In article <[EMAIL PROTECTED]>,
Graham Toal <[EMAIL PROTECTED]> wrote:
>Appreciate the pointer, but a squid proxy is too restrictive - we want to
>open up full 100% IP routing once validated so that any protocol will work,
>not just the ones a proxy server supports.
I set up one of these ages ago (back in the ipfwadm days). This was
actually for an office where management was afraid that some employee
might download a trojan and accidentally compromise network security.
Yeah, like that'll ever happen. ;-)
I used a telnet session instead of a CGI script, both for session tracking
(close Telnet, lose network access) and because I had the additional
requirement to show the user all of their exterior traffic as it goes by,
and give them an opportunity to permit or deny it. Imagine prompts like:
Connect to 24.48.96.192:80 (www.1337-crax0rz.com:http) and
POST to url "/upload-sniffed-passwords.cgi"
from 10.0.0.15:4637 (your.trojan.infested.win95.box:4637)
Accept/Reject Connection/Port/Host/Domain/Subnet]: rs
Enter netmask or /bits [255.255.255.0/24]: /8
Time Limit [1 Hour]: forever
Rejecting to Subnet 24.0.0.0/8 forever.
Anyway, a basic system can be set up using a CGI script and -j REDIRECT.
You set up rules like this:
# Create the chain that authenticated users will be placed in.
iptables -t nat -N AuthUser
# If the user is authenticated, they will appear in the AuthUser
# chain. Check this first.
iptables -t nat -A PREROUTING -j AuthUser
# Everyone else goes here
iptables -t nat -A PREROUTING --proto tcp --dport 80 \
-j REDIRECT --to-ports 80
You put your CGI script on a web server at port 80. Your users connect to
any off-LAN address with a web browser and get your CGI script instead.
The CGI script puts in rules like:
iptables -t nat -A AuthUser -s <client IP> -j ACCEPT
These rules bypass the REDIRECT rule at the end of the PREROUTING table.
You probably want to add MAC address checking as it makes people type
up to 17 extra keystrokes (or endure time-consuming mouse movements for
cut and paste) to steal someone else's access.
If the user attempts to connect to *anything* on port 80, they'll get
your web server instead.
Of course, as others may have mentioned this isn't really secure--anyone
can configure their IP/MAC to match an authenticated user and steal
their access. A real solution contains an Ethernet switch which can
dynamically repartition your LAN into authenticated and unauthenticated
segments, do MAC address filtering on each port, and so on.
--
Zygo Blaxell (Laptop) <[EMAIL PROTECTED]>
GPG = D13D 6651 F446 9787 600B AD1E CCF3 6F93 2823 44AD
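The setup described in the post, with the per-client authorize step the CGI script would perform, as an added example that is not code from the original post. It assumes the chain name AuthUser, a portal on local port 80, and a Linux box with /proc/net/arp; the IP and MAC checks are there because a CGI script that hands REMOTE_ADDR to a shell unchecked is itself a risk.

```shell
#!/bin/sh
# Added example (not from the original post). Set IPTABLES="echo iptables"
# to dry-run and see the rules that would be installed.
IPTABLES="${IPTABLES:-iptables}"
CHAIN="${CHAIN:-AuthUser}"   # assumed chain name, as in the post

# Dotted-quad check: exactly four fields, each 0-255, nothing else.
valid_ipv4() {
    echo "$1" | awk -F. 'NF!=4{exit 1}
        {for(i=1;i<=4;i++) if($i!~/^[0-9]+$/ || $i>255) exit 1}'
}

# MAC check: six hex pairs separated by colons.
valid_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# One-time setup: authenticated clients are checked first; everyone else
# who talks to any port 80 is redirected to the portal on this box.
portal_setup() {
    $IPTABLES -t nat -N "$CHAIN"
    $IPTABLES -t nat -A PREROUTING -j "$CHAIN"
    $IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 80
}

# Look up the MAC the kernel saw for this IP (Linux ARP table).
mac_for_ip() {
    awk -v ip="$1" '$1==ip{print $4; exit}' /proc/net/arp
}

# Grant access to one IP+MAC pair; refuse malformed input outright so
# nothing untrusted reaches the iptables command line.
authorize() {
    valid_ipv4 "$1" || { echo "bad ip: $1" >&2; return 1; }
    valid_mac "$2"  || { echo "bad mac: $2" >&2; return 1; }
    $IPTABLES -t nat -A "$CHAIN" -s "$1" -m mac --mac-source "$2" -j ACCEPT
}

# Remove the same rule when the session ends.
revoke() {
    valid_ipv4 "$1" || return 1
    valid_mac "$2"  || return 1
    $IPTABLES -t nat -D "$CHAIN" -s "$1" -m mac --mac-source "$2" -j ACCEPT
}
```

A CGI script would call `authorize "$REMOTE_ADDR" "$(mac_for_ip "$REMOTE_ADDR")"` after the user validates, and `revoke` with the same pair on logout or timeout.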