[isf-wifidog] WRT54G firewalling problem
kaouete
kaouete at crazydwarves.org
Fri 7 Oct 11:44:52 EDT 2005
hehe you are right, it is quite a dirty fix.
Anyway, the fix is not the "sleep 10" but the fact that wifidog
starts before the firewall.
The other thing is that his problem appears because of my dirty fix
being mis-applied.
So to find the problem, the correct information to provide
should only be the different iptables tables after having started
wifidog in the normal way (so without the dirty fix).
And the reason is, in my opinion, that the problem is just that
iptables doesn't redirect other ports than 80 (but I am maybe wrong
:)
I will try to provide you as much information as I can about this
problem Philippe, do you prefer to get it on your personal mail?
Or maybe should I report the bug on sf?
kaouete
On Fri, Oct 07, 2005 at 09:18:24AM -0400, Philippe April wrote:
> I'd love the see the output of starting in debug mode anyway, because
> it works flawlessly at home on RC3.
>
> I do not consider a sleep 10 a fix, even temporarily!!
>
> Philippe April
> GnuPG http://key.philippeapril.com
>
> On 7-Oct-05, at 3:48 AM, kaouete wrote:
>
> >it was my idea to rename to S42 and to add a sleep 10 at
> >the beginning of firewall.
> >
> >You have to comment the 4 lines after the CLEAR TABLE COMMENT too,
> >that is why the tables you listed are empty or so.
> >
> >After that, it is just a trick to fix the problem.
> >
> >kaouete
> >
> >On Fri, Oct 07, 2005 at 02:58:15AM +0200, Max Horváth wrote:
> >
> >>Hi,
> >>
> >>I still have problems regarding the WifiDog gateway ...
> >>
> >>Installing the CVS version in OpenWRT I can access every port but
> >>port 80 without authenticating.
> >>
> >>Doing it the way you described (renaming to S42wifidog) and adding
> >>sleep 10 to S45firewall doesn't work. It's like WifiDog wouldn't run.
> >>So which lines do I have to comment in S45firewall?
> >>
> >>Nonetheless - Philippe: do you know why this happens? Or why
> >>doesn't it happen at ISF? How did you split LAN and WiFi exactly?
> >>
> >>To answer another question: these are the results when running the
> >>following commands:
> >>
> >> iptables -t mangle -L
> >> iptables -t filter -L
> >> iptables -t nat -L
> >>
> >>
> >>
> >>iptables -t mangle -L
> >>=====================
> >>Chain PREROUTING (policy ACCEPT)
> >>target prot opt source destination
> >>WiFiDog_Outgoing all -- anywhere anywhere
> >>
> >>Chain INPUT (policy ACCEPT)
> >>target prot opt source destination
> >>
> >>Chain FORWARD (policy ACCEPT)
> >>target prot opt source destination
> >>
> >>Chain OUTPUT (policy ACCEPT)
> >>target prot opt source destination
> >>
> >>Chain POSTROUTING (policy ACCEPT)
> >>target prot opt source destination
> >>WiFiDog_Incoming all -- anywhere anywhere
> >>
> >>Chain WiFiDog_Incoming (1 references)
> >>target prot opt source destination
> >>ACCEPT all -- anywhere 10.22.11.173
> >>
> >>Chain WiFiDog_Outgoing (1 references)
> >>target prot opt source destination
> >>MARK all -- 10.22.11.173 anywhere MAC 00:11:24:C2:92:76 MARK set 0x2
> >>
> >>iptables -t filter -L
> >>=====================
> >>Chain INPUT (policy DROP)
> >>target prot opt source destination
> >>DROP all -- anywhere anywhere state INVALID
> >>ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> >>DROP tcp -- anywhere anywhere tcp option=!2 flags:SYN/SYN
> >>input_rule all -- anywhere anywhere
> >>ACCEPT all -- anywhere anywhere
> >>ACCEPT icmp -- anywhere anywhere
> >>ACCEPT gre -- anywhere anywhere
> >>REJECT tcp -- anywhere anywhere reject-with tcp-reset
> >>REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
> >>
> >>Chain FORWARD (policy DROP)
> >>target prot opt source destination
> >>DROP all -- anywhere anywhere state INVALID
> >>TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
> >>ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> >>forwarding_rule all -- anywhere anywhere
> >>ACCEPT all -- anywhere anywhere
> >>ACCEPT all -- anywhere anywhere
> >>WiFiDog_WIFI2Internet all -- anywhere anywhere
> >>
> >>Chain OUTPUT (policy DROP)
> >>target prot opt source destination
> >>DROP all -- anywhere anywhere state INVALID
> >>ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> >>output_rule all -- anywhere anywhere
> >>ACCEPT all -- anywhere anywhere
> >>REJECT tcp -- anywhere anywhere reject-with tcp-reset
> >>REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
> >>
> >>Chain WiFiDog_AuthServers (1 references)
> >>target prot opt source destination
> >>ACCEPT all -- anywhere maxspot.de
> >>
> >>Chain WiFiDog_Global (1 references)
> >>target prot opt source destination
> >>ACCEPT tcp -- anywhere 85.10.198.114 tcp dpt:80
> >>
> >>Chain WiFiDog_Known (1 references)
> >>target prot opt source destination
> >>ACCEPT all -- anywhere anywhere
> >>
> >>Chain WiFiDog_Locked (1 references)
> >>target prot opt source destination
> >>REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
> >>
> >>Chain WiFiDog_Unknown (1 references)
> >>target prot opt source destination
> >>ACCEPT udp -- anywhere anywhere udp dpt:53
> >>ACCEPT tcp -- anywhere anywhere tcp dpt:53
> >>ACCEPT udp -- anywhere anywhere udp dpt:67
> >>ACCEPT tcp -- anywhere anywhere tcp dpt:67
> >>REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
> >>
> >>Chain WiFiDog_Validate (1 references)
> >>target prot opt source destination
> >>REJECT tcp -- anywhere anywhere tcp dpt:25 reject-with icmp-port-unreachable
> >>ACCEPT all -- anywhere anywhere
> >>
> >>Chain WiFiDog_WIFI2Internet (1 references)
> >>target prot opt source destination
> >>WiFiDog_AuthServers all -- anywhere anywhere
> >>WiFiDog_Locked all -- anywhere anywhere MARK match 0x254
> >>WiFiDog_Global all -- anywhere anywhere
> >>WiFiDog_Validate all -- anywhere anywhere MARK match 0x1
> >>WiFiDog_Known all -- anywhere anywhere MARK match 0x2
> >>WiFiDog_Unknown all -- anywhere anywhere
> >>
> >>Chain forwarding_rule (1 references)
> >>target prot opt source destination
> >>
> >>Chain input_rule (1 references)
> >>target prot opt source destination
> >>
> >>Chain output_rule (1 references)
> >>target prot opt source destination
> >>
> >>iptables -t nat -L
> >>==================
> >>Chain PREROUTING (policy ACCEPT)
> >>target prot opt source destination
> >>prerouting_rule all -- anywhere anywhere
> >>WiFiDog_Outgoing all -- anywhere anywhere
> >>
> >>Chain POSTROUTING (policy ACCEPT)
> >>target prot opt source destination
> >>postrouting_rule all -- anywhere anywhere
> >>MASQUERADE all -- anywhere anywhere
> >>
> >>Chain OUTPUT (policy ACCEPT)
> >>target prot opt source destination
> >>
> >>Chain WiFiDog_AuthServers (1 references)
> >>target prot opt source destination
> >>ACCEPT all -- anywhere maxspot.de
> >>
> >>Chain WiFiDog_Outgoing (1 references)
> >>target prot opt source destination
> >>WiFiDog_WIFI2Router all -- anywhere 10.22.11.1
> >>WiFiDog_WIFI2Internet all -- anywhere anywhere
> >>
> >>Chain WiFiDog_Unknown (1 references)
> >>target prot opt source destination
> >>WiFiDog_AuthServers all -- anywhere anywhere
> >>REDIRECT tcp -- anywhere anywhere tcp dpt:80 redir ports 2060
> >>
> >>Chain WiFiDog_WIFI2Internet (1 references)
> >>target prot opt source destination
> >>ACCEPT all -- anywhere anywhere MARK match 0x2
> >>ACCEPT all -- anywhere anywhere MARK match 0x1
> >>WiFiDog_Unknown all -- anywhere anywhere
> >>
> >>Chain WiFiDog_WIFI2Router (1 references)
> >>target prot opt source destination
> >>ACCEPT all -- anywhere anywhere
> >>
> >>Chain postrouting_rule (1 references)
> >>target prot opt source destination
> >>
> >>Chain prerouting_rule (1 references)
> >>target prot opt source destination
> >>
> >>Regards, Max!
> >>
> >>On 17.09.2005 at 19:38, kaouete wrote:
> >>
> >>
> >>>Ok,
> >>>
> >>>so, after a few tests, here are the results:
> >>>
> >>>I installed a fresh openwrt whiterussian rc3,
> >>>then I installed wifidog, modified the wifidog.conf, restarted the
> >>>wrt.
> >>>
> >>>1) without touching the firewall script and co.:
> >>>S65wifidog is started after S45firewall:
> >>>if I try to connect to a website with a wifi client I get the
> >>>wifidog auth page
> >>>BUT I can anyway ssh to the net or use any other port than 80.
> >>>
> >>>2) now I mv S65wifidog to S41wifidog (so it is started before
> >>>S45firewall), I comment the iptables table flushing and co. and
> >>>add a sleep 10 at the beginning of the file to be sure that
> >>>wifidog has the time to load all of its rules.
> >>>
> >>>with a wifi client if I connect to the net: I get the wifidog
> >>>auth portal
> >>>AND I can't access the net with anything without being authed
> >>>\o/
> >>>
> >>>conclusion: openwrt out-of-the-box is not compatible with wifidog
> >>>for the moment. I think there should be a nicer way to fix it by
> >>>modifying wifidog rules .. .. or not :]
> >>>
> >>>kaouete
> >>>
> >>>On Thu, Sep 15, 2005 at 02:33:17PM +0200, kaouete wrote:
> >>>
> >>>
> >>>>oh, sorry :]
> >>>>
> >>>>Follow the link of the bug on sourceforge.
> >>>>
> >>>>For me the problem is that the openwrt firewall script breaks the
> >>>>iptables rules used by wifidog,
> >>>>
> >>>>but maybe it is working anyway, I will do more tests (and maybe
> >>>>other people too :) and will tell you if there are problems and
> >>>>if yes, what they are :]
> >>>>
> >>>>kaouete
> >>>>
> >>>>On Thu, Sep 15, 2005 at 02:17:54PM +0200, Max Horváth wrote:
> >>>>
> >>>>
> >>>>>Hey guys,
> >>>>>
> >>>>>I just those two words problem and firewall.
> >>>>>
> >>>>>As I can't read French, I'd like to ask you what kind of problem
> >>>>>exists and if you could translate it for me.
> >>>>>
> >>>>>Thanks and cheers, Max!
> >>>>>
> >>>>>On 15.09.2005 at 13:16, kaouete wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>>>ok, so I will run some tests then, and I'll tell you what I
> >>>>>>found.
> >>>>>>
> >>>>>>kaouete
> >>>>>>
> >>>>>>On Thu, Sep 15, 2005 at 07:08:25AM -0400, Philippe April wrote:
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>>
> >>>>>>>Actually, I just re-read the bug report, and my answer about
> >>>>>>>bad iptables may not apply 100%; the author seems to say that
> >>>>>>>it really is an ordering problem.
> >>>>>>>
> >>>>>>>That said, the more feedback we get from outside people, the
> >>>>>>>better we'll know whether everything is fine now :)
> >>>>>>>
> >>>>>>>Keep us posted!
> >>>>>>>
> >>>>>>>Philippe April
> >>>>>>>GnuPG http://key.philippeapril.com
> >>>>>>>
> >>>>>>>On 15-Sep-05, at 6:54 AM, kaouete wrote:
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>>On that subject, and related to this bug:
> >>>>>>>>https://sourceforge.net/tracker/index.php?func=detail&aid=1210428&group_id=102646&atid=632424
> >>>>>>>>
> >>>>>>>>is this problem fixed with whiterussian?
> >>>>>>>>
> >>>>>>>>(and there are also other bugs reported, by the way :)
> >>>>>>>>
> >>>>>>>>kaouete
> >>>>>>>>
> >>>>>>>>On Wed, Sep 14, 2005 at 10:54:46PM -0400, Philippe April wrote:
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>>
> >>>>>>>>>Let's say that lately I've brought myself more up to date, and ISF
> >>>>>>>>>is now going to start using OpenWrt Whiterussian.
> >>>>>>>>>
> >>>>>>>>>Which means that we have a package compiled for whiterussian and
> >>>>>>>>>that we'll keep it up to date!
> >>>>>>>>>
> >>>>>>>>>So, this image (which actually comes from the openwrt site):
> >>>>>>>>>http://www.ilesansfil.org/dist/wifidog/bin/openwrt/whiterussian-rc2/openwrt-wrt54g-squashfs.bin
> >>>>>>>>>
> >>>>>>>>>and this package:
> >>>>>>>>>
> >>>>>>>>>http://www.ilesansfil.org/dist/wifidog/bin/openwrt/whiterussian-rc2/packages/wifidog_1.1.2-1_mipsel.ipk
> >>>>>>>>>
> >>>>>>>>>Both should work perfectly! And it should install all the
> >>>>>>>>>dependencies.
> >>>>>>>>>
> >>>>>>>>>Important point: you must use /etc/init.d/S65wifidog (or
> >>>>>>>>>wifidog-init start) to start wifidog so that it loads the kernel
> >>>>>>>>>modules that wifidog depends on.
> >>>>>>>>>
> >>>>>>>>>The openwrt image is for a WRT54G and not a WRT54GS; for the S
> >>>>>>>>>version you can find it at the same link, or on the openwrt site.
> >>>>>>>>>
> >>>>>>>>>Keep us posted!
> >>>>>>>>>
> >>>>>>>>>Philippe April
> >>>>>>>>>GnuPG http://key.philippeapril.com
> >>>>>>>>>
> >>>>>>>>>On 14-Sep-05, at 9:58 PM, Loïc DEVAUX wrote:
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>>Hi,
> >>>>>>>>>>
> >>>>>>>>>>I just finished installing the auth server, which went
> >>>>>>>>>>wonderfully on a Debian sarge; thank you for your magnificent
> >>>>>>>>>>work.
> >>>>>>>>>>
> >>>>>>>>>>However, I have problems installing the wifidog client on a
> >>>>>>>>>>WRT54G.
> >>>>>>>>>>
> >>>>>>>>>>Which version of openwrt and which version of wifidog should I
> >>>>>>>>>>use to avoid problems?
> >>>>>>>>>>
> >>>>>>>>>>Thanks in advance for your reply.
> >>>>>>>>>>
> >>>>>>>>>>Loïc DEVAUX
> >>>>>>>>>>
> >>>>>>>>>>10 rue des mésanges
> >>>>>>>>>>
> >>>>>>>>>>63170 AUBIERE France
> >>>>>>>>>>
> >>>>>>>>>>Tel: (+33) 6 63 69 76 09
> >>>>>>>>>>
> >>>>>>>>>>Email: loic.devaux99 at laposte.net
> >>>>>>>>>>
> >>>>>>>>>>Skype : mioz963
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>_______________________________________________
> >>>>>>>>>>WiFiDog mailing list
> >>>>>>>>>>WiFiDog at listes.ilesansfil.org
> >>>>>>>>>>http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>
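A way to check the ordering problem discussed in this thread mechanically, as an added example that is not WiFiDog or OpenWrt code: in the `iptables -t filter -L` listing Max quoted, the FORWARD chain carries two catch-all `ACCEPT all -- anywhere anywhere` rules ahead of the jump to WiFiDog_WIFI2Internet, so any new connection that the nat REDIRECT on port 80 does not catch is forwarded before the portal chain ever sees it. The script below parses `iptables -L` text (it assumes the default column layout with wrapped lines already joined) and flags catch-all ACCEPTs that precede the portal jump; the chain and target names come from the listing, and both sample chains are constructed for this example, the second being the same chain with the jump moved in front of the ACCEPTs.

```python
"""Spot a captive-portal bypass in an iptables chain listing.

Added example (not WiFiDog or OpenWrt code). It parses `iptables -L` text and
reports unconditional ACCEPT rules that sit in front of the jump into the
portal chain: packets matched by such a rule never reach the portal's
per-client checks. The sample listings below are constructed from the shape
of the FORWARD chain quoted in this thread (line wrapping joined).
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    target: str
    prot: str
    source: str
    destination: str
    extra: str = ""          # match extensions printed after the 5 columns

    def is_catch_all_accept(self) -> bool:
        # ACCEPT with no protocol, address or match restriction: matches every packet.
        return (self.target == "ACCEPT" and self.prot == "all"
                and self.source == "anywhere" and self.destination == "anywhere"
                and self.extra == "")


def parse_iptables_listing(text: str) -> dict:
    """Parse `iptables -L` output into {chain_name: [Rule, ...]} in rule order."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"Chain (\S+) \(", line)
        if header:
            current = header.group(1)
            chains[current] = []
            continue
        if current is None or line.startswith("target "):
            continue                     # column header row
        parts = line.split(None, 5)      # target prot opt source destination [extra]
        if len(parts) < 5:
            continue                     # not a rule row
        target, prot, _opt, src, dst = parts[:5]
        chains[current].append(Rule(target, prot, src, dst,
                                    parts[5] if len(parts) > 5 else ""))
    return chains


def shadowing_accepts(chains: dict, chain: str, portal_chain: str):
    """Return 0-based positions of catch-all ACCEPTs in `chain` that precede the
    jump to `portal_chain`, or None when `chain` never jumps to it at all."""
    rules = chains.get(chain, [])
    targets = [r.target for r in rules]
    if portal_chain not in targets:
        return None
    before_jump = rules[:targets.index(portal_chain)]
    return [i for i, r in enumerate(before_jump) if r.is_catch_all_accept()]


# Constructed sample: the FORWARD chain as listed in the thread, where the
# OpenWrt firewall script has put two catch-all ACCEPTs ahead of the WiFiDog jump.
BROKEN_FORWARD = """\
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
forwarding_rule all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
WiFiDog_WIFI2Internet all -- anywhere anywhere
"""

# Constructed sample: the same chain with the portal jump moved ahead of the
# catch-all ACCEPTs, so unauthenticated clients are checked before being forwarded.
FIXED_FORWARD = """\
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
forwarding_rule all -- anywhere anywhere
WiFiDog_WIFI2Internet all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
"""


def report(text: str, chain: str = "FORWARD",
           portal_chain: str = "WiFiDog_WIFI2Internet") -> str:
    """One-line verdict for a listing: bypass found, portal missing, or ok."""
    hits = shadowing_accepts(parse_iptables_listing(text), chain, portal_chain)
    if hits is None:
        return f"{chain}: no jump to {portal_chain} (portal rules missing or flushed)"
    if hits:
        return f"{chain}: catch-all ACCEPT at rule(s) {hits} bypasses {portal_chain}"
    return f"{chain}: {portal_chain} is reached before any catch-all ACCEPT"


if __name__ == "__main__":
    print(report(BROKEN_FORWARD))   # catch-all ACCEPT at rule(s) [4, 5] bypasses ...
    print(report(FIXED_FORWARD))    # WiFiDog_WIFI2Internet is reached before any catch-all ACCEPT
```

Run it against a saved `iptables -L` dump from the router after starting wifidog the normal way (no sleep trick): a result of None means the portal chains were flushed by the firewall script, a non-empty list means they are present but shadowed, and only an empty list means the ordering is actually right.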
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url: http://listes.ilesansfil.org/pipermail/wifidog/attachments/20051007/1b29d928/attachment.pgp