== La Fonera come repeater ==
a cura di Emix
Ultimo aggiornamento: 02/03/2007 01:15
----
Per utilizzare la fonera come repeater è necessario accederci via ssh per modificare alcuni file, perciò bisogna avviare il demone !DropBear seguendo il tutorial [[LaFoneraDallaScatolaAOpenWrt|La Fonera: dalla scatola a OpenWrt - Tutorial]] fino al punto 4.

I file necessari al nostro scopo sono: lo script ''ponte2'' e il suo relativo file di configurazione ''ponte2.conf'' editati da Antonio Anselmi. http://www.blogin.it/fonera4.php

Attraverso i comandi
{{{
scp /tmp/ponte2 root@IP-FONERA:/etc/ponte2
scp /tmp/ponte2.conf root@IP-FONERA:/etc/ponte2.conf
}}}
copiamo i due file dal nostro pc nella cartella /etc della Fonera; a questo punto editiamo il file di configurazione con le informazioni che ci interessano e diamo un
{{{
chmod 755 /etc/ponte2
}}}
per renderlo eseguibile.

Eseguiamo lo script con
{{{
sh ponte2
}}}
e controlliamo che non ci siano errori.

Teniamo presente che la Fonera dispone di tre interfacce, una ethernet e due wireless:
* ath0 - che farà da hot spot del segnale ricevuto
* ath1 - che farà da link all'access point che vogliamo agganciare
* eth0 - disabilitata nel file di configurazione ma, se attiva, in routing con ath0

Per utilizzare il supporto alla autenticazione WPA-PSK occorre scaricare wpa_supplicant e libopenssl, reperibili nel repository, ed installarli tramite
{{{
ipkg
}}}

Se tutto è andato nel verso giusto la fonera dovrebbe avere un SSID che ci permetterà di collegarci alla rete dell'AP al quale ci siamo linkati.

Per avviare in automatico lo script creiamo con vi il file S70ponte in /etc/init.d
{{{
vi /etc/init.d/S70ponte
}}}
ci scriviamo dentro
{{{
#!/bin/sh
/etc/ponte2
# the end
}}}
e diamo un
{{{
chmod 755 /etc/init.d/S70ponte
}}}
per renderlo eseguibile; ora ad ogni riavvio avremo il nostro repeater attivo.
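---- file '''ponte2''' {{{
#!/bin/sh
# /etc/ponte2 - 20072802
#****************************************************************************
# beta-1 release
# more about this script can be found at: http://www.blogin.it/fonera4.php
# ansanto@interfree.it
#****************************************************************************
# Turns a La Fonera into a wireless repeater:
#   ath1 joins an external AP (station mode, see ath1_mode in the config)
#   ath0 re-broadcasts it as an AP named "relay_<external ESSID>"
#   eth0 (optional) brings the wired LAN into the same routing
#   traffic leaving through ath1 (and eth0, if enabled) is masqueraded
# All settings are read from /etc/ponte2.conf, which is sourced as shell.
# The script runs as root at boot (from /etc/init.d/S70ponte); it is written
# for busybox /bin/sh, so no bash-only syntax is used.

# Interfaces whose per-interface sysctl knobs are written by hardening and
# logging. "default" is included so VAPs created later inherit the values.
SYSCTL_IFACES="all lo eth0 ath0 ath1 default"

#----------------------------------------------------------------------------
# log. Append one line to the script log file ($logFile, set by setup_env).
# Arguments: $* - message
log () {
  printf '%s\n' "$*" >> "$logFile"
}

#----------------------------------------------------------------------------
# set_sysctl. Write a value to /proc/sys/net/ipv4/conf/<iface>/<key> for
# every interface in SYSCTL_IFACES. Interfaces that do not exist (yet) are
# skipped; they pick up the "default" entry when they are created.
# Arguments: $1 - key (e.g. rp_filter), $2 - value to write
set_sysctl () {
  local key=$1
  local value=$2
  local ifc
  local f
  # SYSCTL_IFACES is intentionally unquoted: it is a space separated list
  for ifc in $SYSCTL_IFACES; do
    f=/proc/sys/net/ipv4/conf/$ifc/$key
    [ -e "$f" ] && echo "$value" > "$f"
  done
}

#----------------------------------------------------------------------------
# stop_daemon. Kill every process with the given name, if any is running.
# Arguments: $1 - process name as known to pidof
stop_daemon () {
  local pids
  pids=$(pidof "$1")
  if [ -n "$pids" ]; then
    # $pids is unquoted on purpose: pidof may return several space separated pids
    kill $pids > /dev/null
  fi
}

#----------------------------------------------------------------------------
# setup_env. Function that sets up the environment: tool paths, log file,
# the configuration (sourced from /etc/ponte2.conf), stops the daemons that
# would interfere and flushes the netfilter tables.
# Exits with status 1 when /etc/ponte2.conf is missing.
setup_env () {
  # Set the default values of all environment variables here
  logDir=/var/log
  tmpDir=/tmp
  white_list=/etc/white_list.conf
  myself=$(basename "$0")
  logFile=$logDir/$myself.log
  oggi=$(date)
  IWCONFIG=/usr/sbin/iwconfig
  IFCONFIG=/sbin/ifconfig
  WLANCONFIG=/usr/sbin/wlanconfig
  IWPRIV=/usr/sbin/iwpriv
  NETFILTER=/usr/sbin/iptables
  ROUTE=/sbin/route
  rm -f /tmp/results
  #
  # log "$oggi: start"
  if [ -f /etc/ponte2.conf ]; then
    # the config file is executed as shell with root privileges:
    # keep it owned and writable by root only
    . /etc/ponte2.conf
  else
    echo "/etc/ponte2.conf not found"
    log "/etc/ponte2.conf not found"
    log "stop and exit"
    exit 1
  fi
  # ip_forward is set to 1 by default in fonera configuration
  # echo 1 > /proc/sys/net/ipv4/ip_forward
  # stop daemons
  local web=httpd
  local cron=crond
  local dns=dnsmasq
  #stop_daemon "$web"
  stop_daemon "$cron"
  stop_daemon "$dns"
  killall -9 udhcpc > /dev/null
  # flush_netfilter tables
  $NETFILTER -F
  $NETFILTER -P INPUT ACCEPT
  $NETFILTER -P OUTPUT ACCEPT
  $NETFILTER -P FORWARD ACCEPT
  $NETFILTER -t nat -F
  # NOTE(review): after this flush all default policies are ACCEPT and the
  # only rules added later (std_routing, setup_eth0) are NAT rules, so nothing
  # filters traffic coming in from ath1 toward the ath0/eth0 subnets. Add
  # FORWARD/INPUT rules if the external AP's network is not trusted.
  log "netfilter tables flushed"
} # setup_env

#-------------------------------------------------------------------------------
# hardening. Function that sets some TCP/IP parameters (only when khard=1):
# no source routing, no ICMP redirects, SYN cookies, reverse path filtering.
hardening () {
  if [ "$khard" = 1 ]; then
    # Disable tcp_sack support
    echo "0" > /proc/sys/net/ipv4/tcp_sack
    # Disable TCP window_scaling
    echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
    # NOTE(review): the two settings above cost throughput and are not a
    # security hardening; they are kept only because the original set them.
    # Disable source routing
    set_sysctl accept_source_route 0
    # Enable TCP SYN Cookie protection
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    # No ICMP Redirect
    set_sysctl accept_redirects 0
    # Enable IP spoofing protection (reverse path filtering)
    set_sysctl rp_filter 1
    log "fonera hardened"
  fi
} # hardening

#-------------------------------------------------------------------------------
# logging. Function that logs Spoofed, Source Routed and Redirect packets
# (kernel "martians") when klog=1.
logging () {
  if [ "$klog" = 1 ]; then
    # log_martians is a 0/1 flag: write exactly "1". The original passed
    # "= 1" as extra echo arguments, so "1 = 1" ended up in the proc file.
    set_sysctl log_martians 1
    log "logging malicyous packests activated"
  fi
} # logging

#-------------------------------------------------------------------------------
# setup_ath0. Function that sets up ath0 as an Access Point: optional MAC
# white list, ESSID "relay_<ESSID of ath1>", optional WEP key, static IP.
# Must run after setup_ath1 so the external ESSID is already set on ath1.
setup_ath0 () {
  local ap
  local i
  if [ "$whiteList" = 1 ]; then
    # madwifi maccmd: presumably 3 flushes the list and 1 switches to
    # "allow listed addresses only" - verify against the driver docs
    $IWPRIV ath0 maccmd 3
    $IWPRIV ath0 maccmd 1
    # one MAC address per line (see ponte2.conf); "|| [ -n ... ]" also
    # takes a last line without trailing newline
    while read -r i || [ -n "$i" ]; do
      [ -n "$i" ] && $IWPRIV ath0 addmac "$i"
    done < "$white_list"
  fi
  # catch external AP ESSID: the text between the quotes after ESSID:
  # (the original cut fixed columns out of the iwconfig line, which breaks
  # as soon as the output is aligned differently)
  ap=$($IWCONFIG ath1 | sed -n 's/.*ESSID:"\(.*\)".*/\1/p')
  $IWCONFIG ath0 essid "relay_$ap"
  log "ath0 is relay for $ap"
  #
  if [ -n "$WepKeyAscii_ath0" ]; then
    # WEP gives no real confidentiality; it only keeps casual clients off ath0
    $IWCONFIG ath0 key "s:$WepKeyAscii_ath0"
    # do not write the key itself into the log file
    log "ath0 WEP key configured"
  fi
  $IFCONFIG ath0 "$IP_ath0" netmask "$MASK_ath0" up
} # setup_ath0

#-------------------------------------------------------------------------------
# setup_ath1. Function that sets up ath1 as repeater (station) according to
# ath1_mode: 1 = strongest AP + DHCP, 2 = by SSID, 3 = by MAC, 4 = WPA-PSK,
# 5 = WEP. Modes 2..5 then get the static IP configuration from the config.
# Exits with status 1 on an unknown mode or an incomplete WEP configuration.
setup_ath1 () {
  case "$ath1_mode" in
    1)  # strongest external AP + dynamic IP: handled below
      ;;
    2)  # targeted external AP by SSID
      $IWCONFIG ath1 mode managed essid "$TargetSsid"
      log "ath1 via SSID: $TargetSsid"
      ;;
    3)  # targeted external AP by MAC
      $IWCONFIG ath1 mode managed ap "$TargetMac"
      log "ath1 via MAC: $TargetMac"
      ;;
    4)  # targeted external AP via WPA-PSK
      $IWCONFIG ath1 mode managed essid "$TargetWpa"
      $IFCONFIG ath1 "$IP_ath1" netmask "$MASK_ath1" up
      # -B runs wpa_supplicant in the background: without it wpa_supplicant
      # stays in the foreground and the rest of this script does not run
      wpa_supplicant -B -iath1 -c/etc/wpa_supplicant.conf -d
      log "ath1 interface via WPA PSK"
      ;;
    5)  # targeted external AP via WEP
      # what kind of key: hex takes precedence over ASCII
      if [ -n "$WepKeyHex_ath1" ]; then
        $IWCONFIG ath1 key "$WepKeyHex_ath1"
      elif [ -n "$WepKeyAscii_ath1" ]; then
        $IWCONFIG ath1 key "s:$WepKeyAscii_ath1"
      else
        log "error: WEP key not configured"
        exit 1
      fi
      # target we look for: SSID takes precedence over MAC
      if [ -n "$TargetWepSsid" ]; then
        $IWCONFIG ath1 mode managed essid "$TargetWepSsid"
      elif [ -n "$TargetWepMac" ]; then
        $IWCONFIG ath1 mode managed ap "$TargetWepMac"
      else
        log "error: no target AP for WEP"
        exit 1
      fi
      log "ath1 interface via WEP"
      ;;
    *)
      log "error: unknown ath1_mode '$ath1_mode'"
      exit 1
      ;;
  esac
  # IP config for ath1
  if [ "$ath1_mode" = 1 ]; then
    # simply discover strongest external AP + dynamic IP configuration
    /sbin/udhcpc -i ath1 >> "$logFile"
    # the original used "external AP " as an (always true) awk pattern, so
    # the prefix never reached the log; print it explicitly
    $IWCONFIG ath1 | grep ESSID | awk '{print "external AP " $4}' >> "$logFile"
    log "ath1 interface via external dhcp"
  else
    # static IP configuration
    $IFCONFIG ath1 "$IP_ath1" netmask "$MASK_ath1" up
    $ROUTE del default
    $ROUTE add default gw "$DFGW"
    printf 'nameserver %s\n' "$NAMESERVER1" > /etc/resolv.conf
    printf 'nameserver %s\n' "$NAMESERVER2" >> /etc/resolv.conf
  fi
} # setup_ath1

#-------------------------------------------------------------------------------
# setup_eth0. Function that sets up eth0 (wired lan) with a static IP and
# masquerades traffic leaving through it, when keth0=1.
setup_eth0 () {
  if [ "$keth0" = 1 ]; then
    $IFCONFIG eth0 "$IP_eth0" netmask "$MASK_eth0" up
    $NETFILTER -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    log "eth0 interface: $IP_eth0/$MASK_eth0"
  fi
} # setup_eth0

#-------------------------------------------------------------------------------
# std_routing. Standard routing: optional port forwards for BitTorrent and
# xMule clients behind ath0, and masquerading of everything leaving via ath1.
std_routing () {
  local pt
  # forwarding between the subnets
  if [ "$btorrent" = 1 ]; then
    # forward the BitTorrent listen ports arriving on ath1 to the client
    for pt in 6890 6891 6892 6893 6894 6895 6896 6897 6898 6899; do
      $NETFILTER -t nat -A PREROUTING -i ath1 -p tcp --dport "$pt" -j DNAT --to "$IP_client_btorrent:$pt"
    done
  fi
  if [ "$xmule" = 1 ]; then
    # presumably raised because a p2p client keeps many connections open
    echo "32752" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
    $NETFILTER -t nat -A PREROUTING -i ath1 -p tcp --dport 4662 -j DNAT --to "$IP_client_xmule:4662"
    $NETFILTER -t nat -A PREROUTING -i ath1 -p udp --dport 4672 -j DNAT --to "$IP_client_xmule:4672"
  fi
  # everything leaving through ath1 appears to come from the fonera itself
  $NETFILTER -t nat -A POSTROUTING -o ath1 -j MASQUERADE
} # std_routing

#-------------------------------------------------------------------------------
# main. Brings the repeater up: environment, sysctl hardening, VAP creation
# (ath0 first!), wireless and wired setup, NAT rules, DHCP, then shows the
# resulting interface configuration. Always exits with status 0.
main () {
  clear
  setup_env
  hardening
  logging
  # destroy VAPs devices
  $WLANCONFIG ath0 destroy
  $WLANCONFIG ath1 destroy
  # bring up first (!) VAP ath0 as Access Point
  $WLANCONFIG ath0 create wlandev wifi0 wlanmode ap
  # bring up VAP ath1 as station managed (no hardware beacon timers)
  $WLANCONFIG ath1 create wlandev wifi0 wlanmode sta nosbeacon
  # setup Wireless Lans (ath1 first: setup_ath0 reads its ESSID)
  setup_ath1
  setup_ath0
  # basic netfilter rules
  std_routing
  # setup Ethernet Lan
  setup_eth0
  # bring up DHCP
  if [ "$kdhcp" = 1 ]; then
    /usr/sbin/dnsmasq
  fi
  # show results
  $IWCONFIG > /tmp/results
  $IFCONFIG >> /tmp/results
  clear
  # cat rather than more: when run from /etc/init.d at boot, more may page
  # on the console and wait for input
  cat /tmp/results
  exit 0
}

main "$@"
# have fun!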
}}} file '''pont2.conf''' {{{
# /etc/ponte2.conf 20072802
# NO SPACE BETWEEN = AND VALUE
# parameter = value <---- WRONG way
# parameter=value <---- RIGHT way
#
# This file is sourced by /etc/ponte2 as a shell script running as root:
# it must stay valid sh and should be owned and writable by root only.
#
#---------------------------------
# hardening some TCP/IP parameters
#---------------------------------
# 1 = no source routing, no ICMP redirects, SYN cookies, rp_filter
# (and tcp_sack / window scaling disabled); 0 = leave kernel defaults
#khard=1
khard=0
#
#----------------------------------
# logging malicious TCP/IP packets
#----------------------------------
# 1 = enable log_martians on all interfaces
#klog=1
klog=0
#
# ------------
# DHCP service
# ------------
# If you want a dynamic IP configuration for WiFi/wired
# ifaces of your pc, use dnsmasq as DHCPD on ath0 and/or eth0
# Remember: you must edit /etc/dnsmasq.conf
#kdhcp=1
kdhcp=0
#
#--------------------------------
# configuring ath0 interface (AP)
#--------------------------------
# white_list
# you must create the file /etc/white_list.conf with
# ONLY one mac address allowed per line
# NOTE(review): a MAC white list is a convenience filter, not access
# control - MAC addresses are visible on air and can be copied.
#whiteList=1
whiteList=0
#
# if you want WEP auth on ath0 insert ASCII key
# (WEP is obsolete and offers no real confidentiality; the script only
# supports WEP on ath0, so do not rely on it for protection)
#WepKeyAscii_ath0=
#
# IP configuration for ath0
# wifi iface of your pc must be in this subnet
IP_ath0=192.168.10.1
MASK_ath0=255.255.255.0
#
#-------------------------------------
# configuring ath1 interface (station)
#-------------------------------------
# exactly one ath1_mode must be active (1..5)
# discovering stronger external AP and his dhcpd
#ath1_mode=1
#
# targeted external AP by SSID
ath1_mode=2
#TargetSsid=outdoor-net
TargetSsid=Cinigiano-wireless-network
#
# targeted external AP by MAC
#ath1_mode=3
#TargetMac=aa:bb:cc:dd:ee:ff
#
# targeted external AP via WPA-PSK (WPA personal)
# need /etc/wpa_supplicant.conf !
# (the PSK lives in that file, not here; keep it root-readable only)
#ath1_mode=4
#TargetWpa=reteprotetta
#
# targeted external AP via WEP
#ath1_mode=5
# key hex or ASCII (hex is used when both are set)
#WepKeyHex_ath1=
#WepKeyAscii_ath1=
# target SSID or MAC (SSID is used when both are set)
#TargetWepSsid=
#TargetWepMac=
#
#--------------------------
# static IP config for ath1
#--------------------------
# used by ath1_mode 2..5; mode 1 gets its address from the external dhcpd
IP_ath1=192.168.1.10
MASK_ath1=255.255.255.0
# default gateway
DFGW=192.168.1.1
# name servers (written to /etc/resolv.conf in static mode)
NAMESERVER1=151.99.125.2
NAMESERVER2=159.213.32.232
#
#---------------------------------------
# configuring eth0 interface (wired lan)
#---------------------------------------
# NOTE(review): with keth0=1 the address below is in the same /24 as ath0
# (192.168.10.0/24); presumably intended, but two interfaces in one subnet
# can make the kernel's route choice ambiguous - confirm before enabling.
#keth0=0
keth0=1
IP_eth0=192.168.10.2
MASK_eth0=255.255.255.0
#
#--------------------------
# port forwarding for xMule
#--------------------------
# when enabled, tcp/4662 and udp/4672 arriving on ath1 are forwarded
# to IP_client_xmule and ip_conntrack_max is raised
#xmule=1
#IP_client_xmule=192.168.10.20
xmule=0
#
# when enabled, tcp/6890-6899 arriving on ath1 are forwarded to
# IP_client_btorrent
#btorrent=1
#IP_client_btorrent=192.168.10.20
btorrent=0
#
# the end
}}}