commit d1c8e7b260f7ea7385f4bc7094220704133d3d9f Author: garywill Date: Fri Aug 31 18:41:06 2018 +0800 Truncate history diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..4362b49 --- /dev/null +++ b/LICENSE @@ -0,0 +1,502 @@ + GNU LESSER GENERAL PUBLIC LICENSE + Version 2.1, February 1999 + + Copyright (C) 1991, 1999 Free Software Foundation, Inc. + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + +[This is the first released version of the Lesser GPL. It also counts + as the successor of the GNU Library Public License, version 2, hence + the version number 2.1.] + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +Licenses are intended to guarantee your freedom to share and change +free software--to make sure the software is free for all its users. + + This license, the Lesser General Public License, applies to some +specially designated software packages--typically libraries--of the +Free Software Foundation and other authors who decide to use it. You +can use it too, but we suggest you first think carefully about whether +this license or the ordinary General Public License is the better +strategy to use in any particular case, based on the explanations below. + + When we speak of free software, we are referring to freedom of use, +not price. Our General Public Licenses are designed to make sure that +you have the freedom to distribute copies of free software (and charge +for this service if you wish); that you receive source code or can get +it if you want it; that you can change the software and use pieces of +it in new free programs; and that you are informed that you can do +these things. + + To protect your rights, we need to make restrictions that forbid +distributors to deny you these rights or to ask you to surrender these +rights. These restrictions translate to certain responsibilities for +you if you distribute copies of the library or if you modify it. + + For example, if you distribute copies of the library, whether gratis +or for a fee, you must give the recipients all the rights that we gave +you. You must make sure that they, too, receive or can get the source +code. If you link other code with the library, you must provide +complete object files to the recipients, so that they can relink them +with the library after making changes to the library and recompiling +it. And you must show them these terms so they know their rights. + + We protect your rights with a two-step method: (1) we copyright the +library, and (2) we offer you this license, which gives you legal +permission to copy, distribute and/or modify the library. + + To protect each distributor, we want to make it very clear that +there is no warranty for the free library. Also, if the library is +modified by someone else and passed on, the recipients should know +that what they have is not the original version, so that the original +author's reputation will not be affected by problems that might be +introduced by others. + + Finally, software patents pose a constant threat to the existence of +any free program. We wish to make sure that a company cannot +effectively restrict the users of a free program by obtaining a +restrictive license from a patent holder. Therefore, we insist that +any patent license obtained for a version of the library must be +consistent with the full freedom of use specified in this license. + + Most GNU software, including some libraries, is covered by the +ordinary GNU General Public License. This license, the GNU Lesser +General Public License, applies to certain designated libraries, and +is quite different from the ordinary General Public License. We use +this license for certain libraries in order to permit linking those +libraries into non-free programs. + + When a program is linked with a library, whether statically or using +a shared library, the combination of the two is legally speaking a +combined work, a derivative of the original library. The ordinary +General Public License therefore permits such linking only if the +entire combination fits its criteria of freedom. The Lesser General +Public License permits more lax criteria for linking other code with +the library. + + We call this license the "Lesser" General Public License because it +does Less to protect the user's freedom than the ordinary General +Public License. It also provides other free software developers Less +of an advantage over competing non-free programs. These disadvantages +are the reason we use the ordinary General Public License for many +libraries. However, the Lesser license provides advantages in certain +special circumstances. + + For example, on rare occasions, there may be a special need to +encourage the widest possible use of a certain library, so that it becomes +a de-facto standard. To achieve this, non-free programs must be +allowed to use the library. A more frequent case is that a free +library does the same job as widely used non-free libraries. In this +case, there is little to gain by limiting the free library to free +software only, so we use the Lesser General Public License. + + In other cases, permission to use a particular library in non-free +programs enables a greater number of people to use a large body of +free software. For example, permission to use the GNU C Library in +non-free programs enables many more people to use the whole GNU +operating system, as well as its variant, the GNU/Linux operating +system. + + Although the Lesser General Public License is Less protective of the +users' freedom, it does ensure that the user of a program that is +linked with the Library has the freedom and the wherewithal to run +that program using a modified version of the Library. + + The precise terms and conditions for copying, distribution and +modification follow. Pay close attention to the difference between a +"work based on the library" and a "work that uses the library". The +former contains code derived from the library, whereas the latter must +be combined with the library in order to run. + + GNU LESSER GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License Agreement applies to any software library or other +program which contains a notice placed by the copyright holder or +other authorized party saying it may be distributed under the terms of +this Lesser General Public License (also called "this License"). +Each licensee is addressed as "you". + + A "library" means a collection of software functions and/or data +prepared so as to be conveniently linked with application programs +(which use some of those functions and data) to form executables. + + The "Library", below, refers to any such software library or work +which has been distributed under these terms. A "work based on the +Library" means either the Library or any derivative work under +copyright law: that is to say, a work containing the Library or a +portion of it, either verbatim or with modifications and/or translated +straightforwardly into another language. (Hereinafter, translation is +included without limitation in the term "modification".) + + "Source code" for a work means the preferred form of the work for +making modifications to it. For a library, complete source code means +all the source code for all modules it contains, plus any associated +interface definition files, plus the scripts used to control compilation +and installation of the library. + + Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running a program using the Library is not restricted, and output from +such a program is covered only if its contents constitute a work based +on the Library (independent of the use of the Library in a tool for +writing it). Whether that is true depends on what the Library does +and what the program that uses the Library does. + + 1. You may copy and distribute verbatim copies of the Library's +complete source code as you receive it, in any medium, provided that +you conspicuously and appropriately publish on each copy an +appropriate copyright notice and disclaimer of warranty; keep intact +all the notices that refer to this License and to the absence of any +warranty; and distribute a copy of this License along with the +Library. + + You may charge a fee for the physical act of transferring a copy, +and you may at your option offer warranty protection in exchange for a +fee. + + 2. You may modify your copy or copies of the Library or any portion +of it, thus forming a work based on the Library, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) The modified work must itself be a software library. + + b) You must cause the files modified to carry prominent notices + stating that you changed the files and the date of any change. + + c) You must cause the whole of the work to be licensed at no + charge to all third parties under the terms of this License. + + d) If a facility in the modified Library refers to a function or a + table of data to be supplied by an application program that uses + the facility, other than as an argument passed when the facility + is invoked, then you must make a good faith effort to ensure that, + in the event an application does not supply such function or + table, the facility still operates, and performs whatever part of + its purpose remains meaningful. + + (For example, a function in a library to compute square roots has + a purpose that is entirely well-defined independent of the + application. Therefore, Subsection 2d requires that any + application-supplied function or table used by this function must + be optional: if the application does not supply it, the square + root function must still compute square roots.