personal_interest_mirrors/linux-router
1
0
Fork 0
mirror of https://github.com/garywill/linux-router.git synced 2025-12-30 18:58:28 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Compare commits

base: personal_interest_mirrors:0.6.5
Branches Tags
personal_interest_mirrors:master personal_interest_mirrors:workaround-31 personal_interest_mirrors:dev-12 personal_interest_mirrors:history
personal_interest_mirrors:0.8.1 personal_interest_mirrors:0.7.6 personal_interest_mirrors:0.7.3 personal_interest_mirrors:0.7.1 personal_interest_mirrors:0.7.1b personal_interest_mirrors:0.6.7 personal_interest_mirrors:0.6.6 personal_interest_mirrors:0.6.5 personal_interest_mirrors:0.6.2 personal_interest_mirrors:0.6.0
..
compare: personal_interest_mirrors:workaround-31
Branches Tags
personal_interest_mirrors:master personal_interest_mirrors:workaround-31 personal_interest_mirrors:dev-12 personal_interest_mirrors:history
personal_interest_mirrors:0.8.1 personal_interest_mirrors:0.7.6 personal_interest_mirrors:0.7.3 personal_interest_mirrors:0.7.1 personal_interest_mirrors:0.7.1b personal_interest_mirrors:0.6.7 personal_interest_mirrors:0.6.6 personal_interest_mirrors:0.6.5 personal_interest_mirrors:0.6.2 personal_interest_mirrors:0.6.0

5 Commits
0.6.5 ... workaround

Author SHA1 Message Date
garywill
cebea4a988 don't reset interface 2022-01-20 19:52:53 +08:00
garywill
f6995bc30c get device pci info 2022-01-05 20:01:38 +08:00
garywill
f8cbf5eded don't use PGID to do clean up 2021-11-20 20:32:38 +08:00
garywill
15a2e0ce53 0.6.6 2021-11-07 10:31:15 +08:00
garywill
083cd42afd new iptables function 2021-11-07 10:30:56 +08:00
2 changed files with 254 additions and 281 deletions
Expand all files Collapse all files

64
README.md
View File

@@ -1,10 +1,10 @@
# Linux-router # Linux-router
Set Linux as router in one command. Able to Provide Internet, or create Wifi hotspot. Support transparent proxy (redsocks). Also useful for routing VM/containers. Set Linux as router in one command. Able to provide Internet, or create WiFi hotspot. Support transparent proxy (redsocks). Also useful for routing VM/containers.
It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c` (or even by closing terminal window). It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c` (or even by closing terminal window).
[More tools and projects 🛠️](https://garywill.github.io) | [🍻 Buy me a coffee ❤️](https://github.com/garywill/receiving/blob/master/receiving_methods.md) [Linux-Router News & Developer Notes 📰](https://github.com/garywill/linux-router/issues/28) | [More tools and projects 🛠️](https://garywill.github.io) | [🍻 Buy me a coffee ❤️](https://github.com/garywill/receiving/blob/master/receiving_methods.md)
## Features ## Features
@@ -12,17 +12,19 @@ Basic features:
- Create a NATed sub-network - Create a NATed sub-network
- Provide Internet - Provide Internet
- DHCP server (and RA) + DNS server - DHCP server (and RA)
- Configuring what DNS the DHCP server offers to clients - Specify what DNS the DHCP server assigns to clients
- Configuring upstream DNS for local DNS server (kind of a DNS proxy) - DNS server
- Specify upstream DNS (kind of a plain DNS proxy)
- IPv6 (behind NATed LAN, like IPv4) - IPv6 (behind NATed LAN, like IPv4)
- Creating Wifi hotspot: - Creating WiFi hotspot:
- Channel selecting - Channel selecting
- Choose encryptions: WPA2/WPA, WPA2, WPA, No encryption - Choose encryptions: WPA2/WPA, WPA2, WPA, No encryption
- Create AP on the same interface you are getting Internet (usually require same channel) - Create AP on the same interface you are getting Internet (usually require same channel)
- Transparent proxy (redsocks) - Transparent proxy (redsocks)
- Transparent DNS proxy (hijack port 53 packets) - Transparent DNS proxy (hijack port 53 packets)
- Compatible with NetworkManager (automatically set interface as unmanaged) - Detect NetworkManager and make sure it won't interfere (handle interface (un)managed status)
- You can run many instances, to create many different networks. Has instances managing feature.
**For many other features, see below [CLI usage](#cli-usage-and-other-features)** **For many other features, see below [CLI usage](#cli-usage-and-other-features)**
@@ -36,7 +38,7 @@ Internet----(eth0/wlan0)-Linux-(wlanX)AP
``` ```
Internet Internet
Wifi AP(no DHCP) | WiFi AP(no DHCP) |
|----(wlan1)-Linux-(eth0/wlan0)------ |----(wlan1)-Linux-(eth0/wlan0)------
| (DHCP) | (DHCP)
|--client |--client
@@ -69,7 +71,7 @@ sudo lnxrouter -i eth1
no matter which interface (other than `eth1`) you're getting Internet from. no matter which interface (other than `eth1`) you're getting Internet from.
### Create Wifi hotspot ### Create WiFi hotspot
``` ```
sudo lnxrouter --ap wlan0 MyAccessPoint -p MyPassPhrase sudo lnxrouter --ap wlan0 MyAccessPoint -p MyPassPhrase
@@ -253,9 +255,13 @@ sudo brctl addbr firejail5
``` ```
sudo lnxrouter -i firejail5 -g 192.168.55.1 --tp 9040 --dns 9053 sudo lnxrouter -i firejail5 -g 192.168.55.1 --tp 9040 --dns 9053
firejail --net=firejail5 --dns=192.168.55.1 --blacklist=/var/run/nscd # nscd is cache service, which shouldn't be accessed in jail here firejail --net=firejail5 --dns=192.168.55.1 --blacklist=/var/run/nscd
``` ```
Firejail's `/etc/resolv.conf` doesn't obtain DNS from DHCP, so we need to assign.
nscd is domain name cache service, which shouldn't be accessed from in jail here.
