From: "Nicolás Velásquez O." <spidyno@yahoo.es>
To: netfilter@lists.netfilter.org
Subject: Re: Authentication in a Firewall Question
Date: Wed, 25 Aug 2004 12:41:35 -0500 [thread overview]
Message-ID: <200408251241.35463.spidyno@yahoo.es> (raw)
In-Reply-To: <1093452646.2391.9.camel@anduril.intranet.cartel-securite.net>
Hello there,
I'm trying to do something similar.
When an enduser tries to go to Internet, the browser is redirected to an
authentication page, then the webserver that contains that page inserts
a rule in the firewall to allow that computer to go to Internet.
It must be something like this, as no programs should be installed on
the enduser's machine.
What I was trying to do (without success) was, set a redirector policy
that applies to the unauthenticated traffic. The thing is that
redirection and dynamic nat are defined on different rules (PREROUTING,
POSTROUTING). This is if I'm working with nat, I haven't thought of a
way to require authentication when just routing.
Some of the things I'm trying:
## redirector
$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -p TCP --destination-port
80 -j REDIRECT --to-port 81 # The web server listens on port 81
## insert rule for each client
$IPTABLES -t nat -I POSTROUTING -o $INTERNET_IFACE -m mac --mac-source
$CLIENT_MAC -j MASQUERADE
Any thoughts are welcome.
El Mié 25 Ago 2004 11:50, Cedric Blancher escribió:
> Le mer 25/08/2004 à 18:46, Hihn, Jason a écrit :
> > I have devised the following acceptable scheme:
> > A firewall that rejects all traffic to everyone, except for one
> > port. This one port is used to authenticate an IP address through a
> > challenge/response algorithm.
> > If successful, the IP is then allowed through the firewall.
>
> Si NuFW at http://www.nufw.org/. Theses guys have achieved quite
> impressive work. You definitly must try this.
--
Atentamente,
Nicolás Velásquez
Bogotá, Colombia
(^) ASCII Ribbon Campaign
X NO HTML/RTF in e-mail
/ \ NO Word docs in e-mail
next prev parent reply other threads:[~2004-08-25 17:41 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <BE7EC6C7A6F0E74AAB1E7E36BF5E9EB72F7D50@colms1.co.corp.verintsys tems.com>
2004-08-25 16:50 ` Authentication in a Firewall Question Cedric Blancher
2004-08-25 17:41 ` Nicolás Velásquez O. [this message]
2004-08-25 17:02 Daniel Chemko
2004-08-25 17:15 ` Eric Leblond
-- strict thread matches above, loose matches on Subject: below --
2004-08-25 18:50 Jason Opperisano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200408251241.35463.spidyno@yahoo.es \
--to=spidyno@yahoo.es \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.