Example [hostapd.conf](http://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf). Simple article for a basic setup [here](https://medium.com/p/3c18760e6f7e).

The AP can be started and an iPhone manages to connect. Now I must 1. ensure WPA2 or WPA3 is used and 2. enable IP masquerading for the internet connection. Then I should finally be able to set up the devices properly and start sniffing traffic.

# 1st attempt AP setup

### Config files

File: `/etc/dnsmasq.d/dhcp-for-ap.conf`

Content:

```config
interface=wlp0s20f0u1
dhcp-range=10.0.0.3,10.0.0.20,12h
```

**BEWARE**: The file above is only read if `/etc/dnsmasq.conf` includes it, with a line `conf-file=/etc/dnsmasq.d/dhcp-for-ap.conf` or `conf-dir=/etc/dnsmasq.d/,*.conf`, see [here](https://wiki.archlinux.org/title/Dnsmasq#Configuration). dnsmasq does not re-read its configuration on SIGHUP, so it has to be restarted after the change.

Other configs are in the `code/` directory.

## Used commands

See the `code/` dir, commit `devel@299912e`.

## Sanity Check

```bash
$ sudo hostapd ./hostapd.conf
# Output upon trying to connect with iPhone
wlp0s20f0u1: interface state UNINITIALIZED->ENABLED
wlp0s20f0u1: AP-ENABLED
wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: authenticated
wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: authenticated
wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: associated (aid 1)
wlp0s20f0u1: AP-STA-CONNECTED f2:10:60:95:28:05
wlp0s20f0u1: STA f2:10:60:95:28:05 RADIUS: starting accounting session 9C7F40AA0385E2B2
wlp0s20f0u1: STA f2:10:60:95:28:05 WPA: pairwise key handshake completed (RSN)
wlp0s20f0u1: EAPOL-4WAY-HS-COMPLETED f2:10:60:95:28:05
```

Connection established (the 4-way handshake completes, so the link-layer side works) but no internet, as expected: nothing forwards or NATs the client's traffic yet.
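Point 1 above (WPA2 or WPA3 only) is easy to get subtly wrong because hostapd's `wpa=` option is a bitmask (1 = WPA, 2 = WPA2/RSN, 3 = both). The following is an added example, not code from this repo's `code/` directory: a small lint for a `hostapd.conf` that flags the settings a modern client treats as "weak security" (legacy WPA enabled, TKIP allowed, SAE without PMF). The file layout and key names are hostapd's own; the pass/fail policy is mine.

```bash
#!/usr/bin/env bash
# Added example (not the page's own code): lint a hostapd.conf for WPA settings.
# hostapd semantics used here: `wpa` is a bitmask (1 = WPA, 2 = RSN/WPA2, 3 = both);
# WPA3-Personal is wpa=2 plus wpa_key_mgmt=SAE, and SAE requires PMF (ieee80211w).

# Print the value of KEY from hostapd.conf FILE (last definition wins, as in hostapd).
hapd_get() {                         # usage: hapd_get FILE KEY
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Return 0 if FILE configures WPA2/WPA3 only; otherwise print the problems and return 1.
check_hostapd_security() {           # usage: check_hostapd_security FILE
    local f="$1" wpa pairwise kmgmt pmf rc=0
    wpa=$(hapd_get "$f" wpa)
    pairwise=$(hapd_get "$f" rsn_pairwise)
    kmgmt=$(hapd_get "$f" wpa_key_mgmt)
    pmf=$(hapd_get "$f" ieee80211w)
    kmgmt=${kmgmt:-WPA-PSK}          # hostapd's default when the key is absent

    case "$wpa" in
        2)   ;;                                                   # RSN only: good
        1|3) echo "wpa=$wpa still enables legacy WPA (TKIP era); use wpa=2"; rc=1 ;;
        *)   echo "wpa is '${wpa:-unset}': AP is open or unrecognised; use wpa=2"; rc=1 ;;
    esac

    case "$pairwise" in
        "")     echo "rsn_pairwise unset; set rsn_pairwise=CCMP explicitly so TKIP cannot be negotiated"; rc=1 ;;
        *TKIP*) echo "rsn_pairwise='$pairwise' allows TKIP; use CCMP"; rc=1 ;;
    esac

    case " $kmgmt " in
        *" SAE "*)      # WPA3-Personal, or WPA2/WPA3 transition mode when WPA-PSK is listed too
            case "$pmf" in
                1|2) ;;
                *)   echo "SAE requires PMF: set ieee80211w=2 (or 1 in transition mode)"; rc=1 ;;
            esac ;;
        *" WPA-PSK "*)  ;;                                        # WPA2-Personal
        *)  echo "wpa_key_mgmt='$kmgmt': expected WPA-PSK and/or SAE"; rc=1 ;;
    esac
    return $rc
}

# Usage: ./check-hostapd.sh ./hostapd.conf
if [ -n "${1:-}" ]; then
    check_hostapd_security "$1" && echo "$1: WPA2/WPA3 only"
fi
```

On the config from the first attempt this reports `wpa=3 still enables legacy WPA` and exits non-zero; after the change to `wpa=2` with `rsn_pairwise=CCMP` it is silent.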
## Test

*Input*

```bash
sudo ./initSwAP wlp
```

*Output*

```
net.ipv4.ip_forward = 1
wlp0s20f0u1: interface state UNINITIALIZED->ENABLED
wlp0s20f0u1: AP-ENABLED
wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: authenticated
wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: associated (aid 1)
wlp0s20f0u1: AP-STA-CONNECTED f2:10:60:95:28:05
wlp0s20f0u1: STA f2:10:60:95:28:05 RADIUS: starting accounting session C77A903F5D15F3B3
wlp0s20f0u1: STA f2:10:60:95:28:05 WPA: pairwise key handshake completed (RSN)
wlp0s20f0u1: EAPOL-4WAY-HS-COMPLETED f2:10:60:95:28:05
```

Unfortunately still no internet connection.

## Analysis

I had forgotten to import the DHCP config file.

**Changes**: Add the dnsmasq DHCP config and change `wpa=3` to `wpa=2` so that only WPA2 is used. In hostapd `wpa` is a bitmask (1 = WPA, 2 = WPA2/RSN, 3 = both), so `wpa=3` still offered legacy WPA with TKIP, which is what the iPhone's weak-security warning was about. -> Now the iPhone doesn't warn about security. Unfortunately still no internet connection can be established.

## Today's 2nd attempt at establishing an internet connection

__Remarks/Observations:__

- The iPhone connects to the AP but receives the IP address `169.254.196.21` with subnet mask `255.255.0.0`. `169.254.0.0/16` is the reserved link-local range that a client assigns itself when no DHCP server answers -> so the iPhone did not get a lease from the DHCP server.
- Could the firewall be the problem? TODO -> iptables rules for DNS and DHCP (UDP 53 and UDP 67 inbound on the AP interface).
- Maybe I need to set a static IP on the AP interface first, as mentioned [here](https://woshub.com/create-wi-fi-access-point-hotspot-linux/). This matters for DHCP: dnsmasq only hands out leases from a `dhcp-range` if the interface it listens on already has an address in that subnet, so with the range `10.0.0.3,10.0.0.20` the interface needs something like `10.0.0.1/24` (not the `10.10.0.1` of the snippet below).

```bash
# nano /etc/network/interfaces
auto wlp0s20f0u1
iface wlp0s20f0u1 inet static
address 10.10.0.1
netmask 255.255.255.0
```

- `/etc/network/interfaces` doesn't exist on my machine... (it belongs to Debian's ifupdown; Fedora uses NetworkManager). The one-off equivalent is `sudo ip addr add 10.0.0.1/24 dev wlp0s20f0u1`, and NetworkManager should be told to leave the interface alone with `nmcli device set wlp0s20f0u1 managed no` so it does not reconfigure it underneath hostapd.

### Some configs to remember for later

dnsmasq:

```
#interface=wlp0s20f0u1
listen-address=10.0.0.2
dhcp-range=10.0.0.3,10.0.0.20,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
domain-needed
bogus-priv
filterwin2k
server=1.1.1.1
no-hosts
```

Caveat: this snippet is internally inconsistent. It listens on `10.0.0.2` but advertises `192.168.1.1` as the router (option 3) and DNS server (option 6). Both must be this host's own address on the AP interface, otherwise clients get a lease but have no usable default route and no DNS.

Maybe I need to enable IPv6 forwarding too?

```
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv6.conf.all.forwarding = 1
```

For IPv4 masquerading only `net.ipv4.ip_forward = 1` is needed (`net.ipv4.conf.all.forwarding` is the same switch seen per interface). IPv6 forwarding only matters if IPv6 is actually routed to the clients, which the IPv4 masquerade does not cover.

Flushing iptables: `iptables -F` only flushes the chains of the default `filter` table; the `nat` and `mangle` tables are flushed separately with `iptables -t nat -F` and `iptables -t mangle -F`.
For more see [archwiki/iptables/Reset Rules](https://wiki.archlinux.org/title/Iptables#Resetting_rules)

- `sudo systemctl status iptables` says there is no such service unit!? -> Fedora uses [[firewalld]], which _is_ reported as running.

#### Firewalld exploring

```bash
sudo firewall-cmd --get-active-zones
# Output:
# FedoraWorkstation (default)
#   interfaces: wlp44s0
```

Only the uplink `wlp44s0` is bound to a zone here. An interface without an explicit zone falls into the default zone, and `FedoraWorkstation` does not allow the `dhcp` or `dns` services, so dnsmasq's replies to clients on the AP interface are dropped unless those services are added to the zone (`firewall-cmd --add-service=dhcp`, `firewall-cmd --add-service=dns`).

### Steps taken after restarting with [[firewalld]]

1. Followed the steps in chapters 2.3.3 and 2.4 [here](https://wiki.archlinux.org/title/Internet_sharing#Enable_packet_forwarding). This should have enabled masquerading and set the ports for DNS and DHCP to ACCEPT.
2. Firewalld is not powerful enough, it seems.

### nftables

Overview of a common configuration and packet flow:

A host acting as a simple firewall and gateway may define only a small number of nft chains, each matching a kernel hook:

- a prerouting chain, for all newly-arrived IP traffic
- an input chain, for traffic addressed to the local host itself
- an output chain, for traffic originating from the local host itself
- a forward chain, for packets the host is asked to simply pass from one network to another
- a postrouting chain, for all IP traffic leaving the firewall

For configuration convenience and by convention, we group the input, output, and forward chains into a filter table. Most rules in setups like this attach to the forward chain. If NAT is required, we follow the convention of creating a nat table to hold the prerouting and postrouting chains. Source-NAT rules (where we rewrite the packet source) attach to the postrouting chain, and destination-NAT rules (where we rewrite the packet's destination) attach to the prerouting chain.

Packet flow is straightforward. In this configuration only one chain attaches to each hook (nftables allows several per hook, ordered by priority). Within a chain the first accept or drop rule a packet matches wins; a packet that matches nothing falls through to the chain's policy.
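Putting the two threads of these notes together (the bring-up procedure from the attempts above: address on the AP interface, `ip_forward`, DHCP/DNS via dnsmasq, masquerading, hostapd; and the chain layout from the nftables overview), the following is an added example and not the `initSwAP` script from `code/`. Assumptions that are mine, not the page's: the AP interface is `wlp0s20f0u1` with `10.0.0.1/24` as gateway for the page's `dhcp-range`, the uplink is `wlp44s0` (the interface firewalld listed), and firewalld has been stopped beforehand (`systemctl stop firewalld`) so this is the only ruleset on the host. The two `gen_*` functions only print configuration and can be inspected without root; `ap_up` applies everything and needs root.

```bash
#!/usr/bin/env bash
# Added example (not the page's initSwAP): Wi-Fi AP with NAT to an uplink,
# using the nftables layout from the overview: a filter table with
# input/forward/output chains and a nat table with prerouting/postrouting chains.
# Assumptions (mine): 10.0.0.1/24 on the AP interface, firewalld stopped first.

AP_ADDR=10.0.0.1          # gateway address on the AP interface (assumption)
AP_NET=10.0.0.0/24        # subnet of the page's dhcp-range 10.0.0.3-10.0.0.20

# Print the nftables ruleset for AP interface $1 and uplink $2 (idempotent on reload).
gen_nft_ruleset() {
    ap_if="$1"; wan_if="$2"
    cat <<EOF
add table inet filter
flush table inet filter
add table ip nat
flush table ip nat
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # DHCP (udp/67) and DNS (53) from the Wi-Fi clients to dnsmasq on this host
        iifname "$ap_if" udp dport { 67, 53 } accept
        iifname "$ap_if" tcp dport 53 accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # anything else this host must serve (e.g. ssh on the uplink) needs its own accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # only client -> uplink is routed; clients get no path anywhere else
        iifname "$ap_if" oifname "$wan_if" ip saddr $AP_NET accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # source NAT: rewrite client addresses to the uplink's address
        oifname "$wan_if" ip saddr $AP_NET masquerade
    }
}
EOF
}

# Print a dnsmasq config that serves DHCP and DNS only on AP interface $1.
gen_dnsmasq_conf() {
    cat <<EOF
interface=$1
bind-interfaces
dhcp-range=10.0.0.3,10.0.0.20,12h
# router and DNS advertised to clients must be this host's address on the AP interface
dhcp-option=option:router,$AP_ADDR
dhcp-option=option:dns-server,$AP_ADDR
server=1.1.1.1
domain-needed
bogus-priv
no-hosts
EOF
}

# Bring the AP up: ap_up AP_IF WAN_IF HOSTAPD_CONF [RUNDIR]. Runs hostapd in the foreground.
ap_up() {
    ap_if="$1"; wan_if="$2"; hapd_conf="$3"; run="${4:-/run/swap}"
    [ "$(id -u)" -eq 0 ] || { echo "ap_up: must run as root" >&2; return 1; }
    mkdir -p "$run"
    # Keep NetworkManager from reconfiguring the interface underneath hostapd.
    command -v nmcli >/dev/null 2>&1 && nmcli device set "$ap_if" managed no
    ip link set "$ap_if" up
    # dnsmasq only serves a dhcp-range whose subnet is configured on the interface.
    ip addr replace "$AP_ADDR/24" dev "$ap_if"
    sysctl -w net.ipv4.ip_forward=1
    gen_nft_ruleset "$ap_if" "$wan_if" > "$run/ap.nft"
    nft -f "$run/ap.nft"
    gen_dnsmasq_conf "$ap_if" > "$run/dnsmasq.conf"
    dnsmasq --conf-file="$run/dnsmasq.conf" --pid-file="$run/dnsmasq.pid"
    hostapd "$hapd_conf"
}

# Usage: sudo ./ap.sh wlp0s20f0u1 wlp44s0 ./hostapd.conf
if [ $# -ge 3 ]; then
    ap_up "$@"
fi
```

Two things worth knowing before running it: the `policy drop` on the input chain means any service the laptop normally exposes (ssh, mDNS, ...) is blocked until given its own accept rule, and `nft -f` with the leading `add table`/`flush table` lines makes the script safe to re-run after editing rules without stacking duplicates.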