Hi all,

I put my notes on how I built a wireless access point together into a hint. I hope someone likes it.

Regards,
Thomas
AUTHOR:         Thomas de Roo <tho...@de-roo.org>

DATE:           21-08-2013

LICENSE:        Free

SYNOPSIS:       Build a WiFi AccessPoint using (B)LFS

DESCRIPTION:    This hint will describe how you can build a WiFi AccessPoint
                with (B)LFS. It will turn your LFS-box into a NATing router
                for your wireless clients. hostapd will create the
                WiFi-connections.

PREREQUISITES:  A PC with a NIC and a WiFi-adapter,
                LFS installed,
                From BLFS: dhcpd, sqlite3, libnl-3.2, iptables, openssl
                Optional: git

HINT:



CONTENTS:
---------
1) Introduction
2) Kernel options
3) Setup the WiFi-adapter
4) Installing hostapd
5) Configure hostapd
6) Starting hostapd
7) Configuring dhcpd
8) Configuring iptables

1) Introduction:
----------------
This hint reflects how I used LFS to set up a WiFi AccessPoint. I use hostapd to
create the wireless network, and use the LFS-box as a masquerading box to give
the wireless clients access to the LAN and the internet.
I assume the prerequisites are installed as per the BLFS instructions.
Before we begin we need to identify the network devices of the PC. In my setup,
eth0 is the LAN device and wlan0 is the WiFi device.
I use git to download the sources of hostapd. You can also download and unpack
a release tarball instead. Also, we need to make an IP plan for the subnets.
In my setup, I use 192.168.0.0/24 for the LAN, and 192.168.5.0/24 for the WiFi.
Look up what you use as a DNS server. I use 192.168.0.1.

2) Kernel options:
------------------
Make sure you compile the netfilter modules. See iptables in the BLFS book for
more info. The driver of the WiFi-adapter must also support AP mode through
nl80211 (cfg80211/mac80211 in the kernel); if you have iw installed, "iw list"
shows the supported interface modes of the adapter, and AP has to be one of them.

3) Setup the WiFi-adapter:
--------------------------
cat > /etc/sysconfig/ifconfig.wlan0 << "EOF"
ONBOOT=yes
IFACE=wlan0
SERVICE="ipv4-static"
IP=192.168.5.1
GATEWAY=
PREFIX=24
BROADCAST=192.168.5.255
EOF
/etc/rc.d/init.d/network start

4) Installing hostapd:
----------------------
git clone git://w1.fi/srv/git/hostap.git hostap &&
cd hostap/hostapd &&
cat > .config << "EOF" &&
CONFIG_DEBUG_FILE=y
CONFIG_DRIVER_HOSTAP=y
CONFIG_DRIVER_NL80211=y
CONFIG_DRIVER_RADIUS_ACL=y
CONFIG_EAP=y
CONFIG_EAP_AKA=y
CONFIG_EAP_AKA_PRIME=y
CONFIG_EAP_EKE=y
CONFIG_EAP_FAST=y
CONFIG_EAP_GPSK=y
CONFIG_EAP_GPSK_SHA256=y
CONFIG_EAP_GTC=y
CONFIG_EAP_IKEV2=y
CONFIG_EAP_MD5=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_PAX=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_PSK=y
CONFIG_EAP_PWD=y
CONFIG_EAP_SAKE=y
CONFIG_EAP_SIM=y
CONFIG_EAP_TLS=y
CONFIG_EAP_TNC=y
CONFIG_EAP_TTLS=y
CONFIG_FULL_DYNAMIC_VLAN=y
CONFIG_IAPP=y
CONFIG_IEEE80211AC=y
CONFIG_IEEE80211N=y
CONFIG_PEERKEY=y
CONFIG_PKCS12=y
CONFIG_RSN_PREAUTH=y
CONFIG_SQLITE=y
CONFIG_TLS=openssl
CONFIG_VLAN_NETLINK=y
CONFIG_WNM=y
CONFIG_WPS2=y
CONFIG_WPS=y
CONFIG_WPS_NFC=y
CONFIG_WPS_UPNP=y
CONFIG_LIBNL32=y
CFLAGS += -I/usr/include/libnl3
LIBS += -lnl-genl-3 -lnl-3
EOF
make &&
cp -v hostapd /usr/bin/ &&
cp -v hostapd_cli /usr/bin/ &&
cp -v *.8 /usr/share/man/man8/ &&
cp -v *.1 /usr/share/man/man1/

5) Configure hostapd:
---------------------
cat > /etc/hostapd.conf << "EOF" &&
beacon_int=100
channel=9
country_code=NL
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
hw_mode=g
ieee80211d=1
ieee80211h=1
ieee80211n=1
interface=wlan0
# hostapd takes the ssid value literally, quotes included; do not quote it
# (ssid2 is the variant that accepts a quoted string).
ssid=LFS-Box
# WPA2 (RSN) only, PSK authentication, CCMP (AES) only. Without rsn_pairwise
# hostapd uses the wpa_pairwise default, which includes TKIP.
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# Replace with your own passphrase (8 to 63 characters). It is stored here in
# clear text, so keep this file readable by root only.
wpa_passphrase=Sup3rS3cr3t
EOF
cat > /etc/rc.d/init.d/hostapd << "EOF" &&
#!/bin/sh
########################################################################
# Begin hostapd
#
# Description : Start hostap daemon
#
# Author      : Bruce Dubbs - bdu...@linuxfromscratch.org
#
# Version     : LFS 7.0
#
########################################################################

### BEGIN INIT INFO
# Provides:            hostap
# Required-Start:      $network
# Should-Start:        $remote_fs haldaemon
# Required-Stop:       $network
# Should-Stop:         haldaemon $remote_fs
# Default-Start:       3 4 5
# Default-Stop:        0 1 2 6
# Short-Description:   Starts hostap daemon.
# Description:         Starts hostap daemon.
# X-LFS-Provided-By:   BLFS / LFS 7.0
### END INIT INFO

. /lib/lsb/init-functions

#$LastChangedBy: dj $
#$Date: 2011-12-05 07:38:40 +0000 (Mon, 05 Dec 2011) $

case $1 in
   start)
      log_info_msg "Starting hostap daemon..."
      # -t: timestamps in the log, -B: run in the background,
      # -P: pid file, -f: log file; the configuration file comes last.
      start_daemon /usr/bin/hostapd -t -B -P /var/run/hostapd.pid \
                   -f /var/log/hostapd.log /etc/hostapd.conf
      evaluate_retval
      ;;

   stop)
      log_info_msg "Stopping hostap daemon..."
      killproc /usr/bin/hostapd
      evaluate_retval
      ;;

   restart)
      $0 stop
      sleep 1
      $0 start
      ;;

   status)
      statusproc /usr/bin/hostapd
      ;;

   *)
      echo "Usage: $0 {start|stop|restart|status}"
      exit 1
      ;;
esac

# End /etc/init.d/hostapd
EOF
chmod a+x /etc/rc.d/init.d/hostapd &&
ln -sv  ../init.d/hostapd /etc/rc.d/rc3.d/S22hostapd &&
ln -sv  ../init.d/hostapd /etc/rc.d/rc4.d/S22hostapd &&
ln -sv  ../init.d/hostapd /etc/rc.d/rc5.d/S22hostapd &&
ln -sv  ../init.d/hostapd /etc/rc.d/rc0.d/K10hostapd &&
ln -sv  ../init.d/hostapd /etc/rc.d/rc1.d/K10hostapd &&
ln -sv  ../init.d/hostapd /etc/rc.d/rc2.d/K10hostapd &&
ln -sv  ../init.d/hostapd /etc/rc.d/rc6.d/K10hostapd
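
Before starting hostapd it is worth checking /etc/hostapd.conf for the mistakes
that are easy to make in it. The following shell script is an added example, not
part of this hint or of hostapd: it reads a hostapd.conf and warns about a quoted
ssid, a wpa value other than 2, a missing rsn_pairwise=CCMP, a passphrase of the
wrong length, and a file that is readable by others. The function names
check_hostapd_conf and conf_val, and the sample config it runs on at the end,
are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the hint: a small checker for the kind of
# hostapd.conf written in section 5. It flags what a reviewer would catch
# before starting hostapd. Messages go to stderr; the number of problems
# found is printed on stdout so it can be used from other scripts.

# conf_val FILE KEY: the value of KEY in FILE. The last KEY=value line wins;
# comment and blank lines are skipped because they never start with KEY=.
conf_val() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

check_hostapd_conf() {
    f=$1
    n=0
    warn() { echo "$f: $1" >&2; n=$((n + 1)); }

    # hostapd takes the ssid value literally, so ssid="LFS-Box" creates a
    # network whose name includes the quotes (ssid2 is the quoted variant).
    ssid=$(conf_val "$f" ssid)
    case $ssid in
        "") warn "ssid is not set" ;;
        \"*\") warn "ssid is quoted; hostapd keeps the quotes in the SSID" ;;
    esac

    # wpa is a bit field: 1 = WPA, 2 = WPA2/RSN, 3 = both. Only 2 is wanted.
    wpa=$(conf_val "$f" wpa)
    [ "$wpa" = 2 ] || warn "wpa=${wpa:-unset}; use wpa=2 so WPA1 is not offered"

    # Without an explicit rsn_pairwise=CCMP, TKIP can end up in the cipher list.
    rsn=$(conf_val "$f" rsn_pairwise)
    [ "$rsn" = CCMP ] || warn "rsn_pairwise=${rsn:-unset}; set rsn_pairwise=CCMP"

    # hostapd refuses to start with a passphrase outside 8..63 characters.
    pass=$(conf_val "$f" wpa_passphrase)
    if [ -n "$pass" ]; then
        { [ ${#pass} -ge 8 ] && [ ${#pass} -le 63 ]; } ||
            warn "wpa_passphrase must be 8 to 63 characters long"
    elif [ -z "$(conf_val "$f" wpa_psk)" ]; then
        warn "neither wpa_passphrase nor wpa_psk is set"
    fi

    # The passphrase is stored in clear text, so the file must be root-only.
    if [ -n "$(find "$f" -perm -g+r -o -perm -o+r)" ]; then
        warn "readable by group or others; chmod 600 $f"
    fi

    echo "$n"
}

# Demonstration on a constructed copy of the hint's original config (a temp
# file, not the real /etc/hostapd.conf).
demo=$(mktemp)
chmod 600 "$demo"
cat > "$demo" << "EOF"
interface=wlan0
ssid="LFS-Box"
wpa=2
wpa_passphrase=Sup3rS3cr3t
EOF
check_hostapd_conf "$demo"   # prints 2: quoted ssid, rsn_pairwise missing
rm -f "$demo"
```

Run it as root against the real file with check_hostapd_conf /etc/hostapd.conf;
a result of 0 means none of the checks fired. The file mode check uses find
rather than stat so it works with any POSIX find.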



6) Starting hostapd:
--------------------
/etc/rc.d/init.d/hostapd start

Check /var/log/hostapd.log for the results. Your wireless clients should be
able to see and connect to the network now. DHCP isn't working yet though.

7) Configuring dhcpd:
---------------------
If you have dhcpd already running for the LAN, you need to add a scope for
the subnet of the WiFi:

cat >> /etc/dhcp/dhcpd.conf << "EOF"
# This is the scope for the wireless-clients:
subnet 192.168.5.0 netmask 255.255.255.0 {
  authoritative;
  range 192.168.5.101 192.168.5.199;
  option domain-name "lan";
  option domain-name-servers 192.168.0.1;
  option routers 192.168.5.1;
}
EOF

Restart dhcpd afterwards. If it is started with an explicit list of interfaces,
add wlan0 to that list; without such a list dhcpd serves every interface that
has a matching subnet.

8) Configuring iptables:
------------------------
The interface names must match the ones identified in the introduction: eth0
for the LAN and wlan0 for the WiFi.

cat > /etc/rc.d/rc.iptables << "EOF" &&
#!/bin/sh

# Begin rc.iptables

echo
echo "This script is just an example to get the WiFi AccessPoint working."
echo "If you need a secure firewall, make sure you adjust it!!!"
echo

# Insert iptables modules (not needed if built into the kernel).

modprobe nf_conntrack
modprobe nf_conntrack_ftp
modprobe xt_conntrack
modprobe xt_LOG
modprobe xt_state

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Be verbose on dynamic ip-addresses  (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Masquerade the wireless clients behind the LAN address (eth0) and only
# forward LAN -> WiFi traffic that belongs to a connection a client opened.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

# (last of all rules, but before policy rules)
# Note: this script sets no policies and has no ACCEPT rules in INPUT and
# OUTPUT, so the INPUT and OUTPUT rules below log every packet the box itself
# sends or receives. Add the accept rules and policies you need before relying
# on this log.
iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "

# Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
chmod a+x /etc/rc.d/rc.iptables &&
/etc/rc.d/init.d/iptables start
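
The same NAT and forwarding rules once more, as an added example that is not
part of this hint: a shell function that takes the LAN and WiFi interface names
as parameters, so they are set in one place, adds a rate limit to the FORWARD
log rule and ends the FORWARD chain with a DROP policy. The function name
ap_nat_rules and the IPT variable are mine; with IPT=echo the rules are printed
instead of applied, which is how the dry run at the end works.

```shell
#!/bin/sh
# Added example, not part of the hint: the NAT and forwarding rules of
# rc.iptables, generated from one pair of interface variables so the LAN and
# WiFi names cannot drift apart. IPT is the command each rule is passed to;
# IPT=echo prints the rule set instead of changing the kernel's tables.

IPT=${IPT:-iptables}

# ap_nat_rules LAN_IF WIFI_IF
# Applies the rules through $IPT. Returns 1, applying nothing, when an
# interface name is missing or both names are the same.
ap_nat_rules() {
    lan=$1
    wifi=$2
    if [ -z "$lan" ] || [ -z "$wifi" ] || [ "$lan" = "$wifi" ]; then
        echo "ap_nat_rules: need two different interface names" >&2
        return 1
    fi

    # Masquerade the wireless clients behind the LAN address.
    $IPT -t nat -A POSTROUTING -o "$lan" -j MASQUERADE

    # WiFi -> LAN is allowed; LAN -> WiFi only for flows a client opened.
    $IPT -A FORWARD -i "$wifi" -o "$lan" -j ACCEPT
    $IPT -A FORWARD -i "$lan" -o "$wifi" -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Log what is left, rate limited so a scan cannot flood the log, and drop
    # it by policy. The hint's script logs without a limit and sets no policy.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FIREWALL:FORWARD "
    $IPT -P FORWARD DROP
}

# Dry run with the interface names used in this hint.
IPT=echo ap_nat_rules eth0 wlan0
```

To apply it for real, call ap_nat_rules eth0 wlan0 as root with IPT unset, from
rc.iptables after the sysctl settings and before ip_forward is enabled. INPUT
and OUTPUT are left alone, so the box itself still answers the DHCP and DNS
requests of the wireless clients.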



Now the wireless clients should be able to connect and use your LAN! If the
routes on the LFS-box are set to connect to the internet, your wireless
clients should be able to do so now too. In my setup, my internet-router
on the LAN is a NATing router itself. So the wireless clients go through
two NATing routers. This is not ideal.

CHANGELOG:

        [21-08-2013]
        * initial hint

-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-support