</details> </details>
### CLI usage and other features ### CLI usage and other features
@@ -271,7 +277,7 @@ Options:
-i <interface> Interface to make NATed sub-network, -i <interface> Interface to make NATed sub-network,
and to provide Internet to and to provide Internet to
(To create Wifi hotspot use '--ap' instead) (To create WiFi hotspot use '--ap' instead)
-o <interface> Specify an inteface to provide Internet from. -o <interface> Specify an inteface to provide Internet from.
(See Notice 1) (See Notice 1)
(Note using this with default DNS option may leak (Note using this with default DNS option may leak
@@ -319,12 +325,12 @@ Options:
redirect non-LAN TCP and UDP traffic to port. redirect non-LAN TCP and UDP traffic to port.
(usually used with '--dns') (usually used with '--dns')
Wifi hotspot options: WiFi hotspot options:
--ap <wifi interface> <SSID> --ap <wifi interface> <SSID>
Create Wifi access point Create WiFi access point
-p, --password <password> -p, --password <password>
Wifi password WiFi password
--qr Show Wifi QR code in terminal --qr Show WiFi QR code in terminal
--hidden Hide access point (not broadcast SSID) --hidden Hide access point (not broadcast SSID)
--no-virt Do not create virtual interface --no-virt Do not create virtual interface
@@ -339,8 +345,8 @@ Options:
(default: 2) (default: 2)
--psk Use 64 hex digits pre-shared-key instead of --psk Use 64 hex digits pre-shared-key instead of
passphrase passphrase
--mac-filter Enable Wifi hotspot MAC address filtering --mac-filter Enable WiFi hotspot MAC address filtering
--mac-filter-accept Location of Wifi hotspot MAC address filter list --mac-filter-accept Location of WiFi hotspot MAC address filter list
(defaults to /etc/hostapd/hostapd.accept) (defaults to /etc/hostapd/hostapd.accept)
--hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd --hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd
--isolate-clients Disable wifi communication between clients --isolate-clients Disable wifi communication between clients
@@ -373,23 +379,23 @@ Options:
``` ```
Notice 1: This script assume your host's default policy won't forward Notice 1: This script assume your host's default policy won't forward
packets, so the script won't explictly ban forwarding in any packets, so the script won't explictly ban forwarding in any
mode. In some unexpected case may cause unwanted packets mode. In some unexpected case (eg. mistaken configurations) may
leakage between 2 networks, which you should be aware of if you cause unwanted packets leakage between 2 networks, which you
want isolated network should be aware of if you want isolated network
``` ```
</details> </details>
## What changes are done to Linux system ## What changes are done to Linux system
On exit of a linux-router instance, script **will do cleanup**, i.e. undo most changes to system. Though, **some** changes will **not** be undone, which are: On exit of a linux-router instance, script **will do cleanup**, i.e. undo most changes to system. Though, **some** changes (if needed) will **not** be undone, which are:
1. `/proc/sys/net/ipv4/ip_forward = 1` and `/proc/sys/net/ipv6/conf/all/forwarding = 1` 1. `/proc/sys/net/ipv4/ip_forward = 1` and `/proc/sys/net/ipv6/conf/all/forwarding = 1`
2. dnsmasq (if used) in Apparmor complain mode 2. dnsmasq in Apparmor complain mode
3. hostapd (if used) in Apparmor complain mode 3. hostapd in Apparmor complain mode
4. Kernel module `nf_nat_pptp` loaded 4. Kernel module `nf_nat_pptp` loaded
5. The wifi device which is used to create hotspot is `rfkill unblock`ed 5. The wifi device which is used to create hotspot is `rfkill unblock`ed
6. Wifi country code, if user specified 6. WiFi country code, if user assigns
## Dependencies ## Dependencies
@@ -407,15 +413,15 @@ On exit of a linux-router instance, script **will do cleanup**, i.e. undo most c
## TODO ## TODO
<details> Sooner is better:
- Detect firewalld and make sure it won't interfere our interface
Future:
- WPA3 - WPA3
- Global IPv6 - Global IPv6
- Explictly ban forwarding if not needed - Explictly ban forwarding if not needed
- Bring bridging method back - Bring bridging method back
</details>
## License ## License
linux-router is LGPL licensed linux-router is LGPL licensed
@@ -479,10 +485,10 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Visit [**my homepage** 🏡](https://garywill.github.io) to see **more tools and projects** 🛠️. Visit [**my homepage** 🏡](https://garywill.github.io) to see **more tools and projects** 🛠️.
> [❤️ Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) , this project took me lots of time! ([❤️ 打赏一个!](https://github.com/garywill/receiving/blob/master/receiving_methods.md)) > [❤️ Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) , this project took me lots of time! ([❤️ 扫码领红包并打赏一个!](https://github.com/garywill/receiving/blob/master/receiving_methods.md))
> >
> 🥂 ( ^\_^) o自自o (^_^ ) 🍻 > 🥂 ( ^\_^) o自自o (^_^ ) 🍻
🤝 Bisides, thank [create_ap](https://github.com/oblique/create_ap) by [oblique](https://github.com/oblique). This script was forked from create\_ap. Now they are quite different. (See `history` branch for how I modified create_ap). 🤝 Also thank those who contributed to that project. 🤝 Bisides, thank [create_ap](https://github.com/oblique/create_ap) by [oblique](https://github.com/oblique). This script was forked from create\_ap. Now they are quite different. (See `history` branch for how I modified create_ap). 🤝 Also thank those who contributed to that project.
👨‍💻 You can be contributor, too! 🍃 There're some TO-DOs listed, at both above and in the code file. Also some unfulfilled enhancements in the Issues. Your name can be here! 👨‍💻 You can be contributor, too! 🍃 There're some TO-DOs listed, at both [above](#todo) and [in the code file](https://github.com/garywill/linux-router/search?q=TODO&type=code). 🍃 Also some [unfulfilled enhancements in the Issues](https://github.com/garywill/linux-router/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement). Your name can be here!

