From e5e1c96a535916326ee9fd04abe8efc1ddf803db Mon Sep 17 00:00:00 2001 From: garywill <32130780+garywill@users.noreply.github.com> Date: Fri, 31 Aug 2018 18:41:06 +0800 Subject: [PATCH] transparent DNS proxy --- README.md | 24 ++++++++++++++---------- lnxrouter | 33 ++++++++++++++++++++++++++++++++- 2 files changed, 46 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 0c69750..9966b50 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,8 @@ Set Linux as router in one command. Able to Provide Internet, or create Wifi hot It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c`. +[Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) + ## Features Basic features: @@ -211,11 +213,11 @@ Options: (Note using this with default DNS option may leak queries to other interfaces) -n Do not provide Internet - + -g Set this host's IPv4 address, netmask is 24 -6 Enable IPv6 (NAT) - --p6 Set IPv6 prefix (length 64) - + --p6 Set IPv6 prefix (length 64) (example: fd00:1:2:3::) + --dns || DNS server's upstream DNS. Use ',' to seperate multiple servers @@ -223,6 +225,8 @@ Options: (Note IPv6 addresses need '[]' around) --no-dns Do not serve DNS --no-dnsmasq Disable dnsmasq server (DHCP, DNS, RA) + --catch-dns Transparent DNS proxy, redirect packets(TCP/UDP) + that destination port is 53 to this host --log-dns Show DNS query log --dhcp-dns |no Set IPv4 DNS offered by DHCP (default: this host) 
@@ -235,18 +239,18 @@ Options: -d DNS server will take into account /etc/hosts -e DNS server will take into account additional hosts file - + --mac Set MAC address - + --tp Transparent proxy, - redirect non-LAN tcp and udp traffic to port. + redirect non-LAN TCP and UDP traffic to port. Usually used with '--dns' - + Wifi hotspot options: --ap Create Wifi access point --password Wifi password - + --hidden Hide access point (not broadcast SSID) --no-virt Do not create virtual interface Using this you can't use same wlan interface @@ -265,12 +269,12 @@ Options: (defaults to /etc/hostapd/hostapd.accept) --hostapd-debug 1 or 2. Passes -d or -dd to hostapd --isolate-clients Disable wifi communication between clients - + --ieee80211n Enable IEEE 802.11n (HT) --ieee80211ac Enable IEEE 802.11ac (VHT) --ht_capab HT capabilities (default: [HT40+]) --vht_capab VHT capabilities - + --no-haveged Do not run haveged automatically when needed Instance managing: diff --git a/lnxrouter b/lnxrouter index 6301a9e..7c2b63e 100755 --- a/lnxrouter +++ b/lnxrouter @@ -37,6 +37,8 @@ Options: (Note IPv6 addresses need '[]' around) --no-dns Do not serve DNS --no-dnsmasq Disable dnsmasq server (DHCP, DNS, RA) + --catch-dns Transparent DNS proxy, redirect packets(TCP/UDP) + that destination port is 53 to this host --log-dns Show DNS query log --dhcp-dns |no Set IPv4 DNS offered by DHCP (default: this host) @@ -53,7 +55,7 @@ Options: --mac Set MAC address --tp Transparent proxy, - redirect non-LAN tcp and udp traffic to port. + redirect non-LAN TCP and UDP traffic to port. Usually used with '--dns' Wifi hotspot options: @@ -118,6 +120,7 @@ DHCP_DNS=gateway DHCP_DNS6=gateway dnsmasq_NO_DNS=0 NO_DNSMASQ=0 +CATCH_DNS=0 SHOW_DNS_QUERY=0 ETC_HOSTS=0 ADDN_HOSTS= @@ -236,6 +239,10 @@ while [[ -n "$1" ]]; do DHCP_DNS6="$1" shift ;; + --catch-dns) + shift + CATCH_DNS=1 + ;; --log-dns) shift SHOW_DNS_QUERY=1 
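Review bot: The new `--catch-dns` arm in the `@@ -236` hunk sets `CATCH_DNS=1` without any check against `--no-dns` or `--no-dnsmasq` (the `dnsmasq_NO_DNS` and `NO_DNSMASQ` defaults added in the `@@ -118` hunk look like their flags), yet the redirect target is this host's own port 53, so that combination sends every client query to a port nothing listens on. A post-parse check such as `[[ $CATCH_DNS -eq 1 && ( $dnsmasq_NO_DNS -eq 1 || $NO_DNSMASQ -eq 1 ) ]] && die "--catch-dns requires this host to serve DNS"` turns the conflict into a startup error instead of a silent outage for clients; the option loop starts and ends outside this hunk, so the check belongs after it. The help text in the `@@ -37` hunk could also say what is and is not intercepted, e.g. `--catch-dns  Transparent DNS proxy: redirect clients' plaintext TCP/UDP port-53 queries to this host's DNS (DoT/DoH are not affected)`, so users do not assume encrypted resolvers are covered.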
@@ -753,6 +760,26 @@ unallow_dns_port() { fi } +start_catch_dns() { + echo + echo "iptables: redirect all TCP/UDP packet that destination port is 53" + iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 || die + iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 || die + if [[ $IPV6 -eq 1 ]]; then + ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 || die + ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 || die + fi +} +stop_catch_dns() { + echo "iptables: stop redirecting DNS queries" + iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 + iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 + if [[ $IPV6 -eq 1 ]]; then + ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 + ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 + fi +} + start_dhcp() { echo echo "iptables: allow DHCP port access" @@ -892,6 +919,8 @@ clean_iptables() { unallow_dns_port fi + [[ "$CATCH_DNS" -eq 1 ]] && stop_catch_dns + if [[ $NO_DNSMASQ -eq 0 ]]; then stop_dhcp @@ -1591,6 +1620,8 @@ if [[ "$DHCP_DNS" == "gateway" || "$DHCP_DNS6" == "gateway" ]]; then allow_dns_port fi +[[ "$CATCH_DNS" -eq 1 ]] && start_catch_dns + if [[ $NO_DNSMASQ -eq 0 ]]; then start_dhcp
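Review bot: `${SUBNET_IFACE}`, `${GATEWAY}` and `${GATEWAY6}` are expanded unquoted in every `iptables_`/`ip6tables_` call of start_catch_dns and stop_catch_dns, so an empty value (for instance `GATEWAY6` when IPv6 is on but no address was derived) silently drops an argument and changes what the rule matches rather than failing cleanly; quote them, e.g. `-i "${SUBNET_IFACE}" ! -d "${GATEWAY}"`. The four rule lines differ only in action, protocol and address family, and stop_catch_dns discards the exit status of each `-D`, so a rule that start_catch_dns inserted can be left in nat PREROUTING after teardown with no message; one helper that takes the action (`-I`/`-D`) keeps the insert and delete rules byte-identical and lets the caller see the status, as sketched below. The call site added in the `@@ -1591` hunk runs start_catch_dns regardless of `NO_DNSMASQ`/`dnsmasq_NO_DNS`, so with `--no-dns` or `--no-dnsmasq` client queries are redirected to a closed port 53; guarding that call (`[[ "$CATCH_DNS" -eq 1 && $NO_DNSMASQ -eq 0 ]] && start_catch_dns`) or rejecting the option combination at parse time avoids that.
```bash
# Add or remove the port-53 REDIRECT rules. $1 is the iptables action (-I or -D);
# any further arguments (e.g. -v) are passed through to iptables_/ip6tables_.
catch_dns_rules() {
    local action=$1 proto
    shift
    for proto in udp tcp; do
        iptables_ "$@" -t nat "$action" PREROUTING -i "${SUBNET_IFACE}" ! -d "${GATEWAY}" -p "$proto" -m "$proto" --dport 53 -j REDIRECT --to-ports 53 || return
        if [[ $IPV6 -eq 1 ]]; then
            ip6tables_ "$@" -t nat "$action" PREROUTING -i "${SUBNET_IFACE}" ! -d "${GATEWAY6}" -p "$proto" -m "$proto" --dport 53 -j REDIRECT --to-ports 53 || return
        fi
    done
}
start_catch_dns() {
    echo
    echo "iptables: redirect all TCP/UDP packet that destination port is 53"
    catch_dns_rules -I -v || die
}
stop_catch_dns() {
    echo "iptables: stop redirecting DNS queries"
    catch_dns_rules -D || echo "warning: a DNS redirect rule could not be removed" >&2
}
# … unchanged: start_dhcp …
```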