Compare commits


18 Commits

Author SHA1 Message Date
garywill d39b438161 0.7.6b 2024-02-25 10:00:00 +08:00
garywill 6aabef278b Detect firewalld and make sure it won't interfere 2024-02-25 10:00:00 +08:00
garywill 8b57dcef1a judge netns 2024-02-25 10:00:00 +08:00
garywill 1def3deb96 improve nm running judgement. use dbus also 2024-02-25 10:00:00 +08:00
garywill 04f473dc64 call disable_unwanted_forward() early 2024-02-25 10:00:00 +08:00
garywill c1bb2668dd 0.7.5b 2024-02-25 10:00:00 +08:00
garywill a4e3089e69 disable unwanted forwarding 2024-02-25 10:00:00 +08:00
garywill 8c9e16dd17 explicitly ban unwanted forwardings in start_nat() 2024-02-25 10:00:00 +08:00
garywill 40872ebb9e exclude 6 if not enabled 2024-02-25 10:00:00 +08:00
garywill 97b1ef5bd0 merge for start_redsocks() 2024-02-25 10:00:00 +08:00
garywill 9fc74d4bdb add missing local vars 2024-02-25 10:00:00 +08:00
garywill 8759ee43f1 merge for start_catch_dns() 2024-02-25 10:00:00 +08:00
garywill 5f24246e85 merge for allow_dns_port() 2024-02-25 10:00:00 +08:00
garywill 508fefa48f rename GATEWAY to GATEWAY4 2024-02-25 10:00:00 +08:00
garywill 791f6c314b merge for start_ban_lan() 2024-02-25 10:00:00 +08:00
garywill 4db9dcbdb0 merge iptables operation 4 and 6 for start_nat() 2024-02-25 10:00:00 +08:00
garywill 97269da898 use var SUBNET_NET4 , SUBNET_NET6 2024-02-25 10:00:00 +08:00
garywill 9c9b3afde6 use array for iptables custom chain 2024-02-25 10:00:00 +08:00
2 changed files with 263 additions and 177 deletions


@ -25,6 +25,7 @@ Basic features:
- Transparent proxy (redsocks) - Transparent proxy (redsocks)
- Transparent DNS proxy (hijack port 53 packets) - Transparent DNS proxy (hijack port 53 packets)
- Detect NetworkManager and make sure it won't interfere (handle interface (un)managed status) - Detect NetworkManager and make sure it won't interfere (handle interface (un)managed status)
- Detect firewalld and make sure it won't interfere our (by using `trusted` zone)
- You can run many instances, to create many different networks. Has instances managing feature. - You can run many instances, to create many different networks. Has instances managing feature.
**For many other features, see below [CLI usage](#cli-usage-and-other-features)** **For many other features, see below [CLI usage](#cli-usage-and-other-features)**
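Review bot: the added firewalld bullet reads "make sure it won't interfere our (by using `trusted` zone)" and is missing its object; "won't interfere with our interface (by putting it in the `trusted` zone)" would parallel the NetworkManager bullet directly above it. It would also help users to state the consequence in the same sentence: an interface bound to firewalld's `trusted` zone has all incoming connections accepted by firewalld, so from that point on only this script's own iptables rules (for example the `--ban-priv` chains) filter traffic from subnet clients.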
@ -120,8 +121,6 @@ sudo lnxrouter -i eth1 -o isp5 --no-dns --dhcp-dns 1.1.1.1 -6 --dhcp-dns6 [26
> 1. Stop serving local DNS > 1. Stop serving local DNS
> 2. Tell clients which DNS to use (ISP5's DNS. Or, a safe public DNS, like above example) > 2. Tell clients which DNS to use (ISP5's DNS. Or, a safe public DNS, like above example)
> Also, read *Notice 1*
</details> </details>
### Create LAN without providing Internet ### Create LAN without providing Internet
@ -136,8 +135,6 @@ sudo lnxrouter -n -i eth1
sudo lnxrouter -n --ap wlan0 MyAccessPoint -p MyPassPhrase sudo lnxrouter -n --ap wlan0 MyAccessPoint -p MyPassPhrase
``` ```
> Read _Notice 1_
</details> </details>
### Internet for LXC ### Internet for LXC
@ -312,17 +309,16 @@ Options:
and to provide Internet to and to provide Internet to
(To create WiFi hotspot use '--ap' instead) (To create WiFi hotspot use '--ap' instead)
-o <interface> Specify an inteface to provide Internet from. -o <interface> Specify an inteface to provide Internet from.
(See Notice 1)
(Note using this with default DNS option may leak (Note using this with default DNS option may leak
queries to other interfaces) queries to other interfaces)
-n Do not provide Internet (See Notice 1) -n Do not provide Internet
--ban-priv Disallow clients to access my private network --ban-priv Disallow clients to access my private network
-g <ip> This host's IPv4 address in subnet (mask is /24) -g <ip> This host's IPv4 address in subnet (mask is /24)
(example: '192.168.5.1' or '5' shortly) (example: '192.168.5.1' or '5' shortly)
-6 Enable IPv6 (NAT) -6 Enable IPv6 (NAT)
--no4 Disable IPv4 Internet (not forwarding IPv4) --no4 Disable IPv4 Internet (not forwarding IPv4).
(See Notice 1). Usually used with '-6' Usually used with '-6'
--p6 <prefix> Set IPv6 LAN address prefix (length 64) --p6 <prefix> Set IPv6 LAN address prefix (length 64)
(example: 'fd00:0:0:5::' or '5' shortly) (example: 'fd00:0:0:5::' or '5' shortly)
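Review bot: the unchanged context line `-o <interface> Specify an inteface to provide Internet from.` carries the typo "inteface"; since this hunk already reworks the surrounding lines (dropping the "(See Notice 1)" references from `-o`, `-n` and `--no4`), fixing it here is cheap. The same help text is duplicated verbatim in the script's usage output, so the fix has to be applied in both places or the two copies will keep diverging.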
@ -419,11 +415,10 @@ Options:
For <id> you can use PID or subnet interface name. For <id> you can use PID or subnet interface name.
You can get them with '--list-running' You can get them with '--list-running'
Notice 1: This script assume your host's default policy won't forward Examples:
packets, so the script won't explictly ban forwarding in any lnxrouter -i eth1
mode. In some unexpected case (eg. mistaken configurations) may lnxrouter --ap wlan0 MyAccessPoint -p MyPassPhrase
cause unwanted packets leakage between 2 networks, which you lnxrouter -i eth1 --tp <transparent-proxy> --dns <dns-proxy>
should be aware of if you want isolated network
``` ```
</details> </details>
@ -455,30 +450,10 @@ Visit [**my homepage** 🏡](https://garywill.github.io) to see **more tools and
- 🍃 Also some [unfulfilled enhancements in the Issues](https://github.com/garywill/linux-router/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement) - 🍃 Also some [unfulfilled enhancements in the Issues](https://github.com/garywill/linux-router/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement)
- 🙋‍♂️ Contributions are not limited to coding. There're [some posts and questions](https://github.com/garywill/linux-router/issues) that need more people to answer - 🙋‍♂️ Contributions are not limited to coding. There're [some posts and questions](https://github.com/garywill/linux-router/issues) that need more people to answer
## Notice
<details>
```
Notice 1: This script assume your host's default policy won't forward
packets, so the script won't explictly ban forwarding in any
mode. In some unexpected case (eg. mistaken configurations) may
cause unwanted packets leakage between 2 networks, which you
should be aware of if you want isolated network
```
</details>
## TODO ## TODO
Sooner is better:
- Detect firewalld and make sure it won't interfere our interface
Future:
- WPA3 - WPA3
- Global IPv6 - Global IPv6
- Explictly ban forwarding if not needed - Explictly ban forwarding if not needed
- Bring bridging method back
## License ## License

lnxrouter Executable file → Normal file

@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
VERSION=0.7.3 VERSION=0.7.6b
PROGNAME="$(basename "$0")" PROGNAME="$(basename "$0")"
export LC_ALL=C export LC_ALL=C
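Review bot: the file header shows `lnxrouter Executable file → Normal file`, i.e. this commit range drops the executable bit on the script, and none of the 18 commit messages mentions a mode change, so it looks like an accidental side effect of an editor or checkout. Anyone invoking `./lnxrouter` or a copy in `PATH` directly would get "Permission denied". Suggest restoring the mode (`git update-index --chmod=+x lnxrouter`) so that the version bump to `VERSION=0.7.6b` is the only change in this hunk.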
@ -29,17 +29,16 @@ Options:
and to provide Internet to and to provide Internet to
(To create WiFi hotspot use '--ap' instead) (To create WiFi hotspot use '--ap' instead)
-o <interface> Specify an inteface to provide Internet from. -o <interface> Specify an inteface to provide Internet from.
(See Notice 1)
(Note using this with default DNS option may leak (Note using this with default DNS option may leak
queries to other interfaces) queries to other interfaces)
-n Do not provide Internet (See Notice 1) -n Do not provide Internet
--ban-priv Disallow clients to access my private network --ban-priv Disallow clients to access my private network
-g <ip> This host's IPv4 address in subnet (mask is /24) -g <ip> This host's IPv4 address in subnet (mask is /24)
(example: '192.168.5.1' or '5' shortly) (example: '192.168.5.1' or '5' shortly)
-6 Enable IPv6 (NAT) -6 Enable IPv6 (NAT)
--no4 Disable IPv4 Internet (not forwarding IPv4) --no4 Disable IPv4 Internet (not forwarding IPv4).
(See Notice 1). Usually used with '-6' Usually used with '-6'
--p6 <prefix> Set IPv6 LAN address prefix (length 64) --p6 <prefix> Set IPv6 LAN address prefix (length 64)
(example: 'fd00:0:0:5::' or '5' shortly) (example: 'fd00:0:0:5::' or '5' shortly)
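Review bot: same typo as in the README copy of this text: the context line `-o <interface> Specify an inteface to provide Internet from.` should read "interface". Since the hunk already edits the `-o`, `-n` and `--no4` entries around it, this is the natural place to correct it, in step with the README.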
@ -136,12 +135,6 @@ Options:
For <id> you can use PID or subnet interface name. For <id> you can use PID or subnet interface name.
You can get them with '--list-running' You can get them with '--list-running'
Notice 1: This script assume your host's default policy won't forward
packets, so the script won't explictly ban forwarding in any
mode. In some unexpected case (eg. mistaken configurations) may
cause unwanted packets leakage between 2 networks, which you
should be aware of if you want isolated network
Examples: Examples:
$PROGNAME -i eth1 $PROGNAME -i eth1
$PROGNAME --ap wlan0 MyAccessPoint -p MyPassPhrase $PROGNAME --ap wlan0 MyAccessPoint -p MyPassPhrase
@ -159,7 +152,7 @@ check_empty_option(){
define_global_variables(){ define_global_variables(){
# user options # user options
GATEWAY= # IPv4 address for this host GATEWAY4= # IPv4 address for this host
PREFIX6= # IPv6 LAN address prefix for this host PREFIX6= # IPv6 LAN address prefix for this host
IID6=1 # IPv6 LAN ID for this host IID6=1 # IPv6 LAN ID for this host
IPV6=0 # enable ipv6 IPV6=0 # enable ipv6
@ -187,6 +180,8 @@ define_global_variables(){
SUBNET_IFACE= # which interface to create network SUBNET_IFACE= # which interface to create network
SHARE_METHOD=nat SHARE_METHOD=nat
OLD_MACADDR= OLD_MACADDR=
SUBNET_NET4=
SUBNET_NET6=
##### wifi hotspot ##### wifi hotspot
@ -222,7 +217,6 @@ define_global_variables(){
VIRT_NAME= # name to use for virtual interface if --virt-name is used VIRT_NAME= # name to use for virtual interface if --virt-name is used
AP_IFACE= # can be VWIFI_IFACE or WIFI_IFACE AP_IFACE= # can be VWIFI_IFACE or WIFI_IFACE
USE_IWCONFIG=0 # some device can't use iw USE_IWCONFIG=0 # some device can't use iw
####### #######
#-- to deal with info of a running instance. then will exit #-- to deal with info of a running instance. then will exit
@ -232,8 +226,11 @@ define_global_variables(){
# -- variables for running # -- variables for running
CONFDIR= CONFDIR=
NM_RUNNING=0 IP_VERs=
NM_UNM_LIST= # it's called "list" but for now one interface NM_UNM_LIST= # it's called "list" but for now one interface
NM_PID=
FIREWALLD_PID=
TMP_FIREWALLD_ZONE=
} }
parse_user_options(){ parse_user_options(){
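Review bot: `IP_VERs=` declares a scalar, but every consumer iterates it as an array (`"${IP_VERs[@]}"`), and the main flow later assigns `IP_VERs=("4")` / `IP_VERs=("4" "6")`; `IP_VERs=()` here would state the intent and avoid the empty-string element a scalar would contribute if the array form were ever dropped. The new `NM_PID`, `FIREWALLD_PID` and `TMP_FIREWALLD_ZONE` entries also lack the one-line comments their neighbours have; `TMP_FIREWALLD_ZONE` in particular is read from `_cleanup`, which is worth recording next to its declaration.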
@ -275,7 +272,7 @@ parse_user_options(){
-g) -g)
shift shift
GATEWAY="$1" GATEWAY4="$1"
shift shift
;; ;;
-6) -6)
@ -859,15 +856,39 @@ pid_watchdog() {
} }
#======== #========
get_pid_by_dbus_name() {
local DBUS_NAME="$1"
local pid r
which dbus-send >/dev/null 2>&1 || return 1
pid="$( dbus-send --system --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetConnectionUnixProcessID string:$DBUS_NAME | grep " uint32 " | awk '{print $2}' )" 2>/dev/null
r=$?
echo "$pid"
return $r
}
is_same_netns() {
local pid2="$1"
[[ ! -f /proc/$$/ns/net ]] && return 0 # no netns feature. treat as same
[[ "$(readlink /proc/$$/ns/net)" == "$(readlink /proc/$pid2/ns/net)" ]] && return 0
return 1
}
#-----------------
# only support NetworkManager >= 0.9.9 # only support NetworkManager >= 0.9.9
is_nm_running() { is_nm_running() {
NM_PID="$(get_pid_by_dbus_name "org.freedesktop.NetworkManager")"
[[ ! -n "$NM_PID" ]] && return 1 # not running
if (which nmcli >/dev/null 2>&1 ) && (nmcli -t -f RUNNING g 2>&1 | grep -E '^running$' >/dev/null 2>&1 ) ; then if (which nmcli >/dev/null 2>&1 ) && (nmcli -t -f RUNNING g 2>&1 | grep -E '^running$' >/dev/null 2>&1 ) ; then
echo 1 if is_same_netns "$NM_PID"; then
else return 0
echo 0
fi fi
fi
NM_PID= # cancel value if treat as not running
return 1 # not running
} }
nm_knows() { nm_knows() {
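Review bot: in `get_pid_by_dbus_name` the status captured by `r=$?` is the status of the `pid="$(...)"` assignment, which is the exit status of the last command in the substituted pipeline (`awk`), so `r` is 0 even when `dbus-send` fails or the bus name has no owner; the trailing `2>/dev/null` on the assignment does not reach the commands inside `$( )` either, so `dbus-send` errors still go to the terminal. Both callers only test whether the echoed PID is non-empty, so either drop the return value or derive it from the content (`[[ -n "$pid" ]]`), and move the `2>/dev/null` onto the `dbus-send` invocation itself. Separately, `string:$DBUS_NAME` should be quoted like the rest of the script's expansions. The netns check in `is_same_netns` is a good addition: a NetworkManager or firewalld instance visible on the system bus but living in another network namespace cannot touch this interface, and the old `nmcli` only test could not tell the difference.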
@ -903,21 +924,38 @@ nm_restore_manage() {
sleep 0.5 sleep 0.5
fi fi
} }
#========= #-------
check_iptables() is_firewalld_running() {
{ FIREWALLD_PID="$(get_pid_by_dbus_name "org.fedoraproject.FirewallD1")"
echo
iptables --version
if which firewall-cmd > /dev/null 2>&1; then [[ ! -n "$FIREWALLD_PID" ]] && return 1 # not running
if [[ "$(firewall-cmd --state 2>&1)" == "running" ]]; then
if (which firewall-cmd >/dev/null 2>&1 ) && [[ "$(firewall-cmd --state 2>&1)" == "running" ]] ; then
if is_same_netns "$FIREWALLD_PID"; then
echo "firewalld is running ($(firewall-cmd --version))" echo "firewalld is running ($(firewall-cmd --version))"
echo -e "\nWARN: We haven't completed the compatibility with firewalld.\nWARN: If you see any trouble, try:\nWARN: 1) 'firewall-cmd --zone=trusted --add-interface=<SUBN_IFACE>'\nWARN: 2) disable firewalld\n" >&2 return 0
# TODO
fi fi
fi fi
FIREWALLD_PID= # cancel value if treat as not running
return 1 # not running
}
firewalld_add_tmpzone() {
# TMP_FIREWALLD_ZONE="lrt${$}${SUBNET_IFACE}"
TMP_FIREWALLD_ZONE="trusted"
# firewall-cmd --new-zone=$TMP_FIREWALLD_ZONE || die "Failed creating temporary firewalld zone"
echo "Adding $SUBNET_IFACE to firewalld '$TMP_FIREWALLD_ZONE' zone"
firewall-cmd --zone=$TMP_FIREWALLD_ZONE --add-interface=$SUBNET_IFACE >/dev/null || die "Failed adding interface to firewalld temporary zone"
}
firewalld_del_tmpzone() {
if [[ -n "$TMP_FIREWALLD_ZONE" ]];then
echo "Removing $SUBNET_IFACE from firewalld '$TMP_FIREWALLD_ZONE' zone"
firewall-cmd --zone=$TMP_FIREWALLD_ZONE --remove-interface=$SUBNET_IFACE >/dev/null
# firewall-cmd --delete-zone=$TMP_FIREWALLD_ZONE
fi
} }
#=========
CUSTOM_CHAINS_4_filter= CUSTOM_CHAINS_4_filter=
CUSTOM_CHAINS_4_nat= CUSTOM_CHAINS_4_nat=
CUSTOM_CHAINS_6_filter= CUSTOM_CHAINS_6_filter=
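Review bot: `firewalld_add_tmpzone` binds the subnet interface to the built-in `trusted` zone instead of the dedicated per-instance zone left commented out (`lrt${$}${SUBNET_IFACE}`). Two consequences deserve a comment in the code: `trusted` accepts every incoming connection on that interface, so firewalld no longer filters subnet clients at all and only this script's own INPUT/FORWARD rules do; and `--add-interface` fails with ZONE_CONFLICT when the interface is already bound to a different zone, so `--change-interface` (or removing it from its current zone first) is the more robust call. Making the change runtime-only (no `--permanent`) is the right choice, since `firewalld_del_tmpzone` undoes it on exit. One more point: `firewalld_del_tmpzone` is reached from `_cleanup` even if firewalld has stopped in the meantime, in which case `firewall-cmd` prints an error to stderr; guarding the removal with `is_firewalld_running` would keep the cleanup quiet.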
@ -946,6 +984,8 @@ iptb()
local FULL="" local FULL=""
local ADD_TO_UNDO=1 local ADD_TO_UNDO=1
local arr_name w
for arr_name in CUSTOM_CHAINS_4_filter CUSTOM_CHAINS_4_nat CUSTOM_CHAINS_6_filter CUSTOM_CHAINS_6_nat for arr_name in CUSTOM_CHAINS_4_filter CUSTOM_CHAINS_4_nat CUSTOM_CHAINS_6_filter CUSTOM_CHAINS_6_nat
do do
local arr_content local arr_content
@ -997,86 +1037,146 @@ iptb()
return $? return $?
} }
start_nat() { disable_unwanted_forwarding() {
if [[ $INTERNET_IFACE ]]; then for iv in "${IP_VERs[@]}"; do
IPTABLES_NAT_OUT="-o ${INTERNET_IFACE}" if [[ "$INTERNET_IFACE" ]]; then
IPTABLES_NAT_IN="-i ${INTERNET_IFACE}" iptb "$iv" n filter I FORWARD \
MASQUERADE_NOTOUT="" -i "$SUBNET_IFACE" ! -o "$INTERNET_IFACE" \
else -j REJECT || die
MASQUERADE_NOTOUT="! -o ${SUBNET_IFACE}" iptb "$iv" n filter I FORWARD \
fi ! -i "$INTERNET_IFACE" -o "$SUBNET_IFACE" \
echo -j REJECT || die
echo "iptables: NAT "
if [[ $NO4 -eq 0 ]]; then
iptb 4 v nat I POSTROUTING -s ${GATEWAY%.*}.0/24 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${GATEWAY%.*}.0/24 -j MASQUERADE || die
iptb 4 v filter I FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${GATEWAY%.*}.0/24 -j ACCEPT || die
iptb 4 v filter I FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN -d ${GATEWAY%.*}.0/24 -j ACCEPT || die
fi fi
iptb 6 v nat I POSTROUTING -s ${PREFIX6}/64 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${PREFIX6}/64 -j MASQUERADE || die if [[ "$SHARE_METHOD" == 'redsocks' || "$SHARE_METHOD" == 'none' \
iptb 6 v filter I FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${PREFIX6}/64 -j ACCEPT || die || ( "$iv" -eq "4" && "$NO4" -eq 1 ) ]];then
iptb 6 v filter I FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN -d ${PREFIX6}/64 -j ACCEPT || die iptb "$iv" n filter I FORWARD -i "$SUBNET_IFACE" -j REJECT || die
iptb "$iv" n filter I FORWARD -o "$SUBNET_IFACE" -j REJECT || die
fi
done
}
start_nat() {
local SUBNET_NET
local iv
echo
echo "iptables: NAT "
for iv in "${IP_VERs[@]}"; do
[[ "$iv" -eq "4" && ! $NO4 -eq 0 ]] && continue
[[ "$iv" -eq "4" ]] && SUBNET_NET="$SUBNET_NET4"
[[ "$iv" -eq "6" ]] && SUBNET_NET="$SUBNET_NET6"
if [[ -n "$INTERNET_IFACE" ]]; then # only one Internet interface
# masquerade subnet -> internet
iptb "$iv" v nat I POSTROUTING -s "$SUBNET_NET" ! -d "$SUBNET_NET" \
-o "$INTERNET_IFACE" \
-j MASQUERADE || die
# forward subnet -> internet
iptb "$iv" v filter I FORWARD -i "$SUBNET_IFACE" -s "$SUBNET_NET" \
-o $INTERNET_IFACE \
-j ACCEPT || die
# forward any -> subnet
iptb "$iv" v filter I FORWARD -o "$SUBNET_IFACE" -d "$SUBNET_NET" \
-i "$INTERNET_IFACE" \
-j ACCEPT || die
else # any interface can be Internet
# masquerade subnet -> any(!subnet)
iptb "$iv" v nat I POSTROUTING -s "$SUBNET_NET" ! -d "$SUBNET_NET" \
! -o "$SUBNET_IFACE" \
-j MASQUERADE || die
# forward subnet -> any
iptb "$iv" v filter I FORWARD -i "$SUBNET_IFACE" -s "$SUBNET_NET" \
-j ACCEPT || die
# forward any -> subnet
iptb "$iv" v filter I FORWARD -o "$SUBNET_IFACE" -d "$SUBNET_NET" \
-j ACCEPT || die
fi
done
} }
start_ban_lan() { start_ban_lan() {
local arr_nets_to_protect
local ICMP_NAME
local iv s
echo echo
echo "iptables: Disallow clients to access LAN" echo "iptables: Disallow clients to access LAN"
iptb 4 n filter N lrt${$}${SUBNET_IFACE}-BLF || die
for iv in "${IP_VERs[@]}"; do
# ban forwarding for subnet
iptb "$iv" n filter N lrt${$}${SUBNET_IFACE}-BLF || die
# TODO: allow '--dhcp-dns(6)' address port 53, which can be something needed, e.g. a VPN's internal private IP # TODO: allow '--dhcp-dns(6)' address port 53, which can be something needed, e.g. a VPN's internal private IP
iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 0.0.0.0/8 -j REJECT || die # TODO: use array if [[ "$iv" -eq "4" ]]; then
iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 10.0.0.0/8 -j REJECT || die arr_nets_to_protect=("0.0.0.0/8" "10.0.0.0/8" "100.64.0.0/10" "127.0.0.0/8" "169.254.0.0/16" "172.16.0.0/12" "192.168.0.0/16" "224.0.0.0/4" "255.255.255.255")
iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 100.64.0.0/10 -j REJECT || die ICMP_NAME="icmp"
iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 127.0.0.0/8 -j REJECT || die elif [[ "$iv" -eq "6" ]]; then
iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 169.254.0.0/16 -j REJECT || die arr_nets_to_protect=("fc00::/7" "fe80::/10" "ff00::/8" "::1" "::/128" "::ffff:0:0/96" "::ffff:0:0:0/96")
iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 172.16.0.0/12 -j REJECT || die ICMP_NAME="icmpv6"
iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 192.168.0.0/16 -j REJECT || die fi
iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 224.0.0.0/4 -j REJECT || die for s in "${arr_nets_to_protect[@]}"; do
iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 255.255.255.255 -j REJECT || die iptb "$iv" v filter I lrt${$}${SUBNET_IFACE}-BLF -d "$s" -j REJECT || die
done
iptb "$iv" n filter I FORWARD -i ${SUBNET_IFACE} -j lrt${$}${SUBNET_IFACE}-BLF || die
iptb 4 n filter I FORWARD -i ${SUBNET_IFACE} -j lrt${$}${SUBNET_IFACE}-BLF || die # ban input from subnet
iptb "$iv" n filter N lrt${$}${SUBNET_IFACE}-BLI || die
iptb 4 n filter N lrt${$}${SUBNET_IFACE}-BLI || die iptb "$iv" v filter I lrt${$}${SUBNET_IFACE}-BLI -i ${SUBNET_IFACE} ! -p "$ICMP_NAME" -j REJECT || die # ipv6 need icmp to function. TODO: maybe we can block some unneeded icmp to improve security
iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLI -i ${SUBNET_IFACE} ! -p icmp -j REJECT || die # ipv6 need icmp to function. TODO: maybe we can block some unneeded icmp to improve security iptb "$iv" n filter I INPUT -i ${SUBNET_IFACE} -j lrt${$}${SUBNET_IFACE}-BLI || die
done
iptb 4 n filter I INPUT -i ${SUBNET_IFACE} -j lrt${$}${SUBNET_IFACE}-BLI || die
iptb 6 n filter N lrt${$}${SUBNET_IFACE}-BLF || die
iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d fc00::/7 -j REJECT || die
iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d fe80::/10 -j REJECT || die
iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ff00::/8 -j REJECT || die
iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ::1 -j REJECT || die
iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ::/128 -j REJECT || die
iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ::ffff:0:0/96 -j REJECT || die
iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ::ffff:0:0:0/96 -j REJECT || die
iptb 6 n filter I FORWARD -i ${SUBNET_IFACE} -j lrt${$}${SUBNET_IFACE}-BLF || die
iptb 6 n filter N lrt${$}${SUBNET_IFACE}-BLI || die
iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLI -i ${SUBNET_IFACE} ! -p icmpv6 -j REJECT || die
iptb 6 n filter I INPUT -i ${SUBNET_IFACE} -j lrt${$}${SUBNET_IFACE}-BLI || die
} }
allow_dns_port() { allow_dns_port() {
local SUBNET_NET
local GATEWAY
local PROTs
local iv pt
echo echo
echo "iptables: allow DNS" echo "iptables: allow DNS"
iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j ACCEPT || die
iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j ACCEPT || die for iv in "${IP_VERs[@]}"; do
iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j ACCEPT || die [[ "$iv" -eq "4" ]] && GATEWAY="$GATEWAY4"
iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j ACCEPT || die [[ "$iv" -eq "6" ]] && GATEWAY="$GATEWAY6"
[[ "$iv" -eq "4" ]] && SUBNET_NET="$SUBNET_NET4"
[[ "$iv" -eq "6" ]] && SUBNET_NET="$SUBNET_NET6"
PROTs=("tcp" "udp")
for pt in "${PROTs[@]}"; do
iptb "$iv" v filter I INPUT -i "$SUBNET_IFACE" -s "$SUBNET_NET" -d "$GATEWAY" -p "$pt" -m "$pt" --dport 53 -j ACCEPT || die
done
done
} }
start_catch_dns() { start_catch_dns() {
local GATEWAY
local PROTs
local iv pt
echo echo
echo "iptables: redirect DNS queries to this host" echo "iptables: redirect DNS queries to this host"
iptb 4 v nat I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 || die
iptb 4 v nat I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 || die
iptb 6 v nat I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 || die for iv in "${IP_VERs[@]}"; do
iptb 6 v nat I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 || die [[ "$iv" -eq "4" ]] && GATEWAY="$GATEWAY4"
[[ "$iv" -eq "6" ]] && GATEWAY="$GATEWAY6"
PROTs=("tcp" "udp")
for pt in "${PROTs[@]}"; do
iptb "$iv" v nat I PREROUTING -i "$SUBNET_IFACE" ! -d "$GATEWAY" -p "$pt" -m "$pt" --dport 53 -j REDIRECT --to-ports 53 || die
done
done
} }
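Review bot: the correctness of `disable_unwanted_forwarding` rests on an implicit ordering: its REJECT rules are inserted at the top of FORWARD first, and `start_nat` / `start_ban_lan` later insert (`I`) their ACCEPT rules and chain jumps above them, so the REJECTs end up as the fallback rather than shadowing the ACCEPTs. That invariant (call `disable_unwanted_forwarding` before any other FORWARD insert) is visible only from the main flow; a comment on the function would protect it from a future reordering. Two small things in the same region: `iv` is not declared `local` in `disable_unwanted_forwarding` although every sibling function declares it, and `-o $INTERNET_IFACE` in the "forward subnet -> internet" rule of `start_nat` is the one unquoted expansion among otherwise quoted arguments. The array-driven rewrite of `start_ban_lan` is otherwise a clear improvement over the twenty near-identical `iptb` lines it replaces, and it fixes the `! -p icmp` / `! -p icmpv6` split via `ICMP_NAME` without changing behaviour.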
@ -1090,44 +1190,41 @@ allow_dhcp() {
# TODO: use 'DNAT' instead of '--to-ports' to support other IP # TODO: use 'DNAT' instead of '--to-ports' to support other IP
start_redsocks() { start_redsocks() {
local SUBNET_NET
local arr_nets_to_ignore
local s iv
echo echo
echo "iptables: transparent proxy non-LAN TCP and UDP(not tested) traffic to port ${TP_PORT}" echo "iptables: transparent proxy non-LAN TCP and UDP(not tested) traffic to port ${TP_PORT}"
if [[ $NO4 -eq 0 ]]; then
iptb 4 n nat N lrt${$}${SUBNET_IFACE}-TP || die
iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 0.0.0.0/8 -j RETURN || die
iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 10.0.0.0/8 -j RETURN || die
iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 100.64.0.0/10 -j RETURN || die
iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 127.0.0.0/8 -j RETURN || die
iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 169.254.0.0/16 -j RETURN || die
iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 172.16.0.0/12 -j RETURN || die
iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 192.168.0.0/16 -j RETURN || die
iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 224.0.0.0/4 -j RETURN || die
iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 255.255.255.255 -j RETURN || die
iptb 4 v nat A lrt${$}${SUBNET_IFACE}-TP -p tcp -j REDIRECT --to-ports ${TP_PORT} || die for iv in "${IP_VERs[@]}"; do
iptb 4 v nat A lrt${$}${SUBNET_IFACE}-TP -p udp -j REDIRECT --to-ports ${TP_PORT} || die [[ "$iv" -eq "4" && ! $NO4 -eq 0 ]] && continue
iptb 4 v nat I PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -j lrt${$}${SUBNET_IFACE}-TP || die [[ "$iv" -eq "4" ]] && SUBNET_NET="$SUBNET_NET4"
[[ "$iv" -eq "6" ]] && SUBNET_NET="$SUBNET_NET6"
iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT || die
iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p udp -m udp --dport ${TP_PORT} -j ACCEPT || die iptb "$iv" n nat N lrt${$}${SUBNET_IFACE}-TP || die
if [[ "$iv" -eq "4" ]]; then
arr_nets_to_ignore=("0.0.0.0/8" "10.0.0.0/8" "100.64.0.0/10" "127.0.0.0/8" "169.254.0.0/16" "172.16.0.0/12" "192.168.0.0/16" "224.0.0.0/4" "255.255.255.255")
elif [[ "$iv" -eq "6" ]];then
arr_nets_to_ignore=("fc00::/7" "fe80::/10" "ff00::/8" "::1" "::")
fi fi
iptb 6 n nat N lrt${$}${SUBNET_IFACE}-TP || die for s in "${arr_nets_to_ignore[@]}"; do
iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d fc00::/7 -j RETURN || die iptb "$iv" n nat A lrt${$}${SUBNET_IFACE}-TP -d "$s" -j RETURN || die
iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d fe80::/10 -j RETURN || die done
iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d ff00::/8 -j RETURN || die
iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d ::1 -j RETURN || die
iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d :: -j RETURN || die
iptb 6 v nat A lrt${$}${SUBNET_IFACE}-TP -p tcp -j REDIRECT --to-ports ${TP_PORT} || die iptb "$iv" v nat A lrt${$}${SUBNET_IFACE}-TP -p tcp -j REDIRECT --to-ports ${TP_PORT} || die
iptb 6 v nat A lrt${$}${SUBNET_IFACE}-TP -p udp -j REDIRECT --to-ports ${TP_PORT} || die iptb "$iv" v nat A lrt${$}${SUBNET_IFACE}-TP -p udp -j REDIRECT --to-ports ${TP_PORT} || die
iptb 6 v nat I PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -j lrt${$}${SUBNET_IFACE}-TP || die iptb "$iv" v nat I PREROUTING -i "$SUBNET_IFACE" -s "$SUBNET_NET" -j lrt${$}${SUBNET_IFACE}-TP || die
iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT || die
iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p udp -m udp --dport ${TP_PORT} -j ACCEPT || die
iptb "$iv" v filter I INPUT -i "$SUBNET_IFACE" -s "$SUBNET_NET" -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT || die
iptb "$iv" v filter I INPUT -i "$SUBNET_IFACE" -s "$SUBNET_NET" -p udp -m udp --dport ${TP_PORT} -j ACCEPT || die
done
} }
#--------------------------------------- #---------------------------------------
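Review bot: the IPv4 `arr_nets_to_ignore` here is byte-for-byte the `arr_nets_to_protect` list in `start_ban_lan`, while the two IPv6 lists differ (`::` here versus `::/128`, and `::ffff:0:0/96` / `::ffff:0:0:0/96` appear only in `start_ban_lan`). If the difference is intentional, for instance not bypassing the proxy for IPv4-mapped destinations, a comment should say so; otherwise define each list once, near the `CUSTOM_CHAINS_*` variables, and reference it from both functions so the sets cannot drift further apart. The commit title "merge for start_redsocks()" suggests consolidation was the goal, and a shared definition would finish it.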
@ -1231,6 +1328,8 @@ _cleanup() {
ip link set down dev "${SUBNET_IFACE}" ip link set down dev "${SUBNET_IFACE}"
firewalld_del_tmpzone
if [[ $VWIFI_IFACE ]]; then # the subnet interface (virtual wifi interface) will be removed if [[ $VWIFI_IFACE ]]; then # the subnet interface (virtual wifi interface) will be removed
iw dev "${VWIFI_IFACE}" del iw dev "${VWIFI_IFACE}" del
dealloc_vface_name "$VWIFI_IFACE" dealloc_vface_name "$VWIFI_IFACE"
@ -1669,11 +1768,11 @@ decide_target_interface() {
} }
decide_ip_addresses() { decide_ip_addresses() {
if [[ ! -n $GATEWAY ]]; then if [[ ! -n $GATEWAY4 ]]; then
GATEWAY="$(generate_random_ip4)" GATEWAY4="$(generate_random_ip4)"
echo "Use random LAN IPv4 address $GATEWAY" echo "Use random LAN IPv4 address $GATEWAY4"
elif [[ ! "$GATEWAY" =~ "." ]]; then elif [[ ! "$GATEWAY4" =~ "." ]]; then
GATEWAY="192.168.${GATEWAY}.1" GATEWAY4="192.168.${GATEWAY4}.1"
fi fi
if [[ $IPV6 -eq 1 && ! -n $PREFIX6 ]]; then if [[ $IPV6 -eq 1 && ! -n $PREFIX6 ]]; then
@ -1685,6 +1784,10 @@ decide_ip_addresses() {
if [[ $IPV6 -eq 1 ]]; then if [[ $IPV6 -eq 1 ]]; then
GATEWAY6="${PREFIX6}${IID6}" GATEWAY6="${PREFIX6}${IID6}"
fi fi
SUBNET_NET4="${GATEWAY4%.*}.0/24"
[[ $IPV6 -eq 1 ]] && SUBNET_NET6="${PREFIX6}/64"
} }
prepare_wifi_interface() { prepare_wifi_interface() {
@ -1874,6 +1977,7 @@ write_hostapd_conf() {
} }
write_dnsmasq_conf() { write_dnsmasq_conf() {
local i
if grep "^nobody:" /etc/group >/dev/null 2>&1 ; then if grep "^nobody:" /etc/group >/dev/null 2>&1 ; then
NOBODY_GROUP="nobody" NOBODY_GROUP="nobody"
else else
@ -1888,12 +1992,12 @@ write_dnsmasq_conf() {
user=nobody user=nobody
group=$NOBODY_GROUP group=$NOBODY_GROUP
bind-dynamic bind-dynamic
listen-address=${GATEWAY} listen-address=${GATEWAY4}
interface=$SUBNET_IFACE interface=$SUBNET_IFACE
except-interface=lo except-interface=lo
no-dhcp-interface=lo no-dhcp-interface=lo
dhcp-range=${GATEWAY%.*}.10,${GATEWAY%.*}.250,255.255.255.0 dhcp-range=${GATEWAY4%.*}.10,${GATEWAY4%.*}.250,255.255.255.0
dhcp-option-force=option:router,${GATEWAY} dhcp-option-force=option:router,${GATEWAY4}
#log-dhcp #log-dhcp
log-facility=$CONFDIR/dnsmasq.log log-facility=$CONFDIR/dnsmasq.log
bogus-priv bogus-priv
@ -1907,7 +2011,7 @@ write_dnsmasq_conf() {
fi fi
if [[ "$DHCP_DNS" != "no" ]]; then if [[ "$DHCP_DNS" != "no" ]]; then
if [[ "$DHCP_DNS" == "gateway" ]]; then if [[ "$DHCP_DNS" == "gateway" ]]; then
dns_offer="$GATEWAY" dns_offer="$GATEWAY4"
else else
dns_offer="$DHCP_DNS" dns_offer="$DHCP_DNS"
fi fi
@ -2049,8 +2153,6 @@ ARGS=( "$@" )
parse_user_options "$@" parse_user_options "$@"
# TODO: detect user option conflict # TODO: detect user option conflict
# check if networkManager running
NM_RUNNING="$(is_nm_running)"
TMPDIR="$(decide_tmpdir)" TMPDIR="$(decide_tmpdir)"
@ -2123,7 +2225,7 @@ fi
#=================================================== #===================================================
# set interface unmanaged by networkManager # set interface unmanaged by networkManager
if [[ $NM_RUNNING -eq 1 ]] && nm_knows "$TARGET_IFACE"; then # if nm knows target iface, should know subnet iface too. but need to wait until nm finds subnet iface (waiting code is in nm_set_unmanaged() if is_nm_running && nm_knows "$TARGET_IFACE"; then # if nm knows target iface, should know subnet iface too. but need to wait until nm finds subnet iface (waiting code is in nm_set_unmanaged()
nm_set_unmanaged "${SUBNET_IFACE}" # will write NM_UNM_LIST nm_set_unmanaged "${SUBNET_IFACE}" # will write NM_UNM_LIST
fi fi
@ -2140,6 +2242,20 @@ dealwith_mac # setting MAC should be after setting NM unmanaged
[[ $WIFI_IFACE ]] && check_rfkill_unblock_wifi [[ $WIFI_IFACE ]] && check_rfkill_unblock_wifi
echo
iptables --version
echo "Notice: Not showing all operations done to iptables rules"
if [[ "$IPV6" -eq 0 ]]; then
IP_VERs=("4")
else
IP_VERs=("4" "6")
fi
disable_unwanted_forwarding
# bring subnet interface up # bring subnet interface up
ip link set up dev "${SUBNET_IFACE}" || die "Failed bringing ${SUBNET_IFACE} up" ip link set up dev "${SUBNET_IFACE}" || die "Failed bringing ${SUBNET_IFACE} up"
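Review bot: placing `disable_unwanted_forwarding` before `ip link set up` is the right order, since the REJECT rules then exist before the subnet interface can carry a single packet, and it is the reason the call cannot simply sit next to `start_nat`; a one-line comment at the call site would record that. Also, `iptables --version` now runs unconditionally here: if the binary is missing the message goes to stderr and the script keeps going until the first `iptb` call dies, so this is the natural spot for an explicit `which iptables >/dev/null 2>&1 || die "iptables not found"` (and `ip6tables` when `IPV6` is 1), matching how the script already probes `nmcli` and `firewall-cmd` with `which`.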
@ -2147,7 +2263,7 @@ ip link set up dev "${SUBNET_IFACE}" || die "Failed bringing ${SUBNET_IFACE} up"
[[ $WIFI_IFACE ]] && run_wifi_ap_processes [[ $WIFI_IFACE ]] && run_wifi_ap_processes
# add ipv4 address to subnet interface # add ipv4 address to subnet interface
ip -4 addr add ${GATEWAY}/24 broadcast ${GATEWAY%.*}.255 dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IPv4 address" ip -4 addr add ${GATEWAY4}/24 broadcast ${GATEWAY4%.*}.255 dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IPv4 address"
set_ipv6_bits set_ipv6_bits
@ -2156,25 +2272,15 @@ if [[ $IPV6 -eq 1 ]] ; then
ip -6 addr add ${GATEWAY6}/64 dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IPv6 address" ip -6 addr add ${GATEWAY6}/64 dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IPv6 address"
fi fi
check_iptables
echo "NOTICE: Not showing all operations done to iptables rules"
[[ "$NO4" -eq 1 ]] && echo -e "\nWARN: Since you're using in this mode (no IPv4 Internet), make sure you've read Notice 1\n" >&2
# enable Internet sharing # enable Internet sharing
if [[ "$SHARE_METHOD" == "none" ]]; then if [[ "$SHARE_METHOD" == "none" ]]; then
echo "No Internet sharing" echo "No Internet sharing"
echo -e "\nWARN: Since you're using in this mode (no Internet share), make sure you've read Notice 1\n" >&2
[[ "$BANLAN" -eq 1 ]] && start_ban_lan [[ "$BANLAN" -eq 1 ]] && start_ban_lan
elif [[ "$SHARE_METHOD" == "nat" ]]; then elif [[ "$SHARE_METHOD" == "nat" ]]; then
[[ "$INTERNET_IFACE" ]] && echo -e "\nWARN: Since you're using in this mode (specify Internet interface), make sure you've read Notice 1\n" >&2
[[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS. In some unexpected case (eg. mistaken configurations), queries may leak to other interfaces, which you should be aware of.\n" >&2 [[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS. In some unexpected case (eg. mistaken configurations), queries may leak to other interfaces, which you should be aware of.\n" >&2
start_nat start_nat
@ -2214,6 +2320,11 @@ fi
[[ $NO_DNSMASQ -eq 0 ]] && ( allow_dhcp ; start_dnsmasq ) [[ $NO_DNSMASQ -eq 0 ]] && ( allow_dhcp ; start_dnsmasq )
echo ""
is_firewalld_running && firewalld_add_tmpzone
echo echo
echo "== Setting up completed, now linux-router should be working ==" echo "== Setting up completed, now linux-router should be working =="
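Review bot: the firewalld zone assignment happens at the very end, after hostapd, the DHCP rules and dnsmasq are already serving, so between `ip link set up` and this line the subnet interface sits in firewalld's default zone, which on most distributions rejects the clients' DHCP and DNS requests. Moving `is_firewalld_running && firewalld_add_tmpzone` to right after the interface is brought up (it has to exist for `--add-interface`, but nothing else is needed) closes that window. It also changes the failure mode: if the add fails, `die` at the current position tears down a setup that has already completed, whereas the earlier position fails before dnsmasq and the AP processes are started.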