interesting
/
linux-router
mirror of https://github.com/garywill/linux-router.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

disable unwanted forwarding

This commit is contained in:
garywill 2024-02-25 10:00:00 +08:00
parent 8c9e16dd17
commit a4e3089e69
2 changed files with 32 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
README.md
View File

@ -120,8 +120,6 @@ sudo lnxrouter -i eth1 -o isp5 --no-dns --dhcp-dns 1.1.1.1 -6 --dhcp-dns6 [26
> 1. Stop serving local DNS > 1. Stop serving local DNS
> 2. Tell clients which DNS to use (ISP5's DNS. Or, a safe public DNS, like above example) > 2. Tell clients which DNS to use (ISP5's DNS. Or, a safe public DNS, like above example)
> Also, read *Notice 1*
</details> </details>
### Create LAN without providing Internet ### Create LAN without providing Internet
@ -136,8 +134,6 @@ sudo lnxrouter -n -i eth1
sudo lnxrouter -n --ap wlan0 MyAccessPoint -p MyPassPhrase sudo lnxrouter -n --ap wlan0 MyAccessPoint -p MyPassPhrase
``` ```
> Read _Notice 1_
</details> </details>
### Internet for LXC ### Internet for LXC
@ -312,17 +308,16 @@ Options:
and to provide Internet to and to provide Internet to
(To create WiFi hotspot use '--ap' instead) (To create WiFi hotspot use '--ap' instead)
-o <interface> Specify an inteface to provide Internet from. -o <interface> Specify an inteface to provide Internet from.
(See Notice 1)
(Note using this with default DNS option may leak (Note using this with default DNS option may leak
queries to other interfaces) queries to other interfaces)
-n Do not provide Internet (See Notice 1) -n Do not provide Internet
--ban-priv Disallow clients to access my private network --ban-priv Disallow clients to access my private network
-g <ip> This host's IPv4 address in subnet (mask is /24) -g <ip> This host's IPv4 address in subnet (mask is /24)
(example: '192.168.5.1' or '5' shortly) (example: '192.168.5.1' or '5' shortly)
-6 Enable IPv6 (NAT) -6 Enable IPv6 (NAT)
--no4 Disable IPv4 Internet (not forwarding IPv4) --no4 Disable IPv4 Internet (not forwarding IPv4).
(See Notice 1). Usually used with '-6' Usually used with '-6'
--p6 <prefix> Set IPv6 LAN address prefix (length 64) --p6 <prefix> Set IPv6 LAN address prefix (length 64)
(example: 'fd00:0:0:5::' or '5' shortly) (example: 'fd00:0:0:5::' or '5' shortly)
@ -419,11 +414,10 @@ Options:
For <id> you can use PID or subnet interface name. For <id> you can use PID or subnet interface name.
You can get them with '--list-running' You can get them with '--list-running'
Notice 1: This script assume your host's default policy won't forward Examples:
packets, so the script won't explictly ban forwarding in any lnxrouter -i eth1
mode. In some unexpected case (eg. mistaken configurations) may lnxrouter --ap wlan0 MyAccessPoint -p MyPassPhrase
cause unwanted packets leakage between 2 networks, which you lnxrouter -i eth1 --tp <transparent-proxy> --dns <dns-proxy>
should be aware of if you want isolated network
``` ```
</details> </details>
@ -455,20 +449,6 @@ Visit [**my homepage** 🏡](https://garywill.github.io) to see **more tools and
- 🍃 Also some [unfulfilled enhancements in the Issues](https://github.com/garywill/linux-router/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement) - 🍃 Also some [unfulfilled enhancements in the Issues](https://github.com/garywill/linux-router/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement)
- 🙋‍♂️ Contributions are not limited to coding. There're [some posts and questions](https://github.com/garywill/linux-router/issues) that need more people to answer - 🙋‍♂️ Contributions are not limited to coding. There're [some posts and questions](https://github.com/garywill/linux-router/issues) that need more people to answer
## Notice
<details>
```
Notice 1: This script assume your host's default policy won't forward
packets, so the script won't explictly ban forwarding in any
mode. In some unexpected case (eg. mistaken configurations) may
cause unwanted packets leakage between 2 networks, which you
should be aware of if you want isolated network
```
</details>
## TODO ## TODO
Sooner is better: Sooner is better:
@ -478,7 +458,6 @@ Future:
- WPA3 - WPA3
- Global IPv6 - Global IPv6
- Explictly ban forwarding if not needed - Explictly ban forwarding if not needed
- Bring bridging method back
## License ## License

