[bug] temporarily revert dnsmasq firewall fix

It has been reported that, after this fix, dns leaks happen under some
circumstances not yet clear. Preparing for a release, we have decided to
revert this change until the problem can be properly triaged.

This means a broken vpn aartful support for the time being, but a
 non-leaking master.

https://0xacab.org/leap/bitmask-dev/issues/9137

- Related: #9137

1 files changed, 44 insertions, 4 deletions

diff --git a/src/leap/bitmask/vpn/helpers/linux/bitmask-root b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
index 6b97cd5a..21cfe56f 100755
--- a/src/leap/bitmask/vpn/helpers/linux/bitmask-root
+++ b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
@@ -1,7 +1,7 @@
 #!/usr/bin/python2.7
 # -*- coding: utf-8 -*-
 #
-# Copyright (C) 2014-2017 LEAP
+# Copyright (C) 2014 LEAP
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -73,11 +73,12 @@ def get_no_group_name():
             return None
 
 
-VERSION = "8"
+VERSION = "7"
 SCRIPT = "bitmask-root"
 NAMESERVER = "10.42.0.1"
 BITMASK_CHAIN = "bitmask"
 BITMASK_CHAIN_NAT_OUT = "bitmask"
+BITMASK_CHAIN_NAT_POST = "bitmask_postrouting"
 BITMASK_CHAIN_EMAIL = "bitmask_email"
 BITMASK_CHAIN_EMAIL_OUT = "bitmask_email_output"
 LOCAL_INTERFACE = "lo"
@@ -605,18 +606,22 @@ def firewall_start(args):
         ip4tables("--new-chain", BITMASK_CHAIN)
     if not ipv4_chain_exists(BITMASK_CHAIN_NAT_OUT, 'nat'):
         ip4tables("--table", "nat", "--new-chain", BITMASK_CHAIN_NAT_OUT)
+    if not ipv4_chain_exists(BITMASK_CHAIN_NAT_POST, 'nat'):
+        ip4tables("--table", "nat", "--new-chain", BITMASK_CHAIN_NAT_POST)
     if not ipv6_chain_exists(BITMASK_CHAIN):
         ip6tables("--new-chain", BITMASK_CHAIN)
     ip4tables("--table", "nat", "--insert", "OUTPUT",
               "--jump", BITMASK_CHAIN_NAT_OUT)
+    ip4tables("--table", "nat", "--insert", "POSTROUTING",
+              "--jump", BITMASK_CHAIN_NAT_POST)
     iptables("--insert", "OUTPUT", "--jump", BITMASK_CHAIN)
 
     # route all ipv4 DNS over VPN
     # (note: NAT does not work with ipv6 until kernel 3.7)
     enable_ip_forwarding()
-    # allow dns to localhost (for dnsmasq and systemd-resolve)
+    # allow dns to localhost
     ip4tables("-t", "nat", "--append", BITMASK_CHAIN, "--protocol", "udp",
-              "--dest", "127.0.1.1,127.0.0.1,127.0.0.53", "--dport", "53",
+              "--dest", "127.0.1.1,127.0.0.1", "--dport", "53",
               "--jump", "ACCEPT")
     # rewrite all outgoing packets to use VPN DNS server
     # (DNS does sometimes use TCP!)
@@ -624,6 +629,12 @@ def firewall_start(args):
               "--dport", "53", "--jump", "DNAT", "--to", NAMESERVER+":53")
     ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_OUT, "-p", "tcp",
               "--dport", "53", "--jump", "DNAT", "--to", NAMESERVER+":53")
+    # enable masquerading, so that DNS packets rewritten by DNAT will
+    # have the correct source IPs
+    ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_POST,
+              "--protocol", "udp", "--dport", "53", "--jump", "MASQUERADE")
+    ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_POST,
+              "--protocol", "tcp", "--dport", "53", "--jump", "MASQUERADE")
 
     # allow local network traffic
     if local_network_ipv4:
@@ -631,6 +642,15 @@ def firewall_start(args):
         ip4tables("--append", BITMASK_CHAIN,
                   "--destination", local_network_ipv4, "-o", default_device,
                   "--jump", "ACCEPT")
+        # allow local network sources for DNS
+        # (required to allow local network DNS that gets rewritten by NAT
+        #  to get passed through so that MASQUERADE can set correct source IP)
+        ip4tables("--append", BITMASK_CHAIN,
+                  "--source", local_network_ipv4, "-o", default_device,
+                  "-p", "udp", "--dport", "53", "--jump", "ACCEPT")
+        ip4tables("--append", BITMASK_CHAIN,
+                  "--source", local_network_ipv4, "-o", default_device,
+                  "-p", "tcp", "--dport", "53", "--jump", "ACCEPT")
         # allow multicast Simple Service Discovery Protocol
         ip4tables("--append", BITMASK_CHAIN,
                   "--protocol", "udp",
@@ -707,6 +727,15 @@ def firewall_stop():
               "in 'nat' table (maybe it is already removed?)", exc)
         ok = False
 
+    # -t nat -D POSTROUTING -j bitmask_postrouting
+    try:
+        ip4tables("-t", "nat", "--delete", "POSTROUTING",
+                  "--jump", BITMASK_CHAIN_NAT_POST, throw=True)
+    except subprocess.CalledProcessError as exc:
+        debug("INFO: not able to remove bitmask firewall from POSTROUTING "
+              "chain in 'nat' table (maybe it is already removed?)", exc)
+        ok = False
+
     # -t filter --delete-chain bitmask
     try:
         ip4tables("--flush", BITMASK_CHAIN, throw=True)
@@ -726,6 +755,16 @@ def firewall_stop():
               "chain in 'nat' table (maybe it is already destroyed?)", exc)
         ok = False
 
+    # -t nat --delete-chain bitmask_postrouting
+    try:
+        ip4tables("-t", "nat", "--flush", BITMASK_CHAIN_NAT_POST, throw=True)
+        ip4tables("-t", "nat", "--delete-chain",
+                  BITMASK_CHAIN_NAT_POST, throw=True)
+    except subprocess.CalledProcessError as exc:
+        debug("INFO: not able to flush and delete bitmask ipv4 firewall "
+              "chain in 'nat' table (maybe it is already destroyed?)", exc)
+        ok = False
+
     # -t filter --delete-chain bitmask (ipv6)
     try:
         ip6tables("--flush", BITMASK_CHAIN, throw=True)
@@ -932,6 +971,7 @@ def main():
     else:
         bail("ERROR: No such command")
 
+
 if __name__ == "__main__":
     debug(" ".join(sys.argv))
     main()