mirror of https://github.com/tLDP/LDP
updated
This commit is contained in:
parent
072b25377f
commit
a4bced5fe7
|
@ -164,7 +164,7 @@ application for Linux. </Para>
|
||||||
Game-Server-HOWTO</ULink>,
|
Game-Server-HOWTO</ULink>,
|
||||||
<CiteTitle>Game Server HOWTO</CiteTitle>
|
<CiteTitle>Game Server HOWTO</CiteTitle>
|
||||||
</Para><Para>
|
</Para><Para>
|
||||||
<CiteTitle>Updated: July 2001</CiteTitle>.
|
<CiteTitle>Updated: December 2002</CiteTitle>.
|
||||||
Explains how to install, configure and maintain servers
|
Explains how to install, configure and maintain servers
|
||||||
for various popular multiplayer games. </Para>
|
for various popular multiplayer games. </Para>
|
||||||
</ListItem>
|
</ListItem>
|
||||||
|
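Review bot: the same Game Server HOWTO entry is edited by hand in three hunks (here, at -1027 and at -997), each changing only the Updated date from July 2001 to December 2002; if these index listings are generated from one source, regenerate them so the copies cannot drift, and otherwise double-check that no further copy of the entry was missed.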
@ -1027,7 +1027,7 @@ server on your Linux system. </Para>
|
||||||
Game-Server-HOWTO</ULink>,
|
Game-Server-HOWTO</ULink>,
|
||||||
<CiteTitle>Game Server HOWTO</CiteTitle>
|
<CiteTitle>Game Server HOWTO</CiteTitle>
|
||||||
</Para><Para>
|
</Para><Para>
|
||||||
<CiteTitle>Updated: July 2001</CiteTitle>.
|
<CiteTitle>Updated: December 2002</CiteTitle>.
|
||||||
Explains how to install, configure and maintain servers
|
Explains how to install, configure and maintain servers
|
||||||
for various popular multiplayer games. </Para>
|
for various popular multiplayer games. </Para>
|
||||||
</ListItem>
|
</ListItem>
|
||||||
|
|
|
@ -997,7 +997,7 @@ this writing). </Para>
|
||||||
Game-Server-HOWTO</ULink>,
|
Game-Server-HOWTO</ULink>,
|
||||||
<CiteTitle>Game Server HOWTO</CiteTitle>
|
<CiteTitle>Game Server HOWTO</CiteTitle>
|
||||||
</Para><Para>
|
</Para><Para>
|
||||||
<CiteTitle>Updated: July 2001</CiteTitle>.
|
<CiteTitle>Updated: December 2002</CiteTitle>.
|
||||||
Explains how to install, configure and maintain servers
|
Explains how to install, configure and maintain servers
|
||||||
for various popular multiplayer games. </Para>
|
for various popular multiplayer games. </Para>
|
||||||
</ListItem>
|
</ListItem>
|
||||||
|
|
|
@ -3,13 +3,13 @@
|
||||||
<article><!-- LyX 1.2 created this file. For more info see http://www.lyx.org/ -->
|
<article><!-- LyX 1.2 created this file. For more info see http://www.lyx.org/ -->
|
||||||
<title>Samba Authenticated Gateway HOWTO
|
<title>Samba Authenticated Gateway HOWTO
|
||||||
</title><author>Ricardo Alexandre Mattar
|
</title><author>Ricardo Alexandre Mattar
|
||||||
</author><date>v1.0, 2002-12-16
|
</author><date>v1.0.1, 2002-12-24
|
||||||
</date><abstract>This documents intends to show how to build a Firewall/Gateway
|
</date><abstract>This documents intends to show how to build a Firewall/Gateway
|
||||||
with rules set on user basis having the users authenticated by a
|
with rules set on user basis having the users authenticated by a
|
||||||
Samba Primary Domain Controller.
|
Samba Primary Domain Controller
|
||||||
</abstract><sect>Introduction
|
</abstract><sect>Introduction
|
||||||
<p>As you can see by the poorness of my language, English is not
|
<p>As you can see by the poorness of my language, English is not
|
||||||
my mother language. I am writing this document in English for the
|
my native language. I am writing this document in English for the
|
||||||
sake of the Linux community. So, please, excuse me for my poor English.
|
sake of the Linux community. So, please, excuse me for my poor English.
|
||||||
And, please, if you speak Portuguese, address me in this language.
|
And, please, if you speak Portuguese, address me in this language.
|
||||||
</p><p>This document intends to enlighten you (and myself) in the process
|
</p><p>This document intends to enlighten you (and myself) in the process
|
||||||
|
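Review bot: the abstract loses its final period: `Samba Primary Domain Controller.` becomes `Samba Primary Domain Controller` with nothing between it and `</abstract>`; restore the period. While the abstract is being touched, `This documents intends to show` should read `This document intends to show`.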
@ -25,11 +25,12 @@
|
||||||
network.
|
network.
|
||||||
</p><p>Imagine that you have to build a gateway to let Windows workstation
|
</p><p>Imagine that you have to build a gateway to let Windows workstation
|
||||||
access the Internet and that you need to authenticate each user before
|
access the Internet and that you need to authenticate each user before
|
||||||
letting them access the network. The first solution you think about
|
letting them access the external networks. The first solution you
|
||||||
is Squid. Its indeed a great solution, when http and ftp access is
|
think about is Squid. Its indeed a great solution, when http and
|
||||||
enough for your users. when it comes to let them access other services
|
ftp access is enough for your users. when it comes to let them access
|
||||||
like pop, smtp, ssh, a database server or whatever else, you immediately
|
other services like pop, smtp, ssh, a database server or whatever
|
||||||
think about NAT or MASQUERADE. But what happens to the user authentication?
|
else, you immediately think about NAT or MASQUERADE. But what happens
|
||||||
|
to the user authentication?
|
||||||
</p><p>Well, this is my solution. It gives you user authentication and
|
</p><p>Well, this is my solution. It gives you user authentication and
|
||||||
fine grain control over their access to the network.
|
fine grain control over their access to the network.
|
||||||
</p><sect1>Disclaimer
|
</p><sect1>Disclaimer
|
||||||
|
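Review bot: the reflowed paragraph keeps three errors in the lines it rewrites: `Its indeed a great solution` should be `It's indeed a great solution`, `enough for your users. when it comes` needs a capital `When`, and `let Windows workstation access the Internet` should be plural `workstations`.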
@ -45,19 +46,18 @@
|
||||||
</p><p>Naming of particular products or brands should not be seen as
|
</p><p>Naming of particular products or brands should not be seen as
|
||||||
endorsements.
|
endorsements.
|
||||||
</p><sect1>New versions
|
</p><sect1>New versions
|
||||||
<p>The newest release of this document can be found at http://smbgate.sourceforge.net
|
<p>The newest release of this document can be found at <url url="http://smbgate.sourceforge.net" name="http://smbgate.sourceforge.net">
|
||||||
|
|
||||||
</p><p>Related HOWTOs can be found at the Linux Documentation Project
|
</p><p>Related HOWTOs can be found at the Linux Documentation Project
|
||||||
homepage.
|
homepage.
|
||||||
</p><sect1>Translations
|
</p><sect1>Translations
|
||||||
<p>A Portuguese version is on the way, but for moment there is only
|
<p>A Portuguese version is available. If you want to contribute,
|
||||||
this English version. If you want to contribute, be my guest.
|
please do.
|
||||||
</p><sect1>Feedback
|
</p><sect1>Feedback
|
||||||
<p>Contributions and criticism are both welcome.
|
<p>Contributions and criticism are both welcome.
|
||||||
</p><p>Corrections to my English are also very welcome!
|
</p><p>Corrections to my English are also very welcome!
|
||||||
</p><p>If you want to mail me, my account is ricardo.mattar at the computer
|
</p><p>If you want to mail me, my account is ricardo.mattar at the computer
|
||||||
named bol.com.br. You may thank this mail address format to our beloved
|
named bol.com.br. You may thank the spammers and their nice spiders
|
||||||
spammers and their nice spiders.
|
for the format of my address.
|
||||||
</p><sect1>Copyright and trademarks
|
</p><sect1>Copyright and trademarks
|
||||||
<p>Copyright (c) 2002 Ricardo Alexandre Mattar
|
<p>Copyright (c) 2002 Ricardo Alexandre Mattar
|
||||||
</p><p>Permission is granted to copy, distribute and/or modify this
|
</p><p>Permission is granted to copy, distribute and/or modify this
|
||||||
|
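Review bot: `A Portuguese version is available` gives no location for it, while the paragraph just above now wraps the release location in a `<url url="..." name="...">` element; add the same kind of link for the translation so readers can find it. Also, the sentence ending in the new `<url ...>` element has no terminating period after the element.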
@ -72,6 +72,7 @@
|
||||||
document.
|
document.
|
||||||
</p><p>Thanks to Guillaume Lelarge for helping with the revision (he
|
</p><p>Thanks to Guillaume Lelarge for helping with the revision (he
|
||||||
caught my english errors, but I insisted on a few).
|
caught my english errors, but I insisted on a few).
|
||||||
|
</p><p>Thanks to Erik Esplund for further language corrections.
|
||||||
</p><sect>Requirements
|
</p><sect>Requirements
|
||||||
<sect1>Knowledge
|
<sect1>Knowledge
|
||||||
<p>You must have a fair knowledge about (at least know what these
|
<p>You must have a fair knowledge about (at least know what these
|
||||||
|
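Review bot: `he caught my english errors` in the unchanged context line directly above the new acknowledgement still has lowercase `english`; since this commit adds a line crediting further language corrections right after it, capitalise `English` here as in the rest of the document.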
@ -80,34 +81,33 @@
|
||||||
<item>Linux netfilter;
|
<item>Linux netfilter;
|
||||||
<item>A scripting language (bash?);
|
<item>A scripting language (bash?);
|
||||||
<item>SAMBA and Windows networking and domain controllers;
|
<item>SAMBA and Windows networking and domain controllers;
|
||||||
</itemize></p><p>Fortunately, the Internet is plenty of documentation on these
|
</itemize></p><p>Fortunately, there is plenty of documentation of these topics
|
||||||
topics.
|
on the Internet.
|
||||||
</p><sect1>Software
|
</p><sect1>Software
|
||||||
<p>Installed on your server, you will need at least:
|
<p>Installed on your server, you will need at least:
|
||||||
</p><p><itemize><item>Samba;
|
</p><p><itemize><item>Samba;
|
||||||
<item>Iptables;
|
<item>Iptables;
|
||||||
<item>A scripting language;
|
<item>A scripting language;
|
||||||
</itemize></p><sect>Linux box setup
|
</itemize></p><sect>Linux box setup
|
||||||
<p>There are no important known issues up to the moment, but the
|
<p>This Howto assumes you have kernel from the 2.4 series as it
|
||||||
need of a kernel at least from 2.4 series if you intend to use iptables,
|
uses iptables. Other than that there are no know issues why this
|
||||||
like the examples in this document. If you want to use a 2.2 series
|
should not work on a 2.2 kernel box with the scripts adapted to ipchains.
|
||||||
kernel and ipchains, be my guest.
|
|
||||||
</p><p>Of course, you need to install the iptables userland tools, an
|
</p><p>Of course, you need to install the iptables userland tools, an
|
||||||
apache http server if you want to run a CGI tool to change passwords
|
apache http server if you want to run a CGI tool to change passwords
|
||||||
and SAMBA. And you will need a kernel compiled with iptables modules.
|
and SAMBA. And you will need a kernel compiled with iptables modules.
|
||||||
</p><p>You may wish to use DHCP. If so, set it up! Remember to configure
|
</p><p>You may wish to use DHCP. If so, it is easy to set up. Remember
|
||||||
the dhcp server to give the nameserver IP address and the gateway
|
to configure the dhcp server to give the nameserver IP address and
|
||||||
IP address as well. The Windows machines will make good use of this
|
the gateway IP address as well. The Windows machines will make good
|
||||||
information.
|
use of this information.
|
||||||
</p><sect1>Basic system setup
|
</p><sect1>Basic system setup
|
||||||
<p>Generally any basic system setup from commercial Linux distributions
|
<p>Generally any basic system setup from the common Linux distributions
|
||||||
will fit in this gateway example. Just check if you have Samba and
|
will fit in this gateway example. Just check if you have Samba and
|
||||||
IPTABLES.
|
IPTABLES.
|
||||||
</p><sect1>Additional directory hierarchy
|
</p><sect1>Additional directory hierarchy
|
||||||
<p>The additional directory hierarchy will be required to accomplish
|
<p>The additional directory hierarchy will be required to accomplish
|
||||||
the example of this howto:
|
the example of this howto:
|
||||||
</p><p>This is used to keep track of the users and IP addresses:
|
</p><p>This is used to keep track of the users and IP addresses:
|
||||||
</p><p><verb>/var/run/mgate/
|
</p><p><verb>/var/run/smbgate/
|
||||||
</verb></p><p>This is where I place user specific scripts:
|
</verb></p><p>This is where I place user specific scripts:
|
||||||
</p><p><verb>/etc/smbgate/users/
|
</p><p><verb>/etc/smbgate/users/
|
||||||
</verb></p><p>Directory for the netlogon share:
|
</verb></p><p>Directory for the netlogon share:
|
||||||
|
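Review bot: two slips in the rewritten kernel paragraph: `This Howto assumes you have kernel from the 2.4 series` is missing an article (`a kernel`), and `there are no know issues` should be `no known issues`. The rename from `/var/run/mgate/` to `/var/run/smbgate/` is correct and now matches the `cat /var/run/smbgate/$1` line of netlogon.sh later in this file.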
@ -142,21 +142,22 @@ echo "1" > /proc/sys/net/ipv4/ip_dynaddr
|
||||||
$IPTABLES -P FORWARD ACCEPT
|
$IPTABLES -P FORWARD ACCEPT
|
||||||
$IPTABLES -F FORWARD
|
$IPTABLES -F FORWARD
|
||||||
$IPTABLES -t nat -F
|
$IPTABLES -t nat -F
|
||||||
</verb></p><p>You will notice that this code does actually nothing, but loads
|
</verb></p><p>You will notice that this code actually does nothing, but load
|
||||||
the kernel modules related to nat and firewalling and turns the packet
|
the kernel modules related to nat and firewalling and turns the packet
|
||||||
routing on. You can place any rules there to give your gateway a
|
routing on. You can place any rules there to give your gateway a
|
||||||
standard behavior, but the big magic will be done by scripts called
|
standard behavior, but the big magic will be done by scripts called
|
||||||
by the SAMBA daemon.
|
by the SAMBA daemon.
|
||||||
</p><p>Please, remember that this code doesn't have at least a bit of
|
</p><p>Please, remember that this code doesn't have the least bit of
|
||||||
security! If security is an issue, don't use this example in production
|
security! Don't use these examples in production environments. This
|
||||||
boxes. This example intends only to be educational.
|
example intends only to be educational. You have to add a firewall
|
||||||
</p><p>You were warned!
|
configuration that suits your systems.
|
||||||
|
</p><p>You have been warned!
|
||||||
</p><sect1>SAMBA setup
|
</p><sect1>SAMBA setup
|
||||||
<p>Check if you have Samba installed. If your distribution doen't
|
<p>Check if you have Samba installed. If your distribution doesn't
|
||||||
come with Samba pre-packaged then refer to <url url="http://www.samba.org" name="http://www.samba.org"> to get the packages and
|
come with Samba pre-packaged then refer to <url url="http://www.samba.org" name="http://www.samba.org"> to get the packages and
|
||||||
for documentation on how to install Samba. Roam around their web
|
for documentation on how to install Samba. Brows around their web
|
||||||
site and learn about it. The site is plenty of documentation and
|
site and learn about it. The site has plenty of documentation and
|
||||||
maybe your LINUX distribution is also plenty of SAMBA documentation.
|
maybe your LINUX distribution also has plenty of SAMBA documentation.
|
||||||
</p><p>We will need to setup SAMBA as a Primary Domain Controller. I
|
</p><p>We will need to setup SAMBA as a Primary Domain Controller. I
|
||||||
will give an example configuration file here, but you should read
|
will give an example configuration file here, but you should read
|
||||||
the <url url="http://www.samba.org/samba/docs/Samba-HOWTO-Collection.html" name="Samba HOWTO Collection"> and learn all you can about a PDC.
|
the <url url="http://www.samba.org/samba/docs/Samba-HOWTO-Collection.html" name="Samba HOWTO Collection"> and learn all you can about a PDC.
|
||||||
|
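Review bot: the strengthened warning would be more useful if it said what is missing: the rules shown above set `$IPTABLES -P FORWARD ACCEPT`, so the gateway forwards traffic from every LAN host whether or not anyone has logged on, and the per-user line shown later (`$IPTABLES $COMMAND POSTROUTING -t nat -s $ADDRESS -o $EXTIF -j MASQUERADE`) only adds or removes a nat-table MASQUERADE rule; suggest the example set the FORWARD policy to DROP and have the user script add an ACCEPT rule for `$ADDRESS` alongside the MASQUERADE rule, or at least state this gap explicitly. Also `Brows around their web site` should be `Browse around`.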
@ -207,17 +208,16 @@ root postexec = /usr/local/bin/netlogoff.sh %u
|
||||||
</p><sect2>The netlogon and the tracking shares
|
</p><sect2>The netlogon and the tracking shares
|
||||||
<p>The netlogon share is where the Windows workstations download
|
<p>The netlogon share is where the Windows workstations download
|
||||||
the logon script from. We need this share in order to place there
|
the logon script from. We need this share in order to place there
|
||||||
a script which will tell the workstation to mount a share that we
|
a logon script, which will tell the workstation to mount a share
|
||||||
will use to track the user's ip address.
|
that will be used to track the users ip addresses.
|
||||||
</p><p>As you can see, there must be a line like the following in your
|
</p><p>As you can see, there must be a line like the following in your
|
||||||
smb.conf
|
smb.conf
|
||||||
</p><p><verb>logon script = netlogon.bat
|
</p><p><verb>logon script = netlogon.bat
|
||||||
</verb></p><p>This line will tell your Windows client to download and execute
|
</verb></p><p>This line will tell your Windows client to download and execute
|
||||||
the script named netlogon.bat. This script must be placed at the
|
the script named netlogon.bat. This script must be placed at the
|
||||||
netlogon share. So, we will also need a netlogon.bat script to your
|
netlogon share. So, we will also need a netlogon.bat script to your
|
||||||
Windows workstations. You can take the following example and create
|
Windows workstations. You can use the following example and place
|
||||||
a file, naming it NETLOGON.BAT and placing it at the netlogon share,
|
it at the netlogon share, in this case: /home/samba/netlogon/NETLOGON.BAT.
|
||||||
in this case at /home/samba/netlogon/NETLOGON.BAT.
|
|
||||||
</p><p><verb>REM NETLOGON.BAT
|
</p><p><verb>REM NETLOGON.BAT
|
||||||
net use z: \\linux\samba /yes
|
net use z: \\linux\samba /yes
|
||||||
</verb></p><p>This script will tell the Windows workstation to mount the specified
|
</verb></p><p>This script will tell the Windows workstation to mount the specified
|
||||||
|
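Review bot: `track the users ip addresses` needs a possessive: `the users' ip addresses`. The rest of the rewrite reads well.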
@ -225,8 +225,8 @@ net use z: \\linux\samba /yes
|
||||||
through the output of the smbstatus program.
|
through the output of the smbstatus program.
|
||||||
</p><p>Quite simple! But not enough...
|
</p><p>Quite simple! But not enough...
|
||||||
</p><p>As you could see, we will need also a tracking share which, in
|
</p><p>As you could see, we will need also a tracking share which, in
|
||||||
this example, I named samba. You can see at the smb.conf file the
|
this example, I named samba. You can see the tracking share configuration
|
||||||
tracking share configuration:
|
in smb.conf:
|
||||||
</p><p><verb>[samba]
|
</p><p><verb>[samba]
|
||||||
comment = login tracking share
|
comment = login tracking share
|
||||||
path = /home/samba/samba
|
path = /home/samba/samba
|
||||||
|
@ -234,11 +234,11 @@ root preexec = /usr/local/bin/netlogon.sh %u
|
||||||
root postexec = /usr/local/bin/netlogoff.sh %u
|
root postexec = /usr/local/bin/netlogoff.sh %u
|
||||||
</verb></p><p>As you can guess or know if you read the SAMBA documentation,
|
</verb></p><p>As you can guess or know if you read the SAMBA documentation,
|
||||||
the root preexec and the root postexec lines tell SAMBA to run the
|
the root preexec and the root postexec lines tell SAMBA to run the
|
||||||
indicated scripts when a user mounts and unmounts the share. In this
|
indicated scripts when a user mounts or unmounts the share. In this
|
||||||
case, we are passing the user name to the script as a parameter.
|
case, we are passing the username to the script as a parameter. Note
|
||||||
Note the %u at the end of the lines. These scripts are the
|
the %u at the end of the lines. These scripts are the beasts
|
||||||
beasts which will call a script or program to modify our gateway's
|
which will call a script or program to modify our gateway's packet
|
||||||
packet filtering rules.
|
filtering rules.
|
||||||
</p><p>Take a look at the netlogon.sh and netlogoff.sh scripts:
|
</p><p>Take a look at the netlogon.sh and netlogoff.sh scripts:
|
||||||
</p><p><verb>#!/bin/sh
|
</p><p><verb>#!/bin/sh
|
||||||
#
|
#
|
||||||
|
@ -255,7 +255,7 @@ ADDRESS=`cat /var/run/smbgate/$1`
|
||||||
/etc/smbgate/users/$1 $COMMAND $ADDRESS $EXTIF
|
/etc/smbgate/users/$1 $COMMAND $ADDRESS $EXTIF
|
||||||
</verb></p><p>This script (netlogon.sh) is intended to run when the user logs
|
</verb></p><p>This script (netlogon.sh) is intended to run when the user logs
|
||||||
in and will filter the output of smbstatus extracting the user's
|
in and will filter the output of smbstatus extracting the user's
|
||||||
ip address which will be wrote to a file at /var/run/smbgate. The
|
ip address which will be written to a file at /var/run/smbgate. The
|
||||||
file will take the user's name and will be later used when the user
|
file will take the user's name and will be later used when the user
|
||||||
log off. The address extracted will be passed as an argument to a
|
log off. The address extracted will be passed as an argument to a
|
||||||
script with the users' name which will finally update the firewall.
|
script with the users' name which will finally update the firewall.
|
||||||
|
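Review bot: `will be written to a file` is the right fix, but the surrounding lines keep two more: `when the user log off` should be `logs off`, and `a script with the users' name` should be `the user's name`. Since `/etc/smbgate/users/$1 $COMMAND $ADDRESS $EXTIF` in the context above is run by Samba's root preexec/postexec with the unquoted session username as a path component, the explanatory text should also advise quoting `"$1"` and checking that the per-user script exists and is owned by root before executing it.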
@ -288,8 +288,8 @@ IPTABLES='/usr/sbin/iptables'
|
||||||
$IPTABLES $COMMAND POSTROUTING -t nat -s $ADDRESS -o $EXTIF -j MASQUERADE
|
$IPTABLES $COMMAND POSTROUTING -t nat -s $ADDRESS -o $EXTIF -j MASQUERADE
|
||||||
</verb></p><sect>Windows workstation setup
|
</verb></p><sect>Windows workstation setup
|
||||||
<sect1>Introduction
|
<sect1>Introduction
|
||||||
<p>We will stick to setup the network, user management and policies
|
<p>We will stick to setting up the network, user management and
|
||||||
on the Windows workstations.
|
policies on the Windows workstations.
|
||||||
</p><p>I will not go through all those steps, naming each dialog box.
|
</p><p>I will not go through all those steps, naming each dialog box.
|
||||||
I will presume that if you can read and understand this document
|
I will presume that if you can read and understand this document
|
||||||
you can find your way through that mess.
|
you can find your way through that mess.
|
||||||
|
@ -299,7 +299,7 @@ IPTABLES='/usr/sbin/iptables'
|
||||||
broadcast a lot, and this doesn't please anyone. Anyway, with TCP/IP
|
broadcast a lot, and this doesn't please anyone. Anyway, with TCP/IP
|
||||||
who needs anything else?
|
who needs anything else?
|
||||||
</p><sect1>DHCP setup
|
</p><sect1>DHCP setup
|
||||||
<p>If you set a DHCP server on your Linux box, remember that Windows
|
<p>If you setup a DHCP server on your Linux box, remember that Windows
|
||||||
workstations can get the nameservers and gateway's address besides
|
workstations can get the nameservers and gateway's address besides
|
||||||
its own IP address from it. So, you don't need to set all these items
|
its own IP address from it. So, you don't need to set all these items
|
||||||
on each workstation.
|
on each workstation.
|
||||||
|
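Review bot: `If you setup a DHCP server` swaps one error for another; the verb is two words, so the line should read `If you set up a DHCP server` (the old `set a DHCP server` was also wrong).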
@ -324,16 +324,17 @@ IPTABLES='/usr/sbin/iptables'
|
||||||
will annoy you asking for a Windows password and you will become
|
will annoy you asking for a Windows password and you will become
|
||||||
nuts trying to synchronize and manage your Domain and Windows passwords.
|
nuts trying to synchronize and manage your Domain and Windows passwords.
|
||||||
It seems that the OS doesn't know that it joined a domain. You must
|
It seems that the OS doesn't know that it joined a domain. You must
|
||||||
tell it and then you must slap it in the face so it can believe you.
|
tell it and then you have to slap it in the face so it will believe
|
||||||
|
you.
|
||||||
</p><sect>User management
|
</p><sect>User management
|
||||||
<sect1>Adding users
|
<sect1>Adding users
|
||||||
<p>Adding a Linux user by usual means and setting a samba password
|
<p>Adding a Linux user by usual means and setting a samba password
|
||||||
using smbpass shall work. If you have any doubt, just refer to the
|
using smbpasswd will work. If you have any doubt, just refer to the
|
||||||
SAMBA documentation. This is not a difficult issue.
|
SAMBA documentation. This is not a difficult issue.
|
||||||
</p><sect1>Password management
|
</p><sect1>Password management
|
||||||
<p>I am issuing this as a major topic because I couldn't learn yet
|
<p>I am issuing this a major topic because I couldn't learn yet
|
||||||
how to manage users and users' passwords from a Windows workstation
|
how to manage users and users' passwords from a Windows workstation
|
||||||
without using a web interface. I could not find and didn't know how
|
without using a web interface. I couldn't find and didn't know how
|
||||||
to build integrated tools to solve this problem. So, I am using a
|
to build integrated tools to solve this problem. So, I am using a
|
||||||
CGI program to get it done.
|
CGI program to get it done.
|
||||||
</p><p>Try the package at http://changepassword.sourceforge.net/ , it
|
</p><p>Try the package at http://changepassword.sourceforge.net/ , it
|
||||||
|
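Review bot: `I am issuing this a major topic` drops the `as` from the original `I am issuing this as a major topic`; restore it. The `smbpass` to `smbpasswd` correction is right, since smbpasswd is the Samba password tool. In the unchanged context line `http://changepassword.sourceforge.net/ , it` there is a stray space before the comma.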
@ -676,4 +677,4 @@ IPTABLES='/usr/sbin/iptables'
|
||||||
to permit their use in free software.
|
to permit their use in free software.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
</article>
|
</article>
|