Difference between revisions of "Running Arch Linux"
m (→Setting up the root device: Update links to mybubba.org)
(Setup the Bubba as a router from a base install)
Latest revision as of 19:35, 13 October 2014
Introduction
This guide will help you to get your B3 up and running with the latest release of Arch Linux.
Prerequisites
- Serial console access on the B3
- The latest community u-boot (see the wiki's flashing tips)
- A USB device with the Rescue System
The Arch part
Setting up the root device
There are several ways of doing this, depending on whether you are using a USB device or an HDD as root device.
I'm going to assume that you are using an HDD.
Now boot up your Rescue System.
Once booted, download the latest Arch tarball:
wget http://archlinuxarm.org/os/ArchLinuxARM-kirkwood-latest.tar.gz
The download is plain HTTP and nothing here is signed, so at minimum fetch the .md5 that Arch Linux ARM publishes next to its tarballs and compare it (md5sum -c) before unpacking. That catches a truncated or corrupted download, not a tampered one.
Write a partition table on the device you want to use as root device. Double-check the device name first (lsblk or cat /proc/partitions): the USB stick carrying the Rescue System is a /dev/sd? device too, and whatever you name here is wiped.
cfdisk /dev/sd?   # new -> primary
And format it as EXT4
mkfs.ext4 /dev/sd?1
Now mount it and unpack the good stuff (as root, so that ownership and setuid bits in the tarball are preserved)
mount /dev/sd?1 /mnt
tar xvf ArchLinuxARM-kirkwood-latest.tar.gz -C /mnt
umount /mnt
If everything goes well you should have a bootable Arch system (login root/root). Change that password with passwd before the device is reachable from any network; the stock tarball also ships a user alarm with password alarm.
[root@alarm ~]# uname -a
Linux alarm 3.16.1-1-ARCH #1 PREEMPT Fri Aug 15 20:35:00 MDT 2014 armv5tel GNU/Linux
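As an added example (not the page's own procedure), the steps above wrapped in shell functions with the two checks worth having before writing to a disk: a checksum comparison against the .md5 Arch Linux ARM publishes next to the tarball (the file name, tarball plus .md5, is an assumption), and a refusal to touch any device that already has something mounted, which catches the Rescue System's own USB stick. The md5 only detects a corrupted download; over plain HTTP it proves nothing about who produced the file.

```shell
#!/bin/sh
# Added example, not from the original page: the root-device steps with
# an integrity check and a destructive-target check in front of them.
# The .md5 file name next to the tarball is an assumption; adjust if it differs.
TARBALL=ArchLinuxARM-kirkwood-latest.tar.gz
URL="http://archlinuxarm.org/os/$TARBALL"

# verify_md5 FILE MD5FILE -> 0 if the digest in MD5FILE matches FILE.
# Accepts the usual "hash  filename" line or a bare hash, any case.
# Integrity against a corrupted download only: over plain HTTP an attacker
# who can swap the tarball can swap the .md5 as well.
verify_md5() {
    file=$1; sumfile=$2
    expected=$(awk 'NR==1 { print tolower($1) }' "$sumfile")
    actual=$(md5sum "$file" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# safe_target DEV -> 0 only if DEV is a block device with nothing mounted from it.
# The rescue system itself lives on a USB stick that also shows up as /dev/sdX,
# so refuse anything that has a mounted partition rather than trusting a guess.
safe_target() {
    dev=$1
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    if grep -q "^$dev" /proc/mounts; then
        echo "$dev has mounted partitions, refusing" >&2; return 1
    fi
}

# install_root DEV -> the page's steps, run only after both checks pass.
install_root() {
    dev=$1
    safe_target "$dev" || return 1
    [ -f "$TARBALL" ] || wget "$URL" || return 1
    [ -f "$TARBALL.md5" ] || wget "$URL.md5" || return 1
    verify_md5 "$TARBALL" "$TARBALL.md5" || { echo "checksum mismatch" >&2; return 1; }
    cfdisk "$dev" || return 1          # interactive: new -> primary -> write
    mkfs.ext4 "${dev}1" || return 1
    mount "${dev}1" /mnt || return 1
    tar xf "$TARBALL" -C /mnt          # as root: ownership and setuid bits are kept
    sync
    umount /mnt
}
# Usage (destructive!): install_root /dev/sdb
```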
Last but not least, ReedWood has made a repository with B3 specific things for Arch, that you might want to take a look at.
I have Arch, now what?
Okay, you managed to install Arch on your Bubba. Congratulations! Now comes the configuration step, turning your barely talkative device back into a functional router. The following steps are given as a guide to match a configuration similar to the one chosen by Excito. You may choose other configurations or technologies.
Prepare Network Interfaces
We'll first make sure our interfaces get stable and useful names. This step is optional, but it pays off in the long term: the firewall rules below are only as good as the interface names they refer to. We simply use udev rules to pin interface names to our liking. Using ip link, identify the MAC address of each of the three network interfaces: LAN, WAN and Wifi. Then create /etc/udev/rules.d/10-network.rules and write
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:11:22:33:44:55", NAME="wan0"
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:11:22:33:44:55", NAME="lan0"
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:11:22:33:44:55", NAME="wifi0"
replacing each placeholder with the corresponding MAC address (lowercase, as sysfs reports it; the match is a literal string comparison). You may choose different names for your interfaces, just remember what you chose for the following configuration files, and avoid names the kernel hands out itself (eth0, wlan0): renaming into that namespace races with the kernel's own enumeration.
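Typing MAC addresses by hand is where the copy-paste mistakes happen. As an added example (not from the original page), here is a small generator that reads the addresses from sysfs and emits the rules file, refusing malformed MACs and kernel-style names. The kernel interface names in the usage line (eth0, eth1, wlan0) are an assumption; check yours with ip link. SYSNET is a knob added only so the generator can be dry-run against a fake sysfs tree.

```shell
#!/bin/sh
# Added example, not from the original page: generate the udev naming rules
# from the running system instead of typing MAC addresses by hand.
# SYSNET is an assumption for testability: point it at a fake tree to dry-run.
SYSNET="${SYSNET:-/sys/class/net}"

# mac_of KERNEL_IFACE -> prints the lowercase MAC, fails if the interface is absent
mac_of() {
    [ -r "$SYSNET/$1/address" ] || { echo "no such interface: $1" >&2; return 1; }
    tr 'A-F' 'a-f' < "$SYSNET/$1/address"
}

# udev_rule MAC NAME -> prints one rule line, after sanity checks:
#  - the MAC must be six hex octets (udev compares the string literally, lowercase)
#  - the new name must not be one the kernel assigns itself (eth*, wlan*),
#    because renaming into that namespace races with kernel enumeration
#  - IFNAMSIZ limits interface names to 15 characters
udev_rule() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    name=$2
    case "$mac" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) ;;
        *) echo "bad MAC: $1" >&2; return 1 ;;
    esac
    case "$name" in
        eth*|wlan*|'') echo "refusing kernel-style name: '$name'" >&2; return 1 ;;
    esac
    [ ${#name} -le 15 ] || { echo "name too long: $name" >&2; return 1; }
    printf 'SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="%s", NAME="%s"\n' "$mac" "$name"
}

# gen_rules kernel_name=new_name ... -> complete rules file on stdout
gen_rules() {
    for pair in "$@"; do
        mac=$(mac_of "${pair%%=*}") || return 1
        udev_rule "$mac" "${pair#*=}" || return 1
    done
}

# Usage on the box (kernel names are an assumption, check `ip link`):
#   gen_rules eth0=wan0 eth1=lan0 wlan0=wifi0 > /etc/udev/rules.d/10-network.rules
```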
Network Configuration
The netctl way
Netctl is a profile-based network configuration tool, powerful and well integrated with systemd. It should be installed by default; if not, install it.
# pacman -S netctl
Profiles are created in /etc/netctl. We will create two profiles, one for the WAN (external) interface, another for the LAN (internal) network, which bundles the ethernet port and the wifi together. Create a first file, named something like wan. Use the following if the Bubba needs a static IP on that network (here the 192.168.0.x address space).
Description='Interface to Internet'
Interface=wan0
Connection=ethernet
IP=static
Address=('192.168.0.2/24')
Gateway='192.168.0.1'
DNS=('192.168.0.1')
SkipNoCarrier=yes
To get a dynamic IP, you don't need that much:
Description='Interface to Internet'
Interface=wan0
Connection=ethernet
IP=dhcp
SkipNoCarrier=yes
Now, let's configure the internal network. We will create a bridge, called br0, joining lan0 and wifi0 into a single virtual interface. First, install the required bridging tool:
# pacman -S bridge-utils
Netctl will take care of the rest. Create a profile named to your liking, e.g. bridge.
Description="LAN/Wifi Bridge connection"
Interface=br0
Connection=bridge
BindsToInterfaces=(lan0) # hostapd will add wifi0 automatically
IP=static
Address=('192.168.1.1/24')
Now enable the profiles so they come up at boot:
# netctl enable wan
# netctl enable bridge
If you don't want to reboot, you can try
# udevadm control --reload-rules
# udevadm trigger --attr-match=subsystem=net
# netctl start wan
# netctl start bridge
but remember that it won't play nice if you're connected through SSH: renaming or reconfiguring the interface you are logged in over drops the session, so do this from the serial console.
The systemd networkd way
All my attempts to understand this daemon failed miserably until now, so someone else, please write this section. :)
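As an added example that is not part of the original page, here is the same layout (wan0 static or DHCP, lan0 enslaved to br0, br0 addressed, wifi0 left for hostapd to add via bridge=br0) expressed as systemd-networkd units. The unit file names and the target directory are parameters of my choosing, so the output can be written to a scratch directory and inspected before it goes to /etc/systemd/network.

```shell
#!/bin/sh
# Added example, not from the original page: the netctl profiles above as
# systemd-networkd units. Interface names, addresses and the target directory
# are parameters; unit file names are an assumption of this script.
# hostapd still adds wifi0 to br0 itself via bridge=br0, so no unit binds it.

# write_networkd NETDIR WAN_IF LAN_IF BRIDGE_IF BRIDGE_ADDR [WAN_ADDR WAN_GW WAN_DNS]
# With the three trailing args the WAN is static, otherwise it uses DHCPv4.
write_networkd() {
    dir=$1 wan=$2 lan=$3 br=$4 braddr=$5
    mkdir -p "$dir" || return 1

    if [ $# -ge 8 ]; then
        printf '[Match]\nName=%s\n\n[Network]\nAddress=%s\nGateway=%s\nDNS=%s\n' \
            "$wan" "$6" "$7" "$8" > "$dir/10-wan.network"
    else
        printf '[Match]\nName=%s\n\n[Network]\nDHCP=ipv4\n' "$wan" > "$dir/10-wan.network"
    fi

    # the bridge device itself
    printf '[NetDev]\nName=%s\nKind=bridge\n' "$br" > "$dir/20-br.netdev"
    # enslave the wired LAN port
    printf '[Match]\nName=%s\n\n[Network]\nBridge=%s\n' "$lan" "$br" > "$dir/30-lan-slave.network"
    # address the bridge; ConfigureWithoutCarrier keeps it configured with no client plugged in
    printf '[Match]\nName=%s\n\n[Network]\nAddress=%s\nConfigureWithoutCarrier=yes\n' \
        "$br" "$braddr" > "$dir/40-br.network"
}

# Usage on the box:
#   write_networkd /etc/systemd/network wan0 lan0 br0 192.168.1.1/24
#   systemctl enable --now systemd-networkd
```

Run it against a scratch directory first; the four files it writes are short enough to read in full before copying them over.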
Wifi Access Point
Let's now set up the software access point, which will allow other devices to connect to the internal network over wifi. We'll use hostapd for this, and configure it to create a WPA2 protected access point. However, the Bubba by itself doesn't generate enough entropy for its cryptographic needs: hostapd draws random nonces for every WPA handshake and holds off the first ones until the kernel pool is seeded, which makes the network slow to join. So we'll also need to install haveged, an entropy generator daemon. (On kernels from 5.6 on, the in-kernel jitter entropy source makes haveged largely redundant.)
# pacman -S hostapd haveged
The configuration of hostapd happens in /etc/hostapd/hostapd.conf. Here is a sample configuration. hostapd only treats lines that start with # as comments, so keep remarks on their own lines rather than after a value:
# Network name
ssid=<your network name>
# Use one of the following two lines: either the clear-text password, or the
# 64-hex-digit psk= value printed by "wpa_passphrase <SSID> <password>"
#wpa_passphrase=<the clear text wifi password>
wpa_psk=<generated by "wpa_passphrase <SSID> <password>">
interface=wifi0
bridge=br0
# 1 = open system authentication, which is all WPA2 needs; 3 also allows shared-key, a WEP-only mechanism
auth_algs=3
# Unlock the channels allowed in your country, here Sweden
country_code=SE
# Channel to use (best performance when 2 channels away from other channels used in the neighbourhood)
channel=7
driver=nl80211
hw_mode=g
logger_stdout=-1
logger_stdout_level=2
max_num_sta=5
# WPA2 (RSN) only, with CCMP (AES) as the only cipher; wpa_pairwise applies to WPA1 and is unused with wpa=2
rsn_pairwise=CCMP
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
You can find more options in the commented hostapd.conf. wpa_passphrase is included in the wpa_supplicant package, but it can be run from your own PC; it is not required on the Bubba. Whichever form you use, the file holds the network secret, so make it readable by root only (chmod 600 /etc/hostapd/hostapd.conf).
You're ready to activate the services.
# systemctl enable hostapd
# systemctl enable haveged
# systemctl start haveged
# systemctl start hostapd
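Before restarting hostapd it is worth checking the file for the mistakes the sample above invites. As an added example (not the page's or hostapd's own code), the lint below parses hostapd.conf the way hostapd does (only lines beginning with # are comments, last occurrence of a key wins) and fails on trailing comments, anything weaker than WPA2 with CCMP only, a malformed PSK or passphrase, and a file readable by anyone but root. The finding texts and the FAIL/WARN labels are my own convention.

```shell
#!/bin/sh
# Added example, not part of the original page: a pre-flight lint for
# /etc/hostapd/hostapd.conf. hostapd only treats lines *starting* with '#'
# as comments; a trailing "# remark" becomes part of the value, which works
# by accident for numeric keys and silently corrupts wpa_passphrase.

# conf_get FILE KEY -> raw value of KEY (last occurrence wins, as in hostapd)
conf_get() {
    awk -F= -v k="$2" '$0 !~ /^[ \t]*#/ && $1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# lint_hostapd FILE -> one finding per line on stdout, returns 1 if any FAIL
lint_hostapd() {
    f=$1; rc=0
    # 1. trailing comments on value lines
    if grep -nE '^[^#].*[[:space:]]#' "$f"; then
        echo "FAIL: the lines above carry trailing comments; move them to their own '#' line"; rc=1
    fi
    # 2. WPA2 only, CCMP only. rsn_pairwise falls back to wpa_pairwise when unset,
    #    which is how a "TKIP CCMP" WPA1 line leaks into the WPA2 cipher list.
    [ "$(conf_get "$f" wpa)" = 2 ] || { echo "FAIL: wpa must be 2 (WPA2 only)"; rc=1; }
    rp=$(conf_get "$f" rsn_pairwise); [ -n "$rp" ] || rp=$(conf_get "$f" wpa_pairwise)
    case " $rp " in
        *" TKIP "*) echo "FAIL: RSN pairwise ciphers include TKIP ($rp)"; rc=1 ;;
        *" CCMP "*) ;;
        *) echo "FAIL: rsn_pairwise must include CCMP"; rc=1 ;;
    esac
    # 3. exactly one of wpa_passphrase / wpa_psk, and a well-formed one
    pp=$(conf_get "$f" wpa_passphrase); psk=$(conf_get "$f" wpa_psk)
    if [ -n "$pp" ] && [ -n "$psk" ]; then
        echo "FAIL: both wpa_passphrase and wpa_psk are set"; rc=1
    elif [ -n "$psk" ]; then
        printf '%s' "$psk" | grep -qE '^[0-9a-fA-F]{64}$' || { echo "FAIL: wpa_psk must be 64 hex digits"; rc=1; }
    elif [ -n "$pp" ]; then
        [ ${#pp} -ge 8 ] && [ ${#pp} -le 63 ] || { echo "FAIL: wpa_passphrase must be 8-63 characters"; rc=1; }
    else
        echo "FAIL: neither wpa_passphrase nor wpa_psk is set"; rc=1
    fi
    # 4. the file holds the network secret: nobody but root should read it
    perm=$(stat -c %a "$f" 2>/dev/null || echo 600)
    case "$perm" in
        *00) ;;
        *) echo "FAIL: mode $perm is too open, chmod 600 $f"; rc=1 ;;
    esac
    return $rc
}
# Usage: lint_hostapd /etc/hostapd/hostapd.conf && systemctl restart hostapd
```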
NAT and Firewall
Using Shorewall
The Shoreline Firewall (Shorewall) is a simple yet powerful front end to iptables. Its configuration lives in several files in /etc/shorewall. For a good start, we'll pull the template for a typical two-interface configuration.
# cp /usr/share/doc/shorewall/Samples/two-interfaces/* /etc/shorewall/
Now, let's look in /etc/shorewall. In the file interfaces, you map network interfaces to Shorewall's zones. Later, we will define rules between zones.
#ZONE   INTERFACE   OPTIONS
net     wan0        dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,arp_filter=1
loc     br0         tcpflags,nosmurfs,routefilter,logmartians
You may review the options suggested here according to your needs, referring to the shorewall-interfaces manpage. The net zone is the hostile Internet, the loc zone the private network. arp_filter=1 makes the kernel answer an ARP request on wan0 only if it would route the reply out of wan0; if the goal is that the Bubba never answers ARP on wan0 for addresses that live on br0, arp_ignore=1 (also an interfaces option) is what enforces that. If you have a static IP on the wan interface, remove the dhcp option from the net zone. If you plan to run a DHCP server on the Bubba, add the dhcp option on the interfaces it will serve (probably only loc). Because br0 is a bridge, add routeback to its options if the kernel passes bridged frames through iptables (br_netfilter); otherwise traffic between the wired and wifi ports is seen as loc to loc on one interface and dropped.
The policy file should already be configured to allow traffic to go from loc to net. However, by default the firewall itself (the Bubba) may not access the Internet. To change this, modify the file:
#SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
$FW     net     ACCEPT
loc     net     ACCEPT
net     all     DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info
To activate masquerading, edit the file masq and replace the interface name in the sample (eth0) with the one you actually use as outgoing interface (wan0). Newer Shorewall releases ship an snat file in these samples instead of masq; the interface reference is what needs changing in either case.
Edit the rules file to allow the necessary services. The following two lines show as an example how to enable SSH on the usual port (22) for local connections, and on an alternative port for connections coming from the Internet (your SSH server has to be configured accordingly, i.e. a second Port 8022 line in /etc/ssh/sshd_config next to Port 22).
SSH(ACCEPT)  loc   $FW
ACCEPT       net   $FW   tcp   8022
Moving the port only hides SSH from the crudest scanners. For a port reachable from net, add a rate limit in the RATE LIMIT column (the eighth one, e.g. ACCEPT net $FW tcp 8022 - - s:ssh:3/min:5) and use key-only authentication in sshd_config.
Last but not least, enable Shorewall by changing the first option in /etc/shorewall/shorewall.conf:
STARTUP_ENABLED=Yes
Check that the configuration compiles, then activate the firewall:
# shorewall check
# systemctl enable shorewall
# systemctl start shorewall
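shorewall check validates syntax, not intent. As an added example (not from the original page or from Shorewall), the script below checks the things this section actually cares about before the first start: that wan0 sits in zone net and br0 in loc, that the policy file still ends in the catch-all REJECT, that masq (or snat, in newer releases) references wan0 rather than the sample's eth0, and that nothing ACCEPTs from net without a rate limit. The directory is a parameter so a copy of /etc/shorewall can be checked; the FAIL/WARN wording is my own.

```shell
#!/bin/sh
# Added example, not from the original page: an intent check for the Shorewall
# files of this section. Assumes the classic file names (interfaces, policy,
# rules, masq) and accepts snat in place of masq. Comment lines (#) and
# directive lines (?FORMAT ...) are skipped, as Shorewall does.

# zone_of DIR IFACE -> zone the interfaces file maps IFACE to (empty if none)
zone_of() {
    awk -v i="$2" '!/^[#?]/ && $2 == i { print $1; exit }' "$1/interfaces"
}

# last_policy DIR -> "SOURCE DEST POLICY" of the final policy entry
last_policy() {
    awk '!/^[#?]/ && NF >= 3 { l = $1 " " $2 " " $3 } END { print l }' "$1/policy"
}

# unthrottled_net_accepts DIR -> rule lines that ACCEPT from net with no RATE LIMIT
# (eighth column: ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE)
unthrottled_net_accepts() {
    awk '!/^[#?]/ && $1 ~ /^(ACCEPT|[A-Za-z0-9]+\(ACCEPT\))$/ && $2 == "net" && ($8 == "" || $8 == "-")' "$1/rules"
}

# nat_references DIR IFACE -> 0 if masq/snat names IFACE (also as "IFACE:addr")
nat_references() {
    nat=$1/masq; [ -f "$nat" ] || nat=$1/snat
    awk -v w="$2" '!/^[#?]/ { for (i = 1; i <= NF; i++) { split($i, a, ":"); if (a[1] == w) found = 1 } }
                   END { exit !found }' "$nat" 2>/dev/null
}

# shorewall_intent_check DIR WAN LAN -> findings on stdout, returns 1 on any FAIL
shorewall_intent_check() {
    dir=$1 wan=$2 lan=$3 rc=0
    [ "$(zone_of "$dir" "$wan")" = net ] || { echo "FAIL: $wan is not in zone net"; rc=1; }
    [ "$(zone_of "$dir" "$lan")" = loc ] || { echo "FAIL: $lan is not in zone loc"; rc=1; }
    case "$(last_policy "$dir")" in
        "all all REJECT"|"all all DROP") ;;
        *) echo "FAIL: policy must end with an all -> all REJECT/DROP catch-all"; rc=1 ;;
    esac
    nat_references "$dir" "$wan" \
        || { echo "FAIL: masq/snat does not reference $wan (still eth0 from the sample?)"; rc=1; }
    u=$(unthrottled_net_accepts "$dir")
    [ -z "$u" ] || { echo "WARN: net-facing ACCEPT without RATE LIMIT:"; echo "$u"; }
    return $rc
}
# Usage: shorewall_intent_check /etc/shorewall wan0 br0 && shorewall check && systemctl start shorewall
```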