Modified iptables rules for transproxying. UDP is now blocked. Also removed some redundant rules and reordered others. I reordered by the idea that its generally easier to specifically allow traffic before your reject it.

Signed-off-by: n8fr8 <nathan@freitas.net>
2012-07-23 16:12:55 -04:00 · 2012-07-23 16:12:55 -04:00 · c2f3f77053
parent eb2f1c22df
commit c2f3f77053
1 changed files with 70 additions and 75 deletions
--- a/src/org/torproject/android/service/TorTransProxy.java
+++ b/src/org/torproject/android/service/TorTransProxy.java
@ -224,6 +224,15 @@ public class TorTransProxy implements TorServiceConstants {
 				
    	int torUid = context.getApplicationInfo().uid;

+		// Allow everything for Tor
+		script.append(ipTablesPath);
+		script.append(" -t filter");
+		script.append(" -A OUTPUT");
+		script.append(" -m owner --uid-owner ");
+		script.append(torUid);
+		script.append(" -j ACCEPT");
+		script.append(" || exit\n");
+
 		//build up array of shell cmds to execute under one root context
 		for (TorifiedApp tApp:apps)
 		{
@ -235,9 +244,9 @@ public class TorTransProxy implements TorServiceConstants {
 			{
 				
 				TorService.logMessage("enabling transproxy for app: " + tApp.getUsername() + "(" + tApp.getUid() + ")");
-			 
-				// Set up port redirection
-		    	script.append(ipTablesPath);
+
+			 	// Set up port redirection
+				script.append(ipTablesPath);
 				script.append(" -t nat");
 				script.append(" -A OUTPUT -p tcp");
 				script.append(" ! -d 127.0.0.1"); //allow access to localhost
@ -251,14 +260,28 @@ public class TorTransProxy implements TorServiceConstants {
 				// Same for DNS
 				script.append(ipTablesPath);
 				script.append(" -t nat");
-				script.append(" -A OUTPUT -p udp -m owner --uid-owner ");
+				script.append(" -A OUTPUT -p udp");
+				script.append(" -m owner --uid-owner ");
 				script.append(tApp.getUid());
 				script.append(" -m udp --dport "); 
 				script.append(STANDARD_DNS_PORT);
 				script.append(" -j REDIRECT --to-ports ");
 				script.append(TOR_DNS_PORT);
 				script.append(" || exit\n");
-				
+
+				// Allow loopback
+				script.append(ipTablesPath);
+				script.append(" -t filter");
+				script.append(" -A OUTPUT");
+				script.append(" -m owner --uid-owner ");
+				script.append(tApp.getUid());
+				script.append(" -o lo");
+				script.append(" -j ACCEPT");
+				script.append(" || exit\n");
+
+				/* 	
+				//Outgoing loopback already allowed (23/7/12)
+
 				int[] ports = {TOR_DNS_PORT,TOR_TRANSPROXY_PORT,PORT_SOCKS,PORT_HTTP};
 				
 				for (int port : ports)
@ -276,30 +299,8 @@ public class TorTransProxy implements TorServiceConstants {
 					script.append(" -j ACCEPT");
 					script.append(" || exit\n");				
 				}
-				
-				// Allow loopback
-				script.append(ipTablesPath);
-				script.append(" -t filter");
-				script.append(" -A OUTPUT");
-				script.append(" -m owner --uid-owner ");
-				script.append(tApp.getUid());
-				script.append(" -p tcp");
-				script.append(" -o lo");
-				script.append(" -j ACCEPT");
-				script.append(" || exit\n");
-				
-				// Reject DNS that is not from Tor (order is important - first matched rule counts!)
-				script.append(ipTablesPath);
-				script.append(" -t filter");
-				script.append(" -A OUTPUT");
-				script.append(" -m owner --uid-owner ");
-				script.append(tApp.getUid());
-				script.append(" -p udp");
-				script.append(" --dport ");
-				script.append(STANDARD_DNS_PORT);
-				script.append(" -j REJECT");
-				script.append(" || exit\n");
-				
+				*/
+
 				// Reject all other outbound TCP packets
 				script.append(ipTablesPath);
 				script.append(" -t filter");
@ -309,20 +310,21 @@ public class TorTransProxy implements TorServiceConstants {
 				script.append(" -p tcp");
 				script.append(" -j REJECT");
 				script.append(" || exit\n");
+
+				// Reject all other outbound UDP packets
+				script.append(ipTablesPath);
+				script.append(" -t filter");
+				script.append(" -A OUTPUT");
+				script.append(" -m owner --uid-owner ");
+				script.append(tApp.getUid());
+				script.append(" -p udp");
+				script.append(" -j REJECT");
+				script.append(" || exit\n");
+
 				
