From 1ef424fcd34d1f3800ffd200be72d775be5a9740 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 29 May 2014 01:23:53 -0700 Subject: unblock local multicast IPs from linux firewall, to allow SSDP and Bonjour/mDNS to work. --- pkg/linux/bitmask-root | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) (limited to 'pkg') diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root index 6d296ecf..f1c5c0c3 100755 --- a/pkg/linux/bitmask-root +++ b/pkg/linux/bitmask-root @@ -740,6 +740,11 @@ def firewall_start(args): iptables("--insert", BITMASK_CHAIN, "-o", default_device, "--jump", "REJECT") + # log rejected packets to syslog + if DEBUG: + iptables("--insert", BITMASK_CHAIN, "-o", default_device, + "--jump", "LOG", "--log-prefix", "iptables denied: ", "--log-level", "7") + # allow traffic to gateways for gateway in gateways: ip4tables("--insert", BITMASK_CHAIN, "--destination", gateway, @@ -750,10 +755,27 @@ def firewall_start(args): ip4tables("--insert", BITMASK_CHAIN, "--destination", local_network_ipv4, "-o", default_device, "--jump", "ACCEPT") + # allow multicast Simple Service Discovery Protocol + ip4tables("--insert", BITMASK_CHAIN, + "--protocol", "udp", "--destination", "239.255.255.250", "--dport", "1900", + "-o", default_device, "--jump", "ACCEPT") + # allow multicast Bonjour/mDNS + ip4tables("--insert", BITMASK_CHAIN, + "--protocol", "udp", "--destination", "224.0.0.251", "--dport", "5353", + "-o", default_device, "--jump", "ACCEPT") if local_network_ipv6: ip6tables("--insert", BITMASK_CHAIN, "--destination", local_network_ipv6, "-o", default_device, "--jump", "ACCEPT") + # allow multicast Simple Service Discovery Protocol + ip6tables("--insert", BITMASK_CHAIN, + "--protocol", "udp", "--destination", "FF05::C", "--dport", "1900", + "-o", default_device, "--jump", "ACCEPT") + # allow multicast Bonjour/mDNS + ip6tables("--insert", BITMASK_CHAIN, + "--protocol", "udp", "--destination", "FF02::FB", "--dport", "5353", + "-o", default_device, "--jump", "ACCEPT") + # block DNS requests to anyone but the service provider or localhost # when we actually route ipv6, we will need dns rules for it too -- cgit v1.2.3 From 1417c41e05a3afe79555950921c2bc6289bf02ea Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 29 May 2014 15:48:02 -0700 Subject: return instead of reject for multicast --- pkg/linux/bitmask-root | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'pkg') diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root index f1c5c0c3..83e85774 100755 --- a/pkg/linux/bitmask-root +++ b/pkg/linux/bitmask-root @@ -758,11 +758,11 @@ def firewall_start(args): # allow multicast Simple Service Discovery Protocol ip4tables("--insert", BITMASK_CHAIN, "--protocol", "udp", "--destination", "239.255.255.250", "--dport", "1900", - "-o", default_device, "--jump", "ACCEPT") + "-o", default_device, "--jump", "RETURN") # allow multicast Bonjour/mDNS ip4tables("--insert", BITMASK_CHAIN, "--protocol", "udp", "--destination", "224.0.0.251", "--dport", "5353", - "-o", default_device, "--jump", "ACCEPT") + "-o", default_device, "--jump", "RETURN") if local_network_ipv6: ip6tables("--insert", BITMASK_CHAIN, "--destination", local_network_ipv6, "-o", default_device, @@ -770,11 +770,11 @@ def firewall_start(args): # allow multicast Simple Service Discovery Protocol ip6tables("--insert", BITMASK_CHAIN, "--protocol", "udp", "--destination", "FF05::C", "--dport", "1900", - "-o", default_device, "--jump", "ACCEPT") + "-o", default_device, "--jump", "RETURN") # allow multicast Bonjour/mDNS