WiFi Router
This project builds a wireless router out of a Raspberry Pi. The router bridges the network it is physically connected to over Ethernet with the wireless network that clients will join. It is set up to act as a DHCP and DNS server for those clients and also has a firewall configured.
Supplies
- Raspberry Pi 3 model B
- Power cable for the Raspberry Pi
- Ethernet cable
- HDMI cable
- External monitor
- USB keyboard
- 32GB microSD card
Get Raspberry Pi OS
I installed Raspberry Pi OS Lite, because the command line was all I needed to do the whole configuration.
Hostapd
To set up the router's wireless interface I installed the hostapd service (host access point daemon). Once installed, I edited /etc/hostapd/hostapd.conf as follows (hostapd has no inline comments: anything after the value on the same line becomes part of the value, so the comments go on their own lines):
# wireless interface
interface=wlan0
driver=nl80211
# network name
ssid=Adriana's-Router
# 2.4GHz
hw_mode=g
channel=6
# disable QoS (WMM)
wmm_enabled=0
macaddr_acl=0
# open system authentication (1 = no WEP shared-key auth)
auth_algs=1
ignore_broadcast_ssid=0
# WPA2 only
wpa=2
wpa_passphrase=1qaz2wsx3edc
wpa_key_mgmt=WPA-PSK
# applies to WPA (v1) only, so it is ignored with wpa=2
wpa_pairwise=TKIP
# cipher actually used for WPA2
rsn_pairwise=CCMP
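A small pre-flight check for a hostapd.conf fragment, added here as an example and not part of the original project: it flags trailing comments (which hostapd folds into the value), a passphrase outside the 8-63 character range hostapd accepts, and WPA2 configurations that do not end up on CCMP. The sample configuration in the block is constructed for the demonstration.

```python
"""Static check for a hostapd.conf fragment (added example, not project code)."""
import re

# Constructed sample: inline comments as in a first draft of the config
SAMPLE_CONF = """\
interface=wlan0 #wireless interface
driver=nl80211
ssid=Adriana's-Router #router name
hw_mode=g #2.4GHz
wpa=2 #wpa2 only
wpa_passphrase=1qaz2wsx3edc
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
"""

# key=value followed by whitespace and a '#': hostapd keeps all of it as the value
TRAILING_COMMENT = re.compile(r"^\s*[A-Za-z0-9_]+=.*?\s+#.*$")


def parse_hostapd(text):
    """Parse key=value lines the way hostapd does: only whole-line '#' comments
    are skipped, and everything after the first '=' is the value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value
    return conf


def check_hostapd(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if TRAILING_COMMENT.match(line):
            findings.append(f"line {n}: trailing comment becomes part of the value")
    conf = parse_hostapd(text)
    psk = conf.get("wpa_passphrase", "")
    if not 8 <= len(psk) <= 63:
        findings.append("wpa_passphrase must be 8-63 characters")
    wpa = conf.get("wpa")
    if wpa not in ("1", "2", "3"):
        findings.append(f"wpa={wpa!r} is not a valid mode (1, 2 or 3)")
    # rsn_pairwise governs WPA2; it defaults to wpa_pairwise when unset
    pairwise = conf.get("rsn_pairwise") or conf.get("wpa_pairwise", "")
    if wpa in ("2", "3") and "CCMP" not in pairwise:
        findings.append("WPA2 should use CCMP, not TKIP")
    if wpa in ("1", "3"):
        findings.append("WPA (v1) is enabled; prefer wpa=2 with CCMP")
    return findings
```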
DNSmasq
For the DNS service I used DNSmasq, with the following settings in /etc/dnsmasq.conf:
# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv
# If you don't want dnsmasq to read /etc/resolv.conf or any
# other file, getting its servers from this file instead (see
# below), then uncomment this.
no-resolv
# Add other name servers here, with domain specs if they are for
# non-public domains.
server=8.8.8.8
server=8.8.4.4
# If you want dnsmasq to listen for DHCP and DNS requests only
# on specified interfaces (and the loopback) give the name of
# the interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=wlan0
# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
expand-hosts
# This is an example of a DHCP range where the netmask is given.
# This is needed for networks we reach the dnsmasq DHCP server
# via a relay agent. If you don't know what a DHCP relay agent
# is, you probably don't need to worry about this.
dhcp-range=192.168.42.100,192.168.42.200,255.255.255.0,12h
# Set the cachesize here.
cache-size=1000
bind-dynamic
address=/gw-wlan/192.168.42.1
Also in dnsmasq.conf I configured the DHCP pool (dhcp-range) from which clients are assigned their IP addresses.
DHCP
To give the router itself a fixed address on the wireless interface (dhcpcd is the DHCP client daemon; the DHCP server the clients talk to is dnsmasq, above), I edited /etc/dhcpcd.conf:
# Inform the DHCP server of our hostname for DDNS.
hostname
# Use the hardware address of the interface for the Client ID.
clientid
# Persist interface configuration when dhcpcd exits.
persistent
# Rapid commit support.
# Safe to enable by default because it requires the equivalent
# option set on the server to actually work.
option rapid_commit
# A list of options to request from the DHCP server.
option domain_name_servers, domain_name, domain_search, host_name
option classless_static_routes
# Respect the network MTU. This is applied to DHCP routes.
option interface_mtu
# A ServerID is required by RFC2131.
require dhcp_server_identifier
# Generate SLAAC address using the Hardware Address of the interface
#slaac hwaddr
# OR generate Stable Private IPv6 Addresses based from the DUID
slaac private
# Static address of the router on the wireless side; hostapd owns wlan0,
# so dhcpcd must not start wpa_supplicant on it
interface wlan0
static ip_address=192.168.42.1/24
nohook wpa_supplicant
IPv4 Forwarding & NAT
To allow IPv4 packets to be forwarded between the router's two interfaces, eth0 and wlan0, I uncommented the line net.ipv4.ip_forward=1 in /etc/sysctl.conf.
To reach anything outside the local network, address translation has to be enabled on the gateway, i.e. a new rule in the nat table (restricted to the eth0 side so that traffic towards the WiFi clients is not masqueraded):
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Firewall
I implemented the firewall as a set of iptables rules on the INPUT and FORWARD chains, in a script /usr/local/bin/firewall.sh:
#!/bin/sh
# Clear all rules in the filter and nat tables (the nat table has to be
# flushed too, otherwise every run appends another MASQUERADE rule)
iptables -F
iptables -t nat -F
# FORWARD chain
# Allow PING for everyone
iptables -A FORWARD -p icmp -j ACCEPT
# Allow HTTP/HTTPS for WiFi clients (new connections only from wlan0 towards eth0)
iptables -A FORWARD -i wlan0 -o eth0 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -p tcp --dport 443 -j ACCEPT
# Allow POP/IMAP/SMTP for WiFi clients
iptables -A FORWARD -i wlan0 -o eth0 -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -p tcp --dport 993 -j ACCEPT
# Allow DNS for clients that query the upstream resolvers directly
iptables -A FORWARD -i wlan0 -o eth0 -p udp --dport 53 -d 8.8.8.8,8.8.4.4 -j ACCEPT
iptables -A FORWARD -i eth0 -o wlan0 -p udp --sport 53 -s 8.8.8.8,8.8.4.4 -j ACCEPT
# Allow NAT and the return traffic of connections opened from the WiFi side
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Log denied packets (rate-limited so the log cannot be flooded)
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop everything else
iptables -A FORWARD -j DROP
# INPUT chain
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow HTTP and HTTPS connections
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
iptables -A INPUT -p icmp -j ACCEPT
# Allow DNS and DHCP from WiFi clients to dnsmasq running on the router itself.
# These must come before the final DROP; a rule appended after it is never reached.
iptables -A INPUT -i wlan0 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i wlan0 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i wlan0 -p udp --dport 67 -j ACCEPT
# Log denied packets (rate-limited)
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop everything else
iptables -A INPUT -j DROP
# OUTPUT chain
# Allow all outbound traffic
iptables -A OUTPUT -j ACCEPT
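Because iptables evaluates a chain top to bottom, any rule appended after an unconditional DROP or ACCEPT in the same chain is dead code, which is easy to miss in a script like the one above. The following linter, added here as an example and not part of the original project, parses the `iptables -A` lines of a script and reports such shadowed rules; the sample script it checks is constructed for the demonstration and deliberately puts the DNS/DHCP rules after the final DROP.

```python
"""Find iptables rules that can never match (added example, not project code)."""
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample: DNS/DHCP accepts appended after the catch-all DROP
SAMPLE_SCRIPT = """\
#!/bin/sh
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: "
iptables -A INPUT -j DROP
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 67 -j ACCEPT
iptables -A OUTPUT -j ACCEPT
"""


def parse_rules(script):
    """Yield (line_no, table, chain, has_match, target) for every 'iptables -A' line."""
    for n, line in enumerate(script.splitlines(), 1):
        if not line.startswith("iptables"):
            continue
        argv = shlex.split(line)[1:]
        table, chain, target, has_match = "filter", None, None, False
        i = 0
        while i < len(argv):
            a = argv[i]
            if a == "-t":
                table = argv[i + 1]
                i += 2
            elif a == "-A":
                chain = argv[i + 1]
                i += 2
            elif a == "-j":
                target = argv[i + 1]
                break  # what follows -j are target options, not match criteria
            else:
                has_match = True  # -p, -i, -o, -s, -d, -m, --dport ... narrow the rule
                i += 1
        if chain and target:
            yield n, table, chain, has_match, target


def find_shadowed(script):
    """Return [(line_no, chain, target)] for rules appended to a table/chain after
    an unconditional terminal rule (ACCEPT/DROP/REJECT with no match options)."""
    closed, shadowed = {}, []
    for n, table, chain, has_match, target in parse_rules(script):
        key = (table, chain)
        if key in closed:
            shadowed.append((n, chain, target))
        elif not has_match and target in TERMINAL:
            closed[key] = n
    return shadowed
```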