[tor-commits] [orbot/master] fixes for transproxy to fix DNS leaks in some cases

commit c68ce2ce1e0030a0baa43e3a1ef0280ba3d13a61 Author: Nathan Freitas nathan@freitas.net Date: Tue Apr 15 00:22:52 2014 -0400

fixes for transproxy to fix DNS leaks in some cases latest RC was leaking DNS due to updates iptables/xtables binary and need for new iptables rules format --- .../torproject/android/service/TorTransProxy.java | 170 +++++++++++--------- 1 file changed, 95 insertions(+), 75 deletions(-)

diff --git a/src/org/torproject/android/service/TorTransProxy.java b/src/org/torproject/android/service/TorTransProxy.java index b813ac8..5a11ebf 100644 --- a/src/org/torproject/android/service/TorTransProxy.java +++ b/src/org/torproject/android/service/TorTransProxy.java @@ -303,12 +303,24 @@ public class TorTransProxy implements TorServiceConstants { logMessage("enabling transproxy for app: " + tApp.getUsername() + "(" + tApp.getUid() + ")"); + + // Allow loopback + script.append(ipTablesPath); + script.append(" -t filter"); + script.append(" -A ").append(srcChainName); + script.append(" -m owner --uid-owner "); + script.append(tApp.getUid()); + script.append(" -o lo"); + script.append(" -j ACCEPT"); + + executeCommand (shell, script.toString()); + script = new StringBuilder(); + // Set up port redirection script.append(ipTablesPath); script.append(" -t nat"); script.append(" -A ").append(srcChainName); script.append(" -p tcp"); - script.append(" ! -d 127.0.0.1"); //allow access to localhost script.append(" -m owner --uid-owner "); script.append(tApp.getUid()); script.append(" -m tcp --syn"); @@ -320,20 +332,23 @@ public class TorTransProxy implements TorServiceConstants { // Same for DNS script.append(ipTablesPath); - script.append(" -t nat"); - script.append(" -A ").append(srcChainName); - script.append(" -p udp -m owner --uid-owner "); + script.append(" -t nat"); + script.append(" -A ").append(srcChainName); + script.append(" -p udp"); + script.append(" ! -d 127.0.0.1"); //allow access to localhost + script.append(" -m owner ! --uid-owner "); script.append(tApp.getUid()); script.append(" -m udp --dport "); script.append(STANDARD_DNS_PORT); script.append(" -j REDIRECT --to-ports "); script.append(TOR_DNS_PORT);

+ executeCommand (shell, script.toString()); script = new StringBuilder(); - int[] ports = {TOR_DNS_PORT,TOR_TRANSPROXY_PORT,PORT_SOCKS,PORT_HTTP}; + int[] ports = {TOR_TRANSPROXY_PORT,PORT_SOCKS,PORT_HTTP}; for (int port : ports) { @@ -341,57 +356,38 @@ public class TorTransProxy implements TorServiceConstants { script.append(ipTablesPath); script.append(" -t filter"); script.append(" -A ").append(srcChainName); + script.append(" -p tcp"); script.append(" -m owner --uid-owner "); script.append(tApp.getUid()); - script.append(" -p tcp"); - script.append(" -d 127.0.0.1"); script.append(" --dport "); script.append(port); script.append(" -j ACCEPT"); executeCommand (shell, script.toString()); script = new StringBuilder(); - - } - // Allow loopback + // Allow packets to localhost (contains all the port-redirected ones) script.append(ipTablesPath); script.append(" -t filter"); script.append(" -A ").append(srcChainName); + script.append(" -p udp"); script.append(" -m owner --uid-owner "); script.append(tApp.getUid()); - script.append(" -p tcp"); - script.append(" -o lo"); + script.append(" --dport "); + script.append(TOR_DNS_PORT); script.append(" -j ACCEPT"); - - executeCommand (shell, script.toString()); - script = new StringBuilder(); - - // Reject all other outbound TCP packets - script.append(ipTablesPath); - script.append(" -t filter"); - script.append(" -A ").append(srcChainName); - script.append(" -m owner --uid-owner "); - script.append(tApp.getUid()); - script.append(" -p tcp"); - script.append(" ! -d 127.0.0.1"); //allow access to localhost - script.append(" -j REJECT"); - executeCommand (shell, script.toString()); script = new StringBuilder(); - - // Reject all other outbound UDP packets + // Reject all other outbound packets script.append(ipTablesPath); script.append(" -t filter"); script.append(" -A ").append(srcChainName); script.append(" -m owner --uid-owner "); - script.append(tApp.getUid()); - script.append(" -p udp"); - script.append(" ! -d 127.0.0.1"); //allow access to localhost - script.append(" -j REJECT"); + script.append(tApp.getUid()); + script.append(" -j DROP");

