Port Authentication before Port Forwarding
Hi All

I'm looking to allow access to an internal web server via port forwarding, but I would like the port on the firewall to first authenticate the user.

i.e. The client connects to port 8080 on the firewall with a web browser. On connection to the port he is served with an HTML login page, preferably via SSL. If the username and password are correct, port forwarding is enabled for the client's IP address (and maybe MAC address) via IPCHAINS or IPTABLES. Once the client is finished it either logs out (i.e. the firewall rule closes the port after the client logs out) or the rule expires once the client disconnects.

Has anyone set up something similar to this or knows where I can get more info? All tips welcome.

PS. This set-up seems similar to a POP-before-SMTP config.

Thanks in advance

Steven Thompson
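The flow Steven describes (authenticate on one port, then open a per-client forwarding rule that is removed on logout or after a timeout) can be reduced to a small session table that drives iptables. The following is an added example written for this thread, not code from any of the posters. It assumes a login service on the firewall (port 8080 over TLS) calls `grant()` after a successful login, a logout handler calls `revoke()`, and a cron job or timer calls `expire()`; the internal server address `192.0.2.10:80`, the public port `80`, the chain names `GATE_NAT`/`GATE_FWD` and the 30-minute lifetime are all constructed values. The forwarded port is deliberately different from the login port, so the login page itself never has to pass through the rule it is about to create. The `run` callback exists so the logic can be exercised without root or iptables; by default it really executes the commands.

```python
"""Session-gated port forwarding driven by a login service on the firewall.

Assumed layout (constructed for this example, not from the thread):
  - login page served on the firewall, TCP 8080 over TLS
  - public port 80 on the firewall is DNATed to 192.0.2.10:80 for
    authenticated client IPs only
  - GATE_NAT (nat table) and GATE_FWD (filter table) are user chains the
    admin has created and jumped to from PREROUTING / FORWARD
"""
import ipaddress
import subprocess
import time

INTERNAL_HOST = "192.0.2.10"   # constructed: internal web server
INTERNAL_PORT = 80
PUBLIC_PORT = 80               # port clients use after logging in
SESSION_TTL = 30 * 60          # seconds before an idle session is torn down


class ForwardGate:
    def __init__(self, run=None, ttl=SESSION_TTL):
        # run(argv) executes one iptables command; tests pass a recorder instead
        self.run = run or (lambda argv: subprocess.run(argv, check=True))
        self.ttl = ttl
        self.sessions = {}     # client IPv4 address -> expiry timestamp

    def _rules(self, ip, action):
        # -A and -D use the identical rule spec, so delete matches add exactly
        return [
            ["iptables", "-t", "nat", action, "GATE_NAT",
             "-s", ip, "-p", "tcp", "--dport", str(PUBLIC_PORT),
             "-j", "DNAT", "--to-destination", f"{INTERNAL_HOST}:{INTERNAL_PORT}"],
            ["iptables", action, "GATE_FWD",
             "-s", ip, "-d", INTERNAL_HOST, "-p", "tcp",
             "--dport", str(INTERNAL_PORT), "-j", "ACCEPT"],
        ]

    def grant(self, ip, now=None):
        """Called by the login handler after a successful password check.

        The address is validated as a literal IPv4 address so that nothing
        but an address can ever reach the iptables argument list. A repeat
        login only refreshes the expiry; rules are added once per client.
        """
        ip = str(ipaddress.IPv4Address(ip))
        now = time.time() if now is None else now
        fresh = ip not in self.sessions
        self.sessions[ip] = now + self.ttl
        if fresh:
            for argv in self._rules(ip, "-A"):
                self.run(argv)
        return self.sessions[ip]

    def revoke(self, ip):
        """Called on logout; returns False if the client had no session."""
        if self.sessions.pop(ip, None) is None:
            return False
        for argv in self._rules(ip, "-D"):
            self.run(argv)
        return True

    def expire(self, now=None):
        """Called periodically; tears down sessions past their expiry."""
        now = time.time() if now is None else now
        stale = [ip for ip, exp in self.sessions.items() if exp <= now]
        for ip in stale:
            self.revoke(ip)
        return stale


if __name__ == "__main__":
    # Dry run: record the commands instead of executing them.
    log = []
    gate = ForwardGate(run=log.append, ttl=60)
    gate.grant("203.0.113.5", now=1000)      # constructed client address
    gate.expire(now=1061)
    for argv in log:
        print(" ".join(argv))
```

Two caveats a practitioner would weigh before deploying this. Gating on source IP alone means anyone sharing the client's address (the same NAT gateway, for example) inherits the session for its lifetime; a MAC match, as Steven mentions, only helps when the client is on the firewall's own segment. Boris's suggestion of SSL client certificates avoids both problems because the credential travels with every request rather than being bound to an address.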
Yup,

On 14-Aug-01 Steven Thompson wrote:
Hi All
I'm looking to allow access to an internal web server via port forwarding, but I would like the port on the firewall to first authenticate the user.
i.e. The client connects to port 8080 on the firewall with a web browser. On connection to the port he is served with an HTML login page, preferably via SSL. If the username and password are correct, port forwarding is enabled for the client's IP address (and maybe MAC address) via IPCHAINS or IPTABLES. Once the client is finished it either logs out (i.e. the firewall rule closes the port after the client logs out) or the rule expires once the client disconnects.
Hm. Technically I would be interested in how to accomplish this with ipchains/iptables and/or ipmasqadm. You would need a couple of nifty scripts for this, handled by the webserver on the fw, which IMO is not very secure. Why not give out SSL client certs and only allow connections to the domain(s) in question if the client provides the proper cert? I mean, this would save you lots of work and is reasonably safe. Read http://www.apache-ssl.org/#Digital_Certificates for more info about client certs.
Has anyone set up something similar to this or knows where I can get more info? All tips welcome.
PS. This set-up seems similar to a POP-before-SMTP config.
Thanks in advance
Steven Thompson
---
Boris Lorenz
I'm looking to allow access to an internal web server via port forwarding, but I would like the port on the firewall to first authenticate the user.
i.e. The client connects to port 8080 on the firewall with a web browser. On connection to the port he is served with an HTML login page, preferably via SSL. If the username and password are correct, port forwarding is enabled for the client's IP address (and maybe MAC address) via IPCHAINS or IPTABLES. Once the client is finished it either logs out (i.e. the firewall rule closes the port after the client logs out) or the rule expires once the client disconnects.

So, you want to use HTTP to check if somebody is allowed to use HTTP. Sounds like a chicken-and-egg problem. He already IS using HTTP when you are asking him who he is in the first place.

So you would just use the web server's security features (not an issue for this list, and it's in BOLD print in the documentation). If that is not enough and you want top-notch security, you would place a proxy server that authenticates in a DMZ and have that access the internal web server. The variations, options and gory details are plentiful and will provide for many happy hacking.
Participants (3): Boris Lorenz, Peter van den Heuvel, Steven Thompson