diff options
author | Kali Kaneko <kali@leap.se> | 2017-12-21 23:27:23 +0100 |
---|---|---|
committer | Kali Kaneko <kali@leap.se> | 2017-12-21 23:27:23 +0100 |
commit | ed88df3d8ddc80d6ef1914c93e429d3e1e1f152a (patch) | |
tree | d4ad1e440142e10b12eb0876a245981182a27b43 /src/leap/bitmask | |
parent | 41f05cc921e381c0b4f2384395b5b9d42a1a1cad (diff) |
[bug] temporarily revert dnsmasq firewall fix
It has been reported that, after this fix, dns leaks happen under some
circumstances not yet clear. Preparing for a release, we have decided to
revert this change until the problem can be properly triaged.
This means a broken vpn aartful support for the time being, but a
non-leaking master.
https://0xacab.org/leap/bitmask-dev/issues/9137
- Related: #9137
Diffstat (limited to 'src/leap/bitmask')
-rwxr-xr-x | src/leap/bitmask/vpn/helpers/linux/bitmask-root | 48 |
1 files changed, 44 insertions, 4 deletions
diff --git a/src/leap/bitmask/vpn/helpers/linux/bitmask-root b/src/leap/bitmask/vpn/helpers/linux/bitmask-root index 6b97cd5a..21cfe56f 100755 --- a/src/leap/bitmask/vpn/helpers/linux/bitmask-root +++ b/src/leap/bitmask/vpn/helpers/linux/bitmask-root @@ -1,7 +1,7 @@ #!/usr/bin/python2.7 # -*- coding: utf-8 -*- # -# Copyright (C) 2014-2017 LEAP +# Copyright (C) 2014 LEAP # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -73,11 +73,12 @@ def get_no_group_name(): return None -VERSION = "8" +VERSION = "7" SCRIPT = "bitmask-root" NAMESERVER = "10.42.0.1" BITMASK_CHAIN = "bitmask" BITMASK_CHAIN_NAT_OUT = "bitmask" +BITMASK_CHAIN_NAT_POST = "bitmask_postrouting" BITMASK_CHAIN_EMAIL = "bitmask_email" BITMASK_CHAIN_EMAIL_OUT = "bitmask_email_output" LOCAL_INTERFACE = "lo" @@ -605,18 +606,22 @@ def firewall_start(args): ip4tables("--new-chain", BITMASK_CHAIN) if not ipv4_chain_exists(BITMASK_CHAIN_NAT_OUT, 'nat'): ip4tables("--table", "nat", "--new-chain", BITMASK_CHAIN_NAT_OUT) + if not ipv4_chain_exists(BITMASK_CHAIN_NAT_POST, 'nat'): + ip4tables("--table", "nat", "--new-chain", BITMASK_CHAIN_NAT_POST) if not ipv6_chain_exists(BITMASK_CHAIN): ip6tables("--new-chain", BITMASK_CHAIN) ip4tables("--table", "nat", "--insert", "OUTPUT", "--jump", BITMASK_CHAIN_NAT_OUT) + ip4tables("--table", "nat", "--insert", "POSTROUTING", + "--jump", BITMASK_CHAIN_NAT_POST) iptables("--insert", "OUTPUT", "--jump", BITMASK_CHAIN) # route all ipv4 DNS over VPN # (note: NAT does not work with ipv6 until kernel 3.7) enable_ip_forwarding() - # allow dns to localhost (for dnsmasq and systemd-resolve) + # allow dns to localhost ip4tables("-t", "nat", "--append", BITMASK_CHAIN, "--protocol", "udp", - "--dest", "127.0.1.1,127.0.0.1,127.0.0.53", "--dport", "53", + "--dest", "127.0.1.1,127.0.0.1", "--dport", "53", "--jump", "ACCEPT") # rewrite all outgoing packets to use VPN DNS server # (DNS does sometimes use TCP!) @@ -624,6 +629,12 @@ def firewall_start(args): "--dport", "53", "--jump", "DNAT", "--to", NAMESERVER+":53") ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_OUT, "-p", "tcp", "--dport", "53", "--jump", "DNAT", "--to", NAMESERVER+":53") + # enable masquerading, so that DNS packets rewritten by DNAT will + # have the correct source IPs + ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_POST, + "--protocol", "udp", "--dport", "53", "--jump", "MASQUERADE") + ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_POST, + "--protocol", "tcp", "--dport", "53", "--jump", "MASQUERADE") # allow local network traffic if local_network_ipv4: @@ -631,6 +642,15 @@ def firewall_start(args): ip4tables("--append", BITMASK_CHAIN, "--destination", local_network_ipv4, "-o", default_device, "--jump", "ACCEPT") + # allow local network sources for DNS + # (required to allow local network DNS that gets rewritten by NAT + # to get passed through so that MASQUERADE can set correct source IP) + ip4tables("--append", BITMASK_CHAIN, + "--source", local_network_ipv4, "-o", default_device, + "-p", "udp", "--dport", "53", "--jump", "ACCEPT") + ip4tables("--append", BITMASK_CHAIN, + "--source", local_network_ipv4, "-o", default_device, + "-p", "tcp", "--dport", "53", "--jump", "ACCEPT") # allow multicast Simple Service Discovery Protocol ip4tables("--append", BITMASK_CHAIN, "--protocol", "udp", @@ -707,6 +727,15 @@ def firewall_stop(): "in 'nat' table (maybe it is already removed?)", exc) ok = False + # -t nat -D POSTROUTING -j bitmask_postrouting + try: + ip4tables("-t", "nat", "--delete", "POSTROUTING", + "--jump", BITMASK_CHAIN_NAT_POST, throw=True) + except subprocess.CalledProcessError as exc: + debug("INFO: not able to remove bitmask firewall from POSTROUTING " + "chain in 'nat' table (maybe it is already removed?)", exc) + ok = False + # -t filter --delete-chain bitmask try: ip4tables("--flush", BITMASK_CHAIN, throw=True) @@ -726,6 +755,16 @@ def firewall_stop(): "chain in 'nat' table (maybe it is already destroyed?)", exc) ok = False + # -t nat --delete-chain bitmask_postrouting + try: + ip4tables("-t", "nat", "--flush", BITMASK_CHAIN_NAT_POST, throw=True) + ip4tables("-t", "nat", "--delete-chain", + BITMASK_CHAIN_NAT_POST, throw=True) + except subprocess.CalledProcessError as exc: + debug("INFO: not able to flush and delete bitmask ipv4 firewall " + "chain in 'nat' table (maybe it is already destroyed?)", exc) + ok = False + # -t filter --delete-chain bitmask (ipv6) try: ip6tables("--flush", BITMASK_CHAIN, throw=True) @@ -932,6 +971,7 @@ def main(): else: bail("ERROR: No such command") + if __name__ == "__main__": debug(" ".join(sys.argv)) main() |