Running Arch Linux

From BubbaWiki

Latest revision as of 19:35, 13 October 2014

Introduction

This guide will help you get your B3 up and running with the latest release of Arch Linux ARM.

Prerequisites

The Arch part

Setting up the root device

There are several ways of doing this, depending on whether you are using a USB device or an HDD as root device.
I'm going to assume that you are using an HDD.

Now boot up your Rescue System.

Once booted, download the latest Arch Linux ARM tarball for Kirkwood. It arrives over plain HTTP and becomes your root filesystem, so compare it with the .md5 checksum the project publishes next to it before you unpack it.

 wget http://archlinuxarm.org/os/ArchLinuxARM-kirkwood-latest.tar.gz

Write a partition table on the device you want to use as root device (replace sd? with the right disk; everything on it will be erased):

 cfdisk /dev/sd? # new -> primary

And format it as EXT4

 mkfs.ext4 /dev/sd?1

Now mount it and unpack the tarball. Do this as root, so that the ownership and permissions of the files inside are preserved:

 mount /dev/sd?1 /mnt
 tar xvf ArchLinuxARM-kirkwood-latest.tar.gz -C /mnt
 umount /mnt

If everything goes well you should have a bootable Arch system. The image ships with default credentials, root/root and a user alarm/alarm; change both with passwd as the first thing you do after logging in, before the box sees any network other than your own.

 [root@alarm ~]# uname -a
 Linux alarm 3.16.1-1-ARCH #1 PREEMPT Fri Aug 15 20:35:00 MDT 2014 armv5tel GNU/Linux

Last but not least, ReedWood has made a repository (https://github.com/ReedWood/bubba3-ArchLinux) with B3 specific things for Arch, that you might want to take a look at.

I have Arch, now what?

Okay, you managed to install Arch on your Bubba. Congratulations! Now comes the configuration step, bringing your barely talkative device back to being a functional router. The following steps are given as a guide to match a configuration similar to the one chosen by Excito. You may choose other configurations or technologies.

Prepare Network Interfaces

We'll first make sure our interfaces get stable, meaningful names. This step is optional, but pays off in the long term: every configuration file below refers to the interfaces by name, and a renumbering after a kernel or driver update could otherwise swap WAN and LAN without warning. We use udev rules to pin each name to a MAC address. Using ip link, note the MAC address of each of the three network interfaces (LAN, WAN and Wifi). Then create /etc/udev/rules.d/10-network.rules and write

 SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:11:22:33:44:55", NAME="wan0"
 SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:11:22:33:44:56", NAME="lan0"
 SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:11:22:33:44:57", NAME="wifi0"

replacing the placeholder MAC addresses with the ones you noted; each line needs its own address, in lower case as ip link prints it. You may choose different names for your interfaces, just remember what you chose for the following configuration files.
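
The rule generation above, as an added example that is not code from this wiki page: a small shell script that lists interfaces and their MAC addresses from ip -o link output, then writes the udev rules from a name-to-MAC mapping and refuses a malformed or reused address. The interface names and the locally administered MAC addresses in the sample output are made up.

```shell
#!/bin/sh
# Added example, not code from the BubbaWiki page: turn "ip -o link" output
# into "name mac" pairs, then build the udev rules from a mapping you choose,
# refusing malformed or reused MACs (pasting one placeholder MAC into every
# line is the easiest mistake to carry over from a template).

# Read "ip -o link" output on stdin, print "interface mac" for every
# interface that has a hardware address (lo and tunnels are skipped).
ip_link_macs() {
    awk '{
        name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
        for (i = 1; i <= NF; i++)
            if ($i == "link/ether") { print name, $(i + 1); break }
    }'
}

# Read "newname mac" pairs on stdin and print the body of
# /etc/udev/rules.d/10-network.rules. Prints nothing and returns 1 if a MAC
# is malformed or appears twice, so a broken file is never installed.
udev_net_rules() {
    nl='
'
    rules=""
    seen=""
    while read -r name mac; do
        [ -n "$name" ] || continue
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')   # sysfs reports lower case
        if ! printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
            echo "malformed MAC for $name: '$mac'" >&2
            return 1
        fi
        case " $seen " in
            *" $mac "*) echo "MAC $mac used for more than one name (last: $name)" >&2
                        return 1 ;;
        esac
        seen="$seen $mac"
        line=$(printf 'SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="%s", NAME="%s"' "$mac" "$name")
        rules="$rules$line$nl"
    done
    printf '%s' "$rules"
}

# Constructed "ip -o link" output in the shape the tool prints; the
# interface names and locally administered MACs are made up.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
4: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:03 brd ff:ff:ff:ff:ff:ff'

# Demo: list what the box has, then generate rules for a chosen mapping.
# On the Bubba replace the sample with:  ip -o link | ip_link_macs
printf '%s\n' "$SAMPLE_IP_LINK" | ip_link_macs
printf 'wan0 02:00:00:00:00:01\nlan0 02:00:00:00:00:02\nwifi0 02:00:00:00:00:03\n' | udev_net_rules
```

Redirect the output of udev_net_rules into /etc/udev/rules.d/10-network.rules only after checking its exit status; an empty file is what you get when a MAC was wrong, which is far better than two rules fighting over one interface.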

Network Configuration

The netctl way

Netctl (https://wiki.archlinux.org/index.php/Netctl) is a profile-based network configuration tool, quite powerful, that integrates well with systemd. It should be installed by default; if not, install it.

 # pacman -S netctl

Profiles live in /etc/netctl. We will create two profiles: one for the WAN (external) interface, another for the LAN (internal) network, which combines the ethernet port and the wifi. Create a first file, named something like wan. Use the following if the Bubba needs a static IP on that network (here the 192.168.0.x address space):

 Description='Interface to Internet'
 Interface=wan0
 Connection=ethernet
 IP=static
 Address=('192.168.0.2/24')
 Gateway='192.168.0.1'
 DNS=('192.168.0.1')
 SkipNoCarrier=yes

To get a dynamic IP, you need less:

 Description='Interface to Internet'
 Interface=wan0
 Connection=ethernet
 IP=dhcp
 SkipNoCarrier=yes

Now, let's configure the internal network. We will create a bridge, called br0, combining lan0 and wifi0 into a single virtual interface. First, install the required bridging tool:

 # pacman -S bridge-utils

Netctl will take care of the rest. Create a profile named to your liking, e.g. bridge. Only lan0 is listed here: hostapd adds wifi0 to the bridge itself when it starts (see the bridge= setting in its configuration below).

 Description="LAN/Wifi Bridge connection"
 Interface=br0
 Connection=bridge
 BindsToInterfaces=(lan0) # hostapd will add wifi0 automatically
 IP=static
 Address=('192.168.1.1/24')

Now, enable the profiles so that they are started at boot:

 # netctl enable wan
 # netctl enable bridge

If you don't want to reboot, you can try

 # udevadm control --reload-rules
 # udevadm trigger --attr-match=subsystem=net
 # netctl start wan
 # netctl start bridge

but remember that this renames and reconfigures the very interface your SSH session runs over: the session will drop, possibly before the last commands have run. Do it from a console if you have one, or simply reboot.

The systemd networkd way

All my attempts to understand this daemon failed miserably until now, so someone else, please write this section. :)

Wifi Access Point

Let's now set up the software access point (https://wiki.archlinux.org/index.php/Software_access_point), which will allow other devices to join the internal network over wifi. We'll use hostapd (http://wireless.kernel.org/en/users/Documentation/hostapd) for this, configured to create a WPA2 protected access point. However, the Bubba by itself gathers entropy slowly, and hostapd needs fresh randomness for every WPA2 key exchange; with a starved entropy pool, clients wait a long time to associate. So we'll also install haveged (http://www.issihosts.com/haveged/), an entropy generator daemon that feeds the kernel pool.

 # pacman -S hostapd haveged

The configuration of hostapd lives in /etc/hostapd/hostapd.conf. Here is a sample configuration. Note that comments are on their own lines: hostapd takes everything after the '=' as the value and does not strip a trailing '# ...'.

 ssid=<your network name>
 # Use one of the following two lines
 #wpa_passphrase=<the clear text wifi password>
 wpa_psk=<the psk= value printed by "wpa_passphrase <SSID> <password>">
 interface=wifi0
 bridge=br0
 # Open system authentication only, which is all WPA2 needs (2 or 3 would also enable the WEP-era shared key authentication)
 auth_algs=1
 # Unlock channels for your country, here Sweden
 country_code=SE
 # Channel to use (best performance when 2 channels away from other channels used in the neighbourhood)
 channel=7
 driver=nl80211
 hw_mode=g
 logger_stdout=-1
 logger_stdout_level=2
 max_num_sta=5
 # WPA2 only, with AES-CCMP as the sole pairwise cipher; the wpa_pairwise (WPA1/TKIP) setting is not needed with wpa=2
 wpa=2
 wpa_key_mgmt=WPA-PSK
 rsn_pairwise=CCMP

You can find more options in the commented hostapd.conf (http://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf). wpa_passphrase is part of the wpa_supplicant package; it is not required on the Bubba, you can run it on your own PC and paste the psk= line. Whichever form you use, the file contains the network key, so make it readable by root only.
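
As an added example that is not from this wiki page or from hostapd: a shell script that generates a random 256-bit key for wpa_psk, lints a hostapd.conf for the weak settings mentioned above (inline comments, shared-key authentication, TKIP, WPA1, short passphrases) and installs a clean config with mode 600. The two sample configs are constructed; the 20-character passphrase threshold and the destination argument are this example's choices.

```shell
#!/bin/sh
# Added example, not code from the BubbaWiki page or from hostapd: make a
# random 256-bit PSK for hostapd.conf, lint a config for the weak settings
# discussed above, and only then install it readable by root alone.

# 64 hex digits straight from the kernel CSPRNG. hostapd takes this as
# wpa_psk=; it is the PMK itself, so there is no passphrase for an offline
# dictionary attack on a captured 4-way handshake to recover.
gen_wpa_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Lint a hostapd.conf read from stdin. Prints one finding per line and
# returns 1 if there was any, 0 if the config is clean.
lint_hostapd_conf() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;              # blank or comment line
        esac
        key=${line%%=*}
        val=${line#*=}
        # hostapd does not strip a trailing "# ..." from a value; "SE # ..."
        # only works because the first two characters happen to parse.
        case "$key" in
            ssid|wpa_passphrase) ;;           # '#' is legitimate in these
            *) case "$val" in
                   *'#'*) echo "inline comment becomes part of the value: $line"
                          findings=1 ;;
               esac ;;
        esac
        case "$key=$val" in
            wpa=1|wpa=3)
                echo "WPA1 (TKIP) accepted: $line"; findings=1 ;;
            rsn_pairwise=*TKIP*)
                echo "TKIP allowed as WPA2 pairwise cipher: $line"; findings=1 ;;
            auth_algs=2|auth_algs=3)
                echo "shared-key (WEP) authentication enabled: $line"; findings=1 ;;
            wpa_passphrase=*)
                [ "${#val}" -ge 20 ] ||
                    { echo "wpa_passphrase shorter than 20 characters"; findings=1; } ;;
            wpa_psk=*)
                printf '%s\n' "$val" | grep -Eq '^[0-9a-fA-F]{64}$' ||
                    { echo "wpa_psk is not 64 hex digits"; findings=1; } ;;
        esac
    done
    return $findings
}

# Install a config only if it lints clean. The file holds the network key,
# so mode 600 keeps it from every local user except root.
install_hostapd_conf() {   # usage: install_hostapd_conf <source> [destination]
    dest=${2:-/etc/hostapd/hostapd.conf}
    lint_hostapd_conf < "$1" || return 1
    install -m 600 "$1" "$dest"
}

# Constructed sample in the shape of the wiki's config, weak bits included.
WEAK_CONF='ssid=bubba
wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
interface=wifi0
bridge=br0
auth_algs=3
country_code=SE # Unlock channels for your country
channel=7
driver=nl80211
hw_mode=g
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP'

# The same config with the findings fixed.
HARDENED_CONF='ssid=bubba
wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
interface=wifi0
bridge=br0
auth_algs=1
# Unlock channels for your country, here Sweden
country_code=SE
channel=7
driver=nl80211
hw_mode=g
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP'

# Demo: the weak sample is rejected, the hardened one accepted.
printf '%s\n' "$WEAK_CONF" | lint_hostapd_conf || echo "weak sample rejected"
printf '%s\n' "$HARDENED_CONF" | lint_hostapd_conf && echo "hardened sample accepted"
echo "wpa_psk=$(gen_wpa_psk)"
```

With a raw wpa_psk, clients enter the same 64 hex digits instead of a passphrase; wpa_supplicant takes them as psk= and many other clients accept them as the network key. If a client insists on a passphrase, keep it long and derive wpa_psk from it with wpa_passphrase as the page describes; the lint will still catch the other weak settings.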

You're ready to activate the services.

 # systemctl enable hostapd
 # systemctl enable haveged
 # systemctl start haveged
 # systemctl start hostapd

NAT and Firewall

Using Shorewall

The Shoreline Firewall (https://wiki.archlinux.org/index.php/Shorewall) is a simple to use, yet powerful, overlay to iptables. It is configured through several files in /etc/shorewall. For a good start, we'll pull the template for a typical two-interfaces configuration.

 # cp /usr/share/doc/shorewall/Samples/two-interfaces/* /etc/shorewall/

Now, let's look in /etc/shorewall. In the file interfaces, you map network interfaces to Shorewall's zones; later, we will define rules between zones.

 #ZONE   INTERFACE       OPTIONS
 net     wan0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,arp_filter=1
 loc     br0             tcpflags,nosmurfs,routefilter,logmartians

You may review the options I suggest according to your needs, referring to the shorewall-interfaces manpage (http://shorewall.net/manpages/shorewall-interfaces.html). I consider the net zone to be the hostile Internet, and the loc zone the private network. routefilter turns on reverse-path filtering, nosmurfs drops packets with a broadcast source, and arp_filter=1 makes the kernel answer ARP on wan0 only for addresses it would route out of wan0, so ARP who-has requests coming from the Internet cannot discover devices on the private network. If you have a static IP on the wan interface, remove the dhcp option from the net zone. If you plan to run a DHCP server on the Bubba, activate the dhcp option on the zones the server will serve (probably only loc).

The policy file should already allow traffic from loc to net. By default, however, the firewall itself (the Bubba) may not reach the Internet. To change this, modify the file so the policies read as follows; the net to all DROP line is what makes unsolicited connections from the Internet disappear, logged at level info:

 #SOURCE       DEST          POLICY         LOG LEVEL      LIMIT:BURST
 
 $FW           net           ACCEPT
 loc           net           ACCEPT
 net           all           DROP           info
 # THE FOLLOWING POLICY MUST BE LAST
 all           all           REJECT         info

To activate masquerading, edit the masq file and replace the interface name used in the sample (eth0) with the one you actually use as outgoing interface (wan0).

Edit the rules file to allow the necessary services. The following two lines show, as an example, how to allow SSH on the usual port (22) from the local network, and on an alternative port (8022) from the Internet. Your SSH server has to be configured accordingly (a matching Port line in sshd_config), and since a non-standard port hides nothing from a port scanner, an Internet-facing sshd should accept keys only, not passwords.

 SSH(ACCEPT)     loc       $FW
 ACCEPT          net       $FW       tcp      8022
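
As an added example that is neither from this wiki page nor from Shorewall: a shell script that reads the TCP ports the rules file opens from net to the firewall itself and checks them against sshd_config, flagging a port nothing listens on and an sshd that still accepts passwords. The sample rules and sshd_config contents are constructed.

```shell
#!/bin/sh
# Added example, not code from the BubbaWiki page or from Shorewall: check
# that every TCP port the rules file opens from the net zone to the firewall
# itself is one sshd really listens on, and that an Internet-facing sshd does
# not take passwords. The file contents below are constructed samples.

# TCP ports accepted from net to $FW, one per line, from a Shorewall rules
# file (ACTION SOURCE DEST PROTO DPORT ...). The SSH macro means port 22;
# an explicit ACCEPT line may carry a comma-separated port list.
net_to_fw_tcp_ports() {   # usage: net_to_fw_tcp_ports <rules-file>
    awk '
        /^[[:space:]]*([#?]|$)/ { next }          # comments, ?SECTION, blanks
        $2 == "net" && $3 == "$FW" {
            if ($1 ~ /^SSH\(/) { print 22 }
            else if ($1 ~ /^ACCEPT/ && $4 == "tcp" && $5 != "" && $5 != "-") {
                n = split($5, p, ","); for (i = 1; i <= n; i++) print p[i]
            }
        }' "$1"
}

# Ports sshd listens on, from sshd_config; 22 when no Port line is present.
sshd_ports() {   # usage: sshd_ports <sshd_config>
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    if [ -n "$ports" ]; then printf '%s\n' "$ports"; else echo 22; fi
}

# 0 if sshd_config turns password logins off, 1 otherwise (the default is
# yes). sshd honours the first occurrence of a keyword, so we do the same.
sshd_passwords_disabled() {   # usage: sshd_passwords_disabled <sshd_config>
    awk 'tolower($1) == "passwordauthentication" && v == "" { v = tolower($2) }
         END { if (v == "no") exit 0; exit 1 }' "$1"
}

# Cross-check the two files; prints findings and returns 1 if anything is off.
check_ssh_exposure() {   # usage: check_ssh_exposure <rules-file> <sshd_config>
    ok=0
    for p in $(net_to_fw_tcp_ports "$1"); do
        if sshd_ports "$2" | grep -qx "$p"; then
            echo "tcp/$p: open from the Internet and sshd listens there"
        else
            echo "tcp/$p: open from the Internet but no Port $p in sshd_config"
            ok=1
        fi
    done
    if sshd_passwords_disabled "$2"; then
        echo "PasswordAuthentication no: keys only, good"
    else
        echo "sshd still accepts passwords; set PasswordAuthentication no before exposing it"
        ok=1
    fi
    return $ok
}

# Constructed samples: the two rule lines from the wiki under Shorewall's
# section header, and two sshd_config variants.
SAMPLE_RULES='?SECTION NEW
SSH(ACCEPT)     loc       $FW
ACCEPT          net       $FW       tcp      8022'
SSHD_GOOD='Port 22
Port 8022
PasswordAuthentication no
PubkeyAuthentication yes'
SSHD_BAD='Port 22'

# Demo: the consistent pair passes, the default sshd_config is flagged twice.
d=$(mktemp -d)
printf '%s\n' "$SAMPLE_RULES" > "$d/rules"
printf '%s\n' "$SSHD_GOOD" > "$d/sshd_config"
check_ssh_exposure "$d/rules" "$d/sshd_config" && echo "consistent"
printf '%s\n' "$SSHD_BAD" > "$d/sshd_config"
check_ssh_exposure "$d/rules" "$d/sshd_config" || echo "mismatch found"
rm -rf "$d"
```

On the Bubba run check_ssh_exposure /etc/shorewall/rules /etc/ssh/sshd_config before starting Shorewall, and again after every edit of either file; the two files drift apart easily, and the cheap failure mode (SSH from outside stops working) is much better than the expensive one (a password-guessable sshd on the Internet).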

Last but not least, enable Shorewall by changing the first option in /etc/shorewall/shorewall.conf:

 STARTUP_ENABLED=Yes

Check the configuration first; shorewall check compiles it without loading anything and reports mistakes before you can lock yourself out. Then activate the firewall:

 # systemctl enable shorewall
 # systemctl start shorewall