DNS 323 and iptables

How to set up a firewall with the DNS 323

One of the weak points of the DNS 323 is that out of the box it is not possible
to set up a software firewall using iptables. Iptables for the arm architecture does exist as an optware package

- see the optware page on the DNS-323 wiki http://wiki.dns323.info/howto:optware

for information on how to get access to this large collection of software.
To install iptables simply type

ipkg install iptables

and you should see:
Installing iptables (1.2.11-2) to root…
Downloading http://ipkg.nslu2-linux.org/feeds/optware/dns323/cross/unstable/iptables_1.2.11-2_arm.ipk
Configuring iptables
Successfully terminated.

That is unfortunately about where the fun stops.
If you now type:

iptables -L

to list the default rules, you will receive a message like:
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

mmm, not so great. The problem is that iptables support is not compiled into the default kernel of the DNS-323. Check the kernel version by typing

uname -a

and you will see something like
Linux dlink-96D654 2.6.12.6-arm1 #30 Mon Aug 18 14:19:14 CST 2008 armv5tejl unknown

To be able to dig a bit deeper one would need either the .config file in an already
configured kernel source tree (not available by default) or config.gz in the /proc folder of a running kernel - provided that the CONFIG_IKCONFIG_PROC flag was set at compile time.

Unfortunately neither of these seems to be available, so one must proceed under the assumption
that the kernel neither has support for iptables built in nor has it available as a module.

Ok, I know that I could use an external firewall with port forwarding and all that, but to set up iptables on the 323 itself is a challenge, right?


The next steps are not for the faint-hearted...

You will need to get access to a suitable kernel source and set up an arm cross compiler system. This is described on the wiki here:

http://wiki.dns323.info/howto:crosscompile

There are quite a few gotchas to watch out for. The first is that the tools required are older versions, not found in all the most recent distributions. As an example I could not get the correct version of gcc and libraries on Ubuntu Jaunty 9.04. I think they were all still present on Hardy, but I seem to recall that some things did not work straight away.
So I decided the best way was to run an older version of Ubuntu as a virtual machine. You can use VirtualBox or VMware, whichever you happen to work with.

I elected for Ubuntu 6.06.1, available as an image from tuxdistro.org or thoughtpolice.co.uk:

ubuntu-server-6.06.1-i386.zip, 172M
Download using:
fast torrent download:
http://download.thoughtpolice.co.uk/ubuntu-server-6.06.1-i386.zip.torrent
or
web download:
http://downloads.sourceforge.net/thoughtpolicevm/ubuntu-server-6.06.1-i386.zip

md5sum: 28fc5b4990802c2bd4af1d7dd01f8985 (old: 9869ae189277b3d6b8303d666c12bb5bfg)
Notes: There is no root account. Login as user "notroot", password is "thoughtpolice".

Quick start HOWTO: Ubuntu 6.06 in 1 minute:
http://www.thoughtpolice.co.uk/vmware/howto/1-minute-guide.html#ubuntu6.06
Install VMware Tools:
http://www.thoughtpolice.co.uk/vmware/howto/ubuntu-server-6.06-dapper-drake-vmware-tools-install.html
Note: if you get stuck at “uncompressing kernel”, see Ubuntu forums.

Comments:
- Screen size by default is too small, put vga=791 as argument to kernel in menu.lst
- in the sources.list file in /etc/apt, uncomment the repos you want to enable and run sudo apt-get update
- install joe and mc packages if you are addicted to these two :-)
- change pw for notroot from thoughtpolice
- vmware tools install - needs gcc, make, binutils and the kernel source

That should allow you to set up a toolchain-arm cross compile system.
Download your preferred kernel source. I decided to stay with the mainstream 2.6.12.6 source and downloaded it from:

http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.12.6.tar.bz2

I untarred it and started make menuconfig, which finally worked ok, and I could configure the kernel as I wanted.
The configure process is quite tedious as there are heaps of options, not all of them readily obvious as to what purpose they serve.

(BTW don't forget to run source crosstools-env.sh and check the result by typing echo $CC before trying to configure the source).

[Hint: If you want a place to start from, one way is to get a “sample” .config by installing and running the fsck module for ffp. This kernel image has config.gz support compiled in and you can zcat this file to generate a plain text .config file to work from:
zcat /proc/config.gz > /some/path/src/linux/.config
See http://www.inreto.de/dns323/fsck/ for more information.
I could not get the reload.sh file to work until I found a debug version in the forums:
http://forum.dsmg600.info/attachment.php?item=296 in forum topic:
http://forum.dsmg600.info/viewtopic.php?id=2611&p=1 ]

Save the .config file somewhere safe so you don't lose it if you inadvertently do a make clean or make mrproper.

Having enabled the netfilter options you can now compile a new kernel. Generate a zImage file using the command make zImage.
I compiled pretty much everything I needed into the kernel rather than try and mess around with modules.
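Before spending the time on make zImage it is worth confirming that the netfilter options iptables needs really ended up in .config, and the same check can be run later on the output of zcat /proc/config.gz from the new kernel. The script below is an added example, not from the original page or the DNS-323 wiki; the option list it checks is my assumption of the minimum for a stateful filter on a 2.6.12 kernel, and the .config fragment it ships with is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: check that a kernel .config
# (or the output of zcat /proc/config.gz) has the netfilter options that
# iptables needs before spending an hour on "make zImage".

# Assumption: minimum option set for a stateful filter on a 2.6.12 kernel.
# Extra matches/targets (LOG, limit, ...) have their own CONFIG_IP_NF_*
# symbols and can simply be appended to this list.
REQUIRED="CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_FILTER CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_TARGET_REJECT"

# option_state FILE OPTION: prints y (built in), m (module) or n (not set)
option_state() {
    # .config lines look like CONFIG_FOO=y, CONFIG_FOO=m or "# CONFIG_FOO is not set"
    val=$(grep "^$2=" "$1" | head -n 1 | cut -d= -f2)
    if [ -n "$val" ]; then echo "$val"; else echo n; fi
}

# check_config FILE: one line per option; exit status = number of missing options
check_config() {
    missing=0
    for opt in $REQUIRED; do
        case "$(option_state "$1" "$opt")" in
            y) echo "$opt: built in" ;;
            m) echo "$opt: module (insmod it before running iptables)" ;;
            *) echo "$opt: MISSING"; missing=$((missing + 1)) ;;
        esac
    done
    return "$missing"
}

# Constructed sample .config fragment (not a real DNS-323 build); one option
# is deliberately left out so the check has something to report.
make_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
# CONFIG_IP_NF_MATCH_STATE is not set
CONFIG_IP_NF_TARGET_REJECT=y
EOF
}

# Usage: check_netfilter.sh [path/to/.config]; without an argument the sample is used.
CFG=$1
if [ -z "$CFG" ]; then CFG=$(mktemp); make_sample_config "$CFG"; fi
check_config "$CFG" || echo "$? option(s) missing: iptables would fail with 'iptables who?'"
```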

Once you have a new compiled kernel you can use ffp-reloaded to boot into the new kernel without running the firmware. This is described fairly well at http://wiki.dns323.info/howto:ffp-reloaded. Do not use an initial ram disk file, as ffp then does not seem to load at boot up. Copy your new zImage kernel to the boot folder and create a soft link to it:

ln -s zImage-2.6.12.6-NEW zImage

The last step is to run

nohup ./boot.sh

and in my case at least it rebooted, the drive lights disappeared and I could immediately telnet back in again.

I understand now that:

It appears that the blue disk LEDs do not blink in mainline kernels (tried 2.6.26). To fix that, you'll need to change the GPIO setting in drivers/ata/sata_mv.c:
static void mv6_enable_leds(struct mv_host_priv *hpriv, void __iomem *mmio)
{
#if 0
        /* mainline value: drive LEDs stay off on the DNS-323 */
        writel(0x00000060, mmio + MV_GPIO_PORT_CTL_OFS);
#else
        /* changed GPIO setting so the drive LEDs blink again */
        writel(0x00000050, mmio + MV_GPIO_PORT_CTL_OFS);
#endif
}

I modified the rc file in /ffp/etc so that the references to /mnt/HD_a2 were removed. In this way I could get the ipkg/opt tree mounted on /opt and could run iptables at last!

Have a look in the /proc/config.gz file and you should see heaps of references to CONFIG_NETFILTER, CONFIG_IP_NF_something or other...
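With iptables finally running, the page never shows what an actual firewall for the NAS looks like, so here is a minimal one as an added example (not from the original page or the wiki). It assumes the LAN is 192.168.1.0/24, the NAS interface is egiga0 (check with ifconfig), only telnet, ssh, the web admin page and SMB/CIFS should be reachable from the LAN, and that state, limit and LOG support were compiled into the new kernel.

```shell
#!/bin/sh
# Added example, not from the original page: a minimal host firewall for the
# DNS-323 once iptables works. Assumptions: LAN is 192.168.1.0/24, the NAS
# interface is egiga0 (check with ifconfig), and only telnet, ssh, the web
# admin page and SMB/CIFS should be reachable, and only from the LAN.
# Needs conntrack/state, limit and LOG support in the kernel (CONFIG_IP_NF_*).
LAN_NET=${LAN_NET:-192.168.1.0/24}
IFACE=${IFACE:-egiga0}
TCP_PORTS="22 23 80 139 445"   # ssh, telnet, web admin, SMB
UDP_PORTS="137 138"            # NetBIOS name and datagram services

# Emit the rule set as text so it can be reviewed (and diffed) before use.
# Accept rules go in first and the DROP policies last, so applying this over
# a telnet session does not cut the session off half way through.
firewall_rules() {
    echo "-F INPUT"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -m state --state INVALID -j DROP"
    for p in $TCP_PORTS; do
        echo "-A INPUT -i $IFACE -s $LAN_NET -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $UDP_PORTS; do
        echo "-A INPUT -i $IFACE -s $LAN_NET -p udp --dport $p -j ACCEPT"
    done
    echo "-A INPUT -i $IFACE -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT"
    echo "-A INPUT -m limit --limit 5/min -j LOG --log-prefix dns323-drop:"
    echo "-A INPUT -j DROP"
    echo "-P INPUT DROP"
    echo "-P FORWARD DROP"      # the NAS is not a router
    echo "-P OUTPUT ACCEPT"
}

# Number of lines the rule set produces (used as a sanity check)
rule_count() { firewall_rules | wc -l | tr -d ' '; }

# Usage: ./firewall.sh        print the rules (dry run)
#        ./firewall.sh apply  feed each line to iptables
if [ "$1" = "apply" ]; then
    firewall_rules | while read -r line; do
        # word splitting of $line into separate arguments is intended here
        iptables $line || echo "failed: iptables $line" >&2
    done
else
    firewall_rules
fi
```

Dropped packets show up in the kernel log (dmesg) with the dns323-drop: prefix, which is the quickest way to see what the rules are blocking before tightening them further.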


You may ask why one could not install Debian and get a new kernel that way. At

http://wiki.dns323.info/howto:chroot_debian

you can read how to install a chroot system with Debian, but the problem is that it does not reboot into a different kernel and you are stuck with the original one.

In a similar way, if you are running a rev B1 323 you cannot install armedslack:

http://wiki.dns323.info/howto:armedslack

which would also be interesting.

– butibum, June 2009

PS

http://support.dlink.com/products/view.asp?orig=2&productid=Dns-323#firm

lists all the firmware packages officially released by D-Link.