Dynamic change of iptables rules using web interface
Hello,
Kerio WinRoute Firewall has one interesting feature. This feature allows inserting firewall rules based on the username that was used to log into the firewall's web interface. So the user enters his username and password into a web form, the firewall authenticates him against Active Directory and inserts predefined rules for the IP address the user logged in from.
My boss likes this feature so much, that I was charged to find or write linux equivalent.
I do not think that it is a very big problem, but it is also not a trivial task, especially because we are dealing with security.
In fact I used a similar system in my former job to limit access to the internet for specific IP or MAC addresses.
This system used a MySQL database, a web interface, one PHP script and one bash script. From the web interface I ran the bash script, and this script started the PHP script and then refreshed the firewall. The PHP script loaded from the MySQL database the IP addresses with a flag that denies internet access, and these IP addresses were written to a file called blacklist. Our firewall (shorewall) then denied internet access for the IP addresses listed in the blacklist file.
So I have some idea how the future application will work.
I suppose that the application should work this way:
The user points his browser to the firewall's web interface and enters his username and password into a web form. The firewall authenticates him/her, modifies the iptables rules to suit the user's IP address and inserts them.
I also need some script to delete the rules after a certain amount of inactivity from the user's IP address and when the user logs off or closes the browser.
The biggest problem I see is modifying the rules according to the user's IP address. I suppose that I will need some PHP script that will determine the user's IP address and then will run a bash script with the user's IP address as a parameter. This parameter will be inserted into the rules.
I'd like to ask you for your advice, experience and security suggestions.
Is there some already existing open source project that will solve my task?
Any recommendations are welcome.
Thanks for your posts.
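The part the post calls the biggest problem, a bash script that takes the client's IP address as a parameter and inserts or removes per-address iptables rules, and the inactivity reaper it also asks for, as an added example that is not part of the original post and not Kerio's or shorewall's code. It assumes a dedicated chain named AUTH_USERS that is jumped to from FORWARD (both names are assumptions), that the PHP side passes the address it read from `$_SERVER['REMOTE_ADDR']` as the single argument, and that `IPTABLES` can be pointed at something other than the real binary for testing. The sample chain listing at the bottom is constructed to show what the idle detection parses.

```bash
#!/bin/bash
# Added example (not from the original post): per-client firewall rules driven
# by a web login. Assumed layout: chain AUTH_USERS, reached from FORWARD, holds
# one "-s <ip> -j ACCEPT" rule per authenticated client.
set -eo pipefail

IPTABLES="${IPTABLES:-iptables}"   # override with a stub for dry runs/tests
CHAIN="${CHAIN:-AUTH_USERS}"        # assumed chain name

# Strict IPv4 check. The address originates from the client's TCP connection,
# but it still crosses a PHP -> shell boundary, so validate it again here and
# never let anything but a dotted quad reach an iptables command line.
validate_ipv4() {
    local ip="$1" oct='(0|[1-9][0-9]{0,2})' i
    local re="^$oct\\.$oct\\.$oct\\.$oct\$"
    [[ "$ip" =~ $re ]] || return 1
    for i in 1 2 3 4; do
        [ "${BASH_REMATCH[$i]}" -le 255 ] || return 1
    done
    return 0
}

# Insert the ACCEPT rule for one client. -C first, so a second login from the
# same address does not stack duplicate rules.
grant_access() {
    local ip="$1"
    validate_ipv4 "$ip" || { echo "refusing invalid address: $ip" >&2; return 2; }
    if ! "$IPTABLES" -C "$CHAIN" -s "$ip" -j ACCEPT 2>/dev/null; then
        "$IPTABLES" -I "$CHAIN" -s "$ip" -j ACCEPT
    fi
}

# Remove every ACCEPT rule for the client (logout, browser closed, idle).
revoke_access() {
    local ip="$1"
    validate_ipv4 "$ip" || { echo "refusing invalid address: $ip" >&2; return 2; }
    while "$IPTABLES" -C "$CHAIN" -s "$ip" -j ACCEPT 2>/dev/null; do
        "$IPTABLES" -D "$CHAIN" -s "$ip" -j ACCEPT
    done
}

# Idle detection uses the per-rule packet counters instead of a database:
# read "iptables -L CHAIN -v -n -x" output on stdin and print the source of
# every ACCEPT rule that has seen zero packets since the counters were last
# zeroed. Columns: pkts bytes target prot opt in out source destination.
idle_ips() {
    awk '$3 == "ACCEPT" && $1 == 0 { print $8 }'
}

# Run from cron every N minutes: revoke clients with no traffic in the last
# window, then zero the counters so the next window starts fresh. -L together
# with -Z lists and clears in one call, so no traffic is missed in between.
reap_idle() {
    local ip
    while read -r ip; do
        revoke_access "$ip"
    done < <("$IPTABLES" -L "$CHAIN" -Z -v -n -x | idle_ips)
}

# Constructed sample of the listing idle_ips parses: 10.0.0.5 is active,
# 10.0.0.7 has been silent for the whole window.
SAMPLE_LISTING='Chain AUTH_USERS (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     120    15330 ACCEPT     all  --  *      *       10.0.0.5             0.0.0.0/0
       0        0 ACCEPT     all  --  *      *       10.0.0.7             0.0.0.0/0'

case "${1:-}" in
    grant)  grant_access "$2" ;;
    revoke) revoke_access "$2" ;;
    reap)   reap_idle ;;
esac
```

Run it as `fwauth.sh grant <ip>` from the login handler, `fwauth.sh revoke <ip>` from the logout handler, and `fwauth.sh reap` from cron. The web server should not run as root: give it a sudoers entry limited to exactly these three invocations, and on the PHP side pass only `$_SERVER['REMOTE_ADDR']` after `filter_var(..., FILTER_VALIDATE_IP)` and through `escapeshellarg()`, so the shell-side check above is the second line of defence rather than the only one. `iptables -Z` clears the counters for the whole chain, so the reaper's window length is simply the cron interval.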