Set up a guest Wifi hotspot using Yocto
Category : Yocto
In this tutorial we will show how to set up a guest Wifi hotspot and configure it so that guests can do nothing but web surfing.
We will showcase this setup using Poky/Yocto as the Linux distribution and connman as the network manager. As hardware we will use:
- Raspberry-Pi
- Beaglebone-black
For both boards we will use a Realtek RTL8192CU-based Wifi USB dongle.
Yocto Layers Setup
First we clone the Poky repository:
$ cd Projects
$ git clone -b master git://git.yoctoproject.org/poky
Add the meta-raspberrypi layer:
$ cd poky
$ git clone git://git.yoctoproject.org/meta-raspberrypi
Enable it in bblayers.conf (the layer path must be absolute, because BitBake does not expand ~):
$ source oe-init-build-env
$ echo "BBLAYERS += \"$HOME/Projects/poky/meta-raspberrypi\"" >> conf/bblayers.conf
The Beaglebone Black machine configuration is already contained in Poky, so no other layers are needed unless you want to build for hardware not supported by these layers.
Kernel Configuration
In order to support tethering, the following kernel configuration options
need to be enabled either as modules (m) or builtin (y):
CONFIG_BRIDGE
CONFIG_IP_NF_TARGET_MASQUERADE
CONFIG_NETFILTER
CONFIG_NF_CONNTRACK_IPV4
CONFIG_NF_NAT_IPV4
For routing and traffic statistics support, the following options need to be enabled as modules (m) or builtin (y):
CONFIG_IP_NF_IPTABLES
CONFIG_IP_MULTIPLE_TABLES
CONFIG_NETFILTER_NETLINK_ACCT
CONFIG_NETFILTER_XT_MATCH_NFACCT
CONFIG_NETFILTER_XT_CONNMARK
CONFIG_NETFILTER_XT_TARGET_CONNMARK
CONFIG_NETFILTER_XT_MATCH_CONNMARK
Finally, the RTL8192CU driver options need to be enabled as modules (m) or builtin (y):
CONFIG_RTL8192CU=m
CONFIG_RTLWIFI=m
#CONFIG_RTLWIFI_DEBUG=y
CONFIG_RTL8192C_COMMON=m
You can use kernel configuration fragments (.cfg files added to the kernel recipe's SRC_URI) to set the options above.
Also make sure that the ip_tables module is autoloaded by setting the following in the kernel recipe or in local.conf:
KERNEL_MODULE_AUTOLOAD_append = " ip_tables"
Yocto Recipes
Your image recipe must include the connman, connman-client (which provides connmanctl) and iptables packages:
require recipes-core/images/core-image-minimal.bb
IMAGE_INSTALL += "connman connman-client iptables"
The rtl8192cu firmware package must also be included:
IMAGE_INSTALL += "linux-firmware-rtl8192cu"
Now build the image for either the Bone or the Pi:
$ MACHINE=beaglebone bitbake hotspot-image
$ MACHINE=raspberrypi bitbake hotspot-image
We can then write the output image to an SD card and boot the corresponding board to set up tethering in connman.
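The layer, kernel fragment, module autoload and image recipe steps above can be kept together in one small layer. The script below is an added example, not part of the original tutorial: it scaffolds a "meta-hotspot" layer (the layer name, the fragment file name hotspot.cfg, and the BBFILE_PRIORITY value are assumptions) containing a minimal layer.conf, the kernel fragment with the options listed above, a bbappend that adds the fragment and the ip_tables autoload to the kernel recipe, and the hotspot-image recipe. It assumes that both linux-yocto (Beaglebone) and linux-raspberrypi accept .cfg fragments through SRC_URI; check the BSP kernel recipe before relying on that.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: scaffold a small
# "meta-hotspot" Yocto layer carrying the kernel fragment, the ip_tables
# autoload setting and the hotspot-image recipe. Layer name, fragment
# file name and priority are assumptions. Usage: sh make-layer.sh [dir]
set -e

LAYER="${1:-meta-hotspot}"

write_layer_conf() {
    mkdir -p "$LAYER/conf"
    # Minimal layer.conf so bitbake finds the recipes and bbappends here
    cat > "$LAYER/conf/layer.conf" <<'EOF'
BBPATH .= ":${LAYERDIR}"
BBFILES += "${LAYERDIR}/recipes-*/*/*.bb ${LAYERDIR}/recipes-*/*/*.bbappend"
BBFILE_COLLECTIONS += "hotspot"
BBFILE_PATTERN_hotspot = "^${LAYERDIR}/"
BBFILE_PRIORITY_hotspot = "6"
EOF
}

write_kernel_fragment() {
    mkdir -p "$LAYER/recipes-kernel/linux/files"
    # Tethering, routing/accounting and RTL8192CU options from the tutorial;
    # bool options (NETFILTER, IP_MULTIPLE_TABLES) can only be y
    cat > "$LAYER/recipes-kernel/linux/files/hotspot.cfg" <<'EOF'
CONFIG_BRIDGE=m
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_NAT_IPV4=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NETFILTER_XT_MATCH_NFACCT=m
CONFIG_NETFILTER_XT_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_RTLWIFI=m
CONFIG_RTL8192C_COMMON=m
CONFIG_RTL8192CU=m
EOF
    # One bbappend per kernel recipe (Bone and Pi); "%" matches any version.
    # Assumption: both recipes merge .cfg fragments listed in SRC_URI.
    for recipe in linux-yocto linux-raspberrypi; do
        cat > "$LAYER/recipes-kernel/linux/${recipe}_%.bbappend" <<'EOF'
FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
SRC_URI += "file://hotspot.cfg"
KERNEL_MODULE_AUTOLOAD_append = " ip_tables"
EOF
    done
}

write_image_recipe() {
    mkdir -p "$LAYER/recipes-core/images"
    cat > "$LAYER/recipes-core/images/hotspot-image.bb" <<'EOF'
require recipes-core/images/core-image-minimal.bb
IMAGE_INSTALL += "connman connman-client iptables linux-firmware-rtl8192cu"
EOF
}

scaffold_layer() {
    write_layer_conf
    write_kernel_fragment
    write_image_recipe
    echo "layer written to $LAYER; add it to conf/bblayers.conf, then:"
    echo "  MACHINE=beaglebone bitbake hotspot-image"
}

scaffold_layer
```

After running it, add the absolute path of the new layer to BBLAYERS in conf/bblayers.conf exactly as was done for meta-raspberrypi, and bitbake will pick up hotspot-image and the kernel bbappends.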
Connman Setup
Plug a network cable into the Ethernet interface and enable IP forwarding, which NAT (Network Address Translation) relies on:
$ sysctl -w net.ipv4.ip_forward=1
Enable Wifi:
$ connmanctl enable wifi
Finally, activate tethering for Wifi using EmbexuSpot as SSID and 12345678 as password:
$ connmanctl tether wifi on EmbexuSpot 12345678
Firewall Setup
To restrict guests to web browsing only (no BitTorrent, no nasty stuff) we configure the firewall with the following rules:
# Flush existing tables
$ iptables -F
$ iptables -X
# Drop every connection by default
$ iptables -P INPUT DROP
$ iptables -P OUTPUT DROP
$ iptables -P FORWARD DROP
# Allow DNS traffic on TCP/UDP
$ iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
$ iptables -A INPUT -p tcp --sport 53 -j ACCEPT
$ iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
$ iptables -A INPUT -p udp --sport 53 -j ACCEPT
# Allow traffic on the loopback interface
$ iptables -A INPUT -i lo -j ACCEPT
$ iptables -A OUTPUT -o lo -j ACCEPT
# Allow related connections
$ iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow HTTP traffic
$ iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
$ iptables -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
# Allow HTTPS traffic
$ iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
$ iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
# Allow ping traffic from outside
$ iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$ iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Allow ping traffic from inside
$ iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
$ iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
These rules allow only DNS, HTTP/HTTPS and ping and drop everything else.
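One caveat a practitioner should check: the rules above are in the INPUT and OUTPUT chains, which only see traffic to and from the board itself. Packets from tethered guests enter on the connman bridge and leave on the Ethernet uplink, so they are matched in the FORWARD chain, which the rule set leaves at its DROP policy. The script below is an added example, not part of the original tutorial, showing the same web-only policy applied to forwarded guest traffic. It assumes connman names its tethering bridge "tether" and that the uplink is "eth0" (verify both with `ip link` on the board); with the default DRY_RUN=1 it prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: restrict tethered
# guests (not the box itself) to DNS and HTTP/HTTPS in the FORWARD chain.
# Assumptions: bridge name "tether", uplink "eth0". DRY_RUN=1 (default)
# prints the iptables commands; DRY_RUN=0 applies them (needs root).
TETHER_IF="${TETHER_IF:-tether}"
WAN_IF="${WAN_IF:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# Print or run one iptables command depending on DRY_RUN
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

guest_rules() {
    # Empty only the FORWARD chain and drop forwarded traffic by default
    ipt -F FORWARD
    ipt -P FORWARD DROP
    # Replies to connections the guests opened
    ipt -A FORWARD -i "$WAN_IF" -o "$TETHER_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Name resolution (UDP and TCP)
    for proto in udp tcp; do
        ipt -A FORWARD -i "$TETHER_IF" -o "$WAN_IF" -p "$proto" --dport 53 -j ACCEPT
    done
    # Web browsing only
    for port in 80 443; do
        ipt -A FORWARD -i "$TETHER_IF" -o "$WAN_IF" -p tcp --dport "$port" -j ACCEPT
    done
    # Log (rate limited) and drop everything else from the guest side,
    # so blocked traffic is visible in the kernel log
    ipt -A FORWARD -i "$TETHER_IF" -m limit --limit 5/min \
        -j LOG --log-prefix "guest-drop: "
    ipt -A FORWARD -i "$TETHER_IF" -j DROP
}

# Number of rules that open something; a quick sanity check after edits
accept_count() {
    ( DRY_RUN=1; guest_rules ) | grep -c -e '-j ACCEPT'
}

# True if the generated rule set opens the given TCP port for guests
opens_tcp_port() {
    ( DRY_RUN=1; guest_rules ) | grep -q -e "-p tcp --dport $1 -j ACCEPT"
}

guest_rules
```

Flushing only FORWARD (rather than `iptables -F`) leaves the nat table, and with it any MASQUERADE rule connman installs for the bridge, untouched. The `limit` and `LOG` matches need their own kernel modules (CONFIG_NETFILTER_XT_MATCH_LIMIT and CONFIG_NETFILTER_XT_TARGET_LOG), which the option list above does not include; either add them to the fragment or drop the LOG line. The board's own INPUT/OUTPUT policy from the tutorial can stay in place alongside these rules.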