Linux server as network router with secondary authentication

Pyromanci · 10-29-2013, 08:18 AM

Hello,

I have a rather complex network layout. That with some up coming changes needs some more security. I have been racking my brain now for more then month trying to come up with a solution and just can't seem to figure one out.

I have 2 office's (1 corporate and 1 district) I look after and about 30 remote nodes. All connected together via a VPN network. With a up coming change I have to put a second VPN network in place at all the locations. That vpn network goes to a different company. I have all the needed security changes figured out for all locations but 1. It's the corporate office.

What I'm looking at doing is placing a linux server in between the VPN server (or just replacing the vpn server all together with a linux server) and the reset of the corporate office that all traffic coming from the VPN server will pass through. This linux server will act sort of like a proxy. Where all traffic will have to authenticate it's self except for port 80 and 443 traffic on the VPN.

I've seen setups similar to this in the past, but never needed to do it. So I didn't pay attention. I'm hoping someone has some advice on to do this? I can provide a network digram of everything up to this point if that helps.

Thanks.

ericson007 · 10-30-2013, 06:39 PM

Sounds like you are looking for somthing providing some sort of layer 7 filtering.

Have a look at some utm devices or something like untangle

Untangle type systems normally have things like captive portal and other nice features you can play around with.

Pyromanci · 10-31-2013, 12:10 PM

I was actually doing some more reading and found a way to set up a "capture portal" that uses IP tables and a simple php site. Basically the linux's server is connected to the local lan via eth0. Then VPN Server is Lan port is connected to the Linux's servers eth1. The the routing was setup in each device to go to where it should.

Though I'm struggling with the IPtables forwarding. Here is the iptables commands that were run.

Code:

iptables -N internet -t mangle
iptables -t mangle -A PREROUTING -j internet
iptables -t mangle -A internet -i eth0 -j RETURN
iptables -t mangle -A internet -i lo -j RETURN
iptables -t mangle -A internet -m mac --mac-source D8:D3:85:E1:61:90 -j RETURN
iptables -t mangle -A internet -m mac --mac-source D8:D3:85:E1:61:92 -j RETURN
iptables -t mangle -A internet -m mac --mac-source 00:03:A0:89:CA:D6 -j RETURN
iptables -t mangle -A internet -m mac --mac-source 00:26:CB:7E:CC:B6 -j RETURN
iptables -t mangle -A internet -m mac --mac-source 00:26:CB:7E:CC:B2 -j RETURN
iptables -t mangle -A internet -m mac --mac-source 00:26:CB:7E:CC:B8 -j RETURN
iptables -t mangle -A internet -m mac --mac-source 00:26:CB:7E:CC:B9 -j RETURN
iptables -t mangle -A internet -m mac --mac-source 00:26:CB:7E:CC:BA -j RETURN
iptables -t mangle -A internet -j MARK --set-mark 99
iptables -t nat -A PREROUTING -m mark --mark 99 -p tcp --dport 80 -j DNAT --to-destination 192.168.9.205
iptables  -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -t filter -A FORWARD -m mark --mark 99 -j DROP
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 68 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 67 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -m mark --mark 99 -j DROP
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Then i fired off

Code:

echo "1" > /proc/sys/net/ipv4/ip_forward

but the linux box is not forwarding the traffic as it should.

ericson007 · 11-01-2013, 02:54 AM

Sorry mate, i cannot help much in terms of iptables. It is certainly not my strong point of the oprating system.

I would refrain from giving advice on specific rules.

Pyromanci · 11-04-2013, 12:10 PM

I was finally able to get it. I had to play around with the subnets and routing inside the linux machine.