HostAP daemon

Hostapd est un IEEE 802.11 AP et aussi un IEEE 802.1X/WPA/WPA2/EAP/RADIUS authentificateur.

Hostapd permet la création d'un point d'accès Wi-Fi, technologie sans fil utilisée pour se connecter à un réseau informatique. Dans les réseaux informatiques, un point d'accès sans fil (Spot ou AP) est un dispositif qui relie les appareils de communication sans fil pour former un réseau sans fil. Le spot wifi se connecte généralement à un réseau câblé, et peut transmettre des données entre les appareils sans fil et les périphériques câblés. Plusieurs Spots peuvent être liés ensemble pour former un réseau plus large qui permet le "roaming" (l'itinérance). Pour rappel, en revanche, un réseau où les machines clientes gèrent eux-mêmes - sans avoir besoin de point d'accès - devient un réseau ad-hoc.

Votre adaptateur Wi-Fi doit supporter le mode AP ou Master, avant-tout vérifiez que votre adaptateur supporte ce mode avec la commande "iw".

Le mode AP doit apparaître:

# iw list

[...]
Supported interface modes:
                 * IBSS
                 * managed
                 * AP
                 * AP/VLAN
                 * monitor
                 * mesh point
[...]

Installation du daemon :

sudo apt-get install hostapd

Le fichier de configuration /etc/hostapd.conf contient tous les paramètres de configuration de votre du point d'accès Wi-Fi.

La configuration minimale (Wi-Fi ouvert/OPEN) :

# interface wlan du Wi-Fi
interface=wlan0

# nl80211 avec tous les drivers Linux mac80211 
driver=nl80211

# Nom du spot Wi-Fi
ssid=Nexus

# mode Wi-Fi (a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g)
hw_mode=g

# canal de fréquence Wi-Fi (1-14)
channel=6

# Wi-Fi ouvert, pas d'authentification!
auth_algs=0

# Beacon interval in kus (1.024 ms)
beacon_int=100

# DTIM (delivery trafic information message) 
dtim_period=2

# Maximum number of stations allowed in station table
max_num_sta=255

# RTS/CTS threshold; 2347 = disabled (default)
rts_threshold=2347

# Fragmentation threshold; 2346 = disabled (default)
fragm_threshold=2346

Le driver nl80211 est utilisé avec tous les drivers Linux mac80211. Hostapd supporte les adaptateurs Wi-Fi utilisant les drivers madwifi, prism.

Activez le Filtrage des adresses MAC des clients sans fil :

# Station MAC address -based authentication (driver=hostap or driver=nl80211)
# 0 = accept unless in deny list
# 1 = deny unless in accept list
# 2 = use external RADIUS server (accept/deny lists are searched first)
macaddr_acl=1

# Accept/deny lists are read from separate files
accept_mac_file=/etc/hostapd/hostapd.accept
#deny_mac_file=/etc/hostapd/hostapd.deny

Example de fichier hostapd.accept :

b4:24:63:73:f8:14
00:07:a5:f9:a7:80
...

Lancement de hostapd :

hostapd /etc/hostapd/hostapd.conf &

Exemple complet Wi-Fi WPA (WPA-PSK-TKIP) :

##### WPA/IEEE 802.11i configuration ##########################################

# Enable WPA. Setting this variable configures the AP to require WPA (either
# WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
# For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
# RADIUS authentication server must be configured, and WPA-EAP must be included
# in wpa_key_mgmt.
# This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
# and/or WPA2 (full IEEE 802.11i/RSN):
# bit0 = WPA
# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
wpa=1

# WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit
# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase
# (8..63 characters) that will be converted to PSK. This conversion uses SSID
# so the PSK changes when ASCII passphrase is used and the SSID is changed.
# wpa_psk (dot11RSNAConfigPSKValue)
# wpa_passphrase (dot11RSNAConfigPSKPassPhrase)
#wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
wpa_passphrase=passphrase

# Optionally, WPA PSKs can be read from a separate text file (containing list
# of (PSK,MAC address) pairs. This allows more than one PSK to be configured.
# Use absolute path name to make sure that the files can be read on SIGHUP
# configuration reloads.
#wpa_psk_file=/etc/hostapd/hostapd.wpa_psk

# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
# entries are separated with a space. WPA-PSK-SHA256 and WPA-EAP-SHA256 can be
# added to enable SHA256-based stronger algorithms.
# (dot11RSNAConfigAuthenticationSuitesTable)
#wpa_key_mgmt=WPA-PSK WPA-EAP
wpa_key_mgmt=WPA-PSK

# Set of accepted cipher suites (encryption algorithms) for pairwise keys
# (unicast packets). This is a space separated list of algorithms:
# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
# Group cipher suite (encryption algorithm for broadcast and multicast frames)
# is automatically selected based on this configuration. If only CCMP is
# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,
# TKIP will be used as the group cipher.
# (dot11RSNAConfigPairwiseCiphersTable)
# Pairwise cipher for WPA (v1) (default: TKIP)
wpa_pairwise=TKIP
# Pairwise cipher for RSN/WPA2 (default: use wpa_pairwise value)
#rsn_pairwise=CCMP

# Time interval for rekeying GTK (broadcast/multicast encryption keys) in
# seconds. (dot11RSNAConfigGroupRekeyTime)
#wpa_group_rekey=600

# Rekey GTK when any STA that possesses the current GTK is leaving the BSS.
# (dot11RSNAConfigGroupRekeyStrict)
#wpa_strict_rekey=1

# Time interval for rekeying GMK (master key used internally to generate GTKs
# (in seconds).
#wpa_gmk_rekey=86400

# Maximum lifetime for PTK in seconds. This can be used to enforce rekeying of
# PTK to mitigate some attacks against TKIP deficiencies.
#wpa_ptk_rekey=600

# Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up
# roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN
# authentication and key handshake before actually associating with a new AP.
# (dot11RSNAPreauthenticationEnabled)
#rsn_preauth=1
#
# Space separated list of interfaces from which pre-authentication frames are
# accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all
# interface that are used for connections to other APs. This could include
# wired interfaces and WDS links. The normal wireless data interface towards
# associated stations (e.g., wlan0) should not be added, since
# pre-authentication is only used with APs other than the currently associated
# one.
#rsn_preauth_interfaces=eth0

# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e) is
# allowed. This is only used with RSN/WPA2.
# 0 = disabled (default)
# 1 = enabled
#peerkey=1

# ieee80211w: Whether management frame protection (MFP) is enabled
# 0 = disabled (default)
# 1 = optional
# 2 = required
#ieee80211w=0

# Association SA Query maximum timeout (in TU = 1.024 ms; for MFP)
# (maximum time to wait for a SA Query response)
# dot11AssociationSAQueryMaximumTimeout, 1...4294967295
#assoc_sa_query_max_timeout=1000

# Association SA Query retry timeout (in TU = 1.024 ms; for MFP)
# (time between two subsequent SA Query requests)
# dot11AssociationSAQueryRetryTimeout, 1...4294967295
#assoc_sa_query_retry_timeout=201


# okc: Opportunistic Key Caching (aka Proactive Key Caching)
# Allow PMK cache to be shared opportunistically among configured interfaces
# and BSSes (i.e., all configurations within a single hostapd process).
# 0 = disabled (default)
# 1 = enabled
#okc=1

Exemple complet Wi-Fi WPA2 (WPA2-PSK-CCMP) :

##### WPA/IEEE 802.11i configuration ##########################################

# Enable WPA. Setting this variable configures the AP to require WPA (either
# WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
# For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
# RADIUS authentication server must be configured, and WPA-EAP must be included
# in wpa_key_mgmt.
# This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
# and/or WPA2 (full IEEE 802.11i/RSN):
# bit0 = WPA
# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
wpa=2

# WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit
# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase
# (8..63 characters) that will be converted to PSK. This conversion uses SSID
# so the PSK changes when ASCII passphrase is used and the SSID is changed.
# wpa_psk (dot11RSNAConfigPSKValue)
# wpa_passphrase (dot11RSNAConfigPSKPassPhrase)
#wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
wpa_passphrase=passphrase

