Have you ever wanted to just set up a wireless network that replaces pictures with cats?
No? What’s wrong with you. In this article we’re going to talk about making the Kittynet. So you can leave it unsecured and have your neighbors be annoyed by pictures of cats everywhere, like so –
(note: don’t go to that site.)
For this setup, we will need the following:
- 1 PC running Linux, with 3 Network Interface Cards
- A spare wireless router, preferably flashed with DD-WRT or similar
- The rest of your networking gear to serve your normal network.
First, we need to set up the router to just route. I have three interfaces in mine – eth1, eth2 and eth3. eth1 will be my internal network, eth2 will be the public network, and eth3 will be for the WAP.
Let’s configure our interfaces. On Debian-based systems this is as simple as editing /etc/network/interfaces –
auto lo
iface lo inet loopback
    post-up iptables-restore < /etc/iptables.up.rules

auto eth2
iface eth2 inet dhcp

auto eth1
iface eth1 inet static
    address 10.1.1.1
    netmask 255.255.255.0

auto eth3
iface eth3 inet static
    address 10.1.2.1
    netmask 255.255.255.0
Notice that eth1 and eth3 are on different subnets. This is important: whatever internal addresses you choose, make sure the two networks are on different subnets.
Now, we need to tell the kernel that it’s allowed to forward traffic –
sysctl -w net.ipv4.ip_forward=1                       # enable forwarding now
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf    # and keep it across reboots
Now that this is done, we need to set up some IPtables rules –
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
eth2 is your external interface; this rule tells the kernel to NAT everything leaving through it. Unless you want to set the default policy to DROP, you are done. If you do want DROP as the default, you also need to allow your internal networks. These rules are in iptables-save format, as used by the /etc/iptables.up.rules file that is restored at boot –
-A PREROUTING -i eth3 -j ACCEPT
-A PREROUTING -i eth1 -j ACCEPT
-A PREROUTING -i lo -j ACCEPT
-A PREROUTING -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
Now that the box is configured to route traffic, we need to set up a DHCP server on it. I will be using dhcp3-server; you are welcome to use whatever you want, but this guide walks you through the configuration of that server.
In /etc/dhcp3/dhcpd.conf, you will need to set up your subnets –
update-static-leases on;
ignore client-updates;
option domain-name "failverse.local.";
default-lease-time 600;
max-lease-time 7200;

subnet 10.1.1.0 netmask 255.255.255.0 {
    interface eth1;
    option domain-name-servers 8.8.8.8, 8.8.4.4;
    option broadcast-address 10.1.1.255;
    option subnet-mask 255.255.255.0;
    option routers 10.1.1.1;
    range 10.1.1.100 10.1.1.254;

    # People who live here.
    group {
        # Dewey Main
        host illu {
            hardware ethernet 00:24:1d:1f:ae:36;
            fixed-address 10.1.1.220;
        }
        # Dewey Media
        host ryuujin {
            hardware ethernet 00:1b:11:c3:28:45;
            fixed-address 10.1.1.221;
        }
        # PS3
        host Maemi {
            hardware ethernet a8:e3:ee:5f:1c:04;
            fixed-address 10.1.1.222;
        }
        # Xbox
        host Shana {
            hardware ethernet 7c:ed:8d:25:7f:8b;
            fixed-address 10.1.1.223;
        }
    }

    # Sharaa
    host sharaa {
        hardware ethernet 1c:6f:65:a7:ca:cb;
        fixed-address 10.1.1.20;
    }
    # Sharaa Media
    host sharaa-media {
        hardware ethernet 00:16:3E:44:C8:18;
        fixed-address 10.1.1.21;
    }
    # Sharaa Windows
    host sharaa-windows {
        hardware ethernet 00:46:6E:A4:C8:58;
        fixed-address 10.1.1.23;
    }
}

# KITTIES
subnet 10.1.2.0 netmask 255.255.255.0 {
    interface eth3;
    option domain-name-servers 8.8.8.8, 8.8.4.4;
    option broadcast-address 10.1.2.255;
    option routers 10.1.2.1;
    range 10.1.2.100 10.1.2.200;
}
I have included my entire config, in the event you want to set up machines that are statically assigned. The important parts are the options present in the KITTIES section. Go ahead and set up both subnets now, since we’d just come back and edit this file later anyway.
Now that your server is handing out DHCP leases, make sure everything is set to come up on boot. Next we set up the proxy: install squid and apache2 from your friendly repository and edit /etc/squid3/squid.conf.
We need three lines; two of them are already in the default config but commented out –
acl localnet src 10.1.2.0/24
http_access allow localnet
url_rewrite_program /var/www/scripts/images.pl
Now, create /var/www/scripts and /var/www/content and place ‘images.pl’ into scripts (source here.) We’re going to modify the original script to use our own web server –
#!/usr/bin/perl
########################################################################
# replaceImages.pl --- Squid Script (Replace every image)              #
# g0tmi1k 2011-03-25                                                   #
########################################################################
use strict;
use warnings;
use IO::Handle;
use POSIX qw(strftime);

my $debug    = 0;                            # Debug mode - create log file
my $imageURL = "http://10.1.2.1/kitty.jpg";  # Served by our own Apache on the router

$| = 1;                                      # Unbuffered: Squid waits for one reply per request line
my $pid = $$;

if ($debug == 1) {
    open (DEBUG, '>>/tmp/replaceImages_debug.log') or die "Cannot open debug log: $!";
    DEBUG->autoflush(1);
    print DEBUG "########################################################################\n";
    print DEBUG strftime ("%d%b%Y-%H:%M:%S\n", localtime(time()));
    print DEBUG "########################################################################\n";
}

# Squid feeds one request per line: "URL client/fqdn ident method ..."
while (<>) {
    chomp $_;
    print DEBUG "Input: $_\n" if $debug == 1;

    if ($_ =~ m/\Q$imageURL\E/) {
        # Already our cat picture - hand it back unchanged so we never loop
        print "$imageURL\n";
    }
    elsif ($_ =~ /(.*\.(gif|png|bmp|tiff|ico|jpg|jpeg|swf))/i) {  # Image format(s)
        print "$imageURL\n";
        print DEBUG "Image Replaced: $_ \n" if $debug == 1;
    }
    else {
        print "$_\n";
        print DEBUG "Output: $_\n" if $debug == 1;
    }
}

close (DEBUG) if $debug == 1;
Download a picture of a cat you like to /var/www/content/kitty.jpg. Then we need to change our DocumentRoot (and DirectoryIndex). Debian uses virtual hosts by default, so edit /etc/apache2/sites-available/default –
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DirectoryIndex kitty.jpg

    DocumentRoot /var/www/content
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/content>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>
Now, we need to redirect their traffic from port 80, to our squid proxy –
iptables -t nat -A PREROUTING -i eth3 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
In DD-WRT on the WAP you’ll need to configure it as a DHCP forwarder pointing at 10.1.2.1, set its static IP to something like 10.1.2.6, and set it to act purely as an access point with no NAT, etc. This should be fairly straightforward; if you need help, just glance through the DD-WRT wiki.
Now that we have the WAP configured, we want to lock it down some.
iptables -A INPUT -s 10.1.2.0/24 -d 10.1.1.1/32 -m comment --comment "Prevent Access to 10.1.1.1 from 10.1.2.0/24" -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -s 10.1.2.6/32 -d 10.1.1.0/24 -m comment --comment "Allow Access from the WAP for administration purposes" -m mac --mac-source 68:7F:74:26:3E:CB -j ACCEPT
iptables -A FORWARD -i eth3 -o eth1 -m comment --comment "Locking down the networks" -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 10.1.2.0/24 -j REJECT --reject-with icmp-host-prohibited
The first three rules do the following: the first prohibits anything on 10.1.2.0/24 from reaching 10.1.1.1 itself (this goes in INPUT rather than FORWARD because traffic to the router’s own address never leaves the box); the second allows access from the WAP so you can manage it (you’ll obviously need to replace the MAC with the MAC of your specific WAP; I got mine by pinging the WAP from the router and running tcpdump -e -i eth3 icmp); and the third blocks any access from the Kittynet to your other subnet.
Then we have some ACCEPT statements for port 80 (HTTP), port 53 (DNS) and ICMP (you could technically lock this down further and only allow ping, but plain ICMP should be fine). The final rule is a REJECT so that guests cannot reach any other port externally. This should prevent your network being abused for things like BitTorrent in most cases, though there is still the threat of them simply downloading tons of things over HTTP.
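Because the order of these rules decides what a guest can reach, here is an added example (not from the original post) that walks constructed sample flows through the FORWARD chain above in Python, using first-match semantics like iptables. The WAP MAC, the 10.1.2.100 guest address and the 198.51.100.7 “internet” address are placeholders I made up.

```python
import ipaddress

# The article's FORWARD chain in the order the rules are appended. Keys mirror the
# iptables matches used there. The WAP MAC is a constructed placeholder, not the author's.
FORWARD_RULES = [
    ({"src": "10.1.2.6/32", "dst": "10.1.1.0/24", "mac": "00:11:22:33:44:55"}, "ACCEPT"),  # WAP admin
    ({"in": "eth3", "out": "eth1"}, "REJECT"),   # kittynet may not reach the internal LAN
    ({"proto": "tcp", "dport": 53}, "ACCEPT"),   # DNS
    ({"proto": "udp", "dport": 53}, "ACCEPT"),
    ({"proto": "icmp"}, "ACCEPT"),
    ({"proto": "tcp", "dport": 80}, "ACCEPT"),   # HTTP (the nat rule sends this to squid)
    ({"src": "10.1.2.0/24"}, "REJECT"),          # anything else from the kittynet
]

def rule_matches(match, pkt):
    """True when every criterion of one rule matches the packet (-s/-d are subnets)."""
    for key, want in match.items():
        if key in ("src", "dst"):
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want):
                return False
        elif key == "mac":
            if pkt.get("mac", "").lower() != want.lower():
                return False
        elif pkt.get(key) != want:
            return False
    return True

def forward_verdict(pkt, rules=FORWARD_RULES, policy="ACCEPT"):
    """First matching rule wins, as in a real chain; otherwise the chain policy applies."""
    for match, target in rules:
        if rule_matches(match, pkt):
            return target
    return policy

# Constructed flows: a kittynet guest (10.1.2.100), the WAP (10.1.2.6), an internal host
# (10.1.1.20) and a TEST-NET-2 address standing in for "the internet".
SAMPLE_TRAFFIC = {
    "guest http to internet": {"src": "10.1.2.100", "dst": "198.51.100.7", "in": "eth3", "out": "eth2", "proto": "tcp", "dport": 80},
    "guest bittorrent":       {"src": "10.1.2.100", "dst": "198.51.100.7", "in": "eth3", "out": "eth2", "proto": "tcp", "dport": 6881},
    "guest http to internal": {"src": "10.1.2.100", "dst": "10.1.1.20", "in": "eth3", "out": "eth1", "proto": "tcp", "dport": 80},
    "wap admin, real mac":    {"src": "10.1.2.6", "dst": "10.1.1.20", "in": "eth3", "out": "eth1", "proto": "tcp", "dport": 22, "mac": "00:11:22:33:44:55"},
    "wap ip spoofed":         {"src": "10.1.2.6", "dst": "10.1.1.20", "in": "eth3", "out": "eth1", "proto": "tcp", "dport": 22, "mac": "de:ad:be:ef:00:01"},
    "internal https":         {"src": "10.1.1.20", "dst": "198.51.100.7", "in": "eth1", "out": "eth2", "proto": "tcp", "dport": 443},
}

def audit(traffic=SAMPLE_TRAFFIC):
    """Map each sample flow to the verdict the chain gives it."""
    return {name: forward_verdict(pkt) for name, pkt in traffic.items()}
```

Note that a guest’s HTTP request to an internal host is rejected by the eth3-to-eth1 rule before the port 80 ACCEPT is ever consulted, and that a host borrowing the WAP’s IP without its MAC falls through to the same rejection.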
Unfortunately, there isn’t really a quick and easy button for this – you can experiment with tc, or try the transmission limits on your DD-WRT device. This is something you’ll just need to play around with!
Make sure all your settings are saved, and then go ahead and unsecure your wireless to let your neighbors experience the Kittynet.