You are reading the doc of Linux-router. For more up-to-date content, visit Github.

Linux-router

Set up Linux as a router in one command. It can provide Internet access or create a WiFi hotspot, supports transparent proxying (redsocks), and is also useful for routing VMs/containers.

It wraps iptables, dnsmasq and related tools. Start it with one command; restore the system with one command, with Ctrl-C, or even by closing the terminal window.

Linux-Router News & Developer Notes | More tools and projects | Buy me a coffee

Features

Basic features:

  • Create a NATed sub-network
  • Provide Internet
  • DHCP server (and RA)
    • Specify what DNS the DHCP server assigns to clients
  • DNS server
    • Specify upstream DNS (kind of a plain DNS proxy)
  • IPv6 (behind a NATed LAN, like IPv4)
  • Creating a WiFi hotspot:
    • Channel selecting
    • Choose encryption: WPA2/WPA, WPA2, WPA, no encryption
    • Create an AP on the same interface you get Internet from (usually requires the same channel)
  • Transparent proxy (redsocks)
  • Transparent DNS proxy (hijack port 53 packets)
  • Detect NetworkManager and make sure it won't interfere (handles the interface's (un)managed status)
  • You can run many instances to create many different networks; instance management is built in.

For many other features, see the CLI usage below.

Useful in these situations

Internet----(eth0/wlan0)-Linux-(wlanX)AP
                                       |--client
                                       |--client
                                    Internet
WiFi AP(no DHCP)                        |
    |----(wlan1)-Linux-(eth0/wlan0)------
    |           (DHCP)
    |--client
    |--client
                                    Internet
 Switch                                 |
    |---(eth1)-Linux-(eth0/wlan0)--------
    |--client
    |--client
Internet----(eth0/wlan0)-Linux-(eth1)------Another PC
Internet----(eth0/wlan0)-Linux-(virtual interface)-----VM/container

Install

1-file script. Released on the Linux-router repo on Github. Download and run the bash script (after meeting the dependencies).

I'm currently not packaging for any distro. If you do, open a PR and add the link (optionally with a version badge) to the list here:

Linux distro    Install
Any             download the 1-file script and run it

Dependencies

  • bash
  • procps or procps-ng
  • iproute2
  • dnsmasq
  • iptables (or nftables with the iptables-nft translation linked)
  • WiFi hotspot dependencies
    • hostapd
    • iw
    • iwconfig (you only need this if 'iw' cannot recognize your adapter)
    • haveged (optional)

Usage

Provide Internet to an interface

sudo lnxrouter -i eth1

This works no matter which interface (other than eth1) you're getting Internet from.

Create WiFi hotspot

sudo lnxrouter --ap wlan0 MyAccessPoint -p MyPassPhrase

This works no matter which interface you're getting Internet from (even wlan0 itself). It will create the virtual interface x0wlan0 for the hotspot.

Provide an interface's Internet to another interface

Clients access the Internet only through isp5:

sudo lnxrouter -i eth1 -o isp5  --no-dns  --dhcp-dns 1.1.1.1  -6 --dhcp-dns6 [2606:4700:4700::1111]

For this kind of usage, it's recommended to:

  1. Stop serving local DNS
  2. Tell clients which DNS to use: ISP5's DNS (or a safe public DNS, as in the example above)

Also, read Notice 1.

Create LAN without providing Internet

sudo lnxrouter -n -i eth1
sudo lnxrouter -n --ap wlan0 MyAccessPoint -p MyPassPhrase

Read Notice 1.

Internet for LXC

Create a bridge:

sudo brctl addbr lxcbr5

In the LXC container config:

lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr5
lxc.network.hwaddr = xx:xx:xx:xx:xx:xx

Then run:

sudo lnxrouter -i lxcbr5

Transparent proxy

All clients' Internet traffic goes through, for example, Tor (note that this example is NOT an anonymity use case):

sudo lnxrouter -i eth1 --tp 9040 --dns 9053 -g 192.168.55.1 -6 --p6 fd00:5:6:7::

In torrc:

TransPort 192.168.55.1:9040 
DNSPort 192.168.55.1:9053
TransPort [fd00:5:6:7::1]:9040 
DNSPort [fd00:5:6:7::1]:9053

Warning: Tor's anonymity relies on a purpose-made browser. Using Tor like this (sharing Tor's network with LAN clients) will NOT ensure anonymity.

Although we use Tor as the example here, Linux-router does NOT ensure, nor does it aim at, anonymity.

Clients-in-sandbox network

To avoid giving our information to clients, while clients can still access the Internet:

sudo lnxrouter -i eth1 \
    --tp 9040 --dns 9053 \
    --random-mac \
    --ban-priv \
    --catch-dns --log-dns   # optional

Linux-router comes with no warranty. Use at your own risk.

Use as transparent proxy for LXD

Create a bridge:

sudo brctl addbr lxdbr5

Create and add a new LXD profile overriding the container's eth0:

lxc profile create profile5
lxc profile edit profile5

### profile content ###
config: {}
description: ""
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdbr5
    type: nic
name: profile5

lxc profile add <container> profile5
sudo lnxrouter -i lxdbr5 --tp 9040 --dns 9053

To remove that new profile from the container:

lxc profile remove <container> profile5

To not use a profile

Add a new eth0 to the container, overriding the default eth0:

lxc config device add <container> eth0 nic name=eth0 nictype=bridged parent=lxdbr5

To remove the customized eth0 and restore the default eth0:

lxc config device remove <container> eth0

Use as transparent proxy for VirtualBox

In VirtualBox's global settings, create a host-only network vboxnet5 with DHCP disabled.

sudo lnxrouter -i vboxnet5 --tp 9040 --dns 9053

Use as transparent proxy for firejail

Create a bridge:

sudo brctl addbr firejail5
sudo lnxrouter -i firejail5 -g 192.168.55.1 --tp 9040 --dns 9053 
firejail --net=firejail5 --dns=192.168.55.1 --blacklist=/var/run/nscd

Firejail's /etc/resolv.conf doesn't obtain DNS from DHCP, so we need to assign it.

nscd is the domain name cache service, which shouldn't be accessible from inside the jail here.

CLI usage and other features

Usage: lnxrouter <options>

Options:
    -h, --help              Show this help
    --version               Print version number

    -i <interface>          Interface to make NATed sub-network,
                            and to provide Internet to
                            (To create WiFi hotspot use '--ap' instead)
    -o <interface>          Specify an interface to provide Internet from.
                            (See Notice 1)
                            (Note using this with default DNS option may leak
                            queries to other interfaces)
    -n                      Do not provide Internet (See Notice 1)
    --ban-priv              Disallow clients to access my private network
    
    -g <ip>                 This host's IPv4 address in subnet (mask is /24)
                            (example: '192.168.5.1' or '5' shortly)
    -6                      Enable IPv6 (NAT)
    --no4                   Disable IPv4 Internet (not forwarding IPv4)
                            (See Notice 1). Usually used with '-6'
                            
    --p6 <prefix>           Set IPv6 LAN address prefix (length 64) 
                            (example: 'fd00:0:0:5::' or '5' shortly) 
                            Using this enables '-6'
                            
    --dns <ip>|<port>|<ip:port>
                            DNS server's upstream DNS.
                            Use ',' to separate multiple servers
                            (default: use /etc/resolv.conf)
                            (Note IPv6 addresses need '[]' around)
    --no-dns                Do not serve DNS
    --no-dnsmasq            Disable dnsmasq server (DHCP, DNS, RA)
    --catch-dns             Transparent DNS proxy, redirect packets(TCP/UDP) 
                            whose destination port is 53 to this host
    --log-dns               Show DNS query log (dnsmasq)
    --dhcp-dns <IP1[,IP2]>|no
                            Set IPv4 DNS offered by DHCP (default: this host).
    --dhcp-dns6 <IP1[,IP2]>|no
                            Set IPv6 DNS offered by DHCP (RA) 
                            (default: this host)
                            (Note IPv6 addresses need '[]' around)
                            Using both above two will enable '--no-dns' 
    --hostname <name>       DNS server associate this name with this host.
                            Use '-' to read name from /etc/hostname
    -d                      DNS server will take into account /etc/hosts
    -e <hosts_file>         DNS server will take into account additional 
                            hosts file
    --dns-nocache           DNS server no cache
    
    --mac <MAC>             Set MAC address
    --random-mac            Use random MAC address
 
    --tp <port>             Transparent proxy,
                            redirect non-LAN TCP and UDP(not tested) traffic to
                            port. (usually used with '--dns')
    
  WiFi hotspot options:
    --ap <wifi interface> <SSID>
                            Create WiFi access point
    -p, --password <password>   
                            WiFi password
    --qr                    Show WiFi QR code in terminal (need qrencode)
    
    --hidden                Hide access point (not broadcast SSID)
    --no-virt               Do not create virtual interface
                            Using this you can't use same wlan interface
                            for both Internet and AP
    --virt-name <name>      Set name of virtual interface
    -c <channel>            Channel number (default: 1)
    --country <code>        Set two-letter country code for regulatory domain
                            (example: US)
    --freq-band <GHz>       Set frequency band: 2.4 or 5 (default: 2.4)
    --driver                Choose your WiFi adapter driver (default: nl80211)
    -w <WPA version>        '2' for WPA2, '1' for WPA, '1+2' for both
                            (default: 2)
    --psk                   Use 64 hex digits pre-shared-key instead of
                            passphrase
    --mac-filter            Enable WiFi hotspot MAC address filtering
    --mac-filter-accept     Location of WiFi hotspot MAC address filter list
                            (defaults to /etc/hostapd/hostapd.accept)
    --hostapd-debug <level> 1 or 2. Passes -d or -dd to hostapd
    --isolate-clients       Disable wifi communication between clients
    
    --ieee80211n            Enable IEEE 802.11n (HT)
    --ieee80211ac           Enable IEEE 802.11ac (VHT)
    --ht_capab <HT>         HT capabilities (default: [HT40+])
    --vht_capab <VHT>       VHT capabilities
    
    --no-haveged            Do not run haveged automatically when needed

  Instance managing:
    --daemon                Run in background
    -l, --list-running      Show running instances
    --lc, --list-clients <id|interface>     
                            List clients of an instance. Or list neighbors of
                            an interface, even if it isn't handled by us.
                            (passive mode)
    --stop <id>             Stop a running instance
        For <id> you can use PID or subnet interface name.
        You can get them with '--list-running'

Notice

    Notice 1:   This script assumes your host's default policy won't forward
                packets, so the script won't explicitly ban forwarding in any
                mode. In some unexpected cases (e.g. mistaken configurations)
                this may cause unwanted packet leakage between 2 networks, which
                you should be aware of if you want an isolated network.

What changes are done to Linux system

On exit of a linux-router instance, the script will do cleanup, i.e. undo most changes to the system. However, some changes (if they were needed) will not be undone, namely:

  1. /proc/sys/net/ipv4/ip_forward = 1 and /proc/sys/net/ipv6/conf/all/forwarding = 1
  2. dnsmasq in Apparmor complain mode
  3. hostapd in Apparmor complain mode
  4. Kernel module nf_nat_pptp loaded
  5. The wifi device used to create the hotspot is rfkill-unblocked
  6. WiFi country code, if the user assigned one
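Because items 1 to 4 above persist after lnxrouter exits, it is worth auditing the host afterwards. The following is an added example (not part of Linux-router) that reports those leftovers; the optional ROOT argument is a prefix for the /proc and /sys paths so the check can be exercised on a constructed tree, and the rfkill and country-code items are left out because they need iw/rfkill tooling rather than files.

```shell
#!/bin/sh
# audit_leftovers [ROOT]: report the changes this page says an lnxrouter
# instance does NOT undo on exit (forwarding sysctls, nf_nat_pptp, AppArmor
# complain mode). ROOT is prefixed to the /proc and /sys paths so the function
# can be run against a constructed tree; omit it to inspect the live host.
audit_leftovers() {
    root=${1:-}
    found=0
    # 1. IPv4/IPv6 forwarding left enabled. This is host-wide: the kernel will
    #    forward between any interfaces the firewall policy allows.
    for f in proc/sys/net/ipv4/ip_forward proc/sys/net/ipv6/conf/all/forwarding; do
        if [ -r "$root/$f" ] && [ "$(cat "$root/$f")" = 1 ]; then
            echo "FORWARDING: /$f = 1"
            found=$((found + 1))
        fi
    done
    # 4. The nf_nat_pptp NAT helper module is still loaded.
    if [ -r "$root/proc/modules" ] && grep -q '^nf_nat_pptp ' "$root/proc/modules"; then
        echo "MODULE: nf_nat_pptp is loaded"
        found=$((found + 1))
    fi
    # 2./3. dnsmasq or hostapd left in AppArmor complain mode. The profiles
    #       file lists one "<profile> (<mode>)" per line, as aa-status reads it.
    profiles=$root/sys/kernel/security/apparmor/profiles
    if [ -r "$profiles" ]; then
        for p in dnsmasq hostapd; do
            if grep -E "/$p \(complain\)" "$profiles" >/dev/null; then
                echo "APPARMOR: $p profile is in complain mode"
                found=$((found + 1))
            fi
        done
    fi
    return "$found"   # number of leftovers found (0 = clean)
}
```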

Meet contributor(s) and become one of them

Visit my homepage to see more tools and projects.

Buy me a coffee, this project took me lots of time! (Scan the QR code to get a red packet and leave a tip!)

Besides, thanks to create_ap by oblique. This script was forked from create_ap; now they are quite different (see the history branch for how I modified create_ap). Also thanks to those who contributed to that project.

You can be a contributor, too!

TODO

Sooner is better:

  • Detect firewalld and make sure it won't interfere with our interface

Future:

  • WPA3
  • Global IPv6
  • Explicitly ban forwarding if not needed
  • Bring the bridging method back

License

linux-router is LGPL licensed

linux-router
Copyright (C) 2018  garywill

This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA

Upstream create_ap was BSD licensed

Copyright (c) 2013, oblique
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.