diff --git a/patches/UDP-block.patch b/patches/UDP-block.patch new file mode 100644 index 00000000..e16a9574 --- /dev/null +++ b/patches/UDP-block.patch @@ -0,0 +1,243 @@ +From c2620d6939713762e30badc3ed5da981e296b742 Mon Sep 17 00:00:00 2001 +From: patch +Date: Mon, 23 Jul 2012 16:12:55 -0400 +Subject: [PATCH] Modified iptables rules for transproxying. UDP is now + blocked. Also removed some redundant rules and reordered + others. I reordered by the idea that its generally easier + to specifically allow traffic before your reject it. + +--- + .../torproject/android/service/TorTransProxy.java | 133 ++++++++++---------- + 1 file changed, 64 insertions(+), 69 deletions(-) + +diff --git a/src/org/torproject/android/service/TorTransProxy.java b/src/org/torproject/android/service/TorTransProxy.java +index 2571123..c248a9f 100644 +--- a/src/org/torproject/android/service/TorTransProxy.java ++++ b/src/org/torproject/android/service/TorTransProxy.java +@@ -224,6 +224,15 @@ public class TorTransProxy implements TorServiceConstants { + + int torUid = context.getApplicationInfo().uid; + ++ // Allow everything for Tor ++ script.append(ipTablesPath); ++ script.append(" -t filter"); ++ script.append(" -A OUTPUT"); ++ script.append(" -m owner --uid-owner "); ++ script.append(torUid); ++ script.append(" -j ACCEPT"); ++ script.append(" || exit\n"); ++ + //build up array of shell cmds to execute under one root context + for (TorifiedApp tApp:apps) + { +@@ -235,9 +244,9 @@ public class TorTransProxy implements TorServiceConstants { + { + + TorService.logMessage("enabling transproxy for app: " + tApp.getUsername() + "(" + tApp.getUid() + ")"); +- +- // Set up port redirection +- script.append(ipTablesPath); ++ ++ // Set up port redirection ++ script.append(ipTablesPath); + script.append(" -t nat"); + script.append(" -A OUTPUT -p tcp"); + script.append(" ! -d 127.0.0.1"); //allow access to localhost +@@ -251,14 +260,28 @@ public class TorTransProxy implements TorServiceConstants { + // Same for DNS + script.append(ipTablesPath); + script.append(" -t nat"); +- script.append(" -A OUTPUT -p udp -m owner --uid-owner "); ++ script.append(" -A OUTPUT -p udp"); ++ script.append(" -m owner --uid-owner "); + script.append(tApp.getUid()); + script.append(" -m udp --dport "); + script.append(STANDARD_DNS_PORT); + script.append(" -j REDIRECT --to-ports "); + script.append(TOR_DNS_PORT); + script.append(" || exit\n"); +- ++ ++ // Allow loopback ++ script.append(ipTablesPath); ++ script.append(" -t filter"); ++ script.append(" -A OUTPUT"); ++ script.append(" -m owner --uid-owner "); ++ script.append(tApp.getUid()); ++ script.append(" -o lo"); ++ script.append(" -j ACCEPT"); ++ script.append(" || exit\n"); ++ ++ /* ++ //Outgoing loopback already allowed (23/7/12) ++ + int[] ports = {TOR_DNS_PORT,TOR_TRANSPROXY_PORT,PORT_SOCKS,PORT_HTTP}; + + for (int port : ports) +@@ -276,53 +299,32 @@ public class TorTransProxy implements TorServiceConstants { + script.append(" -j ACCEPT"); + script.append(" || exit\n"); + } +- +- // Allow loopback ++ */ ++ ++ // Reject all other outbound TCP packets + script.append(ipTablesPath); + script.append(" -t filter"); + script.append(" -A OUTPUT"); + script.append(" -m owner --uid-owner "); + script.append(tApp.getUid()); + script.append(" -p tcp"); +- script.append(" -o lo"); +- script.append(" -j ACCEPT"); +- script.append(" || exit\n"); +- +- // Reject DNS that is not from Tor (order is important - first matched rule counts!) +- script.append(ipTablesPath); +- script.append(" -t filter"); +- script.append(" -A OUTPUT"); +- script.append(" -m owner --uid-owner "); +- script.append(tApp.getUid()); +- script.append(" -p udp"); +- script.append(" --dport "); +- script.append(STANDARD_DNS_PORT); + script.append(" -j REJECT"); + script.append(" || exit\n"); +- +- // Reject all other outbound TCP packets ++ ++ // Reject all other outbound UDP packets + script.append(ipTablesPath); + script.append(" -t filter"); + script.append(" -A OUTPUT"); + script.append(" -m owner --uid-owner "); + script.append(tApp.getUid()); +- script.append(" -p tcp"); ++ script.append(" -p udp"); + script.append(" -j REJECT"); + script.append(" || exit\n"); ++ + + } + } +- + +- // Allow everything for Tor +- script.append(ipTablesPath); +- script.append(" -t filter"); +- script.append(" -A OUTPUT"); +- script.append(" -m owner --uid-owner "); +- script.append(torUid); +- script.append(" -j ACCEPT"); +- script.append(" || exit\n"); +- + String[] cmdAdd = {script.toString()}; + + code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor); +@@ -450,8 +452,8 @@ public class TorTransProxy implements TorServiceConstants { + + int torUid = context.getApplicationInfo().uid; + +- // Set up port redirection +- script.append(ipTablesPath); ++ // Set up port redirection ++ script.append(ipTablesPath); + script.append(" -t nat"); + script.append(" -A OUTPUT -p tcp"); + script.append(" ! -d 127.0.0.1"); //allow access to localhost +@@ -465,14 +467,36 @@ public class TorTransProxy implements TorServiceConstants { + // Same for DNS + script.append(ipTablesPath); + script.append(" -t nat"); +- script.append(" -A OUTPUT -p udp -m owner ! --uid-owner "); ++ script.append(" -A OUTPUT -p udp"); ++ script.appent(" -m owner ! --uid-owner "); + script.append(torUid); + script.append(" -m udp --dport "); + script.append(STANDARD_DNS_PORT); + script.append(" -j REDIRECT --to-ports "); + script.append(TOR_DNS_PORT); + script.append(" || exit\n"); ++ ++ // Allow loopback ++ script.append(ipTablesPath); ++ script.append(" -t filter"); ++ script.append(" -A OUTPUT"); ++ script.append(" -o lo"); ++ script.append(" -j ACCEPT"); ++ script.append(" || exit\n"); + ++ // Allow everything for Tor ++ script.append(ipTablesPath); ++ script.append(" -t filter"); ++ script.append(" -A OUTPUT"); ++ script.append(" -m owner --uid-owner "); ++ script.append(torUid); ++ script.append(" -j ACCEPT"); ++ script.append(" || exit\n"); ++ ++ ++ /* ++ //Outgoing loopback already allowed (23/7/12) ++ + int[] ports = {TOR_DNS_PORT,TOR_TRANSPROXY_PORT,PORT_SOCKS,PORT_HTTP}; + + for (int port : ports) +@@ -490,25 +514,8 @@ public class TorTransProxy implements TorServiceConstants { + script.append(" -j ACCEPT"); + script.append(" || exit\n"); + +- } +- +- // Allow loopback +- script.append(ipTablesPath); +- script.append(" -t filter"); +- script.append(" -A OUTPUT"); +- script.append(" -p tcp"); +- script.append(" -o lo"); +- script.append(" -j ACCEPT"); +- script.append(" || exit\n"); ++ } */ + +- // Allow everything for Tor +- script.append(ipTablesPath); +- script.append(" -t filter"); +- script.append(" -A OUTPUT"); +- script.append(" -m owner --uid-owner "); +- script.append(torUid); +- script.append(" -j ACCEPT"); +- script.append(" || exit\n"); + + if (TorService.ENABLE_DEBUG_LOG) + { +@@ -532,23 +539,11 @@ public class TorTransProxy implements TorServiceConstants { + script.append(" --log-uid"); + script.append(" || exit\n"); + } +- +- // Reject DNS that is not from Tor (order is important - first matched rule counts!) +- script.append(ipTablesPath); +- script.append(" -t filter"); +- script.append(" -A OUTPUT"); +- script.append(" -p udp"); +- script.append(" --dport "); +- script.append(STANDARD_DNS_PORT); +- script.append(" -j REJECT"); +- script.append(" || exit\n"); +- +- // Reject all other outbound TCP packets ++ ++ // Reject all other outbound packets by default + script.append(ipTablesPath); + script.append(" -t filter"); +- script.append(" -A OUTPUT"); +- script.append(" -p tcp"); +- script.append(" -j REJECT"); ++ script.append(" -P OUTPUT DROP"); + script.append(" || exit\n"); + + String[] cmdAdd = {script.toString()}; +-- +1.7.9.5 + diff --git a/patches/transproxy.patch b/patches/transproxy.patch new file mode 100644 index 00000000..e69de29b diff --git