0.6.6

new iptables function
0.6.5
2021-11-07 10:31:15 +08:00 · 2021-11-07 10:30:56 +08:00 · 2021-11-07 10:29:12 +08:00 · 2021-11-07 10:28:36 +08:00
2 changed files with 253 additions and 282 deletions
--- a/README.md
+++ b/README.md
@ -1,10 +1,10 @@
 # Linux-router
-Set Linux as router in one command. Able to Provide Internet, or create Wifi hotspot. Support transparent proxy (redsocks). Also useful for routing VM/containers.
+Set Linux as router in one command. Able to provide Internet, or create WiFi hotspot. Support transparent proxy (redsocks). Also useful for routing VM/containers.
 It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c` (or even by closing terminal window).
-[More tools and projects](https://garywill.github.io) | [🍻 Buy me a coffee ❤️](https://github.com/garywill/receiving/blob/master/receiving_methods.md)
+[More tools and projects 🛠️](https://garywill.github.io) | [🍻 Buy me a coffee ❤️](https://github.com/garywill/receiving/blob/master/receiving_methods.md)
 ## Features
@ -12,16 +12,19 @@ Basic features:
 - Create a NATed sub-network
 - Provide Internet
- DHCP server and RA
+- DHCP server (and RA)
  - Specify what DNS the DHCP server assigns to clients
 - DNS server
  - Specify upstream DNS (kind of a plain DNS proxy)
 - IPv6 (behind NATed LAN, like IPv4)
- Creating Wifi hotspot:
+- Creating WiFi hotspot:
  - Channel selecting
  - Choose encryptions: WPA2/WPA, WPA2, WPA, No encryption
-  - Create AP on the same interface you are getting Internet (require same channel)
+  - Create AP on the same interface you are getting Internet (usually require same channel)
 - Transparent proxy (redsocks)
- DNS proxy
+- Transparent DNS proxy (hijack port 53 packets)
 - Compatible with NetworkManager (automatically set interface as unmanaged)
 - You can run many instances, to create many different networks. Has instances managing feature.
 **For many other features, see below [CLI usage](#cli-usage-and-other-features)**
@ -35,7 +38,7 @@ Internet----(eth0/wlan0)-Linux-(wlanX)AP
 ```
                                    Internet
-Wifi AP(no DHCP)                        |
+WiFi AP(no DHCP)                        |
    |----(wlan1)-Linux-(eth0/wlan0)------
    |           (DHCP)
    |--client
@ -62,21 +65,19 @@ Internet----(eth0/wlan0)-Linux-(virtual interface)-----VM/container
 ### Provide Internet to an interface
 No matter which interface (other than `eth1`) you're getting Internet from 
 ```
 sudo lnxrouter -i eth1
 ```
-### Create Wifi hotspot
+no matter which interface (other than `eth1`) you're getting Internet from.
-No matter which interface you're getting Internet from (even from `wlan0`)
+### Create WiFi hotspot
 ```
 sudo lnxrouter --ap wlan0 MyAccessPoint -p MyPassPhrase
 ```
-It will create virtual Interface `x0wlan0` for hotspot.
+no matter which interface you're getting Internet from (even from `wlan0`). Will create virtual Interface `x0wlan0` for hotspot.
 ### Provide an interface's Internet to another interface
@ -88,10 +89,10 @@ Clients access Internet through only `isp5`
 sudo lnxrouter -i eth1 -o isp5  --no-dns  --dhcp-dns 1.1.1.1  -6 --dhcp-dns6 [2606:4700:4700::1111]
 ```
-It's recommended to:
+> In this case of usage, it's recommended to:
-
+> 
-1. Stop serving local DNS to clients on our Linux host
+> 1. Stop serving local DNS
-2. Tell clients which DNS to use (ISP5's DNS. Or, a safe public DNS, like above example)
+> 2. Tell clients which DNS to use (ISP5's DNS. Or, a safe public DNS, like above example)
 > Also, read *Notice 1*
@ -254,9 +255,13 @@ sudo brctl addbr firejail5
 ```
 sudo lnxrouter -i firejail5 -g 192.168.55.1 --tp 9040 --dns 9053 
-firejail --net=firejail5 --dns=192.168.55.1 --blacklist=/var/run/nscd  # nscd is cache service, which shouldn't be accessed in jail here
+firejail --net=firejail5 --dns=192.168.55.1 --blacklist=/var/run/nscd
 ```
 Firejail's `/etc/resolv.conf` doesn't obtain DNS from DHCP, so we need to assign.
 nscd is domain name cache service, which shouldn't be accessed from in jail here.
 </details>
 ### CLI usage and other features
@ -272,8 +277,9 @@ Options:
    -i <interface>          Interface to make NATed sub-network,
                            and to provide Internet to
-                            (To create Wifi hotspot use '--ap' instead)
+                            (To create WiFi hotspot use '--ap' instead)
    -o <interface>          Specify an inteface to provide Internet from.
