Re: [isf-wifidog] WRT54G firewalling problem

Philippe April isf_lists at philippeapril.com
Fri 7 Oct 09:18:24 EDT 2005


I'd love to see the output of starting in debug mode anyway, because
it works flawlessly at home on RC3.

I do not consider a sleep 10 a fix, even temporarily!!

Philippe April
GnuPG http://key.philippeapril.com

On 7-Oct-05, at 3:48 AM, kaouete wrote:

> it was my idea to rename to S42 and to add a sleep 10 at
> the beginning of firewall.
>
> You have to comment out the 4 lines after the CLEAR TABLE comment too;
> that is why the tables you listed are empty or so.
>
> After that, it is just a trick to fix the problem.
>
> kaouete
>
> On Fri, Oct 07, 2005 at 02:58:15AM +0200, Max Horváth wrote:
>
>> Hi,
>>
>> I still have problems regarding the WifiDog gateway ...
>>
>> Installing the CVS version in OpenWRT, I can access every port but
>> port 80 without authenticating.
>>
>> Doing it the way you described (renaming to S42wifidog) and adding
>> sleep 10 to S45firewall doesn't work. It's as if WifiDog weren't running.
>> So which lines do I have to comment out in S45firewall?
>>
>> Nonetheless, Philippe: do you know why this happens? Or why it
>> doesn't happen at ISF? How did you split LAN and WiFi exactly?
>>
>> To answer another question: these are the results when running the
>> following commands:
>>
>>     iptables -t mangle -L
>>     iptables -t filter -L
>>     iptables -t nat -L
>>
>>
>>
>> iptables -t mangle -L
>> =====================
>> Chain PREROUTING (policy ACCEPT)
>> target     prot opt source               destination
>> WiFiDog_Outgoing  all  --  anywhere             anywhere
>>
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain POSTROUTING (policy ACCEPT)
>> target     prot opt source               destination
>> WiFiDog_Incoming  all  --  anywhere             anywhere
>>
>> Chain WiFiDog_Incoming (1 references)
>> target     prot opt source               destination
>> ACCEPT     all  --  anywhere             10.22.11.173
>>
>> Chain WiFiDog_Outgoing (1 references)
>> target     prot opt source               destination
>> MARK       all  --  10.22.11.173         anywhere            MAC 00:11:24:C2:92:76 MARK set 0x2
>>
>>
>>
>> iptables -t filter -L
>> =====================
>> Chain INPUT (policy DROP)
>> target     prot opt source               destination
>> DROP       all  --  anywhere             anywhere            state INVALID
>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>> DROP       tcp  --  anywhere             anywhere            tcp option=!2 flags:SYN/SYN
>> input_rule  all  --  anywhere             anywhere
>> ACCEPT     all  --  anywhere             anywhere
>> ACCEPT     icmp --  anywhere             anywhere
>> ACCEPT     gre  --  anywhere             anywhere
>> REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
>> REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
>>
>> Chain FORWARD (policy DROP)
>> target     prot opt source               destination
>> DROP       all  --  anywhere             anywhere            state INVALID
>> TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>> forwarding_rule  all  --  anywhere             anywhere
>> ACCEPT     all  --  anywhere             anywhere
>> ACCEPT     all  --  anywhere             anywhere
>> WiFiDog_WIFI2Internet  all  --  anywhere             anywhere
>>
>> Chain OUTPUT (policy DROP)
>> target     prot opt source               destination
>> DROP       all  --  anywhere             anywhere            state INVALID
>> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
>> output_rule  all  --  anywhere             anywhere
>> ACCEPT     all  --  anywhere             anywhere
>> REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
>> REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
>>
>> Chain WiFiDog_AuthServers (1 references)
>> target     prot opt source               destination
>> ACCEPT     all  --  anywhere             maxspot.de
>>
>> Chain WiFiDog_Global (1 references)
>> target     prot opt source               destination
>> ACCEPT     tcp  --  anywhere             85.10.198.114       tcp dpt:80
>>
>> Chain WiFiDog_Known (1 references)
>> target     prot opt source               destination
>> ACCEPT     all  --  anywhere             anywhere
>>
>> Chain WiFiDog_Locked (1 references)
>> target     prot opt source               destination
>> REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
>>
>> Chain WiFiDog_Unknown (1 references)
>> target     prot opt source               destination
>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:53
>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:53
>> ACCEPT     udp  --  anywhere             anywhere            udp dpt:67
>> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:67
>> REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
>>
>> Chain WiFiDog_Validate (1 references)
>> target     prot opt source               destination
>> REJECT     tcp  --  anywhere             anywhere            tcp dpt:25 reject-with icmp-port-unreachable
>> ACCEPT     all  --  anywhere             anywhere
>>
>> Chain WiFiDog_WIFI2Internet (1 references)
>> target     prot opt source               destination
>> WiFiDog_AuthServers  all  --  anywhere             anywhere
>> WiFiDog_Locked  all  --  anywhere             anywhere            MARK match 0x254
>> WiFiDog_Global  all  --  anywhere             anywhere
>> WiFiDog_Validate  all  --  anywhere             anywhere            MARK match 0x1
>> WiFiDog_Known  all  --  anywhere             anywhere            MARK match 0x2
>> WiFiDog_Unknown  all  --  anywhere             anywhere
>>
>> Chain forwarding_rule (1 references)
>> target     prot opt source               destination
>>
>> Chain input_rule (1 references)
>> target     prot opt source               destination
>>
>> Chain output_rule (1 references)
>> target     prot opt source               destination
>>
>>
>>
>> iptables -t nat -L
>> ==================
>> Chain PREROUTING (policy ACCEPT)
>> target     prot opt source               destination
>> prerouting_rule  all  --  anywhere             anywhere
>> WiFiDog_Outgoing  all  --  anywhere             anywhere
>>
>> Chain POSTROUTING (policy ACCEPT)
>> target     prot opt source               destination
>> postrouting_rule  all  --  anywhere             anywhere
>> MASQUERADE  all  --  anywhere             anywhere
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain WiFiDog_AuthServers (1 references)
>> target     prot opt source               destination
>> ACCEPT     all  --  anywhere             maxspot.de
>>
>> Chain WiFiDog_Outgoing (1 references)
>> target     prot opt source               destination
>> WiFiDog_WIFI2Router  all  --  anywhere             10.22.11.1
>> WiFiDog_WIFI2Internet  all  --  anywhere             anywhere
>>
>> Chain WiFiDog_Unknown (1 references)
>> target     prot opt source               destination
>> WiFiDog_AuthServers  all  --  anywhere             anywhere
>> REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:80 redir ports 2060
>>
>> Chain WiFiDog_WIFI2Internet (1 references)
>> target     prot opt source               destination
>> ACCEPT     all  --  anywhere             anywhere            MARK match 0x2
>> ACCEPT     all  --  anywhere             anywhere            MARK match 0x1
>> WiFiDog_Unknown  all  --  anywhere             anywhere
>>
>> Chain WiFiDog_WIFI2Router (1 references)
>> target     prot opt source               destination
>> ACCEPT     all  --  anywhere             anywhere
>>
>> Chain postrouting_rule (1 references)
>> target     prot opt source               destination
>>
>> Chain prerouting_rule (1 references)
>> target     prot opt source               destination
>>
>>
>>
>> Regards, Max!
>>
>> On 17.09.2005 at 19:38, kaouete wrote:
>>
>>
>>> Ok,
>>>
>>> so, after a few tests here are the results:
>>>
>>> I installed a fresh openwrt whiterussian rc3,
>>> then I installed wifidog, modified the wifidog.conf, restarted the
>>> wrt.
>>>
>>> 1) without touching the firewall script and the like:
>>> S65wifidog is started after S45firewall:
>>> if I try to connect to a website with a wifi client I get the
>>> wifidog auth page
>>> BUT I can anyway ssh to the net or any other port than 80.
>>>
>>> 2) now I mv S65wifidog to S41wifidog (so it is started before
>>> S45firewall), I comment out the iptables table flushing and the like,
>>> and add a sleep 10 at the beginning of the file to be sure that
>>> wifidog has the time to load all of its rules.
>>>
>>> with a wifi client if I connect to the net: I get the wifidog
>>> auth portal
>>> AND I can't access the net with anything without being authed
>>> \o/
>>>
