Howto: Getting network LED working with firewall

Posted by savje 
This howto does not contribute anything new; all the information already exists on the net, but it's quite spread out. So to spare others the "Google-dance" which I just went through, I'll post everything compiled here. This howto is made for the Dockstar; I don't know how it would work on the Pogoplug.

This howto will result in:
* A working iptables firewall (in this case with a single NIC setup, allowing for some open ports)
* The green LED constantly on when the system is running
* The orange LED flashing on incoming network traffic
* When halting the system the orange LED will be constantly on, and thereby showing it's safe to remove USB flash drives and turn power off.

Let's start: Log on to your system as root (or run commands with sudo) with SSH.

First set the right arcNumber:
fw_setenv arcNumber 2998
Install iptables. The stable release does not support the LED function, so we'll need to update it as well:
apt-get install iptables
cd ~
wget http://cdn.debian.net/debian/pool/main/i/iptables/iptables_1.4.10-1_armel.deb
dpkg -i iptables_1.4.10-1_armel.deb
rm iptables_1.4.10-1_armel.deb
Activate the LED module:
modprobe xt_LED
Open /etc/modules (with command "nano /etc/modules") and add "xt_LED" at the end, so it looks something like this:
# /etc/modules: kernel modules to load at boot time.
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
# Parameters can be specified after the module name.

xt_LED

Configuring the firewall. A bug (?) in iptables means that no changes to the rules can be made after one has added the LED trigger, so a little workaround with a separate chain for the LED is needed. First we'll flush any existing rules, then allow loopback, add the chain for the LED and allow established connections:
iptables -F
iptables -N LEDCHAIN
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j LEDCHAIN
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Here you should add your rules; which rules of course depends on what's running on the system. You would probably like to allow SSH at least (more about iptables can be found with Google). Let's say we'd like to allow web/html (tcp port 80) and SSH (tcp port 22); we would then run:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
To view the rules, run "iptables -L -v". Remember that if you don't allow SSH you will lock yourself out of the system; if that happens, a reboot will make you welcome again.

Then we set the policies (which allow the system to connect to the net but don't allow the net to connect to the system):
iptables -P INPUT DROP
iptables -P FORWARD DROP
And last we add the LED:
iptables -A LEDCHAIN -j LED --led-trigger-id lednetin
A small footnote: Since you cannot change the rules (or even policies) after adding the LED trigger unless you flush the rules, one runs into a bit of a problem (since flushing the rules will just leave the drop input policy, which will make it impossible to connect with SSH). To solve this you can run "iptables -F; iptables -P INPUT ACCEPT" when changing the rules.

Save the rules and enable loading them on start-up:
iptables-save > /etc/iptables.rules
Open "/etc/network/interfaces" (with the command "nano /etc/network/interfaces") and change it so it looks like this:
auto lo eth0
iface lo inet loopback
iface eth0 inet dhcp
	pre-up iptables-restore < /etc/iptables.rules
Configuring the LEDs:
echo netfilter-lednetin > /sys/class/leds/dockstar\:orange\:misc/trigger
Open rc.local (with command "nano /etc/rc.local") and add the following just before "exit 0":
echo default-on > /sys/class/leds/dockstar\:green\:health/trigger
echo netfilter-lednetin > /sys/class/leds/dockstar\:orange\:misc/trigger
Open /etc/init.d/halt (with command "nano /etc/init.d/halt") and add lines so that it looks like this:
log_action_msg "Will now halt"
halt -d -f $netdown $poweroff $hddown

echo none > /sys/class/leds/dockstar\:green\:health/trigger
echo default-on > /sys/class/leds/dockstar\:orange\:misc/trigger
The first two lines already exist, so look for them and add the two other lines (those that start with "echo") just after them.

Now everything is done! I hope this was of some help :)

Re: Howto: Getting network LED working with firewall
April 26, 2011 12:48PM
Thank you savje! Very good compilation.

A small addition (because one thinks nothing happened): add the time in ms for the LED

iptables -A LEDCHAIN -j LED --led-trigger-id lednetin --led-delay 100

and if someone is not using the iptables firewall function, these lines for iptables are also enough:

iptables -N LEDCHAIN
iptables -A INPUT -j LEDCHAIN
iptables -A LEDCHAIN -j LED --led-trigger-id lednetin --led-delay 100

or even less for a single port only, just enter

iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id lednetin --led-delay 100

Oh, you're right... Must have lost that part when I copied the commands from my notes. Great that you spotted it, thanks!
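
The ruleset from the howto, with the --led-delay from the reply, written as one file in the iptables-save format that the howto's pre-up line loads with iptables-restore. This is an added example, not part of the thread; SSH_PORT, valid_port and gen_rules are hypothetical names, and it refuses to emit a file that would leave SSH closed (the lockout the howto warns about).

```shell
#!/bin/sh
# Added example: emit the howto's ruleset as one iptables-restore file.
# SSH_PORT, valid_port and gen_rules are hypothetical names.
SSH_PORT="${SSH_PORT:-22}"   # assumption: sshd listens on the port the howto opens

# Accept only a decimal TCP port 1..65535 without leading zeros.
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# Print the filter table for the given TCP ports.
# Prints nothing and returns 1 on a bad port or when SSH would be left closed.
gen_rules() {
    ssh_ok=no
    for p in "$@"; do
        if ! valid_port "$p"; then
            echo "invalid port: $p" >&2
            return 1
        fi
        if [ "$p" = "$SSH_PORT" ]; then ssh_ok=yes; fi
    done
    if [ "$ssh_ok" != yes ]; then
        echo "refusing: tcp/$SSH_PORT (SSH) is not in the list" >&2
        return 1
    fi
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LEDCHAIN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j LEDCHAIN
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo "-A LEDCHAIN -j LED --led-trigger-id lednetin --led-delay 100"
    echo "COMMIT"
}

# On the device, as root: write the file, parse-check it, then install it.
#   gen_rules 22 80 > /etc/iptables.rules.new \
#     && iptables-restore --test < /etc/iptables.rules.new \
#     && mv /etc/iptables.rules.new /etc/iptables.rules
```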
