[SOLVED] Help with creating Access Point for mobile phone

allend · 02-02-2015, 10:48 AM

I have been trying to create an access point on my netbook so that a mobile phone (Nokia Lumia 530) can access the internet via the USB modem.
I have installed hostapd-2.3 from Slackbuilds.org. The contents of /etc/hostapd/hostapd.conf are:

Code:

interface=wlan0
driver=nl80211
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=<MySSID>
country_code=AU
hw_mode=g
channel=1
beacon_int=100
dtim_period=2
max_num_sta=255
rts_threshold=2347
fragm_threshold=2346
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wmm_enabled=1
wmm_ac_bk_cwmin=4
wmm_ac_bk_cwmax=10
wmm_ac_bk_aifs=7
wmm_ac_bk_txop_limit=0
wmm_ac_bk_acm=0
wmm_ac_be_aifs=3
wmm_ac_be_cwmin=4
wmm_ac_be_cwmax=10
wmm_ac_be_txop_limit=0
wmm_ac_be_acm=0
wmm_ac_vi_aifs=2
wmm_ac_vi_cwmin=3
wmm_ac_vi_cwmax=4
wmm_ac_vi_txop_limit=94
wmm_ac_vi_acm=0
wmm_ac_vo_aifs=2
wmm_ac_vo_cwmin=2
wmm_ac_vo_cwmax=3
wmm_ac_vo_txop_limit=47
wmm_ac_vo_acm=0
eapol_key_index_workaround=0
eap_server=0
own_ip_addr=127.0.0.1
wpa=2
wpa_passphrase=<MyPassPhrase>
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

I use NetworkManager to connect to the internet with my USB modem and it appears as device wwan0.
As root,
i) I enable IP forwarding with 'sh /etc/rc,d/rc.ip_forward start'
ii) tell NetworkManager not to manage wifi with 'nmcli nm wifi off'
iii) assign an IP address to the wireless interface with 'ifconfig wlan0 192.168.0.1 up' (May need 'rfkill unblock wifi' first).
iv) start hostapd with 'sh /etc/rc.d/rc.hostapd start'
v) start dnsmasq with '/etc/rc.d/rc.dnsmasq start' with the following settings in /etc/dnsmasq.conf

Code:

interface=wlan0
dhcp-range=192.168.0.50,192.168.0.63,12h
dhcp-boot=pxelinux.0
enable-tftp
tftp-root=/var/ftpd

All of the above seems to be working as the phone sees the access point and when connected (after entering the passphrase), the gateway and DNS server addresses appear as the expected 192.168.0.1.

The problem is that the phone then fails to connect to the internet.

When I capture a connection session with 'tcpdump -i any -w dump3.dmp' and then view with 'tcpdump -r dump3.dmp' I see:

Code:

