100 jamz tech support
2002-Aug-23 16:59 UTC
[Shorewall-users] want to open access through firewall via login
I want to do the following:

Have a shorewall box with 2 nics.

eth0 goes to internet.

eth1 goes to a wireless access point.

run dhcp server, web server and mysql server on shorewall box.

Any wireless user coming up in range of the access point is assigned an ip address (say 192.168.xxx.xxx) from the dhcp server.

At this point, this user should be able to browse web sites on the shorewall box (or another box connected to eth1) and probably other such users.

By going to a particular page on the shorewall box (say https://192.168.xxx.1/usrmgr/index.html) they should be able to log in with a previously established userid and password.

Upon login, shorewall should be adjusted to allow them access to the internet and their login time should be noted.

When they are done, they should go back to the same page and logout. This would then close down their access to the net and record their logout time.

I think I have this working in a rudimentary fashion now, but I want to have advice/help in making it better.

Right now, logging in or out writes files in a temp directory. A cron script processes these files and writes a hosts file and then restarts shorewall.

The restart takes too long; also, access is not opened as soon as the user logs in, but only when the cron script is run. I would rather do this in another way.

I guess I would really like to figure out how to only allow access to the shorewall box for dhcp and http(s) for users on eth1 and then add a rule to allow internet access upon login and to remove the rule on log out.

Any help would be greatly appreciated. If anyone wants to have what I have done so far, let me know. I will eventually release it all, probably under the gpl. (I will release under the gpl unless some of the stuff I started with prevents it.)

all the best,

drew
Harish Pillay
2002-Aug-23 17:28 UTC
[Shorewall-users] want to open access through firewall via login
Drew - What you describe is done more or less as is with the nocat package (nocat.net). I have it working with shorewall with no problems. You can of course tweak the iptables rules in the nocat package to suit your specific requirements as listed below.

HTH.

Harish

On Fri, Aug 23, 2002 at 12:59:11PM -0400, 100 jamz tech support wrote:
> I want to do the following:
>
> Have a shorewall box with 2 nics.
>
> eth0 goes to internet.
>
> eth1 goes to a wireless access point.
>
> run dhcp server, web server and mysql server on shorewall box.
>
> Any wireless user coming up in range of the access point is assigned an ip address (say 192.168.xxx.xxx) from the dhcp server.
>
> At this point, this user should be able to browse web sites on the shorewall box (or another box connected to eth1) and probably other such users.
>
> By going to a particular page on the shorewall box (say https://192.168.xxx.1/usrmgr/index.html) they should be able to log in with a previously established userid and password.
>
> Upon login, shorewall should be adjusted to allow them access to the internet and their login time should be noted.
>
> When they are done, they should go back to the same page and logout. This would then close down their access to the net and record their logout time.
>
> I think I have this working in a rudimentary fashion now, but I want to have advice/help in making it better.
>
> Right now, logging in or out writes files in a temp directory. A cron script processes these files and writes a hosts file and then restarts shorewall.
>
> The restart takes too long; also, access is not opened as soon as the user logs in, but only when the cron script is run. I would rather do this in another way.
>
> I guess I would really like to figure out how to only allow access to the shorewall box for dhcp and http(s) for users on eth1 and then add a rule to allow internet access upon login and to remove the rule on log out.
>
> Any help would be greatly appreciated. If anyone wants to have what I have done so far, let me know. I will eventually release it all, probably under the gpl. (I will release under the gpl unless some of the stuff I started with prevents it.)
>
> all the best,
>
> drew
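Drew's wish to add a rule at login and remove it at logout, instead of rewriting a hosts file and restarting shorewall, can be done with one iptables rule per client; the shell functions below are an added example, not code from either poster, from shorewall or from nocat. They assume a user chain named portal_auth that the firewall already jumps to for eth1-to-eth0 forwarded traffic, and a log file path; the chain, interface names and the portal_login/portal_logout function names are all hypothetical.

```shell
# Added example, not code from the thread: open or close one wireless client's
# path to the internet by adding or removing a single iptables rule in a
# dedicated chain, instead of restarting shorewall on each login. Assumption:
# the chain portal_auth exists and the eth1->eth0 path jumps to it (hypothetical).
IPTABLES="${IPTABLES:-iptables}"   # overridable, e.g. for dry runs
CHAIN="${CHAIN:-portal_auth}"
WIFI_IF="${WIFI_IF:-eth1}"
INET_IF="${INET_IF:-eth0}"
LOGFILE="${LOGFILE:-/var/log/portal-sessions.log}"

# Only a well-formed dotted quad may be spliced into an iptables command line.
valid_ipv4() {
    case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Six colon-separated hex pairs, the form iptables' --mac-source expects.
valid_mac() {
    h='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in $h:$h:$h:$h:$h:$h) return 0 ;; *) return 1 ;; esac
}

# One rule spec shared by add and delete, so the two can never drift apart;
# binding the client IP to the MAC seen at login makes address hopping harder.
rule_spec() {
    printf '%s' "$CHAIN -i $WIFI_IF -o $INET_IF -s $1 -m mac --mac-source $2 -j ACCEPT"
}

# record EVENT USER IP MAC: append a timestamped (UTC) session line.
record() {
    printf '%s %s user=%s ip=%s mac=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$@" >> "$LOGFILE"
}

# portal_login IP MAC USER: validate, drop any stale copy of the rule so a
# page reload cannot stack duplicates, append a fresh one, note the time.
portal_login() {
    valid_ipv4 "$1" && valid_mac "$2" || return 1
    $IPTABLES -D $(rule_spec "$1" "$2") 2>/dev/null || true
    $IPTABLES -A $(rule_spec "$1" "$2") || return 1
    record LOGIN "$3" "$1" "$2"
}

# portal_logout IP MAC USER: remove the rule, so access closes at once.
portal_logout() {
    valid_ipv4 "$1" && valid_mac "$2" || return 1
    $IPTABLES -D $(rule_spec "$1" "$2") || return 1
    record LOGOUT "$3" "$1" "$2"
}
```

The login page's CGI would call portal_login IP MAC USER and the logout page portal_logout with the same arguments; since a shorewall restart flushes every chain, open sessions recorded in the log must be re-added after one.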