Access Control Firewall
I am looking for a way to control access through a firewall based on an external script. In the past I have used squid as a transparent proxy through shorewall with an external_acl.
This way seems too complex. Is there any program out there that can use an external script, similar to external_acl in squid, to do access control? I was looking in shorewall, but all I see is MAC control, and no way to redirect to an authentication website running on the router if the MAC check fails. Does anyone know of a way I can do this?
To REDIRECT, make a chain in the nat table specially for the MAC check and make the last rule a REDIRECT.
If you are controlling M$ clients, you can set up squid for auth_ntlm. The clients will then silently auth to a domain controller/samba using their login credentials. Closing the browser will close the auth session.
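The chain this reply describes, written out as a shell script. This is an added example and not code from the thread; the LAN interface eth1, the chain name portal_auth, the portal port 8080 and the allow-list path /etc/portal/allowed_macs are assumptions, and DRY_RUN=1 prints the iptables commands instead of running them (running them needs root).

```shell
#!/bin/sh
# Added example, not from the thread: a nat-table chain that RETURNs
# for every MAC on an allow list and ends in a REDIRECT to a portal on
# the router.  Hypothetical names: LAN interface eth1, chain portal_auth,
# portal on the router's port 8080, allow list /etc/portal/allowed_macs
# (one MAC per line, '#' starts a comment).  DRY_RUN=1 prints the
# iptables commands instead of executing them (executing needs root).

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"
PORTAL_PORT="${PORTAL_PORT:-8080}"
CHAIN="${CHAIN:-portal_auth}"
ALLOW_FILE="${ALLOW_FILE:-/etc/portal/allowed_macs}"
DRY_RUN="${DRY_RUN:-0}"

# Run one iptables command, or print it when dry-running.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# Only a well-formed MAC ever reaches the iptables command line.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Rebuild the chain from the allow list read on stdin.
build_chain() {
    ipt -t nat -N "$CHAIN" 2>/dev/null   # fails harmlessly if it already exists
    ipt -t nat -F "$CHAIN"
    while IFS= read -r line; do
        mac=$(printf '%s\n' "${line%%#*}" | tr -d '[:space:]')
        [ -z "$mac" ] && continue
        if ! valid_mac "$mac"; then
            echo "skipping malformed MAC: $mac" >&2
            continue
        fi
        # known client: leave the chain, so no redirect happens
        ipt -t nat -A "$CHAIN" -m mac --mac-source "$mac" -j RETURN
    done
    # last rule: anyone still here is unknown, send them to the portal
    ipt -t nat -A "$CHAIN" -p tcp --dport 80 -j REDIRECT --to-ports "$PORTAL_PORT"
    # hook the chain into PREROUTING for LAN web traffic; delete first so
    # re-running the script does not stack duplicate jumps
    ipt -t nat -D PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j "$CHAIN" 2>/dev/null
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j "$CHAIN"
}

# "apply" builds the chain from the allow-list file; with no argument
# (for instance when sourced) only the functions are defined.
if [ "${1:-}" = apply ] && [ -r "$ALLOW_FILE" ]; then
    build_chain < "$ALLOW_FILE"
fi
```

Two caveats a practitioner should keep in mind: the mac match only sees hosts on the directly attached segment and any client can copy a listed MAC, and a REDIRECT in the nat table only catches new port-80 connections, so blocking the rest of an unknown client's traffic still needs matching DROP rules in the filter table's FORWARD chain.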
Is there a way to make the redirect dynamic? What I really want to be able to do is have a php script that checks the source and destination and chooses whether to redirect, accept, or deny based on those.
Is there a way to set up a chain to do this?
Sure, that's always possible, with a few security caveats.
The iptables rules can be loaded, added, and removed dynamically. That could be scripted via php or perl from a webpage on the firewall or remotely. Rules need to be operated on as the root user, which is the security risk: allowing a script that much privilege. A typical example would be only allowing web access to users that have dhcp leases in group "web". Have a look at the iptables tutorial for a broad overview of what's controllable. There's also the netfilter patch-o-matic system to build even more features.
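The dynamic part of this reply, and the privilege caveat it raises, as an added example that is not code from the thread: a small root-side helper that the PHP or Perl page calls through sudo to grant or revoke one client, so the web user never runs iptables itself. The chain name portal_auth, the helper path /usr/local/sbin/portal-ctl and the sudoers line in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the root-side helper behind a
# dynamic allow list.  The web page (PHP, Perl, ...) decides from the
# client's source MAC and requested destination whether to grant or
# revoke, then calls this helper through sudo.  The web user never gets
# a general root shell; the only thing sudo lets it do is add or delete
# one RETURN rule in one chain.  Hypothetical sudoers line:
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/portal-ctl
# Chain name portal_auth and the helper's path are assumptions.
# DRY_RUN=1 prints the iptables command instead of running it.

IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-portal_auth}"
DRY_RUN="${DRY_RUN:-0}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# Strict syntax checks: these strings originate from an untrusted client.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}
valid_ip4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# portal_ctl grant|revoke MAC [DEST_IP]
#   grant  : insert a RETURN at the top of the chain, ahead of the
#            final REDIRECT, optionally limited to one destination
#   revoke : delete exactly that rule again
# Anything else, or malformed input, is refused with status 2.
portal_ctl() {
    action="$1"; mac="${2:-}"; dst="${3:-}"
    valid_mac "$mac" || { echo "portal-ctl: bad MAC" >&2; return 2; }
    set -- -m mac --mac-source "$mac"
    if [ -n "$dst" ]; then
        valid_ip4 "$dst" || { echo "portal-ctl: bad destination" >&2; return 2; }
        set -- "$@" -d "$dst"
    fi
    case "$action" in
        grant)  ipt -t nat -I "$CHAIN" 1 "$@" -j RETURN ;;
        revoke) ipt -t nat -D "$CHAIN" "$@" -j RETURN ;;
        *)      echo "usage: portal-ctl grant|revoke MAC [DEST_IP]" >&2; return 2 ;;
    esac
}

# Installed as /usr/local/sbin/portal-ctl it is run with arguments;
# with none (for instance when sourced) it only defines the functions.
if [ $# -gt 0 ]; then
    portal_ctl "$@"
fi
```

The web script looks up the client's MAC from the router's ARP table for the requesting IP and runs something like sudo /usr/local/sbin/portal-ctl grant MAC, passing the value through escapeshellarg or its equivalent; the helper re-validates it anyway, because the sudoers entry is the real trust boundary. There is no separate "deny" action: a client without a RETURN rule already falls through to the chain's closing REDIRECT. Note that nat rules are consulted only for the first packet of a connection, so a client's already-open connections keep their old mapping until they close; only new ones see the changed rule.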