|
|
Building a Slackware Wireless Access Point
patched by linky_fan
0. Introduction
This document provides step-by-step instructions for setting up a wireless access point using a PC running GNU/Linux and an 802.11b PCI WiFi card based on the Prism 2/2.5/3 chip sets. I wanted a system that would do firewalling, and would provide broadband Internet access to wireless hosts. For this article I chose Slackware 9 with the Netgear MA311 PCI card. Other distributions of GNU/Linux and wireless cards based on the Prism 2, 2.5, and 3 chip sets should work equally well.
Please email your success stories to eric.r.turner(at)bitbreather(dot)com. I am particularly interested in putting together a table of Linux distribution/WiFi card combinations that people have successfully set up using these instructions. If you had to do ANYTHING differently, please let me know so that I can incorporate your discoveries into this document. Thanks!
1. Copyright and Disclaimer
Copyright (C) 2003 by Eric R. Turner. This document may be distributed under the terms set forth in the LDP <http://www.tldp.org/LDP/LDP-Author-Guide/copyrights.html>
This is free documentation. It is distributed in the hope that it will be useful, but without any warranty. The information in this document is correct to the best of my knowledge, but there's a always a chance I've made some mistakes, so don't follow everything too blindly, especially if it seems wrong. Nothing here should have a detrimental effect on your computer, but just in case I take no responsibility for any damages incurred from the use of the information contained herein.
2. Assumptions
2.0 Software
You should have GNU/Linux installed with at least kernel 2.4, and should be comfortable editing files and using a command line. I did a full install of Slackware 9.0, which uses the 2.4.20 kernel. You need to have the wireless tools, Ethernet support, and iptables support too.
The files and commands listed here work for Slackware 9. I will gladly include differences between Linux distributions as people send them to me. It should not be too long before this document will be equally usable for all major Linux distributions. ;-)
2.1 Hardware
You should have a computer that is PCI 2.1 compliant. Most systems with a P166 or newer will work. Anything older may not work. You can find out if your system is compliant by checking the output of
dmesg | grep "PCI BIOS"
You should see something similar to
PCI: PCI BIOS revision 2.10 entry at 0xfb6c0, last bus=0
You need to have high-speed Internet, and and Ethernet card installed. You also need to have your wireless card installed, of course!
2.2 Experience
These instructions should work for you if you know how to use a command line, edit files, install packages, and have a basic understanding of Linux networking concepts. Section 3 shows you how to set up an Ethernet card, which you may safely skip if you know how to do this already.
3. Ethernet Setup
Ethernet setup can vary greatly between Linux distributions. If you have any difficulties setting up your Ethernet card, check out http://www.linuxquestions.org. This is hands down the best Linux support site! The following sections show how Ethernet card setup is accomplished in Slackware.
3.0. The Driver
First you need to make sure that the driver for your Ethernet card is available to the kernel. The easiest way to do this is to use a loadable kernel module. In /etc/rc.d/rc.modules uncomment the line that modprobes the module for your Ethernet card. I have a Netgear FA310TX, which uses the tulip module. Verify that the module is loaded by checking the output of the lsmod. In my case, lsmod shows
3.1. Configuration
You need to configure your Ethernet settings. Edit /etc/rc.d/rc.inet1. In most cases you will simply uncomment the line for eth0 that says "USE_DHCP=yes". You can now bring your Ethernet card up by executing /etc/rc.d/rc.inet1 as root. The next time you boot this will be done for you automatically.
3.2. Test
Verify that your Ethernet card is set up by checking the output of /sbin/ifconfig. You should see eth0 with reasonable settings. You should be able to ping a host on the Internet. For example, "ping www.linuxquestions.org".
4. Wireless Setup
4.0. The Driver
You need to make sure that the driver for your wireless card is available to the kernel. Download the hostap driver from http://hostap.epitest.fi/releases/hostap-0.0.4.tar.gz. With the advent of hotplug, your WiFi card will automatically be detected as orinoco_pci. I was unable to get the orinoco drivers working for me (despite some web pages that said they should support the Prism chip sets.) If you are using the hotplug system, add orinoco_cs, orinoco_pci, and orinoco_plx to /etc/hotplug/blacklist to prevent loading these modules when the system boots.
NOTE: Originally I tried to use the linux-wlan_ng driver, but was not able to get that driver working properly with my card. Lack of documentation for the linux-wlan_ng driver did not help matters! Their hardware compatibility list at http://www.linux-wlan.org/docs/wlan_adapters.html4.html said that my Netgear MA311 was supported, but it never detected the settings properly.
You will need to have the GNU/Linux kernel source code on your system, so download the package from your distribution's web site and install it.
Uncompress and inflate the hostap source code using "tar -zxvf hostap-0.0.4.tar.gz". Change to the hostap source code directory and follow the instructions for compiling the source code and installing. You only need to compile the hostap_pci module.
After you have compiled and installed the hostap_pci module, add
/sbin/modprobe hostap_pci
to /etc/rc.d/rc.modules so that the hostap_pci driver is loaded when the computer boots.
