<HTML ><HEAD ><TITLE >$B%2!<%H%&%'%$%5!<%S%9$N@_Dj(B</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.54"><LINK REL="HOME" TITLE="Authentication Gateway HOWTO" HREF="index.html"><LINK REL="PREVIOUS" TITLE="$BI,MW$J$b$N(B" HREF="services.html"><LINK REL="NEXT" TITLE="$BG'>Z%2!<%H%&%'%$$NMxMQ(B" HREF="usage.html"></HEAD ><BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" ><DIV CLASS="NAVHEADER" ><TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" >Authentication Gateway HOWTO</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="services.html" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" ></TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="usage.html" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="SECT1" ><H1 CLASS="SECT1" ><A NAME="SETUP" >3. $B%2!<%H%&%'%$%5!<%S%9$N@_Dj(B</A ></H1 ><P > $B$3$N%;%/%7%g%s$G$O!"G'>Z%2!<%H%&%'%$$N3FItJ,$N@_DjJ}K!$r@bL@$7$^$9!#(B $B$3$3$G;HMQ$5$l$kNc$O!"%5%V%M%C%H$,(B 10.0.1.0 $B$N%W%i%$%Y!<%H(B $B8x3+%M%C%H%o!<%/$G$9!#(Beth0 $B$OFbIt%M%C%H%o!<%/$K@\B3$5$l$k!"(B $B%2!<%H%&%'%$$N%$%s%?%U%'!<%9$G$9!#(Beth1 $B$,8x3+%M%C%H%o!<%/$K@\B3(B $B$5$l$k%$%s%?%U%'!<%9$G$9!#$3$N%$%s%?%U%'!<%9B&$N(B IP $B%"%I%l%9$O(B 10.0.1.1 $B$G$9!#$3$l$i$N@_Dj$O!"$"$J$?$,MxMQ$7$F$$$k%M%C%H%o!<%/(B $B$K9g$&$h$&$KJQ992DG=$G$9!#%2!<%H%&%'%$$K$O(B Red Hat 7.1 $B$rMxMQ$7$?$N$G!"B?$/$NNc$,(B Red Hat $B$K8BDj$5$l$^$9!#(B </P ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="NETFILTERSETUP" >3.1. 
Netfilter $B$N@_Dj(B</A ></H2 ><P > netfilter $B$r@_Dj$9$k$?$a$K$O!"(Bnetfilter $B%5%]!<%H$r2C$($F%+!<%M%k(B $B$r:F%3%s%Q%$%k$7$J$1$l$P$J$j$^$;$s!#%+!<%M%k$N@_Dj$H%3%s%Q%$%k(B $B$K$D$$$F$b$C$H>pJs$,I,MW$J$i!"(B <A HREF="http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html" TARGET="_top" >Kernel-HOWTO</A > $B$r;2>H$7$F$/$@$5$$!#(B </P ><P > $B;d$N%+!<%M%k@_Dj$O!"0J2<$N$h$&$J46$8$G$9!#(B <TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" > # # Networking options # CONFIG_PACKET=y # CONFIG_PACKET_MMAP is not set # CONFIG_NETLINK is not set CONFIG_NETFILTER=y CONFIG_NETFILTER_DEBUG=y CONFIG_FILTER=y CONFIG_UNIX=y CONFIG_INET=y CONFIG_IP_MULTICAST=y # CONFIG_IP_ADVANCED_ROUTER is not set # CONFIG_IP_PNP is not set # CONFIG_NET_IPIP is not set # CONFIG_NET_IPGRE is not set # CONFIG_IP_MROUTE is not set # CONFIG_INET_ECN is not set # CONFIG_SYN_COOKIES is not set # IP: Netfilter Configuration # CONFIG_IP_NF_CONNTRACK=y CONFIG_IP_NF_FTP=y CONFIG_IP_NF_IPTABLES=y CONFIG_IP_NF_MATCH_LIMIT=y CONFIG_IP_NF_MATCH_MAC=y CONFIG_IP_NF_MATCH_MARK=y CONFIG_IP_NF_MATCH_MULTIPORT=y CONFIG_IP_NF_MATCH_TOS=y CONFIG_IP_NF_MATCH_TCPMSS=y CONFIG_IP_NF_MATCH_STATE=y CONFIG_IP_NF_MATCH_UNCLEAN=y CONFIG_IP_NF_MATCH_OWNER=y CONFIG_IP_NF_FILTER=y CONFIG_IP_NF_TARGET_REJECT=y CONFIG_IP_NF_TARGET_MIRROR=y CONFIG_IP_NF_NAT=y CONFIG_IP_NF_NAT_NEEDED=y CONFIG_IP_NF_TARGET_MASQUERADE=y CONFIG_IP_NF_TARGET_REDIRECT=y CONFIG_IP_NF_NAT_FTP=y CONFIG_IP_NF_MANGLE=y CONFIG_IP_NF_TARGET_TOS=y CONFIG_IP_NF_TARGET_MARK=y CONFIG_IP_NF_TARGET_LOG=y CONFIG_IP_NF_TARGET_TCPMSS=y </PRE ></FONT ></TD ></TR ></TABLE > </P ><P > iptables $B$r%$%s%9%H!