How can I prevent it with iptables and how can I see if my computers are doing this ?

ARP or Address Resolution Protocol, is used to translate IP addresses to MAC addresses on a local network.
I'm not sure iptables (= packet filtering based on TCP/IP packet headers mostly) can do that trick, since that
seems to work at a higher level in the TCP/IP stack.

But then again, I maybe wrong. My experience with TCP/IP network stacks is already getting old...

You would actually want to use arptables.

https://www.linux-magazine.com/issue...irewalling.pdf (page 28)
http://linuxcommand.org/man_pages/arptables8.html
http://ebtables.sourceforge.net/

AFAIK you can't completely defend against arp spoofing
It is inherent to the unauthentication on Layer2 of OSI systems.
You need an encrypted layer 2 mechanism (I don't know such) or tunnel everything in encrypted IP datagrams. IPSec for DNS, HTTP,...
As a tool for monitoring MAC changes and detect some possible arp spoofing, have a look at arpwatch.
Arptables can also help you.
For sensitive server, disable arp on interfaces (ifconfig eth0 -arp) and use static arp tables.

To stop ARP poisoning use network switches with MAC (to port) binding features.

EDIT: and I believe the word "spoofing" is being used incorrectly here. The MAC address IS being "spoofed"/impersonated, but ARP (the cache) is being "poisoned".

Sorry for being a stickler but I got to get this stuff straight for my Security+ test.

Do you have a "local" network that you are worried about? Being layer 2 and all, MAC addresses can't be futzed with by say hackers from The Internet unless a node on your LAN has been comprimised. If you have a small enough network, you could just turn ARP off on all the nodes and set up static ARP tables. Not a fun task on even a tiny network.

Either way, lots of good information here already, definitly read the links int0x80 posted and if you have an immediate concern, maybe give some details on what is happening to make you suspect. If you are just concerned then read up so you can decide whether this is a real threat to your network, or just something you read about and now have fear of the unknown. I would say it's a pretty low risk on a wired LAN, the exception being the more freedom the users there have (Live CDs, can install software, physical access to network devices) and a little higher risk on a wireless network.

Oh yea, I belive Crito is correct, the accurate terms would be "MAC spoofing" and "ARP table poisoning"

On wireless LANs you can futz with the MAC addresses (nice term Darin ). If you do have a wireless network, this is something to consider. But as Darin recommended, on a small, wired network you could potentially use static ARP tables.

Well, you can easily mess with the MAC address on a wired LAN also. MAC spoofing is just one of the key tools used to "hack" a wireless network and you don't need physical access to get on a wireless network, you just have to be in range of the WAP.

If you really want to figure out how it's done, there's no replacement for actually doing it yourself. Download the Linux program "Hunt" and give it a try.

Just noticed the Hunt homepage is down (was going to link to it)... guess someone got upset about it. anyway, I found Fedora Core 4 RPMs somewhere (don;'t remember ATM) and just found this page that might help track it down: http://linux.maruhn.com/sec/hunt.html

USE ON YOUR OWN COMPUTERS ON YOUR OWN LAN AND AT YOUR OWN RISK (OR DON'T USE IT AT ALL.)

Changing its mac address is standard in linux
A swiss knife tool for ARP.
http://64.233.179.104/search?q=cache...sk.org/+arp-sk