02:23:05.608293 Null Unnumbered, xid, Flags [Response], length 6: 01 00
02:23:05.613076 EAPOL key (3) v2, len 95
02:23:05.639454 EAPOL key (3) v1, len 117
02:23:05.640239 EAPOL key (3) v2, len 151
02:23:05.644890 EAPOL key (3) v1, len 95
02:23:05.697386 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 84:63:d6:f8:8c:f8 (oui Unknown), length 300
02:23:05.697484 IPX 64ad0000.80:11:d4:f8:00:00.0000 > 8463d6f8.8c:f8:08:00:45:00.0148: ipx-#148 65505
02:23:05.698179 IP 192.168.0.1.bootps > 192.168.0.52.bootpc: BOOTP/DHCP, Reply, length 300
02:23:05.709824 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 84:63:d6:f8:8c:f8 (oui Unknown), length 323
02:23:05.709888 IPX 64ae0000.80:11:d4:e0:00:00.0000 > 8463d6f8.8c:f8:08:00:45:00.015f: ipx-#15f 65505
02:23:05.711955 IP6 fe80::54be:be68:df20:ee40.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
02:23:05.712029 IPX 00651101.fe:80:00:00:00:00.0000 > 8463d6f8.8c:f8:86:dd:60:00.0000: ipx-#0 -29
02:23:05.789278 ARP, Request who-has 169.254.238.64 tell 0.0.0.0, length 28
02:23:05.789315 IPX 06040001.84:63:d6:f8:8c:f8.0000 > 8463d6f8.8c:f8:08:06:00:01.0800: ipx-#800 65505
02:23:05.790828 IP6 :: > ff02::1:ff20:ee40: ICMP6, neighbor solicitation, who has fe80::54be:be68:df20:ee40, length 24
02:23:05.790898 IPX 00183aff.00:00:00:00:00:00.0000 > 8463d6f8.8c:f8:86:dd:60:00.0000: ipx-#0 65282
02:23:05.793097 IP6 fe80::54be:be68:df20:ee40 > ff02::2: ICMP6, router solicitation, length 8
02:23:05.793154 IPX 00083aff.fe:80:00:00:00:00.0000 > 8463d6f8.8c:f8:86:dd:60:00.0000: ipx-#0 -30
02:23:05.794812 IP6 fe80::54be:be68:df20:ee40 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
02:23:05.794861 IPX 00240001.fe:80:00:00:00:00.0000 > 8463d6f8.8c:f8:86:dd:60:00.0000: ipx-#0 -30
02:23:06.290932 IP6 fe80::54be:be68:df20:ee40 > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
02:23:06.290979 IPX 00240001.fe:80:00:00:00:00.0000 > 8463d6f8.8c:f8:86:dd:60:00.0000: ipx-#0 -30
02:23:06.337086 IP 192.168.0.1.bootps > 192.168.0.52.bootpc: BOOTP/DHCP, Reply, length 310
02:23:06.433593 ARP, Request who-has 192.168.0.1 tell 192.168.0.52, length 28
02:23:06.433660 ARP, Reply 192.168.0.1 is-at c4:17:fe:af:86:b1 (oui Unknown), length 28
02:23:06.433700 IPX 06040001.84:63:d6:f8:8c:f8.c0a8 > 8463d6f8.8c:f8:08:06:00:01.0800: ipx-#800 65505
02:23:06.516978 IP 192.168.0.52.64167 > 224.0.0.252.5355: UDP, length 1
02:23:06.517044 IPX 25d80000.01:11:f2:1f:c0:a8.0034 > 8463d6f8.8c:f8:08:00:45:00.001d: ipx-#1d 24034
02:23:06.570593 IP 192.168.0.52.51101 > 192.168.0.1.domain: 64453+ A? www.msftncsi.com. (34)
02:23:06.570933 IP 10.145.159.235.46625 > dns.mel.optusnet.com.au.domain: 22757+ A? www.msftncsi.com. (34)
02:23:06.571032 IP 10.145.159.235.46625 > dns.mas.optusnet.com.au.domain: 22757+ A? www.msftncsi.com. (34)
02:23:06.708542 IP6 fe80::54be:be68:df20:ee40.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
02:23:06.708585 IPX 00651101.fe:80:00:00:00:00.0000 > 8463d6f8.8c:f8:86:dd:60:00.0000: ipx-#0 -29
02:23:06.788979 ARP, Request who-has 192.168.0.52 tell 0.0.0.0, length 28
02:23:06.789015 IPX 06040001.84:63:d6:f8:8c:f8.0000 > 8463d6f8.8c:f8:08:06:00:01.0800: ipx-#800 65505
