[bug] fix issues with dns resolution with systemd-resolved

In ubuntu 17.10 some changes with systemd-resolved broke our firewall,
blocking all DNS queries. The masquerade rules in the firewall, that
are used to rewrite the source IP address of the DNS queries, were
wrongly modifying the queries to systemd-resolved.

Let's apply masquerade only to the packets addressed to the nameserver.

- Resolves: #9137

1 files changed, 5 insertions, 2 deletions

diff --git a/src/leap/bitmask/vpn/helpers/linux/bitmask-root b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
index 9be9a61a..ee838164 100755
--- a/src/leap/bitmask/vpn/helpers/linux/bitmask-root
+++ b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
@@ -628,7 +628,7 @@ def firewall_start(args):
     enable_ip_forwarding()
     # allow dns to localhost
     ip4tables("-t", "nat", "--append", BITMASK_CHAIN, "--protocol", "udp",
-              "--dest", "127.0.1.1,127.0.0.1", "--dport", "53",
+              "--dest", "127.0.1.1,127.0.0.1,127.0.0.53", "--dport", "53",
               "--jump", "ACCEPT")
     # rewrite all outgoing packets to use VPN DNS server
     # (DNS does sometimes use TCP!)
@@ -637,10 +637,13 @@ def firewall_start(args):
     ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_OUT, "-p", "tcp",
               "--dport", "53", "--jump", "DNAT", "--to", NAMESERVER+":53")
     # enable masquerading, so that DNS packets rewritten by DNAT will
-    # have the correct source IPs
+    # have the correct source IPs. Apply masquerade only to the NAMESERVER,
+    # we don't want to apply it to the localhost dns resolver.
     ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_POST,
+              "--dest", NAMESERVER,
               "--protocol", "udp", "--dport", "53", "--jump", "MASQUERADE")
     ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_POST,
+              "--dest", NAMESERVER,
               "--protocol", "tcp", "--dport", "53", "--jump", "MASQUERADE")
 
     # allow local network traffic