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Library, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Library, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote +it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Library. + +In addition, mere aggregation of another work not based on the Library +with the Library (or with a work based on the Library) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may opt to apply the terms of the ordinary GNU General Public +License instead of this License to a given copy of the Library. To do +this, you must alter all the notices that refer to this License, so +that they refer to the ordinary GNU General Public License, version 2, +instead of to this License. (If a newer version than version 2 of the +ordinary GNU General Public License has appeared, then you can specify +that version instead if you wish.) Do not make any other change in +these notices. + + Once this change is made in a given copy, it is irreversible for +that copy, so the ordinary GNU General Public License applies to all +subsequent copies and derivative works made from that copy. + + This option is useful when you wish to copy part of the code of +the Library into a program that is not a library. + + 4. You may copy and distribute the Library (or a portion or +derivative of it, under Section 2) in object code or executable form +under the terms of Sections 1 and 2 above provided that you accompany +it with the complete corresponding machine-readable source code, which +must be distributed under the terms of Sections 1 and 2 above on a +medium customarily used for software interchange. + + If distribution of object code is made by offering access to copy +from a designated place, then offering equivalent access to copy the +source code from the same place satisfies the requirement to +distribute the source code, even though third parties are not +compelled to copy the source along with the object code. + + 5. A program that contains no derivative of any portion of the +Library, but is designed to work with the Library by being compiled or +linked with it, is called a "work that uses the Library". Such a +work, in isolation, is not a derivative work of the Library, and +therefore falls outside the scope of this License. + + However, linking a "work that uses the Library" with the Library +creates an executable that is a derivative of the Library (because it +contains portions of the Library), rather than a "work that uses the +library". The executable is therefore covered by this License. +Section 6 states terms for distribution of such executables. + + When a "work that uses the Library" uses material from a header file +that is part of the Library, the object code for the work may be a +derivative work of the Library even though the source code is not. +Whether this is true is especially significant if the work can be +linked without the Library, or if the work is itself a library. The +threshold for this to be true is not precisely defined by law. + + If such an object file uses only numerical parameters, data +structure layouts and accessors, and small macros and small inline +functions (ten lines or less in length), then the use of the object +file is unrestricted, regardless of whether it is legally a derivative +work. (Executables containing this object code plus portions of the +Library will still fall under Section 6.) + + Otherwise, if the work is a derivative of the Library, you may +distribute the object code for the work under the terms of Section 6. +Any executables containing that work also fall under Section 6, +whether or not they are linked directly with the Library itself. + + 6. As an exception to the Sections above, you may also combine or +link a "work that uses the Library" with the Library to produce a +work containing portions of the Library, and distribute that work +under terms of your choice, provided that the terms permit +modification of the work for the customer's own use and reverse +engineering for debugging such modifications. + + You must give prominent notice with each copy of the work that the +Library is used in it and that the Library and its use are covered by +this License. You must supply a copy of this License. If the work +during execution displays copyright notices, you must include the +copyright notice for the Library among them, as well as a reference +directing the user to the copy of this License. Also, you must do one +of these things: + + a) Accompany the work with the complete corresponding + machine-readable source code for the Library including whatever + changes were used in the work (which must be distributed under + Sections 1 and 2 above); and, if the work is an executable linked + with the Library, with the complete machine-readable "work that + uses the Library", as object code and/or source code, so that the + user can modify the Library and then relink to produce a modified + executable containing the modified Library. (It is understood + that the user who changes the contents of definitions files in the + Library will not necessarily be able to recompile the application + to use the modified definitions.) + + b) Use a suitable shared library mechanism for linking with the + Library. A suitable mechanism is one that (1) uses at run time a + copy of the library already present on the user's computer system, + rather than copying library functions into the executable, and (2) + will operate properly with a modified version of the library, if + the user installs one, as long as the modified version is + interface-compatible with the version that the work was made with. + + c) Accompany the work with a written offer, valid for at + least three years, to give the same user the materials + specified in Subsection 6a, above, for a charge no more + than the cost of performing this distribution. + + d) If distribution of the work is made by offering access to copy + from a designated place, offer equivalent access to copy the above + specified materials from the same place. + + e) Verify that the user has already received a copy of these + materials or that you have already sent this user a copy. + + For an executable, the required form of the "work that uses the +Library" must include any data and utility programs needed for +reproducing the executable from it. However, as a special exception, +the materials to be distributed need not include anything that is +normally distributed (in either source or binary form) with the major +components (compiler, kernel, and so on) of the operating system on +which the executable runs, unless that component itself accompanies +the executable. + + It may happen that this requirement contradicts the license +restrictions of other proprietary libraries that do not normally +accompany the operating system. Such a contradiction means you cannot +use both them and the Library together in an executable that you +distribute. + + 7. You may place library facilities that are a work based on the +Library side-by-side in a single library together with other library +facilities not covered by this License, and distribute such a combined +library, provided that the separate distribution of the work based on +the Library and of the other library facilities is otherwise +permitted, and provided that you do these two things: + + a) Accompany the combined library with a copy of the same work + based on the Library, uncombined with any other library + facilities. This must be distributed under the terms of the + Sections above. + + b) Give prominent notice with the combined library of the fact + that part of it is a work based on the Library, and explaining + where to find the accompanying uncombined form of the same work. + + 8. You may not copy, modify, sublicense, link with, or distribute +the Library except as expressly provided under this License. Any +attempt otherwise to copy, modify, sublicense, link with, or +distribute the Library is void, and will automatically terminate your +rights under this License. However, parties who have received copies, +or rights, from you under this License will not have their licenses +terminated so long as such parties remain in full compliance. + + 9. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Library or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Library (or any work based on the +Library), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Library or works based on it. + + 10. Each time you redistribute the Library (or any work based on the +Library), the recipient automatically receives a license from the +original licensor to copy, distribute, link with or modify the Library +subject to these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties with +this License. + + 11. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Library at all. For example, if a patent +license would not permit royalty-free redistribution of the Library by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Library. + +If any portion of this section is held invalid or unenforceable under any +particular circumstance, the balance of the section is intended to apply, +and the section as a whole is intended to apply in other circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 12. If the distribution and/or use of the Library is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Library under this License may add +an explicit geographical distribution limitation excluding those countries, +so that distribution is permitted only in or among countries not thus +excluded. In such case, this License incorporates the limitation as if +written in the body of this License. + + 13. The Free Software Foundation may publish revised and/or new +versions of the Lesser General Public License from time to time. +Such new versions will be similar in spirit to the present version, +but may differ in detail to address new problems or concerns. + +Each version is given a distinguishing version number. If the Library +specifies a version number of this License which applies to it and +"any later version", you have the option of following the terms and +conditions either of that version or of any later version published by +the Free Software Foundation. If the Library does not specify a +license version number, you may choose any version ever published by +the Free Software Foundation. + + 14. If you wish to incorporate parts of the Library into other free +programs whose distribution conditions are incompatible with these, +write to the author to ask for permission. For software which is +copyrighted by the Free Software Foundation, write to the Free +Software Foundation; we sometimes make exceptions for this. Our +decision will be guided by the two goals of preserving the free status +of all derivatives of our free software and of promoting the sharing +and reuse of software generally. + + NO WARRANTY + + 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO +WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. +EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR +OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY +KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE +LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME +THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN +WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY +AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU +FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR +CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE +LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING +RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A +FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF +SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH +DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Libraries + + If you develop a new library, and you want it to be of the greatest +possible use to the public, we recommend making it free software that +everyone can redistribute and change. You can do so by permitting +redistribution under these terms (or, alternatively, under the terms of the +ordinary General Public License). + + To apply these terms, attach the following notices to the library. It is +safest to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least the +"copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + +Also add information on how to contact you by electronic and paper mail. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the library, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the + library `Frob' (a library for tweaking knobs) written by James Random Hacker. + + , 1 April 1990 + Ty Coon, President of Vice + +That's all there is to it! diff --git a/NOTICE b/NOTICE new file mode 100644 index 0000000..f98a325 --- /dev/null +++ b/NOTICE @@ -0,0 +1,42 @@ +Copyright (c) 2013, oblique +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +* Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + +* Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +================================================================================ + +linux-router +Copyright (C) 2018 garywill + +This library is free software; you can redistribute it and/or +modify it under the terms of the GNU Lesser General Public +License as published by the Free Software Foundation; either +version 2.1 of the License, or (at your option) any later version. + +This library is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +Lesser General Public License for more details. + +You should have received a copy of the GNU Lesser General Public +License along with this library; if not, write to the Free Software +Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA diff --git a/README.md b/README.md new file mode 100644 index 0000000..46ef0f6 --- /dev/null +++ b/README.md @@ -0,0 +1,319 @@ +# Linux-router + +Set Linux as router in one command. Able to Provide Internet, or create Wifi hotspot. Support transparent proxy (redsocks). Also useful for routing VM/containers. + +It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c`. + +[Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) + +## Features + +Basic features: + +- Create a NATed sub-network +- Provide Internet +- DHCP server and RA +- DNS server +- IPv6 (NAT only for now) +- Creating Wifi hotspot: + - Channel selecting + - Choose encryptions: WPA2/WPA, WPA2, WPA, No encryption + - Hidden SSID + - Create AP on the same interface you are getting Internet (require same channel) +- Transparent proxy (redsocks) +- DNS proxy +- Compatible with NetworkManager (automatically set interface as unmanaged) + +**For many other features, see below [CLI usage](#cli-usage-and-other-features)** + +### Useful in these situations + +``` +Internet----(eth0/wlan0)-Linux-(wlanX)AP + |--client + |--client +``` + +``` + Internet +Wifi AP(no DHCP) | + |----(wlan1)-Linux-(eth0/wlan0)------ + | (DHCP) + |--client + |--client +``` + +``` + Internet + Switch | + |---(eth1)-Linux-(eth0/wlan0)-------- + |--client + |--client +``` + +``` +Internet----(eth0/wlan0)-Linux-(eth1)------Another PC +``` + +``` +Internet----(eth0/wlan0)-Linux-(virtual interface)-----VM/container +``` + +## Usage + +### Provide Internet to an interface + +``` +# lnxrouter -i eth1 +``` + +### Provide an interface's Internet to another interface + +``` +# lnxrouter -i eth1 -o vpn0 --dhcp-dns 1.1.1.1 +``` + +### Create Wifi hotspot + +``` +# lnxrouter --ap wlan0 MyAccessPoint --password MyPassPhrase +``` + +### LAN without Internet + +``` +# lnxrouter -n -i eth1 +# lnxrouter -n --ap wlan0 MyAccessPoint --password MyPassPhrase +``` + +### Transparent proxy with Tor + +``` +# lnxrouter -i eth1 --tp 9040 --dns 9053 +``` + +In `torrc` + +``` +TransPort 0.0.0.0:9040 +DNSPort 0.0.0.0:9053 +TransPort [::]:9040 +DNSPort [::]:9053 +``` + +### Internet for LXC + +Create a bridge + +``` +# brctl addbr lxcbr5 +``` + +In LXC container `config` + +``` +lxc.network.type = veth +lxc.network.flags = up +lxc.network.link = lxcbr5 +lxc.network.hwaddr = xx:xx:xx:xx:xx:xx +``` + +``` +# lnxrouter -i lxcbr5 +``` + +### Use as transparent proxy for LXD + +Create a bridge + +``` +# brctl addbr lxdbr5 +``` + +Create and add LXD profile + +``` +$ lxc profile create profile5 +$ lxc profile edit profile5 + +### profile content ### +config: {} +description: "" +devices: + eth0: + name: eth0 + nictype: bridged + parent: lxdbr5 + type: nic +name: profile5 + +$ lxc profile add profile5 +``` + +That should make one container have 2 profiles. `profile5` will override `eth0`. + +``` +# lnxrouter -i lxdbr5 --tp 9040 --dns 9053 +``` + +To remove that new profile from container + +``` +$ lxc profile remove profile5 +``` + +#### To not use profile + +Add device `eth0` to container overriding default `eth0` + +``` +$ lxc config device add eth0 nic name=eth0 nictype=bridged parent=lxdbr5 +``` + +To remove the customized `eth0` to restore default `eth0` + +``` +$ lxc config device remove eth0 +``` + +### Use as transparent proxy for VirtualBox + +On VirtualBox's global settings, create a host-only network `vboxnet5` with DHCP disabled. + +``` +# lnxrouter -i vboxnet5 --tp 9040 --dns 9053 +``` + +### Use as transparent proxy for firejail + +Create a bridge + +``` +# brctl addbr firejail5 +``` + +``` +# lnxrouter -i firejail5 -g 192.168.55.1 --tp 9040 --dns 9053 +$ firejail --net=firejail5 --dns=192.168.55.1 +``` + +### CLI usage and other features + +``` +Usage: lnxrouter + +Options: + -h, --help Show this help + --version Print version number + + -i Interface to make NATed sub-network, + and to provide Internet to + (To create Wifi hotspot use '--ap' instead) + -o Specify an inteface to provide Internet from. + (Note using this with default DNS option may leak + queries to other interfaces) + -n Do not provide Internet + + -g Set this host's IPv4 address, netmask is 24 + -6 Enable IPv6 (NAT) + --p6 Set IPv6 prefix (length 64) (example: fd00:1:2:3::) + + --dns || + DNS server's upstream DNS. + Use ',' to seperate multiple servers + (default: use /etc/resolve.conf) + (Note IPv6 addresses need '[]' around) + --no-dns Do not serve DNS + --no-dnsmasq Disable dnsmasq server (DHCP, DNS, RA) + --catch-dns Transparent DNS proxy, redirect packets(TCP/UDP) + that destination port is 53 to this host + --log-dns Show DNS query log + --dhcp-dns |no + Set IPv4 DNS offered by DHCP (default: this host) + --dhcp-dns6 |no + Set IPv6 DNS offered by DHCP (RA) + (default: this host) + (Note IPv6 addresses need '[]' around) + --hostname DNS server associate this name with this host. + Use '-' to read name from /etc/hostname + -d DNS server will take into account /etc/hosts + -e DNS server will take into account additional + hosts file + + --mac Set MAC address + + --tp Transparent proxy, + redirect non-LAN TCP and UDP traffic to port. + Usually used with '--dns' + + Wifi hotspot options: + --ap + Create Wifi access point + --password Wifi password + + --hidden Hide access point (not broadcast SSID) + --no-virt Do not create virtual interface + Using this you can't use same wlan interface + for both Internet and AP + -c Channel number (default: 1) + --country Set two-letter country code for regularity + (example: US) + --freq-band Set frequency band: 2.4 or 5 (default: 2.4) + --driver Choose your WiFi adapter driver (default: nl80211) + -w Use 1 for WPA, use 2 for WPA2, use 1+2 for both + (default: 1+2) + --psk Use 64 hex digits pre-shared-key instead of + passphrase + --mac-filter Enable Wifi hotspot MAC address filtering + --mac-filter-accept Location of Wifi hotspot MAC address filter list + (defaults to /etc/hostapd/hostapd.accept) + --hostapd-debug 1 or 2. Passes -d or -dd to hostapd + --isolate-clients Disable wifi communication between clients + + --ieee80211n Enable IEEE 802.11n (HT) + --ieee80211ac Enable IEEE 802.11ac (VHT) + --ht_capab HT capabilities (default: [HT40+]) + --vht_capab VHT capabilities + + --no-haveged Do not run haveged automatically when needed + + Instance managing: + --daemon Run in background + --list-running Show running instances + --list-clients List clients of an instance + --stop Stop a running instance + For you can use PID or subnet interface name. + You can get them with '--list-running' +``` + +> These changes to system will not be restored by script's cleanup: +> 1. `/proc/sys/net/ipv4/ip_forward = 1` and `/proc/sys/net/ipv6/conf/all/forwarding = 1`, needed by NAT Internet sharing. +> 2. dnsmasq in Apparmor complain mode + +## Dependencies + +- bash +- procps or procps-ng +- iproute2 +- dnsmasq +- iptables + +Wifi hotspot: + +- hostapd +- iw +- iwconfig (you only need this if 'iw' can not recognize your adapter) +- haveged (optional) + +## TODO + +- Option to ban private network access +- Option to randomize MAC + +## Donate + +[Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) + +## Thanks + +Many thanks to project [create_ap](https://github.com/oblique/create_ap). diff --git a/lnxrouter b/lnxrouter new file mode 100755 index 0000000..7556ffe --- /dev/null +++ b/lnxrouter @@ -0,0 +1,1660 @@ +#!/bin/bash + +VERSION=0.5.4 +PROGNAME="$(basename $0)" + +export LC_ALL=C + +SCRIPT_UMASK=0122 +umask $SCRIPT_UMASK + +usage() { + cat << EOF +linux-router $VERSION (https://github.com/garywill/linux-router) + +Usage: $PROGNAME + +Options: + -h, --help Show this help + --version Print version number + + -i Interface to make NATed sub-network, + and to provide Internet to + (To create Wifi hotspot use '--ap' instead) + -o Specify an inteface to provide Internet from. + (Note using this with default DNS option may leak + queries to other interfaces) + -n Do not provide Internet + + -g Set this host's IPv4 address, netmask is 24 + -6 Enable IPv6 (NAT) + --p6 Set IPv6 prefix (length 64) (example: fd00:1:2:3::) + + --dns || + DNS server's upstream DNS. + Use ',' to seperate multiple servers + (default: use /etc/resolve.conf) + (Note IPv6 addresses need '[]' around) + --no-dns Do not serve DNS + --no-dnsmasq Disable dnsmasq server (DHCP, DNS, RA) + --catch-dns Transparent DNS proxy, redirect packets(TCP/UDP) + that destination port is 53 to this host + --log-dns Show DNS query log + --dhcp-dns |no + Set IPv4 DNS offered by DHCP (default: this host) + --dhcp-dns6 |no + Set IPv6 DNS offered by DHCP (RA) + (default: this host) + (Note IPv6 addresses need '[]' around) + --hostname DNS server associate this name with this host. + Use '-' to read name from /etc/hostname + -d DNS server will take into account /etc/hosts + -e DNS server will take into account additional + hosts file + + --mac Set MAC address + + --tp Transparent proxy, + redirect non-LAN TCP and UDP traffic to port. + Usually used with '--dns' + + Wifi hotspot options: + --ap + Create Wifi access point + --password Wifi password + + --hidden Hide access point (not broadcast SSID) + --no-virt Do not create virtual interface + Using this you can't use same wlan interface + for both Internet and AP + -c Channel number (default: 1) + --country Set two-letter country code for regularity + (example: US) + --freq-band Set frequency band: 2.4 or 5 (default: 2.4) + --driver Choose your WiFi adapter driver (default: nl80211) + -w Use 1 for WPA, use 2 for WPA2, use 1+2 for both + (default: 1+2) + --psk Use 64 hex digits pre-shared-key instead of + passphrase + --mac-filter Enable Wifi hotspot MAC address filtering + --mac-filter-accept Location of Wifi hotspot MAC address filter list + (defaults to /etc/hostapd/hostapd.accept) + --hostapd-debug 1 or 2. Passes -d or -dd to hostapd + --isolate-clients Disable wifi communication between clients + + --ieee80211n Enable IEEE 802.11n (HT) + --ieee80211ac Enable IEEE 802.11ac (VHT) + --ht_capab HT capabilities (default: [HT40+]) + --vht_capab VHT capabilities + + --no-haveged Do not run haveged automatically when needed + + Instance managing: + --daemon Run in background + --list-running Show running instances + --list-clients List clients of an instance + --stop Stop a running instance + For you can use PID or subnet interface name. + You can get them with '--list-running' + +Examples: + $PROGNAME -i eth1 + $PROGNAME --ap wlan0 MyAccessPoint + $PROGNAME --ap wlan0 MyAccessPoint --password MyPassPhrase + $PROGNAME -n --ap wlan0 MyAccessPoint --password MyPassPhrase + $PROGNAME -i eth1 --tp --dns +EOF +} + +if [[ "$1" == "" ]]; then + usage + exit 0 +fi + +GATEWAY= +PREFIX6= +IID6=1 +IPV6=0 +ROUTE_ADDRS= +DHCP_DNS=gateway +DHCP_DNS6=gateway +dnsmasq_NO_DNS=0 +NO_DNSMASQ=0 +CATCH_DNS=0 +SHOW_DNS_QUERY=0 +ETC_HOSTS=0 +ADDN_HOSTS= +SUBNET_IFACE= +CONN_IFACE= +INTERNET_IFACE= +THISHOSTNAME= + +SHARE_METHOD=nat +TP_PORT= +DNS= + +NEW_MACADDR= +OLD_MACADDR= +DAEMONIZE=0 + +HIDDEN=0 +WIFI_IFACE= +VWIFI_IFACE= +AP_IFACE= +CHANNEL=default +WPA_VERSION=1+2 +MAC_FILTER=0 +MAC_FILTER_ACCEPT=/etc/hostapd/hostapd.accept +IEEE80211N=0 +IEEE80211AC=0 +HT_CAPAB='[HT40+]' +VHT_CAPAB= +DRIVER=nl80211 +NO_VIRT=0 +COUNTRY= +FREQ_BAND=2.4 +NO_HAVEGED=0 +HOSTAPD_DEBUG_ARGS= +USE_PSK=0 +ISOLATE_CLIENTS=0 + +LIST_RUNNING=0 +STOP_ID= +LIST_CLIENTS_ID= +CONFDIR= + +ARGS=( "$@" ) + +while [[ -n "$1" ]]; do + case "$1" in + -h|--help) + usage + exit 0 + ;; + --version) + echo $VERSION + exit 0 + ;; + -i) + shift + CONN_IFACE="$1" + shift + ;; + -o) + shift + INTERNET_IFACE="$1" + shift + ;; + -n) + shift + SHARE_METHOD=none + ;; + --tp) + shift + TP_PORT="$1" + shift + ;; + + + -g) + shift + GATEWAY="$1" + shift + ;; + -6) + shift + IPV6=1 + ;; + --p6) + shift + PREFIX6="$1" + shift + ;; + --mac) + shift + NEW_MACADDR="$1" + shift + ;; + + --dns) + shift + DNS="$1" + shift + ;; + --no-dns) + shift + dnsmasq_NO_DNS=1 + ;; + --no-dnsmasq) + shift + NO_DNSMASQ=1 + ;; + --dhcp-dns) + shift + DHCP_DNS="$1" + shift + ;; + --dhcp-dns6) + shift + DHCP_DNS6="$1" + shift + ;; + --catch-dns) + shift + CATCH_DNS=1 + ;; + --log-dns) + shift + SHOW_DNS_QUERY=1 + ;; + --hostname) + shift + THISHOSTNAME="$1" + shift + ;; + -d) + shift + ETC_HOSTS=1 + ;; + -e) + shift + ADDN_HOSTS="$1" + shift + ;; + + --isolate-clients) + shift + ISOLATE_CLIENTS=1 + ;; + + --ap) + shift + WIFI_IFACE="$1" + shift + SSID="$1" + shift + ;; + --password) + shift + PASSPHRASE="$1" + shift + ;; + + + --hidden) + shift + HIDDEN=1 + ;; + --mac-filter) + shift + MAC_FILTER=1 + ;; + --mac-filter-accept) + shift + MAC_FILTER_ACCEPT="$1" + shift + ;; + + -c) + shift + CHANNEL="$1" + shift + ;; + -w) + shift + WPA_VERSION="$1" + [[ "$WPA_VERSION" == "2+1" ]] && WPA_VERSION=1+2 + shift + ;; + + + + --ieee80211n) + shift + IEEE80211N=1 + ;; + --ieee80211ac) + shift + IEEE80211AC=1 + ;; + --ht_capab) + shift + HT_CAPAB="$1" + shift + ;; + --vht_capab) + shift + VHT_CAPAB="$1" + shift + ;; + --driver) + shift + DRIVER="$1" + shift + ;; + --no-virt) + shift + NO_VIRT=1 + ;; + + --country) + shift + COUNTRY="$1" + shift + ;; + --freq-band) + shift + FREQ_BAND="$1" + shift + ;; + --no-haveged) + shift + NO_HAVEGED=1 + ;; + --hostapd-debug) + shift + if [ "x$1" = "x1" ]; then + HOSTAPD_DEBUG_ARGS="-d" + elif [ "x$1" = "x2" ]; then + HOSTAPD_DEBUG_ARGS="-dd" + else + printf "Error: argument for --hostapd-debug expected 1 or 2, got %s\n" "$1" + exit 1 + fi + shift + ;; + --psk) + shift + USE_PSK=1 + ;; + + --daemon) + shift + DAEMONIZE=1 + ;; + --stop) + shift + STOP_ID="$1" + shift + ;; + --list-running) + shift + LIST_RUNNING=1 + ;; + --list-clients) + shift + LIST_CLIENTS_ID="$1" + shift + ;; + + + + *) + echo "Invalid parameter: $1" 1>&2 + exit 1 + ;; + esac +done + +sep_ip_port() { + local IP + local PORT + local INPUT + INPUT="$1" + if (echo $INPUT | grep '\.' >/dev/null 2>&1) ;then + if (echo $INPUT | grep ':' >/dev/null 2>&1) ;then + # ipv4 + port + IP="$(echo $INPUT | cut -d: -f1)" + PORT="$(echo $INPUT | cut -d: -f2)" + else + # ipv4 + IP="$INPUT" + fi + elif (echo $INPUT | grep '\]' >/dev/null 2>&1) ;then + if (echo $INPUT | grep '\]\:' >/dev/null 2>&1) ;then + # ipv6 + port + IP="$(echo $INPUT | cut -d']' -f1 | cut -d'[' -f2)" + PORT="$(echo $INPUT | cut -d']' -f2 |cut -d: -f2)" + else + # ipv6 + IP="$(echo $INPUT | cut -d']' -f1 | cut -d'[' -f2)" + fi + else + # port + IP='127.0.0.1' + PORT="$INPUT" + fi + printf -v "$2" %s "$IP" + printf -v "$3" %s "$PORT" +} + +USE_IWCONFIG=0 + +is_interface() { + [[ -z "$1" ]] && return 1 + [[ -d "/sys/class/net/${1}" ]] +} + +get_phy_device() { # only for wifi interface + local x + for x in /sys/class/ieee80211/*; do + [[ ! -e "$x" ]] && continue + if [[ "${x##*/}" = "$1" ]]; then + echo $1 + return 0 + elif [[ -e "$x/device/net/$1" ]]; then + echo ${x##*/} + return 0 + elif [[ -e "$x/device/net:$1" ]]; then + echo ${x##*/} + return 0 + fi + done + echo "Failed to get phy interface" >&2 + return 1 +} + +get_adapter_info() { # only for wifi interface + local PHY + PHY=$(get_phy_device "$1") + [[ $? -ne 0 ]] && return 1 + iw phy $PHY info +} + +get_adapter_kernel_module() { + local MODULE + MODULE=$(readlink -f "/sys/class/net/$1/device/driver/module") + echo ${MODULE##*/} +} + +can_be_sta_and_ap() { + # iwconfig does not provide this information, assume false + [[ $USE_IWCONFIG -eq 1 ]] && return 1 + if [[ "$(get_adapter_kernel_module "$1")" == "brcmfmac" ]]; then + echo "WARN: brmfmac driver doesn't work properly with virtual interfaces and" >&2 + echo " it can cause kernel panic. For this reason we disallow virtual" >&2 + echo " interfaces for your adapter." >&2 + echo " For more info: https://github.com/oblique/create_ap/issues/203" >&2 + return 1 + fi + get_adapter_info "$1" | grep -E '{.* managed.* AP.*}' > /dev/null 2>&1 && return 0 + get_adapter_info "$1" | grep -E '{.* AP.* managed.*}' > /dev/null 2>&1 && return 0 + return 1 +} + +can_be_ap() { + # iwconfig does not provide this information, assume true + [[ $USE_IWCONFIG -eq 1 ]] && return 0 + get_adapter_info "$1" | grep -E '\* AP$' > /dev/null 2>&1 && return 0 + return 1 +} + +can_transmit_to_channel() { + local IFACE CHANNEL_NUM CHANNEL_INFO + IFACE=$1 + CHANNEL_NUM=$2 + + if [[ $USE_IWCONFIG -eq 0 ]]; then + if [[ $FREQ_BAND == 2.4 ]]; then + CHANNEL_INFO=$(get_adapter_info ${IFACE} | grep " 24[0-9][0-9] MHz \[${CHANNEL_NUM}\]") + else + CHANNEL_INFO=$(get_adapter_info ${IFACE} | grep " \(49[0-9][0-9]\|5[0-9]\{3\}\) MHz \[${CHANNEL_NUM}\]") + fi + [[ -z "${CHANNEL_INFO}" ]] && return 1 + [[ "${CHANNEL_INFO}" == *no\ IR* ]] && return 1 + [[ "${CHANNEL_INFO}" == *disabled* ]] && return 1 + return 0 + else + CHANNEL_NUM=$(printf '%02d' ${CHANNEL_NUM}) + CHANNEL_INFO=$(iwlist ${IFACE} channel | grep -E "Channel[[:blank:]]${CHANNEL_NUM}[[:blank:]]?:") + [[ -z "${CHANNEL_INFO}" ]] && return 1 + return 0 + fi +} + +# taken from iw/util.c +ieee80211_frequency_to_channel() { + local FREQ=$1 + if [[ $FREQ -eq 2484 ]]; then + echo 14 + elif [[ $FREQ -lt 2484 ]]; then + echo $(( ($FREQ - 2407) / 5 )) + elif [[ $FREQ -ge 4910 && $FREQ -le 4980 ]]; then + echo $(( ($FREQ - 4000) / 5 )) + elif [[ $FREQ -le 45000 ]]; then + echo $(( ($FREQ - 5000) / 5 )) + elif [[ $FREQ -ge 58320 && $FREQ -le 64800 ]]; then + echo $(( ($FREQ - 56160) / 2160 )) + else + echo 0 + fi +} + +is_5ghz_frequency() { + [[ $1 =~ ^(49[0-9]{2})|(5[0-9]{3})$ ]] +} + +is_wifi_connected() { + if [[ $USE_IWCONFIG -eq 0 ]]; then + iw dev "$1" link 2>&1 | grep -E '^Connected to' > /dev/null 2>&1 && return 0 + else + iwconfig "$1" 2>&1 | grep -E 'Access Point: [0-9a-fA-F]{2}:' > /dev/null 2>&1 && return 0 + fi + return 1 +} + + +is_unicast_macaddr() { + local x + x=$(echo "$1" | cut -d: -f1) + x=$(printf '%d' "0x${x}") + [[ $(expr $x % 2) -eq 0 ]] +} + +get_macaddr() { + is_interface "$1" || return + cat "/sys/class/net/${1}/address" +} + + +alloc_new_iface() { # only for wifi + local i=0 + local v_iface_name= + while :; do + v_iface_name="x$i${WIFI_IFACE}" + if ! is_interface ${v_iface_name} && [[ ! -f $COMMON_CONFDIR/ifaces/${v_iface_name} ]]; then + mkdir -p $COMMON_CONFDIR/ifaces + touch $COMMON_CONFDIR/ifaces/${v_iface_name} + echo ${v_iface_name} + return + fi + i=$((i + 1)) + done +} + +dealloc_iface() { + rm -f $COMMON_CONFDIR/ifaces/$1 +} + +#====== + +get_all_macaddrs() { + cat /sys/class/net/*/address +} + +get_new_macaddr() { + local OLDMAC NEWMAC LAST_BYTE i + OLDMAC=$(get_macaddr "$1") + LAST_BYTE=$(printf %d 0x${OLDMAC##*:}) + for i in {10..240}; do + NEWMAC="${OLDMAC%:*}:$(printf %02x $(( ($LAST_BYTE + $i) % 256 )))" + (get_all_macaddrs | grep "$NEWMAC" > /dev/null 2>&1) || break + done + echo $NEWMAC +} + +is_ip4_range_available() { + ( ip -4 address | grep "inet 192\.168\.$1\." > /dev/null 2>&1 ) && return 1 + ( ip -4 route | grep "^192\.168\.$1\." > /dev/null 2>&1 ) && return 1 + ( ip -4 route get 192.168.$1.0 | grep "\bvia\b" > /dev/null 2>&1 ) && \ + ( ip -4 route get 192.168.$1.255 | grep "\bvia\b" > /dev/null 2>&1 ) && return 0 + return 1 +} +is_ip6_range_available() { + ( ip -6 address | grep -i "inet6 fd$1:$2$3:$4$5:$6$7:" > /dev/null 2>&1 ) && return 1 + ( ip -6 route | grep -i "^fd$1:$2$3:$4$5:$6$7:" > /dev/null 2>&1 ) && return 1 + ( ip -6 route get fd$1:$2$3:$4$5:$6$7:: | grep "\bvia\b" > /dev/null 2>&1 ) && \ + ( ip -6 route get fd$1:$2$3:$4$5:$6$7:ffff:ffff:ffff:ffff | grep "\bvia\b" > /dev/null 2>&1 ) && return 0 + return 1 +} + +generate_random_ip4() { + local random_ip4 + while :; do + random_ip4=$(($RANDOM%256)) + is_ip4_range_available $random_ip4 && break + done + GATEWAY="192.168.$random_ip4.1" +} +generate_random_ip6() { + local r1 r2 r3 r4 r5 r6 r7 + while :; do + r1=$( printf "%x" $(($RANDOM%240+16)) ) + r2=$( printf "%x" $(($RANDOM%240+16)) ) + r3=$( printf "%x" $(($RANDOM%240+16)) ) + r4=$( printf "%x" $(($RANDOM%240+16)) ) + r5=$( printf "%x" $(($RANDOM%240+16)) ) + r6=$( printf "%x" $(($RANDOM%240+16)) ) + r7=$( printf "%x" $(($RANDOM%240+16)) ) + is_ip6_range_available $r1 $r2 $r3 $r4 $r5 $r6 $r7 && break + done + PREFIX6="fd$r1:$r2$r3:$r4$r5:$r6$r7::" +} + +# start haveged when needed +haveged_watchdog() { + local show_warn=1 + while :; do + if [[ $(cat /proc/sys/kernel/random/entropy_avail) -lt 1000 ]]; then + if ! which haveged > /dev/null 2>&1; then + if [[ $show_warn -eq 1 ]]; then + echo "WARN: Low entropy detected. We recommend you to install \`haveged'" 1>&2 + show_warn=0 + fi + elif ! pidof haveged > /dev/null 2>&1; then + echo "Low entropy detected, starting haveged" 1>&2 + # boost low-entropy + haveged -w 1024 -p $COMMON_CONFDIR/haveged.pid + fi + fi + sleep 2 + done +} + +#======== + + +# only support NetworkManager >= 0.9.9 +NM_RUNNING=0 +NM_UNM_LIST= +if (which nmcli >/dev/null 2>&1 ) && (nmcli -t -f RUNNING g 2>&1 | grep -E '^running$' >/dev/null 2>&1 ) ; then + NM_RUNNING=1 +fi + +nm_knows() { + (nmcli dev show $1 | grep -E "^GENERAL.STATE:" >/dev/null 2>&1 ) && return 0 # nm sees + return 1 # nm doesn't see this interface +} +nm_get_manage() { # get an interface's managed state + local s + s=$(nmcli dev show $1 | grep -E "^GENERAL.STATE:") || return 2 # no such interface + (echo $s | grep "unmanaged" >/dev/null 2>&1) && return 1 # unmanaged + return 0 # managed +} +nm_set_unmanaged() { + while ! nm_knows $1 ; do # wait for virtual wifi interface seen by NM + sleep 0.5 + done + if nm_get_manage $1 ;then + echo "Set $1 unmanaged by NetworkManager" + nmcli dev set $1 managed no || die "Failed to set $1 unmanaged by NetworkManager" + NM_UNM_LIST=$1 + sleep 1 + fi +} + +nm_set_managed() { + nmcli dev set $1 managed yes + NM_UNM_LIST= +} +nm_restore_manage() { + if [[ $NM_UNM_LIST ]]; then + echo "Restore $NM_UNM_LIST managed by NetworkManager" + nm_set_managed $NM_UNM_LIST + sleep 0.5 + fi +} + + +#========= + +iptables_() +{ + iptables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE" + return $? +} +ip6tables_() +{ + ip6tables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE" + return $? +} + +start_nat() { + if [[ $INTERNET_IFACE ]]; then + IPTABLES_NAT_OUT="-o ${INTERNET_IFACE}" + IPTABLES_NAT_IN="-i ${INTERNET_IFACE}" + MASQUERADE_NOTOUT="" + else + MASQUERADE_NOTOUT="! -o ${SUBNET_IFACE}" + fi + echo + echo "iptables: NAT " + iptables_ -v -t nat -I POSTROUTING -s ${GATEWAY%.*}.0/24 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${GATEWAY%.*}.0/24 -j MASQUERADE || die + iptables_ -v -I FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${GATEWAY%.*}.0/24 -j ACCEPT || die + iptables_ -v -I FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN -d ${GATEWAY%.