465
lnxrouter Normal file → Executable file
View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
VERSION=0.6.5 VERSION=0.6.6
PROGNAME="$(basename $0)" PROGNAME="$(basename $0)"
export LC_ALL=C export LC_ALL=C
@@ -27,7 +27,7 @@ Options:
-i <interface> Interface to make NATed sub-network, -i <interface> Interface to make NATed sub-network,
and to provide Internet to and to provide Internet to
(To create Wifi hotspot use '--ap' instead) (To create WiFi hotspot use '--ap' instead)
-o <interface> Specify an inteface to provide Internet from. -o <interface> Specify an inteface to provide Internet from.
(See Notice 1) (See Notice 1)
(Note using this with default DNS option may leak (Note using this with default DNS option may leak
@@ -75,12 +75,12 @@ Options:
redirect non-LAN TCP and UDP traffic to port. redirect non-LAN TCP and UDP traffic to port.
(usually used with '--dns') (usually used with '--dns')
Wifi hotspot options: WiFi hotspot options:
--ap <wifi interface> <SSID> --ap <wifi interface> <SSID>
Create Wifi access point Create WiFi access point
-p, --password <password> -p, --password <password>
Wifi password WiFi password
--qr Show Wifi QR code in terminal --qr Show WiFi QR code in terminal
--hidden Hide access point (not broadcast SSID) --hidden Hide access point (not broadcast SSID)
--no-virt Do not create virtual interface --no-virt Do not create virtual interface
@@ -95,8 +95,8 @@ Options:
(default: 2) (default: 2)
--psk Use 64 hex digits pre-shared-key instead of --psk Use 64 hex digits pre-shared-key instead of
passphrase passphrase
--mac-filter Enable Wifi hotspot MAC address filtering --mac-filter Enable WiFi hotspot MAC address filtering
--mac-filter-accept Location of Wifi hotspot MAC address filter list --mac-filter-accept Location of WiFi hotspot MAC address filter list
(defaults to /etc/hostapd/hostapd.accept) (defaults to /etc/hostapd/hostapd.accept)
--hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd --hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd
--isolate-clients Disable wifi communication between clients --isolate-clients Disable wifi communication between clients
@@ -121,9 +121,9 @@ Options:
Notice 1: This script assume your host's default policy won't forward Notice 1: This script assume your host's default policy won't forward
packets, so the script won't explictly ban forwarding in any packets, so the script won't explictly ban forwarding in any
mode. In some unexpected case may cause unwanted packets mode. In some unexpected case (eg. mistaken configurations) may
leakage between 2 networks, which you should be aware of if you cause unwanted packets leakage between 2 networks, which you
want isolated network should be aware of if you want isolated network
Examples: Examples:
$PROGNAME -i eth1 $PROGNAME -i eth1
@@ -231,16 +231,10 @@ parse_user_options(){
shift shift
INTERNET_IFACE="$1" INTERNET_IFACE="$1"
shift shift
echo ""
echo "WARN: Since you're using in this mode, make sure you've read Notice 1" >&2
echo ""
;; ;;
-n) -n)
shift shift
SHARE_METHOD=none SHARE_METHOD=none
echo ""
echo "WARN: Since you're using in this mode, make sure you've read Notice 1" >&2
echo ""
;; ;;
--ban-priv) --ban-priv)
shift shift
@@ -266,9 +260,6 @@ parse_user_options(){
--no4) --no4)
shift shift
NO4=1 NO4=1
echo ""
echo "WARN: Since you're using in this mode, make sure you've read Notice 1" >&2
echo ""
;; ;;
--p6) --p6)
shift shift
@@ -635,6 +626,32 @@ get_interface_mac() {
cat "/sys/class/net/${1}/address" cat "/sys/class/net/${1}/address"
} }
get_interface_pci_info() { # pci id / model / virtual
is_interface "$1" || return
local device_path
local pci_id
local pci_full
device_path="$(readlink -f /sys/class/net/$1)"
if [[ "$device_path" == "/sys/devices/pci"* ]]; then
pci_id="$(echo $device_path | sed 's/\//\n/g' | tail -n 3 |sed -n 1p)"
if which lspci >/dev/null 2>&1 ; then
pci_full="$( lspci -D -nn | grep -E "^$pci_id " )"
echo " PCI: $pci_full"
else
echo " PCI: $pci_id"
fi
elif [[ "$device_path" == *"/virtual/"* ]]; then
echo " virtual interface"
fi
# TODO usb
# TODO current driver
}
alloc_new_vface_name() { # only for wifi alloc_new_vface_name() { # only for wifi
local i=0 local i=0
local v_iface_name= local v_iface_name=
@@ -830,23 +847,83 @@ check_iptables()
fi fi
fi fi
} }
iptables_()
CUSTOM_CHAINS_4_filter=
CUSTOM_CHAINS_4_nat=
CUSTOM_CHAINS_6_filter=
CUSTOM_CHAINS_6_nat=
iptb()
{ {
# NETFILTER_XT_MATCH_COMMENT would be a env variable if user wants to disable '-m comment' local FoS=$1 # 4 | 6
if [[ "$NETFILTER_XT_MATCH_COMMENT" == "0" ]]; then shift
iptables -w $@ local Vis=$1 # 'v' | 'n'
else shift
iptables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE" local T=$1 # table
shift
local ACT=$1 # action: I | A | N . On undo: I or A -> D , N -> F+X
shift
local CH=$1 # chain
shift
[[ "$IPV6" -ne 1 && "$FoS" == "6" ]] && return
local CMD_HEAD=""
local MOUTH=""
local NECK=""
local HAND_UN_NC=0
local TAIL=""
local FULL=""
local ADD_TO_UNDO=1
for arr_name in CUSTOM_CHAINS_4_filter CUSTOM_CHAINS_4_nat CUSTOM_CHAINS_6_filter CUSTOM_CHAINS_6_nat
do
local arr_content
eval arr_content=\"\${$arr_name}\"
#echo $arr_content
for w in $arr_content
do
if [[ "$arr_name" =~ "$FoS" && "$arr_name" =~ "$T" && "$w" == "$CH" ]]; then
ADD_TO_UNDO=0
fi fi
return $? done
} done
ip6tables_()
{
if [[ "$NETFILTER_XT_MATCH_COMMENT" == "0" ]]; then [[ "$FoS" == "4" ]] && CMD_HEAD="iptables -w "
ip6tables -w $@ [[ "$FoS" == "6" ]] && CMD_HEAD="ip6tables -w "
else
ip6tables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE" [[ "$Vis" == 'v' ]] && MOUTH="-v"
NECK="-t ${T}"
if [[ "$ACT" == "N" ]]; then
eval CUSTOM_CHAINS_${FoS}_${T}=\"\${CUSTOM_CHAINS_${FoS}_${T}} ${CH}\"
HAND_UN_NC=1
fi fi