                            (See Notice 1)
                            (Note using this with default DNS option may leak
                            queries to other interfaces)
    -n                      Do not provide Internet (See Notice 1)
@ -298,15 +304,14 @@ Options:
    --no-dnsmasq            Disable dnsmasq server (DHCP, DNS, RA)
    --catch-dns             Transparent DNS proxy, redirect packets(TCP/UDP) 
                            whose destination port is 53 to this host
-    --log-dns               Show DNS query log
+    --log-dns               Show DNS query log (dnsmasq)
    --dhcp-dns <IP1[,IP2]>|no
                            Set IPv4 DNS offered by DHCP (default: this host).
                            This will enable '--no-dns' (Do not serve DNS)
    --dhcp-dns6 <IP1[,IP2]>|no
                            Set IPv6 DNS offered by DHCP (RA) 
                            (default: this host)
                            (Note IPv6 addresses need '[]' around)
-                            This will enable '--no-dns' (Do not serve DNS)
+                            Using both above two will enable '--no-dns' 
    --hostname <name>       DNS server associate this name with this host.
                            Use '-' to read name from /etc/hostname
    -d                      DNS server will take into account /etc/hosts
@ -320,12 +325,12 @@ Options:
                            redirect non-LAN TCP and UDP traffic to port.
                            (usually used with '--dns')
-  Wifi hotspot options:
+  WiFi hotspot options:
    --ap <wifi interface> <SSID>
-                            Create Wifi access point
+                            Create WiFi access point
    -p, --password <password>   
-                            Wifi password
+                            WiFi password
-    --qr                    Show Wifi QR code in terminal
+    --qr                    Show WiFi QR code in terminal
    --hidden                Hide access point (not broadcast SSID)
    --no-virt               Do not create virtual interface
@ -340,8 +345,8 @@ Options:
                            (default: 2)
    --psk                   Use 64 hex digits pre-shared-key instead of
                            passphrase
-    --mac-filter            Enable Wifi hotspot MAC address filtering
+    --mac-filter            Enable WiFi hotspot MAC address filtering
-    --mac-filter-accept     Location of Wifi hotspot MAC address filter list
+    --mac-filter-accept     Location of WiFi hotspot MAC address filter list
                            (defaults to /etc/hostapd/hostapd.accept)
    --hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd
    --isolate-clients       Disable wifi communication between clients
@ -374,9 +379,9 @@ Options:
 ```
    Notice 1:   This script assume your host's default policy won't forward
                packets, so the script won't explictly ban forwarding in any
-                mode. In some unexpected case may cause unwanted packets 
+                mode. In some unexpected case (eg. mistaken configurations) may
-                leakage between 2 networks, which you should be aware of if you
+                cause unwanted packets leakage between 2 networks, which you
-                want isolated network
+                should be aware of if you want isolated network
 ```
 </details>
@ -390,7 +395,7 @@ On exit of a linux-router instance, script **will do cleanup**, i.e. undo most c
 3. hostapd (if used) in Apparmor complain mode
 4. Kernel module `nf_nat_pptp` loaded
 5. The wifi device which is used to create hotspot is `rfkill unblock`ed
-6. Wifi country code, if user specified
+6. WiFi country code, if user assigns
 ## Dependencies
@ -400,16 +405,17 @@ On exit of a linux-router instance, script **will do cleanup**, i.e. undo most c
 - dnsmasq
 - iptables (or nftables with `iptables-nft` translation linked)
 - WiFi hotspot dependencies
-   - hostapd
+  - hostapd
-   - iw
+  - iw
-   - iwconfig (you only need this if 'iw' can not recognize your adapter)
+  - iwconfig (you only need this if 'iw' can not recognize your adapter)
-   - haveged (optional)
+  - haveged (optional)
-   - qrencode (optional)
+  - qrencode (optional)
 ## TODO
 <details>
 - Compatibility with firewalld
 - WPA3
 - Global IPv6
 - Explictly ban forwarding if not needed
@ -478,12 +484,12 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 ## Meet developer(s) and become one of them
-Visit [**my homepage**](https://garywill.github.io) to see **more tools and projects**.
+Visit [**my homepage** 🏡](https://garywill.github.io) to see **more tools and projects** 🛠️.
-> [Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) , this project took me lots of time! ([打赏一个!](https://github.com/garywill/receiving/blob/master/receiving_methods.md))
+> [❤️ Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) , this project took me lots of time! ([❤️ 扫个码打赏一个!](https://github.com/garywill/receiving/blob/master/receiving_methods.md))
 > 
 > 🥂 ( ^\_^) o自自o (^_^ ) 🍻
 🤝 Bisides, thank [create_ap](https://github.com/oblique/create_ap) by [oblique](https://github.com/oblique). This script was forked from create\_ap. Now they are quite different. (See `history` branch for how I modified create_ap). 🤝 Also thank those who contributed to that project.
-🤝 You can be contributor, too! There're some TO-DOs listed, at both above and in the code file. Your name can be here!
+👨‍💻 You can be contributor, too! 🍃 There're some TO-DOs listed, at both [above](#todo) and [in the code file](https://github.com/garywill/linux-router/search?q=TODO&type=code). 🍃 Also some [unfulfilled enhancements in the Issues](https://github.com/garywill/linux-router/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement). Your name can be here!
