DSM-G600, DNS-3xx and NSA-220 Hack Forum

Unfortunately no one can be told what fun_plug is - you have to see it for yourself.

#1 2009-08-01 06:16:01

kennedy101
Member
Registered: 2008-09-16
Posts: 48

iptables modules, ip_conntrack and others (ipsec, pptp, etc) on chroot

I see that I'm missing the modules necessary to run iptables on my DNS 323 (chroot debian). I have a few openvpn tunnels to family and friends that all terminate to openvpn processes that run on my DNS-323. My end goal is to route traffic between multiple lan segments, and SNAT the traffic on the NAS.

When I run the following, it reports the modules are not loaded.

wheezy1:~# iptables -t filter -L
iptables v1.3.6: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.


Does anyone have compiled modules for a 2.6.12.6-arm1 vanilla kernel?

Reason for modules:
It's slightly off topic, but the reason for needing iptables is to source nat packets destined for networks connected by vpn tunnels. From what I see in tcpdumps when I attempt to access an adjacent network my source IP is mangled as it passes through the vpn tunnel. When the other side attempts to reply it's sending the packet to the adjacent vpn endpoint, not my local subnet device. All documentation I've found for openvpn on openwrt shows others utilizing iptables to mangle the packets before they enter the vpn tunnel.


Thanks in advance for any help, or other suggestions for implementing a routed openvpn solution.


DNS 323 (Hardware B1, Firmware 1.06). 2x 1.5TB Seagate HDs.
Chroot Debian (Lenny) on USB (not reloaded). Edna server. USB print server. USB drives added to samba share. All init.d scripts in place.
Future projects: FFP reloaded then chroot on B1 hardware.

Offline

 

#2 2009-08-06 21:25:37

alny
Member
Registered: 2009-08-05
Posts: 5

Re: iptables modules, ip_conntrack and others (ipsec, pptp, etc) on chroot

kennedy101 wrote:

Reason for modules:
It's slightly off topic, but the reason for needing iptables is to source nat packets destined for networks connected by vpn tunnels. From what I see in tcpdumps when I attempt to access an adjacent network my source IP is mangled as it passes through the vpn tunnel. When the other side attempts to reply it's sending the packet to the adjacent vpn endpoint, not my local subnet device. All documentation I've found for openvpn on openwrt shows others utilizing iptables to mangle the packets before they enter the vpn tunnel.

Have you had any success with kernel module compilation? I have the same problem with OpenVPN, and I also think that the problem happens because there is no IP forwarding between the two network interfaces, because of the lack of kernel modules.

Offline

 

#3 2009-08-07 01:22:22

Electrocut
Member
From: France
Registered: 2009-04-05
Posts: 195

Re: iptables modules, ip_conntrack and others (ipsec, pptp, etc) on chroot

alny wrote:

I also think that the problem happens because there is no IP forwarding between the two network interfaces, because of the lack of kernel modules.

To enable IP forwarding (routing), just type:

echo 1 > /proc/sys/net/ipv4/ip_forward


DNS-313

Offline

 

#4 2009-08-07 10:19:00

alny
Member
Registered: 2009-08-05
Posts: 5

Re: iptables modules, ip_conntrack and others (ipsec, pptp, etc) on chroot

Electrocut wrote:

alny wrote:

I also think that the problem happens because there is no IP forwarding between the two network interfaces, because of the lack of kernel modules.

To enable IP forwarding (routing), just type:

echo 1 > /proc/sys/net/ipv4/ip_forward

I have already done that, but nothing happens. I still think that the problem is that there is no "forwarding" module in the kernel.

Offline

 

#5 2009-08-07 13:46:15

Electrocut
Member
From: France
Registered: 2009-04-05
Posts: 195

Re: iptables modules, ip_conntrack and others (ipsec, pptp, etc) on chroot

I don't think any special module is needed, to be able to forward IP packets. I think Iptables kernel modules are just if you want to filter traffic ... (choose what you want to forward), but I can be wrong.


DNS-313

Offline

 

#6 2009-08-08 15:36:02

alny
Member
Registered: 2009-08-05
Posts: 5

Re: iptables modules, ip_conntrack and others (ipsec, pptp, etc) on chroot

Electrocut wrote:

I don't think any special module is needed, to be able to forward IP packets. I think Iptables kernel modules are just if you want to filter traffic ... (choose what you want to forward), but I can be wrong.

Yes, you were right. No additional kernel modules were needed to forward IP from the tun0 to the egiga0 interface, just 1 flag in the /proc/sys/net/ipv4/ip_forward file. My problem was in the routing tables, not on the DNS-323 device but on the other computers in my network. When they receive an IP packet from the other VPN network (10.10.0.x in my case) they don't know how to respond, to which gateway to send the answer. When I added the routing record

route add 10.10.0.0 MASK 255.255.255.0 <my NAS IP here>

to them, everything started to work perfectly.
My final step was adding the same record to my home router, so now I don't need to configure each computer in the network.

Offline
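
The routing problem alny describes above, as an added example that is not part of any post: a longest-prefix lookup over `route -n` style output shows why a LAN PC sends its replies for 10.10.0.x to the default router until the static route via the NAS exists. The LAN addresses (192.168.0.0/24, router 192.168.0.1, NAS 192.168.0.32) and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed `route -n` output for a LAN PC. All addresses are made up except
# the 10.10.0.0/24 VPN network, which is the one named in the post.
BEFORE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0   0   eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0   0   eth0'

# Same table after adding the static route via the NAS (assumed 192.168.0.32).
AFTER="$BEFORE
10.10.0.0       192.168.0.32    255.255.255.0   UG    0      0   0   eth0"

# Dotted quad -> 32-bit integer.
ip2int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# next_hop TABLE DEST: longest-prefix match over the table text.
# Prints the chosen gateway, or "direct" when the destination is on-link.
next_hop() {
    dst=$(ip2int "$2")
    printf '%s\n' "$1" | {
        best_mask=-1
        best_gw=unreachable
        while read -r net gw mask _rest; do
            case "$net" in [0-9]*) ;; *) continue ;; esac   # skip header lines
            n=$(ip2int "$net")
            m=$(ip2int "$mask")
            if [ $(( dst & m )) -eq $(( n & m )) ] && [ "$m" -gt "$best_mask" ]; then
                best_mask=$m
                best_gw=$gw
            fi
        done
        if [ "$best_gw" = 0.0.0.0 ]; then best_gw=direct; fi
        echo "$best_gw"
    }
}

echo "reply to 10.10.0.7 before the route: $(next_hop "$BEFORE" 10.10.0.7)"
echo "reply to 10.10.0.7 after the route:  $(next_hop "$AFTER" 10.10.0.7)"
```

Before the route is added the reply goes to the default router, which has no path to the VPN network; afterwards it goes to the NAS, which forwards it into the tunnel.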

 

#7 2009-09-04 23:06:36

kennedy101
Member
Registered: 2008-09-16
Posts: 48

Re: iptables modules, ip_conntrack and others (ipsec, pptp, etc) on chroot

The modules I need are to route from one client PC on say site1, to another client PC on site2. For the sake of argument, here was my setup:

Site1 PC            -> Site1 VPN GW  -> Site1 VPN Tun -> Internet
192.168.200.146/24     192.168.200.5    10.0.0.1


Internet -> Site2 VPN Tun -> Site2 VPN GW  -> Site2 PC
            10.0.0.2         192.168.150.1    192.168.150.101/24


All route statements were in place and I could ping each VPN endpoint (10.0.0.1 or 10.0.0.2)
A tcpdump on both sides (internal interface) showed that the VPN Gw at site 1 was mangling the packet from the PC. I could see that the source IP address seen at the Site2 interface (192.168.150.1) was 10.0.0.1 NOT 192.168.200.146. I noted that the Site1 GW interface (192.168.200.5) showed the correct source IP.

Looking at the OpenWRT forums this is "normal" and a source NAT rule is needed to force the packets to not mangle.

Anyway, the modules have been tested and are working in my OpenWRT boxes. It would be nice to have the same modules available for the NAS.



Offline

 

#8 2009-09-28 06:24:55

kennedy101
Member
Registered: 2008-09-16
Posts: 48

Re: iptables modules, ip_conntrack and others (ipsec, pptp, etc) on chroot

Ended up loading DD-WRT on a WRT54G-TM (8 meg flash) router with jffs enabled. With openvpn moved to the router, I got all the needed modules for iptables.



Offline

 

#9 2009-12-14 11:45:26

driverom
New member
Registered: 2009-12-14
Posts: 1

Re: iptables modules, ip_conntrack and others (ipsec, pptp, etc) on chroot

The LAN settings from WebAdmin are:
IP 192.168.1.10
MASK 255.255.255.0
GW 192.168.1.1

Commands through the shell (on funplug 0.5):
route delete -net 0.0.0.0 (default route has metric 0)
route add -net 172.20.0.0 netmask 255.255.0.0 gw 192.168.1.2 metric 0
route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.1.1 metric 2

Before the reboot the routes work correctly,
but after rebooting, the DNS-323 routing table returns to "default", with the settings from WebAdmin (default route 192.168.1.1).
How do I save the config through the shell?
(DNS-323, FW 1.07,2xSAMSUNG 1TB [HD103UJ], funplug 0.5)

Last edited by driverom (2009-12-14 11:52:16)

Offline

 
