From a4e3089e6906b45f1d076d8fcfe2d912d44b9f1d Mon Sep 17 00:00:00 2001 From: garywill Date: Sun, 25 Feb 2024 10:00:00 +0800 Subject: [PATCH] disable unwanted forwarding --- README.md | 37 ++++++++----------------------------- lnxrouter | 49 ++++++++++++++++++++++++------------------------- 2 files changed, 32 insertions(+), 54 deletions(-) mode change 100644 => 100755 lnxrouter diff --git a/README.md b/README.md index 2b469ad..ea55ebb 100644 --- a/README.md +++ b/README.md @@ -120,8 +120,6 @@ sudo lnxrouter -i eth1 -o isp5 --no-dns --dhcp-dns 1.1.1.1 -6 --dhcp-dns6 [26 > 1. Stop serving local DNS > 2. Tell clients which DNS to use (ISP5's DNS. Or, a safe public DNS, like above example) -> Also, read *Notice 1* - ### Create LAN without providing Internet @@ -136,8 +134,6 @@ sudo lnxrouter -n -i eth1 sudo lnxrouter -n --ap wlan0 MyAccessPoint -p MyPassPhrase ``` -> Read _Notice 1_ - ### Internet for LXC @@ -312,17 +308,16 @@ Options: and to provide Internet to (To create WiFi hotspot use '--ap' instead) -o Specify an inteface to provide Internet from. - (See Notice 1) (Note using this with default DNS option may leak queries to other interfaces) - -n Do not provide Internet (See Notice 1) + -n Do not provide Internet --ban-priv Disallow clients to access my private network -g This host's IPv4 address in subnet (mask is /24) (example: '192.168.5.1' or '5' shortly) -6 Enable IPv6 (NAT) - --no4 Disable IPv4 Internet (not forwarding IPv4) - (See Notice 1). Usually used with '-6' + --no4 Disable IPv4 Internet (not forwarding IPv4). + Usually used with '-6' --p6 Set IPv6 LAN address prefix (length 64) (example: 'fd00:0:0:5::' or '5' shortly) 
@@ -418,12 +413,11 @@ Options: --stop Stop a running instance For you can use PID or subnet interface name. You can get them with '--list-running' - - Notice 1: This script assume your host's default policy won't forward - packets, so the script won't explictly ban forwarding in any - mode. In some unexpected case (eg. mistaken configurations) may - cause unwanted packets leakage between 2 networks, which you - should be aware of if you want isolated network + +Examples: + lnxrouter -i eth1 + lnxrouter --ap wlan0 MyAccessPoint -p MyPassPhrase + lnxrouter -i eth1 --tp --dns ``` @@ -455,20 +449,6 @@ Visit [**my homepage** 🏡](https://garywill.github.io) to see **more tools and - 🍃 Also some [unfulfilled enhancements in the Issues](https://github.com/garywill/linux-router/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement) - 🙋‍♂️ Contributions are not limited to coding. There're [some posts and questions](https://github.com/garywill/linux-router/issues) that need more people to answer -## Notice - -
- -``` - Notice 1: This script assume your host's default policy won't forward - packets, so the script won't explictly ban forwarding in any - mode. In some unexpected case (eg. mistaken configurations) may - cause unwanted packets leakage between 2 networks, which you - should be aware of if you want isolated network -``` - -
- ## TODO Sooner is better: @@ -478,7 +458,6 @@ Future: - WPA3 - Global IPv6 - Explictly ban forwarding if not needed -- Bring bridging method back ## License diff --git a/lnxrouter b/lnxrouter old mode 100644 new mode 100755 index 51418bb..26f7110 --- a/lnxrouter +++ b/lnxrouter @@ -29,17 +29,16 @@ Options: and to provide Internet to (To create WiFi hotspot use '--ap' instead) -o Specify an inteface to provide Internet from. - (See Notice 1) (Note using this with default DNS option may leak queries to other interfaces) - -n Do not provide Internet (See Notice 1) + -n Do not provide Internet --ban-priv Disallow clients to access my private network -g This host's IPv4 address in subnet (mask is /24) (example: '192.168.5.1' or '5' shortly) -6 Enable IPv6 (NAT) - --no4 Disable IPv4 Internet (not forwarding IPv4) - (See Notice 1). Usually used with '-6' + --no4 Disable IPv4 Internet (not forwarding IPv4). + Usually used with '-6' --p6 Set IPv6 LAN address prefix (length 64) (example: 'fd00:0:0:5::' or '5' shortly) @@ -135,12 +134,6 @@ Options: --stop Stop a running instance For you can use PID or subnet interface name. You can get them with '--list-running' - - Notice 1: This script assume your host's default policy won't forward - packets, so the script won't explictly ban forwarding in any - mode. In some unexpected case (eg. mistaken configurations) may - cause unwanted packets leakage between 2 networks, which you - should be aware of if you want isolated network Examples: $PROGNAME -i eth1 
@@ -1001,7 +994,25 @@ iptb() return $? } - +disable_unwanted_forwarding() { + for iv in "${IP_VERs[@]}"; do + if [[ "$INTERNET_IFACE" ]]; then + iptb "$iv" n filter I FORWARD \ + -i "$SUBNET_IFACE" ! -o "$INTERNET_IFACE" \ + -j REJECT || die + iptb "$iv" n filter I FORWARD \ + ! -i "$INTERNET_IFACE" -o "$SUBNET_IFACE" \ + -j REJECT || die + fi + + if [[ "$SHARE_METHOD" == 'redsocks' || "$SHARE_METHOD" == 'none' \ + || ( "$iv" -eq "4" && "$NO4" -eq 1 ) ]];then + iptb "$iv" n filter I FORWARD -i "$SUBNET_IFACE" -j REJECT || die + iptb "$iv" n filter I FORWARD -o "$SUBNET_IFACE" -j REJECT || die + fi + done + +} start_nat() { local SUBNET_NET @@ -1026,18 +1037,11 @@ start_nat() { iptb "$iv" v filter I FORWARD -i "$SUBNET_IFACE" -s "$SUBNET_NET" \ -o $INTERNET_IFACE \ -j ACCEPT || die - iptb "$iv" v filter I FORWARD -i "$SUBNET_IFACE" \ - ! -o $INTERNET_IFACE \ - -j REJECT || die # forward any -> subnet iptb "$iv" v filter I FORWARD -o "$SUBNET_IFACE" -d "$SUBNET_NET" \ -i "$INTERNET_IFACE" \ -j ACCEPT || die - iptb "$iv" v filter I FORWARD -o "$SUBNET_IFACE" \ - ! -i "$INTERNET_IFACE" \ - -j REJECT || die - else # any interface can be Internet # masquerade subnet -> any(!subnet) iptb "$iv" v nat I POSTROUTING -s "$SUBNET_NET" ! -d "$SUBNET_NET" \ 
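Review bot: In disable_unwanted_forwarding the loop variable `iv` is never declared `local`, so `for iv in "${IP_VERs[@]}"; do` leaves it set as a global after the function returns; add `local iv` as the first line of the body (start_nat also reads `$iv`, and if it does not declare it local either the value bleeds between the two). The function also carries no header comment, and its correctness depends on call order: every REJECT here is inserted with `I`, and the ACCEPT rules start_nat later inserts with `I` (see the second hunk) only win because the main flow calls disable_unwanted_forwarding before start_nat. A short header would make that explicit, e.g. `# Reject FORWARD traffic between the subnet and anything that is not the Internet interface, or all of it when nothing is shared (or IPv4 is disabled). Must run before start_nat: both insert at the chain head, so its ACCEPTs land above these REJECTs.` Whether the stop path removes these new rules is not visible in this hunk; it is worth confirming the existing teardown flushes them the same way it flushed the REJECT rules now deleted from start_nat. Minor style: `]];then` should be `]]; then`.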
@@ -2215,27 +2219,22 @@ check_iptables echo "NOTICE: Not showing all operations done to iptables rules" -[[ "$NO4" -eq 1 ]] && echo -e "\nWARN: Since you're using in this mode (no IPv4 Internet), make sure you've read Notice 1\n" >&2 - if [[ "$IPV6" -eq 0 ]]; then IP_VERs=("4") else IP_VERs=("4" "6") fi +disable_unwanted_forwarding + # enable Internet sharing if [[ "$SHARE_METHOD" == "none" ]]; then echo "No Internet sharing" - echo -e "\nWARN: Since you're using in this mode (no Internet share), make sure you've read Notice 1\n" >&2 - [[ "$BANLAN" -eq 1 ]] && start_ban_lan elif [[ "$SHARE_METHOD" == "nat" ]]; then - - [[ "$INTERNET_IFACE" ]] && echo -e "\nWARN: Since you're using in this mode (specify Internet interface), make sure you've read Notice 1\n" >&2 - [[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS. In some unexpected case (eg. mistaken configurations), queries may leak to other interfaces, which you should be aware of.\n" >&2 start_nat