RE: [suse-security] Port Authentication before Port Forwarding
> I'm looking to allow access to an internal web server via port forwarding, but I would like the port on the firewall to first authenticate the user.

Nope, that's not what you want to do. Port forwarding is performed by the kernel, but the kernel doesn't authenticate; that is performed by user-space applications such as PAM. In fact, a TCP or UDP 'port' is nothing but a logical construct: it's a 16-bit identification number, nothing more, nothing less. When a process transfers data via TCP/IP, it needs a TCP or UDP port so that it can be distinguished from other processes on the same machine. That's all there is to ports, basically. A port is *not* a program. There are programs listening on some of the ports on a system. And port forwarding is an additional option, but the kernel does nothing but modify the IP and TCP/UDP/ICMP headers when port forwarding them.

> i.e. The client connects to port 8080 on the firewall with a web browser. On connection to the port he is served with an HTML login page, preferably via SSL. If the username and password are correct, the port forwarding is enabled for the client's IP address and maybe MAC address via IPCHAINS or IPTABLES. Once the client is finished, it either logs out (i.e. the firewall rule closes the port after the client logs out or expires once the client disconnects).

What you want to do is typically called reverse proxying. You need a Web proxy on the firewall that is able to authenticate your users and subsequently act on their behalf on the real Web server. Since you want SSL support and a specific HTML page, you should probably go for Apache with mod_proxy and mod_ssl. I don't know which authentication modes are possible with other add-ins, but mod_ssl should allow you to operate with client certificates, and HTTP basic authentication is probably built into Apache already.

> Has anyone set up something similar to this or knows where I can get more info? All tips welcome.
>
> PS. This set-up seems similar to a POP before SMTP config.

No, it's very much different.

Cheers,
Tobias
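The reverse-proxy set-up Tobias describes, as an added example that is not part of the original thread: Apache (2.4 directive syntax) on the firewall listens on 8080 with SSL, authenticates the user with HTTP Basic auth, and only then fetches pages from the internal server on the user's behalf. The hostname, certificate paths, htpasswd file and internal server address 192.0.2.10 are assumptions.

```apache
# Added example, not from the thread. Assumed values: fw.example.org,
# the certificate/key paths, the htpasswd file and the internal server
# address 192.0.2.10.
# Modules needed: mod_ssl, mod_proxy, mod_proxy_http, mod_auth_basic,
# mod_authn_file, mod_authz_core.

Listen 8080

<VirtualHost *:8080>
    ServerName fw.example.org

    # TLS, so the Basic-auth credentials are not sent in the clear.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/fw.example.org.crt
    SSLCertificateKeyFile /etc/apache2/ssl/fw.example.org.key

    # Optional stronger variant mentioned in the reply: require a client
    # certificate issued by your own CA instead of (or on top of) a password.
    # SSLVerifyClient require
    # SSLCACertificateFile /etc/apache2/ssl/internal-ca.crt

    # Reverse proxy only: ProxyRequests Off keeps this from becoming an
    # open forward proxy reachable from the outside.
    ProxyRequests Off
    ProxyPreserveHost On

    <Location "/">
        # Authentication is done here, in user space, before any request
        # is relayed to the internal server. The user file is created
        # with htpasswd(1).
        AuthType Basic
        AuthName "Internal web server"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/htpasswd.internal
        Require valid-user

        # Only authenticated requests reach this point; Apache, not the
        # kernel, forwards them and rewrites Location headers on the way back.
        ProxyPass        "http://192.0.2.10/"
        ProxyPassReverse "http://192.0.2.10/"
    </Location>
</VirtualHost>
```

Unlike a port-forwarding rule, the internal server is never reachable directly from the client's address; every request passes through the proxy's authentication check, and the access log on the firewall records who fetched what.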