[isf-wifidog] Shorewall Rules for WiFiDog
Matthew Tavenor
mtavenor at nlpl.ca
Thu 3 Sep 11:17:46 EDT 2009
iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 19106 packets, 1833K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 3995 packets, 226K bytes)
pkts bytes target prot opt in out source destination
3336 199K eth0_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 3310 packets, 199K bytes)
pkts bytes target prot opt in out source destination
Chain eth0_masq (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 192.168.20.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * * 169.254.0.0/16 0.0.0.0/0
40 2232 MASQUERADE all -- * * 10.0.0.0/24 0.0.0.0/0
--------------------------------
iptables -nvL
Chain INPUT (policy DROP 1 packets, 96 bytes)
pkts bytes target prot opt in out source destination
147 25524 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
11241 2910K eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
13 1381 eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0
18318 1790K eth2_in all -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
39 6729 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
748 39901 eth2_fwd all -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
147 25524 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
11372 1134K eth0_out all -- * eth0 0.0.0.0/0 0.0.0.0/0
12 1488 eth1_out all -- * eth1 0.0.0.0/0 0.0.0.0/0
18729 2264K eth2_out all -- * eth2 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain Drop (1 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
36 2033 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
36 2033 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
15 752 dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
Chain Reject (4 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
19023 1826K dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
18744 1767K dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445
18034 1730K reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
685 34888 dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
Chain all2all (7 references)
pkts bytes target prot opt in out source destination
12 1488 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
19023 1826K Reject all -- * * 0.0.0.0/0 0.0.0.0/0
710 37709 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
710 37709 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain dropBcast (2 references)
pkts bytes target prot opt in out source destination
279 58323 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
Chain dropInvalid (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source destination
1 40 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02
Chain dynamic (6 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 net2all all -- * eth1 0.0.0.0/0 0.0.0.0/0
39 6729 net2all all -- * eth2 0.0.0.0/0 0.0.0.0/0
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
36 2033 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
9576 2600K tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
11241 2910K net2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth0_out (1 references)
pkts bytes target prot opt in out source destination
11372 1134K fw2net all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 loc2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * eth2 0.0.0.0/0 0.0.0.0/0
Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
13 1381 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
13 1381 loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth1_out (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
12 1488 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth2_fwd (1 references)
pkts bytes target prot opt in out source destination
748 39901 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
748 39901 wifi2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain eth2_in (1 references)
pkts bytes target prot opt in out source destination
18313 1790K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
10 3316 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
18308 1787K wifi2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth2_out (1 references)
pkts bytes target prot opt in out source destination
7 2296 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
18722 2262K fw2wifi all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
8072 937K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3300 197K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2wifi (1 references)
pkts bytes target prot opt in out source destination
18716 2262K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
6 288 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 LOG flags 0 level 7 prefix `Shorewall:fw2wifi:ACCEPT:'
6 288 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
13 1381 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:logdrop:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logflags (5 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:logflags:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:logreject:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (3 references)
pkts bytes target prot opt in out source destination
39 6729 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
36 2033 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
35 1993 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
35 1993 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
11205 2908K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
36 2033 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (11 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0
685 34888 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
18056 1732K REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
3 99 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain smurfs (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 209.128.18.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 209.128.18.255 0.0.0.0/0
0 0 LOG all -- * * 192.168.20.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 192.168.20.255 0.0.0.0/0
0 0 LOG all -- * * 10.0.0.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 10.0.0.255 0.0.0.0/0
0 0 LOG all -- * * 255.255.255.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 LOG all -- * * 224.0.0.0/4 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
Chain tcpflags (2 references)
pkts bytes target prot opt in out source destination
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:0 flags:0x17/0x02
Chain wifi2fw (1 references)
pkts bytes target prot opt in out source destination
5 240 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2060 LOG flags 0 level 7 prefix `Shorewall:wifi2fw:ACCEPT:'
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2060
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
18303 1787K all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain wifi2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
41 2291 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 LOG flags 0 level 7 prefix `Shorewall:wifi2net:ACCEPT:'
41 2291 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
707 37610 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
________________________________________
From: wifidog-bounces at listes.ilesansfil.org [wifidog-bounces at listes.ilesansfil.org] On Behalf Of Menil Jean-Philippe [Jean-Philippe.Menil at univ-nantes.fr]
Sent: Wednesday, September 02, 2009 1:41 PM
To: WiFiDog Captive Portal
Subject: Re: [isf-wifidog] Shorewall Rules for WiFiDog
Matthew Tavenor wrote:
> Thanks Menil Jean-Philippe,
>
> But the masquerading and routing are working fine. I am getting the authentication page and am able to log in, but as soon as I am authenticated no traffic will reach the wireless laptop.
>
> Eth0 - Internet (outside IP)
> Eth1 - LAN (192.168.0.1)
> Eth2 - Wired to Linksys (10.0.0.1)
>
> Default Policy in Shorewall:
>
> Source - Destination
> Eth2(wireless) Eth0(Internet) Accept
>
> Masquerading is setup for both eth1 and eth2.
>
> Any help on why web traffic is not reaching wireless client after successful login?
>
> Thanks,
> Matt
>
> -----Original Message-----
> From: wifidog-bounces at listes.ilesansfil.org [mailto:wifidog-bounces at listes.ilesansfil.org] On Behalf Of Menil Jean-Philippe
> Sent: Tuesday, September 01, 2009 11:57 AM
> To: WiFiDog Captive Portal
> Subject: Re: [isf-wifidog] Shorewall Rules for WiFiDog
>
> Matthew Tavenor wrote:
>> Hello All,
>>
>> I am in the process of creating new router/firewall/wifidog boxes for our 96+ Public Libraries. Currently I am running WifiDog on an Optiplex 755 Small Form Factor running Ubuntu. This is working out great but I am trying to merge all services/servers into one system in order to save space and keep cost down.
>>
>> My question is: Does anyone know the Shorewall rules needed to make WifiDog work on Ubuntu?
>>
>> Current setup is:
>>
>> Optiplex 755
>> 3 Network Cards - Internet, LAN, WiFi (Internet goes to DSL/Fibre, LAN Gigabit Network, WiFi goes to Linksys WRT54G*Access Point)
>> Shorewall
>> Dansguardian
>> Squid
>> DHCP3
>> WifiDog
>>
>> Everything is working and routing fine, just can't get the captive portal to redirect. (Due to firewall rules)
>>
>> Any help would be appreciated. http://wifi.nlpl.ca
>>
>> Thanks,
>> Matt
>>
>>
>> _______________________________________________
>> WiFiDog mailing list
>> WiFiDog at listes.ilesansfil.org
>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
> Hi,
>
> It sounds related to the nat table?
>
> Verify that you have these rules:
>
> iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
> # SNAT (MASQUERADE) on eth0
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> Where eth1 is the interface your clients are connected on.
>
> --
> Menil Jean-Philippe
> DSI de l'Université de Nantes
> tel: 02 51 12 53 92
> Fax: 02 51 12 58 60
> Jean-Philippe.Menil at univ-nantes.fr
>
>
>
>
> __________ Information from ESET NOD32 Antivirus, version of virus signature database 4388 (20090902) __________
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
>
> This communication, including all attachments, is intended solely for the use of the person or persons to whom it is addressed and should be treated as a confidential NLPL document.
>
> If you are not the intended recipient, any use, distribution, printing, or copying of this email is strictly prohibited.
>
> If you received this email in error, please immediately delete it from your system and notify the originator. Your cooperation is appreciated.
Hi,
If I understand correctly, the wireless clients are on eth2, and eth1 is
your private LAN?
So WiFiDog is running on the eth2 interface, right?
Can you provide us with the output of these commands:
iptables -nvL
iptables -t nat -nvL
Regards.
--
Menil Jean-Philippe
DSI de l'Université de Nantes
tel: 02 51 12 53 92
Fax: 02 51 12 58 60
Jean-Philippe.Menil at univ-nantes.fr
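Reading the filter-table dump at the top of this message, a packet that enters on eth2 and leaves on eth0 takes FORWARD -> eth2_fwd -> wifi2net; that chain accepts only udp/53 and hands everything else to all2all, whose last two rules are LOG and reject, and the 707/710 packet counters on those rules are where the Wi-Fi clients' traffic is ending up. Only Shorewall's own chains appear in the dump (WiFiDog normally adds chains of its own to the filter, nat and mangle tables; that is from the WiFiDog source, not from this thread), and the mangle table was not dumped at all. The script below is an added example, not code from the thread, from WiFiDog or from Shorewall: it parses `iptables -nvL` output and walks a constructed first packet through the chains the way the kernel does, so the rule that actually decides a packet can be read off instead of guessed. The embedded dump is an excerpt of the one posted above; the client and server addresses in the packet are assumed.

```python
"""Walk `iptables -nvL` output the way the kernel does, to find the rule that decides a packet.
Added example for the thread above; not code from the thread, WiFiDog or Shorewall."""
import ipaddress
import re

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# Excerpt of the filter-table dump posted above; column headers and chains off the eth2->eth0 path omitted.
SAMPLE_DUMP = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
  748 39901 eth2_fwd all -- eth2 * 0.0.0.0/0 0.0.0.0/0
Chain Reject (4 references)
    0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
  685 34888 dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain all2all (7 references)
   12 1488 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
19023 1826K Reject all -- * * 0.0.0.0/0 0.0.0.0/0
  710 37709 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
  710 37709 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain dropNotSyn (2 references)
    1 40 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02
Chain dynamic (6 references)
Chain eth2_fwd (1 references)
  748 39901 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
  748 39901 wifi2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain reject (11 references)
    0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
  685 34888 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
18056 1732K REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain wifi2net (1 references)
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
   41 2291 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 LOG flags 0 level 7 prefix `Shorewall:wifi2net:ACCEPT:'
   41 2291 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
  707 37610 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
"""


def parse_dump(text):
    """Return {chain: (policy or None, [rule tokens])} from `iptables -nvL` text."""
    chains, current = {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "pkts":             # blank lines and column headers
            continue
        if tok[0] == "Chain":
            current = tok[1]
            policy = re.search(r"\(policy (\w+)", line)
            chains[current] = (policy.group(1) if policy else None, [])
        else:
            chains[current][1].append(tok)
    return chains


def rule_matches(tok, pkt):
    """Evaluate one -nvL rule line's match fields (not its target) against a packet dict."""
    prot, dev_in, dev_out, src, dst = tok[3], tok[5], tok[6], tok[7], tok[8]
    if prot not in ("all", pkt["proto"]):
        return False
    if dev_in not in ("*", pkt["in"]) or dev_out not in ("*", pkt["out"]):
        return False
    for addr, net in ((pkt["src"], src), (pkt["dst"], dst)):
        if ipaddress.ip_address(addr) not in ipaddress.ip_network(net, strict=False):
            return False
    extra = tok[9:]
    for i, key in enumerate(extra):
        if key == "state" and pkt["state"] not in extra[i + 1].split(","):
            return False                            # conntrack state list
        if key.startswith(("dpt:", "dpts:")):       # destination port or lo:hi range
            lo, _, hi = key.split(":", 1)[1].partition(":")
            if not int(lo) <= pkt["dport"] <= int(hi or lo):
                return False
        if key.startswith("flags:"):                # tcp flags:[!]mask/compare
            spec = key[6:]
            mask, want = (int(x, 16) for x in spec.lstrip("!").split("/"))
            if ((pkt["flags"] & mask) == want) == spec.startswith("!"):
                return False
    return True                                     # other words are protocol names or target options


def trace(chains, chain, pkt, path):
    """Walk `chain` for `pkt`, appending 'chain[n] -> target' steps to path; return the verdict."""
    policy, rules = chains[chain]
    for n, tok in enumerate(rules, 1):
        if not rule_matches(tok, pkt):
            continue
        target = tok[2]
        path.append(f"{chain}[{n}] -> {target}")
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        if target != "LOG":                         # LOG is non-terminating; anything else is a user chain
            verdict = trace(chains, target, pkt, path)
            if verdict is not None:
                return verdict
    if policy is not None:                          # built-in chain: policy decides the rest
        path.append(f"{chain} policy {policy}")
    return policy


def trace_from_wifi(proto, dport, dump=SAMPLE_DUMP):
    """Constructed NEW packet from a Wi-Fi client on eth2 bound for the Internet via eth0."""
    pkt = {"in": "eth2", "out": "eth0", "proto": proto, "dport": dport, "state": "NEW",
           "src": "10.0.0.50", "dst": "198.51.100.10",    # assumed client and server addresses
           "flags": 0x02 if proto == "tcp" else 0}        # a bare SYN, as the first packet is
    path = []
    return trace(parse_dump(dump), "FORWARD", pkt, path), path
```

trace_from_wifi("udp", 53) comes back ACCEPT, ending at wifi2net[3]; trace_from_wifi("tcp", 80) comes back REJECT, ending at reject[2] after passing through all2all and its Reject sub-chain, where the bare SYN is correctly left alone by dropNotSyn. The same parse_dump/trace pair runs unchanged on a live `iptables -nvL` capture, and also works for the INPUT path by starting the walk at "INPUT" with the packet's out interface set to "*"; a packet that reaches the end of a built-in chain without a terminating match is reported with that chain's policy, which is the DROP shown in the dump's FORWARD header.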
More information about the WiFiDog mailing list