This configuration uses WPA-PSK with AES (CCMP) encryption on the wireless LAN; the relevant settings are in the hostapd.conf and wpa_psk files at the end of the listing.
Debian 'Lenny' 2.6.24-1-686
Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ as eth0
Accton Technology Corporation SMC2-1211TX as eth1
3com 3CRDAG675B/Atheros Communications Inc. AR5413 802.11abg NIC as wifi0/wlan0
eth0: Wired WAN Interface
eth1: Wired LAN Interface
wlan0: Wireless LAN Interface
wifi0: Wireless LAN Interface (the actual physical interface; wlan0 is a virtual interface that wlanconfig creates on top of wifi0. Configure wlan0, not wifi0!)
br0: Wired/Wireless LAN Bridge
/etc/init.d/router:
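### Configure the Wireless AP and Integrate the Wireless NIC with the LAN
# Delete the wireless vlan interface and remake as a Master (HostAP mode).
# The destroy is expected to fail harmlessly if wlan0 does not exist yet.
wlanconfig wlan0 destroy
wlanconfig wlan0 create wlandev wifi0 wlanmode master
# Configure the wireless interface. The essid must match ssid= in
# /etc/hostapd/hostapd.conf, which is the file hostapd actually uses.
iwconfig wlan0 essid "NTech Router 1" channel 6 mode Master rate 11M auto txpower auto
# Bridge members carry no IP address of their own; the bridge gets the LAN address
ifconfig eth1 0.0.0.0 up
ifconfig wlan0 0.0.0.0 up
# Configure the bridge for joining the Wired and Wireless interfaces into a LAN
brctl addbr br0
brctl addif br0 eth1
brctl addif br0 wlan0
# Sets the bridges LAN settings like Netmask and IP
ifconfig br0 192.168.6.1 netmask 255.255.255.0 up
# Run the wireless encryption daemon for WPA-PSK (-B = daemonise, -dd = verbose
# debug to syslog/stdout). hostapd exits non-zero if it cannot load its config or
# the PSK file; at that point wlan0 is already up in Master mode with an SSID and
# is a member of br0, so fail closed and take the radio down rather than leave an
# unprotected AP on the LAN bridge (madwifi beacons without hostapd -- confirm on
# this driver version).
hostapd -Bdd /etc/hostapd/hostapd.conf || {
	echo "hostapd failed to start; taking wlan0 down" >&2
	ifconfig wlan0 down
}
### Load the firewall settings FIRST ...
/etc/fw-core.cfg
### ... and only then enable IP Forwarding. Previously forwarding was switched on
### at the very top, so the box routed between WAN and LAN with an empty rule set
### (FORWARD policy ACCEPT) until the firewall script had finished.
echo 1 >/proc/sys/net/ipv4/ip_forward
echo "NTech Router Config executed..."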
/etc/fw-core.cfg:
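### Clean IPTABLES -- flush the filter table AND the nat table. Flushing only the
### filter table (the old behaviour) meant every re-run of this script appended a
### duplicate MASQUERADE rule and duplicate DNAT rules from fw-cust.cfg.
/sbin/iptables -F
/sbin/iptables -t nat -F
### Default policies. FORWARD was previously left at the kernel default of ACCEPT,
### so with ip_forward=1 every routed packet was forwarded regardless of the
### per-port FORWARD rules in fw-cust.cfg (they never had any effect). Make it
### default-deny and open only what is needed below. INPUT/OUTPUT stay ACCEPT:
### lo and the LAN bridge are trusted and eth0 is closed by the REJECTs at the
### end of this file.
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
### Allows us to Masquerade the data going OUT of the External NIC
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
### Forwarding: anything that originates on the LAN bridge may be forwarded (this
### also covers wired<->wireless traffic that the bridge hands to iptables when
### bridge-nf-call-iptables is enabled), and replies to it may come back in.
### New inbound connections from eth0 are only allowed by the explicit port
### forwards in fw-cust.cfg.
/sbin/iptables -A FORWARD -i br0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
### Allow routines for Firewall: replies to connections the router itself opened
/sbin/iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
### Custom Rules (per-port ACCEPTs on eth0 and DNAT port forwards)
/etc/fw-cust.cfg
### Reject these AFTER allow routines. NOTE(review): only TCP and UDP are rejected
### here; ICMP and any other IP protocol arriving on eth0 still reaches the host.
### Add explicit rules here if that is not what you want.
/sbin/iptables -A INPUT -i eth0 -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -i eth0 -p udp -j REJECT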
/etc/fw-cust.cfg:
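### NOTES:
### eth0 WAN; eth1 Wired LAN; wlan0 Wireless LAN; br0 Wired/Wireless Bridge
### Use eth0 for External and br0 for Internal firewalling unless you mean to restrict something based on where its coming from in the LAN
### i.e.: Wireless clients cannot access x.x.x.x:xx while Wired can.
###
### This file is run by /etc/fw-core.cfg between its stateful allow rules and its
### final eth0 REJECT rules, so every ACCEPT below takes effect before the rejects.
### Use the absolute /sbin/iptables path like fw-core.cfg does: an init script
### cannot assume /sbin is on PATH, and a "command not found" here would leave
### the ports closed and the port forwards missing without failing the boot.
###
### SECURITY (review): each rule below exposes a service to the whole Internet
### with no source restriction. FTP (21) carries credentials in clear text; a
### MySQL server (3306) and a Squid proxy (3128) reachable from the WAN invite
### password brute force and open-proxy abuse; RDP (3389) forwarded straight to
### an internal Windows host is widely discouraged. Prefer reaching these over
### SSH (22) or a VPN, and delete or source-restrict (add "-s a.b.c.d") the rules
### you do not actually need.
### Allow FTP 21 on External NIC (eth0)
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
### Allow SSH 22 on External NIC (eth0)
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
### Allow DNS 53 on External NIC (eth0). Only TCP is opened here; DNS is mostly
### UDP, so if this box is meant to serve DNS to the outside a matching
### "-p udp --dport 53" rule is also needed -- and if it is not, remove this one.
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 53 -j ACCEPT
### Allow HTTP 80 on External NIC (eth0)
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
### Allow HTTP (SSL) 443 on External NIC (eth0)
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
### Allow SquidGuard Proxy 3128 on External NIC (eth0) -- see SECURITY note above
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 3128 -j ACCEPT
### Allow MySQL Server 3306 on External NIC (eth0) -- see SECURITY note above
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 3306 -j ACCEPT
### Port forwards: the nat PREROUTING rule rewrites the destination, the FORWARD
### rule then lets the rewritten packet through to the LAN host. Both are needed
### once FORWARD is default-deny.
### Forward IDENTd 113 to 192.168.6.90 (TCP)
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 113 -j DNAT --to 192.168.6.90:113
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.6.90 --dport 113 -j ACCEPT
### Forward Remote Desktop (RDP) 3389 to 192.168.6.90 (TCP) -- see SECURITY note above
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3389 -j DNAT --to 192.168.6.90:3389
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.6.90 --dport 3389 -j ACCEPT
### Forward BitTorrent 6920 to 192.168.6.90 (TCP)
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 6920 -j DNAT --to 192.168.6.90:6920
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.6.90 --dport 6920 -j ACCEPT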
/etc/hostapd/hostapd.conf:
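# Access point settings for the madwifi NIC (wlan0), bridged into br0.
interface=wlan0
bridge=br0
driver=madwifi
# Logging: -1 = all modules, level 2 = informational and above
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=0
# State dump target. NOTE(review): hostapd runs as root, and the old value was a
# fixed, predictable file name in the world-writable /tmp -- a classic symlink
# target. Keep it in a root-owned directory instead.
dump_file=/var/run/hostapd.dump
ctrl_interface=/var/run/hostapd
# Only root (gid 0) may talk to the control socket
ctrl_interface_group=0
# Must match the essid given to iwconfig in /etc/init.d/router
ssid=NTech Router 1
# Optional MAC allow-list. MAC addresses are trivially spoofed, so this is a
# convenience filter only; WPA remains the real access control if enabled.
#macaddr_acl=1
#accept_mac_file=/etc/hostapd/accept
# 1 = Open System authentication only. The old value 3 also advertised Shared Key
# authentication, which is WEP-only and serves no purpose on a WPA network.
auth_algs=1
eapol_key_index_workaround=0
# No RADIUS/EAP: pre-shared keys only
eap_server=0
# 2 = WPA2 (RSN) only. The old value 3 also negotiated WPA1. This is described as
# a WPA-PSK (AES) network and the only pairwise cipher offered is CCMP, so WPA1
# only adds downgrade surface; set it back to 3 only if a client that cannot do
# WPA2 genuinely has to be supported.
wpa=2
# Per-station PSKs; 00:00:00:00:00:00 in that file means "any station".
# Keep the file readable by root only (mode 0600).
wpa_psk_file=/etc/hostapd/wpa_psk
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP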
/etc/hostapd/wpa_psk:
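# Format: <station MAC> <passphrase of 8-63 ASCII chars, or 64 hex digits>
# 00:00:00:00:00:00 tells it to allow all mac addresses to use the same passkey.
# The original passkey "Neowin" was only 6 characters. hostapd requires 8-63 for an
# ASCII passphrase and refuses to load the file otherwise, so the daemon would not
# start -- while wlan0 is already up in Master mode on the LAN bridge. It was also
# a dictionary word: WPA-PSK can be brute-forced offline from a single captured
# handshake, so use a long random passphrase here, and keep this file mode 0600
# owned by root.
00:00:00:00:00:00 CHANGE-ME-to-a-long-random-passphrase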
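### Configure the Wireless AP and Integrate the Wireless NIC with the LAN
# Delete the wireless vlan interface and remake as a Master (HostAP mode).
# The destroy is expected to fail harmlessly if wlan0 does not exist yet.
wlanconfig wlan0 destroy
wlanconfig wlan0 create wlandev wifi0 wlanmode master
# Configure the wireless interface. The essid must match ssid= in
# /etc/hostapd/hostapd.conf, which is the file hostapd actually uses.
iwconfig wlan0 essid "NTech Router 1" channel 6 mode Master rate 11M auto txpower auto
# Bridge members carry no IP address of their own; the bridge gets the LAN address
ifconfig eth1 0.0.0.0 up
ifconfig wlan0 0.0.0.0 up
# Configure the bridge for joining the Wired and Wireless interfaces into a LAN
brctl addbr br0
brctl addif br0 eth1
brctl addif br0 wlan0
# Sets the bridges LAN settings like Netmask and IP
ifconfig br0 192.168.6.1 netmask 255.255.255.0 up
# Run the wireless encryption daemon for WPA-PSK (-B = daemonise, -dd = verbose
# debug to syslog/stdout). hostapd exits non-zero if it cannot load its config or
# the PSK file; at that point wlan0 is already up in Master mode with an SSID and
# is a member of br0, so fail closed and take the radio down rather than leave an
# unprotected AP on the LAN bridge (madwifi beacons without hostapd -- confirm on
# this driver version).
hostapd -Bdd /etc/hostapd/hostapd.conf || {
	echo "hostapd failed to start; taking wlan0 down" >&2
	ifconfig wlan0 down
}
### Load the firewall settings FIRST ...
/etc/fw-core.cfg
### ... and only then enable IP Forwarding. Previously forwarding was switched on
### at the very top, so the box routed between WAN and LAN with an empty rule set
### (FORWARD policy ACCEPT) until the firewall script had finished.
echo 1 >/proc/sys/net/ipv4/ip_forward
echo "NTech Router Config executed..."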
/etc/fw-core.cfg:
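### Clean IPTABLES -- flush the filter table AND the nat table. Flushing only the
### filter table (the old behaviour) meant every re-run of this script appended a
### duplicate MASQUERADE rule and duplicate DNAT rules from fw-cust.cfg.
/sbin/iptables -F
/sbin/iptables -t nat -F
### Default policies. FORWARD was previously left at the kernel default of ACCEPT,
### so with ip_forward=1 every routed packet was forwarded regardless of the
### per-port FORWARD rules in fw-cust.cfg (they never had any effect). Make it
### default-deny and open only what is needed below. INPUT/OUTPUT stay ACCEPT:
### lo and the LAN bridge are trusted and eth0 is closed by the REJECTs at the
### end of this file.
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
### Allows us to Masquerade the data going OUT of the External NIC
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
### Forwarding: anything that originates on the LAN bridge may be forwarded (this
### also covers wired<->wireless traffic that the bridge hands to iptables when
### bridge-nf-call-iptables is enabled), and replies to it may come back in.
### New inbound connections from eth0 are only allowed by the explicit port
### forwards in fw-cust.cfg.
/sbin/iptables -A FORWARD -i br0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
### Allow routines for Firewall: replies to connections the router itself opened
/sbin/iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
### Custom Rules (per-port ACCEPTs on eth0 and DNAT port forwards)
/etc/fw-cust.cfg
### Reject these AFTER allow routines. NOTE(review): only TCP and UDP are rejected
### here; ICMP and any other IP protocol arriving on eth0 still reaches the host.
### Add explicit rules here if that is not what you want.
/sbin/iptables -A INPUT -i eth0 -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -i eth0 -p udp -j REJECT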
/etc/fw-cust.cfg:
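### NOTES:
### eth0 WAN; eth1 Wired LAN; wlan0 Wireless LAN; br0 Wired/Wireless Bridge
### Use eth0 for External and br0 for Internal firewalling unless you mean to restrict something based on where its coming from in the LAN
### i.e.: Wireless clients cannot access x.x.x.x:xx while Wired can.
###
### This file is run by /etc/fw-core.cfg between its stateful allow rules and its
### final eth0 REJECT rules, so every ACCEPT below takes effect before the rejects.
### Use the absolute /sbin/iptables path like fw-core.cfg does: an init script
### cannot assume /sbin is on PATH, and a "command not found" here would leave
### the ports closed and the port forwards missing without failing the boot.
###
### SECURITY (review): each rule below exposes a service to the whole Internet
### with no source restriction. FTP (21) carries credentials in clear text; a
### MySQL server (3306) and a Squid proxy (3128) reachable from the WAN invite
### password brute force and open-proxy abuse; RDP (3389) forwarded straight to
### an internal Windows host is widely discouraged. Prefer reaching these over
### SSH (22) or a VPN, and delete or source-restrict (add "-s a.b.c.d") the rules
### you do not actually need.
### Allow FTP 21 on External NIC (eth0)
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
### Allow SSH 22 on External NIC (eth0)
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
### Allow DNS 53 on External NIC (eth0). Only TCP is opened here; DNS is mostly
### UDP, so if this box is meant to serve DNS to the outside a matching
### "-p udp --dport 53" rule is also needed -- and if it is not, remove this one.
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 53 -j ACCEPT
### Allow HTTP 80 on External NIC (eth0)
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
### Allow HTTP (SSL) 443 on External NIC (eth0)
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
### Allow SquidGuard Proxy 3128 on External NIC (eth0) -- see SECURITY note above
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 3128 -j ACCEPT
### Allow MySQL Server 3306 on External NIC (eth0) -- see SECURITY note above
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 3306 -j ACCEPT
### Port forwards: the nat PREROUTING rule rewrites the destination, the FORWARD
### rule then lets the rewritten packet through to the LAN host. Both are needed
### once FORWARD is default-deny.
### Forward IDENTd 113 to 192.168.6.90 (TCP)
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 113 -j DNAT --to 192.168.6.90:113
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.6.90 --dport 113 -j ACCEPT
### Forward Remote Desktop (RDP) 3389 to 192.168.6.90 (TCP) -- see SECURITY note above
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3389 -j DNAT --to 192.168.6.90:3389
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.6.90 --dport 3389 -j ACCEPT
### Forward BitTorrent 6920 to 192.168.6.90 (TCP)
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 6920 -j DNAT --to 192.168.6.90:6920
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.6.90 --dport 6920 -j ACCEPT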
/etc/hostapd/hostapd.conf:
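# Access point settings for the madwifi NIC (wlan0), bridged into br0.
interface=wlan0
bridge=br0
driver=madwifi
# Logging: -1 = all modules, level 2 = informational and above
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=0
# State dump target. NOTE(review): hostapd runs as root, and the old value was a
# fixed, predictable file name in the world-writable /tmp -- a classic symlink
# target. Keep it in a root-owned directory instead.
dump_file=/var/run/hostapd.dump
ctrl_interface=/var/run/hostapd
# Only root (gid 0) may talk to the control socket
ctrl_interface_group=0
# Must match the essid given to iwconfig in /etc/init.d/router
ssid=NTech Router 1
# Optional MAC allow-list. MAC addresses are trivially spoofed, so this is a
# convenience filter only; WPA remains the real access control if enabled.
#macaddr_acl=1
#accept_mac_file=/etc/hostapd/accept
# 1 = Open System authentication only. The old value 3 also advertised Shared Key
# authentication, which is WEP-only and serves no purpose on a WPA network.
auth_algs=1
eapol_key_index_workaround=0
# No RADIUS/EAP: pre-shared keys only
eap_server=0
# 2 = WPA2 (RSN) only. The old value 3 also negotiated WPA1. This is described as
# a WPA-PSK (AES) network and the only pairwise cipher offered is CCMP, so WPA1
# only adds downgrade surface; set it back to 3 only if a client that cannot do
# WPA2 genuinely has to be supported.
wpa=2
# Per-station PSKs; 00:00:00:00:00:00 in that file means "any station".
# Keep the file readable by root only (mode 0600).
wpa_psk_file=/etc/hostapd/wpa_psk
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP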
/etc/hostapd/wpa_psk:
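# Format: <station MAC> <passphrase of 8-63 ASCII chars, or 64 hex digits>
# 00:00:00:00:00:00 tells it to allow all mac addresses to use the same passkey.
# The original passkey "Neowin" was only 6 characters. hostapd requires 8-63 for an
# ASCII passphrase and refuses to load the file otherwise, so the daemon would not
# start -- while wlan0 is already up in Master mode on the LAN bridge. It was also
# a dictionary word: WPA-PSK can be brute-forced offline from a single captured
# handshake, so use a long random passphrase here, and keep this file mode 0600
# owned by root.
00:00:00:00:00:00 CHANGE-ME-to-a-long-random-passphrase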