Diffstat (limited to 'src')
| -rwxr-xr-x | src/leap/bitmask/vpn/helpers/linux/bitmask-root | 48 | 
1 files changed, 4 insertions, 44 deletions
diff --git a/src/leap/bitmask/vpn/helpers/linux/bitmask-root b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
index 21cfe56f..6b97cd5a 100755
--- a/src/leap/bitmask/vpn/helpers/linux/bitmask-root
+++ b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
@@ -1,7 +1,7 @@
 #!/usr/bin/python2.7
 # -*- coding: utf-8 -*-
 #
-# Copyright (C) 2014 LEAP
+# Copyright (C) 2014-2017 LEAP
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -73,12 +73,11 @@ def get_no_group_name():
             return None
-VERSION = "7"
+VERSION = "8"
 SCRIPT = "bitmask-root"
 NAMESERVER = "10.42.0.1"
 BITMASK_CHAIN = "bitmask"
 BITMASK_CHAIN_NAT_OUT = "bitmask"
-BITMASK_CHAIN_NAT_POST = "bitmask_postrouting"
 BITMASK_CHAIN_EMAIL = "bitmask_email"
 BITMASK_CHAIN_EMAIL_OUT = "bitmask_email_output"
 LOCAL_INTERFACE = "lo"
@@ -606,22 +605,18 @@ def firewall_start(args):
         ip4tables("--new-chain", BITMASK_CHAIN)
     if not ipv4_chain_exists(BITMASK_CHAIN_NAT_OUT, 'nat'):
         ip4tables("--table", "nat", "--new-chain", BITMASK_CHAIN_NAT_OUT)
-    if not ipv4_chain_exists(BITMASK_CHAIN_NAT_POST, 'nat'):
-        ip4tables("--table", "nat", "--new-chain", BITMASK_CHAIN_NAT_POST)
     if not ipv6_chain_exists(BITMASK_CHAIN):
         ip6tables("--new-chain", BITMASK_CHAIN)
     ip4tables("--table", "nat", "--insert", "OUTPUT",
               "--jump", BITMASK_CHAIN_NAT_OUT)
-    ip4tables("--table", "nat", "--insert", "POSTROUTING",
-              "--jump", BITMASK_CHAIN_NAT_POST)
     iptables("--insert", "OUTPUT", "--jump", BITMASK_CHAIN)
     # route all ipv4 DNS over VPN
     # (note: NAT does not work with ipv6 until kernel 3.7)
     enable_ip_forwarding()
-    # allow dns to localhost
+    # allow dns to localhost (for dnsmasq and systemd-resolve)
     ip4tables("-t", "nat", "--append", BITMASK_CHAIN, "--protocol", "udp",
-              "--dest", "127.0.1.1,127.0.0.1", "--dport", "53",
+              "--dest", "127.0.1.1,127.0.0.1,127.0.0.53", "--dport", "53",
               "--jump", "ACCEPT")
     # rewrite all outgoing packets to use VPN DNS server
     # (DNS does sometimes use TCP!)
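Review bot: The localhost-DNS ACCEPT that this hunk extends with 127.0.0.53 is appended with `"-t", "nat", "--append", BITMASK_CHAIN`, while the other nat-table rules in firewall_start name `BITMASK_CHAIN_NAT_OUT`; it lands in the same chain, ahead of the DNAT rules, only because both constants are the string "bitmask" (visible in the VERSION hunk above), so the ACCEPT-before-DNAT ordering rests on a naming coincidence rather than an explicit choice. Writing it as `ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_OUT, "--protocol", "udp",` makes that ordering visible to the next reader. The hunk also removes the POSTROUTING chain whose deleted comment (next hunk) said MASQUERADE was needed so that DNAT-rewritten DNS packets carry a correct source IP, and nothing left in the patch records why that is no longer necessary; a one-line comment beside the DNAT rules stating the reason source rewriting was dropped would preserve that rationale. firewall_start begins before this hunk and continues past it.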
@@ -629,12 +624,6 @@ def firewall_start(args):
               "--dport", "53", "--jump", "DNAT", "--to", NAMESERVER+":53")
     ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_OUT, "-p", "tcp",
               "--dport", "53", "--jump", "DNAT", "--to", NAMESERVER+":53")
-    # enable masquerading, so that DNS packets rewritten by DNAT will
-    # have the correct source IPs
-    ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_POST,
-              "--protocol", "udp", "--dport", "53", "--jump", "MASQUERADE")
-    ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_POST,
-              "--protocol", "tcp", "--dport", "53", "--jump", "MASQUERADE")
     # allow local network traffic
     if local_network_ipv4:
@@ -642,15 +631,6 @@ def firewall_start(args):
         ip4tables("--append", BITMASK_CHAIN,
                   "--destination", local_network_ipv4, "-o", default_device,
                   "--jump", "ACCEPT")
-        # allow local network sources for DNS
-        # (required to allow local network DNS that gets rewritten by NAT
-        #  to get passed through so that MASQUERADE can set correct source IP)
-        ip4tables("--append", BITMASK_CHAIN,
-                  "--source", local_network_ipv4, "-o", default_device,
-                  "-p", "udp", "--dport", "53", "--jump", "ACCEPT")
-        ip4tables("--append", BITMASK_CHAIN,
-                  "--source", local_network_ipv4, "-o", default_device,
-                  "-p", "tcp", "--dport", "53", "--jump", "ACCEPT")
         # allow multicast Simple Service Discovery Protocol
         ip4tables("--append", BITMASK_CHAIN,
                   "--protocol", "udp",
@@ -727,15 +707,6 @@ def firewall_stop():
               "in 'nat' table (maybe it is already removed?)", exc)
         ok = False
-    # -t nat -D POSTROUTING -j bitmask_postrouting
-    try:
-        ip4tables("-t", "nat", "--delete", "POSTROUTING",
-                  "--jump", BITMASK_CHAIN_NAT_POST, throw=True)
-    except subprocess.CalledProcessError as exc:
-        debug("INFO: not able to remove bitmask firewall from POSTROUTING "
-              "chain in 'nat' table (maybe it is already removed?)", exc)
-        ok = False
-
     # -t filter --delete-chain bitmask
     try:
         ip4tables("--flush", BITMASK_CHAIN, throw=True)
@@ -755,16 +726,6 @@ def firewall_stop():
               "chain in 'nat' table (maybe it is already destroyed?)", exc)
         ok = False
-    # -t nat --delete-chain bitmask_postrouting
-    try:
-        ip4tables("-t", "nat", "--flush", BITMASK_CHAIN_NAT_POST, throw=True)
-        ip4tables("-t", "nat", "--delete-chain",
-                  BITMASK_CHAIN_NAT_POST, throw=True)
-    except subprocess.CalledProcessError as exc:
-        debug("INFO: not able to flush and delete bitmask ipv4 firewall "
-              "chain in 'nat' table (maybe it is already destroyed?)", exc)
-        ok = False
-
     # -t filter --delete-chain bitmask (ipv6)
     try:
         ip6tables("--flush", BITMASK_CHAIN, throw=True)
@@ -971,7 +932,6 @@ def main():
     else:
         bail("ERROR: No such command")
-
 if __name__ == "__main__":
     debug(" ".join(sys.argv))
     main()  |
