Update.

code/hostapd.conf

@@ -6,8 +6,7 @@ channel=11
 macaddr_acl=0
 auth_algs=1
 ignore_broadcast_ssid=0
-wpa=3
+wpa=2
 wpa_passphrase=11help22help33
 wpa_key_mgmt=WPA-PSK
-wpa_pairwise=TKIP
 rsn_pairwise=CCMP

code/initSwAP

@@ -0,0 +1,35 @@
+#!/bin/bash
+# DISCLAIMER! THIS CODE HAS BEEN TAKEN FROM:
+# https://nims11.wordpress.com/2012/04/27/hostapd-the-linux-way-to-create-virtual-wifi-access-point/
+# Usage: ./initSoftAP
+########### Initial wifi interface configuration #############
+ip link set $1 down
+ip addr flush dev $1
+ip link set $1 up
+ip addr add 10.0.0.1/24 dev $1
+ 
+# If you still use ifconfig for some reason, replace the above lines with the following
+# ifconfig $1 up 10.0.0.1 netmask 255.255.255.0
+sleep 2
+###########
+ 
+########### Start dnsmasq ##########
+if [ -z "$(ps -e | grep dnsmasq)" ]
+then
+ dnsmasq
+fi
+###########
+########### Enable NAT ############
+iptables -t nat -A POSTROUTING -o $2 -j MASQUERADE
+iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -A FORWARD -i $1 -o $2 -j ACCEPT
+ 
+#Thanks to lorenzo
+#Uncomment the line below if facing problems while sharing PPPoE, see lorenzo's comment for more details
+#iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ 
+sysctl -w net.ipv4.ip_forward=1
+###########
+########## Start hostapd ###########
+hostapd $PWD/hostapd.conf ## TODO! either put config in normal place
+#killall dnsmasq

code/initSwAP_nftables

@@ -0,0 +1,36 @@
+#!/bin/bash
+# DISCLAIMER! THIS CODE HAS BEEN TAKEN FROM:
+# https://nims11.wordpress.com/2012/04/27/hostapd-the-linux-way-to-create-virtual-wifi-access-point/
+# Usage: ./initSoftAP
+########### Initial wifi interface configuration #############
+ip link set $1 down
+ip addr flush dev $1
+ip link set $1 up
+ip addr add 10.0.0.1/24 dev $1
+ 
+# If you still use ifconfig for some reason, replace the above lines with the following
+# ifconfig $1 up 10.0.0.1 netmask 255.255.255.0
+sleep 2
+###########
+ 
+########### Start dnsmasq ##########
+if [ -z "$(ps -e | grep dnsmasq)" ]
+then
+ dnsmasq
+fi
+###########
+########### Enable NAT ############
+nft add table nat
+nft -- add chain nat prerouting { type nat hook prerouting priority -100 \; }
+nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
+nft add rule nat postrouting oifname wlp44s0 wlp masquerade
+
+#Thanks to lorenzo
+#Uncomment the line below if facing problems while sharing PPPoE, see lorenzo's comment for more details
+#iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ 
+sysctl -w net.ipv4.ip_forward=1
+###########
+########## Start hostapd ###########
+hostapd $PWD/hostapd.conf ## TODO! either put config in normal place
+#killall dnsmasq

notes/journal/Mon, 25 March 2024.md

@@ -0,0 +1,5 @@
+First success using mac mini.
+Could record some data of amazon echo.
+Setup gues network on router without any security, this enabled some capture since no keys had to be configured or handshakes captured (would be an issue without any channel controll)
+Issue: Channalhopping -> missing a lot of traffic
+To avoid channelhopping: Somehow fix the channel on router.

