Slackware WIFI Access Point

Posted on 2004-10-30 22:46:53
Building a Slackware Wireless Access Point

patched by linky_fan

0. Introduction

This document provides step-by-step instructions for setting up a wireless access point using a PC running GNU/Linux and an 802.11b PCI WiFi card based on the Prism 2/2.5/3 chip sets. I wanted a system that would do firewalling, and would provide broadband Internet access to wireless hosts. For this article I chose Slackware 9 with the Netgear MA311 PCI card. Other distributions of GNU/Linux and wireless cards based on the Prism 2, 2.5, and 3 chip sets should work equally well.

Please email your success stories to eric.r.turner(at)bitbreather(dot)com. I am particularly interested in putting together a table of Linux distribution/WiFi card combinations that people have successfully set up using these instructions. If you had to do ANYTHING differently, please let me know so that I can incorporate your discoveries into this document. Thanks!

1. Copyright and Disclaimer

Copyright (C) 2003 by Eric R. Turner. This document may be distributed under the terms set forth in the LDP <http://www.tldp.org/LDP/LDP-Author-Guide/copyrights.html>

This is free documentation. It is distributed in the hope that it will be useful, but without any warranty. The information in this document is correct to the best of my knowledge, but there's always a chance I've made some mistakes, so don't follow everything too blindly, especially if it seems wrong. Nothing here should have a detrimental effect on your computer, but just in case I take no responsibility for any damages incurred from the use of the information contained herein.

2. Assumptions

2.0 Software

You should have GNU/Linux installed with at least kernel 2.4, and should be comfortable editing files and using a command line. I did a full install of Slackware 9.0, which uses the 2.4.20 kernel. You need to have the wireless tools, Ethernet support, and iptables support too.

The files and commands listed here work for Slackware 9. I will gladly include differences between Linux distributions as people send them to me. It should not be too long before this document will be equally usable for all major Linux distributions. ;-)

2.1 Hardware

You should have a computer that is PCI 2.1 compliant. Most systems with a P166 or newer will work. Anything older may not work. You can find out if your system is compliant by checking the output of

dmesg | grep "PCI BIOS"

You should see something similar to

PCI: PCI BIOS revision 2.10 entry at 0xfb6c0, last bus=0


You need to have high-speed Internet and an Ethernet card installed. You also need to have your wireless card installed, of course!

2.2 Experience

These instructions should work for you if you know how to use a command line, edit files, install packages, and have a basic understanding of Linux networking concepts. Section 3 shows you how to set up an Ethernet card, which you may safely skip if you know how to do this already.

3. Ethernet Setup

Ethernet setup can vary greatly between Linux distributions. If you have any difficulties setting up your Ethernet card, check out http://www.linuxquestions.org. This is hands down the best Linux support site! The following sections show how Ethernet card setup is accomplished in Slackware.

3.0. The Driver

First you need to make sure that the driver for your Ethernet card is available to the kernel. The easiest way to do this is to use a loadable kernel module. In /etc/rc.d/rc.modules uncomment the line that modprobes the module for your Ethernet card. I have a Netgear FA310TX, which uses the tulip module. Verify that the module is loaded by checking the output of lsmod. In my case, lsmod shows

tulip 41248 1


3.1. Configuration

You need to configure your Ethernet settings. Edit /etc/rc.d/rc.inet1. In most cases you will simply uncomment the line for eth0 that says "USE_DHCP=yes". You can now bring your Ethernet card up by executing /etc/rc.d/rc.inet1 as root. The next time you boot this will be done for you automatically.

3.2. Test

Verify that your Ethernet card is set up by checking the output of /sbin/ifconfig. You should see eth0 with reasonable settings. You should be able to ping a host on the Internet. For example, "ping www.linuxquestions.org".

4. Wireless Setup

4.0. The Driver

You need to make sure that the driver for your wireless card is available to the kernel. Download the hostap driver from http://hostap.epitest.fi/releases/hostap-0.0.4.tar.gz. With the advent of hotplug, your WiFi card will automatically be detected as orinoco_pci. I was unable to get the orinoco drivers working for me (despite some web pages that said they should support the Prism chip sets). If you are using the hotplug system, add orinoco_cs, orinoco_pci, and orinoco_plx to /etc/hotplug/blacklist to prevent loading these modules when the system boots.

NOTE: Originally I tried to use the linux-wlan_ng driver, but was not able to get that driver working properly with my card. Lack of documentation for the linux-wlan_ng driver did not help matters! Their hardware compatibility list at http://www.linux-wlan.org/docs/wlan_adapters.html4.html said that my Netgear MA311 was supported, but it never detected the settings properly.

You will need to have the GNU/Linux kernel source code on your system, so download the package from your distribution's web site and install it.

Uncompress and inflate the hostap source code using "tar -zxvf hostap-0.0.4.tar.gz". Change to the hostap source code directory and follow the instructions for compiling the source code and installing. You only need to compile the hostap_pci module.

After you have compiled and installed the hostap_pci module, add

/sbin/modprobe hostap_pci

to /etc/rc.d/rc.modules so that the hostap_pci driver is loaded when the computer boots.

Now, as root, execute the

/sbin/modprobe hostap_pci

command. Verify that the hostap_pci module is loaded using the lsmod command. Now, verify that the card is recognized by using the iwconfig command. You should see wlan0 listed in the output.

4.1. Configuration

You need to add some code to configure wlan0. The address I am using for wlan0 is 192.168.1.1/24. I like to create a separate rc script for each network interface that I need to configure. I'll create a script called rc.wlan0, and call it from the appropriate location:

Slackware: place rc.wlan0 in the /etc/rc.d/ directory, and make a call to it from /etc/rc.d/rc.inet1.

Debian: place rc.wlan0 in the /etc/rc.boot/ directory. This script will automatically be run at boot.

SuSe: place rc.wlan0 in the /etc/rc.d/ directory, and make a call to it from /etc/rc.d/rc.boot.

Others: place rc.wlan0 in the /etc/rc.d/ directory, and make a call to it from /etc/rc.d/rc.local.

So, as root create a file called rc.wlan0 that contains the following:

   #!/bin/sh
   #
   # rc.wlan0
   #

   CHANNEL=1
   ESSID="mynetwork"
   INTERFACE="wlan0"
   IPADDR="192.168.1.1"
   # Change this to some random value
   KEY="0123-4567-89AB-CDEF-0123-4567-89"
   MODE="Master"
   NETMASK="255.255.255.0"

   # Determine broadcast and network addresses from the IP address and netmask:

   BROADCAST=`/bin/ipmask $NETMASK $IPADDR | cut -f 1 -d ' '`
   NETWORK=`/bin/ipmask $NETMASK $IPADDR | cut -f 2 -d ' '`

   # Set up the WiFi card

   echo "Configuring ${INTERFACE}:"
   /sbin/ifconfig ${INTERFACE} ${IPADDR} broadcast ${BROADCAST} netmask ${NETMASK}
   /usr/sbin/iwconfig ${INTERFACE} essid ${ESSID}
   /usr/sbin/iwconfig ${INTERFACE} channel ${CHANNEL}
   /usr/sbin/iwconfig ${INTERFACE} mode ${MODE}
   # Give the card a moment to settle; some Prism firmwares reject the key otherwise
   sleep 2
   /usr/sbin/iwconfig ${INTERFACE} key ${KEY}


You may have noticed the sleep command in rc.wlan0. Without giving the card a short nap, I could not set the key. Someone suggested that some of the Intersil firmwares are a bit buggy. You may need to adjust the number of seconds you sleep in order to get encryption working.

NOTE: If your card uses 40/64 bit encryption you just use a shorter hexadecimal string for the key (e.g. 0123-4567-89).

NOTE: There is confusion about 40 bit versus 64 bit WEP, and 104 bit versus 128 bit WEP. The Wireless 802.11b FAQ found at http://www.iss.net/wireless/WLAN_FAQ.php explains it:
   The original 802.11 specification defined a 40-bit key. This key is combined with a 24 bit quantity known as the "initialization vector" (which is created automatically by the wireless network hardware) and these 64 bits are used within the RC4 encryption in order to produce the encrypted data. Some vendors describe this as 64-bit encryption (since technically RC4 is using 64 bits), but others describe it as 40-bits (since the initialization vector is public unencrypted data so it does not contribute to the security of the system). Therefore 40-bit and 64-bit WEP keys are the same thing, just being described from different points of view. Most 802.11 hardware now supports a larger 104-bit key; this also has a 24-bit initialization vector and so it is also sometimes marketed as a 128-bit system.

One last comment on security. Even 104/128 bit WEP is not that great. You would do well to add additional layers of encryption by setting up a VPN, using ssh instead of telnet, etc. These things are beyond the scope of this document (for now), but there is a lot of info on the Net about doing this. The VPN HOWTO would probably be a good place to start.
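As an added check that is not part of the original HOWTO, the following POSIX shell functions validate the KEY value used in rc.wlan0 against the key lengths described in the notes above (10 hex digits for a 40/64-bit key, 26 for a 104/128-bit key), refuse the example key that ships in this document, and generate a fresh random 104-bit key in iwconfig's dashed format. The function names and the PLACEHOLDER_KEY constant are my own; the generator assumes od and /dev/urandom are available.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): sanity-check the WEP KEY
# in rc.wlan0 before the interface is brought up.  iwconfig accepts the
# key as hex digits optionally grouped with dashes.

# The example key from the HOWTO's rc.wlan0; it must never go live.
PLACEHOLDER_KEY="0123-4567-89AB-CDEF-0123-4567-89"

# Print the key length in bits (40 or 104); return 1 for anything else.
wep_key_bits() {
    hex=$(printf '%s' "$1" | tr -d '-' | tr 'a-f' 'A-F')
    case "$hex" in
        *[!0-9A-F]*|'') return 1 ;;   # not a pure hex string
    esac
    case ${#hex} in
        10) echo 40 ;;                # 40-bit key, marketed as 64-bit
        26) echo 104 ;;               # 104-bit key, marketed as 128-bit
        *)  return 1 ;;               # no other length is valid WEP
    esac
}

# Return 0 if the key is usable: valid length and not the HOWTO's example.
check_wep_key() {
    bits=$(wep_key_bits "$1") || { echo "invalid WEP key: $1" >&2; return 1; }
    if [ "$1" = "$PLACEHOLDER_KEY" ]; then
        echo "KEY is still the example value from the HOWTO; generate your own" >&2
        return 1
    fi
    if [ "$bits" -eq 40 ]; then
        echo "warning: 40-bit key; prefer 104-bit if the card supports it" >&2
    fi
    return 0
}

# Print a random 104-bit key (13 bytes) as 0123-4567-89AB-CDEF-0123-4567-89.
random_wep_key() {
    od -An -N13 -tx1 /dev/urandom | tr -d ' \n' | tr 'a-f' 'A-F' |
        sed 's/..../&-/g; s/-$//'
}

# Usage: check_wep_key "$KEY" || exit 1     (e.g. at the top of rc.wlan0)
```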

Make sure that the file is executable using "chmod 755 rc.wlan0".
Edit the script that will call rc.wlan0 and add something similar to the following code:

   if [ -x /etc/rc.d/rc.wlan0 ]; then
      /etc/rc.d/rc.wlan0
   fi


Bring up the wlan0 interface by executing rc.wlan0 as root.

NOTE: the link light on the wireless PCI card will always blink. For some reason I expected it to go solid!

4.2 Test

Verify that the wlan0 interface is up by checking the output of /sbin/ifconfig. Also, verify that additional wlan0 settings (essid, mode, key, channel, etc...) are correct by checking the output of iwconfig.

5. Firewalling and Masquerading

5.0. Configuration

The last thing we need to do is use iptables to enable masquerading and firewalling, so that wireless clients can access the Internet. My firewall rules may or may not be exactly what you want. If you run an email or web server, then you will need to add additional rules to allow incoming connections for those services. I have a file called /etc/rc.d/rc.firewall. Slackware 9 calls this script from /etc/rc.d/rc.inet2. Your distribution may vary. Here's the script:

   #!/bin/sh

   ###############################################################################
   #
   # The syntax of iptables is basically:
   #
   #    iptables [-t table] -ACDI CHAIN rule-specification -j TARGET [options]
   #
   ###############################################################################

   IPT=/usr/sbin/iptables

   # Use a trusted PATH

   PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin
   export PATH

   # Disable IP forwarding until the rules are in place.

   echo 0 > /proc/sys/net/ipv4/ip_forward

   # Install the necessary kernel modules.

   /sbin/modprobe ip_tables
   /sbin/modprobe ip_nat_ftp
   /sbin/modprobe ip_conntrack_ftp

   # Flush the tables and delete the non-builtin chains
   # to ensure that we are starting from scratch.

   for i in filter nat mangle
   do
      $IPT --table $i --flush
      $IPT --table $i --delete-chain
   done

   # Set up a user-defined chain called "rules" in the filter table that
   # prevents anyone from connecting to local computers from the outside, but
   # allows local computers to establish connections to the outside. We'll
   # specify that the INPUT and FORWARD chains use the rules defined in our
   # "rules" chain after we've established those rules.

   $IPT --table filter --new-chain rules

   # Accept traffic (and related traffic on different ports) coming in on
   # any interface if the traffic has been seen before in both directions.

   $IPT --table filter \
        --append rules \
        --match state \
        --state ESTABLISHED,RELATED \
        --jump ACCEPT

   # Accept new traffic coming in on any interface except eth0 (the
   # Internet interface).

   $IPT --table filter \
        --append rules \
        --in-interface ! eth0 \
        --match state \
        --state NEW \
        --jump ACCEPT

   # The catch-all rule: drop new or invalid traffic coming in on any
   # network interface.

   $IPT --table filter \
        --append rules \
        --match state \
        --state NEW,INVALID \
        --jump DROP

   # Use the rules defined in the "rules" chain for the INPUT and
   # FORWARD chains.

   $IPT --table filter \
        --append INPUT \
        --jump rules

   $IPT --table filter \
        --append FORWARD \
        --jump rules

   # Make sure the default policy for the filter table's INPUT and
   # FORWARD chains is DROP rather than ACCEPT, in case we misconfigure
   # the firewall.

   $IPT --table filter \
        --policy INPUT DROP

   $IPT --table filter \
        --policy FORWARD DROP


   # Add masquerading to the POSTROUTING chain in the nat table.

   $IPT --table nat \
        --append POSTROUTING \
        --out-interface eth0 \
        --source 192.168.1.0/24 \
        --destination 0/0 \
        --jump MASQUERADE

   # Enable IP forwarding

   echo 1 > /proc/sys/net/ipv4/ip_forward


Make the file executable with "chmod 755 /etc/rc.d/rc.firewall". Now, execute /etc/rc.d/rc.firewall. You should have a working wireless access point!

5.1. Test

Double check the output of lsmod. Here is my lsmod:

    Module Size Used by Not tainted
    hostap_crypt_wep 3020 1 (autoclean)
    ipt_MASQUERADE 1272 2 (autoclean)
    ipt_state 536 4 (autoclean)
    iptable_mangle 2072 0 (autoclean) (unused)
    iptable_filter 1644 1 (autoclean)
    ip_conntrack_ftp 3888 1 (autoclean)
    ip_nat_ftp 2928 0 (unused)
    iptable_nat 14904 2 [ipt_MASQUERADE ip_nat_ftp]
    ip_conntrack 18016 3 [ipt_MASQUERADE ipt_state ip_conntrack_ftp ip_nat_ftp
                       iptable_nat]
    ip_tables 11768 7 [ipt_MASQUERADE ipt_state iptable_mangle iptable_filter
                        iptable_nat]
    uhci 24560 0 (unused)
    usbcore 58144 1 [uhci]
    hostap_pci 33716 1
    hostap 74372 0 [hostap_pci]
    hostap_crypt 1360 0 [hostap_crypt_wep hostap]
    tulip 41248 2



Double check the output of ifconfig. Here is my ifconfig:

    eth0 Link encap:Ethernet HWaddr ???????
    inet addr:??.???.???.??? Bcast:??.???.???.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:112346 errors:0 dropped:0 overruns:0 frame:0
    TX packets:121312 errors:1 dropped:0 overruns:1 carrier:0
    collisions:5131 txqueuelen:100
    RX bytes:19980541 (19.0 Mb) TX bytes:68587897 (65.4 Mb)
    Interrupt:10 Base address:0x6400

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    wlan0 Link encap:Ethernet HWaddr ?????:??:??
    inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:107421 errors:0 dropped:725 overruns:0 frame:0
    TX packets:106212 errors:2 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:53350539 (50.8 Mb) TX bytes:47579017 (45.3 Mb)
    Interrupt:12 Memory:c6d9d000-c6d9e000



Double check the output of iwconfig. Here is my iwconfig:


    lo no wireless extensions.

    eth0 no wireless extensions.

    wlan0 IEEE 802.11b ESSID:"bitbreather"
    Mode:Master Frequency:2.412GHz Access Point: ??:??:??:??:??:??
    Bit Rate:11Mb/s Sensitivity=1/3
    Retry min limit:8 RTS thr:off Fragment thr:off
    Encryption key:????-????-????-????-????-????-?? Encryption mode:restricted
    Power Management:off
    Link Quality:0 Signal level:0 Noise level:0
    Rx invalid nwid:0 Rx invalid crypt:6 Rx invalid frag:1
    Tx excessive retries:4 Invalid misc:676 Missed beacon:0
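
The three double-checks above can be scripted. This is an added example, not from the original HOWTO: each function reads the output of lsmod, iwconfig or /proc/sys/net/ipv4/ip_forward from standard input, so it works on saved output as well as on a live box; the function names and the module list are my choices, taken from the lsmod listing above.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): verify the access point
# state after rc.wlan0 and rc.firewall have run.
# Usage:  lsmod | check_modules
#         iwconfig | check_wlan0
#         check_forwarding < /proc/sys/net/ipv4/ip_forward

# Every module the WEP setup and the masquerading firewall depend on
# must appear in lsmod (first column, as in the listing above).
check_modules() {
    rc=0
    input=$(cat)
    for m in hostap_pci hostap_crypt_wep iptable_nat ipt_MASQUERADE ipt_state; do
        printf '%s\n' "$input" | grep -q "^$m " ||
            { echo "missing module: $m" >&2; rc=1; }
    done
    return $rc
}

# wlan0 must be in Master mode with a key set; Managed mode means it is
# a client, not an AP, and "Encryption key:off" means an open network.
check_wlan0() {
    input=$(cat)
    wl=$(printf '%s\n' "$input" | sed -n '/^ *wlan0 /,/^$/p')
    [ -n "$wl" ] || { echo "wlan0 has no wireless extensions" >&2; return 1; }
    printf '%s\n' "$wl" | grep -q 'Mode:Master' ||
        { echo "wlan0 is not in Master mode" >&2; return 1; }
    if printf '%s\n' "$wl" | grep -q 'Encryption key:off'; then
        echo "wlan0 is running with encryption off" >&2
        return 1
    fi
    return 0
}

# IP forwarding must be 1 for masquerading to work; rc.firewall only
# turns it on after the rules are in place, so 0 means the script failed.
check_forwarding() {
    read -r v
    [ "$v" = 1 ]
}
```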


Set up a wireless host to use your new access point. You'll need to use the same settings on both the access point and the client, except that the client will need to be in Managed mode. The client will need an IP address from the same range (e.g. 192.168.1.2) and a default gateway of 192.168.1.1.

6. To Do

Set up DHCP to configure wireless clients automatically. Set up DNS so that my wireless clients have DNS entries. Set up VPN for additional security.