Better title: how to turn a laptop into an intranet wifi hotspot
Linux: Debian 3.2.0-4-amd64
Wifi card: Intel Centrino Wireless-N 135
Firmware: iwlwifi
My warmest thanks to Agentsteel for his major contribution, and to AnonymousCoward for the firewall configuration details, which were well beyond me.
First check whether the wifi card is able to create a network: for that it must support master or AP (access point) mode. The AP entry in the list of supported interface modes is what matters.
Command: iw list
Supported interface modes:
- IBSS
- managed
- AP
- AP/VLAN
- monitor
- P2P-client
- P2P-GO
The advantage of master mode is that it (perhaps) makes it possible to create the hotspot with a declaration in the /etc/network/interfaces file. Unfortunately this is not the case for my card, which brings us to AgentSteel's much more technical solution.
Agentsteel's original tutorial: https://www.isalo.org/wiki.debian-fr/Hotspot_wifi
The proposed script turns a laptop connected to the internet into a wifi hotspot. Our goal is slightly different, so keep in mind that you must NOT plug in the network cable: the script still enables IP forwarding and NAT towards eth0, so a connected cable would give the wifi clients HTTP/HTTPS access through the laptop. A few changes to the firewall rules set up by the iptables commands are also needed.
Here is the adapted script; all you have to do is customise:
- your network name (SSID);
- the passphrase;
- the server's IP address and the desired DHCP range;
- the maximum number of simultaneous clients (the max_num_sta=35 setting). I have not yet been able to test whether my card is limited to 8 or not.
#!/bin/bash
#
# hotspot2014.sh
#
# Wireless Access Point (SoftAP)
#
# by AgentSteel for Debian-fr.org
# 24/Apr/2014
#
# USE AT YOUR OWN RISK!
#
# Tested on Debian Wheezy (7.0)
#
# Two modes of operation :
# - with a network bridge (see BRIDGE variable) for transparent connection sharing (no DNS logging...)
# or
# - with dnsmasq and iptables for packet forwarding between network interfaces (DNS logging)
#
# Run this script as root.
# This script will likely stop currently running network connections.
# You may also need to disable your local firewall.
#
# Required : dhclient, hostapd, firmware-realtek (non-free)
# Optional : bridge-utils, dnsmasq

# Adjust your settings here
WLAN="wlan0"

# the IP address of your SoftAP interface (if using dnsmasq)
# and the corresponding IP range for your SoftAP clients (if using dnsmasq)
WLAN_IP="192.168.0.10"
DHCP_RANGE="192.168.0.100,192.168.0.135"

# your SoftAP SSID, channel and passphrase
SSID="nomReseau"
CHANNEL=3
PASSPHRASE="motDePasse"

# Set your desired bridge interface name here
MY_BRIDGE="ap-br0"
# and the other network interface for bridge
IF_BRIDGE="eth0"

# Uncomment to use bridging, or comment to use dnsmasq/iptables
#BRIDGE="bridge=$MY_BRIDGE"

# (input) network interface when using dnsmasq/iptables
IF_IN="eth0"

# Set to "-d" for hostapd debugging output
# or "-B" (background mode) for default operation
HOSTAPD_OPT="-B"

# global exit code for script (0 = no error)
ret=0

# function : check for required software
function checklist()
{
    local ret=0
    # check if running as root
    [[ $EUID -ne 0 ]] && { echo "You must be root to run this script!"; ret=1; }
    if [[ -n "$BRIDGE" ]]; then
        # when using a bridge, ensure brctl is found
        hash brctl >/dev/null 2>&1 || { echo "brctl not found, please install bridge-utils package."; ret=1; }
    else
        # not using a bridge, we need dnsmasq and iptables
        hash dnsmasq >/dev/null 2>&1 || { echo "dnsmasq not found, please install dnsmasq package."; ret=1; }
        hash iptables >/dev/null 2>&1 || { echo "iptables not found, please install iptables package."; ret=1; }
    fi
    hash hostapd >/dev/null 2>&1 || { echo "hostapd not found, please install hostapd package."; ret=1; }
    return $ret
}

# function : cleanup the mess when exiting
function cleanup()
{
    # clean up a bit (the dirty way!)
    sysctl net.ipv4.ip_forward=0
    # the saved rules only exist in dnsmasq/iptables mode
    [[ -f iptables.save ]] && iptables-restore <iptables.save && echo "iptables rules restored."
    killall hostapd >/dev/null 2>&1 && echo "hostapd killed."
    [[ -f "$TMP_CONF" ]] && rm "$TMP_CONF"
    killall dnsmasq >/dev/null 2>&1 && echo "dnsmasq killed."
    killall dhclient >/dev/null 2>&1 && echo "dhclient killed."
    ifconfig "$MY_BRIDGE" down >/dev/null 2>&1
    sleep 2
    brctl delif "$MY_BRIDGE" "$IF_BRIDGE" >/dev/null 2>&1
    brctl delif "$MY_BRIDGE" "$WLAN" >/dev/null 2>&1
    brctl delbr "$MY_BRIDGE" >/dev/null 2>&1 && echo "bridge $MY_BRIDGE destroyed."
}

# Main program

# check for requirements, abort eventually
checklist || exit 1

# trap for cleanup
trap cleanup SIGINT SIGTERM

# First, disable any network management software
echo -n ">>> Trying to disable any network management software... "
service network-manager stop >/dev/null 2>&1
service wicd stop >/dev/null 2>&1
echo "OK."

# If not using a bridge, start dnsmasq (dns and dhcp) server
if [[ -z "$BRIDGE" ]]; then
    killall dnsmasq >/dev/null 2>&1
    # TODO : additional hosts file
    dnsmasq --interface "$WLAN" --dhcp-range="$DHCP_RANGE" --log-queries || { echo "dnsmasq failed to start!"; exit 1; }

    # assign IP to the wireless interface
    ifconfig "$WLAN" "$WLAN_IP"

    # now you could start a webserver to share some files (eg. gatling lightweight www server)
    # and allow your SoftAP clients to go to http://$WLAN_IP/

    # save current firewall rules
    iptables-save >iptables.save && echo ">>> Current firewall configuration saved."

    # reset firewall rules
    iptables -F; iptables -X; iptables -P INPUT DROP; iptables -P OUTPUT ACCEPT; iptables -P FORWARD DROP
    # allow loopback
    iptables -A INPUT -i lo -j ACCEPT; iptables -A OUTPUT -o lo -j ACCEPT
    # allow already established connections on eth0 (useful for SSH)
    iptables -A INPUT -i $IF_IN -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Allow ping on $IF_IN
    iptables -A INPUT -i $IF_IN -p icmp -m icmp --icmp-type 8 -j ACCEPT
    # allow SSH in, on $IF_IN only
    #iptables -A INPUT -i $IF_IN -p tcp -m tcp --dport 22 -j ACCEPT
    # allow HTTP in, on $IF_IN only (hotspot's web server)
    #iptables -A INPUT -i $IF_IN -p tcp -m tcp --dport 80 -j ACCEPT

    # Changes for the intranet wifi hotspot: let the wifi clients reach the
    # laptop's own web server (HTTP and HTTPS) on $WLAN
    iptables -A INPUT -i $WLAN -p tcp -m tcp --dport 80 -j ACCEPT
    iptables -A INPUT -i $WLAN -p tcp -m tcp --dport 443 -j ACCEPT

    # allow DNS in, on $WLAN
    iptables -A INPUT -i $WLAN -p udp -m udp --dport 53 -j ACCEPT
    # allow DHCP in, on $WLAN
    iptables -A INPUT -i $WLAN -p udp -m udp --dport 67 -j ACCEPT

    # packet forwarding
    sysctl net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -o $IF_IN -j MASQUERADE
    iptables -A FORWARD -i $IF_IN -o $WLAN -m state --state RELATED,ESTABLISHED -j ACCEPT
    # allow HTTP and HTTPS to be forwarded
    iptables -A FORWARD -i $WLAN -o $IF_IN -p tcp -m tcp --dport 80 -j ACCEPT
    iptables -A FORWARD -i $WLAN -o $IF_IN -p tcp -m tcp --dport 443 -j ACCEPT
    #iptables -A FORWARD -i $WLAN -o $IF_IN -p tcp -m tcp --dport 8080 -j ACCEPT
    # uncomment below to allow SSH to be forwarded
    #iptables -A FORWARD -i $WLAN -o $IF_IN -p tcp -m tcp --dport 22 -j ACCEPT
    # (everything else will be forbidden)
else
    # we create a new network bridge to share network (and internet) access
    brctl addbr "$MY_BRIDGE"
    brctl addif "$MY_BRIDGE" "$IF_BRIDGE"
    # $WLAN interface will be added later to the bridge
fi

# create a temporary file with our hostapd conf
# (adapted from Realtek's examples)
# (see proprietary driver package from Realtek's website)
TMP_CONF=$(mktemp)
if [[ -z "$TMP_CONF" ]]; then
    echo "Error creating hostapd temporary configuration file!"
    ret=1
else
    # read-only for root
    chmod 600 "$TMP_CONF"
    cat >"$TMP_CONF" <<EOF
# hostapd configuration starts here
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
interface=$WLAN
$BRIDGE
ssid=$SSID
channel=$CHANNEL
beacon_int=100
# (hardware limit for some wireless chipsets)
max_num_sta=24
hw_mode=g
# we use 802.11n (wifi N)
ieee80211n=1
wme_enabled=1
ht_capab=[SHORT-GI-20][SHORT-GI-40][HT40+]
# We use WPA2 of course
wpa=2
wpa_passphrase=$PASSPHRASE
wpa_key_mgmt=WPA-PSK
# Note: TKIP not supported with RTL8188RU chip!
wpa_pairwise=CCMP
wpa_group_rekey=86400
# other settings
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
#dump_file=/tmp/hostapd.dump
dtim_period=2
rts_threshold=2347
fragm_threshold=2346
macaddr_acl=0
auth_algs=3
ignore_broadcast_ssid=0
wmm_enabled=1
wmm_ac_bk_cwmin=4
wmm_ac_bk_cwmax=10
wmm_ac_bk_aifs=7
wmm_ac_bk_txop_limit=0
wmm_ac_bk_acm=0
wmm_ac_be_aifs=3
wmm_ac_be_cwmin=4
wmm_ac_be_cwmax=10
wmm_ac_be_txop_limit=0
wmm_ac_be_acm=0
wmm_ac_vi_aifs=2
wmm_ac_vi_cwmin=3
wmm_ac_vi_cwmax=4
wmm_ac_vi_txop_limit=94
wmm_ac_vi_acm=0
wmm_ac_vo_aifs=2
wmm_ac_vo_cwmin=2
wmm_ac_vo_cwmax=3
wmm_ac_vo_txop_limit=47
wmm_ac_vo_acm=0
eapol_key_index_workaround=0
eap_server=0
own_ip_addr=127.0.0.1
EOF

    echo ">>> Starting hostapd."
    # start hostapd
    if ! hostapd $HOSTAPD_OPT "$TMP_CONF"; then
        echo "hostapd failed to start."
        ret=1
    else
        # finally get an IP address for the bridge, only when using a bridge (assume we have a dhcp server in our LAN)
        [[ -n "$BRIDGE" ]] && dhclient "$MY_BRIDGE" && echo ">>> Network bridge $MY_BRIDGE is up."
        # TODO : handle dhclient failure
        [[ -z "$BRIDGE" ]] && echo ">>> Using dnsmasq and iptables."
        iwconfig $WLAN
        echo ">>> SoftAP is up and running! SSID = $SSID"
        echo ">>> Hit ctrl-c to stop."
        # display syslog to see what happens
        tail -f /var/log/syslog
    fi
fi

cleanup
echo -e "\n>>> SoftAP terminated!"
exit $ret
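The two checks the post asks you to make by hand (AP mode in the iw list output, and sensible values for the settings to customise) can be scripted. The functions below are an added example, not part of the original post or of AgentSteel's script; the function names and the iw list excerpt are constructed, and the parameter rules are hostapd's and dnsmasq's as the script uses them (WPA-PSK passphrase, hw_mode=g, a /24 on the wifi interface).

```shell
#!/bin/sh
# Pre-flight checks for the hotspot script (added example, not from the post;
# function names and the sample "iw list" text are constructed here).

# supports_ap_mode: reads "iw list" output on stdin and succeeds only if the
# "Supported interface modes" block lists "AP" (AP/VLAN alone is not enough).
supports_ap_mode() {
    awk '/Supported interface modes:/ { m = 1; next }
         m && /^[ \t]*[*-]/            { if ($NF == "AP") f = 1; next }
         m                             { m = 0 }     # next section: stop scanning
         END                           { exit (f ? 0 : 1) }'
}

# check_hotspot_params SSID PASSPHRASE CHANNEL WLAN_IP DHCP_RANGE
# Returns 0 when hostapd/dnsmasq will accept the values as the script uses
# them; otherwise reports each problem on stderr and returns 1.
check_hotspot_params() {
    ssid=$1 pass=$2 chan=$3 ip=$4 range=$5 bad=0
    # hostapd rejects an empty SSID or one longer than 32 bytes
    [ -n "$ssid" ] && [ ${#ssid} -le 32 ] || { echo "SSID must be 1-32 characters" >&2; bad=1; }
    # WPA-PSK passphrases (wpa_passphrase=) must be 8 to 63 ASCII characters
    [ ${#pass} -ge 8 ] && [ ${#pass} -le 63 ] || { echo "passphrase must be 8-63 characters" >&2; bad=1; }
    # hw_mode=g means 2.4 GHz: channels 1-13 (14 is Japan-only)
    case $chan in
        [1-9]|1[0-3]) ;;
        *) echo "channel must be 1-13 for hw_mode=g" >&2; bad=1 ;;
    esac
    # dnsmasq serves the range only if it lies in the interface's subnet (the
    # script configures a /24), and the AP's own address must stay outside it
    lo=${range%%,*} hi=${range#*,} net=${ip%.*}
    if [ "${lo%.*}" != "$net" ] || [ "${hi%.*}" != "$net" ]; then
        echo "DHCP range must be inside $net.0/24" >&2; bad=1
    elif [ "${lo##*.}" -gt "${hi##*.}" ]; then
        echo "DHCP range start is above its end" >&2; bad=1
    elif [ "${ip##*.}" -ge "${lo##*.}" ] && [ "${ip##*.}" -le "${hi##*.}" ]; then
        echo "DHCP range must not contain the AP address $ip" >&2; bad=1
    fi
    return $bad
}

# Constructed excerpt of "iw list" output (real iw indents with tabs; both work)
IW_LIST_SAMPLE='    Supported interface modes:
         * managed
         * AP
         * AP/VLAN
    Band 1:'

# Demonstration with the values from the script above
printf '%s\n' "$IW_LIST_SAMPLE" | supports_ap_mode && echo "AP mode: supported"
check_hotspot_params nomReseau motDePasse 3 192.168.0.10 192.168.0.100,192.168.0.135 && echo "parameters: OK"
```

On the real machine, replace the constructed sample with `iw list | supports_ap_mode` and pass the script's own SSID, PASSPHRASE, CHANNEL, WLAN_IP and DHCP_RANGE values.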
How do you run this script?
- Open a text editor such as Kate or Kwrite, paste the code into it and save it, for example as hotspot.sh.
- Suppose the script is saved in a folder named wifi. From the command line, as root, change to the parent directory (cd …) and run: ./wifi/hotspot.sh
Thanks again to everyone!
Mike