[Reference] Debian Wireless Router Configuration



This is just a reference for anyone trying to set up a wired/wireless Linux router, to help smooth the transition. I'll try to be as descriptive as possible.

This configuration uses WPA-PSK (AES) key encryption.

Debian 'Lenny' 2.6.24-1-686

Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ as eth0

Accton Technology Corporation SMC2-1211TX as eth1

3com 3CRDAG675B/Atheros Communications Inc. AR5413 802.11abg NIC as wifi0/wlan0

eth0: Wired WAN Interface

eth1: Wired LAN Interface

wlan0: Wireless LAN Interface

wifi0: Wireless LAN Interface (Actual physical interface, wlan0 is a virtual interface on top of wifi0. Use wlan0!)

br0: Wired/Wireless LAN Bridge

/etc/init.d/router:

#!/bin/sh
### Enables IP Forwarding (this is what makes the box route between eth0 and the LAN)
echo 1 >/proc/sys/net/ipv4/ip_forward

### Configure the Wireless AP and Integrate the Wireless NIC with the LAN
# Delete the wireless VAP interface and remake it as a Master (HostAP mode).
# wlan0 is a virtual interface on top of the physical wifi0 (madwifi).
wlanconfig wlan0 destroy
wlanconfig wlan0 create wlandev wifi0 wlanmode master
# Configure the wireless interface (the ESSID must match the ssid in /etc/hostapd/hostapd.conf)
iwconfig wlan0 essid "NTech Router 1" channel 6 mode Master rate 11M auto txpower auto
# Bring both LAN-side interfaces up without an address; the bridge carries the IP
ifconfig eth1 0.0.0.0 up
ifconfig wlan0 0.0.0.0 up
# Configure the bridge for joining the Wired and Wireless interfaces into a LAN
brctl addbr br0
brctl addif br0 eth1
brctl addif br0 wlan0
# Set the bridge's LAN settings like Netmask and IP
ifconfig br0 192.168.6.1 netmask 255.255.255.0 up
# Run the wireless encryption daemon for WPA-PSK (-B = run in background, -dd = extra debug output)
hostapd -Bdd /etc/hostapd/hostapd.conf

### Load the firewall settings (the file is run as a script, so it must be executable)
/etc/fw-core.cfg

echo "NTech Router Config executed..."



/etc/fw-core.cfg:

#!/bin/sh
### Clean IPTABLES. The filter table AND the nat table are flushed; without the
### nat flush, re-running this script appends duplicate MASQUERADE and DNAT rules.
/sbin/iptables -F
/sbin/iptables -t nat -F

### Allows us to Masquerade the data coming from the External NIC
### (LAN traffic leaving eth0 is rewritten to the router's WAN address)
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

### Allow routines for Firewall: replies to connections the router or the LAN started
/sbin/iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

### Custom Rules (per-port allows and port forwards; appended before the REJECT rules below)
/etc/fw-cust.cfg

### Reject these AFTER allow routines: anything arriving on eth0 that no rule above
### accepted is refused. Only INPUT is closed this way; the FORWARD and OUTPUT chain
### policies are never set here, so they keep the default ACCEPT.
/sbin/iptables -A INPUT -i eth0 -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -i eth0 -p udp -j REJECT



/etc/fw-cust.cfg:

#!/bin/sh
### NOTES:
###  eth0 WAN; eth1 Wired LAN; wlan0 Wireless LAN; br0 Wired/Wireless Bridge
###  Use eth0 for External and br0 for Internal firewalling unless you mean to restrict something based on where it's coming from in the LAN
###  i.e.: Wireless clients cannot access x.x.x.x:xx while Wired can.
###  Every ACCEPT below is a service on the router itself that becomes reachable from the Internet.

### Allow FTP 21 on External NIC (eth0)
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT

### Allow SSH 22 on External NIC (eth0)
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT

### Allow DNS 53 on External NIC (eth0) (TCP only; this rule does not open UDP 53)
iptables -A INPUT -p tcp -i eth0 --dport 53 -j ACCEPT

### Allow HTTP 80 on External NIC (eth0)
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT

### Allow HTTP (SSL) 443 on External NIC (eth0)
iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT

### Allow SquidGuard Proxy 3128 on External NIC (eth0)
iptables -A INPUT -p tcp -i eth0 --dport 3128 -j ACCEPT

### Allow MySQL Server 3306 on External NIC (eth0)
iptables -A INPUT -p tcp -i eth0 --dport 3306 -j ACCEPT

### Port forwards: the PREROUTING DNAT rewrites the destination to the LAN host,
### the FORWARD rule then lets the rewritten packet through to it.

### Forward IDENTd 113 to 192.168.6.90 (TCP)
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 113 -j DNAT --to 192.168.6.90:113
iptables -A FORWARD -p tcp -i eth0 -d 192.168.6.90 --dport 113 -j ACCEPT

### Forward Remote Desktop (RDP) 3389 to 192.168.6.90 (TCP)
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3389 -j DNAT --to 192.168.6.90:3389
iptables -A FORWARD -p tcp -i eth0 -d 192.168.6.90 --dport 3389 -j ACCEPT

### Forward BitTorrent 6920 to 192.168.6.90 (TCP)
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 6920 -j DNAT --to 192.168.6.90:6920
iptables -A FORWARD -p tcp -i eth0 -d 192.168.6.90 --dport 6920 -j ACCEPT
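An added example, not part of the original post: a small POSIX sh/awk audit that reads an `iptables-save` dump and lists everything the fw-core.cfg and fw-cust.cfg rules above expose on the WAN interface, plus the FORWARD chain policy those files never set. The embedded dump is constructed to mirror a subset of the rules above (it is not a capture from a real router), and the function names are my own; on a live box feed it `$(iptables-save)` instead.

```sh
#!/bin/sh
# Constructed sample, not a real capture: roughly what `iptables-save` prints once
# the fw-core.cfg / fw-cust.cfg rules above are loaded (a subset, to stay short).
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 113 -j DNAT --to-destination 192.168.6.90:113
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.6.90:3389
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -i eth0 -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -i eth0 -d 192.168.6.90/32 -p tcp -m tcp --dport 3389 -j ACCEPT
COMMIT'
# wan_exposure RULES WAN_IF: one line per port reachable from the WAN side, either
# "local tcp/22" (INPUT accepts it on the router) or "dnat tcp/3389 -> host:port".
wan_exposure() {
    printf '%s\n' "$1" | awk -v wan="$2" '
        /^\*/      { table = substr($0, 2); next }   # *nat / *filter header
        $1 != "-A" { next }                          # only rule lines
        {
            iface = ""; proto = ""; port = ""; target = ""; dest = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-i") iface = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-j") target = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
            }
            if (iface != wan || port == "") next
            if (table == "filter" && $2 == "INPUT" && target == "ACCEPT")
                print "local " proto "/" port
            if (table == "nat" && $2 == "PREROUTING" && target == "DNAT")
                print "dnat " proto "/" port " -> " dest
        }'
}
# forward_policy RULES: the FORWARD chain policy. fw-core.cfg never sets it, so it
# stays ACCEPT and a DNATed connection gets through even without a FORWARD rule.
forward_policy() {
    printf '%s\n' "$1" | awk '/^\*/ { t = substr($0, 2) } t == "filter" && $1 == ":FORWARD" { print $2 }'
}
wan_exposure "$SAMPLE_RULES" eth0
echo "FORWARD policy: $(forward_policy "$SAMPLE_RULES")"
```

Running it against the real ruleset after a reboot is a quick way to confirm nothing beyond the intended ports (and forwards) is reachable from eth0.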



/etc/hostapd/hostapd.conf:

# Run the AP on wlan0 (madwifi driver) and hand stations over to the br0 bridge
interface=wlan0
bridge=br0
driver=madwifi
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=0
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
# Must match the essid set by iwconfig in /etc/init.d/router
ssid=NTech Router 1
# MAC filtering is left off; uncomment both lines to admit only the stations listed in the accept file
#macaddr_acl=1
#accept_mac_file=/etc/hostapd/accept
auth_algs=3
eapol_key_index_workaround=0
eap_server=0
# wpa=3 accepts both WPA and WPA2 (RSN) clients
wpa=3
# Per-MAC passphrases come from this file instead of a single wpa_passphrase line
wpa_psk_file=/etc/hostapd/wpa_psk
wpa_key_mgmt=WPA-PSK
# CCMP is the AES-based pairwise cipher (TKIP is not offered)
wpa_pairwise=CCMP



/etc/hostapd/wpa_psk:

00:00:00:00:00:00 Neowin

# 00:00:00:00:00:00 tells hostapd to allow all MAC addresses to use the passkey "Neowin"

Edited by FuhrerDarqueSyde