diff --git a/README.md b/README.md index 8ba529a..0643142 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Linux-router -Set Linux as router in one command. Able to Provide Internet, or create Wifi hotspot. Support transparent proxy (redsocks). Also useful for routing VM/containers. +Set Linux as router in one command. Able to provide Internet, or create WiFi hotspot. Support transparent proxy (redsocks). Also useful for routing VM/containers. It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c` (or even by closing terminal window). @@ -12,17 +12,19 @@ Basic features: - Create a NATed sub-network - Provide Internet -- DHCP server (and RA) + DNS server - - Configuring what DNS the DHCP server offers to clients - - Configuring upstream DNS for local DNS server (kind of a DNS proxy) +- DHCP server (and RA) + - Specify what DNS the DHCP server assigns to clients +- DNS server + - Specify upstream DNS (kind of a plain DNS proxy) - IPv6 (behind NATed LAN, like IPv4) -- Creating Wifi hotspot: +- Creating WiFi hotspot: - Channel selecting - Choose encryptions: WPA2/WPA, WPA2, WPA, No encryption - Create AP on the same interface you are getting Internet (usually require same channel) - Transparent proxy (redsocks) - Transparent DNS proxy (hijack port 53 packets) - Compatible with NetworkManager (automatically set interface as unmanaged) +- You can run many instances, to create many different networks. Has instances managing feature. **For many other features, see below [CLI usage](#cli-usage-and-other-features)** @@ -36,7 +38,7 @@ Internet----(eth0/wlan0)-Linux-(wlanX)AP ``` Internet -Wifi AP(no DHCP) | +WiFi AP(no DHCP) | |----(wlan1)-Linux-(eth0/wlan0)------ | (DHCP) |--client @@ -69,7 +71,7 @@ sudo lnxrouter -i eth1 no matter which interface (other than `eth1`) you're getting Internet from. -### Create Wifi hotspot +### Create WiFi hotspot ``` sudo lnxrouter --ap wlan0 MyAccessPoint -p MyPassPhrase 
@@ -253,9 +255,13 @@ sudo brctl addbr firejail5 ``` sudo lnxrouter -i firejail5 -g 192.168.55.1 --tp 9040 --dns 9053 -firejail --net=firejail5 --dns=192.168.55.1 --blacklist=/var/run/nscd # nscd is cache service, which shouldn't be accessed in jail here +firejail --net=firejail5 --dns=192.168.55.1 --blacklist=/var/run/nscd ``` +Firejail's `/etc/resolv.conf` doesn't obtain DNS from DHCP, so we need to assign. + +nscd is domain name cache service, which shouldn't be accessed from in jail here. + ### CLI usage and other features @@ -271,7 +277,7 @@ Options: -i Interface to make NATed sub-network, and to provide Internet to - (To create Wifi hotspot use '--ap' instead) + (To create WiFi hotspot use '--ap' instead) -o Specify an inteface to provide Internet from. (See Notice 1) (Note using this with default DNS option may leak @@ -319,12 +325,12 @@ Options: redirect non-LAN TCP and UDP traffic to port. (usually used with '--dns') - Wifi hotspot options: + WiFi hotspot options: --ap - Create Wifi access point + Create WiFi access point -p, --password - Wifi password - --qr Show Wifi QR code in terminal + WiFi password + --qr Show WiFi QR code in terminal --hidden Hide access point (not broadcast SSID) --no-virt Do not create virtual interface @@ -339,8 +345,8 @@ Options: (default: 2) --psk Use 64 hex digits pre-shared-key instead of passphrase - --mac-filter Enable Wifi hotspot MAC address filtering - --mac-filter-accept Location of Wifi hotspot MAC address filter list + --mac-filter Enable WiFi hotspot MAC address filtering + --mac-filter-accept Location of WiFi hotspot MAC address filter list (defaults to /etc/hostapd/hostapd.accept) --hostapd-debug 1 or 2. Passes -d or -dd to hostapd --isolate-clients Disable wifi communication between clients 
@@ -373,9 +379,9 @@ Options: ``` Notice 1: This script assume your host's default policy won't forward packets, so the script won't explictly ban forwarding in any - mode. In some unexpected case may cause unwanted packets - leakage between 2 networks, which you should be aware of if you - want isolated network + mode. In some unexpected case (eg. mistaken configurations) may + cause unwanted packets leakage between 2 networks, which you + should be aware of if you want isolated network ``` @@ -389,7 +395,7 @@ On exit of a linux-router instance, script **will do cleanup**, i.e. undo most c 3. hostapd (if used) in Apparmor complain mode 4. Kernel module `nf_nat_pptp` loaded 5. The wifi device which is used to create hotspot is `rfkill unblock`ed -6. Wifi country code, if user specified +6. WiFi country code, if user assigns ## Dependencies @@ -409,6 +415,7 @@ On exit of a linux-router instance, script **will do cleanup**, i.e. undo most c
+- Compatibility with firewalld - WPA3 - Global IPv6 - Explictly ban forwarding if not needed @@ -479,10 +486,10 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Visit [**my homepage** 🏑](https://garywill.github.io) to see **more tools and projects** πŸ› οΈ. -> [❀️ Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) , this project took me lots of time! ([❀️ 打衏一δΈͺ!](https://github.com/garywill/receiving/blob/master/receiving_methods.md)) +> [❀️ Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) , this project took me lots of time! ([❀️ 扫δΈͺ码打衏一δΈͺ!](https://github.com/garywill/receiving/blob/master/receiving_methods.md)) > > πŸ₯‚ ( ^\_^) oθ‡ͺθ‡ͺo (^_^ ) 🍻 🀝 Bisides, thank [create_ap](https://github.com/oblique/create_ap) by [oblique](https://github.com/oblique). This script was forked from create\_ap. Now they are quite different. (See `history` branch for how I modified create_ap). 🀝 Also thank those who contributed to that project. -πŸ‘¨β€πŸ’» You can be contributor, too! πŸƒ There're some TO-DOs listed, at both above and in the code file. Also some unfulfilled enhancements in the Issues. Your name can be here! +πŸ‘¨β€πŸ’» You can be contributor, too! πŸƒ There're some TO-DOs listed, at both [above](#todo) and [in the code file](https://github.com/garywill/linux-router/search?q=TODO&type=code). πŸƒ Also some [unfulfilled enhancements in the Issues](https://github.com/garywill/linux-router/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement). Your name can be here! diff --git a/lnxrouter b/lnxrouter old mode 100644 new mode 100755 index aed9a7b..f5b81a1 --- a/lnxrouter +++ b/lnxrouter @@ -1,6 +1,6 @@ #!/bin/bash -VERSION=0.6.5 +VERSION=0.6.6 PROGNAME="$(basename $0)" export LC_ALL=C 
@@ -27,7 +27,7 @@ Options: -i Interface to make NATed sub-network, and to provide Internet to - (To create Wifi hotspot use '--ap' instead) + (To create WiFi hotspot use '--ap' instead) -o Specify an inteface to provide Internet from. (See Notice 1) (Note using this with default DNS option may leak @@ -75,12 +75,12 @@ Options: redirect non-LAN TCP and UDP traffic to port. (usually used with '--dns') - Wifi hotspot options: + WiFi hotspot options: --ap - Create Wifi access point + Create WiFi access point -p, --password - Wifi password - --qr Show Wifi QR code in terminal + WiFi password + --qr Show WiFi QR code in terminal --hidden Hide access point (not broadcast SSID) --no-virt Do not create virtual interface @@ -95,8 +95,8 @@ Options: (default: 2) --psk Use 64 hex digits pre-shared-key instead of passphrase - --mac-filter Enable Wifi hotspot MAC address filtering - --mac-filter-accept Location of Wifi hotspot MAC address filter list + --mac-filter Enable WiFi hotspot MAC address filtering + --mac-filter-accept Location of WiFi hotspot MAC address filter list (defaults to /etc/hostapd/hostapd.accept) --hostapd-debug 1 or 2. Passes -d or -dd to hostapd --isolate-clients Disable wifi communication between clients @@ -121,9 +121,9 @@ Options: Notice 1: This script assume your host's default policy won't forward packets, so the script won't explictly ban forwarding in any - mode. In some unexpected case may cause unwanted packets - leakage between 2 networks, which you should be aware of if you - want isolated network + mode. In some unexpected case (eg. mistaken configurations) may + cause unwanted packets leakage between 2 networks, which you + should be aware of if you want isolated network Examples: $PROGNAME -i eth1 
@@ -231,16 +231,10 @@ parse_user_options(){ shift INTERNET_IFACE="$1" shift - echo "" - echo "WARN: Since you're using in this mode, make sure you've read Notice 1" >&2 - echo "" ;; -n) shift SHARE_METHOD=none - echo "" - echo "WARN: Since you're using in this mode, make sure you've read Notice 1" >&2 - echo "" ;; --ban-priv) shift @@ -266,9 +260,6 @@ parse_user_options(){ --no4) shift NO4=1 - echo "" - echo "WARN: Since you're using in this mode, make sure you've read Notice 1" >&2 - echo "" ;; --p6) shift @@ -1097,7 +1088,7 @@ backup_interface_status() { backup_ipv6_bits - # TODO : backup ip and others + # TODO : ? backup ip and others??? # nm managing status is saved when nm_set_unmanaged() } @@ -1178,11 +1169,12 @@ cleanup() { echo echo "Doing cleanup.. " kill_processes - echo "Cleanning up iptables .." + echo "Undoing iptables changes .." clean_iptables > /dev/null _cleanup 2> /dev/null pgid=$(ps opgid= $$ |awk '{print $1}' ) + echo "Killing PGID $pgid ..." kill -15 -$pgid sleep 1 echo "Cleaning up done" @@ -1446,7 +1438,7 @@ check_other_functions(){ ##### root test ##### NOTE above don't require root ########## if [[ $(id -u) -ne 0 ]]; then - echo "You must run it as root." >&2 + echo "ERROR: Need root to continue" >&2 exit 1 fi ###### NOTE below require root ########## @@ -1730,7 +1722,7 @@ write_hostapd_conf() { rsn_pairwise=CCMP EOF else - echo "WARN: Wifi is not protected by password" >&2 + echo "WARN: WiFi is not protected by password" >&2 fi chmod 600 "$CONFDIR/hostapd.conf" } 
@@ -2016,26 +2008,33 @@ fi check_iptables -echo "Not showing all iptables operations." +echo "NOTICE: Not showing all operations done to iptables rules" + +[[ "$NO4" -eq 1 ]] && echo -e "\nWARN: Since you're using in this mode (no IPv4 Internet), make sure you've read Notice 1\n" >&2 + # enable Internet sharing if [[ "$SHARE_METHOD" == "none" ]]; then echo "No Internet sharing" + echo -e "\nWARN: Since you're using in this mode (no Internet share), make sure you've read Notice 1\n" >&2 + [[ "$BANLAN" -eq 1 ]] && start_ban_lan elif [[ "$SHARE_METHOD" == "nat" ]]; then + [[ "$INTERNET_IFACE" ]] && echo -e "\nWARN: Since you're using in this mode (specify Internet interface), make sure you've read Notice 1\n" >&2 + [[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS. In some unexpected case (eg. mistaken configurations), queries may leak to other interfaces, which you should be aware of.\n" >&2 start_nat [[ "$BANLAN" -eq 1 ]] && start_ban_lan - echo 1 > "/proc/sys/net/ipv4/ip_forward" || die "Failed enabling system ipv4 forwarding" + echo 1 > "/proc/sys/net/ipv4/ip_forward" || die "Failed enabling system ipv4 forwarding" # TODO maybe uneeded in '--no4' mode if [[ $IPV6 -eq 1 ]]; then - echo 1 > "/proc/sys/net/ipv6/conf/all/forwarding" || die "Failed enabling system ipv6 forwarding" + echo 1 > "/proc/sys/net/ipv6/conf/all/forwarding" || die "Failed enabling system ipv6 forwarding" # TODO if '-o' used, set only 2 interfaces' bits fi # to enable clients to establish PPTP connections we must
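Review bot: In the README features hunk (the `@@ -12,17 +12,19 @@` region), the new bullet `- You can run many instances, to create many different networks. Has instances managing feature.` is the only bullet in the list written as two sentences and it doesn't say how instances are managed. Suggest matching the noun-phrase style of the neighbouring bullets, e.g. `- Multiple instances (one per network), with instance management`, and naming the command or option that lists and stops instances so the reader knows where to look; the README as shown here never mentions it.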
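Review bot: In the firejail hunk (`@@ -253,9 +255,13 @@`), the reason for `--blacklist=/var/run/nscd` should be stated, not just that nscd "shouldn't be accessed from in jail here": the whole point of `--net=firejail5 --dns=192.168.55.1` with `--tp 9040 --dns 9053` is that every lookup from the jail goes to the local DNS on 192.168.55.1, and a lookup served through the host's nscd socket would be answered outside that path. Suggest `nscd is the host's name-service cache; its socket is blacklisted so lookups from the jail cannot bypass the jailed network and its DNS.` Also `Firejail's /etc/resolv.conf doesn't obtain DNS from DHCP, so we need to assign.` is missing its object; `so the DNS server must be passed explicitly with --dns` says what to assign.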
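Review bot: In both Notice 1 hunks (README `@@ -373,9 +379,9 @@` and the lnxrouter usage text `@@ -121,9 +121,9 @@`), `(eg. mistaken configurations)` should be `(e.g. a mistaken configuration)`, and since the block is being rewritten anyway the unchanged context lines still read `This script assume` and `explictly` (`assumes`, `explicitly`). More importantly the notice is the one security statement in the help text and it is phrased as an aside; it would serve users better as a checkable requirement, e.g. `This script does not add any rule that blocks forwarding. It assumes your host's default policy already refuses to forward packets; if it does not, traffic can be forwarded between the two networks. Check your FORWARD chain (iptables -S FORWARD) before relying on isolation.`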
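Review bot: In the README cleanup-list hunk (`@@ -389,7 +395,7 @@`), `6. WiFi country code, if user assigns` is grammatically worse than the `if user specified` it replaces; items 1-5 describe state left behind after exit, so `6. WiFi country code, if the user specified one` keeps tense and register consistent with them.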
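Review bot: In the README contributors hunk (`@@ -479,10 +486,10 @@`), the unchanged context line still starts with `Bisides, thank` (`Besides`), and the rewritten line keeps `There're some TO-DOs listed` (`There are`); both are worth fixing while this paragraph is being edited, since the new links are otherwise a clear improvement.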
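Review bot: The two parse_user_options hunks (`@@ -231,16 +231,10 @@` and `@@ -266,9 +260,6 @@`) remove the Notice 1 warnings for `-o`, `-n` and `--no4`, and the final hunk re-emits them conditionally, which changes when they fire: the `-o` warning now only prints in the `nat` branch (`[[ "$INTERNET_IFACE" ]] && echo ...`), so if `-n -o <iface>` is an accepted combination the user sees only the no-share warning, while the `--no4` warning prints before the branch regardless of `SHARE_METHOD`. That is probably the intent, but a one-line comment saying so would stop the next reader from "fixing" it, and the three near-identical `echo -e "\nWARN: Since you're using in this mode (...), make sure you've read Notice 1\n" >&2` lines would read better as one small helper taking the reason as its argument.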
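Review bot: In the backup_interface_status hunk (`@@ -1097,7 +1088,7 @@`), `# TODO : ? backup ip and others???` adds punctuation noise without adding information; if the open question is whether the interface's IP addresses need backing up before the script changes them, write that (`# TODO: decide whether to back up the interface's IP addresses as well`) so the TODO is actionable.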
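Review bot: In the cleanup() hunk (`@@ -1178,11 +1169,12 @@`), the new `echo "Killing PGID $pgid ..."` is useful, but the `kill -15 -$pgid` it announces signals the whole process group of `$$`. When lnxrouter is started from a non-interactive parent (a wrapper script, a service, `nohup`), the script is usually not the group leader, so that group includes the parent and cleanup terminates it as well. Since this block is being touched, consider either guarding with `[[ "$pgid" -eq $$ ]]` (only kill the group when the script leads it) or at least listing the members first (`pgrep -l -g "$pgid"`) so the operator can see what the "Killing PGID" line is about to take down.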
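Review bot: In the final hunk (`@@ -2016,26 +2008,33 @@`), the `# TODO maybe uneeded in '--no4' mode` on `echo 1 > "/proc/sys/net/ipv4/ip_forward"` should be resolved here rather than left as a TODO, because it is a least-privilege issue: with `--no4` there is no IPv4 subnet to route, yet the script still enables global IPv4 forwarding, which is exactly the condition Notice 1 warns about. Gate it, e.g. `[[ "$NO4" -ne 1 ]] && { echo 1 > /proc/sys/net/ipv4/ip_forward || die "..."; }` (and `uneeded` is `unneeded`). The IPv6 TODO on `conf/all/forwarding` is the same point one line lower and the comment already names the narrower fix. Separately, the new DNS warning (`You specified Internet interface but this host is providing local DNS ... queries may leak to other interfaces`) tells the user about a risk without telling them what to do; since the branch already tests `$dnsmasq_NO_DNS`, the message should name the option that sets it as the way to avoid serving DNS at all when `-o` is used.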