We will test the setup by connecting to the ssh server on the local host. For this we need to add filtering rules that force the connection through authentication. If nufw uses the QUEUE target (ip_queue):
iptables -A OUTPUT -s 192.168.75.0/24 -p tcp --dport 22 -m state --state NEW --syn -j QUEUE
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT[1]
If nufw uses the NFQUEUE target (nfnetlink_queue):
iptables -A OUTPUT -s 192.168.75.0/24 -p tcp --dport 22 -m state --state NEW --syn -j NFQUEUE
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT[2]
First, the daemons need to be started. We start nuauth in a terminal:
nuauth -vvvvvvvvv
then we start nufw in another terminal:
nufw -vvvvvvvvv
Next, we can try to connect a user. Under Linux it can be done with:
nutcpc -d -H [NUAUTH IP][3]
and entering the name and password of a system user.
At nuauth level, we should see something like:
user bill@nufw uses OS Linux, 3.0.10, #1 Tue Oct 19 23:51:32 CEST 2008
If your PAM setup is based on the shadow file, you will not be able to authenticate a user other than the one running nuauth: on this kind of setup, nuauth needs to be run as root to authenticate other users.
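The steps above, scripted as an added example (this is not a tool shipped with NuFW): a POSIX shell script that installs the two OUTPUT rules for either queue target without stacking duplicates on a re-run, checks the kernel option that note [2] depends on, and refuses the loopback address that note [3] warns about. The subnet 192.168.75.0/24, port 22 and the /boot/config-$(uname -r) location of the kernel config are assumptions taken from this walkthrough; adjust them through the LAN, PORT and IPTABLES variables.

```shell
#!/bin/sh
# Added example, not part of NuFW: scripts the manual test so it can be
# repeated. Subnet, port and kernel-config path are assumptions taken from
# the walkthrough; override LAN, PORT and IPTABLES in the environment.
set -eu

IPTABLES="${IPTABLES:-iptables}"
LAN="${LAN:-192.168.75.0/24}"     # network the test client sits on
PORT="${PORT:-22}"                # service forced through authentication

# Accept only the two queue targets nufw can be built against: the legacy
# QUEUE target (ip_queue) or NFQUEUE (nfnetlink_queue). Prints the name.
queue_target() {
    case "$1" in
        QUEUE|NFQUEUE) printf '%s\n' "$1" ;;
        *) echo "unknown queue target: $1" >&2; return 1 ;;
    esac
}

# The rule that hands a new connection's SYN to nufw. Only the SYN is queued
# (notes [1] and [2]); the rest of the flow is accepted by conntrack state.
syn_rule() {
    t="$(queue_target "$1")" || return 1
    printf -- '-s %s -p tcp --dport %s -m state --state NEW --syn -j %s\n' \
        "$LAN" "$PORT" "$t"
}

established_rule() {
    printf -- '-m state --state ESTABLISHED,RELATED -j ACCEPT\n'
}

# Note [2]: with NFQUEUE, nufw learns about the rest of the connection from
# conntrack events, which the kernel only emits when built with
# CONFIG_IP_NF_CONNTRACK_EVENTS (CONFIG_NF_CONNTRACK_EVENTS on kernels that
# use the generic nf_conntrack). Reads the config file given, or the running
# kernel's copy under /boot (assumed location).
conntrack_events_enabled() {
    cfg="${1:-/boot/config-$(uname -r)}"
    [ -r "$cfg" ] && grep -Eq '^CONFIG_(IP_)?NF_CONNTRACK_EVENTS=y' "$cfg"
}

# Note [3]: nuauth ties the user to the address nutcpc connected from, and the
# packets nufw queues carry a real interface address, never loopback, so a
# session opened to 127.0.0.1 can never match. Refuse loopback names outright.
nuauth_addr_ok() {
    case "$1" in
        127.*|localhost|::1) return 1 ;;
        *) return 0 ;;
    esac
}

# Append to OUTPUT only if the rule is not already present (iptables -C,
# available since iptables 1.4.11), so re-running the script is idempotent.
add_rule() {
    # shellcheck disable=SC2086  # word splitting of the rule is intended
    $IPTABLES -C OUTPUT $1 2>/dev/null || $IPTABLES -A OUTPUT $1
}

del_rule() {
    # shellcheck disable=SC2086
    $IPTABLES -D OUTPUT $1 2>/dev/null || true
}

main() {
    [ $# -eq 3 ] || { echo "usage: $0 up|down QUEUE|NFQUEUE NUAUTH_IP" >&2; exit 1; }
    action="$1"; target="$(queue_target "$2")"; nuauth_ip="$3"
    nuauth_addr_ok "$nuauth_ip" || {
        echo "use a real interface address for nuauth, not $nuauth_ip (note [3])" >&2
        exit 1
    }
    case "$action" in
        up)
            if [ "$target" = NFQUEUE ] && ! conntrack_events_enabled; then
                echo "warning: CONFIG_IP_NF_CONNTRACK_EVENTS not found in the kernel config (note [2])" >&2
            fi
            add_rule "$(syn_rule "$target")"
            add_rule "$(established_rule)"
            echo "rules in place; start nuauth and nufw, then run: nutcpc -d -H $nuauth_ip"
            ;;
        down)
            del_rule "$(syn_rule "$target")"
            del_rule "$(established_rule)"
            ;;
        *) echo "unknown action: $action" >&2; exit 1 ;;
    esac
}

# Only act when invoked with arguments; sourcing the file just defines the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root with `sh nufw-test.sh up NFQUEUE 192.168.75.2` before starting the daemons and `sh nufw-test.sh down NFQUEUE 192.168.75.2` once the test is over, so the queue rules do not outlive nufw (a queue rule with no daemon listening drops every new SYN it matches).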
Open an ssh connection from the computer to start the authentication process; the daemons' verbose output then shows each step:
nufw gets a packet from Netfilter:
[PID] Sending request for 1
nufw initiates a TLS connection to nuauth:
[PID] Trying TLS connection
nuauth receives nufw's request:
** Message: Packet :
** Message: Connection : src=192.168.75.2 dst=192.168.75.2 proto=6
** Message: sport=32848 dport=22
nuauth sends an authentication request to the client(s) connected from the packet's source IP:
** Message: need to warn client
** Message: sending request
nuauth receives packet from the client:
** Message: User :
** Message: Connection : src=192.168.75.2 dst=192.168.75.2 proto=6
** Message: sport=32848 dport=22
** Message: OS : Linux 2.6.9 #1 Tue Oct 19 23:51:32 CEST 2004
** Message: Application : /usr/bin/ssh
nuauth sends back response to nufw:
Sending auth answer 1 for 1 on 0x42428482 ...
nufw returns the packet to the kernel with an ACCEPT verdict:
[PID] Accepting 1
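The exchange above can be checked mechanically rather than by eye. The following added example (not NuFW code) pairs the connection nufw asked nuauth about (the "Packet :" messages) with the connection the client vouched for (the "User :" messages) by their 5-tuple, so a request that never got a client answer, or an answer for a different connection, stands out. It assumes the "** Message:" lines arrive one per line, as in the trace above; the sample trace embedded in the script is constructed from that trace.

```shell
#!/bin/sh
# Added example, not part of NuFW: pairs nufw's request with the client's
# answer in a nuauth -v trace. Assumes one "** Message:" per input line.
set -eu

# Reads a trace (stdin, or the files given) and prints one line per 5-tuple:
#   MATCH <src:sport->dst:dport/proto> <application>   both sides agree
#   NOANSWER <src:sport->dst:dport/proto>              no client vouched for it
nuauth_trace_check() {
    awk '
    /Message: Packet :/ { side = "pkt" }
    /Message: User :/   { side = "usr" }
    {
        # nuauth splits the 5-tuple over two messages, so collect src=, dst=,
        # proto=, sport= and dport= wherever they appear until all five are in.
        for (i = 1; i <= NF; i++)
            if (split($i, kv, "=") == 2 && kv[1] ~ /^(src|dst|proto|sport|dport)$/)
                cur[kv[1]] = kv[2]
        if (("src" in cur) && ("dst" in cur) && ("proto" in cur) &&
            ("sport" in cur) && ("dport" in cur)) {
            t = cur["src"] ":" cur["sport"] "->" cur["dst"] ":" cur["dport"] "/" cur["proto"]
            if (side == "pkt") asked[t] = 1
            else if (side == "usr") { answered[t] = 1; last = t }
            split("", cur)
        }
    }
    # The client names the program that opened the connection it just vouched for.
    /Message: Application :/ { app[last] = $NF }
    END {
        for (t in asked)
            if (t in answered) printf "MATCH %s %s\n", t, ((t in app) ? app[t] : "-")
            else printf "NOANSWER %s\n", t
    }' "$@"
}

# Constructed sample, copied from the trace in this walkthrough.
SAMPLE_TRACE='** Message: Packet :
** Message: Connection : src=192.168.75.2 dst=192.168.75.2 proto=6
** Message: sport=32848 dport=22
** Message: need to warn client
** Message: sending request
** Message: User :
** Message: Connection : src=192.168.75.2 dst=192.168.75.2 proto=6
** Message: sport=32848 dport=22
** Message: OS : Linux 2.6.9 #1 Tue Oct 19 23:51:32 CEST 2004
** Message: Application : /usr/bin/ssh'

demo() {
    printf '%s\n' "$SAMPLE_TRACE" | nuauth_trace_check
}

# Usage: nuauth -vvvvvvvvv 2>&1 | sh trace-check.sh -      (live trace)
#        sh trace-check.sh nuauth.log                        (saved trace)
#        sh trace-check.sh --demo                            (embedded sample)
if [ "${1:-}" = --demo ]; then
    demo
elif [ $# -gt 0 ]; then
    nuauth_trace_check "$@"
fi
```

A NOANSWER line for a connection you expected to be authenticated is the symptom of note [3]: the client authenticated from an address that does not match the one nufw saw on the packet.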
[1] Only SYN packets are sent to QUEUE. This is not enough for advanced logging of user activity, but enough for traffic authentication.
[2] Only SYN packets are sent to NFQUEUE. This is enough for advanced logging of user activity, because events on the connections are automatically sent to nufw by Netfilter. This requires, in particular, that the CONFIG_IP_NF_CONNTRACK_EVENTS kernel option be set.
[3] Never launch nutcpc against 'localhost' or '127.0.0.1', even if nuauth is on the same computer. The packets the firewall passes to nuauth will not carry the loopback address as source but the address of one of the network interfaces, so they can never be matched to a client session that was opened to the loopback address.