notes/journal/Tue, 19. March 2024.md

@@ -1,3 +1,117 @@
 Example [hostapd.conf](http://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf)
 Simple article for basic setup [here](https://medium.com/p/3c18760e6f7e)
 AP can be started an iPhone manages to connect. Now must 1:.ensure WPA2 or WPA3 and 2. enable ipmasquerading for internet connection. Then finally should be able to setup devices properly and start sniffing on traffic.
+
+# 1st attempt AP setup
+### Config files
+File:`/etc/dnsmasq.d/dhcp-for-ap.conf`
+Content: 
+```config
+interface=wlp0s20f0u1
+dhcp-range=10.0.0.3,10.0.0.20,12h
+```
+**BEWARE**: Must load above into `/etc/dnsmasq.conf` with a line that goes `conf-file=/etc/dnsmasq.d/dhcp-for-ap.conf`  or `conf-dir=/etc/dnsmasq.d/,*.conf` see [here](https://wiki.archlinux.org/title/Dnsmasq#Configuration) 
+Other configs in `code/` directory.
+## Used commands
+See `code/` dir commit `devel@299912e` .
+## Sanity Check
+```bash
+$ sudo hostapd ./hostapd.conf
+# Output upon trying to connect with iPhone
+wlp0s20f0u1: interface state UNINITIALIZED->ENABLED
+wlp0s20f0u1: AP-ENABLED 
+wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: authenticated
+wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: authenticated
+wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: associated (aid 1)
+wlp0s20f0u1: AP-STA-CONNECTED f2:10:60:95:28:05
+wlp0s20f0u1: STA f2:10:60:95:28:05 RADIUS: starting accounting session 9C7F40AA0385E2B2
+wlp0s20f0u1: STA f2:10:60:95:28:05 WPA: pairwise key handshake completed (RSN)
+wlp0s20f0u1: EAPOL-4WAY-HS-COMPLETED f2:10:60:95:28:05
+```
+Connection established but no internet as expected.
+## Test
+*Input* 
+```bash
+sudo ./initSwAP wlp
+```
+*Output*
+```
+net.ipv4.ip_forward = 1
+wlp0s20f0u1: interface state UNINITIALIZED->ENABLED
+wlp0s20f0u1: AP-ENABLED 
+wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: authenticated
+wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: associated (aid 1)
+wlp0s20f0u1: AP-STA-CONNECTED f2:10:60:95:28:05
+wlp0s20f0u1: STA f2:10:60:95:28:05 RADIUS: starting accounting session C77A903F5D15F3B3
+wlp0s20f0u1: STA f2:10:60:95:28:05 WPA: pairwise key handshake completed (RSN)
+wlp0s20f0u1: EAPOL-4WAY-HS-COMPLETED f2:10:60:95:28:05
+```
+Unfortunatly still no internet connection.
+
+## Analysis
+Had forgot to import dhcp config file. 
+**Changes**: Add dnsmasq dhcp config and change wpa=3 to wpa=2 s.t. only WPA2 is used -> Now iPhone doesn't warn for security.
+Unfortunatly still no internet connectino can be established.
+
+## Todays 2nd attempt at Establishing an internet connection.
+__Remarks/Observations:__
+- iPhone connects to AP. Receieves IP Address `169.254.196.21` with subnet mask `255.255.0.0`. I
+- P is a reserved non-routable for link-local ->Thus it seems that iPhone did not get an address from dhcp server.
+- Could firewall be the problem? TODO -> iptables for dns and dhcp
+- Maybe need to set static ip first etc as mentioned [here](https://woshub.com/create-wi-fi-access-point-hotspot-linux/) 
+	```bash
+	# nano /etc/network/interfaces
+	auto wlp0s20f0u1
+	iface wlp0s20f0u1 inet static
+	address 10.10.0.1
+	netmask 255.255.255.0
+	```
+- `/etc/network/interfaces` doesn't exist on my machine...
+### Some configs to remember for later
+dnsmasq:
+```
+#interface=wlp0s20f0u1
+listen-address=10.0.0.2
+dhcp-range=10.0.0.3,10.0.0.20,12h
+dhcp-option=3,192.168.1.1
+dhcp-option=6,192.168.1.1
+domain-needed
+bogus-priv
+filterwin2k
+server=1.1.1.1
+no-hosts
+```
+Maybe need to enable ipv6 forwarding?
+```
+net.ipv4.ip_forward = 1
+net.ipv4.conf.all.forwarding = 1
+net.ipv6.conf.all.forwarding = 1
+```
+Flushing iptables: `iptables -F` flushes all tables. For more see [archwiki/iptables/Reset Rules](https://wiki.archlinux.org/title/Iptables#Resetting_rules) 
+- `sudo systemctl status iptables` says there is no such service unit!? -> Fedora uses [[firewalld]], which _is_ reported as running .........
+#### Firewalld exploring
+```bash
+sudo firewall-cmd --get-active-zones
+# Output:
+#	FedoraWorkstation (default)
+#	  interfaces: wlp44s0
+```
+### Steps taken after restarting with [[firewalld]]
+1. Followed steps in chapters 2.3.3 and 2.4 [here](https://wiki.archlinux.org/title/Internet_sharing#Enable_packet_forwarding). This should have enabled masquerading and have the ports ACCEPT for dns and dhcp.
+2. Firewalld is not powerfull enough it seems
+### nfttables
+Overview of a common configuration and packet flow
+
+A host acting as a simple firewall and gateway may define only a small number of nft chains, each matching a kernel hook:
+
+    a prerouting chain, for all newly-arrived IP traffic
+    an input chain, for traffic addressed to the local host itself
+    an output chain, for traffic originating from the local host itself
+    a forward chain, for packets the host is asked to simply pass from one network to another
+    a postrouting chain for all IP traffic leaving the firewall
+
+For configuration convenience and by convention, we group the input, output, and forward chains into a filter table. Most rules in setups like this attach to the forward chain.
+
+If NAT is required, we follow the convention of creating a nat table to hold the prerouting and postrouting chains. Source-NAT rules (where we rewrite the packet source) attach to the postrouting chain, and destination-NAT rules (where we rewrite the packet’s destination) attach to the prerouting chain.
+
+Packet flow is straightforward. Only one chain attaches to each hook. The first accept or drop rule a packet matches wins.

