[Chilli] Crazy TCP resets when CoovaChilli is enabled (UAM redirection problem)
Yuh-Rong Leu
yuhrong.leu at gmail.com
Wed May 4 10:06:17 UTC 2011
Please see the attached firewall rules (firewall.txt) and iptables dump
(iptables.txt).
Yuh-Rong Leu
2011/5/4 David Bird <david at coova.com>
> Hi, after your change, do you see duplicate packets on the dhcpif
> interface? What do your iptables rules look like? My suspicion is that
> both the kernel and chilli are forwarding packets off of the dhcpif ... In
> iptables, you should have a DROP for the FORWARD coming in from the dhcpif.
>
> --
> David Bird
> Coova Technologies, LLC
>
> On Apr 27, 2011, at 4:33 PM, Yuh-Rong Leu <yuhrong.leu at gmail.com> wrote:
>
> I found the root cause of the crazy TCP reset messages.
>
> In dhcp.c, the dhcp_data_req() function calls dhcp_undoDNAT with the
> do_reset parameter set to 1 when authstate == DHCP_AUTH_DNAT (at around
> line# 4074). Therefore, crazy TCP reset messages will be sent inside
> dhcp_undoDNAT.
>
> After the code is changed to use 0 for the do_reset parameter when calling
> dhcp_undoDNAT, the problem goes away, and Web redirection works well when
> triggering any URL on any browser.
>
> Yuh-Rong Leu
>
>
>
> 2011/4/26 Yuh-Rong Leu <yuhrong.leu at gmail.com>
>
>> Web redirection doesn't work stably with my CoovaChilli/OpenWrt box. Here
>> are the test results:
>>
>> If the browser home page is set to http://www.google.com:
>> - IE9 is seldom redirected to the welcome/login page
>> - Chrome 10 is redirected to the welcome/login page most of the time.
>> - Firefox 4 is redirected to the welcome/login page most of the time.
>>
>> If the browser home page is set to http://www.microsoft.com:
>> - Redirection works quite fine with all kinds of browsers.
>>
>> If the browser home page is set to http://www.apple.com or
>> http://www.bing.com:
>> - Redirection does not work at all with any browsers.
>>
>> Peeking at the packets with Wireshark, I found TCP connections are reset
>> several times by CoovaChilli/OpenWrt. And some TCP reset messages sent by
>> CoovaChilli/OpenWrt have insanely large SEQ number. As the attached
>> Wireshark packet capture, which was generated by "telnet 64.233.183.105 80,"
>> shows, 5 RST messages were sent, and 4 of them are with Seq=1246334216.
>>
>> I believe it's these crazy RST messages that make UAM redirection not work
>> stably. I doubt the RST messages were due to Firewall rules CoovaChilli added
>> to iptables, but I have not been able to figure out where the firewall rules
>> reside.
>>
>> Can anyone tell how CoovaChilli manipulates iptables before it sends HTTP
>> 302 Moved Temporarily for UAM redirection?
>>
>> Yuh-Rong Leu
>>
>
> _______________________________________________
> Chilli mailing list
> Chilli at coova.org
> http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
>
>
-------------- next part --------------
config 'rule'
option 'src' 'wan'
option 'dest_port' '22'
option 'target' 'DROP'
config 'rule'
option 'src' 'wan'
option 'dest_port' '80'
option 'target' 'ACCEPT'
config 'rule'
option 'src' 'lan'
option 'dest_port' '22'
option 'target' 'ACCEPT'
config 'rule'
option 'src' 'wan'
option 'dest_port' '80'
option 'target' 'ACCEPT'
option 'src_ip' '211.75.128.1'
config 'rule'
option 'src' 'wan'
option 'dest_port' '80'
option 'src_ip' '1.2.3.4'
option 'target' 'ACCEPT'
config 'rule'
option 'src' 'wan'
option 'dest_port' '80'
option 'src_ip' '1.2.3.4'
option 'target' 'ACCEPT'
config 'rule'
option 'src' 'wan'
option 'dest_port' '22'
option 'src_ip' '192.168.0.113'
option 'target' 'ACCEPT'
config 'rule'
option 'src' 'wan'
option 'src_ip' '211.75.128.1'
option 'proto' 'icmp'
option 'target' 'ACCEPT'
config 'rule'
option 'src' 'wan'
option 'src_ip' '211.75.128.2'
option 'proto' 'icmp'
option 'target' 'ACCEPT'
config 'rule'
option 'src' 'wan'
option 'src_ip' '211.75.128.1'
option 'target' 'ACCEPT'
config 'rule'
option 'src' 'wan'
option 'src_ip' '211.75.128.2'
option 'target' 'ACCEPT'
config 'defaults'
option 'syn_flood' '1'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
option 'forward' 'ACCEPT'
config 'zone'
option 'name' 'lan'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
option 'forward' 'ACCEPT'
config 'zone'
option 'name' 'wireless1'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
option 'forward' 'ACCEPT'
config 'forwarding'
option 'src' 'wireless1'
option 'dest' 'wan'
option 'mtu_fix' '1'
config 'zone'
option 'name' 'wan'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
option 'forward' 'ACCEPT'
option 'masq' '1'
config 'forwarding'
option 'src' 'lan'
option 'dest' 'wan'
option 'mtu_fix' '1'
config 'include'
option 'path' '/etc/firewall.user'
-------------- next part --------------
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
syn_flood tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
input_rule all -- anywhere anywhere
input all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
forwarding_rule all -- anywhere anywhere
forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
output_rule all -- anywhere anywhere
output all -- anywhere anywhere
Chain forward (1 references)
target prot opt source destination
zone_lan_forward all -- anywhere anywhere
zone_wan_forward all -- anywhere anywhere
zone_wireless1_forward all -- anywhere anywhere
Chain forwarding_lan (1 references)
target prot opt source destination
Chain forwarding_rule (1 references)
target prot opt source destination
Chain forwarding_wan (1 references)
target prot opt source destination
Chain forwarding_wireless1 (1 references)
target prot opt source destination
Chain input (1 references)
target prot opt source destination
zone_lan all -- anywhere anywhere
zone_wan all -- anywhere anywhere
zone_wireless1 all -- anywhere anywhere
Chain input_lan (1 references)
target prot opt source destination
Chain input_rule (1 references)
target prot opt source destination
Chain input_wan (1 references)
target prot opt source destination
Chain input_wireless1 (1 references)
target prot opt source destination
Chain output (1 references)
target prot opt source destination
zone_lan_ACCEPT all -- anywhere anywhere
zone_wireless1_ACCEPT all -- anywhere anywhere
zone_wan_ACCEPT all -- anywhere anywhere
Chain output_rule (1 references)
target prot opt source destination
Chain reject (6 references)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain syn_flood (1 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP all -- anywhere anywhere
Chain zone_lan (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:22
ACCEPT tcp -- anywhere anywhere tcp dpt:22
input_lan all -- anywhere anywhere
zone_lan_ACCEPT all -- anywhere anywhere
Chain zone_lan_ACCEPT (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain zone_lan_DROP (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain zone_lan_MSSFIX (0 references)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
Chain zone_lan_REJECT (0 references)
target prot opt source destination
reject all -- anywhere anywhere
reject all -- anywhere anywhere
Chain zone_lan_forward (1 references)
target prot opt source destination
zone_wan_MSSFIX all -- anywhere anywhere
zone_wan_ACCEPT all -- anywhere anywhere
forwarding_lan all -- anywhere anywhere
zone_lan_ACCEPT all -- anywhere anywhere
Chain zone_wan (1 references)
target prot opt source destination
ACCEPT udp -- www.yesturnkey.com anywhere
ACCEPT tcp -- www.yesturnkey.com anywhere
ACCEPT udp -- yesturnkey.com anywhere
ACCEPT tcp -- yesturnkey.com anywhere
ACCEPT icmp -- www.yesturnkey.com anywhere
ACCEPT icmp -- yesturnkey.com anywhere
ACCEPT udp -- 192.168.0.113 anywhere udp dpt:22
ACCEPT tcp -- 192.168.0.113 anywhere tcp dpt:22
ACCEPT udp -- 1.2.3.4 anywhere udp dpt:80
ACCEPT tcp -- 1.2.3.4 anywhere tcp dpt:80
ACCEPT udp -- 1.2.3.4 anywhere udp dpt:80
ACCEPT tcp -- 1.2.3.4 anywhere tcp dpt:80
ACCEPT udp -- yesturnkey.com anywhere udp dpt:80
ACCEPT tcp -- yesturnkey.com anywhere tcp dpt:80
ACCEPT udp -- anywhere anywhere udp dpt:80
ACCEPT tcp -- anywhere anywhere tcp dpt:80
DROP udp -- anywhere anywhere udp dpt:22
DROP tcp -- anywhere anywhere tcp dpt:22
input_wan all -- anywhere anywhere
zone_wan_ACCEPT all -- anywhere anywhere
Chain zone_wan_ACCEPT (5 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain zone_wan_DROP (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain zone_wan_MSSFIX (2 references)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
Chain zone_wan_REJECT (0 references)
target prot opt source destination
reject all -- anywhere anywhere
reject all -- anywhere anywhere
Chain zone_wan_forward (1 references)
target prot opt source destination
forwarding_wan all -- anywhere anywhere
zone_wan_ACCEPT all -- anywhere anywhere
Chain zone_wireless1 (1 references)
target prot opt source destination
input_wireless1 all -- anywhere anywhere
zone_wireless1_ACCEPT all -- anywhere anywhere
Chain zone_wireless1_ACCEPT (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain zone_wireless1_DROP (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain zone_wireless1_MSSFIX (0 references)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
Chain zone_wireless1_REJECT (0 references)
target prot opt source destination
reject all -- anywhere anywhere
reject all -- anywhere anywhere
Chain zone_wireless1_forward (1 references)
target prot opt source destination
zone_wan_MSSFIX all -- anywhere anywhere
zone_wan_ACCEPT all -- anywhere anywhere
forwarding_wireless1 all -- anywhere anywhere
zone_wireless1_ACCEPT all -- anywhere anywhere
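David Bird's diagnosis above is that the kernel and chilli are both forwarding packets off the dhcpif, so the FORWARD chain needs a DROP for traffic arriving on that interface; the attached iptables dump has no such rule (FORWARD only does the RELATED,ESTABLISHED ACCEPT and then jumps into the OpenWrt zone chains). The script below is an added example, not code from the thread or from CoovaChilli: it checks an iptables-save style rule set for that DROP, using constructed samples modelled on the attached dump, and assumes the dhcpif is wlan0.

```shell
#!/bin/sh
# Added example (not from the thread or from CoovaChilli): verify that the
# kernel's FORWARD chain drops packets arriving on chilli's dhcpif before any
# other FORWARD rule can forward them. The interface name wlan0 is an
# assumption; substitute the real dhcpif.

# Constructed sample mirroring the attached dump's FORWARD chain: policy
# ACCEPT, conntrack ACCEPT, then the OpenWrt zone chains, and no DROP.
BROKEN_RULES='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j forwarding_rule
-A FORWARD -j forward
COMMIT'

# Same chain with the dhcpif DROP inserted at the top, which is what
# "iptables -I FORWARD -i wlan0 -j DROP" in /etc/firewall.user would give.
FIXED_RULES='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i wlan0 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j forwarding_rule
-A FORWARD -j forward
COMMIT'

# forward_drops_dhcpif RULES IFACE
# Returns 0 when the very first FORWARD rule is "-i IFACE ... -j DROP",
# i.e. nothing earlier in the chain can forward a dhcpif packet.
# Returns 1 when the DROP is missing or another rule precedes it.
forward_drops_dhcpif() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 != "-A" || $2 != "FORWARD" { next }          # only FORWARD rules
        $0 ~ ("-i " ifc "( |$)") && $NF == "DROP" { found = 1; exit }
        { exit }   # a different rule comes first: kernel may forward dhcpif traffic
        END { exit !found }'
}

# Stand-alone demonstration of both samples.
for name in BROKEN_RULES FIXED_RULES; do
    eval "rules=\$$name"
    if forward_drops_dhcpif "$rules" wlan0; then
        echo "$name: FORWARD drops wlan0 traffic first, chilli alone forwards it"
    else
        echo "$name: no leading DROP for wlan0 in FORWARD; kernel forwards it too"
    fi
done
```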