Linux Authentification Gateway

  • Description
  • Authgateway Server
  • Authgateway Clients
  • Downloads
  • Author
  • Installation

    There are two ways to install the AuthGateway server: from source, or using precompiled binaries.

    Using binaries

    I distribute my binaries in two forms: a tar.gz archive and a Debian package (.deb). Both are compiled on the Debian testing branch.

    1. Download authgwd-x.x.x.x-i386.deb or authgwd-x.x.x.x-i386.tar.gz.
    2. If you are using the .deb package, run dpkg -i authgwd-x.x.x.x-i386.deb; otherwise run tar -C / -zxvf authgwd-x.x.x.x-i386.tar.gz

    Using sources

    1. Download authgwd-x.x.x.x-src.tar.gz.
    2. Create an "authgw" directory in /usr/src/: mkdir /usr/src/authgw
    3. Unpack the source archive into it: tar -C /usr/src/authgw/ -zxvf authgwd-x.x.x.x-src.tar.gz
    4. Change to that directory: cd /usr/src/authgw
    5. Type make all
    6. Type make install

    Post installation steps

    1. Edit the configuration file /etc/authgwd.conf (see the Configuration chapter for full information about the settings).
    2. Create iptables chains if you need them. For example, you can create three chains for three different access levels:
       iptables -N DYNRULE_1
       iptables -N DYNRULE_2
       iptables -N DYNRULE_3
       In this example we will pass clients to different networks according to their access level (see the Description chapter). In the simple case you need only one chain. After that, create INPUT or FORWARD rules, for example:
       iptables -I FORWARD 11 -i eth0 -s 172.17.0.0/16 -d 1.1.1.0/24 -j DYNRULE_1
       iptables -I FORWARD 12 -i eth0 -s 172.17.0.0/16 -d 1.1.2.0/24 -j DYNRULE_2
       iptables -I FORWARD 13 -i eth0 -s 172.17.0.0/16 -d 1.1.3.0/24 -j DYNRULE_3
    3. Create an iptables chain for incoming connections to the AuthGateway listener (see the port in the Configuration chapter):
       iptables -N AUTHGW_IN
       iptables -A AUTHGW_IN -j ACCEPT
       iptables -I INPUT 10 -s 172.17.0.0/16 -i eth0 -p tcp --dport 9034 -j AUTHGW_IN
    4. Edit the bash scripts in /usr/share/authgwd/* (the default path; you can change it in the config file, but this is not recommended) for your new rules. For our example they may look like this:
      /usr/share/authgwd/ruleflush (script for flushing all dynamic rules when the daemon restarts):
      #!/bin/bash
      # Empty every chain that holds dynamic per-client rules.
      echo "Flushing DYNRULE_1"
      iptables -F DYNRULE_1
      echo "Flushing DYNRULE_2"
      iptables -F DYNRULE_2
      echo "Flushing DYNRULE_3"
      iptables -F DYNRULE_3
      echo "Flushing AUTHGW_IN"
      iptables -F AUTHGW_IN
      exit 0
      /usr/share/authgwd/ruleinsert (script for creating a new dynamic rule):
      #!/bin/bash
      # Arguments passed by the daemon: $1 client IP, $2 socket, $3 user name,
      # $4 access level (selects the chain DYNRULE_<level>).
      # Allow the client through its access-level chain ...
      iptables -A "DYNRULE_$4" -p all -s "$1" -m comment --comment "socket: $2, user: $3" -j ACCEPT
      # ... and drop further connections from it to the listener (see Notes).
      iptables -I AUTHGW_IN 1 -p all -s "$1" -m comment --comment "socket: $2, user: $3" -j DROP
      exit 0
      /usr/share/authgwd/ruledelete (script for deleting a dynamic rule):
      #!/bin/bash
      # Same arguments as ruleinsert; the rule specs must match exactly for -D to find them.
      iptables -D "DYNRULE_$4" -p all -s "$1" -m comment --comment "socket: $2, user: $3" -j ACCEPT
      iptables -D AUTHGW_IN -p all -s "$1" -m comment --comment "socket: $2, user: $3" -j DROP
      exit 0
      /usr/share/authgwd/ruleshow (script for showing status):
      #!/bin/bash
      echo "DYNRULE_1 -------------------------------------------------------------------------------------------------------------------------------------"
      iptables -L DYNRULE_1 -n -v --line-numbers
      echo "DYNRULE_2 -------------------------------------------------------------------------------------------------------------------------------------"
      iptables -L DYNRULE_2 -n -v --line-numbers
      echo "DYNRULE_3 -------------------------------------------------------------------------------------------------------------------------------------"
      iptables -L DYNRULE_3 -n -v --line-numbers
      echo "Process Info: ---------------------------------------------------------------------------------------------------------------------------------"
      echo "USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND"
      # Show the daemon's own process, hiding the shell scripts it spawns and the grep itself.
      ps axu | grep authgwd | grep -v "/bin/bash" | grep -v grep
      echo "Active sockets: -------------------------------------------------------------------------------------------------------------------------------"
      netstat -antp | grep authgwd
      echo "-----------------------------------------------------------------------------------------------------------------------------------------------"
      exit 0
    5. That is all. Now start AuthGateway: /etc/init.d/authgw start
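    The ruleinsert and ruledelete scripts above pass the four values they receive straight into iptables. The following function library is an added example, not part of the AuthGateway distribution; it assumes an install path of /usr/share/authgwd/rulelib and checks that the client IP, socket id, user name and access level are well formed before any rule is built, so a malformed value is rejected instead of producing an unintended rule. Setting IPTABLES=echo lets you dry-run the generated rules without root.

```shell
#!/bin/bash
# Added example: argument-checking library for the AuthGateway rule scripts.
# Assumed install path: /usr/share/authgwd/rulelib. ruleinsert/ruledelete then
# become:  . /usr/share/authgwd/rulelib; rule_insert "$@"   (or rule_delete).
# Arguments, as in the original scripts: $1 client IP, $2 socket id,
# $3 user name, $4 access level (selects chain DYNRULE_<level>).
# Set IPTABLES=echo to dry-run the generated rules without root.
IPTABLES="${IPTABLES:-iptables}"

# Dotted-quad IPv4 address, every octet 0..255, nothing else allowed.
valid_ipv4() {
    case "$1" in ""|*[!0-9.]*) return 1 ;; esac
    local IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# User name: a conservative character set, at most 64 characters, so the
# value goes into the iptables comment exactly as given.
valid_user() {
    case "$1" in ""|*[!A-Za-z0-9._@-]*) return 1 ;; esac
    [ ${#1} -le 64 ]
}

# All four arguments present and well formed (socket id and level numeric).
rule_args_ok() {
    [ $# -eq 4 ] || return 1
    valid_ipv4 "$1" || return 1
    case "$2" in ""|*[!0-9]*) return 1 ;; esac
    valid_user "$3" || return 1
    case "$4" in ""|*[!0-9]*) return 1 ;; esac
}

rule_insert() {
    rule_args_ok "$@" || { echo "ruleinsert: rejected arguments: $*" >&2; return 2; }
    "$IPTABLES" -A "DYNRULE_$4" -p all -s "$1" -m comment --comment "socket: $2, user: $3" -j ACCEPT &&
    "$IPTABLES" -I AUTHGW_IN 1 -p all -s "$1" -m comment --comment "socket: $2, user: $3" -j DROP
}

rule_delete() {
    rule_args_ok "$@" || { echo "ruledelete: rejected arguments: $*" >&2; return 2; }
    "$IPTABLES" -D "DYNRULE_$4" -p all -s "$1" -m comment --comment "socket: $2, user: $3" -j ACCEPT
    "$IPTABLES" -D AUTHGW_IN -p all -s "$1" -m comment --comment "socket: $2, user: $3" -j DROP
}
```

Unlike the original scripts, the functions return a non-zero status when iptables fails, so a calling script can log the failure instead of always exiting 0.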

    Notes:

    1. For all of these actions you need root privileges.
    2. We use the AUTHGW_IN chain to prevent duplicate connections from a client. It is not necessary, but recommended. When a user is authenticated we add a DROP rule for his address at the top of this chain; when he disconnects we remove this rule.
    3. For this daemon to work you need the libconfuse library installed on your system. If you build AuthGateway from source you also need the development files for the libconfuse and libc6 libraries.