collection of submitted patches

This commit is contained in:
n8fr8 2012-10-04 11:28:47 +05:30
parent 6e45cab8ee
commit 3ff65d2eed
3 changed files with 490 additions and 0 deletions

243
patches/UDP-block.patch Normal file
View File

@ -0,0 +1,243 @@
From c2620d6939713762e30badc3ed5da981e296b742 Mon Sep 17 00:00:00 2001
From: patch <patrickbx@gmail.com>
Date: Mon, 23 Jul 2012 16:12:55 -0400
Subject: [PATCH] Modified iptables rules for transproxying. UDP is now
blocked. Also removed some redundant rules and reordered
others. I reordered by the idea that its generally easier
to specifically allow traffic before your reject it.
---
.../torproject/android/service/TorTransProxy.java | 133 ++++++++++----------
1 file changed, 64 insertions(+), 69 deletions(-)
diff --git a/src/org/torproject/android/service/TorTransProxy.java b/src/org/torproject/android/service/TorTransProxy.java
index 2571123..c248a9f 100644
--- a/src/org/torproject/android/service/TorTransProxy.java
+++ b/src/org/torproject/android/service/TorTransProxy.java
@@ -224,6 +224,15 @@ public class TorTransProxy implements TorServiceConstants {
int torUid = context.getApplicationInfo().uid;
+ // Allow everything for Tor
+ script.append(ipTablesPath);
+ script.append(" -t filter");
+ script.append(" -A OUTPUT");
+ script.append(" -m owner --uid-owner ");
+ script.append(torUid);
+ script.append(" -j ACCEPT");
+ script.append(" || exit\n");
+
//build up array of shell cmds to execute under one root context
for (TorifiedApp tApp:apps)
{
@@ -235,9 +244,9 @@ public class TorTransProxy implements TorServiceConstants {
{
TorService.logMessage("enabling transproxy for app: " + tApp.getUsername() + "(" + tApp.getUid() + ")");
-
- // Set up port redirection
- script.append(ipTablesPath);
+
+ // Set up port redirection
+ script.append(ipTablesPath);
script.append(" -t nat");
script.append(" -A OUTPUT -p tcp");
script.append(" ! -d 127.0.0.1"); //allow access to localhost
@@ -251,14 +260,28 @@ public class TorTransProxy implements TorServiceConstants {
// Same for DNS
script.append(ipTablesPath);
script.append(" -t nat");
- script.append(" -A OUTPUT -p udp -m owner --uid-owner ");
+ script.append(" -A OUTPUT -p udp");
+ script.append(" -m owner --uid-owner ");
script.append(tApp.getUid());
script.append(" -m udp --dport ");
script.append(STANDARD_DNS_PORT);
script.append(" -j REDIRECT --to-ports ");
script.append(TOR_DNS_PORT);
script.append(" || exit\n");
-
+
+ // Allow loopback
+ script.append(ipTablesPath);
+ script.append(" -t filter");
+ script.append(" -A OUTPUT");
+ script.append(" -m owner --uid-owner ");
+ script.append(tApp.getUid());
+ script.append(" -o lo");
+ script.append(" -j ACCEPT");
+ script.append(" || exit\n");
+
+ /*
+ //Outgoing loopback already allowed (23/7/12)
+
int[] ports = {TOR_DNS_PORT,TOR_TRANSPROXY_PORT,PORT_SOCKS,PORT_HTTP};
for (int port : ports)
@@ -276,53 +299,32 @@ public class TorTransProxy implements TorServiceConstants {
script.append(" -j ACCEPT");
script.append(" || exit\n");
}
-
- // Allow loopback
+ */
+
+ // Reject all other outbound TCP packets
script.append(ipTablesPath);
script.append(" -t filter");
script.append(" -A OUTPUT");
script.append(" -m owner --uid-owner ");
script.append(tApp.getUid());
script.append(" -p tcp");
- script.append(" -o lo");
- script.append(" -j ACCEPT");
- script.append(" || exit\n");
-
- // Reject DNS that is not from Tor (order is important - first matched rule counts!)
