[isf-wifidog] connection refused for all requests from client

Ken Chase m-wifidog at sizone.org
Wed 4 Jul 12:33:26 EDT 2007


Trying to get wifidog going here for a project.

Auth server installed fine, no problems (in a Linux vserver, no less! :)
(i.e. linux-vserver.org)

I am running the latest OpenWRT version (Feb 07 on their page) on my WRT54GL
with the latest WebIf.

I grabbed the latest release of the wifidog ipk, 1.1.3, and installed it
with no problem on my WRT.

I've edited /etc/init.d/S35Firewall to comment out the forwarding lines,
and libpthread is installed (among much else).

Wifidog runs (-f -d 7) fine, and connects to the auth server no problem,
I see pongs every minute.

However, all surfing as a client through wifidog gets connection refused.
The Wifidog WRT IS resolving DNS fine (though I don't think a DNS
problem would give connection refused per se). I've also tested surfing
with raw IPs (avoiding DNS).

Any suggestions as to what the problem may be? 

Do I need to do more auth server setup? It's all in defaults for now.

I would think that something would happen trying to surf through
wifidog, even if auth is only configured with defaults and wifidog
can ping the auth server OK. I am confused that I'm getting a
connection refused.

from a linux box as wifidog client:
# telnet 66.96.29.195 80
Trying 66.96.29.195...
telnet: Unable to connect to remote host: Connection refused

If I stop wifidog and rerun the original S35firewall to reinsert the
forwarding rules, I can surf to the internet no problem from my
clients.

Any help is appreciated. Long outputs follow below:

(192.168.1.0/24 is the internal network at the office I'm testing on; it's
NATted to the net by another firewall (yes, double NATting is horrid).
192.168.5.0/24 is the wifi client network I'm testing on.)

==============================================================================

root@gw:~# ifconfig
br0       Link encap:Ethernet  HWaddr 00:1A:70:E6:90:28  
          inet addr:192.168.5.1  Bcast:192.168.5.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22602 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20695 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1472871 (1.4 MiB)  TX bytes:7843103 (7.4 MiB)

eth0      Link encap:Ethernet  HWaddr 00:1A:70:E6:90:28  
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:57041 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29747 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:10253167 (9.7 MiB)  TX bytes:8873776 (8.4 MiB)
          Interrupt:4 

eth1      Link encap:Ethernet  HWaddr 00:1A:70:E6:90:2A  
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:333 errors:0 dropped:0 overruns:0 frame:285809
          TX packets:343 errors:39 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:34751 (33.9 KiB)  TX bytes:42164 (41.1 KiB)
          Interrupt:2 Base address:0x5000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1472 (1.4 KiB)  TX bytes:1472 (1.4 KiB)

vlan0     Link encap:Ethernet  HWaddr 00:1A:70:E6:90:28  
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:22266 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20852 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1531828 (1.4 MiB)  TX bytes:7945851 (7.5 MiB)

vlan1     Link encap:Ethernet  HWaddr 00:1A:70:E6:90:29  
          inet addr:192.168.1.78  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:34789 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8897 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:7695595 (7.3 MiB)  TX bytes:774092 (755.9 KiB)


==============================================================================
Once wifidog runs and sets up all its firewall rules, I see this in
iptables:

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere            tcp option=!2 flags:SYN/SYN
input_rule  all  --  anywhere             anywhere
input_wan  all  --  anywhere             anywhere
LAN_ACCEPT  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     gre  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination
WiFiDog_WIFI2Internet  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere            state INVALID
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere
forwarding_wan  all  --  anywhere             anywhere

Chain LAN_ACCEPT (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
output_rule  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain WiFiDog_AuthServers (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             wifidog.harmony-mobile.com

Chain WiFiDog_Global (1 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            tcp dpt:25 reject-with icmp-port-unreachable

Chain WiFiDog_Known (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain WiFiDog_Locked (1 references)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain WiFiDog_Unknown (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:53
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:53
ACCEPT     udp  --  anywhere             anywhere            udp dpt:67
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:67
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain WiFiDog_Validate (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain WiFiDog_WIFI2Internet (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
WiFiDog_AuthServers  all  --  anywhere             anywhere
WiFiDog_Locked  all  --  anywhere             anywhere            MARK match 0x254
WiFiDog_Global  all  --  anywhere             anywhere
WiFiDog_Validate  all  --  anywhere             anywhere            MARK match 0x1
WiFiDog_Known  all  --  anywhere             anywhere            MARK match 0x2
WiFiDog_Unknown  all  --  anywhere             anywhere

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain forwarding_wan (1 references)
target     prot opt source               destination

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_wan (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination


==============================================================================
Installed Packages

Action	Package	Version	Description
Uninstall	base-files	9	OpenWrt filesystem structure and scripts
Uninstall	base-files-brcm	2	Board/architecture specific files
Uninstall	bridge	1.0.6-1	Ethernet bridging tools
Uninstall	busybox	1.00-5	Core utilities for embedded Linux systems
Uninstall	dnsmasq	2.35-1	A lightweight DNS and DHCP server
Uninstall	dropbear	0.48.1-1	a small SSH 2 server/client designed for small memory environments.
Uninstall	haserl	0.8.0-1	a CGI wrapper to embed shell scripts in HTML documents
Uninstall	ip	2.6.11-050330-1	iproute2 routing control utility
Uninstall	ipkg	0.99.149-2	lightweight package management system
Uninstall	iptables	1.3.3-2	The netfilter firewalling software for IPv4
Uninstall	iptables-mod-conntrack	1.3.3-3	Iptables (IPv4) extensions for connection tracking
Uninstall	iptables-mod-extra	1.3.3-3	Other extra Iptables (IPv4) extensions
Uninstall	iptables-mod-filter	1.3.3-3	Iptables (IPv4) extension for packet content inspection
Uninstall	iptables-mod-imq	1.3.3-3	Iptables (IPv4) extensions for Intermediate Queuing Device QoS-support
Uninstall	iptables-mod-ipopt	1.3.3-3	Iptables (IPv4) extensions for matching/changing IP packet options
Uninstall	iptables-mod-nat	1.3.3-3	Iptables (IPv4) extensions for different NAT targets
Uninstall	iwlib	28.pre7-1	Library for setting up WiFi cards using the Wireless Extension
Uninstall	kernel	2.4.30-brcm-5	
Uninstall	kmod-brcm-wl	2.4.30-brcm-5	Proprietary driver for Broadcom Wireless chipsets
Uninstall	kmod-diag	2.4.30-brcm-5	Kernel modules for LEDs and buttons
Uninstall	kmod-imq	2.4.30-brcm-5	Kernel support for the Intermediate Queueing device
Uninstall	kmod-ipt-conntrack	2.4.30-brcm-5	Extra Netfilter (IPv4) kernel modules for connection tracking
Uninstall	kmod-ipt-extra	2.4.30-brcm-5	Other extra Netfilter (IPv4) kernel modules
Uninstall	kmod-ipt-filter	2.4.30-brcm-5	Netfilter (IPv4) kernel modules for packet content inspection
Uninstall	kmod-ipt-ipopt	2.4.30-brcm-5	Netfilter (IPv4) kernel modules for matching/changing IP packet options
Uninstall	kmod-ipt-nat	2.4.30-brcm-5	Netfilter (IPv4) kernel modules for different NAT targets
Uninstall	kmod-ipt-nat-default	2.4.30-brcm-5	Default Netfilter (IPv4) NAT kernel modules for special protocols
Uninstall	kmod-ppp	2.4.30-brcm-5	PPP support
Uninstall	kmod-pppoe	2.4.30-brcm-5	PPP over Ethernet support
Uninstall	kmod-sched	2.4.30-brcm-5	Kernel schedulers for IP traffic
Uninstall	kmod-switch	2.4.30-brcm-1	switch driver for robo/admtek switch
Uninstall	kmod-wlcompat	2.4.30-brcm-4	Compatibility module for using the Wireless Extension with broadcom's wl
Uninstall	libpthread	0.9.27-1	POSIX threads library
Uninstall	mtd	5	Tool for modifying the flash chip
Uninstall	nvram	1	NVRAM utility and libraries for Broadcom hardware
Uninstall	ppp	2.4.3-7	a PPP (Point-to-Point Protocol) daemon (with MPPE/MPPC support)
Uninstall	ppp-mod-pppoe	2.4.3-7	a PPPoE (PPP over Ethernet) plugin for PPP
Uninstall	qos-scripts	1.1.1-2	QoS scripts for OpenWrt
Uninstall	tc	2.6.11-050330-1	iproute2 traffic control utility
Uninstall	uclibc	0.9.27-9	Standard C library for embedded Linux systems
Uninstall	webif	0.3-8	An HTTP administrative console for OpenWrt.
Uninstall	wificonf	6	Replacement utility for wlconf
Uninstall	wifidog	1.1.3-1	
Uninstall	wireless-tools	28.pre7-1	Tools for setting up WiFi cards using the Wireless Extension


/kc
-- 
Ken Chase - math at sizone.org Toronto CANADA.



More information about the WiFiDog mailing list
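The iptables listing quoted in the post shows how a forwarded client packet is dispatched by fwmark through the WiFiDog_* chains. What follows is an added example, not code from the post or from the WiFiDog project: a small Python interpreter for the rules transcribed from that listing, run over constructed packets so the verdict for each client state can be read off. The auth server name, the client addresses and the marks on the packets are assumptions; in a real install the mark is set by wifidog's mangle-table rules, which the post's `iptables -L` output (filter table only) does not include.

```python
"""Walk a client's packet through the WiFiDog filter chains quoted in the post.

Added example, not WiFiDog code: a minimal interpreter for the subset of the
`iptables -L` output in the post (the FORWARD path and the WiFiDog_* chains).
Rules are transcribed from that listing; packets and marks are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: the post shows the auth server only as a resolved hostname.
AUTH_SERVER = "auth.example.invalid"

@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    dst: str              # destination host or IP
    dport: int
    mark: int = 0         # fwmark; set by wifidog's mangle rules (not shown in post)
    state: str = "NEW"    # conntrack state

@dataclass
class Rule:
    target: str                        # ACCEPT, REJECT, DROP or a user chain
    proto: Optional[str] = None
    dport: Optional[int] = None
    dst: Optional[str] = None
    mark: Optional[int] = None
    state: Optional[Tuple[str, ...]] = None
    reject_with: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return all((
            self.proto is None or self.proto == p.proto,
            self.dport is None or self.dport == p.dport,
            self.dst is None or self.dst == p.dst,
            self.mark is None or self.mark == p.mark,
            self.state is None or p.state in self.state,
        ))

# Transcribed from the post's filter table. Empty chains (forwarding_rule,
# forwarding_wan) are omitted; FORWARD policy is DROP.
CHAINS = {
    "FORWARD": [
        Rule("WiFiDog_WIFI2Internet"),
        Rule("DROP", state=("INVALID",)),
        Rule("ACCEPT", state=("RELATED", "ESTABLISHED")),
    ],
    "WiFiDog_WIFI2Internet": [
        Rule("DROP", state=("INVALID",)),
        Rule("WiFiDog_AuthServers"),
        Rule("WiFiDog_Locked", mark=0x254),
        Rule("WiFiDog_Global"),
        Rule("WiFiDog_Validate", mark=0x1),
        Rule("WiFiDog_Known", mark=0x2),
        Rule("WiFiDog_Unknown"),
    ],
    "WiFiDog_AuthServers": [Rule("ACCEPT", dst=AUTH_SERVER)],
    "WiFiDog_Locked": [Rule("REJECT", reject_with="icmp-port-unreachable")],
    "WiFiDog_Global": [Rule("REJECT", proto="tcp", dport=25,
                            reject_with="icmp-port-unreachable")],
    "WiFiDog_Validate": [Rule("ACCEPT")],
    "WiFiDog_Known": [Rule("ACCEPT")],
    "WiFiDog_Unknown": [
        Rule("ACCEPT", proto="udp", dport=53),
        Rule("ACCEPT", proto="tcp", dport=53),
        Rule("ACCEPT", proto="udp", dport=67),
        Rule("ACCEPT", proto="tcp", dport=67),
        Rule("REJECT", reject_with="icmp-port-unreachable"),
    ],
}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def walk(chain: str, p: Packet, trace: List[str]) -> Optional[str]:
    """Terminal verdict reached inside `chain`, or None when the chain falls through."""
    for rule in CHAINS[chain]:
        if not rule.matches(p):
            continue
        if rule.target in TERMINAL:
            extra = f" ({rule.reject_with})" if rule.reject_with else ""
            trace.append(f"{chain}: {rule.target}{extra}")
            return rule.target
        trace.append(f"{chain} -> {rule.target}")
        verdict = walk(rule.target, p, trace)   # user chain: RETURN if no verdict
        if verdict is not None:
            return verdict
    return None

def verdict_for(p: Packet) -> Tuple[str, List[str]]:
    """Verdict for a forwarded client packet plus the chain path that produced it."""
    trace: List[str] = []
    return walk("FORWARD", p, trace) or "DROP (FORWARD policy)", trace

def client_sees(verdict: str) -> str:
    """What connect() on a Linux client reports: the kernel maps an ICMP
    port-unreachable answering a SYN to ECONNREFUSED ('Connection refused')."""
    if verdict == "REJECT":
        return "Connection refused"
    if verdict == "ACCEPT":
        return "connected"
    return "timeout"   # DROP: nothing comes back

if __name__ == "__main__":
    # Constructed probes: the post's telnet target, plus DNS and a known client.
    for pkt in (Packet("tcp", "66.96.29.195", 80),
                Packet("udp", "192.168.1.1", 53),
                Packet("tcp", "66.96.29.195", 80, mark=0x2),
                Packet("tcp", "66.96.29.195", 25, mark=0x2)):
        v, path = verdict_for(pkt)
        print(f"mark={pkt.mark:#x} {pkt.proto}/{pkt.dport}: {v} -> {client_sees(v)}")
        print("   " + " | ".join(path))
```

Run stand-alone, the script prints the chain path for each probe. An unmarked client's SYN to port 80 falls through AuthServers, Locked, Global, Validate and Known and ends in WiFiDog_Unknown, whose final rule is REJECT with icmp-port-unreachable; on Linux that ICMP is reported to the connecting socket as ECONNREFUSED, which telnet prints as "Connection refused". The same client's DNS query is accepted, a client carrying mark 0x2 is accepted on port 80, and port 25 is rejected in WiFiDog_Global before the mark is even examined. Because only the filter table is in the post, the next thing to inspect on such a box is `iptables -t mangle -L -v` to see which mark, if any, the client's traffic actually receives.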