 			}		
 		}			
-		

-		// Allow everything for Tor
-		script.append(ipTablesPath);
-		script.append(" -t filter");
-		script.append(" -A OUTPUT");
-		script.append(" -m owner --uid-owner ");
-		script.append(torUid);
-		script.append(" -j ACCEPT");
-		script.append(" || exit\n");
-		
 		String[] cmdAdd = {script.toString()};    	
    		
 		code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor);
@ -450,8 +452,8 @@ public class TorTransProxy implements TorServiceConstants {
    	
    	int torUid = context.getApplicationInfo().uid;

-    	// Set up port redirection
-    	script.append(ipTablesPath);
+		// Set up port redirection
+		script.append(ipTablesPath);
 		script.append(" -t nat");
 		script.append(" -A OUTPUT -p tcp");
 		script.append(" ! -d 127.0.0.1"); //allow access to localhost
@ -465,14 +467,36 @@ public class TorTransProxy implements TorServiceConstants {
 		// Same for DNS
 		script.append(ipTablesPath);
 		script.append(" -t nat");
-		script.append(" -A OUTPUT -p udp -m owner ! --uid-owner ");
+		script.append(" -A OUTPUT -p udp");
+		script.appent(" -m owner ! --uid-owner ");
 		script.append(torUid);
 		script.append(" -m udp --dport "); 
 		script.append(STANDARD_DNS_PORT);
 		script.append(" -j REDIRECT --to-ports ");
 		script.append(TOR_DNS_PORT);
 		script.append(" || exit\n");
+
+		// Allow loopback
+		script.append(ipTablesPath);
+		script.append(" -t filter");
+		script.append(" -A OUTPUT");
+		script.append(" -o lo");
+		script.append(" -j ACCEPT");
+		script.append(" || exit\n");
 		
+		// Allow everything for Tor
+		script.append(ipTablesPath);
+		script.append(" -t filter");
+		script.append(" -A OUTPUT");
+		script.append(" -m owner --uid-owner ");
+		script.append(torUid);
+		script.append(" -j ACCEPT");
+		script.append(" || exit\n");
+	
+
+		/* 	
+		//Outgoing loopback already allowed (23/7/12)
+
 		int[] ports = {TOR_DNS_PORT,TOR_TRANSPROXY_PORT,PORT_SOCKS,PORT_HTTP};
 		
 		for (int port : ports)
@ -490,25 +514,8 @@ public class TorTransProxy implements TorServiceConstants {
 			script.append(" -j ACCEPT");
 			script.append(" || exit\n");
 		
-		}
+		} */
 		
-		// Allow loopback
-		script.append(ipTablesPath);
-		script.append(" -t filter");
-		script.append(" -A OUTPUT");
-		script.append(" -p tcp");
-		script.append(" -o lo");
-		script.append(" -j ACCEPT");
-		script.append(" || exit\n");
-		
-		// Allow everything for Tor
-		script.append(ipTablesPath);
-		script.append(" -t filter");
-		script.append(" -A OUTPUT");
-		script.append(" -m owner --uid-owner ");
-		script.append(torUid);
-		script.append(" -j ACCEPT");
-		script.append(" || exit\n");
 		
 		if (TorService.ENABLE_DEBUG_LOG)
 		{
@ -532,23 +539,11 @@ public class TorTransProxy implements TorServiceConstants {
 			script.append(" --log-uid");
 			script.append(" || exit\n");
 		}
-		
-		// Reject DNS that is not from Tor (order is important - first matched rule counts!)
+			
+		// Reject all other outbound packets by default
 		script.append(ipTablesPath);
 		script.append(" -t filter");
-		script.append(" -A OUTPUT");
-		script.append(" -p udp");
-		script.append(" --dport ");
-		script.append(STANDARD_DNS_PORT);
-		script.append(" -j REJECT");
-		script.append(" || exit\n");
-		
-		// Reject all other outbound TCP packets
-		script.append(ipTablesPath);
-		script.append(" -t filter");
-		script.append(" -A OUTPUT");
-		script.append(" -p tcp");
-		script.append(" -j REJECT");
+		script.append(" -P OUTPUT DROP");
 		script.append(" || exit\n");
 		
 		String[] cmdAdd = {script.toString()};