Static Routing and NAT (iptables)
chickenfrog, Apr 21, 2017
I'm posting this as a reference. I struggled with this for about a day, trying to untangle the iptables of my Netgear Orbi. Maybe this write-up can help others. USE AT YOUR OWN RISK Th...
fabbari, Sep 23, 2017
I updated the script to make sure we log out any admin using the web interface. It may be an inconvenience when an admin is using the web interface, but it ensures that automated scripts will always run successfully.
```sh
#!/bin/sh
# NOTE: This script requires openssl and the real netcat to be available, not the
# BusyBox version. On OpenWRT you can get them via:
#
#   opkg install netcat openssl-util
#
# The Orbi admin password is stored here in clear text: keep this file readable
# by root only.
ORBI_USERNAME="admin"
ORBI_PASSWORD="*********"
ORBI_ADDRESS="192.168.1.1"
AUTH_TOKEN=`echo -n "${ORBI_USERNAME}:${ORBI_PASSWORD}" | openssl enc -base64`

# Log out any admin currently using the web interface so the automated requests
# below are not refused. --insecure skips TLS verification because the Orbi's
# built-in certificate does not verify; only use this on the trusted LAN.
forceLogout() {
    curl -s "https://${ORBI_ADDRESS}/change_user.html" -H "Authorization: Basic ${AUTH_TOKEN}" --insecure > /dev/null
    curl -s "https://${ORBI_ADDRESS}/change_user.html" -H "Authorization: Basic ${AUTH_TOKEN}" --insecure > /dev/null
}

# Fetch the per-page timestamp token that apply.cgi requires from the debug page.
timeStamp() {
    curl "https://${ORBI_ADDRESS}/debug_detail.htm" -s --insecure -H "Authorization: Basic ${AUTH_TOKEN}" \
        | grep -e '^var ts' | sed -e 's/var[[:space:]]\+ts="\([^"]\+\)".*/\1/g'
}

enableTelnet() {
    TS_CODE=`timeStamp`
    curl "https://${ORBI_ADDRESS}/apply.cgi?/debug_detail.htm%20timestamp=${TS_CODE}" -H "Authorization: Basic ${AUTH_TOKEN}" --data 'submit_flag=debug_info&hid_telnet=1&enable_telnet=on' --insecure -s > /dev/null
}

disableTelnet() {
    TS_CODE=`timeStamp`
    curl "https://${ORBI_ADDRESS}/apply.cgi?/debug_detail.htm%20timestamp=${TS_CODE}" -H "Authorization: Basic ${AUTH_TOKEN}" --data 'submit_flag=debug_info&hid_telnet=0&enable_telnet=off' --insecure -s > /dev/null
}

# Look for the rule in position 5 of the loc2net chain that drops traffic from any
# source outside the LAN network ("!a.b.c.d/n"). While it is present the Orbi does
# not forward the internal networks. grep has no \d, so [0-9] is used for digits.
isForwarding() {
    RULE=`(echo "iptables -L --line-numbers"; sleep 2) | netcat -c -t ${ORBI_ADDRESS} 23 \
        | grep '^5[[:space:]]\+DROP[[:space:]]\+all[[:space:]]\+--[[:space:]]\+![0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+/[0-9]\+[[:space:]]\+anywhere'`
    if [ "${RULE}" = "" ]
    then
        echo "Forwarding enabled"
    else
        echo "Forwarding disabled"
    fi
}

enableForwarding() {
    FORWARD=`isForwarding`
    if [ "${FORWARD}" = "Forwarding disabled" ]
    then
        echo "Enabling forwarding - current state: ${FORWARD}"
        # Delete the DROP rule and masquerade the internal networks on the WAN bridge.
        (echo "iptables -t filter -D loc2net 5 && iptables -t nat -I POSTROUTING 1 -o brwan -j MASQUERADE"; sleep 1) | netcat -c -t ${ORBI_ADDRESS} 23 > /dev/null
        isForwarding
    else
        echo "Forwarding is already enabled!"
    fi
}

case "$1" in
    enable)
        forceLogout
        enableTelnet
        ;;
    disable)
        forceLogout
        disableTelnet
        ;;
    check)
        forceLogout
        enableTelnet
        isForwarding
        disableTelnet
        ;;
    forward)
        forceLogout
        enableTelnet
        enableForwarding
        disableTelnet
        ;;
    *)
        echo ""
        echo "$0 [enable|disable|check|forward]"
        echo ""
        echo "  enable:  enable Orbi telnet interface"
        echo "  disable: disable Orbi telnet interface"
        echo "  check:   check if Orbi is forwarding internal networks"
        echo "  forward: allow Orbi to forward internal networks"
        echo ""
        ;;
esac
```
fabbari, Sep 23, 2017
Last version of this script - I promise! Quick instructions: install socat, netcat and openssl-util on your OpenWrt router. Drop the script in a file called `/etc/init.d/orbi` and make the file executable. Edit the file to change your password and the Orbi IP address, if it's not 192.168.1.1. Then enable the script with `/etc/init.d/orbi enable` and start it with `/etc/init.d/orbi start`.
The script will listen for multicast messages from the Orbi. Every time it detects one, it will check whether the Orbi is configured to forward the internal LAN, sleep for 30 seconds and start listening again.
Let me know if anyone finds this useful.
Fabio
```sh
#!/bin/sh /etc/rc.common
# Example script
# Copyright (C) 2007 OpenWrt.org
START=10
STOP=15

# NOTE: This script requires socat, openssl and the real netcat to be available,
# not the BusyBox version. On OpenWRT you can get them via:
#
#   opkg install socat netcat openssl-util
#
# The Orbi admin password is stored here in clear text: keep this file readable
# by root only.
ORBI_USERNAME="admin"
ORBI_PASSWORD="*************"
ORBI_ADDRESS=192.168.1.1
# The Orbi's multicast (mDNS, 224.0.0.251:5353) is received on the interface
# facing the Orbi: eth0.2 here, adjust to your router.
ORBI_MCAST_PORT=5353
ORBI_MCAST_ADDR=224.0.0.251
ORBI_MCAST_IF=eth0.2
AUTH_TOKEN=`echo -n "${ORBI_USERNAME}:${ORBI_PASSWORD}" | openssl enc -base64`
ORBI_SCRIPT=/etc/init.d/orbi

# Log out any admin currently using the web interface so the automated requests
# below are not refused. --insecure skips TLS verification because the Orbi's
# built-in certificate does not verify; only use this on the trusted LAN.
forceLogout() {
    curl -s "https://${ORBI_ADDRESS}/change_user.html" -H "Authorization: Basic ${AUTH_TOKEN}" --insecure > /dev/null
    curl -s "https://${ORBI_ADDRESS}/change_user.html" -H "Authorization: Basic ${AUTH_TOKEN}" --insecure > /dev/null
}

# Fetch the per-page timestamp token that apply.cgi requires from the debug page.
timeStamp() {
    curl "https://${ORBI_ADDRESS}/debug_detail.htm" -s --insecure -H "Authorization: Basic ${AUTH_TOKEN}" \
        | grep -e '^var ts' | sed -e 's/var[[:space:]]\+ts="\([^"]\+\)".*/\1/g'
}

enableTelnet() {
    TS_CODE=`timeStamp`
    curl "https://${ORBI_ADDRESS}/apply.cgi?/debug_detail.htm%20timestamp=${TS_CODE}" -H "Authorization: Basic ${AUTH_TOKEN}" --data 'submit_flag=debug_info&hid_telnet=1&enable_telnet=on' --insecure -s > /dev/null
}

disableTelnet() {
    TS_CODE=`timeStamp`
    curl "https://${ORBI_ADDRESS}/apply.cgi?/debug_detail.htm%20timestamp=${TS_CODE}" -H "Authorization: Basic ${AUTH_TOKEN}" --data 'submit_flag=debug_info&hid_telnet=0&enable_telnet=off' --insecure -s > /dev/null
}

# Sets FORWARDING=0 while rule 5 of loc2net (DROP everything not from the LAN
# network "!a.b.c.d/n") is present, FORWARDING=1 once it is gone.
# grep has no \d, so [0-9] is used for digits.
isForwarding() {
    RULE=`(echo "iptables -L --line-numbers"; sleep 2) | netcat -c -t ${ORBI_ADDRESS} 23 \
        | grep '^5[[:space:]]\+DROP[[:space:]]\+all[[:space:]]\+--[[:space:]]\+![0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+/[0-9]\+[[:space:]]\+anywhere'`
    if [ "${RULE}" = "" ]
    then
        FORWARDING=1
    else
        FORWARDING=0
    fi
}

enableForwarding() {
    isForwarding
    if [ ${FORWARDING} -eq 0 ]
    then
        logger -t ORBI -p daemon.info "Enabling forwarding"
        # Delete the DROP rule and masquerade the internal networks on the WAN bridge.
        (echo "iptables -t filter -D loc2net 5 && iptables -t nat -I POSTROUTING 1 -o brwan -j MASQUERADE"; sleep 1) | netcat -c -t ${ORBI_ADDRESS} 23 > /dev/null
    else
        logger -t ORBI -p daemon.warn "Forwarding is already enabled!"
    fi
}

EXTRA_COMMANDS="on off forward check monitor"
EXTRA_HELP="        on      Enable telnet on the Orbi
        off     Disable telnet on the Orbi
        forward Manually enable forwarding for the Orbi
        check   Check the Orbi to see if forwarding is enabled
        monitor Enable monitoring of Orbi"

start() {
    logger -t ORBI -p daemon.info 'Launching background monitor'
    # Double fork so the monitor loop is detached from the init invocation.
    ( ( "${ORBI_SCRIPT}" monitor >/dev/null 2>&1 ) & ) &
}

stop() {
    if [ -f /tmp/.orbi.running ]
    then
        logger -t ORBI -p daemon.info 'Stopping Orbi Service'
        PID=`cat /tmp/.orbi.running`
        rm /tmp/.orbi.running
        kill -TERM ${PID}
    else
        logger -t ORBI -p daemon.info 'Orbi Service not Running'
    fi
}

restart() {
    stop
    sleep 1
    start
}

# Listen for multicast from the Orbi (range= restricts the source to the Orbi's
# address) and hand it to the forward command via socat; when socat returns,
# sleep and listen again. The loop ends when stop() removes the flag file.
monitor() {
    logger -t ORBI -p daemon.info 'Starting Orbi Monitor Service'
    echo $$ > /tmp/.orbi.running
    while [ -f /tmp/.orbi.running ]
    do
        socat UDP4-RECV:${ORBI_MCAST_PORT},bind=${ORBI_MCAST_ADDR},ip-add-membership=${ORBI_MCAST_ADDR}:${ORBI_MCAST_IF},range=${ORBI_ADDRESS}/32 SYSTEM:"${ORBI_SCRIPT} forward"
        sleep 30
    done
    logger -t ORBI -p daemon.info 'Orbi Monitor Service Exited'
}

on() {
    forceLogout
    enableTelnet
}

off() {
    forceLogout
    disableTelnet
}

check() {
    forceLogout
    enableTelnet
    isForwarding
    if [ ${FORWARDING} -eq 0 ]
    then
        echo "Forwarding is disabled"
    else
        echo "Forwarding is enabled"
    fi
    disableTelnet
}

forward() {
    # Lock file so overlapping multicast triggers do not run concurrently.
    if [ -f /tmp/.orbi.enabling ]
    then
        logger -t ORBI -p daemon.warn "Already enabling Orbi forwarding - Ignoring request"
    else
        touch /tmp/.orbi.enabling
        forceLogout
        enableTelnet
        enableForwarding
        disableTelnet
        rm /tmp/.orbi.enabling
    fi
}
```
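A worked example added here, not code from either of fabbari's posts: both scripts decide whether forwarding is enabled by grepping for a DROP rule at position 5 of loc2net and then delete rule 5 by number, so they depend on that rule staying in position 5. The shell below locates the rule by its content in the text that `iptables -L --line-numbers` prints and builds the delete command from the number it actually finds, refusing to emit anything when no such rule exists. The sample table, its second chain, rule numbers and networks are constructed for the example; the loc2net chain name and the brwan interface are taken from the posts.

```sh
#!/bin/sh
# Added example, not code from the thread: find the "DROP everything that is not
# from the LAN" rule by content instead of assuming it is rule number 5, so the
# delete command is built from the live table. Input is the text printed by
# "iptables -L --line-numbers" (one "Chain NAME" header per chain), which is what
# the scripts in the thread read back over telnet.

# Constructed sample of that output. The chain layout, rule numbers and networks
# are assumptions for the example, not a dump from a real Orbi.
SAMPLE_OUTPUT='Chain loc2net (1 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    DROP       all  --  anywhere             anywhere             state INVALID
3    ACCEPT     all  --  192.168.1.0/24       anywhere
4    DROP       all  --  !192.168.1.0/24      anywhere

Chain net2loc (1 references)
num  target     prot opt source               destination
1    DROP       all  --  !10.0.0.0/8          anywhere
'

# find_lan_drop_rule CHAIN   (reads iptables output on stdin)
# Prints the number of the first rule in CHAIN whose target is DROP and whose
# source is a negated IPv4 network ("!a.b.c.d/n"). Prints nothing and returns 1
# when no such rule exists, i.e. forwarding is already enabled.
find_lan_drop_rule() {
    awk -v chain="$1" '
        { sub(/\r$/, "") }                      # telnet sessions end lines with CRLF
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && $1 ~ /^[0-9]+$/ && $2 == "DROP" &&
            $5 ~ /^![0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ { print $1; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# forwarding_fix_commands CHAIN   (reads iptables output on stdin)
# Emits the same two commands the thread sends over telnet, with the rule number
# taken from the table. Prints nothing and returns 1 when there is nothing to
# delete, so a caller never removes an unrelated rule by position.
forwarding_fix_commands() {
    n=$(find_lan_drop_rule "$1") || return 1
    echo "iptables -t filter -D $1 $n && iptables -t nat -I POSTROUTING 1 -o brwan -j MASQUERADE"
}

# Demo on the constructed table: prints the delete for loc2net rule 4.
printf '%s' "$SAMPLE_OUTPUT" | forwarding_fix_commands loc2net
```

On the router this replaces the hard-coded `iptables -t filter -D loc2net 5`: pipe the `iptables -L --line-numbers` output captured over netcat into `forwarding_fix_commands loc2net`, and send the result back only when it returns 0. The CRLF strip matters because the telnet session, not the local shell, produces the lines being parsed.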