Setup a guest Wifi Hotspot using Yocto


In this tutorial we show how to set up a guest Wifi hotspot and restrict the guests to web browsing only (DNS plus HTTP/HTTPS, nothing else).

We will showcase this setup using Poky/Yocto as the Linux distribution and connman as the network manager. As hardware we will use:

  • Raspberry-Pi
  • Beaglebone-black

For both boards we will use a Realtek RTL8192CU-based Wifi USB dongle.

 

Yocto Layers Setup

First we clone the Poky repository:

$ cd Projects
$ git clone -b master git://git.yoctoproject.org/poky

Add the meta-raspberrypi layer:

$ cd poky
$ git clone git://git.yoctoproject.org/meta-raspberrypi

Enable it in bblayers.conf:

$ source oe-init-build-env

$ echo 'BBLAYERS += "~/Projects/poky/meta-raspberrypi"' >> conf/bblayers.conf

The Beaglebone Black machine configuration is already contained in Poky, so no other layer is needed unless you want to build for hardware that these layers do not support.

 

Kernel Configuration

In order to support tethering, the following kernel configuration options
need to be enabled either as modules (m) or builtin (y). On newer kernels the IPv4-specific conntrack and NAT options listed here have been folded into CONFIG_NF_CONNTRACK and CONFIG_NF_NAT; enable those instead if the IPv4 ones no longer show up in menuconfig:

CONFIG_BRIDGE
CONFIG_IP_NF_TARGET_MASQUERADE
CONFIG_NETFILTER
CONFIG_NF_CONNTRACK_IPV4
CONFIG_NF_NAT_IPV4

For routing and statistics support, the following options need to be enabled as modules (m) or builtin (y):

CONFIG_IP_NF_IPTABLES
CONFIG_IP_MULTIPLE_TABLES
CONFIG_NETFILTER_NETLINK_ACCT
CONFIG_NETFILTER_XT_MATCH_NFACCT
CONFIG_NETFILTER_XT_CONNMARK
CONFIG_NETFILTER_XT_TARGET_CONNMARK
CONFIG_NETFILTER_XT_MATCH_CONNMARK

Finally the RTL8192CU driver options need to be enabled as modules (m) or builtin (y):

CONFIG_RTL8192CU=m
CONFIG_RTLWIFI=m
#CONFIG_RTLWIFI_DEBUG=y
CONFIG_RTL8192C_COMMON=m

You can put the options above in a kernel configuration fragment (a .cfg file added to the kernel recipe's SRC_URI) instead of editing the defconfig by hand.

Also make sure that the ip_tables module is autoloaded by setting, in the kernel recipe or in local.conf (newer Yocto releases spell the override `KERNEL_MODULE_AUTOLOAD:append`):

KERNEL_MODULE_AUTOLOAD_append = " ip_tables"
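To make the fragment approach concrete, here is an added example (my own, not code from the original post) that writes the options above into a kernel configuration fragment, wires it into both kernel recipes with bbappend files and adds the ip_tables autoload in the same place. It assumes a custom layer directory passed as argument (for instance meta-hotspot, added to BBLAYERS the same way meta-raspberrypi was), that the kernel recipes are linux-yocto for the Beaglebone and linux-raspberrypi for the Pi, and that they inherit kernel-yocto, which is what merges .cfg fragments. The `_prepend` override syntax matches this page; newer Yocto releases spell it `:prepend`.

```shell
#!/bin/sh
# Added example, not part of the original post: generate a kernel config
# fragment for the hotspot and the bbappend files that pull it into the
# Beaglebone (linux-yocto) and Raspberry Pi (linux-raspberrypi) kernels.
# Assumed (not from the page): a custom layer directory passed as $1, and
# kernel recipes that inherit kernel-yocto so that .cfg fragments are merged.
set -eu

# Write hotspot.cfg plus the two bbappends under LAYER/recipes-kernel/linux.
write_hotspot_kernel_fragment() {
    layer=$1
    dir="$layer/recipes-kernel/linux"
    mkdir -p "$dir/files"

    # Netfilter/NAT for tethering, routing/accounting, RTL8192CU as modules.
    cat > "$dir/files/hotspot.cfg" <<'EOF'
CONFIG_BRIDGE=y
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_NAT_IPV4=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_NETFILTER_NETLINK_ACCT=y
CONFIG_NETFILTER_XT_MATCH_NFACCT=y
CONFIG_NETFILTER_XT_CONNMARK=y
CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
CONFIG_RTLWIFI=m
CONFIG_RTL8192C_COMMON=m
CONFIG_RTL8192CU=m
# CONFIG_RTLWIFI_DEBUG is not set
EOF

    # Same bbappend for both kernel recipes; "%" matches any recipe version.
    for recipe in linux-yocto linux-raspberrypi; do
        cat > "$dir/${recipe}_%.bbappend" <<'EOF'
FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
SRC_URI += "file://hotspot.cfg"
KERNEL_MODULE_AUTOLOAD += "ip_tables"
EOF
    done
}

# Lint a fragment: every line must be CONFIG_FOO=<value>, a
# "# CONFIG_FOO is not set" line, a plain comment, or blank. A stray
# "CONFIG_FOO" without "=..." is silently ignored by the kernel build and
# leaves the option off, so catch it before bitbake does not.
check_kernel_fragment() {
    ! grep -vE '^(CONFIG_[A-Za-z0-9_]+=(y|m|n|[0-9]+|".*")|# CONFIG_[A-Za-z0-9_]+ is not set|#.*|)$' "$1"
}
```

Run `write_hotspot_kernel_fragment /path/to/meta-hotspot` once, then `bitbake -c menuconfig virtual/kernel` or the `.config` in the kernel work directory will show the options set; `check_kernel_fragment` is worth running on any fragment you edit by hand.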

 

Yocto Recipes

Your image recipe must include connman, connman-client (the package that provides connmanctl) and iptables, plus the firmware package for the RTL8192CU dongle. Putting it all in one recipe file, hotspot-image.bb:

# hotspot-image.bb
require recipes-core/images/core-image-minimal.bb

IMAGE_INSTALL += "connman connman-client iptables"

# Firmware for the RTL8192CU dongle
IMAGE_INSTALL += "linux-firmware-rtl8192cu"

Now we are ready to build the image (the target name is the recipe file name without .bb) either for the Bone or the Pi:

$ MACHINE=beaglebone bitbake hotspot-image
$ MACHINE=raspberrypi bitbake hotspot-image

Now we can write the output image to an SD card, boot the corresponding board and set up tethering in connman.

Connman Setup

Plug a network cable into the Ethernet interface and enable IPv4 forwarding (connman also turns forwarding on and adds the NAT masquerading rule itself when tethering starts, so no manual iptables NAT rule is needed; doing it here just makes the dependency explicit):

$ sysctl -w net.ipv4.ip_forward=1

Enable Wifi:

$ connmanctl enable wifi

Finally activate tethering on Wifi, using EmbexuSpot as SSID and 12345678 as passphrase. A WPA2 passphrase must be 8 to 63 characters or connman refuses it; this one is only a placeholder for the bench, use a strong one on a network anybody nearby can see:

$ connmanctl tether wifi on EmbexuSpot 12345678

If tethering does not come up, check that the driver actually supports AP mode: `iw list` (add iw to IMAGE_INSTALL) prints the supported interface modes, and AP must be among them.
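The same three steps as a script with the checks the manual commands skip, as an added example that is not part of the original post: the passphrase and SSID are validated before connman sees them, and the script waits for the tethering bridge (connman's default name is tether) to appear instead of assuming success. SSID and passphrase are constructed placeholders; override them through the environment.

```shell
#!/bin/sh
# Added example, not part of the original post: bring up connman Wi-Fi
# tethering with the checks the three manual commands skip. SSID and
# passphrase below are constructed placeholders; override them via the
# environment. The bridge name "tether" is connman's default.
SSID=${SSID:-EmbexuSpot}
PASSPHRASE=${PASSPHRASE:-change-this-passphrase}

# connman rejects a Wi-Fi tethering passphrase outside 8..63 characters
# (the WPA2-PSK rule); also insist on printable ASCII so it survives
# being typed on a phone keyboard.
valid_wpa_passphrase() {
    [ ${#1} -ge 8 ] && [ ${#1} -le 63 ] && \
        printf '%s' "$1" | LC_ALL=C grep -qv '[^ -~]'
}

# An SSID is 1..32 bytes.
valid_ssid() {
    [ ${#1} -ge 1 ] && [ ${#1} -le 32 ]
}

# Enable forwarding, Wi-Fi and tethering, then wait for the tether bridge
# to exist before declaring success (needs root and connmanctl).
start_hotspot() {
    ssid=$1
    pass=$2
    valid_ssid "$ssid" || { echo "SSID must be 1..32 bytes" >&2; return 1; }
    valid_wpa_passphrase "$pass" || {
        echo "passphrase must be 8..63 printable ASCII characters" >&2
        return 1
    }

    sysctl -w net.ipv4.ip_forward=1
    connmanctl enable wifi
    connmanctl tether wifi on "$ssid" "$pass"

    # Give the driver a few seconds to switch to AP mode and connman to
    # create the bridge; bail out with a clear message instead of hanging.
    i=0
    while ! ip link show tether >/dev/null 2>&1; do
        i=$((i + 1))
        [ "$i" -lt 15 ] || { echo "tether bridge did not come up" >&2; return 1; }
        sleep 1
    done
    connmanctl technologies
}

# Only act when explicitly asked, so the file can be sourced for its checks.
if [ "${HOTSPOT_APPLY:-0}" = 1 ]; then
    start_hotspot "$SSID" "$PASSPHRASE"
fi
```

Run it on the board as `HOTSPOT_APPLY=1 SSID=EmbexuSpot PASSPHRASE='a long passphrase' sh hotspot.sh`; without HOTSPOT_APPLY it only defines the functions.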

 

Firewall Setup

To restrict the guests to web browsing only (no BitTorrent, no other nasty stuff) we configure the firewall. Two things are easy to get wrong here. First, guest traffic never passes through INPUT or OUTPUT: it comes in on the bridge connman creates for tethering and goes out on the Ethernet interface, so it is evaluated in the FORWARD chain, while INPUT and OUTPUT only govern traffic to and from the hotspot itself. Second, guests get their address and name resolution from connman's own DHCP server and DNS proxy on the tethering bridge, so with a default-DROP INPUT policy those two services must be allowed explicitly or the guests never get online at all. The rules below assume the upstream interface is eth0 and the bridge has connman's default name tether; check both with `ip link`.

# Interfaces: the upstream Ethernet port and the bridge connman creates for
# tethering ("tether" by default; check both with ip link)
$ WAN=eth0
$ LAN=tether

# Flush the filter table (the nat table, where connman put its MASQUERADE
# rule, is left alone)
$ iptables -F
$ iptables -X

# Drop everything by default, on the hotspot itself and for forwarded traffic
$ iptables -P INPUT DROP
$ iptables -P OUTPUT DROP
$ iptables -P FORWARD DROP

# Allow traffic on the loopback interface
$ iptables -A INPUT  -i lo -j ACCEPT
$ iptables -A OUTPUT -o lo -j ACCEPT

# Allow replies to connections accepted below (stateful; this replaces
# --sport 53/80/443 rules on INPUT, which would let any remote host reach
# any local port simply by sending from source port 80)
$ iptables -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ iptables -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Guests -> hotspot: DHCP and DNS are served by connman on the tether bridge
$ iptables -A INPUT  -i $LAN -p udp --dport 67 -j ACCEPT
$ iptables -A OUTPUT -o $LAN -p udp --sport 67 --dport 68 -j ACCEPT
$ iptables -A INPUT  -i $LAN -p udp --dport 53 -j ACCEPT
$ iptables -A INPUT  -i $LAN -p tcp --dport 53 -j ACCEPT

# Guests -> internet: only DNS, http, https and ping are forwarded
$ iptables -A FORWARD -i $LAN -o $WAN -p udp --dport 53  -j ACCEPT
$ iptables -A FORWARD -i $LAN -o $WAN -p tcp --dport 53  -j ACCEPT
$ iptables -A FORWARD -i $LAN -o $WAN -p tcp --dport 80  -j ACCEPT
$ iptables -A FORWARD -i $LAN -o $WAN -p tcp --dport 443 -j ACCEPT
$ iptables -A FORWARD -i $LAN -o $WAN -p icmp --icmp-type echo-request -j ACCEPT

# Hotspot -> internet: its own DHCP client on the upstream side, DNS (the
# proxy forwards the guests' queries upstream), http and https
$ iptables -A OUTPUT -o $WAN -p udp --sport 68 --dport 67 -j ACCEPT
$ iptables -A INPUT  -i $WAN -p udp --sport 67 --dport 68 -j ACCEPT
$ iptables -A OUTPUT -o $WAN -p udp --dport 53  -j ACCEPT
$ iptables -A OUTPUT -o $WAN -p tcp --dport 53  -j ACCEPT
$ iptables -A OUTPUT -o $WAN -p tcp --dport 80  -j ACCEPT
$ iptables -A OUTPUT -o $WAN -p tcp --dport 443 -j ACCEPT

# Let the hotspot be pinged from either side and ping out itself; the echo
# replies are covered by the ESTABLISHED rules above
$ iptables -A INPUT  -p icmp --icmp-type echo-request -j ACCEPT
$ iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

Guests now get an address and name resolution from the hotspot and can only reach DNS, TCP 80 and TCP 443 (plus ping) upstream; everything else, BitTorrent included, is dropped in FORWARD. Two limits are worth knowing. This is port filtering, not content inspection: anything tunnelled over port 443 (a VPN, or a torrent client pointed at a peer on port 443) still gets through, and guests may still query any DNS server directly rather than the proxy unless you drop port 53 in FORWARD and keep only the INPUT rules. And the rules are lost on reboot unless you save them with iptables-save and restore them at boot. Check the result with `iptables -L -v -n` and, from a guest, confirm that `curl https://example.com` works while a connection to any other port times out.
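The same policy written as an iptables-restore file, as an added example that is not part of the original post. Loading the ruleset this way is atomic, so there is no window where the policies are already DROP but the accept rules are not yet in place, and the one file can be restored again at boot. It assumes, as above, an upstream interface eth0 and connman's default bridge name tether; the check function is my addition and guards against the classic mistake of an unconstrained FORWARD accept slipping in during debugging.

```shell
#!/bin/sh
# Added example, not part of the original post: the guest policy as an
# iptables-restore file, loaded atomically and reusable at boot. Assumed,
# not from the page: upstream interface eth0 and connman's default tethering
# bridge "tether".

# Print the policy for the given upstream (wan) and guest (lan) interfaces.
# Only the filter table is defined, so the nat table with connman's
# MASQUERADE rule is untouched when this file is restored.
hotspot_rules() {
    wan=$1
    lan=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -p udp --dport 67 -j ACCEPT
-A OUTPUT -o $lan -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i $lan -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -p tcp --dport 53 -j ACCEPT
-A FORWARD -i $lan -o $wan -p udp --dport 53 -j ACCEPT
-A FORWARD -i $lan -o $wan -p tcp --dport 53 -j ACCEPT
-A FORWARD -i $lan -o $wan -p tcp --dport 80 -j ACCEPT
-A FORWARD -i $lan -o $wan -p tcp --dport 443 -j ACCEPT
-A FORWARD -i $lan -o $wan -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -o $wan -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $wan -p udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -o $wan -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $wan -p tcp --dport 53 -j ACCEPT
-A OUTPUT -o $wan -p tcp --dport 80 -j ACCEPT
-A OUTPUT -o $wan -p tcp --dport 443 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Sanity check on a ruleset read from stdin: every FORWARD ACCEPT must be
# pinned to guest-in/upstream-out, or be the stateful reply rule. A bare
# "-A FORWARD -j ACCEPT" left over from debugging would turn the hotspot
# into an open router for the guests; catch it before iptables-restore runs.
check_forward_policy() {
    lan=$1
    wan=$2
    bad=$(grep -E '^-A FORWARD .*-j ACCEPT$' \
          | grep -v -- '--ctstate ESTABLISHED,RELATED' \
          | grep -v -- "^-A FORWARD -i $lan -o $wan " || true)
    [ -z "$bad" ]
}

# Typical use on the hotspot (needs root):
#   hotspot_rules eth0 tether > /etc/hotspot.rules
#   check_forward_policy tether eth0 < /etc/hotspot.rules || exit 1
#   iptables-restore --test < /etc/hotspot.rules && iptables-restore < /etc/hotspot.rules
```

`iptables-restore --test` parses the file without committing it, so a syntax error is caught before the live table is replaced; restoring the same file from a boot script keeps the policy across reboots, which rule-by-rule iptables calls do not.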