["SOLVED"] B3 inaccessible with limited functionality
Re: B3 inaccessible with limited functionality
Maybe you should look into the firewall rules. It should not increase the boot time but it can definitely make it impossible to ssh into the bubba.
Re: B3 inaccessible with limited functionality
Hi ryz!
You might be right - I've gone through the firewall.conf front and back not being able to find anything related to port 22, even though I'm 100% sure it's enabled through the web interface and has never been touched. Could this rule have disappeared for some reason? The Excito DHCP is as you can see configured in the 10.3.2.x range and the temporary router I've right now connecting the desktop to the Excito is in the 192.168.1.x range. I guess it's not an issue since the Excito shows up with a lease associated to it in the router, but I just wanted to be clear on that point. What would be the best way to configure a rule in this case or am I missing something obvious in the firewall.conf?
Code:
#vi /mnt/etc/firewall.conf
- firewall.conf 1/47 2%
# Generated by iptables-save v1.4.8 on Thu Oct 2 09:37:25 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -i tap0 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A FORWARD -d 10.3.2.14/32 -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -d 10.3.2.14/32 -p tcp -m tcp --dport 465 -j ACCEPT
-A FORWARD -d 10.3.2.14/32 -p udp -m udp --dport 465 -j ACCEPT
-A FORWARD -d 10.3.2.14/32 -p udp -m udp --dport 993 -j ACCEPT
-A FORWARD -d 10.3.2.14/32 -p tcp -m tcp --dport 993 -j ACCEPT
COMMIT
# Completed on Thu Oct 2 09:37:25 2014
# Generated by iptables-save v1.4.8 on Thu Oct 2 09:37:25 2014
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d <global-ip>/32 -p udp -m udp --dport 1194 -j DNAT --to-destination 10.3.2.14:1194
-A PREROUTING -d <hidden-global-ip>/32 -p tcp -m tcp --dport 465 -j DNAT --to-destination 10.3.2.14:465
-A PREROUTING -d <hidden-global-ip>/32 -p udp -m udp --dport 465 -j DNAT --to-destination 10.3.2.14:465
-A PREROUTING -d <hidden-global-ip>/32 -p udp -m udp --dport 993 -j DNAT --to-destination 10.3.2.14:993
-A PREROUTING -d <hidden-global-ip>/32 -p tcp -m tcp --dport 993 -j DNAT --to-destination 10.3.2.14:993
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.3.2.0/24 -d 10.3.2.14/32 -p udp -m udp --dport 1194 -j SNAT --to-source 10.3.2.1
-A POSTROUTING -s 10.3.2.0/24 -d 10.3.2.14/32 -p tcp -m tcp --dport 465 -j SNAT --to-source 10.3.2.1
-A POSTROUTING -s 10.3.2.0/24 -d 10.3.2.14/32 -p udp -m udp --dport 465 -j SNAT --to-source 10.3.2.1
-A POSTROUTING -s 10.3.2.0/24 -d 10.3.2.14/32 -p udp -m udp --dport 993 -j SNAT --to-source 10.3.2.1
-A POSTROUTING -s 10.3.2.0/24 -d 10.3.2.14/32 -p tcp -m tcp --dport 993 -j SNAT --to-source 10.3.2.1
COMMIT
# Completed on Thu Oct 2 09:37:25 2014
Re: B3 inaccessible with limited functionality
Code:
-A INPUT -i br0 -j ACCEPT
To enable web access you may try to create the appropriate folders in /home. You'll want /home/web and /home/admin. No content is required, since the web admin pages are actually served from a folder in /usr/share. Set both folder rights to 777 - the objective is to get access first, then fix things.
Does booting still take longer than normal? And can you access the home share through samba now?
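Added example, not part of the original thread: a Python sketch that walks the INPUT chain of the posted firewall.conf and reports the verdict for a new connection to a given port on a given interface, which shows why no explicit port 22 rule appears. The function name `input_verdict` and the simplified matching (only `-i`, `-p`, `--dport` and `--state` are evaluated, no `!` negation on those, and `--tcp-flags` rules are skipped) are assumptions of this example.

```python
import shlex

# Constructed sample: INPUT rules copied from the *filter table posted above.
FIREWALL_CONF = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
"""

def input_verdict(conf, iface, proto, dport):
    """Return (verdict, matching rule) for a NEW connection arriving on iface."""
    policy, in_filter = "ACCEPT", False
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = (line == "*filter")
        elif in_filter and line.startswith(":INPUT "):
            policy = line.split()[1]          # default policy of the chain
        elif in_filter and line.startswith("-A INPUT "):
            tok = shlex.split(line)
            opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
            if "--tcp-flags" in opt:
                continue  # both flag rules here catch malformed packets, not a clean SYN
            if "NEW" not in opt.get("--state", "NEW").split(","):
                continue  # RELATED,ESTABLISHED never matches the first packet
            if opt.get("-i", iface) != iface or opt.get("-p", proto) != proto:
                continue
            if opt.get("--dport", str(dport)) != str(dport):
                continue
            return opt["-j"], line            # first matching rule decides
    return policy, "chain policy"

if __name__ == "__main__":
    for iface in ("br0", "eth0"):
        print(iface, "tcp/22 ->", input_verdict(FIREWALL_CONF, iface, "tcp", 22))
```

With this ruleset, SSH arriving on `br0` is accepted by the blanket `-A INPUT -i br0 -j ACCEPT` rule, while SSH arriving on `eth0` matches nothing and falls through to the `DROP` policy.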
Re: B3 inaccessible with limited functionality
Hi all and thanks for all your help!
From my last post the Excito couldn't even get a lease from the router, so I was unable to reach it. I couldn't even turn it off by holding the power button. So I decided that since I don't really have anything important on it that I simply would do a reinstall of the unit. Said and done. Now my proud Mary is rolling on again like nothing ever happened to it.
Thanks again for all your efforts! Much appreciated

Re: ["SOLVED"] B3 inaccessible with limited functionality
Well that's a bit of a downer. I would have loved to have known what caused it. Still glad to hear that you got it sorted in the end.