-
Notifications
You must be signed in to change notification settings - Fork 3
Expand file tree
/
Copy pathjailbox-start
More file actions
executable file
·169 lines (140 loc) · 6.07 KB
/
jailbox-start
File metadata and controls
executable file
·169 lines (140 loc) · 6.07 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
#!/bin/bash
if [ $UID -ne 0 ]; then
echo "Superuser rights required" >&2
exit 2
fi
source /etc/jailbox/config
if [[ "${PreStart}" ]]; then
bash -c "${PreStart}"
fi
for i in $(seq 0 $((tor_count - 1))); do
data_dir="${tor_dir}_${i}"
mkdir -p "${data_dir}"
chown -R ${tor_user}:${tor_user} "${data_dir}" && chmod -R 700 "${data_dir}"
_transport=$((tor_trans_port + i))
_dnsport=$((tor_dns_port + i))
sed -e "s|#tor_user|$tor_user|" -e "s|#data_dir|$data_dir|" -e "s|#pid_file|${data_dir}/tor.pid|" -e "s|#tor_virt_addr|$tor_virt_addr|" -e \
"s|#tor_trans_port|$_transport|" -e "s|#tor_dns_port|$_dnsport|" /etc/jailbox/torrc >"${data_dir}/torrc"
tor -f "${data_dir}/torrc"
done
# mount resolv.conf for isolated namespace
mkdir -p "/etc/netns/${namespace}"
_resolve="/etc/netns/${namespace}/resolv.conf"
cat /dev/null >${_resolve}
for _nameserver in ${default_nameservers}; do
echo "nameserver ${_nameserver}" >> "${_resolve}"
done
if ! ip netns list | grep -q "${namespace}"; then
# create a new network namespace
ip netns add ${namespace}
fi
if ! ip link show "${veth_iface}" &>/dev/null; then
# create two virtual ethernet interface
ip link add name ${veth_iface} type veth peer name ${vpeer_iface}
# bind one interface to new namespace
ip link set ${vpeer_iface} netns ${namespace}
# set interfaces ip and default routing
ip addr add ${veth_addr} dev ${veth_iface}
ip netns exec ${namespace} ip addr add ${vpeer_addr} dev ${vpeer_iface}
ip link set ${veth_iface} up
ip netns exec ${namespace} ip link set ${vpeer_iface} up
ip netns exec ${namespace} ip link set lo up
# add default route for veth_addr
ip netns exec ${namespace} ip route add default via ${veth_addr%/24}
fi
# enable ip forwarding
echo 1 >/proc/sys/net/ipv4/conf/all/forwarding
_chain_postrouting="${TAG}-POSTROUTING"
_chain_output="${TAG}-OUTPUT"
_chain_input="${TAG}-INPUT"
_chain_forward="${TAG}-FORWARD"
############### *nat
iptables -t nat -N ${_chain_postrouting}
iptables -t nat -N ${_chain_output}
iptables -t nat -I POSTROUTING -j ${_chain_postrouting}
iptables -t nat -I OUTPUT -j ${_chain_output}
# masquerade traffic from vpn to internet
iptables -t nat -A ${_chain_postrouting} -s ${vpeer_addr} -j MASQUERADE
#nat .onion addresses
for i in $(seq ${tor_count} -1 2); do
_port=$((tor_trans_port + i - 1))
iptables -t nat -A ${_chain_output} -d ${tor_virt_addr} -p tcp -m tcp --syn --match statistic --mode nth --every ${i} --packet 0 -j REDIRECT --to-ports ${_port}
done
iptables -t nat -A ${_chain_output} -d ${tor_virt_addr} -p tcp -m tcp --syn -j REDIRECT --to-ports ${tor_trans_port}
# redirect dns to tor
for i in $(seq ${tor_count} -1 2); do
_port=$((tor_dns_port + i - 1))
iptables -t nat -A ${_chain_output} -d 127.0.0.1 -p udp --dport 53 --match statistic --mode nth --every ${i} --packet 0 -j REDIRECT --to-ports ${_port}
done
iptables -t nat -A ${_chain_output} -d 127.0.0.1 -p udp --dport 53 -j REDIRECT --to-ports ${tor_dns_port}
