support short gateway ip expression

fix dnsmasq PID not being read
watchdog zombie detection
iptables nft and comment detection
use fifo for dnsmasq log
This commit is contained in:
garywill 2021-04-17 12:29:53 +08:00
parent 1e3c5004c3
commit e5fc9efe48
2 changed files with 84 additions and 26 deletions


@ -4,7 +4,9 @@ Set Linux as router in one command. Able to Provide Internet, or create Wifi hot
It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c` (or even by closing terminal window). It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c` (or even by closing terminal window).
[Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) :) [Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md)
^\_^o自自o^_^
## Features ## Features
@ -110,7 +112,9 @@ lxc.network.hwaddr = xx:xx:xx:xx:xx:xx
sudo lnxrouter -i lxcbr5 sudo lnxrouter -i lxcbr5
``` ```
### Transparent proxy with Tor ### Transparent proxy
For example through Tor
``` ```
sudo lnxrouter -i eth1 --tp 9040 --dns 9053 -g 192.168.55.1 --p6 fd00:5:6:7:: sudo lnxrouter -i eth1 --tp 9040 --dns 9053 -g 192.168.55.1 --p6 fd00:5:6:7::
@ -127,7 +131,7 @@ DNSPort [fd00:5:6:7::1]:9053
### Clients-in-sandbox network ### Clients-in-sandbox network
To not give our infomation to clients: To not give our infomation to clients. Clients can still access Internet.
``` ```
sudo lnxrouter -i eth1 \ sudo lnxrouter -i eth1 \
@ -232,12 +236,14 @@ Options:
--ban-priv Disallow clients to access my private network --ban-priv Disallow clients to access my private network
-g <ip> This host's IPv4 address in subnet (mask is /24) -g <ip> This host's IPv4 address in subnet (mask is /24)
(example: '192.168.5.1' or '5' shortly)
-6 Enable IPv6 (NAT) -6 Enable IPv6 (NAT)
--no4 Disable IPv4 Internet (not forwarding IPv4) --no4 Disable IPv4 Internet (not forwarding IPv4)
(See Notice 1). Usually used with '-6' (See Notice 1). Usually used with '-6'
--p6 <prefix> Set IPv6 LAN address prefix (length 64) --p6 <prefix> Set IPv6 LAN address prefix (length 64)
(example: fd00:1:2:3::) Using this enables '-6' (example: 'fd00:0:0:5::' or '5' shortly)
Using this enables '-6'
--dns <ip>|<port>|<ip:port> --dns <ip>|<port>|<ip:port>
DNS server's upstream DNS. DNS server's upstream DNS.
@ -333,13 +339,13 @@ Options:
- procps or procps-ng - procps or procps-ng
- iproute2 - iproute2
- dnsmasq - dnsmasq
- iptables - iptables (legacy. nft not tested)
- WiFi hotspot dependencies - WiFi hotspot dependencies
- hostapd - hostapd
- iw - iw
- iwconfig (you only need this if 'iw' can not recognize your adapter) - iwconfig (you only need this if 'iw' can not recognize your adapter)
- haveged (optional) - haveged (optional)
- qrencode (opional) - qrencode (optional)
## TODO ## TODO
@ -354,10 +360,12 @@ Options:
^\_^o自自o^_^ ^\_^o自自o^_^
No? Okay, or just give me a star! [打赏一个](https://github.com/garywill/receiving/blob/master/receiving_methods.md)
## For developers ## For developers
**Many thanks to project [create_ap](https://github.com/oblique/create_ap)**. **Many thanks to project [create_ap](https://github.com/oblique/create_ap)**.
This script was forked from create\_ap. Now it's quite different from it. (See `history` branch for how I modified create_ap) This script was forked from create\_ap. Now it's quite different from it. (See `history` branch for how I modified create_ap)
There're some TO-DOs listed, at both above and in the code file. We'll appreciate your help.

lnxrouter Normal file → Executable file

@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# TODO: showing version or git commit on running # TODO: showing version (or git commit) on running
VERSION=0.6.0 VERSION=0.6.0
PROGNAME="$(basename $0)" PROGNAME="$(basename $0)"
@ -30,12 +30,14 @@ Options:
--ban-priv Disallow clients to access my private network --ban-priv Disallow clients to access my private network
-g <ip> This host's IPv4 address in subnet (mask is /24) -g <ip> This host's IPv4 address in subnet (mask is /24)
(example: '192.168.5.1' or '5' shortly)
-6 Enable IPv6 (NAT) -6 Enable IPv6 (NAT)
--no4 Disable IPv4 Internet (not forwarding IPv4) --no4 Disable IPv4 Internet (not forwarding IPv4)
(See Notice 1). Usually used with '-6' (See Notice 1). Usually used with '-6'
--p6 <prefix> Set IPv6 LAN address prefix (length 64) --p6 <prefix> Set IPv6 LAN address prefix (length 64)
(example: fd00:1:2:3::) Using this enables '-6' (example: 'fd00:0:0:5::' or '5' shortly)
Using this enables '-6'
--dns <ip>|<port>|<ip:port> --dns <ip>|<port>|<ip:port>
DNS server's upstream DNS. DNS server's upstream DNS.
