Network basics related to wifi hosting (2/2) Packet Processing in Linux
This is a series of posts about building a WiFi access point on Kali Linux with a Raspberry Pi.
Please read the previous article first if you haven't already.
In this article, I’ll explain network architecture and its background.
Final Network Configuration
Below is the network architecture that makes the hosted WiFi access point actually work.
Let’s dive into detail!
Packet Processing in the Linux Kernel
When packets reach the Raspberry Pi through the wireless network, the kernel performs filtering, NAT, and other processing on them. This processing (netfilter, configured with iptables) is organized into chains, tables, and rules.
There are five chains: PREROUTING, FORWARD, POSTROUTING, INPUT, and OUTPUT. At each chain there are five tables: raw, mangle, nat, filter, and security. Each rule belongs to one cell of that chain/table matrix.
The whole system is managed in the following way:
Each chain contains the following operations.
The iptables command displays each rule.
$ iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Rule targets are ACCEPT, DROP, RETURN, and various extension targets (MASQUERADE above is one of them).
Packet processing in Linux Kernel
This is the overall picture of packet processing in the Linux kernel.
Inbound
1. Pre-routing processing
2. Forwarding, or passing through the receiving firewall
Outbound
1. Forwarding, or passing through the sending firewall
2. Post-routing processing
The following is a more detailed description of the processing flow.
Inbound packet processing
When a packet arrives at the kernel through the data link layer, the PREROUTING chain's three processing stages (raw, mangle, and nat) are applied, and the subsequent processing depends on whether this host (i.e., this Raspberry Pi) is the final destination of the packet. If yes, the firewall for inbound packets is applied; if no, the packet is forwarded.
After processing according to the FORWARD chain rules, the kernel checks whether it can determine where this packet should be sent. Here, the routing table managed by the kernel is consulted.
You can check the routing table with the route command (or netstat -r).
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.0.1 0.0.0.0 UG 600 0 0 wlan1
192.168.0.0 0.0.0.0 255.255.255.0 U 600 0 0 wlan1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
The most specific matching route is applied (longest prefix match), not the first matching one. In the above example a default route is set, so basically everything is “routable” and the packet goes on to the POSTROUTING chain.
After NAT is applied in the POSTROUTING chain, the packet finally leaves through the outbound interface at the data link layer.
(Optional) Inbound packet processing where the host is the final destination
In this WiFi access point setup, the packets are basically not destined for this host, but for reference, the firewall order for inbound packets is as follows.
(Optional) Processing packets to the Outbound generated by applications
Also, if an application running on Linux sends packets to the outside world through a socket, the outbound packet firewall is applied first.
Summary
This is a summary of the whole process.
The rules I set up this time
When I built the WiFi access point, I added the following two rules to the packet processing.
$ iptables --table nat --append POSTROUTING --out-interface <WLAN1> -j MASQUERADE
$ iptables --append FORWARD --in-interface <WLAN0> -j ACCEPT
- MASQUERADE action in the POSTROUTING chain, “nat” table
- ACCEPT action in the FORWARD chain, “filter” table
MASQUERADE at POSTROUTING
This is a type of NAT action that translates the IPs of hosts in a private network into a single IP address (that of the outgoing interface). Masquerade means “to pretend to be someone else”.
IP masquerade is the name given to one type of network address translation that allows all of the hosts on a private network to use the Internet at the price of a single IP address.
(Quoted from Linux Network Administrator’s Guide, 2nd Edition)
ACCEPT at FORWARD
The intention is to allow forwarding of packets arriving on the interface given by the --in-interface argument. This might already be the default.
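As an added illustration of the routing lookup and the two rules above (not code from the original post): a small Python model of the inbound path, using the route table shown earlier. The Pi's wlan1 address 192.168.0.50 and a DROP policy on the FORWARD chain are assumptions made for the model.

```python
import ipaddress

# Routing table transcribed from the `route` output above; None gateway = directly connected.
ROUTES = [
    # (destination, genmask, gateway, iface)
    ("0.0.0.0",     "0.0.0.0",       "192.168.0.1", "wlan1"),  # default route
    ("192.168.0.0", "255.255.255.0", None,          "wlan1"),
    ("192.168.1.0", "255.255.255.0", None,          "wlan0"),
]
# Addresses of the Pi itself. 192.168.1.1 on wlan0 comes from the ifconfig example
# in the post; 192.168.0.50 on wlan1 is an assumed placeholder (not stated in the post).
LOCAL_ADDRS = {"wlan0": "192.168.1.1", "wlan1": "192.168.0.50"}
FORWARD_POLICY = "DROP"  # assumed chain policy; the post's ACCEPT rule only covers wlan0

def lookup(dst):
    """Longest-prefix match: the most specific route wins, not the first listed one."""
    ip = ipaddress.ip_address(dst)
    best = None
    for dest, mask, gw, iface in ROUTES:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if ip in net and (best is None or net.prefixlen > best["prefixlen"]):
            best = {"prefixlen": net.prefixlen, "gateway": gw, "iface": iface}
    return best  # None means the packet is unroutable

def process(src, dst, in_iface):
    """PREROUTING -> routing decision -> FORWARD (filter) -> POSTROUTING (nat)."""
    pkt = {"src": src, "dst": dst, "in": in_iface}
    if dst in LOCAL_ADDRS.values():              # this host is the final destination
        pkt["verdict"] = "INPUT"
        return pkt
    route = lookup(dst)
    if route is None:
        pkt["verdict"] = "DROP (no route)"
        return pkt
    # FORWARD chain: `iptables --append FORWARD --in-interface wlan0 -j ACCEPT`
    if in_iface != "wlan0" and FORWARD_POLICY == "DROP":
        pkt["verdict"] = "DROP (FORWARD policy)"
        return pkt
    pkt["out"] = route["iface"]
    pkt["next_hop"] = route["gateway"] or dst    # directly connected: deliver to dst itself
    # POSTROUTING chain: `iptables -t nat --append POSTROUTING --out-interface wlan1 -j MASQUERADE`
    if route["iface"] == "wlan1":
        pkt["src"] = LOCAL_ADDRS["wlan1"]        # source rewritten to the Pi's uplink address
    pkt["verdict"] = "FORWARD"
    return pkt
```

Traffic from a wlan0 client to the Internet leaves wlan1 with the Pi's address as source, while traffic entering on wlan1 that tries to reach the wlan0 network is dropped by the assumed policy.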
Command Usage List
Finally, the following is a list of Linux commands I used.
ifconfig
configure a network interface
# Show all network interfaces, whether wireless or wired
$ ifconfig
# Stop the wlan0 interface
$ ifconfig wlan0 down
# Turn on the wlan0 interface
$ ifconfig wlan0 up
# Start the wlan0 interface with its own IP and subnet mask
$ ifconfig wlan0 up 192.168.1.1 netmask 255.255.255.0
iwconfig
configure a wireless network interface
# Show the wireless network interfaces
$ iwconfig
# Switch the mode of the wireless network interface (monitor mode)
$ iwconfig wlan0 mode monitor
iptables
administration tool for IPv4/IPv6 packet filtering and NAT
# Display the nat table rules
$ iptables -t nat -L -v -n
# Without the -t option, the filter table is shown
$ iptables -L -v -n
route
show / manipulate the IP routing table
# Show the IP routing table in the kernel
$ route
# ex) Route packets for 192.168.1.0/24 to 192.168.1.1 (and out through its network interface)
$ route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1
dig
DNS lookup utility
# Query netflix.com
$ dig netflix.com
# Query name server 8.8.8.8 for the domain netflix.com
$ dig netflix.com @8.8.8.8
lsof
list open files
# List the processes using port 53
$ lsof -i :53
That’s it!
Happy WiFi hosting! 🚀
Please read the articles below as well. References for these articles are listed in “Wifi access point on Kali Linux with Raspberry Pi”.