Perhaps this is a poor solution, but if you could assign a MAC or IP to each user in any form, you could use iptables/ebtables on the gateway machine to allow this. For example, you can define chains for different purposes/internet access and, in the FORWARD chain, use the source/destination MAC or IP to allow the access associated with that type of user. For example, using one IP per user, you can use something like:

# Create the per-purpose chains first: a FORWARD rule cannot jump to a chain that does not exist yet
iptables -N HTTP
iptables -N HTTP_MSN
iptables -A HTTP -p tcp --dport 80 -j ACCEPT
iptables -A HTTP_MSN -p tcp --dport 80 -j ACCEPT
iptables -A HTTP_MSN -p tcp --dport 1863 -j ACCEPT
# Then send each client's traffic to the chain for its type of user
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s <client_a_ip> -j <client_a_chain>
iptables -A FORWARD -s <client_b_ip> -j <client_b_chain>

Perhaps taking a look at the iptables documents/how-to's will give you an idea of how to do that.

Regards
--
Samuel Díaz García
ArcosCom Wireless, S.L.L.
CIF: B11828068
c/ Romero Gago, 19
Arcos de la Frontera
11630 - Cadiz
http://www.arcoscom.com
mailto:samueldg@xxxxxxxxxxxx
msn: samueldg@xxxxxxxxxxxx
Tlfn.: 956 70 13 15
Fax: 956 70 34 83

On Thu, 21 September 2006, 14:40, Marcelo Magno T. Sales wrote:
> Hi,
>
> This is a long e-mail but I hope that the answer to this problem, if there is one, will be useful for many people. First, some background information:
> Here at work we have been using MS solutions for a long time and since two years ago we have been migrating several services to Unix/Linux. For the last few months, I've been evaluating the feasibility of migrating workstations to Linux, but there's a problem about controlling Internet access that I've not been able to solve so far.
> We use MS ISA Server to restrict Internet access, by user and by application.
> For example, I can set it up so that user A can access HTTP servers and use instant messengers, while users from group B are allowed to access FTP servers and users from group C are forbidden any access (users and groups are stored in Active Directory).
> In order to work this way, ISA Server provides a client that is installed at the Windows workstations. This client intercepts all TCP/IP requests and redirects them to the ISA server, along with the credentials of the current logged-in user. No additional configuration is needed in any application; they just "think" they are directly connected to the Internet.
> I need a way to do the same with Linux clients. It may be a software that acts like the ISA Firewall Client, interoperating with MS ISA Server (this would be very useful during migration), or it may be an entirely Linux-based solution (preferred long-term solution).
>
> I've tried the following so far:
>
> 1. Configure applications to use ISA Server as the proxy server.
>    . Positive point: Firefox can do NTLM authentication and interoperates well with ISA Server.
>    . Negative points: Many applications can't be configured to use proxies. Those which can are not able to authenticate against ISA Server. Even if they were, it would be necessary to configure each application for each user. In Firefox, the user has to retype his credentials every time he opens the browser, and Java applets do not work (the JVM can't authenticate against ISA Server).
>
> 2. Use NTLMAPS / APServer on the client side
>    . Positive point: Firefox can access the Internet using APServer without requesting user credentials, and Java applets work fine. APServer can do NTLM authentication and interoperates well with ISA Server.
>    . Negative points: It's useful for HTTP access only. Other applications suffer from the same problems described in the previous solution. APServer is not user-friendly enough to be used by normal users, and I can't configure it to start automatically (for that, I would have to set it up with a user account that would not match the current logged-in user).
>
> 3. Use squid on the server side
>    . Positive point: HTTP access can be restricted by AD user accounts. squid is able to authenticate users against AD.
>    . It's another HTTP-only solution. squid's capabilities for restricting access by group are limited. Special browser configuration is required.
>
> 4. On the client side, use a script that creates iptables rules dynamically when a user logs on, according to his credentials.
>    . Positive point: works for all applications. Works with ISA Server in NAT mode as well as with a Linux-based NAT solution.
>    . Negative points: administration is a nightmare. It's difficult to work with groups. The restrictions are enforced on the client side and not on the server side, which lowers security. My network spans an 800 km area, with many buildings. Each building has support personnel who must have local root access to the workstations in the building, but should not be able to set up their own restrictions for Internet access. It's not possible to prevent them from editing the local iptables rules, once they have root privileges at the workstations.
>
> Is there a way to get the results I need using Linux clients?
>
> Thanks,
>
> Marcelo
>
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
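The per-user chain scheme from Samuel's reply, worked through as an added shell example that is not code from either poster: it generates the gateway's FORWARD rule set from a constructed user-to-IP mapping (the users, addresses and the NONE profile are made up), creates the profile chains before any rule jumps to them, and adds the default-deny policy and a LOG rule that the posted fragment leaves implicit, so users with no matching rule get nothing and denied traffic shows up in the gateway's logs.

```shell
#!/bin/sh
# Constructed mapping (not from the thread): user, the IP assigned to that user,
# and the access profile (chain) the user gets. NONE means no Internet access.
USER_MAP='alice 192.0.2.10 HTTP
bob 192.0.2.11 HTTP_MSN
carol 192.0.2.12 NONE'

# Emit the commands that create one profile chain and fill it with its ACCEPT rules.
# A packet matching nothing in the chain returns to FORWARD and ends at the default DROP.
profile_rules() {
    case "$1" in
        HTTP)
            echo "iptables -N HTTP"
            echo "iptables -A HTTP -p tcp --dport 80 -j ACCEPT" ;;
        HTTP_MSN)
            echo "iptables -N HTTP_MSN"
            echo "iptables -A HTTP_MSN -p tcp --dport 80 -j ACCEPT"
            echo "iptables -A HTTP_MSN -p tcp --dport 1863 -j ACCEPT" ;;
    esac
}

# Print the complete FORWARD rule set to stdout so it can be reviewed before it is
# applied on the gateway (e.g. gen_forward_rules | sh). Chains are created before
# any FORWARD rule references them, otherwise iptables rejects the -j.
gen_forward_rules() {
    echo "iptables -P FORWARD DROP"   # default deny: unmatched users get no access
    profile_rules HTTP
    profile_rules HTTP_MSN
    echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "$USER_MAP" | while read -r user ip profile; do
        if [ "$profile" != NONE ]; then
            echo "iptables -A FORWARD -s $ip -j $profile   # $user"
        fi
    done
    # Log whatever falls through so denied access attempts are visible for audit.
    echo "iptables -A FORWARD -j LOG --log-prefix 'FWD-DENY: '"
}

gen_forward_rules
```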