-rwxr-xr-xsrc/leap/bitmask/vpn/helpers/linux/bitmask-root48
1 files changed, 4 insertions, 44 deletions
diff --git a/src/leap/bitmask/vpn/helpers/linux/bitmask-root b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
index 21cfe56f..6b97cd5a 100755
--- a/src/leap/bitmask/vpn/helpers/linux/bitmask-root
+++ b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
@@ -1,7 +1,7 @@
#!/usr/bin/python2.7
# -*- coding: utf-8 -*-
#
-# Copyright (C) 2014 LEAP
+# Copyright (C) 2014-2017 LEAP
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -73,12 +73,11 @@ def get_no_group_name():
return None
-VERSION = "7"
+VERSION = "8"
SCRIPT = "bitmask-root"
NAMESERVER = "10.42.0.1"
BITMASK_CHAIN = "bitmask"
BITMASK_CHAIN_NAT_OUT = "bitmask"
-BITMASK_CHAIN_NAT_POST = "bitmask_postrouting"
BITMASK_CHAIN_EMAIL = "bitmask_email"
BITMASK_CHAIN_EMAIL_OUT = "bitmask_email_output"
LOCAL_INTERFACE = "lo"
@@ -606,22 +605,18 @@ def firewall_start(args):
ip4tables("--new-chain", BITMASK_CHAIN)
if not ipv4_chain_exists(BITMASK_CHAIN_NAT_OUT, 'nat'):
ip4tables("--table", "nat", "--new-chain", BITMASK_CHAIN_NAT_OUT)
- if not ipv4_chain_exists(BITMASK_CHAIN_NAT_POST, 'nat'):
- ip4tables("--table", "nat", "--new-chain", BITMASK_CHAIN_NAT_POST)
if not ipv6_chain_exists(BITMASK_CHAIN):
ip6tables("--new-chain", BITMASK_CHAIN)
ip4tables("--table", "nat", "--insert", "OUTPUT",
"--jump", BITMASK_CHAIN_NAT_OUT)
- ip4tables("--table", "nat", "--insert", "POSTROUTING",
- "--jump", BITMASK_CHAIN_NAT_POST)
iptables("--insert", "OUTPUT", "--jump", BITMASK_CHAIN)
# route all ipv4 DNS over VPN
# (note: NAT does not work with ipv6 until kernel 3.7)
enable_ip_forwarding()
- # allow dns to localhost
+ # allow dns to localhost (for dnsmasq and systemd-resolve)
ip4tables("-t", "nat", "--append", BITMASK_CHAIN, "--protocol", "udp",
- "--dest", "127.0.1.1,127.0.0.1", "--dport", "53",
+ "--dest", "127.0.1.1,127.0.0.1,127.0.0.53", "--dport", "53",
"--jump", "ACCEPT")
# rewrite all outgoing packets to use VPN DNS server
# (DNS does sometimes use TCP!)
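Review bot: The `-t nat` ACCEPT rule that now whitelists 127.0.0.53 is appended to `BITMASK_CHAIN` rather than `BITMASK_CHAIN_NAT_OUT`, the chain this hunk creates in the nat table a few lines above; it only lands in the right place because both constants happen to be the string "bitmask", so the line should read `ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_OUT, "--protocol", "udp",`. Traffic accepted here skips the DNAT to NAMESERVER, so on a host running systemd-resolved the stub resolver chooses the upstream; its own port-53 queries still hit the DNAT rules that follow, but whether they leave with a usable source address now that the MASQUERADE rules for DNAT-rewritten DNS are removed, and what happens if resolved is configured for DNS-over-TLS on port 853, is not visible from this hunk and is worth confirming on such a host. A short comment at the new entry would help, e.g. `# 127.0.0.53 is the systemd-resolved stub listener; resolved's own upstream port-53 queries are still rewritten by the DNAT below`. firewall_start starts and ends outside this hunk.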
@@ -629,12 +624,6 @@ def firewall_start(args):
"--dport", "53", "--jump", "DNAT", "--to", NAMESERVER+":53")
ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_OUT, "-p", "tcp",
"--dport", "53", "--jump", "DNAT", "--to", NAMESERVER+":53")
- # enable masquerading, so that DNS packets rewritten by DNAT will
- # have the correct source IPs
- ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_POST,
- "--protocol", "udp", "--dport", "53", "--jump", "MASQUERADE")
- ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_POST,
- "--protocol", "tcp", "--dport", "53", "--jump", "MASQUERADE")
# allow local network traffic
if local_network_ipv4:
@@ -642,15 +631,6 @@ def firewall_start(args):
ip4tables("--append", BITMASK_CHAIN,
"--destination", local_network_ipv4, "-o", default_device,
"--jump", "ACCEPT")
- # allow local network sources for DNS
- # (required to allow local network DNS that gets rewritten by NAT
- # to get passed through so that MASQUERADE can set correct source IP)
- ip4tables("--append", BITMASK_CHAIN,
- "--source", local_network_ipv4, "-o", default_device,
- "-p", "udp", "--dport", "53", "--jump", "ACCEPT")
- ip4tables("--append", BITMASK_CHAIN,
- "--source", local_network_ipv4, "-o", default_device,
- "-p", "tcp", "--dport", "53", "--jump", "ACCEPT")
# allow multicast Simple Service Discovery Protocol
ip4tables("--append", BITMASK_CHAIN,
"--protocol", "udp",
@@ -727,15 +707,6 @@ def firewall_stop():
"in 'nat' table (maybe it is already removed?)", exc)
ok = False
- # -t nat -D POSTROUTING -j bitmask_postrouting
- try:
- ip4tables("-t", "nat", "--delete", "POSTROUTING",
- "--jump", BITMASK_CHAIN_NAT_POST, throw=True)
- except subprocess.CalledProcessError as exc:
- debug("INFO: not able to remove bitmask firewall from POSTROUTING "
- "chain in 'nat' table (maybe it is already removed?)", exc)
- ok = False
-
# -t filter --delete-chain bitmask
try:
ip4tables("--flush", BITMASK_CHAIN, throw=True)
@@ -755,16 +726,6 @@ def firewall_stop():
"chain in 'nat' table (maybe it is already destroyed?)", exc)
ok = False
- # -t nat --delete-chain bitmask_postrouting
- try:
- ip4tables("-t", "nat", "--flush", BITMASK_CHAIN_NAT_POST, throw=True)
- ip4tables("-t", "nat", "--delete-chain",
- BITMASK_CHAIN_NAT_POST, throw=True)
- except subprocess.CalledProcessError as exc:
- debug("INFO: not able to flush and delete bitmask ipv4 firewall "
- "chain in 'nat' table (maybe it is already destroyed?)", exc)
- ok = False
-
# -t filter --delete-chain bitmask (ipv6)
try:
ip6tables("--flush", BITMASK_CHAIN, throw=True)
@@ -971,7 +932,6 @@ def main():
else:
bail("ERROR: No such command")
-
if __name__ == "__main__":
debug(" ".join(sys.argv))
main()