Modified iptables rules for transproxying. UDP is now blocked. Also removed some redundant rules and reordered others. I reordered by the idea that its generally easier to specifically allow traffic before your reject it.

Signed-off-by: n8fr8 <nathan@freitas.net>
This commit is contained in:
patch 2012-07-23 16:12:55 -04:00 committed by n8fr8
parent eb2f1c22df
commit c2f3f77053
1 changed files with 70 additions and 75 deletions

View File

@ -224,6 +224,15 @@ public class TorTransProxy implements TorServiceConstants {
int torUid = context.getApplicationInfo().uid; int torUid = context.getApplicationInfo().uid;
// Allow everything for Tor
script.append(ipTablesPath);
script.append(" -t filter");
script.append(" -A OUTPUT");
script.append(" -m owner --uid-owner ");
script.append(torUid);
script.append(" -j ACCEPT");
script.append(" || exit\n");
//build up array of shell cmds to execute under one root context //build up array of shell cmds to execute under one root context
for (TorifiedApp tApp:apps) for (TorifiedApp tApp:apps)
{ {
@ -235,9 +244,9 @@ public class TorTransProxy implements TorServiceConstants {
{ {
TorService.logMessage("enabling transproxy for app: " + tApp.getUsername() + "(" + tApp.getUid() + ")"); TorService.logMessage("enabling transproxy for app: " + tApp.getUsername() + "(" + tApp.getUid() + ")");
// Set up port redirection // Set up port redirection
script.append(ipTablesPath); script.append(ipTablesPath);
script.append(" -t nat"); script.append(" -t nat");
script.append(" -A OUTPUT -p tcp"); script.append(" -A OUTPUT -p tcp");
script.append(" ! -d 127.0.0.1"); //allow access to localhost script.append(" ! -d 127.0.0.1"); //allow access to localhost
@ -251,14 +260,28 @@ public class TorTransProxy implements TorServiceConstants {
// Same for DNS // Same for DNS
script.append(ipTablesPath); script.append(ipTablesPath);
script.append(" -t nat"); script.append(" -t nat");
script.append(" -A OUTPUT -p udp -m owner --uid-owner "); script.append(" -A OUTPUT -p udp");
script.append(" -m owner --uid-owner ");
script.append(tApp.getUid()); script.append(tApp.getUid());
script.append(" -m udp --dport "); script.append(" -m udp --dport ");
script.append(STANDARD_DNS_PORT); script.append(STANDARD_DNS_PORT);
script.append(" -j REDIRECT --to-ports "); script.append(" -j REDIRECT --to-ports ");
script.append(TOR_DNS_PORT); script.append(TOR_DNS_PORT);
script.append(" || exit\n"); script.append(" || exit\n");
// Allow loopback
script.append(ipTablesPath);
script.append(" -t filter");
script.append(" -A OUTPUT");
script.append(" -m owner --uid-owner ");
script.append(tApp.getUid());
script.append(" -o lo");
script.append(" -j ACCEPT");
script.append(" || exit\n");
/*
//Outgoing loopback already allowed (23/7/12)
int[] ports = {TOR_DNS_PORT,TOR_TRANSPROXY_PORT,PORT_SOCKS,PORT_HTTP}; int[] ports = {TOR_DNS_PORT,TOR_TRANSPROXY_PORT,PORT_SOCKS,PORT_HTTP};
for (int port : ports) for (int port : ports)
@ -276,30 +299,8 @@ public class TorTransProxy implements TorServiceConstants {
script.append(" -j ACCEPT"); script.append(" -j ACCEPT");
script.append(" || exit\n"); script.append(" || exit\n");
} }
*/
// Allow loopback
script.append(ipTablesPath);
script.append(" -t filter");
script.append(" -A OUTPUT");
script.append(" -m owner --uid-owner ");
script.append(tApp.getUid());
script.append(" -p tcp");
script.append(" -o lo");
script.append(" -j ACCEPT");
script.append(" || exit\n");
// Reject DNS that is not from Tor (order is important - first matched rule counts!)
script.append(ipTablesPath);
script.append(" -t filter");
script.append(" -A OUTPUT");
script.append(" -m owner --uid-owner ");
script.append(tApp.getUid());
script.append(" -p udp");
script.append(" --dport ");
script.append(STANDARD_DNS_PORT);
script.append(" -j REJECT");
script.append(" || exit\n");
// Reject all other outbound TCP packets // Reject all other outbound TCP packets
script.append(ipTablesPath); script.append(ipTablesPath);
script.append(" -t filter"); script.append(" -t filter");
@ -309,20 +310,21 @@ public class TorTransProxy implements TorServiceConstants {
script.append(" -p tcp"); script.append(" -p tcp");
script.append(" -j REJECT"); script.append(" -j REJECT");
script.append(" || exit\n"); script.append(" || exit\n");
// Reject all other outbound UDP packets
