#!/bin/bash VERSION=0.7.0b PROGNAME="$(basename $0)" export LC_ALL=C SCRIPT_UMASK=0122 umask $SCRIPT_UMASK phead() { echo "linux-router $VERSION (https://github.com/garywill/linux-router)" } phead2() { echo "Released under LGPL, with no warranty. Use on your own risk." } usage() { phead phead2 cat << EOF Usage: $PROGNAME Options: -h, --help Show this help --version Print version number -i Interface to make NATed sub-network, and to provide Internet to (To create WiFi hotspot use '--ap' instead) -o Specify an inteface to provide Internet from. (See Notice 1) (Note using this with default DNS option may leak queries to other interfaces) -n Do not provide Internet (See Notice 1) --ban-priv Disallow clients to access my private network -g This host's IPv4 address in subnet (mask is /24) (example: '192.168.5.1' or '5' shortly) -6 Enable IPv6 (NAT) --no4 Disable IPv4 Internet (not forwarding IPv4) (See Notice 1). Usually used with '-6' --p6 Set IPv6 LAN address prefix (length 64) (example: 'fd00:0:0:5::' or '5' shortly) Using this enables '-6' --dns || DNS server's upstream DNS. Use ',' to seperate multiple servers (default: use /etc/resolve.conf) (Note IPv6 addresses need '[]' around) --no-dns Do not serve DNS --no-dnsmasq Disable dnsmasq server (DHCP, DNS, RA) --catch-dns Transparent DNS proxy, redirect packets(TCP/UDP) whose destination port is 53 to this host --log-dns Show DNS query log (dnsmasq) --dhcp-dns |no Set IPv4 DNS offered by DHCP (default: this host). --dhcp-dns6 |no Set IPv6 DNS offered by DHCP (RA) (default: this host) (Note IPv6 addresses need '[]' around) Using both above two will enable '--no-dns' --hostname DNS server associate this name with this host. Use '-' to read name from /etc/hostname -d DNS server will take into account /etc/hosts -e DNS server will take into account additional hosts file --dns-nocache DNS server no cache --mac Set MAC address --random-mac Use random MAC address --tp Transparent proxy, redirect non-LAN TCP and UDP(not tested) traffic to port. (usually used with '--dns') WiFi hotspot options: --ap Create WiFi access point -p, --password WiFi password --qr Show WiFi QR code in terminal (need qrencode) --hidden Hide access point (not broadcast SSID) --no-virt Do not create virtual interface Using this you can't use same wlan interface for both Internet and AP --virt-name Set name of virtual interface -c Specify channel (default: use current one, or 1 / 36) --country Set two-letter country code for regularity (example: US) --freq-band Set frequency band: 2.4 or 5 (default: 2.4) --driver Choose your WiFi adapter driver (default: nl80211) -w '2' for WPA2, '1' for WPA, '1+2' for both (default: 2) --psk Use 64 hex digits pre-shared-key instead of passphrase --mac-filter Enable WiFi hotspot MAC address filtering --mac-filter-accept Location of WiFi hotspot MAC address filter list (defaults to /etc/hostapd/hostapd.accept) --hostapd-debug 1 or 2. Passes -d or -dd to hostapd --isolate-clients Disable wifi communication between clients --no-haveged Do not run haveged automatically when needed --hs20 Enable Hotspot 2.0 (Make sure your hostapd build supports it) WiFi 4 (802.11n) configs: --ieee80211n Enable IEEE 802.11n (HT) --require-ht Require station HT (High Throughput) mode --ht-capab HT capabilities (default: [HT40+]) WiFi 5 (802.11ac) configs: --ieee80211ac Enable IEEE 802.11ac (VHT) --require-vht Require station VHT (Very High Thoughtput) mode --vht-capab VHT capabilities --vht-channel-width Index of VHT channel width: 0 for 20MHz or 40MHz (default) 1 for 80MHz 2 for 160MHz 3 for 80+80MHz (Non-contigous 160MHz) --vht-seg0-channel Channel index of VHT center frequency for primary segment, use with --vht-channel-width --vht-seg1-channel Channel index of VHT center frequency for secondary (second 80MHz) segment, use with '--vht-channel-width 3' . Instance managing: --daemon Run in background -l, --list-running Show running instances --lc, --list-clients List clients of an instance. Or list neighbors of an interface, even if it isn't handled by us. (passive mode) --stop Stop a running instance For you can use PID or subnet interface name. You can get them with '--list-running' Notice 1: This script assume your host's default policy won't forward packets, so the script won't explictly ban forwarding in any mode. In some unexpected case (eg. mistaken configurations) may cause unwanted packets leakage between 2 networks, which you should be aware of if you want isolated network Examples: $PROGNAME -i eth1 $PROGNAME --ap wlan0 MyAccessPoint -p MyPassPhrase $PROGNAME -i eth1 --tp --dns EOF } check_empty_option(){ if [[ "$1" == "" ]]; then usage exit 0 fi } define_global_variables(){ # user options GATEWAY= # IPv4 address for this host PREFIX6= # IPv6 LAN address prefix for this host IID6=1 # IPv6 LAN ID for this host IPV6=0 # enable ipv6 NO4=0 # no IPv4 Internet BANLAN=0 # ban clients from accessing private addresses DHCP_DNS=gateway # which ipv4 DNS the DHCP gives clients DHCP_DNS6=gateway # which ipv6 DNS the DHCP gives clients dnsmasq_NO_DNS=0 # disable dns server NO_DNSMASQ=0 # disable dnsmasq (dns and dhcp) CATCH_DNS=0 # catch clients 53 port packets SHOW_DNS_QUERY=0 # log dns ETC_HOSTS=0 ADDN_HOSTS= DNS_NOCACHE= CONN_IFACE= # which interface user choose to use to create network INTERNET_IFACE= # which interface to get Internet from THISHOSTNAME= # this host's name the DNS tells clients TP_PORT= # transparent proxy port DNS= # upstream DNS MAC_USE_RANDOM=0 NEW_MACADDR= DAEMONIZE=0 # script variables SUBNET_IFACE= # which interface to create network SHARE_METHOD=nat OLD_MACADDR= ##### wifi hotspot # user options HIDDEN=0 # hidden wifi hotspot WIFI_IFACE= CHANNEL=default HOTSPOT20=0 # For enabling Hotspot 2.0 WPA_VERSION=2 MAC_FILTER=0 MAC_FILTER_ACCEPT=/etc/hostapd/hostapd.accept IEEE80211N=0 REQUIREHT=0 IEEE80211AC=0 REQUIREVHT=0 HT_CAPAB='[HT40+]' VHT_CAPAB= VHTCHANNELWIDTH=0 VHTSEG0CHINDEX=0 VHTSEG1CHINDEX=0 DRIVER=nl80211 NO_VIRT=0 # not use virtual interface COUNTRY= FREQ_BAND=2.4 NO_HAVEGED=0 HOSTAPD_DEBUG_ARGS= USE_PSK=0 ISOLATE_CLIENTS=0 QR=0 # show wifi qr # script variables VWIFI_IFACE= # virtual wifi interface name, if created VIRT_NAME= # name to use for virtual interface if --virt-name is used AP_IFACE= # can be VWIFI_IFACE or WIFI_IFACE USE_IWCONFIG=0 # some device can't use iw ####### #-- to deal with info of a running instance. then will exit LIST_RUNNING=0 STOP_ID= LIST_CLIENTS_ID= # -- variables for running CONFDIR= NM_RUNNING=0 NM_UNM_LIST= # it's called "list" but for now one interface } parse_user_options(){ while [[ -n "$1" ]]; do case "$1" in -h|--help) usage exit 0 ;; --version) echo "$VERSION" exit 0 ;; -i) shift CONN_IFACE="$1" shift ;; -o) shift INTERNET_IFACE="$1" shift ;; -n) shift SHARE_METHOD=none ;; --ban-priv) shift BANLAN=1 ;; --tp) shift TP_PORT="$1" SHARE_METHOD=redsocks shift ;; -g) shift GATEWAY="$1" shift ;; -6) shift IPV6=1 ;; --no4) shift NO4=1 ;; --p6) shift PREFIX6="$1" IPV6=1 shift ;; --mac) shift NEW_MACADDR="$1" shift ;; --random-mac) shift MAC_USE_RANDOM=1 ;; --dns) shift DNS="$1" shift ;; --no-dns) shift dnsmasq_NO_DNS=1 ;; --no-dnsmasq) shift NO_DNSMASQ=1 ;; --dhcp-dns) shift DHCP_DNS="$1" shift ;; --dhcp-dns6) shift DHCP_DNS6="$1" shift ;; --catch-dns) shift CATCH_DNS=1 ;; --log-dns) shift SHOW_DNS_QUERY=1 ;; --hostname) shift THISHOSTNAME="$1" shift ;; -d) shift ETC_HOSTS=1 ;; -e) shift ADDN_HOSTS="$1" shift ;; --dns-nocache) shift DNS_NOCACHE=1 ;; --isolate-clients) shift ISOLATE_CLIENTS=1 ;; --ap) shift WIFI_IFACE="$1" shift SSID="$1" shift ;; -p|--password) shift PASSPHRASE="$1" shift ;; --qr) shift QR=1 ;; --hidden) shift HIDDEN=1 ;; --mac-filter) shift MAC_FILTER=1 ;; --mac-filter-accept) shift MAC_FILTER_ACCEPT="$1" shift ;; -c) shift CHANNEL="$1" shift ;; --hs20) shift HOTSPOT20=1 ;; -w) shift WPA_VERSION="$1" [[ "$WPA_VERSION" == "2+1" ]] && WPA_VERSION=1+2 shift ;; --ieee80211n) shift IEEE80211N=1 ;; --require-ht) shift REQUIREHT=1 ;; --ieee80211ac) shift IEEE80211AC=1 ;; --require-vht) shift REQUIREVHT=1 ;; --ht-capab) shift HT_CAPAB="$1" shift ;; --vht-capab) shift VHT_CAPAB="$1" shift ;; --vht-channel-width) shift VHTCHANNELWIDTH="$1" shift ;; --vht-seg0-channel) shift VHTSEG0CHINDEX="$1" shift ;; --vht-seg1-channel) shift VHTSEG1CHINDEX="$1" shift ;; --driver) shift DRIVER="$1" shift ;; --no-virt) shift NO_VIRT=1 ;; --virt-name) shift VIRT_NAME="$1" shift ;; --country) shift COUNTRY="$1" shift ;; --freq-band) shift FREQ_BAND="$1" shift ;; --no-haveged) shift NO_HAVEGED=1 ;; --hostapd-debug) shift if [ "x$1" = "x1" ]; then HOSTAPD_DEBUG_ARGS="-d" elif [ "x$1" = "x2" ]; then HOSTAPD_DEBUG_ARGS="-dd" else printf "Error: argument for --hostapd-debug expected 1 or 2, got %s\n" "$1" exit 1 fi shift ;; --psk) shift USE_PSK=1 ;; --daemon) shift DAEMONIZE=1 ;; --stop) shift STOP_ID="$1" shift ;; -l|--list-running) shift LIST_RUNNING=1 ;; --lc|--list-clients) shift LIST_CLIENTS_ID="$1" shift ;; *) echo "Invalid parameter: $1" 1>&2 exit 1 ;; esac done } # seperate ip and port sep_ip_port() { # usage: sep_ip_port # input can be: # port (ip is 127.0.0.1) # ipv4 # [ipv6] # ipv4:port # [ipv6]:port local IP local PORT local INPUT INPUT="$1" if (echo "$INPUT" | grep '\.' >/dev/null 2>&1) ;then if (echo "$INPUT" | grep ':' >/dev/null 2>&1) ;then # ipv4 + port IP="$(echo $INPUT | cut -d: -f1)" PORT="$(echo $INPUT | cut -d: -f2)" else # ipv4 IP="$INPUT" fi elif (echo "$INPUT" | grep '\]' >/dev/null 2>&1) ;then if (echo "$INPUT" | grep '\]\:' >/dev/null 2>&1) ;then # ipv6 + port IP="$(echo $INPUT | cut -d']' -f1 | cut -d'[' -f2)" PORT="$(echo $INPUT | cut -d']' -f2 |cut -d: -f2)" else # ipv6 IP="$(echo $INPUT | cut -d']' -f1 | cut -d'[' -f2)" fi else # port IP='127.0.0.1' PORT="$INPUT" fi printf -v "$2" %s "$IP" printf -v "$3" %s "$PORT" } #========================= is_interface() { [[ -z "$1" ]] && return 1 [[ -d "/sys/class/net/${1}" ]] } is_vface_name_allocated(){ is_interface "$1" || [[ -f "$COMMON_CONFDIR/vfaces/${1}" ]] } get_interface_phy_device() { # only for wifi interface local x for x in /sys/class/ieee80211/*; do [[ ! -e "$x" ]] && continue if [[ "${x##*/}" = "$1" ]]; then echo "$1" return 0 elif [[ -e "$x/device/net/$1" ]]; then echo ${x##*/} return 0 elif [[ -e "$x/device/net:$1" ]]; then echo ${x##*/} return 0 fi done echo "Failed to get phy interface" >&2 return 1 } get_adapter_info() { # only for wifi interface local iPHY iPHY=$(get_interface_phy_device "$1") [[ $? -ne 0 ]] && return 1 iw phy $iPHY info } get_adapter_kernel_module() { local MODULE MODULE=$(readlink -f "/sys/class/net/$1/device/driver/module") echo ${MODULE##*/} } can_be_sta_and_ap() { # iwconfig does not provide this information, assume false [[ $USE_IWCONFIG -eq 1 ]] && return 1 if [[ "$(get_adapter_kernel_module "$1")" == "brcmfmac" ]]; then echo "WARN: brmfmac driver doesn't work properly with virtual interfaces and" >&2 echo " it can cause kernel panic. For this reason we disallow virtual" >&2 echo " interfaces for your adapter." >&2 echo " For more info: https://github.com/oblique/create_ap/issues/203" >&2 return 1 fi get_adapter_info "$1" | grep -E '{.* managed.* AP.*}' > /dev/null 2>&1 && return 0 get_adapter_info "$1" | grep -E '{.* AP.* managed.*}' > /dev/null 2>&1 && return 0 return 1 } can_be_ap() { # iwconfig does not provide this information, assume true [[ $USE_IWCONFIG -eq 1 ]] && return 0 get_adapter_info "$1" | grep -E '\* AP$' > /dev/null 2>&1 && return 0 return 1 } can_transmit_to_channel() { local IFACE CHANNEL_NUM CHANNEL_INFO IFACE=$1 CHANNEL_NUM=$2 if [[ $USE_IWCONFIG -eq 0 ]]; then if [[ $FREQ_BAND == 2.4 ]]; then CHANNEL_INFO=$(get_adapter_info ${IFACE} | grep " 24[0-9][0-9] MHz \[${CHANNEL_NUM}\]") else CHANNEL_INFO=$(get_adapter_info ${IFACE} | grep " \(49[0-9][0-9]\|5[0-9]\{3\}\) MHz \[${CHANNEL_NUM}\]") fi [[ -z "${CHANNEL_INFO}" ]] && return 1 [[ "${CHANNEL_INFO}" == *no\ IR* ]] && return 1 [[ "${CHANNEL_INFO}" == *disabled* ]] && return 1 return 0 else CHANNEL_NUM=$(printf '%02d' ${CHANNEL_NUM}) CHANNEL_INFO=$(iwlist ${IFACE} channel | grep -E "Channel[[:blank:]]${CHANNEL_NUM}[[:blank:]]?:") [[ -z "${CHANNEL_INFO}" ]] && return 1 return 0 fi } # taken from iw/util.c ieee80211_frequency_to_channel() { local FREQ=$1 if [[ $FREQ -eq 2484 ]]; then echo 14 elif [[ $FREQ -lt 2484 ]]; then echo $(( ($FREQ - 2407) / 5 )) elif [[ $FREQ -ge 4910 && $FREQ -le 4980 ]]; then echo $(( ($FREQ - 4000) / 5 )) elif [[ $FREQ -le 45000 ]]; then echo $(( ($FREQ - 5000) / 5 )) elif [[ $FREQ -ge 58320 && $FREQ -le 64800 ]]; then echo $(( ($FREQ - 56160) / 2160 )) else echo 0 fi } is_5ghz_frequency() { [[ $1 =~ ^(49[0-9]{2})|(5[0-9]{3})$ ]] } is_interface_wifi_connected() { if [[ $USE_IWCONFIG -eq 0 ]]; then iw dev "$1" link 2>&1 | grep -E '^Connected to' > /dev/null 2>&1 && return 0 else iwconfig "$1" 2>&1 | grep -E 'Access Point: [0-9a-fA-F]{2}:' > /dev/null 2>&1 && return 0 fi return 1 } is_unicast_macaddr() { local x x=$(echo "$1" | cut -d: -f1) x=$(printf '%d' "0x${x}") [[ $(expr $x % 2) -eq 0 ]] } get_interface_mac() { is_interface "$1" || return cat "/sys/class/net/${1}/address" } get_interface_pci_info() { # pci id / model / virtual is_interface "$1" || return local device_path local pci_id local pci_full device_path="$(readlink -f /sys/class/net/$1)" if [[ "$device_path" == "/sys/devices/pci"* ]]; then pci_id="$(echo $device_path | sed 's/\//\n/g' | tail -n 3 |sed -n 1p)" if which lspci >/dev/null 2>&1 ; then pci_full="$( lspci -D -nn | grep -E "^$pci_id " )" echo " PCI: $pci_full" else echo " PCI: $pci_id" fi elif [[ "$device_path" == *"/virtual/"* ]]; then echo " virtual interface" fi # TODO usb # TODO current driver } alloc_new_vface_name() { # only for wifi local i=0 local v_iface_name="$VIRT_NAME" if [[ -z $VIRT_NAME ]]; then while :; do v_iface_name="x$i${WIFI_IFACE}" i=$((i + 1)) is_vface_name_allocated ${v_iface_name} || break done fi mkdir -p $COMMON_CONFDIR/vfaces touch $COMMON_CONFDIR/vfaces/${v_iface_name} echo "${v_iface_name}" } dealloc_vface_name() { rm -f $COMMON_CONFDIR/vfaces/$1 } #====== get_all_mac_in_system() { cat /sys/class/net/*/address } get_new_macaddr_according_to_existing() { local REALDEV OLDMAC NEWMAC LAST_BYTE i REALDEV=$1 OLDMAC=$(get_interface_mac "$REALDEV") NEWMAC="" LAST_BYTE=$(printf %d 0x${OLDMAC##*:}) for i in {10..240}; do NEWMAC="${OLDMAC%:*}:$(printf %02x $(( ($LAST_BYTE + $i) % 256 )))" (get_all_mac_in_system | grep "$NEWMAC" > /dev/null 2>&1) || break done echo "$NEWMAC" } generate_random_mac() { local r1 r2 r3 r4 r5 r6 local RAND_MAC while :; do r1=$( printf "%02x" $(($RANDOM%256/4*4)) ) r2=$( printf "%02x" $(($RANDOM%256)) ) r3=$( printf "%02x" $(($RANDOM%256)) ) r4=$( printf "%02x" $(($RANDOM%256)) ) r5=$( printf "%02x" $(($RANDOM%256)) ) r6=$( printf "%02x" $(($RANDOM%256)) ) RAND_MAC="$r1:$r2:$r3:$r4:$r5:$r6" ( ! ip link | grep "link" | grep $RAND_MAC > /dev/null 2>&1 ) && \ ( ! ip maddress | grep "link" | grep $RAND_MAC > /dev/null 2>&1 ) && \ ( ! ip neigh | grep "lladdr $RAND_MAC" > /dev/null 2>&1 ) && \ ( ! get_all_mac_in_system | grep $RAND_MAC ) && \ break done echo "$RAND_MAC" } is_ip4_lan_range_available() { # checks 192.168.x.x ( ip -4 address | grep "inet 192\.168\.