How to allow internal tokens to authenticate against an external domain
This customer-submitted how-to documents the iptables rules needed to allow internal token clients to authenticate against the same domain as your external token clients.
If you want your internal two-factor authentication token clients to authenticate against the same WiKID domain as your external token clients, you need to set up routing so that the internal clients reach the server through your router/firewall (hairpin NAT). Here are the rules necessary in iptables:
# Redirect requests arriving at the FW to the internal auth server
# ($INT_IF, $PUBLIC_AUTH, $INT_AUTH, $INT_NET and $FW_IP are placeholders for the values listed below)
$IPT -t nat -A PREROUTING -i $INT_IF -p tcp \
    --sport 1024:65535 -d $PUBLIC_AUTH --dport 80 \
    -j DNAT --to-destination $INT_AUTH

# Change the source address so responses go back through the FW
$IPT -t nat -A POSTROUTING -o $INT_IF -p tcp \
    --sport 1024:65535 --dport 80 -s $INT_NET \
    -j SNAT --to-source $FW_IP
In my test environment:
- Internal network interface = eth1
- Public IP for auth server = 192.168.2.45 (but in production, would be a publicly routable address like 129.210.8.1)
- Internal IP for auth server = 10.64.1.20
- IP address of firewall = 10.64.1.1
- Internal network mask = 10.0.0.0/8
This page talks about the issues:
http://iptables-tutorial.frozentux.net/chunkyhtml/x4033.html
And this page pointed me there:
http://securepoint.com/lists/html/NetFilter/2007-05/msg00233.html
Strangely, I thought a FORWARD rule would be required as well; it may already have been covered by my existing firewall rule set, so you may need to add a FORWARD allowance for this traffic too, like this (untested):
#$IPT -A FORWARD -i $DMZ_INTERFACE -o $DMZ_INTERFACE -p tcp \
#    --sport $UNPRIVPORTS -d $PUKKA_AUTHSERVER --dport 80 \
#    -m state --state NEW -j ACCEPT
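The following script is an added example, not part of the submitted how-to or of WiKID's own code. It builds the three rules above (DNAT, SNAT and the FORWARD allowance) from the test-environment values listed earlier, using placeholder variable names chosen here, and it adds a check that reads an iptables-save style dump and confirms the DNAT rule is actually installed. Two assumptions go beyond the original rules: IPT defaults to "echo iptables" so the script only prints the rules unless you run it as root with IPT=/sbin/iptables, and the POSTROUTING rule is narrowed with -d so that only traffic to the auth server is source-NATed rather than all internal HTTP traffic crossing the firewall.

```shell
#!/bin/sh
# Added example: hairpin NAT for internal token clients that use the public
# auth-server address. Variable names are placeholders chosen for this
# example; values are the ones from the test environment described above.
# IPT defaults to a dry run (echo); set IPT=/sbin/iptables as root to apply.
IPT="${IPT:-echo iptables}"
INT_IF="eth1"               # internal network interface
PUBLIC_AUTH="192.168.2.45"  # public address of the auth server
INT_AUTH="10.64.1.20"       # internal address of the auth server
FW_IP="10.64.1.1"           # firewall's internal address
INT_NET="10.0.0.0/8"        # internal network
UNPRIVPORTS="1024:65535"    # client source ports

# Emit the rule set, one rule per line. PREROUTING rewrites the public
# address to the internal one; POSTROUTING rewrites the source to the
# firewall so the server's reply comes back through the firewall instead of
# going directly to the client (which would see an unexpected source and
# drop it); FORWARD admits the new connection when the chain policy is DROP.
# The -d on POSTROUTING is an addition that limits the SNAT to auth traffic.
hairpin_rules() {
    printf '%s\n' \
      "-t nat -A PREROUTING -i $INT_IF -p tcp --sport $UNPRIVPORTS -d $PUBLIC_AUTH --dport 80 -j DNAT --to-destination $INT_AUTH" \
      "-t nat -A POSTROUTING -o $INT_IF -p tcp --sport $UNPRIVPORTS -s $INT_NET -d $INT_AUTH --dport 80 -j SNAT --to-source $FW_IP" \
      "-A FORWARD -i $INT_IF -o $INT_IF -p tcp --sport $UNPRIVPORTS -d $INT_AUTH --dport 80 -m state --state NEW -j ACCEPT"
}

# Apply (or, in the default dry run, print) each rule.
apply_hairpin_rules() {
    hairpin_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        $IPT $rule
    done
}

# Verification: read an iptables-save dump on stdin and return 0 only if the
# DNAT from the public address to the internal server is present.
# In practice: iptables-save -t nat | has_dnat_rule
has_dnat_rule() {
    grep -q -- "-A PREROUTING.*-d $PUBLIC_AUTH/32.*-j DNAT --to-destination $INT_AUTH"
}

# Constructed sample dumps (iptables-save format) for offline checking.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.2.45/32 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 80 -j DNAT --to-destination 10.64.1.20
-A POSTROUTING -s 10.0.0.0/8 -d 10.64.1.20/32 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 80 -j SNAT --to-source 10.64.1.1
COMMIT'
DUMP_WITHOUT_DNAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/8 -o eth1 -j MASQUERADE
COMMIT'

apply_hairpin_rules
```

Without the SNAT rule the DNAT alone is not enough: the server answers the client directly on the internal LAN, the client sees a reply from 10.64.1.20 to a connection it opened to 192.168.2.45, and the TCP handshake never completes, so checking for both rules in the live dump is the useful health check.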
This how-to was submitted by Brian Ghidinelli