Differences between revisions 23 and 24
Revision 23 as of 2004-03-08 16:51:33
Size: 20821
Editor: 198
Comment:
Revision 24 as of 2004-03-08 16:54:01
Size: 20827
Editor: 198
Comment:

Node name: 69th and Woodstock
Live Date: It's live!
Sponsor: [http://www.exocet.ca Exocet Industries]
Contact: Brad Zimmerman * node172@exocet.ca

Equipment Donated

  • Nothin'!

Software Installed

  • Debian Stable, 2.4.25-OW1 kernel.

Network Topology

  • Address: 69.30.71.214
  • Gateway: 69.30.71.1
  • Wireless Address: 192.168.30.1
  • Wireless Network: 192.168.30.0/25
  • DHCP Pool: 192.168.30.2-254.
  • Domain: www.personaltelco.net

Installers / Organizers

  • Brad Zimmerman

Maintenance and System Log

  • This node is UP! As of 2004-03-06, the node is fully functional. However, I am only broadcasting off of a 5.5 magnetic mount omni antenna, so I doubt the range is very significant. I haven't tested yet. The omni is broadcasting from, roughly, the middle of the house. The node is likely to go down for brief periods of time while I move it around and do testing.

Notes

  • Stuff yet to do:
  • Add NoCatAuth splash page and local content.
  • Move the node-on-a-laptop into the garage, mount on a platform near the peak of the garage.
  • Get 10-12dBi omni and mount on top of the garage.

Notes on my setup, from Start to Finish

The Hardware

  • Compaq Armada 1750 laptop: P2/333 w/ 196MB RAM, 6.5GB HD, built-in CDROM and floppy. Two PCMCIA slots. No built-in ethernet port. The specific type of laptop is not important. Any $100-150 laptop off of eBay should be fine. A built-in NIC is nice but is not required and is hard to find on an el cheapo laptop.

  • Senao SL-2511 wireless NIC. I think it's a very good wireless NIC.

  • Xircom Cardbus IIps wired NIC. Any single-height PCMCIA NIC will work but save yourself a headache and get Xircom, Intel or 3Com. Maybe Linksys.

  • 5.5 dBi magnetic mount omni (initially), a $15 buy from http://www.hyperlinktech.com/web/re05u.php

  • Cisco Catalyst 1900 programmable switch. A programmable switch, in my setup, is KEY. You can find one for about $100-120 (or less) on eBay. You don't need a fancy one - mine's just 10Mbit. However, you can get away without the switch - assuming that you feel your internal network is fairly resilient to the relatively small chance of attack. I had the switch already, so I used it.

  • Some Cat-5 ethernet cable. Free or up to $20, depending on where you get it.
  • You might need some LMR-400 and a pigtail, if you get a fancy (big) omni. Expect to pay about $25 for the LMR-400 and $20 for the pigtail (1-1.5 foot).

Your total cost shouldn't really exceed: $150 laptop, $90 Senao NIC, $20 Xircom NIC, $20 antenna[1], $100 Cisco switch + $20 ethernet[2] + $25 LMR-400[3] + $20 pigtail[3] = $380-500. Spending about $400 gets you a kickass setup. Spending $500 gets you covering many blocks of your neighborhood.

[1] $20-80, depending on what you get. Could be more or less. You can always make a Cantenna for less than $5. [2] Ethernet cable can be had either cheaply or freely, if you ask on the list or maybe visit FreeGeek in SE Portland. [3] These items aren't necessary, depending on what sort of antenna you get. These items ARE necessary for a fancy (powerful) setup, though.

I personally picked up the laptop for $50 through my place of work - they were selling off old equipment. The switch was in lieu of payment at a job a few years ago. I have an extra, if anyone is interested. I'll sell it for $80. Since I started out with the RE05U from Hyperlinktech, I didn't need extra cable, pigtail, etc. That little antenna is good enough to get into the houses that "touch" yours. I found the Ethernet cable for free. The Xircom NIC came with the laptop. So my total "cost" was about $250. I couldn't go out and buy a commercially-made AP that would be as configurable or as far-reaching as my setup for $250, so I count myself ahead of the game.

The Software

  • I tried many, many Linux Live CDs. While they are all good in their own right, none met my specific needs. I finally ended up using the Forked Boot Floppies with XFS support from http://people.debian.org/~blade/ ...I burned a CD of bootbf2_4-xfs_iso.zip and used that to boot up and get the Xircom wired NIC working. This is basically a super-stripped version of Debian Stable. The reason I didn't like the Linux Live (bootable Linux) CDs is that either their install scripts didn't exist or were broken, or the CD simply had a bunch of crap that I didn't want. In the end, installing "by hand" and getting the rest via the network was easier.

  • HostAP drivers for the wireless NIC from http://hostap.epitest.fi/ ...All I needed was hostap-driver-0.1.3.tar.gz to get my Senao card to work correctly.

  • The latest Linux kernel. For me, on this setup, that was 2.4.25 from kernel.org. I prefer to grab the whole kernel, rather than patching.

  • I also grabbed openwall.org's awesome security patch for the .25 kernel from: http://www.openwall.com/linux/linux-2.4.25-ow1.tar.gz

  • Stuff via apt-get: sudo, screen, wget, netdiag, dhcp, xinetd, wireless-tools, libglib1.2-dev, libncurses5-dev and probably a few others that I'm forgetting.

  • NoCatSplash, from http://nocat.net/download/NoCatSplash/

The Misc But Important stuff

  • One external STATIC IP address. These notes won't work all the way for people that are doing this off of a DHCP-assigned external/routable IP. You'll need to modify the firewall rules or get some software that auto-modifies the firewall rules. I don't know about any of that, though, and my advice is to just spend the $5-10 and get a couple of static IPs.

The End Goal

My goal was, first and foremost, to provide wireless access to my house. Secondly, that it be secured (locked down) as much as possible without making it cumbersome to use or effectively useless. Lastly, that the world be able to use the wireless to surf and not completely root my boxes at the drop of a hat. I'm altruistic but not naive.

The Process

Setup of the laptop - Installing Debian Linux
  • Burn bootbf2_4-xfs_iso to CD.
  • Get the setup of Debian Linux going. Be watchful: if you need to configure the "Device Driver Modules" the setup will NOT ask you to Configure PCMCIA Support. You need to arrow down the list of "to do" stuff and manually select Configure PCMCIA Support. If you don't do it now, it ain't gonna get done.

  • If you get prompted to set a hostname and configure the Network ("The interface eth0 seems to be a PCMCIA card...") then cardmgr has detected your PCMCIA card and you have network support. If not, go back to the big "to do" list, find Configure PCMCIA Support and try again. Maybe eject/insert your card.
  • Debian will run through the base install now.

  • I don't bother making a boot floppy. Live on the edge. :P

  • After you reboot, Debian will do some post-setup questions. Other than the defaults ...Enable MD5 passwords.

  • At some point, you will need to do Apt Configuration. Are you at work or behind a proxy? If so, enter the proxy information. It's best to use the IP address, not the name of the proxy.

  • You probably do not need to configure another Apt source.
  • Run tasksel. I normally just select laptop system and then "Finish".

  • I don't run Dselect.
  • Debian will grab many MB of software now. This will take a while, depending on your network connection.
  • I tell Debian to ask me before stopping cardmgr.
  • I add a mime handler for less.
  • I select "en_US ISO-8859-1" and "en_US.UTF-8 UTF-8" - looks good to me.
  • In Configuring Locales, I select "en_US".
  • I don't enable IrDA.
  • Debian will install many MB of software now. This will take a while, depending on your machine's CPU/HD speed.
  • I stop PCMCIA support and let the software install continue.

  • When setting up netenv, I usually choose "1" since I'm at home w/ a static IP. 2, I think, is just if you need to modify some settings.
  • For email setup, I usually choose "5" and do it myself. However, you may want to choose "1" and put in your domain name, then press Enter for the next question, then your domain (or Enter if you already have a dedicated email server), then your non-routable local network IP block, then the name of the local user you set up. If you got this wrong, answer "N" to the last question and run through the setup again.
  • Login as root.
  • Cardmgr may still have your card stopped. If there are no blinky lights on your card, eject and re-insert, or do: /etc/init.d/pcmcia stop (and then start).

  • If you're behind a proxy, type: export http_proxy="http://###.###.###.###:####"

  • Now I do my own apt-get update ; apt-get upgrade. It may complain about non-free software.
  • Now I do: apt-get install sudo screen wget netdiag dhcp xinetd libglib1.2-dev libncurses5-dev ...I might have forgot one or two items, I'm not sure. Note, no commas.

Setup of the laptop - Minor Security Stuff
  • Do: apt-get remove portmap lpr ...You should also do: /etc/init.d/portmap stop ; rm /etc/init.d/portmap ...KeeganQuinn states that you can try removing portmap via: dpkg -P portmap ...Check to make sure the /etc/init.d/portmap script is actually gone.

  • One of the first things I do after getting the netdiag package is to do: strobe localhost and find out what's listening on a port. At this point, only port 22/ssh needs to be enabled. Everything else can be turned off.

  • Turn off a bunch of stuff by deleting everything except for "service smtp" out of /etc/xinetd.conf. Comment out service smtp - re-enable it later.

  • Stop/start the xinetd service (/etc/init.d/xinetd stop/start) and re-strobe your box. You should see many fewer ports open now.
  • If something is still running do: fuser -n tcp ### where ### is the port number. fuser will return a PID, so do: ps aux | grep PID ...Find out what process is running. It probably was started via /etc/init.d/naughty_script ...Find that script and move it or delete it.

  • Your machine is now much more secure - although we have quite a ways to go, later.
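As an added example (not part of the original page), here is a small POSIX shell script that does what the strobe / fuser / ps sequence above does, but by reading /proc/net/tcp directly: it lists every TCP socket in LISTEN state and, on a live box, maps the socket inode to the owning process through /proc/*/fd. The /proc/net/tcp sample embedded in it is constructed (sshd on 0.0.0.0:22, a mailer on 127.0.0.1:25 and one established connection that must be ignored), and the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: audit listening TCP sockets
# by parsing /proc/net/tcp (column 2 = local_address as HEXIP:HEXPORT with the
# IP in little-endian hex, column 4 = socket state, 0A = LISTEN, column 10 = inode).

# Little-endian hex IPv4 (0100007F) -> dotted quad (127.0.0.1).
hex_ip() {
    h=$1
    printf '%d.%d.%d.%d\n' \
        "0x$(printf '%s' "$h" | cut -c7-8)" \
        "0x$(printf '%s' "$h" | cut -c5-6)" \
        "0x$(printf '%s' "$h" | cut -c3-4)" \
        "0x$(printf '%s' "$h" | cut -c1-2)"
}

# Hex port (0016) -> decimal (22).
hex_port() {
    printf '%d\n' "0x$1"
}

# Read /proc/net/tcp-format text on stdin, print "ip:port inode" for each LISTEN socket.
listening_sockets() {
    awk 'NR > 1 && $4 == "0A" { print $2, $10 }' | while read -r addr inode; do
        printf '%s:%s %s\n' "$(hex_ip "${addr%:*}")" "$(hex_port "${addr#*:}")" "$inode"
    done
}

# Map a socket inode to the PID holding it by scanning /proc/*/fd symlinks.
# Needs a live Linux /proc (and root to see other users' processes); the
# constructed sample below does not exercise it.
pid_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ]; then
            printf '%s\n' "$fd" | cut -d/ -f3
        fi
    done
}

# Constructed sample in /proc/net/tcp layout: sshd on 0.0.0.0:22, a mailer
# bound to 127.0.0.1:25, and an ESTABLISHED (state 01) connection to ignore.
SAMPLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 0 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0 0 0
   2: D6471E45:0016 0A1E1E45:C3A0 01 00000000:00000000 00:00000000 00000000     0        0 1236 1 0 0 0'

# On a live box: listening_sockets < /proc/net/tcp, then pid_for_inode <inode>
# for anything you did not expect, and chase the PID back to its /etc/init.d script.
printf '%s\n' "$SAMPLE" | listening_sockets
```

On the sample this prints 0.0.0.0:22 1234 and 127.0.0.1:25 1235; anything that shows up here after the xinetd cleanup and is not ssh is a candidate for the fuser / ps hunt described above.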

Setup of the laptop - Upgrading and Patching the Kernel
  • Grab the kernel and openwall stuff. Do: lynx http://www.kernel.org and get the latest 2.4.xx kernel. If you're reading this after, say, summer of 2004, consider getting a 2.6 kernel. I usually wait on a new kernel series until it hits 2.X.10 or better.

  • Grab the Openwall Linux kernel patch: lynx http://www.openwall.com ...Select the "Linux" link. Get the patch for your kernel. If a patch does not exist, get a different kernel. :)

  • Once you have the kernel and openwall stuff, move it into /usr/src and consider reading: http://www.digitalhermit.com/~kwan/kernel.html on how to compile your own kernel. My own basic notes follow.

  • I do a make menuconfig and make sure the Xircom NIC gets the support it needs, along with support for the XFS file system. I usually compile in wireless stuff related to my card, although I don't think it's really necessary. I suggest that you go through ALL the sections, just to see what's there and make sure you don't miss anything. You won't need any crap like USB or whatnot, though, because this is a basic machine and probably not your main Linux box.
  • The biggest stuff is in the setup of the networking options part of the kernel. I use the setup run-through at http://tldp.org/HOWTO/IP-Masquerade-HOWTO/ipmasq-compiling3.1.html#IPMASQ-COMPILING3.1.1 ...do a find on the page for "Code maturity level options". I usually do everything as compiled-in "*" rather than a module "M".
  • Don't forget the extra Security Options, in the main menu. Only the last option should be un-used. Everything else makes your box that much less susceptible to attack.

  • I compile the kernel: make dep ; make clean ; make bzImage ; make modules ; make modules_install ; make install ...You MAY need to run: lilo -v ...in order to get your new kernel to "take". I normally don't have to do this, though. Some people bitch about LILO being insecure or whatever, but that's the least of my worries. If someone has physical access to your machine, the game is already over.

  • I reboot, test the new kernel (next few steps).
  • First, assuming it booted up, make sure you're using the new kernel. Do: uname -a ...Do you see the version of kernel you just compiled listed in that little line? If not, the make install or lilo -v didn't work a few steps ago.

  • Make sure your wired NIC still works. Do: ifconfig eth0. See stuff about your NIC? If so, good. If not, you get to add the correct NIC in the kernel menuconfig area and recompile! Yay!
  • If you compiled in some Prism2 wireless card support, the light on your wireless NIC may be on. On the Senao, it is a steady green light. So that tells me that the system "sees" the card but isn't yet properly configured to work with the card. That's ok. See the next section!

Setup of the laptop - Installing HostAP drivers and using iwconfig
  • NOTE: Don't just stuff my example files into your setup without changing the IP addresses around to match your actual network setup!

  • I install the hostap drivers now. I followed the instructions at http://hostap.epitest.fi/ "README" ...which is basically, extract the drivers and do "make" and "make install". I got a few errors during the make process, but no show-stoppers.

  • I usually have to reboot in order for the HostAP stuff to start working correctly, although it's theoretically possible to do a "kill -HUP [cardmgr PID]" or /etc/init.d/pcmcia stop (and start). That never really works for me though. Reboots won't kill you. :P
  • After I reboot, I check to see if the wireless NIC seems to maybe be working. Do: ifconfig wlan0. It should return some sort of not-evil-looking-response. If not, probably email the PTP list.

  • I manually configure the wlan0 interface at this point. Later, I will stuff the final info into /etc/network/interfaces. You can check out my example at http://exocet.ca/files/slartibartfast_interfaces. A quick-n-dirty example setup: ifconfig wlan0 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255 ...You shouldn't need to add a route (gateway info) for this new interface.

  • I set the wireless card-specific info now. Do: iwconfig wlan0 mode master channel X essid "www.personaltelco.net"

  • I test the wireless NIC at this point with a known-good wireless client setup (laptop w/ card). If it works, huzzah! I think you're over the hump now. If it doesn't work ...eh, that's what searching via google and asking via the PTP list is for. Don't worry, it took me many times to get it right "the first time."
  • If you're testing your setup with a Win2K or WinXP setup, consider getting Netstumbler from http://www.netstumber.com ...Excellent site-survey and wardriving application.
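Added example, not the author's own interfaces file: a shell script that computes the netmask and broadcast for the /25 given under Network Topology and prints the matching ifconfig and iwconfig lines (ifconfig wants netmask, not network, and on a /25 the broadcast is .127, not .255). It generalizes to any prefix length. Run it with --apply as root to execute the commands; channel 6 is an assumed value, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original page: compute netmask and broadcast
# from a CIDR prefix and emit the wlan0 bring-up commands.

# Prefix length -> dotted netmask, e.g. 25 -> 255.255.255.128
cidr_to_netmask() {
    m=$(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    printf '%d.%d.%d.%d\n' $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) $(( (m >> 8) & 255 )) $(( m & 255 ))
}

# Dotted quad -> 32-bit integer and back.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int_to_ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# Broadcast address of ip/prefix, e.g. 192.168.30.1 25 -> 192.168.30.127
broadcast_of() {
    int_to_ip $(( $(ip_to_int "$1") | ((1 << (32 - $2)) - 1) ))
}

# Values from the Network Topology section; CHANNEL is an assumed value.
IFACE=wlan0
ADDR=192.168.30.1
PREFIX=25
CHANNEL=6
ESSID=www.personaltelco.net

# The two commands that address the interface and put the card in AP (master) mode.
bringup_commands() {
    printf 'ifconfig %s %s netmask %s broadcast %s up\n' \
        "$IFACE" "$ADDR" "$(cidr_to_netmask "$PREFIX")" "$(broadcast_of "$ADDR" "$PREFIX")"
    printf 'iwconfig %s mode master channel %s essid "%s"\n' "$IFACE" "$CHANNEL" "$ESSID"
}

if [ "$1" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
    bringup_commands | sh -ex
else
    bringup_commands      # dry run: only show what would be executed
fi
```

Without --apply it prints the two lines so you can paste them into the "up" stanzas of /etc/network/interfaces once they work by hand.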

Setup of the laptop - DHCP
  • This is actually quite easy. I suggest you just look at my dhcpd.conf file at http://www.exocet.ca/files/slartibartfast_dhcpd.conf ...assuming you have a similar setup (one statically assigned external IP address on eth0). You will need to change the DNS server, internal network (if you want), etc.

  • Plonk my file (if you used it) into /etc/dhcpd.conf
  • /etc/init.d/dhcp start ...easy!

Setup of the laptop - The Firewall
  • Note: KeeganQuinn has informed me that my unfinished "last step" (install NoCat) will wreck all the firewall rules here. In that case, you may skip this step if you are going to use NoCatAuth. If you don't wanna use NoCatAuth, this is a good step for you.

  • I start setting up the firewall crap about now. I use the script provided at: http://tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html#RC.FIREWALL-2.4.X to get me started. You will need to tweak your setup a bit, but you are welcome to use my setup as a working example: http://exocet.ca/files/slartibartfast_firewall_rules ...Note, eth0 is my external (routable IP address) interface, wlan0 is the internal, wireless interface. As you can see, I have enabled the outside world to access, via eth0/69.30.71.214, port 22 (ssh), 25 (smtp) and 80. Everything else is blocked from outside access. From the internal point of view, NOTHING is blocked.

  • If you grab my example and tweak it (recycling is good), you can enable your desired rules by doing: iptables-restore < the_name_of_your_firewall_rules_textfile. Do: iptables -L to see if it "took".

  • Don't forget to do: echo "1" > /proc/sys/net/ipv4/ip_forward ...To enable the firewalling and all that. I often forget to do this and it's annoying.

  • I test the wireless setup again. Make sure it all seems to work ok. If not, you get to tweak your firewall. Consider clearing all the rules via: iptables -F and testing your setup again. If it works NOW, then your firewall needs more tweaking.
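Added example, not the author's slartibartfast_firewall_rules file: a shell script that writes an iptables-restore ruleset matching the policy described above (eth0 external at 69.30.71.214 with only 22, 25 and 80 reachable from outside; wlan0 internal and unrestricted; masquerading from the wireless /25) and, when run as root with --apply, sets ip_forward and loads it. The rule layout, the rate-limited logging of dropped external packets and the function names are my own assumptions, not the page's.

```shell
#!/bin/sh
# Added example, not from the original page: generate and optionally apply
# an iptables-restore ruleset for a node with eth0 outside and wlan0 inside.
EXT_IF=eth0
EXT_IP=69.30.71.214
WLAN_IF=wlan0
WLAN_NET=192.168.30.0/25
OPEN_PORTS="22 25 80"     # ssh, smtp, http: the only services exposed on eth0

# Emit the complete ruleset in iptables-restore format.
firewall_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $WLAN_NET -o $EXT_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WLAN_IF -j ACCEPT
EOF
    # One ACCEPT per exposed port, bound to the external address only.
    for p in $OPEN_PORTS; do
        echo "-A INPUT -i $EXT_IF -d $EXT_IP -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT -i $EXT_IF -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
-A FORWARD -i $WLAN_IF -o $EXT_IF -j ACCEPT
-A FORWARD -i $EXT_IF -o $WLAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# How many INPUT rules open a port on the external interface (sanity check).
count_exposed_ports() {
    firewall_rules | grep -c -- "-i $EXT_IF .* --dport "
}

if [ "$1" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
    echo 1 > /proc/sys/net/ipv4/ip_forward   # the step that is easy to forget
    firewall_rules | iptables-restore
    iptables -L -n -v                         # confirm it "took"
else
    firewall_rules                            # dry run: print the ruleset
fi
```

Without --apply it only prints the ruleset, so you can diff it against what iptables-save shows after loading. Keep in mind the note at the top of this section: NoCatAuth rewrites the rules when it starts, so this file is for the no-NoCat variant.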

Setup of the Cisco Catalyst 1900
  • Note that this (and the next) section of my documentation is technically optional. Based on what's been done, your node-on-a-laptop is already "fairly secure". If you just have one or two other not-very-important computers OR you don't consider your data to be particularly valuable, you can quite safely skip this and the next step.

  • If you're going to do this setup, I suggest you do a before and after test.
  • To test as thoroughly as possible, try taking the firewall down (do: iptables -F) and changing some IPs around.
  • TESTING: do: ifconfig wlan0 192.168.15.120 netmask 255.255.255.0 broadcast 192.168.15.255 ; route add default gw 192.168.15.1 metric 1 (...this is because my internal network is on 192.168.15.0. No point in trying to ping 192.168.15.1 from 192.168.30.1 because the two networks can't talk anyway.)
  • TESTING: do: ping 192.168.15.1 ...This should work. If it does, good. It means your network is "insecure" but is going to get a lot more secure in just a few minutes.
  • I setup the Cisco VLAN stuff now. It's actually quite easy, although I don't recall exactly how to do it. I think I selected "[B]ridge Setup or Something or Other" from the main Cisco Catalyst 1900 setup menu. The setup of the VLAN is really a rather important part of the setup here.
  • Once you select the right [B]ridge option (straight off the main menu, maybe?), it will ask you what ports you want in Bridge Group 1. I said 1-16 in Bridge Group 1. That means 17-24 went to Bridge Group 2. That's it. There will be some more testing at the end of the next section, so don't reboot anything or change anything back quite yet.

Setup of your (my) network
  • My main linux box, deepthought, runs my mail, web, ssh, everything. It has two NICs. One, eth0, has the routable (69.30.71.212) IP address.

  • Deepthought's eth1 (a second NIC) has the internal IP address (not the same class C as what the wireless uses).

  • The eth1 cable goes into what will be VLAN1. The rest of the computers in the house, on the internal network (192.168.15.0) also get plugged into what will be VLAN1.

  • In VLAN2 goes the DSL router's ethernet cable, my main Linux box's eth0 ethernet cable, and the eth0 ethernet cable from Slartibartfast aka the node-on-a-laptop.

  • The outcome of all this: anything plugged into VLAN2 can NOT talk to anything plugged into VLAN1 ...Except via my main linux box, because it's plugged in to both VLAN1 and VLAN2. Security, baby.

  • MORE TESTING: do: ping 192.168.15.1 ...This should NOT work. If it fails, good. It means your "external" computers are isolated from your "internal" computers via the switch.
  • You can probably do ifdown wlan0 ; ifup wlan0. If that doesn't get your wlan0 interface back to using 192.168.30.1 as its IP, then you probably need to either edit /etc/network/interfaces or just reboot and see if it happens that way.
  • Once you're back to using 192.168.30.1 (or whatever you decided to use as your internal network) then you're done with this section.

Setup of NoCat
  • The wireless setup is basically complete at this point. Some people don't bother with the NoCatSplash stuff, or so they say. I, however, wanted the whole deal. But I haven't completed the NoCatSplash setup, so I can't write about that yet!


[CategoryDocumentation]

Node172 (last edited 2007-11-23 18:02:56 by localhost)