[WLANware] Freifunk 1.6.29, dhcp-splash, and natting
Jan Groenewald
jan at aims.ac.za
Sun Jul 27 13:35:45 CEST 2008
Hi
2008/7/27 Lorenz Schori <lorenz.schori at gmx.ch>:
> It would help if you could post an excerpt of the iptables from a router
> suffering this problem. like this it would be easier to track down the
> origin of the superfluous NAT rules.
> iptables -t nat -vnL
Thanks. I am not an iptables expert, so I may have it all wrong. Please
do check that what I say makes sense.
root at jan-south:~# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 11741 packets, 1093K bytes)
 pkts bytes target     prot opt in     out     source               destination
11732 1092K splash_prerouting_all  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 71 packets, 11828 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0
 9343  853K MASQUERADE  all  --  *      *       172.18.172.24/29     0.0.0.0/0
    0     0 MASQUERADE  all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 67 packets, 11617 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain splash_prerouting (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 splash_redirect  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain splash_prerouting_all (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain splash_redirect (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
That router should not NAT that range 172.18.172.24/29, having
ff_wldhcp=172.18.172.24/29,255.255.255.240
and in /etc/init.d/S45firewall I commented out these lines:
root at jan-south:~# grep ^# /etc/init.d/S45firewall
#!/bin/sh
# # Mask packets from these WLAN DHCP clients, so they can do inet w/o OLSR
# ENTS=$(nvram get ff_wldhcp)
# IFS=\;
# for ENT in $ENTS; do
# NET=${ENT%[:,]*}
# MSK=${ENT#*[:,]}
# iptables -t nat -A POSTROUTING -s $NET -j MASQUERADE
# done
# unset IFS
Now I do this:
root at jan-south:~# /etc/init.d/S45firewall restart
Stopping firewall...
Starting firewall...
root at jan-south:~# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 28 packets, 2842 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 28 packets, 2842 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
and then I do:
root at jan-south:~# /etc/init.d/S70dhcpsplash start
Starting dhcpsplash...
root at jan-south:~# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 194 packets, 17767 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  1192 splash_prerouting_all  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 164 packets, 15487 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain splash_prerouting (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 splash_redirect  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain splash_prerouting_all (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain splash_redirect (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
Hmm, uh, now that OLSR-DHCP nat is gone.
It doesn't seem to be the cron job either
root at jan-south:/etc/init.d# touch /var/run/dhcpsplas_needs_update
root at jan-south:/etc/init.d# /usr/sbin/cron.dhcpsplash
root at jan-south:/etc/init.d# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 1086 packets, 83943 bytes)
 pkts bytes target     prot opt in     out     source               destination
  904 67368 splash_prerouting_all  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 826 packets, 64418 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2 packets, 406 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain splash_prerouting (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 splash_redirect  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain splash_prerouting_all (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain splash_redirect (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
But the problem may be something to do with this? (I don't think so --
this is for all the nodes with no WAN connection and so it has a fifth
LAN port this way)
root at jan-south:/etc/init.d# nvram show|grep ports
size: 6920 bytes (25848 left)
vlan0ports=3 2 1 0 5* 4
vlan1ports=5
regards,
Jan
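An added example, not from Jan's post or the Freifunk firmware, that automates the check Jan did by eye: it parses the POSTROUTING section of `iptables -t nat -vnL` and reports any MASQUERADE rule whose source is one of the networks listed in ff_wldhcp (the rule S45firewall's loop would add). The sample rule output and nvram value are constructed from the values quoted in the post; the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample: the POSTROUTING part of `iptables -t nat -vnL` as quoted
# in the post (not captured live here).
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT 71 packets, 11828 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0
 9343  853K MASQUERADE  all  --  *      *       172.18.172.24/29     0.0.0.0/0
    0     0 MASQUERADE  all  --  *      vlan1   0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 67 packets, 11617 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Constructed nvram value in the ff_wldhcp format shown in the post:
# entries separated by ";", each "network/prefix,netmask".
SAMPLE_WLDHCP='172.18.172.24/29,255.255.255.240'

# Print the network part of every ff_wldhcp entry, one per line, using the
# same ${ENT%[:,]*} stripping that the S45firewall loop uses.
ff_wldhcp_nets() {
    ( IFS=';'; for ENT in $1; do printf '%s\n' "${ENT%[:,]*}"; done )
}

# Print "source out-interface" for every POSTROUTING MASQUERADE rule whose
# source is narrower than 0.0.0.0/0, i.e. per-subnet NAT rather than plain
# uplink NAT. Field order of -vnL: pkts bytes target prot opt in out src dst.
subnet_masq_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain / { in_post = ($2 == "POSTROUTING") }
        in_post && $3 == "MASQUERADE" && $8 != "0.0.0.0/0" { print $8, $7 }'
}

# Report each MASQUERADE source that is exactly one of the ff_wldhcp networks:
# that is the rule the post says should not be on this router.
wldhcp_nat_leaks() {
    nets=$(ff_wldhcp_nets "$2")
    subnet_masq_rules "$1" | while read -r src out; do
        for n in $nets; do
            if [ "$src" = "$n" ]; then
                printf 'ff_wldhcp net %s is NATed (out %s)\n' "$src" "$out"
            fi
        done
    done
}

wldhcp_nat_leaks "$SAMPLE_NAT" "$SAMPLE_WLDHCP"
```

On a live router, feed `$(iptables -t nat -vnL)` and `$(nvram get ff_wldhcp)` to `wldhcp_nat_leaks` instead of the constructed samples.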