- script.append(ipTablesPath);
- script.append(" -t filter");
- script.append(" -A OUTPUT");
- script.append(" -m owner --uid-owner ");
- script.append(tApp.getUid());
- script.append(" -p udp");
- script.append(" --dport ");
- script.append(STANDARD_DNS_PORT);
script.append(" -j REJECT");
script.append(" || exit\n");
-
- // Reject all other outbound TCP packets
+
+ // Reject all other outbound UDP packets
script.append(ipTablesPath);
script.append(" -t filter");
script.append(" -A OUTPUT");
script.append(" -m owner --uid-owner ");
script.append(tApp.getUid());
- script.append(" -p tcp");
+ script.append(" -p udp");
script.append(" -j REJECT");
script.append(" || exit\n");
+
}
}
-
- // Allow everything for Tor
- script.append(ipTablesPath);
- script.append(" -t filter");
- script.append(" -A OUTPUT");
- script.append(" -m owner --uid-owner ");
- script.append(torUid);
- script.append(" -j ACCEPT");
- script.append(" || exit\n");
-
String[] cmdAdd = {script.toString()};
code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor);
@@ -450,8 +452,8 @@ public class TorTransProxy implements TorServiceConstants {
int torUid = context.getApplicationInfo().uid;
- // Set up port redirection
- script.append(ipTablesPath);
+ // Set up port redirection
+ script.append(ipTablesPath);
script.append(" -t nat");
script.append(" -A OUTPUT -p tcp");
script.append(" ! -d 127.0.0.1"); //allow access to localhost
@@ -465,14 +467,36 @@ public class TorTransProxy implements TorServiceConstants {
// Same for DNS
script.append(ipTablesPath);
script.append(" -t nat");
- script.append(" -A OUTPUT -p udp -m owner ! --uid-owner ");
+ script.append(" -A OUTPUT -p udp");
+ script.appent(" -m owner ! --uid-owner ");
script.append(torUid);
script.append(" -m udp --dport ");
script.append(STANDARD_DNS_PORT);
script.append(" -j REDIRECT --to-ports ");
script.append(TOR_DNS_PORT);
script.append(" || exit\n");
+
+ // Allow loopback
+ script.append(ipTablesPath);
+ script.append(" -t filter");
+ script.append(" -A OUTPUT");
+ script.append(" -o lo");
+ script.append(" -j ACCEPT");
+ script.append(" || exit\n");
+ // Allow everything for Tor
+ script.append(ipTablesPath);
+ script.append(" -t filter");
+ script.append(" -A OUTPUT");
+ script.append(" -m owner --uid-owner ");
+ script.append(torUid);
+ script.append(" -j ACCEPT");
+ script.append(" || exit\n");
+
+
+ /*
+ //Outgoing loopback already allowed (23/7/12)
+
int[] ports = {TOR_DNS_PORT,TOR_TRANSPROXY_PORT,PORT_SOCKS,PORT_HTTP};
for (int port : ports)
@@ -490,25 +514,8 @@ public class TorTransProxy implements TorServiceConstants {
script.append(" -j ACCEPT");
script.append(" || exit\n");
- }
-
- // Allow loopback
- script.append(ipTablesPath);
- script.append(" -t filter");
- script.append(" -A OUTPUT");
- script.append(" -p tcp");
- script.append(" -o lo");
- script.append(" -j ACCEPT");
- script.append(" || exit\n");
+ } */
- // Allow everything for Tor
- script.append(ipTablesPath);
- script.append(" -t filter");
- script.append(" -A OUTPUT");
- script.append(" -m owner --uid-owner ");
- script.append(torUid);
- script.append(" -j ACCEPT");
- script.append(" || exit\n");
if (TorService.ENABLE_DEBUG_LOG)
{
@@ -532,23 +539,11 @@ public class TorTransProxy implements TorServiceConstants {
script.append(" --log-uid");
script.append(" || exit\n");
}
-
- // Reject DNS that is not from Tor (order is important - first matched rule counts!)
- script.append(ipTablesPath);
- script.append(" -t filter");
- script.append(" -A OUTPUT");
- script.append(" -p udp");
- script.append(" --dport ");
- script.append(STANDARD_DNS_PORT);
- script.append(" -j REJECT");
- script.append(" || exit\n");
-
- // Reject all other outbound TCP packets
+
+ // Reject all other outbound packets by default
script.append(ipTablesPath);
script.append(" -t filter");
- script.append(" -A OUTPUT");
- script.append(" -p tcp");
- script.append(" -j REJECT");
+ script.append(" -P OUTPUT DROP");
script.append(" || exit\n");
String[] cmdAdd = {script.toString()};
--
1.7.9.5

0
patches/transproxy.patch Normal file
View File

View File

@ -0,0 +1,247 @@
From a81741afe06ac2309b4306dedbd5a0ebf755b7e1 Mon Sep 17 00:00:00 2001
From: patch <patrickbx@gmail.com>
Date: Fri, 31 Aug 2012 17:25:52 -0400
Subject: [PATCH] Addendum to the last commit on UDP transproxy rules. Trying
to simplfy the iptables rules didn't work out so this is a
minimal change from the original TorTransProxy.java file.
