
4.12 Using Routing Instead of Bridging

In this fourth part of a five-part series on building a Linux wireless access point, you'll learn about firewalling, routing, and more. This article is excerpted from chapter four of the Linux Networking Cookbook, written by Carla Schroder (O'Reilly; ISBN: 0596102488). Copyright © 2008 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

TABLE OF CONTENTS:
  1. Maintaining a Linux Wireless Access Point
  2. 4.12 Using Routing Instead of Bridging
  3. 4.13 Probing Your Wireless Interface Card
  4. 4.14 Changing the Pyramid Router’s Hostname
By: O'Reilly Media
February 08, 2010


Problem

You would rather use routing between your two LAN segments instead of bridging because it gives better performance and more control. For example, you might set up a separate link just to give Internet access to visitors and easily keep them out of your network. Or, you want some separation and different sets of LAN services for each network segment. You know it’s a bit more work to set up, but that doesn’t bother you, you just want to know how to make it go. 

Solution

The example access point in this chapter has three network interfaces: the wireless interface ath0 and two Ethernet interfaces, eth0 and eth1. Instead of bridging ath0 and eth0 to create the br0 LAN interface, ath0 and eth0 are going to be two separate LAN interfaces, each with its own subnet, and eth1 will still be the WAN interface. The kernel routes between the two subnets, iptables decides what is forwarded between ath0 and eth0, and dnsmasq.conf will need some additional lines to serve DHCP and DNS on the extra subnet.

This recipe assumes you are using either WPA-PSK or WPA-Enterprise with a separate RADIUS server. (See the previous recipes in this chapter to learn how to configure encryption and authentication.) You may create an open access point for testing by commenting out the two lines that control hostapd:

  ##/etc/network/interfaces
  auto lo
  iface lo inet loopback

  auto ath0
  iface ath0 inet static
      address 192.168.2.50
      network 192.168.2.0
      netmask 255.255.255.0
      broadcast 192.168.2.255
      pre-up wlanconfig ath0 create wlandev wifi0 wlanmode ap
      pre-up iwconfig ath0 essid "alrac-net" channel 01 rate auto
      pre-up ifconfig ath0 up
      pre-up sleep 3
      up hostapd -B /etc/hostapd.conf
      post-down killall hostapd
      post-down wlanconfig ath0 destroy

  auto eth0
  iface eth0 inet static
      address 192.168.1.50
      network 192.168.1.0
      netmask 255.255.255.0
      broadcast 192.168.1.255

  auto eth1
  iface eth1 inet static
      address 12.169.163.241
      gateway 12.169.163.1
      netmask 255.255.255.0

  ##/etc/dnsmasq.conf
  domain-needed
  bogus-priv
  local=/alrac.net/
  expand-hosts
  domain=alrac.net
  listen-address=127.0.0.1
  listen-address=192.168.1.50
  listen-address=192.168.2.50
  server=12.169.174.2
  server=12.169.174.3

  dhcp-range=lan,192.168.1.100,192.168.1.200,255.255.255.0,12h
  dhcp-range=wifi,192.168.2.100,192.168.2.200,255.255.255.0,12h
  dhcp-lease-max=100

  #default gateway
  dhcp-option=lan,3,192.168.1.50
  dhcp-option=wifi,3,192.168.2.50

  #DNS server
  dhcp-option=lan,6,192.168.1.50
  dhcp-option=wifi,6,192.168.2.50

  #assign static IP addresses
  dhcp-host=stinkpad,192.168.2.74,net:wifi
  dhcp-host=penguina,192.168.2.75,net:wifi
  dhcp-host=uberpc,192.168.1.76,net:lan
  dhcp-host=xena,192.168.1.10,net:lan

You’ll need to add a batch of iptables rules to your firewall script. See the Discussion for a complete example iptables firewall script.

Discussion

This iptables example forwards all traffic freely between your two LAN segments in both directions, and makes name services available to both. It is a liberal configuration: the only restriction is on the Internet side, where new inbound connections are dropped and only replies to sessions opened from inside are let back in.

Remember that broadcast traffic does not cross a router, so anything that depends on broadcasts stays within its own segment: NetBIOS name resolution and browse lists, and therefore Windows network browsing and plain Samba discovery, will not work across the two subnets unless you provide a WINS or DNS-based alternative. Unicast protocols such as SSH, ping, mail, web, and SMB itself over TCP port 445 route between the subnets without trouble.

By routing between your wired and wireless network segments, your options are legion: limit the services available to either network segment, filter on individual hosts, do some fine-grained traffic shaping; anything you can express as a FORWARD rule is possible. One caveat if you filter on individual hosts: a dhcp-host entry keyed only on a hostname, as in the dnsmasq.conf example above, hands out the address to whichever client claims that name, so pin the entry to a MAC address as well, and remember that a MAC address is itself trivial to forge on a wireless segment. Treat per-host rules as convenience, not authentication.
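The Problem statement above describes the most common reason to do this: a visitor segment that gets Internet access and nothing else. The following is an added example, not code from the book or from its fw-nat script, showing what the FORWARD and INPUT rules look like for that policy with the recipe's interface names and subnets. The function names guest_forward_rules and guest_input_rules are the example's own; it assumes the same default DROP policies, module loading and flush sequence as fw-nat, and only installs rules when invoked with `apply`, so running it with IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Guest-wifi variant of the FORWARD/INPUT policy for the routed access point.
# Added example, not code from the Linux Networking Cookbook. Interface names
# and subnets follow the recipe; IPT=echo prints the rules instead of loading them.

IPT="${IPT:-/sbin/iptables}"
LAN_IFACE="eth0"              # wired LAN, 192.168.1.0/24
WAN_IFACE="eth1"              # Internet uplink
WIFI_IFACE="ath0"             # wireless guests, 192.168.2.0/24
WIFI_NET="192.168.2.0/24"

# Assumes the same defaults as fw-nat: FORWARD and INPUT policy DROP, the
# conntrack, LOG and limit modules loaded, and chains flushed before this runs.
guest_forward_rules() {
    # Wired LAN <-> Internet: LAN opens sessions, Internet only answers
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IFACE" -o "$LAN_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Guests -> Internet only; the -s match stops a guest spoofing a wired-LAN source
    $IPT -A FORWARD -i "$WIFI_IFACE" -s "$WIFI_NET" -o "$WAN_IFACE" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IFACE" -o "$WIFI_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Wired hosts may open sessions to guests (to administer them); guests may only answer
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$WIFI_IFACE" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WIFI_IFACE" -o "$LAN_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anything else from the air side toward the wired LAN: log a few per minute, then drop
    $IPT -A FORWARD -i "$WIFI_IFACE" -o "$LAN_IFACE" -m limit --limit 5/min -j LOG --log-prefix "WIFI>LAN DROP: "
    $IPT -A FORWARD -i "$WIFI_IFACE" -o "$LAN_IFACE" -j DROP
}

# Guests still need DHCP and DNS from the router itself; with INPUT policy DROP
# nothing else on the router (SSH on 22, the HTTPS page on 443) is reachable from them.
guest_input_rules() {
    $IPT -A INPUT -p udp -i "$WIFI_IFACE" --dport 67 -j ACCEPT           # DHCP; discovers come from 0.0.0.0
    $IPT -A INPUT -p udp -i "$WIFI_IFACE" -s "$WIFI_NET" --dport 53 -j ACCEPT
    $IPT -A INPUT -p tcp -i "$WIFI_IFACE" -s "$WIFI_NET" --dport 53 -j ACCEPT
}

if [ "${1:-}" = "apply" ]; then
    guest_forward_rules
    guest_input_rules
fi
```

Saved under a name of your choosing (guest-fw.sh here is only a placeholder), `IPT=echo sh guest-fw.sh apply` shows the rules before anything touches the kernel; run it as root without IPT to load them. Because the last ACCEPT for ath0 -o eth0 carries no NEW state, a guest's SYN toward 192.168.1.0/24 falls through to the LOG and DROP rules, while the wired side's sessions to a guest still get their replies.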

dnsmasq.conf identifies DHCP options by the numbers assigned in RFC 2132, so refer to that RFC for the complete list. The syntax is dhcp-option=[tag,]<number>,<value>: an option with no tag goes to every client, and one prefixed with a tag from a dhcp-range (lan or wifi above) goes only to that segment. Some common options are:

dhcp-option=2,[offset]
   Time offset from UTC (Coordinated Universal Time), in seconds. You’ll have to adjust this manually twice per year if you are afflicted with daylight saving time, but at least you control it from the server. For example, Pacific Standard Time is written as dhcp-option=2,-28800, which is UTC minus 8 hours.

dhcp-option=3,[IP address]
   Default route. Use this when dnsmasq is not on the same box as your router; when it is, dnsmasq sends its own address by default.

dhcp-option=7,[IP address]
   Log (syslog) server.

dhcp-option=wifi,33,[destination IP address],[router address]
   Static route, here sent only to the “wifi” group. You may list as many routes as you want; each route is a pair of comma-separated addresses, destination first and router second.

dhcp-option=40,[domain]
   NIS domain name.

dhcp-option=41,[IP address]
   NIS server.

dhcp-option=42,[IP address]
   NTP server.

dhcp-option=69,[IP address]
   SMTP server.

dhcp-option=70,[IP address]
   POP3 server.

dhcp-option=72,[IP address]
   WWW (HTTP) server.

Because our LAN routes pass through an iptables firewall with a default DROP policy, permitted traffic must be explicitly accepted and forwarded.

If you followed Chapter 3 to build your iptables firewall, don’t forget you can use /etc/init.d/firewall stop|start|restart when you’re testing new rules.

Here is a complete example /usr/local/bin/fw-nat that gives the wired and wireless subnets nearly unlimited access to each other:

  #!/bin/sh
  #iptables firewall script for sharing a cable or DSL Internet
  #connection, with no public services, routing between a wired
  #LAN segment and a wireless LAN segment

  #define variables
  ipt="/sbin/iptables"
  mod="/sbin/modprobe"
  LAN_IFACE="eth0"
  WAN_IFACE="eth1"
  WIFI_IFACE="ath0"
  #public address of the WAN interface; must match the eth1
  #address in /etc/network/interfaces
  WAN_IP="12.169.163.241"

  #load kernel modules (2.6-era names; current kernels load the
  #nf_conntrack/xt_* equivalents automatically as rules are added)
  $mod ip_tables
  $mod iptable_filter
  $mod iptable_nat
  $mod ip_conntrack
  $mod ipt_LOG
  $mod ipt_limit
  $mod ipt_state
  $mod iptable_mangle
  $mod ipt_MASQUERADE
  $mod ip_nat_ftp
  $mod ip_nat_irc
  $mod ip_conntrack_ftp
  $mod ip_conntrack_irc

  #turn on packet forwarding; without it the kernel never routes
  #between ath0, eth0, and eth1, whatever the FORWARD chain says
  echo 1 > /proc/sys/net/ipv4/ip_forward

  # Flush all active rules and delete all custom chains
  $ipt -F
  $ipt -t nat -F
  $ipt -t mangle -F
  $ipt -X
  $ipt -t nat -X
  $ipt -t mangle -X

  #Set default policies
  $ipt -P INPUT DROP
  $ipt -P FORWARD DROP
  $ipt -P OUTPUT ACCEPT
  $ipt -t nat -P OUTPUT ACCEPT
  $ipt -t nat -P PREROUTING ACCEPT
  $ipt -t nat -P POSTROUTING ACCEPT
  $ipt -t mangle -P PREROUTING ACCEPT
  $ipt -t mangle -P POSTROUTING ACCEPT

  #this line is necessary for the loopback interface
  #and internal socket-based services to work correctly
  $ipt -A INPUT -i lo -j ACCEPT

  #Allow incoming SSH from the wired LAN only to the gateway box
  $ipt -A INPUT -p tcp -i $LAN_IFACE -s 192.168.1.0/24 --dport 22 \
  -m state --state NEW -j ACCEPT

  #Enable IP masquerading (source NAT) for both LAN segments
  $ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source $WAN_IP

  #Enable unrestricted outgoing traffic; incoming from the Internet
  #is restricted to locally-initiated sessions only; traffic between
  #WIFI and LAN is unrestricted in both directions
  $ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  $ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state \
  ESTABLISHED,RELATED -j ACCEPT
  $ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state \
  NEW,ESTABLISHED,RELATED -j ACCEPT
  $ipt -A FORWARD -i $LAN_IFACE -o $WIFI_IFACE -m state --state \
  NEW,ESTABLISHED,RELATED -j ACCEPT
  $ipt -A FORWARD -i $WIFI_IFACE -o $LAN_IFACE -m state --state \
  NEW,ESTABLISHED,RELATED -j ACCEPT
  $ipt -A FORWARD -i $WIFI_IFACE -o $WAN_IFACE -m state --state \
  NEW,ESTABLISHED,RELATED -j ACCEPT
  $ipt -A FORWARD -i $WAN_IFACE -o $WIFI_IFACE -m state --state \
  ESTABLISHED,RELATED -j ACCEPT

  #Enable internal DHCP and DNS on both segments (DHCP discovers
  #arrive from 0.0.0.0, so port 67 carries no source filter)
  $ipt -A INPUT -p udp -i $LAN_IFACE -s 192.168.1.0/24 --dport 53 -j ACCEPT
  $ipt -A INPUT -p tcp -i $LAN_IFACE -s 192.168.1.0/24 --dport 53 -j ACCEPT
  $ipt -A INPUT -p udp -i $LAN_IFACE  --dport 67  -j ACCEPT
  $ipt -A INPUT -p udp -i $WIFI_IFACE -s 192.168.2.0/24 --dport 53 -j ACCEPT
  $ipt -A INPUT -p tcp -i $WIFI_IFACE -s 192.168.2.0/24 --dport 53 -j ACCEPT
  $ipt -A INPUT -p udp -i $WIFI_IFACE  --dport 67 -j ACCEPT

  #allow both LAN segments to reach the router's HTTPS interface
  $ipt -A INPUT -p tcp -i $LAN_IFACE  --dport 443  -j ACCEPT
  $ipt -A INPUT -p tcp -i $WIFI_IFACE  --dport 443  -j ACCEPT

  # Accept ICMP echo-request, time-exceeded and destination-unreachable
  $ipt -A INPUT -p icmp --icmp-type echo-request  -j ACCEPT
  $ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
  $ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

  #Drop connection attempts not initiated from inside the LAN
  #(already covered by the default INPUT policy; kept as a belt-and-braces rule)
  $ipt -A INPUT -p tcp --syn -j DROP

  echo "The firewall has now started up and is faithfully protecting your system"
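After loading a ruleset it is worth confirming what the kernel actually holds rather than what the script was meant to install: a stray comment marker or a typo in an interface name silently leaves a segment pair open or closed, and the script's own output says nothing about it. The following audit is an added example, not from the book or from fw-nat: it parses `iptables -S FORWARD` output and reports, for each interface pair of the recipe, whether any ACCEPT rule admits NEW connections. The function names are the example's own, and the two listings embedded in it are constructed for the example, not captured from a real router.

```shell
#!/bin/sh
# Audit which segment pairs a loaded FORWARD chain lets open new sessions.
# Added example, not from the Linux Networking Cookbook or its fw-nat script.
# Input is `iptables -S FORWARD` output, either live or the constructed
# listings below. Negated matches (! -i) are not handled.

# forward_allows_new IN_IF OUT_IF < listing
# Exit 0 if some ACCEPT rule admits NEW connections from IN_IF to OUT_IF.
# Accepts both "-m state --state" and the "-m conntrack --ctstate" form that
# newer iptables prints for the same rule; a rule without -i or -o matches
# every interface, and an ACCEPT with no state match admits everything.
forward_allows_new() {
    awk -v want_in="$1" -v want_out="$2" '
        $1 == "-A" && $2 == "FORWARD" {
            in_if = ""; out_if = ""; states = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                if ($i == "-o") out_if = $(i + 1)
                if ($i == "--state" || $i == "--ctstate") states = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            in_ok  = (in_if == "" || in_if == want_in)
            out_ok = (out_if == "" || out_if == want_out)
            new_ok = (states == "" || states ~ /(^|,)NEW(,|$)/)
            if (in_ok && out_ok && target == "ACCEPT" && new_ok) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed: what the liberal fw-nat script above produces
OPEN_LISTING='-P FORWARD DROP
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o ath0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ath0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ath0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o ath0 -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Constructed: a guest-isolation ruleset as a newer iptables lists it
GUEST_LISTING='-P FORWARD DROP
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -i ath0 -o eth1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o ath0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ath0 -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ath0 -o eth0 -j DROP'

# report LISTING: one verdict per interface pair of the recipe
report() {
    listing=$1
    for pair in "ath0 eth0" "eth0 ath0" "ath0 eth1" "eth0 eth1" "eth1 ath0" "eth1 eth0"; do
        set -- $pair
        if printf '%s\n' "$listing" | forward_allows_new "$1" "$2"; then
            echo "$1 -> $2: may open new sessions"
        else
            echo "$1 -> $2: replies only, or blocked"
        fi
    done
}

case "${1:-sample}" in
    live)   report "$(iptables -S FORWARD)" ;;          # run as root on the access point
    sample) echo "== liberal fw-nat ==";  report "$OPEN_LISTING"
            echo "== guest isolation =="; report "$GUEST_LISTING" ;;
esac
```

Run with no argument it audits the two embedded listings; `live` feeds it the real chain, which needs root. The check deliberately ignores -s and -d matches and protocol restrictions, so it answers the coarse question only (can this pair open sessions at all); a pair reported as open may still be narrowed by address or port, which you then read off the listing by hand.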

See Also

  • Chapter 3
  • man 5 dhclient
  • dnsmasq.conf is a great help resource
  • dnsmasq home page (http://www.thekelleys.org.uk/dnsmasq/doc.html) is where you’ll find mailing list archives and excellent help documents
  • Chapter 24, “Managing Name Resolution,” in Linux Cookbook, by Carla Schroder (O’Reilly)
