Debian Router With USB 3G Modem

Because some of my friends have bought this modem from 3.dk, they still wanted to be able to have more than one computer on the internet. They had been told by 3 that it was possible to buy a router that could handle that, for 4000 Danish kr. Way too much. At the same time they bought a house in the country where 3 had no good coverage, so we needed to make this work until they could get rid of the 3G modem. So here's what I did:

I started out by moving my mail server off my Lexcom lexligth and installing Ubuntu Gutsy 7.10 on it.

After the install I started out by editing /etc/apt/sources.list and enabling all repos in that file (not enabled as standard). Afterwards I installed the following packages to make it all work:

$ apt-get update
$ apt-get install openssh-server dhcp bind9 wvdial

The DHCP server is quite easy, but I needed to fill in the info about the DNS server in the conf file. I made an internal subnet for them in the range 172.16.7.0/24, which means they get 254 IP addresses on their subnet. I ended up with a configuration file for the DHCP server looking like this:

#
# Sample configuration file for ISC dhcpd for Debian
#
# $Id: dhcpd.conf,v 1.4.2.2 2002/07/10 03:50:33 peloy Exp $
#

# option definitions common to all supported networks...
option domain-name "example.com";
# Both resolvers go in one statement, separated by a comma
option domain-name-servers 80.251.192.244, 80.251.192.245;

option subnet-mask 255.255.255.0;
default-lease-time 600;
max-lease-time 7200;

subnet 172.16.7.0 netmask 255.255.255.0 {
  range 172.16.7.2 172.16.7.250;
  option broadcast-address 172.16.7.255;
  option routers 172.16.7.1;
}

#host confusia {
#  hardware ethernet 02:03:04:05:06:07;
#  filename "vmunix.confusia";
#  server-name "bb.home.vix.com";
#}

As you can see here, the range for DHCP addresses is from 172.16.7.2 to 250!
REMEMBER TO ADD THE DEFAULT INTERFACE TO /etc/default/dhcp

After that worked, I continued on to getting the modem to work. Luckily for me there was already a guide for that, but I still had to make some small changes for it to work. So I started out by making the directory where I place all my scripts:

$ mkdir /scripts

I started out by getting the modem driver for the Huawei modem and placing it in the /scripts directory. You can download the driver here

Afterwards I made the script for loading the right modules, drivers etc.! It ends up looking like this:

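#!/bin/bash
# This script is made for using a 3G modem with Ubuntu
# Made 20080112 by PBJ

# Unload usb-storage before the modem drivers are loaded
echo "removing USB-Storage.."
rmmod usb-storage
sleep 1

# Bind the generic USB serial driver to the modem's vendor/product id
echo "Loading modem"
modprobe usbserial vendor=0x12d1 product=0x1003
sleep 1

echo "Loading driver"
/scripts/huaweiAktBbo-i386.out
sleep 1

# Dial using the [Dialer default] section of /etc/wvdial.conf
echo "Connecting"
wvdial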

As you can see in that script, we end up calling the wvdial default configuration. Therefore you need to add/edit the default section of /etc/wvdial.conf so that it also holds this information:

[Dialer default]
Phone = *99***1#
Username = irrelevant
Password = irrelevant
Stupid Mode = 1
Dial Command = ATDT
Modem = /dev/ttyUSB0
Baud = 460800
Init2 = ATZ
Init3 = ATE0V1&D2&C1S0=0+IFC=2,2
ISDN = 0
Modem Type = Analog Modem
Init5 = AT+CGDCONT=1,"IP","data.tre.dk";

This makes the modem connect to the 3.dk server with a point-to-point connection. It takes around 15-20 seconds before the connection is working, and the light in the modem changes from green to blue/violet!

But before that we need to check that some things are working correctly: the right modules etc. must be there. If there are not 3 units in /dev/ttyU*, remove the modem, wait 10 seconds, plug it in again and run the script. Here's what it should look like:

$ ls -lah /dev/ttyU*
crw-rw---- 1 root dialout 188, 0 2008-01-15 13:25 /dev/ttyUSB0
crw-rw---- 1 root dialout 188, 0 2008-01-15 13:25 /dev/ttyUSB1
crw-rw---- 1 root dialout 188, 0 2008-01-15 13:25 /dev/ttyUSB2

If there are not 3 lines, don't try connecting. It will not work!

Since this should be a router/firewall, we need to make sure that the modem also connects after a power failure etc.! So I added these lines to /etc/rc.local:

echo "Starting Scripts for ppp0"
/scripts/init_usb_modem.sh &
sleep 30

The reason for sleep 30 is that when we add the firewall, we have to make sure that the modem connection works. Otherwise the firewall script will fail because of unknown parameters.
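A bounded wait for ppp0 can stand in for the fixed sleep 30, so the firewall script only runs once the link has an address to put in its SNAT rule. This is an added example, not part of the original post: the function names and the sample ifconfig text are constructed, and it assumes the old net-tools "inet addr:" output format that the firewall script also parses.

```shell
#!/bin/sh
# Added example: wait for the PPP link instead of a fixed "sleep 30".
# Function names are hypothetical; they are not part of the post's scripts.

# Read old-style ifconfig output on stdin and print the address that
# follows "inet addr:" (prints nothing when the interface has none).
extract_inet_addr() {
    awk '/inet addr:/ { sub(/.*inet addr:/, ""); print $1; exit }'
}

# Succeed only for a dotted-quad shaped value, so an empty or garbled
# string never ends up inside an iptables rule.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# wait_for_wan TIMEOUT_SECONDS [COMMAND...]
# Poll COMMAND (default: ifconfig ppp0) once per second. Print the address
# and return 0 as soon as one is reported; return 1 after TIMEOUT_SECONDS.
wait_for_wan() {
    timeout=$1
    shift
    [ "$#" -gt 0 ] || set -- ifconfig ppp0
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        addr=$("$@" 2>/dev/null | extract_inet_addr)
        if is_ipv4 "$addr"; then
            printf '%s\n' "$addr"
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# Constructed sample of what "ifconfig ppp0" prints once the link is up.
sample_ppp0_up() {
    printf '%s\n' \
        'ppp0      Link encap:Point-to-Point Protocol' \
        '          inet addr:10.123.45.67  P-t-P:10.64.64.64  Mask:255.255.255.255'
}

# Demo on the sample; in /etc/rc.local the call would be "wait_for_wan 60",
# running the firewall script only when it succeeds.
wait_for_wan 5 sample_ppp0_up
```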

Now reboot your machine and check the console output to make sure the internet is coming up. If this is working, we're ready to add the firewall to the machine.

The script I made is this:

#!/bin/bash
#
# Created by: Per Jørgensen 2007
# Mail: linux@pbj-design.dk
#
# Revision History
#
# Version 0.1: Added ppp0 for Internet connection
# Version 0.0: Started with the script
#
# -------------------------------------------------------------------
# Setup the environment variables
# -------------------------------------------------------------------
# External Program
IPTABLES="/sbin/iptables"

# Setting up the interfaces
LO="lo"
WAN="ppp0"
LAN="eth0"
#GW="$(ifconfig $WAN | grep "inet addr" | cut -f 3 -d ":" | cut -f 1 -d " ")"
GW="10.64.64.64"

# The IP-addresses for the interfaces
LAN_IP="172.16.7.1"
# Parses the "inet addr:" line of ifconfig; empty if ppp0 is not up yet
WAN_IP="$(ifconfig $WAN | grep "inet addr" | cut -f 2 -d ":" | cut -f 1 -d " ")"
LO_IP="127.0.0.1"

#Networks
LAN_NET="172.16.7.0/24"
WAN_NET="$WAN_IP"
LO_NET="127.0.0.1/8"

# The machines on the net
MILO="172.16.7.1"

# -------------------------------------------------------------------
# Starting the scripts and write to syslog & Console
# -------------------------------------------------------------------
echo "$(date):FIREWALL SCRIPT Started " >> /var/log/messages

echo
echo "Linux Firewall at PBJ IT & Webdesign "
echo "(C) Copyrigth by Per Jørgensen - 2006"
echo " All rigths reserved!"

echo
echo "Initializing firewall with these settings:"
echo "- WAN IP-address: $WAN ($WAN_IP)"
echo "- LAN IP-address: $LAN ($LAN_IP)"
echo "- GATEWAY hos 3: GW ($GW)"
echo
echo "Initiating script:"
echo " Done"

# -------------------------------------------------------------------
# Start by loading IPTABLES modules
# -------------------------------------------------------------------
echo "Loading IPTABLES modules"
modprobe ip_tables
modprobe ip_conntrack

echo " Done"
# -------------------------------------------------------------------
# Flush existing Connections and removing rules
# -------------------------------------------------------------------
echo "Flashing and zeroing the chains"
$IPTABLES -F
$IPTABLES -Z
$IPTABLES -X
# Also flush the nat table, so re-running the script does not stack SNAT rules
$IPTABLES -t nat -F
echo " Done"
echo
# -------------------------------------------------------------------
# Initialize and setup defaults rules
# -------------------------------------------------------------------
echo "Initialzing and setup defaults policies"

# Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# IP spoofing: enable reverse-path filtering on every interface
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done

# Default Policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

echo " Done"
echo
# -------------------------------------------------------------------
# Create and flush chains
# -------------------------------------------------------------------
echo "Creating and flushing the chains"
$IPTABLES -N wantolan
$IPTABLES -N lantowan
$IPTABLES -N lo
$IPTABLES -N lan
$IPTABLES -N wan
echo " Done. Chains are made"
echo
################################################################
# Setting up the INPUT chain
# -------------------------------------------------------------------
echo "Setting up the INPUT chain"
# Allowing all traffic from the inside
$IPTABLES -A lan -m state --state NEW -j ACCEPT

## DNS ##
# No -i match here, so these two rules accept DNS queries on every
# interface, ppp0 included; add "-i $LAN" to serve only the LAN.
$IPTABLES -t filter -A INPUT -p udp --dport 53 -j ACCEPT
$IPTABLES -t filter -A INPUT -p tcp --dport 53 -j ACCEPT

## ICMP ##
$IPTABLES -t filter -A INPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A INPUT -i $LAN -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
$IPTABLES -t filter -A INPUT -i $WAN -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT

echo " Done. INPUT chain is up and running"
echo

# -------------------------------------------------------------------
# Setting up the OUTPUT chain
# -------------------------------------------------------------------
#
## DNS ##
$IPTABLES -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
$IPTABLES -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT

# Accepting outgoing traffic
$IPTABLES -t filter -A OUTPUT -p ALL -s $LAN_NET -j ACCEPT

# Rejecting Ident
#$IPTABLES -A wan -m state --state NEW -p tcp --dport 113 -j REJECT

echo " Done. OUTPUT chain is up and running"
echo

################################################################
# Setting up rules for LO interface
# -------------------------------------------------------------------
echo "Setting up LOCAL interface "
$IPTABLES -A lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $LO -j ACCEPT
$IPTABLES -A OUTPUT -o $LO -j ACCEPT

echo " Done. LO is up and running"
echo

# -------------------------------------------------------------------
# Setting up the LAN interface
# -------------------------------------------------------------------
echo "Setting up the LAN interface"
$IPTABLES -t filter -A lan -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

echo " Done. LAN is up and running"
echo

# -------------------------------------------------------------------
# Setting up the WAN interface
# -------------------------------------------------------------------
echo "Setting up the WAN interface"
# Only reply traffic is accepted from the WAN side
$IPTABLES -t filter -A wan -m state --state ESTABLISHED,RELATED -j ACCEPT

echo " Done. WAN is up and running"
echo

################################################################
# Setting up rules for LANTOWAN chain
# -------------------------------------------------------------------
echo "Setting up the LANTOWAN chain"
$IPTABLES -t filter -A lantowan -s $LAN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

echo " Done. LANTOWAN chain is up and running"
echo

################################################################
# Setting up rules for WANTOLAN interface
# -------------------------------------------------------------------
echo "Setting up the WANTOLAN chains"

# Accepting only return traffic to lan
$IPTABLES -A wantolan -m state --state ESTABLISHED,RELATED -j ACCEPT

echo " Done. WANTOLAN chain is up and running"
echo

################################################################
# Setting up Masquerading
# -------------------------------------------------------------------
echo "Setting up MASQUERADING"
# From all interfaces - but not WAN
# ("! -s" is the negation form current iptables expects; there is no -o
# match, so the rule applies to packets leaving on any interface)
$IPTABLES -t nat -A POSTROUTING ! -s $WAN_IP -j SNAT --to-source $WAN_IP

echo " Done. MASQUERADING is up and running"
echo

##################################################################
# Activating the Chains
# -------------------------------------------------------------------
echo "Activating the chains"
$IPTABLES -A INPUT -i $WAN -j wan
$IPTABLES -A INPUT -i $LAN -j lan
$IPTABLES -A INPUT -i $LO -j lo
$IPTABLES -A FORWARD -i $WAN -o $LAN -j wantolan
$IPTABLES -A FORWARD -i $LAN -o $WAN -j lantowan

echo "Done. The chains are now activated"

echo
echo "Firewall has been setup succesfully and are now"
echo " protecting your network. No garanty is given."
echo
echo "This script is designet by PBJ IT & Webdesign"
echo " This is released under GPL licens"
echo " Remember OpenSource is not nessecary FREE"

Afterwards, also add these lines to /etc/rc.local at the bottom, after sleep 30.

echo "Running firewall."
sh /scripts/firewall.sh
exit 0

Well, now you're ready to reboot once more, and hopefully everything is working well.
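After the reboot, the loaded rule set can be checked for rules that open a port on every interface; in the script above the two DNS rules on INPUT carry no -i match, so they also accept queries arriving on ppp0. This is an added example, not part of the original post: the function names are hypothetical, the rule listing is constructed, and it assumes an iptables version that supports -S.

```shell
#!/bin/sh
# Added example: list INPUT rules that accept a port from every interface.
# Function names are hypothetical; the rule listing below is constructed.

# Read "iptables -S" text on stdin. Print every rule appended to INPUT
# that jumps to ACCEPT, matches a destination port, and has no -i
# (inbound interface) match, i.e. is reachable from ppp0 as well.
unscoped_input_accepts() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            has_if = 0; has_port = 0; accepts = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") has_if = 1
                if ($i == "--dport" || $i == "--dports") has_port = 1
                if ($i == "-j" && $(i + 1) == "ACCEPT") accepts = 1
            }
            if (accepts && has_port && !has_if) print
        }'
}

# Print INPUT or FORWARD when its default policy is not DROP (the post's
# script sets both of these chains to DROP).
non_drop_policies() {
    awk '$1 == "-P" && ($2 == "INPUT" || $2 == "FORWARD") && $3 != "DROP" { print $2 }'
}

# Constructed listing, shaped like what the post's firewall script loads.
sample_rules() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -j wan
-A INPUT -i eth0 -j lan
EOF
}

# Demo on the sample; on the router, pipe in "iptables -S" instead.
sample_rules | unscoped_input_accepts
```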

FAQ:

Everything went well, but no internet:
Check your route table with the command: route -vn

I discovered several times that no default gw was set; instead there was an empty line. So I did this:

$ route del default
$ route add default gw 10.64.64.64

This makes the default gateway the gateway at 3.dk!
But my project was working without a default gateway, and without setting it in the route table.

Now everything should work, and hopefully you will be able to get a router working along with a 3G modem.

I have put all the default configuration files and scripts into a tar.gz archive, which can be downloaded here.

Hopefully you'll have fun with it!