2024-06-28 23:49:16 +02:00


Links: example hostapd.conf; simple article for basic setup here.

The AP can be started and an iPhone manages to connect. Now must 1. ensure WPA2 or WPA3 and 2. enable IP masquerading for the internet connection. Then finally it should be possible to set up the devices properly and start sniffing traffic.

1st attempt AP setup

Config files

File: /etc/dnsmasq.d/dhcp-for-ap.conf
Content:

interface=wlp0s20f0u1
dhcp-range=10.0.0.3,10.0.0.20,12h

BEWARE: the above must be loaded from /etc/dnsmasq.conf with a line such as conf-file=/etc/dnsmasq.d/dhcp-for-ap.conf or conf-dir=/etc/dnsmasq.d/,*.conf (see here). Other configs are in the code/ directory.

Used commands

See code/ dir commit devel@299912e .

Sanity Check

$ sudo hostapd ./hostapd.conf
# Output upon trying to connect with iPhone
wlp0s20f0u1: interface state UNINITIALIZED->ENABLED
wlp0s20f0u1: AP-ENABLED 
wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: authenticated
wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: authenticated
wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: associated (aid 1)
wlp0s20f0u1: AP-STA-CONNECTED f2:10:60:95:28:05
wlp0s20f0u1: STA f2:10:60:95:28:05 RADIUS: starting accounting session 9C7F40AA0385E2B2
wlp0s20f0u1: STA f2:10:60:95:28:05 WPA: pairwise key handshake completed (RSN)
wlp0s20f0u1: EAPOL-4WAY-HS-COMPLETED f2:10:60:95:28:05

Connection established but no internet as expected.

Test

Input

sudo ./initSwAP wlp

Output

net.ipv4.ip_forward = 1
wlp0s20f0u1: interface state UNINITIALIZED->ENABLED
wlp0s20f0u1: AP-ENABLED 
wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: authenticated
wlp0s20f0u1: STA f2:10:60:95:28:05 IEEE 802.11: associated (aid 1)
wlp0s20f0u1: AP-STA-CONNECTED f2:10:60:95:28:05
wlp0s20f0u1: STA f2:10:60:95:28:05 RADIUS: starting accounting session C77A903F5D15F3B3
wlp0s20f0u1: STA f2:10:60:95:28:05 WPA: pairwise key handshake completed (RSN)
wlp0s20f0u1: EAPOL-4WAY-HS-COMPLETED f2:10:60:95:28:05

Unfortunately still no internet connection.

Analysis

Had forgotten to import the dhcp config file. Changes: add dnsmasq dhcp config and change wpa=3 to wpa=2 s.t. only WPA2 is used -> now the iPhone doesn't warn about security. Unfortunately still no internet connection can be established.
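The wpa=3 -> wpa=2 change above, as an added example hostapd.conf (this is not the page's own config from code/, which is not shown here). It keeps the page's interface wlp0s20f0u1 and offers WPA2-PSK together with WPA3-SAE in transition mode; SSID, passphrase and country code are placeholders/assumptions:

```conf
# Added example hostapd.conf, not the page's code/hostapd.conf.
# Assumptions: AP interface wlp0s20f0u1 (from the page); SSID, passphrase
# and country_code are placeholders to replace before use.
interface=wlp0s20f0u1
driver=nl80211
ssid=LAB-AP-PLACEHOLDER
hw_mode=g
channel=6
ieee80211n=1
# Assumption: set to the regulatory domain the AP actually operates in.
country_code=DE

# Open system authentication only (1); shared-key/WEP (2) is never wanted.
auth_algs=1
ignore_broadcast_ssid=0

# wpa is a bitmask: 1 = WPA (TKIP era), 2 = WPA2/RSN, 3 = both.
# Only bit 1 is set, so no WPA1/TKIP is offered and clients stop warning.
wpa=2
# WPA2-PSK for older clients, SAE (WPA3) for clients that support it.
wpa_key_mgmt=WPA-PSK SAE
wpa_passphrase=CHANGE-ME-PLACEHOLDER
sae_password=CHANGE-ME-PLACEHOLDER
# CCMP (AES) only; TKIP is not listed anywhere.
rsn_pairwise=CCMP

# Management frame protection: 1 = optional (WPA2 clients still join),
# 2 = required (use this for a WPA3-only network).
ieee80211w=1
# SAE clients must use MFP even while WPA2 clients are allowed without it.
sae_require_mfp=1
```

Because wpa_key_mgmt lists both methods, a client that supports SAE picks it and older clients fall back to WPA2-PSK; the handshake still ends with the EAPOL-4WAY-HS-COMPLETED line seen in the sanity check above. For a WPA3-only network drop WPA-PSK and wpa_passphrase and set ieee80211w=2.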

Today's 2nd attempt at establishing an internet connection.

Remarks/Observations:

  • iPhone connects to AP. Receives IP address 169.254.196.21 with subnet mask 255.255.0.0. The IP is a reserved non-routable link-local address -> thus it seems that the iPhone did not get an address from the dhcp server.
  • Could firewall be the problem? TODO -> iptables for dns and dhcp
  • Maybe need to set static ip first etc as mentioned here
    # nano /etc/network/interfaces
    auto wlp0s20f0u1
    iface wlp0s20f0u1 inet static
    address 10.10.0.1
    netmask 255.255.255.0
    
  • /etc/network/interfaces doesn't exist on my machine...

Some configs to remember for later

dnsmasq:

#interface=wlp0s20f0u1
listen-address=10.0.0.2
dhcp-range=10.0.0.3,10.0.0.20,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
domain-needed
bogus-priv
filterwin2k
server=1.1.1.1
no-hosts

Maybe need to enable ipv6 forwarding?

net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv6.conf.all.forwarding = 1

Flushing iptables: iptables -F flushes all tables. For more see archwiki/iptables/Reset Rules

  • sudo systemctl status iptables says there is no such service unit!? -> Fedora uses firewalld, which is reported as running.

Firewalld exploring

sudo firewall-cmd --get-active-zones
# Output:
#	FedoraWorkstation (default)
#	  interfaces: wlp44s0

Steps taken after restarting with firewalld

  1. Followed steps in chapters 2.3.3 and 2.4 here. This should have enabled masquerading and set the ports for dns and dhcp to ACCEPT.
  2. Firewalld is not powerful enough, it seems.

nftables

  • #TODO : What is the source of this info?!

Overview of a common configuration and packet flow

A host acting as a simple firewall and gateway may define only a small number of nft chains, each matching a kernel hook:

  • a prerouting chain, for all newly-arrived IP traffic
  • an input chain, for traffic addressed to the local host itself
  • an output chain, for traffic originating from the local host itself
  • a forward chain, for packets the host is asked to simply pass from one network to another
  • a postrouting chain for all IP traffic leaving the firewall

For configuration convenience and by convention, we group the input, output, and forward chains into a filter table. Most rules in setups like this attach to the forward chain.

If NAT is required, we follow the convention of creating a nat table to hold the prerouting and postrouting chains. Source-NAT rules (where we rewrite the packet's source) attach to the postrouting chain, and destination-NAT rules (where we rewrite the packet's destination) attach to the prerouting chain.

Packet flow is straightforward. Only one chain attaches to each hook. The first accept or drop rule a packet matches wins.
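The chain/table layout above, applied to this AP setup as an added example ruleset (not from the page's code/ directory and not the firewalld configuration). It does what the firewalld steps were meant to do: accept dhcp and dns from AP clients on the input chain, forward only the AP subnet out to the uplink, and masquerade on postrouting. Assumptions: wlp0s20f0u1 is the AP interface with the 10.0.0.0/24 range from the dnsmasq config, and wlp44s0 (the interface firewalld listed in its default zone) is the uplink; no prerouting/DNAT chain is needed because nothing is forwarded inbound:

```nft
#!/usr/sbin/nft -f
# Added example ruleset for the AP host; not the page's own config.
# Assumptions: AP interface wlp0s20f0u1 serving 10.0.0.0/24, uplink wlp44s0.
flush ruleset

define ap_if  = "wlp0s20f0u1"
define wan_if = "wlp44s0"
define ap_net = 10.0.0.0/24

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # dnsmasq must be reachable from AP clients: DHCP (udp/67) and DNS (53).
        # DHCP discover arrives from 0.0.0.0 to broadcast, so match on interface only.
        iifname $ap_if udp dport { 67, 53 } accept
        iifname $ap_if tcp dport 53 accept
        icmp type echo-request accept
        # Keep IPv6 neighbour discovery working on the host itself.
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept
        # Nothing else reaches the host; hostapd's EAPOL runs at layer 2 and needs no rule here.
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Only AP clients using their own subnet may leave via the uplink;
        # spoofed sources and anything arriving from the uplink are dropped.
        iifname $ap_if oifname $wan_if ip saddr $ap_net accept
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Source NAT for AP clients on the uplink, as the overview describes.
        oifname $wan_if ip saddr $ap_net masquerade
    }
}
```

Check it with nft -c -f ap.nft before loading with nft -f ap.nft; flush ruleset removes whatever firewalld installed, so stop firewalld first or it will fight over the ruleset. The forward rule only passes packets sourced from 10.0.0.0/24, so the gateway and DNS addresses dnsmasq hands out (dhcp-option=3 and dhcp-option=6) must be the AP interface's own address inside that subnet, and net.ipv4.ip_forward=1 is still required as noted above; nftables does not enable forwarding by itself.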