dns host iptables rules should be restricted to specific user #438

Closed
dolanjs opened this issue Jun 13, 2014 · 2 comments

Comments

@dolanjs
Contributor

dolanjs commented Jun 13, 2014

The host iptables rules do restrict outbound connections to the root user, but the destination for the outbound rules and source for the inbound rules are not restricted on the host iptables rules. The destination IP address for outbound rules and the source for inbound rules are defined and restricted on the network firewall currently, though it should still be applied to the host iptables rules also. Reported by @iSEC

@garrettr
Contributor

@dolanjs Question about the title: the rules are restricted to a specific user (root) - did you mean they should be restricted to a specific destination (the DNS server chosen at installation)?

@garrettr
Contributor

At the time this issue was filed, we were still planning to solely use Debian packages to manage the installation and automatic upgrading of SecureDrop. Fixing this issue would've required input from the installer during the package installation process to configure this correctly. While this is possible via debconf (among other options), we ultimately decided to switch to using Ansible for the configuration, installation, and maintenance of SecureDrop instances. The ultimate solution was to allow the admin to specify which external DNS servers should be used in the configuration file for the playbook, and then templatize the iptables rules to insert the chosen DNS servers into the rules and restrict DNS traffic to only the specified servers.

This was implemented in a8a4979. I am not sure why this issue was not updated to reflect this at that time, but it is resolved now.
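
A check for the condition this issue describes, as an added example that is not part of the original thread or SecureDrop's own code: it audits `iptables-save`-style rules and flags DNS ACCEPT rules that lack a destination (outbound) or source (inbound) restriction, or that are not pinned to the admin-chosen DNS servers. The sample rules, the function names `option` and `audit_dns_rules`, and the address 203.0.113.53 are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample rules in iptables-save syntax (not SecureDrop's real ruleset).
# 203.0.113.53 is a documentation-range placeholder for the admin-chosen DNS server.
BEFORE = """\
-A OUTPUT -p udp -m udp --dport 53 -m owner --uid-owner 0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
"""
AFTER = """\
-A OUTPUT -d 203.0.113.53/32 -p udp -m udp --dport 53 -m owner --uid-owner 0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 203.0.113.53/32 -p udp -m udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
"""

def option(tokens, *names):
    """Value following the first non-negated option in `names`, else None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names and (i == 0 or tokens[i - 1] != "!"):
            return tokens[i + 1]
    return None

def audit_dns_rules(ruleset, allowed_dns):
    """Return (line_no, message) for port-53 ACCEPT rules not pinned to allowed_dns."""
    allowed = {ipaddress.ip_address(a) for a in allowed_dns}
    findings = []
    for n, line in enumerate(ruleset.splitlines(), 1):
        t = shlex.split(line)
        if len(t) < 2 or t[0] != "-A" or option(t, "-j", "--jump") != "ACCEPT":
            continue
        chain = t[1]
        if chain == "OUTPUT" and option(t, "--dport", "--destination-port") == "53":
            peer = option(t, "-d", "--destination")
            if option(t, "--uid-owner") is None:
                findings.append((n, "outbound DNS rule not restricted to a user"))
        elif chain == "INPUT" and option(t, "--sport", "--source-port") == "53":
            peer = option(t, "-s", "--source")
        else:
            continue
        if peer is None:
            findings.append((n, f"{chain} DNS rule has no peer address restriction"))
            continue
        net = ipaddress.ip_network(peer, strict=False)
        if net.num_addresses != 1 or net.network_address not in allowed:
            findings.append((n, f"{chain} DNS rule allows unexpected peer {peer}"))
    return findings
```

Run against `BEFORE`, the audit flags both rules even though the outbound rule is limited to uid 0; a negated match such as `! -d` is treated as no restriction.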
