La Fonera come repeater
a cura di Emix
Ultimo aggiornamento: 02/03/2007 01:15
Per utilizzare la fonera come repeater è necessario accederci via ssh per modificare alcuni file, perciò bisogna avviare il demone DropBear seguendo il tutorial La Fonera: dalla scatola a OpenWrt - Tutorial fino al punto 4.
I file necessari al nostro scopo sono: lo script ponte2 e il suo relativo file di configurazione ponte2.conf editati da Antonio Anselmi. http://www.blogin.it/fonera4.php
Attraverso i comandi
scp /tmp/ponte2 root@IP-FONERA:/etc/ponte2
scp /tmp/ponte2.conf root@IP-FONERA:/etc/ponte2.conf
copiamo i due file dal nostro pc nella cartella /etc della Fonera; a questo punto editiamo il file di configurazione con le informazioni che ci interessano e diamo un
chmod 755 /etc/ponte2
per renderlo eseguibile.
Eseguiamo lo script con
sh ponte2
e controlliamo che non ci siano errori.
Teniamo presente che la Fonera dispone di tre interfacce: una ethernet e due wireless
- ath0 - che farà da hot spot del segnale ricevuto
- ath1 - che farà da link all'access point che vogliamo agganciare
- eth0 - disabilitata nel file di configurazione ma, se attivata, in routing con ath0
Per utilizzare il supporto alla autenticazione WPA-PSK occorre scaricare wpa_supplicant e libopenssl reperibili nel repository ed installarli tramite
ipkg <nome file>
Se tutto è andato nel verso giusto la fonera dovrebbe avere un SSID <relay_APCOLLEGATO> che ci permetterà di collegarci alla rete dell'AP al quale ci siamo linkati.
Per avviare in automatico lo script creiamo con vi il file S70ponte in /etc/init.d
vi /etc/init.d/S70ponte
ci scriviamo dentro
/etc/ponte2 # the end
e diamo un
chmod 755 /etc/init.d/S70ponte
per renderlo eseguibile; ora ad ogni riavvio avremo il nostro repeater attivo.
file ponte2
# /etc/ponte2 - 20072802
#****************************************************************************
# beta-1 realease
# more about this script cab be found at: http://www.blogin.it/fonera4.php
# ansanto@interfree.it
#****************************************************************************
#----------------------------------------------------------------------------
# setup_env. Function that setups environment
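setup_env () {
  # Set the default values of all environment variables, open the log, load
  # /etc/ponte2.conf, stop the daemons that would interfere and flush netfilter.
  # Globals written: logDir, tmpDir, white_list, myself, logFile, oggi,
  #   IWCONFIG, IFCONFIG, WLANCONFIG, IWPRIV, NETFILTER, ROUTE, plus every
  #   name assigned in /etc/ponte2.conf
  # Exits: 1 when /etc/ponte2.conf is missing
  logDir=/var/log
  tmpDir=/tmp
  white_list=/etc/white_list.conf
  myself=$(basename "$0")
  logFile=$logDir/$myself.log
  oggi=$(date)
  IWCONFIG=/usr/sbin/iwconfig
  IFCONFIG=/sbin/ifconfig
  WLANCONFIG=/usr/sbin/wlanconfig
  IWPRIV=/usr/sbin/iwpriv
  NETFILTER=/usr/sbin/iptables
  ROUTE=/sbin/route
  rm -f /tmp/results
  #
  echo "$oggi: start" >> "$logFile"
  # The configuration file is *sourced*, i.e. executed as shell code by the
  # same (root) user that runs this script: it must stay writable by root only.
  if [ -f /etc/ponte2.conf ]; then
    . /etc/ponte2.conf
  else
    echo "/etc/ponte2.conf not found"
    echo "/etc/ponte2.conf not found" >> "$logFile"
    echo "stop and exit" >> "$logFile"
    exit 1
  fi
  # ip_forward is set to 1 by default in fonera configuration
  # echo 1 > /proc/sys/net/ipv4/ip_forward
  # stop daemons
  local web=httpd
  local cron=crond
  local dns=dnsmasq
  #if [ -n "$( pidof $web )" ]; then
  # kill $(pidof $web) > /dev/null
  #fi
  # pidof may list several PIDs, so the substitution is deliberately unquoted
  if [ -n "$(pidof "$cron")" ]; then
    kill $(pidof "$cron") > /dev/null
  fi
  if [ -n "$(pidof "$dns")" ]; then
    kill $(pidof "$dns") > /dev/null
  fi
  # udhcpc is usually not running yet; hide killall's complaint in that case
  killall -9 udhcpc > /dev/null 2>&1
  # flush netfilter tables. From here on the repeater does no packet filtering
  # at all (INPUT/OUTPUT/FORWARD policies are ACCEPT); std_routing only adds
  # NAT and port-forward rules on top of this.
  $NETFILTER -F
  $NETFILTER -P INPUT ACCEPT
  $NETFILTER -P OUTPUT ACCEPT
  $NETFILTER -P FORWARD ACCEPT
  $NETFILTER -t nat -F
  echo "netfilter tables flushed" >> "$logFile"
} # setup_env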
#-------------------------------------------------------------------------------
# hardening Function that sets some TCP/IP parameters
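hardening () {
  # Apply the TCP/IP sysctl settings below when khard=1 in /etc/ponte2.conf.
  # Globals read: khard, logFile
  # The unquoted test of the first version ("[ $khard == 1 ]") fails with a
  # syntax error when khard is unset; "=" is also the POSIX form.
  local iface
  if [ "$khard" = 1 ]; then
    # Disable tcp_sack support
    # NOTE(review): turning SACK and window scaling off mostly costs
    # throughput rather than adding protection -- confirm it is still wanted
    echo "0" > /proc/sys/net/ipv4/tcp_sack
    # Disable TCP window_scaling
    echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
    # Enable TCP SYN Cookie protection
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    # Per-interface settings. main destroys and re-creates ath0/ath1 after
    # this function runs; "default" is set here too, which is presumably what
    # the re-created VAPs pick up (confirm on the device).
    for iface in all lo eth0 ath0 ath1 default; do
      # Disable source routing
      echo "0" > /proc/sys/net/ipv4/conf/$iface/accept_source_route
      # No ICMP Redirect
      echo "0" > /proc/sys/net/ipv4/conf/$iface/accept_redirects
      # Enable IP spoofing protection (reverse path filter)
      echo "1" > /proc/sys/net/ipv4/conf/$iface/rp_filter
    done
    echo "fonera hardened" >> "$logFile"
  fi
} # hardening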
#-------------------------------------------------------------------------------
# logging. Function that logs Spoofed, Source Routed and Redirect packets
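logging () {
  # Turn on kernel logging of martian (spoofed / source-routed / redirected)
  # packets when klog=1 in /etc/ponte2.conf.
  # Globals read: klog, logFile
  # The first version had a stray "= 1" after each redirection, so echo wrote
  # the string "1 = 1" into every log_martians file instead of "1".
  local iface
  if [ "$klog" = 1 ]; then
    for iface in all lo eth0 ath0 ath1 default; do
      echo "1" > /proc/sys/net/ipv4/conf/$iface/log_martians
    done
    echo "logging malicyous packests activated" >> "$logFile"
  fi
} # logging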
#-------------------------------------------------------------------------------
# setup_ath0. Function that setup ath0 as an Access Point
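setup_ath0 () {
  # Configure ath0 as the Access Point our own clients connect to: optional
  # MAC allow-list, ESSID "relay_<ESSID ath1 joined>", optional WEP key and a
  # static address. Must run after setup_ath1, since it reads ath1's ESSID.
  # Globals read: whiteList, white_list, WepKeyAscii_ath0, IP_ath0, MASK_ath0,
  #   IWPRIV, IWCONFIG, IFCONFIG, logFile
  # Globals written: AP (the external AP's ESSID)
  local mac
  if [ "$whiteList" = 1 ]; then
    # madwifi ACL: maccmd 3 flushes the list, maccmd 1 accepts only the MACs
    # listed. This limits who may associate; it is not authentication.
    $IWPRIV ath0 maccmd 3
    $IWPRIV ath0 maccmd 1
    # one MAC address per line in $white_list (see ponte2.conf); blank lines
    # are skipped, a missing final newline is tolerated
    while read -r mac || [ -n "$mac" ]; do
      [ -n "$mac" ] || continue
      $IWPRIV ath0 addmac "$mac"
    done < "$white_list"
  fi
  # catch external AP ESSID from iwconfig's ESSID:"..." field rather than
  # from fixed character columns 32..(length-4) as the first version did
  # (that broke for any other output width). The ESSID is chosen by whoever
  # runs the external AP, so it is untrusted text: keep it quoted and do not
  # let echo interpret it. The /tmp/ponte_per scratch file is no longer written.
  AP=$($IWCONFIG ath1 | sed -n 's/.*ESSID:"\(.*\)".*/\1/p')
  $IWCONFIG ath0 essid "relay_$AP"
  printf '%s\n' "ath0 is relay for $AP" >> "$logFile"
  #
  if [ -n "$WepKeyAscii_ath0" ]; then
    # WEP is an obsolete cipher; it is the only option this script offers
    # for ath0, so at least keep the key itself out of the log file
    $IWCONFIG ath0 key "s:$WepKeyAscii_ath0"
    echo "ath0 WEP key: set" >> "$logFile"
  fi
  $IFCONFIG ath0 "$IP_ath0" netmask "$MASK_ath0" up
} # setup_ath0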
#-------------------------------------------------------------------------------
# setup_ath1. Function that setup ath1 as repeater
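setup_ath1 () {
  # Configure ath1 (the station that joins the external AP) according to
  # ath1_mode from /etc/ponte2.conf:
  #   1 = join the strongest AP and get an address from its DHCP server
  #   2 = target AP by SSID        3 = target AP by MAC
  #   4 = target AP via WPA-PSK    5 = target AP via WEP
  # Globals read: ath1_mode, TargetSsid, TargetMac, TargetWpa, WepKeyHex_ath1,
  #   WepKeyAscii_ath1, TargetWepSsid, TargetWepMac, IP_ath1, MASK_ath1, DFGW,
  #   NAMESERVER1, NAMESERVER2, IWCONFIG, IFCONFIG, ROUTE, logFile
  # Exits: 1 when mode 5 has no key or no target configured
  case "$ath1_mode" in
    2) # targeted external AP by SSID (quoted: an SSID may contain spaces)
      $IWCONFIG ath1 mode managed essid "$TargetSsid"
      echo "ath1 via SSID: $TargetSsid" >> "$logFile"
      ;;
    3) # targeted external AP by MAC
      $IWCONFIG ath1 mode managed ap "$TargetMac"
      echo "ath1 via MAC: $TargetMac" >> "$logFile"
      ;;
    4) # targeted external AP via WPA-PSK; the PSK lives in /etc/wpa_supplicant.conf
      $IWCONFIG ath1 mode managed essid "$TargetWpa"
      $IFCONFIG ath1 "$IP_ath1" netmask "$MASK_ath1" up
      # NOTE(review): without -B wpa_supplicant normally stays in the
      # foreground (and -d makes it verbose), which would hold up everything
      # after this line, setup_ath0 and std_routing included -- confirm on
      # the device before changing it.
      wpa_supplicant -iath1 -c/etc/wpa_supplicant.conf -d
      echo "ath1 interface via WPA PSK" >> "$logFile"
      ;;
    5) # targeted external AP via WEP
      # which kind of key: a hex key takes precedence over an ASCII one
      if [ -n "$WepKeyHex_ath1" ]; then
        $IWCONFIG ath1 key "$WepKeyHex_ath1"
      elif [ -n "$WepKeyAscii_ath1" ]; then
        $IWCONFIG ath1 key "s:$WepKeyAscii_ath1"
      else
        echo "error: WEP key not configured" >> "$logFile"
        exit 1
      fi
      # target we look for: SSID takes precedence over MAC
      if [ -n "$TargetWepSsid" ]; then
        $IWCONFIG ath1 mode managed essid "$TargetWepSsid"
      elif [ -n "$TargetWepMac" ]; then
        $IWCONFIG ath1 mode managed ap "$TargetWepMac"
      else
        echo "error: no target AP for WEP" >> "$logFile"
        exit 1
      fi
      echo "ath1 interface via WEP" >> "$logFile"
      ;;
  esac
  # IP config for ath1
  if [ "$ath1_mode" = 1 ]; then
    # simply discover strongest external AP + dynamic IP configuration.
    # The upstream AP is chosen purely by signal strength, so it is not under
    # the operator's control, and its DHCP server hands this repeater its
    # default gateway and name servers.
    /sbin/udhcpc -i ath1 >> "$logFile"
    # the first version used "external AP " as the awk *pattern*, so the label
    # was never printed; print it together with the ESSID field
    $IWCONFIG ath1 | grep ESSID | awk '{print "external AP " $4}' >> "$logFile"
    echo "ath1 interface via external dhcp" >> "$logFile"
  else
    # static IP configuration
    $IFCONFIG ath1 "$IP_ath1" netmask "$MASK_ath1" up
    $ROUTE del default
    $ROUTE add default gw "$DFGW"
    echo "nameserver " "$NAMESERVER1" > /etc/resolv.conf
    echo "nameserver " "$NAMESERVER2" >> /etc/resolv.conf
  fi
} # setup_ath1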
#-------------------------------------------------------------------------------
# setup_eth0. Function that setup eth0 (wired lan)
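setup_eth0 () {
  # Bring up the wired interface eth0 with a static address when keth0=1 and
  # masquerade whatever leaves through it (the tutorial's "eth0 in routing
  # con ath0").
  # Globals read: keth0, IP_eth0, MASK_eth0, IFCONFIG, NETFILTER, logFile
  if [ "$keth0" = 1 ]; then
    $IFCONFIG eth0 "$IP_eth0" netmask "$MASK_eth0" up
    $NETFILTER -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    echo "eth0 interface: $IP_eth0/$MASK_eth0" >> "$logFile"
  fi
} # setup_eth0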
#-------------------------------------------------------------------------------
# std_routing. Standard routing
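std_routing () {
  # NAT every client (ath0, and eth0 when enabled) behind ath1's address, plus
  # optional inbound port forwards for one BitTorrent and/or one xMule client.
  # Globals read: btorrent, IP_client_btorrent, xmule, IP_client_xmule, NETFILTER
  # Each DNAT below exposes that client's port to the whole network on ath1,
  # and setup_env left the FORWARD policy at ACCEPT, so nothing else filters
  # what comes in through these forwards.
  local pt
  if [ "$btorrent" = 1 ]; then
    for pt in 6890 6891 6892 6893 6894 6895 6896 6897 6898 6899; do
      $NETFILTER -t nat -A PREROUTING -i ath1 -p tcp --dport "$pt" -j DNAT --to "$IP_client_btorrent:$pt"
    done
  fi
  if [ "$xmule" = 1 ]; then
    # presumably to make room for the many P2P flows in the conntrack table
    echo "32752" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
    $NETFILTER -t nat -A PREROUTING -i ath1 -p tcp --dport 4662 -j DNAT --to "$IP_client_xmule:4662"
    $NETFILTER -t nat -A PREROUTING -i ath1 -p udp --dport 4672 -j DNAT --to "$IP_client_xmule:4672"
  fi
  $NETFILTER -t nat -A POSTROUTING -o ath1 -j MASQUERADE
} # std_routing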
# main
#-------------------------------------------------------------------------------
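# Everything above is only definitions; this sequence is what actually runs,
# either interactively ("sh ponte2") or from /etc/init.d/S70ponte at boot.
clear
setup_env      # paths, log file, /etc/ponte2.conf, stop daemons, flush netfilter
hardening      # optional sysctl hardening (khard=1)
logging        # optional martian logging (klog=1)
# destroy VAPs devices
$WLANCONFIG ath0 destroy
$WLANCONFIG ath1 destroy
# bring up first (!) VAP ath0 as Access Point
$WLANCONFIG ath0 create wlandev wifi0 wlanmode ap
# bring up VAP ath1 as station managed (no hardware beacon timers)
$WLANCONFIG ath1 create wlandev wifi0 wlanmode sta nosbeacon
# setup Wireless Lans: ath1 first, because setup_ath0 derives ath0's
# "relay_<ESSID>" name from the AP that ath1 joined
setup_ath1
setup_ath0
# basic netfilter rules (NAT towards ath1, optional port forwards)
std_routing
# setup Ethernet Lan
setup_eth0
# bring up DHCP (dnsmasq reads /etc/dnsmasq.conf)
if [ "$kdhcp" = 1 ]; then
  /usr/sbin/dnsmasq
fi
# show results; when started from /etc/init.d at boot there is no terminal,
# so clear/more only matter for interactive runs
clear
$IWCONFIG > /tmp/results
$IFCONFIG >> /tmp/results
clear
more /tmp/results
exit 0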
# have fun!
file ponte2.conf
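# /etc/ponte2.conf 20072802
#
# This file is sourced by /etc/ponte2 (". /etc/ponte2.conf"), i.e. it is
# executed as shell code by root: keep it valid sh and writable by root only.
# When WEP is used the keys are stored here in clear, so keep it readable by
# root only as well.
#
# NO SPACE BETWEEN = AND VALUE
# parameter = value <---- WRONG way
# parameter=value <---- RIGHT way
#
#---------------------------------
# hardening some TCP/IP parameters
#---------------------------------
#khard=1
khard=0
#
#----------------------------------
# logging malicious TCP/IP packets
#----------------------------------
#klog=1
klog=0
#
# ------------
# DHCP service
# ------------
# If you want a dynamic IP configuration for WiFi/wired
# ifaces of your pc, use dnsmasq as DHCPD on ath0 and/or eth0
# Remember: you must edit /etc/dnsmasq.conf
#kdhcp=1
kdhcp=0
#
#--------------------------------
# configuring ath0 interface (AP)
#--------------------------------
# white_list
# you must create the file /etc/white_list.conf with
# ONLY one mac address allowed per line
#whiteList=1
whiteList=0
#
# if you want WEP auth on ath0 insert ASCII key
#WepKeyAscii_ath0=
#
# IP configuration for ath0
# wifi iface of your pc must be in this subnet
IP_ath0=192.168.10.1
MASK_ath0=255.255.255.0
#
#-------------------------------------
# configuring ath1 interface (station)
#-------------------------------------
# discovering stronger external AP and his dhcpd
#ath1_mode=1
#
# targeted external AP by SSID
ath1_mode=2
#TargetSsid=outdoor-net
TargetSsid=Cinigiano-wireless-network
#
# targeted external AP by MAC
#ath1_mode=3
#TargetMac=aa:bb:cc:dd:ee:ff
#
# targeted external AP via WPA-PSK (WPA personal)
# need /etc/wpa_supplicant.conf !
#ath1_mode=4
#TargetWpa=reteprotetta
#
# targeted external AP via WEP
#ath1_mode=5
# key hex or ASCII
#WepKeyHex_ath1=
#WepKeyAscii_ath1=
# target SSID or MAC
#TargetWepSsid=
#TargetWepMac=
#
#--------------------------
# static IP config for ath1
#--------------------------
IP_ath1=192.168.1.10
MASK_ath1=255.255.255.0
# default gateway
DFGW=192.168.1.1
# name servers
NAMESERVER1=151.99.125.2
NAMESERVER2=159.213.32.232
#
#---------------------------------------
# configuring eth0 interface (wired lan)
#---------------------------------------
#keth0=0
keth0=1
IP_eth0=192.168.10.2
MASK_eth0=255.255.255.0
#
#--------------------------
# port forwarding for xMule
#--------------------------
#xmule=1
#IP_client_xmule=192.168.10.20
xmule=0
#
#btorrent=1
#IP_client_btorrent=192.168.10.20
btorrent=0
#
# the end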






