Verified Commit 34fa8f02 by elijah Committed by meskio

[bug] change bitmask-root to work with dnsmasq

parent 628c1ceb
#!/usr/bin/python2.7
# -*- coding: utf-8 -*-
#
# Copyright (C) 2014 LEAP
# Copyright (C) 2014-2017 LEAP
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
......@@ -73,12 +73,11 @@ def get_no_group_name():
return None
VERSION = "7"
VERSION = "8"
SCRIPT = "bitmask-root"
NAMESERVER = "10.42.0.1"
BITMASK_CHAIN = "bitmask"
BITMASK_CHAIN_NAT_OUT = "bitmask"
BITMASK_CHAIN_NAT_POST = "bitmask_postrouting"
BITMASK_CHAIN_EMAIL = "bitmask_email"
BITMASK_CHAIN_EMAIL_OUT = "bitmask_email_output"
LOCAL_INTERFACE = "lo"
......@@ -606,22 +605,18 @@ def firewall_start(args):
ip4tables("--new-chain", BITMASK_CHAIN)
if not ipv4_chain_exists(BITMASK_CHAIN_NAT_OUT, 'nat'):
ip4tables("--table", "nat", "--new-chain", BITMASK_CHAIN_NAT_OUT)
if not ipv4_chain_exists(BITMASK_CHAIN_NAT_POST, 'nat'):
ip4tables("--table", "nat", "--new-chain", BITMASK_CHAIN_NAT_POST)
if not ipv6_chain_exists(BITMASK_CHAIN):
ip6tables("--new-chain", BITMASK_CHAIN)
ip4tables("--table", "nat", "--insert", "OUTPUT",
"--jump", BITMASK_CHAIN_NAT_OUT)
ip4tables("--table", "nat", "--insert", "POSTROUTING",
"--jump", BITMASK_CHAIN_NAT_POST)
iptables("--insert", "OUTPUT", "--jump", BITMASK_CHAIN)
# route all ipv4 DNS over VPN
# (note: NAT does not work with ipv6 until kernel 3.7)
enable_ip_forwarding()
# allow dns to localhost
# allow dns to localhost (for dnsmasq and systemd-resolve)
ip4tables("-t", "nat", "--append", BITMASK_CHAIN, "--protocol", "udp",
"--dest", "127.0.1.1,127.0.0.1", "--dport", "53",
"--dest", "127.0.1.1,127.0.0.1,127.0.0.53", "--dport", "53",
"--jump", "ACCEPT")
# rewrite all outgoing packets to use VPN DNS server
# (DNS does sometimes use TCP!)
......@@ -629,12 +624,6 @@ def firewall_start(args):
"--dport", "53", "--jump", "DNAT", "--to", NAMESERVER+":53")
ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_OUT, "-p", "tcp",
"--dport", "53", "--jump", "DNAT", "--to", NAMESERVER+":53")
# enable masquerading, so that DNS packets rewritten by DNAT will
# have the correct source IPs
ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_POST,
"--protocol", "udp", "--dport", "53", "--jump", "MASQUERADE")
ip4tables("-t", "nat", "--append", BITMASK_CHAIN_NAT_POST,
"--protocol", "tcp", "--dport", "53", "--jump", "MASQUERADE")
# allow local network traffic
if local_network_ipv4:
......@@ -642,15 +631,6 @@ def firewall_start(args):
ip4tables("--append", BITMASK_CHAIN,
"--destination", local_network_ipv4, "-o", default_device,
"--jump", "ACCEPT")
# allow local network sources for DNS
# (required to allow local network DNS that gets rewritten by NAT
# to get passed through so that MASQUERADE can set correct source IP)
ip4tables("--append", BITMASK_CHAIN,
"--source", local_network_ipv4, "-o", default_device,
"-p", "udp", "--dport", "53", "--jump", "ACCEPT")
ip4tables("--append", BITMASK_CHAIN,
"--source", local_network_ipv4, "-o", default_device,
"-p", "tcp", "--dport", "53", "--jump", "ACCEPT")
# allow multicast Simple Service Discovery Protocol
ip4tables("--append", BITMASK_CHAIN,
"--protocol", "udp",
......@@ -727,15 +707,6 @@ def firewall_stop():
"in 'nat' table (maybe it is already removed?)", exc)
ok = False
# -t nat -D POSTROUTING -j bitmask_postrouting
try:
ip4tables("-t", "nat", "--delete", "POSTROUTING",
"--jump", BITMASK_CHAIN_NAT_POST, throw=True)
except subprocess.CalledProcessError as exc:
debug("INFO: not able to remove bitmask firewall from POSTROUTING "
"chain in 'nat' table (maybe it is already removed?)", exc)
ok = False
# -t filter --delete-chain bitmask
try:
ip4tables("--flush", BITMASK_CHAIN, throw=True)
......@@ -755,16 +726,6 @@ def firewall_stop():
"chain in 'nat' table (maybe it is already destroyed?)", exc)
ok = False
# -t nat --delete-chain bitmask_postrouting
try:
ip4tables("-t", "nat", "--flush", BITMASK_CHAIN_NAT_POST, throw=True)
ip4tables("-t", "nat", "--delete-chain",
BITMASK_CHAIN_NAT_POST, throw=True)
except subprocess.CalledProcessError as exc:
debug("INFO: not able to flush and delete bitmask ipv4 firewall "
"chain in 'nat' table (maybe it is already destroyed?)", exc)
ok = False
# -t filter --delete-chain bitmask (ipv6)
try:
ip6tables("--flush", BITMASK_CHAIN, throw=True)
......@@ -971,7 +932,6 @@ def main():
else:
bail("ERROR: No such command")
if __name__ == "__main__":
debug(" ".join(sys.argv))
main()
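Review bot: firewall_stop no longer tears down the `bitmask_postrouting` chain or the POSTROUTING jump into it (hunks @@ -727 and @@ -755), yet VERSION goes from "7" to "8" in the same commit, so a host whose firewall was started by the previous version and later stopped by this one is left with a stale MASQUERADE rule in the nat table. A best-effort cleanup guarded by `ipv4_chain_exists("bitmask_postrouting", 'nat')`, written in the same debug-on-failure style as the surrounding deletions, would keep the upgrade path clean; the rewritten lines are below. Both firewall_stop hunks sit in the middle of the function, whose start and end are outside the diff. Separately, the dropped comment described MASQUERADE as fixing the source IP of DNAT'ed DNS packets, and neither the commit message nor the new code says why that is no longer needed after the DNAT rules at the top of the @@ -629 hunk; a one-line why-comment there stating why masquerading of the rewritten packets is no longer required would document the assumption for the next maintainer.
```python
        ok = False
    # best-effort teardown of the 'bitmask_postrouting' chain installed by
    # firewall version 7 (firewall_start no longer creates it)
    legacy_chain = "bitmask_postrouting"
    if ipv4_chain_exists(legacy_chain, 'nat'):
        try:
            ip4tables("-t", "nat", "--delete", "POSTROUTING",
                      "--jump", legacy_chain, throw=True)
        except subprocess.CalledProcessError as exc:
            debug("INFO: not able to remove legacy bitmask_postrouting jump "
                  "from POSTROUTING chain in 'nat' table", exc)
        try:
            ip4tables("-t", "nat", "--flush", legacy_chain, throw=True)
            ip4tables("-t", "nat", "--delete-chain", legacy_chain, throw=True)
        except subprocess.CalledProcessError as exc:
            debug("INFO: not able to flush and delete legacy "
                  "bitmask_postrouting chain in 'nat' table", exc)
            ok = False
    # … unchanged: ipv6 chain teardown …
```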