--- a/423
+++ b/423
@ -1,6 +1,6 @@
 #!/bin/bash
-VERSION=0.6.3
+VERSION=0.6.6
 PROGNAME="$(basename $0)"
 export LC_ALL=C
@ -11,10 +11,13 @@ umask $SCRIPT_UMASK
 phead() {
    echo "linux-router $VERSION (https://github.com/garywill/linux-router)"
 }
 phead2() {
    echo "Released under LGPL, with no warranty. Use on your own risk."
 }
 usage() {
    phead
    phead2
    cat << EOF
 Released under LGPL, with no warranty. Use on your own risk.
 Usage: $PROGNAME <options>
@ -24,8 +27,9 @@ Options:
    -i <interface>          Interface to make NATed sub-network,
                            and to provide Internet to
-                            (To create Wifi hotspot use '--ap' instead)
+                            (To create WiFi hotspot use '--ap' instead)
    -o <interface>          Specify an inteface to provide Internet from.
                            (See Notice 1)
                            (Note using this with default DNS option may leak
                            queries to other interfaces)
    -n                      Do not provide Internet (See Notice 1)
@ -50,15 +54,14 @@ Options:
    --no-dnsmasq            Disable dnsmasq server (DHCP, DNS, RA)
    --catch-dns             Transparent DNS proxy, redirect packets(TCP/UDP) 
                            whose destination port is 53 to this host
-    --log-dns               Show DNS query log
+    --log-dns               Show DNS query log (dnsmasq)
    --dhcp-dns <IP1[,IP2]>|no
                            Set IPv4 DNS offered by DHCP (default: this host).
                            This will enable '--no-dns' (Do not serve DNS)
    --dhcp-dns6 <IP1[,IP2]>|no
                            Set IPv6 DNS offered by DHCP (RA) 
                            (default: this host)
                            (Note IPv6 addresses need '[]' around)
-                            This will enable '--no-dns' (Do not serve DNS)
+                            Using both above two will enable '--no-dns' 
    --hostname <name>       DNS server associate this name with this host.
                            Use '-' to read name from /etc/hostname
    -d                      DNS server will take into account /etc/hosts
@ -72,12 +75,12 @@ Options:
                            redirect non-LAN TCP and UDP traffic to port.
                            (usually used with '--dns')
-  Wifi hotspot options:
+  WiFi hotspot options:
    --ap <wifi interface> <SSID>
-                            Create Wifi access point
+                            Create WiFi access point
    -p, --password <password>   
-                            Wifi password
+                            WiFi password
-    --qr                    Show Wifi QR code in terminal
+    --qr                    Show WiFi QR code in terminal
    --hidden                Hide access point (not broadcast SSID)
    --no-virt               Do not create virtual interface
@ -92,8 +95,8 @@ Options:
                            (default: 2)
    --psk                   Use 64 hex digits pre-shared-key instead of
                            passphrase
-    --mac-filter            Enable Wifi hotspot MAC address filtering
+    --mac-filter            Enable WiFi hotspot MAC address filtering
-    --mac-filter-accept     Location of Wifi hotspot MAC address filter list
+    --mac-filter-accept     Location of WiFi hotspot MAC address filter list
                            (defaults to /etc/hostapd/hostapd.accept)
    --hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd
    --isolate-clients       Disable wifi communication between clients
@ -118,13 +121,12 @@ Options:
    Notice 1:   This script assume your host's default policy won't forward
                packets, so the script won't explictly ban forwarding in any
-                mode. In some unexpected case may cause unwanted packets 
+                mode. In some unexpected case (eg. mistaken configurations) may
-                leakage between 2 networks, which you should be aware of if you
+                cause unwanted packets leakage between 2 networks, which you
-                want isolated network
+                should be aware of if you want isolated network
 Examples:
    $PROGNAME -i eth1
    $PROGNAME --ap wlan0 MyAccessPoint
    $PROGNAME --ap wlan0 MyAccessPoint -p MyPassPhrase
    $PROGNAME -i eth1 --tp <transparent-proxy> --dns <dns-proxy>
 EOF
@ -229,16 +231,10 @@ parse_user_options(){
                shift
                INTERNET_IFACE="$1"
                shift
                echo ""
                echo "WARN: Since you're using in this mode, make sure you've read Notice 1" >&2
                echo ""
                ;;
            -n)
                shift
                SHARE_METHOD=none
                echo ""
                echo "WARN: Since you're using in this mode, make sure you've read Notice 1" >&2
                echo ""
                ;;
            --ban-priv)
                shift
@ -264,9 +260,6 @@ parse_user_options(){
            --no4)
                shift
                NO4=1
                echo ""
                echo "WARN: Since you're using in this mode, make sure you've read Notice 1" >&2
                echo ""
                ;;
            --p6)
                shift
@ -821,30 +814,90 @@ check_iptables()
    iptables --version
    if which firewall-cmd > /dev/null 2>&1; then
-        if [[ "$(firewall-cmd --state)" == "running" ]]; then
