Do I need to write a module?

Do I need to write a module?

[Tony Thompson]

I am investigating an option to use netfilter to allow/deny traffic from
the local subnet based on rules/accounting information that is in
another (Java based) system.  I am new to netfilter so, I can someone
offer some suggestions:

1. Is netfilter the right place to hook or should I look at a firewall
that may provide some higher level hooks for authentication and
accounting?

2. If I should hook into netfilter, is it a good idea to call into a
JVM from a netfilter module?

3. I am not sure what kind of control I have when using the userspace
driver but, should I use that in this situation?  Can I use that
directly from Java so I wouldn't have the hassel of calling into a JVM
from a native process?

If anyone can offer any other suggestions or examples, that would be
appreciated.

Thanks.
Tony

Re: Do I need to write a module?

[Ray Leach]

[-- Attachment #1: Type: text/plain, Size: 1503 bytes --]

Hi

Why don't you get the Java app to export some kind of text that you can
get netfilter to parse with regular unix utilities (sed, awk, grep).

Create a cron job to parse the file every 10 minutes (if that's regular
enough) that parses the text file and reloads your iptables rules as per
the file.

Ray

On Mon, 2003-06-23 at 20:43, Tony Thompson wrote:
> I am investigating an option to use netfilter to allow/deny traffic from
> the local subnet based on rules/accounting information that is in
> another (Java based) system.  I am new to netfilter so, I can someone
> offer some suggestions:
> 
> 1. Is netfilter the right place to hook or should I look at a firewall
> that may provide some higher level hooks for authentication and
> accounting?
> 
> 2. If I should hook into netfilter, is it a good idea to call into a
> JVM from a netfilter module?
> 
> 3. I am not sure what kind of control I have when using the userspace
> driver but, should I use that in this situation?  Can I use that
> directly from Java so I wouldn't have the hassel of calling into a JVM
> from a native process?
> 
> If anyone can offer any other suggestions or examples, that would be
> appreciated.
> 
> Thanks.
> Tony
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Do I need to write a module?

[Tony Thompson]

Thanks for the response.  Maybe I should give a better picture of what I
am trying to do.  I have a private network that I am trying to route
through a Linux box.  I want to deny all traffic (from a MAC address)
until a user authenticates, with their browser, to a Java application on
the Linux server (when they authenticate, something has to happen to let
netfilter know that the MAC address is allowed to pass).  There has to
be some level of coordination at that point between the Java app and
netfilter so that session timeouts, etc. can be handled.  I would like
to have all of this happen as close to real time (i.e. not batched) as
possible.

After writing this out, maybe I don't even need a module but, just a
way to control netfilter from a Java app.  I am still open to
suggestions...

Thanks.
Tony

>>> Ray Leach <raymondl@knowledgefactory.co.za> 06/24/03 01:57AM >>>
Hi

Why don't you get the Java app to export some kind of text that you
can
get netfilter to parse with regular unix utilities (sed, awk, grep).

Create a cron job to parse the file every 10 minutes (if that's
regular
enough) that parses the text file and reloads your iptables rules as
per
the file.

Ray

On Mon, 2003-06-23 at 20:43, Tony Thompson wrote:
> I am investigating an option to use netfilter to allow/deny traffic
from
> the local subnet based on rules/accounting information that is in
> another (Java based) system.  I am new to netfilter so, I can
someone
> offer some suggestions:
> 
> 1. Is netfilter the right place to hook or should I look at a
firewall
> that may provide some higher level hooks for authentication and
> accounting?
> 
> 2. If I should hook into netfilter, is it a good idea to call into a
> JVM from a netfilter module?
> 
> 3. I am not sure what kind of control I have when using the
userspace
> driver but, should I use that in this situation?  Can I use that
> directly from Java so I wouldn't have the hassel of calling into a
JVM
> from a native process?
> 
> If anyone can offer any other suggestions or examples, that would be
> appreciated.
> 
> Thanks.
> Tony
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za 
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--

Re: Do I need to write a module?

[Ramin Dousti]

On Tue, Jun 24, 2003 at 10:22:52AM -0500, Tony Thompson wrote:

> Thanks for the response.  Maybe I should give a better picture of what I
> am trying to do.  I have a private network that I am trying to route
> through a Linux box.  I want to deny all traffic (from a MAC address)
> until a user authenticates, with their browser, to a Java application on
> the Linux server (when they authenticate, something has to happen to let
> netfilter know that the MAC address is allowed to pass).  There has to
> be some level of coordination at that point between the Java app and
> netfilter so that session timeouts, etc. can be handled.  I would like
> to have all of this happen as close to real time (i.e. not batched) as
> possible.
> 
> After writing this out, maybe I don't even need a module but, just a
> way to control netfilter from a Java app.  I am still open to
> suggestions...

