On Fri, 2005-02-04 at 02:49 -0700, Lee Einer wrote:
>
> Craig White wrote:
>
> >On Thu, 2005-02-03 at 21:09 -0700, Lee Einer wrote:
> >
> >
> >>Craig White wrote:
> >>
> >>
> >>
> >>>On Thu, 2005-02-03 at 20:16 -0700, Lee Einer wrote:
> >>>
> >>>
> >>>
> >>>
> >>>>Done. Pinged Mepisbox. No packets returned. Mepisbox pings Mandrakebox
> >>>>just fine. Stopping iptables at mepisbox returns message
> >>>>
> >>>> Aborting iptables load: unknown ruleset, "inactive."
> >>>>
> >>>>I don't know if that is a good thing or a bad thing. It does not get the
> >>>>ping going, though.
> >>>>
> >>>>I have connectivity through both computers to the router, and through
> >>>>the router to the internet. The connection for the Mepis laptop is
> >>>>wireless- is this at the root of the issue?
> >>>>
> >>>>
> >>>>
> >>>>
> >>>----
> >>>it might very well be...
> >>>
> >>>The wireless access point - does it have some security setting on it to
> >>>prevent wireless users from accessing other parts of the LAN? - does it
> >>>put wireless users in a DMZ ?
> >>>
> >>>Question if you do (on both machines):
> >>>#route -n
> >>>Kernel IP routing table
> >>>Destination Gateway Genmask Flags Metric Ref Use Iface
> >>>192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> >>>169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
> >>>0.0.0.0 192.168.0.254 0.0.0.0 UG 0 0 0 eth0
> >>>
> >>>do they look like above?
> >>>
> >>>
> >>>
> >>close. They both have the same gateway address, and both can ping it.
> >>Line 2 on Mandrake box has different Iface and Genmask -127.0.0.0 and
> >>255.0.0.0 respectively. Mepis box has two lines
> >>
> >>Destination Gateway Genmask
> >>192.168.0.0 0.0.0.0 255.255.255.0 ath0
> >>0.0.0.0 192.168.0.1 0.0.0.0 ath0
> >>
> >>
> >>
> >-----
> >OK - well let's evaluate my assumptions then...
> >
> >You have something like a Netgear Wireless Router (I think they use the
> >192.168.0.0 network) or perhaps one of the newer Qwest supplied
> >Actiontec dsl modem/routers with wireless and your Mandrake box connects
> >with a cable to one of the LAN ports and the Mepisbox (your laptop)
> >connects to this same router via wireless.
> >
> >With this assumption (brand accuracy not important), then they are both
> >'pinging' the same gateway - 192.168.0.1
> >
> >With this assumption, from the Mepisbox, you should be able to ping
> >192.168.0.100 as well as 192.168.0.1 unless there is a firewall on the
> >Mandrakebox. If not, then on the Mandrakebox, type 'iptables -L' and
> >post the results
> >
> >With this assumption, from the Mandrakebox, you should be able to ping
> >192.168.0.101 as well as 192.168.0.1 unless there is a firewall on the
> >Mepisbox. If not, then on the Mepisbox, type 'iptables -L' and post the
> >results
> >
> This is the case. Here is the output of iptables -L from the Mepisbox-
>
> Chain INPUT (policy DROP)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- mepisbox 192.168.0.255
> logaborted tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp flags:RST/RST
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
> ACCEPT icmp -- anywhere anywhere icmp time-exceeded
> ACCEPT icmp -- anywhere anywhere icmp parameter-problem
> nicfilt all -- anywhere anywhere
> srcfilt all -- anywhere anywhere
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
> ACCEPT icmp -- anywhere anywhere icmp time-exceeded
> ACCEPT icmp -- anywhere anywhere icmp parameter-problem
> srcfilt all -- anywhere anywhere
>
> Chain OUTPUT (policy DROP)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
> ACCEPT icmp -- anywhere anywhere icmp time-exceeded
> ACCEPT icmp -- anywhere anywhere icmp parameter-problem
> s1 all -- anywhere anywhere
>
> Chain f0to1 (3 references)
> target prot opt source destination
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:6881:6889 state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ipp state NEW
> ACCEPT udp -- anywhere anywhere udp dpt:ipp
> ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds state NEW
> ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ns state NEW
> ACCEPT udp -- anywhere anywhere udp spts:1024:65535 dpt:netbios-ns
> ACCEPT udp -- anywhere anywhere udp spt:netbios-ns dpt:netbios-ns
> ACCEPT udp -- anywhere anywhere udp spts:1024:65535 dpt:netbios-dgm
> ACCEPT udp -- anywhere anywhere udp spt:netbios-dgm dpt:netbios-dgm
> ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn state NEW
> ACCEPT udp -- anywhere anywhere udp spts:1024:65535 dpt:netbios-ssn
> ACCEPT icmp -- anywhere anywhere icmp source-quench
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:www state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:webcache state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:8008 state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:8000 state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:8888 state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:6969 state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:6881:6889 state NEW
> ACCEPT udp -- anywhere anywhere udp dpts:6970:7170
> ACCEPT udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:5999
> ACCEPT udp -- anywhere anywhere udp spt:netbios-ns dpt:netbios-ns
> ACCEPT udp -- anywhere anywhere udp spt:netbios-dgm dpt:netbios-dgm
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:65535 state NEW
> ACCEPT icmp -- anywhere anywhere icmp echo-reply
> logdrop all -- anywhere anywhere
>
> Chain f0to2 (1 references)
> target prot opt source destination
> logdrop all -- anywhere anywhere
>
> Chain f1to0 (1 references)
> target prot opt source destination
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpts:6881:6889 state NEW
> ACCEPT udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535
> ACCEPT udp -- anywhere anywhere udp spt:netbios-ns dpt:netbios-ns
> ACCEPT udp -- anywhere anywhere udp spt:netbios-dgm dpt:netbios-dgm
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:ftp state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:xmpp-client state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpts:6881:6889 state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:1863 state NEW
> ACCEPT tcp -- anywhere anywhere tcp dpt:554 state NEW
> ACCEPT tcp -- anywhere anywhere tcp dpt:7070 state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:ipp state NEW
> ACCEPT udp -- anywhere anywhere udp dpt:ipp
> ACCEPT udp -- anywhere anywhere udp dpt:3478
> ACCEPT tcp -- anywhere anywhere tcp dpt:kerberos state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:https state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:imaps state NEW
> ACCEPT tcp -- anywhere anywhere tcp dpt:3030 state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:rsync state NEW
> ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds state NEW
> ACCEPT tcp -- anywhere anywhere tcp dpt:gnutella-svc state NEW
> ACCEPT tcp -- anywhere anywhere tcp dpt:8765 state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:8880 state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:ssh state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:0:1023 dpt:ssh state NEW
> ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ns state NEW
> ACCEPT udp -- anywhere anywhere udp spts:1024:5999 dpt:netbios-ns
> ACCEPT udp -- anywhere anywhere udp spt:netbios-ns dpt:netbios-ns
> ACCEPT udp -- anywhere anywhere udp spts:1024:5999 dpt:netbios-dgm
> ACCEPT udp -- anywhere anywhere udp spt:netbios-dgm dpt:netbios-dgm
> ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn state NEW
> ACCEPT udp -- anywhere anywhere udp spts:1024:5999 dpt:netbios-ssn
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpts:5190:5193 state NEW
> ACCEPT udp -- anywhere anywhere udp spts:1024:5999 dpts:5190:5193
> ACCEPT udp -- anywhere anywhere udp dpts:33434:33600
> ACCEPT udp -- anywhere anywhere udp dpt:ntp
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:pop3s state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:5050 state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:telnet state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpts:5000:5001 state NEW
> ACCEPT udp -- anywhere anywhere udp spts:1024:5999 dpt:5000
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:dict state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:1723 state NEW
> ACCEPT gre -- anywhere anywhere
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:whois state NEW
> ACCEPT udp -- anywhere anywhere udp dpt:43
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:nntp state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:imap2 state NEW
> ACCEPT udp -- anywhere anywhere udp dpt:imap2
> ACCEPT udp -- anywhere anywhere udp dpt:4000
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:65535 state NEW
> ACCEPT tcp -- anywhere anywhere tcp dpt:ldap state NEW
> ACCEPT tcp -- anywhere anywhere tcp dpt:522 state NEW
> ACCEPT tcp -- anywhere anywhere tcp dpt:1503 state NEW
> ACCEPT tcp -- anywhere anywhere tcp dpt:1720 state NEW
> ACCEPT tcp -- anywhere anywhere tcp dpt:1731 state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpts:1024:65535 state NEW
> ACCEPT udp -- anywhere anywhere udp spts:1024:5999 dpts:1024:65535
> ACCEPT icmp -- anywhere anywhere icmp echo-request
> ACCEPT icmp -- anywhere anywhere icmp source-quench
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:smtp state NEW
> ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW
> ACCEPT udp -- anywhere anywhere udp dpt:domain
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:www state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:webcache state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:8008 state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:8000 state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:8888 state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpts:6660:6669 state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:6969 state NEW
> ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:pop3 state NEW
> logdrop all -- anywhere anywhere
>
> Chain f1to2 (1 references)
> target prot opt source destination
> logdrop all -- anywhere anywhere
>
> Chain f2to0 (1 references)
> target prot opt source destination
> logdrop all -- anywhere anywhere
>
> Chain f2to1 (3 references)
> target prot opt source destination
> logdrop all -- anywhere anywhere
>
> Chain logaborted (1 references)
> target prot opt source destination
> logaborted2 all -- anywhere anywhere limit: avg 1/sec burst 10
> LOG all -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
>
> Chain logaborted2 (1 references)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `ABORTED '
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
>
> Chain logdrop (8 references)
> target prot opt source destination
> logdrop2 all -- anywhere anywhere
>
> Chain logdrop2 (1 references)
> target prot opt source destination
> DROP all -- anywhere anywhere
>
> Chain logreject (0 references)
> target prot opt source destination
> logreject2 all -- anywhere anywhere
>
> Chain logreject2 (1 references)
> target prot opt source destination
> REJECT tcp -- anywhere anywhere reject-with tcp-reset
> REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
> DROP all -- anywhere anywhere
>
> Chain nicfilt (1 references)
> target prot opt source destination
> RETURN all -- anywhere anywhere
> RETURN all -- anywhere anywhere
> RETURN all -- anywhere anywhere
> logdrop all -- anywhere anywhere
>
> Chain s0 (1 references)
> target prot opt source destination
> f0to1 all -- anywhere mepisbox
> f0to1 all -- anywhere 192.168.0.255
> f0to1 all -- anywhere mepisbox
> f0to2 all -- anywhere 12.168.0.100
> logdrop all -- anywhere anywhere
>
> Chain s1 (1 references)
> target prot opt source destination
> f1to2 all -- anywhere 12.168.0.100
> f1to0 all -- anywhere anywhere
>
> Chain s2 (1 references)
> target prot opt source destination
> f2to1 all -- anywhere mepisbox
> f2to1 all -- anywhere 192.168.0.255
> f2to1 all -- anywhere mepisbox
> f2to0 all -- anywhere anywhere
>
> Chain srcfilt (2 references)
> target prot opt source destination
> s2 all -- 12.168.0.100 anywhere
> s0 all -- anywhere anywhere
----
Wow - don't know where to fix this. You must be using some utility to
create this - does Mepis create complex tables such as this by default?

My first thought is that there is a switch to turn this off for testing
and back on again - and then a 'configuration' utility to allow for
adding new ports.

A very quick check in forums at Mepis shows two common utilities, Guarddog
and Firestarter. My guess is that you are using Guarddog.

From Mepis Documentation Wiki:

What is Guarddog? From the website:

Guarddog is a firewall configuration utility for Linux systems. Guarddog
is aimed at two groups of users. Novice to intermediate users who are
not experts in TCP/IP networking and security, and those users who don't
want the hassle of dealing with cryptic shell scripts and
ipchains/iptables parameters.

Main Menu --> System --> Security --> Guarddog

Can you get there and turn it off momentarily?

Then you should be able to ping the Mepisbox from the Mandrakebox.

Then I suppose you could allow NFS (port 2049) from 192.168.0.100.

Perhaps something similar going on in Mandrakebox (firewall)
----
>
>
> The router is a D-Link DI 624. I will be reviewing the manual later in
> the morning also. Hope this isn't one of those cases where RTFM would
> have been the correct response.
----
I think you can spare yourself some reading effort here...problem seems
to be firewall
;-)
Craig
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
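
Added example (not part of the original message, and not Guarddog's own code): a small Python model of how a packet walks the chains in the Mepisbox listing above, showing why a new echo-request from the Mandrakebox ends in DROP while replies to the Mepisbox's own pings are accepted. It assumes Mepisbox is 192.168.0.101 and Mandrakebox is 192.168.0.100 as in the thread, that the match-all ACCEPT at the top of INPUT and the nicfilt RETURN rules are interface matches hidden by plain `iptables -L`, and it keeps only the rules that can match ICMP.

```python
# Constructed subset of the Mepisbox `iptables -L` listing: only rules that can
# match an ICMP packet arriving from the LAN. Assumptions: mepisbox is
# 192.168.0.101; the first match-all ACCEPT in INPUT is bound to loopback and
# nicfilt RETURNs for the wireless NIC (plain -L hides -i/-o), so both are omitted.
MEPISBOX, MANDRAKEBOX = "192.168.0.101", "192.168.0.100"
CHAINS = {
    "INPUT": [("ACCEPT", {"state": "ESTABLISHED"}),
              ("ACCEPT", {"icmp": "destination-unreachable"}),
              ("ACCEPT", {"icmp": "time-exceeded"}),
              ("ACCEPT", {"icmp": "parameter-problem"}),
              ("srcfilt", {})],
    # Source address exactly as listed; it does not equal MANDRAKEBOX.
    "srcfilt": [("s2", {"src": "12.168.0.100"}), ("s0", {})],
    "s0": [("f0to1", {"dst": MEPISBOX}), ("f0to1", {"dst": "192.168.0.255"}),
           ("f0to2", {"dst": "12.168.0.100"}), ("logdrop", {})],
    "s2": [("f2to1", {"dst": MEPISBOX}), ("f2to1", {"dst": "192.168.0.255"}),
           ("f2to0", {})],
    "f0to1": [("ACCEPT", {"icmp": "source-quench"}),
              ("ACCEPT", {"icmp": "echo-reply"}), ("logdrop", {})],
    "f0to2": [("logdrop", {})], "f2to0": [("logdrop", {})],
    "f2to1": [("logdrop", {})],
    "logdrop": [("logdrop2", {})], "logdrop2": [("DROP", {})],
}
INPUT_POLICY = "DROP"

def walk(chain, pkt, path):
    """Return ACCEPT/DROP if a rule decides, None if the chain falls through."""
    path.append(chain)
    for target, match in CHAINS[chain]:
        if any(pkt.get(key) != want for key, want in match.items()):
            continue                      # rule does not match, try the next one
        if target in ("ACCEPT", "DROP"):
            path.append(target)
            return target
        result = walk(target, pkt, path)  # jump into a user-defined chain
        if result:
            return result
    return None

def input_verdict(pkt):
    """Verdict and chain path for a packet entering INPUT on the Mepisbox."""
    path = []
    return walk("INPUT", pkt, path) or INPUT_POLICY, path

def icmp(kind, state, src=MANDRAKEBOX):
    return {"src": src, "dst": MEPISBOX, "icmp": kind, "state": state}

if __name__ == "__main__":
    for pkt in (icmp("echo-request", "NEW"), icmp("echo-reply", "ESTABLISHED")):
        print(pkt["icmp"], *input_verdict(pkt))
```

The printed path shows that f0to1 accepts echo-reply and source-quench but has no echo-request rule, so an inbound ping falls through to logdrop.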