+        if [[ "$(firewall-cmd --state 2>&1)" == "running" ]]; then
            echo "firewalld is running ($(firewall-cmd --version))"
            echo -e "\nWARN: We haven't completed the compatibility with firewalld.\nWARN: If you see any trouble, try:\nWARN:     1) 'firewall-cmd --zone=trusted --add-interface=<SUBN_IFACE>'\nWARN:     2) disable firewalld\n" >&2 
            # TODO
        fi
    fi
 }
-iptables_()
+
 CUSTOM_CHAINS_4_filter=
 CUSTOM_CHAINS_4_nat=
 CUSTOM_CHAINS_6_filter=
 CUSTOM_CHAINS_6_nat=
 iptb() 
 {
-    # NETFILTER_XT_MATCH_COMMENT would be a env variable if user wants to disable '-m comment'
+    local FoS=$1 # 4 | 6
-    if [[ "$NETFILTER_XT_MATCH_COMMENT" == "0" ]]; then
+    shift
-        iptables -w $@ 
+    local Vis=$1 # 'v' | 'n'
-    else
+    shift
-        iptables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE"
+    local T=$1 # table
    shift
    local ACT=$1 # action: I | A | N  .  On undo: I or A -> D , N -> F+X
    shift
    local CH=$1 # chain
    shift
    [[ "$IPV6" -ne 1 && "$FoS" == "6" ]] && return
    local CMD_HEAD=""
    local MOUTH=""
    local NECK=""
    local HAND_UN_NC=0
    local TAIL=""
    local FULL=""
    local ADD_TO_UNDO=1
    for arr_name in CUSTOM_CHAINS_4_filter CUSTOM_CHAINS_4_nat CUSTOM_CHAINS_6_filter CUSTOM_CHAINS_6_nat
    do
        local arr_content
        eval arr_content=\"\${$arr_name}\"
        #echo $arr_content
        for w in  $arr_content
        do
            if [[ "$arr_name" =~ "$FoS" && "$arr_name" =~ "$T" && "$w" == "$CH" ]]; then
                ADD_TO_UNDO=0
            fi
        done
    done
    [[ "$FoS" == "4" ]] && CMD_HEAD="iptables -w "
    [[ "$FoS" == "6" ]] && CMD_HEAD="ip6tables -w "
    [[ "$Vis" == 'v' ]] && MOUTH="-v"
    NECK="-t ${T}"
    if [[ "$ACT" == "N" ]]; then
        eval CUSTOM_CHAINS_${FoS}_${T}=\"\${CUSTOM_CHAINS_${FoS}_${T}} ${CH}\"
        HAND_UN_NC=1
    fi
-    return $?
+    
-}
+    
-ip6tables_()
+    
-{
+    [[ ! "$NETFILTER_XT_MATCH_COMMENT" == "0" ]] && TAIL="-m comment --comment lrt${$}${SUBNET_IFACE}"
-    if [[ "$NETFILTER_XT_MATCH_COMMENT" == "0" ]]; then
+    
-        ip6tables -w $@
+    if [[ "$ADD_TO_UNDO" -eq 1 ]]; then
-    else
+        if [[ "$ACT" == "I" || "$ACT" == "A" ]]; then
-        ip6tables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE"
+            echo "$CMD_HEAD $NECK -D ${CH} $@ $TAIL" >> $CONFDIR/undo_iptables.sh 
        fi
        if [[ "$HAND_UN_NC" -eq 1 ]]; then
            echo "$CMD_HEAD $NECK -F ${CH} $@ $TAIL" >> $CONFDIR/undo_iptables_2.sh
            echo "$CMD_HEAD $NECK -X ${CH} $@ $TAIL" >> $CONFDIR/undo_iptables_2.sh
        fi
    fi
    FULL="$CMD_HEAD $MOUTH $NECK -${ACT} ${CH} $@ $TAIL"
    #echo $FULL
    $FULL
    return $?
 }
@ -859,151 +912,84 @@ start_nat() {
    echo
    echo "iptables: NAT "
    if [[ $NO4 -eq 0 ]]; then
-        iptables_ -v -t nat -I POSTROUTING -s ${GATEWAY%.*}.0/24 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${GATEWAY%.*}.0/24  -j MASQUERADE || die
+        iptb 4 v nat I POSTROUTING -s ${GATEWAY%.*}.0/24 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${GATEWAY%.*}.0/24  -j MASQUERADE || die
-        iptables_ -v -I FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${GATEWAY%.*}.0/24 -j ACCEPT || die
+        iptb 4 v filter I FORWARD  -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${GATEWAY%.*}.0/24 -j ACCEPT || die
-        iptables_ -v -I FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN  -d ${GATEWAY%.*}.0/24 -j ACCEPT || die
+        iptb 4 v filter I FORWARD  -o ${SUBNET_IFACE} $IPTABLES_NAT_IN  -d ${GATEWAY%.*}.0/24 -j ACCEPT || die
    fi
    if [[ $IPV6 -eq 1 ]]; then
        ip6tables_ -v -t nat -I POSTROUTING -s ${PREFIX6}/64 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${PREFIX6}/64  -j MASQUERADE || die
        ip6tables_ -v -I FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${PREFIX6}/64 -j ACCEPT || die
        ip6tables_ -v -I FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN   -d ${PREFIX6}/64 -j ACCEPT || die
    fi
 }
 stop_nat() {
    echo "iptables: stop NAT"
    if [[ $NO4 -eq 0 ]]; then
        iptables_ -t nat -D POSTROUTING -s ${GATEWAY%.*}.0/24 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${GATEWAY%.*}.0/24  -j MASQUERADE
        iptables_ -D FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${GATEWAY%.*}.0/24 -j ACCEPT
        iptables_ -D FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN  -d ${GATEWAY%.*}.0/24 -j ACCEPT
    fi
    if [[ $IPV6 -eq 1 ]]; then
        ip6tables_ -t nat -D POSTROUTING -s ${PREFIX6}/64 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${PREFIX6}/64  -j MASQUERADE
        ip6tables_ -D FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${PREFIX6}/64 -j ACCEPT
        ip6tables_ -D FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN  -d ${PREFIX6}/64 -j ACCEPT
    fi
        iptb 6 v nat I POSTROUTING  -s ${PREFIX6}/64 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${PREFIX6}/64  -j MASQUERADE || die
        iptb 6 v filter I FORWARD   -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${PREFIX6}/64 -j ACCEPT || die
        iptb 6 v filter I FORWARD   -o ${SUBNET_IFACE} $IPTABLES_NAT_IN   -d ${PREFIX6}/64 -j ACCEPT || die
 }
 start_ban_lan() {
    echo
    echo "iptables: Disallow clients to access LAN"
-    iptables_ -N BANLAN-f-${SUBNET_IFACE}  || die
+    iptb 4 n filter N lrt${$}${SUBNET_IFACE}-BLF || die
