diff --git a/src/org/torproject/android/service/TorTransProxy.java b/src/org/torproject/android/service/TorTransProxy.java index 25711234..c248a9fa 100644 --- a/src/org/torproject/android/service/TorTransProxy.java +++ b/src/org/torproject/android/service/TorTransProxy.java @@ -224,6 +224,15 @@ public class TorTransProxy implements TorServiceConstants { int torUid = context.getApplicationInfo().uid; + // Allow everything for Tor + script.append(ipTablesPath); + script.append(" -t filter"); + script.append(" -A OUTPUT"); + script.append(" -m owner --uid-owner "); + script.append(torUid); + script.append(" -j ACCEPT"); + script.append(" || exit\n"); + //build up array of shell cmds to execute under one root context for (TorifiedApp tApp:apps) { @@ -235,9 +244,9 @@ public class TorTransProxy implements TorServiceConstants { { TorService.logMessage("enabling transproxy for app: " + tApp.getUsername() + "(" + tApp.getUid() + ")"); - - // Set up port redirection - script.append(ipTablesPath); + + // Set up port redirection + script.append(ipTablesPath); script.append(" -t nat"); script.append(" -A OUTPUT -p tcp"); script.append(" ! -d 127.0.0.1"); //allow access to localhost @@ -251,14 +260,28 @@ public class TorTransProxy implements TorServiceConstants { // Same for DNS script.append(ipTablesPath); script.append(" -t nat"); - script.append(" -A OUTPUT -p udp -m owner --uid-owner "); + script.append(" -A OUTPUT -p udp"); + script.append(" -m owner --uid-owner "); script.append(tApp.getUid()); script.append(" -m udp --dport "); script.append(STANDARD_DNS_PORT); script.append(" -j REDIRECT --to-ports "); script.append(TOR_DNS_PORT); script.append(" || exit\n"); - + + // Allow loopback + script.append(ipTablesPath); + script.append(" -t filter"); + script.append(" -A OUTPUT"); + script.append(" -m owner --uid-owner "); + script.append(tApp.getUid()); + script.append(" -o lo"); + script.append(" -j ACCEPT"); + script.append(" || exit\n"); + + /* + //Outgoing loopback already allowed (23/7/12) + int[] ports = {TOR_DNS_PORT,TOR_TRANSPROXY_PORT,PORT_SOCKS,PORT_HTTP}; for (int port : ports) @@ -276,30 +299,8 @@ public class TorTransProxy implements TorServiceConstants { script.append(" -j ACCEPT"); script.append(" || exit\n"); } - - // Allow loopback - script.append(ipTablesPath); - script.append(" -t filter"); - script.append(" -A OUTPUT"); - script.append(" -m owner --uid-owner "); - script.append(tApp.getUid()); - script.append(" -p tcp"); - script.append(" -o lo"); - script.append(" -j ACCEPT"); - script.append(" || exit\n"); - - // Reject DNS that is not from Tor (order is important - first matched rule counts!) - script.append(ipTablesPath); - script.append(" -t filter"); - script.append(" -A OUTPUT"); - script.append(" -m owner --uid-owner "); - script.append(tApp.getUid()); - script.append(" -p udp"); - script.append(" --dport "); - script.append(STANDARD_DNS_PORT); - script.append(" -j REJECT"); - script.append(" || exit\n"); - + */ + // Reject all other outbound TCP packets script.append(ipTablesPath); script.append(" -t filter"); @@ -309,20 +310,21 @@ public class TorTransProxy implements TorServiceConstants { script.append(" -p tcp"); script.append(" -j REJECT"); script.append(" || exit\n"); + + // Reject all other outbound UDP packets + script.append(ipTablesPath); + script.append(" -t filter"); + script.append(" -A OUTPUT"); + script.append(" -m owner --uid-owner "); + script.append(tApp.getUid()); + script.append(" -p udp"); + script.append(" -j REJECT"); + script.append(" || exit\n"); + } } - - // Allow everything for Tor - script.append(ipTablesPath); - script.append(" -t filter"); - script.append(" -A OUTPUT"); - script.append(" -m owner --uid-owner "); - script.append(torUid); - script.append(" -j ACCEPT"); - script.append(" || exit\n"); - String[] cmdAdd = {script.toString()}; code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor); @@ -450,8 +452,8 @@ public class TorTransProxy implements TorServiceConstants { int torUid = context.getApplicationInfo().uid; - // Set up port redirection - script.append(ipTablesPath); + // Set up port redirection + script.append(ipTablesPath); script.append(" -t nat"); script.append(" -A OUTPUT -p tcp"); script.append(" ! -d 127.0.0.1"); //allow access to localhost @@ -465,14 +467,36 @@ public class TorTransProxy implements TorServiceConstants { // Same for DNS script.append(ipTablesPath); script.append(" -t nat"); - script.append(" -A OUTPUT -p udp -m owner ! --uid-owner "); + script.append(" -A OUTPUT -p udp"); + script.appent(" -m owner ! --uid-owner "); script.append(torUid); script.append(" -m udp --dport "); script.append(STANDARD_DNS_PORT); script.append(" -j REDIRECT --to-ports "); script.append(TOR_DNS_PORT); script.append(" || exit\n"); + + // Allow loopback + script.append(ipTablesPath); + script.append(" -t filter"); + script.append(" -A OUTPUT"); + script.append(" -o lo"); + script.append(" -j ACCEPT"); + script.append(" || exit\n"); + // Allow everything for Tor + script.append(ipTablesPath); + script.append(" -t filter"); + script.append(" -A OUTPUT"); + script.append(" -m owner --uid-owner "); + script.append(torUid); + script.append(" -j ACCEPT"); + script.append(" || exit\n"); + + + /* + //Outgoing loopback already allowed (23/7/12) + int[] ports = {TOR_DNS_PORT,TOR_TRANSPROXY_PORT,PORT_SOCKS,PORT_HTTP}; for (int port : ports) @@ -490,25 +514,8 @@ public class TorTransProxy implements TorServiceConstants { script.append(" -j ACCEPT"); script.append(" || exit\n"); - } + } */ - // Allow loopback - script.append(ipTablesPath); - script.append(" -t filter"); - script.append(" -A OUTPUT"); - script.append(" -p tcp"); - script.append(" -o lo"); - script.append(" -j ACCEPT"); - script.append(" || exit\n"); - - // Allow everything for Tor - script.append(ipTablesPath); - script.append(" -t filter"); - script.append(" -A OUTPUT"); - script.append(" -m owner --uid-owner "); - script.append(torUid); - script.append(" -j ACCEPT"); - script.append(" || exit\n"); if (TorService.ENABLE_DEBUG_LOG) { @@ -532,23 +539,11 @@ public class TorTransProxy implements TorServiceConstants { script.append(" --log-uid"); script.append(" || exit\n"); } - - // Reject DNS that is not from Tor (order is important - first matched rule counts!) + + // Reject all other outbound packets by default script.append(ipTablesPath); script.append(" -t filter"); - script.append(" -A OUTPUT"); - script.append(" -p udp"); - script.append(" --dport "); - script.append(STANDARD_DNS_PORT); - script.append(" -j REJECT"); - script.append(" || exit\n"); - - // Reject all other outbound TCP packets - script.append(ipTablesPath); - script.append(" -t filter"); - script.append(" -A OUTPUT"); - script.append(" -p tcp"); - script.append(" -j REJECT"); + script.append(" -P OUTPUT DROP"); script.append(" || exit\n"); String[] cmdAdd = {script.toString()};