option to protect private network

This commit is contained in:
garywill 2020-12-24 20:36:09 +08:00 committed by garywill
parent a67c19d8f5
commit a4aa2f52db
2 changed files with 83 additions and 4 deletions


@ -194,7 +194,7 @@ Create a bridge
``` ```
# lnxrouter -i firejail5 -g 192.168.55.1 --tp 9040 --dns 9053 # lnxrouter -i firejail5 -g 192.168.55.1 --tp 9040 --dns 9053
$ firejail --net=firejail5 --dns=192.168.55.1 $ firejail --net=firejail5 --dns=192.168.55.1 --blacklist=/var/run/nscd
``` ```
### CLI usage and other features ### CLI usage and other features
@ -213,6 +213,7 @@ Options:
(Note using this with default DNS option may leak (Note using this with default DNS option may leak
queries to other interfaces) queries to other interfaces)
-n Do not provide Internet -n Do not provide Internet
--ban-priv Disallow clients to access my private network
-g <ip> Set this host's IPv4 address, netmask is 24 -g <ip> Set this host's IPv4 address, netmask is 24
-6 Enable IPv6 (NAT) -6 Enable IPv6 (NAT)
@ -307,7 +308,6 @@ Wifi hotspot:
## TODO ## TODO
- Option to ban private network access
- Option to randomize MAC - Option to randomize MAC
## Donate ## Donate


@ -11,6 +11,7 @@ umask $SCRIPT_UMASK
usage() { usage() {
cat << EOF cat << EOF
linux-router $VERSION (https://github.com/garywill/linux-router) linux-router $VERSION (https://github.com/garywill/linux-router)
Released under LGPL, with no warranty. Use on your own risk.
Usage: $PROGNAME <options> Usage: $PROGNAME <options>
@ -25,6 +26,7 @@ Options:
(Note using this with default DNS option may leak (Note using this with default DNS option may leak
queries to other interfaces) queries to other interfaces)
-n Do not provide Internet -n Do not provide Internet
--ban-priv Disallow clients to access my private network
-g <ip> Set this host's IPv4 address, netmask is 24 -g <ip> Set this host's IPv4 address, netmask is 24
-6 Enable IPv6 (NAT) -6 Enable IPv6 (NAT)
@ -38,7 +40,7 @@ Options:
--no-dns Do not serve DNS --no-dns Do not serve DNS
--no-dnsmasq Disable dnsmasq server (DHCP, DNS, RA) --no-dnsmasq Disable dnsmasq server (DHCP, DNS, RA)
--catch-dns Transparent DNS proxy, redirect packets(TCP/UDP) --catch-dns Transparent DNS proxy, redirect packets(TCP/UDP)
that destination port is 53 to this host whose destination port is 53 to this host
--log-dns Show DNS query log --log-dns Show DNS query log
--dhcp-dns <IP1[,IP2]>|no --dhcp-dns <IP1[,IP2]>|no
Set IPv4 DNS offered by DHCP (default: this host) Set IPv4 DNS offered by DHCP (default: this host)
@ -115,7 +117,7 @@ GATEWAY=
PREFIX6= PREFIX6=
IID6=1 IID6=1
IPV6=0 IPV6=0
ROUTE_ADDRS= BANLAN=0
DHCP_DNS=gateway DHCP_DNS=gateway
DHCP_DNS6=gateway DHCP_DNS6=gateway
dnsmasq_NO_DNS=0 dnsmasq_NO_DNS=0
@ -189,6 +191,10 @@ while [[ -n "$1" ]]; do
shift shift
SHARE_METHOD=none SHARE_METHOD=none
;; ;;
--ban-priv)
shift
BANLAN=1
;;
--tp) --tp)
shift shift
TP_PORT="$1" TP_PORT="$1"
@ -740,6 +746,72 @@ stop_nat() {
fi fi
} }
start_ban_lan() {
echo
echo "iptables: Disallow clients to access LAN"
iptables_ -N BANLAN-f-${SUBNET_IFACE} || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 0.0.0.0/8 -j REJECT || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 10.0.0.0/8 -j REJECT || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 100.64.0.0/10 -j REJECT || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 127.0.0.0/8 -j REJECT || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 169.254.0.0/16 -j REJECT || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 172.16.0.0/12 -j REJECT || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 192.168.0.0/16 -j REJECT || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 224.0.0.0/4 -j REJECT || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 255.255.255.255 -j REJECT || die
iptables_ -I FORWARD -i ${SUBNET_IFACE} -j BANLAN-f-${SUBNET_IFACE} || die
iptables_ -N BANLAN-i-${SUBNET_IFACE}
#iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} -j REJECT || die
iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} ! -p icmp -j REJECT || die
iptables_ -I INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE} || die
if [[ $IPV6 -eq 1 ]]; then
ip6tables_ -N BANLAN-f-${SUBNET_IFACE} || die
ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d fc00::/7 -j REJECT || die
ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d fe80::/10 -j REJECT || die
ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ff00::/8 -j REJECT || die
ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ::1 -j REJECT || die
ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ::/128 -j REJECT || die
ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ::ffff:0:0/96 -j REJECT || die
ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ::ffff:0:0:0/96 -j REJECT || die
ip6tables_ -I FORWARD -i ${SUBNET_IFACE} -j BANLAN-f-${SUBNET_IFACE} || die
ip6tables_ -N BANLAN-i-${SUBNET_IFACE} || die
#ip6tables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} -j REJECT || die
ip6tables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} ! -p icmpv6 -j REJECT || die
ip6tables_ -I INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE} || die
fi
}
stop_ban_lan() {
echo "iptables: Unban clients' LAN access"
iptables_ -D FORWARD -i ${SUBNET_IFACE} -j BANLAN-f-${SUBNET_IFACE}
iptables_ -F BANLAN-f-${SUBNET_IFACE}
iptables_ -X BANLAN-f-${SUBNET_IFACE}
iptables_ -D INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE}
iptables_ -F BANLAN-i-${SUBNET_IFACE}
iptables_ -X BANLAN-i-${SUBNET_IFACE}
if [[ $IPV6 -eq 1 ]]; then
ip6tables_ -D FORWARD -i ${SUBNET_IFACE} -j BANLAN-f-${SUBNET_IFACE}
ip6tables_ -F BANLAN-f-${SUBNET_IFACE}
ip6tables_ -X BANLAN-f-${SUBNET_IFACE}
ip6tables_ -D INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE}
ip6tables_ -F BANLAN-i-${SUBNET_IFACE}
ip6tables_ -X BANLAN-i-${SUBNET_IFACE}
fi
}
allow_dns_port() { allow_dns_port() {
echo echo
echo "iptables: allow DNS port access" echo "iptables: allow DNS port access"
@ -926,6 +998,8 @@ clean_iptables() {
if [[ $NO_DNSMASQ -eq 0 ]]; then if [[ $NO_DNSMASQ -eq 0 ]]; then
stop_dhcp stop_dhcp
fi fi
[[ "$BANLAN" -eq 1 ]] && stop_ban_lan
} }
cleanup() { cleanup() {
@ -1598,12 +1672,16 @@ else
echo 1 > /proc/sys/net/ipv6/conf/$SUBNET_IFACE/disable_ipv6 echo 1 > /proc/sys/net/ipv6/conf/$SUBNET_IFACE/disable_ipv6
fi fi
# enable Internet sharing # enable Internet sharing
if [[ "$SHARE_METHOD" == "none" ]]; then if [[ "$SHARE_METHOD" == "none" ]]; then
echo "No Internet sharing" echo "No Internet sharing"
[[ "$BANLAN" -eq 1 ]] && start_ban_lan
elif [[ "$SHARE_METHOD" == "nat" ]]; then elif [[ "$SHARE_METHOD" == "nat" ]]; then
[[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS, queries may leak to other interfaces!!!\n" >&2 [[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS, queries may leak to other interfaces!!!\n" >&2
start_nat start_nat
[[ "$BANLAN" -eq 1 ]] && start_ban_lan
echo 1 > /proc/sys/net/ipv4/ip_forward || die "Failed enabling system ipv4 forwarding" echo 1 > /proc/sys/net/ipv4/ip_forward || die "Failed enabling system ipv4 forwarding"
if [[ $IPV6 -eq 1 ]]; then if [[ $IPV6 -eq 1 ]]; then
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding || die "Failed enabling system ipv6 forwarding" echo 1 > /proc/sys/net/ipv6/conf/all/forwarding || die "Failed enabling system ipv6 forwarding"
@ -1617,6 +1695,7 @@ elif [[ "$SHARE_METHOD" == "redsocks" ]]; then
fi fi
[[ "$dnsmasq_NO_DNS" -eq 0 && ! $DNS ]] && echo -e "\nWARN: You are using transparent proxy but this host is providing local DNS, this may cause privacy leak !!!\n" >&2 [[ "$dnsmasq_NO_DNS" -eq 0 && ! $DNS ]] && echo -e "\nWARN: You are using transparent proxy but this host is providing local DNS, this may cause privacy leak !!!\n" >&2
[[ "$BANLAN" -eq 1 ]] && start_ban_lan
start_redsocks start_redsocks
fi fi
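Review bot: In start_ban_lan the IPv4 chain creation `iptables_ -N BANLAN-i-${SUBNET_IFACE}` is the only chain-creation line in the hunk without `|| die`; its ip6tables twin and every other `-N` line abort on failure, so a leftover chain from an unclean previous run would here be silently reused and the following `-I` would stack duplicate rules on it, while on any other failure the function carries on with the next command. Change it to `iptables_ -N BANLAN-i-${SUBNET_IFACE} || die` so the failure handling is uniform. The BANLAN-i rule rejects everything except ICMP arriving on the subnet interface and is inserted at the head of INPUT, so whether the host's own DHCP/DNS (dnsmasq) and transparent-proxy listeners stay reachable seems to depend on their accept rules being inserted after this call; the callers at the `none`, `nat` and `redsocks` branches are visible but the dnsmasq/tp setup is not, so this ordering assumption deserves a comment such as `# NOTE: inserted at head of INPUT/FORWARD; accept rules for services clients must reach (DHCP, DNS, tp port) have to be inserted after this call`. A header line for both new functions stating that they only ban traffic traversing this host (clients on the same segment are not affected) would also help the next maintainer, and `${SUBNET_IFACE}` should be quoted throughout per the file's other uses of `"$SUBNET_IFACE"`.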