interesting
/
linux-router
mirror of https://github.com/garywill/linux-router.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

correct description about '--dhcp-dns(6)'

This commit is contained in:
garywill 2021-11-07 10:28:36 +08:00
parent 61a5af2202
commit 0ccdcf647a
2 changed files with 50 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
README.md
View File

@ -4,7 +4,7 @@ Set Linux as router in one command. Able to Provide Internet, or create Wifi hot
It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c` (or even by closing terminal window). It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c` (or even by closing terminal window).
[More tools and projects](https://garywill.github.io) | [🍻 Buy me a coffee ❤️](https://github.com/garywill/receiving/blob/master/receiving_methods.md) [More tools and projects 🛠️](https://garywill.github.io) | [🍻 Buy me a coffee ❤️](https://github.com/garywill/receiving/blob/master/receiving_methods.md)
## Features ## Features
@ -12,15 +12,16 @@ Basic features:
- Create a NATed sub-network - Create a NATed sub-network
- Provide Internet - Provide Internet
- DHCP server and RA - DHCP server (and RA) + DNS server
- DNS server - Configuring what DNS the DHCP server offers to clients
- Configuring upstream DNS for local DNS server (kind of a DNS proxy)
- IPv6 (behind NATed LAN, like IPv4) - IPv6 (behind NATed LAN, like IPv4)
- Creating Wifi hotspot: - Creating Wifi hotspot:
- Channel selecting - Channel selecting
- Choose encryptions: WPA2/WPA, WPA2, WPA, No encryption - Choose encryptions: WPA2/WPA, WPA2, WPA, No encryption
- Create AP on the same interface you are getting Internet (require same channel) - Create AP on the same interface you are getting Internet (usually require same channel)
- Transparent proxy (redsocks) - Transparent proxy (redsocks)
- DNS proxy - Transparent DNS proxy (hijack port 53 packets)
- Compatible with NetworkManager (automatically set interface as unmanaged) - Compatible with NetworkManager (automatically set interface as unmanaged)
**For many other features, see below [CLI usage](#cli-usage-and-other-features)** **For many other features, see below [CLI usage](#cli-usage-and-other-features)**
@ -62,21 +63,19 @@ Internet----(eth0/wlan0)-Linux-(virtual interface)-----VM/container
### Provide Internet to an interface ### Provide Internet to an interface
No matter which interface (other than `eth1`) you're getting Internet from
``` ```
sudo lnxrouter -i eth1 sudo lnxrouter -i eth1
``` ```
### Create Wifi hotspot no matter which interface (other than `eth1`) you're getting Internet from.
No matter which interface you're getting Internet from (even from `wlan0`) ### Create Wifi hotspot
``` ```
sudo lnxrouter --ap wlan0 MyAccessPoint -p MyPassPhrase sudo lnxrouter --ap wlan0 MyAccessPoint -p MyPassPhrase
``` ```
It will create virtual Interface `x0wlan0` for hotspot. no matter which interface you're getting Internet from (even from `wlan0`). Will create virtual Interface `x0wlan0` for hotspot.
### Provide an interface's Internet to another interface ### Provide an interface's Internet to another interface
@ -88,10 +87,10 @@ Clients access Internet through only `isp5`
sudo lnxrouter -i eth1 -o isp5 --no-dns --dhcp-dns 1.1.1.1 -6 --dhcp-dns6 [2606:4700:4700::1111] sudo lnxrouter -i eth1 -o isp5 --no-dns --dhcp-dns 1.1.1.1 -6 --dhcp-dns6 [2606:4700:4700::1111]
``` ```
It's recommended to: > In this case of usage, it's recommended to:
>
1. Stop serving local DNS to clients on our Linux host > 1. Stop serving local DNS
2. Tell clients which DNS to use (ISP5's DNS. Or, a safe public DNS, like above example) > 2. Tell clients which DNS to use (ISP5's DNS. Or, a safe public DNS, like above example)
> Also, read *Notice 1* > Also, read *Notice 1*
@ -274,6 +273,7 @@ Options:
and to provide Internet to and to provide Internet to
(To create Wifi hotspot use '--ap' instead) (To create Wifi hotspot use '--ap' instead)
-o <interface> Specify an inteface to provide Internet from. -o <interface> Specify an inteface to provide Internet from.
