echoblack
Posted December 19, 2009

Internet Connection Sharing on "LINUX" & Jasager Pineapple Setup

This way runs the dnsmasq DHCP+DNS server on the Host Laptop.

This HowTo is NOT the Best Way. Just left up for reference if you want to try it or need to do this for some other reason.

You want to follow this other HowTo. Just click the link or search these forums for the thread name:

Best HowTo - Setup Internet Connection Forwarding on "Linux" & Jasager
http://hak5.org/forums/index.php?showtopic=15200

---------------------------------------------------

- On Pineapple -
Ethernet Port = ETH0
WiFi Port = WiFi

- On laptop -
Wireless Interface = wlan0
Ethernet Port = eth0

This is how it will all work in the end.

    Internet > ("dhcp+dns" GW > wlan0) > ("dhcp+dns" eth0 > {"lan network" ETH0 > WiFi } )

^You understand that right ?

Well let's start on the Laptop Config.

First install LINUX . . . BSD or Solaris but the setup is different. or not

Windows is an Amazingly good OS for building Botnets. Wink wink, nudge nudge Matt Lestock.

You will need to install dnsmasq on your laptop. On Archlinux

    pacman -S dnsmasq

Now you need to edit the /etc/dnsmasq.conf
The main things that need to be changed in there are these.

    # If you want dnsmasq to listen for DHCP and DNS requests only on
    # specified interfaces (and the loopback) give the name of the
    # interface (eg eth0) here.
    # Repeat the line for more than one interface.
    interface=eth0

    # This is an example of a DHCP range where the netmask is given. This
    # is needed for networks we reach the dnsmasq DHCP server via a relay
    # agent. If you don't know what a DHCP relay agent is, you probably
    # don't need to worry about this.
    dhcp-range=10.110.0.50,10.110.0.150,255.255.255.0,12h

Change this MAC address to the MAC address of the ETH0 interface on "Your" Pineapple. This way it always has the same IP. . .
MANDATORY

    # Always allocate the host with ethernet address 11:22:33:44:55:66
    # The IP address 192.168.0.60
    dhcp-host=00:18:84:1E:97:88,10.110.0.2

Now add the OpenDNS servers to your /etc/resolv.conf
dnsmasq looks here for them.

    echo "nameserver 127.0.0.1" >> /etc/resolv.conf
    echo "nameserver 208.67.222.222" >> /etc/resolv.conf
    echo "nameserver 208.67.220.220" >> /etc/resolv.conf

Now Start dnsmasq as Root with sudo but Don't worry, dnsmasq Drops Root privileges and runs as "nobody" after startup.

    sudo dnsmasq

If that doesn't start dnsmasq then start it with this command

    sudo /etc/init.d/dnsmasq start

-----------------------------------------------

Now (You can do all this or just run this stupidly crappy shell script to set up your laptop. Run from a Root shell # not $)

    #!/bin/bash
    #
    # This sets up internet connection sharing from wlan0 to eth0 for the Pineapple
    #
    # Each step runs only if the one before it succeeded.
    ifconfig eth0 10.110.0.1 netmask 255.255.255.0 &&
    ifconfig eth0 up &&
    sleep 1 &&
    echo 1 > /proc/sys/net/ipv4/ip_forward &&
    iptables -t nat -A PREROUTING -i eth0 -p tcp --destination-port 80 -j REDIRECT --to-ports 10000 &&
    iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE &&
    /etc/rc.d/iptables save &&
    sleep 1 &&
    /etc/rc.d/iptables start &&
    sleep 1 &&
    /etc/rc.d/dnsmasq start &&
    sleep 1 &&
    echo "You can Plug in the Pineapple Now"
    exit

Now To bridge the wlan0 Wireless interface on your laptop that is connected to a Wireless Router serving up the Internet. . . To the eth0 Ethernet interface that is connected to the Pineapple.

Again . .
wlan0 = Internet facing
eth0 = Pineapple facing

Set the IP address of the interface and the Netmask of the network.

    ifconfig eth0 10.110.0.1 netmask 255.255.255.0
    ifconfig eth0 up

Now you need to enable IP-Forwarding. I do this in a temporary way like this. . .

    echo 1 > /proc/sys/net/ipv4/ip_forward

To make it persistent you can do this. .
Edit /etc/sysctl.conf
Change. . .
    net.ipv4.ip_forward=0

to

    net.ipv4.ip_forward=1

Ok, Now set an iptables rule to allow traffic from eth0 to be forwarded to wlan0 and off to the Internet. Also add the rule to forward all traffic originating from interface eth0 on Port 80 to port 10000 which is the default listening Port for sslstrip.

NOTE: if you put in the rule to Forward eth0 traffic on port 80 to port 10000, You Have to have sslstrip running so the WiFi clients get their http traffic forwarded off to the Internet

    iptables -t nat -A PREROUTING -i eth0 -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
    iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
    /etc/rc.d/iptables save
    /etc/rc.d/iptables start

---------------------------------------
Chary
---------------------------------------

DON'T PLUG Pineapple INTO THE LAPTOP Ethernet YET !

Now To set up the Jasager Pineapple

Connect to its WiFi interface. . . It should have an essid of OpenWRT or Pineapple.... If it is not sending off any essid, then you probably need to plug the Pineapple into a computer that you didn't set up the Ethernet forwarding on, OR reboot the Linux laptop and start all over after setting up a Virtual WiFi Lan on the "lan network" in Webif Network/Wireless

Go ahead and add the OpenDNS servers to the /etc/resolv.conf on the Pineapple too. So ssh into the Pineapple

    ssh -c blowfish root@192.168.1.1

And add them. . .

    echo "nameserver 127.0.0.1" >> /etc/resolv.conf
    echo "nameserver 208.67.222.222" >> /etc/resolv.conf
    echo "nameserver 208.67.220.220" >> /etc/resolv.conf

Ok, So, now go to page Network/networks
http://192.168.1.1/cgi-bin/webif/network.sh

Now. You are going to have to flip the "Connection Type" back and forth. BUT in the end it will be set to "DHCP"

Connection Type = Static IP
Type = Bridged
IP Address = 10.110.0.2
Netmask = 255.255.255.0
Default Gateway = 10.110.0.1
Lan DNS servers = 10.110.0.1

Hum,.... you might need to save here too and then go back in and change to DHCP... not sure.
NOW Flip that "Connection Type" back to "DHCP"
So, it will look like this when you hit the save. . .

Connection Type = DHCP
Type = Bridged
IP Address = 10.110.0.2
Netmask = 255.255.255.0

Now, hit the "Save Changes" Button then Apply Changes at the bottom. It probably will not reconnect so just let it sit for like 5 mins then Power Cycle

----------------------------------------
Now please Oh PLEASE Work !!!!
-----------------------------------------

OK, ....... Now after about 5-10 mins The Jasager Powered Fon La Fonera Router Should be done booting up.

Note: You should be connected to the Internet with your laptop's Wireless Interface "wlan0" to a Wireless Router.

Pull out your handy Ethernet cable.
Plug one end into your laptop Ethernet Port eth0
Plug the other end into the Ethernet Port on the Fon La Fonera Router.

. . . . . . Should have worked ! . ...

Give it a min or two then open FireFox and navigate to 10.110.0.2.... YES

Now SSH to

    ssh root@10.110.0.2

YES

Now start up a VirtualBox and Connect to the WiFi.... Open a Shell and. . .

ping 10.110.0.2 YES
ping 10.110.0.1 YES
ping (The wlan0 IP address) YES
ping (The GW address) YES
ping google.com YES

Now, If you have it set up for sslstrip. Fire that up so the Port 80 traffic that is being forwarded to Port 10000 has sslstrip to send it off to the Internet...

    sslstrip -w sslstrip.log

In the VirtualBox - Open FireFox and Navigate to http://google.com YES

----------------------------------------------------------------------

Navigate to the Jasager Admin Webpage and turn Karma ON. Make sure you add Your Fon Router's essid of "pineapple" or "OpenWrt" to the "Black List" - Every Time you Reboot the router ! ! !

Now Start up Wireshark on your Host Laptop and listen on interface "eth0" and get your packet sniffing on.

------------------------------------------------------------------------------------

From now on just make a crappy shell script like I showed you.
Name it pineapple.sh and put it in /usr/bin and make it executable.

    sudo cp pineapple.sh /usr/bin && sudo chmod 775 /usr/bin/pineapple.sh

This way from now on all you have to do to get the Jasager up and running is just

    [Root@ArchLinux~]# pineapple.sh
    [User@ArchLinux~]$ sslstrip -w sslstrip.log &

Plug in the Pineapple

------------------------------------------------------------------------------------

To Kill everything. . . As Root do this

    killall dnsmasq
    iptables -X
    iptables -F
    /etc/rc.d/iptables stop
    # On Linux distros other than Archlinux
    /etc/init.d/iptables stop

Hope this helped you

===============================================

P.S. I love the show guys and girl :) Keep on the Linux ! Windows is Dead !... Well it sucked big balls to begin with. What the hell is with C:\Windows\$NtUninstallWindow98847977$ ? That is crazy crap only good for hiding Virus code. & I'll take a well documented config file over the cryptic Windows Registry any day :P

Thanks for the Pineapple :) I still can't find anywhere else to buy one. If you do, buy them all. I am sure you'll sell'um.
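
Added example, not part of echoblack's post: a check that the laptop is back to a non-forwarding state after the teardown commands above. iptables -X and iptables -F without -t act on the filter table only, so whether the nat REDIRECT and MASQUERADE rules are gone depends on the distro's "iptables stop" script. The function names and the sample dump are constructed for illustration.

```shell
#!/bin/bash
# Added example: audit a host for state left behind by the sharing setup.
# Input is iptables-save format. SAMPLE_DUMP is constructed, not captured.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 10000
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
COMMIT'

# Print every rule still loaded in the nat table of a dump read from stdin.
leftover_nat_rules() {
    awk '
        /^\*/  { table = substr($0, 2) }        # "*nat" selects table "nat"
        /^-A / { if (table == "nat") print }
    '
}

# True if the given file (default: the live sysctl) says forwarding is on.
forwarding_enabled() {
    fwd_file="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$fwd_file" ] && [ "$(tr -d '[:space:]' < "$fwd_file")" = "1" ]
}

# Audit a dump on stdin plus an ip_forward file; returns 1 if anything is left.
audit_host() {
    rc=0
    rules=$(leftover_nat_rules)
    if [ -n "$rules" ]; then
        printf 'nat rules still loaded:\n%s\n' "$rules"
        rc=1
    fi
    if forwarding_enabled "$1"; then
        echo "ip_forward is still 1"
        rc=1
    fi
    return "$rc"
}

# Live use, as root:  iptables-save | audit_host
# Demo on the constructed dump (ip_forward file stubbed with /dev/null):
printf '%s\n' "$SAMPLE_DUMP" | audit_host /dev/null || echo "host is not clean"
```
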

digininja
Posted December 20, 2009

Haven't tried this but the write up looks pretty good, thanks for the effort, hopefully we can direct some people here and save a load of support questions.

echoblack
Posted December 20, 2009

Thank you digininja ! I'm glad this meets your expected level of quality. I try to write all my HowTo's right after I figure things out for the first time. This way I remember all the pitfalls a newbie can have.

I am working with taiyed14 to try and have the DHCP server running on the Jasager-Pineapple but with that way Wireless Clients can never traverse from the network block 10.110.0.0/24 to 192.168.1.0/24.

I left the Windows flaming in because I figure anyone reading this is probably a Linux user. Also, Matt Lestock knows a lot more than me so I figure he can take a little ribbing. He gives a little ribbing to Linux. So you know, all in good fun. All respect for Matt Lestock.

digininja
Posted December 20, 2009

It is much better if you have the DHCP server running on the Fon as Jasager uses the ARP table to work out the IP addresses of connected clients, if the Fon isn't giving out DHCP addresses then its ARP table never gets populated so you don't get the IP address in the table.

Running it should just be a case of starting the DHCP server on boot making sure it is offering IPs on the correct subnet for your wireless clients.

echoblack
Posted December 20, 2009

Ya, and I bet the Fon will dish out IP's faster than my Laptop. It is looking like I almost got it, I just need to edit the /etc/config/dhcp

I'll write a new HowTo for the proper way and put a link to it at the top of this how to. I'll leave this howto alone though for diversity.

echoblack
Posted December 21, 2009

Well, I was wrong ! I figured with the extra network hop it would slow it down but no. It is WAY FASTER to handle DHCP+DNS on my Host laptop. When having the Jasager-Pineapple doing DHCP+Passing DNS The Wireless Clients have almost unusably slow connection. Can't watch Youtube.

With the Pineapple doing DHCP+passing DNS

    PING google.com (66.102.7.103) 56(84) bytes of data.
    64 bytes from lax04s01-in-f103.1e100.net (66.102.7.103): icmp_seq=1 ttl=52 time=93.3 ms
    ^C64 bytes from lax04s01-in-f103.1e100.net (66.102.7.103): icmp_seq=2 ttl=52 time=80.2 ms
    --- google.com ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 5219ms
    rtt min/avg/max/mdev = 80.237/86.783/93.329/6.546 ms

With my laptop running dnsmasq doing DHCP+DNS & pushing Port 80 through sslstrip !

    PING google.com (66.102.7.104) 56(84) bytes of data.
    64 bytes from lax04s01-in-f104.1e100.net (66.102.7.104): icmp_seq=1 ttl=52 time=69.5 ms
    64 bytes from lax04s01-in-f104.1e100.net (66.102.7.104): icmp_seq=2 ttl=52 time=70.8 ms
    ^C
    --- google.com ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1002ms
    rtt min/avg/max/mdev = 69.523/70.198/70.874/0.725 ms

Netshroud
Posted December 21, 2009

What if you do DNS on the laptop, and leave the pineapple to handle DHCP?

taiyed14
Posted December 21, 2009

Here is a shell script I wrote (similar to the one echoblack posted) that will automatically enable routing traffic from the fon, through the laptop and out to the internet.

http://alex.hrck.net/docs/traffic-forwarding.sh

    #!/bin/bash
    #
    # Enables "Internet Connection Sharing" on Linux
    #
    USER=`whoami`
    if [ "$USER" == "root" ]; then
        read -p "Please enter Internet connected interface (wlan0): " WAN
        read -p "Please enter interface connected to Fon (eth0): " LAN

        # Fall back to the defaults shown in the prompts
        if [ -z "$WAN" ]; then
            WAN="wlan0"
        fi
        if [ -z "$LAN" ]; then
            LAN="eth0"
        fi

        ifconfig "$LAN" 10.168.1.1 netmask 255.255.255.0

        ipfwd=`cat /proc/sys/net/ipv4/ip_forward`
        if [ "$ipfwd" -eq 1 ]; then
            echo "IP forwarding enabled!"
        else
            echo '1' > /proc/sys/net/ipv4/ip_forward
        fi

        iptables --version > /dev/null 2>&1
        if [ $? -eq 0 ]; then
            iptables -X
            iptables -F
            # New connections from the Fon subnet arrive on $LAN and leave via $WAN
            iptables -A FORWARD -i "$LAN" -o "$WAN" -s 10.168.1.0/24 -m state --state NEW -j ACCEPT
            iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
            iptables -A POSTROUTING -t nat -j MASQUERADE
            echo "iptables configured..."

            #route del default
            # Guess the gateway as .1 in the first three octets of the WAN address
            GW=`ifconfig "$WAN" | grep "inet addr:" | grep -v "127.0.0.1" | cut -d: -f2 | awk '{ print $1}' | cut -d. -f1,2,3`
            GW=`echo $GW.1`

            route add default gw "$GW" "$WAN"
            echo "Default route set to $GW through $WAN"
        else
            echo "Please run as root or install iptables..."
        fi
    else
        echo "Please run as root."
    fi

echoblack
Posted December 21, 2009

Whoops..... Sorry I am a dumbass. I was watching Wireshark and every time I made a DNS request I was seeing an ICMP Port Unreachable from my laptop Ethernet Port to the Pineapple 10.110.0.1 -> 10.110.0.2. Then Looked at the Webif page and it had automatically put my Host laptop Ethernet port as a DNS server. I took that out and now it is just as fast as when I was running the dnsmasq on my laptop. Sorry.....

------------------------

So, I guess I'll leave this HowTo up just for reference sake but Ya, taiyed14's script is the way to go.

digininja
Posted December 21, 2009

I was going to say, DNS won't affect ICMP response times. DNS requests are fine to be handled externally, it was just DHCP that needed to be on the Fon.