# Optionally, WPA PSKs can be read from a separate text file (containing list
# of (PSK,MAC address) pairs. This allows more than one PSK to be configured.
# Use absolute path name to make sure that the files can be read on SIGHUP
# configuration reloads.
#wpa_psk_file=/etc/hostapd/hostapd.wpa_psk

# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
# entries are separated with a space. WPA-PSK-SHA256 and WPA-EAP-SHA256 can be
# added to enable SHA256-based stronger algorithms.
# (dot11RSNAConfigAuthenticationSuitesTable)
#wpa_key_mgmt=WPA-PSK WPA-EAP
wpa_key_mgmt=WPA-PSK

# Set of accepted cipher suites (encryption algorithms) for pairwise keys
# (unicast packets). This is a space separated list of algorithms:
# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
# Group cipher suite (encryption algorithm for broadcast and multicast frames)
# is automatically selected based on this configuration. If only CCMP is
# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,
# TKIP will be used as the group cipher.
# (dot11RSNAConfigPairwiseCiphersTable)
# Pairwise cipher for WPA (v1) (default: TKIP)
wpa_pairwise=TKIP CCMP
# Pairwise cipher for RSN/WPA2 (default: use wpa_pairwise value)
rsn_pairwise=CCMP

# Time interval for rekeying GTK (broadcast/multicast encryption keys) in
# seconds. (dot11RSNAConfigGroupRekeyTime)
#wpa_group_rekey=600

# Rekey GTK when any STA that possesses the current GTK is leaving the BSS.
# (dot11RSNAConfigGroupRekeyStrict)
#wpa_strict_rekey=1

# Time interval for rekeying GMK (master key used internally to generate GTKs
# (in seconds).
#wpa_gmk_rekey=86400

# Maximum lifetime for PTK in seconds. This can be used to enforce rekeying of
# PTK to mitigate some attacks against TKIP deficiencies.
#wpa_ptk_rekey=600

# Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up
# roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN
# authentication and key handshake before actually associating with a new AP.
# (dot11RSNAPreauthenticationEnabled)
#rsn_preauth=1
#
# Space separated list of interfaces from which pre-authentication frames are
# accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all
# interface that are used for connections to other APs. This could include
# wired interfaces and WDS links. The normal wireless data interface towards
# associated stations (e.g., wlan0) should not be added, since
# pre-authentication is only used with APs other than the currently associated
# one.
#rsn_preauth_interfaces=eth0

# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e) is
# allowed. This is only used with RSN/WPA2.
# 0 = disabled (default)
# 1 = enabled
#peerkey=1

# ieee80211w: Whether management frame protection (MFP) is enabled
# 0 = disabled (default)
# 1 = optional
# 2 = required
#ieee80211w=0

# Association SA Query maximum timeout (in TU = 1.024 ms; for MFP)
# (maximum time to wait for a SA Query response)
# dot11AssociationSAQueryMaximumTimeout, 1...4294967295
#assoc_sa_query_max_timeout=1000

# Association SA Query retry timeout (in TU = 1.024 ms; for MFP)
# (time between two subsequent SA Query requests)
# dot11AssociationSAQueryRetryTimeout, 1...4294967295
#assoc_sa_query_retry_timeout=201


# okc: Opportunistic Key Caching (aka Proactive Key Caching)
# Allow PMK cache to be shared opportunistically among configured interfaces
# and BSSes (i.e., all configurations within a single hostapd process).
# 0 = disabled (default)
# 1 = enabled
#okc=1

Cette exemple vous permettra de créer un point d'accès Wi-Fi sur une interface wlan0 (Wireless LAN) avec un partage de la connexion Internet d'une autre interface wlan6 (mais aussi bien eth0…)

Client Wi-Fi [PhoneWeb/Blu-Ray Disc/TV] ←—100 mètres—→ AP Wi-Fi ←—[ PC Linux ]—→ Client Wi-Fi ←—300 mètres—→ [Spot/AP Router] Internet

Ce type de configuration WI-Fi permet à des adaptateurs WI-Fi installés sur des périphériques, comme votre WebPhone, votre Blu-Ray Disc ou bien votre Téléviseur par exemple, d'accéder à votre réseau local maison et à Internet. De distribuer en Wi-Fi tout type de contenu, comme de la vidéo, images, musiques par l'intermédiaire de minidlna par exemple…

La création d'un point d'accès Wi-Fi nécessite qu'il existe un sous-réseau configuré derrière ce spot Wi-Fi. Un serveur DHCP distribuera automatiquement des adresses aux clients sans fil. Configurons le serveur dhcpd-server avec un sous-réseau ayant pour adresse et masque 192.168.0.0/24.