(See Notice 1)
(Note using this with default DNS option may leak (Note using this with default DNS option may leak
queries to other interfaces) queries to other interfaces)
-n Do not provide Internet (See Notice 1) -n Do not provide Internet (See Notice 1)
@ -298,15 +298,14 @@ Options:
--no-dnsmasq Disable dnsmasq server (DHCP, DNS, RA) --no-dnsmasq Disable dnsmasq server (DHCP, DNS, RA)
--catch-dns Transparent DNS proxy, redirect packets(TCP/UDP) --catch-dns Transparent DNS proxy, redirect packets(TCP/UDP)
whose destination port is 53 to this host whose destination port is 53 to this host
--log-dns Show DNS query log --log-dns Show DNS query log (dnsmasq)
--dhcp-dns <IP1[,IP2]>|no --dhcp-dns <IP1[,IP2]>|no
Set IPv4 DNS offered by DHCP (default: this host). Set IPv4 DNS offered by DHCP (default: this host).
This will enable '--no-dns' (Do not serve DNS)
--dhcp-dns6 <IP1[,IP2]>|no --dhcp-dns6 <IP1[,IP2]>|no
Set IPv6 DNS offered by DHCP (RA) Set IPv6 DNS offered by DHCP (RA)
(default: this host) (default: this host)
(Note IPv6 addresses need '[]' around) (Note IPv6 addresses need '[]' around)
This will enable '--no-dns' (Do not serve DNS) Using both above two will enable '--no-dns'
--hostname <name> DNS server associate this name with this host. --hostname <name> DNS server associate this name with this host.
Use '-' to read name from /etc/hostname Use '-' to read name from /etc/hostname
-d DNS server will take into account /etc/hosts -d DNS server will take into account /etc/hosts
@ -400,11 +399,11 @@ On exit of a linux-router instance, script **will do cleanup**, i.e. undo most c
- dnsmasq - dnsmasq
- iptables (or nftables with `iptables-nft` translation linked) - iptables (or nftables with `iptables-nft` translation linked)
- WiFi hotspot dependencies - WiFi hotspot dependencies
- hostapd - hostapd
- iw - iw
- iwconfig (you only need this if 'iw' can not recognize your adapter) - iwconfig (you only need this if 'iw' can not recognize your adapter)
- haveged (optional) - haveged (optional)
- qrencode (optional) - qrencode (optional)
## TODO ## TODO
@ -478,12 +477,12 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
## Meet developer(s) and become one of them ## Meet developer(s) and become one of them
Visit [**my homepage**](https://garywill.github.io) to see **more tools and projects**. Visit [**my homepage** 🏡](https://garywill.github.io) to see **more tools and projects** 🛠️.
> [Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) , this project took me lots of time! ([打赏一个!](https://github.com/garywill/receiving/blob/master/receiving_methods.md)) > [❤️ Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) , this project took me lots of time! ([❤️ 打赏一个!](https://github.com/garywill/receiving/blob/master/receiving_methods.md))
> >
> 🥂 ( ^\_^) o自自o (^_^ ) 🍻 > 🥂 ( ^\_^) o自自o (^_^ ) 🍻
🤝 Bisides, thank [create_ap](https://github.com/oblique/create_ap) by [oblique](https://github.com/oblique). This script was forked from create\_ap. Now they are quite different. (See `history` branch for how I modified create_ap). 🤝 Also thank those who contributed to that project. 🤝 Bisides, thank [create_ap](https://github.com/oblique/create_ap) by [oblique](https://github.com/oblique). This script was forked from create\_ap. Now they are quite different. (See `history` branch for how I modified create_ap). 🤝 Also thank those who contributed to that project.
🤝 You can be contributor, too! There're some TO-DOs listed, at both above and in the code file. Your name can be here! 👨‍💻 You can be contributor, too! 🍃 There're some TO-DOs listed, at both above and in the code file. Also some unfulfilled enhancements in the Issues. Your name can be here!

