HowTo- Internet Connection Sharing on "LINUX"

[echoblack]

Internet Connection Sharing on "LINUX"

& Jasager Pineapple Setup

This way run's the dnsmasq DHCP+DNS server on the Host Laptop

This HowTo is NOT the Best Way

Just left of for reference if you want to try it

or need to do this for some other reason

You Want to follow This other HowTo

Just Click the link or search these forums for the thread name

Best HowTo - Setup Internet Connection Forwarding on "Linux" & Jasager

http://hak5.org/forums/index.php?showtopic=15200

---------------------------------------------------

- On Pineapple -

Ethernet Port = ETH0

WiFi Port = WiFi

- On laptop -

Wireless Interface = wlan0

Ethernet Port = eth0

This is how it will all work in the end.

Internet > ("dhcp+dns" GW > wlan0) > ("dhcp+dns" eth0 > {"lan network" ETH0 > WiFi } )

^You understand that right ?

Well lets start on the Laptop Config.

Fist install LINUX . . . BSD or Solaris but the setup is different.

or not Windows is an Amazingly good OS for building Botnets. Wink wink, nudge nudge Matt Lestock.

You will need to install dnsmasq on your laptop.

On Archlinux

pacman -S dnsmasq

Now you need to edit the /etc/dnsmasq.conf

The main things that need to be changed in there are these.

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=eth0

# This is an example of a DHCP range where the netmask is given. This
# is needed for networks we reach the dnsmasq DHCP server via a relay
# agent. If you don't know what a DHCP relay agent is, you probably
# don't need to worry about this.
dhcp-range=10.110.0.50,10.110.0.150,255.255.255.0,12h

Change this MAC address to the MAC address of the ETH0 interface on "Your" Pineapple

This way it always has the same IP. . . MANDATORY

# Always allocate the host with ethernet address 11:22:33:44:55:66
# The IP address 192.168.0.60
dhcp-host=00:18:84:1E:97:88,10.110.0.2

Now add the OpenDNS servers to your /etc/resolv.conf dnsmasq looks here for them.

echo "nameserver 127.0.0.1" >> /etc/resolv.conf
echo "nameserver 208.67.222.222" >> /etc/resolv.conf
echo "nameserver 208.67.220.220" >> /etc/resolv.conf

Now Start dnsmasq as Root with sudo but Don't worry dnsmasq Drops Root privileges and runs as "nobody" after startup.

sudo dnsmasq

If that doesn't start dnsmasq then start it with this command

sudo /etc/init.d/dnsmasq start

-----------------------------------------------

Now

(You can do all this or just run this stupidly crappy shell script to set up your laptop. Run from a Root shell # not $)

#!/bin/bash
#
# This sets up internet connection shareing from wlan0 to eth0 for the Pineapple
#
#

ifconfig eth0 10.110.0.1 netmask 255.255.255.0 && ifconfig eth0 up && sleep 1 && echo 1 > /proc/sys/net/ipv4/ip_forward && iptables -t nat -A PREROUTING -i eth0 -p tcp --destination-port 80 -j REDIRECT --to-ports 10000 && iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE && /etc/rc.d/iptables save && sleep 1 && /etc/rc.d/iptables start && sleep 1 && /etc/rc.d/dnsmasq start && sleep 1 && echo "You can Plug in the Pineapple Now"

exit

Now To bridge the wlan0 Wireless interface on your laptop that is connected to a Wireless Router serving up the Internet. . . To the eth0 Ethernet interface that is connected to the Pineapple.

Agin . .

wlan0 = Internet facing

eth0 = Pineapple facing

Set the IP address of the interface and the Netmask of the network.

ifconfig eth0 10.110.0.1 netmask 255.255.255.0
ifconfig eth0 up

Now you need to enable IP-Forwarding.

I do this in a temporary way like this. . .

echo 1 > /proc/sys/net/ipv4/ip_forward

To make it persistant you can do this. .

Edit /etc/sysctl.conf

Change. . .

net.ipv4.ip_forward=0

to

net.ipv4.ip_forward=1

Ok, Now set a iptables rule to allow traffic form eth0 to be forwarded to wlan0 and off to the Internet. Also add the rule to forward all traffic origination from interface eth0 on Port 80 to port 10000 which is the default listening Port for sslstrip.

NOTE:if you put in the rule to Forward eth0 traffic on port 80 to port10000. You Have to have sslstrip running so the WiFi clients get there http traffic forwarded off to the Internet

iptables -t nat -A PREROUTING -i eth0 -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
/etc/rc.d/iptables save
/etc/rc.d/iptables start

---------------------------------------

Chary

---------------------------------------

DON'T PLUG Pinapple INTO THE LAPTOP Ethernet YET !

