Hi everybody,

I've been using shorewall for 5 years now ( Thanks Tom again! ) and I've managed to get in a new challenge.

I need to control guests' internet access with an ID card based auth.

The web gui/auth system is ready, and I've moved to the IPSET part.

My idea is that when a client connects to the network a REDIRECT match will send the web (tcp 80) requests to the local machine.

Then the software side will add its IP and MAC to an IPSET macipmap list.

My idea is to add a preceding rule to the REDIRECT (above) using ACCEPT+ that allows traffic to net if it matches the IPSET list, then it will not pass on the redirect rule, so enabling user access.

The question is:

Will the ACCEPT+ action match the ip and mac from ipset list?

Do I need to put the list on maclist file?

Thank you all.

Paulo Cezar Cunha
www.ioerj.com.br

------------------------------------------------------------------------------
What Every C/C++ and Fortran developer Should Know!
Read this article and learn how Intel has extended the reach of its
next-generation tools to help Windows* and Linux* C/C++ and Fortran
developers boost performance applications - including clusters.
http://p.sf.net/sfu/intel-dev2devmay
On 5/20/11 12:18 PM, Paulo Cunha wrote:
> Hi everybody,
>
> I've been using shorewall for 5 years now ( Thanks Tom again! ) and I've
> managed to get in a new challenge.
>
> I need to control guests' internet access with an ID card based auth.
>
> The web gui/auth system is ready, and I've moved to the IPSET part.
>
> My idea is that when a client connects to the network a REDIRECT match
> will send the web (tcp 80) requests to the local machine.
>
> Then the software side will add its IP and MAC to an IPSET macipmap list.
>
> My idea is to add a preceding rule to the REDIRECT (above) using ACCEPT+
> that allows traffic to net if it matches the IPSET list, then it will
> not pass on the redirect rule, so enabling user access.
>
> The question is:
>
> Will the ACCEPT+ action match the ip and mac from ipset list?

Yes.

> Do I need to put the list on maclist file?

No.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On 05/20/2011 12:33 PM, Tom Eastep wrote:
> On 5/20/11 12:18 PM, Paulo Cunha wrote:
>> Hi everybody,
>>
>> I've been using shorewall for 5 years now ( Thanks Tom again! ) and I've
>> managed to get in a new challenge.
>>
>> I need to control guests' internet access with an ID card based auth.
>>
>> The web gui/auth system is ready, and I've moved to the IPSET part.
>>
>> My idea is that when a client connects to the network a REDIRECT match
>> will send the web (tcp 80) requests to the local machine.
>>
>> Then the software side will add its IP and MAC to an IPSET macipmap list.
>>
>> My idea is to add a preceding rule to the REDIRECT (above) using ACCEPT+
>> that allows traffic to net if it matches the IPSET list, then it will
>> not pass on the redirect rule, so enabling user access.
>>
>> The question is:
>>
>> Will the ACCEPT+ action match the ip and mac from ipset list?
>
> Yes.

Note that you will want loc:+setname[src,src] in the SOURCE column (assuming that your LAN zone is 'loc').

-Tom
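Putting Paulo's plan and Tom's two answers together, here is an added example (not code from the thread or from the Shorewall project). The set name portal_auth, the guest zone loc, the LAN 192.168.10.0/24 and the portal's local port 8080 are assumptions; the helper names are hypothetical.

```shell
#!/bin/sh
# Captive-portal pieces for the flow described in the thread (added example).
# Assumed: ipset "portal_auth" (macipmap), guest zone "loc", LAN
# 192.168.10.0/24, web portal listening on local port 8080.
SET=portal_auth
LAN=192.168.10.0/24

# One-time set creation, ipset 4.x syntax (on ipset 6.x the equivalent is:
# ipset create $SET bitmap:ip,mac range $LAN).
create_set() {
    ipset -N "$SET" macipmap --network "$LAN"
}

# The IP and MAC come from the web auth application, so they are checked
# against a strict pattern before they are ever placed on a command line.
valid_ip()  { echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
valid_mac() { echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; }

# Called by the portal after a successful ID-card login: adds the pair, so
# later packets from that IP *and* MAC match the ACCEPT+ rule below.
authorize_client() {
    ip=$1; mac=$2
    valid_ip "$ip" && valid_mac "$mac" || return 1
    ipset -A "$SET" "$ip,$mac"
}

# /etc/shorewall/rules fragment. ACCEPT+ with loc:+SET[src,src] matches the
# source IP and source MAC in the set and also exempts the connection from
# the REDIRECT that follows; unauthorised loc clients have tcp/80 sent to the
# portal on 8080. The loc->net policy must be REJECT or DROP, otherwise the
# ACCEPT+ gate is meaningless. MAC matching only works when the firewall
# sees the client's own frame (same L2 segment, no router in between).
shorewall_rules() {
    cat <<EOF
#ACTION    SOURCE                      DEST   PROTO   DEST PORT(S)
ACCEPT+    loc:+${SET}[src,src]        net
REDIRECT   loc                         8080   tcp     80
EOF
}
```

Run create_set once at boot (Shorewall's init extension script is a convenient place), and have the portal call authorize_client with the client's address pair after login.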
On 20/05/2011 20:18, Paulo Cunha wrote:
> I need to control guests' internet access with an ID card based auth.
>
> The web gui/auth system is ready, and I've moved to the IPSET part.

Hi,

I'm working on a simple "captive portal" also, and I see others have asked about this in the past also. Would you be kind enough to share any info on the (non secret) parts of your implementation and also any challenges/tips you encountered?

I think most captive portals are going to boil down to some kind of vlan emulation using iptables rules (either you are in or out), but it would be interesting to hear more success stories?

Have you considered doing any "per user" logging? I'm looking at conntrack marks plus NFLOG to read those marks and log stats?

Also I have been looking at hostapd offering 8021X access control on wired and wireless segments - the idea being that rather than have to repeatedly pass the captive portal login, the user can pass all that at the same time as connecting to the network. Hostapd has its own internal radius server and also it can use any external radius server (eg passing ID card credentials to freeradius or something else)

Additionally very recent squid has a feature to copy conntrack marks onto the proxied outbound connection - effectively this allows you to keep per user connection marking intact, despite the data moving through a proxy. The dnsmasq author is also kindly implementing the same functionality and it's available in a pre-release (that I need to test urgently)

Good luck - interested to hear how you get on?

Cheers

Ed W