savje
Howto: Getting network LED working with firewall April 25, 2011 11:24AM
fw_setenv arcNumber 2998

Installing iptables. The stable release does not support the LED function, so we'll need to update it as well:

apt-get install iptables
cd ~
wget http://cdn.debian.net/debian/pool/main/i/iptables/iptables_1.4.10-1_armel.deb
dpkg -i iptables_1.4.10-1_armel.deb
rm iptables_1.4.10-1_armel.deb

Activate the LED module:

modprobe xt_LED

Open /etc/modules (with command "nano /etc/modules") and add "xt_LED" at the end, so it looks something like this:

# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
# Parameters can be specified after the module name.
xt_LED

Configuring the firewall. A bug (?) in iptables means that no changes to the rules can be made after one has added the LED trigger, so a little workaround with a separate chain for the LED is needed. First we'll flush any existing rules, then allow loopback, add the chain for the LED and allow established connections:

iptables -F
iptables -N LEDCHAIN
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j LEDCHAIN
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Here you should add your rules; which rules of course depends on what's running on the system. Probably you would like to allow SSH at least (more about iptables can be found with Google). Let's say we'd like to allow web/HTML (TCP port 80) and SSH (TCP port 22); we would then run:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

To view the rules run "iptables -L -v". Remember that if you don't allow SSH you will lock yourself out of the system; if that happens a reboot will make you welcome again.

iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

And last we add the LED:

iptables -A LEDCHAIN -j LED --led-trigger-id lednetin

A small footnote: since you cannot change the rules (or even policies) after adding the LED trigger unless you flush the rules, one runs into a bit of a problem (since flushing the rules will just leave the DROP input policy, which will make it impossible to connect with SSH). To solve this you can run "iptables -F; iptables -P INPUT ACCEPT" when changing the rules.

iptables-save > /etc/iptables.rules

Open "/etc/network/interfaces" (with the command "nano /etc/network/interfaces") and change it so it looks like this:

auto lo eth0
iface lo inet loopback
iface eth0 inet dhcp
    pre-up iptables-restore < /etc/iptables.rules

Configuring the LEDs:

echo netfilter-lednetin > /sys/class/leds/dockstar\:orange\:misc/trigger

Open rc.local (with command "nano /etc/rc.local") and add the following just before "exit 0":

echo default-on > /sys/class/leds/dockstar\:green\:health/trigger
echo netfilter-lednetin > /sys/class/leds/dockstar\:orange\:misc/trigger

Open /etc/init.d/halt (with command "nano /etc/init.d/halt") and edit it so that it reads:

log_action_msg "Will now halt"
halt -d -f $netdown $poweroff $hddown
echo none > /sys/class/leds/dockstar\:green\:health/trigger
echo default-on > /sys/class/leds/dockstar\:orange\:misc/trigger

The first two lines already exist, so look for them and add the other two lines (those that start with "echo") just after them.
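As an added example (this is not savje's script and is not from the forum), here is the same ruleset as a small sh script that rebuilds it in the order the footnote above calls for: INPUT policy to ACCEPT first, then flush, delete the helper chain, rebuild the rules, add the LED target last, and finally confirm the key rules with iptables -C. The IPT, ALLOW_TCP, LED_TRIGGER and LED_SYSFS variables, the fw_* and led_* function names and the dry-run mode are this example's own; the --led-delay 100 value is the one suggested in the reply below, not something the post above uses.

```shell
#!/bin/sh
# Added example, not savje's script: rebuild the Dockstar INPUT ruleset from
# the post in an order that copes with the "rules cannot be changed once the
# LED target is loaded" problem, and check the result with iptables -C.
# Assumptions (not from the post): the IPT, ALLOW_TCP, LED_TRIGGER and
# LED_SYSFS variables and the fw_*/led_* function names are this example's own.
# Set IPT=echo (or run "sh fw-led.sh dry-run") to print the commands instead.

IPT="${IPT:-iptables}"           # iptables binary; "echo" for a dry run
ALLOW_TCP="${ALLOW_TCP:-22 80}"  # SSH and HTTP, as in the post
LED_TRIGGER="${LED_TRIGGER:-lednetin}"
LED_SYSFS="${LED_SYSFS:-/sys/class/leds/dockstar:orange:misc/trigger}"

# Name of the trigger xt_LED registers in sysfs for a given --led-trigger-id.
led_trigger_name() {
    printf 'netfilter-%s\n' "$1"
}

# Open the INPUT policy *before* flushing: flushing first would leave the
# DROP policy in force for a moment and drop the SSH session doing the edit.
fw_reset() {
    $IPT -P INPUT ACCEPT
    $IPT -F
    # -F empties chains but does not delete them; remove LEDCHAIN so that the
    # -N below does not fail with "Chain already exists" on a second run.
    $IPT -X LEDCHAIN 2>/dev/null || true
}

fw_apply() {
    fw_reset
    $IPT -N LEDCHAIN
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -j LEDCHAIN            # every inbound packet blinks the LED
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for port in $ALLOW_TCP; do
        $IPT -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP
    $IPT -P INPUT DROP
    # The LED target goes in last: after it is loaded the post says the table
    # can no longer be edited without a flush. --led-delay 100 keeps the LED
    # lit for 100 ms per packet (the value suggested in the reply, assumed here).
    $IPT -A LEDCHAIN -j LED --led-trigger-id "$LED_TRIGGER" --led-delay 100
}

# Verify the key rules are present; iptables -C returns 0 when a rule matches.
fw_check() {
    $IPT -C INPUT -j LEDCHAIN &&
    $IPT -C LEDCHAIN -j LED --led-trigger-id "$LED_TRIGGER" --led-delay 100
}

# Point the orange LED at the netfilter trigger (the post's rc.local step).
led_attach() {
    led_trigger_name "$LED_TRIGGER" > "$LED_SYSFS"
}

case "${1:-}" in
    apply)   fw_apply && fw_check && led_attach ;;
    dry-run) IPT=echo; fw_apply ;;
esac
```

Run "sh fw-led.sh dry-run" to see the commands without touching the tables, and "sh fw-led.sh apply" as root to load them; afterwards save them with "iptables-save > /etc/iptables.rules" exactly as the post does, so the pre-up line in /etc/network/interfaces restores the same set at boot.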
Re: Howto: Getting network LED working with firewall April 26, 2011 01:48PM
iptables -A LEDCHAIN -j LED --led-trigger-id lednetin --led-delay 100
iptables -N LEDCHAIN
iptables -A INPUT -j LEDCHAIN
iptables -A LEDCHAIN -j LED --led-trigger-id lednetin --led-delay 100
iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id lednetin --led-delay 100
savje
Re: Howto: Getting network LED working with firewall April 26, 2011 02:01PM