[isf-wifidog] WRT54G firewalling problem
kaouete
kaouete at crazydwarves.org
Fri 7 Oct 03:48:12 EDT 2005
It was my idea to rename it to S42 and to add a sleep 10 at the
beginning of the firewall script.
You have to comment out the 4 lines after the CLEAR TABLE comment too;
that is why the tables you listed are empty or so.
After that, it is just a trick to fix the problem.
kaouete
On Fri, Oct 07, 2005 at 02:58:15AM +0200, Max Horváth wrote:
> Hi,
>
> I still have problems regarding the WifiDog gateway ...
>
> Installing the CVS version in OpenWRT, I can access every port but
> port 80 without authenticating.
>
> Doing it the way you described (renaming to S42wifidog) and adding
> sleep 10 to S45firewall doesn't work. It's like WifiDog wouldn't run.
> So which lines do I have to comment out in S45firewall?
>
> Nonetheless - Philippe: do you know why this happens? Or why
> doesn't it happen at ISF? How did you split LAN and WiFi exactly?
>
> To answer another question: these are the results when running the
> following commands:
>
> iptables -t mangle -L
> iptables -t filter -L
> iptables -t nat -L
>
> iptables -t mangle -L
> =====================
> Chain PREROUTING (policy ACCEPT)
> target            prot opt source        destination
> WiFiDog_Outgoing  all  --  anywhere      anywhere
>
> Chain INPUT (policy ACCEPT)
> target            prot opt source        destination
>
> Chain FORWARD (policy ACCEPT)
> target            prot opt source        destination
>
> Chain OUTPUT (policy ACCEPT)
> target            prot opt source        destination
>
> Chain POSTROUTING (policy ACCEPT)
> target            prot opt source        destination
> WiFiDog_Incoming  all  --  anywhere      anywhere
>
> Chain WiFiDog_Incoming (1 references)
> target            prot opt source        destination
> ACCEPT            all  --  anywhere      10.22.11.173
>
> Chain WiFiDog_Outgoing (1 references)
> target            prot opt source        destination
> MARK              all  --  10.22.11.173  anywhere      MAC 00:11:24:C2:92:76 MARK set 0x2
>
>
> iptables -t filter -L
> =====================
> Chain INPUT (policy DROP)
> target            prot opt source        destination
> DROP              all  --  anywhere      anywhere      state INVALID
> ACCEPT            all  --  anywhere      anywhere      state RELATED,ESTABLISHED
> DROP              tcp  --  anywhere      anywhere      tcp option=!2 flags:SYN/SYN
> input_rule        all  --  anywhere      anywhere
> ACCEPT            all  --  anywhere      anywhere
> ACCEPT            icmp --  anywhere      anywhere
> ACCEPT            gre  --  anywhere      anywhere
> REJECT            tcp  --  anywhere      anywhere      reject-with tcp-reset
> REJECT            all  --  anywhere      anywhere      reject-with icmp-port-unreachable
>
> Chain FORWARD (policy DROP)
> target            prot opt source        destination
> DROP              all  --  anywhere      anywhere      state INVALID
> TCPMSS            tcp  --  anywhere      anywhere      tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
> ACCEPT            all  --  anywhere      anywhere      state RELATED,ESTABLISHED
> forwarding_rule   all  --  anywhere      anywhere
> ACCEPT            all  --  anywhere      anywhere
> ACCEPT            all  --  anywhere      anywhere
> WiFiDog_WIFI2Internet  all  --  anywhere  anywhere
>
> Chain OUTPUT (policy DROP)
> target            prot opt source        destination
> DROP              all  --  anywhere      anywhere      state INVALID
> ACCEPT            all  --  anywhere      anywhere      state RELATED,ESTABLISHED
> output_rule       all  --  anywhere      anywhere
> ACCEPT            all  --  anywhere      anywhere
> REJECT            tcp  --  anywhere      anywhere      reject-with tcp-reset
> REJECT            all  --  anywhere      anywhere      reject-with icmp-port-unreachable
>
> Chain WiFiDog_AuthServers (1 references)
> target            prot opt source        destination
> ACCEPT            all  --  anywhere      maxspot.de
>
> Chain WiFiDog_Global (1 references)
> target            prot opt source        destination
> ACCEPT            tcp  --  anywhere      85.10.198.114 tcp dpt:80
>
> Chain WiFiDog_Known (1 references)
> target            prot opt source        destination
> ACCEPT            all  --  anywhere      anywhere
>
> Chain WiFiDog_Locked (1 references)
> target            prot opt source        destination
> REJECT            all  --  anywhere      anywhere      reject-with icmp-port-unreachable
>
> Chain WiFiDog_Unknown (1 references)
> target            prot opt source        destination
> ACCEPT            udp  --  anywhere      anywhere      udp dpt:53
> ACCEPT            tcp  --  anywhere      anywhere      tcp dpt:53
> ACCEPT            udp  --  anywhere      anywhere      udp dpt:67
> ACCEPT            tcp  --  anywhere      anywhere      tcp dpt:67
> REJECT            all  --  anywhere      anywhere      reject-with icmp-port-unreachable
>
> Chain WiFiDog_Validate (1 references)
> target            prot opt source        destination
> REJECT            tcp  --  anywhere      anywhere      tcp dpt:25 reject-with icmp-port-unreachable
> ACCEPT            all  --  anywhere      anywhere
>
> Chain WiFiDog_WIFI2Internet (1 references)
> target            prot opt source        destination
> WiFiDog_AuthServers  all  --  anywhere   anywhere
> WiFiDog_Locked    all  --  anywhere      anywhere      MARK match 0x254
> WiFiDog_Global    all  --  anywhere      anywhere
> WiFiDog_Validate  all  --  anywhere      anywhere      MARK match 0x1
> WiFiDog_Known     all  --  anywhere      anywhere      MARK match 0x2
> WiFiDog_Unknown   all  --  anywhere      anywhere
>
> Chain forwarding_rule (1 references)
> target            prot opt source        destination
>
> Chain input_rule (1 references)
> target            prot opt source        destination
>
> Chain output_rule (1 references)
> target            prot opt source        destination
>
>
> iptables -t nat -L
> ==================
> Chain PREROUTING (policy ACCEPT)
> target            prot opt source        destination
> prerouting_rule   all  --  anywhere      anywhere
> WiFiDog_Outgoing  all  --  anywhere      anywhere
>
> Chain POSTROUTING (policy ACCEPT)
> target            prot opt source        destination
> postrouting_rule  all  --  anywhere      anywhere
> MASQUERADE        all  --  anywhere      anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target            prot opt source        destination
>
> Chain WiFiDog_AuthServers (1 references)
> target            prot opt source        destination
> ACCEPT            all  --  anywhere      maxspot.de
>
> Chain WiFiDog_Outgoing (1 references)
> target            prot opt source        destination
> WiFiDog_WIFI2Router    all  --  anywhere 10.22.11.1
> WiFiDog_WIFI2Internet  all  --  anywhere anywhere
>
> Chain WiFiDog_Unknown (1 references)
> target            prot opt source        destination
> WiFiDog_AuthServers  all  --  anywhere   anywhere
> REDIRECT          tcp  --  anywhere      anywhere      tcp dpt:80 redir ports 2060
>
> Chain WiFiDog_WIFI2Internet (1 references)
> target            prot opt source        destination
> ACCEPT            all  --  anywhere      anywhere      MARK match 0x2
> ACCEPT            all  --  anywhere      anywhere      MARK match 0x1
> WiFiDog_Unknown   all  --  anywhere      anywhere
>
> Chain WiFiDog_WIFI2Router (1 references)
> target            prot opt source        destination
> ACCEPT            all  --  anywhere      anywhere
>
> Chain postrouting_rule (1 references)
> target            prot opt source        destination
>
> Chain prerouting_rule (1 references)
> target            prot opt source        destination
>
> Regards, Max!
>
> On 17.09.2005 at 19:38, kaouete wrote:
>
> >Ok,
> >
> >so, after a few tests, here are the results:
> >
> >I installed a fresh openwrt whiterussian rc3,
> >then I installed wifidog, modified the wifidog.conf, restarted the
> >wrt.
> >
> >1) without touching the firewall script and co.:
> >S65wifidog is started after S45firewall:
> >if I try to connect to a website with a wifi client I get the
> >wifidog auth page
> >BUT I can anyway ssh to the net or use any other port than 80.
> >
> >2) now I mv S65wifidog to S41wifidog (so it is started before
> >S45firewall), I comment out the iptables table flushing and co. and
> >add a sleep 10 at the beginning of the file to be sure that
> >wifidog has the time to load all of its rules.
> >
> >with a wifi client, if I connect to the net: I get the wifidog
> >auth portal
> >AND I can't access the net with anything without being authed
> >\o/
> >
> >conclusion: the openwrt out-of-box is not compatible with wifidog
> >for the moment. I think there should be a nicer way to fix it by
> >modifying wifidog rules .. .. or not :]
> >
> >kaouete
> >
> >On Thu, Sep 15, 2005 at 02:33:17PM +0200, kaouete wrote:
> >
> >>oh, sorry :]
> >>
> >>Follow the link to the bug on sourceforge.
> >>
> >>For me the problem is that the openwrt firewall script breaks the
> >>iptables rules used by wifidog,
> >>
> >>but maybe it is working anyway; I will do more tests (and maybe other
> >>people too :) and will tell you if there are problems and, if yes,
> >>what they are :]
> >>
> >>kaouete
> >>
> >>On Thu, Sep 15, 2005 at 02:17:54PM +0200, Max Horváth wrote:
> >>
> >>>Hey guys,
> >>>
> >>>I just caught those two words, problem and firewall.
> >>>
> >>>As I can't read French, I'd like to ask you what kind of problem
> >>>exists and if you could translate it for me.
> >>>
> >>>Thanks and cheers, Max!
> >>>
> >>>On 15.09.2005 at 13:16, kaouete wrote:
> >>>
> >>>
> >>>>OK, then I'll run some tests and tell you what I have
> >>>>found.
> >>>>
> >>>>kaouete
> >>>>
> >>>>On Thu, Sep 15, 2005 at 07:08:25AM -0400, Philippe April wrote:
> >>>>
> >>>>
> >>>>>Actually, I have just re-read the bug report and my answer about
> >>>>>bad iptables rules may not apply 100%; the author seems to be
> >>>>>saying that it really is an ordering problem.
> >>>>>
> >>>>>That said, the more feedback we get from outside people, the
> >>>>>better we will know whether everything is fine now :)
> >>>>>
> >>>>>Keep us posted!
> >>>>>
> >>>>>Philippe April
> >>>>>GnuPG http://key.philippeapril.com
> >>>>>
> >>>>>On 15-Sep-05, at 6:54 AM, kaouete wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>>>On that subject, and related to this bug:
> >>>>>>https://sourceforge.net/tracker/index.php?func=detail&aid=1210428&group_id=102646&atid=632424
> >>>>>>
> >>>>>>is this problem fixed with whiterussian?
> >>>>>>
> >>>>>>(and there are other bugs reported too, by the way :)
> >>>>>>
> >>>>>>kaouete
> >>>>>>
> >>>>>>On Wed, Sep 14, 2005 at 10:54:46PM -0400, Philippe April wrote:
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>>Let's say that lately I have brought things more up to date, and
> >>>>>>>ISF is now going to start using OpenWrt Whiterussian.
> >>>>>>>
> >>>>>>>Which means that we have a package compiled for whiterussian
> >>>>>>>and that we will keep it up to date!
> >>>>>>>
> >>>>>>>So, this image (which actually comes from the openwrt site):
> >>>>>>>http://www.ilesansfil.org/dist/wifidog/bin/openwrt/whiterussian-rc2/openwrt-wrt54g-squashfs.bin
> >>>>>>>
> >>>>>>>and this package:
> >>>>>>>
> >>>>>>>http://www.ilesansfil.org/dist/wifidog/bin/openwrt/whiterussian-rc2/packages/wifidog_1.1.2-1_mipsel.ipk
> >>>>>>>
> >>>>>>>Both should work perfectly! And it should install all the
> >>>>>>>dependencies.
> >>>>>>>
> >>>>>>>Important point: you have to use /etc/init.d/S65wifidog (or
> >>>>>>>wifidog-init start) to start wifidog so that it loads the kernel
> >>>>>>>modules wifidog depends on.
> >>>>>>>
> >>>>>>>The openwrt image is for a WRT54G and not a WRT54GS; for the GS
> >>>>>>>you can find it at the same link, or on the openwrt site.
> >>>>>>>
> >>>>>>>Keep us posted!
> >>>>>>>
> >>>>>>>Philippe April
> >>>>>>>GnuPG http://key.philippeapril.com
> >>>>>>>
> >>>>>>>On 14-Sep-05, at 9:58 PM, Loïc DEVAUX wrote:
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>>Hi,
> >>>>>>>>
> >>>>>>>>I have just finished installing the auth server, which went
> >>>>>>>>perfectly on a Debian sarge; thank you for your magnificent
> >>>>>>>>work.
> >>>>>>>>
> >>>>>>>>But I have problems installing the wifidog client on a WRT54G.
> >>>>>>>>
> >>>>>>>>Which version of openwrt and which version of wifidog should I
> >>>>>>>>use to avoid problems?
> >>>>>>>>
> >>>>>>>>Thanks in advance for your reply.
> >>>>>>>>
> >>>>>>>>Loïc DEVAUX
> >>>>>>>>10 rue des mésanges
> >>>>>>>>63170 AUBIERE France
> >>>>>>>>Tel: (+33) 6 63 69 76 09
> >>>>>>>>E-mail: loic.devaux99 at laposte.net
> >>>>>>>>Skype : mioz963
> >>>>>>>>_______________________________________________
> >>>>>>>>WiFiDog mailing list
> >>>>>>>>WiFiDog at listes.ilesansfil.org
> >>>>>>>>http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
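The filter listing Max posted already shows why every port except 80 leaks through. An unknown client's port-80 traffic is caught in the nat table (WiFiDog_Unknown REDIRECTs dpt:80 to the local port 2060) and never forwarded; everything else goes to the filter FORWARD chain, where OpenWRT's two unconditional ACCEPT rules (positions 5 and 6) come before the WiFiDog_WIFI2Internet jump (position 7), so WiFiDog's REJECT for unauthenticated clients is never reached. The script below is an added example, not code from the thread or from the WiFiDog project: it reads a saved `iptables -t filter -L` dump and reports whether a blanket ACCEPT precedes the WiFiDog jump in FORWARD, or whether the jump is missing altogether (the symptom after S45firewall has flushed the tables). The embedded dumps are constructed: the first is Max's FORWARD chain with the wrapped rows joined, the second is the order expected once wifidog installs its rules before the firewall script runs. The function name is my own.

```sh
#!/bin/sh
# Added example, not from the thread. Audits the FORWARD chain of an
# `iptables -t filter -L` dump for the ordering that leaks traffic past
# WiFiDog: an unconditional ACCEPT ahead of the WiFiDog_WIFI2Internet jump.

# Constructed sample 1: the FORWARD chain from Max's listing, rows re-joined.
SAMPLE_FORWARD='Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
WiFiDog_WIFI2Internet  all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
'

# Constructed sample 2: the order expected when wifidog appends its jump
# first and S45firewall (without its flush) appends its rules afterwards.
SAMPLE_FIXED='Chain FORWARD (policy DROP)
target     prot opt source               destination
WiFiDog_WIFI2Internet  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
'

# audit_forward_chain LISTING
# Prints "OPEN <n>"   when rule n is an unconditional ACCEPT (proto "all",
#                     no state/mark/port match) placed before the WiFiDog jump,
#        "CLOSED <n>" when the WiFiDog_WIFI2Internet jump at rule n is
#                     consulted before any blanket ACCEPT,
#        "MISSING"    when FORWARD carries no WiFiDog jump at all.
audit_forward_chain() {
    printf '%s\n' "$1" | awk '
        /^Chain FORWARD / { in_chain = 1; n = 0; next }
        /^Chain /         { in_chain = 0 }
        !in_chain         { next }
        /^target /        { next }
        NF == 0           { next }
        {
            n++
            if ($1 == "WiFiDog_WIFI2Internet") { jump = n; exit }
            # ACCEPT, proto all, and nothing beyond the destination column
            # means the rule matches every forwarded packet.
            if ($1 == "ACCEPT" && $2 == "all" && NF == 5 && !open) open = n
        }
        END {
            if (!jump)     print "MISSING"
            else if (open) print "OPEN " open
            else           print "CLOSED " jump
        }'
}

# On a router, feed the live dump instead of the samples:
#   audit_forward_chain "$(iptables -t filter -L FORWARD)"
audit_forward_chain "$SAMPLE_FORWARD"   # Max's box: OPEN 5
audit_forward_chain "$SAMPLE_FIXED"     # after the workaround: CLOSED 1
```

The check only looks at the filter table; the nat REDIRECT for port 80 is what makes the captive portal appear to work even while the FORWARD chain is wide open, which is exactly the combination reported in the thread.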
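kaouete's workaround, as an added example rather than the thread's or the project's own code: start wifidog before the firewall script (S65wifidog renamed to S42wifidog), give it time to install its rules (sleep 10 at the top of S45firewall), and comment out the four lines under the CLEAR TABLES comment so S45firewall no longer flushes the filter and nat tables wifidog just populated. The S45firewall text the script edits is a constructed stand-in; the assumption, consistent with "the 4 lines after the CLEAR TABLE comment", is that the flush is a four-line `for` loop over the filter and nat tables under a `## CLEAR TABLES` comment. Read the real script before pointing this at /etc/init.d; the example only ever touches a temporary copy, and the function names are my own.

```sh
#!/bin/sh
# Added example, not from the thread. Applies the init-order workaround to
# a copy of an OpenWRT White Russian init directory.

# Builds a throwaway init dir with a constructed S45firewall fragment
# (assumed layout of the flush block) and a one-line S65wifidog.
make_sample_initdir() {
    dir=$(mktemp -d)
    cat > "$dir/S45firewall" <<'EOF'
#!/bin/sh
. /etc/functions.sh
WAN=$(nvram get wan_ifname)

## CLEAR TABLES
for T in filter nat; do
  iptables -t $T -F
  iptables -t $T -X
done

iptables -N forwarding_rule
EOF
    printf '#!/bin/sh\n/usr/bin/wifidog-init start\n' > "$dir/S65wifidog"
    printf '%s\n' "$dir"
}

# apply_wifidog_order_fix INITDIR
# 1) S65wifidog -> S42wifidog so wifidog starts before S45firewall,
# 2) "sleep 10" right after the shebang of S45firewall,
# 3) the 4 lines following the CLEAR TABLES comment commented out.
apply_wifidog_order_fix() {
    initdir=$1
    fw="$initdir/S45firewall"
    [ -f "$fw" ] || return 1
    [ -f "$initdir/S65wifidog" ] || return 1

    mv "$initdir/S65wifidog" "$initdir/S42wifidog"

    awk '
        NR == 1 {
            if (/^#!/) { print; print "sleep 10" } else { print "sleep 10"; print }
            next
        }
        /CLEAR TABLES/ { print; hold = 4; next }
        hold > 0       { print "#" $0; hold--; next }
        { print }
    ' "$fw" > "$fw.new" && mv "$fw.new" "$fw"
    chmod 755 "$fw" "$initdir/S42wifidog"
}

# verify_fix INITDIR: prints "ok" when every step of the workaround landed
# (rename done, sleep on line 2, both flush commands commented, none live).
verify_fix() {
    initdir=$1
    fw="$initdir/S45firewall"
    [ -f "$initdir/S42wifidog" ] && [ ! -f "$initdir/S65wifidog" ] &&
    [ "$(sed -n 2p "$fw")" = "sleep 10" ] &&
    [ "$(grep -c '^#.*iptables -t \$T -[FX]' "$fw")" = 2 ] &&
    ! grep -q '^[^#]*iptables -t \$T -[FX]' "$fw" &&
    echo ok
}

d=$(make_sample_initdir)
apply_wifidog_order_fix "$d"
verify_fix "$d"          # prints: ok
cat "$d/S45firewall"     # show the edited script
rm -rf "$d"
```

Two caveats follow directly from what the workaround does. With the flush commented out, running S45firewall a second time appends a duplicate of every rule instead of rebuilding the tables, so reboot rather than restart it. And the sleep is a race, not a dependency: a wifidog that takes longer than 10 seconds to bring its rules up still loses to the firewall script, which is why kaouete calls it a trick rather than a fix.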