iptables with LDAP authentication

iptables with LDAP authentication

[Yogesh Subhash Talekar]

hi,

I have a full Class C real IP network. All department have their own Linux
servers and the last IP (X.X.X.254) is given to the CISCO router which is
our gateway to Internet. Currently i have a OpenBSD firewall configured as
bridge with IP-filter.

Now I want to go with Linux firewall, if it will have following features:

1. It will run IP-tables firewall and will authenticate everyone (rather
each session for each type of service .. http, ftp, ssh etc.) against the
central LDAP server which is on some other server.

2. It will put on bandwidth restriction on each campus departmental
server. (it is possible with tc/qdisc)

All I want to know is ... is it possible to authenticate the traffic
flowing thro' a Linux ip-tables bridging firewall against a central
OpenLDAP database?
Will it maintain the sessions for each user separately for HTTP (Squid?),
FTP and telnet or ssh ? Is it possible to log per head traffic and ban
them if the exceed some limit (say 200 MB per month).

Any suggestions/ links / advice will be highly appriciated.

thanks in advance

--yogesh

Re: iptables with LDAP authentication

[Alex Nee]

Would It be possible to maybe get an LDAP server to Inject
Rules as needed via a SSH Tunnel into the Gateway as people were
authenticated ...

then as for quotas use the ipt_quota PoM patch (works well for me)
there is also talk on the developer IRC channels that ipt_quota maybee
getting
a hard & soft limit options aswell, so established & related connections
wont be hard cut off at the limit
effectivelly allowing 'allot' of clients to finnished there web surfing ect
before they get cut off permantly .(until a quota resets or an admin renews
it for them)

----- Original Message -----
From: "Yogesh Subhash Talekar" <yogesh@unipune.ernet.in>
To: <netfilter@lists.netfilter.org>
Sent: Monday, April 28, 2003 10:34 PM
Subject: iptables with LDAP authentication


> hi,
>
> I have a full Class C real IP network. All department have their own Linux
> servers and the last IP (X.X.X.254) is given to the CISCO router which is
> our gateway to Internet. Currently i have a OpenBSD firewall configured as
> bridge with IP-filter.
>
> Now I want to go with Linux firewall, if it will have following features:
>
> 1. It will run IP-tables firewall and will authenticate everyone (rather
> each session for each type of service .. http, ftp, ssh etc.) against the
> central LDAP server which is on some other server.
>
> 2. It will put on bandwidth restriction on each campus departmental
> server. (it is possible with tc/qdisc)
>
> All I want to know is ... is it possible to authenticate the traffic
> flowing thro' a Linux ip-tables bridging firewall against a central
> OpenLDAP database?
> Will it maintain the sessions for each user separately for HTTP (Squid?),
> FTP and telnet or ssh ? Is it possible to log per head traffic and ban
> them if the exceed some limit (say 200 MB per month).
>
> Any suggestions/ links / advice will be highly appriciated.
>
> thanks in advance
>
> --yogesh

RE: iptables with LDAP authentication

[Khanh Tran]

Check out: 

http://www.linuxselfhelp.com/HOWTO/Authentication-Gateway-HOWTO/setup.html

Scroll down to the 3.2 section.  It has a link to a iptables PAM that
supposedly will insert the proper iptables lines to allow the authenticated
client access through the firewall.  Hope this helps...

Khanh Tran
Network Operations
Sarah Lawrence College


-----Original Message-----
From: Yogesh Subhash Talekar [mailto:yogesh@unipune.ernet.in]
Sent: Monday, April 28, 2003 8:35 AM
To: netfilter@lists.netfilter.org
Subject: iptables with LDAP authentication


hi,

I have a full Class C real IP network. All department have their own Linux
servers and the last IP (X.X.X.254) is given to the CISCO router which is
our gateway to Internet. Currently i have a OpenBSD firewall configured as
bridge with IP-filter.

Now I want to go with Linux firewall, if it will have following features:

1. It will run IP-tables firewall and will authenticate everyone (rather
each session for each type of service .. http, ftp, ssh etc.) against the
central LDAP server which is on some other server.

2. It will put on bandwidth restriction on each campus departmental
server. (it is possible with tc/qdisc)

All I want to know is ... is it possible to authenticate the traffic
flowing thro' a Linux ip-tables bridging firewall against a central
OpenLDAP database?
Will it maintain the sessions for each user separately for HTTP (Squid?),
FTP and telnet or ssh ? Is it possible to log per head traffic and ban
them if the exceed some limit (say 200 MB per month).

Any suggestions/ links / advice will be highly appriciated.

thanks in advance

--yogesh

Re: iptables with LDAP authentication

[Stefan Nehlsen]

On Tue, Apr 29, 2003 at 09:05:32PM -0400, Khanh Tran wrote:
> Check out: 
> 
> http://www.linuxselfhelp.com/HOWTO/Authentication-Gateway-HOWTO/setup.html
> 
> Scroll down to the 3.2 section.  It has a link to a iptables PAM that
> supposedly will insert the proper iptables lines to allow the authenticated
> client access through the firewall.  Hope this helps...

How about using ippool?

Instead of using adding and deleting rules, it seems to be easier to me to
filter on pools.

Modifications will be made to the pools.

What is the status of the pool-stuff?

Does it work?

Is it in use?


cu, Stefan

> hi,
> 
> I have a full Class C real IP network. All department have their own Linux
> servers and the last IP (X.X.X.254) is given to the CISCO router which is
> our gateway to Internet. Currently i have a OpenBSD firewall configured as
> bridge with IP-filter.
> 
> Now I want to go with Linux firewall, if it will have following features:
> 
> 1. It will run IP-tables firewall and will authenticate everyone (rather
> each session for each type of service .. http, ftp, ssh etc.) against the
> central LDAP server which is on some other server.
> 
> 2. It will put on bandwidth restriction on each campus departmental
> server. (it is possible with tc/qdisc)
> 
> All I want to know is ... is it possible to authenticate the traffic
> flowing thro' a Linux ip-tables bridging firewall against a central
> OpenLDAP database?
> Will it maintain the sessions for each user separately for HTTP (Squid?),
> FTP and telnet or ssh ? Is it possible to log per head traffic and ban
> them if the exceed some limit (say 200 MB per month).
> 
> Any suggestions/ links / advice will be highly appriciated.
> 
> thanks in advance
> 
> --yogesh
> 

-- 
Stefan Nehlsen | ParlaNet Administration | sn@parlanet.de | +49 431 988-1260