02:23:06.789950 IP6 fe80::54be:be68:df20:ee40 > ff02::1: ICMP6, neighbor advertisement, tgt is fe80::54be:be68:df20:ee40, length 32
02:23:06.790044 IPX 00203aff.fe:80:00:00:00:00.0000 > 8463d6f8.8c:f8:86:dd:60:00.0000: ipx-#0 -30
02:23:06.790975 IP6 fe80::54be:be68:df20:ee40 > ff02::2: ICMP6, router solicitation, length 16
02:23:06.791010 IPX 00103aff.fe:80:00:00:00:00.0000 > 8463d6f8.8c:f8:86:dd:60:00.0000: ipx-#0 -30
02:23:07.202278 IP dns.mel.optusnet.com.au.domain > 10.145.159.235.46625: 22757 4/0/0 CNAME www.msftncsi.com.edgesuite.net., CNAME a1961.g.akamai.net., A 23.79.243.40, A 23.79.243.35 (139)
02:23:07.202581 IP 192.168.0.1.domain > 192.168.0.52.51101: 64453 4/0/0 CNAME www.msftncsi.com.edgesuite.net., CNAME a1961.g.akamai.net., A 23.79.243.40, A 23.79.243.35 (139)
02:23:07.271437 IP 192.168.0.52.51596 > a23-79-243-40.deploy.static.akamaitechnologies.com.http: Flags [S], seq 1791246713, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
02:23:07.472402 IP dns.mas.optusnet.com.au.domain > 10.145.159.235.46625: 22757 4/0/0 CNAME www.msftncsi.com.edgesuite.net., CNAME a1961.g.akamai.net., A 125.56.205.50, A 125.56.205.49 (139)
02:23:07.472526 IP 10.145.159.235 > dns.mas.optusnet.com.au: ICMP 10.145.159.235 udp port 46625 unreachable, length 175
02:23:08.332235 ARP, Request who-has 192.168.0.52 tell 0.0.0.0, length 28
02:23:08.332271 IPX 06040001.84:63:d6:f8:8c:f8.0000 > 8463d6f8.8c:f8:08:06:00:01.0800: ipx-#800 65505
02:23:08.333223 IP6 fe80::54be:be68:df20:ee40 > ff02::2: ICMP6, router solicitation, length 16
02:23:08.333272 IPX 00103aff.fe:80:00:00:00:00.0000 > 8463d6f8.8c:f8:86:dd:60:00.0000: ipx-#0 -30
02:23:08.727009 IP6 fe80::54be:be68:df20:ee40.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
02:23:08.727054 IPX 00651101.fe:80:00:00:00:00.0000 > 8463d6f8.8c:f8:86:dd:60:00.0000: ipx-#0 -29
02:23:08.789340 ARP, Request who-has 192.168.0.52 tell 0.0.0.0, length 28
02:23:08.789367 IPX 06040001.84:63:d6:f8:8c:f8.0000 > 8463d6f8.8c:f8:08:06:00:01.0800: ipx-#800 65505
02:23:09.801925 ARP, Request who-has 192.168.0.52 tell 192.168.0.52, length 28
02:23:09.801984 IPX 06040001.84:63:d6:f8:8c:f8.c0a8 > 8463d6f8.8c:f8:08:06:00:01.0800: ipx-#800 65505
02:23:10.285808 IP 192.168.0.52.51596 > a23-79-243-40.deploy.static.akamaitechnologies.com.http: Flags [S], seq 1791246713, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
02:23:11.577724 ARP, Request who-has 10.145.159.233 tell 10.145.159.235, length 28
02:23:11.578882 ARP, Reply 10.145.159.233 is-at 02:50:f3:00:00:00 (oui Unknown), length 28
02:23:12.728778 IP6 fe80::54be:be68:df20:ee40.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
02:23:12.728823 IPX 00651101.fe:80:00:00:00:00.0000 > 8463d6f8.8c:f8:86:dd:60:00.0000: ipx-#0 -29
02:23:13.352640 IP 192.168.0.52.51597 > a23-79-243-40.deploy.static.akamaitechnologies.com.http: Flags [S], seq 512195564, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
02:23:16.356848 IP 192.168.0.52.51597 > a23-79-243-40.deploy.static.akamaitechnologies.com.http: Flags [S], seq 512195564, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
02:23:18.302092 ARP, Request who-has 192.168.0.1 (c4:17:fe:af:86:b1 (oui Unknown)) tell 192.168.0.52, length 28