notes/todos/todo.md

@@ -3,3 +3,12 @@
 - [ ] Have not managed to setup AP/Hotspot: Amazon echodot needs iOS app but iPhone will not connect to AP on fedora Laptop
 - [x] ~~Ask Valentyna/Nima for other approach to capture traffic~~ Preliminary Fix: USB Plugable Wifi Adapters.
 - [ ] Look into how to route to internet!
+
+
+
+
+IEEE 802.11: www.ieee802.org/11/
+FCC 2.4 GHz: https://transition.fcc.gov/Bureaus/Engineering_Technology/Orders/2000/fcc00312.pdf
+WPA3 Specification: www.wi-fi.org/download.php?file=/sites/default/files/private/WPA3_Specification_v3.0.pdf
+Wireless LAN Display Filters: www.wireshark.org/docs/dfref/w/wlan.html
+WPA-PSK Key Generator Tool: www.wireshark.org/tools/wpa-psk.html

notes/wiki/firewalld.md

@@ -0,0 +1 @@
+Resources: [Firewalld](https://wiki.archlinux.org/title/Firewalld), [Internet Sharing](https://wiki.archlinux.org/title/Internet_sharing#With_firewalld)

notes/wiki/nmcli.md

@@ -1,6 +1,8 @@
-***TLDR:*** Command line utility of NetworkManager
+**TLDR:** Command line utility of [NetworkManager](https://networkmanager.dev)
+
 Benefit: Automates setting up WiFi, DHCP server and NAT config, according to [here](https://variwiki.com/index.php?title=Wifi_NetworkManager#Configuring_WiFi_Access_Point_with_NetworkManager).
 
+
 # Commands
 ```bash
 nmcli dev #list network devices
@@ -17,4 +19,30 @@ sudo systemctl restart NetworkManager # for config changes to take effect
 ```bash
 sudo nmcli device set <interface-name> managed no # make sure itnerface is not managed by NetworkManager. Can use d instead of device.
 ```
+More examples [here](https://networkmanager.dev/docs/api/latest/nmcli-examples.html)
+
+# Config
+## Ignoring specific devices
+This is mostly taken from different parts of [archwiki/NetworkManager](https://wiki.archlinux.org/title/NetworkManager). This is desirable so it wont interfere with our [[hostapd]] or [[dnsmasq]] config.
+In ``/etc/NetworkManager/conf.d/unmanaged.conf`` :
+MAC addr based:
+```config
+[keyfile]
+unmanaged-devices=mac:<hwaddr>
+```
+Interface name based:
+```config
+[keyfile]
+unmanaged-devices=interface-name:<ifname>
+```
+After modifying run
+```bash
+sudo nmcli general reload
+```
+
+Resources: https://wiki.archlinux.org/title/Software_access_point#NetworkManager_is_interfering and https://wiki.archlinux.org/title/NetworkManager#Ignore_specific_devices
+
+
+
+