Re: [isf-wifidog] Problème firewalling WRT54G

Max Horváth max.horvath at maxspot.de
Thu 6 Oct 20:58:15 EDT 2005


Hi,

I still have problems regarding the WifiDog gateway ...

Installing the CVS version on OpenWRT, I can access every port but
port 80 without authenticating.

Doing it the way you described (renaming to S42wifidog) and adding
sleep 10 to S45firewall doesn't work. It's like WifiDog wouldn't run.
So which lines do I have to comment out in S45firewall?

Nonetheless - Philippe: do you know why this happens? Or why
doesn't it happen at ISF? How did you split LAN and WiFi exactly?

To answer another question: these are the results when running the  
following commands:

     iptables -t mangle -L
     iptables -t filter -L
     iptables -t nat -L



iptables -t mangle -L
=====================
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
WiFiDog_Outgoing  all  --  anywhere             anywhere

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
WiFiDog_Incoming  all  --  anywhere             anywhere

Chain WiFiDog_Incoming (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             10.22.11.173

Chain WiFiDog_Outgoing (1 references)
target     prot opt source               destination
MARK       all  --  10.22.11.173         anywhere            MAC 00:11:24:C2:92:76 MARK set 0x2



iptables -t filter -L
=====================
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere            tcp option=!2 flags:SYN/SYN
input_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     gre  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
WiFiDog_WIFI2Internet  all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
output_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain WiFiDog_AuthServers (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             maxspot.de

Chain WiFiDog_Global (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             85.10.198.114       tcp dpt:80

Chain WiFiDog_Known (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain WiFiDog_Locked (1 references)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain WiFiDog_Unknown (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:53
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:53
ACCEPT     udp  --  anywhere             anywhere            udp dpt:67
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:67
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain WiFiDog_Validate (1 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            tcp dpt:25 reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere

Chain WiFiDog_WIFI2Internet (1 references)
target     prot opt source               destination
WiFiDog_AuthServers  all  --  anywhere             anywhere
WiFiDog_Locked  all  --  anywhere             anywhere            MARK match 0x254
WiFiDog_Global  all  --  anywhere             anywhere
WiFiDog_Validate  all  --  anywhere             anywhere            MARK match 0x1
WiFiDog_Known  all  --  anywhere             anywhere            MARK match 0x2
WiFiDog_Unknown  all  --  anywhere             anywhere

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain input_rule (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination



iptables -t nat -L
==================
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
prerouting_rule  all  --  anywhere             anywhere
WiFiDog_Outgoing  all  --  anywhere             anywhere

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
postrouting_rule  all  --  anywhere             anywhere
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain WiFiDog_AuthServers (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             maxspot.de

Chain WiFiDog_Outgoing (1 references)
target     prot opt source               destination
WiFiDog_WIFI2Router  all  --  anywhere             10.22.11.1
WiFiDog_WIFI2Internet  all  --  anywhere             anywhere

Chain WiFiDog_Unknown (1 references)
target     prot opt source               destination
WiFiDog_AuthServers  all  --  anywhere             anywhere
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:80 redir ports 2060

Chain WiFiDog_WIFI2Internet (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            MARK match 0x2
ACCEPT     all  --  anywhere             anywhere            MARK match 0x1
WiFiDog_Unknown  all  --  anywhere             anywhere

Chain WiFiDog_WIFI2Router (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain postrouting_rule (1 references)
target     prot opt source               destination

Chain prerouting_rule (1 references)
target     prot opt source               destination



Regards, Max!
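As an added example (not code from the original post or from the WiFiDog project), here is a small POSIX shell check that reads `iptables -t filter -L` output and reports whether the `WiFiDog_WIFI2Internet` jump in the FORWARD chain is evaluated before any unconditional `ACCEPT all` rule, which is the property that decides whether unauthenticated clients are actually blocked. The three sample listings are constructed: the first reproduces the FORWARD chain from the listing above, the second assumes the jump has been moved above the blanket ACCEPTs, and the third assumes a firewall script has flushed the WiFiDog rules. The function names are my own.

```shell
#!/bin/sh
# Added example: check whether the WiFiDog jump in the filter FORWARD chain can
# actually gate traffic. Reads the output of `iptables -t filter -L` on stdin.
# Exit status: 0 = WiFiDog_WIFI2Internet precedes any blanket "ACCEPT all" rule,
#              1 = a blanket ACCEPT comes first (unauthenticated clients get through),
#              2 = no WiFiDog_WIFI2Internet jump in FORWARD (rules missing/flushed).
forward_is_gated() {
    awk '
        /^Chain /       { chain = $2; n = 0; next }   # new chain header
        /^target +prot/ { next }                      # column header line
        chain == "FORWARD" && NF > 0 {
            n++
            if ($1 == "WiFiDog_WIFI2Internet" && !wd) wd = n
            # "ACCEPT all -- anywhere anywhere" with no match fields is a blanket
            # accept; the "state RELATED,ESTABLISHED" rule has extra fields and
            # is therefore not counted.
            if ($1 == "ACCEPT" && $2 == "all" && NF == 5 && !acc) acc = n
        }
        END {
            if (!wd) exit 2
            if (acc && acc < wd) exit 1
            exit 0
        }'
}

# Constructed sample: the FORWARD chain as posted above (OpenWrt's two blanket
# ACCEPTs sit above the WiFiDog jump).
posted_forward() {
    cat <<'EOF'
Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
WiFiDog_WIFI2Internet  all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
EOF
}

# Constructed sample: the same chain with the WiFiDog jump moved above the
# blanket ACCEPTs (an assumed fixed ordering, not output from a real router).
gated_forward() {
    cat <<'EOF'
Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
WiFiDog_WIFI2Internet  all  --  anywhere             anywhere
forwarding_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
EOF
}

# Constructed sample: what the chain looks like after a firewall script has
# flushed the WiFiDog rules entirely.
flushed_forward() {
    cat <<'EOF'
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
EOF
}

# Run the check on the listing produced by the named function and say what it found.
report() {
    rc=0
    "$2" | forward_is_gated || rc=$?
    case $rc in
        0) echo "$1: gated (WiFiDog jump precedes any blanket ACCEPT)" ;;
        1) echo "$1: NOT gated (a blanket ACCEPT precedes the WiFiDog jump)" ;;
        *) echo "$1: WiFiDog_WIFI2Internet jump missing from FORWARD" ;;
    esac
}

report "posted listing" posted_forward
report "reordered listing" gated_forward
report "flushed listing" flushed_forward
```

On a live gateway, pipe `iptables -t filter -L` into forward_is_gated. On the listing posted above it returns 1: the two unconditional ACCEPT rules that the OpenWrt firewall script leaves in FORWARD are matched before the WiFiDog jump, so forwarded traffic on every port is accepted without ever reaching WiFiDog_Unknown. Only TCP port 80 still lands on the portal, because that is caught separately by the REDIRECT in the nat table's PREROUTING chain, which a blanket ACCEPT in the filter table does not affect. That is exactly the symptom described at the top of the message.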

On 17.09.2005 at 19:38, kaouete wrote:

> Ok,
>
> so, after a few tests, here are the results:
>
> I installed a fresh OpenWrt WhiteRussian RC3,
> then I installed wifidog, modified the wifidog.conf and restarted the
> WRT.
>
> 1) without touching the firewall script etc.:
> S65wifidog is started after S45firewall:
> if I try to connect to a website with a wifi client I get the
> wifidog auth page
> BUT I can anyway ssh to the net or use any other port than 80.
>
> 2) now I mv S65wifidog to S41wifidog (so it is started before
> S45firewall), I comment out the iptables table flushing etc. and
> add a sleep 10 at the beginning of the file to be sure that
> wifidog has the time to load all of its rules.
>
> with a wifi client, if I connect to the net: I get the wifidog
> auth portal
> AND I can't access the net with anything without being authed
> \o/
>
> conclusion: the out-of-the-box OpenWrt is not compatible with wifidog
> for the moment. I think there should be a nicer way to fix it by
> modifying the wifidog rules .. .. or not :]
>
> kaouete
>
> On Thu, Sep 15, 2005 at 02:33:17PM +0200, kaouete wrote:
>
>> Oh, sorry :]
>>
>> Follow the link to the bug on SourceForge.
>>
>> For me the problem is that the OpenWrt firewall script breaks the
>> iptables rules used by wifidog,
>>
>> but maybe it is working anyway; I will do more tests (and maybe other
>> people too :) and will tell you if there are problems and, if so,
>> what they are :]
>>
>> kaouete
>>
>> On Thu, Sep 15, 2005 at 02:17:54PM +0200, Max Horváth wrote:
>>
>>> Hey guys,
>>>
>>> I just got those two words: problem and firewall.
>>>
>>> As I can't read French, I'd like to ask you what kind of problem
>>> exists and whether you could translate it for me.
>>>
>>> Thanks and cheers, Max!
>>>
>>> On 15.09.2005 at 13:16, kaouete wrote:
>>>
>>>
>>>> OK, then I'll run some tests and tell you what I find.
>>>>
>>>> kaouete
>>>>
>>>> On Thu, Sep 15, 2005 at 07:08:25AM -0400, Philippe April wrote:
>>>>
>>>>
>>>>> Actually, I just re-read the bug report, and my answer about
>>>>> bad iptables rules may not apply 100%: the author seems to be
>>>>> saying that it really is an ordering problem.
>>>>>
>>>>> That said, the more feedback we get from outside people, the
>>>>> better we'll know whether everything is fine now :)
>>>>>
>>>>> Keep us posted!
>>>>>
>>>>> Philippe April
>>>>> GnuPG http://key.philippeapril.com
>>>>>
>>>>> On 15-Sep-05, at 6:54 AM, kaouete wrote:
>>>>>
>>>>>
>>>>>
>>>>>> On that subject, and related to this bug:
>>>>>> https://sourceforge.net/tracker/index.php?func=detail&aid=1210428&group_id=102646&atid=632424
>>>>>>
>>>>>> is this problem fixed with WhiteRussian?
>>>>>>
>>>>>> (and there are other bugs reported as well :)
>>>>>>
>>>>>> kaouete
>>>>>>
>>>>>> On Wed, Sep 14, 2005 at 10:54:46PM -0400, Philippe April wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> Let's say that lately I've brought myself more up to date, and ISF
>>>>>>> is now going to start using OpenWrt WhiteRussian.
>>>>>>>
>>>>>>> Which means that we have a package compiled for WhiteRussian
>>>>>>> and that we're going to keep it up to date!
>>>>>>>
>>>>>>> So, this image (which actually comes from the openwrt site):
>>>>>>> http://www.ilesansfil.org/dist/wifidog/bin/openwrt/whiterussian-rc2/openwrt-wrt54g-squashfs.bin
>>>>>>>
>>>>>>> and this package:
>>>>>>>
>>>>>>> http://www.ilesansfil.org/dist/wifidog/bin/openwrt/whiterussian-rc2/packages/wifidog_1.1.2-1_mipsel.ipk
>>>>>>>
>>>>>>> Both should work perfectly! And it should install all the
>>>>>>> dependencies.
>>>>>>>
>>>>>>> Important point: you must use /etc/init.d/S65wifidog (or
>>>>>>> wifidog-init start) to start wifidog, so that it loads the kernel
>>>>>>> modules that wifidog depends on.
>>>>>>>
>>>>>>> The openwrt image is for a WRT54G and not a WRT54GS; for the GS
>>>>>>> you can find it at the same link, or on the openwrt site.
>>>>>>>
>>>>>>> Keep us posted!
>>>>>>>
>>>>>>> Philippe April
>>>>>>> GnuPG http://key.philippeapril.com
>>>>>>>
>>>>>>> On 14-Sep-05, at 9:58 PM, Loïc DEVAUX wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I have just finished installing the auth server, which went
>>>>>>>> wonderfully on a Debian Sarge; thank you for your magnificent
>>>>>>>> work.
>>>>>>>>
>>>>>>>> However, I have problems installing the wifidog client on a
>>>>>>>> WRT54G.
>>>>>>>>
>>>>>>>> Which version of openwrt and which version of wifidog should I
>>>>>>>> use to avoid problems?
>>>>>>>>
>>>>>>>> Thanks in advance for your reply.
>>>>>>>>
>>>>>>>> Loïc DEVAUX
>>>>>>>>
>>>>>>>> 10 rue des mésanges
>>>>>>>>
>>>>>>>> 63170 AUBIERE France
>>>>>>>>
>>>>>>>> Tel.: (+33) 6 63 69 76 09
>>>>>>>>
>>>>>>>> E-mail: loic.devaux99 at laposte.net
>>>>>>>>
>>>>>>>> Skype : mioz963
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> WiFiDog mailing list
>>>>>>>> WiFiDog at listes.ilesansfil.org
>>>>>>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>
>>>>
>>>
>>>
>
>
>
>