47
lnxrouter Normal file → Executable file
View File

@ -29,17 +29,16 @@ Options:
and to provide Internet to and to provide Internet to
(To create WiFi hotspot use '--ap' instead) (To create WiFi hotspot use '--ap' instead)
-o <interface> Specify an inteface to provide Internet from. -o <interface> Specify an inteface to provide Internet from.
(See Notice 1)
(Note using this with default DNS option may leak (Note using this with default DNS option may leak
queries to other interfaces) queries to other interfaces)
-n Do not provide Internet (See Notice 1) -n Do not provide Internet
--ban-priv Disallow clients to access my private network --ban-priv Disallow clients to access my private network
-g <ip> This host's IPv4 address in subnet (mask is /24) -g <ip> This host's IPv4 address in subnet (mask is /24)
(example: '192.168.5.1' or '5' shortly) (example: '192.168.5.1' or '5' shortly)
-6 Enable IPv6 (NAT) -6 Enable IPv6 (NAT)
--no4 Disable IPv4 Internet (not forwarding IPv4) --no4 Disable IPv4 Internet (not forwarding IPv4).
(See Notice 1). Usually used with '-6' Usually used with '-6'
--p6 <prefix> Set IPv6 LAN address prefix (length 64) --p6 <prefix> Set IPv6 LAN address prefix (length 64)
(example: 'fd00:0:0:5::' or '5' shortly) (example: 'fd00:0:0:5::' or '5' shortly)
@ -136,12 +135,6 @@ Options:
For <id> you can use PID or subnet interface name. For <id> you can use PID or subnet interface name.
You can get them with '--list-running' You can get them with '--list-running'
Notice 1: This script assume your host's default policy won't forward
packets, so the script won't explictly ban forwarding in any
mode. In some unexpected case (eg. mistaken configurations) may
cause unwanted packets leakage between 2 networks, which you
should be aware of if you want isolated network
Examples: Examples:
$PROGNAME -i eth1 $PROGNAME -i eth1
$PROGNAME --ap wlan0 MyAccessPoint -p MyPassPhrase $PROGNAME --ap wlan0 MyAccessPoint -p MyPassPhrase
@ -1001,7 +994,25 @@ iptb()
return $? return $?
} }
disable_unwanted_forwarding() {
for iv in "${IP_VERs[@]}"; do
if [[ "$INTERNET_IFACE" ]]; then
iptb "$iv" n filter I FORWARD \
-i "$SUBNET_IFACE" ! -o "$INTERNET_IFACE" \
-j REJECT || die
iptb "$iv" n filter I FORWARD \
! -i "$INTERNET_IFACE" -o "$SUBNET_IFACE" \
-j REJECT || die
fi
if [[ "$SHARE_METHOD" == 'redsocks' || "$SHARE_METHOD" == 'none' \
|| ( "$iv" -eq "4" && "$NO4" -eq 1 ) ]];then
iptb "$iv" n filter I FORWARD -i "$SUBNET_IFACE" -j REJECT || die
iptb "$iv" n filter I FORWARD -o "$SUBNET_IFACE" -j REJECT || die
fi
done
}
start_nat() { start_nat() {
local SUBNET_NET local SUBNET_NET
@ -1026,18 +1037,11 @@ start_nat() {
iptb "$iv" v filter I FORWARD -i "$SUBNET_IFACE" -s "$SUBNET_NET" \ iptb "$iv" v filter I FORWARD -i "$SUBNET_IFACE" -s "$SUBNET_NET" \
-o $INTERNET_IFACE \ -o $INTERNET_IFACE \
-j ACCEPT || die -j ACCEPT || die
iptb "$iv" v filter I FORWARD -i "$SUBNET_IFACE" \
! -o $INTERNET_IFACE \
-j REJECT || die
# forward any -> subnet # forward any -> subnet
iptb "$iv" v filter I FORWARD -o "$SUBNET_IFACE" -d "$SUBNET_NET" \ iptb "$iv" v filter I FORWARD -o "$SUBNET_IFACE" -d "$SUBNET_NET" \
-i "$INTERNET_IFACE" \ -i "$INTERNET_IFACE" \
-j ACCEPT || die -j ACCEPT || die
iptb "$iv" v filter I FORWARD -o "$SUBNET_IFACE" \
! -i "$INTERNET_IFACE" \
-j REJECT || die
else # any interface can be Internet else # any interface can be Internet
# masquerade subnet -> any(!subnet) # masquerade subnet -> any(!subnet)
iptb "$iv" v nat I POSTROUTING -s "$SUBNET_NET" ! -d "$SUBNET_NET" \ iptb "$iv" v nat I POSTROUTING -s "$SUBNET_NET" ! -d "$SUBNET_NET" \
@ -2215,27 +2219,22 @@ check_iptables
echo "NOTICE: Not showing all operations done to iptables rules" echo "NOTICE: Not showing all operations done to iptables rules"
[[ "$NO4" -eq 1 ]] && echo -e "\nWARN: Since you're using in this mode (no IPv4 Internet), make sure you've read Notice 1\n" >&2
if [[ "$IPV6" -eq 0 ]]; then if [[ "$IPV6" -eq 0 ]]; then
IP_VERs=("4") IP_VERs=("4")
else else
IP_VERs=("4" "6") IP_VERs=("4" "6")
fi fi
disable_unwanted_forwarding
# enable Internet sharing # enable Internet sharing
if [[ "$SHARE_METHOD" == "none" ]]; then if [[ "$SHARE_METHOD" == "none" ]]; then
echo "No Internet sharing" echo "No Internet sharing"
echo -e "\nWARN: Since you're using in this mode (no Internet share), make sure you've read Notice 1\n" >&2
[[ "$BANLAN" -eq 1 ]] && start_ban_lan [[ "$BANLAN" -eq 1 ]] && start_ban_lan
elif [[ "$SHARE_METHOD" == "nat" ]]; then elif [[ "$SHARE_METHOD" == "nat" ]]; then
[[ "$INTERNET_IFACE" ]] && echo -e "\nWARN: Since you're using in this mode (specify Internet interface), make sure you've read Notice 1\n" >&2
[[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS. In some unexpected case (eg. mistaken configurations), queries may leak to other interfaces, which you should be aware of.\n" >&2 [[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS. In some unexpected case (eg. mistaken configurations), queries may leak to other interfaces, which you should be aware of.\n" >&2
start_nat start_nat