Autor: Víctor Escudero Rubio
 Sun-Microsystems.ORG                           Basado en el Excelente trabajo de
Antonio Anselmi 
This document can be accessed at http://sun-microsystems.org/fonera/

Sacando partido a 'La Fonera'
Configuración: Repetidor / Punto de Acceso / Tarjeta inalámbrica (script bridge)

Este script bridge debe ser copiado al directorio /etc de la fonera, hacerlo ejecutable con chmod +x /etc/bridge e intentar lanzarlo a mano para ver si todo va bien. Si todo funciona como se esperaba entonces la fonera repetirá la señal de un Punto de acceso cercano. Adicionalmente a este script /etc/bridge, existen unos ficheros de configuración adicionales que deberías descargar y ajustar a tus necesidades. Estos ficheros son /etc/dnsmasq_repeater-br0.conf, /etc/dnsmasq_repeater-ath0.conf, /etc/dnsmasq_repeater-eth0.conf y por último el más importante /etc/config/bridge.conf, el cual controla toda la parametrización sobre qué red se quiere repetir, si se desea hacer broadcast en abierto o con wpa2, etc. Ten en cuenta que el script carga /etc/config/bridge.conf con `.` (es decir, lo ejecuta como root) y que ese fichero contiene las claves WEP/WPA, así que debe pertenecer a root y no ser legible ni modificable por otros usuarios.

Si tras ejecutar a mano el script /etc/bridge todo funciona como uno espera, entonces se podría añadir al arranque automático de tu fonera copiando o enlazando el ejecutable así: ln /etc/bridge /etc/init.d/S98ponte2 y listo. NOTA: durante las pruebas no se recomienda hacer esto, pues en caso de no enlazar con ningún punto de acceso, no podremos entrar a nuestra fonera con facilidad.
Si esto ocurriese, podríamos intentar entrar poniéndonos una IP fija como por ejemplo 169.254.255.2 y máscara 255.255.255.0 (o una máscara de tipo B si se prefiere) y tratar de entrar a la IP que la fonera siempre mantiene en la 169.254.255.1.

Si se pretende enlazar a un punto de acceso con autenticación WPA-PSK, también debes de descargar e instalar los paquetes wpa_supplicant y libopenssl.
(La instalación es tan simple como hacer un 'ipkg install wpa_supplicant.ipk' y un 'ipkg install libopenssl.ipk')


La descarga de todos estos ficheros de configuración junto con el script /etc/bridge puedes realizarla desde esta página:
aquí

Desde tu fonera puedes descargarlo simplemente tecleando: 'wget http://sun-microsystems.org/fonera/hacks/scripts/bridge_mode-2007-03-25.tar'

download /etc/bridge

#!/bin/sh
# /etc/bridge
#****************************************************************************
#.- 20070320 version
#.- Script modified by Victor Escudero <Linux.RuleThemAll(at)yahoo(dot)es> ,
#.- based on the excellent work of Antonio Anselmi (http://www.blogin.it)
#.-
#****************************************************************************

#----------------------------------------------------------------------------
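# setup_env. Loads the defaults and /etc/config/bridge.conf, stops the daemons
# that would fight with this script and resets netfilter to a clean state.
# Globals written: logDir tmpDir acl_list myself logFile datevar IWCONFIG
#   IFCONFIG WLANCONFIG IWPRIV NETFILTER ROUTE showresults, plus every variable
#   bridge.conf defines.
# Exits 1 when /etc/config/bridge.conf is missing.
setup_env () {
# Set the default values of all environment variables here
logDir=/var/log
tmpDir=/tmp
acl_list=/etc/acl_list.conf
myself=${0##*/}
logFile=$logDir/$myself.log
datevar=$(date)
IWCONFIG=/usr/sbin/iwconfig
IFCONFIG=/sbin/ifconfig
WLANCONFIG=/usr/sbin/wlanconfig
IWPRIV=/usr/sbin/iwpriv
NETFILTER=/usr/sbin/iptables
ROUTE=/sbin/route
#.-
showresults=0
#.-
rm -f /tmp/results
#
echo "$datevar: start" >> "$logFile"
# bridge.conf is sourced, not parsed: whatever it contains runs as root and it
# holds the WEP/WPA secrets, so it must be owned by and readable only by root.
if [ -f /etc/config/bridge.conf ]; then
. /etc/config/bridge.conf
else
echo "/etc/config/bridge.conf not found"
echo "/etc/config/bridge.conf not found" >> "$logFile"
echo "stop and exit" >> "$logFile"
exit 1
fi

# ip_forward is enabled by default in fonera configuration
# echo 1 > /proc/sys/net/ipv4/ip_forward

# stop daemons that would otherwise compete with this script.
# If you are not willing to use the web interface, stop it here as well:
# _stop_daemon httpd
_stop_daemon crond
_stop_daemon dnsmasq
killall -9 udhcpc > /dev/null 2>&1
#.- If you've run this script before maybe wpa_supplicant could be running
_stop_daemon wpa_supplicant
#.- Maybe hostapd is running because of Whisher signal
_stop_daemon hostapd

# flush_netfilter tables
# NOTE(review): every chain is left with policy ACCEPT, so any service
# listening on the fonera (ssh, httpd) is reachable from the repeated network
# through ath1 as well as from the local clients.  Add INPUT rules after this
# point if that is not wanted.
$NETFILTER -F
$NETFILTER -P INPUT ACCEPT
$NETFILTER -P OUTPUT ACCEPT
$NETFILTER -P FORWARD ACCEPT
$NETFILTER -t nat -F
echo "netfilter tables flushed" >> "$logFile"
} # setup_env

# _stop_daemon NAME. Sends SIGTERM to every running process called NAME and
# quietly does nothing when none is running.
_stop_daemon () {
local pids
pids=$(pidof "$1")
if [ -n "$pids" ]; then
# unquoted on purpose: pidof returns a space separated list
kill $pids > /dev/null 2>&1
fi
}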


#-------------------------------------------------------------------------------
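# hardening. Tightens a few TCP/IP sysctls when khard=1 and turns on martian
# logging when klog=1 (both from bridge.conf).
# The sysctl tree defaults to /proc/sys/net/ipv4 and can be pointed elsewhere
# through SYSCTL_ROOT (useful for testing).  Knobs whose file does not exist
# (e.g. the ath1 entries when only_AP=1) are skipped instead of producing
# "No such file" noise.
# Globals read: khard klog logFile SYSCTL_ROOT.
hardening () {
local root=${SYSCTL_ROOT:-/proc/sys/net/ipv4}
local devs="all lo eth0 ath0 ath1 default"
local dev
if [ "$khard" = 1 ]; then
# Disable tcp_sack support
_sysctl_set "$root/tcp_sack" 0
# Disable TCP window_scaling
_sysctl_set "$root/tcp_window_scaling" 0
# Enable TCP SYN Cookie protection
_sysctl_set "$root/tcp_syncookies" 1
for dev in $devs; do
# Disable source routing
_sysctl_set "$root/conf/$dev/accept_source_route" 0
# No ICMP Redirect
_sysctl_set "$root/conf/$dev/accept_redirects" 0
# Enable IP spoofing protection (reverse path filter)
_sysctl_set "$root/conf/$dev/rp_filter" 1
done
echo "fonera hardened" >> "$logFile"
fi

if [ "$klog" = 1 ]; then
# Log packets with impossible source addresses.  (The previous version had a
# stray " = 1" after the redirection, so the kernel received "1 = 1" instead
# of "1".)
for dev in $devs; do
_sysctl_set "$root/conf/$dev/log_martians" 1
done
echo "logging malicious packests activated" >> "$logFile"
fi
} # hardening

# _sysctl_set FILE VALUE. Writes VALUE into FILE when FILE exists.
_sysctl_set () {
if [ -e "$1" ]; then
echo "$2" > "$1"
fi
}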


#-------------------------------------------------------------------------------
create_AP () {
# ath0 is the access point side and must be the first VAP created on wifi0.
# A stale ath0 from a previous run is torn down before re-creating it.
local vap=ath0
$WLANCONFIG "$vap" destroy
$WLANCONFIG "$vap" create wlandev wifi0 wlanmode ap
echo "created VAP $vap as AP" >> "$logFile"
} # create_AP


#-------------------------------------------------------------------------------
create_STA () {
# ath1 is the station (client) side, created after ath0.
# nosbeacon: this VAP does not use the hardware beacon timers.
local vap=ath1
$WLANCONFIG "$vap" destroy
$WLANCONFIG "$vap" create wlandev wifi0 wlanmode sta nosbeacon
echo "created VAP $vap as station" >> "$logFile"
} # create_STA

#-------------------------------------------------------------------------------
create_MONITOR () {
# Third VAP, ath2, in monitor (sniffer) mode.  Remove a stale ath2 first.
if $IFCONFIG ath2 >/dev/null 2>&1; then
$WLANCONFIG ath2 destroy
fi
# Header format for captured frames, selected by kheaders in bridge.conf.
# NOTE(review): the value is written to ath0's dev_type (not ath2's) and
# before ath2 exists -- confirm against the madwifi docs that this is intended.
local devtype=""
case "$kheaders" in
11) devtype=801 ;; # Only 802.11 headers
2) devtype=802 ;;  # Prism2 headers
3) devtype=803 ;;  # Radiotap headers
4) devtype=804 ;;  # Atheros Descriptors
esac
if [ -n "$devtype" ]; then
echo "$devtype" > /proc/sys/net/ath0/dev_type
fi
$WLANCONFIG ath2 create wlandev wifi0 wlanmode monitor
$IFCONFIG ath2 up
echo "created VAP ath2 as monitor" >> "$logFile"
} # create_MONITOR

#-------------------------------------------------------------------------------
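# catchExternalESSID. Derives our own AP name from the ESSID ath1 is associated
# to: SSID_ath0 becomes "relay_<external essid>".
# The essid is taken from the quoted ESSID:"..." field of iwconfig output
# instead of cutting fixed columns, so it survives different mode strings
# (11a/11b/11g), a Nickname field on the same line and essids of any length.
# The external essid is untrusted input: it is only ever passed on quoted.
# Globals read: IWCONFIG.  Globals written: SSID_ath0.
catchExternalESSID() {
local essid
essid=$($IWCONFIG ath1 | sed -n 's/.*ESSID:"\([^"]*\)".*/\1/p' | head -n 1)
SSID_ath0="relay_$essid"
} # catchExternalESSID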

#-------------------------------------------------------------------------------
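# setup_wpa_ath0. Starts hostapd on ath0 with WPA/WPA2-PSK taken from
# bridge.conf (wpamode, wpapairwise, wpapassphrase).
# The generated config holds the passphrase in clear, so it is created with
# mode 0600 (umask 077 inside a subshell, leaving the script's umask alone)
# instead of the world-readable default.
# Returns 1 without starting hostapd when wpapassphrase is empty: hostapd
# would refuse it and ath0 would silently stay an open AP.
# Globals read: wpamode wpapairwise wpapassphrase logFile.
setup_wpa_ath0 () {
local conf=/tmp/hostapd_repeater.conf
local pids

if [ -z "$wpapassphrase" ]; then
echo "error: kwpa=1 but wpapassphrase is empty, hostapd not started" >> "$logFile"
return 1
fi

pids=$(pidof hostapd)
if [ -n "$pids" ]; then
kill $pids > /dev/null 2>&1
fi

rm -f "$conf"
( umask 077; cat > "$conf" <<EOF
interface=ath0
driver=madwifi
debug=0
eapol_key_index_workaround=1
wpa=$wpamode
wpa_pairwise=$wpapairwise
wpa_passphrase=$wpapassphrase
wpa_group_rekey=3600
EOF
)

hostapd -B "$conf"
}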

#-------------------------------------------------------------------------------
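# setup_AP. Configures ath0 (our access point side) from bridge.conf:
# radio mode (wMode), essid (SSID_ath0, or relay_<external> when kssid=1),
# optional WEP key (kwep, WepKeyAscii_ath0 / WepKeyHex_ath0), shared-key auth
# (ath0_authmode=2), WPA through hostapd (kwpa=1), ssid hiding (hideSSID) and
# a MAC ACL (aclMode, acl_list).
# Unlike the previous version the WEP key itself is no longer written to the
# log file; only the fact that one was set is logged.
# Globals read: IWPRIV IWCONFIG acl_list logFile plus the bridge.conf vars.
setup_AP () {
local mac

# wireless mode
case "$wMode" in
0) $IWPRIV ath0 mode auto ;;
1) $IWPRIV ath0 mode 11a ;;
2) $IWPRIV ath0 mode 11b ;;
3) $IWPRIV ath0 mode 11g ;;
4) $IWPRIV ath0 mode fh ;;
5) $IWPRIV ath0 mode 11adt/111at ;; # NOTE(review): looks copied from help text, verify the accepted mode name
6) $IWPRIV ath0 mode 11gdt/11gt ;;  # NOTE(review): same
7) $IWPRIV ath0 mode 11ast ;;
esac

# essid: fixed from bridge.conf, or derived from the AP we repeat
if [ "$kssid" = 1 ]; then
catchExternalESSID
fi
$IWCONFIG ath0 essid "$SSID_ath0"
echo "setting AP essid to ath0: $SSID_ath0"

# WEP key (a secret: kept out of the log)
case "$kwep" in
1) # WEP key as ASCII string
$IWCONFIG ath0 key "s:$WepKeyAscii_ath0"
echo "ath0 ascii WEP key set" >> "$logFile"
;;
2) # WEP key in hex
$IWCONFIG ath0 key "$WepKeyHex_ath0"
echo "ath0 hex WEP key set" >> "$logFile"
;;
esac

# shared-key authentication
if [ "$ath0_authmode" = 2 ]; then
$IWPRIV ath0 authmode "$ath0_authmode"
fi

# WPA/WPA2 through hostapd
if [ "$kwpa" = 1 ]; then
setup_wpa_ath0
fi

# 802.11 SSID broadcasting on ath0: on by default, off when hideSSID=1
$IWPRIV ath0 hide_ssid 0
if [ "$hideSSID" = 1 ]; then
$IWPRIV ath0 hide_ssid 1
fi

# ACL management: maccmd 3 flushes the list, 1 = allow only listed MACs,
# 2 = deny listed MACs.  An unreadable acl_list is logged rather than silently
# producing an empty list (which means "nobody" for mode 1 and "everybody"
# for mode 2).
case "$aclMode" in
1|2)
$IWPRIV ath0 maccmd 3
$IWPRIV ath0 maccmd "$aclMode"
if [ -r "$acl_list" ]; then
for mac in $(cat "$acl_list"); do
$IWPRIV ath0 addmac "$mac"
done
else
echo "warning: aclMode=$aclMode but $acl_list is not readable" >> "$logFile"
fi
;;
*) # no ACL checking is performed
$IWPRIV ath0 maccmd 0
;;
esac

} # setup_AP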

#-------------------------------------------------------------------------------
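# setup_STA. Configures ath1 (station side) to associate with the external AP
# selected by ath1_mode in bridge.conf and gives it an IP address:
#   1 = any AP, DHCP          2 = by essid (TargetSsid)   3 = by MAC (TargetMac)
#   4 = WPA-PSK (TargetWpa + /etc/wpa_supplicant.conf, needs wpa_supplicant)
#   5/6 = WEP ascii/hex key (WepKeyAscii_ath1 / WepKeyHex_ath1), target from
#         TargetWepSsid or TargetWepMac, optional shared-key auth
# The IP side is DHCP when ath1_mode=1 or ath1_dhcp=1, otherwise static
# (IP_ath1, MASK_ath1, DFGW, NAMESERVER1..3).  Everything leaving through ath1
# is masqueraded at the end.
# The resolver file written in the static case defaults to /etc/resolv.conf
# and can be redirected with RESOLV_CONF; empty NAMESERVERn entries are
# skipped instead of producing bare "nameserver" lines.
# Exits 1 when a WEP mode is selected without its key.
setup_STA () {
local resolv=${RESOLV_CONF:-/etc/resolv.conf}
local ns

case "$ath1_mode" in

2) # targeted external AP by SSID
$IWCONFIG ath1 mode managed essid "$TargetSsid"
echo "ath1 via SSID: $TargetSsid" >> "$logFile"
;;

3) # targeted external AP by MAC
$IWCONFIG ath1 mode managed ap "$TargetMac"
echo "ath1 via MAC: $TargetMac" >> "$logFile"
;;

4) # targeted external AP via WPA-PSK; wpa_supplicant keeps the association in the background
$IWCONFIG ath1 mode managed essid "$TargetWpa"
$IFCONFIG ath1 up
wpa_supplicant -iath1 -c/etc/wpa_supplicant.conf -B
echo "ath1 interface via WPA PSK" >> "$logFile"
;;

5) # targeted external AP via WEP (ascii key)
if [ -n "$WepKeyAscii_ath1" ]; then
$IWCONFIG ath1 key "s:$WepKeyAscii_ath1"
else
echo "error: ascii WEP key not configured" >> "$logFile"
exit 1
fi
;;

6) # targeted external AP via WEP (hex key)
if [ -n "$WepKeyHex_ath1" ]; then
$IWCONFIG ath1 key "$WepKeyHex_ath1"
else
echo "error: WEP hex key not configured" >> "$logFile"
exit 1
fi
;;

esac

# WEP modes: pick the target by essid, by MAC, or let the driver choose
if [ "$ath1_mode" = 5 ] || [ "$ath1_mode" = 6 ]; then
if [ -n "$TargetWepSsid" ]; then
$IWCONFIG ath1 mode managed essid "$TargetWepSsid"
elif [ -n "$TargetWepMac" ]; then
$IWCONFIG ath1 mode managed ap "$TargetWepMac"
else
echo "No target AP for WEP, we will scan the strongest AP" >> "$logFile"
fi
if [ "$ath1_authmode" = 2 ]; then
$IWPRIV ath1 authmode "$ath1_authmode"
fi
echo "ath1 interface via WEP" >> "$logFile"
fi

# IP config for ath1
if [ "$ath1_mode" = 1 ] || [ "$ath1_dhcp" = 1 ]; then
# dynamic: udhcpc runs in the background, give it a moment to get a lease
echo "waiting 5 seconds to let dhcp gathers info from the AP through ath1 ..."
/sbin/udhcpc -b -i ath1 >> "$logFile"
sleep 5
$IWCONFIG ath1 | grep ESSID | awk '"external AP " {print $4}' >> "$logFile"
echo "ath1 interface via external dhcp" >> "$logFile"
else
# static IP configuration
$IFCONFIG ath1 "$IP_ath1" netmask "$MASK_ath1" up
$ROUTE del default
$ROUTE add default gw "$DFGW"
: > "$resolv"
for ns in "$NAMESERVER1" "$NAMESERVER2" "$NAMESERVER3"; do
if [ -n "$ns" ]; then
echo "nameserver $ns" >> "$resolv"
fi
done
fi
#
$NETFILTER -t nat -A POSTROUTING -o ath1 -j MASQUERADE
} # setup_STA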


#-------------------------------------------------------------------------------
# setup_2ifaces. Gives eth0 and ath0 their own static addresses (no bridge),
# after removing a br0 left over from an earlier run.
# Globals read: IFCONFIG IP_eth0 MASK_eth0 IP_ath0 MASK_ath0 logFile.
setup_2ifaces () {
# a stale bridge would keep the two ports captured
if $IFCONFIG br0 >/dev/null 2>&1; then
$IFCONFIG br0 down
brctl delbr br0
fi

# wired side
$IFCONFIG eth0 "$IP_eth0" netmask "$MASK_eth0" up
echo "eth0 interface: $IP_eth0/$MASK_eth0" >> "$logFile"

# wireless (AP) side
$IFCONFIG ath0 "$IP_ath0" netmask "$MASK_ath0" up
echo "ath0 interface: $IP_ath0/$MASK_ath0" >> "$logFile"
} # setup_2ifaces


#-------------------------------------------------------------------------------
# setup_bridge. Joins eth0 and ath0 into the bridge br0 and gives br0 the
# static address IP_br0/MASK_br0.  A br0 left over from an earlier run is
# removed first so the ports can be re-added cleanly.
# Globals read: IFCONFIG IP_br0 MASK_br0 logFile.
setup_bridge () {
local br=br0

if $IFCONFIG "$br" >/dev/null 2>&1; then
$IFCONFIG "$br" down
brctl delbr "$br"
fi

# bridge ports carry no address of their own
$IFCONFIG eth0 0.0.0.0 up
$IFCONFIG ath0 0.0.0.0 up

brctl addbr "$br"
brctl addif "$br" eth0
brctl addif "$br" ath0

$IFCONFIG "$br" "$IP_br0" netmask "$MASK_br0" up
echo "br0 interface: $IP_br0/$MASK_br0" >> "$logFile"
} # setup bridge


#-------------------------------------------------------------------------------
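# std_routing. Enables forwarding, masquerades the traffic leaving through
# ath1 and, when bridge.conf asks for it, port-forwards BitTorrent
# (btorrent=1, IP_client_btorrent, tcp 6890-6899) and xMule/eMule (xmule=1,
# IP_client_xmule, tcp 4662 / udp 4672) from the upstream side to one client.
# These DNAT rules expose that client's ports to the network being repeated.
# The MASQUERADE rule is also added by setup_STA, so it appears twice in the
# nat table (harmless: the first one matches).
# A forward request with no client address is logged and skipped, since
# "--to :port" would be rejected by iptables anyway.
# Globals read: NETFILTER btorrent IP_client_btorrent xmule IP_client_xmule logFile.
std_routing () {
local pt

# forwarding between the subnets
echo 1 > /proc/sys/net/ipv4/ip_forward
$NETFILTER -t nat -A POSTROUTING -o ath1 -j MASQUERADE

# support for p2p
if [ "$btorrent" = 1 ]; then
if [ -n "$IP_client_btorrent" ]; then
for pt in 6890 6891 6892 6893 6894 6895 6896 6897 6898 6899; do
$NETFILTER -t nat -A PREROUTING -i ath1 -p tcp --dport "$pt" -j DNAT --to "$IP_client_btorrent:$pt"
done
else
echo "warning: btorrent=1 but IP_client_btorrent is empty, no port forwarding" >> "$logFile"
fi
fi
if [ "$xmule" = 1 ]; then
if [ -n "$IP_client_xmule" ]; then
# p2p clients open many connections: enlarge the conntrack table
echo "32752" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
$NETFILTER -t nat -A PREROUTING -i ath1 -p tcp --dport 4662 -j DNAT --to "$IP_client_xmule:4662"
$NETFILTER -t nat -A PREROUTING -i ath1 -p udp --dport 4672 -j DNAT --to "$IP_client_xmule:4672"
else
echo "warning: xmule=1 but IP_client_xmule is empty, no port forwarding" >> "$logFile"
fi
fi
} # std_routing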


#-------------------------------------------------------------------------------
# main
#-------------------------------------------------------------------------------
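clear
# learn environment: defaults, bridge.conf, stop daemons, flush netfilter
setup_env

# WIRELESS setup:
# create ath0 as Access Point
create_AP
setup_AP
if [ "$only_AP" != 1 ]; then
# create ath1 as Station
create_STA
setup_STA
fi
# The first setup_AP ran before ath1 associated, so with kssid=1 the relay
# essid may not have been known yet; run it again now.
setup_AP

# IP (ath0 and eth0) setup:
# two separated interfaces (ath0+eth0) or a bridge (br0)
if [ "$bridge_mode" = 1 ]; then
setup_bridge
$NETFILTER -t nat -A POSTROUTING -o br0 -j MASQUERADE
else
setup_2ifaces
$NETFILTER -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$NETFILTER -t nat -A POSTROUTING -o ath0 -j MASQUERADE
fi

# create ath2 as monitor, but only after the other interfaces are
# up and if the variable modeMonitor=1
if [ "$modeMonitor" = 1 ]; then
create_MONITOR
fi

# hardening some TCP/IP parameters
hardening
# and setting some netfilter rules
std_routing

# start DHCP for the client side only: dnsmasq is told to serve the listed
# interface(s), never ath1 (the upstream network)
if [ "$kdhcp" = 1 ]; then
if [ "$bridge_mode" = 1 ]; then
/usr/sbin/dnsmasq --interface=br0 -C /etc/dnsmasq_repeater-br0.conf
else
/usr/sbin/dnsmasq --interface=eth0 -C /etc/dnsmasq_repeater-eth0.conf
/usr/sbin/dnsmasq --interface=ath0 -C /etc/dnsmasq_repeater-ath0.conf
fi
fi

# so, show results.  iwconfig run as root can print the encryption key, so
# the dump is created readable by root only (setup_env removed the old one).
( umask 077; $IWCONFIG > /tmp/results; $IFCONFIG >> /tmp/results )
clear
if [ "$showresults" = 1 ]; then
/bin/more /tmp/results
fi
exit 0
# Enjoy your Fonera !!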

Configuración: leer la página sobre la configuración de /etc/config/bridge.conf y los scripts para dnsmasq aquí
