From 799f16d85e569755dc7284a4f3d44878b4116d47 Mon Sep 17 00:00:00 2001
From: Ruben Pollan
Date: Tue, 9 Jan 2018 20:49:17 +0100
Subject: [bug] fix issues with dns resolution with systemd-resolved

In ubuntu 17.10 some changes with systemd-resolved broke our firewall, blocking all DNS queries. The masquerade rules in the firewall, that are used to rewrite the source IP address of the DNS queries, were wrongly modifying the queries to systemd-resolved. Let's apply masquerade only to the packets addressed to the nameserver.

- Resolves: #9137
---
 src/leap/bitmask/vpn/helpers/linux/bitmask-root | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'src/leap/bitmask/vpn/helpers/linux/bitmask-root')

diff --git a/src/leap/bitmask/vpn/helpers/linux/bitmask-root b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
index 9be9a61a..ee838164 100755
--- a/src/leap/bitmask/vpn/helpers/linux/bitmask-root
+++ b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
@@ -628,7 +628,7 @@ def firewall_start(args):
     enable_ip_forwarding()
     # allow dns to localhost
     ip4tables("-t", "nat", "--append", BITMASK_CHAIN, "--protocol", "udp",
-              "--dest", "127.0.1.1,127.0.0.1", "--dport", "53",
+              "--dest", "127.0.1.1,127.0.0.1,127.0.0.53", "--dport", "53",
               "--jump", "ACCEPT")
     # rewrite all outgoing packets to use VPN DNS server
     # (DNS does sometimes use TCP!)
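Review bot: The loopback exemption on the `+` line is UDP-only (the call two lines above fixes `"--protocol", "udp"`), while the DNAT rules that follow (the TCP one is visible at the top of the next hunk, and this hunk's own comment notes that DNS sometimes uses TCP) rewrite port 53 for both protocols, so a TCP query to the stub at 127.0.0.53 would still be redirected to the VPN nameserver instead of reaching the local resolver. If the intent is to leave local resolvers untouched, a matching TCP ACCEPT rule, or a `for proto in ("udp", "tcp"):` loop around this `ip4tables` call with `"--protocol", proto`, keeps the two protocols consistent. Enumerating single addresses is also fragile: `"--dest", "127.0.0.0/8"` covers every loopback resolver without another edit when a distribution moves its stub, and loopback-bound packets never leave the host, so nothing is exempted that could leak. firewall_start continues outside the hunk on both sides, so where BITMASK_CHAIN is hooked into the nat table is inferred rather than visible.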
@@ -637,10 +637,13 @@ def firewall_start(args):
     ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_OUT, "-p", "tcp",
               "--dport", "53", "--jump", "DNAT", "--to", NAMESERVER+":53")
     # enable masquerading, so that DNS packets rewritten by DNAT will
-    # have the correct source IPs
+    # have the correct source IPs. Apply masquerade only to the NAMESERVER,
+    # we don't want to apply it to the localhost dns resolver.
     ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_POST,
+              "--dest", NAMESERVER,
               "--protocol", "udp", "--dport", "53", "--jump", "MASQUERADE")
     ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_POST,
+              "--dest", NAMESERVER,
               "--protocol", "tcp", "--dport", "53", "--jump", "MASQUERADE")
     # allow local network traffic
--
cgit v1.2.3
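Review bot: The two MASQUERADE rules are now identical except for the protocol string, and this hunk shows the cost: the same `"--dest", NAMESERVER` line had to be added twice, and any future change must be mirrored by hand. A single `for proto in ("udp", "tcp"):` loop over `ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_POST, "--dest", NAMESERVER, "--protocol", proto, "--dport", "53", "--jump", "MASQUERADE")` keeps both rules in step. The new destination match is only correct because the chain runs after the DNAT above (a POSTROUTING hook sees the already-rewritten destination) and because the DNAT target and this match read the same NAMESERVER value; the new comment could say so, e.g. `# matched after DNAT: only packets already rewritten to NAMESERVER get a new source`. Where BITMASK_CHAIN_NAT_POST is hooked is not visible in this hunk, so that reasoning is inferred from the chain name; firewall_start continues outside the hunk on both ends.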