Now, as root, execute the
/sbin/modprobe hostap_pci
command. Verify that the hostap_pci module is loaded using the lsmod command. Now, verify that the card is recognized by using the iwconfig command. You should see wlan0 listed in the output.
4.1. Configuration
You need to add some code to configure wlan0. The address I am using for wlan0 is 192.168.1.1/24. I like to create a separate rc script for each network interface that I need to configure. I'll create a script called rc.wlan0, and call it from the appropriate location:
Slackware: place rc.wlan0 in the /etc/rc.d/ directory, and make a call to it from /etc/rc.d/rc.inet1.
Debian: place rc.wlan0 in the /etc/rc.boot/ directory. This script will automatically be run at boot.
SuSe: place rc.wlan0 in the /etc/rc.d/ directory, and make a call to it from /etc/rc.d/rc.boot.
Others: place rc.wlan0 in the /etc/rc.d/ directory, and make a call to it from /etc/rc.d/rc.local.
So, as root create a file called rc.wlan0 that contains the following:
#!/bin/sh
#
# rc.wlan0
#
CHANNEL=1
ESSID="mynetwork"
INTERFACE="wlan0"
IPADDR="192.168.1.1"
KEY="0123-4567-89AB-CDEF-0123-4567-89"
# Change this to some random value
MODE="Master"
NETMASK="255.255.255.0"
# Determine broadcast and network addresses from the IP address and netmask:
BROADCAST=`/bin/ipmask $NETMASK $IPADDR | cut -f 1 -d ' '`
NETWORK=`/bin/ipmask $NETMASK $IPADDR | cut -f 2 -d ' '`
# Set up the WiFi card
echo "Configuring ${INTERFACE}:"
/sbin/ifconfig ${INTERFACE} ${IPADDR} broadcast ${BROADCAST} netmask
${NETMASK}
/usr/sbin/iwconfig ${INTERFACE} essid ${ESSID}
/usr/sbin/iwconfig ${INTERFACE} channel ${CHANNEL}
/usr/sbin/iwconfig ${INTERFACE} mode ${MODE}
sleep 2
/usr/sbin/iwconfig ${INTERFACE} key ${KEY}
You may have noticed the sleep command in rc.wlan0. Without giving the card a short nap, I could not set the key. Someone suggested that some of the Intersil firmwares are a bit buggy. You may need to adjust the number of seconds you sleep in order to get encryption working
NOTE: If your card uses 40/64 bit encryption you just use a shorter hexadecimal string for the key (e.g. 0123-4567-89).
NOTE: There is confusion about 40 bit versus 64 bit WEP, and 104 bit versus 128 bit WEP. The Wireless 802.11b FAQ found at http://www.iss.net/wireless/WLAN_FAQ.php explains it:
The original 802.11 specification defined a 40-bit key. This key is combined with a 24 bit quantity known as the "initialization vector" (which is created automatically by the wireless network hardware) and these 64 bits are used within the RC4 encryption in order to produce the encrypted data. Some vendors describe this as 64-bit encryption (since technically RC4 is using 64 bits), but others describe it as 40-bits (since the initialization vector is public unencrypted data so it does not contribute to the security of the system). Therefore 40-bit and 64-bit WEP keys are the same thing, just being described from different points of view. Most 802.11 hardware now supports a larger 104-bit key; this also has a 24-bit initialization vector and so it is also sometimes marketed as a 128-bit system.
One last comment on security. Even 104/128 bit WEP is not that great. You would do well to add additional layers of encryption by setting up a VPN, using ssh instead of telnet, etc. These things are beyond the scope of this document (for now), but there is a lot of info on the Net about doing this. The VPN HOWTO would probably be a good place to start.
Make sure that the file is executable using "chmod 755 rc.wlan0".
Edit the script that will call rc.wlan0 and add something similar to the following code:
if [ -x /etc/rc.d/rc.wlan0 ]; then
/etc/rc.d/rc.wlan0
fi
Bring up the wlan0 interface by executing rc.wlan0 as root.
NOTE: the link light on the wireless PCI card will always blink. For some reason I expected it to go solid!
4.2 Test
Verify that the wlan0 interface is up by checking the output of /sbin/ifconfig. Also, verify that additional wlan0 settings (essid, mode, key, channel, etc...) are correct by checking the output of iwconfig.
5. Firewalling and Masquerading
5.0. Configuration
The last thing we need to do is use iptables to enable masquerading and firewalling, so that wireless clients can access the Internet. My firewall rules may or may not be exactly what you want. If you run an email or web server, then you will need to add additional rules to allow incoming connections for those services. I have a file called /etc/rc.d/rc.firewall. Slackware 9 calls this script from /etc/rc.d/rc.inet2. Your distribution may vary. Here's the script:
