This section describes how to setup each piece of the authentication gateway. The examples used are for a private public network in the 10.0.1.0 subnet. eth0 is the interface on the box that is connected to the internal network. eth1 is the interface connected to the public network. The IP address used for this interface is 10.0.1.1. These settings can be changed to fit the network you are using. Red Hat 7.1 was used for the gateway box, so a lot of the examples are specific to Red Hat.
To setup netfilter the kernel must be recompiled to include netfilter support. Please see the Kernel-HOWTO for more information on configuring and compiling your kernel.
This is what my kernel configuration looked like.
# # Networking options # CONFIG_PACKET=y # CONFIG_PACKET_MMAP is not set # CONFIG_NETLINK is not set CONFIG_NETFILTER=y CONFIG_NETFILTER_DEBUG=y CONFIG_FILTER=y CONFIG_UNIX=y CONFIG_INET=y CONFIG_IP_MULTICAST=y # CONFIG_IP_ADVANCED_ROUTER is not set # CONFIG_IP_PNP is not set # CONFIG_NET_IPIP is not set # CONFIG_NET_IPGRE is not set # CONFIG_IP_MROUTE is not set # CONFIG_INET_ECN is not set # CONFIG_SYN_COOKIES is not set # IP: Netfilter Configuration # CONFIG_IP_NF_CONNTRACK=y CONFIG_IP_NF_FTP=y CONFIG_IP_NF_IPTABLES=y CONFIG_IP_NF_MATCH_LIMIT=y CONFIG_IP_NF_MATCH_MAC=y CONFIG_IP_NF_MATCH_MARK=y CONFIG_IP_NF_MATCH_MULTIPORT=y CONFIG_IP_NF_MATCH_TOS=y CONFIG_IP_NF_MATCH_TCPMSS=y CONFIG_IP_NF_MATCH_STATE=y CONFIG_IP_NF_MATCH_UNCLEAN=y CONFIG_IP_NF_MATCH_OWNER=y CONFIG_IP_NF_FILTER=y CONFIG_IP_NF_TARGET_REJECT=y CONFIG_IP_NF_TARGET_MIRROR=y CONFIG_IP_NF_NAT=y CONFIG_IP_NF_NAT_NEEDED=y CONFIG_IP_NF_TARGET_MASQUERADE=y CONFIG_IP_NF_TARGET_REDIRECT=y CONFIG_IP_NF_NAT_FTP=y CONFIG_IP_NF_MANGLE=y CONFIG_IP_NF_TARGET_TOS=y CONFIG_IP_NF_TARGET_MARK=y CONFIG_IP_NF_TARGET_LOG=y CONFIG_IP_NF_TARGET_TCPMSS=y |
iptables needs to be installed. To install iptables either use a package from your distribution or install from source. Once the above options were compiled in the new kernel and iptables was installed, I set the following default firewall rules.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE iptables -A INPUT -i eth0 -m state --state NEW, INVALID -j DROP iptables -A FORWARD -i eth0 -m state --state NEW, INVALID -j DROP iptables -I FORWARD -o eth0 -j DROP iptables -I FORWARD -s 10.0.1.0/24 -d 10.0.1.1 -j ACCEPT |
The above commands can also be put in an initscript to start up when the server restarts. To make sure the rules have been added issue the following commands:
iptables -v -t nat -L iptables -v -t filter -L |
To save these rules I used Red Hat's init scripts.
/etc/init.d/iptables save /etc/init.d/iptables restart |
Once the rules are in place turn on IP forwarding by executing this command.
echo 1 > /proc/sys/net/ipv4/ip_forward |
To make sure ip forwarding is enabled when the machine restarts add the following line to /etc/sysctl.conf.
net.ipv4.ip_forward = 1 |
Now the gateway box will be able to do network address translation (NAT), but it will drop all forwarding packets except those coming from within the public network and bound for the gateway.
This module is a PAM session module that inserts the firewall rule needed to allow forwarding for the authenticated client. To set it up simply get the source and compile it by running the following commands.
gcc -fPIC -c pam_iptables.c ld -x --shared -o pam_iptables.so pam_iptables.o |
You should now have two binaries called pam_iptables.so and pam_iptables.o. Copy pam_iptables.so to /lib/security/pam_iptables.so.
cp pam_iptables.so /lib/security/pam_iptables.so |
The chosen authentication client for the gateway was ssh so we added the following line to /etc/pam.d/sshd.
session required /lib/security/pam_iptables.so |
Now, when a user logs in with ssh, the firewall rule will be added.
The default interface for pam_iptables is eth0. This default can be changed by adding the interface parameter.
session required /lib/security/pam_iptables.so interface=eth1 |
This is only needed if the interface name that connects to the external network is not eth0.
To test if the pam_iptables module is working perform the following steps:
Log into the box with ssh.
Check to see if the rule was added with the command iptables -L.
Log out of the box to make sure the rule is removed.
I installed DHCP using the following dhcpd.conf file.
subnet 10.0.1.0 netmask 255.255.255.0 {
# --- default gateway
option routers 10.0.1.1;
option subnet-mask 255.255.255.0;
option broadcast-address 10.0.1.255;
option domain-name-servers 10.0.1.1;
range 10.0.1.3 10.0.1.254;
option time-offset -5; # Eastern Standard Time
default-lease-time 21600;
max-lease-time 43200;
}
|
The server was then run using eth1 , the interface to the public net.
/usr/sbin/dhcpd eth1
|
As indicated in previous sections, I've set this gateway up to use LDAP for authenticating. However, you can use any means that PAM allows for authentication. See Section 2.4 for more information.
In order to get PAM LDAP to authenticate, I installed OpenLDAP and configured it with the following in /etc/ldap.conf.
# Your LDAP server. Must be resolvable without using LDAP. host itc.musc.edu # The distinguished name of the search base. base dc=musc,dc=edu ssl no |
The following files were used to configure PAM to do the LDAP authentication. These files were generated by Red Hat's configuration utility.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account [default=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
|
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
#this line is added for firewall rule insertion upon login
session required /lib/security/pam_iptables.so debug
session optional /lib/security/pam_console.so
|
I installed the default version of Bind that comes with Red Hat 7.1, and the caching-nameserver RPM. The DHCP server tells the machines on the public net to use the gateway box as their nameserver.