This post is one of a series of posts about OpenWRT hacking. My OpenNews friends [@malev][at_malev], [@gaba][at_gaba], and I have been doing a lot of research into OpenWRT, and we’re finally taking the time to write up our findings. All these posts are co-written. Hope you’ll enjoy!
Now that you know a little bit about the project (link to whatever), that you wan to share some of your Internet bandwidth (link) and that you know how to “un-brick” your PirateBox, why don’t we move one step forward in the craziness ad we setup two (yes two) different networks on your device. Let’s think on a private secured network and a open to the public network. Both on the same device! Keep in mind that since we are dealing with an unpowerful device we are going to be hammering our PirateBox. But … Why not?
By this point, you already have one WiFi network on your PirateBox. Connect to it via ssh (or telnet), and run
ifconfig. You should see that the PirateBox has an IP address on the same subnet as your router. Now, open another terminal window, and run
ifconfig on your own machine. You’ll notice that you have an IP address on that very same subnet. This isn’t a bad thing, but it presents a security hole if you plan on sharing your network, because any machine that connects to this network has access to the same stuff as your router does.
At this point, I’d like to ask you if you’ve enabled network encryption! If you have, your network is somewhat more secure because at least only people who know your password can have network access. But, boogey-man alert: passwords can be cracked! Anyway, I’m getting ahead of myself… Back to the subnet stuff.
Thankfully, we can create a new interface that will put connected devices on a different subnet. That way, your private network that you share with your router is kept apart from the network your guests are using. Let’s create this interface. Open up
/etc/config/network and add a new interface similar to the one that describes your lan:
Now, let’s link up the interface we created to the radio by telling the wireless manifest about it. Pop open
/etc/config/wireless and add after the lan description:
Next, let’s add give our interface a DHCP pool of its own, so it can automatically assign IPs to devices when they connect. In
OK, now we do the important part: we set up our firewall to properly jail devices on our public network, restricting them to only what we want them to be allowed to do. Edit
- Setup the “zone” with its basic iptable rules:
- Link the interface to the router’s network
This is the basic setup! Now let’s add specific rules to guide what connected users can and cannot do.
- Now let’s set a rule that allows users to get a DHCP lease:
- Next, set a rule to allow connected clients to make DNS queries: