[WLANware] Freifunk 1.6.29, dhcp-splash, and natting

Jan Groenewald jan at aims.ac.za
Sun Jul 27 13:35:45 CEST 2008


Hi

2008/7/27 Lorenz Schori <lorenz.schori at gmx.ch>:
> It would help if you could post an excerpt of the iptables from a router
> suffering this problem. Like this it would be easier to track down the
> origin of the superfluous NAT rules.
> iptables -t nat -vnL

Thanks. I am not an iptables expert, so I may have it all wrong. Please
do check that what I say makes sense.


root at jan-south:~# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 11741 packets, 1093K bytes)
 pkts bytes target     prot opt in     out     source               destination
11732 1092K splash_prerouting_all  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 71 packets, 11828 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0
 9343  853K MASQUERADE  all  --  *      *       172.18.172.24/29     0.0.0.0/0
    0     0 MASQUERADE  all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 67 packets, 11617 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain splash_prerouting (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 splash_redirect  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain splash_prerouting_all (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain splash_redirect (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80

That router should not NAT the range 172.18.172.24/29, as it has
ff_wldhcp=172.18.172.24/29,255.255.255.240
and in /etc/init.d/S45firewall I commented out these lines:
root at jan-south:~# grep ^# /etc/init.d/S45firewall
#!/bin/sh
#	# Mask packets from these WLAN DHCP clients, so they can do inet w/o OLSR
#	ENTS=$(nvram get ff_wldhcp)
#	IFS=\;
#	for ENT in $ENTS; do
#		NET=${ENT%[:,]*}
#		MSK=${ENT#*[:,]}
#		iptables -t nat -A POSTROUTING -s $NET -j MASQUERADE
#	done
#	unset IFS


Now I do this:

root at jan-south:~# /etc/init.d/S45firewall restart
Stopping firewall...
Starting firewall...
root at jan-south:~# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 28 packets, 2842 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 28 packets, 2842 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

and then I do:

root at jan-south:~# /etc/init.d/S70dhcpsplash start
Starting dhcpsplash...
root at jan-south:~# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 194 packets, 17767 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  1192 splash_prerouting_all  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 164 packets, 15487 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain splash_prerouting (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 splash_redirect  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain splash_prerouting_all (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain splash_redirect (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80

Hmm, uh, now that OLSR-DHCP NAT is gone.
It doesn't seem to be the cron job either.

root at jan-south:/etc/init.d# touch /var/run/dhcpsplas_needs_update
root at jan-south:/etc/init.d# /usr/sbin/cron.dhcpsplash
root at jan-south:/etc/init.d# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 1086 packets, 83943 bytes)
 pkts bytes target     prot opt in     out     source               destination
  904 67368 splash_prerouting_all  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 826 packets, 64418 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2 packets, 406 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain splash_prerouting (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 splash_redirect  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain splash_prerouting_all (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain splash_redirect (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80


But the problem may be something to do with this? (I don't think so --
this is for all the nodes with no WAN connection and so it has a fifth
LAN port this way)
root at jan-south:/etc/init.d# nvram show|grep ports
size: 6920 bytes (25848 left)
vlan0ports=3 2 1 0 5* 4
vlan1ports=5


regards,
Jan
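As an added diagnostic for the question raised in this mail (not part of the Freifunk firmware or of the thread), the POSIX sh snippet below parses an `iptables -t nat -vnL` dump (a constructed sample mirroring the first output above), picks out the POSTROUTING MASQUERADE rules that NAT a specific source range, and checks which of them the S45firewall loop over ff_wldhcp would account for. The function names and the sample dump are mine.

```sh
#!/bin/sh
# Added diagnostic, not part of the Freifunk firmware: find MASQUERADE rules in
# the nat POSTROUTING chain that NAT a specific client range, and check whether
# the S45firewall loop over ff_wldhcp (the one commented out above) explains them.

# Constructed sample dump, mirroring the mail's first output (one line per rule).
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 11741 packets, 1093K bytes)
 pkts bytes target     prot opt in     out     source               destination
11732 1092K splash_prerouting_all  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 71 packets, 11828 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0
 9343  853K MASQUERADE  all  --  *      *       172.18.172.24/29     0.0.0.0/0
    0     0 MASQUERADE  all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0'

# Networks the S45firewall loop would masquerade, split the way that script does:
# entries separated by ";", each "NET,MSK" or "NET:MSK"; only NET is used.
wldhcp_nets() {
    printf '%s\n' "$1" | tr ';' '\n' | while IFS= read -r ent; do
        if [ -n "$ent" ]; then echo "${ent%[:,]*}"; fi
    done
}

# Source networks of POSTROUTING MASQUERADE rules narrower than 0.0.0.0/0,
# i.e. NAT of a client range rather than plain WAN masquerading.
# Reads an "iptables -t nat -vnL" dump on stdin; columns: pkts bytes target
# prot opt in out source destination.
specific_masq_sources() {
    awk '/^Chain /{in_post = ($2 == "POSTROUTING")}
         in_post && $3 == "MASQUERADE" && $8 != "0.0.0.0/0" {print $8}'
}

# $1: dump text, $2: ff_wldhcp value (empty once the loop is commented out).
# Prints one line per specific MASQUERADE source with its verdict.
explain_masq() {
    printf '%s\n' "$1" | specific_masq_sources | while read -r src; do
        if wldhcp_nets "$2" | grep -qxF "$src"; then
            echo "$src from-ff_wldhcp"
        else
            echo "$src unexplained"
        fi
    done
}

# With the nvram value present the /29 rule is accounted for; with the loop
# disabled (empty value) the same rule has to come from somewhere else.
explain_masq "$SAMPLE_NAT" "172.18.172.24/29,255.255.255.240"
explain_masq "$SAMPLE_NAT" ""
```

On a live router, replace the sample with `iptables -t nat -vnL` and `nvram get ff_wldhcp`; any source reported as "unexplained" was added by something other than the S45firewall loop.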


