Gecancelt.
was Gecancelt ?
Mein posting. Es gibt hier keine Möglichkeit ein posting komplett zu löschen 😉
router mit raspberry pi (b) ?
|
(Themenstarter)
Anmeldungsdatum: Beiträge: 611 |
|
Anmeldungsdatum: Beiträge: 713 Wohnort: Im Inntal |
Hallo Farinet Achtung!!! Wenn du einen globalen Proxy setzt, dann reagieren nur Anwendungen darauf die auch einen Proxy unterstützen. Les dir mal Transparenter Proxy von Tor durch. Ich denke das scheint eher das zu sein was du suchst. Hier geht dann der gesamte TCP/IP Verkehr durch Tor, ohne einen globalen Proxy gesetzt zu haben. |
|
(Themenstarter)
Anmeldungsdatum: Beiträge: 611 |
Vielen Dank für den Hinweis. Ich habe auch eine Anleitung gefunden, wie man das auf einem RPi baut ( http://wordpress.fusion-zone.net/?p=7 ). Das sollte also auf jeden Fall funktionieren. Nun bliebe noch das Problem, wie man das mit privoxy (und/oder squid3) auf dem RPi kombiniert und zwar so, dass zumindest der http (und https (?) ) Verkehr da durch geht (wenn's denn möglich ist). Ganz ehrlich: iptables ist verwirrend und ziemlich komplex für mich. |
|
Anmeldungsdatum: Beiträge: 713 Wohnort: Im Inntal |
Guten Morgen 😀 Naja, das "Problem" an dieser besagten Konstruktion über den Netfilter ist, daß es so konstruiert ist, sämtlichen Verkehr eines physichen Netzwerkanschlusses durch den Transparenten Proxy von Tor zu leiten. Theorethisch könnte man den HTTP/HTTPS Verkehr vorher umbiegen auf Privoxy. Nur dann brauchst du auch ein lokales rereouting auf deinem Raspberry... *überleg* #!/bin/sh iptables -F iptables -t nat -F iptables -t nat -A OUTPUT -o lo -j RETURN iptables -t nat -A OUTPUT -m owner --uid-owner "debian-tor" -j RETURN iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53 iptables -t nat -A OUTPUT -p tcp --syn -m multiport --dports 80,443 -j REDIRECT --to-ports 8118 iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040 iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53 iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -m multiport --dports 80,443 -j REDIRECT --to-ports 8118 iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040 iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m owner --uid-owner "debain-tor" -j ACCEPT iptables -A OUTPUT -j REJECT Ungetestet!!! *jedimeisterhandbewegung* du willst iptables verstehen lernen 😀 EDIT: UUPPPPSSS!!! Schwerer Denkfehler!!! Ich glaub das sollte eher so aussehen. #!/bin/sh iptables -F iptables -t nat -F iptables -t nat -A OUTPUT -o lo -j RETURN iptables -t nat -A OUTPUT -m owner --uid-owner "debian-tor" -j RETURN iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53 iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040 iptables -t nat -A PREROUTING -i wlan0 -p udp --dport 53 -j REDIRECT --to-ports 53 iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -m multiport --dports 80,443 -j DNAT --to-destination 127.0.0.1:8118 iptables -t nat -A PREROUTING -i wlan0 -p tcp --syn -j REDIRECT --to-ports 9040 iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m owner --uid-owner "debain-tor" -j ACCEPT iptables -A OUTPUT -j REJECT Ich denke man sollte die DNS Ports anderst setzen, da das ganze auf localhost unter root laufen müsste aber man kanns ja mal probieren 🤓 |
|
(Themenstarter)
Anmeldungsdatum: Beiträge: 611 |
Also erst einmal vielen herzlichen Dank für die Geduld mit einem Dummi ... 😉
Ich probiere das im Augenblick auf einem alten netbook uns so richtig gelingen will es mir nicht. Deine Anregungen werde ich anzuwenden versuchen, wenn das Teil, ich hab's jetzt geordert, hier ist (und berichten respektive nerven:D ).
Genau das ist es, wovor mir graut: "Wenn du verstehen willst der Filter Macht . . . " so liest man's in so manchem thread zu diesem Thema. |
|
Anmeldungsdatum: Beiträge: 713 Wohnort: Im Inntal |
Sind wir nicht alle ein bisschen Bluna 😬
Okidoki 😀 Je mehr du das versuchst, desto mehr gefällt´s dir → Is zumindest mir so ergangen 💡
Ja, aber da hat Meister Yoda recht. Netfilter, respektive iptables haben eine morts Power. Mann muss nur denken wie ein Datenpaket dass dort durchrutscht. "First Match wins!" EDIT: Poste mal iptables script, dann könne wir uns da drüber stürzen 😎 |
|
(Themenstarter)
Anmeldungsdatum: Beiträge: 611 |
Ich habe mich (Anregung von elektronenblitz, so eine Art Vize-Joda, jedenfalls für mich 😉) mit Squid befasst und entdeckt (in den Arch Linux Foren), dass man damit *auch* filtern kann, wenigstens einiges (lokal probiert, scheint das auch zu funktionieren). Von der Logik der Sache her, denke ich, wäre es gleich bei der Einrichtung. Aber, eine praktische Frage: Ist die Cachefunktion effektiver als der lokale Cache in den Browsern (oder gibt's dazu irgendwelche links)? Ich habe nichts Signifikantes gefunden, habe aber den Eindruck, dass der Cache besser funktioniert. Und vor allem: Mit Squid3 als Cacheproxy schneide ich bei den verschiedenen Anonymitätstests besser ab als mit eingeschaltetem Cache (in Midori & FF). Hardwareseits: Ich habe eine kleine, ultraschnelle SSD (flash) disk, die ich an die RPi hängen könnte (mit swap und ext4 partition; Ich glaube ich werde da nicht mit lvm, das ich auf meinen lokalen Rechnern einsetze, herumexperimentieren 😀). |
|
Anmeldungsdatum: Beiträge: 713 Wohnort: Im Inntal |
Mit Squid kannst du sehr, sehr viel filtern. Sieh dir mal bei Squid-guard die DB an.
