interesting
/
linux-router
mirror of https://github.com/garywill/linux-router.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

iptables NAT rule: do not masquerade client to client connections

This commit is contained in:
garywill 2018-08-31 18:41:06 +08:00 committed by garywill
parent 4022d798b0
commit 7815bce574
2 changed files with 51 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
Readme.md → README.md
View File

@ -1,7 +1,10 @@
# Linux-router
Share your Linux's Internet access to other devices. Works on wired, wireless and virtual networks.
Share your Linux's Internet access to other devices.
The goal is to easily set/unset your Linux PC/embedded device as a gateway/hotspot/transparent proxy. It wraps the complicated `iptables`, `dnsmasq` etc. stuff. Use in one command, restore by `control-c`.
It works on wired, wireless and virtual networks.
## Features
@ -11,58 +14,46 @@ Basic features:
- Share Internet to the sub-network
- DHCP server
- DNS server
- Transparent proxy (redsocks) (with DNS proxy)
- Creating Wifi hotspot:
- Channel selecting
- Choose encryptions: WPA2/WPA, WPA2, WPA, No encryption
- Hidden SSID
- Create AP on the same interface you are getting Internet (require same channel)
- Transparent proxy (redsocks)
- DNS proxy
Creating Wifi hotspot:
**For many other features, see below [CLI usage](#cli-usage-and-other-features)**
- Channel selecting
- Choose encryptions: WPA2/WPA, WPA2, WPA, No encryption
- Hidden SSID
- Create AP on the same interface you are getting Internet (require same channel)
For many other features, see below CLI usage.
Useful in these situations:
### Useful in these situations
```
Internet ----(eth0/wlan0)-Linux-(wlanX)AP
|
|----client
|
|----client
Internet----(eth0/wlan0)-Linux-(wlanX)AP
|--client
|--client
```
```
Internet
Wifi AP(no DHCP) |
| |
|----(wlan1)-Linux-(eth0/wlan0)------
| (DHCP)
|
|----client
|
|----client
|--client
|--client
```
```
Internet
Switch |
| |
|---(eth1)-Linux-(eth0/wlan0)--------
|
|----client
|
|----client
|--client
|--client
```
```
Internet ----(eth0/wlan0)-Linux-(eth1)--------Another PC
Internet----(eth0/wlan0)-Linux-(eth1)------Another PC
```
```
Internet ----(eth0/wlan0)-Linux-(virtual interface)-----VM guests/container guests
Internet----(eth0/wlan0)-Linux-(virtual interface)-----VM guests/container guests
```
## Usage
@ -79,12 +70,10 @@ Internet ----(eth0/wlan0)-Linux-(virtual interface)-----VM guests/container gues
# lnxrouter --ap wlan0 MyAccessPoint --password MyPassPhrase
```
### Make a LAN without Internet
### LAN without Internet
```
# lnxrouter -i eth1 -n
```
```
# lnxrouter --ap wlan0 MyAccessPoint --password MyPassPhrase -n
```
@ -100,12 +89,12 @@ In `torrc`
TransPort 0.0.0.0:9040
DNSPort 0.0.0.0:9053
```
### Using with LXC
### Use with LXC
Create a bridge
```
# brctl addbr lxcbr1
```
In LXC container's `config`
In LXC container `config`
```
lxc.network.type = veth
lxc.network.flags = up
@ -115,7 +104,7 @@ lxc.network.hwaddr = xx:xx:xx:xx:xx:xx
```
# lnxrouter -i lxcbr1
```
### Using with VirtualBox
### Use with VirtualBox
On VirtualBox's global settings, create a host-only network `vboxnet1` with DHCP disabled.
