Maintaining a Linux Wireless Access Point

In this fourth part of a five-part series on building a Linux wireless access point, you’ll learn about firewalling, routing, and more. This article is excerpted from chapter four of the Linux Networking Cookbook, written by Carla Schroder (O’Reilly; ISBN: 0596102488). Copyright © 2008 O’Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O’Reilly Media.

4.11 Connecting to the Internet and Firewalling 


It’s high time to finish up with these LAN chores and bring the Internet to your LAN. Your wireless is encrypted, your LAN services are working, and your users want Internet. So you’re ready to configure your WAN interface and build a nice stout iptables firewall.


Easy as pie. First, configure your WAN interface, then set up an iptables firewall. (See Chapter 3 to learn how to do these things.) You’ll need to make some simple changes to /usr/local/bin/fw-nat to enable traffic to flow across your bridge. Add these two lines:

  $ipt -A INPUT -p ALL -i $LAN_IFACE -s -j ACCEPT
  $ipt -A FORWARD -p ALL -i $LAN_IFACE -s -j ACCEPT

Use your own subnet, of course. Then, change the value of LAN_IFACE to br0:


Restart and test everything according to Chapter 3, and you are set.


Ethernet bridges join subnets into a single broadcast domain, with broadcast traffic going everywhere at once. A bridge is easy to set up and is transparent to your users. Your subnets function as a single network segment, so LAN services such as network printing, Samba servers, and Network Neighborhood work without any additional tweaking. You can move computers around without having to give them new addresses.

Bridging is inefficient because it generates more broadcast traffic. So, it doesn’t scale up very far. An Ethernet bridge operates at the data link layer (layer 2) of the OSI Model. It sees MAC addresses, but not IP addresses. Bridge traffic cannot be filtered with iptables; if you want to do this, use ebtables, which is designed for bridging firewalls.

Routing gives more control over your network segments; you can filter traffic any way you like. It’s more efficient than bridging because it’s not spewing broadcasts all over the place. Routing scales up indefinitely, as demonstrated by the existence of the Internet. Its main disadvantage in the LAN is it’s a bit more work to implement.

See Recipe 4.12 to learn how to use routing instead of bridging on your wireless access point.

See Also

  • Chapter 6

4.12 Using Routing Instead of Bridging


You would rather use routing between your two LAN segments instead of bridging because it gives better performance and more control. For example, you might set up a separate link just to give Internet access to visitors and easily keep them out of your network. Or, you want some separation and different sets of LAN services for each network segment. You know it’s a bit more work to set up, but that doesn’t bother you; you just want to know how to make it go.


The example access point in this chapter has three Ethernet interfaces: ath0, eth0, and eth1. Instead of bridging ath0 and eth0 to create the br0 LAN interface, ath0 and eth0 are going to be two separate LAN interfaces, and eth1 will still be the WAN interface. iptables will forward traffic between ath0 and eth0, and dnsmasq.conf will need some additional lines to handle the extra subnet.

This recipe assumes you are using either WPA-PSK or WPA-Enterprise with a separate RADIUS server. (See the previous recipes in this chapter to learn how to configure encryption and authentication.) You may create an open access point for testing by commenting out the two lines that control hostapd:

  auto lo
  iface lo inet loopback

  auto ath0
  iface ath0 inet static
          post-down wlanconfig ath0 destroy
          pre-up wlanconfig ath0 create wlandev wifi0 wlanmode ap
          pre-up iwconfig ath0 essid "alrac-net" channel 01 rate auto
          pre-up ifconfig ath0 up
          pre-up sleep 3
          up hostapd -B /etc/hostapd.conf
          post-down killall hostapd

  auto eth0
  iface eth0 inet static

  auto eth1
  iface eth1 inet static


  #default gateway

  #DNS server

  #assign static IP addresses

You’ll need to add a batch of iptables rules to your firewall script. See the Discussion for a complete example iptables firewall script.


This iptables example forwards all traffic freely between your two LAN segments, and makes name services available to all. This is a liberal configuration with no restrictions.

Remember that broadcast traffic does not cross routes, and some network protocols are nonroutable, such as Samba and other NetBIOS traffic. All routable traffic, such as SSH, ping, mail and web servers, and so forth, will travel between your subnets with no problems.

By routing between your wired and wireless network segments, your options are legion: limit the services available to either network segment, filter on individual hosts, do some fine-grained traffic shaping—anything you want to do is possible.

dnsmasq.conf uses RFC 2132 numbers to represent servers, so refer to it for a complete list. Some common servers are:


Time offset from UTC (Coordinated Universal Time). You’ll have to manually adjust this twice per year if you are afflicted with daylight saving time. But at least you’ll control everything from the server. For example, Pacific Standard Time is written as dhcp-option=2,-28800, which equals UTC -8 hours.

dhcp-option=3,[IP address]
   Send clients the default route. Use this when dnsmasq is not on the same box as your router.

dhcp-option=7,[IP address]
   Syslog server.

dhcp-option=33,wifi,[destination IP address,router address]
   Assign a static route to the “wifi” group. You may list as many routes as you want. Each route is defined by a pair of comma-separated IP addresses.

dhcp-option=40,[domain]
   NIS domain name.

dhcp-option=41,[IP address]
   NIS domain server.

dhcp-option=42,[IP address]
   NTP server.

dhcp-option=69,[IP address]
   SMTP server.

dhcp-option=70,[IP address]
   POP server.

dhcp-option=72,[IP address]
   HTTP server.

Because our LAN routes pass through an iptables firewall with a default DROP policy, permitted traffic must be explicitly accepted and forwarded.

If you followed Chapter 3 to build your iptables firewall, don’t forget you can use /etc/init.d/firewall stop|start|restart when you’re testing new rules.

Here is a complete example /usr/local/bin/fw-nat that gives the wired and wireless subnets nearly unlimited access to each other:

  #!/bin/sh
  #iptables firewall script for sharing a cable or DSL Internet
  #connection, with no public services

  #define variables
  #(ipt and mod hold the paths to the iptables and modprobe commands;
  #LAN_IFACE, WIFI_IFACE and WAN_IFACE name the three interfaces)

  #load kernel modules
  $mod ip_tables
  $mod iptable_filter
  $mod iptable_nat
  $mod ip_conntrack
  $mod ipt_LOG
  $mod ipt_limit
  $mod ipt_state
  $mod iptable_mangle
  $mod ipt_MASQUERADE
  $mod ip_nat_ftp
  $mod ip_nat_irc
  $mod ip_conntrack_ftp
  $mod ip_conntrack_irc

  # Flush all active rules and delete all custom chains
  $ipt -F
  $ipt -t nat -F
  $ipt -t mangle -F
  $ipt -X
  $ipt -t nat -X
  $ipt -t mangle -X

  #Set default policies
  $ipt -P INPUT DROP
  $ipt -t nat -P OUTPUT ACCEPT
  $ipt -t nat -P PREROUTING ACCEPT
  $ipt -t mangle -P PREROUTING ACCEPT
  $ipt -t mangle -P POSTROUTING ACCEPT

  #this line is necessary for the loopback interface
  #and internal socket-based services to work correctly
  $ipt -A INPUT -i lo -j ACCEPT

  #Allow incoming SSH from the wired LAN only to the gateway box
  #(-s takes your wired LAN subnet)
  $ipt -A INPUT -p tcp -i $LAN_IFACE -s --dport 22 \
    -m state --state NEW -j ACCEPT

  #Enable IP masquerading
  #(--to-source takes the public address of the WAN interface)
  $ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source

  #Enable unrestricted outgoing traffic; incoming traffic
  #is restricted to locally-initiated sessions only;
  #unrestricted between WIFI and LAN
  $ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  $ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state
  $ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state
  #$ipt -A FORWARD -i $LAN_IFACE -o $WIFI_IFACE -m state --state
  #$ipt -A FORWARD -i $WIFI_IFACE -o $LAN_IFACE -m state --state
  #$ipt -A FORWARD -i $WIFI_IFACE -o $WAN_IFACE -m state --state
  #$ipt -A FORWARD -i $WAN_IFACE -o $WIFI_IFACE -m state --state

  #Enable internal DHCP and DNS
  #(-s takes the subnet of the named interface)
  $ipt -A INPUT -p udp -i $LAN_IFACE -s --dport 53 -j ACCEPT
  $ipt -A INPUT -p tcp -i $LAN_IFACE -s --dport 53 -j ACCEPT
  $ipt -A INPUT -p udp -i $LAN_IFACE --dport 67 -j ACCEPT
  $ipt -A INPUT -p udp -i $WIFI_IFACE -s --dport 53 -j ACCEPT
  $ipt -A INPUT -p tcp -i $WIFI_IFACE -s --dport 53 -j ACCEPT
  $ipt -A INPUT -p udp -i $WIFI_IFACE --dport 67 -j ACCEPT

  #allow LAN to access router HTTP server
  $ipt -A INPUT -p tcp -i $LAN_IFACE --dport 443 -j ACCEPT
  $ipt -A INPUT -p tcp -i $WIFI_IFACE --dport 443 -j ACCEPT

  # Accept ICMP echo-request and time-exceeded
  $ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  $ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
  $ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

  #Reject connection attempts not initiated from inside the LAN
  $ipt -A INPUT -p tcp --syn -j DROP

  echo "The firewall has now started up and is faithfully protecting your system"
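
As an added example (not the book's code), here is a POSIX shell script that statically checks a fw-nat style script for the properties this recipe relies on: a default DROP on INPUT and FORWARD, WAN-ingress FORWARD rules limited to replies, no option left without a value (the `-s --dport 22` shape above), and no rule without a target. It assumes the recipe's own spelling ($ipt, $WAN_IFACE, $LAN_IFACE, one rule per line); the two sample scripts it writes are constructed for the demo.

```shell
#!/bin/sh
# check-fw-nat.sh: static sanity checks for a fw-nat style iptables script.
# Added example, not part of the recipe. Assumes the recipe's spelling:
# one rule per line, $ipt for iptables, $WAN_IFACE / $LAN_IFACE / $WIFI_IFACE.

# Print the script with comment lines removed.
active() { grep -Ev '^[[:space:]]*#' "$1"; }

# check_fw_nat FILE: print one finding per line; return 1 if any were found.
check_fw_nat() {
    f=$1; found=0; rule='^[[:space:]]*\$ipt[[:space:]]'
    # 1. INPUT and FORWARD must default to DROP, so a rule the script
    #    forgets means a dropped packet, not an open path.
    for chain in INPUT FORWARD; do
        active "$f" | grep -Eq "$rule+-P[[:space:]]+$chain[[:space:]]+DROP" \
            || { echo "policy: $chain default is not DROP"; found=1; }
    done
    # 2. A FORWARD rule entering from the WAN may only pass replies; a NEW
    #    from the WAN is an inbound connection into a LAN segment.
    n=$(active "$f" | grep -E "$rule.*-A FORWARD .*-i \\\$WAN_IFACE" \
        | grep -Ev -- '--state[[:space:]]+(ESTABLISHED|RELATED)(,(ESTABLISHED|RELATED))?([[:space:]]|$)' \
        | grep -c . || true)
    [ "$n" -eq 0 ] || { echo "forward: $n WAN-ingress rule(s) not limited to ESTABLISHED,RELATED"; found=1; }
    # 3. -s / -d / --to-source / --state with no value: the next token is
    #    taken as the value, so '-s --dport 22' becomes a bogus source address.
    n=$(active "$f" | grep -E -- '(-s|-d|--to-source|--state)([[:space:]]+-|[[:space:]]*$)' \
        | grep -c . || true)
    [ "$n" -eq 0 ] || { echo "syntax: $n option(s) with a missing value"; found=1; }
    # 4. Every -A rule needs a target; without -j it matches and does nothing.
    n=$(active "$f" | grep -E "$rule.*-A " | grep -v -- '-j ' | grep -c . || true)
    [ "$n" -eq 0 ] || { echo "target: $n rule(s) without -j"; found=1; }
    return $found
}

# write_samples DIR: two constructed scripts, DIR/good and DIR/bad, for a demo.
write_samples() {
    cat >"$1/good" <<'EOF'
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A INPUT -p tcp -i $LAN_IFACE -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT
EOF
    cat >"$1/bad" <<'EOF'
$ipt -P INPUT DROP
$ipt -A INPUT -p tcp -i $LAN_IFACE -s --dport 22 -m state --state NEW -j ACCEPT
$ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state
#$ipt -A FORWARD -i $WAN_IFACE -o $WIFI_IFACE -m state --state
EOF
}
```

Run it as `sh check-fw-nat.sh` after sourcing, e.g. `. ./check-fw-nat.sh; check_fw_nat /usr/local/bin/fw-nat`, before you restart the firewall with the init script.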

See Also

  • Chapter 3
  • man 5 dhclient
  • dnsmasq.conf is a great help resource
  • dnsmasq home page ( is where you’ll find mailing list archives and excellent help documents
  • Chapter 24, “Managing Name Resolution,” in Linux Cookbook, by Carla Schroder (O’Reilly)

4.13 Probing Your Wireless Interface Card


Your wireless interface card came in a colorful box and wads of multilanguage documentation. But none of it gives you the technical specs that you really want, such as supported channels, encryption protocols, modes, frequencies—you know, the useful information.


Both wlanconfig, which is part of the MadWiFi driver package, and iwlist, which is part of wireless-tools, will probe your wireless card and tell you what it can do, like this command that displays what protocols the card supports:

  pyramid:~# wlanconfig ath0 list caps

This means this is a nice modern card that supports all of the important encryption and authentication protocols, and it can serve as an access point.

This command shows all of the channels and frequencies the card supports:

  pyramid:~# wlanconfig ath0 list chan

Find out what kind of keys your card supports:

  pyramid:~# iwlist ath0 key

Which card functions are configurable:

  pyramid:~# iwlist ath0 event

This particular card supports variable transmission power rates:

  pyramid:~# iwlist ath0 txpower


What bit-rates are supported?

  pyramidwrap:~# iwlist ath0 rate

The iwconfig command shows the card’s current configuration:

  pyramidwrap:~# iwconfig ath0


What does this output mean?


It means this particular card supports WEP encryption, Temporal Key Integrity Protocol (TKIP), Advanced Encryption Standard with Counter Mode with CBC-MAC Protocol (AES and AES_CCM), can function as an Access Point, has variable transmission power, supports TKIP Message Identity Check, WPA/WPA2, frame bursting, and Wireless Media Extensions.

SHSLOT and SHPREAMBLE stand for “short slot” and “short preamble,” which have to do with faster transmission speeds. Matthew Gast’s 802.11 Wireless Networks: The Definitive Guide (O’Reilly) tells you all about these.

See Also

  • Pyramid Linux does not include manpages, so you should install the applications in this chapter on a PC to obtain them, or rely on Google
  • wlanconfig is part of MadWiFi-ng
  • man 8 iwlist
  • man 8 wlanconfig
  • 802.11 Wireless Networks: The Definitive Guide, by Matthew Gast (O’Reilly)

4.14 Changing the Pyramid Router’s Hostname


Pyramid is a nice name, but you really want to change it to something else. You tried editing /etc/hostname, but the name reset to Pyramid after reboot. Arg! How do you make it what you want?


The files listed in /etc/rw/ are mounted in a temporary writeable filesystem, and are copied from /etc/ro at boot. /etc/hostname is symlinked to /rw/etc/hostname:

  pyramid:~# ls -l /etc/hostname
  lrwxrwxrwx  1 root root 18 Oct 30 2006 /etc/hostname -> ../rw/etc/hostname

So, you can make /etc/hostname immutable (remove the symlink to /rw/etc/hostname), or edit /ro/etc/hostname.


The filesystem is set up this way to reduce writes, because Compact Flash supports a limited number of writes.

You can use find to see which files in /etc are symlinks:

  pyramid:~# find /etc -maxdepth 1 -type l -ls
  6051 0 lrwxrwxrwx 1 root 14 Oct  4  2006 /etc/mtab -> ../proc/
  6052 0 lrwxrwxrwx 1 root 21 Oct  4  2006 /etc/resolv.conf -> ../
  6079 0 lrwxrwxrwx 1 root 30 Dec 31  2006 /etc/localtime -> /usr/
  6081 0 lrwxrwxrwx 1 root 18 Oct  4  2006 /etc/hostname -> ../rw/
  6156 0 lrwxrwxrwx 1 root 15 Oct  4  2006 /etc/issue -> ../rw/
  6195 0 lrwxrwxrwx 1 root 17 Oct  4  2006 /etc/zebra -> ../usr/
  6227 0 lrwxrwxrwx 1 root 16 Oct  4  2006 /etc/resolv -> ../rw/
  6426 0 lrwxrwxrwx 1 root 19 Oct  4  2006 /etc/ -> ../
  6427 0 lrwxrwxrwx 1 root 17 Oct  4  2006 /etc/adjtime -> ../rw/

See Also

  • man 1 find
  • man 1 ls

Please check back for the conclusion to this series.