>>> conclusion: the openwrt out-of-box is not compatible with wifidog
>>> for the moment. I think there should be a nicer way to fix it by
>>> modifying wifidog rules .. .. or not :]
>>>
>>> kaouete
>>>
>>> On Thu, Sep 15, 2005 at 02:33:17PM +0200, kaouete wrote:
>>>
>>>
>>>> ho, sorry :]
>>>>
>>>> Follow the link to the bug on sourceforge.
>>>>
>>>> For me the problem is that the openwrt firewall script breaks the
>>>> iptables rules used by wifidog,
>>>>
>>>> but maybe it is working anyway, I will do more tests (and maybe other
>>>> people too :) and will tell you if there are problems and if yes,
>>>> what they are :]
>>>>
>>>> kaouete
>>>>
>>>> On Thu, Sep 15, 2005 at 02:17:54PM +0200, Max Horváth wrote:
>>>>
>>>>
>>>>> Hey guys,
>>>>>
>>>>> I just saw those two words, problem and firewall.
>>>>>
>>>>> As I can't read French, I'd like to ask you what kind of problem
>>>>> exists and if you could translate it for me.
>>>>>
>>>>> Thanks and cheers, Max!
>>>>>
>>>>> On 15.09.2005 at 13:16, kaouete wrote:
>>>>>
>>>>>
>>>>>
>>>>>> OK, then I'll run some tests and tell you what I find.
>>>>>>
>>>>>> kaouete
>>>>>>
>>>>>> On Thu, Sep 15, 2005 at 07:08:25AM -0400, Philippe April wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> Actually, I just re-read the bug report, and my answer about
>>>>>>> bad iptables may not apply 100%; the author seems to be saying
>>>>>>> that it really is an ordering problem.
>>>>>>>
>>>>>>> That said, the more feedback we get from outside people, the
>>>>>>> better we'll know whether everything is fine now :)
>>>>>>>
>>>>>>> Keep us posted!
>>>>>>>
>>>>>>> Philippe April
>>>>>>> GnuPG http://key.philippeapril.com
>>>>>>>
>>>>>>> On 15-Sep-05, at 6:54 AM, kaouete wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> On that subject, and in connection with this bug:
>>>>>>>> https://sourceforge.net/tracker/index.php?func=detail&aid=1210428&group_id=102646&atid=632424
>>>>>>>>
>>>>>>>> is this problem fixed with whiterussian?
>>>>>>>>
>>>>>>>> (and there are also other bugs reported, by the way :)
>>>>>>>>
>>>>>>>> kaouete
>>>>>>>>
>>>>>>>> On Wed, Sep 14, 2005 at 10:54:46PM -0400, Philippe April wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> Let's say I've recently brought myself more up to date, and ISF
>>>>>>>>> is now going to start using OpenWrt Whiterussian.
>>>>>>>>>
>>>>>>>>> Which means we have a package compiled for whiterussian and
>>>>>>>>> we're going to keep it up to date!
>>>>>>>>>
>>>>>>>>> So, this image (which actually comes from the openwrt site):
>>>>>>>>> http://www.ilesansfil.org/dist/wifidog/bin/openwrt/whiterussian-rc2/openwrt-wrt54g-squashfs.bin
>>>>>>>>>
>>>>>>>>> and this package:
>>>>>>>>>
>>>>>>>>> http://www.ilesansfil.org/dist/wifidog/bin/openwrt/whiterussian-rc2/packages/wifidog_1.1.2-1_mipsel.ipk
>>>>>>>>>
>>>>>>>>> Both should work perfectly! And it should install all the
>>>>>>>>> dependencies.
>>>>>>>>>
>>>>>>>>> Important point: you have to use /etc/init.d/S65wifidog (or
>>>>>>>>> wifidog-init start) to start wifidog so that it loads the kernel
>>>>>>>>> modules wifidog depends on.
>>>>>>>>>
>>>>>>>>> The openwrt image is for a WRT54G and not a WRT54GS; for the S
>>>>>>>>> you can find it at the same link, or on the openwrt site.
>>>>>>>>>
>>>>>>>>> Keep us posted!
>>>>>>>>>
>>>>>>>>> Philippe April
>>>>>>>>> GnuPG http://key.philippeapril.com
>>>>>>>>>
>>>>>>>>> On 14-Sep-05, at 9:58 PM, Loïc DEVAUX wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I've just finished installing the auth server, which went
>>>>>>>>>> wonderfully on a debian sarge; thank you for your magnificent
>>>>>>>>>> work.
>>>>>>>>>>
>>>>>>>>>> However, I'm having problems installing the wifidog client on
>>>>>>>>>> a WRT54G.
>>>>>>>>>>
>>>>>>>>>> Which version of openwrt and which version of wifidog should I
>>>>>>>>>> use to avoid problems?
>>>>>>>>>>
>>>>>>>>>> Thanks in advance for your reply.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Loïc DEVAUX
>>>>>>>>>>
>>>>>>>>>> 10 rue des mésanges
>>>>>>>>>>
>>>>>>>>>> 63170 AUBIERE France
>>>>>>>>>>
>>>>>>>>>> (+33) 6 63 69 76 09
>>>>>>>>>>
>>>>>>>>>> loic.devaux99 at laposte.net
>>>>>>>>>>
>>>>>>>>>> Skype : mioz963
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> WiFiDog mailing list
>>>>>>>>>> WiFiDog at listes.ilesansfil.org
>>>>>>>>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