<%k$9$kI,MW$,$"$j$^$9!#(Biptables $B$r%$%s%9%H!<%k$9$k$K$O!"$4MxMQ$N%G%#%9%H%j%S%e!<%7%g%s$K(B $BF1:-$5$l$F$$$k%Q%C%1!<%8$rMxMQ$9$k$+!"%=!<%9$+$i%$%s%9%H!<%k(B $B$7$F$/$@$5$$!#>e5-$N%*%W%7%g%s$r@_Dj$7?7$7$$%+!<%M%k$r:n@.$7$F(B iptables $B$r%$%s%9%H!<%k$7$?8e$K!";d$O0J2<$N$h$&$K(B 
$B%G%U%)%k%H$N%U%!%$%d%&%)!<%k%k!<%k$r@_Dj$7$^$7$?!#(B </P ><TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" > iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP iptables -I FORWARD -o eth0 -j DROP iptables -I FORWARD -s 10.0.1.0/24 -d 10.0.1.1 -j ACCEPT </PRE ></FONT ></TD ></TR ></TABLE ><P > $B>e5-$N%3%^%s%I$O!"%5!<%P$,:F5/F0$9$k:]$K5/F0$9$k$h$&$K!"(Binitscript $B$NCf$KCV$/$3$H$b$G$-$^$9!#%k!<%k$,DI2C$5$l$?$3$H$r3N$+$a$k$?$a$K!"(B $B0J2<$N%3%^%s%I$r<B9T$7$F$/$@$5$$!#(B </P ><TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" > iptables -v -t nat -L iptables -v -t filter -L </PRE ></FONT ></TD ></TR ></TABLE ><P > $B0J>e$N%k!<%k$rJ]B8$9$k$?$a!";d$O(B Red Hat $B$N(B init $B%9%/%j%W%H$rMxMQ$7$^$7$?!#(B </P ><TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" > /etc/init.d/iptables save /etc/init.d/iptables restart </PRE ></FONT ></TD ></TR ></TABLE ><P > $B%k!<%k$,E,@Z$K@_Dj$5$l$?$i!"0J2<$N%3%^%s%I$r<B9T$7$F!"(B IP $B%U%)%o!<%G%#%s%0$rM-8z$K$7$F$/$@$5$$!#(B </P ><TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" > echo 1 > /proc/sys/net/ipv4/ip_forward </PRE ></FONT ></TD ></TR ></TABLE ><P > $B%^%7%s$N:F5/F0;~$K(B IP $B%U%)%o!<%G%#%s%0$,3N<B$KM-8z$K$J$k$h$&$K!"(B $B0J2<$N9T$r(B <TT CLASS="FILENAME" >/etc/sysctl.conf</TT > $B$KDI2C$7$F$/$@$5$$!#(B </P ><TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" > net.ipv4.ip_forward = 1 </PRE ></FONT ></TD ></TR ></TABLE ><P > $B$3$l$G%2!<%H%&%'%$$O%M%C%H%o!<%/%"%I%l%9JQ49(B(NAT)$B$r9T$($k$h$&$K(B $B$J$j$^$9$,!"8x3+%M%C%H%o!<%/$NCf$+$iAw?.$5$l$?%2!<%H%&%'%$08$F$N(B $B%Q%1%C%H0J30$O!"%U%)%o!<%G%#%s%0%Q%1%C%H$r$9$Y$FGK4~$7$^$9!#(B </P ></DIV 
><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="PAMIPTABLESSETUP" >3.2. PAM iptables $B%b%8%e!<%k(B</A ></H2 ><P > $B$3$N%b%8%e!<%k$O!"G'>Z$5$l$?%/%i%$%"%s%H$N%U%)%o!<%G%#%s%0$r5v2D(B $B$9$k$N$KI,MW$J!"%U%!%$%d%&%)!<%k%k!<%k$rA^F~$9$k(B PAM $B%;%C%7%g%s(B $B%b%8%e!<%k$G$9!#$3$l$r4JC1$K%;%C%H%"%C%W$9$k$K$O!"C1$K(B <A HREF="ftp://ftp.itlab.musc.edu/pub/pam_iptables.tar.gz" TARGET="_top" >$B%=!<%9(B</A > $B$rF~<j$7!"0J2<$N%3%^%s%I$r:nF0$5$;$F!"%3%s%Q%$%k$r9T$C$F$/$@$5$$!