-    iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 0.0.0.0/8 -j REJECT || die # TODO: use array
+    # TODO: allow '--dhcp-dns(6)' address port 53, which can be something needed, e.g. a VPN's internal private IP
-    iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 10.0.0.0/8 -j REJECT || die
+    iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 0.0.0.0/8 -j REJECT || die # TODO: use array
-    iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 100.64.0.0/10 -j REJECT || die
+    iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 10.0.0.0/8 -j REJECT || die
-    iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 127.0.0.0/8 -j REJECT || die
+    iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 100.64.0.0/10 -j REJECT || die
-    iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 169.254.0.0/16 -j REJECT || die
+    iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 127.0.0.0/8 -j REJECT || die
-    iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 172.16.0.0/12 -j REJECT || die
+    iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 169.254.0.0/16 -j REJECT || die
-    iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 192.168.0.0/16 -j REJECT || die
+    iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 172.16.0.0/12 -j REJECT || die
-    iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 224.0.0.0/4 -j REJECT || die
+    iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 192.168.0.0/16 -j REJECT || die
-    iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 255.255.255.255 -j REJECT || die
+    iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 224.0.0.0/4 -j REJECT || die
    iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 255.255.255.255 -j REJECT || die
-    iptables_ -I FORWARD -i ${SUBNET_IFACE} -j BANLAN-f-${SUBNET_IFACE} || die
+    iptb 4 n filter I FORWARD -i ${SUBNET_IFACE} -j lrt${$}${SUBNET_IFACE}-BLF || die
-    iptables_ -N BANLAN-i-${SUBNET_IFACE}
+    iptb 4 n filter N lrt${$}${SUBNET_IFACE}-BLI || die
-    #iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} -j REJECT || die
+    iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLI -i ${SUBNET_IFACE} ! -p icmp -j REJECT || die # ipv6 need icmp to function. TODO: maybe we can block some unneeded icmp to improve security
    iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} ! -p icmp -j REJECT || die
    # TODO: ipv6 need icmp to function. maybe we can block some unneeded icmp to improve security
-    iptables_ -I INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE} || die
+    iptb 4 n filter I INPUT -i ${SUBNET_IFACE} -j lrt${$}${SUBNET_IFACE}-BLI || die
    if [[ $IPV6 -eq 1 ]]; then
        ip6tables_ -N BANLAN-f-${SUBNET_IFACE}  || die
        ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d fc00::/7 -j REJECT || die
        ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d fe80::/10 -j REJECT || die
        ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ff00::/8 -j REJECT || die
        ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ::1 -j REJECT || die
        ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ::/128 -j REJECT || die
        ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ::ffff:0:0/96 -j REJECT || die
        ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ::ffff:0:0:0/96 -j REJECT || die
-        ip6tables_ -I FORWARD -i ${SUBNET_IFACE} -j BANLAN-f-${SUBNET_IFACE} || die
+    iptb 6 n filter N lrt${$}${SUBNET_IFACE}-BLF  || die
    iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d fc00::/7 -j REJECT || die
    iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d fe80::/10 -j REJECT || die
    iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ff00::/8 -j REJECT || die
    iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ::1 -j REJECT || die
    iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ::/128 -j REJECT || die
    iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ::ffff:0:0/96 -j REJECT || die
    iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ::ffff:0:0:0/96 -j REJECT || die
-        ip6tables_ -N BANLAN-i-${SUBNET_IFACE}  || die
+    iptb 6 n filter I FORWARD -i ${SUBNET_IFACE} -j lrt${$}${SUBNET_IFACE}-BLF || die
        #ip6tables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} -j REJECT || die
        ip6tables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} ! -p icmpv6 -j REJECT || die
-        ip6tables_ -I INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE} || die
+    iptb 6 n filter N lrt${$}${SUBNET_IFACE}-BLI  || die
-    fi
+    iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLI -i ${SUBNET_IFACE} ! -p icmpv6 -j REJECT || die
 }
 stop_ban_lan() {
    echo "iptables: Unban clients' LAN access"
-    iptables_ -D FORWARD -i ${SUBNET_IFACE} -j BANLAN-f-${SUBNET_IFACE} 
+    iptb 6 n filter I INPUT -i ${SUBNET_IFACE} -j lrt${$}${SUBNET_IFACE}-BLI || die
    iptables_ -F BANLAN-f-${SUBNET_IFACE}
    iptables_ -X BANLAN-f-${SUBNET_IFACE}
    iptables_ -D INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE}
    iptables_ -F BANLAN-i-${SUBNET_IFACE}
    iptables_ -X BANLAN-i-${SUBNET_IFACE}
    if [[ $IPV6 -eq 1 ]]; then
        ip6tables_ -D FORWARD -i ${SUBNET_IFACE} -j BANLAN-f-${SUBNET_IFACE} 
        ip6tables_ -F BANLAN-f-${SUBNET_IFACE}
        ip6tables_ -X BANLAN-f-${SUBNET_IFACE} 
        ip6tables_ -D INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE}
