Mekabe Ramein wrote:
thanks.
I tried it now.
when I search I find the thread with subject "*Logon page access* <http://article.gmane.org/gmane.comp.security.shorewall/17904>" but that's not really what I'd like to do. I don't want to use any other software. I just want to use shorewall and simple scripts. Because I already have my web server and the users are redirected to the logon page by Shorewall. Now I just need commands to run for enabling access to the IP address of the user who logs in, if possible for a certain time period. When I search for "authenticate" I find many threads including some with "active directory users". If there is a specific thread that I should check, could you please give me the subject for this thread?

Don't you think that if I had a particular thread in mind that I would direct you to it? I guess it's going to be less work to just tell you how to do it.

There are two ways in which you can do this without touching iptables directly. I recommend that you choose one of them since manipulating the Shorewall-generated ruleset directly requires that you have a good understanding of iptables and of the ruleset. That is because I reserve the right to change the structure of the ruleset without warning.

a) Create a dynamic zone whose members aren't redirected and run "/sbin/shorewall add" commands when a user successfully logs on. Dynamic zones are described in the Shorewall IPSEC documentation (http://www1.shorewall.net/3.0/IPSEC.htm#id2480384) but they are not restricted to use with IPSEC. In this approach, you need to write a little daemon that deletes addresses from the ipset after the expiration time.

b) Define a zone using an ipset (http://www.shorewall.net/ipsets.html#Dynamic) and add addresses to the ipset when a user successfully logs on. I believe that this approach can also cover your timeout requirement, since I believe that ipsets now support the ability to automatically time out entries.

Regardless of which approach you take, you will need a rule such as the following BEFORE your REDIRECT rule:

        NONAT   z       net     tcp     80

Where 'z' is the zone for users who have logged into your web server. Note that 'z' must be a sub-zone of your 'loc' zone (you can define that in the zones file).

The ipset facility requires patching your iptables and kernel but those features will eventually be in the mainline trees. The dynamic zone capability in Shorewall will go away when that happens (notice that it is not documented in the 4.0 documentation but it is still supported).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
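As an added illustration of approach (a) above, not code from the thread or from Shorewall itself, the following Python sketch is the "little daemon" Tom mentions: it records which client addresses have logged on, issues "/sbin/shorewall add" on a successful logon and "/sbin/shorewall delete" once the lease expires. The interface name eth1, the sub-zone name z and the 3600 s lease are assumptions; the command form "shorewall add <interface>:<host> <zone>" is the documented dynamic-zone syntax, and the address is validated as an IP before it ever reaches a command so a crafted client address cannot alter the command.

```python
import ipaddress
import subprocess
import time

# Assumed path of the Shorewall CLI (as quoted in the thread).
SHOREWALL = "/sbin/shorewall"


class LogonLeases:
    """Expiring allow-list of logged-on clients for a dynamic Shorewall zone."""

    def __init__(self, interface="eth1", zone="z", ttl=3600, run=subprocess.check_call):
        # interface/zone/ttl are assumptions for this example; 'run' is injectable
        # so the logic can be exercised without a real Shorewall install.
        self.interface, self.zone, self.ttl, self.run = interface, zone, ttl, run
        self.expiry = {}  # validated address -> absolute expiry time (seconds)

    def _cmd(self, verb, addr):
        # Build an argv list, never a shell string: the address originates from a
        # client request and has been validated, and is not passed through sh.
        return [SHOREWALL, verb, f"{self.interface}:{addr}", self.zone]

    def grant(self, client_addr, now=None):
        """Called by the logon page after a successful login; returns the address."""
        addr = str(ipaddress.ip_address(client_addr))  # ValueError if not a bare IP
        now = time.time() if now is None else now
        if addr not in self.expiry:  # a repeat login only extends the lease
            self.run(self._cmd("add", addr))
        self.expiry[addr] = now + self.ttl
        return addr

    def expire(self, now=None):
        """Run periodically by the daemon; returns the addresses removed."""
        now = time.time() if now is None else now
        dead = [a for a, t in self.expiry.items() if t <= now]
        for addr in dead:
            self.run(self._cmd("delete", addr))
            del self.expiry[addr]
        return dead


if __name__ == "__main__":
    leases = LogonLeases(run=print)  # dry run: print the argv instead of executing
    leases.grant("192.168.1.20", now=0)
    leases.expire(now=3601)
```

With the NONAT rule for zone z placed before the REDIRECT rule as described, hosts present in the dynamic zone bypass the logon redirect until expire() removes them.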

