From c75ca0ce811ed7e31888d2cdd3db1bce1b861248 Mon Sep 17 00:00:00 2001 From: garywill <32130780+garywill@users.noreply.github.com> Date: Fri, 31 Aug 2018 18:41:06 +0800 Subject: [PATCH] support IPv6 nat method sets global forwarding and don't restore when exit use <<- --- README.md | 28 ++-- lnxrouter | 418 ++++++++++++++++++++++++++++++++++++------------------ 2 files changed, 294 insertions(+), 152 deletions(-) mode change 100644 => 100755 lnxrouter diff --git a/README.md b/README.md index f389ccb..291f8f7 100644 --- a/README.md +++ b/README.md @@ -1,19 +1,19 @@ # Linux-router -Share your Linux's Internet access to other devices. +Set Linux as router in one command. Able to Provide Internet, or create Wifi hotspot. Support transparent proxy (redsocks). Also useful for routing VM/containers. -The goal is to easily set/unset your Linux PC/embedded device as a gateway/hotspot/transparent proxy. It wraps the complicated `iptables`, `dnsmasq` etc. stuff. Use in one command, restore by `control-c`. +It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c`. -It works on wired, wireless and virtual networks. ## Features Basic features: - Create a NATed sub-network -- Share Internet to the sub-network -- DHCP server +- Provide Internet +- DHCP server and RA - DNS server +- IPv6 (NAT only for now) - Creating Wifi hotspot: - Channel selecting - Choose encryptions: WPA2/WPA, WPA2, WPA, No encryption @@ -89,8 +89,10 @@ In `torrc` ``` TransPort 0.0.0.0:9040 DNSPort 0.0.0.0:9053 +TransPort [::]:9040 +DNSPort [::]:9053 ``` -### Use for LXC +### Internet for LXC Create a bridge ``` # brctl addbr lxcbr5 
@@ -165,16 +167,18 @@ Options: -i Interface to share Internet to. An NATed subnet is made upon it. To create Wifi hotspot use '--ap' instead -n Disable Internet sharing - --tp Transparent proxy (redsocks), redirect tcp and udp traffic to port. + --tp Transparent proxy, redirect non-LAN tcp and udp traffic to port. Usually use with --dns-proxy - -g Set Gateway IPv4 address, netmask is /24 (default: 192.168.18.1) + -g Set gateway IPv4 address, netmask is /24 (default: 192.168.18.1) + -6 Enable IPv6 + --p6 Set IPv6 prefix (length 64) (default: fd00:1:1:1:: ) --dns-proxy Redirect incoming port 53 to DNS proxy port. DNS server is disabled --no-serve-dns Disable DNS server --no-dnsmasq Disable dnsmasq server completely (DHCP and DNS) --log-dns Show DNS server query log --dhcp-dns |no - Set DNS offered by DHCP, or no DNS offered (default: gateway as DNS) + Set IPv4 DNS offered by DHCP (default: gateway as DNS) -d DNS server will take into account /etc/hosts -e DNS server will take into account additional hosts file @@ -234,10 +238,8 @@ Wifi hotspot: ## TODO - Option to ban private network access -- IPv6 support -- Option to random MAC, IP, SSID, password -- Option to specify out-going interface -- Option to catch and redirect all dns connections +- Option to randomize MAC, IP, SSID, password +- Option to redirect all DNS traffic ## Thanks diff --git a/lnxrouter b/lnxrouter old mode 100644 new mode 100755 index f703523..cd8af41 --- a/lnxrouter +++ b/lnxrouter 
@@ -9,76 +9,90 @@ SCRIPT_UMASK=0122
 umask $SCRIPT_UMASK
 usage() {
- echo "linux-router $VERSION (https://github.com/garywill/linux-router)"
- echo " Share your Linux's Internet access to other devices. "
- echo " Works on wired, wireless and virtual networks."
- echo
- echo "Usage: "$PROGNAME" [options] "
- echo
- echo "Options:"
- echo " -h, --help Show this help"
- echo " --version Print version number"
- echo
- echo " -i Interface to share Internet to. An NATed subnet is made upon it."
- echo " To create Wifi hotspot use '--ap' instead"
- echo " -n Disable Internet sharing"
- echo " --tp Transparent proxy, redirect non-LAN tcp and udp traffic to port."
- echo " Usually use with --dns-proxy"
- echo
- echo " -g Set gateway IPv4 address, netmask is /24 (default: 192.168.18.1)"
- echo " --dns-proxy Redirect incoming port 53 to DNS proxy port. DNS server is disabled"
- echo " --no-serve-dns Disable DNS server"
- echo " --no-dnsmasq Disable dnsmasq server completely (DHCP and DNS)"
- echo " --log-dns Show DNS server query log"
- echo " --dhcp-dns |no"
- echo " Set DNS offered by DHCP, or no DNS offered (default: gateway as DNS)"
- echo " -d DNS server will take into account /etc/hosts"
- echo " -e DNS server will take into account additional hosts file"
- echo
- echo " --mac Set MAC address"
- echo
- echo " Wifi hotspot options:"
- echo " --ap "
- echo " Create Wifi access point using wlan card, and set SSID"
- echo " --password Wifi password"
- echo
- echo " --hidden Make the Access Point hidden (do not broadcast the SSID)"
- echo " --no-virt Do not create virtual interface. "
- echo " Using this you can't use same wlan card as Internet and AP"
- echo " -c Channel number (default: 1)"
- echo " --country Set two-letter country code for regularity (example: US)"
- echo " --freq-band Set frequency band. 
Valid inputs: 2.4, 5 (default: 2.4)"
- echo " --driver Choose your WiFi adapter driver (default: nl80211)"
- echo " -w Use 1 for WPA, use 2 for WPA2, use 1+2 for both (default: 1+2)"
- echo " --psk Use 64 hex digits pre-shared-key instead of passphrase"
- echo " --mac-filter Enable Wifi hotspot MAC address filtering"
- echo " --mac-filter-accept Location of Wifi hotspot MAC address filter list (defaults to /etc/hostapd/hostapd.accept)"
- echo " --hostapd-debug With level between 1 and 2, passes arguments -d or -dd to hostapd for debugging."
- echo " --isolate-clients Disable communication between clients"
- echo " --ieee80211n Enable IEEE 802.11n (HT)"
- echo " --ieee80211ac Enable IEEE 802.11ac (VHT)"
- echo " --ht_capab HT capabilities (default: [HT40+])"
- echo " --vht_capab VHT capabilities"
- echo " --no-haveged Do not run 'haveged' automatically when needed"
- echo
- echo " Instance managing:"
- echo " --daemon Run lnxrouter in the background"
- echo " --list-running Show the lnxrouter processes that are already running"
- echo " --stop Send stop command to an already running lnxrouter. For an "
- echo " you can put the PID of lnxrouter or interface. You can"
- echo " get them with --list-running"
- echo " --list-clients List the clients connected to lnxrouter instance associated with ."
- echo " For an you can put the PID of lnxrouter or interface."
- echo " If virtual WiFi interface was created, then use that one." 
- echo " You can get them with --list-running"
- echo
- echo "Examples:"
- echo " "$PROGNAME" -i eth1"
- echo " "$PROGNAME" --ap wlan0 MyAccessPoint --password MyPassPhrase"
- echo " "$PROGNAME" --ap wlan0 MyAccessPoint"
- echo " "$PROGNAME" -n --ap wlan0 MyAccessPoint --password MyPassPhrase"
- echo " "$PROGNAME" --driver rtl871xdrv --ap wlan0 MyAccessPoint --password MyPassPhrase"
- echo " "$PROGNAME" -i eth1 --tp --dns-proxy "
+ cat << EOF
+linux-router $VERSION (https://github.com/garywill/linux-router)
+
+Usage: $PROGNAME [options]
+
+Options:
+ -h, --help Show this help
+ --version Print version number
+
+ -i Interface to share Internet to.
+ An NATed subnet is made upon it.
+ To create Wifi hotspot use '--ap' instead
+ -n Disable Internet sharing
+ --tp Transparent proxy.
+ redirect non-LAN tcp and udp traffic to port.
+ Usually used with '--dns-proxy'
+
+ -g Set gateway IPv4 address, netmask is /24 .
+ (default: 192.168.18.1)
+ -6 Enable IPv6 (NAT)
+ --p6 Set IPv6 prefix (length 64)
+ (default: fd00:1:1:1:: )
+ --dns-proxy Redirect incoming port 53 to DNS proxy port. 
+ DNS server is disabled
+ --no-serve-dns Disable DNS server
+ --no-dnsmasq Disable dnsmasq server completely (DHCP, DNS, RA)
+ --log-dns Show DNS server query log
+ --dhcp-dns |no
+ Set IPv4 DNS offered by DHCP
+ (default: gateway as DNS)
+ --dhcp-dns6 |no
+ Set IPv6 DNS offered by DHCP(RA)
+ (default: gateway as DNS)
+ Note IPv6 addresses need '[]' around
+ -d DNS server will take into account /etc/hosts
+ -e DNS server will take into account additional
+ hosts file
+
+ --mac Set MAC address
+
+ Wifi hotspot options:
+ --ap
+ Create Wifi access point
+ --password Wifi password
+
+ --hidden Hide access point (not broadcast SSID)
+ --no-virt Do not create virtual interface
+ Using this you can't use same wlan interface
+ for both Internet and AP
+ -c Channel number (default: 1)
+ --country Set two-letter country code for regularity
+ (example: US)
+ --freq-band Set frequency band: 2.4 or 5 (default: 2.4)
+ --driver Choose your WiFi adapter driver (default: nl80211)
+ -w Use 1 for WPA, use 2 for WPA2, use 1+2 for both
+ (default: 1+2)
+ --psk Use 64 hex digits pre-shared-key instead of
+ passphrase
+ --mac-filter Enable Wifi hotspot MAC address filtering
+ --mac-filter-accept Location of Wifi hotspot MAC address filter list
+ (defaults to /etc/hostapd/hostapd.accept)
+ --hostapd-debug 1 or 2. Passes -d or -dd to hostapd
+ --isolate-clients Disable wifi communication between clients
+ --ieee80211n Enable IEEE 802.11n (HT)
+ --ieee80211ac Enable IEEE 802.11ac (VHT)
+ --ht_capab HT capabilities (default: [HT40+])
+ --vht_capab VHT capabilities
+ --no-haveged Do not run haveged automatically when needed
+
+ Instance managing:
+ --daemon Run in background
+ --list-running Show running instances
+ --list-clients List clients of an instance
+ --stop Stop a running instance
+ For you can use PID or subnet interface name. 
+ You can get them with '--list-running'
+
+Examples:
+ $PROGNAME -i eth1
+ $PROGNAME --ap wlan0 MyAccessPoint
+ $PROGNAME --ap wlan0 MyAccessPoint --password MyPassPhrase
+ $PROGNAME -n --ap wlan0 MyAccessPoint --password MyPassPhrase
+ $PROGNAME -i eth1 --tp --dns-proxy
+EOF
 }
 if [[ "$1" == "" ]]; then
@@ -87,8 +101,12 @@ if [[ "$1" == "" ]]; then
 fi
 GATEWAY=192.168.18.1
+PREFIX6=fd00:1:1:1::
+IID6=1
+IPV6=0
 ROUTE_ADDRS=
 DHCP_DNS=gateway
+DHCP_DNS6=gateway
 dnsmasq_NO_DNS=0
 NO_DNSMASQ=0
 SHOW_DNS_QUERY=0
@@ -164,6 +182,15 @@ while [[ -n "$1" ]]; do
 GATEWAY="$1"
 shift
 ;;
+ -6)
+ shift
+ IPV6=1
+ ;;
+ --p6)
+ shift
+ PREFIX6="$1"
+ shift
+ ;;
 --mac)
 shift
 NEW_MACADDR="$1"
@@ -188,6 +215,11 @@ while [[ -n "$1" ]]; do
 DHCP_DNS="$1"
 shift
 ;;
+ --dhcp-dns6)
+ shift
+ DHCP_DNS6="$1"
+ shift
+ ;;
 --log-dns)
 shift
 SHOW_DNS_QUERY=1
@@ -568,10 +600,15 @@ nm_restore_manage() {
 #=========
-alias iptables="iptables -w"
 iptables_() {
- iptables $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE"
+ iptables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE"
+ return $?
+}
+ip6tables_()
+{
+ ip6tables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE"
+ return $?
 }
 start_nat() {
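Review bot: `iptables -w $@ -m comment ...` in iptables_() and the new ip6tables_() pass the arguments unquoted, so any argument containing whitespace is re-split by the shell before it reaches iptables; the conventional form is `iptables -w "$@" -m comment --comment "lnxrouter-$$-$SUBNET_IFACE"`, and the same for ip6tables_. The trailing `return $?` on both wrappers is redundant, because a function already returns the status of its last command. Dropping `alias iptables="iptables -w"` is right: aliases are not expanded in a non-interactive script, so the old `-w` never took effect, and putting it inside the wrapper is the change that actually applies it.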
@@ -580,12 +617,22 @@ start_nat() {
 iptables_ -v -t nat -I POSTROUTING -s ${GATEWAY%.*}.0/24 ! -d ${GATEWAY%.*}.0/24 ! -o ${SUBNET_IFACE} -j MASQUERADE || die
 iptables_ -v -I FORWARD -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -j ACCEPT || die
 iptables_ -v -I FORWARD -o ${SUBNET_IFACE} -d ${GATEWAY%.*}.0/24 -j ACCEPT || die
+ if [[ $IPV6 -eq 1 ]]; then
+ ip6tables_ -v -t nat -I POSTROUTING -s ${PREFIX6}/64 ! -d ${PREFIX6}/64 ! -o ${SUBNET_IFACE} -j MASQUERADE || die
+ ip6tables_ -v -I FORWARD -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -j ACCEPT || die
+ ip6tables_ -v -I FORWARD -o ${SUBNET_IFACE} -d ${PREFIX6}/64 -j ACCEPT || die
+ fi
 }
 stop_nat() {
 echo "iptables: stop NAT"
 iptables_ -t nat -D POSTROUTING -s ${GATEWAY%.*}.0/24 ! -d ${GATEWAY%.*}.0/24 ! -o ${SUBNET_IFACE} -j MASQUERADE
 iptables_ -D FORWARD -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -j ACCEPT
 iptables_ -D FORWARD -o ${SUBNET_IFACE} -d ${GATEWAY%.*}.0/24 -j ACCEPT
+ if [[ $IPV6 -eq 1 ]]; then
+ ip6tables_ -t nat -D POSTROUTING -s ${PREFIX6}/64 ! -d ${PREFIX6}/64 ! -o ${SUBNET_IFACE} -j MASQUERADE
+ ip6tables_ -D FORWARD -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -j ACCEPT
+ ip6tables_ -D FORWARD -o ${SUBNET_IFACE} -d ${PREFIX6}/64 -j ACCEPT
+ fi
 }
 allow_dns_port() {
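Review bot: The new `ip6tables_ -v -I FORWARD -o ${SUBNET_IFACE} -d ${PREFIX6}/64 -j ACCEPT` in start_nat forwards any packet addressed to the subnet, not only replies to client traffic. With the default ULA prefix nothing upstream can route to it, but `--p6` accepts an arbitrary prefix, and if that prefix is routed towards this host the rule exposes every client to unsolicited inbound connections through the NAT. Limiting the return direction to established flows, `ip6tables_ -v -I FORWARD -o ${SUBNET_IFACE} -d ${PREFIX6}/64 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || die`, with the matching `-D` in stop_nat, keeps the NAT working and closes that path. The IPv4 rule above has the same shape, but a private /24 is not reachable from upstream in practice, which is why it was never an issue there.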
@@ -593,21 +640,35 @@ allow_dns_port() {
 echo "iptables: allow DNS port access"
 iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j ACCEPT || die
 iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j ACCEPT || die
+ if [[ $IPV6 -eq 1 ]]; then
+ ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j ACCEPT || die
+ ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j ACCEPT || die
+ fi
 }
 unallow_dns_port() {
 echo "iptables: stop allowing DNS"
 iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j ACCEPT
 iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j ACCEPT
+ if [[ $IPV6 -eq 1 ]]; then
+ ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j ACCEPT
+ ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j ACCEPT
+ fi
 }
 start_dhcp() {
 echo
 echo "iptables: allow DHCP port access"
 iptables_ -v -I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 67 -j ACCEPT || die
+ if [[ $IPV6 -eq 1 ]]; then
+ ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 547 -j ACCEPT || die
+ fi
 }
 stop_dhcp() {
 echo "iptables: stop dhcp"
 iptables_ -D INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 67 -j ACCEPT
+ if [[ $IPV6 -eq 1 ]]; then
+ ip6tables_ -D INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 547 -j ACCEPT
+ fi
 }
 redirect_dns() {
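Review bot: start_dhcp's IPv6 branch only opens UDP 547 on `${SUBNET_IFACE}`, but Router Advertisement and address resolution run over ICMPv6, so on a host whose ip6tables INPUT policy is DROP (the situation these ACCEPT rules exist for) the clients' Router Solicitations and Neighbor Solicitations never reach the gateway and neither `enable-ra` nor stateless DHCPv6 can work. Whether such a policy is in scope is not visible in the hunk; if it is, add next to the 547 rule `ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT || die` plus the same for `neighbour-solicitation` and `neighbour-advertisement`, and delete them in stop_dhcp. The IPv4 side needs nothing comparable because ARP is not filtered by iptables, which is why the asymmetry is easy to miss.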
@@ -619,6 +680,15 @@ redirect_dns() {
 # redirect 53 to dns proxy
 iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT} || die
 iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT} || die
+
+ if [[ $IPV6 -eq 1 ]]; then
+ # allow input to dns proxy port
+ ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport ${TP_DNS_PORT} -j ACCEPT || die
+ ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport ${TP_DNS_PORT} -j ACCEPT || die
+ # redirect 53 to dns proxy
+ ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT} || die
+ ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT} || die
+ fi
 }
 unredirect_dns() {
 echo "iptables: stop dns proxy "
@@ -627,6 +697,14 @@ unredirect_dns() {
 iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT}
 iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT}
+
+ if [[ $IPV6 -eq 1 ]]; then
+ ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport ${TP_DNS_PORT} -j ACCEPT
+ ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport ${TP_DNS_PORT} -j ACCEPT
+
+ ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT}
+ ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT}
+ fi
 }
 start_redsocks() {
@@ -640,6 +718,7 @@ start_redsocks() {
 iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 172.16.0.0/12 -j RETURN || die
 iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 192.168.0.0/16 -j RETURN || die
 iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 224.0.0.0/4 -j RETURN || die
+
 iptables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p tcp -j REDIRECT --to-ports ${TP_PORT} || die
 iptables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p udp -j REDIRECT --to-ports ${TP_PORT} || die
@@ -647,6 +726,24 @@ start_redsocks() {
 iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT || die
 iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p udp -m udp --dport ${TP_PORT} -j ACCEPT || die
+
+ if [[ $IPV6 -eq 1 ]]; then
+ ip6tables_ -t nat -N REDSOCKS-${SUBNET_IFACE} || die
+ ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d fc00::/7 -j RETURN || die
+ ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d fe80::/10 -j RETURN || die
+ ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d ff00::/8 -j RETURN || die
+ ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d ::1 -j RETURN || die
+ ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d :: -j RETURN || die
+ ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 0100::/64 -j RETURN || die
+
+ ip6tables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p tcp -j REDIRECT --to-ports ${TP_PORT} || die
+ ip6tables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p udp -j REDIRECT --to-ports ${TP_PORT} || die
+
+ ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -j REDSOCKS-${SUBNET_IFACE} || die
+
+ ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT || die
+ ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p udp -m udp --dport ${TP_PORT} -j ACCEPT || die
+ fi
 }
 stop_redsocks() {
 echo "iptables: stop transparent proxy"
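Review bot: The IPv6 RETURN list in start_redsocks's new branch excludes fc00::/7, link-local, multicast, ::1, :: and 0100::/64, but never the subnet's own prefix, so the local network is bypassed only while `--p6` stays inside fc00::/7. With any other prefix, client traffic to the gateway itself, for example DNS to `${GATEWAY6}` when `--dns-proxy` is not in use, is redirected to `${TP_PORT}` and silently handed to the proxy. Adding `ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d ${PREFIX6}/64 -j RETURN || die` as the first rule of the chain removes the dependence on the prefix choice. The IPv4 chain has the same gap for a non-private `-g` address, which predates this commit.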
@@ -656,6 +753,15 @@ stop_redsocks() {
 iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT
 iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p udp -m udp --dport ${TP_PORT} -j ACCEPT
+
+ if [[ $IPV6 -eq 1 ]]; then
+ ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -j REDSOCKS-${SUBNET_IFACE}
+ ip6tables_ -t nat -F REDSOCKS-${SUBNET_IFACE}
+ ip6tables_ -t nat -X REDSOCKS-${SUBNET_IFACE}
+
+ ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT
+ ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p udp -m udp --dport ${TP_PORT} -j ACCEPT
+ fi
 }
 kill_processes() {
@@ -676,11 +782,13 @@ kill_processes() {
 _cleanup() {
 local x
- nm_restore_manage
-
- rm -rf $CONFDIR
 ip addr flush ${SUBNET_IFACE}
+
+ if [[ $IPV6 -eq 1 ]]; then
+ cp -f $CONFDIR/sys_6_conf_iface/* /proc/sys/net/ipv6/conf/$SUBNET_IFACE/
+ fi
+ rm -rf $CONFDIR
+
 if [[ $WIFI_IFACE && $NO_VIRT -eq 0 ]]; then
 ip link set down dev ${AP_IFACE}
 iw dev ${VWIFI_IFACE} del
@@ -691,21 +799,14 @@ _cleanup() {
 fi
 fi
- # if we are the last lnxrouter instance then set back the common values
+
 if ! has_running_instance; then
 echo "Exiting: This is the only running instance"
 # kill common processes
 for x in $COMMON_CONFDIR/*.pid; do
 [[ -f $x ]] && kill -9 $(cat $x) && rm $x
 done
-
- # set old ip_forward
- if [[ -f $COMMON_CONFDIR/ip_forward ]]; then
- echo "Set to old value: /proc/sys/net/ipv4/ip_forward=$(cat $COMMON_CONFDIR/ip_forward)"
- cp -f $COMMON_CONFDIR/ip_forward /proc/sys/net/ipv4
- rm -f $COMMON_CONFDIR/ip_forward
- fi
-
+ rm -d $COMMON_CONFDIR/ifaces
 rm -d $COMMON_CONFDIR
 rm -d $TMPDIR
@@ -713,7 +814,7 @@ _cleanup() {
 echo "Exiting: This is NOT the only running instance"
 fi
-
+ nm_restore_manage
 }
 clean_iptables() {
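Review bot: Removing the ip_forward restore in the last-instance branch of _cleanup (together with the `cp -n /proc/sys/net/ipv4/ip_forward` save dropped in the `@@ -1098` hunk) leaves the host with `ip_forward=1` after the last instance exits, and the new `conf/all/forwarding=1` write in the `@@ -1348` hunk has no restore either. The NAT and FORWARD rules are deleted at exit, so from then on the host routes between all of its interfaces under whatever FORWARD policy it already had, which for a laptop or workstation is a wider exposure than before the script ran. If leaving forwarding on is intended, as the commit title says, it should be stated in the help text and in a comment here, e.g. `# forwarding sysctls are intentionally left enabled at exit; other services may rely on them`; otherwise keep the last-instance save/restore and extend it to `net/ipv6/conf/all/forwarding`. _cleanup starts and ends outside this hunk.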
@@ -724,7 +825,7 @@ clean_iptables() {
 stop_redsocks
 fi
- if [[ "$DHCP_DNS" == "gateway" ]]; then
+ if [[ "$DHCP_DNS" == "gateway" || "$DHCP_DNS6" == "gateway" ]]; then
 unallow_dns_port
 fi
@@ -933,6 +1034,14 @@ if [[ $SHARE_METHOD == 'none' ]]; then
 dnsmasq_NO_DNS=1
 fi
+if [[ $IPV6 -eq 1 ]]; then
+ GATEWAY6=${PREFIX6}${IID6}
+fi
+
+if [[ $DHCP_DNS != 'gateway' && $DHCP_DNS6 != 'gateway' ]]; then
+ dnsmasq_NO_DNS=1
+fi
+
 if [[ -d /dev/shm ]]; then
 TMPD=/dev/shm
 elif [[ -d /run/shm ]]; then
@@ -1098,7 +1207,6 @@ echo $$ > $CONFDIR/pid
 COMMON_CONFDIR=$TMPDIR/lnxrouter_common.conf
 mkdir -p $COMMON_CONFDIR
-cp -n /proc/sys/net/ipv4/ip_forward $COMMON_CONFDIR
 if [[ $WIFI_IFACE ]]; then
@@ -1176,23 +1284,23 @@ if [[ $WIFI_IFACE ]]; then
 [[ $ISOLATE_CLIENTS -eq 1 ]] && echo "Access Point's clients will be isolated!"
 # hostapd config
- cat << EOF > $CONFDIR/hostapd.conf
-beacon_int=100
-ssid=${SSID}
-interface=${AP_IFACE}
-driver=${DRIVER}
-channel=${CHANNEL}
-ctrl_interface=$CONFDIR/hostapd_ctrl
-ctrl_interface_group=0
-ignore_broadcast_ssid=$HIDDEN
-ap_isolate=$ISOLATE_CLIENTS
-EOF
+ cat <<- EOF > $CONFDIR/hostapd.conf
+ beacon_int=100
+ ssid=${SSID}
+ interface=${AP_IFACE}
+ driver=${DRIVER}
+ channel=${CHANNEL}
+ ctrl_interface=$CONFDIR/hostapd_ctrl
+ ctrl_interface_group=0
+ ignore_broadcast_ssid=$HIDDEN
+ ap_isolate=$ISOLATE_CLIENTS
+ EOF
 if [[ -n "$COUNTRY" ]]; then
- cat << EOF >> $CONFDIR/hostapd.conf
-country_code=${COUNTRY}
-ieee80211d=1
-EOF
+ cat <<- EOF >> $CONFDIR/hostapd.conf
+ country_code=${COUNTRY}
+ ieee80211d=1
+ EOF
 fi
 if [[ $FREQ_BAND == 2.4 ]]; then
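Review bot: `"$DHCP_DNS6" == "gateway"` is true by default even when `-6` was not given (the defaults are `DHCP_DNS6=gateway` and `IPV6=0`), so for an IPv4-only run with `--dhcp-dns` pointing at an external resolver the new test in the `@@ -933` hunk, `$DHCP_DNS != 'gateway' && $DHCP_DNS6 != 'gateway'`, never sets `dnsmasq_NO_DNS=1`, and the `||` conditions here in clean_iptables and in the `@@ -1362` hunk still call unallow_dns_port/allow_dns_port. The result is that the local resolver keeps running and port 53 stays open on the subnet although the user asked clients to use a different DNS; before this commit the `dnsmasq_NO_DNS=1` assignments removed in the `@@ -1255` hunk handled exactly that case. Normalising the variable once after option parsing, `[[ $IPV6 -eq 0 ]] && DHCP_DNS6=no`, restores the old IPv4-only behaviour at all three sites and leaves the IPv6 logic unchanged.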
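Review bot: `cat <<- EOF` strips leading tab characters only, never spaces, and the same rewrite is applied to every hostapd.conf and dnsmasq.conf heredoc in this hunk and in the `@@ -1202`, `@@ -1234`, `@@ -1255` and `@@ -1293` hunks. The collapsed source does not show whether the body lines and the closing `EOF` are indented with tabs or spaces; with spaces the generated config lines keep their indentation, which hostapd would very likely reject as unknown keys, and a space-indented `EOF` is not recognised as the terminator, so the heredoc would swallow the rest of the script. Worth a one-line comment above the first heredoc, `# heredoc bodies below must be tab-indented: <<- strips tabs only`, and an editor setting (for example .editorconfig) pinning tabs for this file so a later reformat does not break the generated configs.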
@@ -1202,17 +1310,17 @@ EOF
 fi
 if [[ $MAC_FILTER -eq 1 ]]; then
- cat << EOF >> $CONFDIR/hostapd.conf
-macaddr_acl=${MAC_FILTER}
-accept_mac_file=${MAC_FILTER_ACCEPT}
-EOF
+ cat <<- EOF >> $CONFDIR/hostapd.conf
+ macaddr_acl=${MAC_FILTER}
+ accept_mac_file=${MAC_FILTER_ACCEPT}
+ EOF
 fi
 if [[ $IEEE80211N -eq 1 ]]; then
- cat << EOF >> $CONFDIR/hostapd.conf
-ieee80211n=1
-ht_capab=${HT_CAPAB}
-EOF
+ cat <<- EOF >> $CONFDIR/hostapd.conf
+ ieee80211n=1
+ ht_capab=${HT_CAPAB}
+ EOF
 fi
 if [[ $IEEE80211AC -eq 1 ]]; then
@@ -1234,17 +1342,17 @@ EOF
 else
 WPA_KEY_TYPE=psk
 fi
- cat << EOF >> $CONFDIR/hostapd.conf
-wpa=${WPA_VERSION}
-wpa_${WPA_KEY_TYPE}=${PASSPHRASE}
-wpa_key_mgmt=WPA-PSK
-wpa_pairwise=TKIP CCMP
-rsn_pairwise=CCMP
-EOF
+ cat <<- EOF >> $CONFDIR/hostapd.conf
+ wpa=${WPA_VERSION}
+ wpa_${WPA_KEY_TYPE}=${PASSPHRASE}
+ wpa_key_mgmt=WPA-PSK
+ wpa_pairwise=TKIP CCMP
+ rsn_pairwise=CCMP
+ EOF
 else
 echo "WARN: Wifi is not protected by password" >&2
 fi
-chmod 600 $CONFDIR/hostapd.conf
+ chmod 600 $CONFDIR/hostapd.conf
 fi
 #===================================================
@@ -1255,32 +1363,29 @@ if [[ $NM_RUNNING -eq 1 ]] && nm_knows $TARGET_IFACE ; then
 fi
 if [[ $NO_DNSMASQ -eq 0 ]]; then
- # dnsmasq config (dhcp + dns)
- cat << EOF > $CONFDIR/dnsmasq.conf
-user=nobody
-group=nobody
-bind-dynamic
-listen-address=${GATEWAY}
-interface=$SUBNET_IFACE
-except-interface=lo
-no-dhcp-interface=lo
-dhcp-range=${GATEWAY%.*}.10,${GATEWAY%.*}.250,255.255.255.0
-dhcp-option-force=option:router,${GATEWAY}
-#log-dhcp
-log-facility=/dev/null
-EOF
-# 'log-dhcp' show too much logs. Using '-d' in dnsmasq command shows a proper dhcp log
-# if use '-d', 'log-facility' should = /dev/null
+ cat <<- EOF > $CONFDIR/dnsmasq.conf
+ user=nobody
+ group=nobody
+ bind-dynamic
+ listen-address=${GATEWAY}
+ interface=$SUBNET_IFACE
+ except-interface=lo
+ no-dhcp-interface=lo
+ dhcp-range=${GATEWAY%.*}.10,${GATEWAY%.*}.250,255.255.255.0
+ dhcp-option-force=option:router,${GATEWAY}
+ #log-dhcp
+ log-facility=/dev/null
+ bogus-priv
+ EOF
+ # 'log-dhcp' show too much logs. Using '-d' in dnsmasq command shows a proper dhcp log
+ # if use '-d', 'log-facility' should = /dev/null
 if [[ "$DHCP_DNS" != "no" ]]; then
 if [[ "$DHCP_DNS" == "gateway" ]]; then
 dns_offer="$GATEWAY"
 else
 dns_offer="$DH CP_DNS"
- dnsmasq_NO_DNS=1
 fi
 echo "dhcp-option-force=option:dns-server,${dns_offer}" >> $CONFDIR/dnsmasq.conf
- else
- dnsmasq_NO_DNS=1
 fi
 if [[ ! "$dnsmasq_NO_DNS" -eq 0 ]]; then
@@ -1293,6 +1398,22 @@ EOF
 if [[ ! "$SHOW_DNS_QUERY" -eq 0 ]]; then
 echo log-queries=extra >> $CONFDIR/dnsmasq.conf
 fi
+ if [[ $IPV6 -eq 1 ]];then
+ cat <<- EOF >> $CONFDIR/dnsmasq.conf
+ listen-address=${GATEWAY6}
+ enable-ra
+ #quiet-ra
+ dhcp-range=interface:${SUBNET_IFACE},::,::ffff:ffff:ffff:ffff,constructor:${SUBNET_IFACE},ra-stateless,64
+ EOF
+ if [[ "$DHCP_DNS6" != "no" ]]; then
+ if [[ "$DHCP_DNS6" == "gateway" ]]; then
+ dns_offer6="[$GATEWAY6]"
+ else
+ dns_offer6="$DHCP_DNS6"
+ fi
+ echo "dhcp-option=option6:dns-server,${dns_offer6}" >> $CONFDIR/dnsmasq.conf
+ fi
+ fi
 fi
 #===========================
@@ -1341,6 +1462,19 @@ if [[ $WIFI_IFACE ]]; then
 fi
 ip addr add ${GATEWAY}/24 broadcast ${GATEWAY%.*}.255 dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IP"
+if [[ $IPV6 -eq 1 ]]; then
+ mkdir $CONFDIR/sys_6_conf_iface
+ cp /proc/sys/net/ipv6/conf/$SUBNET_IFACE/accept_ra \ /proc/sys/net/ipv6/conf/$SUBNET_IFACE/use_tempaddr \ /proc/sys/net/ipv6/conf/$SUBNET_IFACE/addr_gen_mode \ $CONFDIR/sys_6_conf_iface/
+
+ echo 0 > /proc/sys/net/ipv6/conf/$SUBNET_IFACE/accept_ra
+ echo 0 > /proc/sys/net/ipv6/conf/$SUBNET_IFACE/use_tempaddr
+ echo 0 > /proc/sys/net/ipv6/conf/$SUBNET_IFACE/addr_gen_mode
+
+ ip -6 addr add ${GATEWAY6}/64 dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IPv6"
+fi
 # enable Internet sharing
 if [[ "$SHARE_METHOD" == "none" ]]; then
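Review bot: The three `echo 0 >` writes to accept_ra, use_tempaddr and addr_gen_mode, and the `cp` that saves their previous values for _cleanup, are unchecked, unlike the `ip -6 addr add ... || die` two lines below them. `addr_gen_mode` does not exist on older kernels, and then both the `cp` and the corresponding `echo` print an error and the script carries on. The `accept_ra=0` write is the one that matters: with `-n` neither forwarding sysctl is touched, and an interface with accept_ra left at 1 honours Router Advertisements sent by any client on the subnet, which can replace the gateway's own default route and DNS. Suggest `echo 0 > /proc/sys/net/ipv6/conf/$SUBNET_IFACE/accept_ra || die "Failed disabling accept_ra on $SUBNET_IFACE"` for that line, and for the other two either `|| die` or an explicit `[[ -e ... ]]` test so a missing knob is skipped deliberately rather than by accident.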
@@ -1348,10 +1482,16 @@ if [[ "$SHARE_METHOD" == "none" ]]; then
 elif [[ "$SHARE_METHOD" == "nat" ]]; then
 start_nat
 echo 1 > /proc/sys/net/ipv4/ip_forward || die "Failed enabling system ipv4 forwarding"
+ if [[ $IPV6 -eq 1 ]]; then
+ echo 1 > /proc/sys/net/ipv6/conf/all/forwarding || die "Failed enabling system ipv6 forwarding"
+ fi
 # to enable clients to establish PPTP connections we must
 # load nf_nat_pptp module
 modprobe nf_nat_pptp > /dev/null 2>&1
 elif [[ "$SHARE_METHOD" == "redsocks" ]]; then
+ if [[ $IPV6 -eq 1 ]]; then
+ echo 1 > /proc/sys/net/ipv6/conf/$SUBNET_IFACE/forwarding || die "Failed enabling $SUBNET_IFACE ipv6 forwarding"
+ fi
 if [[ "$dnsmasq_NO_DNS" -eq 0 ]]; then
 echo
 echo "WARN: You are using transparent proxy but gateway is providing local DNS, this may cause privacy leak !!!" >&2
@@ -1362,7 +1502,7 @@ fi
 # start dhcp + dns (optional)
-if [[ "$DHCP_DNS" == "gateway" ]]; then
+if [[ "$DHCP_DNS" == "gateway" || "$DHCP_DNS6" == "gateway" ]]; then
 allow_dns_port
 fi
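Review bot: `echo 1 > /proc/sys/net/ipv6/conf/all/forwarding` is the knob that actually enables IPv6 forwarding, but writing it also sets the `forwarding` flag of every interface, and an interface with the default `accept_ra=1` stops accepting Router Advertisements once its forwarding flag is on (only `accept_ra=2` keeps accepting them). On a host whose upstream address and default route come from SLAAC this can let the host's own IPv6 connectivity lapse while lnxrouter runs, and since nothing restores the sysctl at exit the effect persists afterwards. The commit should at least document it next to the write, e.g. `# NOTE: all/forwarding also flips every interface to router mode; an upstream with accept_ra=1 stops honouring RAs (it needs accept_ra=2)`, and ideally record the previous value so _cleanup can restore it for the last instance. The per-interface write in the redsocks branch does not have this side effect because it only touches `$SUBNET_IFACE`.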