Re: need help setting up wireless network
- From: Garry Knight <garryknight@xxxxxxx>
- Date: Wed, 27 Dec 2006 21:02:11 +0000
Peter C Hinkle wrote:
Hi, I am trying to set up my linuxbox to simply provide internet and
mail etc. to my ipaq and laptop over a SMC smcwpci-g wireless card with
a realtek chipset.
If all 3 machines have WiFi cards that work and are recognised, possibly the
simplest way to set it up is the way I've done it with my desktop PC,
Thinkpad laptop, and iPAQ rx1950. I'm currently using Ubuntu 6.06 but I've
had it all working with Suse 10.0 as well.
You don't need to set up your desktop as an access point, and you don't need
an external wireless router. Your desktop becomes a wireless router for the
laptop and the iPAQ.
All you need to do is to configure each card to have a static IP address and
set them all up to run in Ad-hoc mode with the same ESSID, and with the
desktop as the gateway device. I'll tell you how I set mine up and you can
figure out how to do this in Suse yourself. None of what I'm suggesting
here should affect your hub or the other machines on your LAN. All you need
to do is select suitable IP values for the laptop and iPAQ.
My desktop is pc.garry.org and has eth0, the internet-facing NIC that gets
its IP through my ISP's DHCP server. It also has eth1 (192.168.0.1) which
is an old 802.11b card. My laptop is thinkpad.garry.org with a Belkin
802.11g PCMCIA card, and this is 192.168.0.2; it also has a standard
ethernet port which I've disabled as I no longer need to use it through
cable. My iPAQ (ipaq.garry.org) is 192.168.0.3 and has built-in WiFi. On
the desktop, eth0 is the gateway device; on the laptop and iPAQ,
192.168.0.1 (the desktop's WiFi card) is the gateway device, so all
requests on the laptop and iPAQ are routed through the desktop machine. All
three machines are set up to use my ISP's DNS servers.
If you set your system up similarly, using IPs that relate to your own LAN,
all you need to do then is to ensure that all three WiFi devices are set up
to work in Ad-Hoc mode with the same ESSID, and then set up your desktop's
firewall ruleset to do NAT. It sounds like you've already taken care of
this last bit, but make sure that your ruleset caters for the IPs of the
wireless devices as well as everything hanging off the hub.
In Ubuntu I configured the WiFi cards using the Networking dialog, then
manually edited /etc/network/interfaces to look something like this (this
is the laptop version):
iface ra0 inet static
    wireless-essid ariel
    address 192.168.0.2
    netmask 255.255.255.0
    gateway 192.168.0.1
    wireless-key XXXXXXXXXXXXXXXX
    wireless-mode Ad-hoc
All I have to do is turn on the PC, then when it's up, insert the WiFi card
in my laptop and it immediately links to the PC wirelessly.
I could achieve the same thing on the laptop with this command (as root):
iwconfig ra0 essid ariel mode Ad-Hoc key XXXXXXXXXXXXXX
My three machines map onto the LAN as follows:
machine  name                IP           Gateway
PC       pc.garry.org        192.168.0.1  eth0
laptop   thinkpad.garry.org  192.168.0.2  192.168.0.1
iPAQ     ipaq.garry.org      192.168.0.3  192.168.0.1
I don't know how clear all the above is, but the steps so far are:
- Decide on a wireless ESSID ('ariel' in my case)
- Give your WiFi cards static IPs (remember to put them in /etc/hosts)
- Ensure the gateway for the laptop and iPAQ is set to the IP of the PC
to which they are wirelessly attached
- Define firewall rules so that anything requested by the laptop and iPAQ
is NATed out onto the Net
For most people's use, with one or more machines hooked up to a single PC
that acts as a router and gateway to the Net, a simple 4-line firewall
would suffice:
modprobe iptable_nat
modprobe ip_nat_ftp
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 >/proc/sys/net/ipv4/ip_forward
The only thing that might need to be altered in the above is the Net-facing
device, 'eth0' in the above ruleset.
My own firewall rules are a little more complicated, and look like this:
#!/bin/bash
# Firewall taken from Linux Administration: A Beginner's Guide
# This version is for a host that will be doing NAT
echo -n "Loading firewall rules..."
# Internet gateway device
GW=eth0
# Flush any existing rules
iptables -F
# load modules
modprobe iptable_nat
modprobe ip_nat_ftp
# define default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
# iptables -t nat -p PREROUTING ACCEPT
# Let users on the inside network make connections to the Internet
# but don't let the Internet make connections back. We define a new chain
# called 'block' that we use for grouping our state tracking rules together.
# The first rule states that any packet that is part of an established
# connection or is related to an established connection is allowed through.
# The second rule states that in order for a packet to create a new
# connection, it cannot originate from the $GW (Internet-facing) interface.
# If a packet does not match either of these two rules, the third rule
# forces it to be dropped.
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! $GW -j ACCEPT
iptables -A block -j DROP
# We need to call on the blocking chain from the INPUT and FORWARD chains.
# We aren't worried about the OUTPUT chain since only packets originating
# from the firewall itself come from there. When doing NAT, the INPUT chain
# will not be hit so we need to have FORWARD do the check. If a packet is
# destined to the firewall itself, we need the checks done from the INPUT
# chain.
iptables -A INPUT -j block
iptables -A FORWARD -j block
# Finally, as the packet leaves the system, we perform the MASQUERADE
# function from the POSTROUTING chain in the NAT table. All packets that
# leave from the $GW interface go through this chain.
iptables -t nat -A POSTROUTING -o $GW -j MASQUERADE
# Enable IP forwarding, SYN cookie protection, protection from Smurf attacks
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# ADDITIONAL STUFF
# Allow ssh in from local network
iptables -t nat -A PREROUTING -i $GW -p tcp --dport 22 \
    -j DNAT --to-destination 192.168.0.0
iptables -I FORWARD -p tcp -d 192.168.0.0/24 --dport 22 -j ACCEPT
# Allow portmapper from local network for NFS
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 111 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.0.0/24 --dport 111 -j ACCEPT
# Allow Azureus tracker
iptables -I INPUT -p tcp --dport 44662 -j ACCEPT
iptables -I INPUT -p udp --dport 44662 -j ACCEPT
This ruleset is installed, of course, on the net-facing machine. You'll see
I've added a few extra bits to allow SSHing in, file serving, and torrent
tracking. Feel free to steal any of this. I've set my firewall script up to
install the ruleset during system initialization. Suse has its own built-in
ruleset handled by YAST, so you'll simply need to check that it NATs
anything going out of or coming into the LAN's IP space. Once the WiFi
cards are set up in Ad-Hoc mode with static IPs, all on the same ESSID, the
fact that those connections are wireless is totally transparent.
If you want the iPAQ and/or the laptop to be able to access files on the
LAN, you'll need to set up Samba and/or NFS.
It all looks complicated just dumped in a newsgroup post like this, but it's
simple in practice. If you decide to go this route, give us a yell if you
need any more help.
--
Garry Knight
garryknight@xxxxxxx
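An added example (not part of the original post or its author's setup): a small Python parser for the /etc/network/interfaces stanza shown above, plus a consistency check of the static-IP plan (gateway inside the subnet, no address collisions between the three machines, a wireless key actually present) and a converter to the equivalent iwconfig line. The sample stanza is constructed from the post; the interface name ra0, the ESSID ariel and the XXXX key placeholder are taken from it as-is.

```python
import ipaddress

# Constructed sample: the laptop stanza from the post, WEP key placeholder kept.
LAPTOP_STANZA = """\
iface ra0 inet static
    wireless-essid ariel
    address 192.168.0.2
    netmask 255.255.255.0
    gateway 192.168.0.1
    wireless-key XXXXXXXXXXXXXXXX
    wireless-mode Ad-hoc
"""

def parse_iface_stanza(text):
    """Parse one 'iface <name> inet static' stanza into a dict of options."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "iface":
            name, family, method = value.split()
            opts.update(iface=name, family=family, method=method)
        else:
            opts[key] = value.strip()
    return opts

def check_static_config(opts, peers):
    """Return a list of problems with a static ad-hoc stanza (empty == OK).
    peers: addresses already assigned to the other hosts on the same ESSID."""
    problems = []
    if opts.get("method") != "static":
        problems.append("method is not 'static'")
    if opts.get("wireless-mode", "").lower() != "ad-hoc":
        problems.append("wireless-mode is not Ad-hoc")
    try:
        net = ipaddress.ip_interface(f"{opts['address']}/{opts['netmask']}").network
        gw = ipaddress.ip_address(opts["gateway"])
    except (KeyError, ValueError) as exc:
        return problems + [f"bad address/netmask/gateway: {exc}"]
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    if str(gw) == opts["address"]:
        problems.append("gateway equals the host's own address")
    if opts["address"] in peers:
        problems.append(f"address {opts['address']} collides with another host")
    if not opts.get("wireless-key"):
        problems.append("no wireless-key: the ad-hoc link would be open")
    return problems

def to_iwconfig(opts):
    """Render the manual iwconfig equivalent of the stanza (as in the post)."""
    return (f"iwconfig {opts['iface']} essid {opts['wireless-essid']} "
            f"mode Ad-Hoc key {opts['wireless-key']}")
```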