```
# lnxrouter -i vboxnet1
@ -136,7 +125,7 @@ Options:
Usually use with --dns-proxy
-g <gateway> Set Gateway IPv4 address, netmask is /24 (default: 192.168.18.1)
--dns-proxy <port> Redirect 53 port to DNS proxy port. dnsmasq DNS is disabled
--dns-proxy <port> Redirect incoming 53 port to DNS proxy port. dnsmasq DNS is disabled
--no-serve-dns dnsmasq DNS disabled
--no-dnsmasq Disable dnsmasq server completely (dhcp and dns)
--log-dns Show dnsmasq DNS server query log
@ -189,7 +178,7 @@ Options:
```
### Ddependencies
## Dependencies
- bash
- procps or procps-ng
- iproute2
@ -208,6 +197,8 @@ Wifi hotspot:
- Option to ban private network access
- IPv6 support
- Option to random MAC, IP, SSID, password
- Option to specify out-going interface
- Option to catch and redirect all dns connections
## Thanks

60
lnxrouter
View File

@ -1,23 +1,8 @@
#!/bin/bash
# general dependencies:
# bash (to run this script)
# procps or procps-ng
# iproute2
# dnsmasq
# iptables
# wifi ap:
# hostapd
# iw
# iwconfig (you only need this if 'iw' can not recognize your adapter)
# haveged (optional)
VERSION=0.5.0
PROGNAME="$(basename $0)"
# make sure that all command outputs are in english
# so we can parse them correctly
export LC_ALL=C
# all new files and directories must be readable only by root.
@ -26,9 +11,9 @@ SCRIPT_UMASK=0077
umask $SCRIPT_UMASK
usage() {
echo "$PROGNAME $VERSION (https://github.com/garywill/linux-router)"
echo "linux-router $VERSION (https://github.com/garywill/linux-router)"
echo "Share your Linux's Internet access to other devices. "
echo "Work on wired, wireless and virtual networks."
echo "Works on wired, wireless and virtual networks."
echo
echo "Usage: "$PROGNAME" [options] "
echo
@ -36,23 +21,17 @@ usage() {
echo " -h, --help Show this help"
echo " --version Print version number"
echo
#echo " -m <method> Method for Internet sharing."
#echo " Use: 'nat' for NAT (default)"
#echo " 'redsocks' for transparent proxy. Usually use with --dns-proxy"
#echo " 'none' for no Internet sharing (equivalent to -n)"
echo " -i <interface> Interface to share Internet to. An NATed subnet will be made on it."
echo " To create Wifi hotspot use --ap instead"
echo " -i <interface> Interface to share Internet to. An NATed subnet is made upon it."
echo " To create Wifi hotspot use '--ap' instead"
echo " -n Disable Internet sharing"
echo " --tp <port> Transparent proxy (redsocks), redirect tcp and udp traffic to port."
echo " Usually use with --dns-proxy"
echo
echo " -g <gateway> Set Gateway IPv4 address, netmask is /24 (default: 192.168.18.1)"
echo " --dns-proxy <port> Redirect 53 port to DNS proxy port. dnsmasq DNS is disabled"
echo " --no-serve-dns dnsmasq DNS disabled"
echo " --no-dnsmasq Disable dnsmasq server completely (dhcp and dns)"
echo " --log-dns Show dnsmasq DNS server query log"
echo " --dns-proxy <port> Redirect incoming port 53 to DNS proxy port. DNS server is disabled"
echo " --no-serve-dns Disable DNS server"
echo " --no-dnsmasq Disable dnsmasq server completely (DHCP and DNS)"
echo " --log-dns Show DNS server query log"
echo " --dhcp-dns <IP1[,IP2]>|no"
echo " Set DNS offered by DHCP, or no DNS offered (default: gateway as DNS)"
echo " -d DNS server will take into account /etc/hosts"
@ -883,12 +862,12 @@ iptables_()
start_nat() {
echo
echo "iptables: NAT "
iptables_ -v -t nat -I POSTROUTING -s ${GATEWAY%.*}.0/24 -j MASQUERADE || die
iptables_ -v -t nat -I POSTROUTING -s ${GATEWAY%.*}.0/24 ! -d ${GATEWAY%.*}.0/24 ! -o ${SUBNET_IFACE} -j MASQUERADE || die
iptables_ -v -I FORWARD -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -j ACCEPT || die
iptables_ -v -I FORWARD -o ${SUBNET_IFACE} -d ${GATEWAY%.*}.0/24 -j ACCEPT || die
}
stop_nat() {
iptables_ -t nat -D POSTROUTING -s ${GATEWAY%.*}.0/24 -j MASQUERADE
iptables_ -t nat -D POSTROUTING -s ${GATEWAY%.*}.0/24 ! -d ${GATEWAY%.*}.0/24 ! -o ${SUBNET_IFACE} -j MASQUERADE
iptables_ -D FORWARD -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -j ACCEPT
iptables_ -D FORWARD -o ${SUBNET_IFACE} -d ${GATEWAY%.*}.0/24 -j ACCEPT
}
@ -1043,10 +1022,11 @@ clean_iptables() {
cleanup() {
echo
echo -n "Doing cleanup.. "
echo
echo "Doing cleanup.. "
clean_iptables
_cleanup 2> /dev/null
echo "done"
echo "Cleaning up done"
}
die() {
@ -1058,6 +1038,7 @@ die() {
}
clean_exit() {
echo "clean_exit()"
