Re: [Dorset] Query about iptables

2022-03-28 Thread Terry Coles
On Monday, 28 March 2022 21:41:16 BST Patrick Wigmore wrote:
> And is this borne out in the testing? Does the Visitor's device get
> issued with an address in the expected range under both the working
> and non-working scenarios? Does it also get told about the same DNS
> server and default gateway (if any) in each case?

Yes.  In both scenarios the Visitor's device gets an IP Address and is told 
about the DNS Server and default gateway, which is the Webserver.  What 
doesn't work is the script that points the Visitor's Web Browser to the landing 
Page.

Since I originally posted this, things have moved on.  Yesterday I experienced 
several instances where the system worked with the link to the VPN Server 
connected and a couple when it didn't when it wasn't.  I've been in contact 
with the author of pistrong and he got me to capture some Webserver data in 
both scenarios and we both came to the conclusion that the link to the VPN 
Server was a red herring; the problem lies with nodogsplash.

This used to occur very rarely in the original installation (including before 
the VPN Server went in), but now it seems to be worse.  That is what I am 
looking at now.

> Does the Visitor's device obtain any unintended Internet access at
> all?

No.  The only Internet access is in the initial stage when requests from the 
client devices to certain Google Servers are passed on to allow the device to 
'see' the WiFi Network as a valid network and not a walled garden.  Once the 
connection is established the Visitor's device is issued with a token 
which provides access to the WMT content, but blocks access to the Internet.

-- 
Terry Coles



-- 
  Next meeting: Online, Jitsi, Tuesday, 2022-05-04 20:00
  Check to whom you are replying
  Meetings, mailing list, IRC, ...  http://dorset.lug.org.uk
  New thread, don't hijack:  mailto:dorset@mailman.lug.org.uk


Re: [Dorset] Query about iptables

2022-03-28 Thread Patrick Wigmore
On Sun, 27 Mar 2022 16:13:49 +0100, Terry Coles wrote:
> On Sunday, 27 March 2022 16:07:30 BST Patrick Wigmore wrote:
> > What is the IP address of the user's device, and how does it get
> > allocated to that device?
> 
> The Webserver is also a DHCP Server and a DNS Server.  The bottom
> 100 addresses are reserved for devices that are permanently
> connected, eg river system etc.  The top 100 or so addresses are
> allocated to a user (eg a Visitor) by the DHCP Server.  As soon as
> the user's device is connected to the WiFi network, nodogsplash
> routes his browser to the Webserver.
> 
> In other words, when a Visitor connects to the site WiFi he gets a
> landing page on his device which allows him to choose the content
> he wishes to view.

And is this borne out in the testing? Does the Visitor's device get 
issued with an address in the expected range under both the working 
and non-working scenarios? Does it also get told about the same DNS 
server and default gateway (if any) in each case?

Does the Visitor's device obtain any unintended Internet access at 
all?

Patrick





Re: [Dorset] Query about iptables

2022-03-27 Thread Terry Coles
On Sunday, 27 March 2022 16:07:30 BST Patrick Wigmore wrote:
> What is the IP address of the user's device, and how does it get
> allocated to that device?

The Webserver is also a DHCP Server and a DNS Server.  The bottom 100 
addresses are reserved for devices that are permanently connected, eg river 
system etc.  The top 100 or so addresses are allocated to a user (eg a 
Visitor) by the DHCP Server.  As soon as the user's device is connected to the 
WiFi network, nodogsplash routes his browser to the Webserver.

In other words, when a Visitor connects to the site WiFi he gets a landing 
page on his device which allows him to choose the content he wishes to view.

-- 
Terry Coles





Re: [Dorset] Query about iptables

2022-03-27 Thread Patrick Wigmore
On Sun, 27 Mar 2022 10:48:00 +0100, Terry Coles wrote:
> Recently, we discovered a problem with the Webserver; it no longer
> served up Webpages!  I brought the Webserver hardware home and
> connected it to a reference model of the VPN Server and a
> representative site WiFi Antenna with a couple of switches.  I've
> posted a diagram at:
> 
> https://hadrian-way.co.uk/Misc/VPN_Network_Configuration.pdf
> 
> What I have discovered is that the system works if I disconnect the
> VPN Server from the 5-port switch at the server, but not if I
> disconnect the Webserver from the 5-port Switch.  I think that is
> because when the user uses his device to connect to the WiFi
> Antenna, nodogsplash detects this and that obviously needs a
> connection to the Antenna.

What is the IP address of the user's device, and how does it get 
allocated to that device?

Patrick





Re: [Dorset] Query about iptables

2022-03-27 Thread Terry Coles
On Sunday, 27 March 2022 14:27:31 BST Hamish McIntyre-Bhatty wrote:
> There's not much risk messing with iptables settings because unless you
> save them, they won't persist over a reboot anyway. If in doubt, just
> image the SD card first so you can restore it if anything goes wrong :)

Perhaps I should rephrase my query.  I don't want to mess anything up without 
realising at the time.  Clearly, the new VPN Server that was deployed in 
January messed something up, but I've only just realised it.

Reviewing the posts on the Forum, we started having problems back then, but I 
put it down to the lack of the Big Switch on the network.

-- 
Terry Coles





Re: [Dorset] Query about iptables

2022-03-27 Thread Hamish McIntyre-Bhatty

On 27/03/2022 13:16, Terry Coles wrote:
> On Sunday, 27 March 2022 13:11:31 BST Hamish McIntyre-Bhatty wrote:
> > The VPN server doesn't have any rules defined at all, so I'm struggling
> > to see how it could be interfering with the Webserver.
>
> Being pernickety, the VPN Server does have some rules, they just don't filter
> anything.
>
> > What happens if you have the webserver plugged in and only plug the VPN
> > server into one side of the simulated network? eg just the office side
> > or just the guest network side?
>
> The Webserver works.
>
> As mentioned, I think I could add a rule or rules to the VPN Server to
> selectively block traffic to and from the Webserver, but I don't want to mess
> anything up.

Interesting. Although, the VPN Server isn't used to connect to the 
webserver, so that shouldn't have any effect AFAIUI.

There's not much risk messing with iptables settings because unless you 
save them, they won't persist over a reboot anyway. If in doubt, just 
image the SD card first so you can restore it if anything goes wrong :)


Hamish





Re: [Dorset] Query about iptables

2022-03-27 Thread Terry Coles
On Sunday, 27 March 2022 13:11:31 BST Hamish McIntyre-Bhatty wrote:
> The VPN server doesn't have any rules defined at all, so I'm struggling
> to see how it could be interfering with the Webserver.

Being pernickety, the VPN Server does have some rules, they just don't filter 
anything.

> What happens if you have the webserver plugged in and only plug the VPN
> server into one side of the simulated network? eg just the office side
> or just the guest network side?

The Webserver works.

As mentioned, I think I could add a rule or rules to the VPN Server to 
selectively block traffic to and from the Webserver, but I don't want to mess 
anything up.

-- 
Terry Coles





Re: [Dorset] Query about iptables

2022-03-27 Thread Terry Coles
On Sunday, 27 March 2022 13:00:51 BST Hamish McIntyre-Bhatty wrote:
> iptables is a firewall so anything using that is definitely running a
> firewall.

From the iptables entry on Wikipedia:

iptables is a user-space utility program that allows a system administrator to 
configure the IP packet filter rules of the Linux kernel firewall, implemented 
as different Netfilter modules. The filters are organized in different tables, 
which contain chains of rules for how to treat network traffic packets. 

I think that means that iptables is the means to manipulate the firewall that 
already exists (albeit with no rules that block anything by default).  I know 
that it is often thought of as being the firewall, but it's not, it's just 
another way to create the blocks and filters.

-- 
Terry Coles
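A small checker for the kind of question argued over in the thread, both the "iptables is the means to manipulate the firewall that already exists" point above and the earlier remark that the VPN Server "does have some rules, they just don't filter anything": it parses iptables-save text and reports whether any chain policy or rule target can actually discard packets, and which rules touch a given host or interface. This is an added example, not code from the thread or from nodogsplash or pistrong; the two dumps are constructed samples rather than the rule files linked in the thread, and 192.168.1.10, wlan0, 10.8.0.0/24 and port 2050 are assumed values.

```python
import re
# Targets that discard a packet outright (DNAT, RETURN, MASQUERADE etc. do not).
BLOCKING_TARGETS = {"DROP", "REJECT"}

def parse_iptables_save(text):
    """Parse iptables-save text into {table: {"policies": {...}, "rules": [...]}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # comments and blank lines
        if line.startswith("*"):           # "*filter": start of a table
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line.startswith(":") and table:
            # ":CHAIN POLICY [pkts:bytes]"; user-defined chains show "-"
            chain, policy = line[1:].split()[:2]
            tables[table]["policies"][chain] = policy
        elif line.startswith("-A") and table:
            tables[table]["rules"].append((line.split()[1], line))
    return tables                          # COMMIT lines are simply skipped

def filters_anything(tables):
    """True if a built-in chain policy or any rule target can discard packets."""
    for t in tables.values():
        if BLOCKING_TARGETS & set(t["policies"].values()):
            return True
        for _chain, rule in t["rules"]:
            m = re.search(r"-j\s+(\S+)", rule)
            if m and m.group(1) in BLOCKING_TARGETS:
                return True
    return False

def rules_mentioning(tables, needle):
    """Every (table, chain, rule) whose text contains needle: a host, subnet or interface."""
    return [(name, chain, rule) for name, t in tables.items()
            for chain, rule in t["rules"] if needle in rule]

# Constructed samples, not the rulesets posted in the thread.
VPN_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
COMMIT
"""
WEB_DUMP = """\
*nat
:CAPTIVE - [0:0]
-A PREROUTING -i wlan0 -p tcp --dport 80 -j CAPTIVE
-A CAPTIVE -d 192.168.1.10 -j RETURN
-A CAPTIVE -p tcp -j DNAT --to-destination 192.168.1.10:2050
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i wlan0 -d 192.168.1.10 -j ACCEPT
-A FORWARD -i wlan0 -j REJECT
COMMIT
"""
```

Run it against `sudo iptables-save` output from each box: a ruleset like VPN_DUMP reports that nothing is filtered, while the captive-portal style WEB_DUMP is flagged by its FORWARD DROP policy and REJECT rule.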





Re: [Dorset] Query about iptables

2022-03-27 Thread Hamish McIntyre-Bhatty

On 27/03/2022 13:07, Terry Coles wrote:
> On Sunday, 27 March 2022 13:00:51 BST Hamish McIntyre-Bhatty wrote:
> > Can you confirm that the ufw command doesn't return any information?
>
> Yes.  AIUI, ufw is simply a means to construct a firewall by manipulating
> iptables rules.  I suspect that the authors of strongSwan and nodogsplash
> simply wrote the rules by hand.

Yes you're absolutely right, I just wanted to be sure.

The VPN server doesn't have any rules defined at all, so I'm struggling 
to see how it could be interfering with the Webserver.

I need to look up some iptables stuff to make sense of it, but this is 
definitely perplexing.

What happens if you have the webserver plugged in and only plug the VPN 
server into one side of the simulated network? eg just the office side 
or just the guest network side?


Hamish




Re: [Dorset] Query about iptables

2022-03-27 Thread Terry Coles
On Sunday, 27 March 2022 13:00:51 BST Hamish McIntyre-Bhatty wrote:
> Can you confirm that the ufw command doesn't return any information?

Yes.  AIUI, ufw is simply a means to construct a firewall by manipulating 
iptables rules.  I suspect that the authors of strongSwan and nodogsplash 
simply wrote the rules by hand.


-- 
Terry Coles





Re: [Dorset] Query about iptables

2022-03-27 Thread Hamish McIntyre-Bhatty

On 27/03/2022 11:21, Terry Coles wrote:
> On Sunday, 27 March 2022 10:55:55 BST Hamish McIntyre-Bhatty wrote:
> > I find this difficult to understand - these systems should operate
> > independently IIRC, especially seeing as they both have their own
> > independent physical cables to both sides of the network.
>
> I can't understand it either, unless the system has somehow got conflicting
> routes that confuse nodogsplash.

I wonder. When I find some time I will read up on how nodogsplash works. 
In the meantime, hopefully a quick review of the firewall rules will help.

> > I think it might be useful if you post the rules. There are some tweaks
> > I'm meant to make to the firewall configuration at some point anyway, so
> > I might as well familiarise myself with them.
>
> The VPN Server's rules are pretty simple, but the Webserver has a massive
> ruleset:
>
> https://hadrian-way.co.uk/Misc/VPN_Server_iptables_Rules.txt
>
> https://hadrian-way.co.uk/Misc/Webserver_iptables_Rules.txt
>
> > NB: "sudo ufw status numbered" may also be useful if UFW was used to
> > configure the firewall.
>
> There is no firewall in the sense normally understood.  The VPN Server relies
> on seeing the correct User CERT to allow the traffic and the Webserver has the
> rules above (I suppose that would be considered a firewall).
>
> Neither device uses ufw.

iptables is a firewall so anything using that is definitely running a 
firewall.

Can you confirm that the ufw command doesn't return any information?

Hamish




Re: [Dorset] Query about iptables

2022-03-27 Thread Terry Coles
On Sunday, 27 March 2022 10:55:55 BST Hamish McIntyre-Bhatty wrote:
> I find this difficult to understand - these systems should operate
> independently IIRC, especially seeing as they both have their own
> independent physical cables to both sides of the network.

I can't understand it either, unless the system has somehow got conflicting 
routes that confuse nodogsplash.

> I think it might be useful if you post the rules. There are some tweaks
> I'm meant to make to the firewall configuration at some point anyway, so
> I might as well familiarise myself with them.

The VPN Server's rules are pretty simple, but the Webserver has a massive 
ruleset:

https://hadrian-way.co.uk/Misc/VPN_Server_iptables_Rules.txt

https://hadrian-way.co.uk/Misc/Webserver_iptables_Rules.txt

> NB: "sudo ufw status numbered" may also be useful if UFW was used to
> configure the firewall.

There is no firewall in the sense normally understood.  The VPN Server relies 
on seeing the correct User CERT to allow the traffic and the Webserver has the 
rules above (I suppose that would be considered a firewall).

Neither device uses ufw.

-- 
Terry Coles





Re: [Dorset] Query about iptables

2022-03-27 Thread Hamish McIntyre-Bhatty

Hi Terry,

I find this difficult to understand - these systems should operate 
independently IIRC, especially seeing as they both have their own 
independent physical cables to both sides of the network.


I think it might be useful if you post the rules. There are some tweaks 
I'm meant to make to the firewall configuration at some point anyway, so 
I might as well familiarise myself with them.


NB: "sudo ufw status numbered" may also be useful if UFW was used to 
configure the firewall.


Hamish

On 27/03/2022 10:48, Terry Coles wrote:
> Hi,
>
> Some of you may remember my earlier queries about setting up a Webserver and
> more latterly a VPN Server for the Wimborne Model Town.  All this has worked
> fine through last Summer.
>
> Over the Winter Maintenance Period, I upgraded the VPN Server to the latest
> Version of RPi OS and pistrong (swanStrong) and after a few issues was able to
> redeploy the server in January this year.  We didn't notice any other issues
> until recently, mainly because the whole network had been rendered
> dysfunctional while the main Network Switch was removed for refurbishment of
> the area around its location.
>
> Recently, we discovered a problem with the Webserver; it no longer served up
> Webpages!  I brought the Webserver hardware home and connected it to a
> reference model of the VPN Server and a representative site WiFi Antenna with
> a couple of switches.  I've posted a diagram at:
>
> https://hadrian-way.co.uk/Misc/VPN_Network_Configuration.pdf
>
> What I have discovered is that the system works if I disconnect the VPN Server
> from the 5-port switch at the server, but not if I disconnect the Webserver
> from the 5-port Switch.  I think that is because when the user uses his device
> to connect to the WiFi Antenna, nodogsplash detects this and that obviously
> needs a connection to the Antenna.
>
> I'm assuming that I should be able to fix this by dropping the connections at
> the VPN Server to the Webserver or vice versa.  However, both devices have
> extensive iptables rules set up which I really don't understand, so before I
> write off to the authors of nodogsplash and / or pistrong can anyone shed any
> light on what is happening and how to fix it?
>
> I can post the rules from the two devices if it helps.





[Dorset] Query about iptables

2022-03-27 Thread Terry Coles
Hi,

Some of you may remember my earlier queries about setting up a Webserver and 
more latterly a VPN Server for the Wimborne Model Town.  All this has worked 
fine through last Summer.

Over the Winter Maintenance Period, I upgraded the VPN Server to the latest 
Version of RPi OS and pistrong (swanStrong) and after a few issues was able to 
redeploy the server in January this year.  We didn't notice any other issues 
until recently, mainly because the whole network had been rendered 
dysfunctional while the main Network Switch was removed for refurbishment of 
the area around its location.

Recently, we discovered a problem with the Webserver; it no longer served up 
Webpages!  I brought the Webserver hardware home and connected it to a 
reference model of the VPN Server and a representative site WiFi Antenna with 
a couple of switches.  I've posted a diagram at:

https://hadrian-way.co.uk/Misc/VPN_Network_Configuration.pdf

What I have discovered is that the system works if I disconnect the VPN Server 
from the 5-port switch at the server, but not if I disconnect the Webserver 
from the 5-port Switch.  I think that is because when the user uses his device 
to connect to the WiFi Antenna, nodogsplash detects this and that obviously 
needs a connection to the Antenna.

I'm assuming that I should be able to fix this by dropping the connections at 
the VPN Server to the Webserver or vice versa.  However, both devices have 
extensive iptables rules set up which I really don't understand, so before I 
write off to the authors of nodogsplash and / or pistrong can anyone shed any 
light on what is happening and how to fix it?

I can post the rules from the two devices if it helps.

-- 
Terry Coles