# skip NATing tor process
iptables -t nat -A ${_chain_output} -m owner --uid-owner ${tor_uid} -j RETURN
# skip NATing internal lan segments
for _lan in ${nontor_lan}; do
iptables -t nat -A ${_chain_output} -d ${_lan} -j RETURN
done
# redirect tcp traffic to tor
for i in $(seq ${tor_count} -1 2); do
_port=$((tor_trans_port + i - 1))
iptables -t nat -A ${_chain_output} -p tcp --syn --match statistic --mode nth --every ${i} --packet 0 -j REDIRECT --to-ports ${_port}
done
iptables -t nat -A ${_chain_output} -p tcp --syn -j REDIRECT --to-ports ${tor_trans_port}
############### *filter
iptables -N ${_chain_forward}
iptables -N ${_chain_input}
iptables -N ${_chain_output}
iptables -I FORWARD -j ${_chain_forward}
iptables -I INPUT -j ${_chain_input}
iptables -I OUTPUT -j ${_chain_output}
#*forward
# allow traffic forwarding from internet to vpn
iptables -A ${_chain_forward} -o ${veth_iface} -d ${vpeer_addr} -j ACCEPT
# allow traffic forwarding from vpn to internet
iptables -A ${_chain_forward} -i ${veth_iface} -s ${veth_addr} -j ACCEPT
[ ${restrictive} -eq 0 ] || iptables -A ${_chain_forward} -j DROP
#*input
iptables -A ${_chain_input} -m state --state ESTABLISHED -j ACCEPT
iptables -A ${_chain_input} -i lo -j ACCEPT
for _lan in ${allowed_input_lan}; do
iptables -A ${_chain_input} -s ${_lan} -m state --state NEW -j ACCEPT
done
for _port in ${allowed_ports}; do
iptables -A ${_chain_input} -p tcp --dport ${_port} -m state --state NEW -j ACCEPT
done
[ ${restrictive} -eq 0 ] || iptables -A ${_chain_input} -j DROP
#*output
# drop invalid packets
iptables -A ${_chain_output} -m state --state INVALID -j DROP
# accept established connections
iptables -A ${_chain_output} -m state --state ESTABLISHED,RELATED -j ACCEPT
# accept connection from tor process
iptables -A ${_chain_output} -m owner --uid-owner ${tor_uid} -j ACCEPT
# accept tor transproxy
for i in $(seq 0 $((tor_count - 1))); do
_transport=$((tor_trans_port + i))
iptables -A ${_chain_output} -d 127.0.0.1 -p tcp -m tcp --syn --dport ${_transport} -j ACCEPT
done
# limit dns requests, avoid tor process eating cpu when there's no internet connection
if [[ -n "${dns_max_rate}" && -n "${dns_max_burst}" ]]; then
for i in $(seq 0 $((tor_count - 1))); do
_dns_port=$((tor_dns_port + i))
iptables -A ${_chain_output} -d 127.0.0.1 -p udp --dport ${_dns_port} -m state --state NEW -m limit --limit "${dns_max_rate}" --limit-burst "${dns_max_burst}" -j ACCEPT
iptables -A ${_chain_output} -d 127.0.0.1 -p udp --dport ${_dns_port} -m state --state NEW -j DROP
done
fi
# accept connections to internal lan segments
for _lan in ${nontor_lan}; do
iptables -A ${_chain_output} -d ${_lan} -j ACCEPT
done
[ ${allow_udp} -eq 1 ] && iptables -A ${_chain_output} -p udp ! --dport 53 -m state --state NEW -j ACCEPT
[ ${allow_ping} -eq 1 ] && iptables -A ${_chain_output} -p icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
[ ${restrictive} -eq 0 ] || iptables -A ${_chain_output} -j DROP
# set restrictive policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# configure dns resolver
echo "nameserver 127.0.0.1" >/etc/resolv.conf
if [[ "${PostStart}" ]]; then
bash -c "${PostStart}"
fi