Re: [isf-wifidog] WRT54G firewalling problem

Philippe April isf_lists at philippeapril.com
Thu 6 Oct 22:22:50 EDT 2005


I looked quickly, but it looks fine.

Can you run wifidog in debug mode:

wifidog -f -d 7

and send us the whole thing (attached in a .txt file or something)  
after you try to surf the net? We should be able to find it quickly....

Let us know!

Philippe April
GnuPG http://key.philippeapril.com

On 6-Oct-05, at 8:58 PM, Max Horváth wrote:

> Hi,
>
> I still have problems regarding the WifiDog gateway ...
>
> Installing the CVS version in OpenWRT I can access every port but  
> port 80 without authenticating.
>
> Doing it the way you described (renaming to S42wifidog) and adding  
> sleep 10 to S45firewall doesn't work. It's like WifiDog wouldn't  
> run. So which lines do I have to comment in S45firewall?
>
> Nonetheless - Philippe: do you know why this happens? Or why
> doesn't it happen at ISF? How did you split LAN and WiFi exactly?
>
> To answer another question: these are the results when running the  
> following commands:
>
>     iptables -t mangle -L
>     iptables -t filter -L
>     iptables -t nat -L
>
>
>
> iptables -t mangle -L
> =====================
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> WiFiDog_Outgoing  all  --  anywhere             anywhere
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> WiFiDog_Incoming  all  --  anywhere             anywhere
>
> Chain WiFiDog_Incoming (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             10.22.11.173
>
> Chain WiFiDog_Outgoing (1 references)
> target     prot opt source               destination
> MARK       all  --  10.22.11.173         anywhere            MAC 00:11:24:C2:92:76 MARK set 0x2
>
>
>
> iptables -t filter -L
> =====================
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> DROP       all  --  anywhere             anywhere            state INVALID
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> DROP       tcp  --  anywhere             anywhere            tcp option=!2 flags:SYN/SYN
> input_rule  all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     gre  --  anywhere             anywhere
> REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
> REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> DROP       all  --  anywhere             anywhere            state INVALID
> TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> forwarding_rule  all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> WiFiDog_WIFI2Internet  all  --  anywhere             anywhere
>
> Chain OUTPUT (policy DROP)
> target     prot opt source               destination
> DROP       all  --  anywhere             anywhere            state INVALID
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> output_rule  all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
> REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
>
> Chain WiFiDog_AuthServers (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             maxspot.de
>
> Chain WiFiDog_Global (1 references)
> target     prot opt source               destination
> ACCEPT     tcp  --  anywhere             85.10.198.114       tcp dpt:80
>
> Chain WiFiDog_Known (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
>
> Chain WiFiDog_Locked (1 references)
> target     prot opt source               destination
> REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
>
> Chain WiFiDog_Unknown (1 references)
> target     prot opt source               destination
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:53
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:53
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:67
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:67
> REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
>
> Chain WiFiDog_Validate (1 references)
> target     prot opt source               destination
> REJECT     tcp  --  anywhere             anywhere            tcp dpt:25 reject-with icmp-port-unreachable
> ACCEPT     all  --  anywhere             anywhere
>
> Chain WiFiDog_WIFI2Internet (1 references)
> target     prot opt source               destination
> WiFiDog_AuthServers  all  --  anywhere             anywhere
> WiFiDog_Locked  all  --  anywhere             anywhere            MARK match 0x254
> WiFiDog_Global  all  --  anywhere             anywhere
> WiFiDog_Validate  all  --  anywhere             anywhere            MARK match 0x1
> WiFiDog_Known  all  --  anywhere             anywhere            MARK match 0x2
> WiFiDog_Unknown  all  --  anywhere             anywhere
>
> Chain forwarding_rule (1 references)
> target     prot opt source               destination
>
> Chain input_rule (1 references)
> target     prot opt source               destination
>
> Chain output_rule (1 references)
> target     prot opt source               destination
>
>
>
> iptables -t nat -L
> ==================
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> prerouting_rule  all  --  anywhere             anywhere
> WiFiDog_Outgoing  all  --  anywhere             anywhere
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> postrouting_rule  all  --  anywhere             anywhere
> MASQUERADE  all  --  anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain WiFiDog_AuthServers (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             maxspot.de
>
> Chain WiFiDog_Outgoing (1 references)
> target     prot opt source               destination
> WiFiDog_WIFI2Router  all  --  anywhere             10.22.11.1
> WiFiDog_WIFI2Internet  all  --  anywhere             anywhere
>
> Chain WiFiDog_Unknown (1 references)
> target     prot opt source               destination
> WiFiDog_AuthServers  all  --  anywhere             anywhere
> REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:80 redir ports 2060
>
> Chain WiFiDog_WIFI2Internet (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere            MARK match 0x2
> ACCEPT     all  --  anywhere             anywhere            MARK match 0x1
> WiFiDog_Unknown  all  --  anywhere             anywhere
>
> Chain WiFiDog_WIFI2Router (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
>
> Chain postrouting_rule (1 references)
> target     prot opt source               destination
>
> Chain prerouting_rule (1 references)
> target     prot opt source               destination
>
>
>
> Regards, Max!
>
> Am 17.09.2005 um 19:38 schrieb kaouete:
>
>
>> Ok,
>>
>> so, after a few tests there is the results :
>>
>> i installed a fresh openwrt whiterussian rc3
>> then i installed wifidog, modified the wifidog.conf, restarted the
>> wrt.
>>
>> 1) without touching firewall script and cie :
>> S65wifidog is started after S45firewall :
>> if I try to connect to a website with a wifi client I get the
>> wifidog auth page
>> BUT I can anyway ssh to the net or any other port than 80.
>>
>> 2) now I mv S65wifidog to S41wifidog (so it is started before
>> S45firewall), I comment the iptables flushing tables and cie and
>> add a sleep 10 at the beginning of the file to be sure that
>> wifidog has the time to load all of its rules.
>>
>> with a wifi client if I connect to the net : I get the wifidog
>> auth portal
>> AND I can't access the net with anything without being authed
>> \o/
>>
>> conclusion : the openwrt out-of-box is not compatible with wifidog
>> for the moment. I think there should be a nicer way to fix it by
>> modifying wifidog rules .. .. or not :]
>>
>> kaouete
>>
>> On Thu, Sep 15, 2005 at 02:33:17PM +0200, kaouete wrote:
>>
>>
>>> ho, sorry :]
>>>
>>> Follow the link of the bug on sourceforge.
>>>
>>> For me the problem is that the openwrt firewall script breaks the
>>> iptables rules used by wifidog,
>>>
>>> but maybe it is working anyway, I will do more tests (and maybe other
>>> people too :) and will tell you if there are problems and if yes,
>>> what they are :]
>>>
>>> kaouete
>>>
>>> On Thu, Sep 15, 2005 at 02:17:54PM +0200, Max Horváth wrote:
>>>
>>>
>>>> Hey guys,
>>>>
>>>> I just those two words problem and firewall.
>>>>
>>>> As I can't read French, I'd like to ask you what kind of problem
>>>> exists and if you could translate it for me.
>>>>
>>>> Thanks and cheers, Max!
>>>>
>>>> Am 15.09.2005 um 13:16 schrieb kaouete:
>>>>
>>>>
>>>>
>>>>> OK, then I'll do some tests and I'll tell you what I find.
>>>>>
>>>>> kaouete
>>>>>
>>>>> On Thu, Sep 15, 2005 at 07:08:25AM -0400, Philippe April wrote:
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> Actually, I just reread the bug report, and my answer about bad
>>>>>> iptables may not apply 100%; the author seems to say it's really
>>>>>> an ordering problem.
>>>>>>
>>>>>> That being said, the more feedback we get from outside people, the
>>>>>> better we'll know whether everything is fine now :)
>>>>>>
>>>>>> Keep us posted!
>>>>>>
>>>>>> Philippe April
>>>>>> GnuPG http://key.philippeapril.com
>>>>>>
>>>>>> On 15-Sep-05, at 6:54 AM, kaouete wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> On that subject, and related to this bug:
>>>>>>> https://sourceforge.net/tracker/index.php?func=detail&aid=1210428&group_id=102646&atid=632424
>>>>>>>
>>>>>>> is this problem fixed with whiterussian?
>>>>>>>
>>>>>>> (and there are also other bugs reported, by the way :)
>>>>>>>
>>>>>>> kaouete
>>>>>>>
>>>>>>> On Wed, Sep 14, 2005 at 10:54:46PM -0400, Philippe April wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> Let's say that lately I've gotten more up to date, and ISF will
>>>>>>>> now start using OpenWrt Whiterussian.
>>>>>>>>
>>>>>>>> Which means we have a package compiled for whiterussian and
>>>>>>>> we're going to keep it up to date!
>>>>>>>>
>>>>>>>> So, this image (which actually comes from the openwrt site):
>>>>>>>> http://www.ilesansfil.org/dist/wifidog/bin/openwrt/whiterussian-rc2/openwrt-wrt54g-squashfs.bin
>>>>>>>>
>>>>>>>> and this package:
>>>>>>>>
>>>>>>>> http://www.ilesansfil.org/dist/wifidog/bin/openwrt/whiterussian-rc2/packages/wifidog_1.1.2-1_mipsel.ipk
>>>>>>>>
>>>>>>>> Both should work perfectly! And it should install all the
>>>>>>>> dependencies.
>>>>>>>>
>>>>>>>> Important: you must use /etc/init.d/S65wifidog (or
>>>>>>>> wifidog-init start) to start wifidog so that it loads the
>>>>>>>> kernel modules wifidog depends on.
>>>>>>>>
>>>>>>>> The openwrt image is for a WRT54G, not a WRT54GS; for the S,
>>>>>>>> it can be found at the same link or on the openwrt site.
>>>>>>>>
>>>>>>>> Keep us posted!
>>>>>>>>
>>>>>>>> Philippe April
>>>>>>>> GnuPG http://key.philippeapril.com
>>>>>>>>
>>>>>>>> On 14-Sep-05, at 9:58 PM, Loïc DEVAUX wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I just finished installing the auth server, which went
>>>>>>>>> wonderfully on a Debian sarge; thanks for your magnificent
>>>>>>>>> work.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> However, I'm having problems installing the wifidog client
>>>>>>>>> on a WRT54G.
>>>>>>>>>
>>>>>>>>> Which version of openwrt and which version of wifidog should
>>>>>>>>> I use to avoid problems?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thanks in advance for your reply.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Loïc DEVAUX
>>>>>>>>>
>>>>>>>>> 10 rue des mésanges
>>>>>>>>>
>>>>>>>>> 63170 AUBIERE France
>>>>>>>>>
>>>>>>>>> (: (+33) 6 63 69 76 09
>>>>>>>>>
>>>>>>>>> *: loic.devaux99 at laposte.net
>>>>>>>>>
>>>>>>>>> Skype : mioz963
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> WiFiDog mailing list
>>>>>>>>> WiFiDog at listes.ilesansfil.org
>>>>>>>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>
>>
>>
>>
>>
>>>
>>>
>>
>
>
>
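The listing Max posted explains the symptom he reports (every port except 80 reachable without authenticating): in the filter table's FORWARD chain, OpenWrt's own unconditional `ACCEPT all -- anywhere anywhere` rules sit before the jump to `WiFiDog_WIFI2Internet`, so a forwarded packet is accepted before WiFiDog's mark-based dispatch is ever consulted. Only port 80 is still caught, because the nat-table `REDIRECT ... dpt:80` in PREROUTING runs before filtering, which is also why reordering the init scripts (kaouete's S41wifidog test) changes the outcome. The script below is an added example, not code from this thread or from the WiFiDog project: it audits an `iptables -t filter -L` listing for exactly that ordering problem, using constructed samples modelled on the listing above. The function names, the embedded samples and the handling of `0.0.0.0/0` (what `-n` prints instead of `anywhere`) are my assumptions.

```shell
#!/bin/sh
# Added example: flag unconditional ACCEPT rules that precede the
# WiFiDog_WIFI2Internet jump in the FORWARD chain of a filter-table listing.

# Constructed sample, shaped like the broken FORWARD chain in the thread.
SAMPLE_FORWARD_BROKEN='Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
WiFiDog_WIFI2Internet  all  --  anywhere             anywhere
'

# Constructed sample of the order a captive portal needs: the WiFiDog jump
# comes before the distribution's blanket ACCEPT.
SAMPLE_FORWARD_FIXED='Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
WiFiDog_WIFI2Internet  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
'

# audit_forward_chain: reads an `iptables -t filter -L` (or -L -n) listing on
# stdin. For every ACCEPT in FORWARD that has no match clause at all
# (only target/prot/opt/source/destination, all wildcards) and that comes
# before the WiFiDog_WIFI2Internet jump, prints its 1-based position within
# the chain; the last output line is the verdict, BYPASS or OK.
audit_forward_chain() {
  awk '
    /^Chain /  { chain = $2; next }      # "Chain FORWARD (policy DROP)"
    /^target / { next }                  # column header line
    chain != "FORWARD" || NF == 0 { next }
    { pos++ }                            # rule position within FORWARD
    $1 == "WiFiDog_WIFI2Internet" { seen_dog = 1; next }
    !seen_dog && $1 == "ACCEPT" && NF == 5 && $2 == "all" \
      && ($4 == "anywhere" || $4 == "0.0.0.0/0") \
      && ($5 == "anywhere" || $5 == "0.0.0.0/0") {
        printf "unconditional ACCEPT at FORWARD rule %d precedes WiFiDog_WIFI2Internet\n", pos
        bypass = 1
    }
    END { print (bypass ? "BYPASS" : "OK") }
  '
}

# forward_verdict: convenience wrapper returning only the verdict line for
# a listing passed as a string.
forward_verdict() {
  printf '%s' "$1" | audit_forward_chain | tail -n 1
}

# Demonstration on the constructed samples. On a router the same check is
# (hypothetically) run as:  iptables -t filter -L | audit_forward_chain
printf '%s' "$SAMPLE_FORWARD_BROKEN" | audit_forward_chain
printf '%s' "$SAMPLE_FORWARD_FIXED" | audit_forward_chain
```

The check deliberately ignores ACCEPTs that carry a match clause (`state RELATED,ESTABLISHED`, a MARK match, a port), since those are what a captive portal relies on; only a blanket accept ahead of the portal's chain turns the portal into an HTTP-only nuisance rather than an access control.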
