Linux-router
Sets Linux up as a router in one command. Can provide Internet or create a WiFi hotspot. Supports transparent proxy (redsocks). Also useful for routing VMs/containers.
It wraps iptables, dnsmasq etc. Use in one command, restore in one command or by control-c (or even by closing the terminal window).
Linux-Router News & Developer Notes
Features
Basic features:
- Create a NATed sub-network
- Provide Internet
- DHCP server (and RA)
  - Specify what DNS the DHCP server assigns to clients
- DNS server
  - Specify upstream DNS (kind of a plain DNS proxy)
- IPv6 (behind NATed LAN, like IPv4)
- Creating WiFi hotspot:
  - Channel selecting
  - Choose encryption: WPA2/WPA, WPA2, WPA, no encryption
  - Create AP on the same interface you are getting Internet from (usually requires the same channel)
- Transparent proxy (redsocks)
- Transparent DNS proxy (hijack port 53 packets)
- Detect NetworkManager and make sure it won't interfere (handle interface (un)managed status)
- You can run many instances to create many different networks. Has an instance-managing feature.
For many other features, see CLI usage below.
Useful in these situations
Internet----(eth0/wlan0)-Linux-(wlanX)AP
|--client
|--client
Internet
WiFi AP(no DHCP) |
|----(wlan1)-Linux-(eth0/wlan0)------
| (DHCP)
|--client
|--client
Internet
Switch |
|---(eth1)-Linux-(eth0/wlan0)--------
|--client
|--client
Internet----(eth0/wlan0)-Linux-(eth1)------Another PC
Internet----(eth0/wlan0)-Linux-(virtual interface)-----VM/container
Install
1-file-script. Released on the Linux-router repo on Github. Download and run the bash script (meet the dependencies).
I'm currently not packaging for any distro. If you do, open a PR and add the link (can be with a version badge) to the list here:
Linux distro | |
---|---|
Any | download 1-file-script and run |
Dependencies
- bash
- procps or procps-ng
- iproute2
- dnsmasq
- iptables (or nftables with iptables-nft translation linked)
- WiFi hotspot dependencies
  - hostapd
  - iw
  - iwconfig (you only need this if 'iw' can not recognize your adapter)
  - haveged (optional)
Usage
Provide Internet to an interface
sudo lnxrouter -i eth1
no matter which interface (other than eth1) you're getting Internet from.
Create WiFi hotspot
sudo lnxrouter --ap wlan0 MyAccessPoint -p MyPassPhrase
no matter which interface you're getting Internet from (even from wlan0). Will create virtual interface x0wlan0 for the hotspot.
Provide an interface's Internet to another interface
Clients access Internet through isp5 only
sudo lnxrouter -i eth1 -o isp5 --no-dns --dhcp-dns 1.1.1.1 -6 --dhcp-dns6 [2606:4700:4700::1111]
In this case of usage, it's recommended to:
- Stop serving local DNS
- Tell clients which DNS to use: ISP5's DNS (or a safe public DNS, like the example above)
Also, read Notice 1
Create LAN without providing Internet
sudo lnxrouter -n -i eth1
sudo lnxrouter -n --ap wlan0 MyAccessPoint -p MyPassPhrase
Read Notice 1
Internet for LXC
Create a bridge
sudo brctl addbr lxcbr5
In LXC container config
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr5
lxc.network.hwaddr = xx:xx:xx:xx:xx:xx
sudo lnxrouter -i lxcbr5
Transparent proxy
All clients' Internet traffic goes through, for example, Tor (note this example is NOT an anonymity use)
sudo lnxrouter -i eth1 --tp 9040 --dns 9053 -g 192.168.55.1 -6 --p6 fd00:5:6:7::
In torrc
TransPort 192.168.55.1:9040
DNSPort 192.168.55.1:9053
TransPort [fd00:5:6:7::1]:9040
DNSPort [fd00:5:6:7::1]:9053
Warn: Tor's anonymity relies on a purpose-made browser. Using Tor like this (sharing Tor's network with LAN clients) will NOT ensure anonymity. Although we use Tor as the example here, Linux-router does NOT ensure, nor aim at, anonymity.
Clients-in-sandbox network
To not give our information to clients. Clients can still access Internet.
sudo lnxrouter -i eth1 \
--tp 9040 --dns 9053 \
--random-mac \
--ban-priv \
--catch-dns --log-dns # optional
Linux-router comes with no warranty. Use at your own risk.
Use as transparent proxy for LXD
Create a bridge
sudo brctl addbr lxdbr5
Create and add a new LXD profile overriding the container's eth0
lxc profile create profile5
lxc profile edit profile5
### profile content ###
config: {}
description: ""
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdbr5
    type: nic
name: profile5
lxc profile add <container> profile5
sudo lnxrouter -i lxdbr5 --tp 9040 --dns 9053
To remove that new profile from the container
lxc profile remove <container> profile5
To not use a profile
Add a new eth0 to the container overriding the default eth0
lxc config device add <container> eth0 nic name=eth0 nictype=bridged parent=lxdbr5
To remove the customized eth0 and restore the default eth0
lxc config device remove <container> eth0
Use as transparent proxy for VirtualBox
In VirtualBox's global settings, create a host-only network vboxnet5 with DHCP disabled.
sudo lnxrouter -i vboxnet5 --tp 9040 --dns 9053
Use as transparent proxy for firejail
Create a bridge
sudo brctl addbr firejail5
sudo lnxrouter -i firejail5 -g 192.168.55.1 --tp 9040 --dns 9053
firejail --net=firejail5 --dns=192.168.55.1 --blacklist=/var/run/nscd
Firejail's /etc/resolv.conf doesn't obtain DNS from DHCP, so we need to assign it.
nscd is the domain name cache service, which shouldn't be accessible from inside the jail here.
CLI usage and other features
Usage: lnxrouter <options>
Options:
-h, --help Show this help
--version Print version number
-i <interface> Interface to make NATed sub-network,
and to provide Internet to
(To create WiFi hotspot use '--ap' instead)
-o <interface> Specify an interface to provide Internet from.
(See Notice 1)
(Note using this with default DNS option may leak
queries to other interfaces)
-n Do not provide Internet (See Notice 1)
--ban-priv Disallow clients to access my private network
-g <ip> This host's IPv4 address in subnet (mask is /24)
(example: '192.168.5.1' or '5' shortly)
-6 Enable IPv6 (NAT)
--no4 Disable IPv4 Internet (not forwarding IPv4)
(See Notice 1). Usually used with '-6'
--p6 <prefix> Set IPv6 LAN address prefix (length 64)
(example: 'fd00:0:0:5::' or '5' shortly)
Using this enables '-6'
--dns <ip>|<port>|<ip:port>
DNS server's upstream DNS.
Use ',' to separate multiple servers
(default: use /etc/resolv.conf)
(Note IPv6 addresses need '[]' around)
--no-dns Do not serve DNS
--no-dnsmasq Disable dnsmasq server (DHCP, DNS, RA)
--catch-dns Transparent DNS proxy, redirect packets(TCP/UDP)
whose destination port is 53 to this host
--log-dns Show DNS query log (dnsmasq)
--dhcp-dns <IP1[,IP2]>|no
Set IPv4 DNS offered by DHCP (default: this host).
--dhcp-dns6 <IP1[,IP2]>|no
Set IPv6 DNS offered by DHCP (RA)
(default: this host)
(Note IPv6 addresses need '[]' around)
Using both above two will enable '--no-dns'
--hostname <name> DNS server associate this name with this host.
Use '-' to read name from /etc/hostname
-d DNS server will take into account /etc/hosts
-e <hosts_file> DNS server will take into account additional
hosts file
--dns-nocache DNS server no cache
--mac <MAC> Set MAC address
--random-mac Use random MAC address
--tp <port> Transparent proxy,
redirect non-LAN TCP and UDP(not tested) traffic to
port. (usually used with '--dns')
WiFi hotspot options:
--ap <wifi interface> <SSID>
Create WiFi access point
-p, --password <password>
WiFi password
--qr Show WiFi QR code in terminal (need qrencode)
--hidden Hide access point (not broadcast SSID)
--no-virt Do not create virtual interface
Using this you can't use same wlan interface
for both Internet and AP
--virt-name <name> Set name of virtual interface
-c <channel> Channel number (default: 1)
--country <code> Set two-letter country code for regulatory domain
(example: US)
--freq-band <GHz> Set frequency band: 2.4 or 5 (default: 2.4)
--driver Choose your WiFi adapter driver (default: nl80211)
-w <WPA version> '2' for WPA2, '1' for WPA, '1+2' for both
(default: 2)
--psk Use 64 hex digits pre-shared-key instead of
passphrase
--mac-filter Enable WiFi hotspot MAC address filtering
--mac-filter-accept Location of WiFi hotspot MAC address filter list
(defaults to /etc/hostapd/hostapd.accept)
--hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd
--isolate-clients Disable wifi communication between clients
--ieee80211n Enable IEEE 802.11n (HT)
--ieee80211ac Enable IEEE 802.11ac (VHT)
--ht_capab <HT> HT capabilities (default: [HT40+])
--vht_capab <VHT> VHT capabilities
--no-haveged Do not run haveged automatically when needed
Instance managing:
--daemon Run in background
-l, --list-running Show running instances
--lc, --list-clients <id|interface>
List clients of an instance. Or list neighbors of
an interface, even if it isn't handled by us.
(passive mode)
--stop <id> Stop a running instance
For <id> you can use PID or subnet interface name.
You can get them with '--list-running'
Notice
Notice 1: This script assumes your host's default policy won't forward
packets, so the script won't explicitly ban forwarding in any
mode. In some unexpected cases (e.g. mistaken configurations) this may
cause unwanted packet leakage between 2 networks, which you
should be aware of if you want an isolated network.
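The transparent-proxy mode above and Notice 1 both come down to a handful of netfilter rules. The following is an added illustration, not lnxrouter's own code: it prints the iptables commands that send a LAN's DNS and TCP to Tor's DNSPort/TransPort as in the torrc above, the private-range rejects behind the --ban-priv idea, and an explicit FORWARD reject that fails closed where the script relies on the host's default policy. Interface eth1, subnet 192.168.55.0/24 and ports 9040/9053 are taken from the examples above; the exact rules lnxrouter installs (it runs dnsmasq in front of the DNSPort) are not modelled, and IPv6 (ip6tables) is left out.

```shell
#!/bin/sh
# Added illustration of the netfilter rules behind a transparent-proxy LAN.
# Not lnxrouter's own code: the functions only print iptables commands so the
# rule set can be reviewed first; pipe the output to "sudo sh" to apply it.
# Assumed values (from the examples above): LAN eth1, 192.168.55.0/24,
# Tor TransPort 9040 and DNSPort 9053 listening on this host.

# nat rules: every port-53 query from the LAN lands on the DNSPort, and every
# other TCP connection that is not for the LAN itself lands on the TransPort.
# First match wins, so the port-53 rules must come before the catch-all.
tp_rules() {
    lan="$1"; subnet="$2"; tp_port="$3"; dns_port="$4"
    echo "iptables -t nat -A PREROUTING -i $lan -p udp --dport 53 -j REDIRECT --to-ports $dns_port"
    echo "iptables -t nat -A PREROUTING -i $lan -p tcp --dport 53 -j REDIRECT --to-ports $dns_port"
    echo "iptables -t nat -A PREROUTING -i $lan ! -d $subnet -p tcp -j REDIRECT --to-ports $tp_port"
}

# filter rules with the --ban-priv idea: LAN clients may not reach the host's
# other private networks. Relevant for a plain NAT setup (no --tp), where
# client packets are forwarded rather than redirected; must precede any ACCEPT.
ban_priv_rules() {
    lan="$1"
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16; do
        echo "iptables -A FORWARD -i $lan -d $net -j REJECT"
    done
}

# Fail closed: Notice 1 says the script relies on the host's default FORWARD
# policy, so anything the REDIRECT above does not catch (UDP other than DNS,
# ICMP, ...) would be forwarded unproxied if that policy is ACCEPT.
fail_closed_rules() {
    lan="$1"
    echo "iptables -A FORWARD -i $lan -j REJECT"
}

# Quick sanity check on a rule set read from stdin: number of REDIRECT rules.
count_redirects() {
    grep -c -- '-j REDIRECT'
}

# Whole rule set in the order it should be applied.
full_ruleset() {
    tp_rules "$1" "$2" "$3" "$4"
    ban_priv_rules "$1"
    fail_closed_rules "$1"
}

full_ruleset eth1 192.168.55.0/24 9040 9053
```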
What changes are done to Linux system
On exit of a linux-router instance, the script will do cleanup, i.e. undo most changes to the system. Though, some changes (if needed) will not be undone, which are:
- /proc/sys/net/ipv4/ip_forward = 1 and /proc/sys/net/ipv6/conf/all/forwarding = 1
- dnsmasq in Apparmor complain mode
- hostapd in Apparmor complain mode
- Kernel module nf_nat_pptp loaded
- The wifi device which is used to create the hotspot is rfkill unblocked
- WiFi country code, if the user assigns one
Meet contributor(s) and become one of them
Visit my homepage
Buy me a coffee, this project took me lots of time! (Scan the code to claim a red packet and leave a tip!)
history branch for how I modified create_ap).
There are some TO-DOs listed, both in the readme TODO and in the code file. Also some unfulfilled enhancements in the Issues.
Contributions are not limited to coding. There are some posts and questions that need more people to answer.
TODO
Sooner is better:
- Detect firewalld and make sure it won't interfere with our interface
Future:
- WPA3
- Global IPv6
- Explicitly ban forwarding if not needed
- Bring bridging method back
License
linux-router is LGPL licensed
linux-router
Copyright (C) 2018 garywill
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Upstream create_ap was BSD licensed
Copyright (c) 2013, oblique
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.