Documentation - README.en


Introduction

NatACL, after version 200606XX, is made up of 3 programs:
* NatACL_dhcp - An extremely simple DHCP server.
* NatACL_web - Web authenticator for a transparent proxy or NAT.
* NatACL_netdetect - Network statistics collector.
The objective of these programs is to restrict network access from unauthorized machines.

NatACL_dhcp

    The DHCP server is an extremely simple version of a full DHCP server; it only does the basics needed to hand out IP addresses.
    The difference is that with this server you can create iptables rules and bind them to user groups. You can also force users to use a DHCP client and block those who do not ( e.g. machines with a static address ).
    You can also create group policies, where some groups access the internet through NAT while others must authenticate over the web using NatACL_web.

NatACL_web

    It is an HTTP server. With help from iptables it intercepts HTTP requests to external sites and shows an HTML page requesting a login/password. If the user provides the correct login/password, NatACL_web creates the iptables rules that allow access to the internet.
This new rule stays active until an expiration method triggers. There are 3 types of methods:
* EXPIRE_PING - Send ICMP echo requests to the target machine. ( The expiration occurs when the ping fails. )
* EXPIRE_TIME - Use a time interval.
* EXPIRE_POPUP - Open an HTML popup in the client's browser; the expiration occurs when this popup window is closed.


There are 3 types of authentication ( more are available from external plugins ( download ) ):
* AUTH_POP3 - Use a POP3 server to check the login/password.
* AUTH_UNIX - Use the local Linux system passwords. ( passwd/shadow )
You can also download external modules, e.g.:

* AUTH_MYSQL - Use MySQL for login/password.


NatACL_netdetect

A daemon that listens on every interface of the system and builds statistics for use with MRTG or other programs.
These statistics are split by group.

Configuration


NatACL_dhcp


Iptables

The first thing to do is delete any DNAT, SNAT and FORWARD rules, and set the iptables default FORWARD policy to DROP.
ex.
'iptables -P FORWARD DROP'


Locks. ( Recommended )
Two iptables processes must not run at the same time, so you must create a lock file while your firewall script runs.
At the beginning of your firewall script put this line:
touch /var/NatACL/dhcp.lock
And at the end:
rm -f /var/natACL/dhcp.lock
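The firewall-script skeleton below is an added example, not part of NatACL or this README. It puts the lock file and the FORWARD reset described above together in one script. It assumes the lock path given above and lets IPTABLES and NATACL_LOCK be overridden from the environment so the script can be dry-run without touching the kernel; the trap makes sure the lock is removed even when a rule command fails, since a stale lock file would otherwise stay behind.

```shell
#!/bin/sh
# Added example: firewall script skeleton with the NatACL lock file.
# Assumptions: the lock path is the one documented above; IPTABLES and
# NATACL_LOCK may be overridden from the environment for a dry run.
IPTABLES="${IPTABLES:-iptables}"
LOCK="${NATACL_LOCK:-/var/NatACL/dhcp.lock}"

# Create the lock; refuse to run if a previous run is still in progress.
acquire_lock() {
    if [ -e "$LOCK" ]; then
        echo "firewall: lock $LOCK exists, another run is in progress" >&2
        return 1
    fi
    touch "$LOCK"
}

release_lock() {
    rm -f "$LOCK"
}

# Remove any existing NAT and FORWARD rules and make FORWARD deny by default,
# as the README requires before NatACL_dhcp adds its per-client rules.
reset_forwarding() {
    "$IPTABLES" -t nat -F PREROUTING &&
    "$IPTABLES" -t nat -F POSTROUTING &&
    "$IPTABLES" -F FORWARD &&
    "$IPTABLES" -P FORWARD DROP
}

run_firewall() {
    acquire_lock || return 1
    # Remove the lock even if a rule command fails or the script is
    # interrupted; a stale lock file would otherwise stay behind.
    trap release_lock EXIT INT TERM
    reset_forwarding || { release_lock; trap - EXIT INT TERM; return 1; }
    # ... site-specific rules go here ...
    release_lock
    trap - EXIT INT TERM
}

# Run only when executed as a script named natacl_firewall.sh, not when sourced.
case "${0##*/}" in
    natacl_firewall.sh) run_firewall ;;
esac
```

To dry-run it, set IPTABLES to a stub (for instance `IPTABLES=true`) and NATACL_LOCK to a path under /tmp before sourcing the file; run_firewall returns non-zero and leaves no lock behind when any iptables call fails.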



Interfaces

After you configure your iptables script, you must create an interface alias for each group you plan to use.
Ex:
ifconfig eth0:1 192.168.1.1 netmask 255.255.255.0
ifconfig eth0:2 192.168.2.1 netmask 255.255.255.0
ifconfig eth0:3 192.168.3.1 netmask 255.255.255.0
In the example above, I've created 3 interface aliases, for the groups 'unknown', 'board' and 'hr'.

Groups

To bind the interfaces to the groups, you must tell NatACL about them.
Use the command 'NatACL_config group add':
/usr/bin/NatACL_config group add <group_name> <interface> <dns_address> <wins_address> <domain>
Ex.
NatACL_config group add unknown eth0:1 192.168.1.5 192.168.1.5 hostname.org
NatACL_config group add board eth0:2 192.168.1.5 192.168.1.5 hostname.org
NatACL_config group add hr eth0:3 192.168.1.5 192.168.1.5 hostname.org
PS: if you don't have a WINS server, you can use 0.0.0.0 as the address.


!!! ************************* IMPORTANT: YOU MUST CREATE A GROUP CALLED 'unknown' ***************************** !!!
The group 'unknown' is the NatACL default group.


After this is done, you have a working DHCP server; any new computer that requests an IP address will be
automatically added to the group 'unknown'.

Clients ( Workstations )

You can check whether a computer is in the NatACL database:
/usr/bin/NatACL_config client list
To change a computer's group:
/usr/bin/NatACL_config client group <mac address> <group name>
Ex:
/usr/bin/NatACL_config client group 00:c0:f1:d3:d4:e3 board
/usr/bin/NatACL_config client group 00:50:b1:d4:aa:c3 hr
On some DHCP clients, the renewal of the IP address can take up to 5 minutes.
In most cases it takes at most 30 seconds.

Group Policies

Now you have a working DHCP server, but your stations don't have internet access.
You must configure your group policies:
/usr/bin/NatACL_config group policy_add <group_name> [<type> <type_options>]
There are 4 types of rules:
SNAT - source NAT, to allow direct access to the internet through NAT.
DNAT - destination NAT, to use a transparent proxy.
NATACL - Web authenticator ( see the chapter NATACL ).
EXEC - run a shell command.

SNAT

To use source NAT on a group, use:
/usr/bin/NatACL_config group policy_add <group> snat <snat_address>
Example:
/usr/bin/NatACL_config group policy_add board snat 201.13.2.1
In the example above, when a station from group board requests a new IP from DHCP, the DHCP server adds a new rule to iptables allowing that IP to access the internet through NAT.

DNAT

To use DNAT, use:
/usr/bin/NatACL_config group policy_add <group> dnat <dnat_address> <dnat_port>
Example:
NatACL_config group policy_add board dnat 10.10.0.1 3128


In the example above, when a station from group board requests a new IP from DHCP, the DHCP server adds a new rule to iptables allowing that IP to access the internet through the proxy running on 10.10.0.1:3128.

EXEC

Execute a shell command.
The first parameter after 'exec' defines whether the command is executed only once or every time a DHCP client requests an IP address. ( The minimum interval is 5 minutes. )
Example:
NatACL_config group policy_add board exec 0 '/usr/bin/rules.sh'


The parameters passed to the script are:
$1 ( first parameter ) IP address
$2 ( second parameter ) MAC address


For performance reasons, and so that NatACL can clean up on initialization, I strongly advise you to use the following iptables chains:
NatACL_snat_${2}
NatACL_dnat_${2}
NatACL_fwd_${2}
instead of PREROUTING, POSTROUTING and FORWARD.
Example.
If I want to deny a destination IP address for a group:
#!/bin/sh
# $1 = client IP address, $2 = client MAC address ( the chain-name suffix )
iptables -t nat -I "NatACL_fwd_${2}" -p ALL -s "$1" -d 200.200.200.200 -j DROP
And add a policy like:
# NatACL_config group policy_add developers exec 1 '/usr/bin/NatACL_deny_access.sh'
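As an added example that is not the project's own script, here is a fuller version of the deny hook above. It keeps the same chain and table as the README's one-liner, but validates $1 and $2 before interpolating them into the command, so a malformed value handed to the hook cannot become extra iptables arguments, and it takes the destination to block from a variable instead of hardcoding it. The names DENY_DST, IPTABLES, is_ipv4, is_mac and deny_destination are mine; the NatACL_fwd_<mac> chain and the $1/$2 convention come from the README.

```shell
#!/bin/sh
# Added example: an EXEC policy hook that denies one destination for a client.
# NatACL_dhcp calls the hook with $1 = client IP and $2 = client MAC (per the README).
# Assumptions: DENY_DST and IPTABLES are mine and may be overridden from the
# environment; the chain NatACL_fwd_<mac> is used in the nat table exactly as
# the README's one-liner does.
IPTABLES="${IPTABLES:-iptables}"
DENY_DST="${DENY_DST:-200.200.200.200}"

# Accept only a dotted-quad IPv4 address with each octet in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Accept only a colon-separated 48-bit MAC address.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# deny_destination <client_ip> <client_mac> [<dst_ip>]
# Inserts a DROP rule for client_ip -> dst_ip into the client's NatACL forward chain.
# Returns 2 without touching iptables if any argument fails validation.
deny_destination() {
    ip="$1"; mac="$2"; dst="${3:-$DENY_DST}"
    if ! is_ipv4 "$ip"; then
        echo "deny_destination: invalid client IP '$ip'" >&2; return 2
    fi
    if ! is_mac "$mac"; then
        echo "deny_destination: invalid client MAC '$mac'" >&2; return 2
    fi
    if ! is_ipv4 "$dst"; then
        echo "deny_destination: invalid destination '$dst'" >&2; return 2
    fi
    "$IPTABLES" -t nat -I "NatACL_fwd_${mac}" -p ALL -s "$ip" -d "$dst" -j DROP
}

# When run as the hook script itself, act on the two arguments NatACL_dhcp passes.
case "${0##*/}" in
    NatACL_deny_access.sh) deny_destination "$1" "$2" ;;
esac
```

Install it as /usr/bin/NatACL_deny_access.sh and register it with the exec policy shown above; set DENY_DST in the environment of NatACL_dhcp (or edit the default) to choose the blocked address.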

Group

By default, no group on NatACL can communicate with another group; you must set the groups' permissions.
In this example, the group board will see the groups 'hr' and 'development' ( and the reverse: hr and development will see the group board ):

NatACL_config group policy_add board group hr
NatACL_config group policy_add board group development
I recommend not allowing any group to access the group 'unknown', since this group is only for temporary machines.

Client Policies

The usage is almost the same as for group policies.
Just use NatACL_config client instead of NatACL_config group, and a MAC address instead of a group name.

NATACL

If you have configured the items above, you already have a working DHCP server and your stations have internet access.
But if you want to force users to authenticate over the web before they get any internet access, you must use NatACL_web.
First you must add a group policy ( or a client policy ):
/usr/bin/NatACL_config group policy_add <group> natacl <multiple_sessions 1/0> <expire_options> <authentication_options>


Where:
<multiple_sessions> is a boolean value ( 0/1 ); it allows multiple logins using the same username.
<expire_options> defines the expiration method. There are 3 types:
EXPIRE_PING=[ping_interval]
EXPIRE_POPUP
EXPIRE_TIME=[time_interval]
ping_interval and time_interval are time values in seconds.


<authentication_options> defines the authentication type; these values can change from plugin to plugin:
auth_unix.so
auth_pop3.so|SERVER=<server>
where <server> is the POP3 server.
Examples:
NatACL_config group policy_add hr natacl 1 EXPIRE_POPUP auth_unix.so
NatACL_config group policy_add hr natacl 1 EXPIRE_TIME=3600 auth_unix.so
NatACL_config group policy_add hr natacl 1 EXPIRE_POPUP 'auth_pop3.so|SERVER=10.10.0.9'


When the web authentication completes, NatACL looks up the group's other policies and executes them.

MRTG

If you want MRTG to generate statistics on NatACL groups, you must start NatACL_netdetect:


# NatACL_netdetect


This is a daemon program; it captures all network packets and generates statistics split by group.
You can run NatACL_netdetect_collector to see these statistics.


Ex.
# NatACL_netdetect_collector stats external unknown
This shows the total bytes sent and total bytes received between all machines in group 'unknown' and the internet.
In mrtg.conf you should have something like:
Target[vol_unknown]: `/usr/bin/NatACL_netdetect_collector stats external unknown`
Options[vol_unknown]: growright,nopercent,noinfo,nobanner
Maxbytes[vol_unknown]: 10000000
kMG[vol_unknown]: B,K,M,G,T,P
Title[vol_unknown]: Internet
YLegend[vol_unknown]: bytes
ShortLegend[vol_unknown]: bytes
Legend1[vol_unknown]: In
Legend2[vol_unknown]: Out
LegendI[vol_unknown]: In
LegendO[vol_unknown]: Out
WithPeak[vol_unknown]: wmy
Legend3[vol_unknown]: Top IN
Legend4[vol_unknown]: Top Out

Execution

To start the DHCP server:
NatACL_dhcp