interesting
/
linux-router
mirror of https://github.com/garywill/linux-router.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

0.6.6

This commit is contained in:
garywill 2021-11-07 10:31:15 +08:00
parent 083cd42afd
commit 15a2e0ce53
2 changed files with 54 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
README.md
View File

@ -1,6 +1,6 @@
# Linux-router
Set Linux as router in one command. Able to Provide Internet, or create Wifi hotspot. Support transparent proxy (redsocks). Also useful for routing VM/containers.
Set Linux as router in one command. Able to provide Internet, or create WiFi hotspot. Support transparent proxy (redsocks). Also useful for routing VM/containers.
It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c` (or even by closing terminal window).
@ -12,17 +12,19 @@ Basic features:
- Create a NATed sub-network
- Provide Internet
- DHCP server (and RA) + DNS server
- Configuring what DNS the DHCP server offers to clients
- Configuring upstream DNS for local DNS server (kind of a DNS proxy)
- DHCP server (and RA)
- Specify what DNS the DHCP server assigns to clients
- DNS server
- Specify upstream DNS (kind of a plain DNS proxy)
- IPv6 (behind NATed LAN, like IPv4)
- Creating Wifi hotspot:
- Creating WiFi hotspot:
- Channel selecting
- Choose encryptions: WPA2/WPA, WPA2, WPA, No encryption
- Create AP on the same interface you are getting Internet (usually require same channel)
- Transparent proxy (redsocks)
- Transparent DNS proxy (hijack port 53 packets)
- Compatible with NetworkManager (automatically set interface as unmanaged)
- You can run many instances, to create many different networks. Has instances managing feature.
**For many other features, see below [CLI usage](#cli-usage-and-other-features)**
@ -36,7 +38,7 @@ Internet----(eth0/wlan0)-Linux-(wlanX)AP
```
Internet
Wifi AP(no DHCP) |
WiFi AP(no DHCP) |
|----(wlan1)-Linux-(eth0/wlan0)------
| (DHCP)
|--client
@ -69,7 +71,7 @@ sudo lnxrouter -i eth1
no matter which interface (other than `eth1`) you're getting Internet from.
### Create Wifi hotspot
### Create WiFi hotspot
```
sudo lnxrouter --ap wlan0 MyAccessPoint -p MyPassPhrase
@ -253,9 +255,13 @@ sudo brctl addbr firejail5
```
sudo lnxrouter -i firejail5 -g 192.168.55.1 --tp 9040 --dns 9053
firejail --net=firejail5 --dns=192.168.55.1 --blacklist=/var/run/nscd # nscd is cache service, which shouldn't be accessed in jail here
firejail --net=firejail5 --dns=192.168.55.1 --blacklist=/var/run/nscd
```
Firejail's `/etc/resolv.conf` doesn't obtain DNS from DHCP, so we need to assign.
nscd is domain name cache service, which shouldn't be accessed from in jail here.
</details>
### CLI usage and other features
@ -271,7 +277,7 @@ Options:
-i <interface> Interface to make NATed sub-network,
and to provide Internet to
(To create Wifi hotspot use '--ap' instead)
(To create WiFi hotspot use '--ap' instead)
-o <interface> Specify an inteface to provide Internet from.
(See Notice 1)
(Note using this with default DNS option may leak
@ -319,12 +325,12 @@ Options:
redirect non-LAN TCP and UDP traffic to port.
(usually used with '--dns')
Wifi hotspot options:
WiFi hotspot options:
--ap <wifi interface> <SSID>
Create Wifi access point
Create WiFi access point
-p, --password <password>
Wifi password
--qr Show Wifi QR code in terminal
WiFi password
--qr Show WiFi QR code in terminal
--hidden Hide access point (not broadcast SSID)
--no-virt Do not create virtual interface
@ -339,8 +345,8 @@ Options:
(default: 2)
--psk Use 64 hex digits pre-shared-key instead of
passphrase
--mac-filter Enable Wifi hotspot MAC address filtering
--mac-filter-accept Location of Wifi hotspot MAC address filter list
--mac-filter Enable WiFi hotspot MAC address filtering
--mac-filter-accept Location of WiFi hotspot MAC address filter list
(defaults to /etc/hostapd/hostapd.accept)
--hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd
--isolate-clients Disable wifi communication between clients
@ -373,9 +379,9 @@ Options:
```
Notice 1: This script assume your host's default policy won't forward
packets, so the script won't explictly ban forwarding in any
mode. In some unexpected case may cause unwanted packets
leakage between 2 networks, which you should be aware of if you
want isolated network
mode. In some unexpected case (eg. mistaken configurations) may
cause unwanted packets leakage between 2 networks, which you
should be aware of if you want isolated network
```
</details>
@ -389,7 +395,7 @@ On exit of a linux-router instance, script **will do cleanup**, i.e. undo most c
3. hostapd (if used) in Apparmor complain mode
4. Kernel module `nf_nat_pptp` loaded
5. The wifi device which is used to create hotspot is `rfkill unblock`ed
6. Wifi country code, if user specified
6. WiFi country code, if user assigns
## Dependencies
@ -409,6 +415,7 @@ On exit of a linux-router instance, script **will do cleanup**, i.e. undo most c
<details>
- Compatibility with firewalld
- WPA3
- Global IPv6
- Explictly ban forwarding if not needed
@ -479,10 +486,10 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Visit [**my homepage** 🏡](https://garywill.github.io) to see **more tools and projects** 🛠️.
> [❤️ Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) , this project took me lots of time! ([❤️ 打赏一个!](https://github.com/garywill/receiving/blob/master/receiving_methods.md))
> [❤️ Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) , this project took me lots of time! ([❤️ 扫个码打赏一个!](https://github.com/garywill/receiving/blob/master/receiving_methods.md))
>
> 🥂 ( ^\_^) o自自o (^_^ ) 🍻
🤝 Bisides, thank [create_ap](https://github.com/oblique/create_ap) by [oblique](https://github.com/oblique). This script was forked from create\_ap. Now they are quite different. (See `history` branch for how I modified create_ap). 🤝 Also thank those who contributed to that project.
👨‍💻 You can be contributor, too! 🍃 There're some TO-DOs listed, at both above and in the code file. Also some unfulfilled enhancements in the Issues. Your name can be here!
👨‍💻 You can be contributor, too! 🍃 There're some TO-DOs listed, at both [above](#todo) and [in the code file](https://github.com/garywill/linux-router/search?q=TODO&type=code). 🍃 Also some [unfulfilled enhancements in the Issues](https://github.com/garywill/linux-router/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement). Your name can be here!

53
lnxrouter Normal file → Executable file
View File

@ -1,6 +1,6 @@
#!/bin/bash
VERSION=0.6.5
VERSION=0.6.6
PROGNAME="$(basename $0)"
export LC_ALL=C
@ -27,7 +27,7 @@ Options:
-i <interface> Interface to make NATed sub-network,
and to provide Internet to
(To create Wifi hotspot use '--ap' instead)
(To create WiFi hotspot use '--ap' instead)
-o <interface> Specify an inteface to provide Internet from.
(See Notice 1)
(Note using this with default DNS option may leak
@ -75,12 +75,12 @@ Options:
redirect non-LAN TCP and UDP traffic to port.
(usually used with '--dns')
Wifi hotspot options:
WiFi hotspot options:
--ap <wifi interface> <SSID>
Create Wifi access point
Create WiFi access point
-p, --password <password>
Wifi password
--qr Show Wifi QR code in terminal
WiFi password
--qr Show WiFi QR code in terminal
--hidden Hide access point (not broadcast SSID)
--no-virt Do not create virtual interface
@ -95,8 +95,8 @@ Options:
(default: 2)
--psk Use 64 hex digits pre-shared-key instead of
passphrase
--mac-filter Enable Wifi hotspot MAC address filtering
--mac-filter-accept Location of Wifi hotspot MAC address filter list
--mac-filter Enable WiFi hotspot MAC address filtering
--mac-filter-accept Location of WiFi hotspot MAC address filter list
(defaults to /etc/hostapd/hostapd.accept)
--hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd
--isolate-clients Disable wifi communication between clients
@ -121,9 +121,9 @@ Options:
Notice 1: This script assume your host's default policy won't forward
packets, so the script won't explictly ban forwarding in any
mode. In some unexpected case may cause unwanted packets
leakage between 2 networks, which you should be aware of if you
want isolated network
mode. In some unexpected case (eg. mistaken configurations) may
cause unwanted packets leakage between 2 networks, which you
should be aware of if you want isolated network
Examples:
$PROGNAME -i eth1
@ -231,16 +231,10 @@ parse_user_options(){
shift
INTERNET_IFACE="$1"
shift
echo ""
echo "WARN: Since you're using in this mode, make sure you've read Notice 1" >&2
echo ""
;;
-n)
shift
SHARE_METHOD=none
echo ""
echo "WARN: Since you're using in this mode, make sure you've read Notice 1" >&2
echo ""
;;
--ban-priv)
shift
@ -266,9 +260,6 @@ parse_user_options(){
--no4)
shift
NO4=1
echo ""
echo "WARN: Since you're using in this mode, make sure you've read Notice 1" >&2
echo ""
;;
--p6)
shift
@ -1097,7 +1088,7 @@ backup_interface_status() {
backup_ipv6_bits
# TODO : backup ip and others
# TODO : ? backup ip and others???
# nm managing status is saved when nm_set_unmanaged()
}
@ -1178,11 +1169,12 @@ cleanup() {
echo
echo "Doing cleanup.. "
kill_processes
echo "Cleanning up iptables .."
echo "Undoing iptables changes .."
clean_iptables > /dev/null
_cleanup 2> /dev/null
pgid=$(ps opgid= $$ |awk '{print $1}' )
echo "Killing PGID $pgid ..."
kill -15 -$pgid
sleep 1
echo "Cleaning up done"
@ -1446,7 +1438,7 @@ check_other_functions(){
##### root test ##### NOTE above don't require root ##########
if [[ $(id -u) -ne 0 ]]; then
echo "You must run it as root." >&2
echo "ERROR: Need root to continue" >&2
exit 1
fi
###### NOTE below require root ##########
@ -1730,7 +1722,7 @@ write_hostapd_conf() {
rsn_pairwise=CCMP
EOF
else
echo "WARN: Wifi is not protected by password" >&2
echo "WARN: WiFi is not protected by password" >&2
fi
chmod 600 "$CONFDIR/hostapd.conf"
}
@ -2016,26 +2008,33 @@ fi
check_iptables
echo "Not showing all iptables operations."
echo "NOTICE: Not showing all operations done to iptables rules"
[[ "$NO4" -eq 1 ]] && echo -e "\nWARN: Since you're using in this mode (no IPv4 Internet), make sure you've read Notice 1\n" >&2
# enable Internet sharing
if [[ "$SHARE_METHOD" == "none" ]]; then
echo "No Internet sharing"
echo -e "\nWARN: Since you're using in this mode (no Internet share), make sure you've read Notice 1\n" >&2
[[ "$BANLAN" -eq 1 ]] && start_ban_lan
elif [[ "$SHARE_METHOD" == "nat" ]]; then
[[ "$INTERNET_IFACE" ]] && echo -e "\nWARN: Since you're using in this mode (specify Internet interface), make sure you've read Notice 1\n" >&2
[[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS. In some unexpected case (eg. mistaken configurations), queries may leak to other interfaces, which you should be aware of.\n" >&2
start_nat
[[ "$BANLAN" -eq 1 ]] && start_ban_lan
echo 1 > "/proc/sys/net/ipv4/ip_forward" || die "Failed enabling system ipv4 forwarding"
echo 1 > "/proc/sys/net/ipv4/ip_forward" || die "Failed enabling system ipv4 forwarding" # TODO maybe uneeded in '--no4' mode
if [[ $IPV6 -eq 1 ]]; then
echo 1 > "/proc/sys/net/ipv6/conf/all/forwarding" || die "Failed enabling system ipv6 forwarding"
echo 1 > "/proc/sys/net/ipv6/conf/all/forwarding" || die "Failed enabling system ipv6 forwarding" # TODO if '-o' used, set only 2 interfaces' bits
fi
# to enable clients to establish PPTP connections we must