summaryrefslogtreecommitdiff
path: root/pkg
diff options
context:
space:
mode:
Diffstat (limited to 'pkg')
-rwxr-xr-xpkg/linux/bitmask-root78
1 files changed, 49 insertions, 29 deletions
diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root
index 6d296ecf..82e8799f 100755
--- a/pkg/linux/bitmask-root
+++ b/pkg/linux/bitmask-root
@@ -653,6 +653,7 @@ def get_local_network_ipv6(device):
def run_iptable_with_check(cmd, *args, **options):
"""
Run an iptables command checking to see if it should:
+ for --append: run only if rule does not already exist.
for --insert: run only if rule does not already exist.
for --delete: run only if rule does exist.
other commands are run normally.
@@ -662,6 +663,11 @@ def run_iptable_with_check(cmd, *args, **options):
check_code = run(cmd, *check_args, exitcode=True)
if check_code != 0:
run(cmd, *args, **options)
+ elif "--append" in args:
+ check_args = [arg.replace("--append", "--check") for arg in args]
+ check_code = run(cmd, *check_args, exitcode=True)
+ if check_code != 0:
+ run(cmd, *args, **options)
elif "--delete" in args:
check_args = [arg.replace("--delete", "--check") for arg in args]
check_code = run(cmd, *check_args, exitcode=True)
@@ -729,53 +735,67 @@ def firewall_start(args):
local_network_ipv6 = get_local_network_ipv6(default_device)
gateways = get_gateways(args)
- # add custom chain "bitmask"
+ # add custom chain "bitmask" to front of OUTPUT chain
if not ipv4_chain_exists(BITMASK_CHAIN):
ip4tables("--new-chain", BITMASK_CHAIN)
if not ipv6_chain_exists(BITMASK_CHAIN):
ip6tables("--new-chain", BITMASK_CHAIN)
iptables("--insert", "OUTPUT", "--jump", BITMASK_CHAIN)
- # reject everything
- iptables("--insert", BITMASK_CHAIN, "-o", default_device,
- "--jump", "REJECT")
+ # allow DNS over VPN
+ for allowed_dns in [NAMESERVER, "127.0.0.1", "127.0.1.1"]:
+ ip4tables("--append", BITMASK_CHAIN, "--protocol", "udp",
+ "--dport", "53", "--destination", allowed_dns,
+ "--jump", "ACCEPT")
- # allow traffic to gateways
- for gateway in gateways:
- ip4tables("--insert", BITMASK_CHAIN, "--destination", gateway,
- "-o", default_device, "--jump", "ACCEPT")
+ # block DNS requests to anyone but the service provider or localhost
+ # (when we actually route ipv6, we will need DNS rules for it too)
+ ip4tables("--append", BITMASK_CHAIN, "--protocol", "udp", "--dport", "53",
+ "--jump", "REJECT")
# allow traffic to IPs on local network
if local_network_ipv4:
- ip4tables("--insert", BITMASK_CHAIN,
+ ip4tables("--append", BITMASK_CHAIN,
"--destination", local_network_ipv4, "-o", default_device,
"--jump", "ACCEPT")
+ # allow multicast Simple Service Discovery Protocol
+ ip4tables("--append", BITMASK_CHAIN,
+ "--protocol", "udp", "--destination", "239.255.255.250", "--dport", "1900",
+ "-o", default_device, "--jump", "RETURN")
+ # allow multicast Bonjour/mDNS
+ ip4tables("--append", BITMASK_CHAIN,
+ "--protocol", "udp", "--destination", "224.0.0.251", "--dport", "5353",
+ "-o", default_device, "--jump", "RETURN")
if local_network_ipv6:
- ip6tables("--insert", BITMASK_CHAIN,
+ ip6tables("--append", BITMASK_CHAIN,
"--destination", local_network_ipv6, "-o", default_device,
"--jump", "ACCEPT")
+ # allow multicast Simple Service Discovery Protocol
+ ip6tables("--append", BITMASK_CHAIN,
+ "--protocol", "udp", "--destination", "FF05::C", "--dport", "1900",
+ "-o", default_device, "--jump", "RETURN")
+ # allow multicast Bonjour/mDNS
+ ip6tables("--append", BITMASK_CHAIN,
+ "--protocol", "udp", "--destination", "FF02::FB", "--dport", "5353",
+ "-o", default_device, "--jump", "RETURN")
+
+ # allow ipv4 traffic to gateways
+ for gateway in gateways:
+ ip4tables("--append", BITMASK_CHAIN, "--destination", gateway,
+ "-o", default_device, "--jump", "ACCEPT")
- # block DNS requests to anyone but the service provider or localhost
- # when we actually route ipv6, we will need dns rules for it too
- ip4tables("--insert", BITMASK_CHAIN, "--protocol", "udp", "--dport", "53",
- "--jump", "REJECT")
-
- for allowed_dns in [NAMESERVER, "127.0.0.1", "127.0.1.1"]:
- ip4tables("--insert", BITMASK_CHAIN, "--protocol", "udp",
- "--dport", "53", "--destination", allowed_dns,
- "--jump", "ACCEPT")
+ # log rejected packets to syslog
+ if DEBUG:
+ iptables("--append", BITMASK_CHAIN, "-o", default_device,
+ "--jump", "LOG", "--log-prefix", "iptables denied: ", "--log-level", "7")
- # workaround for ipv6 servers being blocked and not falling back to ipv4.
- # See #5693
- ip6tables("--append", "OUTPUT", "--jump", "REJECT",
- "-s", "::/0", "-d", "::/0",
- "-p", "tcp",
- "--reject-with", "icmp6-port-unreachable")
- ip6tables("--append", "OUTPUT", "--jump", "REJECT",
- "-s", "::/0", "-d", "::/0",
- "-p", "udp",
- "--reject-with", "icmp6-port-unreachable")
+ # for now, ensure all other ipv6 packets get rejected (regardless of device)
+ # (not sure why, but "-p any" doesn't work)
+ ip6tables("--append", BITMASK_CHAIN, "-p", "tcp", "--jump", "REJECT")
+ ip6tables("--append", BITMASK_CHAIN, "-p", "udp", "--jump", "REJECT")
+ # reject all other ipv4 sent over the default device
+ ip4tables("--append", BITMASK_CHAIN, "-o", default_device, "--jump", "REJECT")
def firewall_stop():
"""