From e5fc9efe48d4d08dd1d2f3a73284317b036e6fed Mon Sep 17 00:00:00 2001 From: garywill Date: Sat, 17 Apr 2021 12:29:53 +0800 Subject: [PATCH] support short gateway ip expression fix dnsmasq pid not get watchdog zombie judgement iptables nft and comment judgement use fifo for dnsmasq log --- README.md | 22 +++++++++----- lnxrouter | 88 +++++++++++++++++++++++++++++++++++++++++++------------ 2 files changed, 84 insertions(+), 26 deletions(-) mode change 100644 => 100755 lnxrouter diff --git a/README.md b/README.md index 4763c46..04b3a41 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,9 @@ Set Linux as router in one command. Able to Provide Internet, or create Wifi hot It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c` (or even by closing terminal window). -[Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) :) +[Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) + +( ^\_^)o自自o(^_^ ) ## Features @@ -110,7 +112,9 @@ lxc.network.hwaddr = xx:xx:xx:xx:xx:xx sudo lnxrouter -i lxcbr5 ``` -### Transparent proxy with Tor +### Transparent proxy + +For example through Tor ``` sudo lnxrouter -i eth1 --tp 9040 --dns 9053 -g 192.168.55.1 --p6 fd00:5:6:7:: @@ -127,7 +131,7 @@ DNSPort [fd00:5:6:7::1]:9053 ### Clients-in-sandbox network -To not give our infomation to clients: +To not give our infomation to clients. Clients can still access Internet. ``` sudo lnxrouter -i eth1 \ 
@@ -232,12 +236,14 @@ Options: --ban-priv Disallow clients to access my private network -g This host's IPv4 address in subnet (mask is /24) + (example: '192.168.5.1' or '5' shortly) -6 Enable IPv6 (NAT) --no4 Disable IPv4 Internet (not forwarding IPv4) (See Notice 1). Usually used with '-6' --p6 Set IPv6 LAN address prefix (length 64) - (example: fd00:1:2:3::) Using this enables '-6' + (example: 'fd00:0:0:5::' or '5' shortly) + Using this enables '-6' --dns || DNS server's upstream DNS. @@ -333,13 +339,13 @@ Options: - procps or procps-ng - iproute2 - dnsmasq -- iptables +- iptables (legacy. nft not tested) - WiFi hotspot dependencies - hostapd - iw - iwconfig (you only need this if 'iw' can not recognize your adapter) - haveged (optional) - - qrencode (opional) + - qrencode (optional) ## TODO @@ -354,10 +360,12 @@ Options: ( ^\_^)o自自o(^_^ ) -No? Okay, or just give me a star! +[打赏一个](https://github.com/garywill/receiving/blob/master/receiving_methods.md) ## For developers **Many thanks to project [create_ap](https://github.com/oblique/create_ap)**. This script was forked from create\_ap. Now it's quite different from it. (See `history` branch for how I modified create_ap) + +There're some TO-DOs listed, at both above and in the code file. We'll appreciate your help. diff --git a/lnxrouter b/lnxrouter old mode 100644 new mode 100755 index 25ee017..064c1d3 --- a/lnxrouter +++ b/lnxrouter @@ -1,6 +1,6 @@ #!/bin/bash -# TODO: showing version or git commit on running +# TODO: showing version (or git commit) on running VERSION=0.6.0 PROGNAME="$(basename $0)" 
@@ -30,12 +30,14 @@ Options: --ban-priv Disallow clients to access my private network -g This host's IPv4 address in subnet (mask is /24) + (example: '192.168.5.1' or '5' shortly) -6 Enable IPv6 (NAT) --no4 Disable IPv4 Internet (not forwarding IPv4) (See Notice 1). Usually used with '-6' --p6 Set IPv6 LAN address prefix (length 64) - (example: fd00:1:2:3::) Using this enables '-6' + (example: 'fd00:0:0:5::' or '5' shortly) + Using this enables '-6' --dns || DNS server's upstream DNS. @@ -201,6 +203,7 @@ define_global_variables(){ CONFDIR= NM_RUNNING=0 NM_UNM_LIST= # it's called "list" but for now one interface + XT_COMMENT=1 } parse_user_options(){ @@ -736,7 +739,7 @@ haveged_watchdog() { echo "WARN: Low entropy detected. We recommend you to install \`haveged'" 1>&2 show_warn=0 fi - elif ! pidof haveged > /dev/null 2>&1; then + elif ! pidof haveged > /dev/null 2>&1; then # TODO judge zombie ? echo "Low entropy detected, starting haveged" 1>&2 # boost low-entropy haveged -w 1024 -p $COMMON_CONFDIR/haveged.pid @@ -745,7 +748,24 @@ haveged_watchdog() { sleep 2 done } - +pid_watchdog() { + local PID="$1" + local SLEEP="$2" + local ERR_MSG="$3" + local ST + while true + do + if [[ -e "/proc/$PID" ]]; then + ST="$(cat "/proc/$PID/status" | grep "^State:" | awk '{print $2}')" + if [[ "$ST" != 'Z' ]]; then + sleep $SLEEP + continue + fi + fi + die "$ERR_MSG" + done + +} #======== @@ -792,15 +812,22 @@ nm_restore_manage() { fi } #========= - iptables_() { - iptables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE" + if [[ $XT_COMMENT -eq 1 ]]; then + iptables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE" + else + iptables -w $@ + fi return $? } ip6tables_() { - ip6tables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE" + if [[ $XT_COMMENT -eq 1 ]]; then + ip6tables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE" + else + ip6tables -w $@ + fi return $? } 
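Review bot: pid_watchdog never terminates when PID is empty or not numeric: `[[ -e "/proc/" ]]` is true, the status read fails, ST stays empty and the loop sleeps forever instead of reporting the failure, so the callers in the start_dnsmasq hunk (a value read from a pid file) and the run_wifi_ap_processes hunk (an unquoted `$HOSTAPD_PID`) would lose their watchdog silently. Add a guard before the loop: `[[ "$PID" =~ ^[0-9]+$ ]] || die "$ERR_MSG"`. The status read can also drop two of the three processes spawned per poll: `ST="$(awk '/^State:/{print $2}' "/proc/$PID/status" 2>/dev/null)"`. A PID reused by an unrelated process after the watched daemon exits still passes the check; that limitation predates this change and would need the process start time from `/proc/$PID/stat` to close.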
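Review bot: With XT_COMMENT=0 the rules added by iptables_ and ip6tables_ carry no `lnxrouter-$$-$SUBNET_IFACE` tag; if the restore path elsewhere in the script locates this instance's rules by that comment (not visible in this hunk), the fallback means NAT and filter rules are left behind after exit, so it should either be paired with a cleanup that does not depend on the tag or refuse to start with a clear error. The duplicated command lines can be collapsed by building the optional match once, `local tag=(); [[ $XT_COMMENT -eq 1 ]] && tag=(-m comment --comment "lnxrouter-$$-$SUBNET_IFACE")` followed by `iptables -w "$@" "${tag[@]}"`, which also keeps arguments containing spaces intact (the unquoted `$@` predates this change). The trailing `return $?` is redundant because the function already returns the status of the if-statement.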
@@ -843,7 +870,7 @@ start_ban_lan() { echo echo "iptables: Disallow clients to access LAN" iptables_ -N BANLAN-f-${SUBNET_IFACE} || die - iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 0.0.0.0/8 -j REJECT || die + iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 0.0.0.0/8 -j REJECT || die # TODO: use array iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 10.0.0.0/8 -j REJECT || die iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 100.64.0.0/10 -j REJECT || die iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 127.0.0.0/8 -j REJECT || die @@ -858,6 +885,7 @@ start_ban_lan() { iptables_ -N BANLAN-i-${SUBNET_IFACE} #iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} -j REJECT || die iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} ! -p icmp -j REJECT || die + # TODO: ipv6 need icmp to function. maybe we can block some unneeded icmp to improve security iptables_ -I INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE} || die @@ -1465,12 +1493,13 @@ daemonizing_check(){ check_wifi_settings() { if ! ( which iw > /dev/null 2>&1 && iw dev $WIFI_IFACE info > /dev/null 2>&1 ); then - echo "WARN: Can't use 'iw' to operation this WiFi interface, trying 'iwconfig' ..." >&2 - if which iwconfig > /dev/null 2>&1 && iwconfig $WIFI_IFACE > /dev/null 2>&1; then - USE_IWCONFIG=1 - echo "WARN: Using 'iwconfig', not as good as 'iw'" >&2 - else - echo "ERROR: Can't use 'iwconfig' to operation this WiFi interface neither" >&2 + echo "WARN: Can't use 'iw' to operate interfce '$WIFI_IFACE', trying 'iwconfig' (not as good as 'iw') ..." >&2 + USE_IWCONFIG=1 + fi + + if [[ $USE_IWCONFIG -eq 1 ]]; then + if ! (which iwconfig > /dev/null 2>&1 && iwconfig $WIFI_IFACE > /dev/null 2>&1); then + echo "ERROR: Can't use 'iwconfig' to operate interfce '$WIFI_IFACE'" >&2 exit 1 fi fi 
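Review bot: Both new user-facing messages in check_wifi_settings misspell the word interface (`operate interfce '$WIFI_IFACE'`); change it to `operate interface '$WIFI_IFACE'` in the WARN line and the ERROR line. The second block repeats the `which iwconfig` probe; `command -v iwconfig >/dev/null 2>&1` is the portable builtin form, and `"$WIFI_IFACE"` should be quoted in the `iw dev` and `iwconfig` calls. The result now depends on USE_IWCONFIG being defined before this function runs (`[[ $USE_IWCONFIG -eq 1 ]]` treats an unset value as 0, which is presumably the intent but deserves a comment). The function's closing brace lies outside the hunk.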
@@ -1572,11 +1601,15 @@ decide_ip_addresses() { if [[ ! -n $GATEWAY ]]; then GATEWAY="$(generate_random_ip4)" echo "Use random LAN IPv4 address $GATEWAY" + elif [[ ! "$GATEWAY" =~ "." ]]; then + GATEWAY="192.168.${GATEWAY}.1" fi if [[ $IPV6 -eq 1 && ! -n $PREFIX6 ]]; then PREFIX6="$(generate_random_lan_ip6_prefix)" echo "Use random LAN IPv6 address ${PREFIX6}${IID6}" + elif [[ ! "$PREFIX6" =~ ":" ]]; then + PREFIX6="fd00:0:0:${PREFIX6}::" fi if [[ $IPV6 -eq 1 ]]; then GATEWAY6="${PREFIX6}${IID6}" @@ -1729,6 +1762,11 @@ write_dnsmasq_conf() { else NOBODY_GROUP="nogroup" fi + + mkfifo "$CONFDIR/dnsmasq.log" || die "Failed creating pipe file for dnsmasq" + chown nobody "$CONFDIR/dnsmasq.log" || die "Failed changing dnsmasq log file owner" + cat "$CONFDIR/dnsmasq.log" & + cat <<- EOF > "$CONFDIR/dnsmasq.conf" user=nobody group=$NOBODY_GROUP @@ -1740,7 +1778,7 @@ write_dnsmasq_conf() { dhcp-range=${GATEWAY%.*}.10,${GATEWAY%.*}.250,255.255.255.0 dhcp-option-force=option:router,${GATEWAY} #log-dhcp - log-facility=/dev/stdout + log-facility=$CONFDIR/dnsmasq.log bogus-priv domain-needed EOF @@ -1831,8 +1869,7 @@ run_wifi_ap_processes() { # sleep 1 #done #echo -n "hostapd PID: " ; cat $CONFDIR/hostapd.pid - ( while [ -e /proc/$HOSTAPD_PID ]; do sleep 10; done ; die "hostapd exited" ) & - + pid_watchdog $HOSTAPD_PID 10 "hostapd failed" & sleep 3 } @@ -1855,9 +1892,10 @@ start_dnsmasq() { i=$((i + 1)) if [[ $i -gt 10 ]]; then die "Couldn't get dnsmasq PID" ; fi done - echo -n "dnsmasq PID: " ; cat "$CONFDIR/dnsmasq.pid" + DNSMASQ_PID="$(cat "$CONFDIR/dnsmasq.pid" )" + echo "dnsmasq PID: $DNSMASQ_PID" ######(wait $DNSMASQ_PID ; die "dnsmasq failed") & # wait can't deal with non-child - ( while [ -e "/proc/$DNSMASQ_PID" ]; do sleep 10; done ; die "dnsmasq exited" ) & + pid_watchdog $DNSMASQ_PID 9 "dnsmasq failed" & sleep 2 } 
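Review bot: The new `elif [[ ! "$PREFIX6" =~ ":" ]]` branch in decide_ip_addresses also fires when IPv6 is disabled and PREFIX6 is empty, because the preceding `if` requires `$IPV6 -eq 1` while the elif does not; an empty string contains no colon, so PREFIX6 becomes `fd00:0:0::` on every run without --p6. Guard it on the value being set: `elif [[ -n "$PREFIX6" && ! "$PREFIX6" =~ ":" ]]; then`. Neither short form is validated, so `-g abc` yields `192.168.abc.1` and only fails later in `ip addr add`; checking `[[ "$GATEWAY" =~ ^[0-9]{1,3}$ ]] && (( 10#$GATEWAY <= 255 ))` (and `^[0-9a-fA-F]{1,4}$` for the IPv6 segment) before substituting gives a clear error instead. The function starts and ends outside the hunk.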
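Review bot: The FIFO created in write_dnsmasq_conf is made with the default mode, so after `chown nobody` any local user can open `$CONFDIR/dnsmasq.log` for reading and drain DNS/DHCP log lines before the background `cat` sees them, unless CONFDIR itself is unreadable to others (not visible here); create it restricted, `mkfifo -m 0600 "$CONFDIR/dnsmasq.log" || die "Failed creating pipe file for dnsmasq"`, which still lets the nobody-owned dnsmasq write and the reader running with the script's privileges read. The reader's PID is discarded (`cat "$CONFDIR/dnsmasq.log" &`), so nothing can stop it during cleanup; capture it with `LOG_READER_PID=$!` and terminate it alongside dnsmasq. If the reader exits before dnsmasq does, later log writes hit a FIFO with no reader and dnsmasq may be terminated by SIGPIPE, presumably acceptable since the watchdog then reports it, but worth a comment on the `cat` line. The function starts and ends outside the hunk; the matching `log-facility=` change is in the next hunk.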
@@ -1986,6 +2024,18 @@ if [[ $IPV6 -eq 1 ]] ; then ip -6 addr add ${GATEWAY6}/64 dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IPv6 address" fi +function check_iptables() { + if iptables --version | grep "nf_tables" >/dev/null 2>&1 ; then + echo -e "\nWARN: Your system is using nftables. This script is tested with iptables legacy only. If you encounter problems, visit following URL for infomation:\n https://github.com/oblique/create_ap/issues/373\n https://github.com/oblique/create_ap/issues/433\n https://github.com/garywill/linux-router/issues/18\n" >&2 + fi + + if ! lsmod | grep -E "\bxt_comment\b" >/dev/null 2>&1 ; then + XT_COMMENT=0 + fi +} + +check_iptables + # enable Internet sharing if [[ "$SHARE_METHOD" == "none" ]]; then
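Review bot: `lsmod | grep -E "\bxt_comment\b"` in check_iptables gives false negatives: xt_comment is normally autoloaded by the first rule that uses `-m comment`, so on a fresh boot it is absent from lsmod even though it works, and a kernel with the match built in never lists it, so the script silently falls back to untagged rules on many systems. Probe the kernel instead, e.g. `modprobe -q xt_comment 2>/dev/null || grep -qw xt_comment "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null || XT_COMMENT=0`, or try adding one `-m comment` rule to a scratch chain and delete it. The `function check_iptables()` form differs from the `name() {` style used by the other functions in this file, and the long `echo -e` message would read better as `printf '%s\n'` with one URL per argument.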