Yes, what you need is to control netfilter from a Java app.

Before the authentication, redirect his web traffic to your java app.

After the authentication, remove the MAC restriction for the client,
add the necessary rules for his service.

Also, I'd implement some kind of timer to go off after certain period
of inactivity and remove the permission of his MAC.

It sounds easy but I'm sure it's gonna be fun implementing it ;-)


Ramin

> 
> Thanks.
> Tony

Re: Do I need to write a module?

[Tony Thompson]

So, to do the HTTP redirect before authentication, it sounds like I will
need a module or ????

What is the best way to control netfilter from Java, JNI or ????

This type of project is certain to have tricky little issues lurking
about but, should be interesting!

>>> Ramin Dousti <ramin@cannon.eng.us.uu.net> 06/24/03 10:55AM >>>
On Tue, Jun 24, 2003 at 10:22:52AM -0500, Tony Thompson wrote:

> Thanks for the response.  Maybe I should give a better picture of
what I
> am trying to do.  I have a private network that I am trying to route
> through a Linux box.  I want to deny all traffic (from a MAC
address)
> until a user authenticates, with their browser, to a Java application
on
> the Linux server (when they authenticate, something has to happen to
let
> netfilter know that the MAC address is allowed to pass).  There has
to
> be some level of coordination at that point between the Java app and
> netfilter so that session timeouts, etc. can be handled.  I would
like
> to have all of this happen as close to real time (i.e. not batched)
as
> possible.
> 
> After writing this out, maybe I don't even need a module but, just a
> way to control netfilter from a Java app.  I am still open to
> suggestions...

Yes, what you need is to control netfilter from a Java app.

Before the authentication, redirect his web traffic to your java app.

After the authentication, remove the MAC restriction for the client,
add the necessary rules for his service.

Also, I'd implement some kind of timer to go off after certain period
of inactivity and remove the permission of his MAC.

It sounds easy but I'm sure it's gonna be fun implementing it ;-)


Ramin

> 
> Thanks.
> Tony

Re: Do I need to write a module?

[Ramin Dousti]

On Tue, Jun 24, 2003 at 11:08:16AM -0500, Tony Thompson wrote:

> So, to do the HTTP redirect before authentication, it sounds like I will
> need a module or ????

Nope, you already have the redirect facility. Read the docs.

> 
> What is the best way to control netfilter from Java, JNI or ????

A simple command line output... With a (semi-complex) bookkeeping issues.

> 
> This type of project is certain to have tricky little issues lurking
> about but, should be interesting!

Yes. Have fun...

Ramin

Re: Do I need to write a module?

[Ralf Spenneberg]

Am Mon, 2003-06-23 um 20.43 schrieb Tony Thompson:
> I am investigating an option to use netfilter to allow/deny traffic from
> the local subnet based on rules/accounting information that is in
> another (Java based) system.  I am new to netfilter so, I can someone
> offer some suggestions:
Hi,
I am doing a similar thing just with apache and netfilter.

I have a webserver running on port 443 requiring authentication. The
webserver then calls a simple cgi-script:
--------------------------
#!/bin/bash
cat <<END
Content-Type: text/html

<center><H1>Hello $REMOTE_USER</H1>
<p>
<p>
Your IP-address $REMOTE_ADDR has been added for the next 3 minutes.
END
echo $REMOTE_ADDR >>address
--------------------------
A cron job runs every minute and checks for the file address and adds it
to the netfilter rules:
#!/bin/bash

if [[ -s /var/www/cgi-bin/address ]]
then
   read address < /var/www/cgi-bin/address
   rm -f /var/www/cgi-bin/address
   touch /var/www/cgi-bin/address
   chown apache /var/www/cgi-bin/address
   iptables -A u_remote -s $address -p tcp --dport 22 --syn\
            -m state --state NEW -j ACCEPT
   sleep 180
   iptables -D u_remote -s $address -p tcp --dport 22 --syn\
            -m state --state NEW -j ACCEPT
fi

Cheers,

Ralf
> 
> 1. Is netfilter the right place to hook or should I look at a firewall
> that may provide some higher level hooks for authentication and
> accounting?
> 
> 2. If I should hook into netfilter, is it a good idea to call into a
> JVM from a netfilter module?
> 
> 3. I am not sure what kind of control I have when using the userspace
> driver but, should I use that in this situation?  Can I use that
> directly from Java so I wouldn't have the hassel of calling into a JVM
> from a native process?
> 
> If anyone can offer any other suggestions or examples, that would be
> appreciated.
> 
> Thanks.
> Tony
-- 
Ralf Spenneberg
RHCE, RHCX

Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                    
http://honeynet.spenneberg.org