Le fichier de configuration /etc/dhcpd3/dhcpd.conf

option domain-name-servers 192.168.0.1;

default-lease-time 600;
max-lease-time 7200;

authoritative;

log-facility local7;

subnet 192.168.0.0 netmask 255.255.255.0 {
     #option domain-name "wifi.localhost";
     option routers 192.168.0.1;
     option subnet-mask 255.255.255.0;
     option broadcast-address 192.168.0.0;
     option domain-name-servers 192.168.0.1; 
     range dynamic-bootp 192.168.0.15 192.168.0.100;
}

Lancement de dhcpd-server :

dhcpd3 -d -f -pf /var/run/dhcp3-server/dhcpd.pid -cf /etc/dhcp3/dhcpd.conf wlan0 &

Notre sous-réseau étant créé, il ne reste plus qu'à configurer un serveur de cache DNS sur notre interface, qui transformera toute demande d'un domaine en adresse Ip.

Attention notre DNS ne fait que lire le fichier '/etc/resolv.conf' déjà alimenté de serveur DNS par une autre interface ayant Internet.

Le fichier de configuration /etc/dnsmasq.conf

bogus-priv
filterwin2k
# no-resolv
interface=wlan0
no-dhcp-interface=wlan0

Bien que dnsmasq puisse distribuer des adresses IPs d'un sous-réseau, nous n'utiliserons pas cette fonctionnalité puisque nous utilisons déjà dhcpd-server.

Lancement de dnsmasq :

dnsmasq -x /var/run/dnsmasq.pid -C /etc/dnsmasq.conf

Notre interface nouvellement créée wlan à besoin de communiquer avec notre seconde interface ayant Internet, nous devons configurer l'Ip forwarding.

Activez la prise en charge de l'IP forwarding, pour faire suivre les paquets d'une interface à l'autre :

echo 1 > /proc/sys/net/ipv4/ip_forward

Ou bien si vous voulez rend cela permanent :

Editez le fichier /etc/sysctl.conf et décommentez la ligne :

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Notre sous-réseau 192.168.0.0/24 étant opérationnel, il ne reste plus qu'à activer la Mascarade et de lui permet de traverser notre firewall.

Pour traduire des adresses entre deux interfaces nous devons activer le masquerading (NAT/Network Address Translation) dans le noyaux Linux :

Chargez le module :

sudo modprobe ipt_MASQUERADE

Activer la mascarade sur l'interface partageant Internet :

sudo iptables -A POSTROUTING -t nat -o wlan6 -j MASQUERADE

Accepter toutes les connexions établies et reliées entre elles :

sudo iptables -A FORWARD --match state --state RELATED,ESTABLISHED --jump ACCEPT

Accepter les nouvelles connexions venant de l'interface wlan0 et ayant pour destination notre sous-réseau :

sudo iptables -A FORWARD -i wlan0 --destination 192.168.0.0/24 --match state --state NEW --jump ACCEPT

Enfin accepter les connexions entrantes venant de notre sous-réseau :

sudo iptables -A INPUT -s 192.168.0.0/24 --jump ACCEPT

Editer le fichier /etc/ufw/sysctl.conf qui doit contenir ceci pour l'activer l'Ip forwarding :

net.ipv4.ip_forward=1

Editer le fichier /etc/ufw/before.rules qui contient les règles de ufw :

Juste après l'entête du fichier ajouter une nouvelle section NAT :

# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic from eth1 through eth0.
-A POSTROUTING -s 192.168.0.0/24 -o wlan6 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT

Dans la section *filter ajoutez :

-A ufw-before-forward -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -i wlan0 -s 192.168.0.0/24 -o wlan6 -m state --state NEW -j ACCEPT

Finalement autorisez le sous-réseau :

sudo ufw allow from 192.168.0.0/24

ou bien avec Gufw :

Fichier bash wifi_ap.sh

#!/bin/bash

#Description: Création d'un point d'accès wifi sur une interface wlan et partage la connexion Internet d'une autre interface avec celle-ci.
#Requirements: Necessite les paquets hostapd dhcp3-server dhcp3-common dhcp3-client dnsmasq dnsmasq-base macchanger
#Optionnel: paquet macchanger optionnel
#Auteur: Nexus6[at]altern.org 01.12.2010

### WARNING : kill hostapd dnsmasq & dhcpd3 à la fin...

# Configuration des interfaces 
INT_WIFI="wlan0" # interface du point d'accès wifi
INT_NET="wlan6" # interface wlan ou eth0 ayant Internet

# IP & mask du sous-réseau créé sur l'interface wlan
SUBNET="192.168.0.0/24" 
IP="192.168.0.1"
MASK="255.255.255.0"
#GW="192.168.0.1"

# Change l'adresse mac ?
MACCHANGER="0" #0=change la MAC, 1 garde la MAC d'origine

# Definition de quelques couleurs 
red='\e[0;31m'
redhl='\e[0;31;7m'
RED='\e[1;31m'
blue='\e[0;34m'
BLUE='\e[1;34m'
cyan='\e[0;36m'
CYAN='\e[1;36m'
NC='\e[0m' # No Color

#Mode Debug Dhcp ?
DBG="-d"
#DBG=""     #Ligne à décommenter pour désactiver le debug du serveur dhcpd


#Regarde si l'execution est bien en root (i.e. sudo)
if [ $USER != "root" ]
then
    echo -e $RED"Vous devez être root pour lancer ce progamme!"$NC
    exit 1
fi

#Verifie si tous les modules sont bien installes
ifconfig=$(which ifconfig) 
if [ $? != 0 ]
then
    echo -e $RED"Erreur Fatale: Un problème est survenue: Impossible de trouver la commande ifconfig!"$NC
    exit 1
fi

hostapd=$(which hostapd)
if [ $? != 0 ]
then
    echo -e $RED"Erreur Fatale: Vous devez installer hostapd!"$NC
    exit 1
fi

dnsmasq=$(which dnsmasq)
if [ $? != 0 ]
then
    echo -e $RED"Erreur Fatale: Vous devez installer dnsmasq!"$NC
    exit 1
fi

dhcpd3=$(which dhcpd3)
if [ $? != 0 ]
then
    echo -e $RED"Erreur Fatale: Vous devez installer dhcpd!"$NC
    exit 1
fi

macchanger=$(which macchanger)
if [ $? != 0 ]
then
    echo -e $RED"Avertissement: macchanger non trouvé. L'adresse mac ne sera pas modifiée!"$NC
    MACCHANGER="1"
fi

#Change les @ MAC si macchanger trouve
if [ $MACCHANGER == "0" ]
then
    echo -e $blue"Macchanger random..."$NC
    sudo $ifconfig $INT_WIFI down
    sudo $macchanger --random $INT_WIFI $NC
fi


echo -e $blue"Démarrage et configuration de l'interface wifi $INT_WIF..."$NC
sudo ifconfig $INT_WIFI down
sleep 0.5
sudo ifconfig $INT_WIFI $IP netmask $MASK up

echo -e $blue"Démarrage deamon hostapd..."$NC
# start hostapd server (see /etc/hostapd/hostapd.conf)
sudo hostapd /etc/hostapd/hostapd.conf &
sleep 1

echo -e $blue"Démarrage deamon dnsmasq... "$NC
# start dnsmasq server (see /etc/dnsmasq.conf) -7 /etc/dnsmasq.d
sudo dnsmasq -x /var/run/dnsmasq.pid -C /etc/dnsmasq.conf
sleep 1

echo -e $blue"Démarrage deamon dhcp3... "$NC
# start or resart dhcpd3 server (see /etc/dhcpd3/dhcpd.conf)
sudo touch /var/lib/dhcp3/dhcpd.leases
#sudo mkdir -p /var/run/dhcp3-server
#sudo chown dhcpd:dhcpd /var/run/dhcp3-server
sudo dhcpd3 $DBG -f -pf /var/run/dhcp3-server/dhcpd.pid -cf /etc/dhcp3/dhcpd.conf $INT_WIFI &
#/etc/init.d/dhcp3-server restart
sleep 2

