OpenWrt Forum Archive

Topic: WallWatcher & OpenWRT

The content of this topic has been archived on 31 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Has anyone figured out how to get OpenWRT to work with WallWatcher (www.wallwatcher.com)? I used this program, in conjunction with MyNetWatchman, when I was running HyperWRT on my Linksys WRT54G. I was looking at the config I used with HyperWRT and tried to adapt it to OpenWRT, but I am not having any luck. To get it to work under HyperWRT you have to add some lines to what they call the "Startup" script and the "Firewall" script. I am interpreting the startup script to be equivalent to /etc/init.d/rcS and the firewall script to be equivalent to /etc/firewall.user. Anyway, the HyperWRT startup script looks like this:

sleep 2
/sbin/klogd
/sbin/syslogd -R 192.168.1.12   # this is the IP of the logging PC
echo "#!/bin/sh" > /tmp/loggit.sh
echo "while true" >> /tmp/loggit.sh
echo "/usr/bin/killall -9 klogd" >> /tmp/loggit.sh
echo "sleep 1" >> /tmp/loggit.sh
echo "/sbin/klogd" >> /tmp/loggit.sh
echo "sleep 960" >> /tmp/loggit.sh
echo "done" >> /tmp/loggit.sh
chmod 700 /tmp/loggit.sh

When I try this, though, I get an error saying: "root@OpenWrt:/etc/init.d# /tmp/loggit.sh: 7: Syntax error: "done" unexpected (expecting "do")". The firewall script looks like this:

/usr/sbin/iptables -R INPUT 7 -j logdrop
/usr/sbin/iptables -R INPUT 1 -j logdrop -m state --state INVALID

As I couldn't get the first part to work, I haven't tried adding the second part to firewall.user yet. Anyway, I was just wondering if anyone has got these two working together yet, and if so how. Secondly, if no one has got them working, is there a syntax and/or logic error in the first script?

Sincerely,
Jon

I'm actually working on this myself.  I've found most of the info that I need to make it work, and will be working on it tonight.  Will post back and let you know if I accomplish it, and how.

Woohoo!  Got it working!!!

It takes a script, and slight modifications to your firewall.user file, and one nvram variable.

nvram:

nvram set log_ipaddr=xxx.xxx.xxx.xxx
nvram commit

Here is the script I use (I named it wallwatcherscript, and saved it in /etc)

#!/bin/sh
### file: wallwatcherscript
### The rule positions used with -R below assume the unmodified
### WhiteRussian rc2 /etc/init.d/S45firewall (see the note at the end).
. /etc/functions.sh

WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

### create a chain for logging dropped packets
### (-N fails harmlessly if the chain already exists; -F empties it, so the script can be re-run)
iptables -N LOGDROP
iptables -F LOGDROP

#### log packets and drop them
iptables -A LOGDROP -j LOG --log-level warning --log-prefix 'DROP ' --log-tcp-sequence --log-ip-options --log-tcp-options
iptables -A LOGDROP -j DROP

### create a chain for logging accepted packets
iptables -N LOGACCEPT
iptables -F LOGACCEPT

### log packets and accept them
iptables -A LOGACCEPT -j LOG --log-level warning --log-prefix 'ACCEPT ' --log-tcp-sequence --log-ip-options --log-tcp-options
iptables -A LOGACCEPT -j ACCEPT

### create a chain for logging rejected packets
iptables -N LOGREJECT
iptables -F LOGREJECT

### log packets and reject them (TCP gets a reset, everything else an ICMP port-unreachable)
iptables -A LOGREJECT -j LOG --log-level warning --log-prefix 'WEBDROP ' --log-tcp-sequence --log-ip-options --log-tcp-options
iptables -A LOGREJECT -p tcp -j REJECT --reject-with tcp-reset
iptables -A LOGREJECT -j REJECT --reject-with icmp-port-unreachable

### Replace default rules w/ ones that log where required:
# INPUT table
iptables -R INPUT 1 -m state --state INVALID -j LOGDROP                         #log/drop invalid packets
iptables -R INPUT 3 -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j LOGDROP     #log/drop bad traffic
iptables -R INPUT 6 -p icmp     -j LOGACCEPT                                    #log/accept icmp traffic
iptables -R INPUT 7 -p gre      -j LOGACCEPT                                    #log/accept gre traffic
iptables -R INPUT 8             -j LOGREJECT                                    #log/reject bad traffic

#OUTPUT table
iptables -R OUTPUT 1 -m state --state INVALID -j LOGDROP                        #Log/Drop invalid traffic
iptables -I OUTPUT 4 -o $WAN -j LOGACCEPT                                       #Log traffic from the router to the internet
iptables -R OUTPUT 6 -j LOGREJECT                                               #log/reject rejected(bad) traffic

#FORWARD table
iptables -R FORWARD 1 -m state --state INVALID -j LOGDROP                       #Log/Drop invalid traffic
iptables -R FORWARD 6 -i $LAN -o $WAN -j LOGACCEPT                              #log outgoing traffic from LAN to internet

And the changes to firewall.user are as follows:

1: Add a line to call the script near the beginning of the file (before you define any rules!)
2: Change anyplace that you have '-j ACCEPT' to '-j LOGACCEPT' and '-j DROP' to '-j LOGDROP'

example:

#!/bin/sh
### file: firewall.user
. /etc/functions.sh

WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

#load wallwatcher script
/etc/wallwatcherscript

### BIG FAT DISCLAIMER
### The "-i $WAN" literally means packets that came in over the $WAN interface;
### this WILL NOT MATCH packets sent from the LAN to the WAN address.

### Block ICMP ping
iptables        -A input_rule -i $WAN -p icmp --icmp-type echo-request -j LOGDROP

### Allow SSH from WAN
iptables -t nat -A prerouting_rule -i $WAN -s xxxxx.selfip.org -p tcp --dport 22 -j ACCEPT 
iptables        -A input_rule      -i $WAN -s xxxxx.selfip.org -p tcp --dport 22 -j LOGACCEPT

### Port forwarding
iptables -t nat -A prerouting_rule -i $WAN -s xxxxx.selfip.org -p tcp --dport 3389 -j DNAT --to 192.168.3.101
iptables        -A forwarding_rule -i $WAN -s xxxxxx.selfip.org -p tcp --dport 3389 -d 192.168.3.101 -j LOGACCEPT
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 4662 -j DNAT --to 192.168.3.101
iptables        -A forwarding_rule -i $WAN -p tcp --dport 4662 -d 192.168.3.101 -j LOGACCEPT
iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 9455 -j DNAT --to 192.168.3.101
iptables        -A forwarding_rule -i $WAN -p udp --dport 9455 -d 192.168.3.101 -j LOGACCEPT


### DMZ (should be placed after port forwarding / accept rules)
# iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.2
# iptables        -A forwarding_rule -i $WAN -d 192.168.1.2 -j LOGACCEPT

Do note:
The script alters the original firewall rules where necessary. If you need to restart the user portion of the firewall for any reason, you will have to run /etc/init.d/S45firewall.
ALSO: If you've modified S45firewall from WhiteRussian rc2, this may not work as is!  The rules have to be replaced in the proper places, and if you've changed the rules then these won't be in the right places, and may cause loss of connectivity, cancer, and weight gain.

(Last edited by bmclaughlin807 on 3 Sep 2005, 05:42)
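Once the LOGDROP/LOGACCEPT/LOGREJECT chains are in place, what actually arrives at the logging PC (via klogd and syslogd -R) is the raw netfilter LOG line carrying the 'DROP ', 'ACCEPT ' or 'WEBDROP ' prefix. The script below is an added example and is not code from this thread, from OpenWrt or from WallWatcher: it parses such lines with POSIX sh and awk, counts drops per source address and flags sources that hit several closed ports, over constructed sample lines (the addresses, MACs, interface names and timestamps are invented). The function names parse_nf_log, drop_sources and scan_candidates are mine. It is a cheap way to confirm the prefixes and SRC/DST/PROTO/DPT fields survive the trip to the logging PC before relying on WallWatcher's own parser.

```shell
#!/bin/sh
# Added example: summarise netfilter LOG lines as produced by the LOGDROP,
# LOGACCEPT and LOGREJECT chains in the wallwatcherscript above.
# Only POSIX sh, awk, sort and head are required.

# Constructed sample input in BusyBox syslog/klogd format. All addresses,
# MACs, interfaces and times are made up; none were captured from a router.
SAMPLE_LOG='Sep  3 05:42:10 OpenWrt kernel: DROP IN=vlan1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=45762 DF PROTO=TCP SPT=3140 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  3 05:42:11 OpenWrt kernel: DROP IN=vlan1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=45763 DF PROTO=TCP SPT=3141 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  3 05:42:12 OpenWrt kernel: WEBDROP IN=vlan1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=45764 DF PROTO=TCP SPT=3142 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  3 05:42:13 OpenWrt kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.3.101 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=40112 DPT=53 LEN=40
Sep  3 05:42:14 OpenWrt kernel: DROP IN=vlan1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Sep  3 05:42:15 OpenWrt kernel: DROP IN=vlan1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.77 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=48 ID=9 DF PROTO=TCP SPT=51022 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# Read syslog lines on stdin; for every kernel LOG line with one of the three
# prefixes print: PREFIX SRC DST PROTO DPT  (a "-" marks a field that is absent,
# e.g. DPT on ICMP). Lines without a known prefix are ignored.
parse_nf_log() {
    awk '
    /kernel: (DROP|ACCEPT|WEBDROP) IN=/ {
        for (i = 1; i <= NF; i++) if ($i == "kernel:") { prefix = $(i + 1); break }
        src = dst = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        print prefix, src, dst, proto, dpt
    }'
}

# Count dropped and rejected packets per source address, busiest first.
# Output: COUNT SRC
drop_sources() {
    parse_nf_log \
        | awk '$1 == "DROP" || $1 == "WEBDROP" { n[$2]++ } END { for (s in n) print n[s], s }' \
        | sort -rn
}

# Crude port-scan indicator: sources whose dropped/rejected packets touched at
# least $1 distinct destination ports (default 3). Output: SRC PORTCOUNT
scan_candidates() {
    thr=${1:-3}
    parse_nf_log | awk -v thr="$thr" '
        ($1 == "DROP" || $1 == "WEBDROP") && $5 != "-" { seen[$2 SUBSEP $5] = 1 }
        END {
            for (k in seen) { split(k, p, SUBSEP); ports[p[1]]++ }
            for (s in ports) if (ports[s] >= thr) print s, ports[s]
        }'
}

# Stand-alone demo over the constructed sample.
echo "drops per source:"
printf '%s\n' "$SAMPLE_LOG" | drop_sources
echo "sources hitting 3+ closed ports:"
printf '%s\n' "$SAMPLE_LOG" | scan_candidates 3
```

On the logging PC, replace the sample with the file your syslog daemon writes the router's remote messages to (for example `drop_sources < /var/log/messages`). If `parse_nf_log` prints nothing for lines you know were dropped, the prefix did not survive: check that klogd is running on the router and that the rule actually jumps to LOGDROP rather than plain DROP.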

Great job bmclaughlin807!

It is now working for me as well. I had to reboot the router to get WallWatcher to start receiving data, but that was the only difference. Oh, in case there are other Linux newbies out there (like me ;-) don't forget to "chmod 755 /etc/wallwatcherscript" so that it will execute.

Thanks Again,
Jon

Heh... yeah, that.  I'm a linux noob too!  This involved over a week of research, as well as a lot of trial and error on my part to get it working.

Anyway, enjoy.

AzCowboy

Hey bmclaughlin807,
You ought to publish this as a mini how-to and put it in the wiki

Jon

I'm looking into doing this a different way.  This makes the serial console virtually useless because of all the logged messages.  So if you have to use the serial console to debug it becomes VERY difficult.

The discussion might have continued from here.