UDP is blocked and tested as working.
---
.../torproject/android/service/TorTransProxy.java | 144 ++++++++++++--------
1 file changed, 84 insertions(+), 60 deletions(-)
diff --git a/src/org/torproject/android/service/TorTransProxy.java b/src/org/torproject/android/service/TorTransProxy.java
index c248a9f..90bdc34 100644
--- a/src/org/torproject/android/service/TorTransProxy.java
+++ b/src/org/torproject/android/service/TorTransProxy.java
@@ -224,15 +224,6 @@ public class TorTransProxy implements TorServiceConstants {
int torUid = context.getApplicationInfo().uid;
- // Allow everything for Tor
- script.append(ipTablesPath);
- script.append(" -t filter");
- script.append(" -A OUTPUT");
- script.append(" -m owner --uid-owner ");
- script.append(torUid);
- script.append(" -j ACCEPT");
- script.append(" || exit\n");
-
//build up array of shell cmds to execute under one root context
for (TorifiedApp tApp:apps)
{
@@ -244,9 +235,9 @@ public class TorTransProxy implements TorServiceConstants {
{
TorService.logMessage("enabling transproxy for app: " + tApp.getUsername() + "(" + tApp.getUid() + ")");
-
- // Set up port redirection
- script.append(ipTablesPath);
+
+ // Set up port redirection
+ script.append(ipTablesPath);
script.append(" -t nat");
script.append(" -A OUTPUT -p tcp");
script.append(" ! -d 127.0.0.1"); //allow access to localhost
@@ -260,28 +251,14 @@ public class TorTransProxy implements TorServiceConstants {
// Same for DNS
script.append(ipTablesPath);
script.append(" -t nat");
- script.append(" -A OUTPUT -p udp");
- script.append(" -m owner --uid-owner ");
+ script.append(" -A OUTPUT -p udp -m owner --uid-owner ");
script.append(tApp.getUid());
script.append(" -m udp --dport ");
script.append(STANDARD_DNS_PORT);
script.append(" -j REDIRECT --to-ports ");
script.append(TOR_DNS_PORT);
script.append(" || exit\n");
-
- // Allow loopback
- script.append(ipTablesPath);
- script.append(" -t filter");
- script.append(" -A OUTPUT");
- script.append(" -m owner --uid-owner ");
- script.append(tApp.getUid());
- script.append(" -o lo");
- script.append(" -j ACCEPT");
- script.append(" || exit\n");
-
- /*
- //Outgoing loopback already allowed (23/7/12)
-
+
int[] ports = {TOR_DNS_PORT,TOR_TRANSPROXY_PORT,PORT_SOCKS,PORT_HTTP};
for (int port : ports)
@@ -299,8 +276,30 @@ public class TorTransProxy implements TorServiceConstants {
script.append(" -j ACCEPT");
script.append(" || exit\n");
}
- */
-
+
+ // Allow loopback
+ script.append(ipTablesPath);
+ script.append(" -t filter");
+ script.append(" -A OUTPUT");
+ script.append(" -m owner --uid-owner ");
+ script.append(tApp.getUid());
+ script.append(" -p tcp");
+ script.append(" -o lo");
+ script.append(" -j ACCEPT");
+ script.append(" || exit\n");
+
+ // Reject DNS that is not from Tor (order is important - first matched rule counts!)