Genau dafür ist ein Cache Proxy da. Je weniger du lokal im Browser zur Verfügung stellst, desto besser.
Ich würde die interne SD Karte verwenden. Im Endeffekt kommt es auf die Ressourcen des Pi an, ob er diese Aufgaben alle erledigen kann. 1.) Routing 2.) Cache Proxy 3.) Tor → Wobei ich hier eher als ClientOnly arbeiten würde. Ich denke der kleine Racker würde als Tor-relay gleichmal überlastet sein... |
|
Anmeldungsdatum: Beiträge: 713 Wohnort: Im Inntal |
Hallo Farinet Ich hab auf meinem Router den transparenten Proxy mittlerweile laufen 😀 Das funktioniert verd.... gut 👍 Am Router is es einfacher als auf einem Client 🦆 Ich habs auch am Client am laufen, und alle Programme die einen Proxy unterstützen laufen dort durch (ssh, Filezilla, Apper) ohne an diesen Programmen einen Proxy eingestellt zu haben 😬 😲 Wenn du Hilfe brauchst, grad melden. Die iptables rules am Router sind lächerlich, wobei ich ohne Privoxy fahre. Soweit ich mich durch Privoxy gelesen habe, sollte ein globaler Proxy auf einem interface aber möglich sein. Am Client hab ich Privoxy laufen mit einem Script, dass alle Dienste und die iptables rules startet 😎 EDIT: Wenn ich mit meinem Client (auf dem Tor+Privoxy läuft) über den Router gehe (wo der transparente Proxy läuft), dauern meine Verbindungen zwar um einiges länger als wenn ich am Client "offen" am Weg bin, stört mich aber nicht weiter. Das wäre dann das Konzept des Isolating Proxy. EDIT1: Bei Windows Clients ist das Isolating Proxy Konzept ein wenig problematisch, da Windows seine Zeiten von seinem time.windows.com Timeserver holt, und der mag Tor garnicht oder umverkehrt 😠 Bis jetzt ohne Probleme. Ziemlich cool das Ganze 😬 💡 |
|
(Themenstarter)
Anmeldungsdatum: Beiträge: 611 |
Dein transparenter Proxy auf dem Router ist tor only? Und hast Du den nach einer Anleitung "gebaut"? Ein paar, vielleicht ganz blöde Fragen: 1) Wäre es sinnvoller squid3 auch auf dem RPi laufen zu lassen? Privoxy hätte ich wirklich gerne so eingerichtet, dass zumindest http und https da hindurch *MÜSSEN*, weil die anderen hier ausser einigen Adblocks kaum etwas in ihren Browsern filtern. Und tor danach sowieso. Auf der anderen Seite, wenn das eine funktioniert, dann sollte es auch mit squid + privoxy gehen ... (?) 2) Ich stelle mir das - im Idealfall - so vor, dass (squid3 +) privoxy gewissermassen ein partieller Vorfilter sind, der am Ende wie alles andere, das an ihm vorbeigeht durch tor muss (das als transparenter proxy eingestellt ist). 3) Hast Du mal apt-get ausprobiert? Geht das? |
|
Anmeldungsdatum: Beiträge: 713 Wohnort: Im Inntal |
Guten Morgen Farinet: schrieb:
Mein Router hat vier interfaces. eth0 WAN eth1 DMZ eth2 LAN → Client im LAN scriptgesteuerter Transparenter Proxy wlan0 Alles was über eth2 reinkommt wird durch Tor geleitet. Der Rest geht seine normalen Wege 😀
Also Privoxy einzurichten ist kein Problem. Dazu noch Squid einzurichten wird dann Problematisch, da der Netzwerkverkehr verschlüsselt ist und die Destination Addressen ja ein Tor-Knoten sind und keine "bösen" Websites.
Ich würd's bei Privoxy erstmal belassen. Im späteren Verlauf kann man/n dann mit Squid experimentieren.