#(B </P ><TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" > gcc -fPIC -c pam_iptables.c ld -x --shared -o pam_iptables.so pam_iptables.o </PRE ></FONT ></TD ></TR ></TABLE ><P > $B$3$l$G(B <TT CLASS="FILENAME" >pam_iptables.so</TT > $B$H(B <TT CLASS="FILENAME" >pam_iptables.o</TT > $B$H$$$&L>A0$NFs$D$N%P%$%J%j(B $B$,$G$-$k$O$:$G$9!#(B<TT CLASS="FILENAME" >pam_iptables.so</TT > $B$r(B <TT CLASS="FILENAME" >/lib/security/pam_iptables.so</TT > $B$K%3%T!<$7$F$/$@$5$$!#(B </P ><TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" > cp pam_iptables.so /lib/security/pam_iptables.so </PRE ></FONT ></TD ></TR ></TABLE ><P > $B%2!<%H%&%'%$$KA*Br$5$l$?G'>Z%/%i%$%"%s%H$O(B SSH $B$@$C$?$N$G!"(B $B0J2<$N9T$r(B <TT CLASS="FILENAME" >/etc/pam.d/sshd</TT > $B$KDI2C$7$^$7$?!#(B </P ><TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" > session required /lib/security/pam_iptables.so </PRE ></FONT ></TD ></TR ></TABLE ><P > $B$3$l$G%f!<%6$,(BSSH$B$G%m%0%$%s$9$l$P!"%U%!%$%d%&%)!<%k%k!<%k$,DI2C$5$l$k(B $B$h$&$K$J$j$^$9!#(B </P ><P > pam_iptables $B$N%G%U%)%k%H%$%s%?%U%'!<%9$O(B eth0 $B$G$9!#$3$N%G%U%)%k%H@_Dj$O!"(B $B%$%s%?%U%'!<%9%Q%i%a!<%?$rDI2C$9$k$3$H$GJQ992DG=$G$9!#(B </P ><TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" > session required /lib/security/pam_iptables.so interface=eth1 </PRE ></FONT ></TD ></TR 
></TABLE ><P > $B$3$N@_Dj$O!"30It%M%C%H%o!<%/$K@\B3$9$k%$%s%?%U%'!<%9L>$,(B eth0 $B$G$J$$>l9g$N$_I,MW$K$J$j$^$9!#(B </P ><P > pam_iptables $B%b%8%e!<%k$,F0:n$7$F$$$k$+%F%9%H$9$k$K$O!"(B $B0J2<$N<j=g$r<B9T$7$F$/$@$5$$!#(B </P ><P ></P ><OL TYPE="1" ><LI ><P > SSH $B$G%2!<%H%&%'%$$K%m%0%$%s!#(B </P ></LI ><LI ><P > $B%k!<%k$,DI2C$5$l$F$$$k$+!"(B<B CLASS="COMMAND" >iptables -L</B > $B$G3NG'!#(B </P ></LI ><LI ><P > $B%2!<%H%&%'%$$+$i%m%0%"%&%H$7$F!"$=$N%k!<%k$,:o=|$5$l$F$$$k$N$r3NG'!#(B </P ></LI ></OL ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="DHCPDSETUP" >3.3. DHCP $B%5!<%P@_Dj(B</A ></H2 ><P > $B;d$O!"0J2<$N(B <TT CLASS="FILENAME" >dhcpd.conf</TT > $B$rMQ$$!"(B DHCP $B$rF3F~$7$^$7$?!#(B </P ><TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" > subnet 10.0.1.0 netmask 255.255.255.0 { # --- default gateway option routers 10.0.1.1; option subnet-mask 255.255.255.0; option broadcast-address 10.0.1.255; option domain-name-servers 10.0.1.1; range 10.0.1.3 10.0.1.254; option time-offset -5; # Eastern Standard Time default-lease-time 21600; max-lease-time 43200; } </PRE ></FONT ></TD ></TR ></TABLE ><P > DHCP$B%5!<%P$O$3$N>l9g!"8x3+%M%C%H$N%$%s%?%U%'!<%9$G$"$k!"(Beth1 $BB&$KBP$7$F:nF0$5$;$^$7$?!#(B </P ><TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" > /usr/sbin/dhcpd eth1 </PRE ></FONT ></TD ></TR ></TABLE ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="AUTHENTICATIONSETUP" >3.4. 
