Diffstat (limited to 'src/leap/bitmask/vpn/helpers/linux')
-rwxr-xr-x | src/leap/bitmask/vpn/helpers/linux/bitmask-root | 54 |
1 files changed, 34 insertions, 20 deletions
diff --git a/src/leap/bitmask/vpn/helpers/linux/bitmask-root b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
index 46794c59..ff689167 100755
--- a/src/leap/bitmask/vpn/helpers/linux/bitmask-root
+++ b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
@@ -63,7 +63,6 @@ cmdcheck = subprocess.check_output # CONSTANTS - def get_no_group_name(): """ Return the right group name to use for the current OS.
@@ -670,9 +669,11 @@ def firewall_start(args): # rewrite DNS packets for VPN DNS; Qubes preconfigures masquerade ip4tables("-t", "nat", "--flush", "PR-QBS") ip4tables("-t", "nat", "--append", "PR-QBS", "-p", "udp", - "--dport", "53", "--jump", "DNAT", "--to", NAMESERVER+":53") + "--dport", "53", "--jump", "DNAT", "--to", + NAMESERVER + ":53") ip4tables("-t", "nat", "--append", "PR-QBS", "-p", "tcp", - "--dport", "53", "--jump", "DNAT", "--to", NAMESERVER+":53") + "--dport", "53", "--jump", "DNAT", "--to", + NAMESERVER + ":53") else: # allow dns to localhost ip4tables("-t", "nat", "--append", BITMASK_CHAIN, "--protocol", "udp",
@@ -681,9 +682,11 @@ def firewall_start(args): # rewrite all outgoing packets to use VPN DNS server # (DNS does sometimes use TCP!) ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_OUT, "-p", "udp", - "--dport", "53", "--jump", "DNAT", "--to", NAMESERVER+":53") + "--dport", "53", "--jump", "DNAT", "--to", + NAMESERVER + ":53") ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_OUT, "-p", "tcp", - "--dport", "53", "--jump", "DNAT", "--to", NAMESERVER+":53") + "--dport", "53", "--jump", "DNAT", "--to", + NAMESERVER + ":53") # enable masquerading, so that DNS packets rewritten by DNAT will # have the correct source IPs. Apply masquerade only to the NAMESERVER, # we don't want to apply it to the localhost dns resolver. 
@@ -756,18 +759,19 @@ def firewall_start(args): # On Qubes OS, add anti-leak rules for proxyVM qubes-firewall.service # Must stay on 'top' of chain! - if QUBES_PROXY and QUBES_VER >= 3 and run("grep", \ - "installed\ by\ " + SCRIPT, QUBES_FW_SCRIPT, exitcode=True) != 0: + if QUBES_PROXY and QUBES_VER >= 3 and run("grep", "installed\ by\ " + + SCRIPT, QUBES_FW_SCRIPT, + exitcode=True) != 0: with open(QUBES_FW_SCRIPT, mode="w") as qfile: - qfile.write("#!/bin/sh\n") - qfile.write("# Anti-leak rules installed by " + SCRIPT + " " \ - + VERSION + "\n") - qfile.write("iptables --insert FORWARD -i eth0 -j DROP\n") - qfile.write("iptables --insert FORWARD -o eth0 -j DROP\n") - qfile.write("ip6tables --insert FORWARD -i eth0 -j DROP\n") - qfile.write("ip6tables --insert FORWARD -o eth0 -j DROP\n") - qfile.write("iptables --insert INPUT -i tun+ -j DROP\n") - qfile.write("ip6tables --insert INPUT -i tun+ -j DROP\n") + qfile.write("#!/bin/sh\n") + qfile.write("# Anti-leak rules installed by " + SCRIPT + " " + + + VERSION + "\n") + qfile.write("iptables --insert FORWARD -i eth0 -j DROP\n") + qfile.write("iptables --insert FORWARD -o eth0 -j DROP\n") + qfile.write("ip6tables --insert FORWARD -i eth0 -j DROP\n") + qfile.write("ip6tables --insert FORWARD -o eth0 -j DROP\n") + qfile.write("iptables --insert INPUT -i tun+ -j DROP\n") + qfile.write("ip6tables --insert INPUT -i tun+ -j DROP\n") os.chmod(QUBES_FW_SCRIPT, stat.S_IRWXU) if not os.path.exists(QUBES_IPHOOK): os.symlink(QUBES_FW_SCRIPT, QUBES_IPHOOK) 
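Review bot: The re-wrapped statement `qfile.write("# Anti-leak rules installed by " + SCRIPT + " " +` keeps the leading `+` on its continuation line, so as reconstructed from the collapsed hunk the new expression reads `" " + + VERSION`, a unary plus applied to a str, which raises TypeError at runtime. That statement runs only on the QUBES_PROXY path, but there the shebang has already been written when it fails, so QUBES_FW_SCRIPT is left holding just `#!/bin/sh`, the chmod and symlink never run, the `grep`-based "already installed" test keeps failing on later starts, and the anti-leak FORWARD/INPUT rules are never installed while firewall_start aborts. The continuation should be `VERSION + "\n")` with no leading operator (or keep the operator at the start of the second line and drop the trailing one). firewall_start begins and ends outside this hunk.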
@@ -980,19 +984,29 @@ def fw_email_stop(): # MAIN # +USAGE = """ +bitmask-root version +bitmask-root +""" + def main(): """ Entry point for cmdline execution. """ - # TODO use argparse instead. + # TODO use argparse instead please. if len(sys.argv) >= 2: command = "_".join(sys.argv[1:3]) args = sys.argv[3:] is_restart = False - if args and args[0] == "restart": + + if args and (args[0] == 'help' or args[0] == '-h'): + print(USAGE) + exit(0) + + if args and args[0] == 'restart': is_restart = True args.remove('restart')
@@ -1051,9 +1065,9 @@ def main(): bail("INFO: bitmask email firewall is down") else: - bail("ERROR: No such command") + bail("ERROR: No such command. Try bitmask-root -h") else: - bail("ERROR: No such command") + bail("ERROR: No such command. Try bitmask-root -h") if __name__ == "__main__": |
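Review bot: The new help check only inspects `args[0]`, i.e. `sys.argv[3]`, so `bitmask-root -h` (the invocation the new bail messages in the second hunk recommend) builds `command = "-h"` with empty args and lands in the very `No such command. Try bitmask-root -h` branch that advertises it; `bitmask-root help` behaves the same. Move the check ahead of the dispatcher and test the first argument, e.g. `if len(sys.argv) >= 2 and sys.argv[1] in ('help', '-h'):` / `print(USAGE)` / `sys.exit(0)`, using `sys.exit` rather than the `exit` builtin, which site.py injects and which is absent when the script runs under `python -S`. USAGE as added names only `version`; it should enumerate the subcommands main actually dispatches (the firewall and email-firewall start/stop commands that appear in the surrounding hunks, as far as they are visible here) so the pointer in the error message is useful. main's dispatch chain continues outside the hunk.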