LinuxQuestions.org
Old 10-29-2013, 08:18 AM   #1
Pyromanci
Linux server as network router with secondary authentication


Hello,

I have a rather complex network layout that, with some upcoming changes, needs some more security. I have been racking my brain now for more than a month trying to come up with a solution and just can't seem to figure one out.

I have 2 offices (1 corporate and 1 district) I look after and about 30 remote nodes, all connected together via a VPN network. With an upcoming change I have to put a second VPN network in place at all the locations. That VPN network goes to a different company. I have all the needed security changes figured out for all locations but 1. It's the corporate office.

What I'm looking at doing is placing a Linux server in between the VPN server (or just replacing the VPN server altogether with a Linux server) and the rest of the corporate office, so that all traffic coming from the VPN server will pass through it. This Linux server will act sort of like a proxy, where all traffic will have to authenticate itself except for port 80 and 443 traffic on the VPN.

I've seen setups similar to this in the past, but never needed to do it, so I didn't pay attention. I'm hoping someone has some advice on how to do this? I can provide a network diagram of everything up to this point if that helps.

Thanks.
 
Old 10-30-2013, 06:39 PM   #2
ericson007
Sounds like you are looking for something providing some sort of layer 7 filtering.

Have a look at some UTM devices or something like Untangle.

Untangle-type systems normally have things like captive portal and other nice features you can play around with.
 
Old 10-31-2013, 12:10 PM   #3
Pyromanci (Original Poster)
I was actually doing some more reading and found a way to set up a "captive portal" that uses iptables and a simple PHP site. Basically the Linux server is connected to the local LAN via eth0. Then the VPN server's LAN port is connected to the Linux server's eth1. Then the routing was set up on each device to go where it should.

Though I'm struggling with the iptables forwarding. Here are the iptables commands that were run.

Code:
# Mangle chain "internet": every packet that is not from the LAN side (eth0),
# not from lo, and not from a whitelisted MAC gets fwmark 99 (= unauthenticated).
iptables -N internet -t mangle
iptables -t mangle -A PREROUTING -j internet
iptables -t mangle -A internet -i eth0 -j RETURN
iptables -t mangle -A internet -i lo -j RETURN
# Exempted (authenticated) hosts, matched by source MAC
iptables -t mangle -A internet -m mac --mac-source D8:D3:85:E1:61:90 -j RETURN
iptables -t mangle -A internet -m mac --mac-source D8:D3:85:E1:61:92 -j RETURN
iptables -t mangle -A internet -m mac --mac-source 00:03:A0:89:CA:D6 -j RETURN
iptables -t mangle -A internet -m mac --mac-source 00:26:CB:7E:CC:B6 -j RETURN
iptables -t mangle -A internet -m mac --mac-source 00:26:CB:7E:CC:B2 -j RETURN
iptables -t mangle -A internet -m mac --mac-source 00:26:CB:7E:CC:B8 -j RETURN
iptables -t mangle -A internet -m mac --mac-source 00:26:CB:7E:CC:B9 -j RETURN
iptables -t mangle -A internet -m mac --mac-source 00:26:CB:7E:CC:BA -j RETURN
iptables -t mangle -A internet -j MARK --set-mark 99
# Unauthenticated HTTP is redirected to the captive-portal web server
iptables -t nat -A PREROUTING -m mark --mark 99 -p tcp --dport 80 -j DNAT --to-destination 192.168.9.205
# DNS is let through so a browser can resolve a name and hit the redirect;
# everything else that is still marked is dropped
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -t filter -A FORWARD -m mark --mark 99 -j DROP
# Services on the gateway itself (portal HTTP/HTTPS, DHCP, SSH)
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 68 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 67 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -m mark --mark 99 -j DROP
# Forwarding between the VPN side (eth1) and the LAN (eth0)
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Not in the posted set: without this rule, NEW connections from whitelisted
# hosts on eth1 are only forwarded if the FORWARD chain's policy happens to be ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Then I fired off
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward
but the Linux box is not forwarding the traffic as it should.
 
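Added example, not the original poster's code: a small POSIX shell script that builds the same kind of captive-portal gateway and gives the PHP login page a safe way to exempt a client after it has authenticated. The interface names eth0/eth1, the portal address 192.168.9.205 and the chain name `internet` are taken from the post above; the function names, the `IPT` dry-run variable and the pairing of IP with MAC are assumptions. It differs from the posted rules in two practical ways: exemptions are keyed on source IP plus MAC rather than MAC alone, and both values are syntax-checked before they reach iptables, so a string from a web form cannot be split into extra rule arguments. One caveat that applies to the posted setup as well: `-m mac` matches the layer-2 source on the ingress link, so if the VPN server routes (rather than bridges) client traffic onto eth1, every client packet carries the VPN server's MAC and per-client exemption has to key on the source IP instead.

```shell
#!/bin/sh
# Captive-portal gateway helpers (added example, not from the original post).
# Assumed names: LAN_IF, VPN_IF and PORTAL_IP default to the post's
# eth0, eth1 and 192.168.9.205. Run with IPT=echo to print the rules
# instead of loading them (or IPT="sudo iptables" from the portal).
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-eth1}"
PORTAL_IP="${PORTAL_IP:-192.168.9.205}"
CHAIN=internet   # mangle chain that classifies VPN-side hosts
MARK=99          # fwmark meaning "not yet authenticated"

# Strict syntax checks: these values come from the login page, and an
# unchecked string would be word-split into extra iptables arguments.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# One-time base ruleset (run once at boot).
install_base_rules() {
    $IPT -t mangle -N "$CHAIN"
    # Only frames arriving on the VPN side are classified; LAN and lo are trusted.
    $IPT -t mangle -A PREROUTING -i "$VPN_IF" -j "$CHAIN"
    # Exemptions are inserted at the top of $CHAIN; whatever falls through is marked.
    $IPT -t mangle -A "$CHAIN" -j MARK --set-mark "$MARK"
    # Unauthenticated HTTP is sent to the portal; DNS is allowed so the browser
    # can resolve a name and trigger that redirect. The DNAT'd request must also
    # be accepted before the generic DROP, whether the portal is local or on the LAN.
    $IPT -t nat -A PREROUTING -i "$VPN_IF" -m mark --mark "$MARK" -p tcp --dport 80 \
        -j DNAT --to-destination "$PORTAL_IP"
    $IPT -A INPUT -i "$VPN_IF" -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -i "$VPN_IF" -p tcp --dport 443 -j ACCEPT
    $IPT -A FORWARD -i "$VPN_IF" -m mark --mark "$MARK" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$VPN_IF" -m mark --mark "$MARK" -p tcp -d "$PORTAL_IP" --dport 80 -j ACCEPT
    $IPT -A FORWARD -i "$VPN_IF" -m mark --mark "$MARK" -j DROP
    # Exempted hosts may open connections into the LAN; the LAN may reach the VPN side.
    $IPT -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -j MASQUERADE
}

# Called by the portal after a successful login: exempt this IP/MAC pair by
# inserting a RETURN ahead of the MARK rule. Returns 1 on malformed input.
authorize_client() {
    mac=$1; ip=$2
    valid_mac "$mac" || { echo "authorize_client: bad MAC '$mac'" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "authorize_client: bad IP '$ip'" >&2; return 1; }
    $IPT -t mangle -I "$CHAIN" 1 -s "$ip" -m mac --mac-source "$mac" -j RETURN
}

# Logout / lease expiry: delete the matching exemption again.
deauthorize_client() {
    mac=$1; ip=$2
    valid_mac "$mac" || { echo "deauthorize_client: bad MAC '$mac'" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "deauthorize_client: bad IP '$ip'" >&2; return 1; }
    $IPT -t mangle -D "$CHAIN" -s "$ip" -m mac --mac-source "$mac" -j RETURN
}

# CLI: portal.sh install | allow MAC IP | deny MAC IP
case "${1:-}" in
    install) install_base_rules ;;
    allow)   authorize_client "$2" "$3" ;;
    deny)    deauthorize_client "$2" "$3" ;;
esac
```

The PHP site would call `allow`/`deny` through a sudoers entry restricted to this script, never by building an iptables command line itself; keeping the validation in the script means the rule arguments are fixed no matter what the web tier passes.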
Old 11-01-2013, 02:54 AM   #4
ericson007
Sorry mate, I cannot help much in terms of iptables. It is certainly not my strong point of the operating system.

I would refrain from giving advice on specific rules.
 
Old 11-04-2013, 12:10 PM   #5
Pyromanci (Original Poster)
I was finally able to get it. I had to play around with the subnets and routing inside the linux machine.
 