$BG'>Z<jK!$N@_Dj(B</A ></H2 ><P > $BA0$N%;%/%7%g%s$G=R$Y$?$h$&$K!";d$OG'>Z$K(B LDAP $B$r;HMQ$9$k$h$&(B $B%2!<%H%&%'%$$N@_Dj$r9T$$$^$7$?!#$7$+$7!"$"$J$?$,$?$O(B PAM $B$,G'>Z$r5vMF$9$k$I$NJ}K!$G$bMxMQ2DG=$G$9!#$b$C$H>pJs$,I,MW$J$i$P!"(B <A HREF="services.html#AUTHENTICATION" >Section 2.4</A > $B$r;2>H$/$@$5$$!#(B </P ><P > PAM LDAP $B$GG'>Z$r9T$&$?$a$K!";d$O(B <A HREF="http://www.openldap.org" TARGET="_top" >OpenLDAP</A > $B$r%$%s%9%H!<%k$7!"(B<TT CLASS="FILENAME" >/etc/ldap.conf</TT > $B$K0J2<$N@_Dj$r9T$$$^$7$?!#(B </P ><TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" > # Your LDAP server. Must be resolvable without using LDAP. host itc.musc.edu # The distinguished name of the search base. base dc=musc,dc=edu ssl no </PRE ></FONT ></TD ></TR ></TABLE ><P > $B0J2<$K5s$2$k%U%!%$%k$O!"(BLDAP $BG'>Z$r9T$&$h$&(B PAM $B$r@_Dj$9$k$N$K;HMQ(B $B$5$l$^$7$?!#$3$l$i$N%U%!%$%k$O!"(BRed Hat $B$N@_Dj%f!<%F%#%j%F%#$K$h$j(B $B@8@.$5$l$^$7$?!#(B </P ><P ></P ><DIV CLASS="VARIABLELIST" ><DL ><DT ><TT CLASS="FILENAME" >/etc/pam.d/system-auth</TT > $B$,:n@.$5$l!"(B $B0J2<$N$h$&$JFbMF$K$J$j$^$7$?!#(B</DT ><DD ><P ><TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="90%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" > #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. 
auth required /lib/security/pam_env.so auth sufficient /lib/security/pam_unix.so likeauth nullok auth sufficient /lib/security/pam_ldap.so use_first_pass auth required /lib/security/pam_deny.so account required /lib/security/pam_unix.so account [default=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so password required /lib/security/pam_cracklib.so retry=3 password sufficient /lib/security/pam_unix.so nullok use_authtok password sufficient /lib/security/pam_ldap.so use_authtok password required /lib/security/pam_deny.so session required /lib/security/pam_limits.so session required /lib/security/pam_unix.so session optional /lib/security/pam_ldap.so </PRE ></FONT ></TD ></TR ></TABLE > </P ></DD ><DT >$B$^$?!"0J2<$N(B <TT CLASS="FILENAME" >/etc/pam.d/sshd</TT > $B%U%!%$%k$,:n@.$5$l$^$7$?!#(B</DT ><DD ><P > <TABLE BORDER="1" BGCOLOR="#E0E0E0" WIDTH="90%" ><TR ><TD ><FONT COLOR="#000000" ><PRE CLASS="SCREEN" > #%PAM-1.0 auth required /lib/security/pam_stack.so service=system-auth auth required /lib/security/pam_nologin.so account required /lib/security/pam_stack.so service=system-auth password required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_stack.so service=system-auth #this line is added for firewall rule insertion upon login session required /lib/security/pam_iptables.so debug session optional /lib/security/pam_console.so </PRE ></FONT ></TD ></TR ></TABLE > </P ></DD ></DL ></DIV ></DIV ><DIV CLASS="SECT2" ><H2 CLASS="SECT2" ><A NAME="DNSSETUP" >3.5. 
DNS $B$N@_Dj(B</A ></H2 ><P > $B;d$O!"(BRed Hat 7.1 $B$K$D$$$F$-$?%G%U%)%k%H%P!<%8%g%s$N(B Bind $B$H%-%c%C%7%s%0%M!<%`%5!<%P(B RPM $B$r%$%s%9%H!<%k$7$^$7$?!#(BDHCP $B%5!<%P$O!"(B $B8x3+%M%C%H%o!<%/>e$N%^%7%s$,%M!<%`%5!<%P$H$7$F%2!<%H%&%'%$(B $B$rMxMQ$9$k$h$&@_Dj$7$F$$$^$9!#(B </P ></DIV ></DIV ><DIV CLASS="NAVFOOTER" ><HR ALIGN="LEFT" WIDTH="100%"><TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" ><A HREF="services.html" >Prev</A ></TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="index.html" >Home</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" ><A HREF="usage.html" >Next</A ></TD ></TR ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" >$BI,MW$J$b$N(B</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" > </TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" >$BG'>Z%2!<%H%&%'%$$NMxMQ(B</TD ></TR ></TABLE ></DIV ></BODY ></HTML >