[[ ! "$NETFILTER_XT_MATCH_COMMENT" == "0" ]] && TAIL="-m comment --comment lrt${$}${SUBNET_IFACE}"
if [[ "$ADD_TO_UNDO" -eq 1 ]]; then
if [[ "$ACT" == "I" || "$ACT" == "A" ]]; then
echo "$CMD_HEAD $NECK -D ${CH} $@ $TAIL" >> $CONFDIR/undo_iptables.sh
fi
if [[ "$HAND_UN_NC" -eq 1 ]]; then
echo "$CMD_HEAD $NECK -F ${CH} $@ $TAIL" >> $CONFDIR/undo_iptables_2.sh
echo "$CMD_HEAD $NECK -X ${CH} $@ $TAIL" >> $CONFDIR/undo_iptables_2.sh
fi
fi
FULL="$CMD_HEAD $MOUTH $NECK -${ACT} ${CH} $@ $TAIL"
#echo $FULL
$FULL
return $? return $?
} }
@@ -861,152 +938,84 @@ start_nat() {
echo echo
echo "iptables: NAT " echo "iptables: NAT "
if [[ $NO4 -eq 0 ]]; then if [[ $NO4 -eq 0 ]]; then
iptables_ -v -t nat -I POSTROUTING -s ${GATEWAY%.*}.0/24 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${GATEWAY%.*}.0/24 -j MASQUERADE || die iptb 4 v nat I POSTROUTING -s ${GATEWAY%.*}.0/24 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${GATEWAY%.*}.0/24 -j MASQUERADE || die
iptables_ -v -I FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${GATEWAY%.*}.0/24 -j ACCEPT || die iptb 4 v filter I FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${GATEWAY%.*}.0/24 -j ACCEPT || die
iptables_ -v -I FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN -d ${GATEWAY%.*}.0/24 -j ACCEPT || die iptb 4 v filter I FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN -d ${GATEWAY%.*}.0/24 -j ACCEPT || die
fi
if [[ $IPV6 -eq 1 ]]; then
ip6tables_ -v -t nat -I POSTROUTING -s ${PREFIX6}/64 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${PREFIX6}/64 -j MASQUERADE || die
ip6tables_ -v -I FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${PREFIX6}/64 -j ACCEPT || die
ip6tables_ -v -I FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN -d ${PREFIX6}/64 -j ACCEPT || die
fi
}
stop_nat() {
echo "iptables: stop NAT"
if [[ $NO4 -eq 0 ]]; then
iptables_ -t nat -D POSTROUTING -s ${GATEWAY%.*}.0/24 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${GATEWAY%.*}.0/24 -j MASQUERADE
iptables_ -D FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${GATEWAY%.*}.0/24 -j ACCEPT
iptables_ -D FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN -d ${GATEWAY%.*}.0/24 -j ACCEPT
fi
if [[ $IPV6 -eq 1 ]]; then
ip6tables_ -t nat -D POSTROUTING -s ${PREFIX6}/64 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${PREFIX6}/64 -j MASQUERADE
ip6tables_ -D FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${PREFIX6}/64 -j ACCEPT
ip6tables_ -D FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN -d ${PREFIX6}/64 -j ACCEPT
fi fi
iptb 6 v nat I POSTROUTING -s ${PREFIX6}/64 $IPTABLES_NAT_OUT $MASQUERADE_NOTOUT ! -d ${PREFIX6}/64 -j MASQUERADE || die
iptb 6 v filter I FORWARD -i ${SUBNET_IFACE} $IPTABLES_NAT_OUT -s ${PREFIX6}/64 -j ACCEPT || die
iptb 6 v filter I FORWARD -o ${SUBNET_IFACE} $IPTABLES_NAT_IN -d ${PREFIX6}/64 -j ACCEPT || die
} }
start_ban_lan() { start_ban_lan() {
echo echo
echo "iptables: Disallow clients to access LAN" echo "iptables: Disallow clients to access LAN"
iptables_ -N BANLAN-f-${SUBNET_IFACE} || die iptb 4 n filter N lrt${$}${SUBNET_IFACE}-BLF || die
# TODO: allow '--dhcp-dns(6)' address port 53, which can be something needed, e.g. a VPN's internal private IP # TODO: allow '--dhcp-dns(6)' address port 53, which can be something needed, e.g. a VPN's internal private IP
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 0.0.0.0/8 -j REJECT || die # TODO: use array iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 0.0.0.0/8 -j REJECT || die # TODO: use array
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 10.0.0.0/8 -j REJECT || die iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 10.0.0.0/8 -j REJECT || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 100.64.0.0/10 -j REJECT || die iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 100.64.0.0/10 -j REJECT || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 127.0.0.0/8 -j REJECT || die iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 127.0.0.0/8 -j REJECT || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 169.254.0.0/16 -j REJECT || die iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 169.254.0.0/16 -j REJECT || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 172.16.0.0/12 -j REJECT || die iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 172.16.0.0/12 -j REJECT || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 192.168.0.0/16 -j REJECT || die iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 192.168.0.0/16 -j REJECT || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 224.0.0.0/4 -j REJECT || die iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 224.0.0.0/4 -j REJECT || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 255.255.255.255 -j REJECT || die iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLF -d 255.255.255.255 -j REJECT || die
iptables_ -I FORWARD -i ${SUBNET_IFACE} -j BANLAN-f-${SUBNET_IFACE} || die iptb 4 n filter I FORWARD -i ${SUBNET_IFACE} -j lrt${$}${SUBNET_IFACE}-BLF || die
iptables_ -N BANLAN-i-${SUBNET_IFACE} iptb 4 n filter N lrt${$}${SUBNET_IFACE}-BLI || die
#iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} -j REJECT || die iptb 4 v filter I lrt${$}${SUBNET_IFACE}-BLI -i ${SUBNET_IFACE} ! -p icmp -j REJECT || die # ipv6 need icmp to function. TODO: maybe we can block some unneeded icmp to improve security
iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} ! -p icmp -j REJECT || die
# ipv6 need icmp to function. TODO: maybe we can block some unneeded icmp to improve security
iptables_ -I INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE} || die iptb 4 n filter I INPUT -i ${SUBNET_IFACE} -j lrt${$}${SUBNET_IFACE}-BLI || die
if [[ $IPV6 -eq 1 ]]; then
