Very Computer

Hello,

I am trying to get this working so I can serve my laptop wirelessly at home.
I have the card working in Linux (iwconfig commands work to set essid and
the mode) server & laptop. The problem I'm having is I think is I just don't
know routing/masquerading in Linux (yet).

Here is a crude listing of what I'm trying to do:

=Network Setup=
Cisco 804 ISDN Router, NAT, DHCP, DNS (points to isp dns servers)
(192.168.1.0 network, 255.255.255.0 mask)
Linux box, wired nic (static ip 192.168.1.2, 255.255.255.0 mask) (eth0) and
two other PC's using just a wired nic

=Linux box (a Linux AP is what I'm trying to do here)=
Cisco 350 PCI WiFi (AIR-PCI352) in Managed mode, static ip- 10.0.0.1, mask
255.255.255.0 (eth1)
running dhcpd (network 10.0.0.0 mask 255.255.255.0) (on eth1 only, the WiFi
interface)

First, I think this is right because:
1> DHCP can not be run but one time per network (and I have two networks
defined above)
2> I want wireless clients to get their DHCP address from Linux, and the two
wired cleints from the Cisco router since they have no wireless interface
(and I don't want Linux doing dhcp for them anyway).

I can:
a) Using wireless, I can ping the WiFi cards from the laptop to the Linux
box and from the Linux box to the laptop
    (laptop- ping 10.0.0.1; Server- ping 10.0.0.2) <ok here>

I can not:

a) I can not use DNS <ahh, this is helping me by writing this out...I'll
keep going> on the wireless interface (laptop) to ping a server by name
(i.e.- ping www.cnn.com) or via doing a lookup on that URL and trying to
ping or goto that site by ip address.
b) I can not access any other service over wireless (IRC, email, web, etc.)

Is this problem due to my setup above? I can not see the 10.0.0.0 network on
the Cisco router (sho ip route) at this point so I see why I can not ping a
WIRED interface. Is this setup correctly thusfar and I need to learn
masquerading/ip packet forwarding?

I'd like to KISS in the initial fix (i.e.- if it's a masq thing I need to do
I'd like to initially allow everthing and learn the filtering AFTER that is
working).

Thanks for any help!
David.
p.s.- sleep always helps too, that I will get before trying anything
tomorrow

You're right, it is a masq/routing thing.  You need to put in place some
"iptables" rules (if using kernel 2.4) to do the traffic
forwarding/masquerading for you.  Here's Kevin's sample script which helped
me to tailor a more complex one:
#------Begin------
#!/bin/sh

# rc.firewall for Delta Six internal network

# eth0   -  10.1.15.1   (kdegra14.resnet.calvin.edu)
# eth0:1 -  10.1.15.6   (jandru39.resnet.calvin.edu)
# eth1   -  192.168.1.1

# All iptables code is compiled into the kernel statically.
$IPT="/sbin/iptables"

# Set default policies
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

# Flush rules
$IPT -F
$IPT -t nat -F

# Masquerade outgoing connections
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Allow all packets from my LAN to ResNet
$IPT -A FORWARD -i eth1 -o eth0+ -j ACCEPT

# Allow packets from ResNet to my LAN if part of established connection
$IPT -A FORWARD -i eth0+ -o eth1 -m state \
  --state ESTABLISHED,RELATED -j ACCEPT

# Allow ICMP, EST/REL, ssh to this box from anywhere
$IPT -A INPUT -p icmp -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 --syn -j ACCEPT

# Allow HTTP (for proxy autoconfig) from LAN only
$IPT -A INPUT -i eth1 -p tcp --dport 80 --syn -j ACCEPT

# Allow DHCP from LAN only
$IPT -A INPUT -i eth1 -p udp --dport 67 -j ACCEPT

# Allow DNS (resolving, not auth) from LAN only
$IPT -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT

# Send kdegra14.resnet HTTP to ugofast
$IPT -t nat -A PREROUTING -d 10.1.15.1 -p tcp --dport 80 \
  -j DNAT --to-dest 192.168.1.2
$IPT -A FORWARD -o eth1 -d 192.168.1.2 \
  -p tcp --dport 80 -j ACCEPT

# Send jandru39.resnet HTTP to udrive
$IPT -t nat -A PREROUTING -d 10.1.15.6 -p tcp --dport 80 \
  -j DNAT --to-dest 192.168.1.6
$IPT -A FORWARD -o eth1 -d 192.168.1.6 \
  -p tcp --dport 80 -j ACCEPT

# Send jandru39.resnet SSH to udrive
$IPT -t nat -A PREROUTING -d 10.1.15.6 -p tcp --dport 22 \
  -j DNAT --to-dest 192.168.1.6
$IPT -A FORWARD -o eth1 -d 192.168.1.6 \
  -p tcp --dport 22 -j ACCEPT

# Turn it all on!
echo "1" > /proc/sys/net/ipv4/ip_forward

#------End--------

Hope it helps.  You can also search the archives at www.grlug.org

Godwin

Quote:> Hello,

> I am trying to get this working so I can serve my laptop wirelessly at
home.
> I have the card working in Linux (iwconfig commands work to set essid and
> the mode) server & laptop. The problem I'm having is I think is I just
don't
> know routing/masquerading in Linux (yet).

