<HTML
><HEAD
><TITLE
>�$B%2!<%H%&%'%$%5!<%S%9$N@_Dj�(B</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.54"><LINK
REL="HOME"
TITLE="Authentication Gateway HOWTO"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="�$BI,MW$J$b$N�(B"
HREF="services.html"><LINK
REL="NEXT"
TITLE="�$BG'>Z%2!<%H%&%'%$$NMxMQ�(B"
HREF="usage.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Authentication Gateway HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="services.html"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="usage.html"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="SETUP"
>3. �$B%2!<%H%&%'%$%5!<%S%9$N@_Dj�(B</A
></H1
><P
>
�$B$3$N%;%/%7%g%s$G$O!"G'>Z%2!<%H%&%'%$$N3FItJ,$N@_DjJ}K!$r@bL@$7$^$9!#�(B
�$B$3$3$G;HMQ$5$l$kNc$O!"%5%V%M%C%H$,�(B 10.0.1.0 �$B$N%W%i%$%Y!<%H�(B
�$B8x3+%M%C%H%o!<%/$G$9!#�(Beth0 �$B$OFbIt%M%C%H%o!<%/$K@\B3$5$l$k!"�(B
�$B%2!<%H%&%'%$$N%$%s%?%U%'!<%9$G$9!#�(Beth1 �$B$,8x3+%M%C%H%o!<%/$K@\B3�(B
�$B$5$l$k%$%s%?%U%'!<%9$G$9!#$3$N%$%s%?%U%'!<%9B&$N�(B IP �$B%"%I%l%9$O�(B
10.0.1.1 �$B$G$9!#$3$l$i$N@_Dj$O!"$"$J$?$,MxMQ$7$F$$$k%M%C%H%o!<%/�(B
�$B$K9g$&$h$&$KJQ992DG=$G$9!#%2!<%H%&%'%$$K$O�(B Red Hat 7.1
�$B$rMxMQ$7$?$N$G!"B?$/$NNc$,�(B Red Hat �$B$K8BDj$5$l$^$9!#�(B
</P
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="NETFILTERSETUP"
>3.1. Netfilter �$B$N@_Dj�(B</A
></H2
><P
>
netfilter �$B$r@_Dj$9$k$?$a$K$O!"�(Bnetfilter �$B%5%]!<%H$r2C$($F%+!<%M%k�(B
�$B$r:F%3%s%Q%$%k$7$J$1$l$P$J$j$^$;$s!#%+!<%M%k$N@_Dj$H%3%s%Q%$%k�(B
�$B$K$D$$$F$b$C$H>pJs$,I,MW$J$i!"�(B
<A
HREF="http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html"
TARGET="_top"
>Kernel-HOWTO</A
>
�$B$r;2>H$7$F$/$@$5$$!#�(B
</P
><P
>
�$B;d$N%+!<%M%k@_Dj$O!"0J2<$N$h$&$J46$8$G$9!#�(B
<TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
> #
# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
# CONFIG_NETLINK is not set
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_INET_ECN is not set
# CONFIG_SYN_COOKIES is not set
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_UNCLEAN=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_MIRROR=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
</PRE
></FONT
></TD
></TR
></TABLE
>
</P
><P
>
iptables �$B$r%$%s%9%H!<%k$9$kI,MW$,$"$j$^$9!#�(Biptables
�$B$r%$%s%9%H!<%k$9$k$K$O!"$4MxMQ$N%G%#%9%H%j%S%e!<%7%g%s$K�(B
�$BF1:-$5$l$F$$$k%Q%C%1!<%8$rMxMQ$9$k$+!"%=!<%9$+$i%$%s%9%H!<%k�(B
�$B$7$F$/$@$5$$!#>e5-$N%*%W%7%g%s$r@_Dj$7?7$7$$%+!<%M%k$r:n@.$7$F�(B
iptables �$B$r%$%s%9%H!<%k$7$?8e$K!";d$O0J2<$N$h$&$K�(B
�$B%G%U%)%k%H$N%U%!%$%d%&%)!<%k%k!<%k$r@_Dj$7$^$7$?!#�(B