ip6tables_ -N BANLAN-f-${SUBNET_IFACE} || die
ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d fc00::/7 -j REJECT || die
ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d fe80::/10 -j REJECT || die
ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ff00::/8 -j REJECT || die
ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ::1 -j REJECT || die
ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ::/128 -j REJECT || die
ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ::ffff:0:0/96 -j REJECT || die
ip6tables_ -v -I BANLAN-f-${SUBNET_IFACE} -d ::ffff:0:0:0/96 -j REJECT || die
ip6tables_ -I FORWARD -i ${SUBNET_IFACE} -j BANLAN-f-${SUBNET_IFACE} || die iptb 6 n filter N lrt${$}${SUBNET_IFACE}-BLF || die
iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d fc00::/7 -j REJECT || die
iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d fe80::/10 -j REJECT || die
iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ff00::/8 -j REJECT || die
iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ::1 -j REJECT || die
iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ::/128 -j REJECT || die
iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ::ffff:0:0/96 -j REJECT || die
iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLF -d ::ffff:0:0:0/96 -j REJECT || die
ip6tables_ -N BANLAN-i-${SUBNET_IFACE} || die iptb 6 n filter I FORWARD -i ${SUBNET_IFACE} -j lrt${$}${SUBNET_IFACE}-BLF || die
#ip6tables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} -j REJECT || die
ip6tables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} ! -p icmpv6 -j REJECT || die
ip6tables_ -I INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE} || die iptb 6 n filter N lrt${$}${SUBNET_IFACE}-BLI || die
fi iptb 6 v filter I lrt${$}${SUBNET_IFACE}-BLI -i ${SUBNET_IFACE} ! -p icmpv6 -j REJECT || die
}
stop_ban_lan() {
echo "iptables: Unban clients' LAN access"
iptables_ -D FORWARD -i ${SUBNET_IFACE} -j BANLAN-f-${SUBNET_IFACE} iptb 6 n filter I INPUT -i ${SUBNET_IFACE} -j lrt${$}${SUBNET_IFACE}-BLI || die
iptables_ -F BANLAN-f-${SUBNET_IFACE}
iptables_ -X BANLAN-f-${SUBNET_IFACE}
iptables_ -D INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE}
iptables_ -F BANLAN-i-${SUBNET_IFACE}
iptables_ -X BANLAN-i-${SUBNET_IFACE}
if [[ $IPV6 -eq 1 ]]; then
ip6tables_ -D FORWARD -i ${SUBNET_IFACE} -j BANLAN-f-${SUBNET_IFACE}
ip6tables_ -F BANLAN-f-${SUBNET_IFACE}
ip6tables_ -X BANLAN-f-${SUBNET_IFACE}
ip6tables_ -D INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE}
ip6tables_ -F BANLAN-i-${SUBNET_IFACE}
ip6tables_ -X BANLAN-i-${SUBNET_IFACE}
fi
} }
allow_dns_port() { allow_dns_port() {
echo echo
echo "iptables: allow DNS" echo "iptables: allow DNS"
iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j ACCEPT || die iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j ACCEPT || die
iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j ACCEPT || die iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j ACCEPT || die
if [[ $IPV6 -eq 1 ]]; then iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j ACCEPT || die
ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j ACCEPT || die iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j ACCEPT || die
ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j ACCEPT || die
fi
}
unallow_dns_port() {
echo "iptables: unallow DNS"
iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p tcp -m tcp --dport 53 -j ACCEPT
iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -d ${GATEWAY} -p udp -m udp --dport 53 -j ACCEPT
if [[ $IPV6 -eq 1 ]]; then
ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j ACCEPT
ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -d ${GATEWAY6} -p udp -m udp --dport 53 -j ACCEPT
fi
} }
start_catch_dns() { start_catch_dns() {
echo echo
echo "iptables: redirect all TCP/UDP packet that destination port is 53" echo "iptables: redirect DNS queries to this host"
iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 || die iptb 4 v nat I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 || die
iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 || die iptb 4 v nat I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 || die
if [[ $IPV6 -eq 1 ]]; then
ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 || die iptb 6 v nat I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53 || die
ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 || die iptb 6 v nat I PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53 || die
fi
}
stop_catch_dns() {
echo "iptables: stop redirecting DNS queries"
iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
if [[ $IPV6 -eq 1 ]]; then
ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} ! -d ${GATEWAY6} -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
fi
} }
allow_dhcp() { allow_dhcp() {
echo echo
echo "iptables: allow dhcp" echo "iptables: allow dhcp"
iptables_ -v -I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 67 -j ACCEPT || die
if [[ $IPV6 -eq 1 ]]; then iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 67 -j ACCEPT || die
ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 547 -j ACCEPT || die iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 547 -j ACCEPT || die
fi
}
unallow_dhcp() {
echo "iptables: unallow dhcp"
iptables_ -D INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 67 -j ACCEPT
if [[ $IPV6 -eq 1 ]]; then
ip6tables_ -D INPUT -i ${SUBNET_IFACE} -p udp -m udp --dport 547 -j ACCEPT
fi
} }
# TODO: use 'DNAT' instead of '--to-ports' to support other IP # TODO: use 'DNAT' instead of '--to-ports' to support other IP
@@ -1014,61 +1023,43 @@ start_redsocks() {
echo echo
echo "iptables: transparent proxy non-LAN TCP/UDP traffic to port ${TP_PORT}" echo "iptables: transparent proxy non-LAN TCP/UDP traffic to port ${TP_PORT}"