$1\." > /dev/null 2>&1 ) && return 1 ( ip -4 route | grep "^192\.168\.$1\." > /dev/null 2>&1 ) && return 1 ( ip -4 route get 192.168.$1.0 2>&1 | grep -E "\bvia\b|\bunreachable\b" > /dev/null 2>&1 ) && \ ( ip -4 route get 192.168.$1.255 2>&1 | grep -E "\bvia\b|\bunreachable\b" > /dev/null 2>&1 ) && return 0 return 1 } is_ip6_lan_range_available() { # checks fdxx:: ( ip -6 address | grep -i "inet6 fd$1:$2$3:$4$5:$6$7:" > /dev/null 2>&1 ) && return 1 ( ip -6 route | grep -i "^fd$1:$2$3:$4$5:$6$7:" > /dev/null 2>&1 ) && return 1 ( ip -6 route get fd$1:$2$3:$4$5:$6$7:: 2>&1 | grep -E "\bvia\b|\bunreachable\b" > /dev/null 2>&1 ) && \ ( ip -6 route get fd$1:$2$3:$4$5:$6$7:ffff:ffff:ffff:ffff 2>&1 | grep -E "\bvia\b|\bunreachable\b" > /dev/null 2>&1 ) && return 0 return 1 } generate_random_ip4() { local random_ip4 while :; do random_ip4=$(($RANDOM%256)) is_ip4_lan_range_available $random_ip4 && break done echo "192.168.$random_ip4.1" } generate_random_lan_ip6_prefix() { local r1 r2 r3 r4 r5 r6 r7 while :; do r1=$( printf "%x" $(($RANDOM%240+16)) ) r2=$( printf "%x" $(($RANDOM%240+16)) ) r3=$( printf "%x" $(($RANDOM%240+16)) ) r4=$( printf "%x" $(($RANDOM%240+16)) ) r5=$( printf "%x" $(($RANDOM%240+16)) ) r6=$( printf "%x" $(($RANDOM%240+16)) ) r7=$( printf "%x" $(($RANDOM%240+16)) ) is_ip6_lan_range_available $r1 $r2 $r3 $r4 $r5 $r6 $r7 && break done echo "fd$r1:$r2$r3:$r4$r5:$r6$r7::" } # start haveged when needed haveged_watchdog() { local show_warn=1 while :; do if [[ $(cat /proc/sys/kernel/random/entropy_avail) -lt 1000 ]]; then if ! which haveged > /dev/null 2>&1; then if [[ $show_warn -eq 1 ]]; then echo "WARN: Low entropy detected. We recommend you to install \`haveged'" 1>&2 show_warn=0 fi elif ! pidof haveged > /dev/null 2>&1; then # TODO judge zombie ? echo "Low entropy detected, starting haveged" 1>&2 # boost low-entropy haveged -w 1024 -p $COMMON_CONFDIR/haveged.pid fi fi sleep 2 done } pid_watchdog() { local PID="$1" local SLEEP="$2" local ERR_MSG="$3" local ST while true do if [[ -e "/proc/$PID" ]]; then ST="$(cat "/proc/$PID/status" | grep "^State:" | awk '{print $2}')" if [[ "$ST" != 'Z' ]]; then sleep $SLEEP continue fi fi die "$ERR_MSG" done } #======== # only support NetworkManager >= 0.9.9 is_nm_running() { if (which nmcli >/dev/null 2>&1 ) && (nmcli -t -f RUNNING g 2>&1 | grep -E '^running$' >/dev/null 2>&1 ) ; then echo 1 else echo 0 fi } nm_knows() { (nmcli dev show $1 | grep -E "^GENERAL.STATE:" >/dev/null 2>&1 ) && return 0 # nm sees return 1 # nm doesn't see this interface } nm_get_manage() { # get an interface's managed state local s s=$(nmcli dev show $1 | grep -E "^GENERAL.STATE:") || return 2 # no such interface (echo $s | grep "unmanaged" >/dev/null 2>&1) && return 1 # unmanaged return 0 # managed } nm_set_unmanaged() { while ! nm_knows $1 ; do # wait for virtual wifi interface seen by NM sleep 0.5 done if nm_get_manage $1 ;then echo "Set $1 unmanaged by NetworkManager" nmcli dev set $1 managed no || die "Failed to set $1 unmanaged by NetworkManager" NM_UNM_LIST=$1 sleep 1 fi } nm_set_managed() { nmcli dev set $1 managed yes NM_UNM_LIST= } nm_restore_manage() { if [[ $NM_UNM_LIST ]]; then echo "Restore $NM_UNM_LIST managed by NetworkManager" nm_set_managed $NM_UNM_LIST sleep 0.5 fi } #========= check_iptables() { echo iptables --version if which firewall-cmd > /dev/null 2>&1; then if [[ "$(firewall-cmd --state 2>&1)" == "running" ]]; then echo "firewalld is running ($(firewall-cmd --version))" echo -e "\nWARN: We haven't completed the compatibility with firewalld.\nWARN: If you see any trouble, try:\nWARN: 1) 'firewall-cmd --zone=trusted --add-interface='\nWARN: 2) disable firewalld\n" >&2 # TODO fi fi } CUSTOM_CHAINS_4_filter= CUSTOM_CHAINS_4_nat= CUSTOM_CHAINS_6_filter= CUSTOM_CHAINS_6_nat= iptb() { local FoS=$1 # 4 | 6 shift local Vis=$1 # 'v' | 'n' shift local T=$1 # table shift local ACT=$1 # action: I | A | N . On undo: I or A -> D , N -> F+X shift local CH=$1 # chain shift [[ "$IPV6" -ne 1 && "$FoS" == "6" ]] && return local CMD_HEAD="" local MOUTH="" local NECK="" local HAND_UN_NC=0 local TAIL="" local FULL="" local ADD_TO_UNDO=1 for arr_name in CUSTOM_CHAINS_4_filter CUSTOM_CHAINS_4_nat CUSTOM_CHAINS_6_filter CUSTOM_CHAINS_6_nat do local arr_content eval arr_content=\"\${$arr_name}\" #echo $arr_content for w in $arr_content do if [[ "$arr_name" =~ "$FoS" && "$arr_name" =~ "$T" && "$w" == "$CH" ]]; then ADD_TO_UNDO=0 fi done done [[ "$FoS" == "4" ]] && CMD_HEAD="iptables -w " [[ "$FoS" == "6" ]] && CMD_HEAD="ip6tables -w " [[ "$Vis" == 'v' ]] && MOUTH="-v" NECK="-t ${T}" if [[ "$ACT" == "N" ]]; then eval CUSTOM_CHAINS_${FoS}_${T}=\"\${CUSTOM_CHAINS_${FoS}_${T}} ${CH}\" HAND_UN_NC=1 fi [[ ! "$NETFILTER_XT_MATCH_COMMENT" == "0" ]] && TAIL="-m comment --comment lrt${$}${SUBNET_IFACE}" if [[ "$ADD_TO_UNDO" -eq 1 ]]; then if [[ "$ACT" == "I" || "$ACT" == "A" ]]; then echo "$CMD_HEAD $NECK -D ${CH} $@ $TAIL" >> $CONFDIR/undo_iptables.sh fi if [[ "$HAND_UN_NC" -eq 1 ]]; then echo "$CMD_HEAD $NECK -F ${CH} $@ $TAIL" >> $CONFDIR/undo_iptables_2.sh echo "$CMD_HEAD $NECK -X ${CH} $@ $TAIL" >> $CONFDIR/undo_iptables_2.sh fi fi FULL="$CMD_HEAD $MOUTH $NECK -${ACT} ${CH} $@ $TAIL" #echo $FULL $FULL return $? } start_nat() { if [[ $INTERNET_IFACE ]]; then IPTABLES_NAT_OUT="-o ${INTERNET_IFACE}" IPTABLES_NAT_IN="-i ${INTERNET_IFACE}" MASQUERADE_NOTOUT="" else MASQUERADE_NOTOUT="! -o ${SUBNET_IFACE}" fi echo echo "iptables: NAT " if [[ $NO4 -eq 0 ]]; then iptb 4 v nat I POSTROUTING -s ${GATEWAY%.*}.0/24 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${GATEWAY%.*}.0/24 -j MASQUERADE || die iptb 4 v filter I FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${GATEWAY%.*}.0/24 -j ACCEPT || die iptb 4 v filter I FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN -d ${GATEWAY%.*}.0/24 -j ACCEPT || die fi iptb 6 v nat I POSTROUTING -s ${PREFIX6}/64 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${PREFIX6}/64 -j MASQUERADE || die iptb 6 v filter I FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${PREFIX6}/64 -j ACCEPT || die iptb 6 v filter I FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN -d ${PREFIX6}/64 -j ACCEPT || die } start_ban_lan() { echo echo "iptables: Disallow clients to access LAN" iptb 4 n filter N lrt${$}${SUBNET_IFACE}-BLF || die # TODO: allow '--dhcp-dns(6)' address port 53, which can be something needed, e.g. a VPN's internal private IP iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 0.0.0.0/8 -j REJECT || die # TODO: use array iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 10.0.0.0/8 -j REJECT || die iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 100.64.0.0/10 -j REJECT || die iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 127.0.0.0/8 -j REJECT || die iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 169.254.0.0/16 -j REJECT || die iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 172.16.0.0/12 -j