@ -201,6 +203,7 @@ define_global_variables(){
CONFDIR= CONFDIR=
NM_RUNNING=0 NM_RUNNING=0
NM_UNM_LIST= # it's called "list" but for now one interface NM_UNM_LIST= # it's called "list" but for now one interface
XT_COMMENT=1
} }
parse_user_options(){ parse_user_options(){
@ -736,7 +739,7 @@ haveged_watchdog() {
echo "WARN: Low entropy detected. We recommend you to install \`haveged'" 1>&2 echo "WARN: Low entropy detected. We recommend you to install \`haveged'" 1>&2
show_warn=0 show_warn=0
fi fi
elif ! pidof haveged > /dev/null 2>&1; then elif ! pidof haveged > /dev/null 2>&1; then # TODO judge zombie ?
echo "Low entropy detected, starting haveged" 1>&2 echo "Low entropy detected, starting haveged" 1>&2
# boost low-entropy # boost low-entropy
haveged -w 1024 -p $COMMON_CONFDIR/haveged.pid haveged -w 1024 -p $COMMON_CONFDIR/haveged.pid
@ -745,7 +748,24 @@ haveged_watchdog() {
sleep 2 sleep 2
done done
} }
pid_watchdog() {
local PID="$1"
local SLEEP="$2"
local ERR_MSG="$3"
local ST
while true
do
if [[ -e "/proc/$PID" ]]; then
ST="$(cat "/proc/$PID/status" | grep "^State:" | awk '{print $2}')"
if [[ "$ST" != 'Z' ]]; then
sleep $SLEEP
continue
fi
fi
die "$ERR_MSG"
done
}
#======== #========
@ -792,15 +812,22 @@ nm_restore_manage() {
fi fi
} }
#========= #=========
iptables_() iptables_()
{ {
iptables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE" if [[ $XT_COMMENT -eq 1 ]]; then
iptables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE"
else
iptables -w $@
fi
return $? return $?
} }
ip6tables_() ip6tables_()
{ {
ip6tables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE" if [[ $XT_COMMENT -eq 1 ]]; then
ip6tables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE"
else
ip6tables -w $@
fi
return $? return $?
} }
@ -843,7 +870,7 @@ start_ban_lan() {
echo echo
echo "iptables: Disallow clients to access LAN" echo "iptables: Disallow clients to access LAN"
iptables_ -N BANLAN-f-${SUBNET_IFACE} || die iptables_ -N BANLAN-f-${SUBNET_IFACE} || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 0.0.0.0/8 -j REJECT || die iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 0.0.0.0/8 -j REJECT || die # TODO: use array
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 10.0.0.0/8 -j REJECT || die iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 10.0.0.0/8 -j REJECT || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 100.64.0.0/10 -j REJECT || die iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 100.64.0.0/10 -j REJECT || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 127.0.0.0/8 -j REJECT || die iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 127.0.0.0/8 -j REJECT || die
@ -858,6 +885,7 @@ start_ban_lan() {
iptables_ -N BANLAN-i-${SUBNET_IFACE} iptables_ -N BANLAN-i-${SUBNET_IFACE}
#iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} -j REJECT || die #iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} -j REJECT || die
iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} ! -p icmp -j REJECT || die iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} ! -p icmp -j REJECT || die
# TODO: ipv6 need icmp to function. maybe we can block some unneeded icmp to improve security
iptables_ -I INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE} || die iptables_ -I INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE} || die
@ -1465,12 +1493,13 @@ daemonizing_check(){
check_wifi_settings() { check_wifi_settings() {
if ! ( which iw > /dev/null 2>&1 && iw dev $WIFI_IFACE info > /dev/null 2>&1 ); then if ! ( which iw > /dev/null 2>&1 && iw dev $WIFI_IFACE info > /dev/null 2>&1 ); then
echo "WARN: Can't use 'iw' to operation this WiFi interface, trying 'iwconfig' ..." >&2 echo "WARN: Can't use 'iw' to operate interfce '$WIFI_IFACE', trying 'iwconfig' (not as good as 'iw') ..." >&2
if which iwconfig > /dev/null 2>&1 && iwconfig $WIFI_IFACE > /dev/null 2>&1; then USE_IWCONFIG=1