Now To set up the Jasager Pineapple

Connect to it's WiFi interface. . . It should have an essid of OpenWRT or Pineapple....

If it is not sending off any essid. Then you probably need to plug the Pineapple into a computer that you didn't set up the Ethernet forwarding on, OR reboot the Linux laptop and start all over after setting up a Virtual WiFi Lan on the "lan network" in Webif Network/Wireless

Go ahead and add the OpenDNS servers to the /etc/resolv.conf on the Pineapple too.

So ssh into the Pineapple

ssh -c blowfish root@192.168.1.1

And add them. . .

echo "nameserver 127.0.0.1" >> /etc/resolv.conf
echo "nameserver 208.67.222.222" >> /etc/resolv.conf
echo "nameserver 208.67.220.220" >> /etc/resolv.conf

Ok, So, now go to page Network/networks

http://192.168.1.1/cgi-bin/webif/network.sh

Now. You are going to have to flip the "Connection Type" back and forth. BUT in the end it will be set to "DHCP"

Connection Type = Static IP
Type = Bridged
IP Address = 10.110.0.2
Netmask = 255.255.255.0
Default Gateway = 10.110.0.1

Lan DNS servers = 10.110.0.1

Hum,.... you mite need to save here too and then go back in and change to DHCP... not sure.

NOW Flip that "Connection Type" back to "DHCP"

So, it will look like this when you hit the save. . .

Connection Type = DHCP
Type = Bridged
IP Address = 10.110.0.2
Netmask = 255.255.255.0

Now, hit the "Save Changes" Button then Apply Changes at the bottom.

It probably will not reconnect so just let it sit for like 5min's then Power Cycle

----------------------------------------

Now please Owe PLEASE Work !!!!

-----------------------------------------

OK, ....... Now after about 5-10min's The Jasager Powered Fon La Fonera Router Should be done booting up.

Note: You should be connected to the Internet with your laptops Wireless Interface "wlan0" to a Wireless Router.

Pull out your handy Ethernet cable.

Pluge one end into your laptop Ethernet Port eth0

Plug the other end into the Ethernet Port on the Fon La Fonera Router. . . . . . .

Should have worked ! . ... Give it a min or two then open FireFox and navigate to 10.110.0.2.... YES

Now SSH to ssh root@10.110.0.2 YES

Now start up a VirtualBox and Connect to the WiFi.... Open a Shell and. . .

ping 10.110.0.2 YES

ping 10.110.0.1 YES

ping (The wlan0 IP address) YES

ping (The GW address) YES

ping google.com YES

Now, If you have it set up for sslstrip. Fire that up so the Port80 traffic that is being forwarded to Port 10000 has sslstrip to send it off to the Internet...

sslstrip -w sslstrip.log

In the VirtualBox - Open FireFox and Navigate to http://google.com YES

----------------------------------------------------------------------

Navigate to the Jasager Admin Webpage and turn Karma ON.

Make sure you add Your Fon Routers essid of "pineapple" or "OpenWrt" to the "Black List" - Every Time you Reboot the router ! ! !

Now Start up Wireshark on your Host Laptop and listen on interface "eth0" and get your packet sniffing on.

------------------------------------------------------------------------------------

From now on just make a crappy shell script like I showed you.

Name it pineapple.sh and put it in /usr/bin and make it executable.

sudo cp pineapple.sh /usr/bin && sudo chmod 775 /usr/bin/pineapple.sh

This way form now on all you have to do to get the Jasager up and running is just

[Root@ArchLinux~]# pineapple.sh
[User@ArchLinux~]$ sslstrip -w sslstrip.log

& Plug in the Pineapple

------------------------------------------------------------------------------------

To Kill everything. . . As Root do this

killall dnsmasq
iptables -X
iptables -F
/etc/rc.d/iptables stop

# On Linux distros other then Archlinux
/etc/init.d/iptables stop

Hope this helped you

===============================================

P.S. I love the show guys and girl :) Keep on the Linux ! Windows is Dead !...

Well it sucked big balls to begin with. What the hell is with C:\Windows\$NtUninstallWindow98847977$ ? That is crazy crap only good for hiding Virus code. & I'll take a well documented config file over the cryptic Windows Registry any day :P

Thanks for the Pineapple :) I still can't find anywhere ells to buy one. If you do, buy them all. I am sure you'll sell'um.

[digininja]

Haven't tried this but the write up looks pretty good, thanks for the effort, hopefully we can direct some people here and save a load of support questions.

[echoblack]

Thank you digininja !

I'm glad this meats your expected level of quality. I try to write all my HowTo's right after I figure things out for the first time. This way I remember all the pitfalls a newbie can have. I am working with taiyed14 to try and have the DHCP server running on the Jasager-Pineapple but with that way Wireless Clients can never traverse form the network block 10.110.0.0/24 to 192.168.1.0/24.

