WIKIABOUT

FOR TIPS, gUIDES & TUTORIALS

subscribe to our Youtube

GO TO YOUTUBE

14110 questions

16770 answers

27533 comments

53890 members

Most popular tags

rut955 rut240 rut950 rutx11 rms vpn to wifi openvpn not sms trb140 firmware connection ipsec - on rutx12 rutx09 modbus

iptables-mod-iprange

0 votes
673 views 9 comments
by

We have problems with newer versions of the firmware of the RUT955 devices. 

What we do is use an iptables plugin called iprange, to block all then allow a specific range to go through. This has worked for years without any issues. 

With the 06.07.5 firmware it still works, but with the 06.07.7 firmware and later it doesn't work anymore. I suspect this is a bug in iptables that found it's way into the firmware. 

Let me show you what we do.

We first need to install the iprange module for iptables.

roo[email protected]:~# opkg install iptables-mod-iprange --force-depends

Installing iptables-mod-iprange (1.4.21-1) to root...

Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/ipt

ables-mod-iprange_1.4.21-1_ar71xx.ipk.

Multiple packages (kmod-ipt-core and kmod-ipt-core) providing same name marked HOLD or PREFER.

 Using latest.

Installing kmod-ipt-iprange (3.18.23-1) to root...

Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/kmo

d-ipt-iprange_3.18.23-1_ar71xx.ipk.

Configuring kmod-ipt-iprange.

sed: xt_iprange: No such file or directory

Configuring iptables-mod-iprange.
Collected errors:

 * satisfy_dependencies_for: Cannot satisfy the following dependencies for iptables-mod-iprange:
 *      kernel (= 3.18.23-1-b2f200610f46d20ef52d269421369d0c) *

[email protected]:~# opkg install iptables-mod-iprange

Package iptables-mod-iprange (1.4.21-1) installed in root is up to date.

Now we move the xt_iprange.ko file to the folder containing the current kernel version:

r[email protected]:/lib/modules/3.18.23# mv xt_iprange.ko ../3.18.44/

No we can insert the module.

[email protected]:/lib/modules/3.18.23# insmod /lib/modules/3.18.44/xt_iprange.ko

Now we try to install the iptables rule containing iprange.

[email protected]:/lib/modules/3.18.23# iptables -I FORWARD -m iprange --src-range 10.10.202.170-

10.10.202.190 -j ACCEPT

/usr/lib/iptables/libxt_iprange.so: File not found

iptables v1.6.2: Couldn't load match `iprange':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

When you check that folder, the file does exist. Both 06.07.5 and 06.07.7 both use the same kernel version, but .5 works properly and .7 doesn't. We also tried an even newer version, 06-08.1 which has the same issue.

by
Does anyone have an idea how to fix this?
by

You'll have to generate your own module using the SDK available here.

Regards,

by
Not exactly, the ipk are already compiled you can try to install them directly with opkg install on the device.

Or you can generate your own using the SDK, make menuconfig, enable both and make.
by

@  

Not exactly? Exactly. 

That was the solution. Installing directly doesn't work, this does.

by
1) Make sure you have the latest version of the firmware.

2) Upload iptables-mod-iprange ir kmod-ipt-iprange

3) Install kmod (with --force-depends should install, even though it drops the error)

4) Insmod /lib/modules/3.18.44/xt_iprange.ko

5) Install iptables-mod-iprange

https://kaunas.teltonika.lt:444/f/490bb411d2364abc985e/?dl=1

https://kaunas.teltonika.lt:444/f/06292ba117de4a409011/?dl=1

EB.

1 Answer

0 votes
by
Hi,

Could you please send me your troubleshoot file via private messages?

To download it go to System > Administration > Troubleshoot and download file from there.

Make sure you don't download it freshly started router and your configuration must be already done.

EB.
by
Hi,

Please try downloading and installing this: https://openwrt.org/packages/pkgdata_owrt18_6/iptables-mod-iprange#packageiptables-mod-iprange

Your current iptables mod iprange application doesn't work because iptables was updated due to security reasons and it's not working because of version mismatch.

EB.
by

How do I add that?

[email protected]:/etc/opkg# cat distfeeds.conf 

src/gz chaos_calmer_base http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base

src/gz chaos_calmer_packages http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/packages

src/gz chaos_calmer_luci http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/luci

[email protected]:/etc/opkg# cat /etc/*version

RUT9XX_R_00.06.07.7

When I look here ( https://archive.openwrt.org/releases/18.06.7/packages/ ) I don't see the ar71xx platform, so adding this to the repo doesn't look like an option.

by
by

[email protected]:~# opkg install iptables-mod-iprange_1.6.2-1_arm_cortex-a7_neon-vfpv4.ipk 

Unknown package 'iptables-mod-iprange'.

Collected errors:

 * pkg_hash_fetch_best_installation_candidate: Packages for iptables-mod-iprange found, but incompatible with the architectures configured

 * opkg_install_cmd: Cannot install package iptables-mod-iprange.

downloaded the file directly and tried to install that.