This sounds like a job for Proxy-man! But seriously tho' - I think Squid proxy (and others) can REQUIRE authentication before access by putting up a login box - I even heard that the new version of squid will pass-through Windows Domain Logins, otherwise the users for authenticating must/will be setup on the Proxy gateway. Squid can be configured for time of access, etc. There are no firewall rules to be added/deleted and is much more elegant...
Hope I'm not too far off base from what you were asking...

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Toal
> Sent: Thursday, March 28, 2002 11:34 AM
> To: [EMAIL PROTECTED]
> Subject: Turning routing off & on per user, dynamically. (Hotel-like system)
>
> I don't want to reinvent the wheel, so before working on this I wanted to ask if anyone has done it before. (I checked the recent archives first and can't see anything like it)
>
> We have an internal network in a public area that anyone can walk up to, and plug in a PC. The network has a Class C allocated to it and a DHCP server which will hand out those Class C addresses. The DHCP server will set up the router address to be the address of a Linux with two ether interfaces and ip chains.
>
> I want someone hooking up to the network to have NO access to the outside, *until*...
>
> the first time they use a web browser to access any outside page, it is redirected to a browser on the firewall host. That browser puts up a page requesting a username and password which it checks in some database it has access to.
>
> Once the user has been validated, the ip chains are modified to allow that host full routed access to the net. (For a specific length of time - a timer will kick off and when that time expires, another script will be run to remove the rules which permitted that IP access)
>
> This is basically the same system as some hotels run for internet access from your room, except that they ask for a credit card whereas we ask for a valid student username and password. (This is for a university environment)
>
> Has anyone done this before? If so please point me at it!
>
> thanks
>
> Graham Toal <[EMAIL PROTECTED]>
>
> PS The final system may be more complex, such as pinging the client continuously and taking down the access if he is offline for more than some minimum period, but for now what I'm looking for is the firewall config (Linux chains) to initially deny everyone outside access; then to intercept that first web access; then rules to give access to a specific IP address and later to take away access from that address. We've already written the web page that invokes an arbitrary script on the firewall once a user has successfully logged in.
>
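The four pieces Graham's PS asks for (deny everything by default, intercept the first web request, open access for one IP, take it away again on a timer) fit in one small ipchains wrapper script. The script below is an added example written for this reply; it is not code from Graham, from the original poster, or from any project. Everything in it is an assumption for illustration: eth1 is the inside (public-area) interface, the LAN is 192.0.2.0/24 with the gateway at 192.0.2.1, the login page is served by the gateway on port 8080, and `DRY_RUN=1` prints the ipchains commands instead of running them so the rule set can be inspected without a gateway.

```shell
#!/bin/sh
# Captive-portal rule management for an ipchains gateway (added example).
# Assumed layout, not from the thread:
#   INSIDE_IF  = LAN-facing interface
#   LAN_NET    = the Class C handed out by DHCP
#   GW_IP      = the gateway's LAN address, where the login page lives
#   PORTAL_PORT= port of the login web server on the gateway
#   DRY_RUN=1  = print the ipchains commands instead of executing them
LAN_NET="${LAN_NET:-192.0.2.0/24}"
GW_IP="${GW_IP:-192.0.2.1}"
INSIDE_IF="${INSIDE_IF:-eth1}"
PORTAL_PORT="${PORTAL_PORT:-8080}"
FW="${FW:-ipchains}"

# Run one firewall command, or print it when DRY_RUN=1.
fw() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s %s\n' "$FW" "$*"
    else
        "$FW" "$@"
    fi
}

# The address arrives from the web login script and this runs as root,
# so accept nothing but a plain dotted quad.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Baseline: route nothing; LAN hosts may talk to the login server, and
# any other outbound HTTP from the LAN is redirected onto it.
init_rules() {
    fw -F input
    fw -F forward
    fw -P forward DENY
    fw -A input -i "$INSIDE_IF" -p tcp -s "$LAN_NET" -d "$GW_IP" "$PORTAL_PORT" -j ACCEPT
    fw -A input -i "$INSIDE_IF" -p tcp -s "$LAN_NET" -d 0.0.0.0/0 80 -j REDIRECT "$PORTAL_PORT"
}

# Open masqueraded access for one host. The ACCEPT is inserted at the top
# of the input chain so the host's web traffic is no longer REDIRECTed.
grant_access() {
    valid_ip "$1" || { echo "grant_access: bad address '$1'" >&2; return 1; }
    fw -I input 1 -i "$INSIDE_IF" -s "$1/32" -j ACCEPT
    fw -A forward -s "$1/32" -j MASQ
}

# Delete exactly the two rules grant_access added; the host is then back
# behind the REDIRECT and the DENY policy.
revoke_access() {
    valid_ip "$1" || { echo "revoke_access: bad address '$1'" >&2; return 1; }
    fw -D input -i "$INSIDE_IF" -s "$1/32" -j ACCEPT
    fw -D forward -s "$1/32" -j MASQ
}

# Grant access and schedule its removal after $2 seconds (the "timer"
# from the original post; a real deployment would use at(1) or cron so
# the revocation survives a reboot of the gateway).
grant_timed() {
    grant_access "$1" || return 1
    ( sleep "$2"; revoke_access "$1" ) &
}

case "${1:-}" in
    init)   init_rules ;;
    grant)  grant_timed "$2" "${3:-3600}" ;;
    revoke) revoke_access "$2" ;;
esac
```

Usage: `sh portal-rules.sh init` at boot (with IP forwarding enabled in /proc/sys/net/ipv4/ip_forward), and the login CGI calls `sudo sh portal-rules.sh grant "$REMOTE_ADDR" 3600` after a successful check. Two caveats worth keeping in mind: only plain HTTP on port 80 can be intercepted this way, and a grant is keyed purely on the IP address, so a lease that moves to a different machine (or a spoofed address) inherits the access, which is why the keepalive ping in the PS, or a MAC-address check alongside the IP, is worth adding before the system goes live.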