02:23:18.302144 ARP, Reply 192.168.0.1 is-at c4:17:fe:af:86:b1 (oui Unknown), length 28
02:23:19.406444 IP 192.168.0.52.56267 > 192.168.0.1.domain: 27321+ A? www.msftncsi.com. (34)
02:23:19.406906 IP 10.145.159.235.30372 > dns.mel.optusnet.com.au.domain: 53936+ A? www.msftncsi.com. (34)
02:23:20.012279 IP dns.mel.optusnet.com.au.domain > 10.145.159.235.30372: 53936 4/0/0 CNAME www.msftncsi.com.edgesuite.net., CNAME a1961.g.akamai.net., A 23.79.243.40, A 23.79.243.35 (139)
02:23:20.012552 IP 192.168.0.1.domain > 192.168.0.52.56267: 27321 4/0/0 CNAME www.msftncsi.com.edgesuite.net., CNAME a1961.g.akamai.net., A 23.79.243.40, A 23.79.243.35 (139)
02:23:20.061741 IP 192.168.0.52.51598 > a23-79-243-40.deploy.static.akamaitechnologies.com.http: Flags [S], seq 1708966181, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
02:23:20.758122 IP6 fe80::54be:be68:df20:ee40.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit
02:23:20.758172 IPX 00651101.fe:80:00:00:00:00.0000 > 8463d6f8.8c:f8:86:dd:60:00.0000: ipx-#0 -29
02:23:23.074670 IP 192.168.0.52.51598 > a23-79-243-40.deploy.static.akamaitechnologies.com.http: Flags [S], seq 1708966181, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
02:23:25.017755 ARP, Request who-has 192.168.0.52 tell 192.168.0.1, length 28
02:23:25.074342 ARP, Reply 192.168.0.52 is-at 84:63:d6:f8:8c:f8 (oui Unknown), length 28
02:23:25.153469 IP 192.168.0.52.63838 > 192.168.0.1.domain: 17014+ A? discoveryservice.windowsphone.com. (51)
02:23:25.153924 IP 10.145.159.235.29571 > dns.mel.optusnet.com.au.domain: 63752+ A? discoveryservice.windowsphone.com. (51)
02:23:25.161768 IP 192.168.0.52.51351 > 192.168.0.1.domain: 7557+ A? api.live.net. (30)
02:23:25.162074 IP 10.145.159.235.57576 > dns.mel.optusnet.com.au.domain: 63002+ A? api.live.net. (30)
02:23:25.561543 IP 192.168.0.52.63008 > 192.168.0.1.domain: 43579+ A? blu402-m.hotmail.com. (38)
02:23:25.561846 IP 192.168.0.1.domain > 192.168.0.52.63008: 43579 1/0/0 A 134.170.0.199 (54)
02:23:25.565456 IP 192.168.0.52.51599 > blu402-m.hotmail.com.https: Flags [S], seq 2084557239, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
02:23:25.802280 IP dns.mel.optusnet.com.au.domain > 10.145.159.235.29571: 63752 2/0/0 CNAME principal.discoveryservice.windowsphone.glbdns2.microsoft.com., A 65.52.176.185 (139)
02:23:25.802555 IP 192.168.0.1.domain > 192.168.0.52.63838: 17014 2/0/0 CNAME principal.discoveryservice.windowsphone.glbdns2.microsoft.com., A 65.52.176.185 (139)
02:23:25.813103 IP 192.168.0.52.51600 > 65.52.176.185.https: Flags [S], seq 3225546853, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
02:23:26.042028 IP dns.mel.optusnet.com.au.domain > 10.145.159.235.57576: 63002 2/0/0 CNAME snapi.skyprod.akadns.net., A 134.170.108.26 (81)
02:23:26.042277 IP 192.168.0.1.domain > 192.168.0.52.51351: 7557 2/0/0 CNAME snapi.skyprod.akadns.net., A 134.170.108.26 (81)
02:23:26.052912 IP 192.168.0.52.51601 > by3301-skpfe.onedrive.live.com.https: Flags [S], seq 3064143503, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
02:23:26.056340 IP 192.168.0.52.51602 > by3301-skpfe.onedrive.live.com.https: Flags [S], seq 569522264, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

