See also: Forwarding, IEEE 802.11 Wireless Networks, Transparent Bridging Access Point
Masquerading Access Point

Scenario 1: Masquerading access point

This is the simplest of the scenarios, and is especially useful in situations where you want a single access point for an office setting. This is easiest in a situation where:

Initial setup

Start off with an already configured computer running GNU/Linux. This could be an Ubuntu Server installation, or Fedora Core. The computer must have at least two interfaces for this to work, and at least one of them must be wireless. The rest of this description assumes that your cabled Ethernet port (eth0) is connected to the Internet, and that a wireless interface (wlan0) will provide the access point functionality.

To find out whether your chipset supports Master mode, try the following command as root:

    # iwconfig wlan0 mode Master

...replacing wlan0 with the name of your interface. If you get an error message, your wireless card does not support access point mode. You can still try the same setup in Ad-hoc mode, which is supported by all chipsets, but this requires that you set all the laptops connecting to this "access point" to Ad-hoc mode as well, and it may not work quite the way you expect. It is usually better to find a wireless card that supports AP mode. See the HostAP and MADWiFi websites mentioned earlier for a list of supported cards.

Before continuing, make sure dnsmasq is installed on your machine. You can use the graphical package manager of your distribution to install it. In Ubuntu you can simply run the following as root:

    # apt-get install dnsmasq

Setting up the interfaces

Set up your server so that eth0 is connected to the Internet. Use the graphical configuration tool that came with your distribution. If your Ethernet network uses DHCP, you could try the following command as root:

    # dhclient eth0

You should receive an IP address and a default gateway. Next, set your wireless interface to Master mode and give it a network name (ESSID) of your choice:

    # iwconfig wlan0 essid "my network" mode Master enc off

The enc off switch turns off WEP encryption. To enable WEP, add a hex-key string of the correct length (10 hex digits for a 40-bit key, 26 for a 104-bit key):

    # iwconfig wlan0 essid "my network" mode Master enc 1A2B3C4D5E

Alternately, you can use a readable string by starting with "s:" (5 or 13 characters, respectively):

    # iwconfig wlan0 essid "my network" mode Master enc "s:apple"

A caveat before relying on this: WEP is cryptographically broken. The key can be recovered from captured traffic in minutes with freely available tools, so a WEP-protected network should be treated as an open one. Where the card and driver allow it, run the access point with hostapd and WPA2 instead, and in either case do not skip the firewall section at the end of this page.

Now give your wireless interface an IP address in a private subnet, making sure it is not the same subnet as that of your Ethernet adapter:

    # ifconfig wlan0 10.0.0.1 netmask 255.255.255.0 broadcast 10.0.0.255 up

Setting up masquerading in the kernel

In order to translate addresses between the two interfaces on the computer, we need to enable masquerading (NAT) in the Linux kernel. First we load the relevant kernel module:

    # modprobe ipt_MASQUERADE

Now we flush all existing firewall rules to ensure that the firewall is not blocking us from forwarding packets between the two interfaces. If you have an existing firewall running, make sure you know how to restore its rules later before proceeding. Note that -F removes the rules in the filter table but does not change the chain policies; on a stock installation those are ACCEPT, so after this step every service on the server and every host on the wireless subnet is reachable until you add rules of your own.

    # iptables -F

Enable the NAT functionality between the two interfaces:

    # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Finally we need to enable the kernel to forward packets between interfaces:

    # echo 1 > /proc/sys/net/ipv4/ip_forward

This setting does not survive a reboot. On Debian-based Linux distributions such as Ubuntu, the change can also be made by editing the file /etc/network/options, changing the line ip_forward=no to ip_forward=yes, and then restarting the network interfaces with:

    # /etc/init.d/network restart

or

    # /etc/init.d/networking restart

On distributions without that file, set net.ipv4.ip_forward=1 in /etc/sysctl.conf instead.

Setting up the DHCP server

At this point we should actually have a working access point. It can be tested by connecting to the wireless network "my network" with a separate machine and giving that machine an address in the same address range as our wireless interface on the server (10.0.0.0/24 if you followed the examples). If you have enabled WEP, be sure to use the same key that you specified on the AP.

In order to make it easier for people to connect to the server without knowing the IP address range, we will set up a DHCP server to automatically hand out addresses to wireless clients. We use the program dnsmasq for this purpose. As the name indicates, it provides a caching DNS server as well as a DHCP server. This program was developed especially for use with firewalls performing NAT. Having a caching DNS server is especially helpful if your Internet connection is a high-latency and/or low-bandwidth connection, such as VSAT or dial-up. It means that many DNS queries can be resolved locally, saving a lot of traffic on the Internet connection and also making the connection feel noticeably faster for those connecting.

Install dnsmasq with your distribution's package manager. If dnsmasq is not available as a package, download the source code and install it manually. It is available from thekelleys.org.uk.

All that is required for us to run dnsmasq is to edit a few lines of the dnsmasq configuration file, /etc/dnsmasq.conf. The configuration file is well commented, and has many options for various types of configuration. To get the basic DHCP server up and running we just need to uncomment and/or edit two lines. Find the line that starts:

    interface=

...and make sure it reads:

    interface=wlan0

...changing wlan0 to match the name of your wireless interface. With interface= alone, dnsmasq still binds the wildcard address on every interface and merely discards queries arriving on the others; if you do not want the DNS and DHCP ports bound on eth0 at all, also uncomment the bind-interfaces line. Then find the line that starts with:

    #dhcp-range=

Uncomment the line and edit it to match the addresses being used, i.e.

    dhcp-range=10.0.0.10,10.0.0.110,255.255.255.0,6h

Then save the file and start dnsmasq:

    # /etc/init.d/dnsmasq start

That's it: you should now be able to connect to the server as an access point and get an IP address using DHCP. This should let you connect to the Internet through the server.

Adding extra security: Setting up a Firewall

Once this is set up and tested, you can add extra firewall rules using whatever firewall tool is included in your distribution.
Some typical front-ends for setting up firewall rules include:
Once everything is configured properly, make sure that all settings are reflected in the system startup scripts. This way, your changes will continue to work should the machine need to be rebooted.
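The whole procedure above (wireless interface addressing, masquerading, forwarding, the dnsmasq configuration and a firewall that can be reloaded at boot) as one script. This is an added example, not code from the original page or from the dnsmasq or iptables projects. The interface names, subnet, DHCP range and lease time are assumptions taken from the text and must match your own setup; the iwconfig step leaves the link unencrypted (enc off) exactly as in the text, which is why the rule set replaces the page's bare "iptables -F" with default-deny INPUT and FORWARD chains that only admit DHCP, DNS and ICMP from the wireless side and only forward the wireless subnet out through eth0.

```shell
#!/bin/sh
# Added example for the masquerading access point described on this page.
# Assumptions (adjust to your setup): eth0 faces the Internet, wlan0 is the
# access point, 10.0.0.0/24 is the wireless subnet, dnsmasq serves DHCP/DNS.
WAN_IF="${WAN_IF:-eth0}"
WLAN_IF="${WLAN_IF:-wlan0}"
LAN_ADDR="10.0.0.1"
LAN_NET="10.0.0.0/24"
ESSID="${ESSID:-my network}"

# Firewall rule set in iptables-restore(8) format. Unlike a plain
# "iptables -F" + MASQUERADE, INPUT and FORWARD default to DROP: the
# server only accepts DHCP (udp/67), DNS (53) and ICMP from the wireless
# side, and only the wireless subnet is forwarded out via the WAN port.
firewall_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WLAN_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $WLAN_IF -p udp --dport 53 -j ACCEPT
-A INPUT -i $WLAN_IF -p tcp --dport 53 -j ACCEPT
-A INPUT -i $WLAN_IF -p icmp -j ACCEPT
# Add your own management rule (e.g. ssh from the wired side) here before loading.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WLAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# dnsmasq configuration: the DHCP range from the text, plus bind-interfaces
# so the DNS and DHCP sockets are bound on the wireless interface only.
dnsmasq_conf() {
    cat <<EOF
interface=$WLAN_IF
bind-interfaces
dhcp-range=10.0.0.10,10.0.0.110,255.255.255.0,6h
dhcp-option=option:router,$LAN_ADDR
dhcp-option=option:dns-server,$LAN_ADDR
EOF
}

# Apply everything on the access point itself. Needs root and real interfaces.
apply_config() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_config: run as root" >&2; return 1; }
    # Master mode without WEP, as in the text; prefer hostapd with WPA2 when the driver allows it.
    iwconfig "$WLAN_IF" essid "$ESSID" mode Master enc off
    ifconfig "$WLAN_IF" "$LAN_ADDR" netmask 255.255.255.0 up
    modprobe ipt_MASQUERADE
    sysctl -w net.ipv4.ip_forward=1
    firewall_rules | iptables-restore
    dnsmasq_conf > /etc/dnsmasq.conf
    /etc/init.d/dnsmasq restart
    # Persist the rules so a reboot does not bring the box back up unfiltered.
    firewall_rules > /etc/iptables.rules
}

# Only touch the system when asked; with no argument just print the generated configs for review.
case "$1" in
    apply) apply_config ;;
    "")    firewall_rules; echo; dnsmasq_conf ;;
esac
```

Run it without arguments first and read the generated rule set; run it as root with the argument apply on the access point once the interface names and subnet are right. For the reboot requirement in the paragraph above, have a startup script run iptables-restore < /etc/iptables.rules (on Debian and Ubuntu the iptables-persistent package does this for /etc/iptables/rules.v4) and put net.ipv4.ip_forward=1 in /etc/sysctl.conf, since sysctl -w alone is lost at reboot.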