if [[ $NO4 -eq 0 ]]; then if [[ $NO4 -eq 0 ]]; then
iptables_ -t nat -N REDSOCKS-${SUBNET_IFACE} || die iptb 4 n nat N lrt${$}${SUBNET_IFACE}-TP || die
iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 0.0.0.0/8 -j RETURN || die iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 0.0.0.0/8 -j RETURN || die
iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 10.0.0.0/8 -j RETURN || die iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 10.0.0.0/8 -j RETURN || die
iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 100.64.0.0/10 -j RETURN || die iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 100.64.0.0/10 -j RETURN || die
iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 127.0.0.0/8 -j RETURN || die iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 127.0.0.0/8 -j RETURN || die
iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 169.254.0.0/16 -j RETURN || die iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 169.254.0.0/16 -j RETURN || die
iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 172.16.0.0/12 -j RETURN || die iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 172.16.0.0/12 -j RETURN || die
iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 192.168.0.0/16 -j RETURN || die iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 192.168.0.0/16 -j RETURN || die
iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 224.0.0.0/4 -j RETURN || die iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 224.0.0.0/4 -j RETURN || die
iptables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d 255.255.255.255 -j RETURN || die iptb 4 n nat A lrt${$}${SUBNET_IFACE}-TP -d 255.255.255.255 -j RETURN || die
iptables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p tcp -j REDIRECT --to-ports ${TP_PORT} || die iptb 4 v nat A lrt${$}${SUBNET_IFACE}-TP -p tcp -j REDIRECT --to-ports ${TP_PORT} || die
iptables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p udp -j REDIRECT --to-ports ${TP_PORT} || die iptb 4 v nat A lrt${$}${SUBNET_IFACE}-TP -p udp -j REDIRECT --to-ports ${TP_PORT} || die
iptables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -j REDSOCKS-${SUBNET_IFACE} || die iptb 4 v nat I PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -j lrt${$}${SUBNET_IFACE}-TP || die
iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT || die iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT || die
iptables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p udp -m udp --dport ${TP_PORT} -j ACCEPT || die iptb 4 v filter I INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p udp -m udp --dport ${TP_PORT} -j ACCEPT || die
fi fi
if [[ $IPV6 -eq 1 ]]; then
ip6tables_ -t nat -N REDSOCKS-${SUBNET_IFACE} || die
ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d fc00::/7 -j RETURN || die
ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d fe80::/10 -j RETURN || die
ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d ff00::/8 -j RETURN || die
ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d ::1 -j RETURN || die
ip6tables_ -t nat -A REDSOCKS-${SUBNET_IFACE} -d :: -j RETURN || die
ip6tables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p tcp -j REDIRECT --to-ports ${TP_PORT} || die iptb 6 n nat N lrt${$}${SUBNET_IFACE}-TP || die
ip6tables_ -v -t nat -A REDSOCKS-${SUBNET_IFACE} -p udp -j REDIRECT --to-ports ${TP_PORT} || die iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d fc00::/7 -j RETURN || die
iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d fe80::/10 -j RETURN || die
iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d ff00::/8 -j RETURN || die
iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d ::1 -j RETURN || die
iptb 6 n nat A lrt${$}${SUBNET_IFACE}-TP -d :: -j RETURN || die
ip6tables_ -v -t nat -I PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -j REDSOCKS-${SUBNET_IFACE} || die iptb 6 v nat A lrt${$}${SUBNET_IFACE}-TP -p tcp -j REDIRECT --to-ports ${TP_PORT} || die
iptb 6 v nat A lrt${$}${SUBNET_IFACE}-TP -p udp -j REDIRECT --to-ports ${TP_PORT} || die
iptb 6 v nat I PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -j lrt${$}${SUBNET_IFACE}-TP || die
iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT || die
iptb 6 v filter I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p udp -m udp --dport ${TP_PORT} -j ACCEPT || die
ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT || die
ip6tables_ -v -I INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p udp -m udp --dport ${TP_PORT} -j ACCEPT || die
fi
} }
stop_redsocks() {
echo "iptables: stop transparent proxy"
if [[ $NO4 -eq 0 ]]; then
iptables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -j REDSOCKS-${SUBNET_IFACE}
iptables_ -t nat -F REDSOCKS-${SUBNET_IFACE}
iptables_ -t nat -X REDSOCKS-${SUBNET_IFACE}
iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT
iptables_ -D INPUT -i ${SUBNET_IFACE} -s ${GATEWAY%.*}.0/24 -p udp -m udp --dport ${TP_PORT} -j ACCEPT
fi
if [[ $IPV6 -eq 1 ]]; then
ip6tables_ -t nat -D PREROUTING -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -j REDSOCKS-${SUBNET_IFACE}
ip6tables_ -t nat -F REDSOCKS-${SUBNET_IFACE}
ip6tables_ -t nat -X REDSOCKS-${SUBNET_IFACE}
ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p tcp -m tcp --dport ${TP_PORT} -j ACCEPT
ip6tables_ -D INPUT -i ${SUBNET_IFACE} -s ${PREFIX6}/64 -p udp -m udp --dport ${TP_PORT} -j ACCEPT
fi
}
#--------------------------------------- #---------------------------------------
backup_ipv6_bits() { backup_ipv6_bits() {
mkdir "$CONFDIR/sys_6_conf_iface" || die "Failed making dir to save interface IPv6 status" mkdir "$CONFDIR/sys_6_conf_iface" || die "Failed making dir to save interface IPv6 status"
