support IPv6

nat method sets global forwarding and doesn't restore it on exit

use <<-
garywill 2018-08-31 18:41:06 +08:00 committed by garywill
parent 8970ba2607
commit c75ca0ce81
2 changed files with 294 additions and 152 deletions


@ -1,19 +1,19 @@
# Linux-router # Linux-router
Share your Linux's Internet access to other devices. Set Linux as router in one command. Able to Provide Internet, or create Wifi hotspot. Support transparent proxy (redsocks). Also useful for routing VM/containers.
The goal is to easily set/unset your Linux PC/embedded device as a gateway/hotspot/transparent proxy. It wraps the complicated `iptables`, `dnsmasq` etc. stuff. Use in one command, restore by `control-c`. It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c`.
It works on wired, wireless and virtual networks.
## Features ## Features
Basic features: Basic features:
- Create a NATed sub-network - Create a NATed sub-network
- Share Internet to the sub-network - Provide Internet
- DHCP server - DHCP server and RA
- DNS server - DNS server
- IPv6 (NAT only for now)
- Creating Wifi hotspot: - Creating Wifi hotspot:
- Channel selecting - Channel selecting
- Choose encryptions: WPA2/WPA, WPA2, WPA, No encryption - Choose encryptions: WPA2/WPA, WPA2, WPA, No encryption
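Review bot: the intro still promises "restore in one command or by `control-c`", but with `-6` the script now writes `/proc/sys/net/ipv6/conf/all/forwarding=1` and, as the commit message says, no longer restores forwarding on exit (the IPv4 `ip_forward` save/restore is removed in this same commit). Either restore both sysctls when the last instance exits or qualify that sentence. The new "IPv6 (NAT only for now)" bullet is also the natural place to say that the IPv6 side is a ULA `fd00:1:1:1::/64` behind an `ip6tables` MASQUERADE rule, not a routed prefix, so clients get no globally reachable address.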
@ -89,8 +89,10 @@ In `torrc`
``` ```
TransPort 0.0.0.0:9040 TransPort 0.0.0.0:9040
DNSPort 0.0.0.0:9053 DNSPort 0.0.0.0:9053
TransPort [::]:9040
DNSPort [::]:9053
``` ```
### Use for LXC ### Internet for LXC
Create a bridge Create a bridge
``` ```
# brctl addbr lxcbr5 # brctl addbr lxcbr5
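Review bot: `TransPort [::]:9040` and `DNSPort [::]:9053` bind on every IPv6 address of the host, including the upstream-facing one, and Tor accepts transparent-proxy connections from anyone who can reach the port; the script's INPUT rules only ACCEPT from the subnet, so on a host without a default-DROP INPUT policy this turns the machine into an open transparent Tor proxy for the upstream network. Prefer binding to the gateway address (the IPv6 gateway is `${PREFIX6}${IID6}`, `fd00:1:1:1::1` by default, which means Tor must start after lnxrouter has configured the interface) or state that a restrictive INPUT policy is assumed; the same caveat applies to the existing `0.0.0.0` lines. Also, Tor refuses to connect to IPv6 destinations on a port that does not have the `IPv6Traffic` isolation flag, so for the IPv6 redirect to work the line should read `TransPort [::]:9040 IPv6Traffic`.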
@ -165,16 +167,18 @@ Options:
-i <interface> Interface to share Internet to. An NATed subnet is made upon it. -i <interface> Interface to share Internet to. An NATed subnet is made upon it.
To create Wifi hotspot use '--ap' instead To create Wifi hotspot use '--ap' instead
-n Disable Internet sharing -n Disable Internet sharing
--tp <port> Transparent proxy (redsocks), redirect tcp and udp traffic to port. --tp <port> Transparent proxy, redirect non-LAN tcp and udp traffic to port.
Usually use with --dns-proxy Usually use with --dns-proxy
-g <gateway> Set Gateway IPv4 address, netmask is /24 (default: 192.168.18.1) -g <gateway> Set gateway IPv4 address, netmask is /24 (default: 192.168.18.1)
-6 Enable IPv6
--p6 <prefix> Set IPv6 prefix (length 64) (default: fd00:1:1:1:: )
--dns-proxy <port> Redirect incoming port 53 to DNS proxy port. DNS server is disabled --dns-proxy <port> Redirect incoming port 53 to DNS proxy port. DNS server is disabled
--no-serve-dns Disable DNS server --no-serve-dns Disable DNS server
--no-dnsmasq Disable dnsmasq server completely (DHCP and DNS) --no-dnsmasq Disable dnsmasq server completely (DHCP and DNS)
--log-dns Show DNS server query log --log-dns Show DNS server query log
--dhcp-dns <IP1[,IP2]>|no --dhcp-dns <IP1[,IP2]>|no
Set DNS offered by DHCP, or no DNS offered (default: gateway as DNS) Set IPv4 DNS offered by DHCP (default: gateway as DNS)
-d DNS server will take into account /etc/hosts -d DNS server will take into account /etc/hosts
-e <hosts_file> DNS server will take into account additional hosts file -e <hosts_file> DNS server will take into account additional hosts file
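Review bot: the options block is missing the `--dhcp-dns6 <IP1[,IP2]>|no` option that this commit adds to `usage()` and to the argument parser, including the note that the IPv6 addresses must be written inside `[]`. Two smaller drifts: `-6` is described here as "Enable IPv6" but as "Enable IPv6 (NAT)" in `usage()`, and the `--dhcp-dns` text lost the "or no DNS offered" wording although `|no` is still accepted. Keep the README block and the `usage()` text identical so one can be diffed against the other.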
@ -234,10 +238,8 @@ Wifi hotspot:
## TODO ## TODO
- Option to ban private network access - Option to ban private network access
- IPv6 support - Option to randomize MAC, IP, SSID, password
- Option to random MAC, IP, SSID, password - Option to redirect all DNS traffic
- Option to specify out-going interface
- Option to catch and redirect all dns connections
## Thanks ## Thanks
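Review bot: "Option to specify out-going interface" is dropped from the TODO list, but nothing in this diff adds such an option (the MASQUERADE rules still match `! -o ${SUBNET_IFACE}`, i.e. whatever interface the route picks). If it was dropped by accident, keep it; if it is intentional, say so in the commit message.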

418
lnxrouter Normal file → Executable file

@ -9,76 +9,90 @@ SCRIPT_UMASK=0122
umask $SCRIPT_UMASK umask $SCRIPT_UMASK
usage() { usage() {
echo "linux-router $VERSION (https://github.com/garywill/linux-router)" cat << EOF
echo " Share your Linux's Internet access to other devices. " linux-router $VERSION (https://github.com/garywill/linux-router)
echo " Works on wired, wireless and virtual networks."
echo Usage: $PROGNAME [options]
echo "Usage: "$PROGNAME" [options] "
echo Options:
echo "Options:" -h, --help Show this help
echo " -h, --help Show this help" --version Print version number
echo " --version Print version number"
echo -i <interface> Interface to share Internet to.
echo " -i <interface> Interface to share Internet to. An NATed subnet is made upon it." An NATed subnet is made upon it.
echo " To create Wifi hotspot use '--ap' instead" To create Wifi hotspot use '--ap' instead
echo " -n Disable Internet sharing" -n Disable Internet sharing
echo " --tp <port> Transparent proxy, redirect non-LAN tcp and udp traffic to port." --tp <port> Transparent proxy.
echo " Usually use with --dns-proxy" redirect non-LAN tcp and udp traffic to port.
echo Usually used with '--dns-proxy'
echo " -g <gateway> Set gateway IPv4 address, netmask is /24 (default: 192.168.18.1)"
echo " --dns-proxy <port> Redirect incoming port 53 to DNS proxy port. DNS server is disabled" -g <gateway> Set gateway IPv4 address, netmask is /24 .
echo " --no-serve-dns Disable DNS server" (default: 192.168.18.1)
echo " --no-dnsmasq Disable dnsmasq server completely (DHCP and DNS)" -6 Enable IPv6 (NAT)
echo " --log-dns Show DNS server query log" --p6 <prefix> Set IPv6 prefix (length 64)
echo " --dhcp-dns <IP1[,IP2]>|no" (default: fd00:1:1:1:: )
echo " Set DNS offered by DHCP, or no DNS offered (default: gateway as DNS)" --dns-proxy <port> Redirect incoming port 53 to DNS proxy port.
echo " -d DNS server will take into account /etc/hosts" DNS server is disabled
echo " -e <hosts_file> DNS server will take into account additional hosts file" --no-serve-dns Disable DNS server
echo --no-dnsmasq Disable dnsmasq server completely (DHCP, DNS, RA)
echo " --mac <MAC> Set MAC address" --log-dns Show DNS server query log
echo --dhcp-dns <IP1[,IP2]>|no
echo " Wifi hotspot options:" Set IPv4 DNS offered by DHCP
echo " --ap <wlan card interface> <access point name>" (default: gateway as DNS)
echo " Create Wifi access point using wlan card, and set SSID" --dhcp-dns6 <IP1[,IP2]>|no
echo " --password <passphrase> Wifi password" Set IPv6 DNS offered by DHCP(RA)
echo (default: gateway as DNS)
echo " --hidden Make the Access Point hidden (do not broadcast the SSID)" Note IPv6 addresses need '[]' around
echo " --no-virt Do not create virtual interface. " -d DNS server will take into account /etc/hosts
echo " Using this you can't use same wlan card as Internet and AP" -e <hosts_file> DNS server will take into account additional
echo " -c <channel> Channel number (default: 1)" hosts file
echo " --country <code> Set two-letter country code for regularity (example: US)"
echo " --freq-band <GHz> Set frequency band. Valid inputs: 2.4, 5 (default: 2.4)" --mac <MAC> Set MAC address
echo " --driver Choose your WiFi adapter driver (default: nl80211)"
echo " -w <WPA version> Use 1 for WPA, use 2 for WPA2, use 1+2 for both (default: 1+2)" Wifi hotspot options:
echo " --psk Use 64 hex digits pre-shared-key instead of passphrase" --ap <wifi interface> <SSID>
echo " --mac-filter Enable Wifi hotspot MAC address filtering" Create Wifi access point
echo " --mac-filter-accept Location of Wifi hotspot MAC address filter list (defaults to /etc/hostapd/hostapd.accept)" --password <password> Wifi password
echo " --hostapd-debug <level> With level between 1 and 2, passes arguments -d or -dd to hostapd for debugging."
echo " --isolate-clients Disable communication between clients" --hidden Hide access point (not broadcast SSID)
echo " --ieee80211n Enable IEEE 802.11n (HT)" --no-virt Do not create virtual interface
echo " --ieee80211ac Enable IEEE 802.11ac (VHT)" Using this you can't use same wlan interface
echo " --ht_capab <HT> HT capabilities (default: [HT40+])" for both Internet and AP
echo " --vht_capab <VHT> VHT capabilities" -c <channel> Channel number (default: 1)
echo " --no-haveged Do not run 'haveged' automatically when needed" --country <code> Set two-letter country code for regularity
echo (example: US)
echo " Instance managing:" --freq-band <GHz> Set frequency band: 2.4 or 5 (default: 2.4)
echo " --daemon Run lnxrouter in the background" --driver Choose your WiFi adapter driver (default: nl80211)
echo " --list-running Show the lnxrouter processes that are already running" -w <WPA version> Use 1 for WPA, use 2 for WPA2, use 1+2 for both
echo " --stop <id> Send stop command to an already running lnxrouter. For an <id>" (default: 1+2)
echo " you can put the PID of lnxrouter or interface. You can" --psk Use 64 hex digits pre-shared-key instead of
echo " get them with --list-running" passphrase
echo " --list-clients <id> List the clients connected to lnxrouter instance associated with <id>." --mac-filter Enable Wifi hotspot MAC address filtering
echo " For an <id> you can put the PID of lnxrouter or interface." --mac-filter-accept Location of Wifi hotspot MAC address filter list
echo " If virtual WiFi interface was created, then use that one." (defaults to /etc/hostapd/hostapd.accept)
echo " You can get them with --list-running" --hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd
echo --isolate-clients Disable wifi communication between clients
echo "Examples:" --ieee80211n Enable IEEE 802.11n (HT)
echo " "$PROGNAME" -i eth1" --ieee80211ac Enable IEEE 802.11ac (VHT)
echo " "$PROGNAME" --ap wlan0 MyAccessPoint --password MyPassPhrase" --ht_capab <HT> HT capabilities (default: [HT40+])
echo " "$PROGNAME" --ap wlan0 MyAccessPoint" --vht_capab <VHT> VHT capabilities
echo " "$PROGNAME" -n --ap wlan0 MyAccessPoint --password MyPassPhrase" --no-haveged Do not run haveged automatically when needed
echo " "$PROGNAME" --driver rtl871xdrv --ap wlan0 MyAccessPoint --password MyPassPhrase"
echo " "$PROGNAME" -i eth1 --tp <transparent-proxy> --dns-proxy <dns-proxy>" Instance managing:
--daemon Run in background
--list-running Show running instances
--list-clients <id> List clients of an instance
--stop <id> Stop a running instance
For <id> you can use PID or subnet interface name.
You can get them with '--list-running'
Examples:
$PROGNAME -i eth1
$PROGNAME --ap wlan0 MyAccessPoint
$PROGNAME --ap wlan0 MyAccessPoint --password MyPassPhrase
$PROGNAME -n --ap wlan0 MyAccessPoint --password MyPassPhrase
$PROGNAME -i eth1 --tp <transparent-proxy> --dns-proxy <dns-proxy>
EOF
} }
if [[ "$1" == "" ]]; then if [[ "$1" == "" ]]; then
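Review bot: `-6 Enable IPv6 (NAT)` is misleading because `-6` also applies to the transparent-proxy share method (the `REDSOCKS-*` ip6tables chain and the per-interface forwarding write further down), and `--dhcp-dns6` says "offered by DHCP(RA)" although the value ends up in `dhcp-option=option6:dns-server`, which is a stateless DHCPv6 option rather than an RA RDNSS option. Suggest `-6 Enable IPv6 (NAT or transparent proxy)` and "Set IPv6 DNS offered by DHCPv6". Style: this is an unquoted heredoc, so every `$`, backtick and backslash in the help text is interpreted; that is wanted for `$PROGNAME` and `$VERSION`, just keep it in mind when editing the text.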
@ -87,8 +101,12 @@ if [[ "$1" == "" ]]; then
fi fi
GATEWAY=192.168.18.1 GATEWAY=192.168.18.1
PREFIX6=fd00:1:1:1::
IID6=1
IPV6=0
ROUTE_ADDRS= ROUTE_ADDRS=
DHCP_DNS=gateway DHCP_DNS=gateway
DHCP_DNS6=gateway
dnsmasq_NO_DNS=0 dnsmasq_NO_DNS=0
NO_DNSMASQ=0 NO_DNSMASQ=0
SHOW_DNS_QUERY=0 SHOW_DNS_QUERY=0
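Review bot: `PREFIX6=fd00:1:1:1::` is a fixed ULA default shared by every host running this script; RFC 4193 asks for a random 40-bit global ID precisely so that two ULA networks do not collide, and a collision matters here because the MASQUERADE rule excludes `! -d ${PREFIX6}/64`, so traffic to an upstream network that uses the same prefix would silently bypass NAT. Consider generating the default at startup (e.g. from `/dev/urandom`) or at least documenting that `--p6` should be changed when the upstream side also uses ULA.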
@ -164,6 +182,15 @@ while [[ -n "$1" ]]; do
GATEWAY="$1" GATEWAY="$1"
shift shift
;; ;;
-6)
shift
IPV6=1
;;
--p6)
shift
PREFIX6="$1"
shift
;;
--mac) --mac)
shift shift
NEW_MACADDR="$1" NEW_MACADDR="$1"
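Review bot: `--p6` is stored without validation, and the gateway address is later built by plain concatenation (`GATEWAY6=${PREFIX6}${IID6}`), so the value must end in `::` as the default `fd00:1:1:1::` does; `--p6 fd00:1:1:1:` or a prefix that already carries a host part yields an invalid address that only fails much later at `ip -6 addr add`. Check that the argument ends with `::` (or strip and re-append it) and reject anything else with `die` at the same point where the other options are validated.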
@ -188,6 +215,11 @@ while [[ -n "$1" ]]; do
DHCP_DNS="$1" DHCP_DNS="$1"
shift shift
;; ;;
--dhcp-dns6)
shift
DHCP_DNS6="$1"
shift
;;
--log-dns) --log-dns)
shift shift
SHOW_DNS_QUERY=1 SHOW_DNS_QUERY=1
@ -568,10 +600,15 @@ nm_restore_manage() {
#========= #=========
alias iptables="iptables -w"
iptables_() iptables_()
{ {
iptables $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE" iptables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE"
return $?
}
ip6tables_()
{
ip6tables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE"
return $?
} }
start_nat() { start_nat() {
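Review bot: both wrappers expand `$@` unquoted; write `"$@"` so the caller's arguments reach `iptables`/`ip6tables` without word splitting or globbing (the `--comment` argument is quoted, the user-derived ones are not). The `return $?` after the command is redundant, since a function already returns the status of its last command.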
@ -580,12 +617,22 @@ start_nat() {
iptables_ -v -t nat -I POSTROUTING -s ${GATEWAY%.*}.0/24 ! -d ${GATEWAY%.*}.0/24 ! -o ${SUBNET_IFACE} -j MASQUERADE || die iptables_ -v -t nat -I POSTROUTING -s ${GATEWAY%.*}.0/24 ! -d ${GATEWAY%.*}.0/24 ! -o ${SUBNET_IFACE} -j MASQUERADE || die
iptables_ -v -I FORWARD -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -j ACCEPT || die iptables_ -v -I FORWARD -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -j ACCEPT || die
iptables_ -v -I FORWARD -o ${SUBNET_IFACE} -d ${GATEWAY%.*}.0/24 -j ACCEPT || die iptables_ -v -I FORWARD -o ${SUBNET_IFACE} -d ${GATEWAY%.*}.0/24 -j ACCEPT || die
if [[ $IPV6 -eq 1 ]]; then
ip6tables_ -v -t nat -I POSTROUTING -s ${PREFIX6}/64 ! -d ${PREFIX6}/64 ! -o ${SUBNET_IFACE} -j MASQUERADE || die
ip6tables_ -v -I FORWARD -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -j ACCEPT || die
ip6tables_ -v -I FORWARD -o ${SUBNET_IFACE} -d ${PREFIX6}/64 -j ACCEPT || die
fi
} }
stop_nat() { stop_nat() {
echo "iptables: stop NAT" echo "iptables: stop NAT"
iptables_ -t nat -D POSTROUTING -s ${GATEWAY%.*}.0/24 ! -d ${GATEWAY%.*}.0/24 ! -o ${SUBNET_IFACE} -j MASQUERADE iptables_ -t nat -D POSTROUTING -s ${GATEWAY%.*}.0/24 ! -d ${GATEWAY%.*}.0/24 ! -o ${SUBNET_IFACE} -j MASQUERADE
iptables_ -D FORWARD -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -j ACCEPT iptables_ -D FORWARD -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -j ACCEPT
iptables_ -D FORWARD -o ${SUBNET_IFACE} -d ${GATEWAY%.*}.0/24 -j ACCEPT iptables_ -D FORWARD -o ${SUBNET_IFACE} -d ${GATEWAY%.*}.0/24 -j ACCEPT
if [[ $IPV6 -eq 1 ]]; then
ip6tables_ -t nat -D POSTROUTING -s ${PREFIX6}/64 ! -d ${PREFIX6}/64 ! -o ${SUBNET_IFACE} -j MASQUERADE
ip6tables_ -D FORWARD -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -j ACCEPT
ip6tables_ -D FORWARD -o ${SUBNET_IFACE} -d ${PREFIX6}/64 -j ACCEPT
fi
} }
allow_dns_port() { allow_dns_port() {
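Review bot: the ip6tables `nat` table and `MASQUERADE` target need kernel IPv6 NAT support (the `ip6table_nat`/`nf_nat_ipv6` modules, kernel 3.7 or newer); on a host without it the first `ip6tables_ -v -t nat ... || die` aborts only after the interface, hostapd and dnsmasq configuration have already been set up. Probe for it in the dependency checks when `-6` is given (e.g. `ip6tables -w -t nat -L -n >/dev/null`) so the failure is reported before anything is configured. The `stop_nat` side correctly mirrors the IPv4 rules.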
@ -593,21 +640,35 @@ allow_dns_port() {
echo "iptables: allow DNS port access" echo "iptables: allow DNS port access"
iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j ACCEPT || die iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j ACCEPT || die
iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j ACCEPT || die iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j ACCEPT || die
if [[ $IPV6 -eq 1 ]]; then
ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j ACCEPT || die
ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j ACCEPT || die
fi
} }
unallow_dns_port() { unallow_dns_port() {
echo "iptables: stop allowing DNS" echo "iptables: stop allowing DNS"
iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j ACCEPT iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j ACCEPT
iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j ACCEPT iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j ACCEPT
if [[ $IPV6 -eq 1 ]]; then
ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j ACCEPT
ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j ACCEPT
fi
} }
start_dhcp() { start_dhcp() {
echo echo
echo "iptables: allow DHCP port access" echo "iptables: allow DHCP port access"
iptables_ -v -I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 67 -j ACCEPT || die iptables_ -v -I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 67 -j ACCEPT || die
if [[ $IPV6 -eq 1 ]]; then
ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 547 -j ACCEPT || die
fi
} }
stop_dhcp() { stop_dhcp() {
echo "iptables: stop dhcp" echo "iptables: stop dhcp"
iptables_ -D INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 67 -j ACCEPT iptables_ -D INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 67 -j ACCEPT
if [[ $IPV6 -eq 1 ]]; then
ip6tables_ -D INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 547 -j ACCEPT
fi
} }
redirect_dns() { redirect_dns() {
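Review bot: the new INPUT rule opens UDP 547 (DHCPv6) but nothing opens ICMPv6 from the subnet. Neighbor Solicitation and Router Solicitation are ICMPv6, so on a host whose INPUT policy is DROP the gateway never answers neighbor discovery for `${GATEWAY6}` and clients cannot reach the DNS or DHCPv6 rules added here at all; add `ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -p icmpv6 -j ACCEPT` next to the 547 rule (and the matching `-D` in `stop_dhcp`). The IPv4 side has no equivalent problem because ARP is not filtered by iptables.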
@ -619,6 +680,15 @@ redirect_dns() {
# redirect 53 to dns proxy # redirect 53 to dns proxy
iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT} || die iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT} || die
iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT} || die iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT} || die
if [[ $IPV6 -eq 1 ]]; then
# allow input to dns proxy port
ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport ${TP_DNS_PORT} -j ACCEPT || die
ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport ${TP_DNS_PORT} -j ACCEPT || die
# redirect 53 to dns proxy
ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT} || die
ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT} || die
fi
} }
unredirect_dns() { unredirect_dns() {
echo "iptables: stop dns proxy " echo "iptables: stop dns proxy "
@ -627,6 +697,14 @@ unredirect_dns() {
iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT} iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT}
iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT} iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT}
if [[ $IPV6 -eq 1 ]]; then
ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport ${TP_DNS_PORT} -j ACCEPT
ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport ${TP_DNS_PORT} -j ACCEPT
ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT}
ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports ${TP_DNS_PORT}
fi
} }
start_redsocks() { start_redsocks() {
@ -640,6 +718,7 @@ start_redsocks() {
iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 172.16.0.0/12 -j RETURN || die iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 172.16.0.0/12 -j RETURN || die
iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 192.168.0.0/16 -j RETURN || die iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 192.168.0.0/16 -j RETURN || die
iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 224.0.0.0/4 -j RETURN || die iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 224.0.0.0/4 -j RETURN || die
iptables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p tcp -j REDIRECT --to-ports ${TP_PORT} || die iptables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p tcp -j REDIRECT --to-ports ${TP_PORT} || die
iptables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p udp -j REDIRECT --to-ports ${TP_PORT} || die iptables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p udp -j REDIRECT --to-ports ${TP_PORT} || die
@ -647,6 +726,24 @@ start_redsocks() {
iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT || die iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT || die
iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p udp -m udp --dport ${TP_PORT} -j ACCEPT || die iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p udp -m udp --dport ${TP_PORT} -j ACCEPT || die
if [[ $IPV6 -eq 1 ]]; then
ip6tables_ -t nat -N REDSOCKS-${SUBNET_IFACE} || die
ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d fc00::/7 -j RETURN || die
ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d fe80::/10 -j RETURN || die
ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d ff00::/8 -j RETURN || die
ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d ::1 -j RETURN || die
ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d :: -j RETURN || die
ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 0100::/64 -j RETURN || die
ip6tables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p tcp -j REDIRECT --to-ports ${TP_PORT} || die
ip6tables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p udp -j REDIRECT --to-ports ${TP_PORT} || die
ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -j REDSOCKS-${SUBNET_IFACE} || die
ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT || die
ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p udp -m udp --dport ${TP_PORT} -j ACCEPT || die
fi
} }
stop_redsocks() { stop_redsocks() {
echo "iptables: stop transparent proxy" echo "iptables: stop transparent proxy"
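Review bot: the `RETURN` list (`fc00::/7`, `fe80::/10`, `ff00::/8`, `::1`, `::`, `0100::/64`) excludes the subnet itself only because the default `--p6` prefix is a ULA inside `fc00::/7`; with a `--p6` outside that range, traffic between clients and the gateway would be redirected into the proxy. Add an explicit `-d ${PREFIX6}/64 -j RETURN` as the first rule of the chain so the exclusion does not depend on the default. `REDIRECT` in ip6tables also has the same kernel IPv6 NAT requirement as the MASQUERADE rule in `start_nat`.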
@ -656,6 +753,15 @@ stop_redsocks() {
iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT
iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p udp -m udp --dport ${TP_PORT} -j ACCEPT iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p udp -m udp --dport ${TP_PORT} -j ACCEPT
if [[ $IPV6 -eq 1 ]]; then
ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -j REDSOCKS-${SUBNET_IFACE}
ip6tables_ -t nat -F REDSOCKS-${SUBNET_IFACE}
ip6tables_ -t nat -X REDSOCKS-${SUBNET_IFACE}
ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT
ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p udp -m udp --dport ${TP_PORT} -j ACCEPT
fi
} }
kill_processes() { kill_processes() {
@ -676,11 +782,13 @@ kill_processes() {
_cleanup() { _cleanup() {
local x local x
nm_restore_manage
rm -rf $CONFDIR
ip addr flush ${SUBNET_IFACE} ip addr flush ${SUBNET_IFACE}
if [[ $IPV6 -eq 1 ]]; then
cp -f $CONFDIR/sys_6_conf_iface/* /proc/sys/net/ipv6/conf/$SUBNET_IFACE/
fi
rm -rf $CONFDIR
if [[ $WIFI_IFACE && $NO_VIRT -eq 0 ]]; then if [[ $WIFI_IFACE && $NO_VIRT -eq 0 ]]; then
ip link set down dev ${AP_IFACE} ip link set down dev ${AP_IFACE}
iw dev ${VWIFI_IFACE} del iw dev ${VWIFI_IFACE} del
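Review bot: `cp -f $CONFDIR/sys_6_conf_iface/* ...` assumes the save directory exists, but if `die` reaches `_cleanup` before the save has happened (the `ip addr add ... || die` for the IPv4 address precedes it), the glob stays literal and `cp` prints an error. Guard it with `[[ -d $CONFDIR/sys_6_conf_iface ]]` and restore the three files by name (`accept_ra`, `use_tempaddr`, `addr_gen_mode`) so nothing else that ends up in that directory can be written into `/proc`. Moving `rm -rf $CONFDIR` after the restore is the right order, since the restore reads from it.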
@ -691,21 +799,14 @@ _cleanup() {
fi fi
fi fi
# if we are the last lnxrouter instance then set back the common values
if ! has_running_instance; then if ! has_running_instance; then
echo "Exiting: This is the only running instance" echo "Exiting: This is the only running instance"
# kill common processes # kill common processes
for x in $COMMON_CONFDIR/*.pid; do for x in $COMMON_CONFDIR/*.pid; do
[[ -f $x ]] && kill -9 $(cat $x) && rm $x [[ -f $x ]] && kill -9 $(cat $x) && rm $x
done done
# set old ip_forward
if [[ -f $COMMON_CONFDIR/ip_forward ]]; then
echo "Set to old value: /proc/sys/net/ipv4/ip_forward=$(cat $COMMON_CONFDIR/ip_forward)"
cp -f $COMMON_CONFDIR/ip_forward /proc/sys/net/ipv4
rm -f $COMMON_CONFDIR/ip_forward
fi
rm -d $COMMON_CONFDIR/ifaces rm -d $COMMON_CONFDIR/ifaces
rm -d $COMMON_CONFDIR rm -d $COMMON_CONFDIR
rm -d $TMPDIR rm -d $TMPDIR
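Review bot: dropping the `ip_forward` restore leaves the host as an IPv4 router after the last instance exits (the `cp -n .../ip_forward` save is removed further down as well); a machine that was not forwarding before now forwards between all its interfaces permanently, which is an unannounced attack-surface change for anyone running this on a laptop. The removed code already handled the multi-instance case by saving with `cp -n` and restoring only when `has_running_instance` is false; keeping it, and adding the same save/restore for `/proc/sys/net/ipv6/conf/all/forwarding`, would fix the "don't restore when exit" item from the commit message instead of codifying it.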
@ -713,7 +814,7 @@ _cleanup() {
echo "Exiting: This is NOT the only running instance" echo "Exiting: This is NOT the only running instance"
fi fi
nm_restore_manage
} }
clean_iptables() { clean_iptables() {
@ -724,7 +825,7 @@ clean_iptables() {
stop_redsocks stop_redsocks
fi fi
if [[ "$DHCP_DNS" == "gateway" ]]; then if [[ "$DHCP_DNS" == "gateway" || "$DHCP_DNS6" == "gateway" ]]; then
unallow_dns_port unallow_dns_port
fi fi
@ -933,6 +1034,14 @@ if [[ $SHARE_METHOD == 'none' ]]; then
dnsmasq_NO_DNS=1 dnsmasq_NO_DNS=1
fi fi
if [[ $IPV6 -eq 1 ]]; then
GATEWAY6=${PREFIX6}${IID6}
fi
if [[ $DHCP_DNS != 'gateway' && $DHCP_DNS6 != 'gateway' ]]; then
dnsmasq_NO_DNS=1
fi
if [[ -d /dev/shm ]]; then if [[ -d /dev/shm ]]; then
TMPD=/dev/shm TMPD=/dev/shm
elif [[ -d /run/shm ]]; then elif [[ -d /run/shm ]]; then
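Review bot: the new condition `$DHCP_DNS != 'gateway' && $DHCP_DNS6 != 'gateway'` is evaluated even when `IPV6` is 0, and `DHCP_DNS6` defaults to `gateway`, so `--dhcp-dns <IP>` on an IPv4-only run no longer disables the local DNS server, and `allow_dns_port`/`unallow_dns_port` (which use the same `||` test) still open port 53 on the gateway. Before this commit that flag set `dnsmasq_NO_DNS=1` inside the dnsmasq config block. Set `DHCP_DNS6=no` when `IPV6 -eq 0` before these checks, or include `$IPV6 -eq 1` in the IPv6 half of each condition.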
@ -1098,7 +1207,6 @@ echo $$ > $CONFDIR/pid
COMMON_CONFDIR=$TMPDIR/lnxrouter_common.conf COMMON_CONFDIR=$TMPDIR/lnxrouter_common.conf
mkdir -p $COMMON_CONFDIR mkdir -p $COMMON_CONFDIR
cp -n /proc/sys/net/ipv4/ip_forward $COMMON_CONFDIR
if [[ $WIFI_IFACE ]]; then if [[ $WIFI_IFACE ]]; then
@ -1176,23 +1284,23 @@ if [[ $WIFI_IFACE ]]; then
[[ $ISOLATE_CLIENTS -eq 1 ]] && echo "Access Point's clients will be isolated!" [[ $ISOLATE_CLIENTS -eq 1 ]] && echo "Access Point's clients will be isolated!"
# hostapd config # hostapd config
cat << EOF > $CONFDIR/hostapd.conf cat <<- EOF > $CONFDIR/hostapd.conf
beacon_int=100 beacon_int=100
ssid=${SSID} ssid=${SSID}
interface=${AP_IFACE} interface=${AP_IFACE}
driver=${DRIVER} driver=${DRIVER}
channel=${CHANNEL} channel=${CHANNEL}
ctrl_interface=$CONFDIR/hostapd_ctrl ctrl_interface=$CONFDIR/hostapd_ctrl
ctrl_interface_group=0 ctrl_interface_group=0
ignore_broadcast_ssid=$HIDDEN ignore_broadcast_ssid=$HIDDEN
ap_isolate=$ISOLATE_CLIENTS ap_isolate=$ISOLATE_CLIENTS
EOF EOF
if [[ -n "$COUNTRY" ]]; then if [[ -n "$COUNTRY" ]]; then
cat << EOF >> $CONFDIR/hostapd.conf cat <<- EOF >> $CONFDIR/hostapd.conf
country_code=${COUNTRY} country_code=${COUNTRY}
ieee80211d=1 ieee80211d=1
EOF EOF
fi fi
if [[ $FREQ_BAND == 2.4 ]]; then if [[ $FREQ_BAND == 2.4 ]]; then
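Review bot: `<<-` strips leading tab characters only, not spaces, so these heredocs only work if their bodies and the closing `EOF` are indented with tabs, which the rendered diff cannot show. A space-indented body would put lines like ` ssid=...` into `hostapd.conf`, and hostapd rejects lines whose keyword does not start at column 0. Worth a comment at the first heredoc (or a tab check), because an editor that converts tabs to spaces breaks every one of these blocks at once; the same applies to the `dnsmasq.conf` heredocs below.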
@ -1202,17 +1310,17 @@ EOF
fi fi
if [[ $MAC_FILTER -eq 1 ]]; then if [[ $MAC_FILTER -eq 1 ]]; then
cat << EOF >> $CONFDIR/hostapd.conf cat <<- EOF >> $CONFDIR/hostapd.conf
macaddr_acl=${MAC_FILTER} macaddr_acl=${MAC_FILTER}
accept_mac_file=${MAC_FILTER_ACCEPT} accept_mac_file=${MAC_FILTER_ACCEPT}
EOF EOF
fi fi
if [[ $IEEE80211N -eq 1 ]]; then if [[ $IEEE80211N -eq 1 ]]; then
cat << EOF >> $CONFDIR/hostapd.conf cat <<- EOF >> $CONFDIR/hostapd.conf
ieee80211n=1 ieee80211n=1
ht_capab=${HT_CAPAB} ht_capab=${HT_CAPAB}
EOF EOF
fi fi
if [[ $IEEE80211AC -eq 1 ]]; then if [[ $IEEE80211AC -eq 1 ]]; then
@ -1234,17 +1342,17 @@ EOF
else else
WPA_KEY_TYPE=psk WPA_KEY_TYPE=psk
fi fi
cat << EOF >> $CONFDIR/hostapd.conf cat <<- EOF >> $CONFDIR/hostapd.conf
wpa=${WPA_VERSION} wpa=${WPA_VERSION}
wpa_${WPA_KEY_TYPE}=${PASSPHRASE} wpa_${WPA_KEY_TYPE}=${PASSPHRASE}
wpa_key_mgmt=WPA-PSK wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP rsn_pairwise=CCMP
EOF EOF
else else
echo "WARN: Wifi is not protected by password" >&2 echo "WARN: Wifi is not protected by password" >&2
fi fi
chmod 600 $CONFDIR/hostapd.conf chmod 600 $CONFDIR/hostapd.conf
fi fi
#=================================================== #===================================================
@ -1255,32 +1363,29 @@ if [[ $NM_RUNNING -eq 1 ]] && nm_knows $TARGET_IFACE ; then
fi fi
if [[ $NO_DNSMASQ -eq 0 ]]; then if [[ $NO_DNSMASQ -eq 0 ]]; then
# dnsmasq config (dhcp + dns) cat <<- EOF > $CONFDIR/dnsmasq.conf
cat << EOF > $CONFDIR/dnsmasq.conf user=nobody
user=nobody group=nobody
group=nobody bind-dynamic
bind-dynamic listen-address=${GATEWAY}
listen-address=${GATEWAY} interface=$SUBNET_IFACE
interface=$SUBNET_IFACE except-interface=lo
except-interface=lo no-dhcp-interface=lo
no-dhcp-interface=lo dhcp-range=${GATEWAY%.*}.10,${GATEWAY%.*}.250,255.255.255.0
dhcp-range=${GATEWAY%.*}.10,${GATEWAY%.*}.250,255.255.255.0 dhcp-option-force=option:router,${GATEWAY}
dhcp-option-force=option:router,${GATEWAY} #log-dhcp
#log-dhcp log-facility=/dev/null
log-facility=/dev/null bogus-priv
EOF EOF
# 'log-dhcp' show too much logs. Using '-d' in dnsmasq command shows a proper dhcp log # 'log-dhcp' show too much logs. Using '-d' in dnsmasq command shows a proper dhcp log
# if use '-d', 'log-facility' should = /dev/null # if use '-d', 'log-facility' should = /dev/null
if [[ "$DHCP_DNS" != "no" ]]; then if [[ "$DHCP_DNS" != "no" ]]; then
if [[ "$DHCP_DNS" == "gateway" ]]; then if [[ "$DHCP_DNS" == "gateway" ]]; then
dns_offer="$GATEWAY" dns_offer="$GATEWAY"
else else
dns_offer="$DHCP_DNS" dns_offer="$DHCP_DNS"
dnsmasq_NO_DNS=1
fi fi
echo "dhcp-option-force=option:dns-server,${dns_offer}" >> $CONFDIR/dnsmasq.conf echo "dhcp-option-force=option:dns-server,${dns_offer}" >> $CONFDIR/dnsmasq.conf
else
dnsmasq_NO_DNS=1
fi fi
if [[ ! "$dnsmasq_NO_DNS" -eq 0 ]]; then if [[ ! "$dnsmasq_NO_DNS" -eq 0 ]]; then
@ -1293,6 +1398,22 @@ EOF
if [[ ! "$SHOW_DNS_QUERY" -eq 0 ]]; then if [[ ! "$SHOW_DNS_QUERY" -eq 0 ]]; then
echo log-queries=extra >> $CONFDIR/dnsmasq.conf echo log-queries=extra >> $CONFDIR/dnsmasq.conf
fi fi
if [[ $IPV6 -eq 1 ]];then
cat <<- EOF >> $CONFDIR/dnsmasq.conf
listen-address=${GATEWAY6}
enable-ra
#quiet-ra
dhcp-range=interface:${SUBNET_IFACE},::,::ffff:ffff:ffff:ffff,constructor:${SUBNET_IFACE},ra-stateless,64
EOF
if [[ "$DHCP_DNS6" != "no" ]]; then
if [[ "$DHCP_DNS6" == "gateway" ]]; then
dns_offer6="[$GATEWAY6]"
else
dns_offer6="$DHCP_DNS6"
fi
echo "dhcp-option=option6:dns-server,${dns_offer6}" >> $CONFDIR/dnsmasq.conf
fi
fi
fi fi
#=========================== #===========================
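Review bot: `dns_offer6="[$GATEWAY6]"` brackets the gateway address, but a user-supplied `--dhcp-dns6` value is written verbatim into `dhcp-option=option6:dns-server,...`, which is why `usage()` has to tell users to type the `[]` themselves; bracket each comma-separated element in the script instead (e.g. `sed 's/[^,]\+/[&]/g'` on values that are not already bracketed) so `--dhcp-dns6` takes bare addresses like `--dhcp-dns` does. Also, with `ra-stateless` a client only learns this DNS server if it performs stateless DHCPv6 after the RA; a client that does SLAAC alone never sees `option6:dns-server`.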
@ -1341,6 +1462,19 @@ if [[ $WIFI_IFACE ]]; then
fi fi
ip addr add ${GATEWAY}/24 broadcast ${GATEWAY%.*}.255 dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IP" ip addr add ${GATEWAY}/24 broadcast ${GATEWAY%.*}.255 dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IP"
if [[ $IPV6 -eq 1 ]]; then
mkdir $CONFDIR/sys_6_conf_iface
cp /proc/sys/net/ipv6/conf/$SUBNET_IFACE/accept_ra \
/proc/sys/net/ipv6/conf/$SUBNET_IFACE/use_tempaddr \
/proc/sys/net/ipv6/conf/$SUBNET_IFACE/addr_gen_mode \
$CONFDIR/sys_6_conf_iface/
echo 0 > /proc/sys/net/ipv6/conf/$SUBNET_IFACE/accept_ra
echo 0 > /proc/sys/net/ipv6/conf/$SUBNET_IFACE/use_tempaddr
echo 0 > /proc/sys/net/ipv6/conf/$SUBNET_IFACE/addr_gen_mode
ip -6 addr add ${GATEWAY6}/64 dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IPv6"
fi
# enable Internet sharing # enable Internet sharing
if [[ "$SHARE_METHOD" == "none" ]]; then if [[ "$SHARE_METHOD" == "none" ]]; then
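Review bot: the three `echo 0 >` writes carry no explanation and no error handling; `addr_gen_mode` only exists as a sysctl on fairly recent kernels (added in 4.11), and where it is absent the `cp` fails non-fatally and the `echo` prints "No such file" and carries on. Guard each write with `[[ -f ... ]]` and add a short comment stating the intent: `accept_ra=0` so the gateway does not act on dnsmasq's own Router Advertisements, `use_tempaddr=0` so no temporary addresses appear on the gateway interface, `addr_gen_mode=0` for an EUI-64 link-local. The save before the writes and the `|| die` on `ip -6 addr add` are fine.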
@ -1348,10 +1482,16 @@ if [[ "$SHARE_METHOD" == "none" ]]; then
elif [[ "$SHARE_METHOD" == "nat" ]]; then elif [[ "$SHARE_METHOD" == "nat" ]]; then
start_nat start_nat
echo 1 > /proc/sys/net/ipv4/ip_forward || die "Failed enabling system ipv4 forwarding" echo 1 > /proc/sys/net/ipv4/ip_forward || die "Failed enabling system ipv4 forwarding"
if [[ $IPV6 -eq 1 ]]; then
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding || die "Failed enabling system ipv6 forwarding"
fi
# to enable clients to establish PPTP connections we must # to enable clients to establish PPTP connections we must
# load nf_nat_pptp module # load nf_nat_pptp module
modprobe nf_nat_pptp > /dev/null 2>&1 modprobe nf_nat_pptp > /dev/null 2>&1
elif [[ "$SHARE_METHOD" == "redsocks" ]]; then elif [[ "$SHARE_METHOD" == "redsocks" ]]; then
if [[ $IPV6 -eq 1 ]]; then
echo 1 > /proc/sys/net/ipv6/conf/$SUBNET_IFACE/forwarding || die "Failed enabling $SUBNET_IFACE ipv6 forwarding"
fi
if [[ "$dnsmasq_NO_DNS" -eq 0 ]]; then if [[ "$dnsmasq_NO_DNS" -eq 0 ]]; then
echo echo
echo "WARN: You are using transparent proxy but gateway is providing local DNS, this may cause privacy leak !!!" >&2 echo "WARN: You are using transparent proxy but gateway is providing local DNS, this may cause privacy leak !!!" >&2
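Review bot: `echo 1 > /proc/sys/net/ipv6/conf/all/forwarding` has a host-wide side effect that IPv4 `ip_forward` does not: writing `all/forwarding` switches every interface into router mode, and a router-mode interface with `accept_ra=1` stops accepting Router Advertisements, so the upstream interface of a laptop that gets its IPv6 via SLAAC loses its address and default route once they expire. Set `accept_ra=2` on the upstream interface (or at least warn), and save/restore the previous `all/forwarding` value the way the removed `ip_forward` logic did instead of leaving it at 1 after exit. In the redsocks branch, the per-interface `${SUBNET_IFACE}/forwarding` write does not enable forwarding by itself (the kernel checks `all/forwarding` for IPv6); if it is there so the gateway behaves as a router for neighbor discovery, say so in a comment, and if it is meant to route the `RETURN` exceptions of the REDSOCKS chain, it does not.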
@ -1362,7 +1502,7 @@ fi
# start dhcp + dns (optional) # start dhcp + dns (optional)
if [[ "$DHCP_DNS" == "gateway" ]]; then if [[ "$DHCP_DNS" == "gateway" || "$DHCP_DNS6" == "gateway" ]]; then
allow_dns_port allow_dns_port
fi fi