
Tutorial_Fonera_Script_Repeater

La Fonera as a repeater


by Emix

Last updated: 02/03/2007 01:15


To use the Fonera as a repeater you need to log in over ssh and edit a few files, so first start the DropBear daemon by following the tutorial La Fonera: dalla scatola a OpenWrt - Tutorial (La Fonera: from the box to OpenWrt) up to step 4.

The files we need are the ponte2 script and its configuration file ponte2.conf, written by Antonio Anselmi: http://www.blogin.it/fonera4.php

With the commands

scp /tmp/ponte2 root@IP-FONERA:/etc/ponte2
scp /tmp/ponte2.conf root@IP-FONERA:/etc/ponte2.conf

we copy the two files from our PC into the Fonera's /etc directory. Then edit the configuration file with the settings we need and run

chmod 755 /etc/ponte2

to make it executable.

Run the script (from /etc, where it was copied) with

sh ponte2

and check that no errors are reported.

Keep in mind that the Fonera has three interfaces, one Ethernet and two wireless:

  • ath0 - acts as the hot spot that rebroadcasts the received signal
  • ath1 - acts as the link to the access point we want to connect to
  • eth0 - disabled in the configuration file, but when enabled it is routed together with ath0

To use WPA-PSK authentication you need to download wpa_supplicant and libopenssl from the repository and install them with

ipkg <nome file>

If everything went well, the Fonera should now advertise an SSID of the form relay_<SSID of the linked AP> (the script prefixes the ESSID it finds on ath1 with relay_), which lets us connect to the network of the AP we linked to.

To start the script automatically at boot, create the file S70ponte in /etc/init.d with vi

vi /etc/init.d/S70ponte

and write in it

/etc/ponte2
# the end

and run

chmod 755 /etc/init.d/S70ponte

to make it executable. From now on the repeater will be active at every reboot.


file ponte2

# /etc/ponte2 - 20072802
#****************************************************************************
# beta-1 release
# more about this script can be found at: http://www.blogin.it/fonera4.php
# ansanto@interfree.it
#****************************************************************************

#----------------------------------------------------------------------------
# setup_env.  Function that setups environment 
setup_env () {
# Set the default values of all environment variables here
logDir=/var/log
tmpDir=/tmp
white_list=/etc/white_list.conf
myself=`basename $0`
logFile=$logDir/$myself.log
oggi=$(date)
IWCONFIG=/usr/sbin/iwconfig
IFCONFIG=/sbin/ifconfig
WLANCONFIG=/usr/sbin/wlanconfig
IWPRIV=/usr/sbin/iwpriv
NETFILTER=/usr/sbin/iptables
ROUTE=/sbin/route
rm -f /tmp/results
#
echo "$oggi: start" >> $logFile
if [ -f /etc/ponte2.conf ]; then
        . /etc/ponte2.conf
else
        echo "/etc/ponte2.conf not found"
        echo "/etc/ponte2.conf not found" >> $logFile
        echo "stop and exit" >> $logFile
        exit 1
fi

# ip_forward is set to 1 by default in fonera configuration
# echo 1 > /proc/sys/net/ipv4/ip_forward

# stop daemons
local web=httpd
local cron=crond
local dns=dnsmasq
#if [ ! -z "$( pidof $web )" ]; then
#  kill $(pidof $web) > /dev/null
#fi
if [ ! -z "$( pidof $cron )" ]; then
  kill $(pidof $cron) > /dev/null
fi
if [ ! -z "$( pidof $dns )" ]; then
  kill $(pidof $dns) > /dev/null
fi
# udhcpc may not be running: silence the "no process killed" message too
killall -9 udhcpc > /dev/null 2>&1

# flush_netfilter tables
$NETFILTER -F
$NETFILTER -P INPUT ACCEPT
$NETFILTER -P OUTPUT ACCEPT
$NETFILTER -P FORWARD ACCEPT
$NETFILTER -t nat -F
echo "netfilter tables flushed" >> $logFile
} # setup_env


#-------------------------------------------------------------------------------
# hardening Function that sets some TCP/IP parameters
hardening () {
if [ "$khard" = 1 ]; then
  # Disable tcp_sack support
  echo "0" > /proc/sys/net/ipv4/tcp_sack
  # Disable TCP window_scaling
  echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
  # Disable source routing
  echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
  echo "0" > /proc/sys/net/ipv4/conf/lo/accept_source_route
  echo "0" > /proc/sys/net/ipv4/conf/eth0/accept_source_route
  echo "0" > /proc/sys/net/ipv4/conf/ath0/accept_source_route
  echo "0" > /proc/sys/net/ipv4/conf/ath1/accept_source_route
  echo "0" > /proc/sys/net/ipv4/conf/default/accept_source_route
  # Enable TCP SYN Cookie protection
  echo "1" > /proc/sys/net/ipv4/tcp_syncookies
  # No ICMP Redirect
  echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
  echo "0" > /proc/sys/net/ipv4/conf/lo/accept_redirects
  echo "0" > /proc/sys/net/ipv4/conf/eth0/accept_redirects
  echo "0" > /proc/sys/net/ipv4/conf/ath0/accept_redirects
  echo "0" > /proc/sys/net/ipv4/conf/ath1/accept_redirects
  echo "0" > /proc/sys/net/ipv4/conf/default/accept_redirects
  # Enable IP spoofing protection 
  echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
  echo "1" > /proc/sys/net/ipv4/conf/lo/rp_filter
  echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter
  echo "1" > /proc/sys/net/ipv4/conf/ath0/rp_filter
  echo "1" > /proc/sys/net/ipv4/conf/ath1/rp_filter
  echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter
  echo "fonera hardened" >> $logFile
fi  
} # hardening


#-------------------------------------------------------------------------------
# logging. Function that logs Spoofed, Source Routed and Redirect packets
logging () {
if [ "$klog" = 1 ]; then
  # only the value "1" must be written: a trailing "= 1" would be written
  # into the proc file as well and the kernel rejects it
  echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
  echo "1" > /proc/sys/net/ipv4/conf/lo/log_martians
  echo "1" > /proc/sys/net/ipv4/conf/eth0/log_martians
  echo "1" > /proc/sys/net/ipv4/conf/ath0/log_martians
  echo "1" > /proc/sys/net/ipv4/conf/ath1/log_martians
  echo "1" > /proc/sys/net/ipv4/conf/default/log_martians
  echo "logging malicious packets activated" >> $logFile
fi
} # logging


#-------------------------------------------------------------------------------
# setup_ath0. Function that setup ath0 as an Access Point
setup_ath0 () {
if [ "$whiteList" = 1 ]; then
  # flush the ACL, switch ath0 to allow-list mode, then add each listed MAC
  $IWPRIV ath0 maccmd 3
  $IWPRIV ath0 maccmd 1
  for i in $(cat $white_list); do
    $IWPRIV ath0 addmac $i
  done
fi
# catch external AP ESSID: the text between the quotes after ESSID:
# (instead of cutting at a fixed column, which breaks with other SSID lengths)
AP=$($IWCONFIG ath1 | sed -n 's/.*ESSID:"\([^"]*\)".*/\1/p')

$IWCONFIG ath0 essid "relay_$AP"
echo "ath0 is relay for $AP" >> $logFile
#
if [ -n "$WepKeyAscii_ath0" ]; then
  $IWCONFIG ath0 key "s:$WepKeyAscii_ath0"
  # record that a key was set, but do not copy the key itself into the log
  echo "ath0 WEP key set" >> $logFile
fi
$IFCONFIG ath0 $IP_ath0 netmask $MASK_ath0 up
} # setup_ath0


#-------------------------------------------------------------------------------
# setup_ath1. Function that setup ath1 as repeater
setup_ath1 () {
  case $ath1_mode in
  
  2) #targeted external AP by SSID
  $IWCONFIG ath1 mode managed essid "$TargetSsid"
  echo "ath1 via SSID: $TargetSsid" >> $logFile
  ;;

  3) #targeted external AP by MAC
  $IWCONFIG ath1 mode managed ap "$TargetMac"
  echo "ath1 via MAC: $TargetMac" >> $logFile
  ;;

  4) #targeted external AP via WPA-PSK
  $IWCONFIG ath1 mode managed essid "$TargetWpa"
  $IFCONFIG ath1 $IP_ath1 netmask $MASK_ath1 up
  # -B: run in the background, otherwise the script blocks here
  wpa_supplicant -B -iath1 -c/etc/wpa_supplicant.conf
  echo "ath1 interface via WPA PSK" >> $logFile
  ;;

  5) #targeted external AP via WEP
  # what kind of key
  if [ -n "$WepKeyHex_ath1" ]; then
    $IWCONFIG ath1 key "$WepKeyHex_ath1"
  elif [ -n "$WepKeyAscii_ath1" ]; then
    $IWCONFIG ath1 key "s:$WepKeyAscii_ath1"
  else
    echo "error: WEP key not configured" >> $logFile
    exit 1
  fi
  # target we look for
  if [ -n "$TargetWepSsid" ]; then
    $IWCONFIG ath1 mode managed essid "$TargetWepSsid"
  elif [ -n "$TargetWepMac" ]; then
    $IWCONFIG ath1 mode managed ap "$TargetWepMac"
  else
    echo "error: no target AP for WEP" >> $logFile
    exit 1
  fi
  echo "ath1 interface via WEP" >> $logFile
  ;;
  
esac

# IP config for ath1
if [ "$ath1_mode" = 1 ]; then
  #simply discover strongest external AP + dynamic IP configuration
  /sbin/udhcpc -i ath1 >> $logFile
  # log the ESSID field of the iwconfig line as "external AP <field>"
  $IWCONFIG ath1 | grep ESSID | awk '{print "external AP " $4}' >> $logFile
  echo "ath1 interface via external dhcp" >> $logFile
else
  # static IP configuration
  $IFCONFIG ath1 $IP_ath1 netmask $MASK_ath1 up
  $ROUTE del default
  $ROUTE add default gw $DFGW
  echo "nameserver $NAMESERVER1"  > /etc/resolv.conf
  echo "nameserver $NAMESERVER2" >> /etc/resolv.conf
fi
} # setup_ath1


#-------------------------------------------------------------------------------
# setup_eth0. Function that setup eth0 (wired lan)
setup_eth0 () {
if [ "$keth0" = 1 ]; then
  $IFCONFIG eth0 $IP_eth0 netmask $MASK_eth0 up
  $NETFILTER -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  echo "eth0 interface: "$IP_eth0/$MASK_eth0 >> $logFile
fi
} # setup_eth0


#-------------------------------------------------------------------------------
# std_routing. Standard routing
std_routing () {
# forwarding between the subnets
if [ "$btorrent" = 1 ]; then
  BTports="6890 6891 6892 6893 6894 6895 6896 6897 6898 6899"
  for pt in $BTports; do
    $NETFILTER -t nat -A PREROUTING -i ath1 -p tcp --dport $pt -j DNAT --to $IP_client_btorrent:$pt
  done
fi
if [ "$xmule" = 1 ]; then
  echo "32752" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
  $NETFILTER -t nat -A PREROUTING -i ath1 -p tcp --dport 4662 -j DNAT --to $IP_client_xmule:4662
  $NETFILTER -t nat -A PREROUTING -i ath1 -p udp --dport 4672 -j DNAT --to $IP_client_xmule:4672
fi
$NETFILTER -t nat -A POSTROUTING -o ath1 -j MASQUERADE
} # std_routing


# main
#-------------------------------------------------------------------------------
clear
setup_env
hardening
logging
# destroy VAPs devices
$WLANCONFIG ath0 destroy
$WLANCONFIG ath1 destroy

# bring up first (!) VAP ath0 as Access Point
$WLANCONFIG ath0 create wlandev wifi0 wlanmode ap
# bring up VAP ath1 as station managed (no hardware beacon timers)
$WLANCONFIG ath1 create wlandev wifi0 wlanmode sta nosbeacon

# setup Wireless Lans
setup_ath1
setup_ath0

# basic netfilter rules 
std_routing

# setup Ethernet Lan
setup_eth0

# bring up DHCP
if [ "$kdhcp" = 1 ]; then
  /usr/sbin/dnsmasq
fi

# show results
clear
$IWCONFIG > /tmp/results
$IFCONFIG >> /tmp/results
clear
more /tmp/results
exit 0

# have fun!

file ponte2.conf

# /etc/ponte2.conf 20072802
# NO SPACE BETWEEN = AND VALUE
# parameter = value <---- WRONG way
# parameter=value   <---- RIGHT way
#
#---------------------------------
# hardening some TCP/IP parameters
#---------------------------------
#khard=1
khard=0
#
#----------------------------------
# logging malicious TCP/IP packets
#----------------------------------
#klog=1
klog=0
#
# ------------
# DHCP service
# ------------
# If you want a dynamic IP configuration for WiFi/wired 
# ifaces of your pc, use dnsmasq as DHCPD on ath0 and/or eth0
# Remember: you must edit /etc/dnsmasq.conf 
#kdhcp=1
kdhcp=0
#
#--------------------------------
# configuring ath0 interface (AP)
#--------------------------------
# white_list
# you must create the file /etc/white_list.conf with
# ONLY one mac address allowed per line
#whiteList=1
whiteList=0
# 
# if you want WEP auth on ath0 insert ASCII key
#WepKeyAscii_ath0=
#
# IP configuration for ath0
# wifi iface of your pc must be in this subnet
IP_ath0=192.168.10.1
MASK_ath0=255.255.255.0
#
#-------------------------------------
# configuring ath1 interface (station)
#-------------------------------------
# discovering the strongest external AP and its dhcpd
#ath1_mode=1 
#
# targeted external AP by SSID
ath1_mode=2
#TargetSsid=outdoor-net
TargetSsid=Cinigiano-wireless-network
#
# targeted external AP by MAC
#ath1_mode=3
#TargetMac=aa:bb:cc:dd:ee:ff
#
# targeted external AP via WPA-PSK (WPA personal)
# need /etc/wpa_supplicant.conf !
#ath1_mode=4
#TargetWpa=reteprotetta 
#
# targeted external AP via WEP
#ath1_mode=5 
# key hex or ASCII
#WepKeyHex_ath1=
#WepKeyAscii_ath1=
# target SSID or MAC
#TargetWepSsid=
#TargetWepMac=
#
#--------------------------
# static IP config for ath1
#--------------------------
IP_ath1=192.168.1.10
MASK_ath1=255.255.255.0
# default gateway
DFGW=192.168.1.1
# name servers
NAMESERVER1=151.99.125.2
NAMESERVER2=159.213.32.232
#
#---------------------------------------
# configuring eth0 interface (wired lan)
#---------------------------------------
#keth0=0
keth0=1
IP_eth0=192.168.10.2
MASK_eth0=255.255.255.0
#
#--------------------------
# port forwarding for xMule
#--------------------------
#xmule=1
#IP_client_xmule=192.168.10.20
xmule=0
#
#btorrent=1
#IP_client_btorrent=192.168.10.20
btorrent=0
#
# the end
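As an added example (not part of the ponte2 script or of the original page), a small POSIX sh checker for ponte2.conf and white_list.conf that catches the mistakes the page warns about, spaces around "=" and an ath1_mode without its target or static addresses, before the repeater is brought up. The names check_conf, val and write_sample are chosen here, and the sample configuration it writes is constructed.

```shell
#!/bin/sh
# Added example (not part of ponte2): check a ponte2.conf for the mistakes the
# script does not catch before it brings the interfaces up. Values are read
# with sed, so the file is never executed. The sample config is constructed.

# val FILE NAME -> last uncommented "NAME=value" assignment in FILE (may be empty)
val() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# check_conf FILE [WHITE_LIST] -> prints one line per problem and returns the
# number of problems found (0 means the config looks usable)
check_conf() {
    conf="$1"; wl="${2:-/etc/white_list.conf}"; errors=0
    fail() { echo "$conf: $1"; errors=$((errors + 1)); }
    [ -r "$conf" ] || { fail "not readable"; return 1; }
    # "parameter = value" is not an assignment in sh: the value is silently lost
    if grep -Eq '^[A-Za-z_][A-Za-z0-9_]*([[:space:]]+=|=[[:space:]]+)' "$conf"; then
        fail "space around '=' in an assignment"
    fi
    mode=$(val "$conf" ath1_mode)
    case "$mode" in
      1) ;;   # DHCP from the strongest AP, nothing else required
      2) [ -n "$(val "$conf" TargetSsid)" ] || fail "ath1_mode=2 needs TargetSsid" ;;
      3) [ -n "$(val "$conf" TargetMac)" ]  || fail "ath1_mode=3 needs TargetMac" ;;
      4) [ -n "$(val "$conf" TargetWpa)" ]  || fail "ath1_mode=4 needs TargetWpa" ;;
      5) [ -n "$(val "$conf" WepKeyHex_ath1)$(val "$conf" WepKeyAscii_ath1)" ] \
            || fail "ath1_mode=5 needs WepKeyHex_ath1 or WepKeyAscii_ath1"
         [ -n "$(val "$conf" TargetWepSsid)$(val "$conf" TargetWepMac)" ] \
            || fail "ath1_mode=5 needs TargetWepSsid or TargetWepMac" ;;
      *) fail "ath1_mode must be 1-5 (got '$mode')" ;;
    esac
    # modes 2-5 use the static block: without these ath1 has no address or route
    if [ "$mode" != 1 ]; then
        for v in IP_ath1 MASK_ath1 DFGW; do
            [ -n "$(val "$conf" "$v")" ] || fail "static ath1 config needs $v"
        done
    fi
    # whiteList=1 makes setup_ath0 read the list file: one MAC per line, nothing else
    if [ "$(val "$conf" whiteList)" = 1 ]; then
        if [ ! -r "$wl" ]; then fail "whiteList=1 but $wl is missing"
        elif grep -Evq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' "$wl"; then
            fail "$wl has a line that is not a single MAC address"
        fi
    fi
    return "$errors"
}

# Constructed sample: two mistakes, "klog = 0" and an empty TargetSsid for mode 2
write_sample() { printf '%s\n' 'klog = 0' 'ath1_mode=2' 'TargetSsid=' \
    'IP_ath1=192.168.1.10' 'MASK_ath1=255.255.255.0' 'DFGW=192.168.1.1' > "$1"; }
f=$(mktemp); write_sample "$f"; check_conf "$f" || echo "$? problem(s)"; rm -f "$f"
```

Run it as `check_conf /etc/ponte2.conf /etc/white_list.conf` on the Fonera before `sh ponte2`; a non-zero return means the script would come up with a missing target, address or key.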