Sharing mobile broadband via WiFi using Ubuntu on my netbook

Filed under: Linux — lars @ 11:41:17 pm

I've had to move away from a fixed broadband connection for a few weeks.  To get by, I've gotten a 3G USB modem from my local telco Optus, and I've set up my Asus eee netbook (running Ubuntu 9.04) to work as a WiFi access point that will share this mobile broadband connection with my other devices.

To do this, I've hacked together a script that disables NetworkManager in Ubuntu (secured ad-hoc WiFi didn't really work for me using NetworkManager), sets up ad-hoc WiFi manually via iwconfig, then enables NAT routing using iptables and finally connects to the mobile broadband service using pppd.

The solution below is specific to the Optus 3G service in Australia, but with a different pppd setup it should work for any mobile broadband service.

  1. First, to set up pppd for Optus, create (as root) a file called /etc/ppp/chat-optus-3g with the following contents:
    ABORT BUSY
    ABORT 'NO CARRIER'
    ABORT ERROR
    REPORT CONNECT
    TIMEOUT 10
    "" "ATZ"
    OK "AT&F"
    OK 'AT+CGDCONT=1,"IP","preconnect"'
    SAY "Calling...\n"
    TIMEOUT 120
    OK "ATD*99***1#"
    CONNECT /c
  2. Then create (also as root) a file called /etc/ppp/peers/optus-3g with the following contents:
    /dev/ttyUSB0
    460800
    lock
    crtscts
    modem
    noauth
    defaultroute
    user
    password
    connect "/usr/sbin/chat -V -f /etc/ppp/chat-optus-3g"
    noipdefault
    usepeerdns
    nobsdcomp
    novj
  3. Now, you should be able to connect to Optus simply by plugging in your USB modem and typing the commands:
    sudo /etc/init.d/NetworkManager stop
    sudo pppd call optus-3g debug nodetach dump
    Pressing ctrl-c will disconnect you.
  4. If this is working so far, you can create the following script called "optusShare.sh".  It will handle setting up an ad-hoc WiFi network secured using WPA, setting up NAT routing and finally connecting to the Internet using the above command.
    #!/bin/bash
    # Interface names: the ad-hoc WiFi side (clients) and the 3G link (pppd).
    # Every rule below refers to these two, so a netbook with different
    # interface names only needs to change them here.
    WLAN=wlan1
    WAN=ppp0

    ###############################
    ### Configure ad-hoc WiFi
    ###############################
    sudo /etc/init.d/NetworkManager stop
    sudo ifconfig -v $WLAN down
    sudo iwconfig $WLAN mode Ad-Hoc
    sudo iwconfig $WLAN channel 4
    sudo iwconfig $WLAN essid myeeeadhoc
    sudo iwconfig $WLAN nick myeee
    sudo iwconfig $WLAN rate auto
    sudo iwconfig $WLAN key 1234567890 #CHANGE PASSWORD! (iwconfig "key" sets a WEP key, not WPA - not very secure)
    sudo iwconfig $WLAN ap off
    sudo ifconfig -v $WLAN 10.0.0.33 netmask 255.255.255.0
    sudo ifconfig -v $WLAN up

    #seems to set wifi power to minimum
    sudo iwconfig $WLAN txpower 0


    ###############################
    ### Set up NAT Routing
    ###############################
    ### Simple "insecure" nat - DO NOT USE (TESTING ONLY)
    #sudo sysctl net.ipv4.ip_forward=1
    #sudo iptables -P FORWARD ACCEPT
    #sudo iptables --table nat -A POSTROUTING -o $WAN -j MASQUERADE

    #Temporarily block all traffic while the rules are rebuilt
    sudo sysctl net.ipv4.ip_forward=0
    sudo iptables -P OUTPUT DROP
    sudo iptables -P INPUT DROP
    sudo iptables -P FORWARD DROP

    # Delete/Flush old iptables rules
    sudo iptables -F
    sudo iptables -t nat -F
    sudo iptables -t mangle -F
    sudo iptables -X

    # Set default policies
    sudo iptables -P OUTPUT ACCEPT
    sudo iptables -P INPUT DROP
    sudo iptables -P FORWARD DROP

    # Prevent external packets from using loopback addresses [OPTIONAL]
    sudo iptables -A INPUT   -i $WAN -s 127.0.0.1 -j DROP
    sudo iptables -A INPUT   -i $WAN -d 127.0.0.1 -j DROP
    sudo iptables -A FORWARD -i $WAN -s 127.0.0.1 -j DROP
    sudo iptables -A FORWARD -i $WAN -d 127.0.0.1 -j DROP

    # Anything coming from/going to Internet should not
    # use private (RFC 1918) addresses [OPTIONAL]
    sudo iptables -A INPUT   -i $WAN -s 172.16.0.0/12  -j DROP
    sudo iptables -A INPUT   -i $WAN -s 10.0.0.0/8     -j DROP
    sudo iptables -A INPUT   -i $WAN -s 192.168.0.0/16 -j DROP
    sudo iptables -A FORWARD -i $WAN -s 172.16.0.0/12  -j DROP
    sudo iptables -A FORWARD -i $WAN -s 10.0.0.0/8     -j DROP
    sudo iptables -A FORWARD -i $WAN -s 192.168.0.0/16 -j DROP

    #Extra security stuff: drop malformed TCP flag combinations
    sudo iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    sudo iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    sudo iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    sudo iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    sudo iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

    # Block outgoing NetBios [OPTIONAL]
    sudo iptables -A FORWARD -p tcp --sport 137:139 -o $WAN -j LOG --log-prefix "FORWARD DROP: "
    sudo iptables -A FORWARD -p tcp --sport 137:139 -o $WAN -j DROP
    sudo iptables -A FORWARD -p udp --sport 137:139 -o $WAN -j LOG --log-prefix "FORWARD DROP: "
    sudo iptables -A FORWARD -p udp --sport 137:139 -o $WAN -j DROP
    sudo iptables -A OUTPUT  -p tcp --sport 137:139 -o $WAN -j LOG --log-prefix "OUTPUT DROP: "
    sudo iptables -A OUTPUT  -p tcp --sport 137:139 -o $WAN -j DROP
    sudo iptables -A OUTPUT  -p udp --sport 137:139 -o $WAN -j LOG --log-prefix "OUTPUT DROP: "
    sudo iptables -A OUTPUT  -p udp --sport 137:139 -o $WAN -j DROP

    # Allow local loopback [NEEDED]
    sudo iptables -A INPUT -i lo -j ACCEPT

    # Allow pings [OPTIONAL]
    sudo iptables -A INPUT   -p icmp --icmp-type echo-request -j ACCEPT
    sudo iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

    # START STATE STUFF
    # Accept existing connections [NEEDED]
    sudo iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow any new connections from internal network to the netbook itself
    # [ONLY NEEDED IF PORTS ARE NOT EXPLICITLY FORWARDED BELOW]
    sudo iptables -A INPUT -m state --state NEW -i $WLAN -j ACCEPT
    # I *think* this would allow *all* outbound instead of just explicit ports permitted below
    #sudo iptables -A FORWARD -m state --state NEW -i $WLAN -o $WAN -j ACCEPT
    # END STATE STUFF

    # Internal inbound services [OPTIONAL - DNS NEEDED]
    #sudo iptables -A INPUT -p udp -i $WLAN --dport 53      -m state --state NEW -j ACCEPT #DNS cache
    #sudo iptables -A INPUT -p tcp -i $WLAN --dport 53      -m state --state NEW -j ACCEPT #DNS cache
    #sudo iptables -A INPUT -p udp -i $WLAN --dport 137:139 -m state --state NEW -j ACCEPT #SAMBA
    #sudo iptables -A INPUT -p tcp -i $WLAN --dport 445     -m state --state NEW -j ACCEPT #SAMBA

    # Allow forwarding of essential services [NEEDED]
    sudo iptables -A FORWARD -p tcp --dport 53 -j ACCEPT #DNS
    sudo iptables -A FORWARD -p udp --dport 53 -j ACCEPT #DNS
    sudo iptables -A FORWARD -p tcp --dport 80 -j ACCEPT #WEB
    sudo iptables -A FORWARD -p tcp --dport 81 -j ACCEPT #WEB
    sudo iptables -A FORWARD -p tcp --dport 443 -j ACCEPT #HTTPS
    sudo iptables -A FORWARD -p tcp --dport 143 -j ACCEPT #IMAP
    sudo iptables -A FORWARD -p tcp --dport 993 -j ACCEPT #IMAP SSL
    sudo iptables -A FORWARD -p tcp --dport 995 -j ACCEPT #POP3 SSL (Yahoo mail?)
    sudo iptables -A FORWARD -p tcp --dport 25 -j ACCEPT #SMTP
    sudo iptables -A FORWARD -p tcp --dport 465 -j ACCEPT #SMTP SSL
    sudo iptables -A FORWARD -p tcp --dport 5223 -j ACCEPT #IPHONE PUSH
    sudo iptables -A FORWARD -p tcp --dport 2195 -j ACCEPT #IPHONE PUSH
    sudo iptables -A FORWARD -p tcp --dport 1919 -j ACCEPT #IPHONE PINGCHAT!

    # Masquerade [NEEDED]
    sudo iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

    # Enable routing.
    sudo sysctl net.ipv4.ip_forward=1


    ###############################
    ### Connecting to Optus
    ###############################
    sudo pppd call optus-3g debug nodetach dump
  5. Now running optusShare.sh should be all you need to do to get back online.

    Note - The default WPA password is 1234567890.  You should change this to a stronger password of your choosing.
    Note2 - The NAT rules in this script only allow access to certain predefined ports, and I do not promise it is secure.
    Note3 - In its current state, this script does not set up DNS forwarding.  Your WiFi clients will need to configure their own Internet DNS service (in my case, the one provided by Optus).
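    Once optusShare.sh has run, it is worth confirming that the ruleset actually loaded is the one the script intends, since a typo in an interface name or a prefix length silently weakens it. The shell function below is an added example, not part of the original post: it reads an `iptables-save` dump from stdin and reports the masquerade rule, the DROP policies, the stateful FORWARD accept, any rule naming a WiFi interface other than the one brought up, and the common 192.168.0.0/24 mistake. The interface names wlan1/ppp0 and the two sample dumps are constructed assumptions that mirror the script's rules; on a real machine you would pipe `sudo iptables-save` into it.

```shell
#!/bin/bash
# Added example (not from the original post): audit an iptables-save dump for
# the properties the optusShare.sh ruleset relies on.
# Real use:   sudo iptables-save | check_nat_ruleset wlan1 ppp0
# Exit status 0 means every check passed; 1 means at least one finding.

check_nat_ruleset() {
    lan="$1"; wan="$2"; rc=0
    dump="$(cat)"                      # iptables-save output, read from stdin
    has() { printf '%s\n' "$dump" | grep -qE -- "$1"; }

    # NAT: traffic leaving on the 3G link must be masqueraded
    has "^-A POSTROUTING -o $wan -j MASQUERADE\$" \
        || { echo "MISSING: MASQUERADE on $wan"; rc=1; }
    # default-deny on the chains the script sets to DROP
    has '^:INPUT DROP'   || { echo "WEAK: INPUT policy is not DROP";   rc=1; }
    has '^:FORWARD DROP' || { echo "WEAK: FORWARD policy is not DROP"; rc=1; }
    # without this, replies to the clients' connections are never forwarded back
    has '^-A FORWARD .*--state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT$' \
        || { echo "MISSING: stateful ACCEPT in FORWARD"; rc=1; }
    # rules naming a WiFi interface other than the one actually brought up
    other="$(printf '%s\n' "$dump" | grep -oE -- '-i wlan[0-9]+' | grep -vx -- "-i $lan" | sort -u)"
    [ -z "$other" ] || { echo "MISMATCH: rules use '$other' but the WiFi interface is $lan"; rc=1; }
    # RFC 1918 anti-spoof rule with the wrong prefix length
    ! has '-s 192\.168\.0\.0/24 ' \
        || { echo "BUG: 192.168.0.0/24 is one subnet; the RFC 1918 block is 192.168.0.0/16"; rc=1; }
    return $rc
}

# CONSTRUCTED sample in iptables-save format, mirroring the script's rules but
# with two defects to catch: the wrong WiFi interface and 192.168.0.0/24.
SAMPLE_BAD='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
-A INPUT -i ppp0 -s 192.168.0.0/24 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlan0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# The same constructed dump with both defects corrected.
SAMPLE_GOOD="$(printf '%s\n' "$SAMPLE_BAD" | sed -e 's/-i wlan0 /-i wlan1 /' -e 's#192\.168\.0\.0/24#192.168.0.0/16#')"

# Runs the checker over one of the samples; returns the checker's exit status.
audit_sample() {
    case "$1" in
        bad)  printf '%s\n' "$SAMPLE_BAD"  | check_nat_ruleset wlan1 ppp0 ;;
        good) printf '%s\n' "$SAMPLE_GOOD" | check_nat_ruleset wlan1 ppp0 ;;
    esac
}

echo "== constructed dump with defects =="
audit_sample bad || echo "-> findings reported (expected)"
echo "== corrected dump =="
audit_sample good && echo "-> no findings"
```

    The checks are deliberately string-level (grep over `iptables-save` output) so the audit needs no root and can be run against a saved dump from another machine; the interface-mismatch check is the one that catches a ruleset written for wlan0 on a netbook whose card shows up as wlan1.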