@@ -1123,15 +1114,11 @@ backup_interface_status() {
backup_ipv6_bits backup_ipv6_bits
# TODO : backup ip and others # TODO : ? backup ip and others???
# nm managing status is saved when nm_set_unmanaged() # nm managing status is saved when nm_set_unmanaged()
} }
restore_interface_status() { restore_interface_status() {
# virtual wifi interface will be destroyed, so no need to restore status
# don't use [[ $VWIFI_IFACE ]] to judge, if creating virtual wifi failed, VWIFI_IFACE is empty
[[ "$WIFI_IFACE" && "$NO_VIRT" -eq 0 ]] && return
restore_ipv6_bits restore_ipv6_bits
if [[ -n "$OLD_MACADDR" && "$(get_interface_mac $SUBNET_IFACE)" != "$OLD_MACADDR" ]] ; then if [[ -n "$OLD_MACADDR" && "$(get_interface_mac $SUBNET_IFACE)" != "$OLD_MACADDR" ]] ; then
@@ -1141,7 +1128,6 @@ restore_interface_status() {
nm_restore_manage nm_restore_manage
[[ $SUBNET_IFACE_ORIGINAL_UP_STATUS -eq 1 ]] && ip link set up dev ${SUBNET_IFACE} && echo "Restore ${SUBNET_IFACE} to link up"
} }
#--------------------------------------- #---------------------------------------
@@ -1164,12 +1150,7 @@ kill_processes() { # for this instance
_cleanup() { _cleanup() {
local x local x
ip addr flush ${SUBNET_IFACE}
rm -rf $CONFDIR rm -rf $CONFDIR
ip link set down dev ${SUBNET_IFACE}
if [[ $VWIFI_IFACE ]]; then # the subnet interface (virtual wifi interface) will be removed if [[ $VWIFI_IFACE ]]; then # the subnet interface (virtual wifi interface) will be removed
iw dev ${VWIFI_IFACE} del iw dev ${VWIFI_IFACE} del
dealloc_vface_name $VWIFI_IFACE dealloc_vface_name $VWIFI_IFACE
@@ -1193,25 +1174,9 @@ _cleanup() {
} }
clean_iptables() { clean_iptables() {
[[ -f $CONFDIR/undo_iptables.sh ]] && bash $CONFDIR/undo_iptables.sh
if [[ "$SHARE_METHOD" == "nat" ]]; then [[ -f $CONFDIR/undo_iptables_2.sh ]] && bash $CONFDIR/undo_iptables_2.sh
stop_nat
elif [[ "$SHARE_METHOD" == "redsocks" ]]; then
stop_redsocks
fi
if [[ "$DHCP_DNS" == "gateway" || "$DHCP_DNS6" == "gateway" ]]; then
unallow_dns_port
fi
[[ "$CATCH_DNS" -eq 1 ]] && stop_catch_dns
if [[ $NO_DNSMASQ -eq 0 ]]; then
unallow_dhcp
fi
[[ "$BANLAN" -eq 1 ]] && stop_ban_lan
} }
cleanup() { cleanup() {
@@ -1220,12 +1185,14 @@ cleanup() {
echo echo
echo "Doing cleanup.. " echo "Doing cleanup.. "
kill_processes kill_processes
clean_iptables 2> /dev/null echo "Undoing iptables changes .."
clean_iptables > /dev/null
_cleanup 2> /dev/null _cleanup 2> /dev/null
pgid=$(ps opgid= $$ |awk '{print $1}' ) #pgid=$(ps opgid= $$ |awk '{print $1}' )
kill -15 -$pgid #echo "Killing PGID $pgid ..."
sleep 1 #kill -15 -$pgid
#sleep 1
echo "Cleaning up done" echo "Cleaning up done"
#kill -9 -$pgid #kill -9 -$pgid
} }
@@ -1487,7 +1454,7 @@ check_other_functions(){
##### root test ##### NOTE above don't require root ########## ##### root test ##### NOTE above don't require root ##########
if [[ $(id -u) -ne 0 ]]; then if [[ $(id -u) -ne 0 ]]; then
echo "You must run it as root." >&2 echo "ERROR: Need root to continue" >&2
exit 1 exit 1
fi fi
###### NOTE below require root ########## ###### NOTE below require root ##########
@@ -1619,15 +1586,13 @@ decide_target_interface() {
decide_ip_addresses() { decide_ip_addresses() {
if [[ ! -n $GATEWAY ]]; then if [[ ! -n $GATEWAY ]]; then
GATEWAY="$(generate_random_ip4)" echo
echo "Use random LAN IPv4 address $GATEWAY"
elif [[ ! "$GATEWAY" =~ "." ]]; then elif [[ ! "$GATEWAY" =~ "." ]]; then
GATEWAY="192.168.${GATEWAY}.1" GATEWAY="192.168.${GATEWAY}.1"
fi fi
if [[ $IPV6 -eq 1 && ! -n $PREFIX6 ]]; then if [[ $IPV6 -eq 1 && ! -n $PREFIX6 ]]; then
PREFIX6="$(generate_random_lan_ip6_prefix)" echo
echo "Use random LAN IPv6 address ${PREFIX6}${IID6}"
elif [[ ! "$PREFIX6" =~ ":" ]]; then elif [[ ! "$PREFIX6" =~ ":" ]]; then
PREFIX6="fd00:0:0:${PREFIX6}::" PREFIX6="fd00:0:0:${PREFIX6}::"
fi fi
@@ -1771,7 +1736,7 @@ write_hostapd_conf() {
rsn_pairwise=CCMP rsn_pairwise=CCMP
EOF EOF
else else
echo "WARN: Wifi is not protected by password" >&2 echo "WARN: WiFi is not protected by password" >&2
fi fi
chmod 600 "$CONFDIR/hostapd.conf" chmod 600 "$CONFDIR/hostapd.conf"
} }
@@ -1974,11 +1939,14 @@ phead
phead2 phead2
echo echo
echo
echo "This is workaround for #31. Must use with '-g' and for wired interface !"
