
Thread: [HowTo] Install and configure Oleg's firmware

  1. #601
    show full output of:
    Code:
    cat /tmp/filter_rules
    iptables-save -t filter

  2. #602
    Quote Originally Posted by al37919 View Post
    show full output of:
    Code:
    cat /tmp/filter_rules
    iptables-save -t filter
    Code:
    [root@WL-500gpv2 root]$ cat /tmp/filter_rules
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :MACS - [0:0]
    :SECURITY - [0:0]
    :logaccept - [0:0]
    :logdrop - [0:0]
    -A SECURITY -p tcp --syn -m limit --limit 1/s -j RETURN
    -A SECURITY -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
    -A SECURITY -p udp -m limit --limit 5/s -j RETURN
    -A SECURITY -p icmp -m limit --limit 5/s -j RETURN
    -A SECURITY -j DROP
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -i lo -m state --state NEW -j ACCEPT
    -A INPUT -i br0 -m state --state NEW -j ACCEPT
    -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
    -A INPUT -j DROP
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -m state --state INVALID -j DROP
    -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A FORWARD -o vlan1 ! -i br0 -j DROP
    -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
    -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logaccept -j ACCEPT
    -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logdrop -j DROP
    COMMIT
    Code:
    [root@WL-500gpv2 root]$ iptables-save -t filter
    # Generated by iptables-save v1.2.7a on Tue Mar 17 11:19:54 2009
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [50:2400]
    :OUTPUT ACCEPT [1784:622885]
    :MACS - [0:0]
    :SECURITY - [0:0]
    :logaccept - [0:0]
    :logdrop - [0:0]
    -A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -m recent recent: seconds: 1701970168 hit_count: 1953391971 name:  side: source
    -A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -m recent recent: seconds: 1701970168 hit_count: 1953391971 name:  side: source -j DROP
    -A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 21 -j ACCEPT
    -A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 65100:65150 -j ACCEPT
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -m state --state NEW -j ACCEPT
    -A INPUT -i br0 -m state --state NEW -j ACCEPT
    -A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
    -A INPUT -j DROP
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -m state --state INVALID -j DROP
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i ! br0 -o vlan1 -j DROP
    -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
    -A SECURITY -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
    -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
    -A SECURITY -p udp -m limit --limit 5/sec -j RETURN
    -A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
    -A SECURITY -j DROP
    -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logaccept -j ACCEPT
    -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logdrop -j DROP
    COMMIT
    # Completed on Tue Mar 17 11:19:54 2009

  3. #603
    these lines:
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -m state --state NEW -j ACCEPT
    -A INPUT -i br0 -m state --state NEW -j ACCEPT
    should be in the beginning of the INPUT chain.

    Just a guess: at the moment you accept INVALID packets ==> the results can be unpredictable.

  4. #604

    OK!

    Thank you Al! I re-ordered iptables rules as you say. I'll see the result.
    But what is with those cryptic numbers in the iptables-save command? Cause it seems that they aren't counters - what are those numbers in the INPUT-recent chain?
    Last edited by adrianio; 17-03-2009 at 11:35.

  5. #605

    UPnP service

    I tried the UPnP experience and I'm glad to share it with you.
    First, I'm sorry Al, that I said that UPnP service does not work with 1.9.2.7-10.7 firmware. It works.
    First we have to assure that UPnP service is installed and is working under Windows: http://support.microsoft.com/kb/941206
    Second there are only few utilities to command router port forwarding from Windows. I tried about 5 of them and none works except for this: http://www.codeproject.com/KB/IP/PortForward.aspx
    ...but the download link from the above site is broken, so I found it and put it here as an attachment.

    I hope you are satisfied with this!
    Last edited by adrianio; 17-03-2009 at 21:22.

  6. #606
    Quote Originally Posted by adrianio View Post
    I tried the UPnP experience and I'm glad to share it with you.
    First, I'm sorry Al, that I said that UPnP service does not work with 1.9.2.7-10.7 firmware. It works.
    First we have to assure that UPnP service is installed and is working under Windows: http://support.microsoft.com/kb/941206
    Second there are only few utilities to command router port forwarding from Windows. I tried about 5 of them and none works except for this: http://www.codeproject.com/KB/IP/PortForward.aspx
    ...but the download link from the above site is broken, so I found it and put it here as an attachment.

    I hope you are satisfied with this!


    it works......tnx .....

  7. #607
    Quote Originally Posted by al37919 View Post
    these lines:

    should be in the beginning of the INPUT chain.

    Just a guess: at the moment you accept INVALID packets ==> the results can be unpredictable.
    Al, I studied how UPnP inserts rules in VSERVER chain and in FORWARD chain. So, in FORWARD chain rules are added on top of rules to drop invalid packets and let RELATED, ESTABLISHED traffic, so .... I think here may be a source of errors on forwarding ports. I did not experience errors, but, again, as you say above, INVALID packets could traverse FORWARD chain through UPnP forwarded ports.

    Solution is as UPnP to trigger commands like:

    Code:
    iptables -I FORWARD 4 -p tcp -m tcp --dport port_num -j ACCEPT
    or, for flexibility to target a predefined "UPnP" chain. But I do not know how to modify this ...

    We do not even need to accept forwarding (through FORWARD chain) UPnP ports cause we have in firewall:
    Code:
    -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
    and so, DNAT-ed packets from VSERVER chain are already accepted through forwarding chain. ...But, it seems that this conntrack rule is not working. Maybe, because ip_conntrack.o module is missing?

    I'm back cause I do not understand why there is no ending FORWARD rule to:
    Code:
    iptables -A FORWARD -j DROP
    This is a security hole!!!
    Last edited by adrianio; 18-03-2009 at 14:23.
    Router ASUS WL500GPv2 with Oleg WL500gpv2-1.9.2.7-d-r1222.trx
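
Added example (not part of any post in this thread, and not code from the firmware): a small Python audit of `iptables-save` text for the two issues raised in posts #603 and #607, namely ACCEPT rules evaluated ahead of the INVALID drop and a chain that falls through to an ACCEPT policy. The sample ruleset is constructed and abridged from the output in post #602; the function names and finding labels are this example's own.

```python
import shlex

# Constructed sample, abridged from the iptables-save output in post #602.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [50:2400]
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
"""

def parse(text):
    """Return ({chain: policy}, {chain: [rule token lists]}) from iptables-save text."""
    policies, rules = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            rules.setdefault(name, [])
        elif line.startswith("-A "):
            tokens = shlex.split(line)          # handles quoted --log-prefix values
            rules.setdefault(tokens[1], []).append(tokens[2:])
    return policies, rules

def target(rule):
    return rule[rule.index("-j") + 1] if "-j" in rule else None
def drops_invalid(rule):
    return target(rule) == "DROP" and any("INVALID" in t.split(",") for t in rule)

def audit(text, chains=("INPUT", "FORWARD")):
    """Return (chain, issue, rule) tuples; the issue labels are this example's own."""
    policies, rules = parse(text)
    findings = []
    for chain in chains:
        chain_rules = rules.get(chain, [])
        for rule in chain_rules:                # rules evaluated before the INVALID drop
            if drops_invalid(rule):
                break
            if target(rule) == "ACCEPT":
                findings.append((chain, "accept-before-invalid-drop", " ".join(rule)))
        ends_closed = bool(chain_rules) and chain_rules[-1] in (["-j", "DROP"], ["-j", "REJECT"])
        if policies.get(chain) == "ACCEPT" and not ends_closed:
            findings.append((chain, "falls-through-to-accept-policy", ""))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

To check a live router, save the output of `iptables-save -t filter` to a file and pass its contents to `audit()`; the LAN-to-LAN `br0` rule is reported too, since it also sits above the INVALID drop.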

  8. #608

    PORT COMMAND FAILED

    Code:
    PORT COMMAND FAILED!   500 Illegal port COMMAND
    i change port on ftp "1021" and when i try to connect it give that error

    how can i fix it?

    Code:
    [TheCrow@WL-001FC6D7E6E7 root]$ lsmod
        Tainted: P
    usb-storage            63312   3
    sd_mod                 12660   6
    scsi_mod               72624   2 [usb-storage sd_mod]
    videodev                8752   0 (unused)
    audio                  47176   0 (unused)
    soundcore               4920   0 [audio]
    printer                12964   0 (unused)
    ehci-hcd               22916   0 (unused)
    usb-ohci               19412   0 (unused)
    usbcore                76112   1 [usb-storage audio printer ehci-hcd usb-ohci]
    ip_nat_ftp              3136   0 (unused)
    ip_conntrack_ftp        4584   2
    wl                    897336   0 (unused)
    et                     29024   0 (unused)
    [TheCrow@WL-001FC6D7E6E7 root]$
    What is wrong????
    Last edited by TheCrow; 20-03-2009 at 08:19.

  9. #609
    I don't know the answer for your question Crow, cause I have disabled ftp in web page and I installed another ftp server (for now is pure-ftpd).
    But, I have a question too, related to ftp. Is there a way (optware package) to use disk quota? Cause I want to limit disk usage for the ftp running user (ftpuser).
    Pure-ftpd has disk quota for every user, but I'd like to apply quota for all ftp users group.
    Last edited by adrianio; 20-03-2009 at 10:30.
    Router ASUS WL500GPv2 with Oleg WL500gpv2-1.9.2.7-d-r1222.trx

  10. #610
    sry....i dont know....

  11. #611
    PORT COMMAND FAILED! 500 Illegal port COMMAND
    try to connect in passive mode

  12. #612

    SANE

    Does anybody have working SANE? I would appreciate any help on this...thanx for any advice or link to an advice..;-)

  13. #613
    Quote Originally Posted by darius by PM
    As I cannot unmount part1, what is a standard procedure to make part1 on.
    Use swapon / swapoff:
    Code:
    [admin@blechbuechse root]$ swapoff /dev/discs/disc0/part1
    [admin@blechbuechse root]$ free
                 total       used       free     shared    buffers     cached
    Mem:         13964      13448        516          0       1548       7336
    -/+ buffers/cache:       4564       9400
    Swap:            0          0          0
    [admin@blechbuechse root]$ swapon /dev/discs/disc0/part1
    [admin@blechbuechse root]$ free
                 total       used       free     shared    buffers     cached
    Mem:         13964      13696        268          0       1548       7336
    -/+ buffers/cache:       4812       9152
    Swap:       500432          0     500432
    wengi
    HowTo Overview (mostly German)
    WL-HDD with this setup.
    No support via PM - ask in the according thread!
    You can recognize a really good idea by the fact that its realization seems impossible from the outset. (Albert Einstein)

  14. #614
    Quote Originally Posted by wengi View Post
    Use swapon / swapoff:
    Code:
    [admin@blechbuechse root]$ swapoff /dev/discs/disc0/part1
    [admin@blechbuechse root]$ free
                 total       used       free     shared    buffers     cached
    Mem:         13964      13448        516          0       1548       7336
    -/+ buffers/cache:       4564       9400
    Swap:            0          0          0
    [admin@blechbuechse root]$ swapon /dev/discs/disc0/part1
    [admin@blechbuechse root]$ free
                 total       used       free     shared    buffers     cached
    Mem:         13964      13696        268          0       1548       7336
    -/+ buffers/cache:       4812       9152
    Swap:       500432          0     500432
    wengi
    Thanks for your excellent help.

    In the meantime TonyFullerMalv provided me with nice explanation
    "
    A dedicated swap partition does not get mounted, it is just used and is a raw filesystem.
    "

    Darius

  15. #615

    part1 swap is not mounting, no /opt partition

    Quote Originally Posted by wengi View Post
    Use swapon / swapoff:
    Code:
    [admin@blechbuechse root]$ swapoff /dev/discs/disc0/part1
    [admin@blechbuechse root]$ free
                 total       used       free     shared    buffers     cached
    Mem:         13964      13448        516          0       1548       7336
    -/+ buffers/cache:       4564       9400
    Swap:            0          0          0
    [admin@blechbuechse root]$ swapon /dev/discs/disc0/part1
    [admin@blechbuechse root]$ free
                 total       used       free     shared    buffers     cached
    Mem:         13964      13696        268          0       1548       7336
    -/+ buffers/cache:       4812       9152
    Swap:       500432          0     500432
    wengi
    Hi,

    I am back, as the problem persists.
    My router No.1 worked fine, Oleg's firmware,
    applications installed on usb 4GB stick
    and part2 /opt mounted regularly, part1 was on.

    I reflashed it with Koppel for cellular modem support.
    And part1 stopped to be swap-on, /opt directory is empty

    I insert the same usb stick into my No.2 router
    and part1 swap is on, /part2 /opt is mounted and I can run applications.

    I can swapon on router No.1 and it works.
    Unfortunately /opt directory is empty, so no preinstalled applications to run.

    I discover the problem with putty when
    ssh telnet session is closed immediately for router No.1

    As I use the same system hdd stick on both routers,
    what can be done to have
    part1 swap-on and part2 /opt mounted on router No.1 on boot ?

    As you can see, swap was off
    so I followed your great tutorial
    mkswap
    swapon

    Code:
    [admin@aa /opt]$ free
                  total         used         free       shared      buffers
      Mem:        30324        14264        16060            0         1772
     Swap:            0            0            0
    Total:        30324        14264        16060
    [admin@aa /opt]$ mkswap /dev/discs/disc0/part1
    Setting up swapspace version 1, size = 534499328 bytes
    [admin@aa /opt]$ free
                  total         used         free       shared      buffers
      Mem:        30324        14272        16052            0         1772
     Swap:            0            0            0
    Total:        30324        14272        16052
    [admin@aa /opt]$ swapon /dev/discs/disc0/part1
    [admin@aa /opt]$ free
                  total         used         free       shared      buffers
      Mem:        30324        14532        15792            0         1772
     Swap:       521968            0       521968
    Total:       552292        14532       537760
    [admin@aa /opt]$ free
                  total         used         free       shared      buffers
      Mem:        30324        14532        15792            0         1772
     Swap:       521968            0       521968
    Total:       552292        14532       537760
    [admin@aa /opt]$


    Code:
    [admin@aa root]$ ls
    [admin@aa root]$ cd /
    [admin@aa /]$ cd /opt
    [admin@aa /opt]$ ls
    [admin@aa /opt]$ mount
    /dev/root on / type squashfs (ro)
    none on /dev type devfs (rw)
    proc on /proc type proc (rw)
    ramfs on /tmp type ramfs (rw)
    usbfs on /proc/bus/usb type usbfs (rw)
    /dev/discs/disc0/part2 on /tmp/mnt/disc0_2 type ext3 (rw,noatime)
    /dev/discs/disc0/part3 on /tmp/mnt/disc0_3 type ext3 (rw,noatime)
    [admin@aa /opt]$ free
                  total         used         free       shared      buffers
      Mem:        30324        14256        16068            0         1772
     Swap:            0            0            0
    Total:        30324        14256        16068
    [admin@aa /opt]$ fdisk -l
    
    Disk /dev/scsi/host0/bus0/target0/lun0/disc: 4009 MB, 4009754624 bytes
    145 heads, 48 sectors/track, 1125 cylinders
    Units = cylinders of 6960 * 512 = 3563520 bytes
    
                                     Device Boot    Start       End    Blocks   Id  System
    /dev/scsi/host0/bus0/target0/lun0/part1               1         150      521976   82  Linux swap
    /dev/scsi/host0/bus0/target0/lun0/part2             151         500     1218000   83  Linux
    /dev/scsi/host0/bus0/target0/lun0/part3             501        1125     2175000   83  Linux
    [admin@aa /opt]$ df -l
    df: illegal option -- l
    BusyBox v1.1.3 (2008.04.25-08:17+0000) multi-call binary
    
    Usage: df [-hmk] [FILESYSTEM ...]
    
    [admin@aa /opt]$ df -l
    df: illegal option -- l
    BusyBox v1.1.3 (2008.04.25-08:17+0000) multi-call binary
    
    Usage: df [-hmk] [FILESYSTEM ...]
    edited once again (was empty)

    vi /etc/fstab

    echo "/etc/fstab" >> /usr/local/.files

    edited pre-mount

    vi /usr/local/sbin/pre-mount

    and on reboot

    flashfs save && flashfs commit && flashfs enable && reboot

    ======
    Code:
    [admin@aa root]$ mount
    /dev/root on / type squashfs (ro)
    none on /dev type devfs (rw)
    proc on /proc type proc (rw)
    ramfs on /tmp type ramfs (rw)
    usbfs on /proc/bus/usb type usbfs (rw)
    /dev/discs/disc0/part2 on /opt type ext3 (rw,noatime)
    /dev/discs/disc0/part3 on /tmp/mnt/disc0_3 type ext3 (rw,noatime)
    [admin@aa root]$ free
                 total       used       free     shared    buffers     cached
    Mem:         30324      17492      12832          0       1864       8476
    -/+ buffers/cache:       7152      23172
    Swap:       521968          0     521968
    [admin@aa root]$
    So it works fine.

    run mc
    and clicking on arrow keys generates the following

    AAAABBBBAAAAACCCCCDDDDAABBDDCCCDDABBBBBBBBACCDABD B

    Ok. Closed putty session as there was no other way to press F10 for
    mc exit
    and get command line back

    Opened new putty session
    and arrows don't work in mc
    so no way to use mc.

    Any idea, any solution ?

    Darius
