Maintaining a Linux Wireless Access Point

In this fourth part of a five-part series on building a Linux wireless access point, you’ll learn about firewalling, routing, and more. This article is excerpted from chapter four of the Linux Networking Cookbook, written by Carla Schroder (O’Reilly; ISBN: 0596102488). Copyright © 2008 O’Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O’Reilly Media.

4.11 Connecting to the Internet and Firewalling 

Problem

It’s high time to finish up with these LAN chores and bring the Internet to your LAN. Your wireless is encrypted, your LAN services are working, and your users want Internet. So you’re ready to configure your WAN interface and build a nice stout iptables firewall.

Solution

Easy as pie. First, configure your WAN interface, then set up an iptables firewall. (See Chapter 3 to learn how to do these things.) You’ll need to make some simple changes to /usr/local/bin/fw-nat to enable traffic to flow across your bridge. Add these two lines:

  $ipt -A INPUT -p ALL -i $LAN_IFACE -s 192.168.1.0/24 -j ACCEPT
  $ipt -A FORWARD -p ALL -i $LAN_IFACE -s 192.168.1.0/24 -j ACCEPT

Use your own subnet, of course. Then, change the value of LAN_IFACE to br0:

  LAN_IFACE="br0"

Restart and test everything according to Chapter 3, and you are set.

Discussion

Ethernet bridges join subnets into a single broadcast domain, with broadcast traffic going everywhere at once. A bridge is easy to set up and is transparent to your users. Your subnets function as a single network segment, so LAN services work without any additional tweaking, such as network printing, Samba servers, and Network Neighborhood. You can move computers around without having to give them new addresses. 

Bridging is inefficient because it generates more broadcast traffic, so it doesn’t scale up very far. An Ethernet bridge operates at the data link layer (layer 2) of the OSI Model: it sees MAC addresses, not IP addresses. iptables does not see bridged frames unless bridge netfilter is enabled (the br_netfilter module with net.bridge.bridge-nf-call-iptables=1), in which case IP traffic crossing the bridge passes through the FORWARD chain and can be matched per bridge port with -m physdev. If you want to filter on layer 2 fields, use ebtables, which is designed for bridging firewalls.

Routing gives more control over your network segments; you can filter traffic any way you like. It’s more efficient than bridging because it’s not spewing broadcasts all over the place. Routing scales up indefinitely, as demonstrated by the existence of the Internet. Its main disadvantage in the LAN is it’s a bit more work to implement.

See Recipe 4.12 to learn how to use routing instead of bridging on your wireless access point.

See Also

  • Chapter 6

4.12 Using Routing Instead of Bridging

Problem

You would rather use routing between your two LAN segments instead of bridging because it gives better performance and more control. For example, you might set up a separate link just to give Internet access to visitors and easily keep them out of your network. Or, you want some separation and different sets of LAN services for each network segment. You know it’s a bit more work to set up, but that doesn’t bother you, you just want to know how to make it go. 

Solution

The example access point in this chapter has three network interfaces: the wireless interface ath0 and the Ethernet interfaces eth0 and eth1. Instead of bridging ath0 and eth0 to create the br0 LAN interface, ath0 and eth0 are going to be two separate LAN interfaces, and eth1 will still be the WAN interface. iptables will forward traffic between ath0 and eth0, and dnsmasq.conf will need some additional lines to handle the extra subnet.

This recipe assumes you are using either WPA-PSK or WPA-Enterprise with a separate RADIUS server. (See the previous recipes in this chapter to learn how to configure encryption and authentication.) You may create an open access point for testing by commenting out the two lines that control hostapd:

  ##/etc/network/interfaces
  auto lo
  iface lo inet loopback

  auto ath0
  iface ath0 inet static
          address 192.168.2.50
          network 192.168.2.0
          netmask 255.255.255.0
          broadcast 192.168.2.255
          post-down wlanconfig ath0 destroy
          pre-up wlanconfig ath0 create wlandev wifi0 wlanmode ap
          pre-up iwconfig ath0 essid "alrac-net" channel 01 rate auto
          pre-up ifconfig ath0 up
          pre-up sleep 3
          up hostapd -B /etc/hostapd.conf
          post-down killall hostapd

  auto eth0
  iface eth0 inet static
          address 192.168.1.50
          network 192.168.1.0
          netmask 255.255.255.0
          broadcast 192.168.1.255

  auto eth1
  iface eth1 inet static
          address 12.169.163.241
          gateway 12.169.163.1
          netmask 255.255.255.0

  ##/etc/dnsmasq.conf
  domain-needed
  bogus-priv
  local=/alrac.net/
  expand-hosts
  domain=alrac.net
  listen-address=127.0.0.1
  listen-address=192.168.1.50
  listen-address=192.168.2.50
  server=12.169.174.2
  server=12.169.174.3

  dhcp-range=lan,192.168.1.100,192.168.1.200,255.255.255.0,12h
  dhcp-range=wifi,192.168.2.100,192.168.2.200,255.255.255.0,12h
  dhcp-lease-max=100

  #default gateway
  dhcp-option=lan,3,192.168.1.50
  dhcp-option=wifi,3,192.168.2.50

  #DNS server
  dhcp-option=lan,6,192.168.1.50
  dhcp-option=wifi,6,192.168.2.50

  #assign static IP addresses
  dhcp-host=stinkpad,192.168.2.74,net:wifi
  dhcp-host=penguina,192.168.2.75,net:wifi
  dhcp-host=uberpc,192.168.1.76,net:lan
  dhcp-host=xena,192.168.1.10,net:lan

You’ll need to add a batch of iptables rules to your firewall script. See the Discussion for a complete example iptables firewall script.

Discussion

This iptables example forwards all traffic freely between your two LAN segments, and makes name services available to all. This is a liberal configuration with no restrictions.

Remember that broadcast traffic does not cross routers. NetBIOS name resolution and browsing (what Samba and Network Neighborhood use to find machines) rely on broadcasts, so they do not work across your subnets without a WINS server or lmhosts entries; SMB file sharing itself, over TCP port 445 (or 139), is routable once the name is resolved. All routable traffic, such as SSH, ping, mail and web servers, and so forth, will travel between your subnets with no problems.

By routing between your wired and wireless network segments, your options are legion: limit the services available to either network segment, filter on individual hosts, do some fine-grained traffic shaping—anything you want to do is possible.

dnsmasq.conf uses the RFC 2132 option numbers to identify servers, so refer to that RFC for a complete list. Prefixing an option with a tag (lan or wifi above) sends it only to clients in that group; the tag always comes first, before the option number. Some common options are:

dhcp-option=2,[offset]
   Time offset from UTC (Coordinated Universal Time), in seconds. You’ll have to manually adjust this twice per year if you are afflicted with daylight saving time, but at least you’ll control everything from the server. For example, Pacific Standard Time is written as dhcp-option=2,-28800, which equals UTC -8 hours.

dhcp-option=3,[IP address]
   Send clients the default route. Use this when dnsmasq is not on the same box as your router; if you omit it, dnsmasq hands out its own address.

dhcp-option=7,[IP address]
   Syslog server.

dhcp-option=wifi,33,[destination IP address],[router address]
   Assign a static route to the “wifi” group. You may list as many routes as you want; each route is a pair of comma-separated IP addresses.

dhcp-option=40,[domain]
   NIS domain name.

dhcp-option=41,[IP address]
   NIS domain server.

dhcp-option=42,[IP address]
   NTP server.

dhcp-option=69,[IP address]
   SMTP server.

dhcp-option=70,[IP address]
   POP server.

dhcp-option=72,[IP address]
   HTTP server.
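A tag that points to the wrong pool is easy to produce by hand and dnsmasq will not complain: a host tagged wifi but given a 192.168.1.x address is handed the wireless segment's router and DNS, which it cannot reach. The following check, added here as an example and not part of the book, parses a tag-based dnsmasq.conf like the one in this recipe: for each dhcp-range it records the tag and the /24 the pool sits in, then reports any dhcp-host carrying that tag, and any router (3) or DNS (6) option sent to that tag, whose address lies in a different /24. It goes slightly beyond the recipe by accepting both the old net:/bare-tag spelling used above and the newer set:/tag: spelling of current dnsmasq releases. Treating every subnet as a /24 is this example's simplification, and the function names are its own; the embedded sample is the DHCP part of the recipe's dnsmasq.conf plus one constructed mistake.

```shell
#!/bin/sh
# Added example (not from the Linux Networking Cookbook): sanity-check the
# tag -> subnet mapping in a dnsmasq.conf. Assumes every dhcp-range is a /24.

check_dnsmasq_tags() {
    # $1 = path to dnsmasq.conf. Prints one line per problem and returns 1,
    # or prints nothing and returns 0 when the tags are consistent.
    problems=$(awk -F'[=,]' '
        function prefix(ip) { sub(/\.[0-9]+$/, "", ip); return ip }
        { sub(/^(tag|set):/, "", $2) }          # tag:lan / set:lan -> lan
        $1 == "dhcp-range" { net[$2] = prefix($3) }
        $1 == "dhcp-option" && ($3 == 3 || $3 == 6) && ($2 in net) {
            if (prefix($4) != net[$2])
                print "option " $3 " for tag " $2 " is " $4 ", outside " net[$2] ".0/24"
        }
        $1 == "dhcp-host" {
            tag = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^(net|set):/) { tag = $i; sub(/^(net|set):/, "", tag) }
            if (tag != "" && (tag in net) && prefix($3) != net[tag])
                print "host " $2 " is " $3 " but tagged " tag ", whose pool is " net[tag] ".0/24"
        }' "$1")
    [ -z "$problems" ] && return 0
    echo "$problems"
    return 1
}

sample_conf() {
    # The DHCP part of the recipe's dnsmasq.conf, written to the file named in $1
    cat > "$1" <<'EOF'
dhcp-range=lan,192.168.1.100,192.168.1.200,255.255.255.0,12h
dhcp-range=wifi,192.168.2.100,192.168.2.200,255.255.255.0,12h
dhcp-option=lan,3,192.168.1.50
dhcp-option=wifi,3,192.168.2.50
dhcp-option=lan,6,192.168.1.50
dhcp-option=wifi,6,192.168.2.50
dhcp-host=stinkpad,192.168.2.74,net:wifi
dhcp-host=penguina,192.168.2.75,net:wifi
dhcp-host=uberpc,192.168.1.76,net:lan
dhcp-host=xena,192.168.1.10,net:lan
EOF
}

conf=$(mktemp)
sample_conf "$conf"
check_dnsmasq_tags "$conf" && echo "recipe config: tags consistent"

# Constructed mistake: a wired host tagged onto the wireless pool. dnsmasq
# loads this happily, but the client gets a default gateway and DNS server
# on the other segment.
echo 'dhcp-host=laptop,192.168.1.77,net:wifi' >> "$conf"
check_dnsmasq_tags "$conf" || echo "fix the lines above before restarting dnsmasq"
rm -f "$conf"
```

Run it against /etc/dnsmasq.conf before each restart; pair it with dnsmasq --test, which catches syntax errors but not this kind of logical mismatch.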

Because our LAN routes pass through an iptables firewall with a default DROP policy, permitted traffic must be explicitly accepted and forwarded.

If you followed Chapter 3 to build your iptables firewall, don’t forget you can use /etc/init.d/firewall stop|start|restart when you’re testing new rules.

Here is a complete example /usr/local/bin/fw-nat that gives the wired and wireless subnets nearly unlimited access to each other:

  #!/bin/sh
  #iptables firewall script for sharing a cable or DSL Internet
  #connection, with no public services

  #define variables
  ipt="/sbin/iptables"
  mod="/sbin/modprobe"
  LAN_IFACE="eth0"
  WAN_IFACE="eth1"
  WIFI_IFACE="ath0"

  #load kernel modules
  $mod ip_tables
  $mod iptable_filter
  $mod iptable_nat
  $mod ip_conntrack
  $mod ipt_LOG
  $mod ipt_limit
  $mod ipt_state
  $mod iptable_mangle
  $mod ipt_MASQUERADE
  $mod ip_nat_ftp
  $mod ip_nat_irc
  $mod ip_conntrack_ftp
  $mod ip_conntrack_irc

  # Flush all active rules and delete all custom chains
  $ipt -F
  $ipt -t nat -F
  $ipt -t mangle -F
  $ipt -X
  $ipt -t nat -X
  $ipt -t mangle -X

  #Set default policies
  $ipt -P INPUT DROP
  $ipt -P FORWARD DROP
  $ipt -P OUTPUT ACCEPT
  $ipt -t nat -P OUTPUT ACCEPT
  $ipt -t nat -P PREROUTING ACCEPT
  $ipt -t nat -P POSTROUTING ACCEPT
  $ipt -t mangle -P PREROUTING ACCEPT
  $ipt -t mangle -P POSTROUTING ACCEPT

  #Turn on routing between interfaces; without this the kernel
  #never consults the FORWARD chain (harmless to repeat if Chapter 3
  #already set it in /etc/sysctl.conf)
  echo 1 > /proc/sys/net/ipv4/ip_forward

  #this line is necessary for the loopback interface
  #and internal socket-based services to work correctly
  $ipt -A INPUT -i lo -j ACCEPT

  #Allow incoming SSH from the wired LAN only to the gateway box
  $ipt -A INPUT -p tcp -i $LAN_IFACE -s 192.168.1.0/24 --dport 22 \
       -m state --state NEW -j ACCEPT

  #Enable IP masquerading; use the WAN address given to eth1
  #in /etc/network/interfaces
  $ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source 12.169.163.241

  #Enable unrestricted outgoing traffic; incoming
  #is restricted to locally-initiated sessions only;
  #unrestricted between WIFI and LAN
  $ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  $ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state \
       ESTABLISHED,RELATED -j ACCEPT
  $ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state \
       NEW,ESTABLISHED,RELATED -j ACCEPT
  $ipt -A FORWARD -i $LAN_IFACE -o $WIFI_IFACE -m state --state \
       NEW,ESTABLISHED,RELATED -j ACCEPT
  $ipt -A FORWARD -i $WIFI_IFACE -o $LAN_IFACE -m state --state \
       NEW,ESTABLISHED,RELATED -j ACCEPT
  $ipt -A FORWARD -i $WIFI_IFACE -o $WAN_IFACE -m state --state \
       NEW,ESTABLISHED,RELATED -j ACCEPT
  $ipt -A FORWARD -i $WAN_IFACE -o $WIFI_IFACE -m state --state \
       ESTABLISHED,RELATED -j ACCEPT

  #Enable internal DHCP and DNS (DHCP requests come from 0.0.0.0,
  #so the port 67 rules cannot match on a source subnet)
  $ipt -A INPUT -p udp -i $LAN_IFACE -s 192.168.1.0/24 --dport 53 -j ACCEPT
  $ipt -A INPUT -p tcp -i $LAN_IFACE -s 192.168.1.0/24 --dport 53 -j ACCEPT
  $ipt -A INPUT -p udp -i $LAN_IFACE --dport 67 -j ACCEPT
  $ipt -A INPUT -p udp -i $WIFI_IFACE -s 192.168.2.0/24 --dport 53 -j ACCEPT
  $ipt -A INPUT -p tcp -i $WIFI_IFACE -s 192.168.2.0/24 --dport 53 -j ACCEPT
  $ipt -A INPUT -p udp -i $WIFI_IFACE --dport 67 -j ACCEPT

  #allow both LAN segments to reach the router's HTTPS interface
  $ipt -A INPUT -p tcp -i $LAN_IFACE --dport 443 -j ACCEPT
  $ipt -A INPUT -p tcp -i $WIFI_IFACE --dport 443 -j ACCEPT

  # Accept ICMP echo-request, time-exceeded, and destination-unreachable
  $ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  $ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
  $ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

  #Drop TCP connection attempts not matched above; the INPUT policy
  #already does this, so this is a belt-and-braces catch-all
  $ipt -A INPUT -p tcp --syn -j DROP

  echo "The firewall has now started up and is faithfully protecting your system"
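The Problem for this recipe mentions a second reason to route: a visitor segment that gets the Internet and nothing else. The script above deliberately does not do that, so here is a variant, added as an example and not taken from the book, that turns the wireless segment into such a guest network: wireless clients get DHCP and DNS from the router and NATed Internet access, but no FORWARD rule exists between ath0 and eth0 in either direction, and the router's SSH port is open to the wired segment only. It keeps the recipe's interface names, subnets and the eth1 address from /etc/network/interfaces; the function names, the explicit LOG rule and the dry-run mode (the script only calls /sbin/iptables when run with the argument apply, otherwise it prints the commands it would run) are this example's own.

```shell
#!/bin/sh
# Added example (not from the Linux Networking Cookbook): fw-nat variant
# that treats the wireless segment as an isolated guest network.
# Usage:  sh fw-guest.sh apply   # run the real iptables commands as root
#         sh fw-guest.sh         # dry run: print the commands instead

LAN_IFACE="eth0"
WAN_IFACE="eth1"
WIFI_IFACE="ath0"
LAN_NET="192.168.1.0/24"
WIFI_NET="192.168.2.0/24"
WAN_ADDR="12.169.163.241"   # eth1's address from /etc/network/interfaces

# Every rule goes through $ipt; the dry-run default prints instead of
# applying, so the generated ruleset can be reviewed without root.
ipt="${ipt:-echo iptables}"

reset_tables() {
    $ipt -F
    $ipt -t nat -F
    $ipt -X
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT
}

guest_rules() {
    reset_tables
    $ipt -A INPUT -i lo -j ACCEPT

    # Replies to sessions the router or its clients opened, in any direction.
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Wired LAN: SSH, DNS and DHCP on the router, plus new sessions to the Internet.
    $ipt -A INPUT -i $LAN_IFACE -s $LAN_NET -p tcp --dport 22 -j ACCEPT
    $ipt -A INPUT -i $LAN_IFACE -p udp --dport 67 -j ACCEPT
    $ipt -A INPUT -i $LAN_IFACE -s $LAN_NET -p udp --dport 53 -j ACCEPT
    $ipt -A INPUT -i $LAN_IFACE -s $LAN_NET -p tcp --dport 53 -j ACCEPT
    $ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s $LAN_NET -j ACCEPT

    # Guest wireless: only DHCP and DNS on the router itself (no SSH, no
    # web interface) and new sessions towards the Internet. There is no
    # FORWARD rule into $LAN_IFACE, so the DROP policy keeps guests off the
    # wired segment, and no LAN->WIFI rule exists either.
    $ipt -A INPUT -i $WIFI_IFACE -p udp --dport 67 -j ACCEPT
    $ipt -A INPUT -i $WIFI_IFACE -s $WIFI_NET -p udp --dport 53 -j ACCEPT
    $ipt -A INPUT -i $WIFI_IFACE -s $WIFI_NET -p tcp --dport 53 -j ACCEPT
    $ipt -A FORWARD -i $WIFI_IFACE -o $WAN_IFACE -s $WIFI_NET -j ACCEPT

    # Make the isolation explicit and logged instead of relying only on the
    # policy; "iptables -L FORWARD -v" then shows how often guests probe the LAN.
    $ipt -A FORWARD -i $WIFI_IFACE -o $LAN_IFACE -m limit --limit 5/min \
         -j LOG --log-prefix "guest->lan: "
    $ipt -A FORWARD -i $WIFI_IFACE -o $LAN_IFACE -j DROP

    # NAT for both segments. Packets with a forged source subnet never get
    # here, because the FORWARD accepts above match on -s as well as -i.
    $ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source $WAN_ADDR
}

enable_forwarding() {
    # Routing between segments needs the kernel switch as well as the rules.
    if [ "$ipt" = "/sbin/iptables" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

if [ "${1:-}" = "apply" ]; then
    ipt="/sbin/iptables"
fi
enable_forwarding
guest_rules
```

Review the dry-run output before applying: the two rules that matter for isolation are the FORWARD policy of DROP and the absence of any ACCEPT with -i ath0 -o eth0 or -i eth0 -o ath0. Guests that need a printer or a file server on the wired side get a single explicit FORWARD rule for that host and port, never a blanket one.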

See Also

  • Chapter 3
  • man 5 dhclient
  • dnsmasq.conf is a great help resource
  • dnsmasq home page (http://www.thekelleys.org.uk/dnsmasq/doc.html) is where you’ll find mailing list archives and excellent help documents
  • Chapter 24, “Managing Name Resolution,” in Linux Cookbook, by Carla Schroder (O’Reilly)

4.13 Probing Your Wireless Interface Card

Problem

Your wireless interface card came in a colorful box and wads of multilanguage documentation. But none of it gives you the technical specs that you really want, such as supported channels, encryption protocols, modes, frequencies—you know, the useful information.

Solution

Both wlanconfig, which is part of the MadWiFi driver package, and iwlist, which is part of wireless-tools, will probe your wireless card and tell you what it can do, like this command that displays what protocols the card supports:

  pyramid:~# wlanconfig ath0 list caps
  ath0=7782e40f<WEP,TKIP,AES,AES_CCM, HOSTAP,TXPMGT,SHSLOT,SHPREAMBLE,
  TKIPMIC,WPA1,WPA2,WME>

This means this is a nice modern card that supports all of the important encryption and authentication protocols, and it can serve as an access point.

This command shows all of the channels and frequencies the card supports:

  pyramid:~# wlanconfig ath0 list chan

Find out what kind of keys your card supports:

  pyramid:~# iwlist ath0 key

Which card functions are configurable:

  pyramid:~# iwlist ath0 event

This particular card supports variable transmission power rates:

  pyramid:~# iwlist ath0 txpower

What bit-rates are supported?

  pyramid:~# iwlist ath0 rate

The iwconfig command shows the card’s current configuration:

  pyramid:~# iwconfig ath0

Discussion

What does this output mean?

  ath0=7782e40f<WEP,TKIP,AES,AES_CCM,HOSTAP, TXPMGT,SHSLOT,SHPREAMBLE,
  TKIPMIC,WPA1,WPA2,WME>

It means this particular card supports WEP encryption, Temporal Key Integrity Protocol (TKIP), and Advanced Encryption Standard with Counter Mode with CBC-MAC Protocol (AES and AES_CCM, the WPA2 cipher also known as CCMP); it can function as an access point (HOSTAP); it has transmit power management (TXPMGT); and it supports the TKIP message integrity check (TKIPMIC, the Michael MIC), WPA and WPA2, and Wireless Multimedia Extensions (WME, also marketed as WMM). For a new access point, configure hostapd for WPA2 with CCMP only: WEP is trivially broken and TKIP has known attacks, so a card listing them is merely being backward-compatible.

SHSLOT and SHPREAMBLE stand for “short slot” and “short preamble,” which have to do with faster transmission speeds. Matthew Gast’s 802.11 Wireless Networks: The Definitive Guide (O’Reilly) tells you all about these.
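When a script has to decide whether a card is fit for a WPA2 access point, the capability line is worth parsing rather than eyeballing, because names such as AES and AES_CCM differ by a suffix and only the latter is the CCMP cipher. The following functions, added here as an example and not part of the book or of MadWiFi, pull the names out of the wlanconfig output shown above, test for exact matches, and give a verdict; the function names are this example's own, and the second capability string in the test is a constructed one for a card that lacks WPA2.

```shell
#!/bin/sh
# Added example (not from the Linux Networking Cookbook): parse the
# capability list printed by "wlanconfig ath0 list caps" and decide whether
# the card can run a WPA2/CCMP access point.

# Print the comma-separated capability names, one per line, from a line such as
#   ath0=7782e40f<WEP,TKIP,AES,AES_CCM,HOSTAP,...>
caps_list() {
    echo "$1" | sed -n 's/^[^<]*<\(.*\)>.*$/\1/p' | tr ',' '\n' | sed 's/^ *//;s/ *$//'
}

# $1 = caps line, $2 = capability name; exact match only, so AES does not
# pass for AES_CCM.
has_cap() {
    caps_list "$1" | grep -q -x "$2"
}

# Return 0 if the card can serve as an AP with WPA2 and CCMP, 1 otherwise.
wpa2_ap_capable() {
    has_cap "$1" HOSTAP && has_cap "$1" WPA2 && has_cap "$1" AES_CCM
}

# Name the broken ciphers the card advertises, one per line, so hostapd.conf
# can be checked for them; the card supporting them is not the problem,
# enabling them would be.
legacy_ciphers() {
    for c in WEP TKIP; do
        has_cap "$1" "$c" && echo "$c"
    done
    return 0
}

# The output shown in this recipe (the stray space after AES_CCM is in the
# original and is stripped by caps_list).
SAMPLE='ath0=7782e40f<WEP,TKIP,AES,AES_CCM, HOSTAP,TXPMGT,SHSLOT,SHPREAMBLE,TKIPMIC,WPA1,WPA2,WME>'
if wpa2_ap_capable "$SAMPLE"; then
    echo "card can run a WPA2-CCMP access point"
else
    echo "card cannot run a WPA2-CCMP access point; check HOSTAP, WPA2 and AES_CCM"
fi
echo "legacy ciphers to leave disabled in hostapd.conf: $(legacy_ciphers "$SAMPLE" | tr '\n' ' ')"
```

On the access point itself, replace SAMPLE with `$(wlanconfig ath0 list caps)`; the functions read only the part between the angle brackets, so the hex mask in front is ignored.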

See Also

  • Pyramid Linux does not include manpages, so you should install the applications in this chapter on a PC to obtain them, or rely on Google
  • wlanconfig is part of MadWiFi-ng
  • man 8 iwlist
  • man 8 wlanconfig
  • 802.11 Wireless Networks: The Definitive Guide, by Matthew Gast (O’Reilly)

4.14 Changing the Pyramid Router’s Hostname

Problem

Pyramid is a nice name, but you really want to change it to something else. You tried editing /etc/hostname, but the name reset to Pyramid after reboot. Arg! How do you make it what you want?

Solution

The files under /rw/etc/ live on a temporary writable filesystem and are copied from /ro/etc/ at boot. /etc/hostname is a symlink to /rw/etc/hostname:

  pyramid:~# ls -l /etc/hostname
  lrwxrwxrwx  1 root root 18 Oct 30 2006 /etc/hostname -> ../rw/etc/hostname

So, you can either make /etc/hostname a regular file (remove the symlink to /rw/etc/hostname and create the file in its place), or edit /ro/etc/hostname, the copy that seeds /rw/etc/hostname at every boot.

Discussion

The filesystem is set up this way to reduce writes, because Compact Flash cells wear out after a limited number of write cycles.

You can use find to see which files in /etc are symlinks:

  pyramid:~# find /etc -maxdepth 1 -type l -ls
  6051 0 lrwxrwxrwx 1 root root 14 Oct  4  2006 /etc/mtab -> ../proc/mounts
  6052 0 lrwxrwxrwx 1 root root 21 Oct  4  2006 /etc/resolv.conf -> ../rw/etc/resolv.conf
  6079 0 lrwxrwxrwx 1 root root 30 Dec 31  2006 /etc/localtime -> /usr/share/zoneinfo/US/Pacific
  6081 0 lrwxrwxrwx 1 root root 18 Oct  4  2006 /etc/hostname -> ../rw/etc/hostname
  6156 0 lrwxrwxrwx 1 root root 15 Oct  4  2006 /etc/issue -> ../rw/etc/issue
  6195 0 lrwxrwxrwx 1 root root 17 Oct  4  2006 /etc/zebra -> ../usr/local/etc/
  6227 0 lrwxrwxrwx 1 root root 16 Oct  4  2006 /etc/resolv -> ../rw/etc/resolv
  6426 0 lrwxrwxrwx 1 root root 19 Oct  4  2006 /etc/issue.net -> ../rw/etc/issue.net
  6427 0 lrwxrwxrwx 1 root root 17 Oct  4  2006 /etc/adjtime -> ../rw/etc/adjtime

See Also

  1. man 1 find
  2. man 1 ls

Please check back for the conclusion to this series.
