
support short gateway ip expression
fix dnsmasq PID not being read
watchdog zombie judgement
iptables nft and comment judgement
use fifo for dnsmasq log
garywill committed Apr 17, 2021
1 parent 1e3c500 commit e5fc9ef
Showing 2 changed files with 84 additions and 26 deletions.
22 changes: 15 additions & 7 deletions README.md
Expand Up @@ -4,7 +4,9 @@ Set Linux as router in one command. Able to Provide Internet, or create Wifi hot

It wraps `iptables`, `dnsmasq` etc. stuff. Use in one command, restore in one command or by `control-c` (or even by closing terminal window).

[Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md) :)
[Buy me a coffee](https://github.com/garywill/receiving/blob/master/receiving_methods.md)

( ^\_^)o自自o(^_^ )

## Features

Expand Down Expand Up @@ -110,7 +112,9 @@ lxc.network.hwaddr = xx:xx:xx:xx:xx:xx
sudo lnxrouter -i lxcbr5
```

### Transparent proxy with Tor
### Transparent proxy

For example through Tor

```
sudo lnxrouter -i eth1 --tp 9040 --dns 9053 -g 192.168.55.1 --p6 fd00:5:6:7::
Expand All @@ -127,7 +131,7 @@ DNSPort [fd00:5:6:7::1]:9053

### Clients-in-sandbox network

To not give our infomation to clients:
To not give our infomation to clients. Clients can still access Internet.

```
sudo lnxrouter -i eth1 \
Expand Down Expand Up @@ -232,12 +236,14 @@ Options:
--ban-priv Disallow clients to access my private network
-g <ip> This host's IPv4 address in subnet (mask is /24)
(example: '192.168.5.1' or '5' shortly)
-6 Enable IPv6 (NAT)
--no4 Disable IPv4 Internet (not forwarding IPv4)
(See Notice 1). Usually used with '-6'
--p6 <prefix> Set IPv6 LAN address prefix (length 64)
(example: fd00:1:2:3::) Using this enables '-6'
(example: 'fd00:0:0:5::' or '5' shortly)
Using this enables '-6'
--dns <ip>|<port>|<ip:port>
DNS server's upstream DNS.
Expand Down Expand Up @@ -333,13 +339,13 @@ Options:
- procps or procps-ng
- iproute2
- dnsmasq
- iptables
- iptables (legacy. nft not tested)
- WiFi hotspot dependencies
- hostapd
- iw
- iwconfig (you only need this if 'iw' can not recognize your adapter)
- haveged (optional)
- qrencode (opional)
- qrencode (optional)

## TODO

Expand All @@ -354,10 +360,12 @@ Options:

( ^\_^)o自自o(^_^ )

No? Okay, or just give me a star!
[打赏一个](https://github.com/garywill/receiving/blob/master/receiving_methods.md)

## For developers

**Many thanks to project [create_ap](https://github.com/oblique/create_ap)**.

This script was forked from create\_ap. Now it's quite different from it. (See `history` branch for how I modified create_ap)

There're some TO-DOs listed, at both above and in the code file. We'll appreciate your help.
88 changes: 69 additions & 19 deletions lnxrouter
100644 → 100755
@@ -1,6 +1,6 @@
#!/bin/bash

# TODO: showing version or git commit on running
# TODO: showing version (or git commit) on running
VERSION=0.6.0
PROGNAME="$(basename $0)"

Expand Down Expand Up @@ -30,12 +30,14 @@ Options:
--ban-priv Disallow clients to access my private network
-g <ip> This host's IPv4 address in subnet (mask is /24)
(example: '192.168.5.1' or '5' shortly)
-6 Enable IPv6 (NAT)
--no4 Disable IPv4 Internet (not forwarding IPv4)
(See Notice 1). Usually used with '-6'
--p6 <prefix> Set IPv6 LAN address prefix (length 64)
(example: fd00:1:2:3::) Using this enables '-6'
(example: 'fd00:0:0:5::' or '5' shortly)
Using this enables '-6'
--dns <ip>|<port>|<ip:port>
DNS server's upstream DNS.
Expand Down Expand Up @@ -201,6 +203,7 @@ define_global_variables(){
CONFDIR=
NM_RUNNING=0
NM_UNM_LIST= # it's called "list" but for now one interface
XT_COMMENT=1
}

parse_user_options(){
Expand Down Expand Up @@ -736,7 +739,7 @@ haveged_watchdog() {
echo "WARN: Low entropy detected. We recommend you to install \`haveged'" 1>&2
show_warn=0
fi
elif ! pidof haveged > /dev/null 2>&1; then
elif ! pidof haveged > /dev/null 2>&1; then # TODO judge zombie ?
echo "Low entropy detected, starting haveged" 1>&2
# boost low-entropy
haveged -w 1024 -p $COMMON_CONFDIR/haveged.pid
Expand All @@ -745,7 +748,24 @@ haveged_watchdog() {
sleep 2
done
}

pid_watchdog() {
local PID="$1"
local SLEEP="$2"
local ERR_MSG="$3"
local ST
while true
do
if [[ -e "/proc/$PID" ]]; then
ST="$(cat "/proc/$PID/status" | grep "^State:" | awk '{print $2}')"
if [[ "$ST" != 'Z' ]]; then
sleep $SLEEP
continue
fi
fi
die "$ERR_MSG"
done

}
#========


Expand Down Expand Up @@ -792,15 +812,22 @@ nm_restore_manage() {
fi
}
#=========

iptables_()
{
iptables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE"
if [[ $XT_COMMENT -eq 1 ]]; then
iptables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE"
else
iptables -w $@
fi
return $?
}
ip6tables_()
{
ip6tables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE"
if [[ $XT_COMMENT -eq 1 ]]; then
ip6tables -w $@ -m comment --comment "lnxrouter-$$-$SUBNET_IFACE"
else
ip6tables -w $@
fi
return $?
}

Expand Down Expand Up @@ -843,7 +870,7 @@ start_ban_lan() {
echo
echo "iptables: Disallow clients to access LAN"
iptables_ -N BANLAN-f-${SUBNET_IFACE} || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 0.0.0.0/8 -j REJECT || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 0.0.0.0/8 -j REJECT || die # TODO: use array
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 10.0.0.0/8 -j REJECT || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 100.64.0.0/10 -j REJECT || die
iptables_ -v -I BANLAN-f-${SUBNET_IFACE} -d 127.0.0.0/8 -j REJECT || die
Expand All @@ -858,6 +885,7 @@ start_ban_lan() {
iptables_ -N BANLAN-i-${SUBNET_IFACE}
#iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} -j REJECT || die
iptables_ -v -I BANLAN-i-${SUBNET_IFACE} -i ${SUBNET_IFACE} ! -p icmp -j REJECT || die
# TODO: ipv6 need icmp to function. maybe we can block some unneeded icmp to improve security

iptables_ -I INPUT -i ${SUBNET_IFACE} -j BANLAN-i-${SUBNET_IFACE} || die

Expand Down Expand Up @@ -1465,12 +1493,13 @@ daemonizing_check(){
check_wifi_settings() {

if ! ( which iw > /dev/null 2>&1 && iw dev $WIFI_IFACE info > /dev/null 2>&1 ); then
echo "WARN: Can't use 'iw' to operation this WiFi interface, trying 'iwconfig' ..." >&2
if which iwconfig > /dev/null 2>&1 && iwconfig $WIFI_IFACE > /dev/null 2>&1; then
USE_IWCONFIG=1
echo "WARN: Using 'iwconfig', not as good as 'iw'" >&2
else
echo "ERROR: Can't use 'iwconfig' to operation this WiFi interface neither" >&2
echo "WARN: Can't use 'iw' to operate interfce '$WIFI_IFACE', trying 'iwconfig' (not as good as 'iw') ..." >&2
USE_IWCONFIG=1
fi

if [[ $USE_IWCONFIG -eq 1 ]]; then
if ! (which iwconfig > /dev/null 2>&1 && iwconfig $WIFI_IFACE > /dev/null 2>&1); then
echo "ERROR: Can't use 'iwconfig' to operate interfce '$WIFI_IFACE'" >&2
exit 1
fi
fi
Expand Down Expand Up @@ -1572,11 +1601,15 @@ decide_ip_addresses() {
if [[ ! -n $GATEWAY ]]; then
GATEWAY="$(generate_random_ip4)"
echo "Use random LAN IPv4 address $GATEWAY"
elif [[ ! "$GATEWAY" =~ "." ]]; then
GATEWAY="192.168.${GATEWAY}.1"
fi

if [[ $IPV6 -eq 1 && ! -n $PREFIX6 ]]; then
PREFIX6="$(generate_random_lan_ip6_prefix)"
echo "Use random LAN IPv6 address ${PREFIX6}${IID6}"
elif [[ ! "$PREFIX6" =~ ":" ]]; then
PREFIX6="fd00:0:0:${PREFIX6}::"
fi
if [[ $IPV6 -eq 1 ]]; then
GATEWAY6="${PREFIX6}${IID6}"
Expand Down Expand Up @@ -1729,6 +1762,11 @@ write_dnsmasq_conf() {
else
NOBODY_GROUP="nogroup"
fi

mkfifo "$CONFDIR/dnsmasq.log" || die "Failed creating pipe file for dnsmasq"
chown nobody "$CONFDIR/dnsmasq.log" || die "Failed changing dnsmasq log file owner"
cat "$CONFDIR/dnsmasq.log" &

cat <<- EOF > "$CONFDIR/dnsmasq.conf"
user=nobody
group=$NOBODY_GROUP
Expand All @@ -1740,7 +1778,7 @@ write_dnsmasq_conf() {
dhcp-range=${GATEWAY%.*}.10,${GATEWAY%.*}.250,255.255.255.0
dhcp-option-force=option:router,${GATEWAY}
#log-dhcp
log-facility=/dev/stdout
log-facility=$CONFDIR/dnsmasq.log
bogus-priv
domain-needed
EOF
Expand Down Expand Up @@ -1831,8 +1869,7 @@ run_wifi_ap_processes() {
# sleep 1
#done
#echo -n "hostapd PID: " ; cat $CONFDIR/hostapd.pid
( while [ -e /proc/$HOSTAPD_PID ]; do sleep 10; done ; die "hostapd exited" ) &

pid_watchdog $HOSTAPD_PID 10 "hostapd failed" &
sleep 3
}

Expand All @@ -1855,9 +1892,10 @@ start_dnsmasq() {
i=$((i + 1))
if [[ $i -gt 10 ]]; then die "Couldn't get dnsmasq PID" ; fi
done
echo -n "dnsmasq PID: " ; cat "$CONFDIR/dnsmasq.pid"
DNSMASQ_PID="$(cat "$CONFDIR/dnsmasq.pid" )"
echo "dnsmasq PID: $DNSMASQ_PID"
######(wait $DNSMASQ_PID ; die "dnsmasq failed") & # wait can't deal with non-child
( while [ -e "/proc/$DNSMASQ_PID" ]; do sleep 10; done ; die "dnsmasq exited" ) &
pid_watchdog $DNSMASQ_PID 9 "dnsmasq failed" &
sleep 2
}

Expand Down Expand Up @@ -1986,6 +2024,18 @@ if [[ $IPV6 -eq 1 ]] ; then
ip -6 addr add ${GATEWAY6}/64 dev ${SUBNET_IFACE} || die "Failed setting ${SUBNET_IFACE} IPv6 address"
fi

function check_iptables() {
if iptables --version | grep "nf_tables" >/dev/null 2>&1 ; then
echo -e "\nWARN: Your system is using nftables. This script is tested with iptables legacy only. If you encounter problems, visit following URL for infomation:\n https://github.com/oblique/create_ap/issues/373\n https://github.com/oblique/create_ap/issues/433\n https://github.com/garywill/linux-router/issues/18\n" >&2
fi

if ! lsmod | grep -E "\bxt_comment\b" >/dev/null 2>&1 ; then
XT_COMMENT=0
fi
}

check_iptables

# enable Internet sharing
if [[ "$SHARE_METHOD" == "none" ]]; then

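Review bot: The IPv6 short-form branch in decide_ip_addresses fires even when IPv6 is off: `elif [[ ! "$PREFIX6" =~ ":" ]]` is reached whenever the preceding `if [[ $IPV6 -eq 1 && ! -n $PREFIX6 ]]` is false, so with IPv6 disabled and no --p6 the empty PREFIX6 is rewritten to `fd00:0:0:::`; the guard should read `elif [[ $IPV6 -eq 1 && ! "$PREFIX6" =~ ":" ]]; then` (whether anything later reads PREFIX6 with IPv6 off is outside the hunk). Neither short form is validated before it is spliced into an address, so `-g abc` produces `192.168.abc.1` and only fails later at `ip addr add` and inside the generated dnsmasq.conf; a check such as `[[ "$GATEWAY" =~ ^[0-9]{1,3}$ ]] || die "Invalid -g value: $GATEWAY"` before the assignment (and a hex-digit check for the --p6 form) gives a clearer failure. In check_iptables, `lsmod | grep -E "\bxt_comment\b"` runs before any `-m comment` rule has been inserted, so on a kernel where xt_comment is built in or is a module that iptables typically loads on first use it reports absent and the iptables_/ip6tables_ wrappers silently drop the `lnxrouter-$$-$SUBNET_IFACE` tags; loading the module first (`modprobe -q xt_comment`) before consulting lsmod, or treating a failed `-m comment` insertion as the signal, would be more reliable. decide_ip_addresses and the top-level code around check_iptables both continue outside their hunks.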
