...

Imported ~/Documents/Debian9-base.ova into VirtualBox as Debian9-base_8021x, re-initializing all MAC addresses. The description for this virtual machine template is:

Code Block
Debian 9 amd64 installation
- Hostname:
debian9-base
- User accounts (username password):
ls last
root last
- Partitioning:
--- Physical:
------ 1GB RAID boot flag
------ 29GB RAID
--- RAID:
------ md0: ext3 /boot
------ md1: LVM - part of volume group debian9-base
--- LVM (VG/LV):
------ debian9-base/root: 18.6GB ext4 /
------ debian9-base/swap: 3.72GB swap area
- Up to date as of 2017-09-27
- sources.list includes:
Sections: main contrib non-free
Additional repository: backports
- Apt-cacher configured as per Last School site (Proxy credentials will need to be entered in /etc/apt/apt.conf.d/02proxy by user)
- SSH access installed and enabled

- Gnome and Firefox configured to auto-detect proxy settings
- Extra software installed:
vlc gimp emacs fonts-indic tcpdump iperf exfat-utils wireshark

- One network interface as bridged adapter, cable connected.


Added a second ethernet adapter in settings, connected to "Not attached", re-initialized its MAC address
Increased the allocated CPUs to 2

The network configuration is now as follows:

enp0s3 - Adapter 1 - Bridged adapter

...

Installed my ssh public key in root's .ssh/authorized_keys file.


Installation of relevant services:

Shorewall (based on LASTSCHL-207):


Code Block
apt-get install shorewall
apt-get install ipset
mv /etc/shorewall{,-orig}
mkdir /etc/shorewall
root@server.lastschl:~# scp /etc/shorewall/* root@192.168.10.52:/etc/shorewall/
#commented all entries related to loc and vpn zones (including dynamic zone man) in all files
#removed all MAC addresses of wifi clients

Code Block
cp -r shorewall{,-remove-loc-vpn-man-wifimac}
# updated interface names in the interfaces and masq files
cp -r shorewall{,-updated-interfaces}
# in /etc/default/shorewall: startup=1



removed postfix, proxy rules (did not update config backups)
root@debian9-base:/etc/shorewall# for i in `ls`; do echo "========= $i ========="; cat $i | grep -v "^#" | grep -v "^$"; echo "========= $i ========="; echo ""; done
========= hosts =========
wifi1         enp0s8:dynamic
========= hosts =========

========= interfaces =========
net     enp0s3         detect      tcpflags,dhcp,nosmurfs,routefilter,logmartians
wifi	enp0s8		   detect	   tcpflags,nosmurfs,routefilter,logmartians
========= interfaces =========

========= masq =========
enp0s3					   192.168.9.0/24
========= masq =========

========= policy =========
$FW		net		REJECT		INFO(uid)
$FW		wifi	ACCEPT		INFO(uid)
wifi	all		REJECT
wifi1	net		ACCEPT		INFO
wifi1	$FW		ACCEPT		INFO(uid)
$FW		wifi1	ACCEPT		INFO(uid)
net		all		DROP		INFO
all		all		REJECT		info
========= policy =========

========= routestopped =========
========= routestopped =========

========= rules =========
Invalid(DROP)		 net			 all
ACCEPT:INFO(uid)     net             $FW             tcp     22
ACCEPT:INFO(uid)     net             $FW             udp     123
ACCEPT:INFO(uid)     net	     	 $FW	     	 icmp
ACCEPT:INFO(uid)     $FW             net             tcp     465,587,995,993
ACCEPT:INFO(uid)     $FW             net             udp     53,123
ACCEPT:INFO(uid)     $FW	     	 net	     	 icmp
ACCEPT:INFO(uid)     $FW             net             tcp     -            -               -               -               root
ACCEPT:INFO(uid)     $FW             net             udp     -            -               -               -               root
ACCEPT:INFO(uid)     $FW             net             icmp    -            -               -               -               root
ACCEPT:INFO(uid)     $FW             net             tcp     -            -               -               -               _apt
ACCEPT:INFO(uid)     $FW             net             udp     -            -               -               -               _apt
ACCEPT:INFO(uid)     $FW             net             icmp    -            -               -               -               _apt
========= rules =========

========= shorewall.conf =========
STARTUP_ENABLED=Yes
....
SAVE_IPSETS=Yes
....
========= shorewall.conf =========

========= zones =========
fw			firewall
net			ipv4
wifi		ipv4
wifi1:wifi	ipv4				dynamic_shared
========= zones =========
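To sanity-check the zone policy and rules dumped above, here is a small Python evaluator (an added example, not part of the original page and not Shorewall's own code) that walks a constructed copy of the policy file and a subset of the rules file the way Shorewall does: rules first-match, then policies first-match. It assumes the caller names a client's most specific zone (wifi1 for an address in the dynamic ipset, otherwise wifi), models only NEW connections, and ignores Shorewall's parent-zone handling for nested zones; those are simplifications of mine.

```python
import re

# Constructed copies of the page's Shorewall policy file and a subset of its rules file.
POLICY = """
$FW   net    REJECT  INFO(uid)
$FW   wifi   ACCEPT  INFO(uid)
wifi  all    REJECT
wifi1 net    ACCEPT  INFO
wifi1 $FW    ACCEPT  INFO(uid)
$FW   wifi1  ACCEPT  INFO(uid)
net   all    DROP    INFO
all   all    REJECT  info
"""
RULES = """
Invalid(DROP)      net   all
ACCEPT:INFO(uid)   net   $FW   tcp   22
ACCEPT:INFO(uid)   net   $FW   udp   123
ACCEPT:INFO(uid)   $FW   net   tcp   465,587,995,993
ACCEPT:INFO(uid)   $FW   net   udp   53,123
ACCEPT:INFO(uid)   $FW   net   tcp   -   -   -   -   _apt
ACCEPT:INFO(uid)   $FW   net   udp   -   -   -   -   _apt
"""

def _rows(text):
    """Split a Shorewall file into columns; '$FW' is spelled 'fw' here."""
    return [line.replace("$FW", "fw").split() for line in text.strip().splitlines()]

def evaluate(src, dst, proto, dport=None, user=None):
    """Return (action, reason) for a NEW connection from zone src to zone dst.
    Rules are tried first-match, then policies first-match (assumed model).
    State-qualified actions such as Invalid(DROP) are skipped because only
    NEW connections are modelled; src must be the client's most specific zone."""
    for cols in _rows(RULES):
        cols += ["-"] * (9 - len(cols))                      # pad optional columns
        action, rsrc, rdst, rproto, rdport, ruser = (*cols[:5], cols[8])
        if re.match(r"(Invalid|NotSyn)\(", action):          # state-qualified: skip
            continue
        if rsrc not in ("all", src) or rdst not in ("all", dst):
            continue
        if rproto not in ("-", proto) or (rdport != "-" and str(dport) not in rdport.split(",")):
            continue
        if ruser not in ("-", user):                         # USER column (uid match)
            continue
        return action.split(":")[0], "rule: " + " ".join(cols[:5])
    for psrc, pdst, policy, *_ in _rows(POLICY):
        if psrc in ("all", src) and pdst in ("all", dst):
            return policy, f"policy: {psrc} {pdst} {policy}"
    return "REJECT", "no matching policy"
```

Running it shows the intended effect of the dynamic zone: a wifi client that has not been added to the wifi1 ipset is rejected everywhere, while a wifi1 member reaches net and the firewall.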

In /etc/default/shorewall, set

Code Block
startup=1
Code Block
root@server.lastschl:~# scp /etc/rsyslog.d/40-shorewall.conf  192.168.10.52:/etc/rsyslog.d/
root@server.lastschl:~# scp /etc/logrotate.d/shorewall 192.168.10.52:/etc/logrotate.d/
root@server.lastschl:~# scp /etc/logrotate.d/rsyslog 192.168.10.52:/etc/logrotate.d/
root@server.lastschl:~# scp /etc/logrotate.conf 192.168.10.52:/etc/

systemctl enable shorewall.service




Added the _apt user rules to the Shorewall rules file (see the rules dump above).

Configure network and DHCP (based on LASTSCHL-212):

...