Intracom netroute2 hacks

Since I now own my own dsl I am using an intracom netroute2 as a dsl modem/router. What really rocks about it is that it is linux (busybox) based, so one can change a lot of how stuff works in it. The bad news about it is that Intracom no longer produces it! The good news is that someone might be able to get some second hand of those modems really cheap. I wonder who was the idiot to stop the production of those modems in Intracom…

Anyway…I’ll post here some of the changes I did to it . I am using firmware version 577 so everything I say here might not work on older ones.

A) Fix ntp.
The modem/router on boot reads /etc/date and changes the date according to that file. My version dated from april 2006 made the modem on boot to think that it was april. It is easy to fix this using an ntpclient cronjob. So create a file inside /etc/cron.d/ named cron_ntpclient and paste the following inside it:
0,15,30,45 * * * * root /usr/bin/ntpclient -s -h ntp.grnet.gr > /dev/null 2>&1
This will sync the time on the modem every 15minutes.
If you want to be even more accurate like I do check out the following. I had noticed that my modem takes about 1 min and 20 secs from the time I plugged it in till the time it got IP from my ISP. So if I could make it to ntp sync immediately after getting an IP it would be pretty cool. So, I edited /etc/date and replaced the contents of the file with the following:
091918002006
This makes the modem to set its date at 18:00 19-September-2006.

Then change the cron script to this:
02,15,30,45 * * * * root /usr/bin/ntpclient -s -h ntp.grnet.gr > /dev/null 2>&1

Now the modem syncs the date on the next minute after it gets IP from the ISP. This is really helpfull if you use syslog (read on for this).

BEWARE though that BEFORE you reboot you MUST run /etc/init.d/checkpoint. This command is VITAL! It saves the changes you do inside the configuration files so they are not overwritten on the reboot by the stuff inside /etc-ro/.

B) This version has snmpd installed but not started by default. So let’s make it start when netroute2 boots.
The only thing that needs to be done for this is add an entry inside /etc/net.conf. You need to add somewhere around the end an entry like this:

SNMP_RO_COMMUNITY=YOUR_SNMP_COMMUNITY

Change ‘YOUR_SNMP_COMMUNITY’ with a password of your choice. You can use vi to do it. Run /etc/init.d/checkpoint afterwards to save your changes.

You can now reboot Netroute2 and if you type ‘ps aux’ on it’s shell you will probably see something like this:
408 root 840 S /sbin/snmpd -c /etc/snmpd.conf -l /dev/null
That means snmpd is now listening for connections. You can now monitor the traffic with mrtg if you want from another PC. I’ll post my own mrtg.conf for the netroute2 but it does not necessarily mean that it will work for you too. It depends on which ethernet devices you use to connect it to your network. I use eth0.
Here’s the mrtg.conf for my netroute2: netroute2-mrtg.conf

Use it with your other mrtg scripts, I won’t tell you how here…if you don’t know…google for it. It’s realy simple. Here’s a HOWTO from the Gentoo Wiki HOWTO_SNMP_and_MRTG_Made_Easy for the lazy ones.

C) Syslog activation.
A syslog daemon is also included but not started in netroute2. It is primarily thought to be logging remotely to another machine. But netroute2 has 10Mb of free space at /tmp…so we can make it store some logs there. On reboot these logs are lost, so it’s only usefull if you netroute is on a UPS or if you want to monitor what’s going on while netroute is working. It’s not for watching what happened and your netroute2 crashed. If you want such behaviour you must activate remote syslog logging, and if you want that you must be able to easily find out how to do it, you don’t need my advice 🙂

First of all fire up vi and edit /etc/syslog.conf. Change all entries that start with /var/log to /tmp/var/log/. Then go find /etc/init.d/rc-syslog and edit it with vi. Find line 13. It should say something like this:

/bin/echo "Invalid Syslog Server IP!"
exit 1

Change it to:

/bin/echo "Invalid Syslog Server IP!"
/bin/echo "Logging Locally!"
mkdir -p /tmp/var/log/
#exit 1

What happens here is this, the script searches /etc/net.conf for a variable named SYSLOG_SERVER_IP. If it finds it it enables remote syslogging to that IP (damn!.. I’ve said it), but we want to enable local logging so we have to bypass it. We first create the /tmp/var/log directory and then put a “#” in front of the exit command so the script does not stop when it can’t find SYSLOG_SERVER_IP.

