DNS proxy: use dnsmasq forward
This commit is contained in:
garywill
garywill
parent
c75ca0ce81
commit
3a55f526c2
78
README.md
78
README.md
|
|
@ -164,60 +164,72 @@ Options:
|
||||||
-h, --help Show this help
|
-h, --help Show this help
|
||||||
--version Print version number
|
--version Print version number
|
||||||
|
|
||||||
-i <interface> Interface to share Internet to. An NATed subnet is made upon it.
|
-i <interface> Interface to share Internet to.
|
||||||
|
An NATed subnet is made upon it.
|
||||||
To create Wifi hotspot use '--ap' instead
|
To create Wifi hotspot use '--ap' instead
|
||||||
-n Disable Internet sharing
|
-n Disable Internet sharing
|
||||||
--tp <port> Transparent proxy, redirect non-LAN tcp and udp traffic to port.
|
--tp <port> Transparent proxy.
|
||||||
Usually use with --dns-proxy
|
redirect non-LAN tcp and udp traffic to port.
|
||||||
|
Usually used with '--dns-proxy'
|
||||||
|
|
||||||
-g <gateway> Set gateway IPv4 address, netmask is /24 (default: 192.168.18.1)
|
-g <gateway> Set gateway IPv4 address, netmask is /24 .
|
||||||
-6 Enable IPv6
|
(default: 192.168.18.1)
|
||||||
--p6 <prefix> Set IPv6 prefix (length 64) (default: fd00:1:1:1:: )
|
-6 Enable IPv6 (NAT)
|
||||||
--dns-proxy <port> Redirect incoming port 53 to DNS proxy port. DNS server is disabled
|
--p6 <prefix> Set IPv6 prefix (length 64)
|
||||||
|
(default: fd00:1:1:1:: )
|
||||||
|
--dns-proxy <port> DNS server redirect queries to port
|
||||||
--no-serve-dns Disable DNS server
|
--no-serve-dns Disable DNS server
|
||||||
--no-dnsmasq Disable dnsmasq server completely (DHCP and DNS)
|
--no-dnsmasq Disable dnsmasq server completely (DHCP, DNS, RA)
|
||||||
--log-dns Show DNS server query log
|
--log-dns Show DNS server query log
|
||||||
--dhcp-dns <IP1[,IP2]>|no
|
--dhcp-dns <IP1[,IP2]>|no
|
||||||
Set IPv4 DNS offered by DHCP (default: gateway as DNS)
|
Set IPv4 DNS offered by DHCP
|
||||||
|
(default: gateway as DNS)
|
||||||
|
--dhcp-dns6 <IP1[,IP2]>|no
|
||||||
|
Set IPv6 DNS offered by DHCP(RA)
|
||||||
|
(default: gateway as DNS)
|
||||||
|
Note IPv6 addresses need '[]' around
|
||||||
-d DNS server will take into account /etc/hosts
|
-d DNS server will take into account /etc/hosts
|
||||||
-e <hosts_file> DNS server will take into account additional hosts file
|
-e <hosts_file> DNS server will take into account additional
|
||||||
|
hosts file
|
||||||
|
|
||||||
--mac <MAC> Set MAC address
|
--mac <MAC> Set MAC address
|
||||||
|
|
||||||
Wifi hotspot options:
|
Wifi hotspot options:
|
||||||
--ap <wlan card interface> <access point name>
|
--ap <wifi interface> <SSID>
|
||||||
Create Wifi access point using wlan card, and set SSID
|
Create Wifi access point
|
||||||
--password <passphrase> Wifi password
|
--password <password> Wifi password
|
||||||
|
|
||||||
--hidden Make the Access Point hidden (do not broadcast the SSID)
|
--hidden Hide access point (not broadcast SSID)
|
||||||
--no-virt Do not create virtual interface.
