Create a wireless local area network

From LQWiki

To create a wireless local area network, you set up an access point.

It is fairly simple to set up an AP in Linux. This is how I did it.

I purchased a D-Link DWL-G520 PCI card. You need a card that supports Master mode. Check the linux-wless.passys.nl site for compatibility with Linux. I think ndiswrapper doesn't support Master mode, but I'm not sure.

Creating the AP

Then, if your interface is ath0:

 $ iwconfig ath0 mode Master
 $ iwconfig ath0 essid "LinuxAP"
 $ ifconfig ath0 192.168.1.1 up

I chose an IP that wasn't in my wired LAN's subnet. Now you should be able to see the AP if you scan for APs.

Configure your client's card statically

Then on the client side (if your interface is ath0) you do:

 $ iwconfig ath0 mode Managed
 $ iwconfig ath0 essid "LinuxAP"
 $ iwconfig ath0 ap 00:11:22:AA:22:11
 $ ifconfig ath0 192.168.1.10 netmask 255.255.255.0 up
 $ route add -net default gw 192.168.1.1

It's not always necessary to specify the MAC address of the AP, but sometimes it's a good thing (it ties the client to that particular AP rather than to any AP advertising the same ESSID). As you can see, I chose an IP in the same subnet as the AP; this is important.

DHCP server, firewall and stuff

Now, that was the static IP way; you probably want a DHCP server and some firewall rules for the AP. Guess what... here they come!

iptables

I have some rules with iptables in a script:

 #!/bin/sh
 IPTABLES='/sbin/iptables'
 EXTIF='eth0'          # Internet-facing interface
 INTIF='eth1'          # wired LAN
 WLAN='ath0'           # wireless LAN (the AP interface)
 WAN='85.235.31.133'   # public IP of $EXTIF (not used by the rules below)

 # turn on IP forwarding so the box routes between its interfaces
 /bin/echo 1 > /proc/sys/net/ipv4/ip_forward

 # flush all rules, then delete user-defined chains (-F before -X, since
 # a chain can only be deleted once nothing references it)
 $IPTABLES -F
 $IPTABLES -X

 $IPTABLES -F -t nat
 $IPTABLES -X -t nat

 $IPTABLES -F -t filter
 $IPTABLES -X -t filter

 # enable masquerading to allow LAN internet access
 $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

 # forward LAN traffic from $INTIF and $WLAN to Internet interface $EXTIF
 $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
 $IPTABLES -A FORWARD -i $WLAN -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

 # allow ping
 $IPTABLES -A INPUT -p icmp -i $EXTIF -j ACCEPT

 # allow access to the FTP server
 $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 21 -j ACCEPT

 # allow access to the ssh server on port 2200 (I've changed it)
 $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 2200 -j ACCEPT

 # block out all other Internet access on $EXTIF
 $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
 $IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
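The script above never sets chain policies, so anything not matched by a rule (including everything arriving on ath0) is accepted by default. As an added example that is not the page author's script, here is the same policy written for iptables-restore with default-deny chains, an explicit rule for the wireless interface, and no forwarding from wireless to the wired LAN; the interface names and the ssh port are assumptions carried over from the script above.

```shell
#!/bin/sh
# Added example, not the LQWiki author's script: the same policy in
# iptables-restore format with default-deny chains, so anything not
# explicitly allowed is dropped. Interface names, the ssh port and the
# "no wireless -> wired LAN forwarding" choice are assumptions.
build_ruleset() {
    extif=$1 intif=$2 wlan=$3 sshport=${4:-2200}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# services reachable from the Internet side (as in the page's script)
-A INPUT -i $extif -p icmp -j ACCEPT
-A INPUT -i $extif -p tcp --dport 21 -j ACCEPT
-A INPUT -i $extif -p tcp --dport $sshport -j ACCEPT
# the wired LAN is trusted; wireless clients only get DHCP and DNS from the box
-A INPUT -i $intif -j ACCEPT
-A INPUT -i $wlan -p udp --dport 67 -j ACCEPT
-A INPUT -i $wlan -p udp --dport 53 -j ACCEPT
-A INPUT -i $wlan -p tcp --dport 53 -j ACCEPT
# routing: both LANs to the Internet, but not wireless -> wired
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i $intif -o $extif -j ACCEPT
-A FORWARD -i $wlan -o $extif -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $extif -j MASQUERADE
COMMIT
EOF
}

# iptables-restore swaps the whole ruleset in one step, so there is no
# window where the chains have been flushed and the box is wide open.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    build_ruleset "$@" | iptables-restore
}
```

Run `build_ruleset eth0 eth1 ath0` to inspect the generated rules, and `apply_ruleset eth0 eth1 ath0` as root to load them.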

dnsmasq

And my dnsmasq.conf looks like this:

 resolv-file=/etc/resolv.conf
 no-poll
 domain-needed
 bogus-priv
 strict-order

 interface=ath0
 dhcp-range=192.168.1.10,192.168.1.50,12h

 interface=eth1
 dhcp-range=192.168.0.10,192.168.0.50,12h

 # alice and bob are declared in /etc/hosts
 dhcp-host=00:0A:E4:52:6B:12,alice
 dhcp-host=00:40:CA:45:10:9C,bob

 dhcp-authoritative

And that's it! Just run the script, start dnsmasq and connect to the AP described at the top of this page.

stuff

By the way, if you want to ping some host in the 192.168.0.0 subnet, make sure that you don't have another interface with an IP in that subnet that isn't actually live. So if you have an ordinary wired card eth0 with an IP in the 192.168.0.0 subnet (but maybe no cable plugged in), make sure that you bring that interface down; otherwise the kernel may route packets for that subnet out of the dead interface.

 $ ifconfig eth0 down

Now you can ping hosts in that subnet with your wifi card.