#!/bin/sh
###############################################################################
#
# The syntax of iptables is basically:
#
# iptables [-t table] -ACDI CHAIN rule-specification -j TARGET [options]
#
###############################################################################
IPT=/usr/sbin/iptables
# Use a trusted PATH
PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin
export PATH
# Disable IP forwarding until the rules are in place.
echo 0 > /proc/sys/net/ipv4/ip_forward
# Install the necessary kernel modules.
/sbin/modprobe ip_tables
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
# Flush the tables and delete the non-builtin chains
# to ensure that we are starting from scratch.
for i in filter nat mangle
do
$IPT --table $i --flush
$IPT --table $i --delete-chain
done
# Set up a user-defined chain called "rules" in the filter table that
# prevents anyone from connecting to local computers from the outside, but
# allows local computers to establish connections to the outside. We'll
# specify that the INPUT and FORWARD chains use the rules defined in our
# "rules" chain after we've established those rules.
$IPT --table filter --new-chain rules
# Accept traffic (and related traffic on different ports) coming in on
# any interface if the traffic has been seen before in both directions.
$IPT --table filter \
--append rules \
--match state \
--state ESTABLISHED,RELATED \
--jump ACCEPT
# Accept new traffic coming in on any interface except eth0 (the
# Internet interface).
$IPT --table filter \
--append rules \
--in-interface ! eth0 \
--match state \
--state NEW \
--jump ACCEPT
# The catch-all rule: drop new or invalid traffic coming in on any
# network interface.
$IPT --table filter \
--append rules \
--match state \
--state NEW,INVALID \
--jump DROP
# Use the rules defined in the "rules" chain for the INPUT and
# FOREWARD chains.
$IPT --table filter \
--append INPUT \
--jump rules
$IPT --table filter \
--append FORWARD \
--jump rules
# Make sure the default policy for the filter table's INPUT and
# FORWARD chains is DROP rather than ACCEPT, in case we misconfigure
# the firewall.
$IPT --table filter \
--policy INPUT DROP
$IPT --table filter \
--policy FORWARD DROP
# Add masquerading to the POSTROUTING chain in the nat table.
$IPT --table nat \
--append POSTROUTING \
--out-interface eth0 \
--source 192.168.1.0/24 \
--destination 0/0 \
--jump MASQUERADE
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Make the file executable with "chmod 755 /etc/rc.d/rc.firewall". Now, execute /etc/rc.d/rc.firewall. You should have a working wireless access point!
5.1. Test
Double check the output of lsmod. Here is my lsmod:
Module Size Used by Not tainted
hostap_crypt_wep 3020 1 (autoclean)
ipt_MASQUERADE 1272 2 (autoclean)
ipt_state 536 4 (autoclean)
iptable_mangle 2072 0 (autoclean) (unused)
iptable_filter 1644 1 (autoclean)
ip_conntrack_ftp 3888 1 (autoclean)
ip_nat_ftp 2928 0 (unused)
iptable_nat 14904 2 [ipt_MASQUERADE ip_nat_ftp]
ip_conntrack 18016 3 [ipt_MASQUERADE ipt_state ip_conntrack_ftp ip_nat_ftp
iptable_nat]
ip_tables 11768 7 [ipt_MASQUERADE ipt_state iptable_mangle iptable_filter
iptable_nat]
uhci 24560 0 (unused)
usbcore 58144 1 [uhci]
hostap_pci 33716 1
hostap 74372 0 [hostap_pci]
hostap_crypt 1360 0 [hostap_crypt_wep hostap]
tulip 41248 2
Double check the output of ifconfig. Here is my ifconfig:
eth0 Link encap:Ethernet HWaddr ?? ?????
inet addr??.???.???.??? Bcast??.???.???.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:112346 errors:0 dropped:0 overruns:0 frame:0
TX packets:121312 errors:1 dropped:0 overruns:1 carrier:0
collisions:5131 txqueuelen:100
RX bytes:19980541 (19.0 Mb) TX bytes:68587897 (65.4 Mb)
Interrupt:10 Base address:0x6400
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
wlan0 Link encap:Ethernet HWaddr ?????:??:??
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:107421 errors:0 dropped:725 overruns:0 frame:0
TX packets:106212 errors:2 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:53350539 (50.8 Mb) TX bytes:47579017 (45.3 Mb)
Interrupt:12 Memory:c6d9d000-c6d9e000
Double check the output of iwconfig. Here is my iwconfig:
lo no wireless extensions.
eth0 no wireless extensions.
wlan0 IEEE 802.11b ESSID:"bitbreather"
Mode:Master Frequency:2.412GHz Access Point: ??:??:??:??:??:??
Bit Rate:11Mb/s Sensitivity=1/3
Retry min limit:8 RTS thr ff Fragment thrff
Encryption key:????-????-????-????-????-????-?? Encryption mode:restricted
Power Managementff
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 Rx invalid crypt:6 Rx invalid frag:1
Tx excessive retries:4 Invalid misc:676 Missed beacon:0
Set up a wireless host to use your new access point. You'll need to use the same settings on both the access point and the client, except that the client will need to be in Managed mode. The client will need an IP address from the same range (e.g. 192.168.1.2) and a default gateway of 192.168.1.1.
6. To Do
Set up DHCP to configure wireless clients automatically. Set up DNS so that my wireless clients have DNS entries. Set up VPN for additional security. |
|
IP卡
狗仔卡
发表于 2004-10-30 22:46:53
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