Configuring An Inexpensive Fedora Router/Access Point Using Pidora And An Edimax 802.11n USB Adapter

  1. Install Pidora.
    • Remove superfluous packages.
      yum -y install yum-plugin-fastestmirror
      yum -y remove blue\* yum-presto yumex xscreensaver-base
      # make sure that the date is set accurately to avoid clock skew later
      system-config-date
      
    • Replace XFCE with LXDE.
      yum -y remove xfce4\*
      yum -y install lx\*
      # note that the location of startlxde changed from fedora 18 to fedora 19
      echo 'PREFERRED=/usr/bin/startlxde' > /etc/sysconfig/desktop
      
    • Install vnc.
      yum -y install tigervnc-server
      sudo -u dave mkdir /home/dave/.vnc
      cat <<EOS > /home/dave/.vnc/xstartup
      #!/bin/sh
      
      # dmjp
      unset SESSION_MANAGER
      unset DBUS_SESSION_BUS_ADDRESS
      vncconfig -nowin &
      exec /etc/X11/xinit/xinitrc
      # ~dmjp
      EOS
      chown dave.dave /home/dave/.vnc/xstartup
      chmod a+x /home/dave/.vnc/xstartup
      sudo -u dave vncpasswd
      cat /usr/lib/systemd/system/vncserver@.service | sed 's/.USER./dave/g' > /etc/systemd/system/vncserver@:1.service
      systemctl daemon-reload
      systemctl disable firewalld
      systemctl stop firewalld
      systemctl enable vncserver@:1.service
      systemctl start vncserver@:1.service
      
    • Install rpmbuild and other tools.
      yum -y install rpm-build subversion vim-enhanced openjade docbook-style-dsssl gettext perl-XML-Parser intltool gkrellm gkrellm-daemon system-config-services python-iwlib firefox hostapd wpa_supplicant
      
      systemctl enable gkrellmd.service 
      systemctl start gkrellmd.service 
      
    • Edit etc files (copy-and-paste one file at a time).
      ###############################
      vi /etc/vimrc +9999
      A
      
      " dmjp: turn off auto-comment
      au FileType * setl fo=cql
      
      
      ###############################
      vi /etc/gkrellmd.conf +9999
      A
      
      # dmjp
      allow-host      192.168.1.*
      
      
      ###############################
      vi /etc/bashrc +9999
      A
      
      # dmjp
      alias egrep='egrep --color'
      alias fgrep='fgrep --color'
      alias df='df -h'
      alias vi=vim
      alias ssh='ssh -X'
      alias ssg='ssh -X -p 10176'
      alias cvs='cvs -z3'
      #alias vmware=vmwarearts
      #alias unison='unison -rsync -maxthreads 5'
      alias unison='unison -rsync'
      alias tidy='tidy -utf8 --indent-spaces 3 -w 132 -ibcum --drop-proprietary-attributes 1 --fix-uri 1 --word-2000 1 --tidy-mark 0'
      alias yum='yum --disableplugin=refresh-packagekit'
      alias mysqldump='mysqldump --skip-opt --add-drop-table --add-locks --create-options --quick --lock-tables --set-charset --disable-keys -c'
      
      ###############################
      vi /etc/profile +9999
      A
      
      # dmjp
      export EDITOR=vim
      #export BROWSER=google-chrome
      #export JAVA_HOME=/usr/java/latest
      
      
  2. Customize.
    • Download and prepare the kernel source.
      cd /root/rpmbuild/SRPMS
      
      # find kernel source by matching the signature of
      rpm -q raspberrypi-kernel
      # for pidora 18; NOTE: there's a local copy here, as in ./raspberrypi-kernel-3.6.11-7.20130415git197d15b.rpfr18.src.rpm
      wget http://japan.proximity.on.ca/kojifiles/packages/raspberrypi-kernel/3.6.11/7.20130415git197d15b.rpfr18/src/raspberrypi-kernel-3.6.11-7.20130415git197d15b.rpfr18.src.rpm
      rpm -ihv raspberrypi-kernel*
      yum-builddep -y raspberrypi-kernel*
      cd ../SPECS
      rpmbuild -bp raspberrypi-kernel.spec # takes 4 minutes
      cd ../BUILD/raspberrypi-linux*
      make oldconfig
      make prepare
      make modules_prepare # takes 2 minutes
      cd arch
      ln -svf arm ./armv6l # NOTE: we're not just arm, we're armv6l
      cd /lib/modules/3.6.11
      ln -svf /root/rpmbuild/BUILD/raspberrypi-linux-* ./build
      ln -svf ./build ./source
      