:] Jope 😀 Ich schreib dir aml meine configs hier hin. ROUTER: ACHTUNG!!! Ich habe bei Tor die DEV, also Experimentelle Version laufen. Ich hab auch den DNSPort geändert, da Fehlermeldungen wegen Zugriffsrechten kamen. sudo echo "deb http://deb.torproject.org/torproject.org experimental-precise main" >> /etc/apt/sources.list sudo echo "deb-src http://deb.torproject.org/torproject.org experimental-precise main" >> /etc/apt/sources.list sudo gpg --keyserver keys.gnupg.net --recv 886DDD89 gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add - sudo aptitude -vVD update sudo aptitude install tor tor-dbg tor-arm tor-geoipdb sudo service tor stop TOR CONFIG am ROUTER als ClientOnly ## Configuration file for a typical Tor user ## Last updated 12 September 2012 for Tor 0.2.4.3-alpha. ## (may or may not work for much older or much newer versions of Tor.) ## RunAsDaemon 1 ControlPort 9051 Log notice file /var/log/tor/notices.log HashedControlPassword 16:irgendwelchebuchstabenundzahlen SafeSocks 1 TestSocks 1 VirtualAddrNetworkIPv4 172.16.0.0/12 TransPort xxx.xxx.xxx.xxx:9040 -> Interface wo die Kommunikation herkommt AutomapHostsOnResolve 1 DNSPort xxx.xxx.xxx.xxx:9053 -> Interface wo die Kommunikation herkommt DirReqStatistics 1 ## Lines that begin with "## " try to explain what's going on. Lines ## that begin with just "#" are disabled commands: you can enable them ## by removing the "#" symbol. ## ## See 'man tor', or https://www.torproject.org/docs/tor-manual.html, ## for more options you can use in this file. ## ## Tor will look for this file in various places based on your platform: ## https://www.torproject.org/docs/faq#torrc ## Tor opens a socks proxy on port 9050 by default -- even if you don't ## configure one below. Set "SocksPort 0" if you plan to run Tor only ## as a relay, and not make any local application connections yourself. SocksPort 9050 # Default: Bind to localhost:9050 for local connections. #SocksPort 192.168.0.1:9100 # Bind to this address:port too. ## Entry policies to allow/deny SOCKS requests based on IP address. ## First entry that matches wins. If no SocksPolicy is set, we accept ## all (and only) requests that reach a SocksPort. Untrusted users who ## can access your SocksPort may be able to learn about the connections ## you make. #SocksPolicy accept 192.168.0.0/16 #SocksPolicy reject * ## Logs go to stdout at level "notice" unless redirected by something ## else, like one of the below lines. You can have as many Log lines as ## you want. ## ## We advise using "notice" in most cases, since anything more verbose ## may provide sensitive information to an attacker who obtains the logs. ## ## Send all messages of level 'notice' or higher to /var/log/tor/notices.log #Log notice file /var/log/tor/notices.log ## Send every possible message to /var/log/tor/debug.log #Log debug file /var/log/tor/debug.log ## Use the system log instead of Tor's logfiles #Log notice syslog ## To send all messages to stderr: #Log debug stderr ## Uncomment this to start the process in the background... or use ## --runasdaemon 1 on the command line. This is ignored on Windows; ## see the FAQ entry if you want Tor to run as an NT service. #RunAsDaemon 1 ## The directory for keeping all the keys/etc. By default, we store ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. #DataDirectory /var/lib/tor ## The port on which Tor will listen for local connections from Tor ## controller applications, as documented in control-spec.txt. #ControlPort 9051 ## If you enable the controlport, be sure to enable one of these ## authentication methods, to prevent attackers from accessing it. #HashedControlPassword 16:irgendwelchebuchstabenundzahlen #CookieAuthentication 1 ############### This section is just for location-hidden services ### ## Once you have configured a hidden service, you can look at the ## contents of the file ".../hidden_service/hostname" for the address ## to tell people. ## ## HiddenServicePort x y:z says to redirect requests on port x to the ## address y:z. #HiddenServiceDir /var/lib/tor/hidden_service/ #HiddenServicePort 80 127.0.0.1:80 #HiddenServiceDir /var/lib/tor/other_hidden_service/ #HiddenServicePort 80 127.0.0.1:80 #HiddenServicePort 22 127.0.0.1:22 ################ This section is just for relays ##################### # ## See https://www.torproject.org/docs/tor-doc-relay for details. ## Required: what port to advertise for incoming Tor connections. #ORPort 9001 ## If you want to listen on a port other than the one advertised in ## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as ## follows. You'll need to do ipchains or other port forwarding ## yourself to make this work. #ORPort 443 NoListen #ORPort 127.0.0.1:9090 NoAdvertise ## The IP address or full DNS name for incoming connections to your ## relay. Leave commented out and Tor will guess. #Address noname.example.com ## If you have multiple network interfaces, you can specify one for ## outgoing traffic to use. # OutboundBindAddress 10.0.0.5 ## A handle for your relay, so people don't have to refer to it by key. #Nickname ididnteditheconfig ## Define these to limit how much relayed traffic you will allow. Your ## own traffic is still unthrottled. Note that RelayBandwidthRate must ## be at least 20 KB. ## Note that units for these config options are bytes per second, not bits ## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc. #RelayBandwidthRate 100 KB # Throttle traffic to 100KB/s (800Kbps) #RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps) ## Use these to restrict the maximum traffic per day, week, or month. ## Note that this threshold applies separately to sent and received bytes, ## not to their sum: setting "4 GB" may allow up to 8 GB total before ## hibernating. ## ## Set a maximum of 4 gigabytes each way per period. #AccountingMax 4 GB ## Each period starts daily at midnight (AccountingMax is per day) #AccountingStart day 00:00 ## Each period starts on the 3rd of the month at 15:00 (AccountingMax ## is per month) #AccountingStart month 3 15:00 ## Contact info to be published in the directory, so we can contact you ## if your relay is misconfigured