[MLB-WIRELESS] simple authorization???
Toliman
toliman at ihug.com.au
Sun Jun 20 23:54:29 EST 2004
At 09:46 PM 20/06/2004, you wrote:
>Hi People,
>
>I have a simple firewall on my linux <> internet system, actually the one
>from Silicon Chip of several years ago. It works well and allows me to
>masq my network to share the internet connection. However, I now want to
>have internet authorization, i.e., when someone tries to link to the
>internet, a User/Password banner pops up and asks them for their
>particulars. Naturally, if I have set up an account for them, they will
>be able to get out onto the net.
>
>So, is there a simple way of adding a few entries to my firewall.rc script
>or is it more complicated?
it's more complicated. there is no easy way to restrict internet access in
a simple script, it requires something a little more advanced.

one of the best mechanisms to use is via http.
since the great majority of people use web browsers as their main conduit
to the internet, it makes a great authentication method if you have to use
one. e.g., if you share internet access with a lot of users on a local
network, you can set up a transparent proxy (via ipchains/iptables) to
allow access to the internet that requires secure authorisation. any other
internet protocol requests, including DNS, will likely succeed or fail
depending on how you isolate the intranet/LAN from the internet.

in this scenario, if anyone requests an internet address via http, the
outgoing request will be intercepted and directed to squid, a proxy
program. Squid then determines if the user is authorised by displaying a
login screen, and allows a temporary session as long as the browser is
open. if a user tries to make a further request, they will keep getting
their web site redirected until they log in.

if you want to secure traffic and access totally, you can use an ACL
(Access-Control List) in squid to authorise http to secure users. there are
lots of options on how to configure this, from a simple username/password
text file, to an external DB for more professional sites.

Optionally, once authorised for network access, squid can then trigger a
CGI script to open NAT to that host while it is still logged in, giving the
user full internet access on a temporary basis. The same method can also be
used in places you want to restrict access to the internet, for say gaming
cafes or universities, and perform accounting and traffic monitoring via
squid. i'm not sure if there is a universal iptables script for
blacklisting / whitelisting hosts, you might have to request one or build
one from scratch that updates the firewall scripts every 15-20 minutes.

i only had a quick look at the field of squid authentication, e.g.
SquidGuard and DansGuardian are aimed squarely at Schools/Organisations who
need to filter profane/adult content, they also allow authentication and
control mechanisms, and the install guides will familiarise you with the
process of setting access restrictions in squid. some of the peripheral
sites also include information on integrating SG/DG into IPCop or
Smoothwall, which will make a lot of the initial configuration of the
services more digestible than simply hitting a generic HOWTO. you do not
need to use either of these programs, but if you later decide to use them,
they will explain and introduce concepts on how to do this.

a quick hit reveals
<http://ccfaq.valar.co.uk/modules.php?name=News&file=print&sid=89> a good
guide to the process of setting simple sharing via authentication. you may
also want to set up services for time updates (NTP), DNS caching (bind),
http caching (squid) and network (snort/squid) logging to make things
spiffy. installing webmin is also a good idea for casual administration and
remote administration.
Toliman.
>Thanks for your assistance.
>
>Mark
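As an added example (not from Toliman's post or from any named project), here is the kind of "build one from scratch" script the reply mentions: a POSIX shell script that rebuilds an iptables chain so only LAN hosts listed in an allowlist file are forwarded to the WAN, validating each entry so a bad line cannot become a stray rule. Assumed names: the allowlist /etc/fw/allowed.txt (to which the Squid login step or an admin appends a client's IP), interfaces eth1 (LAN) and eth0 (WAN), and the chain AUTHED_FWD.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild an iptables chain so
# that only LAN hosts listed in an allowlist file are forwarded to the WAN.
# Squid's login step (or an admin) is assumed to append a client IP to the
# file; run this from cron every 15 minutes to apply the current list.
# Assumed names: allowlist /etc/fw/allowed.txt, LAN eth1, WAN eth0.

ALLOWLIST="${ALLOWLIST:-/etc/fw/allowed.txt}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
CHAIN="AUTHED_FWD"

# valid_ipv4 ADDR: succeed only for a dotted-quad IPv4 address, so a
# malformed or tampered allowlist line cannot turn into iptables arguments.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        if [ "$octet" -gt 255 ]; then IFS=$old_ifs; return 1; fi
    done
    IFS=$old_ifs
    return 0
}

# gen_rules FILE: print the iptables commands that rebuild the chain from
# FILE (one IP per line, '#' comments allowed). Printing instead of running
# keeps the script reviewable and testable; pipe the output to sh to apply.
gen_rules() {
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    grep -v '^[[:space:]]*#' "$1" | while read -r host _; do
        [ -n "$host" ] || continue
        if valid_ipv4 "$host"; then
            echo "iptables -A $CHAIN -i $LAN_IF -o $WAN_IF -s $host -j ACCEPT"
        else
            echo "skipping invalid allowlist entry: $host" >&2
        fi
    done
    # every other LAN host is dropped: no login, no NAT
    echo "iptables -A $CHAIN -i $LAN_IF -o $WAN_IF -j DROP"
    # make FORWARD consult the chain exactly once (remove any old jump first)
    echo "iptables -D FORWARD -j $CHAIN 2>/dev/null; iptables -I FORWARD 1 -j $CHAIN"
}

# usage from cron: sh nat-allowlist.sh apply
if [ "${1:-}" = "apply" ]; then
    gen_rules "$ALLOWLIST" | sh
fi
```

The allowlist keys on source IP, so it is only as trustworthy as the LAN's address assignment; pair it with session expiry so an entry does not outlive the login that created it.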