summaryrefslogtreecommitdiff
path: root/src/leap/bitmask
diff options
context:
space:
mode:
authorKali Kaneko <kali@leap.se>2017-12-21 23:27:23 +0100
committerKali Kaneko <kali@leap.se>2017-12-21 23:27:23 +0100
commited88df3d8ddc80d6ef1914c93e429d3e1e1f152a (patch)
treed4ad1e440142e10b12eb0876a245981182a27b43 /src/leap/bitmask
parent41f05cc921e381c0b4f2384395b5b9d42a1a1cad (diff)
[bug] temporarily revert dnsmasq firewall fix
It has been reported that, after this fix, dns leaks happen under some circumstances not yet clear. Preparing for a release, we have decided to revert this change until the problem can be properly triaged. This means a broken vpn aartful support for the time being, but a non-leaking master. https://0xacab.org/leap/bitmask-dev/issues/9137 - Related: #9137
Diffstat (limited to 'src/leap/bitmask')
-rwxr-xr-xsrc/leap/bitmask/vpn/helpers/linux/bitmask-root48
1 files changed, 44 insertions, 4 deletions
diff --git a/src/leap/bitmask/vpn/helpers/linux/bitmask-root b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
index 6b97cd5a..21cfe56f 100755
--- a/src/leap/bitmask/vpn/helpers/linux/bitmask-root
+++ b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
@@ -1,7 +1,7 @@
#!/usr/bin/python2.7
# -*- coding: utf-8 -*-
#
-# Copyright (C) 2014-2017 LEAP
+# Copyright (C) 2014 LEAP
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -73,11 +73,12 @@ def get_no_group_name():
return None
-VERSION = "8"
+VERSION = "7"
SCRIPT = "bitmask-root"
NAMESERVER = "10.42.0.1"
BITMASK_CHAIN = "bitmask"
BITMASK_CHAIN_NAT_OUT = "bitmask"
+BITMASK_CHAIN_NAT_POST = "bitmask_postrouting"
BITMASK_CHAIN_EMAIL = "bitmask_email"
BITMASK_CHAIN_EMAIL_OUT = "bitmask_email_output"
LOCAL_INTERFACE = "lo"
@@ -605,18 +606,22 @@ def firewall_start(args):
ip4tables("--new-chain", BITMASK_CHAIN)
if not ipv4_chain_exists(BITMASK_CHAIN_NAT_OUT, 'nat'):
ip4tables("--table", "nat", "--new-chain", BITMASK_CHAIN_NAT_OUT)
+ if not ipv4_chain_exists(BITMASK_CHAIN_NAT_POST, 'nat'):
+ ip4tables("--table", "nat", "--new-chain", BITMASK_CHAIN_NAT_POST)
if not ipv6_chain_exists(BITMASK_CHAIN):
ip6tables("--new-chain", BITMASK_CHAIN)
ip4tables("--table", "nat", "--insert", "OUTPUT",
"--jump", BITMASK_CHAIN_NAT_OUT)
+ ip4tables("--table", "nat", "--insert", "POSTROUTING",
+ "--jump", BITMASK_CHAIN_NAT_POST)
iptables("--insert", "OUTPUT", "--jump", BITMASK_CHAIN)
# route all ipv4 DNS over VPN
# (note: NAT does not work with ipv6 until kernel 3.7)
enable_ip_forwarding()
- # allow dns to localhost (for dnsmasq and systemd-resolve)
+ # allow dns to localhost
ip4tables("-t", "nat", "--append", BITMASK_CHAIN, "--protocol", "udp",
- "--dest", "127.0.1.1,127.0.0.1,127.0.0.53", "--dport", "53",
+ "--dest", "127.0.1.1,127.0.0.1", "--dport", "53",
"--jump", "ACCEPT")
# rewrite all outgoing packets to use VPN DNS server
# (DNS does sometimes use TCP!)
@@ -624,6 +629,12 @@ def firewall_start(args):
"--dport", "53", "--jump", "DNAT", "--to", NAMESERVER+":53")
ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_OUT, "-p", "tcp",
"--dport", "53", "--jump", "DNAT", "--to", NAMESERVER+":53")
+ # enable masquerading, so that DNS packets rewritten by DNAT will
+ # have the correct source IPs
+ ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_POST,
+ "--protocol", "udp", "--dport", "53", "--jump", "MASQUERADE")
+ ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_POST,
+ "--protocol", "tcp", "--dport", "53", "--jump", "MASQUERADE")
# allow local network traffic
if local_network_ipv4:
@@ -631,6 +642,15 @@ def firewall_start(args):
ip4tables("--append", BITMASK_CHAIN,
"--destination", local_network_ipv4, "-o", default_device,
"--jump", "ACCEPT")
+ # allow local network sources for DNS
+ # (required to allow local network DNS that gets rewritten by NAT
+ # to get passed through so that MASQUERADE can set correct source IP)
+ ip4tables("--append", BITMASK_CHAIN,
+ "--source", local_network_ipv4, "-o", default_device,
+ "-p", "udp", "--dport", "53", "--jump", "ACCEPT")
+ ip4tables("--append", BITMASK_CHAIN,
+ "--source", local_network_ipv4, "-o", default_device,
+ "-p", "tcp", "--dport", "53", "--jump", "ACCEPT")
# allow multicast Simple Service Discovery Protocol
ip4tables("--append", BITMASK_CHAIN,
"--protocol", "udp",
@@ -707,6 +727,15 @@ def firewall_stop():
"in 'nat' table (maybe it is already removed?)", exc)
ok = False
+ # -t nat -D POSTROUTING -j bitmask_postrouting
+ try:
+ ip4tables("-t", "nat", "--delete", "POSTROUTING",
+ "--jump", BITMASK_CHAIN_NAT_POST, throw=True)
+ except subprocess.CalledProcessError as exc:
+ debug("INFO: not able to remove bitmask firewall from POSTROUTING "
+ "chain in 'nat' table (maybe it is already removed?)", exc)
+ ok = False
+
# -t filter --delete-chain bitmask
try:
ip4tables("--flush", BITMASK_CHAIN, throw=True)
@@ -726,6 +755,16 @@ def firewall_stop():
"chain in 'nat' table (maybe it is already destroyed?)", exc)
ok = False
+ # -t nat --delete-chain bitmask_postrouting
+ try:
+ ip4tables("-t", "nat", "--flush", BITMASK_CHAIN_NAT_POST, throw=True)
+ ip4tables("-t", "nat", "--delete-chain",
+ BITMASK_CHAIN_NAT_POST, throw=True)
+ except subprocess.CalledProcessError as exc:
+ debug("INFO: not able to flush and delete bitmask ipv4 firewall "
+ "chain in 'nat' table (maybe it is already destroyed?)", exc)
+ ok = False
+
# -t filter --delete-chain bitmask (ipv6)
try:
ip6tables("--flush", BITMASK_CHAIN, throw=True)
@@ -932,6 +971,7 @@ def main():
else:
bail("ERROR: No such command")
+
if __name__ == "__main__":
debug(" ".join(sys.argv))
main()