Hi,

I know that it has been a while since we discussed this on the list. But I
just had time to test it on my setup.
When I try to use the "shorewall add" command to change a user's zone, I get
the following error:

router:~# shorewall add wlan1:192.168.5.10 walx
iptables v1.4.0: Unknown arg `-j'
Try `iptables -h' or 'iptables --help' for more information.
   ERROR: Can't add wlan1:192.168.5.10 to zone walx
iptables v1.4.0: Unknown arg `-j'
Try `iptables -h' or 'iptables --help' for more information.
   ERROR: Can't add wlan1:192.168.5.10 to zone walx

Then, if I try to re-add it I see that it's already added:

router:~# shorewall add wlan1:192.168.5.10 walx
   wlan1:192.168.5.10 is already in zone walx

Now, I don't understand if my iptables version is fine or not. It seems to
support the "-j" argument, but the shorewall command reports an error.
What could be the problem?

Thanks,
ilker


On 5/22/08, Mekabe Ramein <[EMAIL PROTECTED]> wrote:
>
> Thanks for this very nice email.
> I hope I can handle it with one of those methods.
>
> Just one question:
> How can I tell if my kernel has "ipset" capability?
>
> Thanks.
>
> On 5/22/08, Tom Eastep <[EMAIL PROTECTED]> wrote:
>>
>> Mekabe Ramein wrote:
>>
>>> thanks.
>>> I tried it now.
>>> when I search I find the thread with subject "*Logon page access* <
>>> http://article.gmane.org/gmane.comp.security.shorewall/17904>" but
>>> that's not really what I'd like to do.
>>> I don't want to use any other software. I just want to use shorewall and
>>> simple scripts.
>>> Because I already have my web server and the users are redirected to the
>>> logon page by Shorewall.
>>> Now I just need commands to run for enabling access to the IP address of
>>> the user who logs in. If possible, for a certain time period.
>>> When I search for "authenticate" I find many threads, including some with
>>> "active directory users".
>>> If there is a specific thread that I should check, could you please
>>> give me the subject for this thread?
>>>
>>
>> Don't you think that if I had a particular thread in mind that I would
>> direct you to it? I guess it's going to be less work to just tell you how to
>> do it.
>>
>> There are two ways in which you can do this without touching iptables
>> directly. I recommend that you choose one of them since manipulating the
>> Shorewall-generated ruleset directly requires that you have a good
>> understanding of iptables and of the ruleset. That is because I reserve the
>> right to change the structure of the ruleset without warning.
>>
>> a) Create a dynamic zone whose members aren't redirected and run
>> "/sbin/shorewall add" commands when a user successfully logs on. Dynamic
>> zones are described in the Shorewall IPSEC documentation (
>> http://www1.shorewall.net/3.0/IPSEC.htm#id2480384) but they are not
>> restricted to use with IPSEC. In this approach, you need to write a little
>> daemon that deletes addresses from the ipset after the expiration time.
>>
>> b) Define a zone using an ipset (
>> http://www.shorewall.net/ipsets.html#Dynamic) and add addresses to the
>> ipset when a user successfully logs on. I believe that this approach can
>> also cover your timeout requirement, since I believe that ipsets now
>> support the ability to automatically time out entries.
>>
>> Regardless of which approach you take, you will need a rule such as the
>> following BEFORE your REDIRECT rule:
>>
>>        NONAT   z       net     tcp     80
>>
>> Where 'z' is the zone for users who have logged into your web server. Note
>> that 'z' must be a sub-zone of your 'loc' zone (you can define that in the
>> zones file).
>>
>> The ipset facility requires patching your iptables and kernel but those
>> features will eventually be in the mainline trees. The dynamic zone
>> capability in Shorewall will go away when that happens (notice that it is
>> not documented in the 4.0 documentation but it is still supported).
>>
>> -Tom
>> --
>> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
>> Shoreline,     \ http://shorewall.net
>> Washington USA  \ [EMAIL PROTECTED]
>> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>>
>>
>> _______________________________________________
>> Shorewall-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>
>>
>>
>
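The login hook and expiry reaper that approach (a) above calls for, as an added example that is not part of the thread or of Shorewall itself: it wraps "shorewall add" / "shorewall delete" for the dynamic zone, records an expiry time per address, and removes expired hosts when run from cron. The zone name "walx" and interface "wlan1" are taken from the thread; the state-file path and its format are assumptions of this example.

```shell
#!/bin/sh
# portal.sh: grant a logged-in host time-limited membership in a Shorewall
# dynamic zone (approach a) and reap expired hosts later.
# Assumed for this example: state file path/format, env overrides below.
SHOREWALL="${SHOREWALL:-/sbin/shorewall}"
STATE_FILE="${STATE_FILE:-/var/run/portal-sessions}"  # lines: "<ip> <expiry-epoch>"
ZONE="${ZONE:-walx}"
IFACE="${IFACE:-wlan1}"

# grant <ip> [ttl-seconds]: add the host to the zone and record its expiry.
# A re-login replaces the old record, so the session is extended, not duplicated.
grant() {
    ip=$1; ttl=${2:-3600}
    expiry=$(( $(date +%s) + ttl ))
    "$SHOREWALL" add "$IFACE:$ip" "$ZONE" || return 1
    { [ -f "$STATE_FILE" ] && awk -v ip="$ip" '$1 != ip' "$STATE_FILE" || :
      echo "$ip $expiry"; } > "$STATE_FILE.tmp"
    mv "$STATE_FILE.tmp" "$STATE_FILE"
}

# expired_hosts <now-epoch>: print the addresses whose session has expired.
expired_hosts() {
    [ -f "$STATE_FILE" ] || return 0
    awk -v now="$1" '$2 <= now { print $1 }' "$STATE_FILE"
}

# reap [now-epoch]: delete expired hosts from the zone and drop their records.
# Run it every minute from cron instead of keeping a daemon around.
reap() {
    now=${1:-$(date +%s)}
    for ip in $(expired_hosts "$now"); do
        "$SHOREWALL" delete "$IFACE:$ip" "$ZONE" \
            || echo "warning: could not remove $ip from zone $ZONE" >&2
    done
    [ -f "$STATE_FILE" ] || return 0
    awk -v now="$now" '$2 > now' "$STATE_FILE" > "$STATE_FILE.tmp" \
        && mv "$STATE_FILE.tmp" "$STATE_FILE"
}

# Command-line entry point: portal.sh grant <ip> [ttl] | portal.sh reap
if [ $# -gt 0 ]; then
    case $1 in
        grant) grant "$2" "$3" ;;
        reap)  reap ;;
        *)     echo "usage: $0 grant <ip> [ttl] | reap" >&2; exit 2 ;;
    esac
fi
```

The NONAT rule Tom shows still has to sit before the REDIRECT rule; this script only manages zone membership.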