Configuring An Inexpensive Fedora Router/Access Point Using Pidora And An Edimax 802.11n USB Adapter
- Install Pidora.
- Remove superfluous packages.
    yum -y install yum-plugin-fastestmirror
    yum -y remove blue\* yum-presto yumex xscreensaver-base
    # make sure that the date is set accurately to avoid clock skew later
    system-config-date
- Replace XFCE with LXDE.
    yum -y remove xfce4\*
    yum -y install lx\*
    # note that the location of startlxde changed from fedora 18 to fedora 19
    echo 'PREFERRED=/usr/bin/startlxde' > /etc/sysconfig/desktop
- Install vnc.
    yum -y install tigervnc-server
    sudo -u dave mkdir /home/dave/.vnc
    cat <<EOS > /home/dave/.vnc/xstartup
    #!/bin/sh
    # dmjp
    unset SESSION_MANAGER
    unset DBUS_SESSION_BUS_ADDRESS
    vncconfig -nowin &
    exec /etc/X11/xinit/xinitrc
    # ~dmjp
    EOS
    chown dave:dave /home/dave/.vnc/xstartup
    chmod a+x /home/dave/.vnc/xstartup
    sudo -u dave vncpasswd
    cat /usr/lib/systemd/system/vncserver@.service | sed 's/.USER./dave/g' > /etc/systemd/system/vncserver@:1.service
    systemctl daemon-reload
    # firewalld is switched off here, so the VNC display (:1, TCP port 5901) is reachable on every interface
    systemctl disable firewalld
    systemctl stop firewalld
    systemctl enable vncserver@:1.service
    systemctl start vncserver@:1.service
- Install rpmbuild and other tools.
    yum -y install rpm-build subversion vim-enhanced openjade docbook-style-dsssl \
        gettext perl-XML-Parser intltool gkrellm gkrellm-daemon system-config-services \
        python-iwlib firefox hostapd wpa_supplicant
    systemctl enable gkrellmd.service
    systemctl start gkrellmd.service
- Edit etc files (copy-and-paste one file at a time).
    ###############################
    vi /etc/vimrc +9999
    A
    " dmjp: turn off auto-comment
    au FileType * setl fo=cql
    ###############################
    vi /etc/gkrellmd.conf +9999
    A
    # dmjp
    allow-host 192.168.1.*
    ###############################
    vi /etc/bashrc +9999
    A
    # dmjp
    alias egrep='egrep --color'
    alias fgrep='fgrep --color'
    alias df='df -h'
    alias vi=vim
    alias ssh='ssh -X'
    alias ssg='ssh -X -p 10176'
    alias cvs='cvs -z3'
    #alias vmware=vmwarearts
    #alias unison='unison -rsync -maxthreads 5'
    alias unison='unison -rsync'
    alias tidy='tidy -utf8 --indent-spaces 3 -w 132 -ibcum --drop-proprietary-attributes 1 --fix-uri 1 --word-2000 1 --tidy-mark 0'
    alias yum='yum --disableplugin=refresh-packagekit'
    alias mysqldump='mysqldump --skip-opt --add-drop-table --add-locks --create-options --quick --lock-tables --set-charset --disable-keys -c'
    ###############################
    vi /etc/profile +9999
    A
    # dmjp
    export EDITOR=vim
    #export BROWSER=google-chrome
    #export JAVA_HOME=/usr/java/latest
- Customize.
- Download and prepare the kernel source.
    cd /root/rpmbuild/SRPMS
    # find kernel source by matching the signature of rpm -q raspberrypi-kernel
    # for pidora 18; NOTE: there's a local copy here, as in ./raspberrypi-kernel-3.6.11-7.20130415git197d15b.rpfr18.src.rpm
    wget http://japan.proximity.on.ca/kojifiles/packages/raspberrypi-kernel/3.6.11/7.20130415git197d15b.rpfr18/src/raspberrypi-kernel-3.6.11-7.20130415git197d15b.rpfr18.src.rpm
    rpm -ihv raspberrypi-kernel*
    yum-builddep -y raspberrypi-kernel*
    cd ../SPECS
    rpmbuild -bp raspberrypi-kernel.spec # takes 4 minutes
    cd ../BUILD/raspberrypi-linux*
    make oldconfig
    make prepare
    make modules_prepare # takes 2 minutes
    cd arch
    ln -svf arm ./armv6l # NOTE: we're not just arm, we're armv6l
    cd /lib/modules/3.6.11
    ln -svf /root/rpmbuild/BUILD/raspberrypi-linux-* ./build
    ln -svf ./build ./source
- Download and install the (latest) 8192cu driver and hostapd.
    cd
    # NOTE: as of 2013.11.16, there's a local copy here, as in ./RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911.zip
    # NOTE: requires a javascript enabled browser
    firefox 'http://www.realtek.com.tw/downloads/downloadsView.aspx?Langid=1&PNid=21&PFid=48&Level=5&Conn=4&DownTypeID=3&GetDown=false&Downloads=true#2772'
    unzip *8192*.zip
    # trailing slash so the glob matches only the unpacked directory, not the zip next to it
    cd *8192*/
    chmod a+x install.sh
    ./install.sh
    # warns that Symbol version dump /root/rpmbuild/BUILD/raspberrypi-linux-197d15b/Module.symvers is missing;
    # modules will have no dependencies and modversions. - should probably fix that; takes 12 minutes
    cd wpa_supplicant_hostapd
    tar -xvzf wpa_supplicant_hostapd-0.8_rtw_r7475.20130812.tar.gz
    cd wpa_supplicant_hostapd-0.8_rtw_r7475.20130812
    cd hostapd
    cat Makefile | sed 's@/usr/local/bin@/usr/sbin@' > Makefile.dmjp ; mv Makefile Makefile.original ; mv Makefile.dmjp Makefile
    # overwrite the rpm installed hostapd
    make # takes 9 minutes
    make install
    cat <<EOS > /etc/hostapd/hostapd.conf
    # dmjp
    auth_algs=1
    channel=1
    ctrl_interface_group=wheel
    ctrl_interface=/var/run/hostapd
    driver=rtl871xdrv
    hw_mode=g
    ieee80211n=1
    ignore_broadcast_ssid=0
    interface=wlan0
    macaddr_acl=0
    rsn_pairwise=CCMP
    ssid=nyc
    wmm_enabled=1
    wpa=2
    wpa_key_mgmt=WPA-PSK
    wpa_pairwise=TKIP
    wpa_passphrase=supersecret
    # didn't work:
    #ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][SHORT-GI-20][MAX-AMSDU-7935]
    EOS
    systemctl --system daemon-reload
    systemctl restart hostapd.service
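A check for the hostapd.conf written in the step above, as an added example that is not part of the original page: it works out which pairwise cipher is actually in effect for the configured `wpa=` value and flags WPA (v1), TKIP and passphrase problems. The function name `audit_hostapd`, the finding labels and the `sample_conf` input are assumptions made for this example; the cipher defaults are the ones documented in hostapd's sample configuration.

```sh
#!/bin/sh
# Added example (not from the original page): flag weak WPA settings in a hostapd.conf.
# Findings go to stdout, one per line; exit status is 1 when there is at least one.
audit_hostapd() {
    awk '
        /^[ \t]*#/ || !/=/ { next }                 # skip comments and non key=value lines
        {
            key = $0; sub(/=.*/, "", key)            # text before the first "="
            val = $0; sub(/^[^=]*=/, "", val)        # text after it (may itself contain "=")
            cfg[key] = val
        }
        END {
            wpa = ("wpa" in cfg) ? cfg["wpa"] + 0 : 0
            v1  = (wpa % 2 == 1)                     # bit 0: WPA (v1)
            rsn = (int(wpa / 2) % 2 == 1)            # bit 1: WPA2 (RSN)
            # documented hostapd defaults: wpa_pairwise=TKIP, rsn_pairwise=<wpa_pairwise>
            wp = ("wpa_pairwise" in cfg) ? cfg["wpa_pairwise"] : "TKIP"
            rp = ("rsn_pairwise" in cfg) ? cfg["rsn_pairwise"] : wp
            n = 0
            if (!v1 && !rsn)        { print "OPEN: wpa is 0 or unset, traffic is unencrypted"; n++ }
            if (v1)                 { print "WPA1: wpa=" wpa " still offers WPA (v1)"; n++ }
            if (v1 && wp ~ /TKIP/)  { print "TKIP: WPA (v1) pairwise cipher is " wp; n++ }
            if (rsn && rp ~ /TKIP/) { print "TKIP: WPA2 pairwise cipher is " rp; n++ }
            if ("wpa_passphrase" in cfg) {
                p = cfg["wpa_passphrase"]
                if (length(p) < 8 || length(p) > 63) { print "LENGTH: passphrase must be 8..63 characters"; n++ }
                if (p == "supersecret") { print "PLACEHOLDER: passphrase is the sample value from the page"; n++ }
            }
            exit (n > 0)
        }' "$@"
}

# Constructed input: the WPA-related lines of the hostapd.conf shown on this page.
sample_conf() {
    cat <<'EOF'
# dmjp
ssid=nyc
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
wpa_passphrase=supersecret
EOF
}

sample_conf | audit_hostapd || true
```

On the page's own settings only the placeholder passphrase is reported: with `wpa=2` the `wpa_pairwise=TKIP` line is not in effect, because `rsn_pairwise=CCMP` governs WPA2 clients.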
- Enable the GUI for system-config-network.
    cd
    yum -y remove system-config-network
    yumdownloader --source system-config-network
    rpmbuild --rebuild system-config-network-*.src.rpm --with gui
    yum -y localinstall /root/rpmbuild/RPMS/noarch/system-config-network*
- Configure wpa_supplicant if the public interface is wireless and connects via an encrypted
connection. The sed portion of the command below inserts 'scan_ssid=1' into the network stanza
so that hidden networks can be found.
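    # note: wpa_passphrase also emits the cleartext passphrase as a '#psk=' comment line, which lands in the conf file too
    wpa_passphrase my_ssid mypassphrase | sed 's/ssid=/scan_ssid=1\nssid=/' >> /etc/wpa_supplicant/wpa_supplicant.conf
    systemctl enable wpa_supplicant.service
    systemctl restart wpa_supplicant.service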
- NAT.
- Enable forwarding.
    sysctl -w net.ipv4.ip_forward=1
- Masquerade.
    export INTIF=wlan0
    export EXTIF=eth0
    iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
    iptables -A FORWARD -i $EXTIF -o $INTIF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
- Harden.
- Install and configure nagios.
    yum -y install nagios nagios-plugins-all
    # enable ping, dns, and/or other service checks that restart openvpn or whatever
    # don't dick around with permissioning
    # (the sudoers line below lets the nagios user run any command as any user without a password)
    visudo
    G
    A
    nagios ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r NOPASSWD: ALL
- Fix ping, believe it or not (there's probably a better, SELinux way), and light up nagios.
    chmod u+s /bin/ping
    systemctl enable nagios.service
    systemctl enable httpd.service
    systemctl restart nagios.service
    systemctl restart httpd.service
- (Add a Ralink Technology RT5370 USB wireless adapter to the mix to make the Pi a wireless relay.)
- Upgrade the firmware used by the rt2800usb kernel module to avoid rt2x00usb_vendor_request
errors that render the device useless.
    cd /lib/firmware/
    mv rt2870.bin rt2870.bin.original
    wget http://rt2x00.serialmonkey.com/pipermail/users_rt2x00.serialmonkey.com/attachments/20130111/f8ebe4d3/attachment.bin -O rt2870.bin
    md5sum rt2870.bin # should match ac4f6d8b679945208a978e397c016aa7
    modprobe -vr rt2800usb
    modprobe -v rt2800usb
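The firmware step above writes the download straight into /lib/firmware and leaves the checksum comparison to the eye. The following added example, not part of the original page, downloads to a scratch file and replaces the firmware only when the MD5 matches the value quoted in that step; the function names `verify_md5`, `install_verified` and `update_firmware` are assumptions made for this example, and MD5 is used only because it is the one digest the page provides.

```sh
#!/bin/sh
# Added example (not from the original page): verify first, install second.
FW_MD5=ac4f6d8b679945208a978e397c016aa7   # checksum quoted in the firmware step above

# verify_md5 FILE EXPECTED -> status 0 only when FILE is readable and its MD5 equals EXPECTED
verify_md5() {
    got=$(md5sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$got" ] && [ "$got" = "$2" ]
}

# install_verified SRC EXPECTED DEST
# Replaces DEST with SRC only after the checksum matches. The first pre-existing
# DEST is kept as DEST.original. On mismatch DEST is left untouched and 1 is returned.
install_verified() {
    if ! verify_md5 "$1" "$2"; then
        echo "refusing to install $1: MD5 does not match $2" >&2
        return 1
    fi
    if [ -e "$3" ] && [ ! -e "$3.original" ]; then
        cp -p "$3" "$3.original" || return 1
    fi
    # write beside the target, then rename, so a partial copy never sits at DEST
    install -m 0644 "$1" "$3.new" && mv -f "$3.new" "$3"
}

# update_firmware URL DEST (hypothetical wrapper; needs network access, not run below)
update_firmware() {
    tmp=$(mktemp) || return 1
    if wget -q -O "$tmp" "$1" && install_verified "$tmp" "$FW_MD5" "$2"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Constructed offline demo: scratch files stand in for the firmware and the download.
demo_dir=$(mktemp -d)
printf 'old firmware' > "$demo_dir/rt2870.bin"
printf 'not the expected file' > "$demo_dir/download"
install_verified "$demo_dir/download" "$FW_MD5" "$demo_dir/rt2870.bin" \
    || echo "kept: $(cat "$demo_dir/rt2870.bin")"
rm -rf "$demo_dir"
```

Reload the module with the two `modprobe` commands from the step above only after `update_firmware` returns 0.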
- Make the device less flaky by disabling power management.
    iwconfig wifi0 power off
- Rejoice!