Sharing mobile broadband via WiFi using Ubuntu on my netbook
I've had to move away from a fixed broadband connection for a few weeks. To get by, I've gotten a 3G USB modem from my local telco Optus, and I've set up my Asus eee netbook (running Ubuntu 9.04) to work as a WiFi access point that will share this mobile broadband connection with my other devices.
To do this, I've hacked together a script that disables NetworkManager in Ubuntu (as secured ad-hoc WiFi didn't really work for me using NetworkManager), sets up ad-hoc WiFi manually via iwconfig, then enables NAT routing using iptables and finally connects to the mobile broadband service using pppd.
The solution below is specific to the Optus 3G service in Australia, but with a different pppd setup it should work for any mobile broadband service.
- First, to set up pppd for Optus, create (as root) a file called /etc/ppp/chat-optus-3g
ABORT BUSY
ABORT 'NO CARRIER'
ABORT ERROR
REPORT CONNECT
TIMEOUT 10
"" "ATZ"
OK "AT&F"
OK 'AT+CGDCONT=1,"IP","preconnect"'
SAY "Calling...\n"
TIMEOUT 120
OK "ATD*99***1#"
CONNECT \c
- Then create (also as root) a file called /etc/ppp/peers/optus-3g
/dev/ttyUSB0
460800
lock
crtscts
modem
noauth
defaultroute
# "user" and "password" each take an argument; the values are assumed empty here
# because the Optus "preconnect" APN does not authenticate the link (see noauth)
user ""
password ""
connect "/usr/sbin/chat -V -f /etc/ppp/chat-optus-3g"
noipdefault
usepeerdns
nobsdcomp
novj
- Now, you should be able to connect to Optus simply by plugging in your USB modem and typing the commands:
sudo /etc/init.d/NetworkManager stop
sudo pppd call optus-3g debug nodetach dump
Pressing ctrl-c will disconnect you.
- If this is working so far, you can create the following script called "optusShare.sh". It will handle setting up an ad-hoc WiFi network secured using WPA, setting up NAT routing and finally connecting to the Internet using the above command.
#!/bin/bash
###############################
### Configure ad-hoc WiFi
###############################
sudo /etc/init.d/NetworkManager stop
sudo ifconfig -v wlan1 down
sudo iwconfig wlan1 mode Ad-Hoc
sudo iwconfig wlan1 channel 4
sudo iwconfig wlan1 essid myeeeadhoc
sudo iwconfig wlan1 nick myeee
sudo iwconfig wlan1 rate auto
# CHANGE PASSWORD! Note that iwconfig "key" configures a WEP key (10 hex digits = 40-bit WEP),
# not WPA; WEP keys can be recovered from captured traffic, so do not rely on it for confidentiality
sudo iwconfig wlan1 key 1234567890 #CHANGE PASSWORD! (not very secure)
sudo iwconfig wlan1 ap off
sudo ifconfig -v wlan1 10.0.0.33 netmask 255.255.255.0
sudo ifconfig -v wlan1 up
#seems to set wifi power to minimum
sudo iwconfig wlan1 txpower 0
###############################
### Set up NAT Routing
###############################
### Simple "insecure" nat - DO NOT USE (TESTING ONLY)
#sudo sysctl net.ipv4.ip_forward=1
#sudo iptables -P FORWARD ACCEPT
#sudo iptables --table nat -A POSTROUTING -o ppp0 -j MASQUERADE
#Temporarily block all traffic
sudo sysctl net.ipv4.ip_forward=0
sudo iptables -P OUTPUT DROP
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
# Delete/Flush old iptables rules
sudo iptables -F
sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -X
# Set default policies
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
# Prevent external packets from using loopback addresses [OPTIONAL]
sudo iptables -A INPUT -i ppp0 -s 127.0.0.1 -j DROP
sudo iptables -A INPUT -i ppp0 -d 127.0.0.1 -j DROP
sudo iptables -A FORWARD -i ppp0 -s 127.0.0.1 -j DROP
sudo iptables -A FORWARD -i ppp0 -d 127.0.0.1 -j DROP
# Anything coming from/going to Internet should not
# use private (RFC 1918) addresses [OPTIONAL]
sudo iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -j DROP
sudo iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
sudo iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -j DROP   # whole 192.168/16 range, not only 192.168.0.0/24
sudo iptables -A FORWARD -i ppp0 -s 172.16.0.0/12 -j DROP
sudo iptables -A FORWARD -i ppp0 -s 10.0.0.0/8 -j DROP
sudo iptables -A FORWARD -i ppp0 -s 192.168.0.0/16 -j DROP
#Extra security stuff
sudo iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Block outgoing NetBios [OPTIONAL]
sudo iptables -A FORWARD -p tcp --sport 137:139 -o ppp0 -j LOG --log-prefix "FORWARD DROP: "
sudo iptables -A FORWARD -p tcp --sport 137:139 -o ppp0 -j DROP
sudo iptables -A FORWARD -p udp --sport 137:139 -o ppp0 -j LOG --log-prefix "FORWARD DROP: "
sudo iptables -A FORWARD -p udp --sport 137:139 -o ppp0 -j DROP
sudo iptables -A OUTPUT -p tcp --sport 137:139 -o ppp0 -j LOG --log-prefix "OUTPUT DROP: "
sudo iptables -A OUTPUT -p tcp --sport 137:139 -o ppp0 -j DROP
sudo iptables -A OUTPUT -p udp --sport 137:139 -o ppp0 -j LOG --log-prefix "OUTPUT DROP: "
sudo iptables -A OUTPUT -p udp --sport 137:139 -o ppp0 -j DROP
# Allow local loopback [NEEDED]
sudo iptables -A INPUT -i lo -j ACCEPT
# Allow pings [OPTIONAL]
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
sudo iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
# START STATE STUFF
# Accept existing connections [NEEDED]
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow any new connections from internal network
# [ONLY NEEDED IF PORTS ARE NOT EXPLICITLY FORWARDED BELOW]
# (wlan1 is the ad-hoc interface configured above; a rule on wlan0 would never match here)
sudo iptables -A INPUT -m state --state NEW -i wlan1 -j ACCEPT
# I *think* this would allow *all* outbound instead of just explicit ports permitted below
#sudo iptables -A FORWARD -m state --state NEW -i wlan1 -o ppp0 -j ACCEPT
# END STATE STUFF
# Internal inbound services [OPTIONAL - DNS NEEDED]
#sudo iptables -A INPUT -p udp -i wlan1 --dport 53 -m state --state NEW -j ACCEPT #DNS cache
#sudo iptables -A INPUT -p tcp -i wlan1 --dport 53 -m state --state NEW -j ACCEPT #DNS cache
#sudo iptables -A INPUT -p udp -i wlan1 --dport 137:139 -m state --state NEW -j ACCEPT #SAMBA
#sudo iptables -A INPUT -p tcp -i wlan1 --dport 445 -m state --state NEW -j ACCEPT #SAMBA
# Allow forwarding of essential services [NEEDED]
sudo iptables -A FORWARD -p tcp --dport 53 -j ACCEPT #DNS
sudo iptables -A FORWARD -p udp --dport 53 -j ACCEPT #DNS
sudo iptables -A FORWARD -p tcp --dport 80 -j ACCEPT #WEB
sudo iptables -A FORWARD -p tcp --dport 81 -j ACCEPT #WEB
sudo iptables -A FORWARD -p tcp --dport 443 -j ACCEPT #HTTPS
sudo iptables -A FORWARD -p tcp --dport 143 -j ACCEPT #IMAP
sudo iptables -A FORWARD -p tcp --dport 993 -j ACCEPT #IMAP SSL
sudo iptables -A FORWARD -p tcp --dport 995 -j ACCEPT #POP3 SSL (used by e.g. Yahoo Mail)
sudo iptables -A FORWARD -p tcp --dport 25 -j ACCEPT #SMTP
sudo iptables -A FORWARD -p tcp --dport 465 -j ACCEPT #SMTP SSL
sudo iptables -A FORWARD -p tcp --dport 5223 -j ACCEPT #IPHONE PUSH
sudo iptables -A FORWARD -p tcp --dport 2195 -j ACCEPT #IPHONE PUSH
sudo iptables -A FORWARD -p tcp --dport 1919 -j ACCEPT #IPHONE PINGCHAT!
# Masquerade [NEEDED]
sudo iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Enable routing.
sudo sysctl net.ipv4.ip_forward=1
###############################
### Connecting to Optus
###############################
sudo pppd call optus-3g debug nodetach dump
- Now running optusShare.sh should be all you need to do to get back online.
Note - The default WPA password is 1234567890. You should change this to a stronger password of your choosing.
Note2 - The NAT rules in this script only allow access to certain predefined ports, and I do not promise it is secure.
Note3 - In its current state, this script does not set up DNS forwarding. Your WiFi clients will need to configure their own Internet DNS service (in my case, the one provided by Optus).
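The NetBIOS rules in the script log each dropped packet with the prefixes "FORWARD DROP: " and "OUTPUT DROP: " before dropping it. As an added example that is not part of the original post, here is a small shell helper that summarises those kernel log lines so you can see which WiFi client keeps trying to send NetBIOS traffic out over the 3G link; the log lines in it are constructed in the field layout the netfilter LOG target uses, with hypothetical hosts, addresses and times.

```shell
#!/bin/sh
# Added example (not part of optusShare.sh): count the LOG-target lines written by
# the script's NetBIOS rules, grouped by chain, source address, protocol and source
# port. The sample below is constructed; hosts, addresses and timestamps are made up.
SAMPLE_LOG='Jul  3 10:15:01 eee kernel: [ 1234.5678] FORWARD DROP: IN=wlan1 OUT=ppp0 SRC=10.0.0.42 DST=203.0.113.10 LEN=78 TOS=0x00 TTL=64 PROTO=UDP SPT=137 DPT=137 LEN=58
Jul  3 10:15:02 eee kernel: [ 1235.0001] FORWARD DROP: IN=wlan1 OUT=ppp0 SRC=10.0.0.42 DST=203.0.113.10 LEN=78 TOS=0x00 TTL=64 PROTO=UDP SPT=137 DPT=137 LEN=58
Jul  3 10:15:09 eee kernel: [ 1242.4242] FORWARD DROP: IN=wlan1 OUT=ppp0 SRC=10.0.0.7 DST=198.51.100.5 LEN=60 TOS=0x00 TTL=63 PROTO=TCP SPT=139 DPT=445 WINDOW=5840
Jul  3 10:15:11 eee kernel: [ 1244.1111] OUTPUT DROP: IN= OUT=ppp0 SRC=10.0.0.33 DST=198.51.100.5 LEN=60 TOS=0x00 TTL=64 PROTO=TCP SPT=138 DPT=445 WINDOW=5840
Jul  3 10:15:12 eee kernel: [ 1245.0000] eth0: link is not ready'

# Read log lines on stdin; print "<count> <chain> <src> <proto>/<sport>", most
# frequent first, one line per distinct (chain, source, protocol, source port).
# Lines without one of the two LOG prefixes are ignored.
summarise_drops() {
  awk '/(FORWARD|OUTPUT) DROP: / {
         if ($0 ~ /FORWARD DROP:/) chain = "FORWARD"; else chain = "OUTPUT"
         src = ""; proto = ""; spt = ""
         for (i = 1; i <= NF; i++) {
           split($i, kv, "=")            # LOG target fields are KEY=VALUE tokens
           if (kv[1] == "SRC")   src   = kv[2]
           if (kv[1] == "PROTO") proto = kv[2]
           if (kv[1] == "SPT")   spt   = kv[2]
         }
         seen[chain " " src " " proto "/" spt]++
       }
       END { for (k in seen) print seen[k], k }' | sort -k1,1nr -k2
}

# Stand-alone run on the constructed sample; on the netbook you would instead do:
#   grep " DROP: " /var/log/kern.log | summarise_drops
printf '%s\n' "$SAMPLE_LOG" | summarise_drops
```

A source address that shows up repeatedly here is a client that still has NetBIOS name resolution or file sharing bound to the WiFi adapter; the rules stop it leaking onto the 3G link, but the log tells you which machine to fix.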