*}.0/24 -j ACCEPT || die + if [[ $IPV6 -eq 1 ]]; then + ip6tables_ -v -t nat -I POSTROUTING -s ${PREFIX6}/64 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${PREFIX6}/64 -j MASQUERADE || die + ip6tables_ -v -I FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${PREFIX6}/64 -j ACCEPT || die + ip6tables_ -v -I FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN -d ${PREFIX6}/64 -j ACCEPT || die + fi +} +stop_nat() { + echo "iptables: stop NAT" + iptables_ -t nat -D POSTROUTING -s ${GATEWAY%.*}.0/24 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${GATEWAY%.*}.0/24 -j MASQUERADE + iptables_ -D FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${GATEWAY%.*}.0/24 -j ACCEPT + iptables_ -D FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN -d ${GATEWAY%.*}.0/24 -j ACCEPT + if [[ $IPV6 -eq 1 ]]; then + ip6tables_ -t nat -D POSTROUTING -s ${PREFIX6}/64 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${PREFIX6}/64 -j MASQUERADE + ip6tables_ -D FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${PREFIX6}/64 -j ACCEPT + ip6tables_ -D FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN -d ${PREFIX6}/64 -j ACCEPT + fi +} + +allow_dns_port() { + echo + echo "iptables: allow DNS port access" + iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j ACCEPT || die + iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j ACCEPT || die + if [[ $IPV6 -eq 1 ]]; then + ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j ACCEPT || die + ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j ACCEPT || die + fi +} +unallow_dns_port() { + echo "iptables: stop allowing DNS" + iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j ACCEPT + iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j ACCEPT + if [[ $IPV6 -eq 1 ]]; then + ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j ACCEPT + ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j ACCEPT + fi +} + +start_catch_dns() { + echo + echo "iptables: redirect all TCP/UDP packet that destination port is 53" + iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 || die + iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 || die + if [[ $IPV6 -eq 1 ]]; then + ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 || die + ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 || die + fi +} +stop_catch_dns() { + echo "iptables: stop redirecting DNS queries" + iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 + iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 + if [[ $IPV6 -eq 1 ]]; then + ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 + ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 + fi +} + +start_dhcp() { + echo + echo "iptables: allow DHCP port access" + iptables_ -v -I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 67 -j ACCEPT || die + if [[ $IPV6 -eq 1 ]]; then + ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 547 -j ACCEPT || die + fi +} +stop_dhcp() { + echo "iptables: stop dhcp" + iptables_ -D INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 67 -j ACCEPT + if [[ $IPV6 -eq 1 ]]; then + ip6tables_ -D INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 547 -j ACCEPT + fi +} + +start_redsocks() { + echo + echo "iptables: transparent proxy non-LAN TCP/UDP traffic to port ${TP_PORT}" + iptables_ -t nat -N REDSOCKS-${SUBNET_IFACE} || die + iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 0.0.0.0/8 -j RETURN || die + iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 10.0.0.0/8 -j RETURN || die + iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 100.64.0.0/10 -j RETURN || die + iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 127.0.0.0/8 -j RETURN || die + iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 169.254.0.0/16 -j RETURN || die + iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 172.16.0.0/12 -j RETURN || die + iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 192.168.0.0/16 -j RETURN || die + iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 224.0.0.0/4 -j RETURN || die + iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 255.255.255.255 -j RETURN || die + + iptables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p tcp -j REDIRECT --to-ports ${TP_PORT} || die + iptables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p udp -j REDIRECT --to-ports ${TP_PORT} || die + + iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -j REDSOCKS-${SUBNET_IFACE} || die + + iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT || die + iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p udp -m udp --dport ${TP_PORT} -j ACCEPT || die + + if [[ $IPV6 -eq 1 ]]; then + ip6tables_ -t nat -N REDSOCKS-${SUBNET_IFACE} || die + ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d fc00::/7 -j RETURN || die + ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d fe80::/10 -j RETURN || die + ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d ff00::/8 -j RETURN || die + ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d ::1 -j RETURN || die + ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d :: -j RETURN || die + + ip6tables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p tcp -j REDIRECT --to-ports ${TP_PORT} || die + ip6tables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p udp -j REDIRECT --to-ports ${TP_PORT} || die + + ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -j REDSOCKS-${SUBNET_IFACE} || die + + ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT || die + ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p udp -m udp --dport ${TP_PORT} -j ACCEPT || die + fi +} +stop_redsocks() { + echo "iptables: stop transparent proxy" + iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -j REDSOCKS-${SUBNET_IFACE} + iptables_ -t nat -F REDSOCKS-${SUBNET_IFACE} + iptables_ -t nat -X REDSOCKS-${SUBNET_IFACE} + + iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT + iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p udp -m udp --dport ${TP_PORT} -j ACCEPT + + if [[ $IPV6 -eq 1 ]]; then + ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -j REDSOCKS-${SUBNET_IFACE} + ip6tables_ -t nat -F REDSOCKS-${SUBNET_IFACE} + ip6tables_ -t nat -X REDSOCKS-${SUBNET_IFACE} + + ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT + ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p udp -m udp --dport ${TP_PORT} -j ACCEPT + fi +} + +kill_processes() { + #echo "Killing processes" + local x pid + for x in $CONFDIR/*.pid; do + # even if the $CONFDIR is empty, the for loop will assign + # a value in $x. so we need to check if the value is a file + if [[ -f $x ]] && sleep 0.3 && [[ -f $x ]]; then + pid=$(cat $x) + pn=$( ps -p $pid -o comm= ) + #echo "Killing $pid $pn ... " + kill $pid 2>/dev/null && ( echo "Killed $pid $pn" && rm $x ) || echo "Failed to kill $pid $pn, it may have exited" + fi + done + +} +_cleanup() { + local x + + ip addr flush ${SUBNET_IFACE} + + if [[ -d $CONFDIR/sys_6_conf_iface ]]; then + cp -f $CONFDIR/sys_6_conf_iface/* /proc/sys/net/ipv6/conf/$SUBNET_IFACE/ + fi + rm -rf $CONFDIR + + if [[ $WIFI_IFACE && $NO_VIRT -eq 0 ]]; then + ip link set down dev ${AP_IFACE} + iw dev ${VWIFI_IFACE} del + dealloc_iface $VWIFI_IFACE + else + if [[ -n "$NEW_MACADDR" ]]; then + ip link set dev ${TARGET_IFACE} address ${OLD_MACADDR} && echo "Restore ${TARGET_IFACE} to old MAC address ${OLD_MACADDR}" + fi + fi + + + if ! has_running_instance; then + echo "Exiting: This is the only running instance" + # kill common processes + for x in $COMMON_CONFDIR/*.pid; do + [[ -f $x ]] && kill -9 $(cat $x) && rm $x + done + + rm -d $COMMON_CONFDIR/ifaces + rm -d $COMMON_CONFDIR + rm -d $TMPDIR + else + echo "Exiting: This is NOT the only running instance" + fi + + nm_restore_manage +} + +clean_iptables() { + + if [[ "$SHARE_METHOD" == "nat" ]]; then + stop_nat + elif [[ "$SHARE_METHOD" == "redsocks" ]]; then + stop_redsocks + fi + + if [[ "$DHCP_DNS" == "gateway" || "$DHCP_DNS6" == "gateway" ]]; then + unallow_dns_port + fi + + [[ "$CATCH_DNS" -eq 1 ]] && stop_catch_dns + + + if [[ $NO_DNSMASQ -eq 0 ]]; then + stop_dhcp + fi +} + +cleanup() { + trap "" SIGINT SIGUSR1 SIGUSR2 EXIT SIGTERM + echo + echo + echo "Doing cleanup.. " + kill_processes + clean_iptables 2> /dev/null + _cleanup 2> /dev/null + + pgid=$(ps opgid= $$ |awk '{print $1}' ) + kill -15 -$pgid + sleep 1 + echo "Cleaning up done" + kill -9 -$pgid +} + +die() { # SIGUSR2 + echo "Error occured" + [[ -n "$1" ]] && echo -e "\nERROR: $1\n" >&2 + # send die signal to the main process + [[ $BASHPID -ne $$ ]] && kill -USR2 $$ || cleanup + exit 1 +} + +clean_exit() { # SIGUSR1 + # send clean_exit signal to the main process + [[ $BASHPID -ne $$ ]] && kill -USR1 $$ || cleanup + exit 0 +} + +#======== + +list_running_conf() { + local x + for x in $TMPDIR/lnxrouter.*; do + if [[ -f $x/pid && -f $x/subn_iface && -d /proc/$(cat $x/pid) ]]; then + echo $x + fi + done +} + +list_running() { + local IFACE subn_iface x + for x in $(list_running_conf); do + IFACE=${x#*.} + IFACE=${IFACE%%.