
3. Linux box setup

This Howto assumes you have a kernel from the 2.4 series, as it uses iptables. Other than that, there are no known issues that would keep this from working on a 2.2 kernel box with the scripts adapted to ipchains.

Of course, you need to install the iptables userland tools, an Apache HTTP server if you want to run a CGI tool to change passwords, and SAMBA. You will also need a kernel compiled with the iptables modules.

You may wish to use DHCP. If so, it is easy to set up. Remember to configure the dhcp server to give the nameserver IP address and the gateway IP address as well. The Windows machines will make good use of this information.

3.1 Basic system setup

Generally any basic system setup from the common Linux distributions will fit in this gateway example. Just check if you have Samba and IPTABLES.

3.2 Additional directory hierarchy

The following additional directories are required to follow the example in this howto:

This is used to keep track of the users and IP addresses:

/var/run/smbgate/

This is where I place user specific scripts:

/etc/smbgate/users/

Directory for the netlogon share:

/home/samba/netlogon/

Directory for the tracking share:

/home/samba/samba/

These hierarchies are required by some of the scripts and daemons of the example.

3.3 Firewall setup

It is very unlikely that your distribution's kernel is not compiled with iptables support or that the userland tools are not installed. If you don't have them anyway, refer to http://www.netfilter.org or http://www.iptables.org to get the software and the documentation.

You will need a basic firewall setup in order to get the gateway working. Take a look at the iptables tutorial at IPTABLES TUTORIAL; it is interesting reading. If you have no time to spend, the following script is somewhat (very) loose, but it may fit your needs:

#!/bin/sh
IPTABLES=/usr/sbin/iptables
# Load the netfilter, connection tracking and NAT modules (plus the FTP and
# IRC helpers) so the per-user MASQUERADE rules can be added later.
/sbin/depmod -a
/sbin/insmod ip_tables
/sbin/insmod ip_conntrack
/sbin/insmod ip_conntrack_ftp
/sbin/insmod ip_conntrack_irc
/sbin/insmod iptable_nat
/sbin/insmod ip_nat_ftp
# Turn packet forwarding on; ip_dynaddr helps with dial-up links whose
# address changes (the example uses ppp0 as the external interface).
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Default policy ACCEPT and empty chains: nothing is filtered at all.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

You will notice that this script actually does nothing but load the kernel modules related to NAT and firewalling and turn packet forwarding on. You can place any rules there to give your gateway a standard behavior, but the big magic will be done by the scripts called by the SAMBA daemon.

Please, remember that this code doesn't have the least bit of security! Don't use these examples in production environments. This example intends only to be educational. You have to add a firewall configuration that suits your systems.

You have been warned!

3.4 SAMBA setup

Check if you have Samba installed. If your distribution doesn't come with Samba pre-packaged, refer to http://www.samba.org to get the packages and for documentation on how to install Samba. Browse around their web site and learn about it. The site has plenty of documentation, and your LINUX distribution probably ships plenty of SAMBA documentation as well.

We will need to set up SAMBA as a Primary Domain Controller. I will give an example configuration file here, but you should read the Samba HOWTO Collection and learn all you can about a PDC.

Basic SAMBA setup.

Since I do not intend to rewrite the SAMBA documentation, here is a sample smb.conf file:

# Global parameters
[global]
workgroup = DOMAIN
netbios name = LINUX
server string = Linux PDC
encrypt passwords = Yes
map to guest = Bad Password
passwd program = /usr/bin/passwd
unix password sync = Yes
max log size = 50
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
logon script = netlogon.bat
domain logons = Yes
os level = 64
lm announce = True
preferred master = True
domain master = True
dns proxy = No
printing = lprng
[homes]
comment = Home Directories
path = /home/%u
read only = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
available = No
[netlogon]
comment = NetLogon Share
path = /home/samba/netlogon
guest account = 
[samba]
comment = login tracking share
path = /home/samba/samba
root preexec = /usr/local/bin/netlogon.sh %u
root postexec = /usr/local/bin/netlogoff.sh %u

You will have to make do with it or read the SAMBA documentation if you really want to control your server and network.

The netlogon and the tracking shares

The netlogon share is where the Windows workstations download the logon script from. We need this share in order to place a logon script there, which will tell the workstation to mount a share that will be used to track the users' IP addresses.

As you can see, there must be a line like the following in your smb.conf:

logon script = netlogon.bat

This line tells your Windows client to download and execute the script named netlogon.bat. This script must be placed in the netlogon share. So we will also need a netlogon.bat script for your Windows workstations. You can use the following example and place it in the netlogon share, in this case at /home/samba/netlogon/NETLOGON.BAT.

REM NETLOGON.BAT
net use z: \\linux\samba /yes

This script will tell the Windows workstation to mount the specified share, and so we will be able to keep track of the user and workstation through the output of the smbstatus program.

Quite simple! But not enough...

As you could see, we will also need a tracking share, which in this example I named samba. You can see the tracking share configuration in smb.conf:

[samba]
comment = login tracking share
path = /home/samba/samba
root preexec = /usr/local/bin/netlogon.sh %u
root postexec = /usr/local/bin/netlogoff.sh %u

As you can guess (or know, if you read the SAMBA documentation), the root preexec and root postexec lines tell SAMBA to run the indicated scripts, as root, when a user mounts or unmounts the share. In this case, we are passing the username to the script as a parameter; note the %u at the end of the lines. These scripts are the beasts which will call a script or program to modify our gateway's packet filtering rules.

Take a look at the netlogon.sh and netlogoff.sh scripts:

#!/bin/sh
#
# netlogon.sh
#
# usage:
# netlogon.sh <username>
#
# Run by Samba (root preexec) when the user connects to the tracking share.
# Pick the smbstatus line for this user on the "samba" share; field 6 is the
# client address in parentheses, which gawk strips before the address is
# saved under the user's name for netlogoff.sh. grep -w matches whole words,
# so a user called "al" does not also match "alice".
smbstatus | grep -w "$1" | grep -w samba | gawk '// { print substr($6,2,length($6)-2)}' > "/var/run/smbgate/$1"
IPTABLES='/usr/sbin/iptables'
EXTIF='ppp0'
COMMAND='-A'
ADDRESS=`cat "/var/run/smbgate/$1"`
# Do not touch the firewall if no address could be extracted.
[ -n "$ADDRESS" ] || exit 1
# The per-user script holds the actual iptables rule.
"/etc/smbgate/users/$1" "$COMMAND" "$ADDRESS" "$EXTIF"

This script (netlogon.sh) is intended to run when the user logs in. It filters the output of smbstatus, extracting the user's IP address, which is written to a file in /var/run/smbgate named after the user; that file will be used later when the user logs off. The extracted address is passed as an argument to a script named after the user, which will finally update the firewall.
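The address extraction above hinges on one smbstatus line. The following added example (not the HOWTO's own code) parses the same old Samba 2.x smbstatus layout the page relies on, but compares whole fields, so a username that is a prefix of another one cannot pick the wrong line; the smbstatus output is constructed sample text, and record_user_ip is a hypothetical drop-in for the first line of netlogon.sh.

```shell
#!/bin/sh
# Constructed smbstatus output in the Samba 2.x layout the page expects:
#   Service uid gid pid machine (ip) date...   (field 6 is the bracketed IP)
# "al" is a prefix of "alice", so the page's "grep $1" would match both users.
SAMPLE_SMBSTATUS='Samba version 2.2.8a
Service      uid      gid      pid     machine
----------------------------------------------
homes        alice    users    1202    ws02     (192.168.1.22) Mon Jun  2 09:11:11 2003
samba        alice    users    1203    ws02     (192.168.1.22) Mon Jun  2 09:11:12 2003
samba        al       users    1201    ws01     (192.168.1.21) Mon Jun  2 09:10:11 2003'

# user_ip USER SHARE TEXT: print the IP of USER's connection to SHARE,
# comparing whole fields instead of substrings; fail if there is none.
user_ip() {
    while read -r svc uid gid pid machine addr rest; do
        if [ "$svc" = "$2" ] && [ "$uid" = "$1" ]; then
            addr=${addr#\(}       # strip the surrounding parentheses
            addr=${addr%\)}
            printf '%s\n' "$addr"
            return 0
        fi
    done <<EOF
$3
EOF
    return 1
}

# Hypothetical replacement for the first line of netlogon.sh: record the
# address, or leave no file behind when the user has no tracking-share session.
record_user_ip() {
    ip=$(user_ip "$1" samba "$(smbstatus)") || return 1
    printf '%s\n' "$ip" > "/var/run/smbgate/$1"
}
```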

#!/bin/sh
#
# netlogoff.sh
#
# usage:
# netlogoff.sh <username>
#
# Run by Samba (root postexec) when the user disconnects from the tracking
# share. Re-read the address saved by netlogon.sh and ask the per-user
# script to delete (-D) the rule it added, then forget the address.
IPTABLES='/usr/sbin/iptables'
EXTIF='ppp0'
COMMAND='-D'
ADDRESS=`cat "/var/run/smbgate/$1"`
[ -n "$ADDRESS" ] || exit 1
"/etc/smbgate/users/$1" "$COMMAND" "$ADDRESS" "$EXTIF"
rm -f "/var/run/smbgate/$1"

This script (netlogoff.sh) is intended to run when the user logs off. It reads the address from the /var/run/smbgate/user file and passes it as an argument to the /etc/smbgate/users/user script, which updates the firewall to the state desired when the user is not logged in.

The following is a standard /etc/smbgate/users/user script. This is the one which will actually modify the firewall rules.

#!/bin/sh
#
# /etc/smbgate/users/<user>: add (-A) or delete (-D) the masquerading rule
# for this user's client address on the external interface.
COMMAND=$1
ADDRESS=$2
EXTIF=$3
IPTABLES='/usr/sbin/iptables'
"$IPTABLES" "$COMMAND" POSTROUTING -t nat -s "$ADDRESS" -o "$EXTIF" -j MASQUERADE