or something else goes wrong. Google ## indexes this, so spammers might also collect it. #ContactInfo Random Person <nobody AT example dot com> ## You might also include your PGP or GPG fingerprint if you have one: #ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com> ## Uncomment this to mirror directory information for others. Please do ## if you have enough bandwidth. #DirPort 9030 # what port to advertise for directory connections ## If you want to listen on a port other than the one advertised in ## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as ## follows. below too. You'll need to do ipchains or other port ## forwarding yourself to make this work. #DirPort 80 NoListen #DirPort 127.0.0.1:9091 NoAdvertise ## Uncomment to return an arbitrary blob of html on your DirPort. Now you ## can explain what Tor is if anybody wonders why your IP address is ## contacting them. See contrib/tor-exit-notice.html in Tor's source ## distribution for a sample. #DirPortFrontPage /etc/tor/tor-exit-notice.html ## Uncomment this if you run more than one Tor relay, and add the identity ## key fingerprint of each Tor relay you control, even if they're on ## different networks. You declare it here so Tor clients can avoid ## using more than one of your relays in a single circuit. See ## https://www.torproject.org/docs/faq#MultipleRelays ## However, you should never include a bridge's fingerprint here, as it would ## break its concealability and potentionally reveal its IP/TCP address. #MyFamily $keyid,$keyid,... ## A comma-separated list of exit policies. They're considered first ## to last, and the first match wins. If you want to _replace_ ## the default exit policy, end this with either a reject *:* or an ## accept *:*. Otherwise, you're _augmenting_ (prepending to) the ## default exit policy. Leave commented to just use the default, which is ## described in the man page or at ## https://www.torproject.org/documentation.html ## ## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses ## for issues you might encounter if you use the default exit policy. ## ## If certain IPs and ports are blocked externally, e.g. by your firewall, ## you should update your exit policy to reflect this -- otherwise Tor ## users will be told that those destinations are down. ## ## For security, by default Tor rejects connections to private (local) ## networks, including to your public IP address. See the man page entry ## for ExitPolicyRejectPrivate if you want to allow "exit enclaving". ## #ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more #ExitPolicy accept *:119 # accept nntp as well as default exit policy #ExitPolicy reject *:* # no exits allowed ## Bridge relays (or "bridges") are Tor relays that aren't listed in the ## main directory. Since there is no complete public list of them, even an ## ISP that filters connections to all the known Tor relays probably ## won't be able to block all the bridges. Also, websites won't treat you ## differently because they won't know you're running Tor. If you can ## be a real relay, please do; but if not, be a bridge! #BridgeRelay 1 ## By default, Tor will advertise your bridge to users through various ## mechanisms like https://bridges.torproject.org/. If you want to run ## a private bridge, for example because you'll give out your bridge ## address manually to your friends, uncomment this line: #PublishServerDescriptor 0 IPTABLES-Rules am ROUTER: INTERFACE für LAN eth2 #!/bin/bash # FIREWALL SERVER MODEL by Elrippo 2012 # Use at your own RISK!!! # do source validation by reversed path (Recommended option for single homed hosts) if [ -r /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo "Enabling rp_filter" echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter fi # enable syn cookies (prevent against the common 'syn flood attack') if [ -r /proc/sys/net/ipv4/tcp_syncookies ]; then echo "Enabling tcp_syncookies" echo "1" > /proc/sys/net/ipv4/tcp_syncookies fi # don't accept packets with SRR option if [ -r /proc/sys/net/ipv4/conf/all/accept_source_route ]; then echo "Disabling source routing" echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route fi # log packets with impossible addresses to kernel log if [ -r /proc/sys/net/ipv4/conf/all/log_martians ]; then echo "Enabling logging of martians" echo "1" > /proc/sys/net/ipv4/conf/all/log_martians fi #echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast #echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all # disable ping #echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects # disable ICMP redirect message #echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects # don't send redirects #echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # disable logging of bogus responses to broadcast frames echo "1" > /proc/sys/net/ipv4/ip_forward # enable forwarding sysctl -w net.ipv4.ip_forward=1 modprobe ip_tables modprobe ip_nat_ftp modprobe ip_nat_irc modprobe ip_conntrack modprobe ip_conntrack_irc modprobe ip_conntrack_ftp modprobe ip_nat_ftp modprobe ipt_limit modprobe ipt_multiport modprobe iptable_mangle modprobe ipt_state modprobe iptable_filter modprobe iptable_nat modprobe ipt_REJECT modprobe ipt_LOG modprobe xt_recent modprobe ipt_mac # increase the number of addresses remembered per table from default 100 echo "Increasing ip_list_tot to" chmod 722 /sys/module/xt_recent/parameters/ip_list_tot echo "1000000" > /sys/module/xt_recent/parameters/ip_list_tot chmod 400 /sys/module/xt_recent/parameters/ip_list_tot cat /sys/module/xt_recent/parameters/ip_list_tot # increase the number of packets per address remembered from default 20 echo "Increasing ip_pkt_list_tot to" chmod 722 /sys/module/xt_recent/parameters/ip_pkt_list_tot echo "110" > /sys/module/xt_recent/parameters/ip_pkt_list_tot chmod 400 /sys/module/xt_recent/parameters/ip_pkt_list_tot cat /sys/module/xt_recent/parameters/ip_pkt_list_tot # set the UID from default 0 echo "Setting ip_list_uid to" chmod 722 /sys/module/xt_recent/parameters/ip_list_uid echo "1000" > /sys/module/xt_recent/parameters/ip_list_uid chmod 400 /sys/module/xt_recent/parameters/ip_list_uid cat /sys/module/xt_recent/parameters/ip_list_uid #-------------------------------------------------------------------------------------------------------------------- # #--------------------------------------------------------------------------------------------------------------------- echo "--loading lists--" echo "lists loaded" #--------------------------------------------------------------------------------------------------------------------- echo "--loading default behaviour and log--" # Remove all rules iptables -F iptables -X iptables -t nat -F #################################################################### # First set the default behaviour => accept connections iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -P FORWARD DROP #################################################################### # Create the badguy chain, which allows you to use a blacklist against som curious servers iptables -N BADGUY iptables -t filter -I BADGUY -m recent --set --name badguys # Create the Malwarechain, which allows you to use a blacklist for known Servers compromised my malware iptables -N MALWARE iptables -t filter -I MALWARE -m recent --set --name malware ################################################################################ # Block any packet from IP's that are present in the badguys list immediately iptables -A INPUT -i eth0 -m recent --name badguys --rcheck -j DROP # Block any packet from IP´ s to our LAN that are present in the badguy list immediately #iptables -A FORWARD -i eth0 -o eth1 -m recent --name badguys --rcheck -j DROP iptables -A FORWARD -i eth0 -o wlan0 -m recent --name malware --rcheck -j DROP iptables -A FORWARD -i wlan0 -o eth0 -m recent --name malware --rcheck -j DROP iptables -A FORWARD -i wlan0 -o eth0 -m recent --name badguys --rcheck -j DROP # Block spoofed internal addresses from the WAN iptables -A FORWARD -i eth0 -s 192.168.1.0/24 -j DROP iptables -A FORWARD -i eth0 -s 192.168.2.0/24 -j DROP iptables -A FORWARD -i eth0 -s 192.168.3.0/24 -j DROP iptables -A FORWARD -i eth0 -s 127.0.0.0/8 -j DROP # Block New and Invalid packets iptables -A INPUT -i eth0 -m state --state INVALID -m recent --set --name badguys -j LOG_DROP_INVALID iptables -A INPUT -i wlan0 -m state --state INVALID -m recent --set --name badguys -j LOG_DROP_INVALID # Block any unclean packet iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m recent --set --name badguys -j LOG_DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m recent --set --name badguys -j LOG_DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m recent --set --name badguys -j LOG_DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -m recent --set --name badguys -j LOG_DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -m recent --set --name badguys -j LOG_DROP iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,URG URG -m recent --set --name badguys -j LOG_DROP iptables -A INPUT -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m recent --set --name badguys -j LOG_DROP iptables -A INPUT -i wlan0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m recent --set --name badguys -j LOG_DROP iptables -A INPUT -i wlan0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m recent --set --name badguys -j LOG_DROP iptables -A INPUT -i wlan0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -m recent --set --name badguys -j LOG_DROP iptables -A INPUT -i wlan0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -m recent --set --name badguys -j LOG_DROP iptables -A INPUT -i wlan0 -p tcp -m tcp --tcp-flags ACK,URG URG -m recent --set --name badguys -j LOG_DROP ################################################################################ # PREROUTING and FORWARDING rules for our DMZ on eth1 ################################################################################ # ALLOW forwarding and do the prerouting for the DMZ Server on eth1 iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp -m multiport --dports 20,21,22,25,80,143,443,465,587,993,9001,9030 -j DNAT --to-destination xxx.xxx.xxx.xxx iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 41361:65534 -j DNAT --to-destination xxx.xxx.xxx.xxx iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 80 -j DNAT --to-destination xxx.xxx.xxx.xxx iptables -A FORWARD -i eth0 -o eth1 -d xxx.xxx.xxx.xxx -j ACCEPT # incomming NEW connections -> SERVER iptables -A FORWARD -i eth0 -o eth1 -d xxx.xxx.xxx.xxx -m state --state ESTABLISHED,RELATED -j ACCEPT # incomming ESTABLISHED and RELATED connections iptables -A FORWARD -i eth0 -o eth1 -d xxx.xxx.xxx.xxx -p tcp -m tcp -m multiport --dports 20,21,22,25,80,143,443,465,587,993,9001,9030 -j ACCEPT iptables -A FORWARD -i eth0 -o eth1 -d xxx.xxx.xxx.xxx -p tcp -m tcp --dport 41361:65534 -j ACCEPT iptables -A FORWARD -i eth0 -o eth1 -d xxx.xxx.xxx.xxx -p udp -m udp --dport 80 -j ACCEPT iptables -A FORWARD -i eth1 -s xxx.xxx.xxx.xxx -o eth0 -j ACCEPT # outgoing NEW connections -> CLIENT iptables -A FORWARD -i eth1 -s xxx.xxx.xxx.xxx -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT # outgoing ESTABLISHED and RELATED connections ################################################################################ # FORWARDING rules for our LAN on eth2 to the WAN without TOR ################################################################################ #iptables -A FORWARD -i eth0 -o eth2 -d xxx.xxx.xxx.xxx -m state --state ESTABLISHED,RELATED -j ACCEPT #iptables -A FORWARD -i eth2 -s xxx.xxx.xxx.xxx -o eth0 -j ACCEPT ################################################################################ # TOR Transparent Proxy from LAN eth2 to the WAN ################################################################################ iptables -t nat -A PREROUTING -i eth2 -p tcp -m tcp --dport 22 -j DNAT --to-destination xxx.xxx.xxx.xxx:ssh iptables -t nat -A PREROUTING -i eth2 -p tcp -m tcp --dport 222 -j DNAT --to-destination xxx.xxx.xxx.xxx:ssh iptables -t nat -A PREROUTING -i eth2 -p udp --dport 53 -j REDIRECT --to-ports 9053 iptables -t nat -A PREROUTING -i eth2 -p icmp -j REDIRECT --to-ports 9040 iptables -t nat -A PREROUTING -i eth2 -p tcp --syn -j REDIRECT --to-ports 9040 ############################################################################### # Allow communication from LAN eth2 to DMZ without TOR ############################################################################## iptables -A FORWARD -i eth2 -s xxx.xxx.xxx.xxx -o eth1 -d xxx.xxx.xxx.xxx -j ACCEPT iptables -A FORWARD -i eth1 -s xxx.xxx.xxx.xxx -o eth2 -d xxx.xxx.xxx.xxx -m state --state ESTABLISHED,RELATED -j ACCEPT ################################################################################ # FORWARDING rules for our WirelessLAN on wlan0 ############################################################################### iptables -A FORWARD -i eth0 -o wlan0 xxx.xxx.xxx.xxx -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i wlan0 -s xxx.xxx.xxx.xxx -o eth0 -j ACCEPT # ALLOW communication from the WirelessLAN to the DMZ iptables -A FORWARD -i wlan0 -s xxx.xxx.xxx.xxx -o eth1 -d xxx.xxx.xxx.xxx -j ACCEPT iptables -A FORWARD -i eth1 -s xxx.xxx.xxx.xxx -o wlan0 -d xxx.xxx.xxx.xxx -m state --state ESTABLISHED,RELATED -j ACCEPT ################################################################################ # INPUT -eger- INCOMMING rules for ALL INTERFACES ################################################################################ # ALLOW ESTABLISHED and RELATED incoming connections iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT # ALLOW incomming connections on our internal interfaces iptables -A INPUT -i eth1 -j ACCEPT iptables -A INPUT -i eth2 -j ACCEPT # ALLOW self communication iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT ################################################################################ echo "--meinedomain.net--" # REDIRECT every "meinedomain.net" connection fron the LAN to the DMZ iptables -t nat -A PREROUTING -i wlan0 -d "elrippoisland.net" -j DNAT --to xxx.xxx.xxx.xxx iptables -t nat -A PREROUTING -i eth2 -p tcp -d "elrippoisland.net" --dport 222 -j DNAT --to xxx.xxx.xxx.xxx iptables -t nat -A PREROUTING -i eth2 -d "elrippoisland.net" -j DNAT --to xxx.xxx.xxx.xxx echo "meinedomain.net" # --------------------------------------------------------------------------------------------------------------------- # ALLOW INCOMMING # -------------------------------------------------------------------------------------------------------------------- # ALLOW ssh iptables -A INPUT -i eth2 -p tcp -m tcp --dport 222 -j ACCEPT #----------------------------------------------------------------------------------------------------------------------- ################################################################################ # DROP everything else that does not match a FORWARD rule iptables -A FORWARD -t filter -i eth0 -j DROP -m recent --set --name badguys iptables -A FORWARD -t filter -i wlan0 -j DROP -m recent --set --name badguys ################################################################################ # IMPORTANT Send all DROP package from INPUT chain to the badguys list - port scan iptables -A INPUT -t filter -i eth0 -j DROP -m recent --set --name badguys iptables -A INPUT -t filter -i wlan0 -j DROP -m recent --set --name badguys ################################################################################ #----------------------------------------------------------------------------------------------------------------------- # #----------------------------------------------------------------------------------------------------------------------- # ALLOW OUTGOING #----------------------------------------------------------------------------------------------------------------------- # ---------------------------------------------------------------------------------------------------------------------- # Do MASQUERADING for every OUTPUT package iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # ----------------------------------------------------------------------------------------------------------------------- echo "trusted rules loaded" # End message echo " [End iptables rules setting]" CONFIG AM CLIENT TOR ClientOnly sudo add-apt-repository 'deb http://deb.torproject.org/torproject.org experimental-precise main' gpg --keyserver keys.gnupg.net --recv 886DDD89 gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add - sudo aptitude -vVD update sudo aptitude install tor tor-dbg torchat tor-arm tor-geoipdb sudo service tor stop sudo aptitude install privoxy sudo service privoxy stop sudo update-rc.d tor disable sudo update-rc.d privoxy disable TOR CONFIG am CLIENT ## Configuration file for a typical Tor user ## Last updated 12 September 2012 for Tor 0.2.4.3-alpha. ## (may or may not work for much older or much newer versions of Tor.) ## RunAsDaemon 1 Log notice file /var/log/tor/notices.log ControlPort 9051 HashedControlPassword 16:vielebuchstabenundzahlen SafeSocks 1 TestSocks 1 VirtualAddrNetworkIPv4 172.16.0.0/12 TransPort 9040 -> localhost AutomapHostsOnResolve 1 DNSPort 9053 -> localhost DirReqStatistics 1 ## Lines that begin with "## " try to explain what's going on. Lines ## that begin with just "#" are disabled commands: you can enable them ## by removing the "#" symbol. ## ## See 'man tor', or https://www.torproject.org/docs/tor-manual.html, ## for more options you can use in this file. ## ## Tor will look for this file in various places based on your platform: ## https://www.torproject.org/docs/faq#torrc ## Tor opens a socks proxy on port 9050 by default -- even if you don't ## configure one below. Set "SocksPort 0" if you plan to run Tor only ## as a relay, and not make any local application connections yourself. #SocksPort 9050 # Default: Bind to localhost:9050 for local connections. #SocksPort 192.168.0.1:9100 # Bind to this address:port too. ## Entry policies to allow/deny SOCKS requests based on IP address. ## First entry that matches wins. If no SocksPolicy is set, we accept ## all (and only) requests that reach a SocksPort. Untrusted users who ## can access your SocksPort may be able to learn about the connections ## you make. #SocksPolicy accept 192.168.0.0/16 #SocksPolicy reject * ## Logs go to stdout at level "notice" unless redirected by something ## else, like one of the below