diff options
author | Christopher Laprise <tasket@protonmail.com> | 2017-12-30 15:36:49 -0500 |
---|---|---|
committer | Ruben Pollan <meskio@sindominio.net> | 2018-01-12 11:01:21 +0100 |
commit | 4da63fae464086d786eaf67d9effdb70d8131a18 (patch) | |
tree | 34ce1776c317cc116e7b66e8802384f3fd5104db /src/leap | |
parent | 799f16d85e569755dc7284a4f3d44878b4116d47 (diff) |
Add anti-leak rules for qubes-firewall
Diffstat (limited to 'src/leap')
-rwxr-xr-x | src/leap/bitmask/vpn/helpers/linux/bitmask-root | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/src/leap/bitmask/vpn/helpers/linux/bitmask-root b/src/leap/bitmask/vpn/helpers/linux/bitmask-root index ee838164..938fcb89 100755 --- a/src/leap/bitmask/vpn/helpers/linux/bitmask-root +++ b/src/leap/bitmask/vpn/helpers/linux/bitmask-root @@ -51,6 +51,7 @@ import socket import syslog import subprocess import sys +import stat import traceback cmdcheck = subprocess.check_output @@ -148,6 +149,18 @@ PARAM_FORMATS = { "UID": lambda s: re.match("^[a-zA-Z0-9]+$", s) } +# Determine Qubes OS version, if any +if os.path.isdir("/etc/qubes"): + QUBES_CFG = "/rw/config/" + QUBES_IPHOOK = QUBES_CFG + "qubes-ip-change-hook" + QUBES_FW_SCRIPT = QUBES_CFG + "qubes-firewall-user-script" + if subprocess.call([IPTABLES, "--list", "QBS-FORWARD"]) == 0: + QUBES_VER = 4 + else: + QUBES_VER = 3 +else: + QUBES_VER = 0 + DEBUG = os.getenv("DEBUG") TEST = os.getenv("TEST") @@ -706,6 +719,24 @@ def firewall_start(args): ip4tables("--append", BITMASK_CHAIN, "-o", default_device, "--jump", "REJECT") + # On Qubes OS, add anti-leak rules for proxyVM qubes-firewall.service + # Must stay on 'top' of chain! + if QUBES_VER >= 3 and not os.access(QUBES_FW_SCRIPT, os.X_OK): + with open(QUBES_FW_SCRIPT, mode="w") as qfile: + qfile.write("#!/bin/sh\n") + qfile.write("# Anti-leak rules installed by bitmask.\n") + qfile.write("iptables --insert FORWARD -i eth0 -j DROP\n") + qfile.write("iptables --insert FORWARD -o eth0 -j DROP\n") + qfile.write("ip6tables --insert FORWARD -i eth0 -j DROP\n") + qfile.write("ip6tables --insert FORWARD -o eth0 -j DROP\n") + os.chmod(QUBES_FW_SCRIPT, stat.S_IRWXU) + if not os.path.exists(QUBES_IPHOOK): + os.symlink(QUBES_FW_SCRIPT, QUBES_IPHOOK) + if QUBES_VER = 4: + run(QUBES_FW_SCRIPT) + elif QUBES_VER = 3: + run("systemctl", ["restart", "qubes-firewall.service"]) + def firewall_stop(): """ |