interesting
/
linux-router
mirror of https://github.com/garywill/linux-router.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

transparent DNS proxy

This commit is contained in:
garywill 2018-08-31 18:41:06 +08:00 committed by garywill
parent 0f498e043d
commit e5e1c96a53
2 changed files with 46 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
README.md
View File

@ -4,6 +4,8 @@ Set Linux as router in one command. Able to Provide Internet, or create Wifi hot
It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c`. It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c`.
[Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md)
## Features ## Features
Basic features: Basic features:
@ -211,11 +213,11 @@ Options:
(Note using this with default DNS option may leak (Note using this with default DNS option may leak
queries to other interfaces) queries to other interfaces)
-n Do not provide Internet -n Do not provide Internet
-g <ip> Set this host's IPv4 address, netmask is 24 -g <ip> Set this host's IPv4 address, netmask is 24
-6 Enable IPv6 (NAT) -6 Enable IPv6 (NAT)
--p6 <prefix> Set IPv6 prefix (length 64) --p6 <prefix> Set IPv6 prefix (length 64) (example: fd00:1:2:3::)
--dns <ip>|<port>|<ip:port> --dns <ip>|<port>|<ip:port>
DNS server's upstream DNS. DNS server's upstream DNS.
Use ',' to seperate multiple servers Use ',' to seperate multiple servers
@ -223,6 +225,8 @@ Options:
(Note IPv6 addresses need '[]' around) (Note IPv6 addresses need '[]' around)
--no-dns Do not serve DNS --no-dns Do not serve DNS
--no-dnsmasq Disable dnsmasq server (DHCP, DNS, RA) --no-dnsmasq Disable dnsmasq server (DHCP, DNS, RA)
--catch-dns Transparent DNS proxy, redirect packets(TCP/UDP)
that destination port is 53 to this host
--log-dns Show DNS query log --log-dns Show DNS query log
--dhcp-dns <IP1[,IP2]>|no --dhcp-dns <IP1[,IP2]>|no
Set IPv4 DNS offered by DHCP (default: this host) Set IPv4 DNS offered by DHCP (default: this host)
@ -235,18 +239,18 @@ Options:
-d DNS server will take into account /etc/hosts -d DNS server will take into account /etc/hosts
-e <hosts_file> DNS server will take into account additional -e <hosts_file> DNS server will take into account additional
hosts file hosts file
--mac <MAC> Set MAC address --mac <MAC> Set MAC address
--tp <port> Transparent proxy, --tp <port> Transparent proxy,
redirect non-LAN tcp and udp traffic to port. redirect non-LAN TCP and UDP traffic to port.
Usually used with '--dns' Usually used with '--dns'
Wifi hotspot options: Wifi hotspot options:
--ap <wifi interface> <SSID> --ap <wifi interface> <SSID>
Create Wifi access point Create Wifi access point
--password <password> Wifi password --password <password> Wifi password
--hidden Hide access point (not broadcast SSID) --hidden Hide access point (not broadcast SSID)
--no-virt Do not create virtual interface --no-virt Do not create virtual interface
Using this you can't use same wlan interface Using this you can't use same wlan interface
@ -265,12 +269,12 @@ Options:
(defaults to /etc/hostapd/hostapd.accept) (defaults to /etc/hostapd/hostapd.accept)
--hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd --hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd
--isolate-clients Disable wifi communication between clients --isolate-clients Disable wifi communication between clients
--ieee80211n Enable IEEE 802.11n (HT) --ieee80211n Enable IEEE 802.11n (HT)
--ieee80211ac Enable IEEE 802.11ac (VHT) --ieee80211ac Enable IEEE 802.11ac (VHT)
--ht_capab <HT> HT capabilities (default: [HT40+]) --ht_capab <HT> HT capabilities (default: [HT40+])
--vht_capab <VHT> VHT capabilities --vht_capab <VHT> VHT capabilities
--no-haveged Do not run haveged automatically when needed --no-haveged Do not run haveged automatically when needed
Instance managing: Instance managing:

33
lnxrouter
View File

@ -37,6 +37,8 @@ Options:
(Note IPv6 addresses need '[]' around) (Note IPv6 addresses need '[]' around)
--no-dns Do not serve DNS --no-dns Do not serve DNS
--no-dnsmasq Disable dnsmasq server (DHCP, DNS, RA) --no-dnsmasq Disable dnsmasq server (DHCP, DNS, RA)
--catch-dns Transparent DNS proxy, redirect packets(TCP/UDP)
that destination port is 53 to this host
--log-dns Show DNS query log --log-dns Show DNS query log
--dhcp-dns <IP1[,IP2]>|no --dhcp-dns <IP1[,IP2]>|no
Set IPv4 DNS offered by DHCP (default: this host) Set IPv4 DNS offered by DHCP (default: this host)
@ -53,7 +55,7 @@ Options:
--mac <MAC> Set MAC address --mac <MAC> Set MAC address
--tp <port> Transparent proxy, --tp <port> Transparent proxy,
redirect non-LAN tcp and udp traffic to port. redirect non-LAN TCP and UDP traffic to port.
Usually used with '--dns' Usually used with '--dns'
Wifi hotspot options: Wifi hotspot options:
@ -118,6 +120,7 @@ DHCP_DNS=gateway
DHCP_DNS6=gateway DHCP_DNS6=gateway
dnsmasq_NO_DNS=0 dnsmasq_NO_DNS=0
NO_DNSMASQ=0 NO_DNSMASQ=0
CATCH_DNS=0
SHOW_DNS_QUERY=0 SHOW_DNS_QUERY=0
ETC_HOSTS=0 ETC_HOSTS=0
ADDN_HOSTS= ADDN_HOSTS=
@ -236,6 +239,10 @@ while [[ -n "$1" ]]; do
DHCP_DNS6="$1" DHCP_DNS6="$1"
shift shift
;; ;;
--catch-dns)
shift
CATCH_DNS=1
;;
--log-dns) --log-dns)
shift shift
SHOW_DNS_QUERY=1 SHOW_DNS_QUERY=1
@ -753,6 +760,26 @@ unallow_dns_port() {
fi fi
} }
start_catch_dns() {
echo
echo "iptables: redirect all TCP/UDP packet that destination port is 53"
iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 || die
iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 || die
if [[ $IPV6 -eq 1 ]]; then
ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 || die
ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 || die
fi
}
stop_catch_dns() {
echo "iptables: stop redirecting DNS queries"
iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
if [[ $IPV6 -eq 1 ]]; then
ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
fi
}
start_dhcp() { start_dhcp() {
echo echo
echo "iptables: allow DHCP port access" echo "iptables: allow DHCP port access"
@ -892,6 +919,8 @@ clean_iptables() {
unallow_dns_port unallow_dns_port
fi fi
[[ "$CATCH_DNS" -eq 1 ]] && stop_catch_dns
if [[ $NO_DNSMASQ -eq 0 ]]; then if [[ $NO_DNSMASQ -eq 0 ]]; then
stop_dhcp stop_dhcp
@ -1591,6 +1620,8 @@ if [[ "$DHCP_DNS" == "gateway" || "$DHCP_DNS6" == "gateway" ]]; then
allow_dns_port allow_dns_port
fi fi
[[ "$CATCH_DNS" -eq 1 ]] && start_catch_dns
if [[ $NO_DNSMASQ -eq 0 ]]; then if [[ $NO_DNSMASQ -eq 0 ]]; then
start_dhcp start_dhcp