3. Setting up the Gateway Services

This section describes how to setup each piece of the authentication gateway. The examples used are for a private public network in the subnet. eth0 is the interface on the box that is connected to the internal network. eth1 is the interface connected to the public network. The IP address used for this interface is These settings can be changed to fit the network you are using. Red Hat 7.1 was used for the gateway box, so a lot of the examples are specific to Red Hat.

3.1. Netfilter Setup

To setup netfilter the kernel must be recompiled to include netfilter support. Please see the Kernel-HOWTO for more information on configuring and compiling your kernel.

This is what my kernel configuration looked like.

   # Networking options
   # CONFIG_PACKET_MMAP is not set
   # CONFIG_NETLINK is not set
   # CONFIG_IP_PNP is not set
   # CONFIG_NET_IPIP is not set
   # CONFIG_NET_IPGRE is not set
   # CONFIG_IP_MROUTE is not set
   # CONFIG_INET_ECN is not set
   # CONFIG_SYN_COOKIES is not set

   #   IP: Netfilter Configuration

iptables needs to be installed. To install iptables either use a package from your distribution or install from source. Once the above options were compiled in the new kernel and iptables was installed, I set the following default firewall rules.

   iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
   iptables -A INPUT -i eth0 -m state --state NEW, INVALID -j DROP
   iptables -A FORWARD -i eth0 -m state --state NEW, INVALID -j DROP
   iptables -I FORWARD -o eth0 -j DROP
   iptables -I FORWARD -s -d -j ACCEPT

The above commands can also be put in an initscript to start up when the server restarts. To make sure the rules have been added issue the following commands:

   iptables -v -t nat -L
   iptables -v -t filter -L

To save these rules I used Red Hat's init scripts.

   /etc/init.d/iptables save
   /etc/init.d/iptables restart

Once the rules are in place turn on IP forwarding by executing this command.

   echo 1 > /proc/sys/net/ipv4/ip_forward

To make sure ip forwarding is enabled when the machine restarts add the following line to /etc/sysctl.conf.

   net.ipv4.ip_forward = 1

Now the gateway box will be able to do network address translation (NAT), but it will drop all forwarding packets except those coming from within the public network and bound for the gateway.

3.2. PAM iptables Module

This module is a PAM session module that inserts the firewall rule needed to allow forwarding for the authenticated client. To set it up simply get the source and compile it by running the following commands.

   gcc -fPIC -c pam_iptables.c
   ld -x --shared -o pam_iptables.so pam_iptables.o

You should now have two binaries called pam_iptables.so and pam_iptables.o. Copy pam_iptables.so to /lib/security/pam_iptables.so.

   cp pam_iptables.so /lib/security/pam_iptables.so

The chosen authentication client for the gateway was ssh so we added the following line to /etc/pam.d/sshd.

   session    required     /lib/security/pam_iptables.so 

Now, when a user logs in with ssh, the firewall rule will be added.

The default interface for pam_iptables is eth0. This default can be changed by adding the interface parameter.

   session required /lib/security/pam_iptables.so interface=eth1

This is only needed if the interface name that connects to the external network is not eth0.

To test if the pam_iptables module is working perform the following steps:

  1. Log into the box with ssh.

  2. Check to see if the rule was added with the command iptables -L.

  3. Log out of the box to make sure the rule is removed.

3.3. DHCP Server Setup

I installed DHCP using the following dhcpd.conf file.

   subnet netmask {
   # --- default gateway
        option routers        ;
        option subnet-mask    ;
        option broadcast-address;

        option domain-name-servers;      
        option time-offset              -5;     # Eastern Standard Time

        default-lease-time 21600;
        max-lease-time 43200;


The server was then run using eth1 , the interface to the public net.

    /usr/sbin/dhcpd eth1

3.4. Authentication Method Setup

As indicated in previous sections, I've set this gateway up to use LDAP for authenticating. However, you can use any means that PAM allows for authentication. See Section 2.4 for more information.

In order to get PAM LDAP to authenticate, I installed OpenLDAP and configured it with the following in /etc/ldap.conf.

   # Your LDAP server. Must be resolvable without using LDAP.
   host itc.musc.edu

   # The distinguished name of the search base.
   base dc=musc,dc=edu
   ssl no

The following files were used to configure PAM to do the LDAP authentication. These files were generated by Red Hat's configuration utility.

/etc/pam.d/system-auth was created and looked like this.

   # This file is auto-generated.
   # User changes will be destroyed the next time authconfig is run.
   auth        required      /lib/security/pam_env.so
   auth        sufficient    /lib/security/pam_unix.so likeauth nullok
   auth        sufficient    /lib/security/pam_ldap.so use_first_pass
   auth        required      /lib/security/pam_deny.so

   account     required      /lib/security/pam_unix.so
   account     [default=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so

   password    required      /lib/security/pam_cracklib.so retry=3
   password    sufficient    /lib/security/pam_unix.so nullok use_authtok
   password    sufficient    /lib/security/pam_ldap.so use_authtok
   password    required      /lib/security/pam_deny.so

   session     required      /lib/security/pam_limits.so
   session     required      /lib/security/pam_unix.so
   session     optional      /lib/security/pam_ldap.so

Then the following /etc/pam.d/sshd file was created.

   auth       required     /lib/security/pam_stack.so service=system-auth
   auth       required     /lib/security/pam_nologin.so
   account    required     /lib/security/pam_stack.so service=system-auth
   password   required     /lib/security/pam_stack.so service=system-auth
   session    required     /lib/security/pam_stack.so service=system-auth
   #this line is added for firewall rule insertion upon login
   session    required     /lib/security/pam_iptables.so debug
   session    optional     /lib/security/pam_console.so

3.5. DNS Setup

I installed the default version of Bind that comes with Red Hat 7.1, and the caching-nameserver RPM. The DHCP server tells the machines on the public net to use the gateway box as their nameserver.