It is likely that I have a problem with firewall rules. This is the content of the firewall script.

Code:

IPTABLES=/usr/sbin/iptables
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig
EXTIF="wwan0"
echo "  External Interface:  $EXTIF"
EXTIP="`$IFCONFIG $EXTIF | $AWK \
 /$EXTIF/'{next}//{print $2;exit}'`"
echo "  External IP: $EXTIP"
echo "  ---"
UNIVERSE="0.0.0.0/0"
echo "  Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
   $IPTABLES -F drop-and-log-it
fi
$IPTABLES -X
$IPTABLES -Z
echo "  Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j REJECT
echo -e "\n   - Loading INPUT rulesets"
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m conntrack --ctstate \
 ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i wlan0 -p udp --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i wlan0 -p all -s 192.168.0.0/24 -j ACCEPT
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e "   - Loading OUTPUT rulesets"
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o wlan0  -d 192.168.0.0/24 -j ACCEPT
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e "   - Loading FORWARD rulesets"
$IPTABLES -A POSTROUTING -t nat -s 192.168.0.0/24 -d $UNIVERSE -j MASQUERADE
echo -e "\nDone.\n

The masquerading seems to be working for DNS requests, but the masquerading seems to be failing for direct connections to external IP addresses.

If anybody has bothered reading this far, I feel like I am close, but have hit a spot where I am failing to see the wood for the trees. Help would be much appreciated.

PS - I have also tried bridging, but so far that has not been successful for me.

jostber · 02-02-2015, 01:01 PM

This seems like a good overview:

http://www.zoros.org/wiki/index.php?...as_wireless_AP

Labinnah · 02-03-2015, 01:24 AM

You drop everything in FORWARD chain by policy settings. And IMHO "-d $UNIVERSE" can create problems.

allend · 02-03-2015, 06:37 PM

Thanks for the responses.
Especially thanks for the fresh eyes on the problem from Labinnah, as initialising the FORWARD chain seems to be the answer.
With this updated firewall script, all works as expected.

Code:

IPTABLES=/usr/sbin/iptables
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig
EXTIF="wwan0"
echo "  External Interface:  $EXTIF"
EXTIP="`$IFCONFIG $EXTIF | $AWK \
 /$EXTIF/'{next}//{print $2;exit}'`"
echo "  External IP: $EXTIP"
echo "  ---"
UNIVERSE="0.0.0.0/0"
HOSTAPD_LAN="192.168.0.0/24"
echo "  Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
   $IPTABLES -F drop-and-log-it
fi
$IPTABLES -X
$IPTABLES -Z
echo "  Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j REJECT
echo -e "\n   - Loading INPUT rulesets"
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m conntrack --ctstate \
 ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i wlan0 -p udp --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i wlan0 -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e "   - Loading OUTPUT rulesets"
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o wlan0  -d $HOSTAPD_LAN -j ACCEPT
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e "   - Loading FORWARD rulesets"
$IPTABLES -A FORWARD -i wlan0 -j ACCEPT
$IPTABLES -A FORWARD -o wlan0 -j ACCEPT
$IPTABLES -A POSTROUTING -t nat -s $HOSTAPD_LAN -d $UNIVERSE -o $EXTIF -j MASQUERADE
echo -e "\nDone.\n"

perezomail · 02-12-2015, 04:35 AM

both my nexus 4&7 connect through kdeconnect visavie Bluetooth I can transfer files although slowly between my desktop and mentioned devices