mirror of https://github.com/tLDP/LDP
updated
parent 072b25377f
commit a4bced5fe7

@ -164,7 +164,7 @@ application for Linux. </Para>
Game-Server-HOWTO</ULink>,
<CiteTitle>Game Server HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: July 2001</CiteTitle>.
<CiteTitle>Updated: December 2002</CiteTitle>.
Explains how to install, configure and maintain servers
for various popular multiplayer games. </Para>
</ListItem>

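Review bot: the only change in this hunk is the "Updated:" date of the Game Server HOWTO index entry (July 2001 to December 2002); the description lines are untouched. The same one-line bump is repeated in two further hunks at different offsets, so this entry is maintained by hand in three places. That is acceptable for the commit, but the commit message "updated" should say which HOWTO entry and which index files changed, otherwise a reader of the log cannot tell what was synchronised.
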
@ -1027,7 +1027,7 @@ server on your Linux system. </Para>
Game-Server-HOWTO</ULink>,
<CiteTitle>Game Server HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: July 2001</CiteTitle>.
<CiteTitle>Updated: December 2002</CiteTitle>.
Explains how to install, configure and maintain servers
for various popular multiplayer games. </Para>
</ListItem>

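Review bot: this is the second copy of the Game Server HOWTO date bump, identical to the first. Because the copies must stay in step, review should confirm that every index file carrying this entry now reads "Updated: December 2002" and that no further copy was missed; the description lines are the same in each hunk, so only the date needed attention.
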
@ -997,7 +997,7 @@ this writing). </Para>
Game-Server-HOWTO</ULink>,
<CiteTitle>Game Server HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: July 2001</CiteTitle>.
<CiteTitle>Updated: December 2002</CiteTitle>.
Explains how to install, configure and maintain servers
for various popular multiplayer games. </Para>
</ListItem>

@ -3,13 +3,13 @@
<article><!-- LyX 1.2 created this file. For more info see http://www.lyx.org/ -->
<title>Samba Authenticated Gateway HOWTO
</title><author>Ricardo Alexandre Mattar
</author><date>v1.0, 2002-12-16
</author><date>v1.0.1, 2002-12-24
</date><abstract>This documents intends to show how to build a Firewall/Gateway
with rules set on user basis having the users authenticated by a
Samba Primary Domain Controller.
Samba Primary Domain Controller
</abstract><sect>Introduction
<p>As you can see by the poorness of my language, English is not
my mother language. I am writing this document in English for the
my native language. I am writing this document in English for the
sake of the Linux community. So, please, excuse me for my poor English.
And, please, if you speak Portuguese, address me in this language.
</p><p>This document intends to enlighten you (and myself) in the process

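Review bot: the unchanged context line "<abstract>This documents intends to show" still carries a typo ("This documents" should be "This document") even though this revision corrects wording a few lines below; fix it in the same pass. The rewritten abstract line also drops the final period ("Samba Primary Domain Controller" replaces "Samba Primary Domain Controller."), which leaves the abstract's only sentence unterminated; keep the period. The version and date bump to v1.0.1, 2002-12-24 is consistent with the new "Thanks to Erik Esplund for further language corrections" credit later in the patch.
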
@ -25,11 +25,12 @@
network.
</p><p>Imagine that you have to build a gateway to let Windows workstation
access the Internet and that you need to authenticate each user before
letting them access the network. The first solution you think about
is Squid. Its indeed a great solution, when http and ftp access is
enough for your users. when it comes to let them access other services
like pop, smtp, ssh, a database server or whatever else, you immediately
think about NAT or MASQUERADE. But what happens to the user authentication?
letting them access the external networks. The first solution you
think about is Squid. Its indeed a great solution, when http and
ftp access is enough for your users. when it comes to let them access
other services like pop, smtp, ssh, a database server or whatever
else, you immediately think about NAT or MASQUERADE. But what happens
to the user authentication?
</p><p>Well, this is my solution. It gives you user authentication and
fine grain control over their access to the network.
</p><sect1>Disclaimer

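Review bot: the rewritten paragraph reflows the text but carries over two errors it could have fixed: "Its indeed a great solution" should read "It's indeed a great solution", and "when it comes to let them access other services" opens a new sentence after a period and should be "When it comes to letting them access other services". The change from "access the network" to "access the external networks" is a genuine clarification, since the point of the gateway is control of outbound access, not the local LAN.
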
@ -45,19 +46,18 @@
</p><p>Naming of particular products or brands should not be seen as
endorsements.
</p><sect1>New versions
<p>The newest release of this document can be found at http://smbgate.sourceforge.net

<p>The newest release of this document can be found at <url url="http://smbgate.sourceforge.net" name="http://smbgate.sourceforge.net">
</p><p>Related HOWTOs can be found at the Linux Documentation Project
homepage.
</p><sect1>Translations
<p>A Portuguese version is on the way, but for moment there is only
this English version. If you want to contribute, be my guest.
<p>A Portuguese version is available. If you want to contribute,
please do.
</p><sect1>Feedback
<p>Contributions and criticism are both welcome.
</p><p>Corrections to my English are also very welcome!
</p><p>If you want to mail me, my account is ricardo.mattar at the computer
named bol.com.br. You may thank this mail address format to our beloved
spammers and their nice spiders.
named bol.com.br. You may thank the spammers and their nice spiders
for the format of my address.
</p><sect1>Copyright and trademarks
<p>Copyright (c) 2002 Ricardo Alexandre Mattar
</p><p>Permission is granted to copy, distribute and/or modify this

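Review bot: the new Translations paragraph says "A Portuguese version is available" but gives no location, so the reader has to guess where to find it; add the URL or state that it is published alongside the English version at the site named in "New versions". Wrapping the bare address in <url url="http://smbgate.sourceforge.net" name="http://smbgate.sourceforge.net"> is the correct LinuxDoc markup and also removes the stray empty line the old text had after it. The reworded e-mail sentence ("You may thank the spammers and their nice spiders for the format of my address") reads better than the old one.
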
@ -72,6 +72,7 @@
document.
</p><p>Thanks to Guillaume Lelarge for helping with the revision (he
caught my english errors, but I insisted on a few).
</p><p>Thanks to Erik Esplund for further language corrections.
</p><sect>Requirements
<sect1>Knowledge
<p>You must have a fair knowledge about (at least know what these

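Review bot: the added credit line is fine. The unchanged context line just above it, "caught my english errors", should capitalise "English", consistent with "Corrections to my English are also very welcome!" in the Feedback section.
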
@ -80,34 +81,33 @@
<item>Linux netfilter;
<item>A scripting language (bash?);
<item>SAMBA and Windows networking and domain controllers;
</itemize></p><p>Fortunately, the Internet is plenty of documentation on these
topics.
</itemize></p><p>Fortunately, there is plenty of documentation of these topics
on the Internet.
</p><sect1>Software
<p>Installed on your server, you will need at least:
</p><p><itemize><item>Samba;
<item>Iptables;
<item>A scripting language;
</itemize></p><sect>Linux box setup
<p>There are no important known issues up to the moment, but the
need of a kernel at least from 2.4 series if you intend to use iptables,
like the examples in this document. If you want to use a 2.2 series
kernel and ipchains, be my guest.
<p>This Howto assumes you have kernel from the 2.4 series as it
uses iptables. Other than that there are no know issues why this
should not work on a 2.2 kernel box with the scripts adapted to ipchains.
</p><p>Of course, you need to install the iptables userland tools, an
apache http server if you want to run a CGI tool to change passwords
and SAMBA. And you will need a kernel compiled with iptables modules.
</p><p>You may wish to use DHCP. If so, set it up! Remember to configure
the dhcp server to give the nameserver IP address and the gateway
IP address as well. The Windows machines will make good use of this
information.
</p><p>You may wish to use DHCP. If so, it is easy to set up. Remember
to configure the dhcp server to give the nameserver IP address and
the gateway IP address as well. The Windows machines will make good
use of this information.
</p><sect1>Basic system setup
<p>Generally any basic system setup from commercial Linux distributions
<p>Generally any basic system setup from the common Linux distributions
will fit in this gateway example. Just check if you have Samba and
IPTABLES.
</p><sect1>Additional directory hierarchy
<p>The additional directory hierarchy will be required to accomplish
the example of this howto:
</p><p>This is used to keep track of the users and IP addresses:
</p><p><verb>/var/run/mgate/
</p><p><verb>/var/run/smbgate/
</verb></p><p>This is where I place user specific scripts:
</p><p><verb>/etc/smbgate/users/
</verb></p><p>Directory for the netlogon share:

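Review bot: the rewritten kernel paragraph introduces a typo, "there are no know issues" should be "no known issues", and "you have kernel from the 2.4 series" wants an article ("a kernel"). The path change from /var/run/mgate/ to /var/run/smbgate/ is a real correction: the script shown later reads ADDRESS=`cat /var/run/smbgate/$1`, so the old text had readers create a directory the scripts never use. Since the per-user files in that directory hold the address that netlogon.sh later passes to iptables while running as root, this section is the place to say who owns /var/run/smbgate/ and /etc/smbgate/users/ and that only root may write to them; "This is used to keep track of the users and IP addresses" does not convey that the contents are trusted input to the firewall.
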
@ -142,21 +142,22 @@ echo "1" > /proc/sys/net/ipv4/ip_dynaddr
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
</verb></p><p>You will notice that this code does actually nothing, but loads
</verb></p><p>You will notice that this code actually does nothing, but load
the kernel modules related to nat and firewalling and turns the packet
routing on. You can place any rules there to give your gateway a
standard behavior, but the big magic will be done by scripts called
by the SAMBA daemon.
</p><p>Please, remember that this code doesn't have at least a bit of
security! If security is an issue, don't use this example in production
boxes. This example intends only to be educational.
</p><p>You were warned!
</p><p>Please, remember that this code doesn't have the least bit of
security! Don't use these examples in production environments. This
example intends only to be educational. You have to add a firewall
configuration that suits your systems.
</p><p>You have been warned!
</p><sect1>SAMBA setup
<p>Check if you have Samba installed. If your distribution doen't
<p>Check if you have Samba installed. If your distribution doesn't
come with Samba pre-packaged then refer to <url url="http://www.samba.org" name="http://www.samba.org"> to get the packages and
for documentation on how to install Samba. Roam around their web
site and learn about it. The site is plenty of documentation and
maybe your LINUX distribution is also plenty of SAMBA documentation.
for documentation on how to install Samba. Brows around their web
site and learn about it. The site has plenty of documentation and
maybe your LINUX distribution also has plenty of SAMBA documentation.
</p><p>We will need to setup SAMBA as a Primary Domain Controller. I
will give an example configuration file here, but you should read
the <url url="http://www.samba.org/samba/docs/Samba-HOWTO-Collection.html" name="Samba HOWTO Collection"> and learn all you can about a PDC.

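Review bot: the strengthened warning ("You have to add a firewall configuration that suits your systems") is an improvement but could be concrete about why: the context lines above set "$IPTABLES -P FORWARD ACCEPT" and flush the nat table, so with this base script packets from every client are forwarded whether or not the user has logged on; the only per-user rule added later is the MASQUERADE rule, so the gating rests on un-NATed private addresses failing upstream rather than on a filter rule. A sentence recommending a DROP policy on FORWARD with per-user ACCEPT rules would make the warning actionable. Also, "does nothing, but load the kernel modules" should be "but load ... and turn" or keep the old "loads ... turns"; the new line mixes the two forms. In the Samba paragraph, "Brows around their web site" should be "Browse around".
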
@ -207,17 +208,16 @@ root postexec = /usr/local/bin/netlogoff.sh %u
</p><sect2>The netlogon and the tracking shares
<p>The netlogon share is where the Windows workstations download
the logon script from. We need this share in order to place there
a script which will tell the workstation to mount a share that we
will use to track the user's ip address.
a logon script, which will tell the workstation to mount a share
that will be used to track the users ip addresses.
</p><p>As you can see, there must be a line like the following in your
smb.conf
</p><p><verb>logon script = netlogon.bat
</verb></p><p>This line will tell your Windows client to download and execute
the script named netlogon.bat. This script must be placed at the
netlogon share. So, we will also need a netlogon.bat script to your
Windows workstations. You can take the following example and create
a file, naming it NETLOGON.BAT and placing it at the netlogon share,
in this case at /home/samba/netlogon/NETLOGON.BAT.
Windows workstations. You can use the following example and place
it at the netlogon share, in this case: /home/samba/netlogon/NETLOGON.BAT.
</p><p><verb>REM NETLOGON.BAT
net use z: \\linux\samba /yes
</verb></p><p>This script will tell the Windows workstation to mount the specified

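Review bot: in the rewritten line "that will be used to track the users ip addresses", "users" needs its apostrophe and IP is normally capitalised ("the users' IP addresses"). The shortened NETLOGON.BAT instructions are clearer than the old three-line version. Since the whole tracking mechanism hinges on the workstation actually executing the logon script and mounting the share ("net use z: \\linux\samba /yes"), the section should say that a client which never runs the script, or whose mount fails, is never recorded and therefore never gets the firewall rules this share triggers; that is the expected behaviour, but readers debugging a missing rule need to know where to look first.
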
@ -225,8 +225,8 @@ net use z: \\linux\samba /yes
through the output of the smbstatus program.
</p><p>Quite simple! But not enough...
</p><p>As you could see, we will need also a tracking share which, in
this example, I named samba. You can see at the smb.conf file the
tracking share configuration:
this example, I named samba. You can see the tracking share configuration
in smb.conf:
</p><p><verb>[samba]
comment = login tracking share
path = /home/samba/samba

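Review bot: the sentence still opens with the unchanged "As you could see, we will need also a tracking share", which should read "As you can see, we will also need a tracking share"; the moved phrase "in smb.conf" at the end of the sentence is otherwise a clear improvement over "at the smb.conf file".
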
@ -234,11 +234,11 @@ root preexec = /usr/local/bin/netlogon.sh %u
root postexec = /usr/local/bin/netlogoff.sh %u
</verb></p><p>As you can guess or know if you read the SAMBA documentation,
the root preexec and the root postexec lines tell SAMBA to run the
indicated scripts when a user mounts and unmounts the share. In this
case, we are passing the user name to the script as a parameter.
Note the %u at the end of the lines. These scripts are the
beasts which will call a script or program to modify our gateway's
packet filtering rules.
indicated scripts when a user mounts or unmounts the share. In this
case, we are passing the username to the script as a parameter. Note
the %u at the end of the lines. These scripts are the beasts
which will call a script or program to modify our gateway's packet
filtering rules.
</p><p>Take a look at the netlogon.sh and netlogoff.sh scripts:
</p><p><verb>#!/bin/sh
#

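Review bot: the rewording ("mounts or unmounts", "username") is fine. What the paragraph still leaves unsaid is that root preexec and root postexec run the named scripts as root, which is precisely why they are able to change the gateway's packet filtering rules; stating that explicitly tells readers that everything in /usr/local/bin/netlogon.sh, /usr/local/bin/netlogoff.sh and the per-user scripts they call executes with full privilege on every share connect and disconnect, and that %u is the name Samba authenticated, not something the client can choose freely.
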
@ -255,7 +255,7 @@ ADDRESS=`cat /var/run/smbgate/$1`
/etc/smbgate/users/$1 $COMMAND $ADDRESS $EXTIF
</verb></p><p>This script (netlogon.sh) is intended to run when the user logs
in and will filter the output of smbstatus extracting the user's
ip address which will be wrote to a file at /var/run/smbgate. The
ip address which will be written to a file at /var/run/smbgate. The
file will take the user's name and will be later used when the user
log off. The address extracted will be passed as an argument to a
script with the users' name which will finally update the firewall.

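Review bot: "will be written" fixes the grammar, but the unchanged context still reads "when the user log off" (should be "logs off") and "a script with the users' name" (should be "user's name"). The description should also cover the missing-file case: ADDRESS=`cat /var/run/smbgate/$1` and the call "/etc/smbgate/users/$1 $COMMAND $ADDRESS $EXTIF" assume both the tracking file and a per-user script exist; when the file is absent the iptables command is run with an empty address, and when the per-user script is absent the call simply fails, and the text tells the reader neither what to expect nor that every user needs a script under /etc/smbgate/users/.
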
@ -288,8 +288,8 @@ IPTABLES='/usr/sbin/iptables'
$IPTABLES $COMMAND POSTROUTING -t nat -s $ADDRESS -o $EXTIF -j MASQUERADE
</verb></p><sect>Windows workstation setup
<sect1>Introduction
<p>We will stick to setup the network, user management and policies
on the Windows workstations.
<p>We will stick to setting up the network, user management and
policies on the Windows workstations.
</p><p>I will not go through all those steps, naming each dialog box.
I will presume that if you can read and understand this document
you can find your way through that mess.

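Review bot: "setting up" is the right fix. The rule in the context line above, "$IPTABLES $COMMAND POSTROUTING -t nat -s $ADDRESS -o $EXTIF -j MASQUERADE", keys access on the source address recorded at logon rather than on the user, so the Windows setup introduction is a good place to state that limitation: until netlogoff.sh removes the rule, whichever host holds that address (for example after a DHCP lease change) gets the same masquerading. A sentence on lease times and on making sure the logoff path really runs would tell administrators what to watch.
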
@ -299,7 +299,7 @@ IPTABLES='/usr/sbin/iptables'
broadcast a lot, and this doesn't please anyone. Anyway, with TCP/IP
who needs anything else?
</p><sect1>DHCP setup
<p>If you set a DHCP server on your Linux box, remember that Windows
<p>If you setup a DHCP server on your Linux box, remember that Windows
workstations can get the nameservers and gateway's address besides
its own IP address from it. So, you don't need to set all these items
on each workstation.

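Review bot: changing "If you set a DHCP server" to "If you setup a DHCP server" is a regression; as a verb it is two words, "If you set up a DHCP server" ("setup" is the noun, as in the "DHCP setup" heading). The unchanged "besides its own IP address" should also be "their own IP address" to agree with "workstations".
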
@ -324,16 +324,17 @@ IPTABLES='/usr/sbin/iptables'
will annoy you asking for a Windows password and you will become
nuts trying to synchronize and manage your Domain and Windows passwords.
It seems that the OS doesn't know that it joined a domain. You must
tell it and then you must slap it in the face so it can believe you.
tell it and then you have to slap it in the face so it will believe
you.
</p><sect>User management
<sect1>Adding users
<p>Adding a Linux user by usual means and setting a samba password
using smbpass shall work. If you have any doubt, just refer to the
using smbpasswd will work. If you have any doubt, just refer to the
SAMBA documentation. This is not a difficult issue.
</p><sect1>Password management
<p>I am issuing this as a major topic because I couldn't learn yet
<p>I am issuing this a major topic because I couldn't learn yet
how to manage users and users' passwords from a Windows workstation
without using a web interface. I could not find and didn't know how
without using a web interface. I couldn't find and didn't know how
to build integrated tools to solve this problem. So, I am using a
CGI program to get it done.
</p><p>Try the package at http://changepassword.sourceforge.net/ , it

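Review bot: "smbpasswd" is the actual name of the Samba password tool, so that correction matters for anyone following the text literally. The rewritten line "I am issuing this a major topic" lost the "as" the old line had ("I am issuing this as a major topic"); restore it. "couldn't find" matches the contraction style of the surrounding sentences.
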
@ -676,4 +677,4 @@ IPTABLES='/usr/sbin/iptables'
to permit their use in free software.
</p>

</article>
</article>
