.0/30 and 192.168.2.0/30). Both computers see each other. If I do..
Code:
[root@ /]# nmap -S 192.168.2.2 -e fxp0 -PN -T4 -F 192.168.1.2 2>/dev/null
Starting Nmap 5.00 ( http://nmap.org ) at 2010-11-08 12:25 EET
Warning: Giving up on port early because retransmission cap hit.
Interesting ports on 192.168.1.2:
Not shown: 97 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
111/tcp open rpcbind
Nmap done: 1 IP address (1 host up) scanned in 51.91 seconds
[root@ /]#
..where 192.168.2.2 is the legitime source IP address of the network interface, I can see packages in 192.168.1.2 computer from 192.168.2.2 using tcpdump. However, if I do
nmap -S 8.8.8.8 -e fxp0 -PN -T4 -F 192.168.1.2 2>/dev/null, results are following:
Code:
[root@ /]# nmap -S 8.8.8.8 -e fxp0 -PN -T4 -F 192.168.1.2 2>/dev/null
Starting Nmap 5.00 ( http://nmap.org ) at 2010-11-08 12:33 EET
All 100 scanned ports on 192.168.1.2 are filtered
Nmap done: 1 IP address (1 host up) scanned in 25.81 seconds
[root@ /]#
..which is totally fine as packages can't return to 192.168.1.2, but strange is that I can't see no packages from 8.8.8.8 IP if I check traffic in 192.168.1.2 using tcpdump. Any ideas, what might cause the situation, where packages withc fake scr IP can't reach the destination?