Faking $_SERVER['REMOTE_ADDR'] in intranet?

I’ve looked around for an answer to this question, but the answers are always situational – so here’s mine:

If a hacker is on a limited, local network, can they fake the IP in $_SERVER['REMOTE_ADDR']? (and out of curiosity – how?)

I understand that when it comes to the internet, any variable such as this can be wrangled into whatever you want. But in a local, wired network that may not even be connected to the internet at all, can they fake this address? I’m assuming that Mr.MissionImpossible is crawling along the ceiling with a notebook and Ethernet cable into one of the switches. The response in this scenario won’t matter – but running the PHP script should only be limited from certain location(s).

I don’t know for definite if this can be faked in general; I would guess it probably can if you know what you’re doing. But an intranet is a TCP/IP network with, in the case of a website, an HTTP layer over the top. The environment is essentially the same.

So if it can be done on the public internet, it can be done on your internal network too.
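As an added example (not code from the original thread), here is the kind of REMOTE_ADDR allow-list the question describes, written for a PHP script that should only run from certain intranet subnets; the subnets and the no-reverse-proxy setup are constructed assumptions.

```php
<?php
// Added example: limit a script to clients whose REMOTE_ADDR is inside an
// allow-list of IPv4 subnets (CIDR). Assumes 64-bit PHP 7.1+ and that the web
// server receives connections directly; behind a reverse proxy REMOTE_ADDR would
// be the proxy's address, not the client's.
declare(strict_types=1);

/** True when dotted IPv4 $ip lies inside $cidr, e.g. "10.20.0.0/16". */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$network, $bits] = explode('/', $cidr, 2) + [1 => '32'];
    $bits = (int) $bits;
    $ipLong = ip2long($ip);
    $netLong = ip2long($network);
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false; // malformed input is never "allowed"
    }
    // Mask with $bits leading ones; /0 matches every address.
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function client_is_allowed(string $remoteAddr, array $allowedCidrs): bool
{
    foreach ($allowedCidrs as $cidr) {
        if (ip_in_cidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;
}

// Constructed allow-list: two wired office subnets.
$allowed = ['10.20.0.0/16', '192.168.5.0/24'];

// REMOTE_ADDR is the peer address of the TCP connection as the server saw it.
// Unlike a header such as X-Forwarded-For it is not something the client sets in
// the request, but it is still a network-layer value, so use this check as a
// coarse filter in front of real authentication rather than as the only gate.
$client = $_SERVER['REMOTE_ADDR'] ?? '';
if (!client_is_allowed($client, $allowed)) {
    http_response_code(403);
    exit('Forbidden');
}
```

The check refuses malformed addresses and prefix lengths outside 0..32 rather than letting them through by accident.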