USE_IWCONFIG=1 fi
echo "WARN: Using 'iwconfig', not as good as 'iw'" >&2
else if [[ $USE_IWCONFIG -eq 1 ]]; then
echo "ERROR: Can't use 'iwconfig' to operation this WiFi interface neither" >&2 if ! (which iwconfig > /dev/null 2>&1 && iwconfig $WIFI_IFACE > /dev/null 2>&1); then
echo "ERROR: Can't use 'iwconfig' to operate interfce '$WIFI_IFACE'" >&2
exit 1 exit 1
fi fi
fi fi
@ -1572,11 +1601,15 @@ decide_ip_addresses() {
if [[ ! -n $GATEWAY ]]; then if [[ ! -n $GATEWAY ]]; then
GATEWAY="$(generate_random_ip4)" GATEWAY="$(generate_random_ip4)"
echo "Use random LAN IPv4 address $GATEWAY" echo "Use random LAN IPv4 address $GATEWAY"
elif [[ ! "$GATEWAY" =~ "." ]]; then
GATEWAY="192.168.${GATEWAY}.1"
fi fi
if [[ $IPV6 -eq 1 && ! -n $PREFIX6 ]]; then if [[ $IPV6 -eq 1 && ! -n $PREFIX6 ]]; then
PREFIX6="$(generate_random_lan_ip6_prefix)" PREFIX6="$(generate_random_lan_ip6_prefix)"
echo "Use random LAN IPv6 address ${PREFIX6}${IID6}" echo "Use random LAN IPv6 address ${PREFIX6}${IID6}"
elif [[ ! "$PREFIX6" =~ ":" ]]; then
PREFIX6="fd00:0:0:${PREFIX6}::"
fi fi
if [[ $IPV6 -eq 1 ]]; then if [[ $IPV6 -eq 1 ]]; then
GATEWAY6="${PREFIX6}${IID6}" GATEWAY6="${PREFIX6}${IID6}"
@ -1729,6 +1762,11 @@ write_dnsmasq_conf() {
else else
NOBODY_GROUP="nogroup" NOBODY_GROUP="nogroup"
fi fi
mkfifo "$CONFDIR/dnsmasq.log" || die "Failed creating pipe file for dnsmasq"
chown nobody "$CONFDIR/dnsmasq.log" || die "Failed changing dnsmasq log file owner"
cat "$CONFDIR/dnsmasq.log" &
cat <<- EOF > "$CONFDIR/dnsmasq.conf" cat <<- EOF > "$CONFDIR/dnsmasq.conf"
user=nobody user=nobody
group=$NOBODY_GROUP group=$NOBODY_GROUP
@ -1740,7 +1778,7 @@ write_dnsmasq_conf() {
dhcp-range=${GATEWAY%.*}.10,${GATEWAY%.*}.250,255.255.255.0 dhcp-range=${GATEWAY%.*}.10,${GATEWAY%.*}.250,255.255.255.0
dhcp-option-force=option:router,${GATEWAY} dhcp-option-force=option:router,${GATEWAY}
#log-dhcp #log-dhcp
log-facility=/dev/stdout log-facility=$CONFDIR/dnsmasq.log
bogus-priv bogus-priv
domain-needed domain-needed
EOF EOF
@ -1831,8 +1869,7 @@ run_wifi_ap_processes() {
# sleep 1 # sleep 1
#done #done
#echo -n "hostapd PID: " ; cat $CONFDIR/hostapd.pid #echo -n "hostapd PID: " ; cat $CONFDIR/hostapd.pid
( while [ -e /proc/$HOSTAPD_PID ]; do sleep 10; done ; die "hostapd exited" ) & pid_watchdog $HOSTAPD_PID 10 "hostapd failed" &
sleep 3 sleep 3
} }
@ -1855,9 +1892,10 @@ start_dnsmasq() {
i=$((i + 1)) i=$((i + 1))
if [[ $i -gt 10 ]]; then die "Couldn't get dnsmasq PID" ; fi if [[ $i -gt 10 ]]; then die "Couldn't get dnsmasq PID" ; fi
done done
echo -n "dnsmasq PID: " ; cat "$CONFDIR/dnsmasq.pid" DNSMASQ_PID="$(cat "$CONFDIR/dnsmasq.pid" )"
echo "dnsmasq PID: $DNSMASQ_PID"
######(wait $DNSMASQ_PID ; die "dnsmasq failed") & # wait can't deal with non-child ######(wait $DNSMASQ_PID ; die "dnsmasq failed") & # wait can't deal with non-child
( while [ -e "/proc/$DNSMASQ_PID" ]; do sleep 10; done ; die "dnsmasq exited" ) & pid_watchdog $DNSMASQ_PID 9 "dnsmasq failed" &
sleep 2 sleep 2
} }
@ -1986,6 +2024,18 @@ if [[ $IPV6 -eq 1 ]] ; then
ip -6 addr add ${GATEWAY6}/64 dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IPv6 address" ip -6 addr add ${GATEWAY6}/64 dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IPv6 address"
fi fi
function check_iptables() {
if iptables --version | grep "nf_tables" >/dev/null 2>&1 ; then
echo -e "\nWARN: Your system is using nftables. This script is tested with iptables legacy only. If you encounter problems, visit following URL for infomation:\n https://github.com/oblique/create_ap/issues/373\n https://github.com/oblique/create_ap/issues/433\n https://github.com/garywill/linux-router/issues/18\n" >&2
fi
if ! lsmod | grep -E "\bxt_comment\b" >/dev/null 2>&1 ; then
XT_COMMENT=0
fi
}
check_iptables
# enable Internet sharing # enable Internet sharing
if [[ "$SHARE_METHOD" == "none" ]]; then if [[ "$SHARE_METHOD" == "none" ]]; then