I left the Windows flaming in because I figure anyone reading this is probably a Linux user.

Also, Matt Lestock knows a lot more then me so I figure he can take a little ribbing. He give a little ribbing to Linux. So you know, all in good fun.

All respect for Matt Lestock.

[digininja]

It is much better if you have the DHCP server running on the Fon as Jasager uses the ARP table to work out the IP addresses of connected clients, if the Fon isn't giving out DHCP addresses then its ARP table never gets populated so you don't get the IP address in the table.

Running it should just be a case of starting the DHCP server on boot making sure it is offering IPs on the correct subnet for your wireless clients.

[echoblack]

Ya, and I bet the Fon will dish out IP's faster then my Laptop. It is looking like I almost got it I just need to edit the /etc/config/dhcp

I'll write a new HowTo for the proper way and put a link to it at the top of this how to. I'll leave this howto alone though for diversity.

[echoblack]

Well, I was wrong !

I figured with the extra network hop it would slow it down but no. It is WAY FASTER to handle DHCP+DNS on my Host laptop. When having the Jasager-Pineapple doing DHCP+Passing DNS The Wireless Clients have almost unusably slow connection. Can't watch Youtube.

With the Pineapple doing DHCP+passing DNS

PING google.com (66.102.7.103) 56(84) bytes of data.
64 bytes from lax04s01-in-f103.1e100.net (66.102.7.103): icmp_seq=1 ttl=52 time=93.3 ms
^C64 bytes from lax04s01-in-f103.1e100.net (66.102.7.103): icmp_seq=2 ttl=52 time=80.2 ms

--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 5219ms
rtt min/avg/max/mdev = 80.237/86.783/93.329/6.546 ms

With my laptop running dnsmasq doing DHCP+DNS & pushing Port 80 through sslstrip !

PING google.com (66.102.7.104) 56(84) bytes of data.
64 bytes from lax04s01-in-f104.1e100.net (66.102.7.104): icmp_seq=1 ttl=52 time=69.5 ms
64 bytes from lax04s01-in-f104.1e100.net (66.102.7.104): icmp_seq=2 ttl=52 time=70.8 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 69.523/70.198/70.874/0.725 ms

[Netshroud]

What if you do DNS on the laptop, and leave the pineapple to handle DHCP?

[taiyed14]

Here is a shell script I wrote (similar to the one echoblack posted) that will automatically enable routing traffic from the fon, through the laptop and out to the internet.

http://alex.hrck.net/docs/traffic-forwarding.sh

#!/bin/bash
#
# Enables "Internet Connection Sharing" on Linux
#
#

USER=`whoami`
if [ $USER == "root" ]; then
    read -p "Please enter Internet connected interface (wlan0): " WAN
    read -p "Please enter interface connected to Fon (eth0): " LAN
    
    if [ -z $WAN ]; then
        WAN="wlan0"
    fi
    if [ -z $LAN ]; then
        LAN="eth0"
    fi    
    
    ifconfig $LAN 10.168.1.1  netmask 255.255.255.0
    ipfwd=`cat /proc/sys/net/ipv4/ip_forward`
    if [ $ipfwd -eq 1 ]; then
        echo "IP forwarding enabled!"
    else
        echo '1' > /proc/sys/net/ipv4/ip_forward
    fi

    iptables --version > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        iptables -X
        iptables -F
        iptables -A FORWARD -i $WAN -o $LAN -s 10.168.1.0/24 -m state --state NEW -j ACCEPT
        iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A POSTROUTING -t nat -j MASQUERADE 
        echo "iptables configured..."
        
        #route del default
        GW=`ifconfig $WAN | grep "inet addr:"| grep -v "127.0.0.1" | cut -d: -f2 | awk '{ print $1}' | cut -d. -f1,2,3`
        GW=`echo $GW.1`
        
        route add default gw $GW $WAN
        echo "Default route set to $GW through $WAN"
    else
        echo "Please run as root or install iptables..."
    fi

else
    echo "Please run as root."
fi

[echoblack]

Woops.....

Sorry I am a dumbass. I was watching Wireshark and every time I made a DNS request I was seeing a ICMP Port Unreachable from my laptop Ethernet Port to the Pineapple 10.110.0.1 -> 10.110.0.2. Then Looked at the Webif page and it had automatically put my Host laptop Ethernet port as a DNS server.

I took that out and now it is just as fast as when I was running the dnsmasq on my laptop.

Sorry.....

------------------------

So, I guess I'll leave this HowTo up just for reference sake but Ya, taiyed14's script is the way to go.

[digininja]

I was going to say, DNS won't affect ICMP response times. DNS requests are fine to be handled externally, it was just DHCP that needed to be on the Fon.