Graham Toal wrote:
> We have an internal network in a public area that anyone can walk up to,
> and plug in a PC.
> I want someone hooking up to the network to have NO access to the outside,
> *until*...
>
> the first time they use a web browser to access any outside page, it
> is redirected to a browser on the firewall host. That browser puts up
> a page requesting a username and password which it checks in some
> database it has access to.
>
> Once the user has been validated, the ip chains are modified to allow
> that host full routed access to the net. (For a specific length of time -
> a timer will kick off and when that time expires, another script will be
> run to remove the rules which permitted that IP access)
>
> This is basically the same system as some hotels run for internet access
> from your room, except that they ask for a credit card whereas we ask for
> a valid student username and password. (This is for a university environment)
>
> Has anyone done this before? If so please point me at it!
I posed the same kind of question to this list in Aug 2001:
http://msgs.securepoint.com/cgi-bin/get/netfilter-0108/200.html

That particular project never got traction, but what I learned may be of help. I'd very much like to keep this discussion going, in list preferably, since this issue of public-access networking is timely, interesting and applicable to the netfilter community.

There are commercial products that do these functions but at high cost ($10-15K), notably: Cisco's BBSM (broadband Building Service Manager) and SolutionInc (http://www.solutioninc.com/products/hospitality.html). Being primarily for MxU markets, these solutions all have a billing component to hook into (for example) the Hotel PMS system. They also support other auth models like username/password input, not just credit card models. For example, when someone is renting a conference room and needs to allow all participants to connect, a pre-assigned username/password model is used.

I believe the commercial offerings use proxy arp to force requests to an authentication/billing service running locally. Whether they use dynamic fw rules I can't say but it would seem likely that they do.

What you may/may not also want is a way to segregate LAN segments and/or individual users from one another. In that case VLAN/802.1q can be used in conjunction with a switched network which supports VLAN tagging. Recent Linux kernels (> 2.4.15) support VLAN/802.1q: http://scry.wanfear.com/~greear/vlan.html, and some notes on how I got VLAN working with iptables and DHCP: http://www.planetconnect.com/vlan/

Some tangentially related links, included FWIW:

NetReg: An Automated DHCP Registration System
http://www.usenix.org/event/lisa99/full_papers/valian/valian_html/index.html

Dealing with Public Ethernet Jacks - Switches, Gateways, and Authentication
http://www.usenix.org/event/lisa99/full_papers/beck/beck_html/index.html

Again... This is a great start but I'd like to keep this discussion going so if anyone has other ideas/info/insight to add, please chime in!

--
Doug Monroe
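The gate Graham describes (redirect every outbound HTTP request to the login page until the host is authenticated, then open a timed hole in the firewall and close it again when the timer runs out), as an added example written for this page rather than code from either poster. It is a POSIX shell script around iptables, the 2.4-kernel successor to the ipchains Graham mentions. The interface name, the portal port, the state-file path and the cron-driven expiry are assumptions. One hardening step goes beyond what the thread says: each grant is bound to the client's MAC address as well as its IP, because on a shared jack an unauthenticated host can otherwise take over an authenticated host's address the moment it goes quiet. Set IPTABLES=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example: captive-portal gate on iptables. Not code from the thread.
# Assumptions: LAN_IF is the public-jack segment, the login page listens on
# PORTAL_PORT on this host, grants are recorded in STATE_FILE, and
# "portal_expire" is run from cron once a minute.
# Set IPTABLES=echo to dry-run (prints the rules instead of loading them).
IPTABLES="${IPTABLES:-iptables}"
LAN_IF="${LAN_IF:-eth1}"
PORTAL_PORT="${PORTAL_PORT:-8000}"
STATE_FILE="${STATE_FILE:-/var/lib/captive/grants}"

portal_setup() {
    # nat/CAPTIVE: unauthenticated hosts have every outbound HTTP request
    # redirected to the login page. Grants are inserted above the REDIRECT
    # as RETURN rules, so authenticated hosts fall through untouched.
    $IPTABLES -t nat -N CAPTIVE 2>/dev/null
    $IPTABLES -t nat -A PREROUTING -i "$LAN_IF" -j CAPTIVE
    $IPTABLES -t nat -A CAPTIVE -p tcp --dport 80 -j REDIRECT --to-ports "$PORTAL_PORT"
    # The portal itself must be reachable on this host.
    $IPTABLES -A INPUT -i "$LAN_IF" -p tcp --dport "$PORTAL_PORT" -j ACCEPT
    # filter/AUTHED: only granted hosts may be forwarded. DNS is let through
    # for everyone, otherwise the browser never gets as far as the redirect.
    $IPTABLES -N AUTHED 2>/dev/null
    $IPTABLES -A FORWARD -i "$LAN_IF" -p udp --dport 53 -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_IF" -j AUTHED
    $IPTABLES -A FORWARD -i "$LAN_IF" -j DROP
    $IPTABLES -A FORWARD -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# portal_grant <ip> <mac> <ttl-seconds> [now-epoch]
# Called by the login page once the username/password check succeeds.
# The MAC match stops another host on the jack from borrowing the IP.
portal_grant() {
    ip=$1; mac=$2; ttl=$3; now=${4:-$(date +%s)}
    $IPTABLES -t nat -I CAPTIVE 1 -s "$ip" -m mac --mac-source "$mac" -j RETURN
    $IPTABLES -I AUTHED 1 -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
    printf '%s %s %s\n' "$ip" "$mac" "$((now + ttl))" >> "$STATE_FILE"
}

# portal_revoke <ip> <mac>: delete exactly the rules portal_grant added.
portal_revoke() {
    $IPTABLES -t nat -D CAPTIVE -s "$1" -m mac --mac-source "$2" -j RETURN
    $IPTABLES -D AUTHED -s "$1" -m mac --mac-source "$2" -j ACCEPT
}

# portal_expire [now-epoch]: the timer. Revokes every grant whose expiry
# has passed and rewrites the state file with the survivors.
portal_expire() {
    now=${1:-$(date +%s)}
    [ -f "$STATE_FILE" ] || return 0
    keep=$(mktemp)
    while read -r ip mac exp; do
        if [ "$exp" -le "$now" ]; then
            portal_revoke "$ip" "$mac"
        else
            printf '%s %s %s\n' "$ip" "$mac" "$exp" >> "$keep"
        fi
    done < "$STATE_FILE"
    mv "$keep" "$STATE_FILE"
}

case "${1:-}" in
    setup)  portal_setup ;;
    grant)  portal_grant "$2" "$3" "$4" ;;
    revoke) portal_revoke "$2" "$3" ;;
    expire) portal_expire ;;
esac
```

Run `setup` once at boot, have the login CGI call `grant <ip> <mac> <seconds>` after it has checked the credentials (the client's MAC comes from the ARP table on the firewall, since the portal sees the connection directly), and run `expire` from cron. Revoking by deleting the exact rule that was inserted, rather than flushing the chain, keeps other users' grants intact; the RETURN rule in the nat chain is what lets an authenticated host's port 80 traffic bypass the REDIRECT.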
