Re: Controlling Internet access by users/groups
- From: Samuel Díaz García <samueldg arcoscom com>
- To: "For users of Fedora Core releases" <fedora-list redhat com>
- Subject: Re: Controlling Internet access by users/groups
- Date: Thu, 21 Sep 2006 15:02:09 +0200 (CEST)
Perhaps it is a poor solution, but if you could assign a MAC or IP address to each user in
some form, you could use iptables/ebtables on the gateway machine to allow
For example, you can define chains for different purposes/Internet access
types and, in the FORWARD chain, use the source/destination MAC or IP to allow the
access associated with that type of user.
For example, using one IP per user, you can use something like:
# Create the per-profile chains first; iptables rejects a jump (-j) to a chain
# that does not exist yet.
iptables -N HTTP
iptables -N HTTP_MSN
iptables -A HTTP -p tcp --dport 80 -j ACCEPT
iptables -A HTTP_MSN -p tcp --dport 80 -j ACCEPT
iptables -A HTTP_MSN -p tcp --dport 1863 -j ACCEPT
# Let replies to already-permitted connections through, then send each
# client's new connections to the chain for its access profile.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s <client_a_ip> -j <client_a_chain>
iptables -A FORWARD -s <client_b_ip> -j <client_b_chain>
Perhaps by taking a look at the iptables documents/how-to's you can get an
idea of how to do that.
Samuel Díaz García
ArcosCom Wireless, S.L.L.
c/ Romero Gago, 19
Arcos de la Frontera
11630 - Cadiz
mailto:samueldg arcoscom com
msn: samueldg arcoscom com
Tel.: 956 70 13 15
Fax: 956 70 34 83
On Thu, 21 September 2006, 14:40, Marcelo Magno T. Sales wrote:
> This is a long e-mail but I hope that the answer for this problem, if
> there is one, will be useful for many people. First, some background information:
> Here at work we have been using MS solutions for a long time, and for the past two
> years we have been migrating several services to Unix/Linux. For the
> last few months, I've been evaluating the feasibility of migrating
> workstations to Linux, but there's a problem with controlling Internet
> access that I've not been able to solve so far.
> We use MS ISA server to restrict Internet access, by user and by
> For example, I can set it up so that user A can access HTTP servers and
> instant messengers, while users from group B are allowed to access FTP
> servers and users from group C are forbidden any access (users and groups
> stored in Active Directory).
> In order to work this way, ISA Server provides a client that is installed on
> the Windows workstations. This client intercepts all TCP/IP requests and
> redirects them to the ISA server, along with the credentials of the
> logged-in user. No additional configuration is needed in any application;
> they just "think" they are directly connected to the Internet.
> I need a way to do the same with Linux clients. It may be a software that
> like the ISA Firewall Client, interoperating with MS ISA Server (this
> be very useful during migration), or it may be an entirely Linux based
> solution (preferred long term solution).
> I've tried the following so far:
> 1. Configure applications to use ISA Server as the proxy server.
> . Positive point: Firefox can do NTLM authentication and interoperates
> with ISA Server.
> . Negative points: Many applications can't be configured to use
> Those which can are not able to authenticate against ISA Server.
> Even if they were, it would be necessary to configure each
> for each user.
> In Firefox, the user has to retype his credentials every time he
> opens the browser, and Java applets do not
> work (the JVM can't authenticate against ISA Server).
> 2. Use NTLMAPS / APServer on the client side
> . Positive point: Firefox can access Internet using APServer without
> requesting user credentials and java applets work fine. APServer can
> do NTLM authentication and interoperates well with ISA Server.
> . Negative points: It's useful for HTTP access only. Other
> suffer from the same problems described in the previous solution.
> APServer is not user-friendly enough to be used by normal users
> and I can't configure it to start automatically (for that, I would
> to set it up with a user account that would not match the current
> 3. Use squid on the server side
> . Positive point: HTTP access can be restricted by AD user accounts.
> squid is able to authenticate users against AD.
> . It's another HTTP-only solution. squid's capabilities for restricting
> access by group are limited. Browser special configuration is
> 4. On the client side, use a script that creates iptables rules
> when a user logs on, according to his credentials.
> . Positive point: works for all applications. Works with ISA Server in
> NAT mode as well as with a Linux based NAT solution.
> . Negative points: administration is a nightmare. It's difficult to
> with groups. The restrictions are enforced on the client side and
> not on the server side, which lowers security. My network
> spans an 800 km area, with many buildings. Each building
> has support personnel who must have local root access to the
> workstations in the building, but should not be able to set up
> their own restrictions for Internet access. It's not possible to
> prevent them from editing the local iptables rules, once they
> have root privileges at the workstations.
> Is there a way to get the results I need using Linux clients?
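As an added example (not code from Samuel's post, nor from Marcelo's setup), here is a small POSIX shell script that builds the gateway-side per-user FORWARD layout Samuel sketches from a table of fixed IPs and access profiles. The addresses (the 192.0.2.0/24 documentation range), the profile names, the table itself and the `emit` dry-run hook are constructed for the example. It also goes a little beyond the post: FORWARD gets a DROP policy so an unlisted host gets nothing rather than everything, the web profiles include port 443, each address is validated before it reaches iptables, and what the policy drops is logged (rate-limited) so an unregistered or misconfigured workstation shows up in the gateway logs. Since the address is the only identity the gateway sees, the scheme is only as strong as the address assignment; a workstation whose address can be changed locally inherits whatever profile that address has, which is the same trust problem Marcelo raises for client-side rules.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds the gateway-side
# per-user FORWARD layout from a small "IP profile" table.
# IPT is the command the rules are handed to: iptables by default, or the
# emit function below to print them for review instead of applying them.

IPT="${IPT:-iptables}"

# Dry-run hook: print the arguments that would have gone to iptables.
emit() {
    printf '%s\n' "$*"
}

# Constructed sample table (assumption: each user has one fixed IP, e.g. a
# static DHCP lease). The profile column names one of the chains created in
# setup_chains; NONE is an empty chain, so that user falls through to DROP.
USER_MAP='192.0.2.10 HTTP
192.0.2.11 HTTP_MSN
192.0.2.12 NONE'

# Accept only a dotted-quad IPv4 address, so a bad table line cannot smuggle
# extra iptables arguments into the rule.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Create the profile chains before anything jumps to them; iptables rejects a
# -j to a chain that does not exist yet. FORWARD defaults to DROP so a host
# without a rule gets nothing rather than everything.
setup_chains() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -N HTTP
    $IPT -A HTTP -p tcp --dport 80 -j ACCEPT
    $IPT -A HTTP -p tcp --dport 443 -j ACCEPT
    $IPT -N HTTP_MSN
    $IPT -A HTTP_MSN -p tcp --dport 80 -j ACCEPT
    $IPT -A HTTP_MSN -p tcp --dport 443 -j ACCEPT
    $IPT -A HTTP_MSN -p tcp --dport 1863 -j ACCEPT
    $IPT -N NONE
}

# Read "ip profile" lines from stdin and add one FORWARD jump per user.
# Malformed lines are reported and skipped; the return code is 1 if any were.
add_user_rules() {
    rc=0
    while read -r ip profile; do
        [ -z "$ip" ] && continue
        if ! valid_ipv4 "$ip"; then
            echo "skipping malformed address: $ip" >&2
            rc=1
            continue
        fi
        case "$profile" in
            HTTP|HTTP_MSN|NONE) $IPT -A FORWARD -s "$ip" -j "$profile" ;;
            *) echo "unknown profile for $ip: $profile" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Log (rate-limited) what the DROP policy is about to discard, so an
# unregistered or misconfigured workstation is visible in the gateway logs.
log_unmatched() {
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

main() {
    setup_chains
    printf '%s\n' "$USER_MAP" | add_user_rules
    log_unmatched
}

# Only load rules when invoked with "apply":  sh peruser-fw.sh apply
# (IPT=emit sh peruser-fw.sh apply prints them instead of applying them).
if [ "${1:-}" = apply ]; then
    main
fi
```

Packets that a profile chain does not ACCEPT return to FORWARD, pass the LOG rule and are then discarded by the DROP policy, so the per-user chains only ever need to list what is allowed. The table would normally be generated from whatever assigns the addresses (the DHCP configuration, for instance) rather than kept by hand in the script.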