ip6tables("--insert", BITMASK_CHAIN, "--protocol", "udp", "--destination", "FF02::FB", "--dport", "5353", - "-o", default_device, "--jump", "ACCEPT") + "-o", default_device, "--jump", "RETURN") # block DNS requests to anyone but the service provider or localhost -- cgit v1.2.3 From fbf615b941f195b2fe513b528da9aec5771e75ea Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 29 May 2014 15:57:06 -0700 Subject: linux firewall: s/insert/append, and switch order. it makes much more sense to insert custom chain at start of OUTPUT, then append to that chain. --- pkg/linux/bitmask-root | 54 +++++++++++++++++++++++++------------------------- 1 file changed, 27 insertions(+), 27 deletions(-) (limited to 'pkg') diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root index 83e85774..9bd5dfce 100755 --- a/pkg/linux/bitmask-root +++ b/pkg/linux/bitmask-root @@ -729,63 +729,63 @@ def firewall_start(args): local_network_ipv6 = get_local_network_ipv6(default_device) gateways = get_gateways(args) - # add custom chain "bitmask" + # add custom chain "bitmask" to front of OUTPUT chain if not ipv4_chain_exists(BITMASK_CHAIN): ip4tables("--new-chain", BITMASK_CHAIN) if not ipv6_chain_exists(BITMASK_CHAIN): ip6tables("--new-chain", BITMASK_CHAIN) iptables("--insert", "OUTPUT", "--jump", BITMASK_CHAIN) - # reject everything - iptables("--insert", BITMASK_CHAIN, "-o", default_device, - "--jump", "REJECT") - - # log rejected packets to syslog - if DEBUG: - iptables("--insert", BITMASK_CHAIN, "-o", default_device, - "--jump", "LOG", "--log-prefix", "iptables denied: ", "--log-level", "7") + # allow DNS over VPN + for allowed_dns in [NAMESERVER, "127.0.0.1", "127.0.1.1"]: + ip4tables("--append", BITMASK_CHAIN, "--protocol", "udp", + "--dport", "53", "--destination", allowed_dns, + "--jump", "ACCEPT") - # allow traffic to gateways - for gateway in gateways: - ip4tables("--insert", BITMASK_CHAIN, "--destination", gateway, - "-o", default_device, "--jump", "ACCEPT") + # block DNS requests to anyone but the service provider or localhost + # (when we actually route ipv6, we will need DNS rules for it too) + ip4tables("--append", BITMASK_CHAIN, "--protocol", "udp", "--dport", "53", + "--jump", "REJECT") # allow traffic to IPs on local network if local_network_ipv4: - ip4tables("--insert", BITMASK_CHAIN, + ip4tables("--append", BITMASK_CHAIN, "--destination", local_network_ipv4, "-o", default_device, "--jump", "ACCEPT") # allow multicast Simple Service Discovery Protocol - ip4tables("--insert", BITMASK_CHAIN, + ip4tables("--append", BITMASK_CHAIN, "--protocol", "udp", "--destination", "239.255.255.250", "--dport", "1900", "-o", default_device, "--jump", "RETURN") # allow multicast Bonjour/mDNS - ip4tables("--insert", BITMASK_CHAIN, + ip4tables("--append", BITMASK_CHAIN, "--protocol", "udp", "--destination", "224.0.0.251", "--dport", "5353", "-o", default_device, "--jump", "RETURN") if local_network_ipv6: - ip6tables("--insert", BITMASK_CHAIN, + ip6tables("--append", BITMASK_CHAIN, "--destination", local_network_ipv6, "-o", default_device, "--jump", "ACCEPT") # allow multicast Simple Service Discovery Protocol - ip6tables("--insert", BITMASK_CHAIN, + ip6tables("--append", BITMASK_CHAIN, "--protocol", "udp", "--destination", "FF05::C", "--dport", "1900", "-o", default_device, "--jump", "RETURN") # allow multicast Bonjour/mDNS - ip6tables("--insert", BITMASK_CHAIN, + ip6tables("--append", BITMASK_CHAIN, "--protocol", "udp", "--destination", "FF02::FB", "--dport", "5353", "-o", default_device, "--jump", "RETURN") + # allow traffic to gateways + for gateway in gateways: + ip4tables("--append", BITMASK_CHAIN, "--destination", gateway, + "-o", default_device, "--jump", "ACCEPT") - # block DNS