Have you ever wanted to just set up a wireless network that replaces pictures with cats?

No? What’s wrong with you. In this article we’re going to talk about making the Kittynet. So you can leave it unsecured and have your neighbors be annoyed by pictures of cats everywhere, like so –

The Kittynet is Live!
(note: don’t go to that site.)


For this setup, we will need the following:

  • 1 PC running Linux, with 3 Network Interface Cards
  • A spare wireless router, preferably flashed with DD-WRT or similar
  • The rest of your networking gear to serve your normal network.

First, the Linux box needs to become the router; nothing fancy, it just has to route. Mine has three interfaces – eth1, eth2 and eth3. eth1 will be the internal network, eth2 the public (upstream) side, and eth3 the link to the WAP.

Let’s configure our interfaces. On Debian-based systems this is as simple as editing /etc/network/interfaces –

auto lo
iface lo inet loopback
        post-up iptables-restore < /etc/iptables.up.rules
auto eth2
iface eth2 inet dhcp
auto eth1
iface eth1 inet static
        address 10.1.1.1
        netmask 255.255.255.0
auto eth3
iface eth3 inet static
        address 10.1.2.1
        netmask 255.255.255.0

Notice how eth1 and eth3 are on different subnets – this matters. Whatever internal addresses you use, keep the two networks on different subnets; otherwise the kernel cannot route between them and the firewall rules below cannot tell them apart.

Now we need to tell the kernel that it’s allowed to forward traffic. The first line turns it on right away, the second keeps it on across reboots (Debian’s /etc/sysctl.conf already carries that line commented out; uncommenting it does the same) –

sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf

Now that this is done, we need to set up some IPtables rules –

iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

That is the external interface; the rule makes the box NAT everything it forwards out of eth2. If you leave the default policies at ACCEPT you are done here. If you do want to set INPUT and FORWARD to DROP, you have to allow your internal networks explicitly, and those rules belong in the filter table’s INPUT and FORWARD chains: PREROUTING is a nat/mangle chain, and an ACCEPT there does nothing to get a packet past a DROP policy. In the iptables-restore syntax used in /etc/iptables.up.rules (the guest lockdown rules further down are written for an ACCEPT policy; with DROP, put them ahead of the eth3 to eth2 line) –

-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth3 -j ACCEPT
-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth2 -j ACCEPT
-A FORWARD -i eth3 -o eth2 -j ACCEPT
-A FORWARD -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT

Now that the box routes, we need a DHCP server on it. I will be using dhcp3-server; you are welcome to use whatever you want, but this guide walks through the configuration of that one.

In /etc/dhcp3/dhcpd.conf, you will need to set up your subnets –

update-static-leases on;
ignore client-updates;
option domain-name "failverse.local.";
default-lease-time 600;
max-lease-time 7200;

subnet 10.1.1.0 netmask 255.255.255.0 {
        interface eth1;
        option domain-name-servers 8.8.8.8, 8.8.4.4;
        option broadcast-address 10.1.1.255;
        option subnet-mask 255.255.255.0;
        option routers 10.1.1.1;
        range 10.1.1.100 10.1.1.254;
        # People who live here.
        group {
                # Dewey Main
                host illu {
                        hardware ethernet 00:24:1d:1f:ae:36;
                        fixed-address 10.1.1.220;
                        }
                # Dewey Media
                host ryuujin {
                        hardware ethernet 00:1b:11:c3:28:45;
                        fixed-address 10.1.1.221;
                        }
                # PS3
                host Maemi {
                        hardware ethernet a8:e3:ee:5f:1c:04;
                        fixed-address 10.1.1.222;
                        }
                # Xbox
                host Shana {
                        hardware ethernet 7c:ed:8d:25:7f:8b;
                        fixed-address 10.1.1.223;
                        }
                }
        # Sharaa
        host sharaa {
                hardware ethernet 1c:6f:65:a7:ca:cb;
                fixed-address 10.1.1.20;
                }
        # Sharaa Media
        host sharaa-media {
                hardware ethernet 00:16:3E:44:C8:18;
                fixed-address 10.1.1.21;
                }
        # Sharaa Windows
        host sharaa-windows {
                hardware ethernet 00:46:6E:A4:C8:58;
                fixed-address 10.1.1.23;
                }
        }

# KITTIES
subnet 10.1.2.0 netmask 255.255.255.0 {
        interface eth3;
        option domain-name-servers 8.8.8.8, 8.8.4.4;
        option broadcast-address 10.1.2.255;
        option routers 10.1.2.1;
        range 10.1.2.100 10.1.2.200;
}

I have included my entire config, in the event you want to set up machines that are statically assigned. The important parts are the options present in the KITTIES section. Go ahead and set up both subnets now, since we’d just come back and edit this file later anyway.

Now that your server is handing out DHCP leases, make sure everything (the interfaces, dhcp3-server, the rules file) comes up on boot. Next we set up the proxy: install squid3 and apache2 from your friendly repository and edit /etc/squid3/squid.conf.

We need three lines. The first two are already in the stock config, just commented out, so uncomment them and set the network; the third is new –

acl localnet src 10.1.2.0/24
http_access allow localnet
url_rewrite_program /var/www/scripts/images.pl

Squid must also know that port 3128 receives intercepted traffic: add the intercept option to its http_port line (spelled transparent on older releases). Without it, the requests the iptables REDIRECT rule below hands to Squid carry only a relative path, and Squid rejects them as invalid URLs.

Now create /var/www/scripts and /var/www/content and place images.pl in scripts. The script is g0tmi1k’s replaceImages.pl (credited in its header); we modify the original to point at our own web server –

#!/usr/bin/perl
########################################################################
# replaceImages.pl              --- Squid Script (Replace every image) #
# g0tmi1k 2011-03-25                                                   #
########################################################################
use strict;
use warnings;
use IO::Handle;
use POSIX qw(strftime);

my $debug    = 0;                             # Debug mode - create log file
my $imageURL = "http://10.1.2.1/kitty.jpg";   # served by the Apache vhost below

$| = 1;                                       # Squid waits for each answer: never buffer stdout

my $DEBUG;
if ($debug) {
    open($DEBUG, '>>', '/tmp/replaceImages_debug.log') or die "cannot open log: $!";
    $DEBUG->autoflush(1);
    print {$DEBUG} "#" x 72, "\n";
    print {$DEBUG} strftime("%d%b%Y-%H:%M:%S\n", localtime);
    print {$DEBUG} "#" x 72, "\n";
}

# Squid hands the helper one request per line:
#   URL client_ip/fqdn ident method [urlgroup] key=value ...
# Only the first field is the URL, so match on that and nothing else.
while (my $line = <STDIN>) {
    chomp $line;
    print {$DEBUG} "Input: $line\n" if $debug;
    my ($url) = split ' ', $line;
    $url = '' unless defined $url;

    if ($url =~ m/^\Q$imageURL\E/) {          # Squid fetching our own picture: leave it alone
        print "$url\n";
    }
    elsif ($url =~ m{^[^?#]*\.(gif|png|bmp|tiff|ico|jpg|jpeg|swf)(?:[?#]|$)}i) {   # Image format(s), judged by the path, not the query string
        print "$imageURL\n";
        print {$DEBUG} "Image Replaced: $url\n" if $debug;
    }
    else {
        print "$url\n";                       # unchanged URL means no rewrite
        print {$DEBUG} "Output: $url\n" if $debug;
    }
}

close($DEBUG) if $debug;

Download a picture of a cat you like to /var/www/content/kitty.jpg. Then change the DocumentRoot (and DirectoryIndex); Debian uses virtual hosts by default, so the file is /etc/apache2/sites-available/default –

<VirtualHost *:80>
   ServerAdmin webmaster@localhost
   DirectoryIndex kitty.jpg
   DocumentRoot /var/www/content
   <Directory />
       Options FollowSymLinks
       AllowOverride None
   </Directory>
   <Directory /var/www/content>
       Options Indexes FollowSymLinks MultiViews
       AllowOverride None
       Order allow,deny
       allow from all
   </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>

</VirtualHost>

Now we redirect the guests’ port 80 traffic to the Squid proxy. This catches plain HTTP only; HTTPS passes through untouched, so images on HTTPS sites will not be replaced –

iptables -t nat -A PREROUTING -i eth3 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

In DD-WRT on the WAP you’ll need to configure it as a DHCP forwarder pointing at 10.1.2.1, give it a static IP such as 10.1.2.6, and set it to act as a plain router with no NAT of its own. This should be fairly straightforward; if you need help, glance through the DD-WRT wiki.

Now that we have the WAP configured, we want to lock it down some.

iptables -A INPUT -s 10.1.2.0/24 -d 10.1.1.1/32 -m comment --comment "Prevent Access to 10.1.1.1 from 10.1.2.0/24" -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -s 10.1.2.6/32 -d 10.1.1.0/24 -m comment --comment "Allow Access from the WAP for administration purposes" -m mac --mac-source 68:7F:74:26:3E:CB -j ACCEPT
iptables -A FORWARD -i eth3 -o eth1 -m comment --comment "Lockin down the networks" -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 10.1.2.0/24 -j REJECT --reject-with icmp-host-prohibited

The first three rules handle the interesting cases. The INPUT rule stops the guest network from reaching 10.1.1.1; that address is the router itself, so this traffic is delivered locally and never passes through FORWARD. Note that it only covers 10.1.1.1: the same box is also 10.1.2.1 on the guest side, and nothing here restricts that, so every service listening on the router (SSH, Squid on 3128, Apache) stays reachable from the Kittynet unless you add matching INPUT rules. The second rule lets traffic from the WAP reach the internal network so you can manage it from inside, matching on both its address and its MAC (you’ll obviously need to replace the MAC with the MAC of your specific WAP; I accomplished this by doing a ping from the router to the WAP, and then used tcpdump -e -i eth3 icmp to get it). Bear in mind that a guest can set both an IP and a MAC address at will, so this match is a convenience, not a boundary; accepting only RELATED,ESTABLISHED traffic from eth3 to eth1 would let the management replies through without trusting the MAC. The third rule rejects everything else from the guest interface to the internal one.

Then come the ACCEPT rules for port 53 (DNS), ICMP and port 80 (HTTP). None of them is tied to a source, so they also match forwarded traffic from the LAN, which is harmless while the FORWARD policy is ACCEPT. (You could lock ICMP down further and only allow echo requests, but plain ICMP should be fine.) Guest HTTP has already been redirected to Squid by the PREROUTING rule, so it never reaches FORWARD at all; what guests can fetch over HTTP is whatever Squid allows, and Squid logs it. The final rule rejects anything else from 10.1.2.0/24, so they cannot reach arbitrary ports outside. In most cases that stops things like BitTorrent, however there is still the threat of them just downloading tons of things via HTTP.
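The rules in this post are spread over the NAT step, the optional DROP policy and the lockdown step. Here, as an added example that is not part of the original post, is the whole thing as one generator for /etc/iptables.up.rules, the file the post-up line in /etc/network/interfaces loads. It assumes the names used above (eth1 internal, eth2 uplink, eth3 guest side), sets both INPUT and FORWARD to DROP, replaces the MAC-matched WAP rule with a stateful one so LAN-to-WAP management sessions get their replies back without trusting a MAC, and restricts what guests can reach on the router itself to DHCP, Apache and Squid. Which router services you expose to guests is this example’s assumption; adjust it.

```shell
#!/bin/sh
# Added example (not from the original post): emit the complete
# /etc/iptables.up.rules for the Kittynet router and optionally load it.
# Assumptions: interface names as in the post above.
LAN=eth1
WAN=eth2
GUEST=eth3
RULES=/etc/iptables.up.rules      # what post-up in /etc/network/interfaces loads

# Print the ruleset in iptables-restore format. Chains are first-match,
# so the order inside each chain is the whole point.
kittynet_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Guest HTTP goes to Squid on 3128; HTTPS is not touched
-A PREROUTING -i $GUEST -p tcp --dport 80 -j REDIRECT --to-ports 3128
# Everything leaving the uplink is NATed
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# --- traffic to the router itself ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -j ACCEPT
# Guests (and the WAP relaying DHCP) reach only dhcpd, Apache and Squid
-A INPUT -i $GUEST -p udp --dport 67 -j ACCEPT
-A INPUT -i $GUEST -p tcp -m multiport --dports 80,3128 -j ACCEPT
-A INPUT -i $GUEST -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# --- traffic through the router ---
# Replies first: this is what lets LAN -> WAP management sessions work,
# without the spoofable MAC match
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -j ACCEPT
# Guests never initiate anything towards the LAN
-A FORWARD -i $GUEST -o $LAN -j REJECT --reject-with icmp-host-prohibited
# Guests get DNS and ping out of the uplink only; HTTP is not forwarded
# at all, the REDIRECT above hands it to Squid
-A FORWARD -i $GUEST -o $WAN -p udp --dport 53 -j ACCEPT
-A FORWARD -i $GUEST -o $WAN -p tcp --dport 53 -j ACCEPT
-A FORWARD -i $GUEST -o $WAN -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Write the file, let iptables-restore parse it without committing, then load it.
kittynet_apply() {
    kittynet_rules > "$RULES"
    iptables-restore --test < "$RULES" || { echo "ruleset rejected, not loaded" >&2; return 1; }
    iptables-restore < "$RULES"
}

case "${1:-print}" in
    apply) kittynet_apply ;;
    *)     kittynet_rules ;;
esac
```

Run it without arguments to see the file it would write, and as root with apply to install it; the --test pass makes iptables-restore parse the whole file before anything is committed, so a typo cannot leave you with half a ruleset. Guests still hand their HTTP to Squid, so the only HTTP they get is what Squid lets through.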

Unfortunately, there isn’t really a quick and easy button for that. You can experiment with tc on eth3, or use the bandwidth limits in DD-WRT’s QoS settings. This is something you’ll just need to play around with!
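The post leaves shaping as an exercise. As an added example, not from the original post, here is one tc setup for it: a token bucket on eth3 for what the guests download and an ingress policer for what they upload. It assumes eth3 is the guest interface as above; the 2 Mbit/1 Mbit rates and the TC=echo dry-run switch are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original post): cap the guest side with tc.
# Assumptions: eth3 is the guest interface; the rates are starting points.
GUEST=eth3
DOWN=2mbit      # router -> guests, i.e. what they download
UP=1mbit        # guests -> router, i.e. what they upload
TC=${TC:-tc}    # TC=echo prints the commands instead of running them

kittynet_shape() {
    # Egress on eth3 is the guests' download direction: queue it through a
    # token bucket so it is smoothed to DOWN rather than dropped.
    $TC qdisc del dev "$GUEST" root 2>/dev/null || true
    $TC qdisc add dev "$GUEST" root tbf rate "$DOWN" burst 32kbit latency 400ms
    # Ingress on eth3 is their upload direction. Ingress cannot be queued,
    # only policed, so anything above UP is dropped and TCP backs off.
    $TC qdisc del dev "$GUEST" ingress 2>/dev/null || true
    $TC qdisc add dev "$GUEST" handle ffff: ingress
    $TC filter add dev "$GUEST" parent ffff: protocol ip u32 match u32 0 0 \
        police rate "$UP" burst 100k drop flowid :1
}

kittynet_unshape() {
    $TC qdisc del dev "$GUEST" root 2>/dev/null || true
    $TC qdisc del dev "$GUEST" ingress 2>/dev/null || true
}

case "${1:-}" in
    on)  kittynet_shape ;;
    off) kittynet_unshape ;;
    *)   echo "usage: $0 on|off" >&2 ;;
esac
```

Run it as root with on or off; with TC=echo it only prints the tc commands. The rates apply to the whole guest network, not per client; per-client fairness needs HTB classes, which is where the playing around starts.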

Make sure all your settings are saved (the iptables rules into /etc/iptables.up.rules, so the post-up line reloads them), and then go ahead and unsecure your wireless to let your neighbors experience the Kittynet. Remember that everything they do leaves through your public address; the rules above narrow what that can be, they don’t eliminate it.