+ script.append(ipTablesPath);
+ script.append(" -t filter");
+ script.append(" -A OUTPUT");
+ script.append(" -m owner --uid-owner ");
+ script.append(tApp.getUid());
+ script.append(" -p udp");
+ script.append(" --dport ");
+ script.append(STANDARD_DNS_PORT);
+ script.append(" -j REJECT");
+ script.append(" || exit\n");
+
// Reject all other outbound TCP packets
script.append(ipTablesPath);
script.append(" -t filter");
@@ -321,10 +320,19 @@ public class TorTransProxy implements TorServiceConstants {
script.append(" -j REJECT");
script.append(" || exit\n");
-
}
}
+
+ // Allow everything for Tor
+ script.append(ipTablesPath);
+ script.append(" -t filter");
+ script.append(" -A OUTPUT");
+ script.append(" -m owner --uid-owner ");
+ script.append(torUid);
+ script.append(" -j ACCEPT");
+ script.append(" || exit\n");
+
String[] cmdAdd = {script.toString()};
code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor);
@@ -452,8 +460,8 @@ public class TorTransProxy implements TorServiceConstants {
int torUid = context.getApplicationInfo().uid;
- // Set up port redirection
- script.append(ipTablesPath);
+ // Set up port redirection
+ script.append(ipTablesPath);
script.append(" -t nat");
script.append(" -A OUTPUT -p tcp");
script.append(" ! -d 127.0.0.1"); //allow access to localhost
@@ -467,36 +475,14 @@ public class TorTransProxy implements TorServiceConstants {
// Same for DNS
script.append(ipTablesPath);
script.append(" -t nat");
- script.append(" -A OUTPUT -p udp");
- script.appent(" -m owner ! --uid-owner ");
+ script.append(" -A OUTPUT -p udp -m owner ! --uid-owner ");
script.append(torUid);
script.append(" -m udp --dport ");
script.append(STANDARD_DNS_PORT);
script.append(" -j REDIRECT --to-ports ");
script.append(TOR_DNS_PORT);
script.append(" || exit\n");
-
- // Allow loopback
- script.append(ipTablesPath);
- script.append(" -t filter");
- script.append(" -A OUTPUT");
- script.append(" -o lo");
- script.append(" -j ACCEPT");
- script.append(" || exit\n");
- // Allow everything for Tor
- script.append(ipTablesPath);
- script.append(" -t filter");
- script.append(" -A OUTPUT");
- script.append(" -m owner --uid-owner ");
- script.append(torUid);
- script.append(" -j ACCEPT");
- script.append(" || exit\n");
-
-
- /*
- //Outgoing loopback already allowed (23/7/12)
-
int[] ports = {TOR_DNS_PORT,TOR_TRANSPROXY_PORT,PORT_SOCKS,PORT_HTTP};
for (int port : ports)
@@ -514,8 +500,25 @@ public class TorTransProxy implements TorServiceConstants {
script.append(" -j ACCEPT");
script.append(" || exit\n");
- } */
+ }
+
+ // Allow loopback
+ script.append(ipTablesPath);
+ script.append(" -t filter");
+ script.append(" -A OUTPUT");
+ script.append(" -p tcp");
+ script.append(" -o lo");
+ script.append(" -j ACCEPT");
+ script.append(" || exit\n");
+ // Allow everything for Tor
+ script.append(ipTablesPath);
+ script.append(" -t filter");
+ script.append(" -A OUTPUT");
+ script.append(" -m owner --uid-owner ");
+ script.append(torUid);
+ script.append(" -j ACCEPT");
+ script.append(" || exit\n");
if (TorService.ENABLE_DEBUG_LOG)
{
@@ -539,13 +542,34 @@ public class TorTransProxy implements TorServiceConstants {
script.append(" --log-uid");
script.append(" || exit\n");
}
-
- // Reject all other outbound packets by default
+
+ // Reject DNS that is not from Tor (order is important - first matched rule counts!)
script.append(ipTablesPath);
script.append(" -t filter");
- script.append(" -P OUTPUT DROP");
+ script.append(" -A OUTPUT");
+ script.append(" -p udp");
+ script.append(" --dport ");
+ script.append(STANDARD_DNS_PORT);
+ script.append(" -j REJECT");
script.append(" || exit\n");
+ // Reject all other outbound TCP packets
+ script.append(ipTablesPath);
+ script.append(" -t filter");
+ script.append(" -A OUTPUT");
+ script.append(" -p tcp");
+ script.append(" -j REJECT");
+ script.append(" || exit\n");
+
+ // Reject all other outbound UDP packets
+ script.append(ipTablesPath);
+ script.append(" -t filter");
+ script.append(" -A OUTPUT");
+ script.append(" -p udp");
+ script.append(" -j REJECT");
+ script.append(" || exit\n");
+
+
String[] cmdAdd = {script.toString()};
code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor);
--
1.7.9.5