Sooner or later any network starts to intersect with another one; that has always been the case. Today it is hard to imagine building the corporate network of any organization without connecting it to the Internet. Therefore the first and main server to set up is the router.
Although, to be honest, I started with Linux, I never liked it, and long ago I chose FreeBSD as my server OS. There is plenty of information on how to set up Internet routing on FreeBSD. But what if you need to let onto the Internet not only devices known (trusted) to you, but also new ones that first have to log in? For example, in a public place, a cafe or a hotel.
What do we have?
To begin with, we have a router and a network with wired and wireless access (do you still remember how to crimp cables?). Naturally it is better to forbid the two from talking to each other, but we will not consider how to do that here, since everyone has their own toys and there are many options.
A user who gets onto the network must not simply be blocked. Otherwise he will not know what to do and will be left at a dead end, so a blunt deny all from all to all will not suit us. Instead, everyone unknown to us must be redirected to a single site that carries all the instructions and performs the authorization.
There are two options ...
In the first, all traffic goes through a proxy, which already knows who is a friend and who is a foe and what answer to give to whom. But in the current state of affairs, when the amount of information users receive is so huge and the prices of unlimited tariffs let even legal entities use them at good speeds, I see no sense in accumulating that information on my own storage.
So I went the second way: the firewall decides who goes where. Here is what my solution looks like in ipfw.
I use ipnat, so ipfw will contain rules permitting traffic to the external network, but none for diverting it, as there would be with natd. We create a table of users who will be let out to the external network:
ipfw table 1 add 192.168.0.1
ipfw table 1 add 192.168.0.2
Next comes the rule permitting traffic to the Internet through the external interface rl1:
ipfw add allow ip from table\(1\) to any out via rl1 keep-state
Now all of our known machines can use the Internet. New clients, however, simply get an error message that the server was not found.
For them we will have a rule of our own:
ipfw add fwd 127.0.0.1,9832 ip from not table\(1\) to any out via rl1
Thus we redirect all traffic from unknown users to port 9832, and on that port we will hang the web server with the information we need.
A small digression: fwd redirects the packet to the specified address but does not modify it. If you redirect it to a web server on another host in the network, that host will simply drop it, because the destination address is not its own. Hence the conclusion: such traffic can be intercepted and processed only locally.
Since this is not a full-fledged web server, I see no reason to put Apache or nginx there. I would recommend looking at micro_httpd, mini_httpd or lighttpd.
Do not forget a rule permitting traffic within the network via the rl0 interface:
ipfw add allow ip from 192.168.0.0/24 to 192.168.0.0/24 via rl0
or, better, open only what your setup actually needs:
ipfw add allow tcp from 192.168.0.0/24 to me 9832 in via rl0 keep-state
I settled on the simplest and, in this case, most convenient service: micro_httpd.
Install it from ports:
cd /usr/ports/www/micro_httpd
make install clean
Since it is just a binary rather than a daemon, it does not sit in memory and consumes nothing. When a request arrives on the given port, inetd launches it with a parameter; it processes the data and returns the result.
Configure inetd by adding the following to /etc/inetd.conf (on one line):
micro_httpd stream tcp nowait nobody /usr/local/sbin/micro_httpd micro_httpd /var/www
where /var/www is the path to the web server's document root.
Also add to /etc/services:
micro_httpd 9832/tcp
where 9832 is the port on which the web server listens.
Put an index.html with the content we need into /var/www.
Restart inetd (or reboot the server) and check.
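The article leaves the authorization step itself to the portal page. As an added example (not the author's code), here is the script such a page would call once a user has logged in: it checks that the address really is a host on the LAN and only then puts it into ipfw table 1, so the "allow ip from table(1)" rule starts matching it. The table number and LAN prefix are the article's; the variable and function names (IPFW, TABLE, LAN_NET, LAN_BITS, ip2int, in_lan, authorize_client, revoke_client) are my own.

```shell
#!/bin/sh
# Constructed example, not the article's code: the "authorize" step of the portal.
# Once a user has logged in, the portal passes the client address to this script,
# which adds it to ipfw table 1 (or removes it again on logout).
# IPFW=echo prints the commands instead of changing the firewall (used for testing).
IPFW="${IPFW:-ipfw}"
TABLE="${TABLE:-1}"                 # table number used in the article
LAN_NET="${LAN_NET:-192.168.0.0}"   # LAN prefix used in the article
LAN_BITS="${LAN_BITS:-24}"

# Dotted-quad to 32-bit integer; fails (prints nothing) on anything malformed:
# non-digits, empty octets, not exactly four octets, or leading zeros (octal ambiguity).
ip2int() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    a=${1%%.*}; r=${1#*.}; b=${r%%.*}; r=${r#*.}; c=${r%%.*}; d=${r#*.}
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in 0?*) return 1 ;; esac
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# True only for a host address inside LAN_NET/LAN_BITS (network/broadcast excluded).
in_lan() {
    ip=$(ip2int "$1") || return 1
    net=$(ip2int "$LAN_NET") || return 1
    mask=$(( (0xffffffff << (32 - LAN_BITS)) & 0xffffffff ))
    [ $(( ip & mask )) -eq $(( net & mask )) ] || return 1
    host=$(( ip & ~mask & 0xffffffff ))
    [ "$host" -ne 0 ] && [ "$host" -ne $(( ~mask & 0xffffffff )) ]
}

# Add a client to the trusted table. Anything that is not a LAN host is refused,
# so a value copied from a web form can never reach ipfw unchecked.
authorize_client() {
    in_lan "$1" || { echo "refused: '$1' is not a host on $LAN_NET/$LAN_BITS" >&2; return 1; }
    $IPFW -q table "$TABLE" add "$1"
}

# Remove a client again (logout or session timeout); the fwd rule applies to it once more.
revoke_client() {
    in_lan "$1" || return 1
    $IPFW -q table "$TABLE" delete "$1"
}
```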