script.append(ipTablesPath);
script.append(" -t filter");
script.append(" -A OUTPUT");
script.append(" -m owner --uid-owner ");
script.append(tApp.getUid());
script.append(" -p udp");
script.append(" -j REJECT");
script.append(" || exit\n");
} }
} }
// Allow everything for Tor
script.append(ipTablesPath);
script.append(" -t filter");
script.append(" -A OUTPUT");
script.append(" -m owner --uid-owner ");
script.append(torUid);
script.append(" -j ACCEPT");
script.append(" || exit\n");
String[] cmdAdd = {script.toString()}; String[] cmdAdd = {script.toString()};
code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor); code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor);
@ -450,8 +452,8 @@ public class TorTransProxy implements TorServiceConstants {
int torUid = context.getApplicationInfo().uid; int torUid = context.getApplicationInfo().uid;
// Set up port redirection // Set up port redirection
script.append(ipTablesPath); script.append(ipTablesPath);
script.append(" -t nat"); script.append(" -t nat");
script.append(" -A OUTPUT -p tcp"); script.append(" -A OUTPUT -p tcp");
script.append(" ! -d 127.0.0.1"); //allow access to localhost script.append(" ! -d 127.0.0.1"); //allow access to localhost
@ -465,14 +467,36 @@ public class TorTransProxy implements TorServiceConstants {
// Same for DNS // Same for DNS
script.append(ipTablesPath); script.append(ipTablesPath);
script.append(" -t nat"); script.append(" -t nat");
script.append(" -A OUTPUT -p udp -m owner ! --uid-owner "); script.append(" -A OUTPUT -p udp");
script.appent(" -m owner ! --uid-owner ");
script.append(torUid); script.append(torUid);
script.append(" -m udp --dport "); script.append(" -m udp --dport ");
script.append(STANDARD_DNS_PORT); script.append(STANDARD_DNS_PORT);
script.append(" -j REDIRECT --to-ports "); script.append(" -j REDIRECT --to-ports ");
script.append(TOR_DNS_PORT); script.append(TOR_DNS_PORT);
script.append(" || exit\n"); script.append(" || exit\n");
// Allow loopback
script.append(ipTablesPath);
script.append(" -t filter");
script.append(" -A OUTPUT");
script.append(" -o lo");
script.append(" -j ACCEPT");
script.append(" || exit\n");
// Allow everything for Tor
script.append(ipTablesPath);
script.append(" -t filter");
script.append(" -A OUTPUT");
script.append(" -m owner --uid-owner ");
script.append(torUid);
script.append(" -j ACCEPT");
script.append(" || exit\n");
/*
//Outgoing loopback already allowed (23/7/12)
int[] ports = {TOR_DNS_PORT,TOR_TRANSPROXY_PORT,PORT_SOCKS,PORT_HTTP}; int[] ports = {TOR_DNS_PORT,TOR_TRANSPROXY_PORT,PORT_SOCKS,PORT_HTTP};
for (int port : ports) for (int port : ports)
@ -490,25 +514,8 @@ public class TorTransProxy implements TorServiceConstants {
script.append(" -j ACCEPT"); script.append(" -j ACCEPT");
script.append(" || exit\n"); script.append(" || exit\n");
} } */
// Allow loopback
script.append(ipTablesPath);
script.append(" -t filter");
script.append(" -A OUTPUT");
script.append(" -p tcp");
script.append(" -o lo");
script.append(" -j ACCEPT");
script.append(" || exit\n");
// Allow everything for Tor
script.append(ipTablesPath);
script.append(" -t filter");
script.append(" -A OUTPUT");
script.append(" -m owner --uid-owner ");
script.append(torUid);
script.append(" -j ACCEPT");
script.append(" || exit\n");
if (TorService.ENABLE_DEBUG_LOG) if (TorService.ENABLE_DEBUG_LOG)
{ {
@ -532,23 +539,11 @@ public class TorTransProxy implements TorServiceConstants {
script.append(" --log-uid"); script.append(" --log-uid");
script.append(" || exit\n"); script.append(" || exit\n");
} }
// Reject DNS that is not from Tor (order is important - first matched rule counts!) // Reject all other outbound packets by default
script.append(ipTablesPath); script.append(ipTablesPath);
script.append(" -t filter"); script.append(" -t filter");
script.append(" -A OUTPUT"); script.append(" -P OUTPUT DROP");
script.append(" -p udp");
script.append(" --dport ");
script.append(STANDARD_DNS_PORT);
script.append(" -j REJECT");
script.append(" || exit\n");
// Reject all other outbound TCP packets
script.append(ipTablesPath);
script.append(" -t filter");
script.append(" -A OUTPUT");
script.append(" -p tcp");
script.append(" -j REJECT");
script.append(" || exit\n"); script.append(" || exit\n");
String[] cmdAdd = {script.toString()}; String[] cmdAdd = {script.toString()};