105 lines
3.1 KiB
Bash
Executable File
105 lines
3.1 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
SOURCE=${BASH_SOURCE[0]}
|
|
while [ -L "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
|
|
DIR=$(cd -P "$(dirname "$SOURCE")" >/dev/null 2>&1 && pwd)
|
|
SOURCE=$(readlink "$SOURCE")
|
|
[[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
|
|
done
|
|
DIR=$(cd -P "$(dirname "$SOURCE")" >/dev/null 2>&1 && pwd)
|
|
|
|
if [[ -f "$DIR/../../config/nat-config.sh" ]]; then
|
|
. "$DIR/../../config/nat-config.sh"
|
|
else
|
|
echo "$DIR/../../config/nat-config.sh missing!"
|
|
exit 1
|
|
fi
|
|
|
|
if [ "$(id -u)" -ne 0 ]; then
|
|
echo 'This script must be run as root.' >&2
|
|
exit 1
|
|
fi
|
|
|
|
. "$DIR/get-dhcp-dns.sh"
|
|
|
|
# ==============================================================================
|
|
|
|
PRIVATE_LAN_IP="192.168.2.1"
|
|
BRIDGED_CLIENT_IP="192.168.2.2"
|
|
|
|
# Configure the wired interface with the bridge IP address
|
|
ifconfig $ETH_IFACE $PRIVATE_LAN_IP netmask 255.255.255.0 up
|
|
|
|
# Mirror the DNS servers to the private LAN
|
|
DHCP_DNS=($(get_dns_servers "$WLAN_IFACE"))
|
|
if [ -n "$DHCP_DNS" ]; then
|
|
dns_servers_config=""
|
|
for server in "${DHCP_DNS[@]}"; do
|
|
dns_servers_config+="server=$server"$'\n'
|
|
done
|
|
|
|
dhcp_opt_6_config="dhcp-option=6"
|
|
for server in "${DHCP_DNS[@]}"; do
|
|
dhcp_opt_6_config+=",$server"
|
|
done
|
|
echo "Mirrored WLAN DHCP DNS servers: ${DHCP_DNS[*]}"
|
|
else
|
|
dns_servers_config="""server=1.1.1.1
|
|
server=1.0.0.1"""
|
|
dhcp_opt_6_config=""
|
|
fi
|
|
|
|
# Also mirror DNS domain
|
|
DHCP_DNS_DOMAIN=$(get_dns_domain $WLAN_IFACE)
|
|
if [ -n "$DHCP_DNS_DOMAIN" ]; then
|
|
dns_domain_config="domain=$DHCP_DNS_DOMAIN"
|
|
echo "Mirrored WLAN DHCP DNS domain: $DHCP_DNS_DOMAIN"
|
|
else
|
|
dns_domain_config=""
|
|
fi
|
|
|
|
cat >/etc/dnsmasq.conf <<EOL
|
|
interface=$ETH_IFACE
|
|
domain-needed
|
|
bogus-priv
|
|
no-resolv
|
|
$dns_servers_config
|
|
$dhcp_opt_6_config
|
|
$dns_domain_config
|
|
listen-address=::1,127.0.0.1,$PRIVATE_LAN_IP
|
|
expand-hosts
|
|
dhcp-range=$PRIVATE_LAN_IP,$BRIDGED_CLIENT_IP,12h
|
|
dhcp-option=option:router,$PRIVATE_LAN_IP
|
|
dhcp-authoritative
|
|
dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases
|
|
EOL
|
|
echo "Wrote to /etc/dnsmasq.conf"
|
|
|
|
# Configure NAT to forward traffic between the private LAN and the WLAN
|
|
iptables -X
|
|
iptables -F
|
|
iptables -t nat -X
|
|
iptables -t nat -F
|
|
echo "Reset iptables."
|
|
|
|
# Route/forward traffic between nets
|
|
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
|
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
|
iptables -t nat -I POSTROUTING -o $WLAN_IFACE -j MASQUERADE
|
|
echo "Created iptables to route traffic between nets."
|
|
|
|
# Exclude the SSH port from forwarding so we can still administer the router
|
|
iptables -t nat -A PREROUTING -i $WLAN_IFACE -p tcp --dport $ROUTER_SSH_PORT -j RETURN
|
|
# Forward all other ports to the single wired device
|
|
iptables -t nat -A PREROUTING -i $WLAN_IFACE -j DNAT --to-destination $BRIDGED_CLIENT_IP
|
|
iptables -t nat -A POSTROUTING -o $ETH_IFACE -j MASQUERADE
|
|
echo "Redirected the router's ports to the single bridged client."
|
|
|
|
echo -en "\nRestarting dnsmasq..."
|
|
systemctl stop systemd-resolved
|
|
# systemctl enable --now dnsmasq
|
|
systemctl restart dnsmasq
|
|
echo -e "\n"
|
|
sleep 5
|
|
systemctl status --no-pager dnsmasq
|