Hi all, I put my notes on how I built a wireless access point together into a hint. I hope someone likes it.
Regards, Thomas
AUTHOR: Thomas de Roo <tho...@de-roo.org>

DATE: 21-08-2013

LICENSE: Free

SYNOPSIS: Build a WiFi AccessPoint using (B)LFS

DESCRIPTION:
This hint describes how you can build a WiFi AccessPoint with (B)LFS. It
turns your LFS-box into a NATing router for your wireless clients. hostapd
creates the WiFi connections.

PREREQUISITES:
A PC with a NIC and a WiFi-adapter, LFS installed.
From BLFS: dhcpd, sqlite3, libnl-3.2, iptables, openssl
Optional: git

HINT:

CONTENTS:
---------
1) Introduction
2) Kernel options
3) Setup the WiFi-adapter
4) Installing hostapd
5) Configure hostapd
6) Starting hostapd
7) Configuring dhcpd
8) Configuring iptables

1) Introduction:
----------------
This hint reflects how I used LFS to set up a WiFi AccessPoint. I use hostapd
to create the wireless network, and use the LFS-box as a masquerading box to
give the wireless clients access to the LAN and the internet. I assume the
prerequisites are installed as per the BLFS instructions.

Before we begin we need to identify the network devices of the PC. In my
setup, eth0 is the LAN device and wlan0 is the WiFi device.

I use git to download the sources of hostapd. You can also download and
unpack a release tarball instead.

Also, we need to make an IP plan for the subnets. In my setup, I use
192.168.0.0/24 for the LAN, and 192.168.5.0/24 for the WiFi. Look up what
you use as a DNS server. I use 192.168.0.1.

2) Kernel options:
------------------
Make sure you compile the netfilter modules. See iptables in the BLFS book
for more info.
3) Setup the WiFi-adapter:
--------------------------
cat > /etc/sysconfig/ifconfig.wlan0 << "EOF"
ONBOOT=yes
IFACE=wlan0
SERVICE="ipv4-static"
IP=192.168.5.1
GATEWAY=
PREFIX=24
BROADCAST=192.168.5.255
EOF
/etc/rc.d/init.d/network start

4) Installing hostapd:
----------------------
The man pages go under /usr/share/man, where LFS keeps them.

git clone git://w1.fi/srv/git/hostap.git hostap &&
cd hostap/hostapd &&
cat > .config << "EOF" &&
CONFIG_DEBUG_FILE=y
CONFIG_DRIVER_HOSTAP=y
CONFIG_DRIVER_NL80211=y
CONFIG_DRIVER_RADIUS_ACL=y
CONFIG_EAP=y
CONFIG_EAP_AKA=y
CONFIG_EAP_AKA_PRIME=y
CONFIG_EAP_EKE=y
CONFIG_EAP_FAST=y
CONFIG_EAP_GPSK=y
CONFIG_EAP_GPSK_SHA256=y
CONFIG_EAP_GTC=y
CONFIG_EAP_IKEV2=y
CONFIG_EAP_MD5=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_PAX=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_PSK=y
CONFIG_EAP_PWD=y
CONFIG_EAP_SAKE=y
CONFIG_EAP_SIM=y
CONFIG_EAP_TLS=y
CONFIG_EAP_TNC=y
CONFIG_EAP_TTLS=y
CONFIG_FULL_DYNAMIC_VLAN=y
CONFIG_IAPP=y
CONFIG_IEEE80211AC=y
CONFIG_IEEE80211N=y
CONFIG_PEERKEY=y
CONFIG_PKCS12=y
CONFIG_RSN_PREAUTH=y
CONFIG_SQLITE=y
CONFIG_TLS=openssl
CONFIG_VLAN_NETLINK=y
CONFIG_WNM=y
CONFIG_WPS2=y
CONFIG_WPS=y
CONFIG_WPS_NFC=y
CONFIG_WPS_UPNP=y
CONFIG_LIBNL32=y
CFLAGS += -I/usr/include/libnl3
LIBS += -lnl-genl-3 -lnl-3
EOF
make &&
cp -v hostapd /usr/bin/ &&
cp -v hostapd_cli /usr/bin/ &&
cp -v *.8 /usr/share/man/man8/ &&
cp -v *.1 /usr/share/man/man1/

5) Configure hostapd:
---------------------
cat > /etc/hostapd.conf << "EOF" &&
beacon_int=100
channel=9
country_code=NL
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
hw_mode=g
ieee80211d=1
ieee80211h=1
ieee80211n=1
interface=wlan0
# hostapd does not strip quotes from ssid; a quoted value would become part
# of the network name.
ssid=LFS-Box
# WPA2 (RSN) only, PSK authentication, CCMP (AES) as pairwise cipher. Set
# these explicitly rather than relying on the defaults: TKIP is weak and
# also disables the 802.11n rates.
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Sup3rS3cr3t
EOF
cat > /etc/rc.d/init.d/hostapd << "EOF" &&
#!/bin/sh
########################################################################
# Begin hostapd
#
# Description : Start hostap daemon
#
# Author      : Bruce Dubbs - bdu...@linuxfromscratch.org
#
# Version     : LFS 7.0
#
########################################################################

### BEGIN INIT INFO
# Provides:            hostap
# Required-Start:      $network
# Should-Start:        $remote_fs haldaemon
# Required-Stop:       $network
# Should-Stop:         haldaemon $remote_fs
# Default-Start:       3 4 5
# Default-Stop:        0 1 2 6
# Short-Description:   Starts hostap daemon.
# Description:         Starts hostap daemon.
# X-LFS-Provided-By:   BLFS / LFS 7.0
### END INIT INFO

. /lib/lsb/init-functions

#$LastChangedBy: dj $
#$Date: 2011-12-05 07:38:40 +0000 (Mon, 05 Dec 2011) $

case $1 in
   start)
      log_info_msg "Starting hostap daemon..."
      start_daemon /usr/bin/hostapd -t -B -P /var/run/hostapd.pid \
                   -f /var/log/hostapd.log /etc/hostapd.conf
      evaluate_retval
      ;;

   stop)
      log_info_msg "Stopping hostap daemon..."
      killproc /usr/bin/hostapd
      evaluate_retval
      ;;

   restart)
      $0 stop
      sleep 1
      $0 start
      ;;

   status)
      statusproc /usr/bin/hostapd
      ;;

   *)
      echo "Usage: $0 {start|stop|restart|status}"
      exit 1
      ;;
esac

# End /etc/init.d/hostapd
EOF
chmod a+x /etc/rc.d/init.d/hostapd &&
ln -sv ../init.d/hostapd /etc/rc.d/rc2.d/S22hostapd &&
ln -sv ../init.d/hostapd /etc/rc.d/rc3.d/S22hostapd &&
ln -sv ../init.d/hostapd /etc/rc.d/rc4.d/S22hostapd &&
ln -sv ../init.d/hostapd /etc/rc.d/rc5.d/S22hostapd &&
ln -sv ../init.d/hostapd /etc/rc.d/rc1.d/K10hostapd &&
ln -sv ../init.d/hostapd /etc/rc.d/rc6.d/K10hostapd

6) Starting hostapd:
--------------------
/etc/rc.d/init.d/hostapd start

Check /var/log/hostapd.log for the results. Your wireless clients should be
able to see and connect to the network now. DHCP isn't working yet though.
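As an added check (not part of the hint), a small audit script for the settings in /etc/hostapd.conf that decide how well the wireless clients are protected: it parses hostapd's key=value format and flags an open or WPA1 network, a pairwise cipher left to the defaults or including TKIP, a too-short passphrase, WPS being enabled, and a quoted ssid. The sample file is constructed in the style of section 5; the 16-character passphrase threshold is an assumed local policy, not a hostapd rule.

```python
# Constructed sample in the style of the section 5 file; the settings hostapd
# would otherwise take from its defaults are deliberately left out.
WEAK_CONF = """\
interface=wlan0
ssid="LFS-Box"
wpa=2
wpa_passphrase=Sup3rS3cr3t
"""
MIN_PASSPHRASE = 16  # assumed local policy; hostapd itself only enforces 8..63

def parse_hostapd_conf(text):
    """hostapd.conf is one key=value per line; '#' starts a comment, nothing is quoted."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return (key, message) findings for the settings that decide client security."""
    findings = []
    wpa = int(conf.get("wpa", "0"))  # bit 1 = WPA (TKIP era), bit 2 = RSN/WPA2
    if wpa == 0:
        findings.append(("wpa", "open network: wpa is unset or 0"))
    elif wpa & 1:
        findings.append(("wpa", "WPA1 is enabled; wpa=2 keeps RSN (WPA2) only"))
    # rsn_pairwise falls back to wpa_pairwise in hostapd, so look it up the same way.
    pairwise = conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split()
    if wpa & 2 and "CCMP" not in pairwise:
        findings.append(("rsn_pairwise", "set rsn_pairwise=CCMP explicitly instead of trusting the default"))
    elif "TKIP" in pairwise:
        findings.append(("rsn_pairwise", "TKIP is listed as a pairwise cipher"))
    passphrase = conf.get("wpa_passphrase")
    if passphrase is not None and not 8 <= len(passphrase) <= 63:
        findings.append(("wpa_passphrase", "hostapd requires 8 to 63 characters"))
    elif passphrase is not None and len(passphrase) < MIN_PASSPHRASE:
        findings.append(("wpa_passphrase", f"shorter than {MIN_PASSPHRASE} characters"))
    if conf.get("wps_state", "0") != "0":
        findings.append(("wps_state", "WPS is enabled; leave it off unless you need it"))
    ssid = conf.get("ssid", "")
    if len(ssid) >= 2 and ssid[0] == ssid[-1] == '"':
        findings.append(("ssid", "quotes are kept by hostapd and become part of the SSID"))
    return findings
```

Run audit(parse_hostapd_conf(open("/etc/hostapd.conf").read())) on the box; an empty list means none of the checks fired.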
7) Configuring dhcpd:
---------------------
If you have dhcpd already running for the LAN, you need to add a scope for
the subnet of the WiFi:

cat >> /etc/dhcp/dhcpd.conf << "EOF"
# This is the scope for the wireless-clients:
subnet 192.168.5.0 netmask 255.255.255.0 {
  authoritative;
  range 192.168.5.101 192.168.5.199;
  option domain-name "lan";
  option domain-name-servers 192.168.0.1;
  option routers 192.168.5.1;
}
EOF

8) Configuring iptables:
------------------------
cat > /etc/rc.d/rc.iptables << "EOF" &&
#!/bin/sh

# Begin rc.iptables

echo
echo "This script is just an example to get the WiFi AccessPoint working."
echo "If you need a secure firewall, make sure you adjust it!!!"
echo

# Insert iptables modules (not needed if built into the kernel).
modprobe nf_conntrack
modprobe nf_conntrack_ftp
modprobe xt_conntrack
modprobe xt_LOG
modprobe xt_state

# Start from empty tables, so running the script a second time does not
# append duplicate rules.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Masquerade the wireless subnet behind the LAN address of the LFS-box.
# eth0 is the LAN device and wlan0 the WiFi device, as identified in the
# introduction.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

# (last of all rules, but before policy rules)
# The chain policies are still ACCEPT, so a packet that reaches these LOG
# rules is logged and then accepted anyway.
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "

# Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
chmod a+x /etc/rc.d/rc.iptables &&
/etc/rc.d/init.d/iptables start

Now the wireless clients should be able to connect and use your LAN! If the
routes on the LFS-box are set to connect to the internet, your wireless
clients should be able to do so now too.

In my setup, my internet router on the LAN is a NATing router itself, so the
wireless clients go through two NATing routers. This is not ideal.

CHANGELOG:
[21-08-2013]
* initial hint
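The three LOG rules in rc.iptables are also a detection source. As an added example (not part of the hint), this script parses the kernel's netfilter log lines carrying the FIREWALL: prefixes and lists LAN hosts opening new connections toward wireless clients: with the rules above those are the only FORWARD packets that reach the LOG rule, and under the default ACCEPT policy they are forwarded anyway. Log lines, hosts and MAC addresses are constructed; the script assumes eth0 and wlan0 as in the introduction.

```python
import re
from collections import Counter

# Constructed lines in the shape the LOG rules of rc.iptables produce: the
# "FIREWALL:<chain> " prefix followed by the kernel's KEY=VALUE fields.
# Hosts and MAC addresses are made up.
SAMPLE_LOG = """\
Aug 21 20:01:02 lfs kernel: FIREWALL:FORWARD IN=eth0 OUT=wlan0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.42 DST=192.168.5.101 LEN=60 TTL=63 ID=1 DF PROTO=TCP SPT=40000 DPT=445 SYN URGP=0
Aug 21 20:01:03 lfs kernel: FIREWALL:FORWARD IN=eth0 OUT=wlan0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.42 DST=192.168.5.102 LEN=60 TTL=63 ID=2 DF PROTO=TCP SPT=40001 DPT=445 SYN URGP=0
Aug 21 20:01:05 lfs kernel: FIREWALL:FORWARD IN=eth0 OUT=wlan0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.7 DST=192.168.5.101 LEN=80 TTL=63 ID=3 PROTO=UDP SPT=5353 DPT=5353
Aug 21 20:01:06 lfs kernel: FIREWALL:INPUT IN=wlan0 OUT= MAC=ff:ff:ff:ff:ff:ff:66:77:88:99:aa:bb:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67
Aug 21 20:01:08 lfs kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.42 DST=192.168.0.5 LEN=60 TTL=64 ID=4 DF PROTO=TCP SPT=50000 DPT=22 SYN URGP=0
"""

LINE_RE = re.compile(r"FIREWALL:(?P<chain>[A-Z]+) (?P<rest>.*)")
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")

def parse_log_line(line):
    """One netfilter LOG line -> dict of fields, or None if it lacks our prefix."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    rec = {"chain": m.group("chain")}
    rec.update(FIELD_RE.findall(rest))
    rec["flags"] = {tok for tok in rest.split() if "=" not in tok}  # DF, SYN, ACK ...
    return rec

def unsolicited_to_wifi(lines, lan="eth0", wifi="wlan0"):
    """(src, dst, proto, dport) of LAN->WiFi packets that fell through to the LOG rule.
    rc.iptables accepts everything from wlan0 to eth0 and only RELATED,ESTABLISHED
    from eth0 to wlan0, so a logged FORWARD packet from eth0 is a new connection
    attempt toward a wireless client; with policy ACCEPT it was forwarded anyway."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["chain"] == "FORWARD" and rec.get("IN") == lan and rec.get("OUT") == wifi:
            hits.append((rec["SRC"], rec["DST"], rec.get("PROTO", "?"), rec.get("DPT", "-")))
    return hits

def top_sources(lines, **kw):
    """LAN hosts probing wireless clients, most active first."""
    return Counter(src for src, _, _, _ in unsolicited_to_wifi(lines, **kw))

if __name__ == "__main__":
    for src, dst, proto, dport in unsolicited_to_wifi(SAMPLE_LOG.splitlines()):
        print(f"{src} -> {dst} {proto}/{dport}")
    print(top_sources(SAMPLE_LOG.splitlines()).most_common())
```

On the box, feed it the kernel log instead of SAMPLE_LOG (for example the lines of /var/log/kern.log or dmesg output that contain FIREWALL:).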
--
http://linuxfromscratch.org/mailman/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page