Controlling Internet access by users/groups

Samuel Díaz García samueldg at arcoscom.com
Thu Sep 21 13:02:09 UTC 2006


Perhaps it is a poor solution, but if you could assign a MAC or IP to each
user in some form, you could use iptables/ebtables on the gateway machine
to allow this.

For example, you can define chains for different purposes/Internet access
levels and, in the FORWARD chain, use the source/destination MAC or IP to
allow the access associated with that type of user.

For example, using one IP per user, you can use something like:

# Default policy: anything a per-client chain does not accept is dropped.
iptables -P FORWARD DROP

# The chains must exist before any rule can jump to them.
iptables -N HTTP
iptables -N HTTP_MSN

# Web only
iptables -A HTTP -p tcp --dport 80 -j ACCEPT
# Web plus MSN Messenger
iptables -A HTTP_MSN -p tcp --dport 80 -j ACCEPT
iptables -A HTTP_MSN -p tcp --dport 1863 -j ACCEPT

# Let return traffic through first, then send each client to its own chain.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s <client_a_ip> -j HTTP       # client A: web only
iptables -A FORWARD -s <client_b_ip> -j HTTP_MSN   # client B: web plus MSN

Perhaps by taking a look at the iptables documents/how-tos you can get an
idea of how to do that.

Regards

-- 
Samuel Díaz García
ArcosCom Wireless, S.L.L.

CIF: B11828068
c/ Romero Gago, 19
Arcos de la Frontera
11630 - Cadiz

http://www.arcoscom.com

mailto:samueldg at arcoscom.com
msn: samueldg at arcoscom.com

Tlfn.: 956 70 13 15
Fax:   956 70 34 83


El Jue, 21 de Septiembre de 2006, 14:40, Marcelo Magno T. Sales escribió:
> Hi,
>
> This is a long e-mail but I hope that the answer for this problem, if
> there is one, will be useful for many people. First, some background
> information: here at work we have been using MS solutions for a long time,
> and for the last two years we have been migrating several services to
> Unix/Linux. For the last few months, I've been evaluating the feasibility
> of migrating workstations to Linux, but there's a problem with controlling
> Internet access that I've not been able to solve so far.
> We use MS ISA Server to restrict Internet access, by user and by
> application. For example, I can set it up so that user A can access HTTP
> servers and use instant messengers, while users from group B are allowed
> to access FTP servers and users from group C are forbidden any access
> (users and groups are stored in Active Directory).
> In order to work this way, ISA Server provides a client that is installed
> on the Windows workstations. This client intercepts all TCP/IP requests
> and redirects them to the ISA server, along with the credentials of the
> currently logged-in user. No additional configuration is needed in any
> application; they just "think" they are directly connected to the
> Internet.
> I need a way to do the same with Linux clients. It may be software that
> acts like the ISA Firewall Client, interoperating with MS ISA Server (this
> would be very useful during migration), or it may be an entirely
> Linux-based solution (preferred long-term solution).
>
> I've tried the following so far:
>
> 1. Configure applications to use ISA Server as the proxy server.
>    . Positive point: Firefox can do NTLM authentication and interoperates
>      well with ISA Server.
>    . Negative points: Many applications can't be configured to use
>      proxies. Those which can are not able to authenticate against ISA
>      Server. Even if they were, it would be necessary to configure each
>      application for each user.
>      In Firefox, the user has to retype his credentials every time he
>      opens the browser, and Java applets do not work (the JVM can't
>      authenticate against ISA Server).
>
> 2. Use NTLMAPS / APServer on the client side
>     . Positive point: Firefox can access the Internet using APServer
>       without requesting user credentials, and Java applets work fine.
>       APServer can do NTLM authentication and interoperates well with ISA
>       Server.
>     . Negative points: It's useful for HTTP access only. Other
>       applications suffer from the same problems described in the previous
>       solution. APServer is not user-friendly enough to be used by normal
>       users, and I can't configure it to start automatically (for that, I
>       would have to set it up with a user account that would not match the
>       currently logged-in user).
>
> 3. Use squid on the server side
>     . Positive point: HTTP access can be restricted by AD user accounts.
>       squid is able to authenticate users against AD.
>     . Negative points: It's another HTTP-only solution. squid's
>       capabilities for restricting access by group are limited. Special
>       browser configuration is required.
>
> 4. On the client side, use a script that creates iptables rules
>     dynamically when a user logs on, according to his credentials.
>     . Positive point: works for all applications. Works with ISA Server in
>       NAT mode as well as with a Linux-based NAT solution.
>     . Negative points: administration is a nightmare. It's difficult to
>       work with groups. The restrictions are enforced on the client side
>       and not on the server side, which lowers security. My network
>       spans an 800 km area, with many buildings. Each building has
>       support personnel who must have local root access to the
>       workstations in the building, but should not be able to set up
>       their own restrictions for Internet access. It's not possible to
>       prevent them from editing the local iptables rules, once they
>       have root privileges on the workstations.
>
> Is there a way to get the results I need using Linux clients?
>
> Thanks,
>
> Marcelo
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>
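A fuller version of the gateway-side approach suggested in the reply above, as an added example that is not code from the original mail: it puts the FORWARD chain on a deny-by-default policy, binds each client's IP to its MAC before handing it to a profile chain, and logs what gets dropped. The client list, the NONE profile and the DNS rules are constructed assumptions; only the HTTP/HTTP_MSN chains and ports come from the mail.

```shell
#!/bin/sh
# Gateway-side per-client Internet profiles on the FORWARD chain.
# Added example, not code from the original mail. The client list below is
# constructed sample data; replace it with the real IP/MAC/profile mapping.
# Default is a dry run that prints the iptables commands; run with
# IPT_CMD=iptables (as root, on the gateway) to apply them.

# Constructed mapping, one client per line: "<ip> <mac> <profile>".
# Profile NONE means the client gets no Internet access at all.
CLIENTS='
192.168.1.10 00:11:22:33:44:55 HTTP
192.168.1.11 00:11:22:33:44:66 HTTP_MSN
192.168.1.12 00:11:22:33:44:77 NONE
'

# Create the per-profile chains. Anything a chain does not ACCEPT falls
# back to FORWARD and ends in the DROP policy set below.
create_profiles() {
  ipt=$1
  "$ipt" -N HTTP
  "$ipt" -A HTTP -p udp --dport 53 -j ACCEPT        # DNS, or browsing fails
  "$ipt" -A HTTP -p tcp --dport 80 -j ACCEPT
  "$ipt" -N HTTP_MSN
  "$ipt" -A HTTP_MSN -p udp --dport 53 -j ACCEPT
  "$ipt" -A HTTP_MSN -p tcp --dport 80 -j ACCEPT
  "$ipt" -A HTTP_MSN -p tcp --dport 1863 -j ACCEPT  # MSN Messenger
}

# Build the whole FORWARD policy, using $1 as the iptables command.
build_rules() {
  ipt=$1
  "$ipt" -P FORWARD DROP   # deny by default; only what a profile allows gets out
  "$ipt" -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  create_profiles "$ipt"
  printf '%s\n' "$CLIENTS" | while read -r ip mac profile; do
    case "$profile" in
      ""|NONE) continue ;;   # blank line, or a client with no access
    esac
    # Match IP and MAC together, so a host that merely takes another
    # machine's IP does not inherit its profile (only meaningful on a
    # directly attached segment, where the gateway sees the real MAC).
    "$ipt" -A FORWARD -s "$ip" -m mac --mac-source "$mac" -j "$profile"
  done
  # Rate-limited log of what the DROP policy is about to discard.
  "$ipt" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DENY: "
}

build_rules "${IPT_CMD:-echo}"
```

The MAC match adds nothing once traffic has crossed another router (the gateway then sees the router's MAC), so in a multi-building network like the one described this needs to run on each building's own gateway; since enforcement lives there rather than on the workstations, local root on a workstation no longer changes the policy.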