Last modified: Aug 11, 2001

Simple Authenticating Gateway for Linux

Description

In some sites, we need to control the access between different networks by user authentication. Normally, firewalls provide the capability of filtering IP packets by host authorization, by port number, etc. However, they do not provide access control by user authentication.

This program `authipgate' is a very simple implementation of Authenticating Gateway. You can turn the workstation router running Linux into Authenticating Gateway by authipgate. The program utilizes ipchains (kernel 2.2) or iptables (kernel 2.4) which is commonly built into in the Linux kernel. Suppose a user is using a WS/PC named `client1'. The authipgate works as follows.

• As far as the user does not login to the Authenticating Gateway, all packets from client1 are blocked and are never forwarded to the network over the gateway.
• authipgate checks utmp file every few minutes. If the user logins to the gateway, authipgate issues the following commands to open a channel for the host client1.

    ipchains -A forward -j ACCEPT -d client1
    ipchains -A forward -j ACCEPT -s client1
  

  Now the user can access to the network transparently over the gateway.
• Within a few seconds after the user has logged out the gateway, authipgate issues the following commands to shut the channel.

    ipchains -D forward -j ACCEPT -s client1
    ipchains -D forward -j ACCEPT -d client1
  

Since the algorithm is not very efficient nor elegant, it is not a good idea to run users' application programs on the gateway workstation. The workstation should be specialized for the Authenticating Gateway.
(Even for a normal gateway, users should not be allowed to run application programs on the gateway for security reasons.)

I have designed the program as simple as possible, since I did not like to modify the login processes of the operating system. I do not like to be bound to Linux. If another OS is equipped with the firewall whose rules can be dynamically configured, one may be able to make similar program for the OS based on authipgate quite easily.

Source Package

You can freely use, distribute or modify this program, create a new program based on it, or incorporate it into your codes, all without fee. This program is provided ``AS IS''. The author is not responsible for any damage caused by this program.

• authipgate-1.2.tgz  (Aug 9, 2001)

Installation

Installation is very easy.

  % tar zxf authipgate-1.2.tgz
  % cd authipgate-1.2
  % make
  # make install

See INSTALLATION in the package for the details.

Testing Environments

authipgate is currently designed to work under RedHat-based Linuxes. The program has been tested under the following operating systems.

• Vine Linux 2.1CR  (kernel 2.2.17, on IA32)
• Kondara MNU/Linux 2.0  (kernel 2.4.4, on IA32)

Security Notes

• Authentication is made using user ID, but the permission is given to the host which the user is using (just like PPP).
• The communication channel remains open as far as the user's session is alive. If the user disconnect the WS/PC from the network without logging out, another person may be able to get through the gateway using the same IP address. Users must pay attention to their sessions' status.
• Are you still using telnet?
  telnet session is insecure and is easily be hijacked. This means that the communication channel will be easily hijacked as well if you use telnet. Let's use a secure session.