[tor-commits] r24713: {projects} merged __sporkbomb's xclnt patch for fixing transproxy all m (projects/android/trunk/Orbot/src/org/torproject/android/service)

Nathan Freitas nathan at freitas.net
Tue May 3 05:56:05 UTC 2011


Author: n8fr8
Date: 2011-05-03 05:56:04 +0000 (Tue, 03 May 2011)
New Revision: 24713

Modified:
   projects/android/trunk/Orbot/src/org/torproject/android/service/TorTransProxy.java
Log:
merged __sporkbomb's xclnt patch for fixing transproxy all mode


Modified: projects/android/trunk/Orbot/src/org/torproject/android/service/TorTransProxy.java
===================================================================
--- projects/android/trunk/Orbot/src/org/torproject/android/service/TorTransProxy.java	2011-05-03 05:54:24 UTC (rev 24712)
+++ projects/android/trunk/Orbot/src/org/torproject/android/service/TorTransProxy.java	2011-05-03 05:56:04 UTC (rev 24713)
@@ -125,19 +125,52 @@
 	}
 	*/
 	
-	public static int setTransparentProxyingByApp(Context context, TorifiedApp[] apps, boolean forceAll) throws Exception
+	public static int testOwnerModule(Context context) throws Exception
 	{
 
 		boolean runRoot = true;
     	boolean waitFor = true;
     	
-		//android.os.Debug.waitForDebugger();
+		//redirectDNSResolvConf(); //not working yet
+    	int torUid = context.getApplicationInfo().uid;
+
+		String ipTablesPath = new File(context.getDir("bin", 0),"iptables").getAbsolutePath();
 		
+    	StringBuilder script = new StringBuilder();
+    	
+    	StringBuilder res = new StringBuilder();
+    	int code = -1;
+    	
+    	// Allow everything for Tor
+		script.append(ipTablesPath);
+		script.append(" -t filter");
+		script.append(" -A OUTPUT");
+		script.append(" -m owner --uid-owner ");
+		script.append(torUid);
+		script.append(" -j ACCEPT");
+		script.append(" || exit\n");
+		
+		String[] cmdAdd = {script.toString()};    	
+    	
+		code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor);
+		String msg = res.toString();
+		TorService.logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg);
+		
+		
+		return code;
+    }	
+	
+	
+	
+	public static int setTransparentProxyingByApp(Context context, TorifiedApp[] apps) throws Exception
+	{
+
+		boolean runRoot = true;
+    	boolean waitFor = true;
+    	
 		//redirectDNSResolvConf(); //not working yet
 		
 		String ipTablesPath = new File(context.getDir("bin", 0),"iptables").getAbsolutePath();
-
-		boolean ipTablesOld = false;
 		
     	StringBuilder script = new StringBuilder();
     	
@@ -145,14 +178,12 @@
     	int code = -1;
     	
     	purgeIptables(context);
-		
-		script = new StringBuilder();
-		
+				
 		//build up array of shell cmds to execute under one root context
 		for (int i = 0; i < apps.length; i++)
 		{
 
-			if (forceAll || apps[i].isTorified()) //if "Tor Everything" on or app is set to true
+			if (apps[i].isTorified()) //if app is set to true
 			{
 				
 				if (apps[i].getUsername().equals(TorServiceConstants.TOR_APP_USERNAME))
@@ -170,14 +201,8 @@
 				script.append(" -m owner --uid-owner ");
 				script.append(apps[i].getUid());
 				script.append(" -m tcp --syn");
-				
-				if (ipTablesOld)
-					script.append(" -j DNAT --to 127.0.0.1:");
-				else
-					script.append(" -j REDIRECT --to-ports ");
-				
+				script.append(" -j REDIRECT --to-ports ");
 				script.append(TOR_TRANSPROXY_PORT);
-				
 				script.append(" || exit\n");
 				
 				//DNS
@@ -187,57 +212,37 @@
 				script.append(apps[i].getUid());
 				script.append(" -m udp --dport "); 
 				script.append(STANDARD_DNS_PORT);
+				script.append(" -j REDIRECT --to-ports ");
+				script.append(TOR_DNS_PORT);
+				script.append(" || exit\n");
 				
-				if (ipTablesOld)
-					script.append(" -j DNAT --to 127.0.0.1:");
-				else
-					script.append(" -j REDIRECT --to-ports ");
+				script.append(ipTablesPath);
+				script.append(" -t filter");
+				script.append(" -A OUTPUT -p tcp");
+				script.append(" -m owner --uid-owner ");
+				script.append(apps[i].getUid());
+				script.append(" -m tcp --dport ");
+				script.append(TOR_TRANSPROXY_PORT);
+				script.append(" -j ACCEPT");
+				script.append(" || exit\n");
 				
+				script.append(ipTablesPath);
+				script.append(" -t filter");
+				script.append(" -A OUTPUT -p udp");
+				script.append(" -m owner --uid-owner ");
+				script.append(apps[i].getUid());
+				script.append(" -m udp --dport ");
 				script.append(TOR_DNS_PORT);
-				
+				script.append(" -j ACCEPT");
 				script.append(" || exit\n");
+									
+				script.append(ipTablesPath);
+				script.append(" -t filter -A OUTPUT -m owner --uid-owner ");
+				script.append(apps[i].getUid());
+				script.append(" -j DROP"); //drop all other packets as Tor won't handle them
+				script.append(" || exit\n");
 				
 				
-				if (ipTablesOld) //for some reason this doesn't work on iptables 1.3.7
-				{
-					script.append(ipTablesPath);
-					script.append(" -t nat");
-					script.append(" -A OUTPUT -m owner --uid-owner ");
-					script.append(apps[i].getUid());
-					script.append(" -j DROP"); 
-					script.append(" || exit\n");
-				}	
-				else
-				{
-					script.append(ipTablesPath);
-					script.append(" -t filter");
-					script.append(" -A OUTPUT -p tcp");
-					script.append(" -m owner --uid-owner ");
-					script.append(apps[i].getUid());
-					script.append(" -m tcp --dport ");
-					script.append(TOR_TRANSPROXY_PORT);
-					script.append(" -j ACCEPT");
-					script.append(" || exit\n");
-					
-					script.append(ipTablesPath);
-					script.append(" -t filter");
-					script.append(" -A OUTPUT -p udp");
-					script.append(" -m owner --uid-owner ");
-					script.append(apps[i].getUid());
-					script.append(" -m udp --dport ");
-					script.append(TOR_DNS_PORT);
-					script.append(" -j ACCEPT");
-					script.append(" || exit\n");
-										
-					script.append(ipTablesPath);
-					script.append(" -t filter -A OUTPUT -m owner --uid-owner ");
-					script.append(apps[i].getUid());
-					script.append(" -j DROP"); //drop all other packets as Tor won't handle them
-					script.append(" || exit\n");
-					
-				}
-				
-				
 			}		
 		}
 		
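Review bot: The two filter ACCEPT rules added at L123-L131 and L133-L141 match any destination on TOR_TRANSPROXY_PORT and TOR_DNS_PORT for the app's uid, although the only traffic that should reach those ports is what the nat REDIRECT rules above already turned into loopback traffic; restricting them to the loopback interface keeps the intent explicit and stops a pre-existing or non-SYN connection to a remote host on the same port number from slipping past the final DROP. That is `script.append(" -o lo");` inserted after L125 and again after L135. The closing rule at L147 uses DROP, whereas the all-mode method added later in this diff ends with REJECT for the same purpose; either is defensible, but the difference in what a blocked app observes (silent timeout versus immediate error) deserves a comment so it is not later "fixed" in one place only. The enclosing for loop and method continue outside this hunk.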
@@ -260,20 +265,13 @@
 		
 		//String baseDir = context.getDir("bin",0).getAbsolutePath() + '/';
 		String ipTablesPath = new File(context.getDir("bin", 0),"iptables").getAbsolutePath();
-
-		boolean ipTablesOld = false;
 		
     	StringBuilder script = new StringBuilder();
     	
     	StringBuilder res = new StringBuilder();
     	int code = -1;
-    	
-    	String[] cmdFlush = {script.toString()};
-		code = TorServiceUtils.doShellCommand(cmdFlush, res, true, true);
-		//String msg = res.toString(); //get stdout from command
+    	purgeIptables(context);
 		
-		script = new StringBuilder();
-		
 		//TCP
 		//iptables -t nat -A PREROUTING -i eth0 -p tcp --dport $srcPortNumber -j REDIRECT --to-port $dstPortNumbe
 
@@ -283,14 +281,8 @@
 		script.append(" --dport ");
 		script.append(port);
 		//script.append(" -m tcp --syn");
-		
-		if (ipTablesOld)
-			script.append(" -j DNAT --to 127.0.0.1:");
-		else
-			script.append(" -j REDIRECT --to-ports ");
-		
+		script.append(" -j REDIRECT --to-ports ");
 		script.append(TOR_TRANSPROXY_PORT);
-		
 		script.append(" || exit\n");
 		
 		script.append(ipTablesPath);
@@ -298,14 +290,8 @@
 		script.append(" -A OUTPUT -p udp");
 		script.append(" --dport ");
 		script.append(port);
-		
-		if (ipTablesOld)
-			script.append(" -j DNAT --to 127.0.0.1:");
-		else
-			script.append(" -j REDIRECT --to-ports ");
-		
+		script.append(" -j REDIRECT --to-ports ");
 		script.append(TOR_TRANSPROXY_PORT);
-		
 		script.append(" || exit\n");
 		
 		//DNS
@@ -314,24 +300,135 @@
 		script.append(" -A OUTPUT -p udp ");
 		script.append(" -m udp --dport "); 
 		script.append(STANDARD_DNS_PORT);
+		script.append(" -j REDIRECT --to-ports ");
+		script.append(TOR_DNS_PORT);
+		script.append(" || exit\n");
 		
-		if (ipTablesOld)
-			script.append(" -j DNAT --to 127.0.0.1:");
-		else
-			script.append(" -j REDIRECT --to-ports ");
+    	
+    	String[] cmdAdd = {script.toString()};    	
+		code = TorServiceUtils.doShellCommand(cmdAdd, res, true, true);
+		String msg = res.toString();
+		TorService.logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg);
 		
+		return code;
+    }
+
+	public static int setTransparentProxyingAll(Context context) throws Exception 
+	{
+		boolean runRoot = true;
+    	boolean waitFor = true;
+    	
+		//redirectDNSResolvConf(); //not working yet
+		
+		String ipTablesPath = new File(context.getDir("bin", 0),"iptables").getAbsolutePath();
+		
+    	StringBuilder script = new StringBuilder();
+    	
+    	StringBuilder res = new StringBuilder();
+    	int code = -1;
+    	
+    	purgeIptables(context);
+    	
+    	int torUid = context.getApplicationInfo().uid;
+
+    	// Set up port redirection
+    	script.append(ipTablesPath);
+		script.append(" -t nat");
+		script.append(" -A OUTPUT -p tcp");
+		script.append(" -m owner ! --uid-owner ");
+		script.append(torUid);
+		script.append(" -m tcp --syn");
+		script.append(" -j REDIRECT --to-ports ");
+		script.append(TOR_TRANSPROXY_PORT);
+		script.append(" || exit\n");
+		
+		// Same for DNS
+		script.append(ipTablesPath);
+		script.append(" -t nat");
+		script.append(" -A OUTPUT -p udp -m owner ! --uid-owner ");
+		script.append(torUid);
+		script.append(" -m udp --dport "); 
+		script.append(STANDARD_DNS_PORT);
+		script.append(" -j REDIRECT --to-ports ");
 		script.append(TOR_DNS_PORT);
+		script.append(" || exit\n");
 		
+		// Allow packets to localhost (contains all the port-redirected ones)
+		script.append(ipTablesPath);
+		script.append(" -t filter");
+		script.append(" -A OUTPUT");
+		script.append(" -p tcp");
+		script.append(" -d 127.0.0.1");
+		script.append(" -j ACCEPT");
 		script.append(" || exit\n");
 		
+		// Allow loopback
+		script.append(ipTablesPath);
+		script.append(" -t filter");
+		script.append(" -A OUTPUT");
+		script.append(" -p tcp");
+		script.append(" -o lo");
+		script.append(" -j ACCEPT");
+		script.append(" || exit\n");
+		
+		// Allow everything for Tor
+		script.append(ipTablesPath);
+		script.append(" -t filter");
+		script.append(" -A OUTPUT");
+		script.append(" -m owner --uid-owner ");
+		script.append(torUid);
+		script.append(" -j ACCEPT");
+		script.append(" || exit\n");
+		
+		if (TorService.ENABLE_DEBUG_LOG)
+		{
+			//XXX: Comment the following rules for non-debug builds
+			script.append(ipTablesPath);
+			script.append(" -t filter");
+			script.append(" -A OUTPUT");
+			script.append(" -p udp");
+			script.append(" --dport ");
+			script.append(STANDARD_DNS_PORT);
+			script.append(" -j LOG");
+			script.append(" --log-prefix='ORBOT_DNSLEAK_PROTECTION'");
+			script.append(" --log-uid");
+			script.append(" || exit\n");
+			script.append(ipTablesPath);
+			script.append(" -t filter");
+			script.append(" -A OUTPUT");
+			script.append(" -p tcp");
+			script.append(" -j LOG");
+			script.append(" --log-prefix='ORBOT_TCPLEAK_PROTECTION'");
+			script.append(" --log-uid");
+			script.append(" || exit\n");
+		}
+		
+		// Reject DNS that is not from Tor (order is important - first matched rule counts!)
+		script.append(ipTablesPath);
+		script.append(" -t filter");
+		script.append(" -A OUTPUT");
+		script.append(" -p udp");
+		script.append(" --dport ");
+		script.append(STANDARD_DNS_PORT);
+		script.append(" -j REJECT");
+		script.append(" || exit\n");
+		
+		// Reject all other outbound TCP packets
+		script.append(ipTablesPath);
+		script.append(" -t filter");
+		script.append(" -A OUTPUT");
+		script.append(" -p tcp");
+		script.append(" -j REJECT");
+		script.append(" || exit\n");
+		
+		String[] cmdAdd = {script.toString()};    	
     	
-    	String[] cmdAdd = {script.toString()};    	
-		code = TorServiceUtils.doShellCommand(cmdAdd, res, true, true);
+		code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor);
 		String msg = res.toString();
 		TorService.logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg);
 		
-		return code;
-    }	
+    	return code;
+	}	
 	
 
 }
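Review bot: setTransparentProxyingAll (L269-L388) only rejects outbound TCP (L369-L375) and UDP to STANDARD_DNS_PORT (L359-L367), so any other traffic from a non-Tor uid — UDP to other ports, ICMP — leaves the device unproxied, and the per-app mode in this same diff ends with a uid-scoped DROP that has no equivalent here. The loopback ACCEPT at L318-L325 is also limited to `-p tcp`, so the DNS that the nat rule at L298-L307 redirects to localhost:TOR_DNS_PORT is only admitted by the chain's default policy (assuming TOR_DNS_PORT is not 53), which a catch-all REJECT would break unless loopback is allowed for every protocol first. I would drop the `-p tcp` from the loopback rule and append a final rule rejecting everything from `! --uid-owner torUid`; that rule also affects system uids, so it needs checking on a device before it ships. The rewritten appends are below; the Tor-uid ACCEPT, debug LOG rules and existing REJECT rules in between are unchanged.

```java
		// Allow loopback for every protocol: the nat REDIRECTs above turn proxied
		// TCP and DNS into loopback traffic, and the UDP case must not depend on
		// the chain's default policy once a catch-all reject is in place
		script.append(ipTablesPath);
		script.append(" -t filter");
		script.append(" -A OUTPUT");
		script.append(" -o lo");
		script.append(" -j ACCEPT");
		script.append(" || exit\n");

		// … unchanged: Tor uid ACCEPT, debug LOG rules, DNS and TCP REJECT rules …

		// Catch-all: anything from a non-Tor uid that was neither redirected nor
		// sent over loopback (other UDP, ICMP, ...) must not leave unproxied
		script.append(ipTablesPath);
		script.append(" -t filter");
		script.append(" -A OUTPUT");
		script.append(" -m owner ! --uid-owner ");
		script.append(torUid);
		script.append(" -j REJECT");
		script.append(" || exit\n");

		String[] cmdAdd = {script.toString()};
```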