lastExit = executeCommand (shell, script.toString()); script = new StringBuilder(); @@ -400,8 +396,6 @@ public class TorTransProxy implements TorServiceConstants { } } - fixTransproxyLeak (context); - shell.close(); return lastExit; @@ -546,8 +540,9 @@ public class TorTransProxy implements TorServiceConstants { StringBuilder script = new StringBuilder(); // Allow everything for Tor + script.append(ipTablesPath); - script.append(" -t filter"); + script.append(" -t nat"); script.append(" -A ").append(srcChainName); script.append(" -m owner --uid-owner "); script.append(torUid); @@ -555,7 +550,17 @@ public class TorTransProxy implements TorServiceConstants { executeCommand (shell, script.toString()); script = new StringBuilder(); + + // Allow loopback + script.append(ipTablesPath); + script.append(" -t nat"); + script.append(" -A ").append(srcChainName); + script.append(" -o lo"); + script.append(" -j ACCEPT"); + + executeCommand (shell, script.toString()); + script = new StringBuilder(); // Set up port redirection script.append(ipTablesPath); @@ -589,38 +594,6 @@ public class TorTransProxy implements TorServiceConstants { script = new StringBuilder(); - /** - int[] ports = {TOR_DNS_PORT,TOR_TRANSPROXY_PORT,PORT_SOCKS,PORT_HTTP}; - - for (int port : ports) - { - // Allow packets to localhost (contains all the port-redirected ones) - script.append(ipTablesPath); - script.append(" -t filter"); - script.append(" -A ").append(srcChainName); - script.append(" -m owner ! --uid-owner "); - script.append(torUid); - script.append(" -p tcp"); - script.append(" -d 127.0.0.1"); - script.append(" --dport "); - script.append(port); - script.append(" -j ACCEPT"); - script.append(" || exit\n"); - - }**/ - - // Allow loopback - script.append(ipTablesPath); - script.append(" -t filter"); - script.append(" -A ").append(srcChainName); - script.append(" -p tcp"); - script.append(" -o lo"); - script.append(" -j ACCEPT"); - - executeCommand (shell, script.toString()); - script = new StringBuilder(); - - if (TorService.ENABLE_DEBUG_LOG) { //XXX: Comment the following rules for non-debug builds @@ -650,32 +623,79 @@ public class TorTransProxy implements TorServiceConstants { }

- // Reject all other outbound TCP packets + //allow access to transproxy port script.append(ipTablesPath); script.append(" -t filter"); script.append(" -A ").append(srcChainName); - script.append(" -m owner ! --uid-owner "); - script.append(torUid); script.append(" -p tcp"); - script.append(" ! -d 127.0.0.1"); //allow access to localhost - script.append(" -j REJECT"); + script.append(" -m tcp"); + script.append(" --dport ").append(TOR_TRANSPROXY_PORT); + script.append(" -j ACCEPT"); + + executeCommand (shell, script.toString()); + script = new StringBuilder(); + + //allow access to local SOCKS port + script.append(ipTablesPath); + script.append(" -t filter"); + script.append(" -A ").append(srcChainName); + script.append(" -p tcp"); + script.append(" -m tcp"); + script.append(" --dport ").append(PORT_SOCKS); + script.append(" -j ACCEPT"); + + executeCommand (shell, script.toString()); + script = new StringBuilder(); + + //allow access to local SOCKS port + script.append(ipTablesPath); + script.append(" -t filter"); + script.append(" -A ").append(srcChainName); + script.append(" -p tcp"); + script.append(" -m tcp"); + script.append(" --dport ").append(PORT_HTTP); + script.append(" -j ACCEPT"); + + executeCommand (shell, script.toString()); + script = new StringBuilder(); + + //allow access to local DNS port + script.append(ipTablesPath); + script.append(" -t filter"); + script.append(" -A ").append(srcChainName); + script.append(" -p udp"); + script.append(" -m udp"); + script.append(" --dport ").append(TOR_DNS_PORT); + script.append(" -j ACCEPT");

executeCommand (shell, script.toString()); script = new StringBuilder(); + //allow access to local DNS port + script.append(ipTablesPath); + script.append(" -t filter"); + script.append(" -A ").append(srcChainName); + script.append(" -p udp"); + script.append(" -m udp"); + script.append(" --dport ").append(TOR_DNS_PORT); + script.append(" -j ACCEPT"); + + executeCommand (shell, script.toString()); + script = new StringBuilder(); + + // Reject all other outbound UDP packets script.append(ipTablesPath); script.append(" -t filter"); script.append(" -A ").append(srcChainName); script.append(" -m owner ! --uid-owner "); script.append(torUid); - script.append(" -p udp"); - script.append(" ! -d 127.0.0.1"); //allow access to localhost - script.append(" -j REJECT"); + script.append(" -j DROP");

int lastExit = executeCommand (shell, script.toString()); fixTransproxyLeak (context); + shell.close(); return lastExit;