interesting
/
linux-router
mirror of https://github.com/garywill/linux-router.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

0.6.6

This commit is contained in:
garywill 2021-11-07 10:31:15 +08:00
parent 083cd42afd
commit 15a2e0ce53
2 changed files with 54 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
README.md
View File

@ -1,6 +1,6 @@
# Linux-router # Linux-router
Set Linux as router in one command. Able to Provide Internet, or create Wifi hotspot. Support transparent proxy (redsocks). Also useful for routing VM/containers. Set Linux as router in one command. Able to provide Internet, or create WiFi hotspot. Support transparent proxy (redsocks). Also useful for routing VM/containers.
It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c` (or even by closing terminal window). It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c` (or even by closing terminal window).
@ -12,17 +12,19 @@ Basic features:
- Create a NATed sub-network - Create a NATed sub-network
- Provide Internet - Provide Internet
- DHCP server (and RA) + DNS server - DHCP server (and RA)
- Configuring what DNS the DHCP server offers to clients - Specify what DNS the DHCP server assigns to clients
- Configuring upstream DNS for local DNS server (kind of a DNS proxy) - DNS server
- Specify upstream DNS (kind of a plain DNS proxy)
- IPv6 (behind NATed LAN, like IPv4) - IPv6 (behind NATed LAN, like IPv4)
- Creating Wifi hotspot: - Creating WiFi hotspot:
- Channel selecting - Channel selecting
- Choose encryptions: WPA2/WPA, WPA2, WPA, No encryption - Choose encryptions: WPA2/WPA, WPA2, WPA, No encryption
- Create AP on the same interface you are getting Internet (usually require same channel) - Create AP on the same interface you are getting Internet (usually require same channel)
- Transparent proxy (redsocks) - Transparent proxy (redsocks)
- Transparent DNS proxy (hijack port 53 packets) - Transparent DNS proxy (hijack port 53 packets)
- Compatible with NetworkManager (automatically set interface as unmanaged) - Compatible with NetworkManager (automatically set interface as unmanaged)
- You can run many instances, to create many different networks. Has instances managing feature.
**For many other features, see below [CLI usage](#cli-usage-and-other-features)** **For many other features, see below [CLI usage](#cli-usage-and-other-features)**
@ -36,7 +38,7 @@ Internet----(eth0/wlan0)-Linux-(wlanX)AP
``` ```
Internet Internet
Wifi AP(no DHCP) | WiFi AP(no DHCP) |
|----(wlan1)-Linux-(eth0/wlan0)------ |----(wlan1)-Linux-(eth0/wlan0)------
| (DHCP) | (DHCP)
|--client |--client
@ -69,7 +71,7 @@ sudo lnxrouter -i eth1
no matter which interface (other than `eth1`) you're getting Internet from. no matter which interface (other than `eth1`) you're getting Internet from.
### Create Wifi hotspot ### Create WiFi hotspot
``` ```
sudo lnxrouter --ap wlan0 MyAccessPoint -p MyPassPhrase sudo lnxrouter --ap wlan0 MyAccessPoint -p MyPassPhrase
@ -253,9 +255,13 @@ sudo brctl addbr firejail5
``` ```
sudo lnxrouter -i firejail5 -g 192.168.55.1 --tp 9040 --dns 9053 sudo lnxrouter -i firejail5 -g 192.168.55.1 --tp 9040 --dns 9053
firejail --net=firejail5 --dns=192.168.55.1 --blacklist=/var/run/nscd # nscd is cache service, which shouldn't be accessed in jail here firejail --net=firejail5 --dns=192.168.55.1 --blacklist=/var/run/nscd
``` ```
Firejail's `/etc/resolv.conf` doesn't obtain DNS from DHCP, so we need to assign.
nscd is domain name cache service, which shouldn't be accessed from in jail here.
</details> </details>
### CLI usage and other features ### CLI usage and other features
@ -271,7 +277,7 @@ Options:
-i <interface> Interface to make NATed sub-network, -i <interface> Interface to make NATed sub-network,
and to provide Internet to and to provide Internet to
(To create Wifi hotspot use '--ap' instead) (To create WiFi hotspot use '--ap' instead)
-o <interface> Specify an inteface to provide Internet from. -o <interface> Specify an inteface to provide Internet from.
(See Notice 1) (See Notice 1)
(Note using this with default DNS option may leak (Note using this with default DNS option may leak
@ -319,12 +325,12 @@ Options:
redirect non-LAN TCP and UDP traffic to port. redirect non-LAN TCP and UDP traffic to port.
(usually used with '--dns') (usually used with '--dns')
Wifi hotspot options: WiFi hotspot options:
--ap <wifi interface> <SSID> --ap <wifi interface> <SSID>
Create Wifi access point Create WiFi access point
-p, --password <password> -p, --password <password>
Wifi password WiFi password
--qr Show Wifi QR code in terminal --qr Show WiFi QR code in terminal
--hidden Hide access point (not broadcast SSID) --hidden Hide access point (not broadcast SSID)
--no-virt Do not create virtual interface --no-virt Do not create virtual interface
@ -339,8 +345,8 @@ Options:
(default: 2) (default: 2)
--psk Use 64 hex digits pre-shared-key instead of --psk Use 64 hex digits pre-shared-key instead of
passphrase passphrase
--mac-filter Enable Wifi hotspot MAC address filtering --mac-filter Enable WiFi hotspot MAC address filtering
--mac-filter-accept Location of Wifi hotspot MAC address filter list --mac-filter-accept Location of WiFi hotspot MAC address filter list
(defaults to /etc/hostapd/hostapd.accept) (defaults to /etc/hostapd/hostapd.accept)
--hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd --hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd
--isolate-clients Disable wifi communication between clients --isolate-clients Disable wifi communication between clients
@ -373,9 +379,9 @@ Options:
``` ```
Notice 1: This script assume your host's default policy won't forward Notice 1: This script assume your host's default policy won't forward
packets, so the script won't explictly ban forwarding in any packets, so the script won't explictly ban forwarding in any
mode. In some unexpected case may cause unwanted packets mode. In some unexpected case (eg. mistaken configurations) may
leakage between 2 networks, which you should be aware of if you cause unwanted packets leakage between 2 networks, which you
want isolated network should be aware of if you want isolated network
``` ```
</details> </details>
@ -389,7 +395,7 @@ On exit of a linux-router instance, script **will do cleanup**, i.e. undo most c
3. hostapd (if used) in Apparmor complain mode 3. hostapd (if used) in Apparmor complain mode
4. Kernel module `nf_nat_pptp` loaded 4. Kernel module `nf_nat_pptp` loaded
5. The wifi device which is used to create hotspot is `rfkill unblock`ed 5. The wifi device which is used to create hotspot is `rfkill unblock`ed
6. Wifi country code, if user specified 6. WiFi country code, if user assigns
## Dependencies ## Dependencies
@ -409,6 +415,7 @@ On exit of a linux-router instance, script **will do cleanup**, i.e. undo most c
<details> <details>
- Compatibility with firewalld
- WPA3 - WPA3
- Global IPv6 - Global IPv6
- Explictly ban forwarding if not needed - Explictly ban forwarding if not needed
@ -479,10 +486,10 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Visit [**my homepage** 🏡](https://garywill.github.io) to see **more tools and projects** 🛠️. Visit [**my homepage** 🏡](https://garywill.github.io) to see **more tools and projects** 🛠️.
> [❤️ Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) , this project took me lots of time! ([❤️ 打赏一个!](https://github.com/garywill/receiving/blob/master/receiving_methods.md)) > [❤️ Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) , this project took me lots of time! ([❤️ 扫个码打赏一个!](https://github.com/garywill/receiving/blob/master/receiving_methods.md))
> >
> 🥂 ( ^\_^) o自自o (^_^ ) 🍻 > 🥂 ( ^\_^) o自自o (^_^ ) 🍻
🤝 Bisides, thank [create_ap](https://github.com/oblique/create_ap) by [oblique](https://github.com/oblique). This script was forked from create\_ap. Now they are quite different. (See `history` branch for how I modified create_ap). 🤝 Also thank those who contributed to that project. 🤝 Bisides, thank [create_ap](https://github.com/oblique/create_ap) by [oblique](https://github.com/oblique). This script was forked from create\_ap. Now they are quite different. (See `history` branch for how I modified create_ap). 🤝 Also thank those who contributed to that project.
👨‍💻 You can be contributor, too! 🍃 There're some TO-DOs listed, at both above and in the code file. Also some unfulfilled enhancements in the Issues. Your name can be here! 👨‍💻 You can be contributor, too! 🍃 There're some TO-DOs listed, at both [above](#todo) and [in the code file](https://github.com/garywill/linux-router/search?q=TODO&type=code). 🍃 Also some [unfulfilled enhancements in the Issues](https://github.com/garywill/linux-router/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement). Your name can be here!

53
lnxrouter Normal file → Executable file
View File

@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
VERSION=0.6.5 VERSION=0.6.6
PROGNAME="$(basename $0)" PROGNAME="$(basename $0)"
export LC_ALL=C export LC_ALL=C
@ -27,7 +27,7 @@ Options:
-i <interface> Interface to make NATed sub-network, -i <interface> Interface to make NATed sub-network,
and to provide Internet to and to provide Internet to
(To create Wifi hotspot use '--ap' instead) (To create WiFi hotspot use '--ap' instead)
-o <interface> Specify an inteface to provide Internet from. -o <interface> Specify an inteface to provide Internet from.
(See Notice 1) (See Notice 1)
(Note using this with default DNS option may leak (Note using this with default DNS option may leak
@ -75,12 +75,12 @@ Options:
redirect non-LAN TCP and UDP traffic to port. redirect non-LAN TCP and UDP traffic to port.
(usually used with '--dns') (usually used with '--dns')
Wifi hotspot options: WiFi hotspot options:
--ap <wifi interface> <SSID> --ap <wifi interface> <SSID>
Create Wifi access point Create WiFi access point
-p, --password <password> -p, --password <password>
Wifi password WiFi password
--qr Show Wifi QR code in terminal --qr Show WiFi QR code in terminal
--hidden Hide access point (not broadcast SSID) --hidden Hide access point (not broadcast SSID)
--no-virt Do not create virtual interface --no-virt Do not create virtual interface
@ -95,8 +95,8 @@ Options:
(default: 2) (default: 2)
--psk Use 64 hex digits pre-shared-key instead of --psk Use 64 hex digits pre-shared-key instead of
passphrase passphrase
--mac-filter Enable Wifi hotspot MAC address filtering --mac-filter Enable WiFi hotspot MAC address filtering
--mac-filter-accept Location of Wifi hotspot MAC address filter list --mac-filter-accept Location of WiFi hotspot MAC address filter list
(defaults to /etc/hostapd/hostapd.accept) (defaults to /etc/hostapd/hostapd.accept)
--hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd --hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd
--isolate-clients Disable wifi communication between clients --isolate-clients Disable wifi communication between clients
@ -121,9 +121,9 @@ Options:
Notice 1: This script assume your host's default policy won't forward Notice 1: This script assume your host's default policy won't forward
packets, so the script won't explictly ban forwarding in any packets, so the script won't explictly ban forwarding in any
mode. In some unexpected case may cause unwanted packets mode. In some unexpected case (eg. mistaken configurations) may
leakage between 2 networks, which you should be aware of if you cause unwanted packets leakage between 2 networks, which you
want isolated network should be aware of if you want isolated network
Examples: Examples:
$PROGNAME -i eth1 $PROGNAME -i eth1
@ -231,16 +231,10 @@ parse_user_options(){
shift shift
INTERNET_IFACE="$1" INTERNET_IFACE="$1"
shift shift
echo ""
echo "WARN: Since you're using in this mode, make sure you've read Notice 1" >&2
echo ""
;; ;;
-n) -n)
shift shift
SHARE_METHOD=none SHARE_METHOD=none
echo ""
echo "WARN: Since you're using in this mode, make sure you've read Notice 1" >&2
echo ""
;; ;;
--ban-priv) --ban-priv)
shift shift
@ -266,9 +260,6 @@ parse_user_options(){
--no4) --no4)
shift shift
NO4=1 NO4=1
echo ""
echo "WARN: Since you're using in this mode, make sure you've read Notice 1" >&2
echo ""
;; ;;
--p6) --p6)
shift shift
@ -1097,7 +1088,7 @@ backup_interface_status() {
backup_ipv6_bits backup_ipv6_bits
# TODO : backup ip and others # TODO : ? backup ip and others???
# nm managing status is saved when nm_set_unmanaged() # nm managing status is saved when nm_set_unmanaged()
} }
@ -1178,11 +1169,12 @@ cleanup() {
echo echo
echo "Doing cleanup.. " echo "Doing cleanup.. "
kill_processes kill_processes
echo "Cleanning up iptables .." echo "Undoing iptables changes .."
clean_iptables > /dev/null clean_iptables > /dev/null
_cleanup 2> /dev/null _cleanup 2> /dev/null
pgid=$(ps opgid= $$ |awk '{print $1}' ) pgid=$(ps opgid= $$ |awk '{print $1}' )
echo "Killing PGID $pgid ..."
kill -15 -$pgid kill -15 -$pgid
sleep 1 sleep 1
echo "Cleaning up done" echo "Cleaning up done"
@ -1446,7 +1438,7 @@ check_other_functions(){
##### root test ##### NOTE above don't require root ########## ##### root test ##### NOTE above don't require root ##########
if [[ $(id -u) -ne 0 ]]; then if [[ $(id -u) -ne 0 ]]; then
echo "You must run it as root." >&2 echo "ERROR: Need root to continue" >&2
exit 1 exit 1
fi fi
###### NOTE below require root ########## ###### NOTE below require root ##########
@ -1730,7 +1722,7 @@ write_hostapd_conf() {
rsn_pairwise=CCMP rsn_pairwise=CCMP
EOF EOF
else else
echo "WARN: Wifi is not protected by password" >&2 echo "WARN: WiFi is not protected by password" >&2
fi fi
chmod 600 "$CONFDIR/hostapd.conf" chmod 600 "$CONFDIR/hostapd.conf"
} }
@ -2016,26 +2008,33 @@ fi
check_iptables check_iptables
echo "Not showing all iptables operations." echo "NOTICE: Not showing all operations done to iptables rules"
[[ "$NO4" -eq 1 ]] && echo -e "\nWARN: Since you're using in this mode (no IPv4 Internet), make sure you've read Notice 1\n" >&2
# enable Internet sharing # enable Internet sharing
if [[ "$SHARE_METHOD" == "none" ]]; then if [[ "$SHARE_METHOD" == "none" ]]; then
echo "No Internet sharing" echo "No Internet sharing"
echo -e "\nWARN: Since you're using in this mode (no Internet share), make sure you've read Notice 1\n" >&2
[[ "$BANLAN" -eq 1 ]] && start_ban_lan [[ "$BANLAN" -eq 1 ]] && start_ban_lan
elif [[ "$SHARE_METHOD" == "nat" ]]; then elif [[ "$SHARE_METHOD" == "nat" ]]; then
[[ "$INTERNET_IFACE" ]] && echo -e "\nWARN: Since you're using in this mode (specify Internet interface), make sure you've read Notice 1\n" >&2
[[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS. In some unexpected case (eg. mistaken configurations), queries may leak to other interfaces, which you should be aware of.\n" >&2 [[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS. In some unexpected case (eg. mistaken configurations), queries may leak to other interfaces, which you should be aware of.\n" >&2
start_nat start_nat
[[ "$BANLAN" -eq 1 ]] && start_ban_lan [[ "$BANLAN" -eq 1 ]] && start_ban_lan
echo 1 > "/proc/sys/net/ipv4/ip_forward" || die "Failed enabling system ipv4 forwarding" echo 1 > "/proc/sys/net/ipv4/ip_forward" || die "Failed enabling system ipv4 forwarding" # TODO maybe uneeded in '--no4' mode
if [[ $IPV6 -eq 1 ]]; then if [[ $IPV6 -eq 1 ]]; then
echo 1 > "/proc/sys/net/ipv6/conf/all/forwarding" || die "Failed enabling system ipv6 forwarding" echo 1 > "/proc/sys/net/ipv6/conf/all/forwarding" || die "Failed enabling system ipv6 forwarding" # TODO if '-o' used, set only 2 interfaces' bits
fi fi
# to enable clients to establish PPTP connections we must # to enable clients to establish PPTP connections we must