
firestarter ICS bridge routing



Here is the setup:

cable modem >>>

router DI-604 running DHCP, 192.168.10.2 gw >>>

WRT54G running OpenWrt, 192.168.20.1 >>>> (wifi disabled, just running as a router)

I then have an Ubuntu box with 2 NICs: 192.168.20.136 (facing the internet) and 192.168.1.1 (connected to the Fon+).

My Fonera+ has 192.168.1.129.

I go to :1471 and make sure it is down, then run top and kill dnsmasq, then start it up with 192.168.1.120,192.168.1.140.

This works fine... I start up Jasager, make sure I am in whitelist mode and add linksys...

I start up the laptop and surf to linksys; it may fail once, but then I attach and get an IP. I have to add the route as 192.168.1.1, and then I can ping out and also resolve. I can surf to Google and have fast Google News etc. and a few other sites, but regular surfing does not work.

I am looking into making sure I have an unobstructed view to the internet... I can get on the server machine and surf fine to sites; the problem is isolated to the wireless client. I have Firestarter facilitating ICS and IPv4 forwarding is on. I have tried a couple of firewall rules but they have not seemed to have an effect (br-lan fwd/accept); maybe I will have another look at these, and look at Wireshark to see what is happening. Any suggestions/advice appreciated.

++++++++

I need to have DHCP hand out the correct gateway as well as assign the IP (it assigns the ISP fine; I just have to check what it is putting in resolv...).

I need to add a rule to iptables so that packets coming in on one network know how to be routed to 10.1.1.0?

Lastly, here is ifconfig from an ssh session on the Fon, and some other configs:

login as: root
root@192.168.1.129's password:

BusyBox v1.4.2 (2008-12-01 23:41:48 EST) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__| |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (7.09) -----------------------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
 ---------------------------------------------------
root@OpenWrt:~# ifconfig
ath0      Link encap:Ethernet  HWaddr 00:18:84:A3:14:A9
          inet addr:10.1.1.1  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:25976 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26518 errors:0 dropped:61 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2188422 (2.0 MiB)  TX bytes:11808015 (11.2 MiB)

br-lan    Link encap:Ethernet  HWaddr 00:18:84:A3:14:A8
          inet addr:192.168.1.129  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:43441 errors:0 dropped:0 overruns:0 frame:0
          TX packets:47184 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2683232 (2.5 MiB)  TX bytes:34672962 (33.0 MiB)

eth0      Link encap:Ethernet  HWaddr 00:18:84:A3:14:A8
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:30395 errors:0 dropped:0 overruns:0 frame:0
          TX packets:40862 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6552701 (6.2 MiB)  TX bytes:28337996 (27.0 MiB)
          Interrupt:4 Base address:0x1000

eth0.0    Link encap:Ethernet  HWaddr 00:18:84:A3:14:A8
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:30391 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34585 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:6126971 (5.8 MiB)  TX bytes:26281382 (25.0 MiB)

eth0.1    Link encap:Ethernet  HWaddr 00:18:84:A3:14:A8
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6276 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:2027148 (1.9 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:313 errors:0 dropped:0 overruns:0 frame:0
          TX packets:313 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:34161 (33.3 KiB)  TX bytes:34161 (33.3 KiB)

wifi0     Link encap:Ethernet  HWaddr 00:18:84:A3:14:A9
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:93401 errors:0 dropped:0 overruns:0 frame:499696
          TX packets:27990 errors:1000 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:199
          RX bytes:10937247 (10.4 MiB)  TX bytes:12557876 (11.9 MiB)
          Interrupt:3 Memory:b0000000-b00ffffc

root@OpenWrt:~#

chad@lappie:~$ ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:41688 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41688 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:6916172 (6.5 MB)  TX bytes:6916172 (6.5 MB)

wlan0     Link encap:Ethernet  HWaddr xx:r0:0c:i0:37:xx
          inet addr:192.168.1.105  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::240:cff:fe00:37ec/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19653 errors:48 dropped:5592 overruns:0 frame:0
          TX packets:18246 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10598420 (10.1 MB)  TX bytes:1928088 (1.8 MB)

chad@lappie:~$ traceroute 4.2.2.2
traceroute to 4.2.2.2 (4.2.2.2), 30 hops max, 40 byte packets
 1  * * *
 2  * * 192.168.20.1 (192.168.20.1)  152.462 ms
 3  192.168.10.2 (192.168.10.2)  152.667 ms  152.628 ms *
 4  * * *
 5  * * *

Here is a copy of my firewall user entry:

#!/bin/sh
# Copyright © 2006 OpenWrt.org

iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

# The following chains are for traffic directed at the IP of the
# WAN interface

iptables -F input_wan
iptables -F forwarding_wan
iptables -t nat -F prerouting_wan

### Open port to WAN
## -- This allows port 22 to be answered by (dropbear on) the router
# iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
# iptables -A input_wan -p tcp --dport 22 -j ACCEPT

### Port forwarding
## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
# iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80
# iptables -A forwarding_wan -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT

### DMZ
## -- Connections to ports not handled above will be forwarded to 192.168.1.2
# iptables -t nat -A prerouting_wan -j DNAT --to 192.168.1.2
# iptables -A forwarding_wan -d 192.168.1.2 -j ACCEPT

File /etc/config/firewall, the main firewall script, is blank.

Here is route from the Jasager client:

chad@lappie:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 wlan0
default         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0

Here is /etc/config/network from OpenWrt:

config 'switch' 'eth0'
        option 'vlan0' '1 2 3 4 5*'
        option 'vlan1' '0 5'

config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'

config 'interface' 'lan'
        option 'type' 'bridge'
        option 'ifname' 'eth0.0 ath0'
        option 'netmask' '255.255.255.0'
        option 'proto' 'dhcp'
        option 'gateway' ''
        option 'ipaddr' '192.168.1.129'

config 'interface' 'wan'
        option 'ifname' 'eth0.1'
        option 'proto' 'dhcp'
        option 'type' ''
        option 'ipaddr' ''
        option 'netmask' ''
        option 'gateway' ''

I am considering changing most of the IPs to static or static DHCP; I have yet to add to the hosts files on the routers or the main machine.

I can follow up on this thread, and sorry for being somewhat disorganized. I would like to see this work to its potential; almost there. Feel free to add suggestions. I did have Tor going and thought, oh, that is why I am able to surf some, but I turned Tor and Privoxy off and still get the same behavior: really decent connectivity to Google but nothing to the rest of the intarweb.


You are going to need a rule on your default gateway, and on any other routing devices, that says that to route to the subnet the Fon is on you need to go through Jasager.

I'd drop all the firewall stuff and just try to get a connection without it first.

Going with static IPs to start with is also a good idea. Make everything as basic and fixed as possible, get it working and then move up from there one step at a time.

Make sure you have /proc/sys/net/ipv4/ip_forward set to 1 on the machine doing the forwarding.

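The reply above boils down to two checks per box: does each router on the way back have a route for the Fon's subnet pointing at the next hop toward Jasager, and is ip_forward set to 1 on the machine doing the forwarding. The following script is an added example, not code from the thread or from Jasager/OpenWrt, that audits exactly that against constructed "ip route" output for the three boxes in the poster's layout. The interface names (vlan1, br0, eth0, eth1, wan, lan), the upstream address 203.0.113.1 and the WRT54G WAN address 192.168.10.50 are assumptions; the thread does not state them. The DI-604 table is deliberately built without the return route so the audit has something to flag.

```shell
#!/bin/sh
# Added example (not from the thread): audit the return path for the
# wireless subnet behind the Fonera. Every router between the client and
# the internet needs a route back to 192.168.1.0/24 via the next hop toward
# the Jasager/ICS box, and that box needs net.ipv4.ip_forward=1.
# The route tables below are CONSTRUCTED sample "ip route" output following
# the thread's layout (DI-604 -> WRT54G -> Ubuntu ICS box -> Fonera); they
# were not captured from the poster's devices.

FON_SUBNET='192.168.1.0/24'

# WRT54G (192.168.20.1): has the return route via the Ubuntu ICS box.
# Interface names vlan1/br0 are assumed.
WRT54G_ROUTES='default via 192.168.10.2 dev vlan1
192.168.10.0/24 dev vlan1 scope link
192.168.20.0/24 dev br0 scope link
192.168.1.0/24 via 192.168.20.136 dev br0'

# Ubuntu ICS box: the Fon subnet is directly connected on its second NIC.
ICS_ROUTES='default via 192.168.20.1 dev eth0
192.168.20.0/24 dev eth0 scope link
192.168.1.0/24 dev eth1 scope link'

# DI-604 (192.168.10.2): constructed to LACK the return route so the audit
# flags it. 203.0.113.1 is a placeholder upstream gateway.
DI604_ROUTES='default via 203.0.113.1 dev wan
192.168.10.0/24 dev lan scope link'

# Placeholder for the WRT54G WAN address (not given in the thread).
WRT54G_WAN='192.168.10.50'

# next_hop TABLE PREFIX: print the gateway after "via" for an exact PREFIX
# match, "connected" for a directly attached route, nothing if absent.
next_hop() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == p {
            for (i = 2; i <= NF; i++) if ($i == "via") { print $(i + 1); exit }
            print "connected"; exit
        }'
}

# check_hop NAME TABLE PREFIX EXPECTED: 0 if TABLE sends PREFIX to EXPECTED.
check_hop() {
    got=$(next_hop "$2" "$3")
    if [ "$got" = "$4" ]; then
        echo "ok      $1: $3 -> $got"
        return 0
    fi
    echo "MISSING $1: $3 -> ${got:-no route} (expected $4)"
    return 1
}

# ip_forward_enabled FILE: 0 if the sysctl file holds exactly "1".
ip_forward_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# audit: walk the path from the ICS box outward; exit status is the number
# of hops whose table does not point back toward the Fon subnet.
audit() {
    fails=0
    check_hop ICS    "$ICS_ROUTES"    "$FON_SUBNET" connected      || fails=$((fails + 1))
    check_hop WRT54G "$WRT54G_ROUTES" "$FON_SUBNET" 192.168.20.136 || fails=$((fails + 1))
    check_hop DI604  "$DI604_ROUTES"  "$FON_SUBNET" "$WRT54G_WAN"  || fails=$((fails + 1))
    return "$fails"
}

# Stand-alone run: report the constructed path, then check this host's
# own forwarding sysctl (read-only; it changes nothing).
audit && echo "return path complete" || echo "return path incomplete"
ip_forward_enabled /proc/sys/net/ipv4/ip_forward \
    && echo "ip_forward=1 on this host" \
    || echo "ip_forward is not 1 on this host (sysctl -w net.ipv4.ip_forward=1 on the forwarder)"
```

On a real box, replace each constant with `ip route` output from that device (or `route -n`, as in the thread) and keep the expected next hops as written. One caveat: if the ICS host masquerades the Fon subnet behind 192.168.20.136, which is what Internet connection sharing normally means, the upstream routers only ever see 192.168.20.136 and the return routes are not required for outbound traffic; in that case the checks that still matter are ip_forward and the FORWARD policy on the ICS box itself.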


1. OK, all fw stuff is dropped, check... My ssh session died; I rebooted the Fonera, went to 1471 and the interface is up with Karma off. I connected wirelessly, added my route as 192.168.1.1, and I can ping and resolve Google. I open a browser and get a fast connection to Google.

2. Checking the laptop's /etc/resolv.conf shows nameserver 4.2.2.2, which works...

3. cat /proc/sys/net/ipv4/ip_forward shows 1, check.

So traffic will be coming back on my internal ICS ethernet, which is 192.168.1.1, and then needs to get routed to 192.168.1.129 (the Fon ethernet, which is bridged to the Fon; this shows up as br-lan).

arp shows 192.168.1.1 as br-lan.

brctl show yields br-lan comprised of eth0.0 and ath0.

Do I need to log into a shell and enable forwarding on OpenWrt, which is acting as gateway?

Sorry, I am a bit lost here, but I am willing to stick to it until I get it. I am looking at running some enumeration programs or some simple command-line investigation to see more fully what is happening. I have ntop, EtherApe and Wireshark running on machines... maybe I need to start applying some filters and drilling down to isolate and make sense of it all. Like you said, one step at a time... Since I have it running and am even just surfing Google, at least that gives me some faith that I am close to solving the puzzle... the routing must be close or I would not be getting this type of connectivity. Once I get it going I am going to start up some torrents just to torture-test it for a while. I was impressed that Tor seemed to have no problems with it either! OK, thanks for all the help and patience; I really do appreciate it.


You mentioned a 10.x and a 192.168.20.x subnet before, what are they?

I don't run any iptables rules on any device, you don't need them to get this working. I'd definitely get rid of them all, especially on the fon.


Well, I got Windows going with ICS now, just because I am curious... I am getting the exact same behavior: I establish my route and hit Google fine... just no rest of the internet. I may look at walkthroughs one more time, and I may well hook the other drive up and do iptables hacking. That last link looked to be interesting; the repeater aspect could be valuable for a WISP. I am going to have to check out some wikis and how-tos. The wireless field looks to be growing fast, especially with white space spectrum becoming available. I am sort of surprised there are not more ad hoc metro WISPs popping up. I guess backhaul bandwidth can get pricey.


Update: I am running it... it is handing out addresses; I may have fixed it so it also hands out the gateway; DNS is working through my network... I have successfully completed the necessary circuit (Google News works great) but other sites do not resolve... they ping and resolve fine, I mean, but no browser action is happening. I am also into the Fon through the wireless client now (it is easy to lock yourself out and lose the IP settings; I just plug in WAN and screw around with it, and after nmap and Wireshark you will zoom in on it. I think I may have reflashed once on account of this... this is in spite of the fact that I have LAN as static; sometimes it just doesn't show up for me). Anyway, I do have a large collection of rules in /etc/init.d/firewall; I am considering flushing everything and just starting a custom ruleset. I also saw this...

Note: In current versions of Kamikaze, traffic forwarding is disallowed by default. This means that in order to route between multiple networks on your local network, you will need to allow this. From telnet or ssh, enter this if your router can ping these networks, but hosts return "destination port unreachable":

uci set firewall.@zone[0].forward=ACCEPT; uci commit firewall; /etc/init.d/firewall restart


I am sshing to my gateway to make it forward to the other subnet...

iptables -L -v locks me out. I then ssh again to the router and

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -L -v locks me out again... maybe I should ssh more directly and not from the client... OK, I just checked that and no problem; I load up the ruleset fine... time to make some alterations.