/etc/init.d/checkpoint again….reboot…and if all went fine if you “ps aux” you should see something like:

166 root 336 S /sbin/syslogd
169 root 264 S /sbin/klogd -c 3 -x

If you cd to /tmp/var/log you can find the log files. You can more them, tail them, grep them, whatever…it’s up to you now.

D) Enable iptables logging.
Netroute2 features iptables firewalling and tc for QoS!!! You can easily modify the firewall script to make it suit your needs better. What I am going to describe here is how to make iptables log to syslog so you can view what is being blocked by iptables.

First thing you have to do is go to the web interface (yes it IS sloooooooow but who cares ? You won’t be needing much anyway 🙂 ), go to “Wan Connections” and click on Firewall. Go where it says “Expert Configuration” (don’t you already feel l33t ? heh) and add a dummy line like this:

iptables -A INPUT -i ppp0 -p tcp --dport 135 -j DROP

Click on apply and wait a bit until it refreshes the firewall webpage.
This line, even it is totally useless (if you know a bit of iptables and see the rest of the firewall listing I am sure you already know why), it will force netroute2 to create a seperate firewall file for your connection and not use its default one.

Now go back to netroute2's shell. If you don't know/remember the name of your connection do an
ls /etc/wan/current/
and it will show you it's name. Then go to /etc/wan/firewall/ and edit the file with your connection name. You will see inside it the full listing of iptables rules.

Lines 25-27 should a bit like these:

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [43:9993]
:OUTPUT ACCEPT [73:33579]

Add below the last one a line like the following:

:LOG_DROP - [0:0]

Around line 65 there should be something like this:

-A INPUT -i ppp0 -j DROP

change it to:

-A INPUT -i ppp0 -j LOG_DROP

Then finally find the last line of the file that says COMMIT and add above it these two lines:

-A LOG_DROP -j LOG
-A LOG_DROP -j DROP

The editing is finished. DON’T forget to /etc/init.d/checkpoint….reboot and you are ready.

If you had previously enabled syslog logging correctly you can do a:
tail -f /tmp/var/log/kernel.log

and if you firewall blocks something you might see a line that looks like this:
Sep 24 02:16:57 (none) kernel: IN=ppp0 OUT= MAC= SRC=XX.XX.XX.XX DST=YY.YY.YY.YY LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=30976 DF PROTO=TCP SPT=3935 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0

You can change all the other “-j DROP” settings inside your firewall config with “-j LOG_DROP” to gather more information about what gets dropped. If you do that though it might be necessary to refine your /etc/syslog.conf to create more accurate log files..Which log files keeps what kinds of logs…play with it.

E) Netroute has some advanced commands that are not inside the PATH.
Look for some very interesting binaries like tcpdump, tc, etc inside /usr/sbin

F) Public key auth with dropbear:
on client machine:

ssh-keygen -t rsa
scp .ssh/id_rsa.pub root@netroute.ip:

on netroute2:

mkdir .ssh
mv id_rsa.pub .ssh/authorized_keys
chmod 400 ~/.ssh/authorized_keys
chmod 700 ~/.ssh
/etc/init.d/checkpoint

If everything is done properly you will now be able to ssh from your client to netroute2 without password.

I wish I could find more of these great machines. 2 Ethernet ports, usb, serial console, 2 FXS, it’s own small sip compatible PBX … what else can one need ? A usb port for an external disk and a torrent client probably… 🙂