</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -i eth0 -m state --state NEW, INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state NEW, INVALID -j DROP
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -s 10.0.1.0/24 -d 10.0.1.1 -j ACCEPT
</PRE
></FONT
></TD
></TR
></TABLE
><P
>
�$B>e5-$N%3%^%s%I$O!"%5!<%P$,:F5/F0$9$k:]$K5/F0$9$k$h$&$K!"�(Binitscript
�$B$NCf$KCV$/$3$H$b$G$-$^$9!#%k!<%k$,DI2C$5$l$?$3$H$r3N$+$a$k$?$a$K!"�(B
�$B0J2<$N%3%^%s%I$r<B9T$7$F$/$@$5$$!#�(B
</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
> iptables -v -t nat -L
iptables -v -t filter -L
</PRE
></FONT
></TD
></TR
></TABLE
><P
>
�$B0J>e$N%k!<%k$rJ]B8$9$k$?$a!";d$O�(B Red Hat �$B$N�(B init
�$B%9%/%j%W%H$rMxMQ$7$^$7$?!#�(B
</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
> /etc/init.d/iptables save
/etc/init.d/iptables restart
</PRE
></FONT
></TD
></TR
></TABLE
><P
>
�$B%k!<%k$,E,@Z$K@_Dj$5$l$?$i!"0J2<$N%3%^%s%I$r<B9T$7$F!"�(B
IP �$B%U%)%o!<%G%#%s%0$rM-8z$K$7$F$/$@$5$$!#�(B
</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
> echo 1 > /proc/sys/net/ipv4/ip_forward
</PRE
></FONT
></TD
></TR
></TABLE
><P
>
�$B%^%7%s$N:F5/F0;~$K�(B IP �$B%U%)%o!<%G%#%s%0$,3N<B$KM-8z$K$J$k$h$&$K!"�(B
�$B0J2<$N9T$r�(B <TT
CLASS="FILENAME"
>/etc/sysctl.conf</TT
> �$B$KDI2C$7$F$/$@$5$$!#�(B
</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
> net.ipv4.ip_forward = 1
</PRE
></FONT
></TD
></TR
></TABLE
><P
>
�$B$3$l$G%2!<%H%&%'%$$O%M%C%H%o!<%/%"%I%l%9JQ49�(B(NAT)�$B$r9T$($k$h$&$K�(B
�$B$J$j$^$9$,!"8x3+%M%C%H%o!<%/$NCf$+$iAw?.$5$l$?%2!<%H%&%'%$08$F$N�(B
�$B%Q%1%C%H0J30$O!"%U%)%o!<%G%#%s%0%Q%1%C%H$r$9$Y$FGK4~$7$^$9!#�(B
</P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="PAMIPTABLESSETUP"
>3.2. PAM iptables �$B%b%8%e!<%k�(B</A
></H2
><P
>
�$B$3$N%b%8%e!<%k$O!"G'>Z$5$l$?%/%i%$%"%s%H$N%U%)%o!<%G%#%s%0$r5v2D�(B
�$B$9$k$N$KI,MW$J!"%U%!%$%d%&%)!<%k%k!<%k$rA^F~$9$k�(B PAM �$B%;%C%7%g%s�(B
�$B%b%8%e!<%k$G$9!#$3$l$r4JC1$K%;%C%H%"%C%W$9$k$K$O!"C1$K�(B
<A
HREF="ftp://ftp.itlab.musc.edu/pub/pam_iptables.tar.gz"
TARGET="_top"
>�$B%=!<%9�(B</A
>
�$B$rF~<j$7!"0J2<$N%3%^%s%I$r:nF0$5$;$F!"%3%s%Q%$%k$r9T$C$F$/$@$5$$!#�(B
</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
> gcc -fPIC -c pam_iptables.c
ld -x --shared -o pam_iptables.so pam_iptables.o
</PRE
></FONT
></TD
></TR
></TABLE
><P
>
�$B$3$l$G�(B <TT
CLASS="FILENAME"
>pam_iptables.so</TT
> �$B$H�(B
<TT
CLASS="FILENAME"
>pam_iptables.o</TT
> �$B$H$$$&L>A0$NFs$D$N%P%$%J%j�(B
�$B$,$G$-$k$O$:$G$9!#�(B<TT
CLASS="FILENAME"
