[NoCat] How to restrict access for authenticated user
Jean-Philippe CAMBOURNAC
jpcambou at free.fr
Tue Sep 26 03:21:59 PDT 2006
Hi,
So, I've found that my $IncludePorts and $ExcludePorts were not defined,
so the modifications that I tried to apply didn't work.
I removed the section which uses IncludePorts and ExcludePorts and replaced
it with:
for iface in $InternalDevice; do
    for port in 80 443; do      # the allowed ports (unquoted, so the shell splits the list)
        for mark in 1 2; do     # for post-auth users (owner & co-op)
            $ports -p tcp -i $iface --dport $port -m mark --mark $mark -j ACCEPT
            $ports -p udp -i $iface --dport $port -m mark --mark $mark -j ACCEPT
        done
    done
    # Always permit access to the GatewayPort (or we can't logout)
    $ports -p tcp -i $iface --dport $GatewayPort -j ACCEPT
    $ports -p udp -i $iface --dport $GatewayPort -j ACCEPT
    # ...and disable access to the rest (these DROPs must come after the ACCEPTs above)
    for mark in 1 2; do
        $ports -p tcp -i $iface -m mark --mark $mark -j DROP
        $ports -p udp -i $iface -m mark --mark $mark -j DROP
    done
done
By doing this I bypass the use of Include/ExcludePorts and it works fine
(verified by ULOGging the firewall activity).
Now, if someone has an idea why my Include/ExcludePorts don't work (in
lib/NoCat/Firewall.pm the my @Perform_Export = qw{...} contains
IncludePorts, and the nocat.conf GW file too).
Regards,
Jean-Philippe
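The per-class port restriction from the message above, rewritten here as a dry-run shell function so the generated rule set can be inspected before it is loaded on the gateway. This is an added example, not code from this thread or from the NoCat project; $ports, $InternalDevice, $GatewayPort and the mark values follow the thread, while the function names, the "echo" default for $ports and the eth1/5280 defaults are assumptions.

```shell
# With ports=echo the rules are printed instead of installed; on a real
# gateway set ports to the iptables command NoCat uses for its port chain.
ports="${ports:-echo}"
InternalDevice="${InternalDevice:-eth1}"   # assumed default, override as needed
GatewayPort="${GatewayPort:-5280}"         # assumed default, override as needed

# restrict_class_ports ALLOWED_PORTS MARKS
#   ALLOWED_PORTS: space-separated TCP/UDP ports to permit, e.g. "80 443"
#   MARKS:         fwmark values of the user classes to restrict, e.g. "1 2"
# The lists are expanded unquoted inside the for loops so the shell splits
# them into words; writing for port in "80 443" would loop once with a single
# value and hand iptables a broken --dport argument.
restrict_class_ports() {
    allowed=$1
    marks=$2
    for iface in $InternalDevice; do
        for mark in $marks; do
            for port in $allowed; do
                $ports -p tcp -i "$iface" --dport "$port" -m mark --mark "$mark" -j ACCEPT
                $ports -p udp -i "$iface" --dport "$port" -m mark --mark "$mark" -j ACCEPT
            done
        done
        # The gateway port must stay reachable or the user cannot log out.
        $ports -p tcp -i "$iface" --dport "$GatewayPort" -j ACCEPT
        $ports -p udp -i "$iface" --dport "$GatewayPort" -j ACCEPT
        # Per-class catch-all DROP goes last: iptables evaluates rules in
        # order, so emitting it before the ACCEPTs would block everything.
        for mark in $marks; do
            $ports -p tcp -i "$iface" -m mark --mark "$mark" -j DROP
            $ports -p udp -i "$iface" -m mark --mark "$mark" -j DROP
        done
    done
}

# Number of rules a given call would install (handy for a sanity check
# against what `iptables -L -n` shows afterwards).
rule_count() {
    restrict_class_ports "$1" "$2" | wc -l | tr -d ' '
}
```

For two ports and two classes on one interface the function emits 14 rules: 8 ACCEPTs for the allowed ports, 2 for the gateway port and 4 DROPs.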
Jean-Philippe CAMBOURNAC wrote:
> Hi,
>
> In the initialize.fw file the comment for IncludePorts and ExcludePorts
> says:
>
> # Lock down more ports for public users, if specified. Port restrictions
> # are not applied to co-op and owner class users.
>
> So I managed to change the initialize.fw from:
> (...)
> # Enable all ports in IncludePorts
> for iface in $InternalDevice; do
> for port in $IncludePorts; do
> $ports -p tcp -i $iface --dport $port -m mark --mark 3 -j ACCEPT
> $ports -p udp -i $iface --dport $port -m mark --mark 3 -j ACCEPT
> done
> (...)
> # ...and disable access to the rest.
> $ports -p tcp -i $iface -m mark --mark 3 -j DROP
> $ports -p udp -i $iface -m mark --mark 3 -j DROP
> done
>
> to:
> # Enable all ports in IncludePorts
> for iface in $InternalDevice; do
>     for port in $IncludePorts; do
>         for mark in 1 2 3; do   # unquoted so the loop sees three marks, not one
>             $ports -p tcp -i $iface --dport $port -m mark --mark $mark -j ACCEPT
>             $ports -p udp -i $iface --dport $port -m mark --mark $mark -j ACCEPT
>         done
>     done
>     (...)
>     # ...and disable access to the rest.
>     for mark in 1 2 3; do
>         $ports -p tcp -i $iface -m mark --mark $mark -j DROP
>         $ports -p udp -i $iface -m mark --mark $mark -j DROP
>     done
> done
>
> Then in nocat.conf I set IncludePorts to 80, but I can still go to
> https, ssh.
> Did I miss something?
> Or is it impossible to restrict access for Owner and Co-op (mark 1 and 2)?
>
> Regards,
> Jean-Philippe.
>
> Nicolas Schmitz wrote:
>
>> Hi,
>> I think you can restrict access in gateway/nocat.conf with
>> IncludePorts and ExcludePorts. No need to patch initialize.fw
>>
>> Nicolas Schmitz
>>
>>
>> Jean-Philippe CAMBOURNAC wrote:
>>
>>> Hi all,
>>>
>>> I want to restrict access for authenticated users. Let me explain:
>>> When a user is authenticated, he has full access to the Internet (http,
>>> https, pop, smtp, imap, ssh...):
>>> (from .../nocat/bin/initialize.fw (on the GW))
>>>
>>> (...)
>>> # Handle tagged traffic.
>>> #
>>> for iface in $InternalDevice; do
>>> for net in $LocalNetwork; do
>>> for fwmark in $classes; do
>>> # Only forward tagged traffic per class
>>> $fwd -i $iface -s $net -m mark --mark $fwmark -j ACCEPT
>>> (...)
>>>
>>> Replacing the last line with:
>>> for port in 80 443; do   # unquoted so the loop sees two ports
>>>     $fwd -i $iface -p tcp --dport $port -s $net -m mark --mark $fwmark -j ACCEPT
>>> done
>>>
>>> But this "patch" doesn't work. Perhaps in the bin/access.fw file...
>>>
>>> So, if anybody has an idea where I can define firewall rules to
>>> restrict access to only http and https for authenticated users, it
>>> will help me a lot.
>>>
>>> Thanks.
>>> Regards,
>>> Jean-Philippe.
>>>
>>> _______________________________________________
>>> NoCat mailing list
>>> NoCat at lists.nocat.net
>>> http://lists.nocat.net/mailman/listinfo/nocat