
#1 2013-04-10 06:28:40

Zzipo
Member
From: North Spain
Registered: 2013-01-07
Posts: 61

BASIC "server control" Firewall rules? user/password+MAC?

Hello,

I have one computer which will provide internet through its network 192.168.1.0/24 (WLAN, connected to a home router) to another network, 10.0.0.0/24 for example (it could be with a switch, or directly one computer connected to its ethernet).

The IPs are provided with DHCP.

My target: when one device is connected to my computer (10.0.0.0/24 network) I would like to do a basic control: if the computer has a predefined user/password, it can be connected and can use the internet. Also, depending on the user group, it gets more "bandwidth" of the bandwidth that I have for the internet (because in the other network that gives me internet, I share the network with another 3 computers).

I don't want you to solve this for me, I just ask what is the best approach to do what I want.

My questions:

a) Is it possible only with dhcpd configuration? I have seen that I can map MAC -> IP, but first I have to know, in the same way, how to associate a user/password with a MAC.

b) Imagine that I use method a). How difficult is it to know that my network (ethernet) is in 10.0.0.0/24? Because then it will be easy with nmap to check that range of IPs until finding in 10.0.0.1 (for example) the gateway (my computer). And therefore, if other computers in that network have internet, it will have it too.

c) I don't know how I can exchange the "messages" to validate the credentials. Should I create an httpd server with a basic webpage for login, associated with some sort of database on my computer, and if another computer that connects to the network wants internet, it should go to... I don't know, https://10.0.0.1:80? And then create a secure connection, validate and return whether it is correct or not ---> on my "server" side, create a new rule with iptables to allow "INTERNET" for that IP+MAC (I don't know if it is possible and how I should go about it).

d) What happens if I have a range of maximum dhcpd IPs (10.0.0.10 to 10.0.0.20, therefore that is the maximum of valid users (10)), but 3 computers with invalid credentials (and 7 with valid ones) have been connected to the network, and another with valid credentials (not verified yet) wants to be in the network... but because of the maximum range, it cannot get an IP. What should I do?

e) What is the best way to do something like that with the division of the bandwidth? How to define the policies? I would like to control it like this:

owner -> maximum 80% if the owner needs it, 20% for the group below. If the owner doesn't use it, 100% is for the group below.
privileged group -> maximum 80% if the privileged group needs it, 20% for the group below. If the privileged group doesn't use it, 100% is for the group below. The bandwidth of the group is divided proportionally among the users in this group.
normal group -> maximum 50%

So, imagine that we have the owner, 2 users in the privileged group, and 4 users in the normal group.
In one specific moment:

The owner needs 20%, so he uses 20% of the total bandwidth, and 80% is for the group below:
Privileged user 1 needs 50% of the total bandwidth, but he can only get 32% (0.8*0.8) because privileged user 2 needs 32% and is using the other 32%.
Normal user 1 needs 60% of the bandwidth, but he can only get 11% (because the remaining 3% of user 2 is given to user 1, whose maximum is 8%).
Normal user 2 needs 5% of the bandwidth, so he can get 5% (the maximum was 8%).
The rest of the normal users don't need bandwidth at this moment.

I know that this should be difficult to create. But I would like to learn.

My programming knowledge is quite high in Java, but I can do some things with Bash and C (I will need more time, but I will get it).

[Bonus Question]
This is for a home network, and probably I will seldom connect only one computer to the internal network 10.0.0.0/24, but I want to do this to learn. How can I simulate other computers that want to connect to that network through eth0 (switch or not)?

Last edited by Zzipo (2013-04-10 06:30:13)
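The bandwidth policy in question e) is a hierarchy with borrowing: each tier gets what the tiers above left unused, keeps a share for the tier below, and splits its own budget among its members so that what an idle member does not need flows to the others. The following is an added example (not code from the post) that models that policy and reproduces the numbers in the scenario; it assumes the owner/privileged "20% for the group below" is a reservation out of the bandwidth reaching that tier, the normal group's 50% is a hard cap on the total link, and the split inside a group is max-min fair (water-filling).

```python
"""Hierarchical bandwidth split for the owner / privileged / normal policy."""
from dataclasses import dataclass


@dataclass
class Tier:
    name: str
    demands: list               # wanted bandwidth per member, in % of the link
    reserve_below: float = 0.0  # share of incoming bandwidth kept for the tier below
    hard_cap: float = 1.0       # absolute ceiling as a fraction of the total link


def water_fill(demands, budget):
    """Max-min fair split of `budget` over `demands`; returns per-member grants."""
    grants = [0.0] * len(demands)
    remaining = budget
    # Serve the smallest demands first so their unused share passes to bigger ones.
    order = sorted(range(len(demands)), key=lambda i: demands[i])
    for pos, i in enumerate(order):
        fair_share = remaining / (len(order) - pos)
        grants[i] = min(demands[i], fair_share)
        remaining -= grants[i]
    return grants


def allocate(total, tiers):
    """Walk the tiers top-down; returns {tier name: per-member grants}."""
    result = {}
    available = total
    for tier in tiers:
        # A tier may use the incoming bandwidth minus the part reserved for the
        # tier below, and never more than its hard cap on the whole link.
        budget = min(available * (1 - tier.reserve_below), tier.hard_cap * total)
        grants = water_fill(tier.demands, budget)
        result[tier.name] = grants
        available -= sum(grants)  # whatever is unused flows to the next tier
    return result


# Constructed scenario from the post: the owner wants 20%, the privileged users
# want 50% and 32%, the normal users want 60%, 5%, 0% and 0% of a 100% link.
SCENARIO = [
    Tier("owner", [20], reserve_below=0.2),
    Tier("privileged", [50, 32], reserve_below=0.2),
    Tier("normal", [60, 5, 0, 0], hard_cap=0.5),
]

if __name__ == "__main__":
    for name, grants in allocate(100, SCENARIO).items():
        print(f"{name:10s} {[round(g, 2) for g in grants]}")
```

Running it gives owner 20, privileged 32 and 32, normal 11, 5, 0 and 0, matching the post's walk-through; the same parent/child structure with borrowing is what HTB classes in Linux tc implement.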