a/patches/udptransproxyfinal.patch b/patches/udptransproxyfinal.patch new file mode 100644 index 00000000..32cc0e2f --- /dev/null +++ b/patches/udptransproxyfinal.patch @@ -0,0 +1,247 @@ +From a81741afe06ac2309b4306dedbd5a0ebf755b7e1 Mon Sep 17 00:00:00 2001 +From: patch +Date: Fri, 31 Aug 2012 17:25:52 -0400 +Subject: [PATCH] Addendum to the last commit on UDP transproxy rules. Trying + to simplfy the iptables rules didn't work out so this is a + minimal change from the original TorTransProxy.java file. + UDP is blocked and tested as working. + +--- + .../torproject/android/service/TorTransProxy.java | 144 ++++++++++++-------- + 1 file changed, 84 insertions(+), 60 deletions(-) + +diff --git a/src/org/torproject/android/service/TorTransProxy.java b/src/org/torproject/android/service/TorTransProxy.java +index c248a9f..90bdc34 100644 +--- a/src/org/torproject/android/service/TorTransProxy.java ++++ b/src/org/torproject/android/service/TorTransProxy.java +@@ -224,15 +224,6 @@ public class TorTransProxy implements TorServiceConstants { + + int torUid = context.getApplicationInfo().uid; + +- // Allow everything for Tor +- script.append(ipTablesPath); +- script.append(" -t filter"); +- script.append(" -A OUTPUT"); +- script.append(" -m owner --uid-owner "); +- script.append(torUid); +- script.append(" -j ACCEPT"); +- script.append(" || exit\n"); +- + //build up array of shell cmds to execute under one root context + for (TorifiedApp tApp:apps) + { +@@ -244,9 +235,9 @@ public class TorTransProxy implements TorServiceConstants { + { + + TorService.logMessage("enabling transproxy for app: " + tApp.getUsername() + "(" + tApp.getUid() + ")"); +- +- // Set up port redirection +- script.append(ipTablesPath); ++ ++ // Set up port redirection ++ script.append(ipTablesPath); + script.append(" -t nat"); + script.append(" -A OUTPUT -p tcp"); + script.append(" ! -d 127.0.0.1"); //allow access to localhost +@@ -260,28 +251,14 @@ public class TorTransProxy implements TorServiceConstants { + // Same for DNS + script.append(ipTablesPath); + script.append(" -t nat"); +- script.append(" -A OUTPUT -p udp"); +- script.append(" -m owner --uid-owner "); ++ script.append(" -A OUTPUT -p udp -m owner --uid-owner "); + script.append(tApp.getUid()); + script.append(" -m udp --dport "); + script.append(STANDARD_DNS_PORT); + script.append(" -j REDIRECT --to-ports "); + script.append(TOR_DNS_PORT); + script.append(" || exit\n"); +- +- // Allow loopback +- script.append(ipTablesPath); +- script.append(" -t filter"); +- script.append(" -A OUTPUT"); +- script.append(" -m owner --uid-owner "); +- script.append(tApp.getUid()); +- script.append(" -o lo"); +- script.append(" -j ACCEPT"); +- script.append(" || exit\n"); +- +- /* +- //Outgoing loopback already allowed (23/7/12) +- ++ + int[] ports = {TOR_DNS_PORT,TOR_TRANSPROXY_PORT,PORT_SOCKS,PORT_HTTP}; + + for (int port : ports) +@@ -299,8 +276,30 @@ public class TorTransProxy implements TorServiceConstants { + script.append(" -j ACCEPT"); + script.append(" || exit\n"); + } +- */ +- ++ ++ // Allow loopback ++ script.append(ipTablesPath); ++ script.append(" -t filter"); ++ script.append(" -A OUTPUT"); ++ script.append(" -m owner --uid-owner "); ++ script.append(tApp.getUid()); ++ script.append(" -p tcp"); ++ script.append(" -o lo"); ++ script.append(" -j ACCEPT"); ++ script.append(" || exit\n"); ++ ++ // Reject DNS that is not from Tor (order is important - first matched rule counts!) ++ script.append(ipTablesPath); ++ script.append(" -t filter"); ++ script.append(" -A OUTPUT"); ++ script.append(" -m owner --uid-owner "); ++ script.append(tApp.getUid()); ++ script.append(" -p udp"); ++ script.append(" --dport "); ++ script.append(STANDARD_DNS_PORT); ++ script.append(" -j REJECT"); ++ script.append(" || exit\n"); ++ + // Reject all other outbound TCP packets + script.append(ipTablesPath); + script.append(" -t filter"); +@@ -321,10 +320,19 @@ public class