> Here is a crude listing of what I'm trying to do:

> =Network Setup=
> Cisco 804 ISDN Router, NAT, DHCP, DNS (points to isp dns servers)
> (192.168.1.0 network, 255.255.255.0 mask)
> Linux box, wired nic (static ip 192.168.1.2, 255.255.255.0 mask) (eth0)
and
> two other PC's using just a wired nic

> =Linux box (a Linux AP is what I'm trying to do here)=
> Cisco 350 PCI WiFi (AIR-PCI352) in Managed mode, static ip- 10.0.0.1, mask
> 255.255.255.0 (eth1)
> running dhcpd (network 10.0.0.0 mask 255.255.255.0) (on eth1 only, the
WiFi
> interface)

> First, I think this is right because:
> 1> DHCP can not be run but one time per network (and I have two networks
> defined above)
> 2> I want wireless clients to get their DHCP address from Linux, and the
two
> wired cleints from the Cisco router since they have no wireless interface
> (and I don't want Linux doing dhcp for them anyway).

> I can:
> a) Using wireless, I can ping the WiFi cards from the laptop to the Linux
> box and from the Linux box to the laptop
>     (laptop- ping 10.0.0.1; Server- ping 10.0.0.2) <ok here>

> I can not:

> a) I can not use DNS <ahh, this is helping me by writing this out...I'll
> keep going> on the wireless interface (laptop) to ping a server by name
> (i.e.- ping www.cnn.com) or via doing a lookup on that URL and trying to
> ping or goto that site by ip address.
> b) I can not access any other service over wireless (IRC, email, web,
etc.)

> Is this problem due to my setup above? I can not see the 10.0.0.0 network
on
> the Cisco router (sho ip route) at this point so I see why I can not ping
a
> WIRED interface. Is this setup correctly thusfar and I need to learn
> masquerading/ip packet forwarding?

> I'd like to KISS in the initial fix (i.e.- if it's a masq thing I need to
do
> I'd like to initially allow everthing and learn the filtering AFTER that
is
> working).

> Thanks for any help!
> David.
> p.s.- sleep always helps too, that I will get before trying anything
> tomorrow

Thanks Superman, I thought that was it....braincells too tired to think last
night ;)

If I understand correctly I'll also have to recompile the kernel (2.4.18
here) to turn on kernel support (or module supprt) for ip forwarding and
masq as well, right? I actually ran into why I need to use masq in a new
book I just bought, Red Hat Linux 7.2 Bible (ISBN 0-7645-3630-3).

David.

Quote:> You're right, it is a masq/routing thing.  You need to put in place some
> "iptables" rules (if using kernel 2.4) to do the traffic
> forwarding/masquerading for you.  Here's Kevin's sample script which
helped
> me to tailor a more complex one:

---<snip>---

Actually, the stock RedHat kernel already has modularized support for
iptables (MASQ, FORWARD and stuff).  No need to recompile.  These are the
modules I tipically load:

# Unload ipchains module.
echo "Unloading ipchains - if running."
/sbin/ipchains -F > /dev/null 2>&1
/sbin/modprobe -r ipchains > /dev/null 2>&1

# Load appropriate modules.
echo "Loading appropriate modules."
/sbin/modprobe ip_tables > /dev/null 2>&1
/sbin/modprobe ip_conntrack > /dev/null 2>&1
/sbin/modprobe ip_conntrack_ftp > /dev/null 2>&1
# For Slackware 8.0
/sbin/modprobe iptable_filter > /dev/null 2>&1
/sbin/modprobe iptable_nat > /dev/null 2>&1
/sbin/modprobe ipt_state > /dev/null 2>&1
/sbin/modprobe ip_nat_ftp > /dev/null 2>&1
/sbin/modprobe ipt_LOG > /dev/null 2>&1

And some things I'd consider indispensable:

## Kernel flags
# To dynamically change kernel parameters and variables on the fly you need
# CONFIG_SYSCTL defined in your kernel. I would advise the following:

# Make sure that IP forwarding is turned on.
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward

# Disable response to ping.
#/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Disable response to broadcasts.
# We don't want to become a Smurf amplifier.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets. Attackers can use source routing to
generate
# traffic pretending to be from inside your network, but which is routed
back along
# the path from which it came, namely outside, so attackers can compromise
your
# network. Source routing is rarely used for legitimate purposes.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your
routing
# tables, possibly to a bad end.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

# Enable bad error message protection.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Turn on reverse path filtering. This helps make sure that packets use
# legitimate source addresses, by automatically rejecting incoming packets
# if the routing table entry for their source address doesn't match the
network
# interface they're arriving on. This has security advantages because it
prevents
# so-called IP spoofing, however it can pose problems if you use asymmetric
routing
# (packets from you to a host take a different path than packets from that
host to you)
# or if you operate a non-routing host which has several IP addresses on
different
# interfaces. (Note - If you turn on IP forwarding, you will also get this).

echo "Turning on path filtering."
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
   /bin/echo "1" > ${interface}
done

Have fun,
Godwin

The easiest way was just to turn on ip forwarding and to use a DHCP relay
server on your linux box. In this way you could get an ip from your CISCO
router and the linux computer would serve as an bridge.

Jonathan,

Great idea !

I am having problems with the comm between the laptop (air-pcm352) and the
server (air-pci352). I can only get the two talking in ad-hoc mode. I asumed
I'd want the air-pci352 in Master mode (reading the man for iwconfig led me
here). If anyone has this working please reply.

tia,
david.

Quote:> The easiest way was just to turn on ip forwarding and to use a DHCP relay
> server on your linux box. In this way you could get an ip from your CISCO
> router and the linux computer would serve as an bridge.

---<snip>---