Linux: share 3g connection with the internal network


It's very easy to share an internet connection with iptables using NAT (IP forwarding plus IP masquerade). In my case, though, I needed to share the 3G connection over wifi, and my computer's NIC cannot work in ad-hoc mode, so I have to use an external wifi router. This router is connected to my Thinkpad R61's eth0 port, and it needs to obtain its WAN IP address via DHCP. So a DHCP server is needed to provide the IP address and the gateway to the wifi router.

I coded a simple script as:

/etc/myserver_start.sh

#!/bin/sh

# Stop NetworkManager so that it does not assign an address to eth0
systemctl stop NetworkManager.service
sleep 2

# eth0 gets the static address that dhcpd hands out as the gateway
ifconfig eth0 192.168.2.1 up
service dhcpd restart
sleep 2
ifconfig eth0 192.168.2.1 up
sleep 2

# Bring up the 3G link (section [Dialer 3g] of /etc/wvdial.conf)
wvdial 3g &
sleep 2

# Load the firewall (NAT/masquerade rules)
/etc/firewall.sh

The first relevant line stops NetworkManager, so that eth0 does not get an address from it: eth0 must have a static IP.

The middle lines configure the static server address, restart the dhcpd server and start the 3G connection with wvdial.

The last line launches the firewall (redundant if it is configured as a service).

All the needed configuration files are described in:

Linux: DHCP server

Linux: 3G connection with wvdial

Linux: a home firewall

Posted in Linux

Linux: 3G connection with wvdial


A simple configuration file for a Vodafone 3G connection with a Huawei modem:

/etc/wvdial.conf

[Dialer 3g]
Phone = *99***1#
Username = vodafone
Password = vodafone
Stupid Mode = 1
Dial Command = ATDT
Modem = /dev/ttyUSB0
Baud = 460800
Init2 = ATZ
Init3 = ATE0V1&D2&C1S0=0+IFC=2,2
ISDN = 0
Modem Type = Analog Modem
Init5 = AT+CGDCONT=1,"IP","ac.vodafone.es"

To connect:

wvdial 3g

(If you copy this file from the web, make sure the quotes are plain ASCII double quotes, not typographic ones.)

Posted in Linux

Linux: DHCP server


An example DHCP server configuration on my R61:

/etc/dhcp/dhcpd.conf:

# Add lines like below
# specify domain name
option domain-name      "sixone.world";

# specify DNS’s hostname or IP address
option domain-name-servers      208.67.222.222, 208.67.220.220;

# default lease time
default-lease-time 600;

# max lease time
max-lease-time 7200;

# this DHCP server to be declared valid
authoritative;

# specify network address and subnet mask
subnet 192.168.2.0 netmask 255.255.255.0 {
        # specify the range of lease IP address
        range 192.168.2.100 192.168.2.200;

        # specify broadcast address
        option broadcast-address 192.168.2.255;

        # specify default gateway
        option routers 192.168.2.1;

        option ip-forwarding on;
}

Posted in Linux

Linux: a home firewall


A simple home firewall taken from this website (in Spanish) and adapted to my needs:

/etc/firewall.sh

#!/bin/bash
#Source: http://www.ubuntu-es.org/node/422#.UTuvqFFVEy4

IPTABLES=$(which iptables)

#-s to specify a source address
#-d to specify a destination address
#-p to specify a protocol
#-i to specify an input interface
#-o to specify an output interface
#-j to specify the action to execute over the packet
#--sport source port
#--dport destination port

#Delete all rules
$IPTABLES -F

#######################################
#Everything closed by default.
#Only established own connections can
#pass in/out
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#######################################
#Other
#No ping
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

#No answer to broadcast packets
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Avoid spoofing (the source address of a packet must belong to the interface it arrived on)
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
/bin/echo "1" > ${interface}
done

#No ICMP redirects
for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
/bin/echo "0" > ${interface}
done

#Log martian packets (packets with impossible source addresses)
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

#######################################
#NAT & PortForwarding
#More info at: http://www.revsys.com/writings/quicktips/nat.html
#deactivated by default
/bin/echo "0" > /proc/sys/net/ipv4/ip_forward
#uncomment to activate
#/bin/echo "1" > /proc/sys/net/ipv4/ip_forward
#Example to share a ppp connection (internet) with eth0 (internal network)
#Forwarding from eth0 (LAN) to ppp0 (internet)
#$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
#$IPTABLES -A FORWARD -i ppp0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
#$IPTABLES -A FORWARD -i eth0 -o ppp0 -j ACCEPT

#http://web.mit.edu/rhel-doc/4/RH-DOCS/rhel-sg-es-4/s1-firewall-ipt-fwd.html
#Example to open an internal network port to the internet
#$IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to 192.168.1.100:80
#$IPTABLES -A FORWARD -i ppp0 -p tcp --dport 80 -d 192.168.1.100 -j ACCEPT

#######################################
#Port rules (this host)

#Allow HTTP
#$IPTABLES -A INPUT -m state --state NEW -p TCP --dport 80 -j ACCEPT

#Allow SSH
#$IPTABLES -A INPUT -s 172.26.0.3 -p TCP --dport 22 -j ACCEPT
#$IPTABLES -A INPUT -s 172.26.0.4 -p TCP --dport 22 -j ACCEPT
#$IPTABLES -A INPUT -s 172.26.0.5 -p TCP --dport 22 -j ACCEPT

#$IPTABLES -A INPUT -p TCP --dport 22 -j ACCEPT

#Allow DNS
#$IPTABLES -A INPUT -p UDP --dport 53 -j ACCEPT
#$IPTABLES -A INPUT -p TCP --dport 53 -j ACCEPT

#Allow FTP
#$IPTABLES -A INPUT -p TCP --dport 21 -j ACCEPT

#Allow POP3
#$IPTABLES -A INPUT -p TCP --dport 110 -j ACCEPT

#Allow SMTP
#$IPTABLES -A INPUT -p TCP --dport 25 -j ACCEPT

#Allow IMAP
#$IPTABLES -A INPUT -p TCP --dport 143 -j ACCEPT
#$IPTABLES -A INPUT -p UDP --dport 143 -j ACCEPT

#Allow all traffic in LAN
$IPTABLES -A INPUT -s 192.168.0.0/24 -j ACCEPT
$IPTABLES -A INPUT -s 192.168.1.0/24 -j ACCEPT
$IPTABLES -A INPUT -s 192.168.2.0/24 -j ACCEPT

#Allow everything from localhost
#Needed by local services such as mysql, etc.
$IPTABLES -A INPUT -i lo -j ACCEPT

#Allow TORRENT ports
$IPTABLES -A INPUT -p tcp --destination-port 51413:51416 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --source-port 51413:51416 -j ACCEPT

#Allow aMule P2P
$IPTABLES -A INPUT -p tcp --destination-port 54662:54672 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --source-port 54662:54672 -j ACCEPT
$IPTABLES -A INPUT -p udp --destination-port 54662:54672 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --source-port 54662:54672 -j ACCEPT

#$IPTABLES -A INPUT -p tcp --destination-port 56662:56672 -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --source-port 56662:56672 -j ACCEPT
#$IPTABLES -A INPUT -p udp --destination-port 56662:56672 -j ACCEPT
#$IPTABLES -A OUTPUT -p udp --source-port 56662:56672 -j ACCEPT

#$IPTABLES -A INPUT -p tcp --destination-port 57662:57672 -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --source-port 57662:57672 -j ACCEPT
#$IPTABLES -A INPUT -p udp --destination-port 57662:57672 -j ACCEPT
#$IPTABLES -A OUTPUT -p udp --source-port 57662:57672 -j ACCEPT
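The firewall above sets policies for INPUT and OUTPUT only. The FORWARD chain keeps the kernel default (ACCEPT), which is harmless while ip_forward is 0, but the moment forwarding is switched on to share the 3G link, as the first post does, every packet between ppp0 and eth0 is forwarded unless rules say otherwise. The script below is an added example, not the post's firewall or the 3G sharing script: it generates the NAT/masquerade rule set for sharing a WAN interface with a LAN (the same three rules the firewall keeps commented out, restricted to the LAN's own prefix) together with a default-DROP FORWARD policy, and it can be run as a dry run by pointing it at echo instead of iptables. The interface names, the 192.168.2.0/24 prefix and the APPLY variable are this example's assumptions.

```sh
#!/bin/sh
# Added example (not the firewall script from the post): build the
# NAT/masquerade rules that share a WAN link (ppp0) with a LAN (eth0),
# with a default-DROP FORWARD policy so that only LAN-originated
# connections and their replies are forwarded.  Interface names,
# LAN prefix and the APPLY switch are assumptions for this example.

WAN_IF="${WAN_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"

# Print the rule set, one iptables argument list per line, running nothing.
nat_rules() {
    wan=$1; lan=$2; lan_net=$3
    cat <<EOF
-P FORWARD DROP
-t nat -A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
-A FORWARD -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
EOF
}

# Feed every rule to the given binary ("echo" for a dry run, iptables for real).
apply_nat_rules() {
    iptables_bin=$1; wan=$2; lan=$3; lan_net=$4
    nat_rules "$wan" "$lan" "$lan_net" | while read -r rule; do
        # word splitting of $rule into separate arguments is intended here
        "$iptables_bin" $rule || exit 1
    done
}

# Number of FORWARD rules in the generated set (two: replies in, LAN out).
count_forward_rules() {
    nat_rules "$1" "$2" "$3" | grep -c -- '-A FORWARD'
}

# Dry run by default; APPLY=1 loads the rules and enables forwarding.
if [ "${APPLY:-0}" = 1 ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    apply_nat_rules "$(command -v iptables)" "$WAN_IF" "$LAN_IF" "$LAN_NET"
else
    apply_nat_rules echo "$WAN_IF" "$LAN_IF" "$LAN_NET"
fi
```

Run it without arguments to see the rules it would load; with APPLY=1 it enables forwarding and installs them. Restricting MASQUERADE and the LAN-to-WAN rule to the LAN prefix means a host that plugs into eth0 with an address outside 192.168.2.0/24 is not silently given internet access, and the DROP policy means a typo in the ACCEPT rules fails closed rather than open.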

To run this script automatically as a service on Ubuntu/Debian:

ln -s /etc/firewall.sh /etc/init.d

update-rc.d firewall.sh defaults

Posted in Linux

OpenBSD: /tmp in memory


My laptop is equipped with a reasonable amount of memory (8 Gb) that is never used in its entirety. The surplus can be used, for example, for memory file systems, /tmp in particular. Simply edit /etc/fstab, comment out the /tmp line if it exists, and add a new line like:

# /tmp: 512Mb memory file system
swap /tmp mfs rw,noatime,nodev,nosuid,-s=1024000 0 0

The size (-s) is expressed in sectors; normally a sector is 512 bytes.

The change takes effect on the next reboot, or after unmounting and remounting /tmp (be careful if daemons or applications are using it).

Posted in BSD, OpenBSD

OpenBSD: automate wired/wifi network connection


Although OpenBSD lacks applications like NetworkManager, it is possible to implement some kind of network autodetection, wired and wireless. I launch the following script during the boot process:

/etc/activatewifi.sh

#!/bin/sh

IF_WIRED=em0
IF_WIRELESS=iwn0

# wifinwid takes the wireless interface as its argument
WIFI_SCRIPT="/etc/wifinwid ${IF_WIRELESS}"

# "status: no carrier" means nothing is plugged into the wired port
STATE_IF_WIRED=$(ifconfig $IF_WIRED | grep status | cut -d: -f 2 | sed -E "s/ //g")

echo "${IF_WIRED}: ${STATE_IF_WIRED}"

if [ "$STATE_IF_WIRED" = "nocarrier" ]; then
        $WIFI_SCRIPT &
fi

Take note of the '/etc/wifinwid' script. It can be grabbed from:

http://foad2.obtuse.com/beck/wifinwid

When OpenBSD starts, this script is executed and launches the wifi script if the wired network is down. If my wired NIC is up, the wifi script is not launched.

The main problem with this solution arises when the wireless network is off: you need to activate the wired one manually. I use another script:

/etc/wifi_deactivate.sh

#!/bin/sh

ifconfig iwn0 192.168.50.10
route delete default
route delete default
dhclient em0

I assign a non-real address to the wireless NIC and delete the gateway. Using configuration files like hostname.em0 would probably be better.

Posted in BSD, OpenBSD

OpenBSD: adding a partition


Adding a new partition to a running system is a matter of editing the bsdlabel and formatting the partition. In my case, the disk is structured as:

# fdisk sd1
Disk: sd1       geometry: 32301/240/63 [488397168 Sectors]
Offset: 0       Signature: 0xAA55
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
*0: A6      0   1   1 -  12918 224  63 [          63:   195334272 ] OpenBSD    
 1: A6  12918 225   1 -  25818  19  63 [   195334335:   195035085 ] OpenBSD    
 2: 0C  25837 210   1 -  32301  14  63 [   390668670:    97723395 ] Win95 FAT32L
 3: 00      0   0   0 -      0   0   0 [           0:           0 ] unused    

Partition 1 is the new one to add.

The bsdlabel looks like:

# disklabel sd1 
# /dev/rsd1c:
type: SCSI
disk: SCSI disk
label: HTS545025B9A300
duid: cd5b1acbd1dffc77
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 30401
total sectors: 488397168
boundstart: 63
boundend: 195334335
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize  cpg]
  a:          2104449               63  4.2BSD   2048 16384    1 # /
  b:         17398398          2104512    swap                   # none
  c:        488397168                0  unused                  
  d:          4209024         19502912  4.2BSD   2048 16384    1 # /var
  e:         61432544         23711936  4.2BSD   2048 16384    1 # /usr
  f:          1044224         85144480  4.2BSD   2048 16384    1
  g:        109145600         86188704  4.2BSD   2048 16384    1 # /home
  i:         97723395        390668670   MSDOS                   # /mnt/dos

So the next step is to add the new partition to the bsdlabel. The command to do it is:

disklabel sd1

Then insert a new line after the last slice, like:

  h:        195035085        195334335  4.2BSD   2048 16384    1 # /mnt/store

In this case, I’ll mount the partition in /mnt/store.
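A slice whose offset or size is wrong in the label silently overlaps a neighbour, and newfs will then happily write over live data. The script below is an added example, not part of the post: it takes the existing slices from the label above (the "c" slice spans the whole disk and is skipped, as disklabel itself treats it) and the bounds of fdisk partition 1, and checks that the proposed "h" slice fits inside that partition and overlaps nothing, using the post's own sector numbers. The constructed LABEL text and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not part of the post): before writing the new "h" slice
# into the disklabel, check that it fits inside the fdisk partition it is
# meant to occupy and that it overlaps no existing slice.

# Existing slices as "name size offset" (constructed from the post's label).
LABEL='
a 2104449 63
b 17398398 2104512
c 488397168 0
d 4209024 19502912
e 61432544 23711936
f 1044224 85144480
g 109145600 86188704
i 97723395 390668670
'

# Bounds of the fdisk partition the new slice must live in (post's partition 1).
MBR_START=195334335
MBR_SIZE=195035085

# Does [off1, off1+size1) overlap [off2, off2+size2)?  Returns 0 = yes, 1 = no.
ranges_overlap() {
    [ "$1" -lt $(( $3 + $4 )) ] && [ "$3" -lt $(( $1 + $2 )) ]
}

# check_new_slice NAME SIZE OFFSET [MBR_START MBR_SIZE]: verdict on stdout,
# returns 0 only if the slice is safe to add.
check_new_slice() {
    name=$1; size=$2; offset=$3
    mbr_start=${4:-$MBR_START}; mbr_size=${5:-$MBR_SIZE}
    if [ "$offset" -lt "$mbr_start" ] || [ $(( offset + size )) -gt $(( mbr_start + mbr_size )) ]; then
        echo "$name: outside the MBR partition (start $mbr_start, size $mbr_size)"
        return 1
    fi
    printf '%s\n' "$LABEL" | while read -r other osize ooffset; do
        [ -z "$other" ] && continue
        [ "$other" = c ] && continue          # whole-disk slice, never a conflict
        if ranges_overlap "$offset" "$size" "$ooffset" "$osize"; then
            echo "$name: overlaps slice $other (offset $ooffset, size $osize)"
            exit 1                            # leaves the pipeline subshell with 1
        fi
    done || return 1
    echo "$name: fits, no overlap (ends at sector $(( offset + size )))"
}

check_new_slice h 195035085 195334335
```

With the post's numbers the check passes: h ends at sector 390369420, just below the Win95 partition at 390668670, and slice g ends at 195334304, just below h. Bumping the size by a single sector pushes h past the end of fdisk partition 1 and the check fails, which is exactly the kind of off-by-one that is cheap to catch before newfs runs.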

All that remains is to format the partition /dev/sd1h:

newfs sd1h

The mounted partition:

# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd1a     1008M    289M    669M    30%    /
/dev/sd1g     51.2G   41.2G    7.5G    85%    /home
mfs:25101      484M   43.0K    460M     0%    /tmp
/dev/sd1e     28.8G   13.7G   13.7G    50%    /usr
/dev/sd1d      2.0G    1.4G    505M    74%    /var
/dev/sd1i     46.5G   39.5G    7.0G    85%    /mnt/dos
/dev/sd0l     91.6G   11.6G   75.3G    13%    /mnt/linux
/dev/sd1h     91.5G    2.0K   87.0G     0%    /mnt/store

Posted in BSD, OpenBSD