Squirrelington, posted June 18, 2008 (edited)

This is just a reference for anyone trying to set up a wired/wireless Linux router, to help smooth the transition. I'll try to be as descriptive as possible. This configuration uses WPA-PSK (AES) key encryption.

Debian 'Lenny' 2.6.24-1-686
Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ as eth0
Accton Technology Corporation SMC2-1211TX as eth1
3com 3CRDAG675B/Atheros Communications Inc. AR5413 802.11abg NIC as wifi0/wlan0

eth0: Wired WAN Interface
eth1: Wired LAN Interface
wlan0: Wireless LAN Interface
wifi0: Wireless LAN Interface (Actual physical interface, wlan0 is a virtual interface on top of wifi0. Use wlan0!)
br0: Wired/Wireless LAN Bridge

/etc/init.d/router:

#!/bin/sh
### Enables IP Forwarding
echo 1 >/proc/sys/net/ipv4/ip_forward

### Configure the Wireless AP and Integrate the Wireless NIC with the LAN
# Delete the madwifi virtual AP (VAP) interface and remake it as a Master (HostAP mode)
wlanconfig wlan0 destroy
wlanconfig wlan0 create wlandev wifi0 wlanmode master
# Configure the wireless interface (the ESSID must match ssid= in hostapd.conf)
iwconfig wlan0 essid "NTech Router 1" channel 6 mode Master rate 11M auto txpower auto
# Bring both LAN interfaces up without addresses; the bridge carries the LAN IP
ifconfig eth1 0.0.0.0 up
ifconfig wlan0 0.0.0.0 up
# Configure the bridge for joining the Wired and Wireless interfaces into a LAN
brctl addbr br0
brctl addif br0 eth1
brctl addif br0 wlan0
# Sets the bridge's LAN settings like Netmask and IP
ifconfig br0 192.168.6.1 netmask 255.255.255.0 up
# Run the wireless encryption daemon for WPA-PSK (-B = background, -dd = debug logging)
hostapd -Bdd /etc/hostapd/hostapd.conf

### Load the firewall settings
/etc/fw-core.cfg
echo "NTech Router Config executed..."

/etc/fw-core.cfg:

#!/bin/sh
### Clean IPTABLES (filter and nat tables; without "-t nat -F" the MASQUERADE
### and DNAT rules would be appended again on every run of this script)
/sbin/iptables -F
/sbin/iptables -t nat -F

### Allows us to Masquerade LAN traffic going out the External NIC
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

### Allow routines for Firewall
/sbin/iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

### Custom Rules (appended here so they are matched BEFORE the rejects below)
/etc/fw-cust.cfg

### Reject these AFTER allow routines
### (only TCP and UDP arriving on eth0 are rejected; the INPUT chain policy is
### left at ACCEPT, so other protocols such as ICMP still reach the router from the WAN)
/sbin/iptables -A INPUT -i eth0 -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -i eth0 -p udp -j REJECT

/etc/fw-cust.cfg:

#!/bin/sh
### NOTES:
### eth0 WAN; eth1 Wired LAN; wlan0 Wireless LAN; br0 Wired/Wireless Bridge
### Use eth0 for External and br0 for Internal firewalling unless you mean to restrict
### something based on where it's coming from in the LAN,
### e.g.: Wireless clients cannot access x.x.x.x:xx while Wired can.

### Allow FTP 21 on External NIC (eth0)
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
### Allow SSH 22 on External NIC (eth0)
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
### Allow DNS 53 on External NIC (eth0) (TCP only; UDP 53 is still rejected by fw-core.cfg)
iptables -A INPUT -p tcp -i eth0 --dport 53 -j ACCEPT
### Allow HTTP 80 on External NIC (eth0)
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
### Allow HTTP (SSL) 443 on External NIC (eth0)
iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
### Allow SquidGuard Proxy 3128 on External NIC (eth0)
iptables -A INPUT -p tcp -i eth0 --dport 3128 -j ACCEPT
### Allow MySQL Server 3306 on External NIC (eth0) (reachable from any WAN address)
iptables -A INPUT -p tcp -i eth0 --dport 3306 -j ACCEPT

### The FORWARD ACCEPT rules below only take effect if the FORWARD chain policy is
### changed to DROP; with the default ACCEPT policy every forwarded packet already passes.
### Forward IDENTd 113 to 192.168.6.90 (TCP)
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 113 -j DNAT --to 192.168.6.90:113
iptables -A FORWARD -p tcp -i eth0 -d 192.168.6.90 --dport 113 -j ACCEPT
### Forward Remote Desktop (RDP) 3389 to 192.168.6.90 (TCP)
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3389 -j DNAT --to 192.168.6.90:3389
iptables -A FORWARD -p tcp -i eth0 -d 192.168.6.90 --dport 3389 -j ACCEPT
### Forward BitTorrent 6920 to 192.168.6.90 (TCP)
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 6920 -j DNAT --to 192.168.6.90:6920
iptables -A FORWARD -p tcp -i eth0 -d 192.168.6.90 --dport 6920 -j ACCEPT

/etc/hostapd/hostapd.conf:

interface=wlan0
bridge=br0
driver=madwifi
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=0
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
# Must match the essid set with iwconfig in /etc/init.d/router
ssid=NTech Router 1
#macaddr_acl=1
#accept_mac_file=/etc/hostapd/accept
auth_algs=3
eapol_key_index_workaround=0
eap_server=0
# wpa=3 accepts both WPA and WPA2 clients; wpa_pairwise=CCMP allows only AES-CCMP (no TKIP)
wpa=3
wpa_psk_file=/etc/hostapd/wpa_psk
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP

/etc/hostapd/wpa_psk:

00:00:00:00:00:00 Neowin
# 00:00:00:00:00:00 tells it to allow all mac addresses to use the passkey "Neowin"
# (hostapd requires a passphrase of 8-63 characters, or a 64-hex-digit PSK, after
# the MAC, so replace "Neowin" with a real key of that length)

Edited June 19, 2008 by FuhrerDarqueSyde
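The ordering rule in fw-core.cfg ("Reject these AFTER allow routines") follows from iptables' first-match semantics: -A appends, and the first rule a packet matches decides its fate, otherwise the chain policy applies. The following added example (not part of the original post, and not a real iptables implementation; it models only -i, -p, --dport, --state and the chain policy) builds the INPUT chain in the order the two firewall scripts append rules, then evaluates sample packets to show which WAN ports end up open, what happens if the custom rules are appended after the rejects, and that non-TCP/UDP traffic falls through to the ACCEPT policy. Interface names and ports are those from the post; the Packet/Rule classes are this example's own.

```python
"""First-match model of the INPUT chain built by fw-core.cfg + fw-cust.cfg.

Added example: a tiny simulator of iptables rule evaluation, not the real
thing. It only understands -i (iface), -p (proto), --dport and
-m state --state, plus the chain policy, which is enough to show why rule
order matters and what the post's ruleset exposes on eth0.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str                  # ingress interface: "eth0" (WAN) or "br0" (LAN)
    proto: str                  # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None
    state: str = "NEW"          # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass(frozen=True)
class Rule:
    target: str                               # ACCEPT or REJECT
    iface: Optional[str] = None               # -i
    proto: Optional[str] = None               # -p
    dport: Optional[int] = None               # --dport
    states: Optional[FrozenSet[str]] = None   # -m state --state

    def matches(self, p: Packet) -> bool:
        """Every specified match criterion must hold; unspecified ones are wildcards."""
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.states is None or p.state in self.states))


def verdict(chain: List[Rule], p: Packet, policy: str = "ACCEPT") -> str:
    """iptables semantics: the first matching rule wins; otherwise the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# Rules in the order fw-core.cfg appends them. fw-cust.cfg is executed in the
# middle, so its ACCEPTs land between the state rules and the final REJECTs.
EST = frozenset({"ESTABLISHED", "RELATED"})
ALLOW_STATE = [Rule("ACCEPT", "eth0", "tcp", states=EST),
               Rule("ACCEPT", "eth0", "udp", states=EST)]
CUSTOM = [Rule("ACCEPT", "eth0", "tcp", port)
          for port in (21, 22, 53, 80, 443, 3128, 3306)]     # from fw-cust.cfg
REJECTS = [Rule("REJECT", "eth0", "tcp"), Rule("REJECT", "eth0", "udp")]

INPUT_CHAIN = ALLOW_STATE + CUSTOM + REJECTS   # as the post builds it
WRONG_ORDER = ALLOW_STATE + REJECTS + CUSTOM   # custom rules appended too late


def wan_exposed_tcp_ports(chain: List[Rule],
                          candidates: Iterable[int] = range(1, 65536)) -> List[int]:
    """TCP ports a NEW connection arriving on eth0 can reach on the router itself."""
    return [port for port in candidates
            if verdict(chain, Packet("eth0", "tcp", port)) == "ACCEPT"]


if __name__ == "__main__":
    samples = [Packet("eth0", "tcp", 22),                    # opened by fw-cust.cfg
               Packet("eth0", "tcp", 25),                    # not opened: REJECT
               Packet("eth0", "udp", 53),                    # DNS only opened for TCP
               Packet("eth0", "icmp"),                       # no rule matches: policy
               Packet("eth0", "udp", 40000, "ESTABLISHED"),  # reply traffic
               Packet("br0", "tcp", 3306)]                   # LAN side: no eth0 rules
    for pkt in samples:
        print(f"{pkt!r:60} -> {verdict(INPUT_CHAIN, pkt)}")
    print("WAN-reachable TCP ports:", wan_exposed_tcp_ports(INPUT_CHAIN, range(1, 4000)))
    print("same query with custom rules after the rejects:",
          wan_exposed_tcp_ports(WRONG_ORDER, range(1, 4000)))
```

The two results worth noticing: with the post's ordering the open WAN ports are exactly the seven in fw-cust.cfg, and with the custom rules appended after the rejects none of them is reachable, because the blanket `-p tcp -j REJECT` matches first. The ICMP case shows the other side of the same rule: nothing in the chain matches it, so the policy decides, and the post leaves the INPUT policy at ACCEPT.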
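The wpa_psk file in the post stores a cleartext passphrase against the wildcard MAC 00:00:00:00:00:00. hostapd also accepts, after the MAC, a 64-hex-digit PSK, and a line per client MAC, which lets you hand each device its own key and revoke one without rekeying the rest. The following added example (not from the original post or from hostapd) derives the PSK the way IEEE 802.11i specifies, PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output, and writes a wpa_psk-style file from a MAC-to-passphrase map. The client MACs and passphrases are constructed sample data; the SSID is the post's.

```python
"""Generate a hostapd wpa_psk file with a pre-computed PSK per client MAC.

Added example, not hostapd's code. Format of each line, as hostapd reads it:
    <MAC> <passphrase of 8-63 chars | 64 hex digits of the PSK>
with 00:00:00:00:00:00 acting as the wildcard MAC (as in the post).
PSK derivation is the IEEE 802.11i one: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32).
"""
import hashlib
import re
from typing import Dict, Optional

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
WILDCARD_MAC = "00:00:00:00:00:00"


def wpa_psk(passphrase: str, ssid: str) -> str:
    """Return the 256-bit WPA/WPA2 PSK for passphrase+SSID as 64 hex digits."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               4096, 32).hex()


def wpa_psk_file(ssid: str, clients: Dict[str, str],
                 wildcard_passphrase: Optional[str] = None) -> str:
    """Build the text of /etc/hostapd/wpa_psk.

    clients maps a client MAC to that client's passphrase. Only the derived
    hex PSKs are written, so the file never contains the passphrases.
    Per-MAC lines come first, the wildcard line (if any) last.
    """
    lines = []
    for mac, passphrase in clients.items():
        mac = mac.lower()
        if not MAC_RE.match(mac) or mac == WILDCARD_MAC:
            raise ValueError(f"bad client MAC: {mac}")
        lines.append(f"{mac} {wpa_psk(passphrase, ssid)}")
    if wildcard_passphrase is not None:
        lines.append(f"{WILDCARD_MAC} {wpa_psk(wildcard_passphrase, ssid)}")
    return "\n".join(lines) + "\n"


# Constructed sample data: two made-up client MACs with their own passphrases.
SAMPLE_SSID = "NTech Router 1"
SAMPLE_CLIENTS = {
    "00:11:22:33:44:55": "laptop-passphrase-2008",
    "66:77:88:99:AA:BB": "desktop key with spaces",
}

if __name__ == "__main__":
    # Known 802.11i test vector: passphrase "password", SSID "IEEE"
    print(wpa_psk("password", "IEEE"))
    print(wpa_psk_file(SAMPLE_SSID, SAMPLE_CLIENTS, wildcard_passphrase="guest-network-key"))
```

Write the result to /etc/hostapd/wpa_psk with mode 0600 and restart hostapd; the file is still a secret (anyone holding a hex PSK can join, and can decrypt that client's traffic), but removing one line is now enough to lock a single device out.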