lines. You can have as many Log lines as ## you want. ## ## We advise using "notice" in most cases, since anything more verbose ## may provide sensitive information to an attacker who obtains the logs. ## ## Send all messages of level 'notice' or higher to /var/log/tor/notices.log #Log notice file /var/log/tor/notices.log ## Send every possible message to /var/log/tor/debug.log #Log debug file /var/log/tor/debug.log ## Use the system log instead of Tor's logfiles #Log notice syslog ## To send all messages to stderr: #Log debug stderr ## Uncomment this to start the process in the background... or use ## --runasdaemon 1 on the command line. This is ignored on Windows; ## see the FAQ entry if you want Tor to run as an NT service. #RunAsDaemon 1 ## The directory for keeping all the keys/etc. By default, we store ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. #DataDirectory /var/lib/tor ## The port on which Tor will listen for local connections from Tor ## controller applications, as documented in control-spec.txt. #ControlPort 9051 ## If you enable the controlport, be sure to enable one of these ## authentication methods, to prevent attackers from accessing it. #HashedControlPassword 16:vielebuchstabenundzahlen #CookieAuthentication 1 ############### This section is just for location-hidden services ### ## Once you have configured a hidden service, you can look at the ## contents of the file ".../hidden_service/hostname" for the address ## to tell people. ## ## HiddenServicePort x y:z says to redirect requests on port x to the ## address y:z. #HiddenServiceDir /var/lib/tor/hidden_service/ #HiddenServicePort 80 127.0.0.1:80 #HiddenServiceDir /var/lib/tor/other_hidden_service/ #HiddenServicePort 80 127.0.0.1:80 #HiddenServicePort 22 127.0.0.1:22 ################ This section is just for relays ##################### # ## See https://www.torproject.org/docs/tor-doc-relay for details. ## Required: what port to advertise for incoming Tor connections. #ORPort 9001 ## If you want to listen on a port other than the one advertised in ## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as ## follows. You'll need to do ipchains or other port forwarding ## yourself to make this work. #ORPort 443 NoListen #ORPort 127.0.0.1:9090 NoAdvertise ## The IP address or full DNS name for incoming connections to your ## relay. Leave commented out and Tor will guess. #Address noname.example.com ## If you have multiple network interfaces, you can specify one for ## outgoing traffic to use. # OutboundBindAddress 10.0.0.5 ## A handle for your relay, so people don't have to refer to it by key. #Nickname ididnteditheconfig ## Define these to limit how much relayed traffic you will allow. Your ## own traffic is still unthrottled. Note that RelayBandwidthRate must ## be at least 20 KB. ## Note that units for these config options are bytes per second, not bits ## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc. #RelayBandwidthRate 100 KB # Throttle traffic to 100KB/s (800Kbps) #RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps) ## Use these to restrict the maximum traffic per day, week, or month. ## Note that this threshold applies separately to sent and received bytes, ## not to their sum: setting "4 GB" may allow up to 8 GB total before ## hibernating. ## ## Set a maximum of 4 gigabytes each way per period. #AccountingMax 4 GB ## Each period starts daily at midnight (AccountingMax is per day) #AccountingStart day 00:00 ## Each period starts on the 3rd of the month at 15:00 (AccountingMax ## is per month) #AccountingStart month 3 15:00 ## Contact info to be published in the directory, so we can contact you ## if your relay is misconfigured or something else goes wrong. Google ## indexes this, so spammers might also collect it. #ContactInfo Random Person <nobody AT example dot com> ## You might also include your PGP or GPG fingerprint if you have one: #ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com> ## Uncomment this to mirror directory information for others. Please do ## if you have enough bandwidth. #DirPort 9030 # what port to advertise for directory connections ## If you want to listen on a port other than the one advertised in ## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as ## follows. below too. You'll need to do ipchains or other port ## forwarding yourself to make this work. #DirPort 80 NoListen #DirPort 127.0.0.1:9091 NoAdvertise ## Uncomment to return an arbitrary blob of html on your DirPort. Now you ## can explain what Tor is if anybody wonders why your IP address is ## contacting them. See contrib/tor-exit-notice.html in Tor's source ## distribution for a sample. #DirPortFrontPage /etc/tor/tor-exit-notice.html ## Uncomment this if you run more than one Tor relay, and add the identity ## key fingerprint of each Tor relay you control, even if they're on ## different networks. You declare it here so Tor clients can avoid ## using more than one of your relays in a single circuit. See ## https://www.torproject.org/docs/faq#MultipleRelays ## However, you should never include a bridge's fingerprint here, as it would ## break its concealability and potentionally reveal its IP/TCP address. #MyFamily $keyid,$keyid,... ## A comma-separated list of exit policies. They're considered first ## to last, and the first match wins. If you want to _replace_ ## the default exit policy, end this with either a reject *:* or an ## accept *:*. Otherwise, you're _augmenting_ (prepending to) the ## default exit policy. Leave commented to just use the default, which is ## described in the man page or at ## https://www.torproject.org/documentation.html ## ## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses ## for issues you might encounter if you use the default exit policy. ## ## If certain IPs and ports are blocked externally, e.g. by your firewall, ## you should update your exit policy to reflect this -- otherwise Tor ## users will be told that those destinations are down. ## ## For security, by default Tor rejects connections to private (local) ## networks, including to your public IP address. See the man page entry ## for ExitPolicyRejectPrivate