REJECT || die iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 192.168.0.0/16 -j REJECT || die iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 224.0.0.0/4 -j REJECT || die iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 255.255.255.255 -j REJECT || die iptb 4 n filter I FORWARD -i ${SUBNET_IFACE} -j lrt${$}${SUBNET_IFACE}-BLF || die iptb 4 n filter N lrt${$}${SUBNET_IFACE}-BLI || die iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLI -i ${SUBNET_IFACE} ! -p icmp -j REJECT || die # ipv6 need icmp to function. TODO: maybe we can block some unneeded icmp to improve security iptb 4 n filter I INPUT -i ${SUBNET_IFACE} -j lrt${$}${SUBNET_IFACE}-BLI || die iptb 6 n filter N lrt${$}${SUBNET_IFACE}-BLF || die iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d fc00::/7 -j REJECT || die iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d fe80::/10 -j REJECT || die iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ff00::/8 -j REJECT || die iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ::1 -j REJECT || die iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ::/128 -j REJECT || die iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ::ffff:0:0/96 -j REJECT || die iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ::ffff:0:0:0/96 -j REJECT || die iptb 6 n filter I FORWARD -i ${SUBNET_IFACE} -j lrt${$}${SUBNET_IFACE}-BLF || die iptb 6 n filter N lrt${$}${SUBNET_IFACE}-BLI || die iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLI -i ${SUBNET_IFACE} ! -p icmpv6 -j REJECT || die iptb 6 n filter I INPUT -i ${SUBNET_IFACE} -j lrt${$}${SUBNET_IFACE}-BLI || die } allow_dns_port() { echo echo "iptables: allow DNS" iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j ACCEPT || die iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j ACCEPT || die iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j ACCEPT || die iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j ACCEPT || die } start_catch_dns() { echo echo "iptables: redirect DNS queries to this host" iptb 4 v nat I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 || die iptb 4 v nat I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 || die iptb 6 v nat I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 || die iptb 6 v nat I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 || die } allow_dhcp() { echo echo "iptables: allow dhcp" iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 67 -j ACCEPT || die iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 547 -j ACCEPT || die } # TODO: use 'DNAT' instead of '--to-ports' to support other IP start_redsocks() { echo echo "iptables: transparent proxy non-LAN TCP and UDP(not tested) traffic to port ${TP_PORT}" if [[ $NO4 -eq 0 ]]; then iptb 4 n nat N lrt${$}${SUBNET_IFACE}-TP || die iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 0.0.0.0/8 -j RETURN || die iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 10.0.0.0/8 -j RETURN || die iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 100.64.0.0/10 -j RETURN || die iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 127.0.0.0/8 -j RETURN || die iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 169.254.0.0/16 -j RETURN || die iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 172.16.0.0/12 -j RETURN || die iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 192.168.0.0/16 -j RETURN || die iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 224.0.0.0/4 -j RETURN || die iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 255.255.255.255 -j RETURN || die iptb 4 v nat A lrt${$}${SUBNET_IFACE}-TP -p tcp -j REDIRECT --to-ports ${TP_PORT} || die iptb 4 v nat A lrt${$}${SUBNET_IFACE}-TP -p udp -j REDIRECT --to-ports ${TP_PORT} || die iptb 4 v nat I PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -j lrt${$}${SUBNET_IFACE}-TP || die iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT || die iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p udp -m udp --dport ${TP_PORT} -j ACCEPT || die fi iptb 6 n nat N lrt${$}${SUBNET_IFACE}-TP || die iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d fc00::/7 -j RETURN || die iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d fe80::/10 -j RETURN || die iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d ff00::/8 -j RETURN || die iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d ::1 -j RETURN || die iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d :: -j RETURN || die iptb 6 v nat A lrt${$}${SUBNET_IFACE}-TP -p tcp -j REDIRECT --to-ports ${TP_PORT} || die iptb 6 v nat A lrt${$}${SUBNET_IFACE}-TP -p udp -j REDIRECT --to-ports ${TP_PORT} || die iptb 6 v nat I PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -j lrt${$}${SUBNET_IFACE}-TP || die iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT || die iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p udp -m udp --dport ${TP_PORT} -j ACCEPT || die } #--------------------------------------- backup_ipv6_bits() { mkdir "$CONFDIR/sys_6_conf_iface" || die "Failed making dir to save interface IPv6 status" cp "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/disable_ipv6" \ "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/accept_ra" \ "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/use_tempaddr" \ "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/addr_gen_mode" \ "$CONFDIR/sys_6_conf_iface/" || die "Failed backing up interface ipv6 bits" if [[ "$SHARE_METHOD" == 'redsocks' ]] ; then cp "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/forwarding" \ "$CONFDIR/sys_6_conf_iface/" || die "Failed backking up interface ipv6 bits" fi } set_ipv6_bits() { if [[ $IPV6 -eq 1 ]]; then echo 0 > "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/disable_ipv6" echo 0 > "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/accept_ra" echo 0 > "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/use_tempaddr" echo 0 > "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/addr_gen_mode" else echo 1 > "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/disable_ipv6" fi } restore_ipv6_bits() { if [[ -d "$CONFDIR/sys_6_conf_iface" ]]; then cp -f "$CONFDIR/sys_6_conf_iface/*" "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/" fi } set_interface_mac() { local INTERFACE local MAC INTERFACE=$1 MAC=$2 ip link set dev ${INTERFACE} address ${MAC} } backup_interface_status() { # virtual wifi interface will be destroyed, so no need to save status # backup interface up or down status (ip link show ${SUBNET_IFACE} |grep -q "state UP") && SUBNET_IFACE_ORIGINAL_UP_STATUS=1 # save interface old mac #if [[ -n "$NEW_MACADDR" ]]; then OLD_MACADDR=$(get_interface_mac $SUBNET_IFACE) #echo "Saved ${SUBNET_IFACE} old MAC address ${OLD_MACADDR} into RAM" #fi backup_ipv6_bits # TODO : ? backup ip and others??? # nm managing status is saved when nm_set_unmanaged() } restore_interface_status() { # virtual wifi interface will be destroyed, so no need to restore status # don't use [[ $VWIFI_IFACE ]] to judge, if creating virtual wifi failed, VWIFI_IFACE is empty [[ "$WIFI_IFACE" && "$NO_VIRT" -eq 0 ]] && return restore_ipv6_bits if [[ -n "$OLD_MACADDR" && "$(get_interface_mac $SUBNET_IFACE)" != "$OLD_MACADDR" ]] ; then echo "Restoring ${SUBNET_IFACE} to old MAC address ${OLD_MACADDR} ..." set_interface_mac ${SUBNET_IFACE} ${OLD_MACADDR} || echo "Failed restoring ${SUBNET_IFACE} to