26
lnxrouter Executable file → Normal file
View File

@ -11,10 +11,13 @@ umask $SCRIPT_UMASK
phead() { phead() {
echo "linux-router $VERSION (https://github.com/garywill/linux-router)" echo "linux-router $VERSION (https://github.com/garywill/linux-router)"
} }
phead2() {
echo "Released under LGPL, with no warranty. Use on your own risk."
}
usage() { usage() {
phead phead
phead2
cat << EOF cat << EOF
Released under LGPL, with no warranty. Use on your own risk.
Usage: $PROGNAME <options> Usage: $PROGNAME <options>
@ -26,6 +29,7 @@ Options:
and to provide Internet to and to provide Internet to
(To create Wifi hotspot use '--ap' instead) (To create Wifi hotspot use '--ap' instead)
-o <interface> Specify an inteface to provide Internet from. -o <interface> Specify an inteface to provide Internet from.
(See Notice 1)
(Note using this with default DNS option may leak (Note using this with default DNS option may leak
queries to other interfaces) queries to other interfaces)
-n Do not provide Internet (See Notice 1) -n Do not provide Internet (See Notice 1)
@ -50,15 +54,14 @@ Options:
--no-dnsmasq Disable dnsmasq server (DHCP, DNS, RA) --no-dnsmasq Disable dnsmasq server (DHCP, DNS, RA)
--catch-dns Transparent DNS proxy, redirect packets(TCP/UDP) --catch-dns Transparent DNS proxy, redirect packets(TCP/UDP)
whose destination port is 53 to this host whose destination port is 53 to this host
--log-dns Show DNS query log --log-dns Show DNS query log (dnsmasq)
--dhcp-dns <IP1[,IP2]>|no --dhcp-dns <IP1[,IP2]>|no
Set IPv4 DNS offered by DHCP (default: this host). Set IPv4 DNS offered by DHCP (default: this host).
This will enable '--no-dns' (Do not serve DNS)
--dhcp-dns6 <IP1[,IP2]>|no --dhcp-dns6 <IP1[,IP2]>|no
Set IPv6 DNS offered by DHCP (RA) Set IPv6 DNS offered by DHCP (RA)
(default: this host) (default: this host)
(Note IPv6 addresses need '[]' around) (Note IPv6 addresses need '[]' around)
This will enable '--no-dns' (Do not serve DNS) Using both above two will enable '--no-dns'
--hostname <name> DNS server associate this name with this host. --hostname <name> DNS server associate this name with this host.
Use '-' to read name from /etc/hostname Use '-' to read name from /etc/hostname
-d DNS server will take into account /etc/hosts -d DNS server will take into account /etc/hosts
@ -124,7 +127,6 @@ Options:
Examples: Examples:
$PROGNAME -i eth1 $PROGNAME -i eth1
$PROGNAME --ap wlan0 MyAccessPoint
$PROGNAME --ap wlan0 MyAccessPoint -p MyPassPhrase $PROGNAME --ap wlan0 MyAccessPoint -p MyPassPhrase
$PROGNAME -i eth1 --tp <transparent-proxy> --dns <dns-proxy> $PROGNAME -i eth1 --tp <transparent-proxy> --dns <dns-proxy>
EOF EOF
@ -821,7 +823,7 @@ check_iptables()
iptables --version iptables --version
if which firewall-cmd > /dev/null 2>&1; then if which firewall-cmd > /dev/null 2>&1; then
if [[ "$(firewall-cmd --state)" == "running" ]]; then if [[ "$(firewall-cmd --state 2>&1)" == "running" ]]; then
echo "firewalld is running ($(firewall-cmd --version))" echo "firewalld is running ($(firewall-cmd --version))"
echo -e "\nWARN: We haven't completed the compatibility with firewalld.\nWARN: If you see any trouble, try:\nWARN: 1) 'firewall-cmd --zone=trusted --add-interface=<SUBN_IFACE>'\nWARN: 2) disable firewalld\n" >&2 echo -e "\nWARN: We haven't completed the compatibility with firewalld.\nWARN: If you see any trouble, try:\nWARN: 1) 'firewall-cmd --zone=trusted --add-interface=<SUBN_IFACE>'\nWARN: 2) disable firewalld\n" >&2
# TODO # TODO
@ -887,6 +889,7 @@ start_ban_lan() {
echo echo
echo "iptables: Disallow clients to access LAN" echo "iptables: Disallow clients to access LAN"
iptables_ -N BANLAN-f-${SUBNET_IFACE} || die iptables_ -N BANLAN-f-${SUBNET_IFACE} || die
# TODO: allow '--dhcp-dns(6)' address port 53, which can be something needed, e.g. a VPN's internal private IP
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 0.0.0.0/8 -j REJECT || die # TODO: use array iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 0.0.0.0/8 -j REJECT || die # TODO: use array
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 10.0.0.0/8 -j REJECT || die iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 10.0.0.0/8 -j REJECT || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 100.64.0.0/10 -j REJECT || die iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 100.64.0.0/10 -j REJECT || die
@ -902,7 +905,7 @@ start_ban_lan() {
iptables_ -N BANLAN-i-${SUBNET_IFACE} iptables_ -N BANLAN-i-${SUBNET_IFACE}
#iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} -j REJECT || die #iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} -j REJECT || die
iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} ! -p icmp -j REJECT || die iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} ! -p icmp -j REJECT || die
# TODO: ipv6 need icmp to function. maybe we can block some unneeded icmp to improve security # ipv6 need icmp to function. TODO: maybe we can block some unneeded icmp to improve security
iptables_ -I INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE} || die iptables_ -I INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE} || die
@ -1153,7 +1156,7 @@ kill_processes() { # for this instance
pn=$( ps -p $pid -o comm= ) pn=$( ps -p $pid -o comm= )
#echo "Killing $pid $pn ... " #echo "Killing $pid $pn ... "
pkill -P $pid pkill -P $pid
kill $pid 2>/dev/null && ( echo "Killed $pid $pn" && rm $x ) || echo "Failed to kill $pid $pn, it may have exited" kill $pid 2>/dev/null && ( echo "Killed $(basename $x) $pid $pn" && rm $x ) || echo "Failed to kill $(basename $x) $pid $pn, it may have exited"
fi fi
done done
} }
@ -1968,6 +1971,9 @@ daemonizing_check
## ===== Above don't echo anything if no warning or error==================== ## ===== Above don't echo anything if no warning or error====================
## ======================================================== ## ========================================================
phead phead
phead2
echo
echo "PID: $$" echo "PID: $$"
TARGET_IFACE="$(decide_target_interface)" || exit 1 # judge wired (-i CONN_IFACE) or wireless hotspot (--ap $WIFI_IFACE) TARGET_IFACE="$(decide_target_interface)" || exit 1 # judge wired (-i CONN_IFACE) or wireless hotspot (--ap $WIFI_IFACE)
@ -2060,7 +2066,7 @@ if [[ "$SHARE_METHOD" == "none" ]]; then
elif [[ "$SHARE_METHOD" == "nat" ]]; then elif [[ "$SHARE_METHOD" == "nat" ]]; then
[[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS, queries may leak to other interfaces!!!\n" >&2 [[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS. In some unexpected case (eg. mistaken configurations), queries may leak to other interfaces, which you should be aware of.\n" >&2
start_nat start_nat
@ -2082,7 +2088,7 @@ elif [[ "$SHARE_METHOD" == "redsocks" ]]; then
echo 1 > "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/forwarding" || die "Failed enabling $SUBNET_IFACE ipv6 forwarding" # to set NA router bit echo 1 > "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/forwarding" || die "Failed enabling $SUBNET_IFACE ipv6 forwarding" # to set NA router bit
fi fi
[[ "$dnsmasq_NO_DNS" -eq 0 && ! $DNS ]] && echo -e "\nWARN: You are using in transparent proxy mode but this host is providing local DNS, this may cause privacy leak !!!\n" >&2 [[ "$dnsmasq_NO_DNS" -eq 0 && ! $DNS ]] && echo -e "\nWARN: You are using in transparent proxy mode but this host is providing local DNS. In some unexpected case (eg. mistaken configurations), queries may leak to other interfaces, which you should be aware of.\n" >&2
[[ "$BANLAN" -eq 1 ]] && start_ban_lan [[ "$BANLAN" -eq 1 ]] && start_ban_lan