Networking Forums

Connection Sharing on demand

 
 
Luiz Borges
      04-08-2006, 04:58 PM
Hi,
I have a network in my office with about 20 desktops running XP Pro and
some of them running Win98, they all have internet connection through
ICS on an old PC running Win98.

Now, I need a way to restrict the internet connection without restricting
LAN access, so I'm thinking of using that old PC to run a DHCP server
on Linux/BSD/etc to provide basic LAN connectivity, AND providing some
sort of dial-up-like connection to the internet. So any user who has a
logon to connect to the internet can sit at any of the terminals and
just dial in to get connected.
I think that can be done with some sort of "reversed" VPN (you connect
to get out, and not in), but that seems kind of lame.
How can that be done? Are there any recommended distros (preferably
mini-distros) made for that purpose?

Thanks in advance,
Luiz Borges

 
Moe Trin
      04-09-2006, 08:28 PM
On 8 Apr 2006, in the Usenet newsgroup comp.os.linux.networking, in article
<(E-Mail Removed) .com>, Luiz Borges wrote:

>I have a network in my office with about 20 desktops running XP Pro and
>some of them running Win98, they all have internet connection through
>ICS on an old PC running Win98.


Assume - old PC is dialing in now.

>Now, I need a way to restrict the internet connection without restricting
>LAN access, so I'm thinking of using that old PC to run a DHCP server


Are the other 20 desktops coming and going all the time? Microsoft uses
DHCP to simplify the setup of the desktop at the cost of complexity in
the DHCP server and massive security problems. You _can_ run DHCP if
you want to, but I'd suggest looking at using static addressing.

>on Linux/BSD/etc to provide basic LAN connectivity,


63814 Apr 20 2000 SMB-HOWTO
49404 Jan 6 15:22 Samba-Authenticated-Gateway-HOWTO

>AND providing some sort of dial-up-like connection to internet.


40490 Jun 22 2000 Home-Network-mini-HOWTO
708351 Nov 14 09:34 IP-Masquerade-HOWTO
14614 Aug 22 2001 Linux-Modem-Sharing
17605 Jul 21 2004 Masquerading-Simple-HOWTO
155096 Jan 23 2004 Security-HOWTO
278012 Jul 23 2002 Security-Quickstart-HOWTO

270963 Apr 3 12:14 HOWTO-INDEX
96639 Apr 3 12:14 INDEX

>So any user who has a logon to connect to the internet can sit at any of
>the terminals and just dial in to get connected. I think that can be done
>with some sort of "reversed" VPN (you connect to get out, and not in), but
>that seems kind of lame.


There are many ways this can be done - the simplest method would be to set
the LAN IP of the dialin box as the default gateway on all of the desktops,
and run pppd on the dialin box in the demand mode. The pppd man page
discusses how. Briefly, you have two scripts, one that does the management
of pppd, and the other that dials the telephone. AN EXAMPLE would be

[compton ~]$ cat /usr/local/bin/dialin
#!/bin/bash
exec /usr/sbin/pppd connect "/usr/sbin/chat -f /etc/ppp/dialscript" \
defaultroute lock noipdefault modem /dev/modem 115200 crtscts \
user pele demand idle 300 holdoff 15
[compton ~]$

There must not be anything after the \ in those two lines.

[compton ~]$ cat /etc/ppp/dialscript
ABORT BUSY ABORT 'NO CARRIER' "" AT&F1 OK ATDT2662902 CONNECT \d\c
[compton ~]$

Here, 'pele' is the username at the ISP. There is also a secrets file that
contains the username and password for the ISP, in the form

pele * p42Sw0rD~

For the user, everything is transparent, though slightly delayed in
connecting. When there are packets for the internet, this script will
automagically dial to the ISP. When there has been no traffic on the
link for 300 seconds, the link is brought down.

>How can that be done?


Many ways.

>There are any recommended distros (preferably mini-distros) made for
>that purpose?


http://www.distrowatch.com/

There are over 300 different Linux distributions. There are also several
different distributions of *BSD. That is the problem - so many choices.
But then, there are also so many different brands of beer and cars and...

http://tldp.org/guides.html
2. Linux Consultants Guide
http://tldp.org/LDP/lcg/html/index.html

That guide lists 67 different consultants who can help in Brazil, including
9 in Sao Paulo.

Old guy
 
Luiz Borges
      04-09-2006, 10:36 PM
> Assume - old PC is dialing in now.

Not dialing, it's broadband and is always connected.


> Are the other 20 desktops coming and going all the time? Microsoft uses
> DHCP to simplify the setup of the desktop at the cost of complexity in
> the DHCP server and massive security problems. You _can_ run DHCP if
> you want to, but I'd suggest looking at using static addressing.


Right now it uses static addressing; I'm planning on changing to DHCP to
simplify future changes in the network, and throw away all those IP
listings.


> There are many ways this can be done - the simplest method would be to set
> the LAN IP of the dialin box as the default gateway on all of the desktops,
> and run pppd on the dialin box in the demand mode. The pppd man page
> discusses how. Briefly, you have two scripts, one that does the management
> of pppd, and the other that dials the telephone. AN EXAMPLE would be


When I said dial-up-like, I meant the user has to click a connection to
input user and pass to get connected to the internet, and not really dial
to the ISP.


> There are over 300 different Linux distributions. There are also several
> different distributions of *BSD. That is the problem - so many choices.
> But then, there are also so many different brands of beer and cars and...


I know about that, that's why I'm taking suggestions...


Luiz Borges

 
Moe Trin
      04-10-2006, 01:47 AM
On 9 Apr 2006, in the Usenet newsgroup comp.os.linux.networking, in article
<(E-Mail Removed) .com>, Luiz Borges wrote:

>> Assume - old PC is dialing in now.

>
>Not dialing, its broadband and is always connected.


OK, then you are losing me. Are you wanting something such that the
user has to authenticate for each time they want an Internet service,
and then have the connection drop after they are finished, or a set
amount of time? That can be done as a firewall application with lots
of wrappers, but I'm not sure what benefit it gives. You can also block
all Internet access, and run an application server - where your users
can log in and run selected Internet applications, perhaps with firewall
restrictions of where they can connect.

>Right now it uses static addressing; I'm planning on changing to DHCP to
>simplify future changes in the network, and throw away all those IP
>listings.


That seriously complicates security. DHCP was _never_ even semi-secure.
Remember that for IP, there is no authentication in the protocol, and
what little security you have is on IP and MAC addresses. Any extra
security has to be built into the application layer.

>When I said dial-up-like, I meant the user has to click a connection to
>input user and pass to get connected to the internet, and not really dial
>to the ISP.


It can be done. For one example, you'd have the user connect to a server
program on the gateway that accepts username/password, and that program
then allows connections through the firewall for that IP or MAC address for
some set amount of time, or activity. The problem is that it is trivial to
spoof IP and MAC addresses. Better would be simply blocking all Internet
access from the desktop (easy firewall setup), and having the users SSH into
the server and run Internet applications from there (only this computer is
given access to the Internet). From a network point that is easy, and setting
up an application server shouldn't be that hard. But when the user is allowed
Internet access, what limitations apply? Protocol? Destination port number?
If you need more than that, perhaps a proxy server would be a better solution.
Another problem is file transfer - whether mail, FTP or downloaded web pages.
What access do you give - and how to safely restrict it.

The "advantage" of the first (controlled gateway) or second (proxy)
approach is that your users are still using their own computers that they
are familiar with. If these are windoze, you still have the virus problem
and so on. The advantage of the third (application server) approach is that
it is one box that can be hardened very much. A problem occurs if the box
is running Linux or BSD - while a lot of things _look_ similar to windoze,
these are different, and so there will be a training issue.

>> But then, there are also so many different brands of beer and cars and...


>I know about that, that's why I'm taking suggestions...


The distributions are exactly like cars or beers. They really are (at least)
very similar, and the differences - the "which one is better" - is all
personal opinion. The application you need (even assuming a proxy server
will do) doesn't exist "out of the box". At the very least, you'd have to
configure it. All distributions _can_ do what you want. The question then
becomes which one is more suitable for you. I don't speak Portuguese, but
Conectiva (which is a Brazilian distribution) has an excellent reputation.
There was a 'Console' Linux from Brazil as well. The advantage - the
documentation is in your native language. On the other hand, a very small
text only distribution might be more suitable as a firewall type device.

For what it is worth, I'm a network admin at a local division of a large
company. Our users have "full" access at all times, except that we block
access to many networks that are not "job related" - and there is written
policy that describes how the network can be used. If the employees
violate that policy, there are disciplinary results. Your original post
mentioned blocking inbound connections - that's trivial to do with the
firewall, but it is also in that policy.

Old guy
 
Luiz Borges
      04-10-2006, 02:54 AM
The problem is that this network is in a government office; all the PCs
available to the users are meant to be used to write trivial reports
(as our employees work mainly outside), and all the sensitive data are
outside this LAN, so security and IP spoofing inside the network aren't
much of a concern.
About the internet restriction: not all the employees are allowed to
connect to the internet, but all of them are allowed to use the terminals,
and for those with permission to use the internet there is no restriction on
ports or protocols.
We tried to enable internet access for all the users, but even with
policies and so on, we had many problems, and as the terminals are not
restricted to one user or another it is almost impossible to know which user
was responsible...

Luiz Borges

 
Captain Dondo
      04-10-2006, 03:45 AM
On Sun, 09 Apr 2006 19:54:27 -0700, Luiz Borges wrote:

> The problem is that this network is in a government office; all the PCs
> available to the users are meant to be used to write trivial reports
> (as our employees work mainly outside), and all the sensitive data are
> outside this LAN, so security and IP spoofing inside the network aren't
> much of a concern.
> About the internet restriction: not all the employees are allowed to
> connect to the internet, but all of them are allowed to use the terminals,
> and for those with permission to use the internet there is no restriction on
> ports or protocols.
> We tried to enable internet access for all the users, but even with
> policies and so on, we had many problems, and as the terminals are not
> restricted to one user or another it is almost impossible to know which user
> was responsible...
>


I think you're looking for something like an authenticating proxy
server.... Google for proxy servers and see what you come up with. I don't
use them myself, so I can't make any comments...

--Yan

--
Yan Seiner, PE
Certified Personal Trainer
Licensed Professional Engineer
Who says engineers have to be pencil necked geeks?

 
Moe Trin
      04-10-2006, 07:56 PM
On 9 Apr 2006, in the Usenet newsgroup comp.os.linux.networking, in article
<(E-Mail Removed) .com>, Luiz Borges wrote:

>About the internet restriction: not all the employees are allowed to
>connect to the internet, but all of them are allowed to use the terminals,
>and for those with permission to use the internet there is no restriction on
>ports or protocols.


Given that scenario, I'd go with an application server - where the user
must SSH into the server and run the Internet applications there. A
proxy server could also work, but there is more to the Internet than
the web - which was why I mentioned the ports/protocols problem.

>We tried to enable internet access for all the users, but even with
>policies and so on, we had many problems, and as the terminals are not
>restricted to one user or another it is almost impossible to know which user
>was responsible...


This also sounds as if the users have elevated privileges on the
terminals - in windoze language, "running as administrator". That makes
things very difficult to control.

Old guy
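Added example (not from the thread, and not Moe Trin's code): a toy version of the "controlled gateway" he describes in the 04-10-2006, 01:47 AM post, built on the default-deny baseline of the application-server suggestion he repeats in the post above (only one box is allowed out unconditionally). A user logs in to a small service on the gateway; on success the gateway would insert an iptables rule letting that client's address forward to the Internet for a fixed time, and it keeps an audit record so that a firewall log line (address plus timestamp) can be mapped back to the login that held the address, which is the "which user was responsible" problem from Luiz's post. The iptables commands are only collected as strings rather than executed, the addresses, interface names, the "pele" account and the grant lifetime are constructed assumptions, and the grant is deliberately keyed on the client IP so that the weakness Moe Trin points out (whoever takes over that address inherits the access) is visible in is_allowed().

```python
"""
Added example, not code from the thread: a minimal in-memory 'controlled
gateway'.  Nothing here touches a real firewall; the iptables commands that
a real deployment would run are collected in Gateway.commands for
inspection.  All addresses, interface names and credentials are assumed.
"""
import hashlib
import hmac
import os
import time

LAN_IF = "eth0"             # assumed LAN-side interface of the gateway
WAN_IF = "eth1"             # assumed broadband-side interface
APP_SERVER = "192.168.1.2"  # assumed address of the one box always allowed out
GRANT_SECONDS = 1800        # assumed lifetime of a successful login


def base_rules():
    """Default-deny forwarding (the 'block all Internet access from the
    desktops' setup): replies, APP_SERVER and granted hosts get out, NATed."""
    return [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -i {LAN_IF} -o {WAN_IF} -s {APP_SERVER} -j ACCEPT",
        f"iptables -t nat -A POSTROUTING -o {WAN_IF} -j MASQUERADE",
    ]


def hash_password(password, salt=None):
    """PBKDF2-SHA256; returns (salt, key) so the service stores no cleartext."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user database: one account, password kept only as a hash.
USERS = {"pele": hash_password("p42Sw0rD~")}


class Gateway:
    def __init__(self, users, grant_seconds=GRANT_SECONDS, clock=time.time):
        self.users = users
        self.grant_seconds = grant_seconds
        self.clock = clock                  # injectable so expiry is testable
        self.grants = {}                    # client IP -> (username, expiry)
        self.audit = []                     # [ip, username, start, end]
        self.commands = list(base_rules())  # iptables commands that would run

    def login(self, username, password, client_ip):
        """Verify the credential; on success open FORWARD for client_ip."""
        record = self.users.get(username)
        if record is None:
            return False
        salt, expected = record
        _, got = hash_password(password, salt)
        if not hmac.compare_digest(got, expected):
            return False
        now = self.clock()
        for entry in self.audit:            # close any open lease on this IP
            if entry[0] == client_ip and entry[3] is None:
                entry[3] = now
        if client_ip not in self.grants:    # rule already present otherwise
            self.commands.append(
                f"iptables -I FORWARD -i {LAN_IF} -o {WAN_IF} -s {client_ip} -j ACCEPT")
        self.grants[client_ip] = (username, now + self.grant_seconds)
        self.audit.append([client_ip, username, now, None])
        return True

    def expire(self):
        """Drop grants whose lifetime has passed and close their audit entry."""
        now = self.clock()
        for ip, (user, end) in list(self.grants.items()):
            if end <= now:
                del self.grants[ip]
                for entry in self.audit:
                    if entry[0] == ip and entry[1] == user and entry[3] is None:
                        entry[3] = end
                self.commands.append(
                    f"iptables -D FORWARD -i {LAN_IF} -o {WAN_IF} -s {ip} -j ACCEPT")

    def is_allowed(self, client_ip):
        """What the packet filter sees: an address, not a person.  Any host
        that takes over a granted address passes this check too."""
        self.expire()
        return client_ip == APP_SERVER or client_ip in self.grants

    def who_had(self, client_ip, at):
        """Map a firewall log line (address + time) back to the login that
        held the address then; only as trustworthy as the address itself."""
        for ip, user, start, end in self.audit:
            if ip == client_ip and start <= at and (end is None or at < end):
                return user
        return None


if __name__ == "__main__":
    g = Gateway(USERS, grant_seconds=300)
    print(g.login("pele", "p42Sw0rD~", "192.168.1.50"))  # True
    print(g.is_allowed("192.168.1.50"))                    # True
    print(g.is_allowed("192.168.1.51"))                    # False
    print("\n".join(g.commands))
```

In a real deployment the login exchange would have to run over something encrypted (SSH or TLS) so the password does not cross the LAN in the clear, and expire() would be driven by a timer rather than piggybacked on is_allowed(). The audit list answers "who had 192.168.1.50 at 14:05", but exactly as Moe Trin says, a grant keyed on an address is inherited by anyone who takes that address, so the answer is only as good as the LAN's honesty.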
 