    • Download and install the (latest) 8192cu driver and hostapd.
      cd
      # NOTE: as of 2013.11.16, there's a local copy here, as in ./RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911.zip
      # NOTE: requires a javascript enabled browser
      firefox 'http://www.realtek.com.tw/downloads/downloadsView.aspx?Langid=1&PNid=21&PFid=48&Level=5&Conn=4&DownTypeID=3&GetDown=false&Downloads=true#2772'
      unzip *8192*.zip
      cd *8192*
      chmod a+x install.sh
      ./install.sh # warns that Symbol version dump /root/rpmbuild/BUILD/raspberrypi-linux-197d15b/Module.symvers is missing; modules will have no dependencies and modversions. - should probably fix that; takes 12 minutes
      cd wpa_supplicant_hostapd
      tar -xvzf wpa_supplicant_hostapd-0.8_rtw_r7475.20130812.tar.gz
      cd wpa_supplicant_hostapd-0.8_rtw_r7475.20130812
      cd hostapd
      cat Makefile | sed 's@/usr/local/bin@/usr/sbin@' > Makefile.dmjp ; mv Makefile Makefile.original ; mv Makefile.dmjp Makefile # overwrite the rpm installed hostapd
      make # takes 9 minutes
      make install
      cat <<EOS > /etc/hostapd/hostapd.conf
      # dmjp
      auth_algs=1
      channel=1
      ctrl_interface_group=wheel
      ctrl_interface=/var/run/hostapd
      driver=rtl871xdrv
      hw_mode=g
      ieee80211n=1
      ignore_broadcast_ssid=0
      interface=wlan0
      macaddr_acl=0
      rsn_pairwise=CCMP
      ssid=nyc
      wmm_enabled=1
      wpa=2
      wpa_key_mgmt=WPA-PSK
      wpa_pairwise=TKIP
      wpa_passphrase=supersecret
      
      # didn't work:
      #ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][SHORT-GI-20][MAX-AMSDU-7935]
      EOS
      systemctl --system daemon-reload
      systemctl restart hostapd.service
      
    • Enable the GUI for system-config-network.
      cd
      yum -y remove system-config-network
      yumdownloader --source system-config-network
      rpmbuild --rebuild system-config-network-*.src.rpm --with gui
      yum -y localinstall /root/rpmbuild/RPMS/noarch/system-config-network*
      
    • Configure wpa_supplicant if the public interface is wireless and connects via an encrypted connection. The sed portion of the command below inserts 'scan_ssid=1' in to the network stanza so that hidden networks can be found.
      wpa_passphrase my_ssid mypassphrase | sed 's/ssid=/scan_ssid=1\nssid=/' >> /etc/wpa_supplicant/wpa_supplicant.conf
      systemctl enable wpa_supplicant.service
      systemctl restart wpa_supplicant.service
      
  3. NAT.
    • Enable forwarding.
      sysctl -w net.ipv4.ip_forward=1
      
    • Masquerade.
      export INTIF=wlan0
      export EXTIF=eth0
      
      iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
      iptables -A FORWARD -i $EXTIF -o $INTIF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
      
  4. Harden.
    • Install and configure nagios.
      yum -y install nagios nagios-plugins-all
      
      # enable ping, dns, and/or other service checks that restart openvpn or whatever
      
      # don't dick around with permissioning
      visudo
      G
      A
      
      nagios ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r NOPASSWD: ALL
      
    • Fix ping, believe it or not, (there's probably a better, selinux way) and light-up nagios.
      chmod u+s /bin/ping
      systemctl enable nagios.service
      systemctl enable httpd.service
      systemctl restart nagios.service
      systemctl restart httpd.service
      
  5. (Add a Ralink Technology RT5370 usb wireless adapter to the mix to make the Pi a wireless relay.)
    • Upgrade the firmware used by the rt2800usb kernel module to avoid rt2x00usb_vendor_request errors that render the device useless.
      cd /lib/firmware/
      mv rt2870.bin rt2870.bin.original
      wget http://rt2x00.serialmonkey.com/pipermail/users_rt2x00.serialmonkey.com/attachments/20130111/f8ebe4d3/attachment.bin -O rt2870.bin
      md5sum rt2870.bin # should match ac4f6d8b679945208a978e397c016aa7
      modprobe -vr rt2800usb
      modprobe -v  rt2800usb
      
    • Make the device less flaky by disabling power management.
      iwconfig wifi0 power off
      
  6. Rejoice!