        ip6tables_ -F BANLAN-i-${SUBNET_IFACE}
        ip6tables_ -X BANLAN-i-${SUBNET_IFACE} 
    fi
 }
 allow_dns_port() {
    echo
    echo "iptables: allow DNS"
-    iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j ACCEPT || die
+    iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j ACCEPT || die
-    iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j ACCEPT || die
+    iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j ACCEPT || die
-    if [[ $IPV6 -eq 1 ]]; then
+    iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j ACCEPT || die
-        ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j ACCEPT || die
+    iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j ACCEPT || die
        ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j ACCEPT || die
    fi
 }
 unallow_dns_port() {
    echo "iptables: unallow DNS"
    iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j ACCEPT
    iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY}  -p udp -m udp --dport 53 -j ACCEPT
    if [[ $IPV6 -eq 1 ]]; then
        ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j ACCEPT
        ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j ACCEPT
    fi
 }
 start_catch_dns() {
    echo
-    echo "iptables: redirect all TCP/UDP packet that destination port is 53"
+    echo "iptables: redirect DNS queries to this host"
-    iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 || die
+    iptb 4 v nat I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 || die
-    iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 || die
+    iptb 4 v nat I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 || die
-    if [[ $IPV6 -eq 1 ]]; then
+
-        ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 || die
+    iptb 6 v nat I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 || die
-        ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 || die
+    iptb 6 v nat I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 || die
    fi
 }
 stop_catch_dns() {
    echo "iptables: stop redirecting DNS queries"
    iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 
    iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 
    if [[ $IPV6 -eq 1 ]]; then
        ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 
        ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 
    fi
 }
 allow_dhcp() {
    echo 
    echo "iptables: allow dhcp"
-    iptables_ -v -I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 67 -j ACCEPT || die
+    
-    if [[ $IPV6 -eq 1 ]]; then
+    iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 67 -j ACCEPT || die
-        ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 547 -j ACCEPT || die
+    iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 547 -j ACCEPT || die
    fi
 }
 unallow_dhcp() {
    echo "iptables: unallow dhcp"
    iptables_ -D INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 67 -j ACCEPT
    if [[ $IPV6 -eq 1 ]]; then
        ip6tables_ -D INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 547 -j ACCEPT
    fi
 }
 # TODO: use 'DNAT' instead of '--to-ports' to support other IP
@ -1011,61 +997,43 @@ start_redsocks() {
    echo
    echo "iptables: transparent proxy non-LAN TCP/UDP traffic to port ${TP_PORT}"
    if [[ $NO4 -eq 0 ]]; then
-        iptables_ -t nat -N REDSOCKS-${SUBNET_IFACE} || die
+        iptb 4 n nat N lrt${$}${SUBNET_IFACE}-TP || die
-        iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 0.0.0.0/8 -j RETURN || die
+        iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 0.0.0.0/8 -j RETURN || die
-        iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 10.0.0.0/8 -j RETURN || die
+        iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 10.0.0.0/8 -j RETURN || die
-        iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 100.64.0.0/10  -j RETURN || die
+        iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 100.64.0.0/10  -j RETURN || die
-        iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 127.0.0.0/8 -j RETURN || die
+        iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 127.0.0.0/8 -j RETURN || die
-        iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 169.254.0.0/16 -j RETURN || die
+        iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 169.254.0.0/16 -j RETURN || die
-        iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 172.16.0.0/12 -j RETURN || die
+        iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 172.16.0.0/12 -j RETURN || die
-        iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 192.168.0.0/16 -j RETURN || die
+        iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 192.168.0.0/16 -j RETURN || die
-        iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 224.0.0.0/4 -j RETURN || die
+        iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 224.0.0.0/4 -j RETURN || die
-        iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 255.255.255.255 -j RETURN || die
+        iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 255.255.255.255 -j RETURN || die
-        iptables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p tcp -j REDIRECT --to-ports ${TP_PORT} || die
+        iptb 4 v nat A lrt${$}${SUBNET_IFACE}-TP -p tcp -j REDIRECT --to-ports ${TP_PORT} || die
-        iptables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p udp -j REDIRECT --to-ports ${TP_PORT} || die
