show full output of:
Code:
cat /tmp/filter_rules
iptables-save -t filter
Code:
[root@WL-500gpv2 root]$ cat /tmp/filter_rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A SECURITY -p tcp --syn -m limit --limit 1/s -j RETURN
-A SECURITY -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
-A SECURITY -p udp -m limit --limit 5/s -j RETURN
-A SECURITY -p icmp -m limit --limit 5/s -j RETURN
-A SECURITY -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -o vlan1 ! -i br0 -j DROP
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
Code:
[root@WL-500gpv2 root]$ iptables-save -t filter
# Generated by iptables-save v1.2.7a on Tue Mar 17 11:19:54 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [50:2400]
:OUTPUT ACCEPT [1784:622885]
:MACS - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -m recent recent: seconds: 1701970168 hit_count: 1953391971 name: side: source
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -m recent recent: seconds: 1701970168 hit_count: 1953391971 name: side: source -j DROP
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 65100:65150 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o vlan1 -j DROP
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN
-A SECURITY -j DROP
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Tue Mar 17 11:19:54 2009
these lines:
Quote:
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
should be in the beginning of the INPUT chain.
Just a guess: at the moment you accept INVALID packets ==> the results can be unpredictable.
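Both ordering problems discussed in this thread (the state rules sitting behind per-port ACCEPTs in INPUT, and the FORWARD chain with no terminal DROP that is raised a few posts further down) can be checked mechanically against an iptables-save dump. The script below is an added example, not code from the thread or the firmware; SAMPLE_RULES and FIXED_RULES are constructed from the rules posted above, and rule_pos, check_input_order and check_forward_default are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread: lint an iptables-save dump for the two
# points raised above. SAMPLE_RULES is a constructed subset of the posted dump.

SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
COMMIT'

# Constructed "after" version: state rules first in INPUT, FORWARD ends in DROP.
FIXED_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -j DROP
COMMIT'

# 1-based position within CHAIN of the first rule matching awk regex PATTERN,
# or 0 if none. Reads iptables-save text from stdin.
rule_pos() {
    awk -v chain="$1" -v pat="$2" '
        $1 == "-A" && $2 == chain { n++; if (!found && $0 ~ pat) found = n }
        END { print found + 0 }'
}

# Succeed only if INPUT drops INVALID and accepts ESTABLISHED before any
# per-port ACCEPT (a rule added with "iptables -I INPUT" lands in front).
check_input_order() {
    invalid=$(printf '%s\n' "$1" | rule_pos INPUT 'state INVALID -j DROP')
    estab=$(printf '%s\n' "$1" | rule_pos INPUT 'ESTABLISHED[A-Z,]* -j ACCEPT')
    port=$(printf '%s\n' "$1" | rule_pos INPUT '--dport [0-9:]+ -j ACCEPT')
    [ "$invalid" -gt 0 ] && [ "$estab" -gt 0 ] || return 1
    [ "$port" -eq 0 ] || { [ "$invalid" -lt "$port" ] && [ "$estab" -lt "$port" ]; }
}

# Succeed only if forwarded traffic matching no rule is dropped: FORWARD
# policy DROP, or an unconditional DROP as the last FORWARD rule.
check_forward_default() {
    printf '%s\n' "$1" | awk '
        $1 == ":FORWARD" && $2 == "DROP" { policy_drop = 1 }
        $1 == "-A" && $2 == "FORWARD" { last = $0 }
        END { exit !(policy_drop || last == "-A FORWARD -j DROP") }'
}

check_input_order "$SAMPLE_RULES" || echo "SAMPLE_RULES: state rules are not first in INPUT"
check_forward_default "$SAMPLE_RULES" || echo "SAMPLE_RULES: FORWARD has no terminal DROP"
```

On the router itself, feed the live dump with `check_input_order "$(iptables-save -t filter)"` after each change to post-firewall.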
Thank you Al! I re-ordered the iptables rules as you said. I'll see the result.
But what is with those cryptic numbers in the iptables-save output? Cause it seems that they aren't counters - what are those numbers in the INPUT-recent chain?
I tried the UPnP experience and I'm glad to share it with you.
First, I'm sorry Al, that I said that UPnP service does not work with 1.9.2.7-10.7 firmware. It works.
First we have to assure that UPnP service is installed and is working under Windows: http://support.microsoft.com/kb/941206
Second, there are only a few utilities to command router port forwarding from Windows. I tried about 5 of them and none of them works except this one: http://www.codeproject.com/KB/IP/PortForward.aspx
...but the download link from the above site is broken :), so I found it and put it here in the attachment.
I hope you are satisfied with this! :)
Al, I studied how UPnP inserts rules in the VSERVER chain and in the FORWARD chain. So, in the FORWARD chain rules are added on top of the rules that drop invalid packets and let RELATED, ESTABLISHED traffic through, so .... I think here may be a source of errors on forwarding ports. I did not experience errors, but, again, as you say above, INVALID packets could traverse the FORWARD chain through UPnP forwarded ports.
Solution is for UPnP to trigger commands like:
Code:
iptables -I FORWARD 4 -p tcp -m tcp --dport port_num -j ACCEPT
or, for flexibility, to target a predefined "UPnP" chain. But I do not know how to modify this ...
We do not even need to accept forwarding (through the FORWARD chain) of UPnP ports, cause we have in the firewall:
Code:
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
and so, DNAT-ed packets from the VSERVER chain are already accepted through the forwarding chain. ...But, it seems that this conntrack rule is not working. Maybe because the ip_conntrack.o module is missing?
I'm back cause I do not understand why there is no ending FORWARD rule to:
Code:
iptables -A FORWARD -j DROP
This is a security hole!!!
I changed the port of ftp to "1021" and when I try to connect it gives this error:
Code:
PORT COMMAND FAILED! 500 Illegal port COMMAND
how can I fix it?
What is wrong????
Code:
[TheCrow@WL-001FC6D7E6E7 root]$ lsmod
Tainted: P
usb-storage 63312 3
sd_mod 12660 6
scsi_mod 72624 2 [usb-storage sd_mod]
videodev 8752 0 (unused)
audio 47176 0 (unused)
soundcore 4920 0 [audio]
printer 12964 0 (unused)
ehci-hcd 22916 0 (unused)
usb-ohci 19412 0 (unused)
usbcore 76112 1 [usb-storage audio printer ehci-hcd usb-ohci]
ip_nat_ftp 3136 0 (unused)
ip_conntrack_ftp 4584 2
wl 897336 0 (unused)
et 29024 0 (unused)
[TheCrow@WL-001FC6D7E6E7 root]$
I don't know the answer to your question Crow, cause I have disabled ftp in the web page and I installed another ftp server (for now it is pure-ftpd).
But I have a question too, related to ftp. Is there a way (optware package) to use disk quota? Cause I want to limit the disk usage of the ftp running user (ftpuser).
Pure-ftpd has disk quota for every user, but I'd like to apply a quota for the whole ftp users group.
sry....i dont know....
Quote:
PORT COMMAND FAILED! 500 Illegal port COMMAND
try to connect in passive mode
Does anybody have working SANE? I would appreciate any help on this...thanx for any advice or link to an advice..;-)
Quote:
Originally Posted by darius by PM
Use swapon / swapoff:
Code:
[admin@blechbuechse root]$ swapoff /dev/discs/disc0/part1
[admin@blechbuechse root]$ free
total used free shared buffers cached
Mem: 13964 13448 516 0 1548 7336
-/+ buffers/cache: 4564 9400
Swap: 0 0 0
[admin@blechbuechse root]$ swapon /dev/discs/disc0/part1
[admin@blechbuechse root]$ free
total used free shared buffers cached
Mem: 13964 13696 268 0 1548 7336
-/+ buffers/cache: 4812 9152
Swap: 500432 0 500432
wengi
Hi,
I am back, as the problem persists.
My router No.1 worked fine , Olegs firmware,
applications installed on usb 4GB stick
and part2 /opt mounted regularly, part1 was on.
I reflashed it with Koppel for cellular modem support.
And part1 stopped being swapped on, and the /opt directory is empty.
I inserted the same usb stick into my No.2 router
and part1 swap is on, part2 /opt is mounted and I can run applications.
I can swapon on router No.1 and it works.
Unfortunately the /opt directory is empty, so there are no preinstalled applications to run.
I discovered the problem with putty when
the ssh telnet session was closed immediately for router No.1.
As I use the same system hdd stick on both routers,
what can be done to have
part1 swap-on and part2 /opt mounted on router No.1 on boot ?
As you can see, swap was off
so I followed your great tutorial
mkswap
swapon
Code:
[admin@aa /opt]$ free
total used free shared buffers
Mem: 30324 14264 16060 0 1772
Swap: 0 0 0
Total: 30324 14264 16060
[admin@aa /opt]$ mkswap /dev/discs/disc0/part1
Setting up swapspace version 1, size = 534499328 bytes
[admin@aa /opt]$ free
total used free shared buffers
Mem: 30324 14272 16052 0 1772
Swap: 0 0 0
Total: 30324 14272 16052
[admin@aa /opt]$ swapon /dev/discs/disc0/part1
[admin@aa /opt]$ free
total used free shared buffers
Mem: 30324 14532 15792 0 1772
Swap: 521968 0 521968
Total: 552292 14532 537760
[admin@aa /opt]$ free
total used free shared buffers
Mem: 30324 14532 15792 0 1772
Swap: 521968 0 521968
Total: 552292 14532 537760
[admin@aa /opt]$
edited once again (was empty)
Code:
[admin@aa root]$ ls
[admin@aa root]$ cd /
[admin@aa /]$ cd /opt
[admin@aa /opt]$ ls
[admin@aa /opt]$ mount
/dev/root on / type squashfs (ro)
none on /dev type devfs (rw)
proc on /proc type proc (rw)
ramfs on /tmp type ramfs (rw)
usbfs on /proc/bus/usb type usbfs (rw)
/dev/discs/disc0/part2 on /tmp/mnt/disc0_2 type ext3 (rw,noatime)
/dev/discs/disc0/part3 on /tmp/mnt/disc0_3 type ext3 (rw,noatime)
[admin@aa /opt]$ free
total used free shared buffers
Mem: 30324 14256 16068 0 1772
Swap: 0 0 0
Total: 30324 14256 16068
[admin@aa /opt]$ fdisk -l
Disk /dev/scsi/host0/bus0/target0/lun0/disc: 4009 MB, 4009754624 bytes
145 heads, 48 sectors/track, 1125 cylinders
Units = cylinders of 6960 * 512 = 3563520 bytes
Device Boot Start End Blocks Id System
/dev/scsi/host0/bus0/target0/lun0/part1 1 150 521976 82 Linux swap
/dev/scsi/host0/bus0/target0/lun0/part2 151 500 1218000 83 Linux
/dev/scsi/host0/bus0/target0/lun0/part3 501 1125 2175000 83 Linux
[admin@aa /opt]$ df -l
df: illegal option -- l
BusyBox v1.1.3 (2008.04.25-08:17+0000) multi-call binary
Usage: df [-hmk] [FILESYSTEM ...]
[admin@aa /opt]$ df -l
df: illegal option -- l
BusyBox v1.1.3 (2008.04.25-08:17+0000) multi-call binary
Usage: df [-hmk] [FILESYSTEM ...]
vi /etc/fstab
echo "/etc/fstab" >> /usr/local/.files
edited pre-mount
vi /usr/local/sbin/pre-mount
and on reboot
flashfs save && flashfs commit && flashfs enable && reboot
======
So it works fine.
Code:
[admin@aa root]$ mount
/dev/root on / type squashfs (ro)
none on /dev type devfs (rw)
proc on /proc type proc (rw)
ramfs on /tmp type ramfs (rw)
usbfs on /proc/bus/usb type usbfs (rw)
/dev/discs/disc0/part2 on /opt type ext3 (rw,noatime)
/dev/discs/disc0/part3 on /tmp/mnt/disc0_3 type ext3 (rw,noatime)
[admin@aa root]$ free
total used free shared buffers cached
Mem: 30324 17492 12832 0 1864 8476
-/+ buffers/cache: 7152 23172
Swap: 521968 0 521968
[admin@aa root]$
run mc
and clicking on arrow keys generates the following
AAAABBBBAAAAACCCCCDDDDAABBDDCCCDDABBBBBBBBACCDABD B
Ok. Closed putty session as there was no other way to press F10 for
mc exit
and get command line back
Opened new putty session
and arrows don't work in mc
so no way to use mc.
Any idea, any solution ?
Darius
Have you tried the firmware from here: http://code.google.com/p/wl500g/ ? This firmware was compiled on 15-Mar-2009 and seems to be very stable. I installed it yesterday and I didn't find any bugs till now. So, it seems that swap space has got some improvements in this firmware. Give it a try!
from Wengi tutorial:
Some settings are necessary for MC to run properly.
Code:
echo "export TERMINFO=/opt/share/terminfo">>/opt/etc/profile
echo "alias mc=\"mc -c\"">>/opt/etc/profile
make profile executable:
Code:
chmod +x /opt/etc/profile
By the way .... have you tried to work with WinSCP (Opensource)? It's possible after that you do not work with MC anymore :)
Till now, in any firmware I tried, I have connected with WinSCP without any problem. Now, I connect OK through WinSCP, but when I want to edit a file (example: man.conf), I obtain the following message:
Code:
Received error message from remote side: 'scp: man.conf: not a regular file'
And after that the file I want to edit (or simply view) opens empty.
This behavior does not apply to every file. There are some files that I can open/view. I cannot find a rule for that files opens or not.
I can copy remote files to local directory and I can rename remote files that I cannot open.
I respond now to myself: I installed bash and it installed profile under /opt/etc and export LD_LIBRARY_PATH=/opt/lib. It seems that my error came from here...
Is it the same behaviour if you try to edit / view these files on command line?
wengi
Yes Wengi, after posting I found that the behavior is the same on the command line. But I solved it, by simply renaming the "/opt/etc/profile" file which was replaced by "ipkg install bash"! The error came from exporting LD_LIBRARY_PATH=/opt/lib (ipkg and wget had stopped working too).
I think that it is possible to work with LD_LIBRARY_PATH set, but after installing the optware packages for wget and busybox. But it is possible that another original package is affected by this ...
how can I install and configure a graph for wl-500gp V2??
Hello!
As first (as almost everybody) I want to thank you for that really precious and great tutorial. I successfully configured my new wl500-gp router with basic linux knowledge.
After the first try and some additional settings (because of different root username, IP address, etc.) everything is working like a charm.
I have a small problem just with one thing: Transmission is connected to trackers in Passive mode. This causes fewer peers, slower downloading and of course, I can help fewer leechers with my upload speed.
When I had such a problem on a local PC with uTorrent I set up NAT and it worked, but now I do not know what to do. The router is directly connected to the internet so it does not need port forwarding - am I right?
I also tried a crazy thing - created NAT with the inner IP address of the router as destination IP but of course - it does not work.
Does anybody have an idea how to solve this 'problem'?
EDIT:
So, after 2 days it was enough to ask here and I solved problem myself :).
Solution for others with the same problem: just open port as wengi did it for ssh in the tutorial.
Add the following lines to the /usr/sbin/post-firewall file:
Quote:
#!/bin/sh
# Transmission
iptables -I INPUT -m tcp -p tcp --dport 51413 -j ACCEPT
i found ...tnx http://wl500g.info/showthread.php?t=2848
I just did this configuration and it works great, but could you please tell what I must change to access HDD using ftp from WAN?
Thank You :)
There are two main solutions as I know: unsecure and secure.
Unsecure is simply opening the ftp port (21) from the outside by adding an exclusion to the firewall - add the following lines to the /usr/sbin/post-firewall file:
Quote:
#!/bin/sh
# Transmission
iptables -I INPUT -m tcp -p tcp --dport 21 -j ACCEPT
Then you can connect via ftp using the created ftp user and access the directories where you have rights to go.
Much more secure is opening a random high port the same way as before, redirecting it to the ssh port (22) and tunneling the ftp port over the existing ssh connection.
If you are interested in this solution, just write and I will try to create a little tutorial.
Of course there are many more solutions based on sftp or samba+windows sharing, etc.
now I have some other problems after I installed php-thttph (if I'm not wrong somewhere).
some services didn't start after boot.
[admin@WL-001FC64989AD root]$ ps axf
BusyBox v1.1.3 (2008.03.17-18:24+0000) multi-call binary
Usage: ps
[admin@WL-001FC64989AD root]$
when I try to mkdir /opt/tmp/ the router says read-only filesystem.
this means - I haven't mounted my hdd.
how can I solve this problem?
hi,
post result of "mount" and "ps".
Maybe your filesystem is checked. This will take some time..
wengi
so if I have 1Tb harddrive, then this will take a LONG TIME.
Ok. When the checking is done, I'll write if the problem still exists.
When I got home, everything was ok.
Is it possible to create VPN connection from wan to router? this would solve many problems :)
you could give openvpn a try.
Search the forum for openvpn.
wengi
OVPN has been set up and it's working :) (from local laptop). Later I will try from WAN.
Yes. It's working great :)
I want to post a custom message when logging in with putty, how do i do that?
Please excuse me if this was discussed before and please link me to the topic or posts, but my internet connection is working painfully slow today and when I try to search for this I do not receive results.
Thank you.
Hello,
this is a general linux question.
Have a look at:
http://linux.about.com/library/cmd/blcmdl5_issue.htm
http://linux.about.com/library/cmd/blcmdl5_motd.htm
issue is pre-login, motd is post-login.
wengi
wtf is this
Apr 20 14:00:49 vsftpd[1562]: [Administrator] FAIL LOGIN: Client "210.82.111.91"
Apr 20 14:00:51 vsftpd[1562]: [Administrator] FAIL LOGIN: Client "210.82.111.91"
Apr 20 14:00:53 vsftpd[1562]: [Administrator] FAIL LOGIN: Client "210.82.111.91"
Apr 20 14:00:55 vsftpd[1565]: CONNECT: Client "210.82.111.91"
Apr 20 14:00:56 vsftpd[1564]: [Administrator] FAIL LOGIN: Client "210.82.111.91"
Apr 20 14:00:58 vsftpd[1564]: [Administrator] FAIL LOGIN: Client "210.82.111.91"
Apr 20 14:01:00 vsftpd[1564]: [Administrator] FAIL LOGIN: Client "210.82.111.91"
in the web syslog I see that someone has tried to connect to my ftp from Apr 20 14:00:20 till Apr 20 14:24:28
how can I block that f*** IP address?
P.S. I don't have a username "Administrator" for my ftp.
It would be silly :D
P.P.S. this isn't the first time that someone is trying to connect.
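The log lines above are exactly what a small log-driven blocker can work from: count FAIL LOGIN entries per client address and generate a DROP rule for any client over a threshold. This is an added example, not code from the thread or the firmware; SAMPLE_LOG is constructed in the format of the quoted syslog lines (with RFC 5737 test addresses), and failed_logins_by_client and block_rules are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread: spot a client hammering vsftpd with
# failed logins and build a firewall rule for it. SAMPLE_LOG is constructed
# in the format of the syslog lines quoted above (RFC 5737 test addresses).

SAMPLE_LOG='Apr 20 14:00:49 vsftpd[1562]: [Administrator] FAIL LOGIN: Client "203.0.113.7"
Apr 20 14:00:51 vsftpd[1562]: [Administrator] FAIL LOGIN: Client "203.0.113.7"
Apr 20 14:00:53 vsftpd[1562]: [Administrator] FAIL LOGIN: Client "203.0.113.7"
Apr 20 14:00:55 vsftpd[1565]: CONNECT: Client "203.0.113.7"
Apr 20 14:00:56 vsftpd[1564]: [Administrator] FAIL LOGIN: Client "203.0.113.7"
Apr 20 14:01:02 vsftpd[1570]: [ftpuser] FAIL LOGIN: Client "192.168.1.23"
Apr 20 14:01:09 vsftpd[1570]: [ftpuser] OK LOGIN: Client "192.168.1.23"'

# Read syslog lines on stdin; print "<failures> <client ip>" per client,
# most failures first. Only FAIL LOGIN lines count, not CONNECT or OK LOGIN.
failed_logins_by_client() {
    awk '/FAIL LOGIN: Client "/ {
            ip = $0; sub(/.*Client "/, "", ip); sub(/".*/, "", ip)
            fails[ip]++
        }
        END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# Read "<failures> <ip>" lines; for each client at or over THRESHOLD, print
# a rule that drops its FTP traffic. Position 1 puts the rule ahead of the
# ESTABLISHED,RELATED accept, so the attacker's open sessions die as well.
block_rules() {
    awk -v min="$1" '$1 >= min {
        printf "iptables -I INPUT 1 -s %s -p tcp -m tcp --dport 21 -j DROP\n", $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_client | block_rules 3
```

The rules are printed rather than executed so they can be read first; on this firmware they also belong in /usr/sbin/post-firewall (as the earlier posts do for their ACCEPT rules) or they are gone after the next reboot.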
Hi all,
i added a step to correct the time zone settings for middle europe.
search the howto for "pre-boot" and you will find the additions.
wengi
Hi all,
pls I have still problem with permission denied when i try:
[admin@ASUS_160GB ipkg]$ ipkg update
Downloading http://ipkg.nslu2-linux.org/feeds/op...le/Packages.gz
sh: wget: Permission denied
An error ocurred, return value: 1.
Collected errors:
ipkg_download: ERROR: Command failed with return value 127: `wget -q -P /opt/ipkg-4TwonM http://ipkg.nslu2-linux.org/feeds/op...le/Packages.gz'
[admin@ASUS_160GB ipkg]$ ipkg upgrade
sh: rm: Permission denied
Nothing to be done
Successfully terminated.
I posted here at this thread before (read page 38, posts 559-569) but still have this problem.
I am really a newbie with linux so Wengi pls can you write me how to use e2fsck on /dev/discs/disc0/part2??? Don't know how to operate with superblocks etc.
Second, I don't know if the check is necessary because I can create a dir on /opt and can copy files into it. So I can write to /opt.
Any idea how to fix this permission denied problem? After finishing this tutorial it worked for half a year without problems.
Neither can I do this if I want any change:
Code:
flashfs save && flashfs commit && flashfs enable && reboot
here is the post:
Code:
[admin@ASUS_160GB tmp]$ flashfs save && flashfs commit && flashfs enable && reboot
/sbin/flashfs: /sbin/flashfs: 20: cat: Permission denied
/sbin/flashfs: /sbin/flashfs: 73: [: Permission denied
tar: Removing leading '/' from member names
tar: /tmp/local: Unknown file type
tar: Error exit delayed from previous errors
/sbin/flashfs: /sbin/flashfs: 73: ls: Permission denied