diff options
Diffstat (limited to 'pkg/linux')
| -rwxr-xr-x | pkg/linux/bitmask-root | 78 |
1 files changed, 49 insertions, 29 deletions
diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root index 6d296ecf..82e8799f 100755 --- a/pkg/linux/bitmask-root +++ b/pkg/linux/bitmask-root @@ -653,6 +653,7 @@ def get_local_network_ipv6(device): def run_iptable_with_check(cmd, *args, **options): """ Run an iptables command checking to see if it should: + for --append: run only if rule does not already exist. for --insert: run only if rule does not already exist. for --delete: run only if rule does exist. other commands are run normally. @@ -662,6 +663,11 @@ def run_iptable_with_check(cmd, *args, **options): check_code = run(cmd, *check_args, exitcode=True) if check_code != 0: run(cmd, *args, **options) + elif "--append" in args: + check_args = [arg.replace("--append", "--check") for arg in args] + check_code = run(cmd, *check_args, exitcode=True) + if check_code != 0: + run(cmd, *args, **options) elif "--delete" in args: check_args = [arg.replace("--delete", "--check") for arg in args] check_code = run(cmd, *check_args, exitcode=True) @@ -729,53 +735,67 @@ def firewall_start(args): local_network_ipv6 = get_local_network_ipv6(default_device) gateways = get_gateways(args) - # add custom chain "bitmask" + # add custom chain "bitmask" to front of OUTPUT chain if not ipv4_chain_exists(BITMASK_CHAIN): ip4tables("--new-chain", BITMASK_CHAIN) if not ipv6_chain_exists(BITMASK_CHAIN): ip6tables("--new-chain", BITMASK_CHAIN) iptables("--insert", "OUTPUT", "--jump", BITMASK_CHAIN) - # reject everything - iptables("--insert", BITMASK_CHAIN, "-o", default_device, - "--jump", "REJECT") + # allow DNS over VPN + for allowed_dns in [NAMESERVER, "127.0.0.1", "127.0.1.1"]: + ip4tables("--append", BITMASK_CHAIN, "--protocol", "udp", + "--dport", "53", "--destination", allowed_dns, + "--jump", "ACCEPT") - # allow traffic to gateways - for gateway in gateways: - ip4tables("--insert", BITMASK_CHAIN, "--destination", gateway, - "-o", default_device, "--jump", "ACCEPT") + # block DNS requests to anyone but the service provider or localhost + # (when we actually route ipv6, we will need DNS rules for it too) + ip4tables("--append", BITMASK_CHAIN, "--protocol", "udp", "--dport", "53", + "--jump", "REJECT") # allow traffic to IPs on local network if local_network_ipv4: - ip4tables("--insert", BITMASK_CHAIN, + ip4tables("--append", BITMASK_CHAIN, "--destination", local_network_ipv4, "-o", default_device, "--jump", "ACCEPT") + # allow multicast Simple Service Discovery Protocol + ip4tables("--append", BITMASK_CHAIN, + "--protocol", "udp", "--destination", "239.255.255.250", "--dport", "1900", + "-o", default_device, "--jump", "RETURN") + # allow multicast Bonjour/mDNS + ip4tables("--append", BITMASK_CHAIN, + "--protocol", "udp", "--destination", "224.0.0.251", "--dport", "5353", + "-o", default_device, "--jump", "RETURN") if local_network_ipv6: - ip6tables("--insert", BITMASK_CHAIN, + ip6tables("--append", BITMASK_CHAIN, "--destination", local_network_ipv6, "-o", default_device, "--jump", "ACCEPT") + # allow multicast Simple Service Discovery Protocol + ip6tables("--append", BITMASK_CHAIN, + "--protocol", "udp", "--destination", "FF05::C", "--dport", "1900", + "-o", default_device, "--jump", "RETURN") + # allow multicast Bonjour/mDNS + ip6tables("--append", BITMASK_CHAIN, + "--protocol", "udp", "--destination", "FF02::FB", "--dport", "5353", + "-o", default_device, "--jump", "RETURN") + + # allow ipv4 traffic to gateways + for gateway in gateways: + ip4tables("--append", BITMASK_CHAIN, "--destination", gateway, + "-o", default_device, "--jump", "ACCEPT") - # block DNS requests to anyone but the service provider or localhost - # when we actually route ipv6, we will need dns rules for it too - ip4tables("--insert", BITMASK_CHAIN, "--protocol", "udp", "--dport", "53", - "--jump", "REJECT") - - for allowed_dns in [NAMESERVER, "127.0.0.1", "127.0.1.1"]: - ip4tables("--insert", BITMASK_CHAIN, "--protocol", "udp", - "--dport", "53", "--destination", allowed_dns, - "--jump", "ACCEPT") + # log rejected packets to syslog + if DEBUG: + iptables("--append", BITMASK_CHAIN, "-o", default_device, + "--jump", "LOG", "--log-prefix", "iptables denied: ", "--log-level", "7") - # workaround for ipv6 servers being blocked and not falling back to ipv4. - # See #5693 - ip6tables("--append", "OUTPUT", "--jump", "REJECT", - "-s", "::/0", "-d", "::/0", - "-p", "tcp", - "--reject-with", "icmp6-port-unreachable") - ip6tables("--append", "OUTPUT", "--jump", "REJECT", - "-s", "::/0", "-d", "::/0", - "-p", "udp", - "--reject-with", "icmp6-port-unreachable") + # for now, ensure all other ipv6 packets get rejected (regardless of device) + # (not sure why, but "-p any" doesn't work) + ip6tables("--append", BITMASK_CHAIN, "-p", "tcp", "--jump", "REJECT") + ip6tables("--append", BITMASK_CHAIN, "-p", "udp", "--jump", "REJECT") + # reject all other ipv4 sent over the default device + ip4tables("--append", BITMASK_CHAIN, "-o", default_device, "--jump", "REJECT") def firewall_stop(): """ |