if you want to allow "exit enclaving". ## #ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more #ExitPolicy accept *:119 # accept nntp as well as default exit policy #ExitPolicy reject *:* # no exits allowed ## Bridge relays (or "bridges") are Tor relays that aren't listed in the ## main directory. Since there is no complete public list of them, even an ## ISP that filters connections to all the known Tor relays probably ## won't be able to block all the bridges. Also, websites won't treat you ## differently because they won't know you're running Tor. If you can ## be a real relay, please do; but if not, be a bridge! #BridgeRelay 1 ## By default, Tor will advertise your bridge to users through various ## mechanisms like https://bridges.torproject.org/. If you want to run ## a private bridge, for example because you'll give out your bridge ## address manually to your friends, uncomment this line: #PublishServerDescriptor 0 PRIVOXY AM CLIENT forward-socks4 / 127.0.0.1:9050 . forward-socks4a / 127.0.0.1:9050 . forward-socks5 / 127.0.0.1:9050 . SCRIPT zum starten der DIENSTE inkl. iptables rules. Bei beenden von Tor-arm wird der Ursprungszustand hergestellt #!/bin/bash # Let us call this script anonymity.bash and do some netfilter rules on the local machine. torsuperuser=sudo # Load the Kernel modules $torsuperuser modprobe ip_tables $torsuperuser modprobe ip_nat_ftp $torsuperuser modprobe ip_nat_irc $torsuperuser modprobe ip_conntrack_irc $torsuperuser modprobe ip_conntrack_ftp $torsuperuser modprobe iptable_filter $torsuperuser modprobe iptable_nat $torsuperuser modprobe ipt_REJECT $torsuperuser modprobe xt_recent $torsuperuser modprobe ipt_mac # Remove all rules $torsuperuser iptables -F $torsuperuser iptables -t nat -F $torsuperuser iptables -X # Default Policy $torsuperuser iptables -P INPUT DROP $torsuperuser iptables -P OUTPUT DROP $torsuperuser iptables -P FORWARD DROP # Allow Established and Related connetcions $torsuperuser iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT $torsuperuser iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow localhostloop $torsuperuser iptables -A INPUT -i lo -j ACCEPT $torsuperuser iptables -A OUTPUT -o lo -j ACCEPT # Ruleset for Tor Transparent Proxy $torsuperuser iptables -t nat -A OUTPUT -o lo -j RETURN $torsuperuser iptables -t nat -A OUTPUT -m owner --uid-owner "debian-tor" -j RETURN $torsuperuser iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 9053 $torsuperuser iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040 $torsuperuser iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $torsuperuser iptables -A OUTPUT -m owner --uid-owner "debian-tor" -j ACCEPT for NET in 127.0.0.0/8; do $torsuperuser iptables -A OUTPUT -d $NET -j ACCEPT done $torsuperuser iptables -A OUTPUT -j REJECT # Start Privoxy $torsuperuser service privoxy restart # Start TOR $torsuperuser service tor restart # Start TOR-ARM sleep 3 $torsuperuser -u debian-tor arm # Stop TOR $torsuperuser service tor stop # Stop Privoxy $torsuperuser service privoxy stop # Remove all rules $torsuperuser iptables -F $torsuperuser iptables -t nat -F $torsuperuser iptables -X # Set the default policies $torsuperuser iptables -P INPUT ACCEPT $torsuperuser iptables -P OUTPUT ACCEPT $torsuperuser iptables -P FORWARD ACCEPT Du kannst die CLIENT Konfiguration auf deinem raspberry anwenden, da er nur das WLAN und den WAN Anschluss hat. Allerdings musst du dazu dann die iptables-rules vom Router mit in dein Script reinnehmen und permanent beim Systemstart aufrufen 😀 Überprüfen obs funktioniert, kannst du in dem du diese Addresse im Browser eingiebst (Duckduckgo.com hidden service) → https://3g2upl4pq6kufc4m.onion/ |
|
(Themenstarter)
Anmeldungsdatum: Beiträge: 611 |
Das Teil ist jetzt angekommen - und nun scheitere ich schon fast am Anfang: Ich habe erst einmal versucht, einen wlan access point einzurichten mit hostapd. Dabei bin ich dieser Anleitung gefolgt: http://www.gtkdb.de/index_7_2179.html Aber mein usb wireless adapter akzeptiert nl80211 nicht. Er sollte eigentlich erkannt werden: lsusb: Bus 001 Device 002: ID 0424:9512 Standard Microsystems Corp. Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 001 Device 003: ID 0424:ec00 Standard Microsystems Corp. Bus 001 Device 004: ID 0bda:8176 Realtek Semiconductor Corp. RTL8188CUS 802.11n WLAN Adapter iwconfig: wlan0 unassociated Nickname:"<WIFI@REALTEK>"
Mode:Managed Frequency=2.412 GHz Access Point: Not-Associated
Sensitivity:0/0
Retry:off RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
lo no wireless extensions.
eth0 no wireless extensions.
iwlist: Usage: iwlist [interface] scanning [essid NNN] [last]
[interface] frequency
[interface] channel
[interface] bitrate
[interface] rate
[interface] encryption
[interface] keys
[interface] power
[interface] txpower
[interface] retry
[interface] ap
[interface] accesspoints
[interface] peers
[interface] event
[interface] auth
[interface] wpakeys
[interface] genie
[interface] modulation Eigentlich sollten die Treiber für den Realtek stick bereits im Kernel sein. Die zugehörige Firmware ist auch installiert. In meiner /etc/hostapd/hostapd.conf findet sich diese Zeile, die offensichtlich fehlerhaft ist: driver=nl80211 Aber was müsste dahin? |
|
Anmeldungsdatum: Beiträge: 713 Wohnort: Im Inntal |
|
|
(Themenstarter)
Anmeldungsdatum: Beiträge: 611 |
Das hängt genau an demselben Punkt: driver=nl82011 . Ich habe danach gegooglet, und die Antwort, die ich gefunden habe, macht mich nicht glücklich (der usb wireless unterstützt den Treiber nicht: "With this device you can only use the old tools iwconfig / iwlist.")
Das hoffe ich . . . 😀 😀 |
|
Anmeldungsdatum: Beiträge: 713 Wohnort: Im Inntal |
Hallo Farinet Hast du diese Tools installiert? sudo aptitude install wireless-tools hostapd pwgen Poste mal die Ausgaben von lspci |grep -i net lspci -v iwlist chan Hast du in der "/etc/default/hostapd.d" DAEMON_CONF="/etc/hostapd.conf" RUN_DAEMON=yes auskommentiert? Hast du die Datei verschoben? sudo cp /usr/share/doc/hostapd/examples/hostapd.conf.gz /etc/hostapd.conf.gz sudo gunzip /etc/hostapd.conf.gz Zeig mal deine /etc/hostapd.conf |