[ale] RE: [Ipchains] Username and IPChains (dynamic firewall)

JANINDRA at MS.NDCORP.COM
Wed Sep 8 14:44:23 EDT 1999


Well, I have been working on a project in my spare time that addresses all
these issues. Just to make mouths water:

The program will include a "web-enabled" frontend to be run on Apache that
allows a simple point-and-click interface to IPCHAINS. I intend to prompt the
user with a login box that will help resolve the "dynamic rules based on
user problem". Right now it is VERY unsafe to use $LOGNAME since anyone can
overwrite that variable. I am thinking maybe a $UID lookup in /etc/passwd to
get the REAL user then compare to a list of blacklisted (or whatever) users.
There will also be a master list of naughty IP addresses. With all this in
place I hope to accomplish dynamic IPCHAINS rules based on user with ADMIN
rights to adjust the rules at anytime based on logfile entries. All said and
done, IP accounting based on user will also be a breeze. I have a few more
ideas coming down the pipe but I will save them for after I release the
first prototype (beta, whatever). Any more ideas are welcome.

For the curious, it will all be in Perl and HTML so even the mild hearted
can tweak it.

Until then (maybe at ALS),

--Randy

-----Original Message-----
From: Rajiv Ghai [mailto:ghair at vsnl.com]
Sent: Wednesday, September 08, 1999 1:28 PM
To: ipchains at rustcorp.com
Cc: Janinda, Randy # NDCHQ
Subject: Re: [Ipchains] Username and IPChains (dynamic firewall) 


Hello everyone,
Thanks Rusty and Randy for the ideas and the tips - they really got me
thinking. I followed Randy's instructions using shell script (followed the
typical scripts) in the /etc/sysconfig/network-scripts/ifup file and inserted
the following lines (without using ipchains) to stop user "freedom" from
connecting to the internet from my Linux box:

# NOTE: this test is always true: $Logname (not $LOGNAME) is unset, and with
# no spaces around "=" the bracket sees a single non-empty word, so the
# message also appears for root. The intended test is [ "$LOGNAME" = "freedom" ].
# The original "] then;" was a syntax error and has been corrected to "]; then".
if [ $Logname="freedom" ]; then
	logger "user freedom not allowed access"
	exit 1
fi

When I log in as freedom and give the command ifup ppp0 the Linux box does
not dial out and I get the message "user freedom not allowed access" in
/var/log/messages. So far so good, except it seems the message comes up even
when I am logged in as root. Something wrong there?

The first complication arises if the ppp link to the internet is already up
because an authorised user is already logged on and connected to the
internet from my linux box. It would mean that even with the above script
in place user freedom will still get access to the internet from my Linux
Box.
So I thought of the following solution based on tips from Rusty:
If the user is freedom then we find his ppp interface.
Then use ipchains to deny access to the internet by giving the command
ipchains -A output -s <source IP address> -j DENY
Start a timer for 30 seconds as Rusty suggested and check if the user
called freedom is still logged on. If not then
ipchains -A output -s <source IP address> -j ACCEPT
else continue with the rule.
The second complication is that there could be more than one user called
freedom.
So check if there is any other user called freedom with a different source
IP address. If so
ipchains -A output -s <new source address> -j DENY and start another timer
and repeat the above sequence.

Can anyone help me with a shell script to do that?

2. I would like "freedom" to know he has not been granted access. Could one
put an instruction in the script so as to link it to an HTML page stored in
some Apache subdirectory?

Rusty has suggested that we create a rule which monitors the interface
source address and do a look-up on some form of user config file.  I think
this assumes the ppp link to the internet is always up and the source
address is fixed. I use dynamic addressing for both users, and so does my ISP. My
set-up is such that anyone can dial in to my Linux box and log in as user
"freedom" from any computer in town. My set-up then uses pppd demand
dialing. I would like to allow only the registered user (who gets a new
login name once he registers) to use demand dialing to connect to the
internet.
Regarding the look-up on a user config file I would think that this should
not be necessary as if there was more than one name for an unauthorised
user then they could be put in a group and the group denied access as
above. Isn't there an existing built-in variable in Linux such as $LOGNAME
for GROUPNAME? In my case there is only one unauthorised user - freedom.
Maybe the solution is simple or, as Rusty suggested, someone needs to write
a paper on this subject and submit it to a Linux conference :-). I just
don't have the expertise to comment :-(.

Does anyone have further suggestions or ideas?

Thanks
Rajiv
-----------------------------
 
At 12:11 PM 9/1/99 -0700, you wrote:
>In message <3.0.1.32.19990831194628.006b82cc at 202.54.96.3> you write:
>> Hello there,
>> Has anyone written a script or knows where I can find one to link Usernames
>> or groups to Ipchain rules. I am using IP Masquerade. What I would like to
>> do is to permit certain users or groups to have access to the internet from
>> my Linux box by putting IP chains in my ip-up file. The ipchains HowTo says
>> it is "pretty easy" to do a lookup in a "userspace daemon" but I have no
>> clue? I am using Redhat 6.0.
>
>`Pretty easy' is relative 8-).  You'd have to write the userspace
>daemon, and Randy looks like he's up to the task
>(JANINDRA at MS.NDCORP.COM, are you listening?).
>
>Basically, you set up your firewall rules like normal, but create a
>special chain (call it `users').  Initially this chain contains the
>following rules:
>
># ipchains -A users -o -j DENY
>
>Insert a rule at the end of output to catch local packets going out
>the interface you care about:
>
># ipchains -A output -s <interface address> -j users
>
>You then write the userspace daemon (in perl if you want).  This
>daemon runs as root:
>1) Listens on /dev/fwmonitor for packets from the above ipchains rule.
>2) When it gets a packet, picks out the src & dest ip and ports, and
>   looks through /proc/net/tcp or /proc/net/udp to get the user id.
>3) Figure out what that userid is allowed to do (some kind of config
>   file would be nice): if it's allowed, insert an ACCEPT rule for
>   that packet (and one for replies) at the top of the users chain,
>   and start a timer for 30 (?) seconds.
>4) When the timer goes off, look up the connection again: if it's gone,
>   clear the rules out of the users chain.
>
>You can add refinements later, but this is the basic idea: put it on
>freshmeat, start a mailing list and submit a paper on it to a Linux
>conference in some exotic location...
>
>Rusty.
>--
>Hacking time.
>
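Rusty's steps 2 and 3 above, as an added example that is not code from this thread: a Python lookup of the uid that owns a connection in /proc/net/tcp (addresses are little-endian hex, ports are hex, the uid is the eighth column) and the ACCEPT rules the daemon would insert at the top of the `users` chain for an allowed uid. The /proc/net/tcp snapshot and the allowed-uid set are constructed for the example; everything else is the real file layout and ipchains syntax.

```python
import socket
import struct

# Constructed /proc/net/tcp snapshot in the kernel's layout: addresses are
# hex IPv4 in little-endian byte order, ports are hex, uid is column 8.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234
   1: 0500000A:0402 0101A8C0:0050 01 00000000:00000000 00:00000000 00000000  1001        0 5678
"""

# Constructed policy: uids allowed to use the link (Rusty's "config file").
ALLOWED_UIDS = {1001}


def decode_addr(hexaddr):
    """'0101A8C0:0050' -> ('192.168.1.1', 80)."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def uid_for_connection(table, src_ip, src_port, dst_ip, dst_port):
    """Step 2: find the socket matching the monitored packet's 4-tuple and
    return its owning uid (kernel-supplied, unlike $LOGNAME), or None."""
    for line in table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        local = decode_addr(fields[1])
        remote = decode_addr(fields[2])
        if local == (src_ip, src_port) and remote == (dst_ip, dst_port):
            return int(fields[7])
    return None


def users_chain_rules(uid, src_ip, src_port, dst_ip, dst_port):
    """Step 3: for an allowed uid, the two ACCEPT rules (flow and replies)
    inserted at the top of the `users` chain; for anyone else nothing is
    inserted, so the chain's trailing DENY drops the packet."""
    if uid not in ALLOWED_UIDS:
        return []
    return [
        f"ipchains -I users 1 -p tcp -s {src_ip} {src_port} "
        f"-d {dst_ip} {dst_port} -j ACCEPT",
        f"ipchains -I users 1 -p tcp -s {dst_ip} {dst_port} "
        f"-d {src_ip} {src_port} -j ACCEPT",
    ]
```

The daemon would run these per packet read from /dev/fwmonitor and, per step 4, re-check the 4-tuple after the timer to remove the rules once the socket is gone.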