As you can see from the poorness of my language, English is not my native language. I am writing this document in English for the sake of the Linux community. So, please, excuse me for my poor English. And, please, if you speak Portuguese, address me in this language.
This document intends to enlighten you (and myself) in the process of building a Linux gateway or firewall which modifies its rules on demand when users log in to or out of their Windows workstations.
I should be writing an application, but I am too lazy. Hopefully when the idea is out there, people will build a few intelligently integrated packages. Meanwhile...
In this document, I will try to show how to build a gateway to NAT or MASQUERADE Windows workstations. Use your imagination to modify it to get any level of network management. You may use it to grant or deny access to services, servers or entire subnetworks on your network.
Imagine that you have to build a gateway to let Windows workstations access the Internet, and that you need to authenticate each user before letting them access the external networks. The first solution you think about is Squid. It is indeed a great solution when http and ftp access is enough for your users. When it comes to letting them access other services like pop, smtp, ssh, a database server or whatever else, you immediately think about NAT or MASQUERADE. But what happens to the user authentication?
Well, this is my solution. It gives you user authentication and fine-grained control over their access to the external networks.
We know that SAMBA can act as a Domain Controller and so it can authenticate users on Windows boxes. As a PDC, SAMBA can push netlogon scripts to the Windows workstations. We can use these netlogon scripts to force the Windows workstations to mount a given share from our Linux PDC. This "forced" share shall have preexec and postexec scripts which shall be triggered when the user logs in or out. There is a program named smbstatus which lists the shares being used, and which also gives us the username and IP address of the workstation. We just need to grep this information from the smbstatus output and update our firewall rules.
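The following is an added example (not a script from this HOWTO) of the "grep smbstatus and update the firewall" step. It assumes a forced share named "auth", an internal interface eth0, an external interface eth1, a dedicated iptables chain SMB_USERS that FORWARD jumps to, and a constructed smbstatus -S sample; it only prints the iptables commands, and it refuses usernames and addresses that are not well formed so nothing from smbstatus reaches the command line unchecked.

```shell
#!/bin/sh
# Assumed (hypothetical) names: share "auth", chain SMB_USERS, eth0 LAN, eth1 WAN.
FORCED_SHARE="auth"
LAN_IF="eth0"
WAN_IF="eth1"
CHAIN="SMB_USERS"   # create once: iptables -N SMB_USERS; iptables -A FORWARD -j SMB_USERS

# Constructed sample in the "smbstatus -S" layout: two users on the forced
# share, one user on another share, and one malformed line that must be ignored.
SAMPLE_SMBSTATUS='Samba version 2.2.8a
Service      uid      gid      pid     machine
----------------------------------------------
auth         ricardo  users     1201   ws01     (192.168.1.10) Sat Jan  4 09:12:31 2003
public       maria    users     1202   ws02     (192.168.1.11) Sat Jan  4 09:13:02 2003
auth         jose     users     1203   ws03     (192.168.1.12) Sat Jan  4 09:14:45 2003
auth         evil;rm  users     1204   ws04     (not.an.ip)    Sat Jan  4 09:15:00 2003
'

# Read smbstatus output on stdin, print "user ip" for each connection to the
# forced share; accept only [a-z0-9._-] usernames and dotted-quad addresses.
active_sessions() {
    awk -v share="$FORCED_SHARE" '
        $1 == share && $2 ~ /^[a-z0-9._-]+$/ {
            ip = $6; gsub(/[()]/, "", ip)
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $2, ip
        }'
}

# Print the iptables commands that grant (add) or revoke (del) forwarding and
# masquerading for one workstation; the logout hook calls it with "del".
nat_rule() {
    action="$1"; user="$2"; ip="$3"
    case "$action" in
        add) flag="-A" ;;
        del) flag="-D" ;;
        *) echo "usage: nat_rule add|del user ip" >&2; return 1 ;;
    esac
    echo "iptables $flag $CHAIN -i $LAN_IF -o $WAN_IF -s $ip -j ACCEPT  # $user"
    echo "iptables -t nat $flag POSTROUTING -o $WAN_IF -s $ip -j MASQUERADE  # $user"
}

# Rules for everybody currently connected to the forced share.
rules_for_logins() {
    printf '%s' "$SAMPLE_SMBSTATUS" | active_sessions | while read user ip; do
        nat_rule add "$user" "$ip"
    done
}

rules_for_logins
```

On a real gateway, replace the sample with `smbstatus -S | active_sessions` and pipe the printed commands into sh; the same parser, called with "del", serves the postexec script.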
No liability for the contents of this document can be accepted. Use the concepts, examples and other content at your own risk. As this is a new edition of this document, there may be errors and inaccuracies, that may of course be damaging to your system. Proceed with caution, and although this is highly unlikely, the author(s) do not take any responsibility for that.
All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark.
Naming of particular products or brands should not be seen as endorsements.
The newest release of this document can be found at http://ram.eti.br or at http://www.tldp.org
Related HOWTOs can be found at the Linux Documentation Project homepage at http://tldp.org.
A Portuguese version is available.
A French translation by Guillaume Lelarge is available at http://www.traduc.org
A Hungarian translation is available at http://tldp.fsf.hu
If you want to contribute a translation, please do.
Contributions and criticism are both welcome.
Corrections to my English are also very welcome!
If you find any bugs in the scripts included, please tell me.
You can find me at ricardo@ram.eti.br or at ricardo.mattar@bol.com.br
Copyright (c) 2002-2003 Ricardo Alexandre Mattar
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".
Thanks to Carlos Alberto Reis Ribeiro for introducing me to Linux.
Thanks to Cesar Bremer Pinheiro for motivating me to write this document.
Thanks to Guillaume Lelarge for the (continuous) help with the revision.
Thanks to Erik Esplund for further language corrections.
Thanks to Albert Teixidó for code improvements.
Thanks to Felipe Cordeiro Caetano for helping on my main testing site.
Thanks to the secure communications company RASEAC for sponsoring my work.