*} + subn_iface=$(cat $x/subn_iface) + + if [[ $IFACE == $subn_iface ]]; then + echo $(cat $x/pid) $IFACE + else + echo $(cat $x/pid) $IFACE '('$(cat $x/subn_iface)')' + fi + done +} + +get_subn_iface_from_pid() { + list_running | awk '{print $1 " " $NF}' | tr -d '\(\)' | grep -E "^${1} " | cut -d' ' -f2 +} + +get_pid_from_subn_iface() { + list_running | awk '{print $1 " " $NF}' | tr -d '\(\)' | grep -E " ${1}$" | cut -d' ' -f1 +} + +get_confdir_from_pid() { + local IFACE x + for x in $(list_running_conf); do + if [[ $(cat $x/pid) == "$1" ]]; then + echo $x + break + fi + done +} + +print_client_by_mac() { + local line ipaddr hostname + local mac="$1" + + if [[ -f $CONFDIR/dnsmasq.leases ]]; then + line=$(grep " $mac " $CONFDIR/dnsmasq.leases | tail -n 1) + ipaddr=$(echo $line | cut -d' ' -f3) + hostname=$(echo $line | cut -d' ' -f4) + fi + + [[ -z "$ipaddr" ]] && ipaddr="*" + [[ -z "$hostname" ]] && hostname="*" + + printf "%-20s %-18s %s\n" "$mac" "$ipaddr" "$hostname" +} + +print_clients_in_leases() { + local line ipaddr hostname + local mac + + if [[ -f $CONFDIR/dnsmasq.leases ]]; then + while read line + do + mac=$(echo $line | cut -d' ' -f2) + ipaddr=$(echo $line | cut -d' ' -f3) + hostname=$(echo $line | cut -d' ' -f4) + + printf "%-20s %-18s %s\n" "MAC" "IP" "Hostname" + printf "%-20s %-18s %s\n" "$mac" "$ipaddr" "$hostname" + done < $CONFDIR/dnsmasq.leases + fi +} + +list_clients() { + local subn_iface pid + + # If PID is given, get the associated wifi iface + if [[ "$1" =~ ^[1-9][0-9]*$ ]]; then + pid="$1" + subn_iface=$(get_subn_iface_from_pid "$pid") + [[ -z "$subn_iface" ]] && die "'$pid' is not the pid of a running $PROGNAME instance." + fi + + [[ -z "$subn_iface" ]] && subn_iface="$1" + + [[ -z "$pid" ]] && pid=$(get_pid_from_subn_iface "$subn_iface") + [[ -z "$pid" ]] && die "'$subn_iface' is not used from $PROGNAME instance.\n\ + Maybe you need to pass the virtual interface instead.\n\ + Use --list-running to find it out." + [[ -z "$CONFDIR" ]] && CONFDIR=$(get_confdir_from_pid "$pid") + + if [[ -f $CONFDIR/hostapd.conf && $USE_IWCONFIG -eq 0 ]]; then + local awk_cmd='($1 ~ /Station$/) {print $2}' + local client_list=$(iw dev "$subn_iface" station dump | awk "$awk_cmd") + + if [[ -z "$client_list" ]]; then + echo "No clients connected" + return + fi + + printf "%-20s %-18s %s\n" "MAC" "IP" "Hostname" + + local mac + for mac in $client_list; do + print_client_by_mac $mac + done + else + echo "Listing clients via DNS lease file. non-DHCPed clients won't be showed" + print_clients_in_leases + fi +} + +has_running_instance() { + local PID x + + for x in $TMPDIR/lnxrouter.*; do + if [[ -f $x/pid ]]; then + PID=$(cat $x/pid) + if [[ -d /proc/$PID ]]; then + return 0 + fi + fi + done + + return 1 +} + +is_running_pid() { + list_running | grep -E "^${1} " > /dev/null 2>&1 +} + +send_stop() { + local x + + # send stop signal to specific pid + if is_running_pid $1; then + kill -USR1 $1 + return + fi + + # send stop signal to specific interface + for x in $(list_running | grep -E " \(?${1}( |\)?\$)" | cut -f1 -d' '); do + kill -USR1 $x + done +} + + +## ======================================================== +## ======================================================== + +if [[ -d /dev/shm ]]; then + TMPD=/dev/shm +elif [[ -d /run/shm ]]; then + TMPD=/run/shm +else + TMPD=/tmp +fi +TMPDIR=$TMPD/lnxrouter_tmp + +#====== + +if [[ $LIST_RUNNING -eq 1 ]]; then + echo -e "List of running $PROGNAME instances:\n" + list_running + exit 0 +fi + +if [[ -n "$LIST_CLIENTS_ID" ]]; then + list_clients "$LIST_CLIENTS_ID" + exit 0 +fi + +if [[ $(id -u) -ne 0 ]]; then + echo "You must run it as root." >&2 + exit 1 +fi + +if [[ -n "$STOP_ID" ]]; then + echo "Trying to kill $PROGNAME instance associated with $STOP_ID..." + send_stop "$STOP_ID" + exit 0 +fi + +#============================================= +#============================================= + +if [[ $DAEMONIZE -eq 1 && $RUNNING_AS_DAEMON -eq 0 ]]; then + echo "Running as Daemon..." + # run a detached lnxrouter + RUNNING_AS_DAEMON=1 setsid "$0" "${ARGS[@]}" & + exit 0 +fi + +if [[ $WIFI_IFACE ]]; then + + if [[ $FREQ_BAND != 2.4 && $FREQ_BAND != 5 ]]; then + echo "ERROR: Invalid frequency band" >&2 + exit 1 + fi + + if [[ $CHANNEL == default ]]; then + if [[ $FREQ_BAND == 2.4 ]]; then + CHANNEL=1 + else + CHANNEL=36 + fi + fi + + if [[ $FREQ_BAND != 5 && $CHANNEL -gt 14 ]]; then + echo "Channel number is greater than 14, assuming 5GHz frequency band" + FREQ_BAND=5 + fi + + if ! can_be_ap ${WIFI_IFACE}; then + echo "ERROR: Your adapter does not support AP (master) mode" >&2 + exit 1 + fi + + if ! can_be_sta_and_ap ${WIFI_IFACE}; then + if is_wifi_connected ${WIFI_IFACE}; then + echo "ERROR: Your adapter can not be a station (i.e. be connected) and an AP at the same time" >&2 + exit 1 + elif [[ $NO_VIRT -eq 0 ]]; then + echo "WARN: Your adapter does not fully support AP virtual interface, enabling --no-virt" >&2 + NO_VIRT=1 + fi + fi + + HOSTAPD=$(which hostapd) + + if [[ $(get_adapter_kernel_module ${WIFI_IFACE}) =~ ^(8192[cd][ue]|8723a[sue])$ ]]; then + if ! strings "$HOSTAPD" | grep -m1 rtl871xdrv > /dev/null 2>&1; then + echo "ERROR: You need to patch your hostapd with rtl871xdrv patches." >&2 + exit 1 + fi + + if [[ $DRIVER != "rtl871xdrv" ]]; then + echo "WARN: Your adapter needs rtl871xdrv, enabling --driver=rtl871xdrv" >&2 + DRIVER=rtl871xdrv + fi + fi + + if [[ ${#SSID} -lt 1 || ${#SSID} -gt 32 ]]; then + echo "ERROR: Invalid SSID length ${#SSID} (expected 1..32)" >&2 + exit 1 + fi + + if [[ $USE_PSK -eq 0 ]]; then + if [[ ${#PASSPHRASE} -gt 0 && ${#PASSPHRASE} -lt 8 ]] || [[ ${#PASSPHRASE} -gt 63 ]]; then + echo "ERROR: Invalid passphrase length ${#PASSPHRASE} (expected 8..63)" >&2 + exit 1 + fi + elif [[ ${#PASSPHRASE} -gt 0 && ${#PASSPHRASE} -ne 64 ]]; then + echo "ERROR: Invalid pre-shared-key length ${#PASSPHRASE} (expected 64)" >&2 + exit 1 + fi + + if [[ $(get_adapter_kernel_module ${WIFI_IFACE}) =~ ^rtl[0-9].*$ ]]; then + if [[ $WPA_VERSION == '1' || $WPA_VERSION == '1+2' ]]; then + echo "WARN: Realtek drivers usually have problems with WPA1, WPA2 is recommended" >&2 + fi + echo "WARN: If AP doesn't work, read https://github.com/oblique/create_ap/blob/master/howto/realtek.md" >&2 + fi + +fi + +if [[ -n "$NEW_MACADDR" ]]; then + if ! is_unicast_macaddr "$NEW_MACADDR"; then + echo "ERROR: The first byte of MAC address (${NEW_MACADDR}) must be even" >&2 + exit 1 + fi + + if [[ $(get_all_macaddrs | grep -c ${NEW_MACADDR}) -ne 0 ]]; then + echo "WARN: MAC address '${NEW_MACADDR}' already exists" >&2 + fi +fi + +# checks finished + +## ======================================================== +## ======================================================== +echo "PID: $$" + +TARGET_IFACE= # This is the existing physical interface to use +if [[ $CONN_IFACE ]]; then + TARGET_IFACE=$CONN_IFACE +elif [[ $WIFI_IFACE ]]; then + TARGET_IFACE=$WIFI_IFACE +else + echo "No target interface specified" 1>&2 + exit 1 +fi +echo "Target interface is ${TARGET_IFACE}" + + +if [[ ! -n $GATEWAY ]]; then + generate_random_ip4 + echo "Use random IPv4 address $GATEWAY" +fi +if [[ $IPV6 -eq 1 && ! -n $PREFIX6 ]]; then + generate_random_ip6 + echo "Use random IPv6 address ${PREFIX6}${IID6}" +fi +if [[ $IPV6 -eq 1 ]]; then + GATEWAY6=${PREFIX6}${IID6} +fi + +if [[ $TP_PORT ]]; then + SHARE_METHOD=redsocks +fi + +if [[ $DHCP_DNS != 'gateway' && $DHCP_DNS6 != 'gateway' ]]; then + dnsmasq_NO_DNS=1 +fi + +#================= +# begin to do some change on config files and system + +trap "cleanup" EXIT +trap "clean_exit" SIGINT SIGUSR1 SIGTERM +trap "die" SIGUSR2 + +mkdir -p $TMPDIR +chmod 755 $TMPDIR 2>/dev/null +cd $TMPDIR + +CONFDIR=$(mktemp -d $TMPDIR/lnxrouter.${TARGET_IFACE}.conf.XXX) +chmod 755 $CONFDIR +#echo "Config dir: $CONFDIR" +echo $$ > $CONFDIR/pid + + +COMMON_CONFDIR=$TMPDIR/lnxrouter_common.conf +mkdir -p $COMMON_CONFDIR + + + +if [[ $WIFI_IFACE ]]; then + + if [[ $USE_IWCONFIG -eq 0 ]]; then + iw dev ${WIFI_IFACE} set power_save off + fi + + if [[ $NO_VIRT -eq 0 ]]; then + ## Generate virtual wifi interface + + VWIFI_IFACE=$(alloc_new_iface) + + if is_wifi_connected ${WIFI_IFACE}; then + WIFI_IFACE_FREQ=$(iw dev ${WIFI_IFACE} link | grep -i freq | awk '{print $2}') + WIFI_IFACE_CHANNEL=$(ieee80211_frequency_to_channel ${WIFI_IFACE_FREQ}) + echo "${WIFI_IFACE} already in channel ${WIFI_IFACE_CHANNEL} (${WIFI_IFACE_FREQ} MHz)" + if is_5ghz_frequency $WIFI_IFACE_FREQ; then + FREQ_BAND=5 + else + FREQ_BAND=2.4 + fi + if [[ $WIFI_IFACE_CHANNEL -ne $CHANNEL ]]; then + echo "Channel fallback to ${WIFI_IFACE_CHANNEL}" + CHANNEL=$WIFI_IFACE_CHANNEL + else + echo + fi + fi + + VIRTDIEMSG="Maybe your WiFi adapter does not fully support virtual interfaces. + Try again with --no-virt." + echo "Creating a virtual WiFi interface... " + + if iw dev ${WIFI_IFACE} interface add ${VWIFI_IFACE} type __ap; then + echo "${VWIFI_IFACE} created." + sleep 2 + else + VWIFI_IFACE= + die "$VIRTDIEMSG" + fi + OLD_MACADDR=$(get_macaddr ${VWIFI_IFACE}) + if [[ -z "$NEW_MACADDR" && $(get_all_macaddrs | grep -c ${OLD_MACADDR}) -ne 1 ]]; then + NEW_MACADDR=$(get_new_macaddr ${VWIFI_IFACE}) + fi + AP_IFACE=${VWIFI_IFACE} + else + OLD_MACADDR=$(get_macaddr ${WIFI_IFACE}) + AP_IFACE=${WIFI_IFACE} + fi + +fi + +if [[ $WIFI_IFACE ]]; then + SUBNET_IFACE=${AP_IFACE} +else + SUBNET_IFACE=${TARGET_IFACE} +fi + +echo $SUBNET_IFACE > $CONFDIR/subn_iface + +if [[ $WIFI_IFACE ]]; then + + if [[ -n "$COUNTRY" && $USE_IWCONFIG -eq 0 ]]; then + iw reg set "$COUNTRY" + fi + + can_transmit_to_channel ${AP_IFACE} ${CHANNEL} || die "Your adapter can not transmit to channel ${CHANNEL}, frequency band ${FREQ_BAND}GHz." + + + [[ $HIDDEN -eq 1 ]] && echo "Access Point's SSID is hidden!" + + [[ $MAC_FILTER -eq 1 ]] && echo "MAC address filtering is enabled!" + + [[ $ISOLATE_CLIENTS -eq 1 ]] && echo "Access Point's clients will be isolated!" + + # hostapd config + cat <<- EOF > $CONFDIR/hostapd.conf + beacon_int=100 + ssid=${SSID} + interface=${AP_IFACE} + driver=${DRIVER} + channel=${CHANNEL} + ctrl_interface=$CONFDIR/hostapd_ctrl + ctrl_interface_group=0 + ignore_broadcast_ssid=$HIDDEN + ap_isolate=$ISOLATE_CLIENTS + EOF + + if [[ -n "$COUNTRY" ]]; then + cat <<- EOF >> $CONFDIR/hostapd.conf + country_code=${COUNTRY} + ieee80211d=1 + EOF + fi + + if [[ $FREQ_BAND == 2.4 ]]; then + echo "hw_mode=g" >> $CONFDIR/hostapd.conf + else + echo "hw_mode=a" >> $CONFDIR/hostapd.conf + fi + + if [[ $MAC_FILTER -eq 1 ]]; then + cat <<- EOF >> $CONFDIR/hostapd.conf + macaddr_acl=${MAC_FILTER} + accept_mac_file=${MAC_FILTER_ACCEPT} + EOF + fi + + if [[ $IEEE80211N -eq 1 ]]; then + cat <<- EOF >> $CONFDIR/hostapd.conf + ieee80211n=1 + ht_capab=${HT_CAPAB} + EOF + fi + + if [[ $IEEE80211AC -eq 1 ]]; then + echo "ieee80211ac=1" >> $CONFDIR/hostapd.conf + fi + + if [[ -n "$VHT_CAPAB" ]]; then + echo "vht_capab=${VHT_CAPAB}" >> $CONFDIR/hostapd.conf + fi + + if [[ $IEEE80211N -eq 1 ]] || [[ $IEEE80211AC -eq 1 ]]; then + echo "wmm_enabled=1" >> $CONFDIR/hostapd.conf + fi + + if [[ -n "$PASSPHRASE" ]]; then + [[ "$WPA_VERSION" == "1+2" ]] && WPA_VERSION=3 + if [[ $USE_PSK -eq 0 ]]; then + WPA_KEY_TYPE=passphrase + else + WPA_KEY_TYPE=psk + fi + cat <<- EOF >> $CONFDIR/hostapd.conf + wpa=${WPA_VERSION} + wpa_${WPA_KEY_TYPE}=${PASSPHRASE} + wpa_key_mgmt=WPA-PSK + wpa_pairwise=CCMP + rsn_pairwise=CCMP + EOF + else + echo "WARN: Wifi is not protected by password" >&2 + fi + chmod 600 $CONFDIR/hostapd.conf +fi + +#=================================================== +#=================================================== + +if [[ $NM_RUNNING -eq 1 ]] && nm_knows $TARGET_IFACE ; then + nm_set_unmanaged ${SUBNET_IFACE} +fi + +if [[ $NO_DNSMASQ -eq 0 ]]; then + cat <<- EOF > $CONFDIR/dnsmasq.conf + user=nobody + group=nobody + bind-dynamic + listen-address=${GATEWAY} + interface=$SUBNET_IFACE + except-interface=lo + no-dhcp-interface=lo + dhcp-range=${GATEWAY%.*}.10,${GATEWAY%.*}.250,255.255.255.0 + dhcp-option-force=option:router,${GATEWAY} + #log-dhcp + log-facility=/dev/null + bogus-priv + domain-needed + EOF + # 'log-dhcp' show too much logs. Using '-d' in dnsmasq command shows a proper dhcp log + # if use '-d', 'log-facility' should = /dev/null + if [[ $SHARE_METHOD == "none" ]]; then + echo "no-resolv" >> $CONFDIR/dnsmasq.conf + echo "no-poll" >> $CONFDIR/dnsmasq.conf + fi + if [[ "$DHCP_DNS" != "no" ]]; then + if [[ "$DHCP_DNS" == "gateway" ]]; then + dns_offer="$GATEWAY" + else + dns_offer="$DHCP_DNS" + fi + echo "dhcp-option-force=option:dns-server,${dns_offer}" >> $CONFDIR/dnsmasq.conf + fi + + if [[ ! "$dnsmasq_NO_DNS" -eq 0 ]]; then + echo "port=0" >> $CONFDIR/dnsmasq.conf + fi + + [[ -n "$MTU" ]] && echo "dhcp-option-force=option:mtu,${MTU}" >> $CONFDIR/dnsmasq.conf + [[ $ETC_HOSTS -eq 0 ]] && echo no-hosts >> $CONFDIR/dnsmasq.conf + [[ -n "$ADDN_HOSTS" ]] && echo "addn-hosts=${ADDN_HOSTS}" >> $CONFDIR/dnsmasq.conf + if [[ "$THISHOSTNAME" ]]; then + [[ "$THISHOSTNAME" == "-" ]] && THISHOSTNAME="$(cat /etc/hostname)" + echo "interface-name=$THISHOSTNAME,$SUBNET_IFACE" >> $CONFDIR/dnsmasq.conf + fi + if [[ ! "$SHOW_DNS_QUERY" -eq 0 ]]; then + echo log-queries=extra >> $CONFDIR/dnsmasq.conf + fi + + if [[ $DNS ]]; then + DNS_count=$(echo $DNS | awk -F, '{print NF}') + for (( i=1;i<=DNS_count;i++ )); do + sep_ip_port "$(echo $DNS | cut -d, -f$i)" DNS_IP DNS_PORT + [[ "$DNS_PORT" ]] && DNS_PORT_D="#$DNS_PORT" + echo "server=${DNS_IP}${DNS_PORT_D}" >> $CONFDIR/dnsmasq.conf + done + + cat <<- EOF >> $CONFDIR/dnsmasq.conf + no-resolv + no-poll + EOF + fi + if [[ $IPV6 -eq 1 ]];then + cat <<- EOF >> $CONFDIR/dnsmasq.conf + listen-address=${GATEWAY6} + enable-ra + #quiet-ra + dhcp-range=interface:${SUBNET_IFACE},::,::ffff:ffff:ffff:ffff,constructor:${SUBNET_IFACE},ra-stateless,64 + EOF + if [[ "$DHCP_DNS6" != "no" ]]; then + if [[ "$DHCP_DNS6" == "gateway" ]]; then + dns_offer6="[$GATEWAY6]" + else + dns_offer6="$DHCP_DNS6" + fi + echo "dhcp-option=option6:dns-server,${dns_offer6}" >> $CONFDIR/dnsmasq.conf + fi + fi +fi + +#=========================== + +# initialize subnet interface +if [[ -n "$NEW_MACADDR" ]]; then + ip link set dev ${SUBNET_IFACE} address ${NEW_MACADDR} || die "Failed setting new MAC address" +fi + +ip link set down dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} down" +ip addr flush ${SUBNET_IFACE} || die "Failed flush ${SUBNET_IFACE} IP" + + +ip link set up dev ${SUBNET_IFACE} || die "Failed bringing ${SUBNET_IFACE} up" + +if [[ $WIFI_IFACE ]]; then + + if [[ $NO_HAVEGED -eq 0 ]]; then + haveged_watchdog & + HAVEGED_WATCHDOG_PID=$! + echo $HAVEGED_WATCHDOG_PID > $CONFDIR/haveged_watchdog.pid + echo "haveged_watchdog PID: $HAVEGED_WATCHDOG_PID" + fi + + # start access point + #echo "hostapd command-line interface: hostapd_cli -p $CONFDIR/hostapd_ctrl" + # start hostapd (use stdbuf when available for no delayed output in programs that redirect stdout) + STDBUF_PATH=`which stdbuf` + if [ $? -eq 0 ]; then + STDBUF_PATH=$STDBUF_PATH" -oL" + fi + echo + echo "Starting hostapd" + # hostapd '-P' works only when use '-B' (run in background) + $STDBUF_PATH hostapd $HOSTAPD_DEBUG_ARGS -P $CONFDIR/hostapd.pid $CONFDIR/hostapd.conf & + HOSTAPD_PID=$! + echo $HOSTAPD_PID > $CONFDIR/hostapd.pid + echo "hostapd PID: $HOSTAPD_PID" + #while [[ ! -f $CONFDIR/hostapd.pid ]]; do + # sleep 1 + #done + #echo -n "hostapd PID: " ; cat $CONFDIR/hostapd.pid + ( while [ -e /proc/$HOSTAPD_PID ]; do sleep 10; done ; die "hostapd exited" ) & + + sleep 3 +fi + +ip addr add ${GATEWAY}/24 broadcast ${GATEWAY%.*}.255 dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IP" + +mkdir $CONFDIR/sys_6_conf_iface +if [[ $IPV6 -eq 1 ]]; then + cp /proc/sys/net/ipv6/conf/$SUBNET_IFACE/accept_ra \ + /proc/sys/net/ipv6/conf/$SUBNET_IFACE/use_tempaddr \ + /proc/sys/net/ipv6/conf/$SUBNET_IFACE/addr_gen_mode \ + $CONFDIR/sys_6_conf_iface/ + + echo 0 > /proc/sys/net/ipv6/conf/$SUBNET_IFACE/accept_ra + echo 0 > /proc/sys/net/ipv6/conf/$SUBNET_IFACE/use_tempaddr + echo 0 > /proc/sys/net/ipv6/conf/$SUBNET_IFACE/addr_gen_mode + + ip -6 addr add ${GATEWAY6}/64 dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IPv6" +else + cp /proc/sys/net/ipv6/conf/$SUBNET_IFACE/disable_ipv6 $CONFDIR/sys_6_conf_iface/ + echo 1 > /proc/sys/net/ipv6/conf/$SUBNET_IFACE/disable_ipv6 +fi + +# enable Internet sharing +if [[ "$SHARE_METHOD" == "none" ]]; then + echo "No Internet sharing" +elif [[ "$SHARE_METHOD" == "nat" ]]; then + [[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS, queries may leak to other interfaces!!!\n" >&2 + start_nat + echo 1 > /proc/sys/net/ipv4/ip_forward || die "Failed enabling system ipv4 forwarding" + if [[ $IPV6 -eq 1 ]]; then + echo 1 > /proc/sys/net/ipv6/conf/all/forwarding || die "Failed enabling system ipv6 forwarding" + fi + # to enable clients to establish PPTP connections we must + # load nf_nat_pptp module + modprobe nf_nat_pptp > /dev/null 2>&1 +elif [[ "$SHARE_METHOD" == "redsocks" ]]; then + if [[ $IPV6 -eq 1 ]]; then + echo 1 > /proc/sys/net/ipv6/conf/$SUBNET_IFACE/forwarding || die "Failed enabling $SUBNET_IFACE ipv6 forwarding" + fi + [[ "$dnsmasq_NO_DNS" -eq 0 && ! $DNS ]] && echo -e "\nWARN: You are using transparent proxy but this host is providing local DNS, this may cause privacy leak !!!\n" >&2 + + start_redsocks +fi + +# start dhcp + dns (optional) + +if [[ "$DHCP_DNS" == "gateway" || "$DHCP_DNS6" == "gateway" ]]; then + allow_dns_port +fi + +[[ "$CATCH_DNS" -eq 1 ]] && start_catch_dns + + +if [[ $NO_DNSMASQ -eq 0 ]]; then + start_dhcp + + if which complain > /dev/null 2>&1; then + # openSUSE's apparmor does not allow dnsmasq to read files. + # remove restriction. + complain dnsmasq + fi + + echo + echo "Starting dnsmasq" + # dnsmasq '-x' works only when no '-d' (run in foreground) + # Using '-d' dnsmasq will not turn into 'nobody' + dnsmasq -d -C $CONFDIR/dnsmasq.conf -x $CONFDIR/dnsmasq.pid -l $CONFDIR/dnsmasq.leases & + DNSMASQ_PID=$! + echo "dnsmasq PID: $DNSMASQ_PID" + #while [[ ! -f $CONFDIR/dnsmasq.pid ]]; do + # sleep 1 + #done + echo -n "dnsmasq PID: " ; cat $CONFDIR/dnsmasq.pid + #(wait $DNSMASQ_PID ; die "dnsmasq failed") & + ( while [ -e /proc/$DNSMASQ_PID ]; do sleep 10; done ; die "dnsmasq exited" ) & + sleep 2 + +fi + +echo +echo "== Setting up completed, now linux-router is working ==" +# need loop to keep this script running +bash -c "while :; do sleep 8000 ; done " & +KEEP_RUNNING_PID=$! +echo $KEEP_RUNNING_PID > $CONFDIR/keep_running.pid +wait $KEEP_RUNNING_PID + +clean_exit