|
--no-virt Do not create virtual interface
|
||||||
Using this you can't use same wlan card as Internet and AP
|
Using this you can't use same wlan interface
|
||||||
|
for both Internet and AP
|
||||||
-c <channel> Channel number (default: 1)
|
-c <channel> Channel number (default: 1)
|
||||||
--country <code> Set two-letter country code for regularity (example: US)
|
--country <code> Set two-letter country code for regularity
|
||||||
--freq-band <GHz> Set frequency band. Valid inputs: 2.4, 5 (default: 2.4)
|
(example: US)
|
||||||
|
--freq-band <GHz> Set frequency band: 2.4 or 5 (default: 2.4)
|
||||||
--driver Choose your WiFi adapter driver (default: nl80211)
|
--driver Choose your WiFi adapter driver (default: nl80211)
|
||||||
-w <WPA version> Use 1 for WPA, use 2 for WPA2, use 1+2 for both (default: 1+2)
|
-w <WPA version> Use 1 for WPA, use 2 for WPA2, use 1+2 for both
|
||||||
--psk Use 64 hex digits pre-shared-key instead of passphrase
|
(default: 1+2)
|
||||||
|
--psk Use 64 hex digits pre-shared-key instead of
|
||||||
|
passphrase
|
||||||
--mac-filter Enable Wifi hotspot MAC address filtering
|
--mac-filter Enable Wifi hotspot MAC address filtering
|
||||||
--mac-filter-accept Location of Wifi hotspot MAC address filter list (defaults to /etc/hostapd/hostapd.accept)
|
--mac-filter-accept Location of Wifi hotspot MAC address filter list
|
||||||
--hostapd-debug <level> With level between 1 and 2, passes arguments -d or -dd to hostapd for debugging.
|
(defaults to /etc/hostapd/hostapd.accept)
|
||||||
--isolate-clients Disable communication between clients
|
--hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd
|
||||||
|
--isolate-clients Disable wifi communication between clients
|
||||||
--ieee80211n Enable IEEE 802.11n (HT)
|
--ieee80211n Enable IEEE 802.11n (HT)
|
||||||
--ieee80211ac Enable IEEE 802.11ac (VHT)
|
--ieee80211ac Enable IEEE 802.11ac (VHT)
|
||||||
--ht_capab <HT> HT capabilities (default: [HT40+])
|
--ht_capab <HT> HT capabilities (default: [HT40+])
|
||||||
--vht_capab <VHT> VHT capabilities
|
--vht_capab <VHT> VHT capabilities
|
||||||
--no-haveged Do not run 'haveged' automatically when needed
|
--no-haveged Do not run haveged automatically when needed
|
||||||
|
|
||||||
Instance managing:
|
Instance managing:
|
||||||
--daemon Run lnxrouter in the background
|
--daemon Run in background
|
||||||
--list-running Show the lnxrouter processes that are already running
|
--list-running Show running instances
|
||||||
--stop <id> Send stop command to an already running lnxrouter. For an <id>
|
--list-clients <id> List clients of an instance
|
||||||
you can put the PID of lnxrouter or interface. You can
|
--stop <id> Stop a running instance
|
||||||
get them with --list-running
|
For <id> you can use PID or subnet interface name.
|
||||||
--list-clients <id> List the clients connected to lnxrouter instance associated with <id>.
|
You can get them with '--list-running'
|
||||||
For an <id> you can put the PID of lnxrouter or interface.
|
|
||||||
If virtual WiFi interface was created, then use that one.
|
|
||||||
You can get them with --list-running
|
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
56
lnxrouter
56
lnxrouter
|
|
@ -31,8 +31,7 @@ Options:
|
||||||
-6 Enable IPv6 (NAT)
|
-6 Enable IPv6 (NAT)
|
||||||
--p6 <prefix> Set IPv6 prefix (length 64)
|
--p6 <prefix> Set IPv6 prefix (length 64)
|
||||||
(default: fd00:1:1:1:: )
|
(default: fd00:1:1:1:: )
|
||||||
--dns-proxy <port> Redirect incoming port 53 to DNS proxy port.
