summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorRuben Pollan <meskio@sindominio.net>2018-01-09 20:49:17 +0100
committerRuben Pollan <meskio@sindominio.net>2018-01-09 22:10:53 +0100
commit799f16d85e569755dc7284a4f3d44878b4116d47 (patch)
treeb9c626cb01d775152cad4c5e610e3b07df6f3aca /src
parent45947832d5b5918bfbfefc64f20fa4d93ad6c7a1 (diff)
[bug] fix issues with dns resolution with systemd-resolved
In ubuntu 17.10 some changes with systemd-resolved broke our firewall, blocking all DNS queries. The masquerade rules in the firewall, that are used to rewrite the source IP address of the DNS queries, were wrongly modifying the queries to systemd-resolved. Let's apply masquerade only to the packets addressed to the nameserver. - Resolves: #9137
Diffstat (limited to 'src')
-rwxr-xr-xsrc/leap/bitmask/vpn/helpers/linux/bitmask-root7
1 files changed, 5 insertions, 2 deletions
diff --git a/src/leap/bitmask/vpn/helpers/linux/bitmask-root b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
index 9be9a61a..ee838164 100755
--- a/src/leap/bitmask/vpn/helpers/linux/bitmask-root
+++ b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
@@ -628,7 +628,7 @@ def firewall_start(args):
enable_ip_forwarding()
# allow dns to localhost
ip4tables("-t", "nat", "--append", BITMASK_CHAIN, "--protocol", "udp",
- "--dest", "127.0.1.1,127.0.0.1", "--dport", "53",
+ "--dest", "127.0.1.1,127.0.0.1,127.0.0.53", "--dport", "53",
"--jump", "ACCEPT")
# rewrite all outgoing packets to use VPN DNS server
# (DNS does sometimes use TCP!)
@@ -637,10 +637,13 @@ def firewall_start(args):
ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_OUT, "-p", "tcp",
"--dport", "53", "--jump", "DNAT", "--to", NAMESERVER+":53")
# enable masquerading, so that DNS packets rewritten by DNAT will
- # have the correct source IPs
+ # have the correct source IPs. Apply masquerade only to the NAMESERVER,
+ # we don't want to apply it to the localhost dns resolver.
ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_POST,
+ "--dest", NAMESERVER,
"--protocol", "udp", "--dport", "53", "--jump", "MASQUERADE")
ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_POST,
+ "--dest", NAMESERVER,
"--protocol", "tcp", "--dport", "53", "--jump", "MASQUERADE")
# allow local network traffic