TorTransProxy implements TorServiceConstants { + script.append(" -j REJECT"); + script.append(" || exit\n"); + +- + } + } ++ + ++ // Allow everything for Tor ++ script.append(ipTablesPath); ++ script.append(" -t filter"); ++ script.append(" -A OUTPUT"); ++ script.append(" -m owner --uid-owner "); ++ script.append(torUid); ++ script.append(" -j ACCEPT"); ++ script.append(" || exit\n"); ++ + String[] cmdAdd = {script.toString()}; + + code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor); +@@ -452,8 +460,8 @@ public class TorTransProxy implements TorServiceConstants { + + int torUid = context.getApplicationInfo().uid; + +- // Set up port redirection +- script.append(ipTablesPath); ++ // Set up port redirection ++ script.append(ipTablesPath); + script.append(" -t nat"); + script.append(" -A OUTPUT -p tcp"); + script.append(" ! -d 127.0.0.1"); //allow access to localhost +@@ -467,36 +475,14 @@ public class TorTransProxy implements TorServiceConstants { + // Same for DNS + script.append(ipTablesPath); + script.append(" -t nat"); +- script.append(" -A OUTPUT -p udp"); +- script.appent(" -m owner ! --uid-owner "); ++ script.append(" -A OUTPUT -p udp -m owner ! --uid-owner "); + script.append(torUid); + script.append(" -m udp --dport "); + script.append(STANDARD_DNS_PORT); + script.append(" -j REDIRECT --to-ports "); + script.append(TOR_DNS_PORT); + script.append(" || exit\n"); +- +- // Allow loopback +- script.append(ipTablesPath); +- script.append(" -t filter"); +- script.append(" -A OUTPUT"); +- script.append(" -o lo"); +- script.append(" -j ACCEPT"); +- script.append(" || exit\n"); + +- // Allow everything for Tor +- script.append(ipTablesPath); +- script.append(" -t filter"); +- script.append(" -A OUTPUT"); +- script.append(" -m owner --uid-owner "); +- script.append(torUid); +- script.append(" -j ACCEPT"); +- script.append(" || exit\n"); +- +- +- /* +- //Outgoing loopback already allowed (23/7/12) +- + int[] ports = {TOR_DNS_PORT,TOR_TRANSPROXY_PORT,PORT_SOCKS,PORT_HTTP}; + + for (int port : ports) +@@ -514,8 +500,25 @@ public class TorTransProxy implements TorServiceConstants { + script.append(" -j ACCEPT"); + script.append(" || exit\n"); + +- } */ ++ } ++ ++ // Allow loopback ++ script.append(ipTablesPath); ++ script.append(" -t filter"); ++ script.append(" -A OUTPUT"); ++ script.append(" -p tcp"); ++ script.append(" -o lo"); ++ script.append(" -j ACCEPT"); ++ script.append(" || exit\n"); + ++ // Allow everything for Tor ++ script.append(ipTablesPath); ++ script.append(" -t filter"); ++ script.append(" -A OUTPUT"); ++ script.append(" -m owner --uid-owner "); ++ script.append(torUid); ++ script.append(" -j ACCEPT"); ++ script.append(" || exit\n"); + + if (TorService.ENABLE_DEBUG_LOG) + { +@@ -539,13 +542,34 @@ public class TorTransProxy implements TorServiceConstants { + script.append(" --log-uid"); + script.append(" || exit\n"); + } +- +- // Reject all other outbound packets by default ++ ++ // Reject DNS that is not from Tor (order is important - first matched rule counts!) + script.append(ipTablesPath); + script.append(" -t filter"); +- script.append(" -P OUTPUT DROP"); ++ script.append(" -A OUTPUT"); ++ script.append(" -p udp"); ++ script.append(" --dport "); ++ script.append(STANDARD_DNS_PORT); ++ script.append(" -j REJECT"); + script.append(" || exit\n"); + ++ // Reject all other outbound TCP packets ++ script.append(ipTablesPath); ++ script.append(" -t filter"); ++ script.append(" -A OUTPUT"); ++ script.append(" -p tcp"); ++ script.append(" -j REJECT"); ++ script.append(" || exit\n"); ++ ++ // Reject all other outbound UDP packets ++ script.append(ipTablesPath); ++ script.append(" -t filter"); ++ script.append(" -A OUTPUT"); ++ script.append(" -p udp"); ++ script.append(" -j REJECT"); ++ script.append(" || exit\n"); ++ ++ + String[] cmdAdd = {script.toString()}; + + code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor); +-- +1.7.9.5 +