+        iptb 4 v nat A lrt${$}${SUBNET_IFACE}-TP -p udp -j REDIRECT --to-ports ${TP_PORT} || die
-        iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -j REDSOCKS-${SUBNET_IFACE} || die
+        iptb 4 v nat I PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -j lrt${$}${SUBNET_IFACE}-TP || die
-        iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p tcp -m tcp --dport ${TP_PORT}  -j ACCEPT || die
+        iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p tcp -m tcp --dport ${TP_PORT}  -j ACCEPT || die
-        iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p udp -m udp --dport ${TP_PORT}  -j ACCEPT || die
+        iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p udp -m udp --dport ${TP_PORT}  -j ACCEPT || die
    fi
    if [[ $IPV6 -eq 1 ]]; then
        ip6tables_ -t nat -N REDSOCKS-${SUBNET_IFACE} || die
        ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d fc00::/7 -j RETURN || die
        ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d fe80::/10 -j RETURN || die
        ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d ff00::/8 -j RETURN || die
        ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d ::1 -j RETURN || die
        ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d :: -j RETURN || die
-        ip6tables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p tcp -j REDIRECT --to-ports ${TP_PORT} || die
+        iptb 6 n nat N lrt${$}${SUBNET_IFACE}-TP || die
-        ip6tables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p udp -j REDIRECT --to-ports ${TP_PORT} || die
+        iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d fc00::/7 -j RETURN || die
        iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d fe80::/10 -j RETURN || die
        iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d ff00::/8 -j RETURN || die
        iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d ::1 -j RETURN || die
        iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d :: -j RETURN || die
-        ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -j REDSOCKS-${SUBNET_IFACE} || die
+        iptb 6 v nat A lrt${$}${SUBNET_IFACE}-TP -p tcp -j REDIRECT --to-ports ${TP_PORT} || die
        iptb 6 v nat A lrt${$}${SUBNET_IFACE}-TP -p udp -j REDIRECT --to-ports ${TP_PORT} || die
        iptb 6 v nat I PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -j lrt${$}${SUBNET_IFACE}-TP || die
        iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p tcp -m tcp --dport ${TP_PORT}  -j ACCEPT || die
        iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p udp -m udp --dport ${TP_PORT}  -j ACCEPT || die   
        ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p tcp -m tcp --dport ${TP_PORT}  -j ACCEPT || die
        ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p udp -m udp --dport ${TP_PORT}  -j ACCEPT || die   
    fi
 }
 stop_redsocks() {
    echo "iptables: stop transparent proxy"
    if [[ $NO4 -eq 0 ]]; then
        iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24  -j REDSOCKS-${SUBNET_IFACE}
        iptables_ -t nat -F REDSOCKS-${SUBNET_IFACE}
        iptables_ -t nat -X REDSOCKS-${SUBNET_IFACE}
        iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p tcp -m tcp --dport ${TP_PORT}  -j ACCEPT
        iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p udp -m udp --dport ${TP_PORT}  -j ACCEPT
    fi
    if [[ $IPV6 -eq 1 ]]; then
        ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64  -j REDSOCKS-${SUBNET_IFACE}
        ip6tables_ -t nat -F REDSOCKS-${SUBNET_IFACE}
        ip6tables_ -t nat -X REDSOCKS-${SUBNET_IFACE}
        ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p tcp -m tcp --dport ${TP_PORT}  -j ACCEPT
        ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p udp -m udp --dport ${TP_PORT}  -j ACCEPT
    fi
 }
 #---------------------------------------
 backup_ipv6_bits() {
    mkdir "$CONFDIR/sys_6_conf_iface" || die "Failed making dir to save interface IPv6 status"
@ -1120,7 +1088,7 @@ backup_interface_status() {
    backup_ipv6_bits
-    # TODO : backup ip and others
+    # TODO : ? backup ip and others???
    # nm managing status is saved when nm_set_unmanaged()
 }
@ -1153,7 +1121,7 @@ kill_processes() { # for this instance
            pn=$( ps -p $pid -o comm= ) 
            #echo "Killing $pid $pn ... "
            pkill -P $pid
-            kill $pid 2>/dev/null && ( echo "Killed $pid $pn" && rm $x ) || echo "Failed to kill $pid $pn, it may have exited"
+            kill $pid 2>/dev/null && ( echo "Killed $(basename $x) $pid $pn" && rm $x ) || echo "Failed to kill $(basename $x) $pid $pn, it may have exited"
        fi
    done
 }
@ -1190,25 +1158,9 @@ _cleanup() {
 }
 clean_iptables() {
    bash $CONFDIR/undo_iptables.sh
-    if [[ "$SHARE_METHOD" == "nat" ]]; then
+    [[ -f $CONFDIR/undo_iptables_2.sh ]] && bash $CONFDIR/undo_iptables_2.sh
        stop_nat
    elif [[ "$SHARE_METHOD" == "redsocks" ]]; then
        stop_redsocks
    fi
    if [[ "$DHCP_DNS" == "gateway" || "$DHCP_DNS6" == "gateway" ]]; then
        unallow_dns_port
    fi
    [[ "$CATCH_DNS" -eq 1 ]] && stop_catch_dns
    if [[ $NO_DNSMASQ -eq 0 ]]; then
        unallow_dhcp
    fi
    [[ "$BANLAN" -eq 1 ]] && stop_ban_lan
 }
 cleanup() {
@ -1217,10 +1169,12 @@ cleanup() {
    echo
    echo "Doing cleanup.. "
    kill_processes
-    clean_iptables  2> /dev/null
+    echo "Undoing iptables changes .."
