Networking Forums > Computer Networking > Linux Networking > Authenticated Gateway - iptables + cron + php

Authenticated Gateway - iptables + cron + php

gaucho@lollapalooza.com.br, 03-15-2006, 11:33 AM
Hi,

I want to make a Linux gateway that authenticates every connection passing
through it... I have a Windows 2003 domain, so user accounts are
managed by Active Directory. I'm going to make a basic authentication using
IPTABLES + CRONTAB + PHP....

It will work like this: I make a new IPTABLES chain like "FullAccess"
and put any machine with full access there, and make a chain
"AuthUsers"... when a new machine without full access tries to use the
gateway, it checks for the source IP in AuthUsers, and if it is not found,
redirects any connection on any port to a PHP page... even if the access
is not HTTP, users first have to authenticate before any access...
on the PHP page, the user enters login/password and then I run a script,
something like "iptables -I AuthUsers -s 192.168.0.77 -j ACCEPT", where
the IP address can be retrieved by PHP.... In the same transaction, it adds
a crontab entry to remove that authentication after 2 hours, executing
something like "iptables -D AuthUsers -s 192.168.0.77 -j ACCEPT"...

It is very simple, I guess, and if I can do this first, I wish to make
an Active Directory integration, and maybe make some AD groups and add
some specific IPTables rules based on those groups, like FTP Access,
Bank sites Access, Messenger Access, etc...

I have this idea, but don't know the best way to do it securely
and stably...

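The scheme described in the post above, written out as a POSIX sh script, as an added example that is not code from the thread or from any project: the FullAccess and AuthUsers chains, a grant/revoke pair driven by the client address, and a two-hour limit carried in a rule comment that one cron job sweeps, instead of a crontab entry per login. The chain names FullAccess, AuthUsers and AuthNat, the interfaces eth0/eth1, the portal address 192.168.0.1:80 and the install path /usr/local/sbin/gw-auth are assumptions; the address check at the top is the part that matters most, because the PHP page hands this script a value taken from the client request.

```shell
#!/bin/sh
# gw-auth: iptables half of the captive gateway sketched in the post (added
# example; chain names, interfaces and portal address are assumed).
IPTABLES="${IPTABLES:-iptables}"     # set to "echo iptables" for a dry run
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
PORTAL="${PORTAL:-192.168.0.1:80}"   # where the PHP login page listens
LEASE="${LEASE:-7200}"               # seconds of access per login (2 hours)

# Strict dotted-quad check: the PHP page hands us $_SERVER['REMOTE_ADDR'],
# and nothing unvalidated may reach a command line.
valid_ip() {
    ip=$1 n=0
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    while [ -n "$ip" ]; do
        o=${ip%%.*}; n=$((n + 1))
        [ "$o" -le 255 ] || return 1
        case $ip in *.*) ip=${ip#*.} ;; *) ip= ;; esac
    done
    [ "$n" -eq 4 ]
}

# "ip expires" for every lease rule in `iptables -S AuthUsers` output, which
# is passed in as text ($1) so the parser can be exercised offline.
leases() {
    printf '%s\n' "$1" | while read -r line; do
        case $line in "-A AuthUsers -s "*"expires="*) ;; *) continue ;; esac
        ip=${line#-A AuthUsers -s }; ip=${ip%%[/ ]*}
        exp=${line#*expires=};      exp=${exp%%[!0-9]*}
        if [ -n "$exp" ]; then printf '%s %s\n' "$ip" "$exp"; fi
    done
}

# Leases that ran out at or before epoch time $2.
expired() {
    leases "$1" | while read -r ip exp; do
        if [ "$exp" -le "$2" ]; then printf '%s %s\n' "$ip" "$exp"; fi
    done
}

# iptables deletes by exact rule specification, so rebuild what grant added.
drop_rule() {
    $IPTABLES -D AuthUsers -s "$1" -m comment --comment "expires=$2" -j ACCEPT
    $IPTABLES -t nat -D AuthNat -s "$1" -j ACCEPT
}

setup() {
    # filter: LAN packets need an ACCEPT in FullAccess (static machines) or
    # AuthUsers (logged-in users).  Return traffic is accepted only on the WAN
    # side, so revoking a lease also kills the address's open connections.
    $IPTABLES -N FullAccess
    $IPTABLES -N AuthUsers
    $IPTABLES -A FORWARD -i "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_IF" -p udp --dport 53 -j ACCEPT   # DNS before login
    $IPTABLES -A FORWARD -i "$LAN_IF" -j FullAccess
    $IPTABLES -A FORWARD -i "$LAN_IF" -j AuthUsers
    $IPTABLES -A FORWARD -i "$LAN_IF" -j DROP
    $IPTABLES -A INPUT -i "$LAN_IF" -p tcp --dport "${PORTAL##*:}" -j ACCEPT
    # nat: addresses in AuthNat skip the redirect; all other LAN TCP not aimed
    # at the gateway itself is DNATed to the login page.  Only TCP can be
    # redirected, and only a browser renders the page; anything else fails.
    $IPTABLES -t nat -N AuthNat
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IF" -j AuthNat
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IF" ! -d "${PORTAL%:*}" -p tcp \
        -j DNAT --to-destination "$PORTAL"
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

grant() {
    valid_ip "$1" || { echo "gw-auth: refusing address '$1'" >&2; return 1; }
    revoke "$1"                                   # one lease per address
    exp=$(( $(date +%s) + LEASE ))
    $IPTABLES -I AuthUsers -s "$1" -m comment --comment "expires=$exp" -j ACCEPT
    $IPTABLES -t nat -I AuthNat -s "$1" -j ACCEPT
}

revoke() {
    valid_ip "$1" || { echo "gw-auth: refusing address '$1'" >&2; return 1; }
    leases "$($IPTABLES -S AuthUsers)" | while read -r ip exp; do
        if [ "$ip" = "$1" ]; then drop_rule "$ip" "$exp"; fi
    done
}

# Run from cron every minute: one sweep replaces a crontab entry per login.
sweep() {
    expired "$($IPTABLES -S AuthUsers)" "$(date +%s)" | while read -r ip exp; do
        drop_rule "$ip" "$exp"
    done
}

case "${1-}" in
    setup)  setup ;;
    grant)  grant "$2" ;;
    revoke) revoke "$2" ;;
    sweep)  sweep ;;
    '')     ;;   # sourced or run with no command: nothing to do
    *)      echo "usage: gw-auth setup|grant IP|revoke IP|sweep" >&2; exit 1 ;;
esac
```

Run `setup` once at boot (`IPTABLES="echo iptables" ./gw-auth setup` prints the rules instead of applying them), put `* * * * * /usr/local/sbin/gw-auth sweep` in root's crontab, and have the PHP page, after it has checked the credentials, run `sudo -n /usr/local/sbin/gw-auth grant` with `escapeshellarg($_SERVER['REMOTE_ADDR'])` as its only argument, under a sudoers entry that lets the web server user run just that command. Machines that belong in FullAccess are added by hand to both FullAccess and AuthNat. Two things the script does not solve: the lease is tied to an IP address, so anything that can spoof or share that address on the LAN inherits the login (a `-m mac --mac-source` match narrows that but does not close it), and the login page must be served over plain HTTP to be reachable before authentication, so the credentials cross the LAN in the clear unless the portal upgrades to HTTPS before the form is posted.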
X, 03-15-2006, 08:08 PM
The way we accomplished this at my old job was to use iptables for the
NAT / firewall and squid for logging / authentication. Squid is
capable of running LDAP queries (which work on Windows 2003 Active
Directory) to check for various things when a user tries to go out to
the internet. You can also set up squid to be transparent, so that you
do not have to set up the "Proxy Server" on each and every client
browser.

The default squid example that I found when trying to set this up shows
a query that checks only that the user is a valid user in the Windows
2003 domain. The company I worked for has an Active Directory security
group called "Internet". The LDAP query that I ended up writing checks
to make sure you are a valid domain user and you are a member of the
"Internet" group before allowing you access to the internet. I also used
ADSIEdit on one of the Domain Controllers, not to change anything, but
just to view where group memberships were located in the hierarchy.

As far as a page that displays if you fail authentication, I do not
know what options squid has available for that.

HTH,

X
