Re: [isf-wifidog] WRT54G firewalling problem
Max Horváth
max.horvath at maxspot.de
Thu 6 Oct 20:58:15 EDT 2005
Hi,
I still have problems regarding the WifiDog gateway ...
With the CVS version installed on OpenWRT I can access every port except
port 80 without authenticating.
Doing it the way you described (renaming to S42wifidog) and adding
sleep 10 to S45firewall doesn't work. It's as if WifiDog weren't running.
So which lines do I have to comment out in S45firewall?
Nonetheless - Philippe: do you know why this happens? Or why
doesn't it happen at ISF? How did you split LAN and WiFi exactly?
To answer another question: these are the results of running the
following commands:
iptables -t mangle -L
iptables -t filter -L
iptables -t nat -L
iptables -t mangle -L
=====================
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
WiFiDog_Outgoing all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
WiFiDog_Incoming all -- anywhere anywhere
Chain WiFiDog_Incoming (1 references)
target prot opt source destination
ACCEPT all -- anywhere 10.22.11.173
Chain WiFiDog_Outgoing (1 references)
target prot opt source destination
MARK all -- 10.22.11.173 anywhere MAC 00:11:24:C2:92:76 MARK set 0x2
iptables -t filter -L
=====================
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere tcp option=!2 flags:SYN/SYN
input_rule all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT gre -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
forwarding_rule all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
WiFiDog_WIFI2Internet all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
output_rule all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain WiFiDog_AuthServers (1 references)
target prot opt source destination
ACCEPT all -- anywhere maxspot.de
Chain WiFiDog_Global (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 85.10.198.114 tcp dpt:80
Chain WiFiDog_Known (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain WiFiDog_Locked (1 references)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain WiFiDog_Unknown (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:53
ACCEPT tcp -- anywhere anywhere tcp dpt:53
ACCEPT udp -- anywhere anywhere udp dpt:67
ACCEPT tcp -- anywhere anywhere tcp dpt:67
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain WiFiDog_Validate (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:25 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere
Chain WiFiDog_WIFI2Internet (1 references)
target prot opt source destination
WiFiDog_AuthServers all -- anywhere anywhere
WiFiDog_Locked all -- anywhere anywhere MARK match 0x254
WiFiDog_Global all -- anywhere anywhere
WiFiDog_Validate all -- anywhere anywhere MARK match 0x1
WiFiDog_Known all -- anywhere anywhere MARK match 0x2
WiFiDog_Unknown all -- anywhere anywhere
Chain forwarding_rule (1 references)
target prot opt source destination
Chain input_rule (1 references)
target prot opt source destination
Chain output_rule (1 references)
target prot opt source destination
iptables -t nat -L
==================
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
prerouting_rule all -- anywhere anywhere
WiFiDog_Outgoing all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
postrouting_rule all -- anywhere anywhere
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain WiFiDog_AuthServers (1 references)
target prot opt source destination
ACCEPT all -- anywhere maxspot.de
Chain WiFiDog_Outgoing (1 references)
target prot opt source destination
WiFiDog_WIFI2Router all -- anywhere 10.22.11.1
WiFiDog_WIFI2Internet all -- anywhere anywhere
Chain WiFiDog_Unknown (1 references)
target prot opt source destination
WiFiDog_AuthServers all -- anywhere anywhere
REDIRECT tcp -- anywhere anywhere tcp dpt:80 redir ports 2060
Chain WiFiDog_WIFI2Internet (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere MARK match 0x2
ACCEPT all -- anywhere anywhere MARK match 0x1
WiFiDog_Unknown all -- anywhere anywhere
Chain WiFiDog_WIFI2Router (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain postrouting_rule (1 references)
target prot opt source destination
Chain prerouting_rule (1 references)
target prot opt source destination
Regards, Max!
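The listing above already shows where the bypass comes from: in the filter FORWARD chain two unconditional "ACCEPT all" rules sit before the WiFiDog_WIFI2Internet jump, so with iptables' first-match semantics every forwarded packet is accepted before WiFiDog can check its mark, and only port 80 is caught because the nat PREROUTING REDIRECT to port 2060 runs before the filter table is consulted. The shell check below is an added example, not code from this thread or from the WiFiDog project; it parses output in the style of iptables -t filter -L FORWARD -n and flags that ordering, using a sample constructed from the chain quoted in this mail plus a constructed "fixed" ordering for comparison.

```shell
#!/bin/sh
# Added example: detect an unconditional ACCEPT placed before the
# WiFiDog_WIFI2Internet jump in the filter FORWARD chain. iptables
# evaluates rules top to bottom and stops at the first terminating
# match, so such an ACCEPT lets every forwarded port through without
# authentication; port 80 still reaches the portal only because the
# nat REDIRECT to port 2060 happens in PREROUTING, before filtering.

# Sample listing, constructed from the FORWARD chain quoted in the mail.
FORWARD_LISTING='Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
forwarding_rule all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
WiFiDog_WIFI2Internet all -- anywhere anywhere'

# Constructed listing with the WiFiDog jump ahead of the blanket ACCEPT,
# i.e. the order the check treats as safe.
FIXED_LISTING='Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
WiFiDog_WIFI2Internet all -- anywhere anywhere
ACCEPT all -- anywhere anywhere'

# check_forward_order LISTING
# Prints a one-line verdict. Returns 0 if the order is safe, 1 if an
# unconditional ACCEPT precedes the WiFiDog jump, 2 if the jump is missing.
check_forward_order() {
    printf '%s\n' "$1" | awk '
        NR <= 2 { next }                 # skip "Chain ..." and column header
        { rule++ }                       # 1-based rule number within the chain
        $1 == "WiFiDog_WIFI2Internet" { found = 1; exit }
        # "ACCEPT all -- src dst" with no match fields after the destination
        # column (exactly 5 fields) matches every forwarded packet.
        $1 == "ACCEPT" && $2 == "all" && NF == 5 { bad = bad " " rule }
        END {
            if (!found) { print "no WiFiDog_WIFI2Internet jump in FORWARD"; exit 2 }
            if (bad != "") { print "unconditional ACCEPT before WiFiDog at rule(s):" bad; exit 1 }
            print "FORWARD order is safe"; exit 0
        }'
}
```

On the router itself the same function can be fed live output with check_forward_order "$(iptables -t filter -L FORWARD -n)".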
On 17.09.2005 at 19:38, kaouete wrote:
> Ok,
>
> so, after a few tests, here are the results:
>
> I installed a fresh openwrt whiterussian rc3,
> then I installed wifidog, modified the wifidog.conf, and restarted the
> wrt.
>
> 1) without touching the firewall script and co.:
> S65wifidog is started after S45firewall:
> if I try to connect to a website with a wifi client I get the
> wifidog auth page
> BUT I can anyway ssh to the net or use any other port than 80.
>
> 2) now I mv S65wifidog to S41wifidog (so it is started before
> S45firewall), I comment out the iptables table flushing and co. and
> add a sleep 10 at the beginning of the file to be sure that
> wifidog has time to load all of its rules.
>
> with a wifi client, if I connect to the net: I get the wifidog
> auth portal
> AND I can't access the net with anything without being authed
> \o/
>
> conclusion: the out-of-box openwrt is not compatible with wifidog
> for the moment. I think there should be a nicer way to fix it by
> modifying wifidog rules .. .. or not :]
>
> kaouete
>
> On Thu, Sep 15, 2005 at 02:33:17PM +0200, kaouete wrote:
>
>> ho, sorry :]
>>
>> Follow the link to the bug on sourceforge.
>>
>> For me the problem is that the openwrt firewall script breaks the
>> iptables rules used by wifidog,
>>
>> but maybe it is working anyway; I will do more tests (and maybe other
>> people too :) and will tell you if there are problems and, if yes,
>> what they are :]
>>
>> kaouete
>>
>> On Thu, Sep 15, 2005 at 02:17:54PM +0200, Max Horváth wrote:
>>
>>> Hey guys,
>>>
>>> I just those two words problem and firewall.
>>>
>>> As I can't read French, I'd like to ask you what kind of problem
>>> exists and if you could translate it for me.
>>>
>>> Thanks and cheers, Max!
>>>
>>> On 15.09.2005 at 13:16, kaouete wrote:
>>>
>>>
>>>> OK, then I'll run some tests and let you know what I find.
>>>>
>>>> kaouete
>>>>
>>>> On Thu, Sep 15, 2005 at 07:08:25AM -0400, Philippe April wrote:
>>>>
>>>>
>>>>> Actually, I just re-read the bug report, and my reply about
>>>>> bad iptables rules may not apply 100%; the author seems to be
>>>>> saying that it really is an ordering problem.
>>>>>
>>>>> That said, the more feedback we get from outside people, the
>>>>> better we'll know whether everything is fine now :)
>>>>>
>>>>> Keep us posted!
>>>>>
>>>>> Philippe April
>>>>> GnuPG http://key.philippeapril.com
>>>>>
>>>>> On 15-Sep-05, at 6:54 AM, kaouete wrote:
>>>>>
>>>>>
>>>>>
>>>>>> On that subject, and related to this bug:
>>>>>> https://sourceforge.net/tracker/index.php?func=detail&aid=1210428&group_id=102646&atid=632424
>>>>>>
>>>>>> is this problem fixed with whiterussian?
>>>>>>
>>>>>> (and there are also other bugs reported, by the way :)
>>>>>>
>>>>>> kaouete
>>>>>>
>>>>>> On Wed, Sep 14, 2005 at 10:54:46PM -0400, Philippe April wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> Let's say that I have recently brought myself up to date, and
>>>>>>> ISF is now going to start using OpenWrt Whiterussian.
>>>>>>>
>>>>>>> Which means we have a package compiled for whiterussian and
>>>>>>> we'll keep it up to date!
>>>>>>>
>>>>>>> So, this image (which actually comes from the openwrt site):
>>>>>>> http://www.ilesansfil.org/dist/wifidog/bin/openwrt/whiterussian-rc2/openwrt-wrt54g-squashfs.bin
>>>>>>>
>>>>>>> and this package:
>>>>>>>
>>>>>>> http://www.ilesansfil.org/dist/wifidog/bin/openwrt/whiterussian-rc2/packages/wifidog_1.1.2-1_mipsel.ipk
>>>>>>>
>>>>>>> Both should work perfectly! And it should install all the
>>>>>>> dependencies.
>>>>>>>
>>>>>>> Important point: you must use /etc/init.d/S65wifidog (or
>>>>>>> wifidog-init start) to start wifidog so that it loads the
>>>>>>> kernel modules wifidog depends on.
>>>>>>>
>>>>>>> The openwrt image is for a WRT54G, not a WRT54GS; for the GS
>>>>>>> you can find it at the same link, or on the openwrt site.
>>>>>>>
>>>>>>> Keep us posted!
>>>>>>>
>>>>>>> Philippe April
>>>>>>> GnuPG http://key.philippeapril.com
>>>>>>>
>>>>>>> On 14-Sep-05, at 9:58 PM, Loïc DEVAUX wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I have just finished installing the auth server, which went
>>>>>>>> perfectly on a Debian sarge; thank you for your wonderful
>>>>>>>> work.
>>>>>>>>
>>>>>>>> The only thing is that I have problems installing the wifidog
>>>>>>>> client on a WRT54G.
>>>>>>>>
>>>>>>>> Which version of openwrt and which version of wifidog should I
>>>>>>>> use to avoid problems?
>>>>>>>>
>>>>>>>> Thanks in advance for your reply.
>>>>>>>>
>>>>>>>> Loïc DEVAUX
>>>>>>>>
>>>>>>>> 10 rue des mésanges
>>>>>>>>
>>>>>>>> 63170 AUBIERE France
>>>>>>>>
>>>>>>>> Tel: (+33) 6 63 69 76 09
>>>>>>>>
>>>>>>>> E-mail: loic.devaux99 at laposte.net
>>>>>>>>
>>>>>>>> Skype : mioz963
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> WiFiDog mailing list
>>>>>>>> WiFiDog at listes.ilesansfil.org
>>>>>>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog