From 3a55f526c2efff7fa529a096c004daab4baa2341 Mon Sep 17 00:00:00 2001
From: garywill <32130780+garywill@users.noreply.github.com>
Date: Fri, 31 Aug 2018 18:41:06 +0800
Subject: [PATCH] DNS proxy: use dnsmasq forward
---
 README.md | 122 ++++++++++++++++++++++++++++++------------------------
 lnxrouter | 56 ++++---------------------
 2 files changed, 76 insertions(+), 102 deletions(-)
diff --git a/README.md b/README.md
index 291f8f7..1997212 100644
--- a/README.md
+++ b/README.md
@@ -161,63 +161,75 @@ On VirtualBox's global settings, create a host-only network `vboxnet5` with DHCP Usage: lnxrouter [options] Options: - -h, --help Show this help - --version Print version number + -h, --help Show this help + --version Print version number - -i Interface to share Internet to. An NATed subnet is made upon it. - To create Wifi hotspot use '--ap' instead - -n Disable Internet sharing - --tp Transparent proxy, redirect non-LAN tcp and udp traffic to port. - Usually use with --dns-proxy + -i Interface to share Internet to. + An NATed subnet is made upon it. + To create Wifi hotspot use '--ap' instead + -n Disable Internet sharing + --tp Transparent proxy. + redirect non-LAN tcp and udp traffic to port. + Usually used with '--dns-proxy' + + -g Set gateway IPv4 address, netmask is /24 . + (default: 192.168.18.1) + -6 Enable IPv6 (NAT) + --p6 Set IPv6 prefix (length 64) + (default: fd00:1:1:1:: ) + --dns-proxy DNS server redirect queries to port + --no-serve-dns Disable DNS server + --no-dnsmasq Disable dnsmasq server completely (DHCP, DNS, RA) + --log-dns Show DNS server query log + --dhcp-dns |no + Set IPv4 DNS offered by DHCP + (default: gateway as DNS) + --dhcp-dns6 |no + Set IPv6 DNS offered by DHCP(RA) + (default: gateway as DNS) + Note IPv6 addresses need '[]' around + -d DNS server will take into account /etc/hosts + -e DNS server will take into account additional + hosts file + + --mac Set MAC address + + Wifi hotspot options: + --ap + Create Wifi access point + --password Wifi password + + --hidden Hide access point (not broadcast SSID) + --no-virt Do not create virtual interface + Using this you can't use same wlan interface + for both Internet and AP + -c Channel number (default: 1) + --country Set two-letter country code for regularity + (example: US) + --freq-band Set frequency band: 2.4 or 5 (default: 2.4) + --driver Choose your WiFi adapter driver (default: nl80211) + -w Use 1 for WPA, use 2 for WPA2, use 1+2 for both + (default: 1+2) + 
--psk Use 64 hex digits pre-shared-key instead of + passphrase + --mac-filter Enable Wifi hotspot MAC address filtering + --mac-filter-accept Location of Wifi hotspot MAC address filter list + (defaults to /etc/hostapd/hostapd.accept) + --hostapd-debug 1 or 2. Passes -d or -dd to hostapd + --isolate-clients Disable wifi communication between clients + --ieee80211n Enable IEEE 802.11n (HT) + --ieee80211ac Enable IEEE 802.11ac (VHT) + --ht_capab HT capabilities (default: [HT40+]) + --vht_capab VHT capabilities + --no-haveged Do not run haveged automatically when needed - -g Set gateway IPv4 address, netmask is /24 (default: 192.168.18.1) - -6 Enable IPv6 - --p6 Set IPv6 prefix (length 64) (default: fd00:1:1:1:: ) - --dns-proxy Redirect incoming port 53 to DNS proxy port. DNS server is disabled - --no-serve-dns Disable DNS server - --no-dnsmasq Disable dnsmasq server completely (DHCP and DNS) - --log-dns Show DNS server query log - --dhcp-dns |no - Set IPv4 DNS offered by DHCP (default: gateway as DNS) - -d DNS server will take into account /etc/hosts - -e DNS server will take into account additional hosts file - - --mac Set MAC address - - Wifi hotspot options: - --ap - Create Wifi access point using wlan card, and set SSID - --password Wifi password - - --hidden Make the Access Point hidden (do not broadcast the SSID) - --no-virt Do not create virtual interface. - Using this you can't use same wlan card as Internet and AP - -c Channel number (default: 1) - --country Set two-letter country code for regularity (example: US) - --freq-band Set frequency band. 
Valid inputs: 2.4, 5 (default: 2.4) - --driver Choose your WiFi adapter driver (default: nl80211) - -w Use 1 for WPA, use 2 for WPA2, use 1+2 for both (default: 1+2) - --psk Use 64 hex digits pre-shared-key instead of passphrase - --mac-filter Enable Wifi hotspot MAC address filtering - --mac-filter-accept Location of Wifi hotspot MAC address filter list (defaults to /etc/hostapd/hostapd.accept) - --hostapd-debug With level between 1 and 2, passes arguments -d or -dd to hostapd for debugging. - --isolate-clients Disable communication between clients - --ieee80211n Enable IEEE 802.11n (HT) - --ieee80211ac Enable IEEE 802.11ac (VHT) - --ht_capab HT capabilities (default: [HT40+]) - --vht_capab VHT capabilities - --no-haveged Do not run 'haveged' automatically when needed - - Instance managing: - --daemon Run lnxrouter in the background - --list-running Show the lnxrouter processes that are already running - --stop Send stop command to an already running lnxrouter. For an - you can put the PID of lnxrouter or interface. You can - get them with --list-running - --list-clients List the clients connected to lnxrouter instance associated with . - For an you can put the PID of lnxrouter or interface. - If virtual WiFi interface was created, then use that one. - You can get them with --list-running + Instance managing: + --daemon Run in background + --list-running Show running instances + --list-clients List clients of an instance + --stop Stop a running instance + For you can use PID or subnet interface name. + You can get them with '--list-running' ``` diff --git a/lnxrouter b/lnxrouter index cd8af41..f8f44ce 100755 --- a/lnxrouter +++ b/lnxrouter 
@@ -31,8 +31,7 @@ Options:
 -6 Enable IPv6 (NAT)
 --p6 Set IPv6 prefix (length 64) (default: fd00:1:1:1:: )
- --dns-proxy Redirect incoming port 53 to DNS proxy port.
- DNS server is disabled
+ --dns-proxy DNS server redirect queries to port
 --no-serve-dns Disable DNS server
 --no-dnsmasq Disable dnsmasq server completely (DHCP, DNS, RA)
 --log-dns Show DNS server query log
@@ -671,42 +670,6 @@ stop_dhcp() {
 fi
 }
-redirect_dns() {
- echo
- echo "iptables: redirect port 53 to ${TP_DNS_PORT}"
- # allow input to dns proxy port
- iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport ${TP_DNS_PORT} -j ACCEPT || die
- iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport ${TP_DNS_PORT} -j ACCEPT || die
- # redirect 53 to dns proxy
- iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT} || die
- iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT} || die
-
- if [[ $IPV6 -eq 1 ]]; then
- # allow input to dns proxy port
- ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport ${TP_DNS_PORT} -j ACCEPT || die
- ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport ${TP_DNS_PORT} -j ACCEPT || die
- # redirect 53 to dns proxy
- ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT} || die
- ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT} || die
- fi
-}
-unredirect_dns() {
- echo "iptables: stop dns proxy "
- iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport ${TP_DNS_PORT} -j ACCEPT
- iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport ${TP_DNS_PORT} -j ACCEPT
-
- iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT}
- iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT}
-
- if [[ $IPV6 -eq 1 ]]; then
- ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport ${TP_DNS_PORT} -j ACCEPT
- ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport ${TP_DNS_PORT} -j ACCEPT
-
- ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT}
- ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT}
- fi
-}
-
 start_redsocks() {
 echo
 echo "iptables: transparent proxy non-LAN TCP/UDP traffic to port ${TP_PORT}"
@@ -829,9 +792,6 @@ clean_iptables() {
 unallow_dns_port
 fi
-if [[ "$TP_DNS_PORT" ]]; then
- unredirect_dns
-fi
 if [[ $NO_DNSMASQ -eq 0 ]]; then
 stop_dhcp
@@ -1026,9 +986,6 @@ if [[ $TP_PORT ]]; then
 SHARE_METHOD=redsocks
 fi
-if [[ $TP_DNS_PORT ]]; then
- dnsmasq_NO_DNS=1
-fi
 if [[ $SHARE_METHOD == 'none' ]]; then
 dnsmasq_NO_DNS=1
@@ -1398,6 +1355,14 @@ if [[ $NO_DNSMASQ -eq 0 ]]; then
 if [[ ! "$SHOW_DNS_QUERY" -eq 0 ]]; then
 echo log-queries=extra >> $CONFDIR/dnsmasq.conf
 fi
+
+ if [[ $TP_DNS_PORT ]]; then
+ cat <<- EOF >> $CONFDIR/dnsmasq.conf
+ no-resolv
+ no-poll
+ server=127.0.0.1#${TP_DNS_PORT}
+ EOF
+ fi
 if [[ $IPV6 -eq 1 ]];then
 cat <<- EOF >> $CONFDIR/dnsmasq.conf
 listen-address=${GATEWAY6}
@@ -1506,9 +1471,6 @@ if [[ "$DHCP_DNS" == "gateway" || "$DHCP_DNS6" == "gateway" ]]; then
 allow_dns_port
 fi
-if [[ "$TP_DNS_PORT" ]]; then
- redirect_dns
-fi
 if [[ $NO_DNSMASQ -eq 0 ]]; then
 start_dhcp
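Review bot: The `server=127.0.0.1#${TP_DNS_PORT}` line written into dnsmasq.conf in the `@@ -1398` hunk interpolates TP_DNS_PORT with no visible check that it is a numeric port; unless the option parser (outside this hunk) already validates it, a malformed value is silently written to the config and only surfaces when dnsmasq fails to start, so guard the write with `[[ $TP_DNS_PORT =~ ^[0-9]+$ ]] || die "invalid --dns-proxy port: $TP_DNS_PORT"`. The block should also say why `no-resolv`/`no-poll` are there, e.g. `# no-resolv/no-poll: never fall back to the host's resolvers, so client DNS cannot leak around the proxy when it is down`. Note that the removed INPUT/REDIRECT rules were what limited the proxy to the LAN subnet; with the forward, the proxy only needs to accept from 127.0.0.1, and what limits client exposure is now dnsmasq's listen-address plus allow_dns_port (both outside this hunk), which is worth a one-line comment so the next reader does not look for the old firewall rules. The enclosing `if [[ $NO_DNSMASQ -eq 0 ]]` block starts and ends outside the hunk.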