[isf-wifidog] gateway problem
Cara Ward
cara at onshore.com
Wed 10 May 13:31:28 EDT 2006
Hi Mina,
Thanks for the reply.
I changed the MAC to 20:20...

I ran the iptables commands you suggested (pasted at bottom) and realized that a rule is added to mangle to allow my MAC, but is then immediately deleted after I hit the "Use the Internet" link in the portal, so I'm thinking this is a problem with my authenticator that I missed before. I'll have to look into this a bit more, but any suggestions are appreciated.
...
[6][Wed May 10 11:11:58 2006][3648](auth.c:209) Got ALLOWED from central server authenticating token bd93e320cc9fd1a4cabb1f6c45ee5317 from 192.168.5.114 at 40:40:40:40:40:40 - adding to firewall and redirecting them to portal
[7][Wed May 10 11:11:58 2006][3648](firewall.c:87) Allowing 192.168.5.114 40:40:40:40:40:40 with fw_connection_state 2
[7][Wed May 10 11:11:58 2006][3648](fw_iptables.c:79) Executing command: iptables -t mangle -A WiFiDog_Outgoing -s 192.168.5.114 -m mac --mac-source 40:40:40:40:40:40 -j MARK --set-mark 2
...
[6][Wed May 10 11:08:11 2006][3648](centralserver.c:149) Auth server returned authentication code 0
[7][Wed May 10 11:08:11 2006][3648](firewall.c:247) Locking client list
[7][Wed May 10 11:08:11 2006][3648](firewall.c:247) Client list locked
[5][Wed May 10 11:08:11 2006][3648](firewall.c:280) 192.168.5.114 - Denied. Removing client and firewall rules
[7][Wed May 10 11:08:11 2006][3648](firewall.c:102) Denying 192.168.5.114 40:40:40:40:40:40 with fw_connection_state 2
[7][Wed May 10 11:08:11 2006][3648](fw_iptables.c:79) Executing command: iptables -t mangle -D WiFiDog_Outgoing -s 192.168.5.114 -m mac --mac-source 40:40:40:40:40:40 -j MARK --set-mark 2
...
iptables -t filter -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
WiFiDog_WIFI2Internet  all  --  anywhere  anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain WiFiDog_AuthServers (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             OSH-192-47.onshore.com

Chain WiFiDog_Global (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.5.1          tcp dpt:www
ACCEPT     udp  --  anywhere             192.168.5.1          udp dpt:domain
ACCEPT     udp  --  anywhere             nsns.onshore.com     udp dpt:domain
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain WiFiDog_Known (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain WiFiDog_Locked (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.5.1          tcp dpt:www
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain WiFiDog_Unknown (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain WiFiDog_Validate (1 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             tcp dpt:smtp reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere

Chain WiFiDog_WIFI2Internet (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             state INVALID,NEW
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
WiFiDog_AuthServers  all  --  anywhere   anywhere
WiFiDog_Locked       all  --  anywhere   anywhere             MARK match 0x254
WiFiDog_Global       all  --  anywhere   anywhere
WiFiDog_Validate     all  --  anywhere   anywhere             MARK match 0x1
WiFiDog_Known        all  --  anywhere   anywhere             MARK match 0x2
WiFiDog_Unknown      all  --  anywhere   anywhere
iptables -t nat:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
WiFiDog_Outgoing  all  --  anywhere      anywhere

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere            anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain WiFiDog_AuthServers (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             OSH-192-47.onshore.com

Chain WiFiDog_Global (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.5.1          tcp dpt:www
ACCEPT     udp  --  anywhere             192.168.5.1          udp dpt:domain
ACCEPT     udp  --  anywhere             nsns.onshore.com     udp dpt:domain

Chain WiFiDog_Outgoing (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             nsns.onshore.com     udp dpt:domain

Chain WiFiDog_Outgoing (1 references)
target     prot opt source               destination
WiFiDog_WIFI2Router    all  --  anywhere  192.168.5.1
WiFiDog_WIFI2Internet  all  --  anywhere  anywhere

Chain WiFiDog_Unknown (1 references)
target     prot opt source               destination
WiFiDog_AuthServers  all  --  anywhere   anywhere
WiFiDog_Global       all  --  anywhere   anywhere
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:www redir ports 2060

Chain WiFiDog_WIFI2Internet (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             MARK match 0x2
ACCEPT     all  --  anywhere             anywhere             MARK match 0x1
WiFiDog_Unknown  all  --  anywhere       anywhere

Chain WiFiDog_WIFI2Router (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
iptables -t mangle -L (after logging in, but before attempting to surf web):

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
WiFiDog_Trusted   all  --  anywhere      anywhere
WiFiDog_Outgoing  all  --  anywhere      anywhere

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
WiFiDog_Incoming  all  --  anywhere      anywhere

Chain WiFiDog_Incoming (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.5.114

Chain WiFiDog_Outgoing (1 references)
target     prot opt source               destination
MARK       all  --  192.168.5.114        anywhere             MAC 40:40:40:40:40:40 MARK set 0x2

Chain WiFiDog_Trusted (1 references)
target     prot opt source               destination
iptables -t mangle -L (after I hit the "use the internet" button and am redirected back to login):

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
WiFiDog_Trusted   all  --  anywhere      anywhere
WiFiDog_Outgoing  all  --  anywhere      anywhere

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
WiFiDog_Incoming  all  --  anywhere      anywhere

Chain WiFiDog_Incoming (1 references)
target     prot opt source               destination

Chain WiFiDog_Outgoing (1 references)
target     prot opt source               destination

Chain WiFiDog_Trusted (1 references)
target     prot opt source               destination
On Wed, 10 May 2006, Mina Naguib wrote:
>
> Hi Cara
>
> Did you change the MAC address below to 20:20:20:20:20:20, or is that what it
> showed ?
>
> Also after authentication, could you send us the output of `iptables -t
> filter -L`, `iptables -t nat -L` and `iptables -t mangle -L`
>
> On 10-May-06, at 2:30 AM, Cara Ward wrote:
>
>> Hi,
>>
>> I am testing wifidog for possible deployment in a large scale wireless
>> community network project in Chicago, but am unable to get the gateway
>> working properly. Hosts are directed to the portal and are able to
>> successfully authenticate via RADIUS, but instead of gaining access online
>> they are redirected back to the login screen. The gateway is an IBM server
>> running Debian 2.6.16.12 with netfilter and ipt_mac statically compiled
>> into the kernel.
>> The output of lsmod is below.
>>
>>
>> I'm still learning iptables, but I think the wifidog debug log shows that
>> everything should be working; however, when I issue iptables --list I do not
>> see the WiFiDog_Outgoing/Incoming chain at all. Here is a portion of my
>> log:
>>
>> [6][Tue May 9 12:43:07 2006][2877](auth.c:209) Got ALLOWED from central server authenticating token 0ad18c2ff45f31842e832013a141a7b0 from 192.168.5.113 at 20:20:20:20:20:20 - adding to firewall and redirecting them to portal
>> [7][Tue May 9 12:43:07 2006][2877](firewall.c:87) Allowing 192.168.5.113 20:20:20:20:20:20 with fw_connection_state 2
>> [7][Tue May 9 12:43:07 2006][2877](fw_iptables.c:79) Executing command: iptables -t mangle -A WiFiDog_Outgoing -s 192.168.5.113 -m mac --mac-source 20:20:20:20:20:20 -j MARK --set-mark 2
>> [7][Tue May 9 12:43:07 2006][2877](util.c:108) Waiting for PID 2984 to exit
>> [7][Tue May 9 12:43:07 2006][2877](gateway.c:256) Handler for SIGCHLD called. Trying to reap a child
>> [7][Tue May 9 12:43:07 2006][2877](gateway.c:260) Handler for SIGCHLD reaped child PID -1
>> [7][Tue May 9 12:43:07 2006][2877](util.c:110) Process PID 2984 exited
>> [7][Tue May 9 12:43:07 2006][2877](fw_iptables.c:79) Executing command: iptables -t mangle -A WiFiDog_Incoming -d 192.168.5.113 -j ACCEPT
>>
>> lsmod
>>
>> Module                  Size  Used by
>> ipt_REJECT              4992  0
>> ipt_TCPMSS              3840  0
>> ipt_REDIRECT            2432  0
>> xt_mark                 2048  0
>> iptable_mangle          2816  0
>> ipt_MASQUERADE          3584  1
>> xt_state                2304  1
>> iptable_filter          2944  1
>> ip_nat_irc              2688  0
>> ip_nat_ftp              3200  0
>> iptable_nat             7172  1
>> ip_nat                 16940  5 ipt_REDIRECT,ipt_MASQUERADE,ip_nat_irc,ip_nat_ftp,iptable_nat
>> ip_conntrack_irc        6384  1 ip_nat_irc
>> ip_conntrack_ftp        7280  1 ip_nat_ftp
>> ip_conntrack           47404  8 ipt_MASQUERADE,xt_state,ip_nat_irc,ip_nat_ftp,iptable_nat,ip_nat,ip_conntrack_irc,ip_conntrack_ftp
>> i2c_i801                7564  0
>> i2c_core               19856  1 i2c_i801
>> generic                 4484  0 [permanent]
>> hw_random               5400  0
>> ata_piix               10116  0
>> libata                 52240  1 ata_piix
>> tg3                    91780  0
>> iptable_raw             2304  0
>> ip_tables              13144  4 iptable_mangle,iptable_filter,iptable_nat,iptable_raw
>> ip_gre                 12320  0
>> ipt_ttl                 1920  0
>> ipt_TOS                 2304  0
>> ipt_tos                 1792  0
>> xt_mac                  2176  0
>> ipip                    9956  0
>> ipt_addrtype            2048  0
>> psmouse                34056  0
>> ide_generic             1536  0 [permanent]
>> ide_disk               14976  0
>> ide_cd                 36228  0
>> ide_core              107188  4 generic,ide_generic,ide_disk,ide_cd
>> genrtc                  9600  0
>> ....
>>
>> I've set this up on two different machines with the same problem so I'm
>> guessing I'm missing something crucial on both.
>> Thanks in advance for any suggestions you can provide -
>>
>> Cara Ward
>>
>> _______________________________________________
>> WiFiDog mailing list
>> WiFiDog at listes.ilesansfil.org
>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
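An added example, not code from this thread or from wifidog itself: the script below parses the debug-log format quoted above, replays every `iptables -t mangle -A/-D` command the gateway says it executed, and reports per client whether a MARK rule is still present in WiFiDog_Outgoing and which filter chain the WIFI2Internet dispatch in the listing above would send that client to (0x2 to WiFiDog_Known, 0x1 to WiFiDog_Validate, no mark at all to WiFiDog_Unknown, whose nat counterpart REDIRECTs HTTP to port 2060, which is exactly the "back to the login screen" symptom). The function names, the embedded sample log, its timestamps and the second client 192.168.5.113 are all constructed for this example. What the script does not verify is the meaning of the auth-server code it attaches to each removal: in wifidog, "authentication code 0" is AUTH_DENIED, and the centralserver.c line quoted above comes from the counters/validation round-trip the gateway makes for clients already in the firewall, so a 0 there is the auth server telling the gateway to evict the client, not a gateway-side iptables failure.

```python
"""Replay wifidog's own iptables commands out of its debug log (added example,
not wifidog code): which clients still have a MARK rule, and where their
traffic therefore goes in the filter table."""
import re
import sys
from collections import defaultdict

# [level][timestamp][pid](file.c:line) message, the format quoted in the thread
LINE_RE = re.compile(r"^\[(?P<level>\d)\]\[(?P<ts>[^\]]+)\]\[(?P<pid>\d+)\]"
                     r"\((?P<src>[^)]+)\) (?P<msg>.*)$")
# Only -A/-D on a named table/chain are replayed; every other command is ignored.
RULE_RE = re.compile(r"iptables -t (?P<table>\w+) -(?P<op>[AD]) (?P<chain>\S+) (?P<spec>.*)$")
STATE_RE = re.compile(r"^(?P<action>Allowing|Denying) (?P<ip>\d+(?:\.\d+){3}) "
                      r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) "
                      r"with fw_connection_state (?P<state>\d+)$")
AUTH_RE = re.compile(r"Auth server returned authentication code (?P<code>-?\d+)")
MARK_RE = re.compile(r"--set-mark (?P<mark>\d+)")
# Dispatch in filter/WiFiDog_WIFI2Internet as listed in the thread; an unmarked
# packet falls through to WiFiDog_Unknown (REJECT, and in nat a REDIRECT of
# HTTP to the portal on port 2060).
CHAIN_FOR_MARK = {2: "WiFiDog_Known", 1: "WiFiDog_Validate"}

# Constructed sample in the same format: timestamps and the 192.168.5.113 client
# are made up; the 192.168.5.114 add/remove pair mirrors the thread.
SAMPLE_LOG = """\
[7][Wed May 10 11:05:00 2006][3648](firewall.c:87) Allowing 192.168.5.113 20:20:20:20:20:20 with fw_connection_state 2
[7][Wed May 10 11:05:00 2006][3648](fw_iptables.c:79) Executing command: iptables -t mangle -A WiFiDog_Outgoing -s 192.168.5.113 -m mac --mac-source 20:20:20:20:20:20 -j MARK --set-mark 2
[7][Wed May 10 11:05:00 2006][3648](fw_iptables.c:79) Executing command: iptables -t mangle -A WiFiDog_Incoming -d 192.168.5.113 -j ACCEPT
[6][Wed May 10 11:11:58 2006][3648](auth.c:209) Got ALLOWED from central server authenticating token bd93e320cc9fd1a4cabb1f6c45ee5317 from 192.168.5.114 at 40:40:40:40:40:40 - adding to firewall and redirecting them to portal
[7][Wed May 10 11:11:58 2006][3648](firewall.c:87) Allowing 192.168.5.114 40:40:40:40:40:40 with fw_connection_state 2
[7][Wed May 10 11:11:58 2006][3648](fw_iptables.c:79) Executing command: iptables -t mangle -A WiFiDog_Outgoing -s 192.168.5.114 -m mac --mac-source 40:40:40:40:40:40 -j MARK --set-mark 2
[7][Wed May 10 11:11:58 2006][3648](fw_iptables.c:79) Executing command: iptables -t mangle -A WiFiDog_Incoming -d 192.168.5.114 -j ACCEPT
[6][Wed May 10 11:12:03 2006][3648](centralserver.c:149) Auth server returned authentication code 0
[5][Wed May 10 11:12:03 2006][3648](firewall.c:280) 192.168.5.114 - Denied. Removing client and firewall rules
[7][Wed May 10 11:12:03 2006][3648](firewall.c:102) Denying 192.168.5.114 40:40:40:40:40:40 with fw_connection_state 2
[7][Wed May 10 11:12:03 2006][3648](fw_iptables.c:79) Executing command: iptables -t mangle -D WiFiDog_Outgoing -s 192.168.5.114 -m mac --mac-source 40:40:40:40:40:40 -j MARK --set-mark 2
[7][Wed May 10 11:12:03 2006][3648](fw_iptables.c:79) Executing command: iptables -t mangle -D WiFiDog_Incoming -d 192.168.5.114 -j ACCEPT
"""


def replay(log_text):
    """Return {'rules': table/chain -> specs still present, 'clients': ip -> allow/deny
    events (denies tagged with the last auth code), 'orphan_deletes': -D of rules
    never added, which iptables itself would have rejected}."""
    rules, clients, orphans = defaultdict(list), defaultdict(list), []
    last_auth_code = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if (a := AUTH_RE.search(msg)):
            last_auth_code = int(a.group("code"))
        elif (s := STATE_RE.match(msg)):
            clients[s.group("ip")].append({
                "ts": m.group("ts"), "action": s.group("action").lower(),
                "mac": s.group("mac").lower(), "state": int(s.group("state")),
                "auth_code": last_auth_code if s.group("action") == "Denying" else None})
        elif (r := RULE_RE.search(msg)):
            key, spec = f"{r.group('table')}/{r.group('chain')}", r.group("spec").strip()
            if r.group("op") == "A":
                rules[key].append(spec)
            elif spec in rules[key]:
                rules[key].remove(spec)
            else:
                orphans.append(f"{key} {spec}")
    return {"rules": rules, "clients": clients, "orphan_deletes": orphans}


def summarize(log_text):
    """Per client: the mark still set by mangle/WiFiDog_Outgoing (None once the rule
    is gone), the filter chain that mark selects, and the allow/deny history."""
    state, out = replay(log_text), {}
    for ip, events in state["clients"].items():
        mark = None
        for spec in state["rules"]["mangle/WiFiDog_Outgoing"]:
            if spec.startswith(f"-s {ip} ") and (mm := MARK_RE.search(spec)):
                mark = int(mm.group("mark"))
        denies = [e for e in events if e["action"] == "denying"]
        out[ip] = {"mark": mark,
                   "filter_chain": CHAIN_FOR_MARK.get(mark, "WiFiDog_Unknown"),
                   "actions": [e["action"] for e in events],
                   "deny_auth_code": denies[-1]["auth_code"] if denies else None}
    return out


def report(log_text):
    """One line per client; the unmarked ones are those sent back to the portal."""
    lines = []
    for ip, s in sorted(summarize(log_text).items()):
        if s["mark"] is None:
            why = (f" (auth server answered code {s['deny_auth_code']} before removal)"
                   if "denying" in s["actions"] else "")
            lines.append(f"{ip}: no MARK rule -> {s['filter_chain']} -> portal{why}")
        else:
            lines.append(f"{ip}: MARK {s['mark']:#x} -> {s['filter_chain']}")
    return lines


if __name__ == "__main__":
    # Pipe the real debug log in on stdin; with no stdin the constructed sample runs.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(report(text)))
```

Feeding the gateway's real log in on stdin gives the same per-client verdict the two `iptables -t mangle -L` listings above show by hand: a client whose MARK rule has been deleted again will land in WiFiDog_Unknown no matter how healthy the filter and nat chains look, and the interesting line to read next is the auth-server code logged just before its "Denied. Removing client and firewall rules".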