diff --git a/README.md b/README.md index 655abc5..0c69750 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,10 @@ -# Linux-router +# Linux-router Set Linux as router in one command. Able to Provide Internet, or create Wifi hotspot. Support transparent proxy (redsocks). Also useful for routing VM/containers. It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c`. - -## Features +## Features Basic features: @@ -26,6 +25,7 @@ Basic features: **For many other features, see below [CLI usage](#cli-usage-and-other-features)** ### Useful in these situations + ``` Internet----(eth0/wlan0)-Linux-(wlanX)AP |--client @@ -56,7 +56,7 @@ Internet----(eth0/wlan0)-Linux-(eth1)------Another PC ``` Internet----(eth0/wlan0)-Linux-(virtual interface)-----VM/container ``` - + ## Usage ### Provide Internet to an interface @@ -66,6 +66,7 @@ Internet----(eth0/wlan0)-Linux-(virtual interface)-----VM/container ``` ### Provide an interface's Internet to another interface + ``` # lnxrouter -i eth1 -o vpn0 --dhcp-dns 1.1.1.1 ``` @@ -97,28 +98,38 @@ DNSPort 0.0.0.0:9053 TransPort [::]:9040 DNSPort [::]:9053 ``` + ### Internet for LXC + Create a bridge + ``` # brctl addbr lxcbr5 ``` + In LXC container `config` + ``` lxc.network.type = veth lxc.network.flags = up lxc.network.link = lxcbr5 lxc.network.hwaddr = xx:xx:xx:xx:xx:xx ``` + ``` # lnxrouter -i lxcbr5 ``` ### Use as transparent proxy for LXD + Create a bridge + ``` # brctl addbr lxdbr5 ``` + Create and add LXD profile + ``` $ lxc profile create profile5 $ lxc profile edit profile5 
@@ -136,30 +147,54 @@ name: profile5 $ lxc profile add profile5 ``` + That should make one container have 2 profiles. `profile5` will override `eth0`. + ``` # lnxrouter -i lxdbr5 --tp 9040 --dns 9053 ``` + To remove that new profile from container + ``` $ lxc profile remove profile5 ``` #### To not use profile + Add device `eth0` to container overriding default `eth0` + ``` $ lxc config device add eth0 nic name=eth0 nictype=bridged parent=lxdbr5 ``` + To remove the customized `eth0` to restore default `eth0` + ``` $ lxc config device remove eth0 ``` ### Use as transparent proxy for VirtualBox + On VirtualBox's global settings, create a host-only network `vboxnet5` with DHCP disabled. + ``` # lnxrouter -i vboxnet5 --tp 9040 --dns 9053 ``` + +### Use as transparent proxy for firejail + +Create a bridge + +``` +# brctl addbr firejail5 +``` + +``` +# lnxrouter -i firejail5 -g 192.168.55.1 --tp 9040 --dns 9053 +$ firejail --net=firejail5 --dns=192.168.55.1 +``` + ### CLI usage and other features ``` @@ -176,13 +211,11 @@ Options: (Note using this with default DNS option may leak queries to other interfaces) -n Do not provide Internet - + -g Set this host's IPv4 address, netmask is 24 - (default: 192.168.18.1) -6 Enable IPv6 (NAT) --p6 Set IPv6 prefix (length 64) - (default: fd00:1:1:1:: ) - + --dns || DNS server's upstream DNS. Use ',' to seperate multiple servers @@ -202,18 +235,18 @@ Options: -d DNS server will take into account /etc/hosts -e DNS server will take into account additional hosts file - + --mac Set MAC address - + --tp Transparent proxy, redirect non-LAN tcp and udp traffic to port. Usually used with '--dns' - + Wifi hotspot options: --ap Create Wifi access point --password Wifi password - + --hidden Hide access point (not broadcast SSID) --no-virt Do not create virtual interface Using this you can't use same wlan interface 
@@ -232,12 +265,12 @@ Options: (defaults to /etc/hostapd/hostapd.accept) --hostapd-debug 1 or 2. Passes -d or -dd to hostapd --isolate-clients Disable wifi communication between clients - + --ieee80211n Enable IEEE 802.11n (HT) --ieee80211ac Enable IEEE 802.11ac (VHT) --ht_capab HT capabilities (default: [HT40+]) --vht_capab VHT capabilities - + --no-haveged Do not run haveged automatically when needed Instance managing: @@ -248,11 +281,13 @@ Options: For you can use PID or subnet interface name. You can get them with '--list-running' ``` + > These changes to system will not be restored by script's cleanup: -1. `/proc/sys/net/ipv4/ip_forward = 1` and `/proc/sys/net/ipv6/conf/all/forwarding = 1`, needed by NAT Internet sharing. -2. dnsmasq in Apparmor complain mode +> 1. `/proc/sys/net/ipv4/ip_forward = 1` and `/proc/sys/net/ipv6/conf/all/forwarding = 1`, needed by NAT Internet sharing. +> 2. dnsmasq in Apparmor complain mode ## Dependencies + - bash - procps or procps-ng - iproute2 @@ -269,9 +304,13 @@ Wifi hotspot: ## TODO - Option to ban private network access -- Option to randomize MAC, IP, SSID, password +- Option to randomize MAC - Option to redirect all DNS traffic +## Donate + +[Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) + ## Thanks Many thanks to project [create_ap](https://github.com/oblique/create_ap). diff --git a/lnxrouter b/lnxrouter index 9c40355..6301a9e 100755 --- a/lnxrouter +++ b/lnxrouter @@ -27,10 +27,8 @@ Options: -n Do not provide Internet -g Set this host's IPv4 address, netmask is 24 - (default: 192.168.18.1) -6 Enable IPv6 (NAT) - --p6 Set IPv6 prefix (length 64) - (default: fd00:1:1:1:: ) + --p6 Set IPv6 prefix (length 64) (example: fd00:1:2:3::) --dns || DNS server's upstream DNS. @@ -111,8 +109,8 @@ if [[ "$1" == "" ]]; then exit 0 fi -GATEWAY=192.168.18.1 -PREFIX6=fd00:1:1:1:: +GATEWAY= +PREFIX6= IID6=1 IPV6=0 ROUTE_ADDRS= 
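Review bot: The usage text for `-g` and `--p6` no longer says what happens when the option is omitted, although this same commit makes the now-empty `GATEWAY=` and `PREFIX6=` defaults trigger random subnet selection later in the script, so a reader of the help output cannot tell that leaving out `-g` picks a random 192.168.x.1 address. Suggest restoring a default note on both lines, e.g. `-g              Set this host's IPv4 address, netmask is 24 (default: random 192.168.x.1)` and `--p6            Set IPv6 prefix (length 64) (default: random fdxx:xxxx:xxxx:xxxx::)`. The README hunks earlier on this page drop the same "(default: …)" text and would want the matching wording.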
@@ -588,6 +586,44 @@ get_new_macaddr() {
 echo $NEWMAC
 }
 
+is_ip4_range_available() {
+ ( ip -4 address | grep "inet 192\.168\.$1\." > /dev/null 2>&1 ) && return 1
+ ( ip -4 route | grep "^192\.168\.$1\." > /dev/null 2>&1 ) && return 1
+ ( ip -4 route get 192.168.$1.0 | grep "\bvia\b" > /dev/null 2>&1 ) && \
+ ( ip -4 route get 192.168.$1.255 | grep "\bvia\b" > /dev/null 2>&1 ) && return 0
+ return 1
+}
+is_ip6_range_available() {
+ ( ip -6 address | grep -i "inet6 fd$1:$2$3:$4$5:$6$7:" > /dev/null 2>&1 ) && return 1
+ ( ip -6 route | grep -i "^fd$1:$2$3:$4$5:$6$7:" > /dev/null 2>&1 ) && return 1
+ ( ip -6 route get fd$1:$2$3:$4$5:$6$7:: | grep "\bvia\b" > /dev/null 2>&1 ) && \
+ ( ip -6 route get fd$1:$2$3:$4$5:$6$7:ffff:ffff:ffff:ffff | grep "\bvia\b" > /dev/null 2>&1 ) && return 0
+ return 1
+}
+
+generate_random_ip4() {
+ local random_ip4
+ while :; do
+ random_ip4=$(($RANDOM%256))
+ is_ip4_range_available $random_ip4 && break
+ done
+ GATEWAY="192.168.$random_ip4.1"
+}
+generate_random_ip6() {
+ local r1 r2 r3 r4 r5 r6 r7
+ while :; do
+ r1=$( printf "%x" $(($RANDOM%240+16)) )
+ r2=$( printf "%x" $(($RANDOM%240+16)) )
+ r3=$( printf "%x" $(($RANDOM%240+16)) )
+ r4=$( printf "%x" $(($RANDOM%240+16)) )
+ r5=$( printf "%x" $(($RANDOM%240+16)) )
+ r6=$( printf "%x" $(($RANDOM%240+16)) )
+ r7=$( printf "%x" $(($RANDOM%240+16)) )
+ is_ip6_range_available $r1 $r2 $r3 $r4 $r5 $r6 $r7 && break
+ done
+ PREFIX6="fd$r1:$r2$r3:$r4$r5:$r6$r7::"
+}
+
 # start haveged when needed
 haveged_watchdog() {
 local show_warn=1
@@ -1046,19 +1082,6 @@ send_stop() {
 ## ========================================================
 ## ========================================================
 
-if [[ $TP_PORT ]]; then
- SHARE_METHOD=redsocks
-fi
-
-
-if [[ $IPV6 -eq 1 ]]; then
- GATEWAY6=${PREFIX6}${IID6}
-fi
-
-if [[ $DHCP_DNS != 'gateway' && $DHCP_DNS6 != 'gateway' ]]; then
- dnsmasq_NO_DNS=1
-fi
-
 if [[ -d /dev/shm ]]; then
 TMPD=/dev/shm
 elif [[ -d /run/shm ]]; then
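Review bot: `generate_random_ip4` and `generate_random_ip6` can loop forever, because `is_ip4_range_available` and `is_ip6_range_available` return 0 only when `ip route get` prints a `via` hop for both ends of the candidate range, and on a host with no default route (offline, or `-n` on a box with only local interfaces) `ip route get` fails for every candidate, so every call returns 1 and `while :; do` never terminates — the script hangs before it has changed anything. Bound the search and fail loudly: declare `local random_ip4 tries=0`, and after the availability check add `(( ++tries > 256 )) && die "No free 192.168.x.0/24 subnet found; pass one with -g"` (the script's `die` is used elsewhere in this diff), with the same guard in the IPv6 loop. A short comment on `is_ip4_range_available` saying that the `via` test intentionally rejects any candidate that is directly connected or unroutable would also help, since that intent is not obvious from the greps.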
@@ -1203,6 +1226,27 @@ else fi echo "Target interface is ${TARGET_IFACE}" + +if [[ ! -n $GATEWAY ]]; then + generate_random_ip4 + echo "Use random IPv4 address $GATEWAY" +fi +if [[ $IPV6 -eq 1 && ! -n $PREFIX6 ]]; then + generate_random_ip6 + echo "Use random IPv6 address ${PREFIX6}${IID6}" +fi +if [[ $IPV6 -eq 1 ]]; then + GATEWAY6=${PREFIX6}${IID6} +fi + +if [[ $TP_PORT ]]; then + SHARE_METHOD=redsocks +fi + +if [[ $DHCP_DNS != 'gateway' && $DHCP_DNS6 != 'gateway' ]]; then + dnsmasq_NO_DNS=1 +fi + #================= # begin to do some change on config files and system @@ -1567,7 +1611,7 @@ if [[ $NO_DNSMASQ -eq 0 ]]; then #while [[ ! -f $CONFDIR/dnsmasq.pid ]]; do # sleep 1 #done - #echo -n "dnsmasq PID: " ; cat $CONFDIR/dnsmasq.pid + echo -n "dnsmasq PID: " ; cat $CONFDIR/dnsmasq.pid #(wait $DNSMASQ_PID ; die "dnsmasq failed") & ( while [ -e /proc/$DNSMASQ_PID ]; do sleep 10; done ; die "dnsmasq exited" ) & sleep 2
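Review bot: The two new guards spell emptiness as `[[ ! -n $GATEWAY ]]` and `[[ $IPV6 -eq 1 && ! -n $PREFIX6 ]]`, which reads as a double negative where bash has a direct test; `if [[ -z $GATEWAY ]]; then` and `if [[ $IPV6 -eq 1 && -z $PREFIX6 ]]; then` say the same thing. Ordering is otherwise right: `GATEWAY6=${PREFIX6}${IID6}` is now computed after the random prefix can be chosen, which the old placement (removed in the earlier hunk) could not guarantee. A one-line comment above the block, `# pick unused random subnets when -g / --p6 were not given`, would make the move self-explanatory.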
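Review bot: The re-enabled `echo -n "dnsmasq PID: " ; cat $CONFDIR/dnsmasq.pid` reads the pid file with no existence check and an unquoted path, and the commented-out `while [[ ! -f $CONFDIR/dnsmasq.pid ]]` loop right above it suggests the file may not be written yet at that point, so `cat` can print an error to the console (and, if the script runs with `set -e`, presumably abort — not visible from here). Guard it, `[[ -f "$CONFDIR/dnsmasq.pid" ]] && cat -- "$CONFDIR/dnsmasq.pid"`, or print `$DNSMASQ_PID`, which the next context line already relies on. The enclosing `if [[ $NO_DNSMASQ -eq 0 ]]` block starts and ends outside the hunk.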