# send clean_exit signal to the main process
[[ $BASHPID -ne $$ ]] && kill -USR1 $$
# we don't need to call cleanup because it's traped on EXIT
@ -1432,7 +1413,7 @@ if [[ $WIFI_IFACE ]]; then
# in NetworkManager 0.9.9 and above we can set the interface as unmanaged without
# the need of MAC address, so we set it before we create the virtual interface.
if networkmanager_is_running && [[ $NM_OLDER_VERSION -eq 0 ]]; then
echo -n "Network Manager found, set ${VWIFI_IFACE} as unmanaged device... "
echo "Network Manager found, set ${VWIFI_IFACE} as unmanaged device... "
networkmanager_add_unmanaged ${VWIFI_IFACE}
# do not call networkmanager_wait_until_unmanaged because interface does not
# exist yet
@ -1441,14 +1422,14 @@ if [[ $WIFI_IFACE ]]; then
if is_wifi_connected ${WIFI_IFACE}; then
WIFI_IFACE_FREQ=$(iw dev ${WIFI_IFACE} link | grep -i freq | awk '{print $2}')
WIFI_IFACE_CHANNEL=$(ieee80211_frequency_to_channel ${WIFI_IFACE_FREQ})
echo -n "${WIFI_IFACE} is already associated with channel ${WIFI_IFACE_CHANNEL} (${WIFI_IFACE_FREQ} MHz)"
echo "${WIFI_IFACE} already in channel ${WIFI_IFACE_CHANNEL} (${WIFI_IFACE_FREQ} MHz)"
if is_5ghz_frequency $WIFI_IFACE_FREQ; then
FREQ_BAND=5
else
FREQ_BAND=2.4
fi
if [[ $WIFI_IFACE_CHANNEL -ne $CHANNEL ]]; then
echo ", fallback to channel ${WIFI_IFACE_CHANNEL}"
echo "Channel fallback to ${WIFI_IFACE_CHANNEL}"
CHANNEL=$WIFI_IFACE_CHANNEL
else
echo
@ -1457,7 +1438,7 @@ if [[ $WIFI_IFACE ]]; then
VIRTDIEMSG="Maybe your WiFi adapter does not fully support virtual interfaces.
Try again with --no-virt."
echo -n "Creating a virtual WiFi interface... "
echo "Creating a virtual WiFi interface... "
if iw dev ${WIFI_IFACE} interface add ${VWIFI_IFACE} type __ap; then
# now we can call networkmanager_wait_until_unmanaged
@ -1581,7 +1562,7 @@ fi
#===================================================
if networkmanager_exists && ! networkmanager_iface_is_unmanaged ${SUBNET_IFACE}; then
echo -n "Network Manager found, set ${SUBNET_IFACE} as unmanaged device... "
echo "Network Manager found, set ${SUBNET_IFACE} as unmanaged device... "
networkmanager_add_unmanaged ${SUBNET_IFACE}
if networkmanager_is_running; then
@ -1699,10 +1680,11 @@ if [[ $WIFI_IFACE ]]; then
if [[ $NO_HAVEGED -eq 0 ]]; then
haveged_watchdog &
HAVEGED_WATCHDOG_PID=$!
echo "haveged_watchdog PID: $HAVEGED_WATCHDOG_PID"
fi
# start access point
echo "hostapd command-line interface: hostapd_cli -p $CONFDIR/hostapd_ctrl"
#echo "hostapd command-line interface: hostapd_cli -p $CONFDIR/hostapd_ctrl"
# start hostapd (use stdbuf when available for no delayed output in programs that redirect stdout)
STDBUF_PATH=`which stdbuf`
if [ $? -eq 0 ]; then