random IP

firejail
This commit is contained in:
garywill 2018-08-31 18:41:06 +08:00 committed by garywill
parent e551d6e412
commit 0f498e043d
2 changed files with 119 additions and 36 deletions

View File

@ -1,11 +1,10 @@
# Linux-router # Linux-router
Set Linux as router in one command. Able to Provide Internet, or create Wifi hotspot. Support transparent proxy (redsocks). Also useful for routing VM/containers. Set Linux as router in one command. Able to Provide Internet, or create Wifi hotspot. Support transparent proxy (redsocks). Also useful for routing VM/containers.
It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c`. It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c`.
## Features
## Features
Basic features: Basic features:
@ -26,6 +25,7 @@ Basic features:
**For many other features, see below [CLI usage](#cli-usage-and-other-features)** **For many other features, see below [CLI usage](#cli-usage-and-other-features)**
### Useful in these situations ### Useful in these situations
``` ```
Internet----(eth0/wlan0)-Linux-(wlanX)AP Internet----(eth0/wlan0)-Linux-(wlanX)AP
|--client |--client
@ -56,7 +56,7 @@ Internet----(eth0/wlan0)-Linux-(eth1)------Another PC
``` ```
Internet----(eth0/wlan0)-Linux-(virtual interface)-----VM/container Internet----(eth0/wlan0)-Linux-(virtual interface)-----VM/container
``` ```
## Usage ## Usage
### Provide Internet to an interface ### Provide Internet to an interface
@ -66,6 +66,7 @@ Internet----(eth0/wlan0)-Linux-(virtual interface)-----VM/container
``` ```
### Provide an interface's Internet to another interface ### Provide an interface's Internet to another interface
``` ```
# lnxrouter -i eth1 -o vpn0 --dhcp-dns 1.1.1.1 # lnxrouter -i eth1 -o vpn0 --dhcp-dns 1.1.1.1
``` ```
@ -97,28 +98,38 @@ DNSPort 0.0.0.0:9053
TransPort [::]:9040 TransPort [::]:9040
DNSPort [::]:9053 DNSPort [::]:9053
``` ```
### Internet for LXC ### Internet for LXC
Create a bridge Create a bridge
``` ```
# brctl addbr lxcbr5 # brctl addbr lxcbr5
``` ```
In LXC container `config` In LXC container `config`
``` ```
lxc.network.type = veth lxc.network.type = veth
lxc.network.flags = up lxc.network.flags = up
lxc.network.link = lxcbr5 lxc.network.link = lxcbr5
lxc.network.hwaddr = xx:xx:xx:xx:xx:xx lxc.network.hwaddr = xx:xx:xx:xx:xx:xx
``` ```
``` ```
# lnxrouter -i lxcbr5 # lnxrouter -i lxcbr5
``` ```
### Use as transparent proxy for LXD ### Use as transparent proxy for LXD
Create a bridge Create a bridge
``` ```
# brctl addbr lxdbr5 # brctl addbr lxdbr5
``` ```
Create and add LXD profile Create and add LXD profile
``` ```
$ lxc profile create profile5 $ lxc profile create profile5
$ lxc profile edit profile5 $ lxc profile edit profile5
@ -136,30 +147,54 @@ name: profile5
$ lxc profile add <container> profile5 $ lxc profile add <container> profile5
``` ```
That should make one container have 2 profiles. `profile5` will override `eth0`. That should make one container have 2 profiles. `profile5` will override `eth0`.
``` ```
# lnxrouter -i lxdbr5 --tp 9040 --dns 9053 # lnxrouter -i lxdbr5 --tp 9040 --dns 9053
``` ```
To remove that new profile from container To remove that new profile from container
``` ```
$ lxc profile remove <container> profile5 $ lxc profile remove <container> profile5
``` ```
#### To not use profile #### To not use profile
Add device `eth0` to container overriding default `eth0` Add device `eth0` to container overriding default `eth0`
``` ```
$ lxc config device add <container> eth0 nic name=eth0 nictype=bridged parent=lxdbr5 $ lxc config device add <container> eth0 nic name=eth0 nictype=bridged parent=lxdbr5
``` ```
To remove the customized `eth0` to restore default `eth0` To remove the customized `eth0` to restore default `eth0`
``` ```
$ lxc config device remove <container> eth0 $ lxc config device remove <container> eth0
``` ```
### Use as transparent proxy for VirtualBox ### Use as transparent proxy for VirtualBox
On VirtualBox's global settings, create a host-only network `vboxnet5` with DHCP disabled. On VirtualBox's global settings, create a host-only network `vboxnet5` with DHCP disabled.
``` ```
# lnxrouter -i vboxnet5 --tp 9040 --dns 9053 # lnxrouter -i vboxnet5 --tp 9040 --dns 9053
``` ```
### Use as transparent proxy for firejail
Create a bridge
```
# brctl addbr firejail5
```
```
# lnxrouter -i firejail5 -g 192.168.55.1 --tp 9040 --dns 9053
$ firejail --net=firejail5 --dns=192.168.55.1
```
### CLI usage and other features ### CLI usage and other features
``` ```
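Review bot: this section should say why `-g 192.168.55.1` is given: with this commit the host address is randomized unless `-g` is set, and `firejail --dns=192.168.55.1` has to name the same address, so the two values must be kept in sync by hand and the `-g` is required rather than cosmetic. As in the LXD and VirtualBox sections, `--tp 9040 --dns 9053` assumes the Tor `TransPort`/`DNSPort` config shown earlier; a pointer to it would help a reader who jumps straight to this section.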
@ -176,13 +211,11 @@ Options:
(Note using this with default DNS option may leak (Note using this with default DNS option may leak
queries to other interfaces) queries to other interfaces)
-n Do not provide Internet -n Do not provide Internet
-g <ip> Set this host's IPv4 address, netmask is 24 -g <ip> Set this host's IPv4 address, netmask is 24
(default: 192.168.18.1)
-6 Enable IPv6 (NAT) -6 Enable IPv6 (NAT)
--p6 <prefix> Set IPv6 prefix (length 64) --p6 <prefix> Set IPv6 prefix (length 64)
(default: fd00:1:1:1:: )
--dns <ip>|<port>|<ip:port> --dns <ip>|<port>|<ip:port>
DNS server's upstream DNS. DNS server's upstream DNS.
Use ',' to seperate multiple servers Use ',' to seperate multiple servers
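Review bot: dropping `(default: 192.168.18.1)` under `-g <ip>` and `(default: fd00:1:1:1:: )` under `--p6` leaves the help text silent on what happens when the option is omitted; suggest `(default: random 192.168.x.1)` and `(default: random fdxx:xxxx:xxxx:xxxx::)` so users know the gateway changes between runs and must pass `-g` when a client needs a fixed address (as the new firejail example does). Minor: `seperate` in the unchanged context line should be `separate`.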
@ -202,18 +235,18 @@ Options:
-d DNS server will take into account /etc/hosts -d DNS server will take into account /etc/hosts
-e <hosts_file> DNS server will take into account additional -e <hosts_file> DNS server will take into account additional
hosts file hosts file
--mac <MAC> Set MAC address --mac <MAC> Set MAC address
--tp <port> Transparent proxy, --tp <port> Transparent proxy,
redirect non-LAN tcp and udp traffic to port. redirect non-LAN tcp and udp traffic to port.
Usually used with '--dns' Usually used with '--dns'
Wifi hotspot options: Wifi hotspot options:
--ap <wifi interface> <SSID> --ap <wifi interface> <SSID>
Create Wifi access point Create Wifi access point
--password <password> Wifi password --password <password> Wifi password
--hidden Hide access point (not broadcast SSID) --hidden Hide access point (not broadcast SSID)
--no-virt Do not create virtual interface --no-virt Do not create virtual interface
Using this you can't use same wlan interface Using this you can't use same wlan interface
@ -232,12 +265,12 @@ Options:
(defaults to /etc/hostapd/hostapd.accept) (defaults to /etc/hostapd/hostapd.accept)
--hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd --hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd
--isolate-clients Disable wifi communication between clients --isolate-clients Disable wifi communication between clients
--ieee80211n Enable IEEE 802.11n (HT) --ieee80211n Enable IEEE 802.11n (HT)
--ieee80211ac Enable IEEE 802.11ac (VHT) --ieee80211ac Enable IEEE 802.11ac (VHT)
--ht_capab <HT> HT capabilities (default: [HT40+]) --ht_capab <HT> HT capabilities (default: [HT40+])
--vht_capab <VHT> VHT capabilities --vht_capab <VHT> VHT capabilities
--no-haveged Do not run haveged automatically when needed --no-haveged Do not run haveged automatically when needed
Instance managing: Instance managing:
@ -248,11 +281,13 @@ Options:
For <id> you can use PID or subnet interface name. For <id> you can use PID or subnet interface name.
You can get them with '--list-running' You can get them with '--list-running'
``` ```
> These changes to system will not be restored by script's cleanup: > These changes to system will not be restored by script's cleanup:
1. `/proc/sys/net/ipv4/ip_forward = 1` and `/proc/sys/net/ipv6/conf/all/forwarding = 1`, needed by NAT Internet sharing. > 1. `/proc/sys/net/ipv4/ip_forward = 1` and `/proc/sys/net/ipv6/conf/all/forwarding = 1`, needed by NAT Internet sharing.
2. dnsmasq in Apparmor complain mode > 2. dnsmasq in Apparmor complain mode
## Dependencies ## Dependencies
- bash - bash
- procps or procps-ng - procps or procps-ng
- iproute2 - iproute2
@ -269,9 +304,13 @@ Wifi hotspot:
## TODO ## TODO
- Option to ban private network access - Option to ban private network access
- Option to randomize MAC, IP, SSID, password - Option to randomize MAC
- Option to redirect all DNS traffic - Option to redirect all DNS traffic
## Donate
[Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md)
## Thanks ## Thanks
Many thanks to project [create_ap](https://github.com/oblique/create_ap). Many thanks to project [create_ap](https://github.com/oblique/create_ap).

View File

@ -27,10 +27,8 @@ Options:
-n Do not provide Internet -n Do not provide Internet
-g <ip> Set this host's IPv4 address, netmask is 24 -g <ip> Set this host's IPv4 address, netmask is 24
(default: 192.168.18.1)
-6 Enable IPv6 (NAT) -6 Enable IPv6 (NAT)
--p6 <prefix> Set IPv6 prefix (length 64) --p6 <prefix> Set IPv6 prefix (length 64) (example: fd00:1:2:3::)
(default: fd00:1:1:1:: )
--dns <ip>|<port>|<ip:port> --dns <ip>|<port>|<ip:port>
DNS server's upstream DNS. DNS server's upstream DNS.
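Review bot: `--p6` gained `(example: fd00:1:2:3::)` but `-g <ip>` lost its default note with nothing in its place; add `(default: random)` to both lines so the script's `-h` output matches the new behaviour, and keep the README's copy of this block in sync with it.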
@ -111,8 +109,8 @@ if [[ "$1" == "" ]]; then
exit 0 exit 0
fi fi
GATEWAY=192.168.18.1 GATEWAY=
PREFIX6=fd00:1:1:1:: PREFIX6=
IID6=1 IID6=1
IPV6=0 IPV6=0
ROUTE_ADDRS= ROUTE_ADDRS=
@ -588,6 +586,44 @@ get_new_macaddr() {
echo $NEWMAC echo $NEWMAC
} }
is_ip4_range_available() {
( ip -4 address | grep "inet 192\.168\.$1\." > /dev/null 2>&1 ) && return 1
( ip -4 route | grep "^192\.168\.$1\." > /dev/null 2>&1 ) && return 1
( ip -4 route get 192.168.$1.0 | grep "\bvia\b" > /dev/null 2>&1 ) && \
( ip -4 route get 192.168.$1.255 | grep "\bvia\b" > /dev/null 2>&1 ) && return 0
return 1
}
is_ip6_range_available() {
( ip -6 address | grep -i "inet6 fd$1:$2$3:$4$5:$6$7:" > /dev/null 2>&1 ) && return 1
( ip -6 route | grep -i "^fd$1:$2$3:$4$5:$6$7:" > /dev/null 2>&1 ) && return 1
( ip -6 route get fd$1:$2$3:$4$5:$6$7:: | grep "\bvia\b" > /dev/null 2>&1 ) && \
( ip -6 route get fd$1:$2$3:$4$5:$6$7:ffff:ffff:ffff:ffff | grep "\bvia\b" > /dev/null 2>&1 ) && return 0
return 1
}
generate_random_ip4() {
local random_ip4
while :; do
random_ip4=$(($RANDOM%256))
is_ip4_range_available $random_ip4 && break
done
GATEWAY="192.168.$random_ip4.1"
}
generate_random_ip6() {
local r1 r2 r3 r4 r5 r6 r7
while :; do
r1=$( printf "%x" $(($RANDOM%240+16)) )
r2=$( printf "%x" $(($RANDOM%240+16)) )
r3=$( printf "%x" $(($RANDOM%240+16)) )
r4=$( printf "%x" $(($RANDOM%240+16)) )
r5=$( printf "%x" $(($RANDOM%240+16)) )
r6=$( printf "%x" $(($RANDOM%240+16)) )
r7=$( printf "%x" $(($RANDOM%240+16)) )
is_ip6_range_available $r1 $r2 $r3 $r4 $r5 $r6 $r7 && break
done
PREFIX6="fd$r1:$r2$r3:$r4$r5:$r6$r7::"
}
# start haveged when needed # start haveged when needed
haveged_watchdog() { haveged_watchdog() {
local show_warn=1 local show_warn=1
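Review bot: `generate_random_ip4` and `generate_random_ip6` can loop forever. `is_ip4_range_available` only returns 0 when both `ip -4 route get 192.168.$1.0` and `ip -4 route get 192.168.$1.255` succeed and print `via`, so on a host with no default route (offline, or run with `-n`) every candidate is rejected and `while :; do ... done` never exits; the IPv6 variant has the same shape and additionally needs an IPv6 default route, which many hosts lack even when `-6` is passed. Suggest treating a failed `ip route get` (no route at all) as available, rejecting only candidates matched by the address/route greps, and capping the loop with a fallback address plus a warning after N tries. Two smaller points: the `via` test accepts any gateway route, so a candidate covered by a static `192.168.0.0/16 via ...` route is still judged free, and `\b` in the grep patterns is a GNU extension.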
@ -1046,19 +1082,6 @@ send_stop() {
## ======================================================== ## ========================================================
## ======================================================== ## ========================================================
if [[ $TP_PORT ]]; then
SHARE_METHOD=redsocks
fi
if [[ $IPV6 -eq 1 ]]; then
GATEWAY6=${PREFIX6}${IID6}
fi
if [[ $DHCP_DNS != 'gateway' && $DHCP_DNS6 != 'gateway' ]]; then
dnsmasq_NO_DNS=1
fi
if [[ -d /dev/shm ]]; then if [[ -d /dev/shm ]]; then
TMPD=/dev/shm TMPD=/dev/shm
elif [[ -d /run/shm ]]; then elif [[ -d /run/shm ]]; then
@ -1203,6 +1226,27 @@ else
fi fi
echo "Target interface is ${TARGET_IFACE}" echo "Target interface is ${TARGET_IFACE}"
if [[ ! -n $GATEWAY ]]; then
generate_random_ip4
echo "Use random IPv4 address $GATEWAY"
fi
if [[ $IPV6 -eq 1 && ! -n $PREFIX6 ]]; then
generate_random_ip6
echo "Use random IPv6 address ${PREFIX6}${IID6}"
fi
if [[ $IPV6 -eq 1 ]]; then
GATEWAY6=${PREFIX6}${IID6}
fi
if [[ $TP_PORT ]]; then
SHARE_METHOD=redsocks
fi
if [[ $DHCP_DNS != 'gateway' && $DHCP_DNS6 != 'gateway' ]]; then
dnsmasq_NO_DNS=1
fi
#================= #=================
# begin to do some change on config files and system # begin to do some change on config files and system
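Review bot: `[[ ! -n $GATEWAY ]]` and `[[ $IPV6 -eq 1 && ! -n $PREFIX6 ]]` read awkwardly; `[[ -z $GATEWAY ]]` and `[[ $IPV6 -eq 1 && -z $PREFIX6 ]]` say the same thing directly. Also, `GATEWAY` and `PREFIX6` are now empty from option parsing until this block, which runs after `echo "Target interface is ${TARGET_IFACE}"`; anything earlier in the script that reads them (argument validation, interface or conflict checks) will see an empty string, so it is worth a grep to confirm nothing consumes them before `generate_random_ip4` and `generate_random_ip6` run.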
@ -1567,7 +1611,7 @@ if [[ $NO_DNSMASQ -eq 0 ]]; then
#while [[ ! -f $CONFDIR/dnsmasq.pid ]]; do #while [[ ! -f $CONFDIR/dnsmasq.pid ]]; do
# sleep 1 # sleep 1
#done #done
#echo -n "dnsmasq PID: " ; cat $CONFDIR/dnsmasq.pid echo -n "dnsmasq PID: " ; cat $CONFDIR/dnsmasq.pid
#(wait $DNSMASQ_PID ; die "dnsmasq failed") & #(wait $DNSMASQ_PID ; die "dnsmasq failed") &
( while [ -e /proc/$DNSMASQ_PID ]; do sleep 10; done ; die "dnsmasq exited" ) & ( while [ -e /proc/$DNSMASQ_PID ]; do sleep 10; done ; die "dnsmasq exited" ) &
sleep 2 sleep 2
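Review bot: uncommenting `echo -n "dnsmasq PID: " ; cat $CONFDIR/dnsmasq.pid` reintroduces the race that the still-commented `while [[ ! -f $CONFDIR/dnsmasq.pid ]]` loop above was meant to avoid: right after launch the pid file may not exist yet, so `cat` can fail and print an error after the label. The next line already has the PID in `$DNSMASQ_PID`; `echo "dnsmasq PID: $DNSMASQ_PID"` gives the same information with no file dependency.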