|
--dns-proxy <port> DNS server redirect queries to port
|
||||||
DNS server is disabled
|
|
||||||
--no-serve-dns Disable DNS server
|
--no-serve-dns Disable DNS server
|
||||||
--no-dnsmasq Disable dnsmasq server completely (DHCP, DNS, RA)
|
--no-dnsmasq Disable dnsmasq server completely (DHCP, DNS, RA)
|
||||||
--log-dns Show DNS server query log
|
--log-dns Show DNS server query log
|
||||||
|
|
@ -671,42 +670,6 @@ stop_dhcp() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
redirect_dns() {
|
|
||||||
echo
|
|
||||||
echo "iptables: redirect port 53 to ${TP_DNS_PORT}"
|
|
||||||
# allow input to dns proxy port
|
|
||||||
iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport ${TP_DNS_PORT} -j ACCEPT || die
|
|
||||||
iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport ${TP_DNS_PORT} -j ACCEPT || die
|
|
||||||
# redirect 53 to dns proxy
|
|
||||||
iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT} || die
|
|
||||||
iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT} || die
|
|
||||||
|
|
||||||
if [[ $IPV6 -eq 1 ]]; then
|
|
||||||
# allow input to dns proxy port
|
|
||||||
ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport ${TP_DNS_PORT} -j ACCEPT || die
|
|
||||||
ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport ${TP_DNS_PORT} -j ACCEPT || die
|
|
||||||
# redirect 53 to dns proxy
|
|
||||||
ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT} || die
|
|
||||||
ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT} || die
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
unredirect_dns() {
|
|
||||||
echo "iptables: stop dns proxy "
|
|
||||||
iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport ${TP_DNS_PORT} -j ACCEPT
|
|
||||||
iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport ${TP_DNS_PORT} -j ACCEPT
|
|
||||||
|
|
||||||
iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT}
|
|
||||||
iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT}
|
|
||||||
|
|
||||||
if [[ $IPV6 -eq 1 ]]; then
|
|
||||||
ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport ${TP_DNS_PORT} -j ACCEPT
|
|
||||||
ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport ${TP_DNS_PORT} -j ACCEPT
|
|
||||||
|
|
||||||
ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT}
|
|
||||||
ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT}
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
start_redsocks() {
|
start_redsocks() {
|
||||||
echo
|
echo
|
||||||
echo "iptables: transparent proxy non-LAN TCP/UDP traffic to port ${TP_PORT}"
|
echo "iptables: transparent proxy non-LAN TCP/UDP traffic to port ${TP_PORT}"
|
||||||
|
|
@ -829,9 +792,6 @@ clean_iptables() {
|
||||||
unallow_dns_port
|
unallow_dns_port
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ "$TP_DNS_PORT" ]]; then
|
|
||||||
unredirect_dns
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ $NO_DNSMASQ -eq 0 ]]; then
|
if [[ $NO_DNSMASQ -eq 0 ]]; then
|
||||||
stop_dhcp
|
stop_dhcp
|
||||||
|
|
@ -1026,9 +986,6 @@ if [[ $TP_PORT ]]; then
|
||||||
SHARE_METHOD=redsocks
|
SHARE_METHOD=redsocks
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ $TP_DNS_PORT ]]; then
|
|
||||||
dnsmasq_NO_DNS=1
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ $SHARE_METHOD == 'none' ]]; then
|
if [[ $SHARE_METHOD == 'none' ]]; then
|
||||||
dnsmasq_NO_DNS=1
|
dnsmasq_NO_DNS=1
|
||||||
|
|
@ -1398,6 +1355,14 @@ if [[ $NO_DNSMASQ -eq 0 ]]; then
|
||||||
if [[ ! "$SHOW_DNS_QUERY" -eq 0 ]]; then
|
if [[ ! "$SHOW_DNS_QUERY" -eq 0 ]]; then
|
||||||
echo log-queries=extra >> $CONFDIR/dnsmasq.conf
|
echo log-queries=extra >> $CONFDIR/dnsmasq.conf
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [[ $TP_DNS_PORT ]]; then
|
||||||
|
cat <<- EOF >> $CONFDIR/dnsmasq.conf
|
||||||
|
no-resolv
|
||||||
|
no-poll
|
||||||
|
server=127.0.0.1#${TP_DNS_PORT}
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
if [[ $IPV6 -eq 1 ]];then
|
if [[ $IPV6 -eq 1 ]];then
|
||||||
cat <<- EOF >> $CONFDIR/dnsmasq.conf
|
cat <<- EOF >> $CONFDIR/dnsmasq.conf
|
||||||
listen-address=${GATEWAY6}
|
listen-address=${GATEWAY6}
|
||||||
|
|
@ -1506,9 +1471,6 @@ if [[ "$DHCP_DNS" == "gateway" || "$DHCP_DNS6" == "gateway" ]]; then
|
||||||
allow_dns_port
|
allow_dns_port
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ "$TP_DNS_PORT" ]]; then
|
|
||||||
redirect_dns
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [[ $NO_DNSMASQ -eq 0 ]]; then
|
if [[ $NO_DNSMASQ -eq 0 ]]; then
|
||||||
start_dhcp
|
start_dhcp
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue