First release: Oct 25, 2001
Last modified: Oct 9, 2004
In some sites, we need to control the access between different networks by user authentication. Normally, firewalls provide the capability of filtering IP packets by host authorization, by port number, etc. However, they do not provide access control by user authentication.
This program `authipgate' is a very simple (probably the simplest) implementation of Authenticating Gateway [1,2,3]. You can change the workstation router running Linux into Authenticating Gateway by authipgate. The program utilizes ipchains (kernel 2.2) or iptables (kernel 2.4) [4,5] which is commonly built into the Linux kernel. Suppose a user is using a WS/PC named `client1'. The authipgate works as follows.
iptables -A FORWARD -j ACCEPT -d client1 iptables -A FORWARD -j ACCEPT -s client1Now the user can access to the network transparently over the gateway.
iptables -D FORWARD -j ACCEPT -s client1 iptables -D FORWARD -j ACCEPT -d client1
Possible applications are as follows.
Since the algorithm is not very efficient nor elegant,
it is not a good idea to run users' application programs on
the gateway workstation.
The workstation should be specialized for the Authenticating Gateway.
(Even for a normal gateway, users should not be allowed to
run application programs on the gateway for security reasons.)
I have designed the program as simple as possible, since I do not like to modify the login processes of the operating system. I do not like to be bound to Linux. If another OS is equipped with the firewall whose rules can be dynamically configured, one may be able to make similar program for the OS based on authipgate quite easily.
You can freely use, distribute or modify this program, create a new program based on it, or incorporate it into your codes, all without fee. This program is provided ``AS IS''. The author is not responsible for any damage caused by this program.
NAT (NAPT) mode is available in authipgate-1.3 or newer versions.
In some sites, we need to let the gateway workstation work as a NAT box rather than a normal IP forwarding gateway. If USE_NAPT="yes" is specified in ``aipgd'' (a script in authipgate), NAPT (Network Address/Port Translation) feature will be turned on. All the clients will be observed as if they had the same IP address as the uplink port of the gateway from the outer networks.
Note that this feature should NOT be used in the sites where the administrator cannot trust the clients, because it will be difficult for the administrator to track the bad clients if NAPT is used. In a school for example: if a student did something wrong over the Internet and the administrator received a complaint from someone outside, the administrator or teachers would need to track the student and give an appropriate direction to the student. IP address can be a very important information for such trackings.
Extremely Restricted Shell (exrsh) is included in the package (>= v1.4). This program allows the normal users to use only a limited set of commands such as logout, exit, passwd, who, etc.
``exrsh'' can be used as an alternative login shell on the Authenticating Gateway. ``exrsh'' is useful for protecting the gateway from the abuses or the internal destructions by users.
Installation is very easy.
% tar zxf authipgate-1.5.tgz % cd authipgate-1.5 % make # make install (Customize /usr/local/sbin/aipgd .)
See INSTALLATION in the package for the details.
authipgate is currently designed to work under RedHat-based Linuxes. The program has been tested under the following operating systems.
The former version 1.4 was tested under the following operating systems.