Thanks for this very nice email.
I hope I can handle it with one of those methods.

Just one question:
How can I understand if my kernel has "ipset" capability?

Thanks.

On 5/22/08, Tom Eastep <[EMAIL PROTECTED]> wrote:
>
> Mekabe Ramein wrote:
>
>> thanks.
>> I tried it now.
>> when I search I find the thread with subject "*Logon page access* <
>> http://article.gmane.org/gmane.comp.security.shorewall/17904>" but that's
>> not really what I'd like to do.
>> I don't want to use any other software. I just want to use shorewall and
>> simple scripts.
>> Because I already have my web server and the users are redirected to the
>> logon page by Shorewall.
>> Now I just need commands to run for enabling access to the IP address of
>> the user who logs in. If possible, for a certain time period.
>> When I search for "authenticate" I find many threads including some with
>> "active directory users".
>> If there is a specific thread that I should check, could you please give
>> me the subject for this thread?
>>
>
> Don't you think that if I had a particular thread in mind that I would
> direct you to it? I guess it's going to be less work to just tell you how to
> do it.
>
> There are two ways in which you can do this without touching iptables
> directly. I recommend that you choose one of them since manipulating the
> Shorewall-generated ruleset directly requires that you have a good
> understanding of iptables and of the ruleset. That is because I reserve the
> right to change the structure of the ruleset without warning.
>
> a) Create a dynamic zone whose members aren't redirected and run
> "/sbin/shorewall add" commands when a user successfully logs on. Dynamic
> zones are described in the Shorewall IPSEC documentation (
> http://www1.shorewall.net/3.0/IPSEC.htm#id2480384) but they are not
> restricted to use with IPSEC. In this approach, you need to write a little
> daemon that deletes addresses from the ipset after the expiration time.
>
> b) Define a zone using an ipset (
> http://www.shorewall.net/ipsets.html#Dynamic) and add addresses to the
> ipset when a user successfully logs on. I believe that this approach can
> also cover your timeout requirement, since I believe that ipsets now
> support the ability to automatically time out entries.
>
> Regardless of which approach you take, you will need a rule such as the
> following BEFORE your REDIRECT rule:
>
>        NONAT   z       net     tcp     80
>
> Where 'z' is the zone for users who have logged into your web server. Note
> that 'z' must be a sub-zone of your 'loc' zone (you can define that in the
> zones file).
>
> The ipset facility requires patching your iptables and kernel but those
> features will eventually be in the mainline trees. The dynamic zone
> capability in Shorewall will go away when that happens (notice that it is
> not documented in the 4.0 documentation but it is still supported).
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ [EMAIL PROTECTED]
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
>
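Added example for approach (b) in Tom's reply (an editor's illustration, not code from the thread or from Shorewall): a small login-handler script that adds the authenticated client's address to an ipset with a timeout, and a check for kernel ipset support. It assumes modern ipset syntax (`hash:ip` sets with per-entry timeouts), a set name `authed` and a Shorewall zone `z` defined on that set, all of which are constructed here; the address is strictly validated because it comes from the web login and ends up on a root command line.

```shell
#!/bin/sh
# Added example, not from the thread: a login-handler helper for Tom's approach (b).
# Assumptions: modern ipset syntax (hash:ip sets with per-entry timeouts) and a
# Shorewall zone 'z' already defined on the set named below. Shorewall side, from
# the thread: a NONAT rule for z must precede the REDIRECT:  NONAT  z  net  tcp  80

SET_NAME="${SET_NAME:-authed}"      # constructed set name, must match the zone definition
DEFAULT_TTL="${DEFAULT_TTL:-3600}"  # seconds an address stays authorised
DRY_RUN="${DRY_RUN:-0}"             # 1 = print the commands instead of running them

# Kernel ipset support check: without it, ipset cannot even list sets.
ipset_supported() { ipset list >/dev/null 2>&1; }

# Create the set once (idempotent) with timeout support enabled.
ensure_set() { ipset create "$SET_NAME" hash:ip timeout "$DEFAULT_TTL" -exist; }

# Strict dotted-quad check: the address comes from the web login and ends up on a
# root command line, so only four octets of 0-255 are accepted.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    _old_ifs=$IFS; IFS=.; set -- $1; IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _oct in "$@"; do
        [ "$_oct" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Command that authorises an address for $2 seconds (printed during dry runs).
grant_cmd() { printf 'ipset add %s %s timeout %s -exist\n' "$SET_NAME" "$1" "$2"; }

# Called by the login page after a successful logon: grant_access IP [TTL].
# Entries expire by themselves, so no cleanup daemon is needed for this approach.
grant_access() {
    _ip=$1; _ttl=${2:-$DEFAULT_TTL}
    valid_ipv4 "$_ip" || { echo "refusing '$_ip': not an IPv4 address" >&2; return 1; }
    case $_ttl in ''|*[!0-9]*) echo "refusing ttl '$_ttl'" >&2; return 1 ;; esac
    if [ "$DRY_RUN" = 1 ]; then grant_cmd "$_ip" "$_ttl"; else
        ipset add "$SET_NAME" "$_ip" timeout "$_ttl" -exist
    fi
}

# Called on logout: drop the entry now instead of waiting for the timeout.
revoke_access() {
    valid_ipv4 "$1" || return 1
    if [ "$DRY_RUN" = 1 ]; then printf 'ipset del %s %s -exist\n' "$SET_NAME" "$1"; else
        ipset del "$SET_NAME" "$1" -exist
    fi
}
```

Run with `DRY_RUN=1` first to see the exact ipset commands the login page would issue; `ensure_set` must run once at boot, before Shorewall starts, so the zone's set exists.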