old MAC address ${OLD_MACADDR}" >&2 fi nm_restore_manage [[ $SUBNET_IFACE_ORIGINAL_UP_STATUS -eq 1 ]] && ip link set up dev ${SUBNET_IFACE} && echo "Restore ${SUBNET_IFACE} to link up" } #--------------------------------------- kill_processes() { # for this instance #echo "Killing processes" local x pid for x in $CONFDIR/*.pid; do # even if the $CONFDIR is empty, the for loop will assign # a value in $x. so we need to check if the value is a file if [[ -f $x ]] && sleep 0.3 && [[ -f $x ]]; then pid=$(cat $x) pn=$( ps -p $pid -o comm= ) #echo "Killing $pid $pn ... " pkill -P $pid kill $pid 2>/dev/null && ( echo "Killed $(basename $x) $pid $pn" && rm $x ) || echo "Failed to kill $(basename $x) $pid $pn, it may have exited" fi done } _cleanup() { local x ip addr flush ${SUBNET_IFACE} rm -rf $CONFDIR ip link set down dev ${SUBNET_IFACE} if [[ $VWIFI_IFACE ]]; then # the subnet interface (virtual wifi interface) will be removed iw dev ${VWIFI_IFACE} del dealloc_vface_name $VWIFI_IFACE fi restore_interface_status if ! has_running_instance; then echo "Exiting: This is the only running instance" # kill common processes for x in $COMMON_CONFDIR/*.pid; do [[ -f $x ]] && kill -9 $(cat $x) && rm $x done rm -d $COMMON_CONFDIR/vfaces rm -d $COMMON_CONFDIR rm -d $TMPDIR else echo "Exiting: This is NOT the only running instance" fi } clean_iptables() { [[ -f $CONFDIR/undo_iptables.sh ]] && bash $CONFDIR/undo_iptables.sh [[ -f $CONFDIR/undo_iptables_2.sh ]] && bash $CONFDIR/undo_iptables_2.sh } cleanup() { trap "" SIGINT SIGUSR1 SIGUSR2 EXIT SIGTERM echo echo echo "Doing cleanup.. " kill_processes echo "Undoing iptables changes .." clean_iptables > /dev/null _cleanup 2> /dev/null #pgid=$(ps opgid= $$ |awk '{print $1}' ) #echo "Killing PGID $pgid ..." #kill -15 -$pgid #sleep 1 echo "Cleaning up done" #kill -9 -$pgid } # NOTE function die() is designed NOT to be used before init_trap() executed die() { # SIGUSR2 echo "Error occured" [[ -n "$1" ]] && echo -e "\nERROR: $1\n" >&2 # send die signal to the main process [[ $BASHPID -ne $$ ]] && kill -USR2 $$ || cleanup exit 1 } clean_exit() { # SIGUSR1 # send clean_exit signal to the main process [[ $BASHPID -ne $$ ]] && kill -USR1 $$ || cleanup exit 0 } init_trap(){ trap "cleanup" EXIT trap "clean_exit" SIGINT SIGUSR1 SIGTERM trap "die" SIGUSR2 } init_conf_dirs() { mkdir -p "$TMPDIR" || die "Couldn't make linux-router's temporary dir" chmod 755 "$TMPDIR" 2>/dev/null cd "$TMPDIR" || die "Couldn't change directory to linux-router's temporary path" CONFDIR="$(mktemp -d $TMPDIR/lnxrouter.${TARGET_IFACE}.conf.XXXXXX)" || die "Instance couldn't make config dir" # config dir for one instance chmod 755 "$CONFDIR" #echo "Config dir: $CONFDIR" echo $$ > "$CONFDIR/pid" COMMON_CONFDIR="$TMPDIR/lnxrouter_common.conf" # config dir for all instances mkdir -p "$COMMON_CONFDIR" } #== functions to deal with running instances list_running_conf() { local x for x in $TMPDIR/lnxrouter.*; do if [[ -f $x/pid && -f $x/subn_iface && -d /proc/$(cat $x/pid) ]]; then echo "$x" fi done } list_running() { local IFACE subn_iface x for x in $(list_running_conf); do IFACE=${x#*.} IFACE=${IFACE%%.*} subn_iface=$(cat $x/subn_iface) if [[ $IFACE == $subn_iface ]]; then echo $(cat $x/pid) $IFACE else echo $(cat $x/pid) $IFACE '('$(cat $x/subn_iface)')' fi done } get_subn_iface_from_pid() { list_running | awk '{print $1 " " $NF}' | tr -d '\(\)' | grep -E "^${1} " | cut -d' ' -f2 } get_pid_from_subn_iface() { list_running | awk '{print $1 " " $NF}' | tr -d '\(\)' | grep -E " ${1}$" | cut -d' ' -f1 } get_confdir_from_pid() { local IFACE x for x in $(list_running_conf); do if [[ $(cat $x/pid) == "$1" ]]; then echo "$x" break fi done } #====================================================== print_clients_from_leases() { # MAC|IP|HOST|lease local LEASE_FILE="$1" local FILEC local line local LEASEstr LEASEstamp FILEC="$(cat "$LEASE_FILE" | grep -v -E "^duid\b" | sed -r '/^\s*$/d' )" # TODO: duid is somewhat related to ipv6. I don't know about it. Not sure excluding it miss some info or not echo "$FILEC" | while read line do #echo aa$line LEASEstamp="$(echo "$line" | awk '{print $1}')" MAC="$(echo "$line" | awk '{print $2}')" IP="$(echo "$line" | awk '{print $3}' | sed 's/\[//g' | sed 's/\]//g')" HOST="$(echo "$line" | awk '{print $4}' | sed 's/*/?/g' | sed 's/|/_/g' | sed 's/ /_/g' )" if [[ -n "$MAC" ]]; then LEASEstr="$(date -d @${LEASEstamp} +%m-%d_%X)" echo "$MAC|$IP|$HOST|lease_$LEASEstr" fi done } print_interface_neighbors_via_iproute() { # MAC|IP|_|STATUS local IFACE=$1 local line ip n | grep -E "\bdev $IFACE\b" | sed 's/ /|/g' | while read line do local MAC IP STATUS IP="$(echo $line | awk -F'|' '{print $1}')" if [[ "$(echo $line | awk -F'|' '{print $4}')" == "lladdr" ]]; then # has mac # if has mac, $4="lladdr" and $5=macaddress and $6+=status MAC="$(echo $line | awk -F'|' '{print $5}')" STATUS="$(echo $line | awk -F'|' '$1="";$2="";$3="";$4="";$5="";{print}' | awk '{$1=$1;print}'| sed 's/ /,/g')" else # no mac # if no mac, $4="" and $5+=status MAC="?" STATUS="$(echo $line | awk -F'|' '$1="";$2="";$3="";$4="";{print}' | awk '{$1=$1;print}' | sed 's/ /,/g')" fi if [[ -n "$IP" && ( "$MAC" != "?" || "$STATUS" != "FAILED" ) ]]; then echo "$MAC|$IP|?|$STATUS" fi done } print_interface_neighbors_via_iw() { # MAC|_|_|signal local IFACE=$1 local MAC SIGNAL iw dev $IFACE station dump | awk '($1 ~ /Station$/) {print $2}' | while read MAC do if [[ -n "$MAC" ]]; then SIGNAL="$(iw dev $IFACE station get $MAC | grep "signal:" | awk '{print $2}')" echo "${MAC}|?|?|${SIGNAL}_dBm" fi done } list_clients() { # passive mode. (use 'arp-scan' or 'netdiscover' if want active mode) local IFACE pid local CONFDIR local output="" # If number (PID) is given, get the associated wifi iface if [[ "$1" =~ ^[1-9][0-9]*$ ]]; then pid="$1" IFACE=$(get_subn_iface_from_pid "$pid") if [[ -z "$IFACE" ]] ; then echo "'$pid' is not the pid of a running $PROGNAME instance." >&2 exit 1 fi else # non-number given IFACE="$1" if ( ! is_interface $IFACE ) ; then echo "'$IFACE' is not an interface or PID" >&2 exit 1 fi pid=$(get_pid_from_subn_iface "$IFACE") if [[ -n "$pid" ]] ; then # if this interface is hosted by us CONFDIR=$(get_confdir_from_pid "$pid") output="$(print_clients_from_leases "$CONFDIR/dnsmasq.leases" )" else # this interface NOT hosted by us echo "Tip: '$IFACE' is not an interface hosted by $PROGNAME" >&2 fi fi output="$(echo "$output" ; print_interface_neighbors_via_iw $IFACE) " output="$(echo "$output" ; print_interface_neighbors_via_iproute $IFACE)" output="$(echo "$output" | sort -k 1 -k 2 -t '|' | uniq | sed -r '/^\s*$/d')" echo "$IFACE ($(get_interface_mac $IFACE)) neighbors:" local fmt="%-19s%-41s%-20s%s" # string length: MAC 17, ipv4 15, ipv6 39, hostname ? printf "$fmt\n" "MAC" "IP" "HOSTNAME" "INFO" local line echo "$output"| while read line do if [[ -n "$line" ]]; then echo "$line" | awk -F'|' "{printf \"$fmt\n\",\$1,\$2,\$3,\$4}" fi done # TODO : merge same mac and same ip line } has_running_instance() { local PID x for x in $TMPDIR/lnxrouter.*; do if [[ -f $x/pid ]]; then PID=$(cat $x/pid) if [[ -d /proc/$PID ]]; then return 0 fi fi done return 1 } is_running_pid() { list_running | grep -E "^${1} " > /dev/null 2>&1 } send_stop() { local x # send stop signal to specific pid if is_running_pid $1; then kill -USR1 $1 return fi # send stop signal to specific interface for x in $(list_running | grep -E " \(?