Contents
  1. udhcpd
  2. hostapd
  • Enabling IP forwarding
    1. iptables
    2. Result
    3. Postscript
    4. References

On a whim I wanted to turn the Raspberry Pi into a wireless router. There are countless guides for this online, but few reliable ones. Here I record the steps and explain what each one is actually doing. For the details you still need the relevant books and RFCs.

    udhcpd

    sudo apt-get install udhcpd

You can read about udhcpd here; it is simply a small DHCP server (the one from BusyBox).

What is DHCP?

Wikipedia puts it clearly:

    The Dynamic Host Configuration Protocol (DHCP) is a communication protocol that lets network administrators centrally manage and automatically assign IP network addresses. On an IP network every device connecting to the Internet needs a unique IP address; DHCP lets the administrator monitor and hand out IP addresses from a central point, and when a computer moves to another place in the network it automatically receives a new IP address.

Wikipedia also covers the technical details there. In fact, every line of the configuration below ends up as a field or option of the DHCPOFFER; to verify that, capture the exchange with Wireshark and have a look:

(Wireshark capture of the DHCP exchange)

So what is that lease thing?

I set the lease to 10 seconds; look at the packets.

With a longer lease this stops, and the meaning of lease becomes self-evident: it is how long the client may keep the address. By default a client tries to renew at half the lease (T1 in RFC 2131), so a 10-second lease produces a DHCPREQUEST/DHCPACK round trip every few seconds.

The configuration (/etc/udhcpd.conf) is as follows:

    start 192.168.42.2 # This is the range of IPs that the hotspot will give to client devices.
    end 192.168.42.20
    interface wlan0 # The device uDHCP listens on.
    remaining yes
    opt dns 8.8.8.8 4.2.2.2 # The DNS servers client devices will use.
    opt subnet 255.255.255.0
    opt router 192.168.42.1 # The Pi's IP address on wlan0 which we will set up shortly.
    opt lease 864000 # 10 day DHCP lease time in seconds
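To tie those options to what Wireshark shows in the DHCPOFFER, here is an added example (my own, not from the original post and not udhcpd's code) that assembles a DHCPOFFER carrying exactly the udhcpd.conf values above, following RFC 2131 for the fixed header and RFC 2132 for the options, and then parses it back the way a client would. The transaction id, the client MAC and the offered address 192.168.42.2 are constructed sample values.

```python
import socket
import struct

# RFC 2132 option codes corresponding to the udhcpd.conf lines above
OPT_SUBNET_MASK = 1      # opt subnet
OPT_ROUTER = 3           # opt router
OPT_DNS = 6              # opt dns
OPT_LEASE_TIME = 51      # opt lease
OPT_MSG_TYPE = 53
OPT_SERVER_ID = 54
OPT_END = 255
DHCPOFFER = 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field (offset 236)


def build_offer(xid, client_mac, yiaddr, server_ip, subnet, router, dns, lease):
    """Assemble a DHCPOFFER: 236-byte BOOTP header (RFC 2131) followed by TLV options."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                     # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,                 # transaction id, secs, flags (broadcast bit set)
        b"\0" * 4,                      # ciaddr: the client has no address yet
        socket.inet_aton(yiaddr),       # yiaddr: the address being offered
        socket.inet_aton(server_ip),    # siaddr
        b"\0" * 4,                      # giaddr: no relay agent on a single segment
        client_mac.ljust(16, b"\0"),    # chaddr
        b"\0" * 64, b"\0" * 128)        # sname, file (unused)
    options = MAGIC_COOKIE
    options += bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    options += bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_ip)
    options += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease)
    options += bytes([OPT_SUBNET_MASK, 4]) + socket.inet_aton(subnet)
    options += bytes([OPT_ROUTER, 4]) + socket.inet_aton(router)
    dns_bytes = b"".join(socket.inet_aton(d) for d in dns)
    options += bytes([OPT_DNS, len(dns_bytes)]) + dns_bytes
    options += bytes([OPT_END])
    return header + options


def parse_options(pkt):
    """Walk the TLV options; a truncated packet raises instead of being read past its end."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            return opts
        if code == 0:                    # pad byte, no length
            i += 1
            continue
        if i + 2 > len(pkt):
            raise ValueError("option %d: missing length byte" % code)
        length = pkt[i + 1]
        data = pkt[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("option %d: truncated" % code)
        opts[code] = data
        i += 2 + length
    raise ValueError("options not terminated with END")


def decode_offer(pkt):
    """Return the fields the udhcpd.conf lines control, as the client will see them."""
    opts = parse_options(pkt)
    ips = lambda b: [socket.inet_ntoa(b[k:k + 4]) for k in range(0, len(b), 4)]
    lease = struct.unpack("!I", opts[OPT_LEASE_TIME])[0]
    return {
        "type": opts[OPT_MSG_TYPE][0],
        "yiaddr": socket.inet_ntoa(pkt[16:20]),
        "server": socket.inet_ntoa(opts[OPT_SERVER_ID]),
        "subnet": socket.inet_ntoa(opts[OPT_SUBNET_MASK]),
        "router": ips(opts[OPT_ROUTER]),
        "dns": ips(opts[OPT_DNS]),
        "lease": lease,
        "renew_after": lease // 2,       # T1 default in RFC 2131: renew at half the lease
    }


# Constructed offer using the values from the udhcpd.conf above (xid and MAC are made up)
EXAMPLE_OFFER = build_offer(
    xid=0x3903F326, client_mac=bytes.fromhex("b827eb000001"),
    yiaddr="192.168.42.2", server_ip="192.168.42.1", subnet="255.255.255.0",
    router="192.168.42.1", dns=["8.8.8.8", "4.2.2.2"], lease=864000)

if __name__ == "__main__":
    for key, value in decode_offer(EXAMPLE_OFFER).items():
        print("%-12s %s" % (key, value))
    try:
        decode_offer(EXAMPLE_OFFER[:-8])   # chop the DNS option short
    except ValueError as err:
        print("truncated packet rejected:", err)
```

Option 53 is the message type (2 = OFFER), 51 the lease in seconds, and 1/3/6 the subnet mask, router and DNS lists; the client renews at half the lease by default, which is why a 10-second lease fills the capture. The security angle: whichever host on wlan0 answers a DISCOVER first gets to hand out these options, DNS servers included, which is one reason udhcpd is bound to wlan0 only; and a parser that trusts the length byte without checking it reads past the end of the packet, so this one refuses truncated options.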

Then uncomment the following line (in /etc/default/hostapd) and change it to point at our configuration file:

    DAEMON_CONF="/etc/hostapd/hostapd.conf"

Next, edit /etc/network/interfaces:

    auto lo
    iface lo inet loopback

    auto eth0
    allow-hotplug eth0
    iface eth0 inet manual

    # wlan0 gets the static address that udhcpd hands out as "opt router"
    allow-hotplug wlan0
    iface wlan0 inet static
    address 192.168.42.1
    netmask 255.255.255.0
    # reload the NAT rules saved with iptables-save (see the iptables section)
    up iptables-restore < /etc/iptables.ipv4.nat

Note the wlan0 section: it is paired with the udhcpd configuration, 192.168.42.1 being the address given to clients as opt router, on the same /24 subnet.

    hostapd

    sudo apt-get install hostapd

The following is taken from the official site:

    hostapd is a user space daemon for access point and authentication servers. It implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP Authenticators, RADIUS client, EAP server, and RADIUS authentication server. The current version supports Linux (Host AP, madwifi, mac80211-based drivers) and FreeBSD (net80211).

    hostapd is designed to be a “daemon” program that runs in the background and acts as the backend component controlling authentication. hostapd supports separate frontend programs and an example text-based frontend, hostapd_cli, is included with hostapd.

You can also look at my translation of the Arch wiki entry Software access point (简体中文).

The configuration (/etc/hostapd/hostapd.conf) is as follows:

    interface=wlan0
    # Realtek out-of-tree driver; mac80211-based drivers use driver=nl80211
    driver=rtl871xdrv
    ssid=My_SSID_Name
    # 2.4 GHz 802.11g, channel 6
    hw_mode=g
    channel=6
    # no MAC filtering, open system authentication only, SSID is broadcast
    macaddr_acl=0
    auth_algs=1
    ignore_broadcast_ssid=0
    # WPA2 (RSN) with a pre-shared key
    wpa=2
    wpa_passphrase=MYPASSWORD
    wpa_key_mgmt=WPA-PSK
    # also used for WPA2 unless rsn_pairwise is set; TKIP is deprecated, CCMP alone is preferable
    wpa_pairwise=TKIP CCMP
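As an added example (not part of the original post and not hostapd's own code), here is a small audit of that hostapd.conf: it parses hostapd's key=value format and flags the settings that weaken a WPA2 access point, using the configuration above as constructed input next to a hardened variant. The 12-character passphrase threshold and the ieee80211w=2 (protected management frames) recommendation are this example's own choices; whether the driver supports ieee80211w must be tested, and rtl871xdrv may not.

```python
# Threshold for "weak passphrase" is this example's own policy; hostapd itself only
# enforces the WPA-PSK limits of 8..63 characters.
MIN_PASSPHRASE = 12

def parse_hostapd_conf(text):
    """hostapd's format: one key=value per line, '#' lines are comments (last duplicate wins here)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit_hostapd(conf):
    """Return (key, problem) pairs for settings that weaken a WPA2-PSK access point."""
    findings = []
    wpa = int(conf.get("wpa", "0"))
    if wpa == 0:
        findings.append(("wpa", "wpa=0: open network, no encryption at all"))
    elif wpa & 1:
        findings.append(("wpa", "wpa=%d accepts WPA (v1); use wpa=2 for WPA2/RSN only" % wpa))
    # For WPA2 the cipher list is rsn_pairwise; hostapd falls back to wpa_pairwise when it is unset
    rsn = (conf.get("rsn_pairwise") or conf.get("wpa_pairwise") or "").split()
    if wpa & 2 and "TKIP" in rsn:
        findings.append(("wpa_pairwise", "TKIP offered to WPA2 clients (%s); use CCMP only" % " ".join(rsn)))
    # auth_algs is a bitfield: 1 = open system, 2 = shared key (WEP); hostapd's default is 3
    if int(conf.get("auth_algs", "3")) & 2:
        findings.append(("auth_algs", "shared-key (WEP) authentication enabled"))
    psk = conf.get("wpa_passphrase", "")
    if wpa and not 8 <= len(psk) <= 63:
        findings.append(("wpa_passphrase", "hostapd requires 8..63 characters"))
    elif wpa and len(psk) < MIN_PASSPHRASE:
        findings.append(("wpa_passphrase", "%d characters is below this example's minimum of %d"
                         % (len(psk), MIN_PASSPHRASE)))
    # 802.11w protected management frames stop forged deauth/disassoc frames; 2 = required
    if wpa and conf.get("ieee80211w", "0") != "2":
        findings.append(("ieee80211w", "management frame protection not required (set ieee80211w=2)"))
    return findings

# Constructed input: the hostapd.conf from above
PAGE_CONF = """\
interface=wlan0
driver=rtl871xdrv
ssid=My_SSID_Name
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=MYPASSWORD
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
"""

# The same file with this example's hardening applied
HARDENED_CONF = PAGE_CONF.replace(
    "wpa_pairwise=TKIP CCMP", "wpa_pairwise=CCMP\nrsn_pairwise=CCMP\nieee80211w=2").replace(
    "wpa_passphrase=MYPASSWORD", "wpa_passphrase=correct-horse-battery-staple-42")

if __name__ == "__main__":
    for name, text in (("page", PAGE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_hostapd(parse_hostapd_conf(text)) or "no findings")
```

Run against the page's file the audit reports three things: TKIP is still offered to WPA2 clients, the placeholder passphrase is short, and management frames are unprotected; the hardened variant produces no findings. hostapd does not support trailing comments on a value line, so any comments belong on their own lines.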

Capture some packets:

There are many EAPOL frames in there. What is EAPOL? From Wikipedia:

    IEEE 802.1X defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802,[1][2] which is known as “EAP over LAN” or EAPOL.[3] EAPOL was originally designed for IEEE 802.3 Ethernet in 802.1X-2001, but was clarified to suit other IEEE 802 LAN technologies such as IEEE 802.11 wireless and Fiber Distributed Data Interface (ISO 9314-2) in 802.1X-2004.[4] The EAPOL protocol was also modified for use with IEEE 802.1AE (“MACsec”) and IEEE 802.1AR (Secure Device Identity, DevID) in 802.1X-2010[5][6] to support service identification and optional point to point encryption over the local LAN segment.

Sure enough, TKIP shows up in the capture as the security protocol. That follows from wpa_pairwise=TKIP CCMP above: with wpa=2 hostapd advertises the rsn_pairwise list, which defaults to the wpa_pairwise value, so a client is free to pick TKIP, the deprecated RC4-based cipher inherited from WPA1, and the 4-way handshake carried in those EAPOL frames then installs TKIP keys. For a WPA2-only network list CCMP by itself.

For the details of the protocols see the RFCs and related books; I don't understand them either ╮(╯▽╰)╭

Enabling IP forwarding

What is IP forwarding? See the explanation on Stack Exchange:

    “IP forwarding” is a synonym for “routing.” It is called “kernel IP forwarding” because it is a feature of the Linux kernel.

    A router has multiple network interfaces. If traffic comes in on one interface that matches a subnet of another network interface, a router then forwards that traffic to the other network interface.

    So, let’s say you have two NICs, one (NIC 1) is at address 192.168.2.1/24, and the other (NIC 2) is 192.168.3.1/24. If forwarding is enabled, and a packet comes in on NIC 1 with a “destination address” of 192.168.3.8, the router will resend that packet out of the NIC 2.

    It’s common for routers functioning as gateways to the Internet to have a default route whereby any traffic that doesn’t match any NICs will go through the default route’s NIC. So in the above example, if you have an internet connection on NIC 2, you’d set NIC 2 as your default route and then any traffic coming in from NIC 1 that isn’t destined for something on 192.168.2.0/24 will go through NIC 2. Hopefully there’s other routers past NIC 2 that can further route it (in the case of the Internet, the next hop would be your ISP’s router, and then their providers upstream router, etc.)

    Enabling ip_forward tells your Linux system to do this. For it to be meaningful, you need two network interfaces (any 2 or more of wired NIC cards, Wifi cards or chipsets, PPP links over a 56k modem or serial, etc.).

    When doing routing, security is important and that’s where Linux’s packet filter, iptables, gets involved. So you will need an iptables configuration consistent with your needs.

    Note that enabling forwarding with iptables disabled and/or without taking firewalling and security into account could leave you open to vulnerabilities if one of the NICs is facing the Internet or a subnet you don’t have control over.

Very thorough ^_^. On the Pi this means setting net.ipv4.ip_forward=1 (with sysctl -w for the running kernel, and in /etc/sysctl.conf so it survives a reboot); without it the kernel never routes packets between eth0 and wlan0, and the FORWARD rules below never see any traffic.

    iptables

iptables is another painful, complicated beast; man iptables runs to nearly 2000 pages orz, and I honestly have neither the interest nor the ability to read through it.

The rules are as follows:

    # rewrite the source address of everything leaving eth0 to the Pi's own address
    sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # let replies to existing connections back in from eth0 to wlan0
    sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    # let clients on wlan0 out to eth0
    sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

Here is the Arch Wiki description of iptables:

    iptables can inspect, modify, forward, redirect and drop IPv4 packets. The code for filtering IPv4 packets is already built into the kernel and is organized into a collection of tables, each with a specific purpose. The tables are made up of a set of predefined chains, and the chains contain rules which are traversed in order. Each rule consists of a predicate of potential matches and a corresponding action (called a target) which is executed if the predicate is true, i.e. the conditions match. iptables is the user-space utility that lets you work with these chains and rules.

To look at your tables, chains and rules you can run iptables-save -c; on my Raspberry Pi the output is:

    # Generated by iptables-save v1.4.14 on Sun Aug 30 16:04:55 2015
    *filter
    :INPUT ACCEPT [21005:1265849]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [27895:18148076]
    [43172:36711171] -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    [44307:5781465] -A FORWARD -i wlan0 -o eth0 -j ACCEPT
    COMMIT
    # Completed on Sun Aug 30 16:04:55 2015
    # Generated by iptables-save v1.4.14 on Sun Aug 30 16:04:55 2015
    *nat
    :PREROUTING ACCEPT [4855:334868]
    :INPUT ACCEPT [149:25460]
    :OUTPUT ACCEPT [248:33605]
    :POSTROUTING ACCEPT [74:13593]
    [4822:314729] -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Sun Aug 30 16:04:55 2015

The default table is filter, which is why some commands don't need -t to select a table. Note the policy line :FORWARD ACCEPT [0:0]: with an ACCEPT default policy the two FORWARD rules only count packets, because anything they don't match is forwarded anyway, so the RELATED,ESTABLISHED rule does not actually keep unsolicited traffic from eth0 away from the wlan0 side. For it to do that the chain policy must be DROP (iptables -P FORWARD DROP). Also, the interfaces file above restores /etc/iptables.ipv4.nat at boot, so once the rules work, save them to that file with iptables-save (as root). Below is what MASQUERADE, RELATED and ESTABLISHED mean; my own knowledge is limited, so I copy the explanations directly.

    MASQUERADE
    This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a
    static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going
    out, but also has the effect that connections are forgotten when the interface goes down. This is the correct behavior when the next dialup is unlikely to have
    the same interface address (and hence any established connections are lost anyway).

As for the RELATED and ESTABLISHED states, the iptables tutorial site explains them in more detail:

    ESTABLISHED The ESTABLISHED state has seen traffic in both directions and will then continuously match those packets. ESTABLISHED connections are fairly easy to understand. The only requirement to get into an ESTABLISHED state is that one host sends a packet, and that it later on gets a reply from the other host. The NEW state will upon receipt of the reply packet to or through the firewall change to the ESTABLISHED state. ICMP reply messages can also be considered as ESTABLISHED, if we created a packet that in turn generated the reply ICMP message.
    RELATED The RELATED state is one of the more tricky states. A connection is considered RELATED when it is related to another already ESTABLISHED connection. What this means, is that for a connection to be considered as RELATED, we must first have a connection that is considered ESTABLISHED. The ESTABLISHED connection will then spawn a connection outside of the main connection. The newly spawned connection will then be considered RELATED, if the conntrack module is able to understand that it is RELATED. Some good examples of connections that can be considered as RELATED are the FTP-data connections that are considered RELATED to the FTP control port, and the DCC connections issued through IRC. This could be used to allow ICMP error messages, FTP transfers and DCC’s to work properly through the firewall. Do note that most TCP protocols and some UDP protocols that rely on this mechanism are quite complex and send connection information within the payload of the TCP or UDP data segments, and hence require special helper modules to be correctly understood.
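To show why the FORWARD policy matters for these rules, here is an added example (mine, not from the original post and not from the iptables project) that parses the iptables-save -c listing above as constructed input, flags an ACCEPT default on FORWARD and any rule that lets new connections in from eth0 to wlan0, checks that traffic leaving eth0 is masqueraded, and renders a hardened ruleset with a DROP policy in the same format, ready for iptables-restore.

```python
import shlex

_counters = lambda tok: tuple(int(x) for x in tok.strip("[]").split(":"))  # "[pkts:bytes]"

def _rule_fields(spec):
    """Interface, conntrack-state and target matches of one rule (each option here takes one arg)."""
    f = {"in": None, "out": None, "target": None, "states": set()}
    for opt, arg in zip(spec[0::2], spec[1::2]):
        if opt == "-i":
            f["in"] = arg
        elif opt == "-o":
            f["out"] = arg
        elif opt == "-j":
            f["target"] = arg
        elif opt in ("--state", "--ctstate"):
            f["states"] = set(arg.split(","))
    return f

def parse_iptables_save(text):
    """Parse iptables-save [-c] output into {table: {chain: {policy, counters, rules}}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {})
        elif line == "COMMIT":
            table = None
        elif line.startswith(":"):        # ":CHAIN POLICY [pkts:bytes]" ("-" for user chains)
            name, policy, counters = line[1:].split()
            table[name] = {"policy": policy, "counters": _counters(counters), "rules": []}
        else:                             # "[pkts:bytes] -A CHAIN rule-spec" (counters only with -c)
            toks = shlex.split(line)
            pkts, nbytes = _counters(toks.pop(0)) if toks[0].startswith("[") else (0, 0)
            chain = table.setdefault(toks[1], {"policy": "-", "counters": (0, 0), "rules": []})
            chain["rules"].append(dict(pkts=pkts, bytes=nbytes, spec=toks[2:], **_rule_fields(toks[2:])))
    return tables

def audit_nat_router(tables, wan, lan):
    """FORWARD must default to DROP, only replies may come back in from the WAN side, WAN traffic must be NATed."""
    findings = []
    fwd = tables.get("filter", {}).get("FORWARD")
    if fwd is None or fwd["policy"] != "DROP":
        findings.append("filter/FORWARD policy is %s: the explicit FORWARD rules only count "
                        "packets, everything is forwarded anyway; set the policy to DROP"
                        % (fwd["policy"] if fwd else "missing"))
    for r in (fwd["rules"] if fwd else []):
        new_allowed = not r["states"] or r["states"] - {"RELATED", "ESTABLISHED"}
        if r["in"] == wan and r["out"] == lan and r["target"] == "ACCEPT" and new_allowed:
            findings.append("FORWARD accepts new connections from %s into %s: %s"
                            % (wan, lan, " ".join(r["spec"])))
    post = tables.get("nat", {}).get("POSTROUTING", {"rules": []})["rules"]
    if not any(r["out"] == wan and r["target"] in ("MASQUERADE", "SNAT") for r in post):
        findings.append("nat/POSTROUTING has no MASQUERADE/SNAT on %s: private client "
                        "source addresses would leave the uplink unchanged" % wan)
    return findings

# iptables-restore input with a DROP default on FORWARD (this example's recommendation)
HARDENED_TEMPLATE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i {wan} -o {lan} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i {lan} -o {wan} -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o {wan} -j MASQUERADE
COMMIT
"""

def hardened_ruleset(wan, lan):
    return HARDENED_TEMPLATE.format(wan=wan, lan=lan)

# Constructed input: the iptables-save -c listing from the Pi above, header comments dropped
PAGE_SAVE = """\
*filter
:INPUT ACCEPT [21005:1265849]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27895:18148076]
[43172:36711171] -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[44307:5781465] -A FORWARD -i wlan0 -o eth0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [4855:334868]
:INPUT ACCEPT [149:25460]
:OUTPUT ACCEPT [248:33605]
:POSTROUTING ACCEPT [74:13593]
[4822:314729] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

if __name__ == "__main__":
    print(audit_nat_router(parse_iptables_save(PAGE_SAVE), "eth0", "wlan0"))
    print(audit_nat_router(parse_iptables_save(hardened_ruleset("eth0", "wlan0")), "eth0", "wlan0"))
```

On the Pi's listing the only finding is the ACCEPT policy on FORWARD; the hardened ruleset passes, and the counters on the parsed rules (43172 packets on the reply rule) show the rules are being hit even though, with the ACCEPT policy, they decide nothing. The hardened text is what you would save as /etc/iptables.ipv4.nat for the interfaces file to restore.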

Result

(Photo of the setup; lots of noise TAT)
Signal strength is acceptable, but beyond a certain distance clients can no longer connect to the hotspot, and iperf measures 20 Mbit/sec, slow as a turtle.

Postscript

I originally wanted to write a complete explanation, but my ability and the space available don't allow me to go deeper. Back to "Computer Networking: A Top-Down Approach" to raise my level. Criticism and corrections are welcome.

References
