This is a discussion on Internet Access within the Linux Security forums, part of the System Security and Security Related category.

Hi,
Don't know if this is the correct place to post to but here goes:

I have a little network set up as follows:

Linux Red Hat (acting as Gateway(Firewall),DHCP,DNS)
Windows 2000 Server (Active Directory)
Windows 2000 Server (Exchange 2000)

My questions are probably answered somewhere else, but I have been searching and couldn't find anything relevant.

Here Goes:

1. How do I restrict Internet Access?
Currently as is anyone plugs in, gets an IP from DHCP and then gets out to net. I would like to make sure that they are logged on the domain/directory first.

2. How do I monitor Traffic on my Gateway? As well as restrict things?
Kazaa kills my bandwidth, I also would like to do something like QOS on the box?

3. How do I allow certain services to pass thru Gateway?
I currently have two NICS in the mail server (1 internal and 1 external), would also like web to get thru. The gateway has a simple chain running that allows all out but nothing in:

    root at linux# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    root at linux# echo 1 > /proc/sys/net/ipv4/ip_forward
    root at linux# iptables -N block
    root at linux# iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    root at linux# iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
    root at linux# iptables -A block -j DROP
    root at linux# iptables -A INPUT -j block
    root at linux# iptables -A FORWARD -j block

I'm fairly new at this stuff, so please any help would really be appreciated.

Thank You
Craig

On Wed, 07 Jul 2004 23:40:52 -0700, Craig Boltman wrote:
> Hi,
>
> Don't know if this is the correct place to post to but here goes:
>
> I have a little network set up as follows:
>
> Linux Red Hat (acting as Gateway(Firewall),DHCP,DNS)
> Windows 2000 Server (Active Directory)
> Windows 2000 Server (Exchange 2000)
>
> My questions are probably answered somewhere else, but I have been
> searching and couldn't find anything relevant.
>
> Here Goes:
>
> 1. How do I restrict Internet Access?
> Currently as is anyone plugs in, gets an IP from DHCP and then gets
> out to net. I would like to make sure that they are logged on the
> domain/directory first.

Not too sure how to make sure that they are logged on the domain but you can restrict through iptables using MAC addresses or through DHCP by using static ip's (MAC again).

> 2. How do I monitor Traffic on my Gateway? As well as restrict things?
> Kazaa kills my bandwidth, I also would like to do something like QOS
> on the box?

All that can also be done through iptables, refuse all traffic then only allow traffic you want to go out. You can also QOS and log requests to the net.

> 3. How do I allow certain services to pass thru Gateway?
> I currently have two NICS in the mail server (1 internal and 1
> external), would also like web to get thru. The gateway has a simple
> chain running that allows all out but nothing in:
> root at linux# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> root at linux# echo 1 > /proc/sys/net/ipv4/ip_forward
> root at linux# iptables -N block
> root at linux# iptables -A block -m state --state ESTABLISHED,RELATED
> -j ACCEPT
> root at linux# iptables -A block -m state --state NEW -i ! eth0 -j
> ACCEPT
> root at linux# iptables -A block -j DROP
> root at linux# iptables -A INPUT -j block
> root at linux# iptables -A FORWARD -j block

You might want to have a look at shorewall, it will greatly simplify iptables for you.

> I'm fairly new at this stuff, so please any help would really be
> appreciated.
>
> Thank You
> Craig

Ed.

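The approach Ed describes (refuse everything on the gateway, then allow only known MACs and only the services you want, and log the rest) as a worked example. This is an added script, not code from the thread or from shorewall; eth0 is the outside interface as in Craig's post, while eth1, the LAN range, the mail server address, the MAC list and the port list are constructed placeholders. It also answers question 3 by forwarding SMTP and HTTP from outside to the internal server. Bear in mind that a client can change its own MAC address, so the allow-list identifies machines you have seen before rather than proving who is logged on; it is a filter, not authentication.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny FORWARD policy on the
# Red Hat gateway. Only allow-listed MACs get out, only to listed services,
# refusals are logged, and SMTP/HTTP from the outside are DNATed to an
# internal server. All addresses and names except eth0 are constructed.
WAN_IF="eth0"                 # external interface, as in the original post
LAN_IF="eth1"                 # assumed internal interface
LAN_NET="192.168.1.0/24"      # constructed LAN range
MAIL_SERVER="192.168.1.10"    # constructed address of the internal mail/web box
ALLOWED_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"   # constructed allow-list
ALLOWED_TCP_PORTS="25 80 110 143 443"                # outbound TCP services permitted

# Print the rule set instead of running it, so it can be reviewed or diffed first.
# Assumes an empty FORWARD chain and nat table (INPUT is left alone).
emit_rules() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"

    # svc_out: services a registered host may open; everything else is logged and dropped.
    echo "iptables -N svc_out"
    for port in $ALLOWED_TCP_PORTS; do
        echo "iptables -A svc_out -p tcp --dport $port -j ACCEPT"
    done
    echo "iptables -A svc_out -p udp --dport 53 -j ACCEPT"
    echo "iptables -A svc_out -m limit --limit 5/min -j LOG --log-prefix 'FWD-DENY-SVC: '"
    echo "iptables -A svc_out -j DROP"

    # mac_check: only allow-listed source MACs reach svc_out; unknown MACs are logged and dropped.
    echo "iptables -N mac_check"
    for mac in $ALLOWED_MACS; do
        echo "iptables -A mac_check -m mac --mac-source $mac -j svc_out"
    done
    echo "iptables -A mac_check -m limit --limit 5/min -j LOG --log-prefix 'FWD-DENY-MAC: '"
    echo "iptables -A mac_check -j DROP"

    # FORWARD: replies first, then inbound SMTP/HTTP to the server (rewrite the
    # destination in nat, then explicitly permit the new flow), then new LAN->WAN
    # flows through the MAC check, then drop whatever is left.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in 25 80; do
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $port -j DNAT --to-destination $MAIL_SERVER:$port"
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $MAIL_SERVER --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m state --state NEW -j mac_check"
    echo "iptables -A FORWARD -j DROP"
}

# Feed the reviewed rules to a shell; only runs when invoked as "./gw-rules.sh apply".
apply_rules() {
    emit_rules | sh -e
}

# Number of iptables commands that would be issued; a quick sanity check.
rule_count() {
    emit_rules | grep -c '^iptables'
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it without arguments (or `sh gw-rules.sh | less`) to read the rules that would be installed; denied flows show up in the kernel log with the FWD-DENY-MAC and FWD-DENY-SVC prefixes, which answers the "how do I monitor" part without any extra tooling.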
cboltman@nashuaconnect.com (Craig Boltman) writes:
> Hi,
>
> Don't know if this is the correct place to post to but here goes:
>
> I have a little network set up as follows:
>
> Linux Red Hat (acting as Gateway(Firewall),DHCP,DNS)
> Windows 2000 Server (Active Directory)
> Windows 2000 Server (Exchange 2000)
>
> My questions are probably answered somewhere else, but I have been
> searching and couldn't find anything relevant.
>
> Here Goes:
>
> 1. How do I restrict Internet Access?
> Currently as is anyone plugs in, gets an IP from DHCP and then gets
> out to net. I would like to make sure that they are logged on the
> domain/directory first.
>

I'll take a stab at this one, as I do something similar at $DAYJOB for our guest user/wireless LAN.

First, the theory: What you want to do is set up 2 address ranges for DHCP - one that has no access to the Internet which gives out addresses to anyone, and one that has full (or whatever) access but only gives out addresses to known MACs. You also want to run a DNS server that is going to pretend to be the root server, so *any* requested address will resolve to your gateway. That way, when someone plugs in, they get an address but when they attempt to browse to any website, they will get a login page on your gateway. Once they log in, you add their MAC to the "known" list and restart the DHCP server. The user does a reboot (or release/refresh the DHCP lease, if s/he has a clue) and now has an address which your firewall will let through.

For example, if your net is 192.168.1/24, use (for example) a /27 (.1-.30) for the unregistered MACs, then a /25 (.129-.254) for registered/logged-in hosts.

The NetReg package from Southwestern University (http://www.netreg.org/) was designed to do this. It consists of the scripts needed to update the DHCP config file, as well as instructions on how to get it all working. Check it out.

I'm going to let someone else answer the other parts, 'cause I'm too lazy at the moment to think that carefully about it, and don't want to give you bogus information.

--
Henry Stilmack, CISSP
Email to hps (at) shangri-la (dot) cx
Registered Linux User #324965

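The DHCP half of Henry's scheme, as an added example: two pools in ISC dhcpd.conf, one that hands out the registered range only to clients with a host declaration (what dhcpd calls "known-clients") and a quarantine pool with short leases and a captive resolver for everyone else, plus a registration routine that appends a MAC and re-renders the file. This is not NetReg's code; the addresses follow the /27 and /25 split from the post but are constructed, the known-MAC file path and the captive resolver address are assumptions, and restarting dhcpd after re-rendering is left to the caller.

```shell
#!/bin/sh
# Added example (not NetReg's own scripts): render an ISC dhcpd.conf with a
# registered pool and a quarantine pool, keyed on a file of known MACs.
# Addresses are constructed; the .2-.30 quarantine range and .129-.254
# registered range follow the split suggested in the post.
LAN_NET="192.168.1.0"
LAN_MASK="255.255.255.0"
GATEWAY="192.168.1.1"
REAL_DNS="192.168.1.1"          # assumed: the gateway's ordinary resolver
CAPTIVE_DNS="192.168.1.62"      # assumed: the "pretend root" resolver's address
KNOWN_MACS_FILE="${KNOWN_MACS_FILE:-/etc/dhcpd.known-macs}"   # assumed path, one MAC per line

# Accept only a well-formed lower-case MAC, so a registration form cannot
# smuggle arbitrary text into dhcpd.conf.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Add a MAC to the known list (idempotent). Returns 1 on a malformed MAC.
register_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    valid_mac "$mac" || return 1
    touch "$KNOWN_MACS_FILE"
    grep -qx "$mac" "$KNOWN_MACS_FILE" || printf '%s\n' "$mac" >> "$KNOWN_MACS_FILE"
}

# Print a complete dhcpd.conf to stdout; redirect it over the real file and restart dhcpd.
render_dhcpd_conf() {
    cat <<EOF
ddns-update-style none;
authoritative;

subnet $LAN_NET netmask $LAN_MASK {
    option routers $GATEWAY;

    # Registered hosts: normal leases, real resolver; the firewall lets this range out.
    pool {
        allow known-clients;
        range 192.168.1.129 192.168.1.254;
        option domain-name-servers $REAL_DNS;
    }

    # Everyone else: short leases so a fresh registration takes effect quickly,
    # and a resolver that answers every name with the gateway's login page.
    pool {
        deny known-clients;
        range 192.168.1.2 192.168.1.30;
        option domain-name-servers $CAPTIVE_DNS;
        default-lease-time 120;
        max-lease-time 300;
    }
}
EOF
    # One host declaration per registered MAC; the host entry is what makes a client "known".
    [ -f "$KNOWN_MACS_FILE" ] || return 0
    while read -r mac; do
        valid_mac "$mac" || continue
        printf 'host reg-%s { hardware ethernet %s; }\n' "$(printf '%s' "$mac" | tr -d ':')" "$mac"
    done < "$KNOWN_MACS_FILE"
}
```

A login CGI on the gateway would call `register_mac` with the address it read from the ARP table for the client, then `render_dhcpd_conf > /etc/dhcpd.conf` and restart dhcpd; the strict MAC check in `valid_mac` is the one line that keeps that CGI from becoming a config-injection path.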
this is a test..
Craig Boltman wrote:
> Hi,
>
> Don't know if this is the correct place to post to but here goes:
>
> I have a little network set up as follows:
>
> Linux Red Hat (acting as Gateway(Firewall),DHCP,DNS)
> Windows 2000 Server (Active Directory)
> Windows 2000 Server (Exchange 2000)
>
> My questions are probably answered somewhere else, but I have been
> searching and couldn't find anything relevant.
>
> Here Goes:
>
> 1. How do I restrict Internet Access?
> Currently as is anyone plugs in, gets an IP from DHCP and then gets
> out to net. I would like to make sure that they are logged on the
> domain/directory first.
>
> 2. How do I monitor Traffic on my Gateway? As well as restrict things?
> Kazaa kills my bandwidth, I also would like to do something like QOS
> on the box?
>
> 3. How do I allow certain services to pass thru Gateway?
> I currently have two NICS in the mail server (1 internal and 1
> external), would also like web to get thru. The gateway has a simple
> chain running that allows all out but nothing in:
> root at linux# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> root at linux# echo 1 > /proc/sys/net/ipv4/ip_forward
> root at linux# iptables -N block
> root at linux# iptables -A block -m state --state ESTABLISHED,RELATED
> -j ACCEPT
> root at linux# iptables -A block -m state --state NEW -i ! eth0 -j
> ACCEPT
> root at linux# iptables -A block -j DROP
> root at linux# iptables -A INPUT -j block
> root at linux# iptables -A FORWARD -j block
>
> I'm fairly new at this stuff, so please any help would really be
> appreciated.
>
> Thank You
> Craig