authorelijah <elijah@riseup.net>2014-05-29 15:57:06 -0700
committerelijah <elijah@riseup.net>2014-05-29 15:57:06 -0700
commitfbf615b941f195b2fe513b528da9aec5771e75ea (patch)
treef4dbd7bb5c834339a8299a1cfe7051396a9638ac
parent1417c41e05a3afe79555950921c2bc6289bf02ea (diff)
linux firewall: s/insert/append, and switch order. it makes much more sense to insert custom chain at start of OUTPUT, then append to that chain.
-rwxr-xr-xpkg/linux/bitmask-root54
1 files changed, 27 insertions, 27 deletions
diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root
index 83e85774..9bd5dfce 100755
--- a/pkg/linux/bitmask-root
+++ b/pkg/linux/bitmask-root
@@ -729,63 +729,63 @@ def firewall_start(args):
local_network_ipv6 = get_local_network_ipv6(default_device)
gateways = get_gateways(args)
- # add custom chain "bitmask"
+ # add custom chain "bitmask" to front of OUTPUT chain
if not ipv4_chain_exists(BITMASK_CHAIN):
ip4tables("--new-chain", BITMASK_CHAIN)
if not ipv6_chain_exists(BITMASK_CHAIN):
ip6tables("--new-chain", BITMASK_CHAIN)
iptables("--insert", "OUTPUT", "--jump", BITMASK_CHAIN)
- # reject everything
- iptables("--insert", BITMASK_CHAIN, "-o", default_device,
- "--jump", "REJECT")
-
- # log rejected packets to syslog
- if DEBUG:
- iptables("--insert", BITMASK_CHAIN, "-o", default_device,
- "--jump", "LOG", "--log-prefix", "iptables denied: ", "--log-level", "7")
+ # allow DNS over VPN
+ for allowed_dns in [NAMESERVER, "127.0.0.1", "127.0.1.1"]:
+ ip4tables("--append", BITMASK_CHAIN, "--protocol", "udp",
+ "--dport", "53", "--destination", allowed_dns,
+ "--jump", "ACCEPT")
- # allow traffic to gateways
- for gateway in gateways:
- ip4tables("--insert", BITMASK_CHAIN, "--destination", gateway,
- "-o", default_device, "--jump", "ACCEPT")
+ # block DNS requests to anyone but the service provider or localhost
+ # (when we actually route ipv6, we will need DNS rules for it too)
+ ip4tables("--append", BITMASK_CHAIN, "--protocol", "udp", "--dport", "53",
+ "--jump", "REJECT")
# allow traffic to IPs on local network
if local_network_ipv4:
- ip4tables("--insert", BITMASK_CHAIN,
+ ip4tables("--append", BITMASK_CHAIN,
"--destination", local_network_ipv4, "-o", default_device,
"--jump", "ACCEPT")
# allow multicast Simple Service Discovery Protocol
- ip4tables("--insert", BITMASK_CHAIN,
+ ip4tables("--append", BITMASK_CHAIN,
"--protocol", "udp", "--destination", "239.255.255.250", "--dport", "1900",
"-o", default_device, "--jump", "RETURN")
# allow multicast Bonjour/mDNS
- ip4tables("--insert", BITMASK_CHAIN,
+ ip4tables("--append", BITMASK_CHAIN,
"--protocol", "udp", "--destination", "224.0.0.251", "--dport", "5353",
"-o", default_device, "--jump", "RETURN")
if local_network_ipv6:
- ip6tables("--insert", BITMASK_CHAIN,
+ ip6tables("--append", BITMASK_CHAIN,
"--destination", local_network_ipv6, "-o", default_device,
"--jump", "ACCEPT")
# allow multicast Simple Service Discovery Protocol
- ip6tables("--insert", BITMASK_CHAIN,
+ ip6tables("--append", BITMASK_CHAIN,
"--protocol", "udp", "--destination", "FF05::C", "--dport", "1900",
"-o", default_device, "--jump", "RETURN")
# allow multicast Bonjour/mDNS
- ip6tables("--insert", BITMASK_CHAIN,
+ ip6tables("--append", BITMASK_CHAIN,
"--protocol", "udp", "--destination", "FF02::FB", "--dport", "5353",
"-o", default_device, "--jump", "RETURN")
+ # allow traffic to gateways
+ for gateway in gateways:
+ ip4tables("--append", BITMASK_CHAIN, "--destination", gateway,
+ "-o", default_device, "--jump", "ACCEPT")
- # block DNS requests to anyone but the service provider or localhost
- # when we actually route ipv6, we will need dns rules for it too
- ip4tables("--insert", BITMASK_CHAIN, "--protocol", "udp", "--dport", "53",
- "--jump", "REJECT")
+ # log rejected packets to syslog
+ if DEBUG:
+ iptables("--append", BITMASK_CHAIN, "-o", default_device,
+ "--jump", "LOG", "--log-prefix", "iptables denied: ", "--log-level", "7")
- for allowed_dns in [NAMESERVER, "127.0.0.1", "127.0.1.1"]:
- ip4tables("--insert", BITMASK_CHAIN, "--protocol", "udp",
- "--dport", "53", "--destination", allowed_dns,
- "--jump", "ACCEPT")
+ # reject everything else
+ iptables("--append", BITMASK_CHAIN, "-o", default_device,
+ "--jump", "REJECT")
# workaround for ipv6 servers being blocked and not falling back to ipv4.
# See #5693
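Review bot: Switching every rule to `--append` makes the resulting order depend on BITMASK_CHAIN being empty, but nothing in the hunk empties it: the `if not ipv4_chain_exists(BITMASK_CHAIN)` guard at the top shows the chain may already exist, and on a second firewall_start every appended rule then lands behind the trailing `REJECT` left by the previous run, so the fresh DNS/local-network/gateway rules are never evaluated (with the old `--insert` they at least went to the front). Unless a caller or firewall_stop is guaranteed to flush first, which is not visible here, flush both chains right after the existence checks and before the jump into OUTPUT: `ip4tables("--flush", BITMASK_CHAIN)` and `ip6tables("--flush", BITMASK_CHAIN)`. The unconditional `iptables("--insert", "OUTPUT", "--jump", BITMASK_CHAIN)` on that same re-run also stacks a duplicate jump; it is pre-existing, but guarding it like the chain creation would keep the ruleset idempotent. Note also that only UDP 53 is covered by the DNS accept/reject pair, so TCP DNS toward the local network on default_device is admitted by the later local-network ACCEPT; if that is not intended, the `--protocol udp` rules need a TCP counterpart. firewall_start continues past the end of the hunk.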