echo
echo "PID: $$" echo "PID: $$"
TARGET_IFACE="$(decide_target_interface)" || exit 1 # judge wired (-i CONN_IFACE) or wireless hotspot (--ap $WIFI_IFACE) TARGET_IFACE="$(decide_target_interface)" || exit 1 # judge wired (-i CONN_IFACE) or wireless hotspot (--ap $WIFI_IFACE)
echo "Target interface is ${TARGET_IFACE} ($(get_interface_mac $TARGET_IFACE))" echo "Target interface is ${TARGET_IFACE} ($(get_interface_mac $TARGET_IFACE)) $(get_interface_pci_info $TARGET_IFACE)"
# TODO: show interface type, device model and pci/usb id (hwdata pci.ids), current driver
if [[ "$MAC_USE_RANDOM" -eq 1 ]] ; then if [[ "$MAC_USE_RANDOM" -eq 1 ]] ; then
NEW_MACADDR="$(generate_random_mac)" NEW_MACADDR="$(generate_random_mac)"
@@ -2029,24 +1997,15 @@ fi
[[ $NO_DNSMASQ -eq 0 ]] && write_dnsmasq_conf [[ $NO_DNSMASQ -eq 0 ]] && write_dnsmasq_conf
#=========================== #===========================
# initialize subnet interface
# take subnet interface down first
ip link set down dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} down"
# flush old IPs of subnet interface
ip addr flush ${SUBNET_IFACE} || die "Failed flush ${SUBNET_IFACE} IP"
dealwith_mac # setting MAC should be after setting NM unmanaged dealwith_mac # setting MAC should be after setting NM unmanaged
[[ $WIFI_IFACE ]] && check_rfkill_unblock_wifi [[ $WIFI_IFACE ]] && check_rfkill_unblock_wifi
# bring subnet interface up
ip link set up dev ${SUBNET_IFACE} || die "Failed bringing ${SUBNET_IFACE} up"
# hostapd , haveged # hostapd , haveged
[[ $WIFI_IFACE ]] && run_wifi_ap_processes [[ $WIFI_IFACE ]] && run_wifi_ap_processes
# add ipv4 address to subnet interface
ip -4 addr add ${GATEWAY}/24 broadcast ${GATEWAY%.*}.255 dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IPv4 address"
set_ipv6_bits set_ipv6_bits
@@ -2057,25 +2016,33 @@ fi
check_iptables check_iptables
echo "NOTICE: Not showing all operations done to iptables rules"
[[ "$NO4" -eq 1 ]] && echo -e "\nWARN: Since you're using in this mode (no IPv4 Internet), make sure you've read Notice 1\n" >&2
# enable Internet sharing # enable Internet sharing
if [[ "$SHARE_METHOD" == "none" ]]; then if [[ "$SHARE_METHOD" == "none" ]]; then
echo "No Internet sharing" echo "No Internet sharing"
echo -e "\nWARN: Since you're using in this mode (no Internet share), make sure you've read Notice 1\n" >&2
[[ "$BANLAN" -eq 1 ]] && start_ban_lan [[ "$BANLAN" -eq 1 ]] && start_ban_lan
elif [[ "$SHARE_METHOD" == "nat" ]]; then elif [[ "$SHARE_METHOD" == "nat" ]]; then
[[ "$INTERNET_IFACE" ]] && echo -e "\nWARN: Since you're using in this mode (specify Internet interface), make sure you've read Notice 1\n" >&2
[[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS. In some unexpected case (eg. mistaken configurations), queries may leak to other interfaces, which you should be aware of.\n" >&2 [[ "$INTERNET_IFACE" && "$dnsmasq_NO_DNS" -eq 0 ]] && echo -e "\nWARN: You specified Internet interface but this host is providing local DNS. In some unexpected case (eg. mistaken configurations), queries may leak to other interfaces, which you should be aware of.\n" >&2
start_nat start_nat
[[ "$BANLAN" -eq 1 ]] && start_ban_lan [[ "$BANLAN" -eq 1 ]] && start_ban_lan
echo 1 > "/proc/sys/net/ipv4/ip_forward" || die "Failed enabling system ipv4 forwarding" echo 1 > "/proc/sys/net/ipv4/ip_forward" || die "Failed enabling system ipv4 forwarding" # TODO maybe uneeded in '--no4' mode
if [[ $IPV6 -eq 1 ]]; then if [[ $IPV6 -eq 1 ]]; then
echo 1 > "/proc/sys/net/ipv6/conf/all/forwarding" || die "Failed enabling system ipv6 forwarding" echo 1 > "/proc/sys/net/ipv6/conf/all/forwarding" || die "Failed enabling system ipv6 forwarding" # TODO if '-o' used, set only 2 interfaces' bits
fi fi
# to enable clients to establish PPTP connections we must # to enable clients to establish PPTP connections we must
@@ -2106,7 +2073,7 @@ fi
[[ $NO_DNSMASQ -eq 0 ]] && ( allow_dhcp ; start_dnsmasq ) [[ $NO_DNSMASQ -eq 0 ]] && ( allow_dhcp ; start_dnsmasq )
echo echo
echo "== Setting up completed, now linux-router is working ==" echo "== Setting up completed, now linux-router should be working =="
#============================================================ #============================================================
#============================================================ #============================================================