requests to anyone but the service provider or localhost - # when we actually route ipv6, we will need dns rules for it too - ip4tables("--insert", BITMASK_CHAIN, "--protocol", "udp", "--dport", "53", - "--jump", "REJECT") + # log rejected packets to syslog + if DEBUG: + iptables("--append", BITMASK_CHAIN, "-o", default_device, + "--jump", "LOG", "--log-prefix", "iptables denied: ", "--log-level", "7") - for allowed_dns in [NAMESERVER, "127.0.0.1", "127.0.1.1"]: - ip4tables("--insert", BITMASK_CHAIN, "--protocol", "udp", - "--dport", "53", "--destination", allowed_dns, - "--jump", "ACCEPT") + # reject everything else + iptables("--append", BITMASK_CHAIN, "-o", default_device, + "--jump", "REJECT") # workaround for ipv6 servers being blocked and not falling back to ipv4. # See #5693 -- cgit v1.2.3 From a0eecf4d0dc8ac17c8f2d99d56c21d5b2fae4f30 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 30 May 2014 01:51:53 -0700 Subject: fix bug with ipv6 blocking (added to wrong chain, so never removed and also it would keep getting added repeatedly) --- pkg/linux/bitmask-root | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) (limited to 'pkg') diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root index 9bd5dfce..82e8799f 100755 --- a/pkg/linux/bitmask-root +++ b/pkg/linux/bitmask-root @@ -653,6 +653,7 @@ def get_local_network_ipv6(device): def run_iptable_with_check(cmd, *args, **options): """ Run an iptables command checking to see if it should: + for --append: run only if rule does not already exist. for --insert: run only if rule does not already exist. for --delete: run only if rule does exist. other commands are run normally. @@ -662,6 +663,11 @@ def run_iptable_with_check(cmd, *args, **options): check_code = run(cmd, *check_args, exitcode=True) if check_code != 0: run(cmd, *args, **options) + elif "--append" in args: + check_args = [arg.replace("--append", "--check") for arg in args] + check_code = run(cmd, *check_args, exitcode=True) + if check_code != 0: + run(cmd, *args, **options) elif "--delete" in args: check_args = [arg.replace("--delete", "--check") for arg in args] check_code = run(cmd, *check_args, exitcode=True) @@ -773,7 +779,7 @@ def firewall_start(args): "--protocol", "udp", "--destination", "FF02::FB", "--dport", "5353", "-o", default_device, "--jump", "RETURN") - # allow traffic to gateways + # allow ipv4 traffic to gateways for gateway in gateways: ip4tables("--append", BITMASK_CHAIN, "--destination", gateway, "-o", default_device, "--jump", "ACCEPT") @@ -783,21 +789,13 @@ def firewall_start(args): iptables("--append", BITMASK_CHAIN, "-o", default_device, "--jump", "LOG", "--log-prefix", "iptables denied: ", "--log-level", "7") - # reject everything else - iptables("--append", BITMASK_CHAIN, "-o", default_device, - "--jump", "REJECT") - - # workaround for ipv6 servers being blocked and not falling back to ipv4. - # See #5693 - ip6tables("--append", "OUTPUT", "--jump", "REJECT", - "-s", "::/0", "-d", "::/0", - "-p", "tcp", - "--reject-with", "icmp6-port-unreachable") - ip6tables("--append", "OUTPUT", "--jump", "REJECT", - "-s", "::/0", "-d", "::/0", - "-p", "udp", - "--reject-with", "icmp6-port-unreachable") + # for now, ensure all other ipv6 packets get rejected (regardless of device) + # (not sure why, but "-p any" doesn't work) + ip6tables("--append", BITMASK_CHAIN, "-p", "tcp", "--jump", "REJECT") + ip6tables("--append", BITMASK_CHAIN, "-p", "udp", "--jump", "REJECT") + # reject all other ipv4 sent over the default device + ip4tables("--append", BITMASK_CHAIN, "-o", default_device, "--jump", "REJECT") def firewall_stop(): """ -- cgit v1.2.3