>pam_iptables.so</TT
> �$B$r�(B
<TT
CLASS="FILENAME"
>/lib/security/pam_iptables.so</TT
> �$B$K%3%T!<$7$F$/$@$5$$!#�(B
</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
> cp pam_iptables.so /lib/security/pam_iptables.so
</PRE
></FONT
></TD
></TR
></TABLE
><P
>
�$B%2!<%H%&%'%$$KA*Br$5$l$?G'>Z%/%i%$%"%s%H$O�(B SSH �$B$@$C$?$N$G!"�(B
�$B0J2<$N9T$r�(B <TT
CLASS="FILENAME"
>/etc/pam.d/sshd</TT
> �$B$KDI2C$7$^$7$?!#�(B
</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
> session required /lib/security/pam_iptables.so
</PRE
></FONT
></TD
></TR
></TABLE
><P
>
�$B$3$l$G%f!<%6$,�(BSSH�$B$G%m%0%$%s$9$l$P!"%U%!%$%d%&%)!<%k%k!<%k$,DI2C$5$l$k�(B
�$B$h$&$K$J$j$^$9!#�(B
</P
><P
>
pam_iptables �$B$N%G%U%)%k%H%$%s%?%U%'!<%9$O�(B eth0 �$B$G$9!#$3$N%G%U%)%k%H@_Dj$O!"�(B
�$B%$%s%?%U%'!<%9%Q%i%a!<%?$rDI2C$9$k$3$H$GJQ992DG=$G$9!#�(B
</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
> session required /lib/security/pam_iptables.so interface=eth1
</PRE
></FONT
></TD
></TR
></TABLE
><P
>
�$B$3$N@_Dj$O!"30It%M%C%H%o!<%/$K@\B3$9$k%$%s%?%U%'!<%9L>$,�(B eth0
�$B$G$J$$>l9g$N$_I,MW$K$J$j$^$9!#�(B
</P
><P
>
pam_iptables �$B%b%8%e!<%k$,F0:n$7$F$$$k$+%F%9%H$9$k$K$O!"�(B
�$B0J2<$N<j=g$r<B9T$7$F$/$@$5$$!#�(B
</P
><P
></P
><OL
TYPE="1"
><LI
><P
>
SSH �$B$G%2!<%H%&%'%$$K%m%0%$%s!#�(B
</P
></LI
><LI
><P
>
�$B%k!<%k$,DI2C$5$l$F$$$k$+!"�(B<B
CLASS="COMMAND"
>iptables -L</B
> �$B$G3NG'!#�(B
</P
></LI
><LI
><P
>
�$B%2!<%H%&%'%$$+$i%m%0%"%&%H$7$F!"$=$N%k!<%k$,:o=|$5$l$F$$$k$N$r3NG'!#�(B
</P
></LI
></OL
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="DHCPDSETUP"
>3.3. DHCP �$B%5!<%P@_Dj�(B</A
></H2
><P
>
�$B;d$O!"0J2<$N�(B <TT
CLASS="FILENAME"
>dhcpd.conf</TT
> �$B$rMQ$$!"�(B
DHCP �$B$rF3F~$7$^$7$?!#�(B
</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
> subnet 10.0.1.0 netmask 255.255.255.0 {
# --- default gateway
option routers 10.0.1.1;
option subnet-mask 255.255.255.0;
option broadcast-address 10.0.1.255;
option domain-name-servers 10.0.1.1;
range 10.0.1.3 10.0.1.254;
option time-offset -5; # Eastern Standard Time
default-lease-time 21600;
max-lease-time 43200;
}
</PRE
></FONT
></TD
></TR
></TABLE
><P
>
DHCP�$B%5!<%P$O$3$N>l9g!"8x3+%M%C%H$N%$%s%?%U%'!<%9$G$"$k!"�(Beth1
�$BB&$KBP$7$F:nF0$5$;$^$7$?!#�(B
</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
> /usr/sbin/dhcpd eth1
</PRE
></FONT
></TD
></TR
></TABLE
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AUTHENTICATIONSETUP"
>3.4. �$BG'>Z<jK!$N@_Dj�(B</A
></H2
><P
>
�$BA0$N%;%/%7%g%s$G=R$Y$?$h$&$K!";d$OG'>Z$K�(B LDAP �$B$r;HMQ$9$k$h$&�(B
