Controlling Internet access by users/groups
Samuel Díaz García
samueldg at arcoscom.com
Thu Sep 21 13:02:09 UTC 2006
Perhaps it is a poor solution, but if you could assign a MAC or IP to each user
in some form, you could use iptables/ebtables on the gateway machine to allow
this.
For example, you can define chains for different purposes/Internet access
and in the FORWARD chain, use the source/destination MAC or IP to allow the
access associated to that type of user.
For example, using one IP per user, you can use something like:
# Create the per-type chains first; iptables rejects a jump (-j) to a
# chain that does not exist yet.
iptables -N HTTP
iptables -N HTTP_MSN
iptables -A HTTP -p tcp --dport 80 -j ACCEPT
iptables -A HTTP_MSN -p tcp --dport 80 -j ACCEPT
iptables -A HTTP_MSN -p tcp --dport 1863 -j ACCEPT
# Then FORWARD: reply traffic first, then one jump per client IP.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s <client_a_ip> -j <client_a_chain>
iptables -A FORWARD -s <client_b_ip> -j <client_b_chain>
Perhaps by taking a look at the iptables documents/how-tos you can get an
idea of how to do that.
Regards
--
Samuel Díaz García
ArcosCom Wireless, S.L.L.
CIF: B11828068
c/ Romero Gago, 19
Arcos de la Frontera
11630 - Cadiz
http://www.arcoscom.com
mailto:samueldg at arcoscom.com
msn: samueldg at arcoscom.com
Tlfn.: 956 70 13 15
Fax: 956 70 34 83
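As an added example (not code from Samuel's post, nor from any project), here is a small POSIX shell script that generates the same kind of gateway rule set from a user-to-IP table, in an order iptables will actually accept: profile chains first, then the stateful rule, one jump per user, with a default DROP policy on FORWARD so anything not explicitly allowed fails closed. The user names, 192.0.2.x addresses and profile names are constructed placeholders. It prints the commands rather than applying them, so the result can be reviewed and then piped to sh on the gateway.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates an ordered set of
# iptables commands for a gateway that identifies users by a fixed source IP.
# All users, addresses and profile names below are constructed placeholders.

# One user per line: "<user> <source ip> <profile chain>"
USER_MAP='alice 192.0.2.10 HTTP
bob   192.0.2.11 HTTP_MSN
carol 192.0.2.12 NONE'

# Rules for one profile chain. A packet that matches nothing in its profile
# chain returns to FORWARD and is dropped by the default policy.
profile_rules() {
  case "$1" in
    HTTP)
      echo "iptables -A HTTP -p tcp --dport 80 -j ACCEPT" ;;
    HTTP_MSN)
      echo "iptables -A HTTP_MSN -p tcp --dport 80 -j ACCEPT"
      echo "iptables -A HTTP_MSN -p tcp --dport 1863 -j ACCEPT" ;;
    NONE)
      : ;;   # deliberately empty: this profile forwards nothing
    *)
      echo "unknown profile: $1" >&2; return 1 ;;
  esac
}

generate_rules() {
  map="$1"
  # 1. Default deny on FORWARD, so a half-applied rule set fails closed.
  echo "iptables -P FORWARD DROP"
  # 2. Create every profile chain before anything jumps to it; iptables
  #    rejects a -j to a chain that does not exist yet.
  printf '%s\n' "$map" | awk 'NF { print $3 }' | sort -u | while read -r p; do
    echo "iptables -N $p"
    profile_rules "$p"
  done
  # 3. Replies to already-accepted connections, before any per-user rule.
  echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
  # 4. One jump per user, keyed on the source address assigned to that user.
  printf '%s\n' "$map" | while read -r user ip profile; do
    [ -n "$user" ] || continue
    echo "iptables -A FORWARD -s $ip -j $profile   # $user"
  done
}

# Print the rule set; review it, then pipe it to sh on the gateway.
generate_rules "$USER_MAP"
```

Because the decision is made on the gateway, it does not depend on rules held on the workstation, which addresses the client-side enforcement concern in the quoted mail. The identification itself is only as strong as the IP-to-user binding: a host that takes another user's address inherits that user's profile, so this approach needs fixed addresses (static or DHCP reservations) and an understanding that it identifies machines, not authenticated users.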
El Jue, 21 de Septiembre de 2006, 14:40, Marcelo Magno T. Sales escribió:
> Hi,
>
> This is a long e-mail, but I hope that the answer for this problem, if
> there is one, will be useful for many people. First, some background
> information: here at work we have been using MS solutions for a long time,
> and for the last two years we have been migrating several services to
> Unix/Linux. For the last few months, I've been evaluating the feasibility
> of migrating workstations to Linux, but there's a problem with controlling
> Internet access that I've not been able to solve so far.
> We use MS ISA Server to restrict Internet access, by user and by
> application. For example, I can set it up so that user A can access HTTP
> servers and use instant messengers, while users from group B are allowed
> to access FTP servers and users from group C are forbidden any access
> (users and groups are stored in Active Directory).
> In order to work this way, ISA Server provides a client that is installed
> on the Windows workstations. This client intercepts all TCP/IP requests
> and redirects them to the ISA server, along with the credentials of the
> currently logged-in user. No additional configuration is needed in any
> application; they just "think" they are directly connected to the
> Internet.
> I need a way to do the same with Linux clients. It may be software that
> acts like the ISA Firewall Client, interoperating with MS ISA Server (this
> would be very useful during migration), or it may be an entirely
> Linux-based solution (preferred long-term solution).
>
> I've tried the following so far:
>
> 1. Configure applications to use ISA Server as the proxy server.
> . Positive point: Firefox can do NTLM authentication and interoperates
> well with ISA Server.
> . Negative points: Many applications can't be configured to use proxies.
> Those which can are not able to authenticate against ISA Server.
> Even if they were, it would be necessary to configure each application
> for each user.
> In Firefox, the user has to retype his credentials every time he
> opens the browser, and Java applets do not work (the JVM can't
> authenticate against ISA Server).
>
> 2. Use NTLMAPS / APServer on the client side
> . Positive point: Firefox can access the Internet using APServer without
> requesting user credentials, and Java applets work fine. APServer can
> do NTLM authentication and interoperates well with ISA Server.
> . Negative points: It's useful for HTTP access only. Other applications
> suffer from the same problems described in the previous solution.
> APServer is not user-friendly enough to be used by normal users,
> and I can't configure it to start automatically (for that, I would
> have to set it up with a user account that would not match the
> currently logged-in user).
>
> 3. Use squid on the server side
> . Positive point: HTTP access can be restricted by AD user accounts.
> squid is able to authenticate users against AD.
> . It's another HTTP-only solution. squid's capabilities for restricting
> access by group are limited. Special browser configuration is
> required.
>
> 4. On the client side, use a script that creates iptables rules
> dynamically when a user logs on, according to his credentials.
> . Positive point: works for all applications. Works with ISA Server in
> NAT mode as well as with a Linux-based NAT solution.
> . Negative points: administration is a nightmare. It's difficult to
> work with groups. The restrictions are enforced on the client side and
> not on the server side, which lowers security. My network
> spans an 800 km area, with many buildings. Each building
> has support personnel who must have local root access to the
> workstations in the building, but should not be able to set up
> their own restrictions for Internet access. It's not possible to
> prevent them from editing the local iptables rules, once they
> have root privileges on the workstations.
>
> Is there a way to get the results I need using Linux clients?
>
> Thanks,
>
> Marcelo
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>