# Turn on IP forwarding (faire suivre les paquets d'une interface à l'autre)
echo 1 > /proc/sys/net/ipv4/ip_forward

echo -e $blue"Activation iptables NAT MASQUERADE interface $NC$red$INT_NET$NC"
# load masquerade module
sudo modprobe ipt_MASQUERADE
sudo iptables -A POSTROUTING -t nat -o $INT_NET -j MASQUERADE

echo -e $blue"Activation iptables FORWARD & INPUT entre interface $NC $red$INT_WIFI$NC$blue & sous-réseau $NC$red$SUBNET$NC"
sudo iptables -A FORWARD --match state --state RELATED,ESTABLISHED --jump ACCEPT
sudo iptables -A FORWARD -i $INT_WIFI --destination $SUBNET --match state --state NEW --jump ACCEPT
sudo iptables -A INPUT -s $SUBNET --jump ACCEPT

# Wait user interaction !!!
echo -e $redhl"[Terminé!!! Ne pas fermer la console! ]"$NC
echo -e $redhl"[ENTER = STOP hostapd dhcpd3 dnsmasq  ]"$NC
echo -e $redhl"[        STOP interface wifi $INT_WIFI    ]"$NC
echo -e $redhl"[        EFFACE les règles iptables   ]"$NC
read none


echo -e $cyan"Stop hostapd, dhcpd3, dnsmasq & interface wifi $INT_WIFI..."$NC
# kill hostapd, dnsmasq & dhcpd3
sudo killall hostapd dnsmasq dhcpd3
echo -e $cyan"Désactivation iptables NAT MASQUERADE...$NC$red$INT_NET$NC"$NC
sudo iptables -D POSTROUTING -t nat -o $INT_NET -j MASQUERADE 2>/dev/null || echo -e $cyan"POSTROUTING $INT_NET MASQUERADE clean OK!"$NC
sudo iptables -D FORWARD -i $INT_WIFI --destination $SUBNET --match state --state NEW --jump ACCEPT 2>/dev/null || echo -e $cyan"FORWARD $INT_NET/$SUBNET clean OK!"$NC
sudo iptables -D FORWARD --match state --state RELATED,ESTABLISHED --jump ACCEPT 2>/dev/null || echo -e $cyan"FORWARD ESTABLISHED clean OK!"$NC
sudo iptables -D INPUT -s $SUBNET --jump ACCEPT 2>/dev/null || echo -e $cyan"INPUT $SUBNET clean OK!"$NC

echo -e $cyan"Désactivation iptables FORWARD & INPUT...$NC $red$INT_WIFI$NC$blue & $NC$red$SUBNET$NC"
# interface down
sudo ifconfig $INT_WIFI down

# Turn off IP forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
echo -e $blue"Done!"$NC

Lancement :

# ./wifi_ap.sh

L'outil 'iw' permet d'avoir une vue d'ensemble sur notre installation, les clients connectés à l'AP wlan0, l'AP Wi-Fi lui-même wlan0, mais aussi la passerelle Wi-Fi wlan6 vers Internet :

watch -d -n 3 "iw dev wlan0 station dump; iwconfig wlan0; iwconfig mon.wlan0; iw dev wlan6 station dump; iwconfig wlan6;cat /proc/net/wireless"

• http://wireless.kernel.org/en/users/Documentation/hostapd site officiel de hostapd (anglais)
• http://wireless.kernel.org/en/users/Drivers Drivers et Documentations Linux (anglais)
• http://doc.ubuntu-fr.org/partage_de_connexion_internet Partage de connexion Internet

Création par Nexus6