    clean_iptables > /dev/null
    _cleanup 2> /dev/null
    pgid=$(ps opgid= $$ |awk '{print $1}' )
    echo "Killing PGID $pgid ..."
    kill -15 -$pgid
    sleep 1 
    echo "Cleaning up done"
@ -1484,7 +1438,7 @@ check_other_functions(){
    ##### root test ##### NOTE above don't require root ##########
    if [[ $(id -u) -ne 0 ]]; then
-        echo "You must run it as root." >&2
+        echo "ERROR: Need root to continue" >&2
        exit 1
    fi
    ###### NOTE below require root ##########
@ -1768,7 +1722,7 @@ write_hostapd_conf() {
 			rsn_pairwise=CCMP
 		EOF
    else
-        echo "WARN: Wifi is not protected by password" >&2
+        echo "WARN: WiFi is not protected by password" >&2
    fi
    chmod 600 "$CONFDIR/hostapd.conf"
 }
@ -1968,6 +1922,9 @@ daemonizing_check
 ## ===== Above don't echo anything if no warning or error====================
 ## ========================================================
 phead
 phead2
 echo
 echo "PID: $$"
 TARGET_IFACE="$(decide_target_interface)" || exit 1 # judge wired (-i CONN_IFACE) or wireless hotspot (--ap $WIFI_IFACE)
@ -2051,25 +2008,33 @@ fi
 check_iptables
 echo "NOTICE: Not showing all operations done to iptables rules"
 [[ "$NO4" -eq 1 ]] && echo -e "\nWARN: Since you're using in this mode (no IPv4 Internet), make sure you've read Notice 1\n" >&2
 # enable Internet sharing
 if [[ "$SHARE_METHOD" == "none" ]]; then
    echo "No Internet sharing"
    echo -e "\nWARN: Since you're using in this mode (no Internet share), make sure you've read Notice 1\n" >&2
    [[ "$BANLAN" -eq 1 ]] && start_ban_lan
 elif [[ "$SHARE_METHOD" == "nat" ]]; then
-    [[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS, queries may leak to other interfaces!!!\n" >&2
+    [[ "$INTERNET_IFACE" ]] && echo -e "\nWARN: Since you're using in this mode (specify Internet interface), make sure you've read Notice 1\n" >&2
    [[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS. In some unexpected case (eg. mistaken configurations), queries may leak to other interfaces, which you should be aware of.\n" >&2
    start_nat
    [[ "$BANLAN" -eq 1 ]] && start_ban_lan
-    echo 1 > "/proc/sys/net/ipv4/ip_forward" || die "Failed enabling system ipv4 forwarding"
+    echo 1 > "/proc/sys/net/ipv4/ip_forward" || die "Failed enabling system ipv4 forwarding" # TODO maybe uneeded in '--no4' mode
    if [[ $IPV6 -eq 1 ]]; then
-        echo 1 > "/proc/sys/net/ipv6/conf/all/forwarding" || die "Failed enabling system ipv6 forwarding"
+        echo 1 > "/proc/sys/net/ipv6/conf/all/forwarding" || die "Failed enabling system ipv6 forwarding" # TODO if '-o' used, set only 2 interfaces' bits
    fi
    # to enable clients to establish PPTP connections we must
@ -2082,7 +2047,7 @@ elif [[ "$SHARE_METHOD" == "redsocks" ]]; then
        echo 1 > "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/forwarding" || die "Failed enabling $SUBNET_IFACE ipv6 forwarding" # to set NA router bit
    fi
-    [[ "$dnsmasq_NO_DNS" -eq 0 && ! $DNS ]] &&  echo -e "\nWARN: You are using in transparent proxy mode but this host is providing local DNS, this may cause privacy leak !!!\n" >&2
+    [[ "$dnsmasq_NO_DNS" -eq 0 && ! $DNS ]] &&  echo -e "\nWARN: You are using in transparent proxy mode but this host is providing local DNS. In some unexpected case (eg. mistaken configurations), queries may leak to other interfaces, which you should be aware of.\n" >&2
    [[ "$BANLAN" -eq 1 ]] && start_ban_lan
Author	SHA1	Message	Date
garywill	15a2e0ce53	0.6.6	2021-11-07 10:31:15 +08:00
garywill	083cd42afd	new iptables function	2021-11-07 10:30:56 +08:00
garywill	7c6113f1d2	0.6.5	2021-11-07 10:29:12 +08:00
garywill	0ccdcf647a	correct description about '--dhcp-dns(6)'	2021-11-07 10:28:36 +08:00