| author | Ruben Pollan <meskio@sindominio.net> | 2018-01-09 20:49:17 +0100 |
|---|---|---|
| committer | Ruben Pollan <meskio@sindominio.net> | 2018-01-09 22:10:53 +0100 |
| commit | 799f16d85e569755dc7284a4f3d44878b4116d47 (patch) | |
| tree | b9c626cb01d775152cad4c5e610e3b07df6f3aca | |
| parent | 45947832d5b5918bfbfefc64f20fa4d93ad6c7a1 (diff) | |
[bug] fix issues with DNS resolution with systemd-resolved

In Ubuntu 17.10, some changes with systemd-resolved broke our firewall,
blocking all DNS queries. The masquerade rules in the firewall, which
are used to rewrite the source IP address of the DNS queries, were
wrongly modifying the queries to systemd-resolved.

Let's apply masquerade only to the packets addressed to the nameserver.
- Resolves: #9137
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | docs/changelog.rst | 1 |
| -rwxr-xr-x | src/leap/bitmask/vpn/helpers/linux/bitmask-root | 7 |

2 files changed, 6 insertions, 2 deletions
diff --git a/docs/changelog.rst b/docs/changelog.rst index 60f756f8..6fd052a8 100644 --- a/docs/changelog.rst +++ b/docs/changelog.rst @@ -19,6 +19,7 @@ Bugfixes - `#9191 <https://0xacab.org/leap/bitmask-dev/issues/9191>`_: workaround for missing libs needed for qtwebengine. - `#9171 <https://0xacab.org/leap/bitmask-dev/issues/9171>`_: fix a bug in bootstrap that avoided more than one user to login. - `#9165 <https://0xacab.org/leap/bitmask-dev/issues/9165>`_: deprecate pyqt5-webkit, use qtwebengine instead. +- `#9137 <https://0xacab.org/leap/bitmask-dev/issues/9137>`_: fix issues with dns resolution with systemd-resolved (mostly ubuntu 17.10). Misc ~~~~ diff --git a/src/leap/bitmask/vpn/helpers/linux/bitmask-root b/src/leap/bitmask/vpn/helpers/linux/bitmask-root index 9be9a61a..ee838164 100755 --- a/src/leap/bitmask/vpn/helpers/linux/bitmask-root +++ b/src/leap/bitmask/vpn/helpers/linux/bitmask-root @@ -628,7 +628,7 @@ def firewall_start(args): enable_ip_forwarding() # allow dns to localhost ip4tables("-t", "nat", "--append", BITMASK_CHAIN, "--protocol", "udp", - "--dest", "127.0.1.1,127.0.0.1", "--dport", "53", + "--dest", "127.0.1.1,127.0.0.1,127.0.0.53", "--dport", "53", "--jump", "ACCEPT") # rewrite all outgoing packets to use VPN DNS server # (DNS does sometimes use TCP!) 
@@ -637,10 +637,13 @@ def firewall_start(args): ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_OUT, "-p", "tcp", "--dport", "53", "--jump", "DNAT", "--to", NAMESERVER+":53") # enable masquerading, so that DNS packets rewritten by DNAT will - # have the correct source IPs + # have the correct source IPs. Apply masquerade only to the NAMESERVER, + # we don't want to apply it to the localhost dns resolver. ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_POST, + "--dest", NAMESERVER, "--protocol", "udp", "--dport", "53", "--jump", "MASQUERADE") ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_POST, + "--dest", NAMESERVER, "--protocol", "tcp", "--dport", "53", "--jump", "MASQUERADE") # allow local network traffic |
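Review bot: In the first bitmask-root hunk (the `--dest "127.0.1.1,127.0.0.1,127.0.0.53"` ACCEPT rule), the new address is a bare literal with nothing saying why it is there; a short comment such as `# 127.0.0.53 is the systemd-resolved stub listener` next to the existing `# allow dns to localhost` line would spare the next reader a trip to the issue tracker, and pulling the three loopback addresses into a named constant beside `NAMESERVER` would keep this list and any future rule that needs it in sync. It is also worth a sentence in the commit message or comment that the stub resolver's own upstream queries still fall through to the DNAT rules below, since that is what keeps resolution going over the VPN after this ACCEPT is added.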
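Review bot: In the second bitmask-root hunk, the added comment `# have the correct source IPs. Apply masquerade only to the NAMESERVER,` / `# we don't want to apply it to the localhost dns resolver.` is a comma splice; split it ("... only to the NAMESERVER; we don't want ...") or make the second part its own sentence. On the logic, keying both MASQUERADE rules on `"--dest", NAMESERVER` is correct for the DNATed packets, because after the DNAT rules above rewrite them their destination is `NAMESERVER`, so they still match here while queries to the loopback resolver no longer do; a one-line comment stating that ordering dependency (DNAT first, then destination-restricted MASQUERADE) would make the fix easier to reason about the next time these rules change.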