�$B%2!<%H%&%'%$$N@_Dj$r9T$$$^$7$?!#$7$+$7!"$"$J$?$,$?$O�(B PAM
�$B$,G'>Z$r5vMF$9$k$I$NJ}K!$G$bMxMQ2DG=$G$9!#$b$C$H>pJs$,I,MW$J$i$P!"�(B
<A
HREF="services.html#AUTHENTICATION"
>Section 2.4</A
> �$B$r;2>H$/$@$5$$!#�(B
</P
><P
>
PAM LDAP �$B$GG'>Z$r9T$&$?$a$K!";d$O�(B
<A
HREF="http://www.openldap.org"
TARGET="_top"
>OpenLDAP</A
>
�$B$r%$%s%9%H!<%k$7!"�(B<TT
CLASS="FILENAME"
>/etc/ldap.conf</TT
>
�$B$K0J2<$N@_Dj$r9T$$$^$7$?!#�(B
</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
> # Your LDAP server. Must be resolvable without using LDAP.
host itc.musc.edu
# The distinguished name of the search base.
base dc=musc,dc=edu
ssl no
</PRE
></FONT
></TD
></TR
></TABLE
><P
>
�$B0J2<$K5s$2$k%U%!%$%k$O!"�(BLDAP �$BG'>Z$r9T$&$h$&�(B PAM �$B$r@_Dj$9$k$N$K;HMQ�(B
�$B$5$l$^$7$?!#$3$l$i$N%U%!%$%k$O!"�(BRed Hat �$B$N@_Dj%f!<%F%#%j%F%#$K$h$j�(B
�$B@8@.$5$l$^$7$?!#�(B
</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
><TT
CLASS="FILENAME"
>/etc/pam.d/system-auth</TT
> �$B$,:n@.$5$l!"�(B
�$B0J2<$N$h$&$JFbMF$K$J$j$^$7$?!#�(B</DT
><DD
><P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
> #%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account [default=ok user_unknown=ignore service_err=ignore system_err=ignore]
/lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
</PRE
></FONT
></TD
></TR
></TABLE
>
</P
></DD
><DT
>�$B$^$?!"0J2<$N�(B <TT
CLASS="FILENAME"
>/etc/pam.d/sshd</TT
>
�$B%U%!%$%k$,:n@.$5$l$^$7$?!#�(B</DT
><DD
><P
> <TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
> #%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
#this line is added for firewall rule insertion upon login
session required /lib/security/pam_iptables.so debug
session optional /lib/security/pam_console.so
</PRE
></FONT
></TD
></TR
></TABLE
>
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="DNSSETUP"
>3.5. DNS �$B$N@_Dj�(B</A
></H2
><P
>
�$B;d$O!"�(BRed Hat 7.1 �$B$K$D$$$F$-$?%G%U%)%k%H%P!<%8%g%s$N�(B Bind
�$B$H%-%c%C%7%s%0%M!<%`%5!<%P�(B RPM �$B$r%$%s%9%H!<%k$7$^$7$?!#�(BDHCP �$B%5!<%P$O!"�(B
�$B8x3+%M%C%H%o!<%/>e$N%^%7%s$,%M!<%`%5!<%P$H$7$F%2!<%H%&%'%$�(B
�$B$rMxMQ$9$k$h$&@_Dj$7$F$$$^$9!#�(B
</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="services.html"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="usage.html"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>�$BI,MW$J$b$N�(B</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
> </TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>�$BG'>Z%2!<%H%&%'%$$NMxMQ�(B</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