${1}( |\)?\$)" | cut -f1 -d' '); do kill -USR1 $x done } ## ======================================================== ## ======================================================== # decide linux-router's global temporary path for all instances # this is different and should be before config-saving dir. The latter is for one instance decide_tmpdir(){ local TMPD if [[ -d /dev/shm ]]; then TMPD=/dev/shm elif [[ -d /run/shm ]]; then TMPD=/run/shm else TMPD=/tmp fi #TMPDIR=$TMPD/lnxrouter_tmp echo "$TMPD/lnxrouter_tmp" } #====== check_other_functions(){ if [[ $LIST_RUNNING -eq 1 ]]; then echo -e "List of running $PROGNAME instances:\n" list_running exit 0 fi if [[ -n "$LIST_CLIENTS_ID" ]]; then list_clients "$LIST_CLIENTS_ID" exit 0 fi ##### root test ##### NOTE above don't require root ########## if [[ $(id -u) -ne 0 ]]; then echo "ERROR: Need root to continue" >&2 exit 1 fi ###### NOTE below require root ########## if [[ -n "$STOP_ID" ]]; then echo "Trying to kill $PROGNAME instance associated with $STOP_ID..." send_stop "$STOP_ID" exit 0 fi } daemonizing_check(){ if [[ $DAEMONIZE -eq 1 && $RUNNING_AS_DAEMON -eq 0 ]]; then echo "Running as Daemon..." # run a detached lnxrouter RUNNING_AS_DAEMON=1 setsid "$0" "${ARGS[@]}" & exit 0 fi } #============================ check_wifi_settings() { if ! ( which iw > /dev/null 2>&1 && iw dev $WIFI_IFACE info > /dev/null 2>&1 ); then echo "WARN: Can't use 'iw' to operate interfce '$WIFI_IFACE', trying 'iwconfig' (not as good as 'iw') ... (Did you spell the interface name right?)" >&2 USE_IWCONFIG=1 fi if [[ $USE_IWCONFIG -eq 1 ]]; then if ! (which iwconfig > /dev/null 2>&1 && iwconfig $WIFI_IFACE > /dev/null 2>&1); then echo "ERROR: Can't use 'iwconfig' to operate interfce '$WIFI_IFACE'" >&2 exit 1 fi fi if [[ $FREQ_BAND != 2.4 && $FREQ_BAND != 5 ]]; then echo "ERROR: Invalid frequency band" >&2 exit 1 fi if [[ $FREQ_BAND != 5 && $CHANNEL -gt 14 ]]; then echo "Channel number is greater than 14, assuming 5GHz frequency band" FREQ_BAND=5 fi if ! can_be_ap ${WIFI_IFACE}; then echo "ERROR: Your adapter does not support AP (master) mode" >&2 exit 1 fi if ! can_be_sta_and_ap ${WIFI_IFACE}; then if is_interface_wifi_connected ${WIFI_IFACE}; then echo "ERROR: Your adapter can not be a station (i.e. be connected) and an AP at the same time" >&2 exit 1 elif [[ $NO_VIRT -eq 0 ]]; then echo "WARN: Your adapter does not fully support AP virtual interface, enabling --no-virt" >&2 NO_VIRT=1 fi fi HOSTAPD=$(which hostapd) if [[ $(get_adapter_kernel_module ${WIFI_IFACE}) =~ ^(8192[cd][ue]|8723a[sue])$ ]]; then if ! strings "$HOSTAPD" | grep -m1 rtl871xdrv > /dev/null 2>&1; then echo "ERROR: You need to patch your hostapd with rtl871xdrv patches." >&2 exit 1 fi if [[ $DRIVER != "rtl871xdrv" ]]; then echo "WARN: Your adapter needs rtl871xdrv, enabling --driver=rtl871xdrv" >&2 DRIVER=rtl871xdrv fi fi if [[ ${#SSID} -lt 1 || ${#SSID} -gt 32 ]]; then echo "ERROR: Invalid SSID length ${#SSID} (expected 1..32)" >&2 exit 1 fi if [[ $USE_PSK -eq 0 ]]; then if [[ ${#PASSPHRASE} -gt 0 && ${#PASSPHRASE} -lt 8 ]] || [[ ${#PASSPHRASE} -gt 63 ]]; then echo "ERROR: Invalid passphrase length ${#PASSPHRASE} (expected 8..63)" >&2 exit 1 fi elif [[ ${#PASSPHRASE} -gt 0 && ${#PASSPHRASE} -ne 64 ]]; then echo "ERROR: Invalid pre-shared-key length ${#PASSPHRASE} (expected 64)" >&2 exit 1 fi if [[ $(get_adapter_kernel_module ${WIFI_IFACE}) =~ ^rtl[0-9].*$ ]]; then if [[ $WPA_VERSION == '1' || $WPA_VERSION == '1+2' ]]; then echo "WARN: Realtek drivers usually have problems with WPA1, WPA2 is recommended" >&2 fi echo "WARN: If AP doesn't work, read https://github.com/oblique/create_ap/blob/master/howto/realtek.md" >&2 fi if [[ -z $VIRT_NAME ]]; then if [[ ${#WIFI_IFACE} -gt 13 ]]; then echo "WARN: $WIFI_IFACE has ${#WIFI_IFACE} characters which might be too long. If AP doesn't work, see --virt-name and https://github.com/garywill/linux-router/issues/44" >&2 fi elif [[ ${#VIRT_NAME} -gt 15 ]]; then echo "WARN: option --virt-name $VIRT_NAME has ${#VIRT_NAME} characters which might be too long, consider making it shorter in case of errors" >&2 fi if [[ ! -z $VIRT_NAME ]] && is_vface_name_allocated $VIRT_NAME; then echo "WARN: interface $VIRT_NAME aleady exists, this will cause an error" fi } check_if_new_mac_valid() { if ! is_unicast_macaddr "$NEW_MACADDR"; then echo "ERROR: The first byte of MAC address (${NEW_MACADDR}) must be even" >&2 exit 1 fi if [[ $(get_all_mac_in_system | grep -c ${NEW_MACADDR}) -ne 0 ]]; then echo "WARN: MAC address '${NEW_MACADDR}' already exists" >&2 fi } decide_target_interface() { # TARGET_IFACE is a existing physical interface if [[ "$CONN_IFACE" ]]; then echo "$CONN_IFACE" elif [[ "$WIFI_IFACE" ]]; then echo "$WIFI_IFACE" else echo "No target interface specified" >&2 return 1 fi } decide_ip_addresses() { if [[ ! -n $GATEWAY ]]; then GATEWAY="$(generate_random_ip4)" echo "Use random LAN IPv4 address $GATEWAY" elif [[ ! "$GATEWAY" =~ "." ]]; then GATEWAY="192.168.${GATEWAY}.1" fi if [[ $IPV6 -eq 1 && ! -n $PREFIX6 ]]; then PREFIX6="$(generate_random_lan_ip6_prefix)" echo "Use random LAN IPv6 address ${PREFIX6}${IID6}" elif [[ ! "$PREFIX6" =~ ":" ]]; then PREFIX6="fd00:0:0:${PREFIX6}::" fi if [[ $IPV6 -eq 1 ]]; then GATEWAY6="${PREFIX6}${IID6}" fi } prepare_wifi_interface() { if [[ $USE_IWCONFIG -eq 0 ]]; then iw dev ${WIFI_IFACE} set power_save off fi if [[ $NO_VIRT -eq 0 ]]; then ## Will generate virtual wifi interface # TODO move this to check_wifi_settings() ? if is_interface_wifi_connected ${WIFI_IFACE}; then WIFI_IFACE_FREQ=$(iw dev ${WIFI_IFACE} link | grep -i freq | awk '{print $2}') WIFI_IFACE_CHANNEL=$(ieee80211_frequency_to_channel ${WIFI_IFACE_FREQ}) echo "${WIFI_IFACE} already working in channel ${WIFI_IFACE_CHANNEL} (${WIFI_IFACE_FREQ} MHz)" if [[ $CHANNEL == default ]]; then echo "Use wifi adapter current channel $WIFI_IFACE_CHANNEL as target channel" CHANNEL=$WIFI_IFACE_CHANNEL fi if [[ $WIFI_IFACE_CHANNEL -ne $CHANNEL ]]; then echo "WARN: Wifi adapter already working in channel ${WIFI_IFACE_CHANNEL}, which is different than target channel $CHANNEL" >&2 fi fi echo "Creating a virtual WiFi interface... " VWIFI_IFACE=$(alloc_new_vface_name) if iw dev ${WIFI_IFACE} interface add ${VWIFI_IFACE} type __ap; then # Successfully created virtual wifi interface # if NM running, it will give the new virtual interface a random MAC. MAC will go back after setting NM unmanaged sleep 2 echo "${VWIFI_IFACE} created" else VWIFI_IFACE= if [[ ! -z ${VIRT_NAME} ]] && [[ ${#VIRT_NAME} -gt 15 ]]; then die "Failed creating virtual WiFi interface. This is likely because you have set a long name for your virtual interface using --virt-name, try making it shorter'" elif [[ -z ${VIRT_NAME} ]] && [[ ${#WIFI_IFACE} -gt 13 ]]; then die "Failed creating virtual WiFi interface. This is likely because your interface name is too long. Try using '--virt-name '" else die "Failed creating virtual WiFi interface. Maybe your WiFi adapter does not fully support virtual interfaces. Try again with '--no-virt'" fi fi AP_IFACE=${VWIFI_IFACE} else # no virtual wifi interface, use wifi device interface itself AP_IFACE=${WIFI_IFACE} fi if [[ $CHANNEL == default ]]; then echo "Channel not specified, use default" if [[ $FREQ_BAND == 2.4 ]]; then CHANNEL=1 else CHANNEL=36 fi fi } decide_subnet_interface() { if [[ $WIFI_IFACE ]]; then echo "${AP_IFACE}" else echo "${TARGET_IFACE}" fi } dealwith_mac() { local VMAC if [[ -n "$NEW_MACADDR" ]] ; then # user choose to set subnet mac echo "Setting ${SUBNET_IFACE} new MAC address ${NEW_MACADDR} ..." set_interface_mac ${SUBNET_IFACE} ${NEW_MACADDR} || die "Failed setting new MAC address" elif [[ $VWIFI_IFACE ]]; then # user didn't choose to set mac, but using virtual wifi interface VMAC=$(get_new_macaddr_according_to_existing ${WIFI_IFACE}) if [[ "$VMAC" ]]; then echo "Assigning MAC address $VMAC to virtual interface $VWIFI_IFACE according to $WIFI_IFACE ..." set_interface_mac $VWIFI_IFACE $VMAC fi fi } write_hostapd_conf() { cat <<- EOF > "$CONFDIR/hostapd.conf" beacon_int=100 ssid=${SSID} interface=${AP_IFACE} driver=${DRIVER} channel=${CHANNEL} ctrl_interface=$CONFDIR/hostapd_ctrl ctrl_interface_group=0 ignore_broadcast_ssid=$HIDDEN ap_isolate=$ISOLATE_CLIENTS EOF if [[ -n "$COUNTRY" ]]; then cat <<- EOF >> "$CONFDIR/hostapd.conf" country_code=${COUNTRY} ieee80211d=1 EOF fi if [[ $FREQ_BAND == 2.4 ]]; then echo "hw_mode=g" >> "$CONFDIR/hostapd.conf" else echo "hw_mode=a" >> "$CONFDIR/hostapd.conf" fi if [[ $MAC_FILTER -eq 1 ]]; then cat <<- EOF >> "$CONFDIR/hostapd.conf" macaddr_acl=${MAC_FILTER} accept_mac_file=${MAC_FILTER_ACCEPT} EOF fi if [[ $HOTSPOT20 -eq 1 ]]; then echo "hs20=1" >> "$CONFDIR/hostapd.conf" fi if [[ $IEEE80211N -eq 1 ]]; then cat <<- EOF >> "$CONFDIR/hostapd.conf" ieee80211n=1 ht_capab=${HT_CAPAB} EOF fi if [[ $REQUIREHT -eq 1 ]]; then echo "require_ht=1" >> "$CONFDIR/hostapd.conf" fi if [[ $IEEE80211AC -eq 1 ]]; then echo "ieee80211ac=1" >> "$CONFDIR/hostapd.conf" fi if [[ $REQUIREVHT -eq 1 ]]; then echo "require_vht=1" >> "$CONFDIR/hostapd.conf" fi if [[ -n "$VHT_CAPAB" ]]; then echo "vht_capab=${VHT_CAPAB}" >> "$CONFDIR/hostapd.conf" fi if [[ $VHTCHANNELWIDTH -gt 0 ]]; then cat <<- EOF >> "$CONFDIR/hostapd.conf" vht_oper_chwidth=${VHTCHANNELWIDTH} EOF fi if [[ $VHTSEG0CHINDEX -gt 0 ]]; then cat <<- EOF >> "$CONFDIR/hostapd.conf" vht_oper_centr_freq_seg0_idx=${VHTSEG0CHINDEX} EOF fi if [[ $VHTSEG1CHINDEX -gt 0 ]]; then cat <<- EOF >> "$CONFDIR/hostapd.conf" vht_oper_centr_freq_seg1_idx=${VHTSEG1CHINDEX} EOF fi if [[ $IEEE80211N -eq 1 ]] || [[ $IEEE80211AC -eq 1 ]]; then echo "wmm_enabled=1" >> "$CONFDIR/hostapd.conf" fi if [[ -n "$PASSPHRASE" ]]; then [[ "$WPA_VERSION" == "1+2" ]] && WPA_VERSION=3 if [[ $USE_PSK -eq 0 ]]; then WPA_KEY_TYPE=passphrase else WPA_KEY_TYPE=psk fi cat <<- EOF >> "$CONFDIR/hostapd.conf" wpa=${WPA_VERSION} wpa_${WPA_KEY_TYPE}=${PASSPHRASE} wpa_key_mgmt=WPA-PSK wpa_pairwise=CCMP rsn_pairwise=CCMP EOF else echo "WARN: WiFi is not protected by password" >&2 fi chmod 600 "$CONFDIR/hostapd.conf" } write_dnsmasq_conf() { if grep "^nobody:" /etc/group >/dev/null 2>&1 ; then NOBODY_GROUP="nobody" else NOBODY_GROUP="nogroup" fi mkfifo "$CONFDIR/dnsmasq.log" || die "Failed creating pipe file for dnsmasq" chown nobody "$CONFDIR/dnsmasq.log" || die "Failed changing dnsmasq log file owner" cat "$CONFDIR/dnsmasq.log" & cat <<- EOF > "$CONFDIR/dnsmasq.conf" user=nobody group=$NOBODY_GROUP bind-dynamic listen-address=${GATEWAY} interface=$SUBNET_IFACE except-interface=lo no-dhcp-interface=lo dhcp-range=${GATEWAY%.*}.10,${GATEWAY%.*}.250,255.255.255.0 dhcp-option-force=option:router,${GATEWAY} #log-dhcp log-facility=$CONFDIR/dnsmasq.log bogus-priv domain-needed EOF # 'log-dhcp'(Extra logging for DHCP) shows too much logs. # if use '-d', 'log-facility' should = /dev/null if [[ $SHARE_METHOD == "none" ]]; then echo "no-resolv" >> "$CONFDIR/dnsmasq.conf" echo "no-poll" >> "$CONFDIR/dnsmasq.conf" fi if [[ "$DHCP_DNS" != "no" ]]; then if [[ "$DHCP_DNS" == "gateway" ]]; then dns_offer="$GATEWAY" else dns_offer="$DHCP_DNS" fi echo "dhcp-option-force=option:dns-server,${dns_offer}" >> "$CONFDIR/dnsmasq.conf" fi if [[ ! "$dnsmasq_NO_DNS" -eq 0 ]]; then echo "port=0" >> "$CONFDIR/dnsmasq.conf" fi [[ -n "$MTU" ]] && echo "dhcp-option-force=option:mtu,${MTU}" >> "$CONFDIR/dnsmasq.conf" [[ $ETC_HOSTS -eq 0 ]] && echo no-hosts >> "$CONFDIR/dnsmasq.conf" [[ -n "$ADDN_HOSTS" ]] && echo "addn-hosts=${ADDN_HOSTS}" >> "$CONFDIR/dnsmasq.conf" if [[ "$THISHOSTNAME" ]]; then [[ "$THISHOSTNAME" == "-" ]] && THISHOSTNAME="$(cat /etc/hostname)" echo "interface-name=$THISHOSTNAME,$SUBNET_IFACE" >> "$CONFDIR/dnsmasq.conf" fi if [[ ! "$SHOW_DNS_QUERY" -eq 0 ]]; then echo log-queries=extra >> "$CONFDIR/dnsmasq.conf" fi if [[ $DNS ]]; then DNS_count=$(echo "$DNS" | awk -F, '{print NF}') for (( i=1;i<=DNS_count;i++ )); do sep_ip_port "$(echo $DNS | cut -d, -f$i)" DNS_IP DNS_PORT [[ "$DNS_PORT" ]] && DNS_PORT_D="#$DNS_PORT" echo "server=${DNS_IP}${DNS_PORT_D}" >> "$CONFDIR/dnsmasq.conf" done cat <<- EOF >> "$CONFDIR/dnsmasq.conf" no-resolv no-poll EOF fi if [[ $DNS_NOCACHE -eq 1 ]]; then echo "cache-size=0" >> "$CONFDIR/dnsmasq.conf" echo "no-negcache" >> "$CONFDIR/dnsmasq.conf" fi if [[ $IPV6 -eq 1 ]];then cat <<- EOF >> "$CONFDIR/dnsmasq.conf" listen-address=${GATEWAY6} enable-ra #quiet-ra dhcp-range=interface:${SUBNET_IFACE},::,::ffff:ffff:ffff:ffff,constructor:${SUBNET_IFACE},ra-stateless,64 EOF if [[ "$DHCP_DNS6" != "no" ]]; then if [[ "$DHCP_DNS6" == "gateway" ]]; then dns_offer6="[$GATEWAY6]" else dns_offer6="$DHCP_DNS6" fi echo "dhcp-option=option6:dns-server,${dns_offer6}" >> "$CONFDIR/dnsmasq.conf" fi fi } run_wifi_ap_processes() { if [[ $NO_HAVEGED -eq 0 ]]; then haveged_watchdog & HAVEGED_WATCHDOG_PID=$! echo "$HAVEGED_WATCHDOG_PID" > "$CONFDIR/haveged_watchdog.pid" echo echo "haveged_watchdog PID: $HAVEGED_WATCHDOG_PID" fi # start access point #echo "hostapd command-line interface: hostapd_cli -p $CONFDIR/hostapd_ctrl" # start hostapd (use stdbuf when available for no delayed output in programs that redirect stdout) STDBUF_PATH=`which stdbuf` if [ $? -eq 0 ]; then STDBUF_PATH=$STDBUF_PATH" -oL" fi echo echo "Starting hostapd" if which complain > /dev/null 2>&1; then complain hostapd fi # hostapd '-P' works only when use '-B' (run in background) $STDBUF_PATH hostapd $HOSTAPD_DEBUG_ARGS -P "$CONFDIR/hostapd.pid" "$CONFDIR/hostapd.conf" & HOSTAPD_PID=$! echo "$HOSTAPD_PID" > "$CONFDIR/hostapd.pid" echo "hostapd PID: $HOSTAPD_PID" #while [[ ! -f $CONFDIR/hostapd.pid ]]; do # sleep 1 #done #echo -n "hostapd PID: " ; cat $CONFDIR/hostapd.pid pid_watchdog $HOSTAPD_PID 10 "hostapd failed" & sleep 3 } start_dnsmasq() { echo echo "Starting dnsmasq" if which complain > /dev/null 2>&1; then # openSUSE's apparmor does not allow dnsmasq to read files. # remove restriction. complain dnsmasq fi # Using '-d'(no daemon) dnsmasq will not turn into 'nobody' # '-x' works only when no '-d' dnsmasq -k -C "$CONFDIR/dnsmasq.conf" -x "$CONFDIR/dnsmasq.pid" -l "$CONFDIR/dnsmasq.leases" & #####DNSMASQ_PID=$! # only when with '-d' ######echo "dnsmasq PID: $DNSMASQ_PID" # only when with '-d' i=0; while [[ ! -f "$CONFDIR/dnsmasq.pid" ]]; do sleep 1 i=$((i + 1)) if [[ $i -gt 10 ]]; then die "Couldn't get dnsmasq PID" ; fi done DNSMASQ_PID="$(cat "$CONFDIR/dnsmasq.pid" )" echo "dnsmasq PID: $DNSMASQ_PID" ######(wait $DNSMASQ_PID ; die "dnsmasq failed") & # wait can't deal with non-child pid_watchdog $DNSMASQ_PID 9 "dnsmasq failed" & sleep 2 } check_rfkill_unblock_wifi() { local PHY if which rfkill > /dev/null 2>&1 ; then PHY=$(get_interface_phy_device ${SUBNET_IFACE}) [[ -n $PHY ]] && rfkill unblock $(rfkill | grep $PHY | awk '{print $1}') >/dev/null 2>&1 fi } #=========== Above are functions ====================== #=========== Executing begin ============================== # if empty option, show usage and exit check_empty_option "$@" # TODO: are some global variables are still defined in those following code? define_global_variables ARGS=( "$@" ) parse_user_options "$@" # TODO: detect user option conflict # check if networkManager running NM_RUNNING="$(is_nm_running)" TMPDIR="$(decide_tmpdir)" # if user choose to deal with running instances, will output some info then exit after this # NOTE above don't require root check_other_functions # NOTE below require root # if user choose to daemonize, will start new background process and exit this daemonizing_check # check if wifi will work on this system and user settings [[ $WIFI_IFACE ]] && check_wifi_settings [[ -n "$NEW_MACADDR" ]] && check_if_new_mac_valid # check NEW_MACADDR. will exit if not valid # checks finished ## ===== Above don't echo anything if no warning or error==================== ## ======================================================== phead phead2 echo echo "PID: $$" TARGET_IFACE="$(decide_target_interface)" || exit 1 # judge wired (-i CONN_IFACE) or wireless hotspot (--ap $WIFI_IFACE) echo "Target interface is ${TARGET_IFACE} ($(get_interface_mac $TARGET_IFACE)) $(get_interface_pci_info $TARGET_IFACE)" if [[ "$MAC_USE_RANDOM" -eq 1 ]] ; then NEW_MACADDR="$(generate_random_mac)" echo "Use random MAC address $NEW_MACADDR" fi decide_ip_addresses # ip 4 & 6 lan addresses # if user choose to make DHCP to tell clients to use other DNS, we don't have to serve DNS [[ $DHCP_DNS != 'gateway' && $DHCP_DNS6 != 'gateway' ]] && dnsmasq_NO_DNS=1 #=========================================================== #==== begin to do some change on config files and system=== init_trap # NOTE function die() is designed not to be used before init_trap() executed init_conf_dirs # CONFDIR , COMMON_CONFDIR . make dir [[ $WIFI_IFACE ]] && prepare_wifi_interface # this will create virtual ap interface (if needed) and set VWIFI_IFACE and AP_IFACE (if success) SUBNET_IFACE="$(decide_subnet_interface)" # SUBNET_IFACE can be TARGET_IFACE (wired) or AP_IFACE (ap) .this is after prepare_wifi_interface() echo "$SUBNET_IFACE" > "$CONFDIR/subn_iface" # if virtual wifi interface, will be destroyed, so only need to save status when not [[ -z $VWIFI_IFACE ]] && backup_interface_status # TODO: should these 2 before calling prepare_wifi_interface ? in check_wifi_settings() ? # set iw country code if [[ $WIFI_IFACE && -n "$COUNTRY" && $USE_IWCONFIG -eq 0 ]]; then iw reg set "$COUNTRY" || die "Failed setting country code" fi # judge channel availability after changing country code if [[ $WIFI_IFACE ]] ; then can_transmit_to_channel ${AP_IFACE} ${CHANNEL} || die "Your adapter can not transmit to channel ${CHANNEL}, frequency band ${FREQ_BAND}GHz." fi [[ $WIFI_IFACE ]] && write_hostapd_conf #=================================================== #=================================================== # set interface unmanaged by networkManager if [[ $NM_RUNNING -eq 1 ]] && nm_knows $TARGET_IFACE; then # if nm knows target iface, should know subnet iface too. but need to wait until nm finds subnet iface (waiting code is in nm_set_unmanaged() nm_set_unmanaged ${SUBNET_IFACE} # will write NM_UNM_LIST fi [[ $NO_DNSMASQ -eq 0 ]] && write_dnsmasq_conf #=========================== # initialize subnet interface # take subnet interface down first ip link set down dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} down" # flush old IPs of subnet interface ip addr flush ${SUBNET_IFACE} || die "Failed flush ${SUBNET_IFACE} IP" dealwith_mac # setting MAC should be after setting NM unmanaged [[ $WIFI_IFACE ]] && check_rfkill_unblock_wifi # bring subnet interface up ip link set up dev ${SUBNET_IFACE} || die "Failed bringing ${SUBNET_IFACE} up" # hostapd , haveged [[ $WIFI_IFACE ]] && run_wifi_ap_processes # add ipv4 address to subnet interface ip -4 addr add ${GATEWAY}/24 broadcast ${GATEWAY%.*}.255 dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IPv4 address" set_ipv6_bits # add ipv6 address to subnet interface if [[ $IPV6 -eq 1 ]] ; then ip -6 addr add ${GATEWAY6}/64 dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IPv6 address" fi check_iptables echo "NOTICE: Not showing all operations done to iptables rules" [[ "$NO4" -eq 1 ]] && echo -e "\nWARN: Since you're using in this mode (no IPv4 Internet), make sure you've read Notice 1\n" >&2 # enable Internet sharing if [[ "$SHARE_METHOD" == "none" ]]; then echo "No Internet sharing" echo -e "\nWARN: Since you're using in this mode (no Internet share), make sure you've read Notice 1\n" >&2 [[ "$BANLAN" -eq 1 ]] && start_ban_lan elif [[ "$SHARE_METHOD" == "nat" ]]; then [[ "$INTERNET_IFACE" ]] && echo -e "\nWARN: Since you're using in this mode (specify Internet interface), make sure you've read Notice 1\n" >&2 [[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS. In some unexpected case (eg. mistaken configurations), queries may leak to other interfaces, which you should be aware of.\n" >&2 start_nat [[ "$BANLAN" -eq 1 ]] && start_ban_lan echo 1 > "/proc/sys/net/ipv4/ip_forward" || die "Failed enabling system ipv4 forwarding" # TODO maybe uneeded in '--no4' mode if [[ $IPV6 -eq 1 ]]; then echo 1 > "/proc/sys/net/ipv6/conf/all/forwarding" || die "Failed enabling system ipv6 forwarding" # TODO if '-o' used, set only 2 interfaces' bits fi # to enable clients to establish PPTP connections we must # load nf_nat_pptp module modprobe nf_nat_pptp > /dev/null 2>&1 && echo "Loaded kernel module nf_nat_pptp" elif [[ "$SHARE_METHOD" == "redsocks" ]]; then if [[ $IPV6 -eq 1 ]]; then echo 1 > "/proc/sys/net/ipv6/conf/$SUBNET_IFACE/forwarding" || die "Failed enabling $SUBNET_IFACE ipv6 forwarding" # to set NA router bit fi [[ "$dnsmasq_NO_DNS" -eq 0 && ! $DNS ]] && echo -e "\nWARN: You are using in transparent proxy mode but this host is providing local DNS. In some unexpected case (eg. mistaken configurations), queries may leak to other interfaces, which you should be aware of.\n" >&2 [[ "$BANLAN" -eq 1 ]] && start_ban_lan start_redsocks fi # start dhcp + dns (optional) # allow dns port input even if we don't run dnsmasq # user can serve their own dns server [[ "$DHCP_DNS" == "gateway" || "$DHCP_DNS6" == "gateway" ]] && allow_dns_port [[ "$CATCH_DNS" -eq 1 ]] && start_catch_dns [[ $NO_DNSMASQ -eq 0 ]] && ( allow_dhcp ; start_dnsmasq ) echo echo "== Setting up completed, now linux-router should be working ==" #============================================================ #============================================================ #============================================================ show_qr() { local T S P H S="$SSID" if [[ -n "$PASSPHRASE" ]]; then T="WPA" P="$PASSPHRASE" else T="nopass" fi [[ "$HIDDEN" -eq 1 ]] && H="true" echo "Scan QR code on phone to connect to WiFi" qrencode -m 2 -t ANSIUTF8 "WIFI:T:${T};S:${S};P:${P};H:${H};" echo "Use this command to save QR code to image file:" echo " qrencode -m 2 -o \"WIFI:T:${T};S:${S};P:${P};H:${H};\"" echo } [[ "$QR" -eq 1 ]] && show_qr # need loop to keep this script running bash -c "while :; do sleep 8000 ; done " & KEEP_RUNNING_PID=$! echo "$KEEP_RUNNING_PID" > "$CONFDIR/keep_running.pid" wait $KEEP_RUNNING_PID clean_exit