|
|
|
#!/bin/bash
|
|
|
|
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
|
|
|
|
|
|
|
|
# shellcheck disable=SC2154
|
|
|
|
# Library identity: $prog is the name used in log lines; a caller may preset it.
: "${prog:=proxy_ping_lib}"

# Logging helpers (DBUG/INFO/WARN/ERROR/dbug) come from here; nothing below works without them.
. /usr/local/bin/usr_local_tput.bash || exit 2

PREFIX=/usr/local
ROLE=proxy
base=proxy_ping_lib

# Fall back to the real login name when the environment does not carry one.
# NOTE(review): $USER is environment-controlled and must not be used for authorization.
# shellcheck disable=SC2154
: "${USER:=$(id -un)}"

# ifconfig lives in /sbin on Debian-family systems and in /bin on Gentoo (resolved below).
BASE_SRC_ANSIBLE=/g/TestForge/src/ansible
|
|
|
|
|
|
|
|
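# Local HTTP proxy (privoxy/polipo) used by the curl probes below.
# Fix: the original used `||`, which *overwrote* a caller-supplied value and
# left an empty one empty; `&&` applies the default only when the variable is
# unset/empty, like every other default in this file.
# shellcheck disable=SC2154
[ -z "$PROXY_HTTP_PROXY_PORT" ] && PROXY_HTTP_PROXY_PORT=3128
# shellcheck disable=SC2154
[ -z "$PROXY_HTTP_PROXY_HOST" ] && PROXY_HTTP_PROXY_HOST="127.0.0.1"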
|
|
|
|
|
|
|
|
# Pick the ifconfig binary: /sbin on Debian-family, /bin on Gentoo.  The last
# executable candidate wins, so /bin/ifconfig is preferred when both exist.
PROXY_IFCONFIG=/sbin/ifconfig
for _ifc in /sbin/ifconfig /bin/ifconfig ; do
    [ -x "$_ifc" ] && PROXY_IFCONFIG=$_ifc
done
unset _ifc
|
|
|
|
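## proxy_ifconfig [args...] - run the detected ifconfig, tolerating an
## interface written as "wlan0:" or "wlan0:1" (the ":suffix" is stripped).
## A first argument containing "DBUG:" is a tripwire for a logging call that
## leaked into the argument list.
## Fixes: the tripwire called `exit 1`, which ended the *calling* shell (this
## is a sourced library) - it now returns 1; and the colon-stripping branches
## rebuilt argv from the first argument only, so `proxy_ifconfig eth0 down`
## ran `ifconfig eth0` - the remaining arguments are now kept.
proxy_ifconfig () {
    local first
    if [ $# -gt 0 ] && [[ $1 =~ .*DBUG:.* ]] ; then
        dbug PANIC: "$PROXY_IFCONFIG" "$@"
        return 1
    elif [ $# -gt 0 ] && [[ $1 =~ .*:.* ]] ; then
        dbug WARN: proxy_ifconfig "$PROXY_IFCONFIG" "$@"
        first=$1 ; shift
        set -- "${first%%:*}" "$@"
    elif [ $# -eq 0 ] || [[ $1 =~ .*-a.* ]] ; then
        :   # "ifconfig" / "ifconfig -a": pass through untouched
    elif [[ $1 =~ wlan[0-9] ]] ; then
        :   # plain wlanN name: pass through untouched
    else
        dbug proxy_ifconfig "$PROXY_IFCONFIG" "$@"
        # fixme - required: strip a "name:alias" suffix from the interface
        first=$1 ; shift
        set -- "${first%%:*}" "$@"
    fi
    "$PROXY_IFCONFIG" "$@"
}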
|
|
|
|
|
|
|
|
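# Unprivileged account whose primary group the firewall lets out to the clearnet
# (see the `--gid-owner $PRIV_BIN_GID -j ACCEPT` checks further down).
# shellcheck disable=SC2154
[ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
# Fix: resolve the gid with id(1) instead of `grep ^name /etc/passwd | cut`,
# which also matched longer names (e.g. "bind") and could yield a multi-line
# value that then ended up inside firewall rule patterns.  id(1) also honours
# NSS rather than only /etc/passwd.
# shellcheck disable=SC2154
[ -z "$PRIV_BIN_GID" ] && [ -n "$PRIV_BIN_OWNER" ] && PRIV_BIN_GID=$( id -g "$PRIV_BIN_OWNER" 2>/dev/null )

# Tor's service account differs per distribution family.
# shellcheck disable=SC2154
[ -z "$PRIV_TOR_OWNER" ] && [ -d /etc/portage ] && PRIV_TOR_OWNER=tor
# shellcheck disable=SC2154
[ -z "$PRIV_TOR_OWNER" ] && [ -d /etc/apt ] && PRIV_TOR_OWNER=debian-tor
# Guarded on a non-empty owner: the old `grep ^$PRIV_TOR_OWNER` with an empty
# owner matched every passwd line.
# shellcheck disable=SC2154
[ -z "$PRIV_TOR_GID" ] && [ -n "$PRIV_TOR_OWNER" ] && PRIV_TOR_GID=$( id -g "$PRIV_TOR_OWNER" 2>/dev/null )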
|
|
|
|
|
|
|
|
# pipefail is a bash/ksh feature; a plain POSIX sh cannot run this library.
if ! set -o pipefail ; then
    ERROR bash is required
    exit 1
fi
|
|
|
|
|
|
|
|
# Config files in which a literal "wlanN" is rewritten to the detected
# interface by proxy_ping_wlan_config (sed -i: every listed file is edited in
# place, so keep this list to files that really name the interface).
declare -a PROXY_WLAN_FILES=(
    /etc/conf.d/hostapd
    /etc/conf.d/net
    /etc/connman/main.conf
    /etc/default/macchanger
    /etc/dnsmasq.conf
    /etc/firewall.conf
    /etc/pdnsd/pdnsd.conf
    /etc/wicd/manager-settings.conf
    /usr/local/etc/testforge/testforge.bash
    /usr/local/etc/testforge/testforge.ini
    /usr/local/etc/testforge/testforge.yml
    /etc/snort/snort.debian.conf
)
|
|
|
|
|
|
|
|
|
|
|
|
# Keep /bin first so tools resolve the same way for every caller.
# [ "$USER" != root ] && export PATH=/sbin:$PATH
PATH=/bin:$PATH
export PATH
|
|
|
|
|
|
|
|
# DEBIAN holds grep's status: 0 on Debian/Devuan, 1 otherwise, 2 when
# /etc/os-release cannot be read.
DEBIAN=0
grep -q 'Debian\|Devuan' /etc/os-release || DEBIAN=$?
|
|
|
|
|
|
|
|
# Probe targets.  DNS_HOST1 is the default target of proxy_ping_nmap_direct
# (UDP/53); DNS_HOST2 is not referenced anywhere in this file.  HTTP_TARGET is
# fetched over HTTPS by the curl probes with certificate checking disabled, so
# it serves as a reachability oracle only - never as a trusted data source.
DNS_HOST1=208.67.220.220
DNS_HOST2=8.8.8.8
HTTP_TARGET=172.217.169.14
# Fail fast and quietly, but still print errors.
CURL_ARGS='--connect-timeout 15 -s -S'
# Retry budget for proxy_ping_nmap_direct: TRIES attempts, DELAY seconds apart.
TRIES=10
DELAY=10
|
|
|
|
|
|
|
|
# Locally installed admin tools (e.g. $PREFIX/sbin) come last.
PATH=$PATH:$PREFIX/sbin
export PATH
|
|
|
|
|
|
|
|
# Per-role configuration files: proxy_whonix_copy_files looks for PATH.<role>
# next to each of these and hands the pair to proxy_whonix_copy_dir_file.
declare -a PROXY_WHONIX_FILES=(
    "$HOME/.gitconfig"
    /etc/dirmngr/dirmngr.conf
    /etc/dnsmasq.conf
    /etc/firewall.conf
    /etc/freshclam.conf
    /etc/gnupg/gpgconf.conf
    /etc/java-11-openjdk/net.properties
    /etc/polipo/config
    /etc/privoxy/config
    /etc/resolv.conf
    /etc/tor/torsocks.conf
    /var/local/etc/testforge/firefox/proxy.js
)
|
|
|
|
|
|
|
|
# local_rc_service / local_rc_update (used by proxy_rc_*) are defined here.
if ! . /usr/local/etc/local.d/local.bash ; then
    ERROR /usr/local/etc/local.d/local.bash
    exit 2
fi
|
|
|
|
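## proxy_rc_service SVC [args...] - run /etc/init.d/SVC if it exists, else
## defer to local_rc_service (from local.bash).  Returns the callee's status.
## Hardening: SVC is spliced into a path, so an empty name (which made
## `-x /etc/init.d/` true and exec'd a directory) or one containing "/" (which
## would escape /etc/init.d) is rejected before anything runs.
proxy_rc_service () { DBUG proxy_rc_service MODE=$MODE "$@" ;
    local svc=$1
    case $svc in
        ''|*/*)
            ERROR proxy_rc_service bad service name "'$svc'"
            return 1 ;;
    esac
    if [ -x "/etc/init.d/$svc" ] ; then
        shift
        "/etc/init.d/$svc" "$@"
    else
        local_rc_service "$@"
    fi
}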
|
|
|
|
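## proxy_rc_update [args...] - forward to local_rc_update with MODE prepended.
## Fix: "$@" instead of unquoted $* so arguments are not re-split.
proxy_rc_update () { local_rc_update MODE=$MODE "$@" ; }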
|
|
|
|
|
|
|
|
## proxy_ping_online - currently only resolves the Whonix gateway name via
## proxy_whonix_get_gateway_dom_bad (0 unless that inventory lookup fails).
## NOTE(review): the old header promised an ifconfig/nm-online check; nothing
## here performs one.
proxy_ping_online () {
    proxy_whonix_get_gateway_dom_bad
}
|
|
|
|
|
|
|
|
# Cache for the gateway-name lookups below; empty until first resolved.
GATEW_DOM=""
|
|
|
|
## proxy_whonix_get_gateway_dom_bad - fill GATEW_DOM from the inventory
## (BOX_WHONIX_PROXY_HOST) or fall back to "Whonix-Gateway".  Only the cached
## path prints the value; a fresh lookup leaves the result in GATEW_DOM and
## prints nothing.  Returns 1 if the inventory helper exists but fails.
proxy_whonix_get_gateway_dom_bad () {
    local host inv=/usr/local/bin/testforge_get_inventory.bash
    # shellcheck disable=SC2154
    if [ -n "$GATEW_DOM" ] ; then
        echo -n "$GATEW_DOM"
        return 0
    fi
    if [ -e "$inv" ] ; then
        host=$( "$inv" BOX_WHONIX_PROXY_HOST ) || return 1
        [ -n "$host" ] && GATEW_DOM=$host
    fi
    # shellcheck disable=SC2154
    [ -z "$GATEW_DOM" ] && GATEW_DOM=Whonix-Gateway
    return 0
}
|
|
|
|
|
|
|
|
## proxy_whonix_get_gateway_dom - print the Whonix gateway host name: the
## cached GATEW_DOM, else whatever proxy_testforge_get_gateway_dom prints
## (that helper returns 0 even when it found nothing, so the name may be
## empty), else the literal "Whonix-Gateway".  Always returns 0.
proxy_whonix_get_gateway_dom () {
    # shellcheck disable=SC2154
    if [ -n "$GATEW_DOM" ] ; then
        echo -n "$GATEW_DOM"
        return 0
    fi
    if ! proxy_testforge_get_gateway_dom "$@" ; then
        GATEW_DOM=Whonix-Gateway
        echo -n "$GATEW_DOM"
    fi
    return 0
}
|
|
|
|
|
|
|
|
## proxy_testforge_get_gateway_dom - resolve GATEW_DOM from the TestForge
## inventory (BOX_WHONIX_PROXY_HOST) when the ansible tree and the inventory
## helper exist, sourcing testforge.bash first.  Prints GATEW_DOM (possibly
## empty) and returns 0; returns 1 only when the inventory helper fails.
proxy_testforge_get_gateway_dom () {
    local host inv=/usr/local/bin/testforge_get_inventory.bash
    # shellcheck disable=SC2154
    if [ -n "$GATEW_DOM" ] ; then
        echo -n "$GATEW_DOM"
        return 0
    fi
    [ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
    # shellcheck disable=SC2154
    if [ -n "$BASE_SRC_ANSIBLE" ] && [ -d "$BASE_SRC_ANSIBLE" ] && [ -x "$inv" ] ; then
        host=$( "$inv" BOX_WHONIX_PROXY_HOST ) || return 1
        [ -n "$host" ] && GATEW_DOM=$host
    fi
    echo -n "$GATEW_DOM"
    return 0
}
|
|
|
|
|
|
|
|
#move later
## proxy_whonix_mode - alias for proxy_ping_mode (prints MODE, same status).
proxy_whonix_mode () { #
    proxy_ping_mode
}
|
|
|
|
|
|
|
|
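## proxy_ping_mode - detect (and cache in MODE) which network role this box
## plays: vda | selektor | ws | gateway | nat | tor | <inventory value>.
## Prints MODE (no newline) and returns 0.  Order matters: a running SelekTOR
## tor is checked before the Whonix address probes, and a running tor before
## the inventory fallback.
## Security fix: the ifconfig snapshot used the predictable path
## /tmp/ipconfig-a.$$; a local user could pre-create it (or a symlink there)
## and have a root caller overwrite an arbitrary file.  mktemp(1) is used now.
proxy_ping_mode () { #
    local snap mode host inv
    # shellcheck disable=SC2154
    [ -n "$MODE" ] && echo "$MODE" && return 0

    snap=$( mktemp "${TMPDIR:-/tmp}/ipconfig-a.XXXXXX" ) || return 1
    proxy_ifconfig -a >"$snap"
    inv=$PREFIX/bin/testforge_get_inventory.bash

    if grep -q /dev/vda /proc/cmdline ; then
        MODE=vda
    elif pgrep -f 'tor -f /var/lib/tor/.SelekTOR/3xx' >/dev/null ; then
        # must come before ws gw
        MODE=selektor
    elif grep -A 1 eth1 "$snap" | grep -q 10.152.152.11 ; then
        MODE=ws
    elif grep -A 1 eth0 "$snap" | grep -q 10.0.2.15 ; then
        MODE=gateway
    elif grep -A 1 eth0 "$snap" | grep -q 10.0.2. ; then
        MODE=nat
    elif [ -d /var/log/tor ] && proxy_rc_service tor status >/dev/null 2>&1 ; then
        # a running tor takes precedence over whonix
        MODE=tor
    elif [ -f "$inv" ] ; then
        mode=$( "$inv" BOX_PROXY_MODE )
        if [ -n "$mode" ] ; then
            MODE=$mode
        else
            host=$( "$inv" BOX_WHONIX_PROXY_HOST )
            [ -n "$host" ] && MODE=$host # whonix
        fi
    fi

    rm -f "$snap"
    echo -n "$MODE"
    return 0
}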
|
|
|
|
|
|
|
|
## proxy_wlan_modules_reload [IF] - unload, then reload the driver for IF.
## IF may be empty (the callees fall back to PROXY_WLAN), which is why it is
## passed unquoted: an explicit "" would count as an argument.  Returns 0, or
## "1<status>" / "2<status>" (digit-prefixed, as elsewhere in this file).
proxy_wlan_modules_reload () {
    local iface=$1   # may be empty
    # shellcheck disable=SC2086
    proxy_wlan_modules_unload $iface || return 1$?
    # shellcheck disable=SC2086
    proxy_wlan_modules_load $iface || return 2$?
    return 0
}
|
|
|
|
|
|
|
|
## base_wlan_modules_load - legacy name; loads the driver for PROXY_WLAN
## (arguments are intentionally not forwarded).
base_wlan_modules_load () {
    proxy_wlan_modules_load
}
|
|
|
|
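## proxy_wlan_modules_load [IF] - load the wireless driver for IF (default
## $PROXY_WLAN), bring the interface down and give it a random MAC.
## Returns 0 on success or when not root; 3 for an empty/unknown interface;
## 8 if ifconfig cannot see it after modprobe; 1 if macchanger fails;
## 2 if the MAC did not actually change.
## Fixes: the unused python2 MAC generator is gone; the "did the MAC change"
## loop ran in a pipeline subshell, so its `return 2` never reached the caller
## (the function always returned 0); `old` no longer leaks as a global.
proxy_wlan_modules_load () { DBUG proxy_wlan_modules_load MODE=$MODE "$@" ;
    local wlan7=$1 old cur

    proxy_ping_check_root || return 0

    # shellcheck disable=SC2154
    [ -z "$wlan7" ] && wlan7=$PROXY_WLAN
    if [ -z "$wlan7" ] ; then
        WARN proxy_wlan_modules_load empty wlan7 PROXY_WLAN
        return 3
    fi
    # failsafe: only ethN/wlanN names, without any ":alias" or trailing text
    wlan7=$( echo "$wlan7" | grep '^eth\|^wlan' | sed -e 's/[: ].*//' )

    # Interface -> driver mapping is host-specific; keep in sync with
    # proxy_wlan_modules_unload.
    case $wlan7 in
        wlan7|wlan6) modprobe iwlmvm ;;
        wlan4)
            # this is right but sometimes does not pull in the rest
            # modprobe ath ath9k_hw ath9k_common ath9k_htc
            modprobe ath9k_htc ;;
        *) return 3 ;;   # no default
    esac

    sleep 5
    proxy_ifconfig "$wlan7" >/dev/null || return 8
    proxy_ifconfig "$wlan7" | grep -qi up && proxy_ifconfig "$wlan7" down >/dev/null

    # Random MAC (-A: random address, vendor-looking prefix); a fixed MAC would
    # make this host trackable across networks.
    macchanger "$wlan7" -A >/dev/null || return 1

    # Verify the change by comparing the second field onwards of the first two
    # lines `macchanger -s` prints (current vs. permanent address).
    old=""
    while read -r _ cur ; do
        if [ -z "$old" ] ; then
            old=$cur
            continue
        fi
        if [ "$old" != "$cur" ] ; then
            dbug "$old $cur"
            return 0
        fi
        ERROR "$old = $cur"
        return 2
    done < <( macchanger -s "$wlan7" )
    return 0
}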
|
|
|
|
|
|
|
|
## proxy_base_wlan_modules_unload - legacy name; unloads with no interface
## argument (arguments are intentionally not forwarded).
proxy_base_wlan_modules_unload () {
    proxy_wlan_modules_unload
}
|
|
|
|
## base_wlan_modules_unload - legacy name; see proxy_wlan_modules_unload.
base_wlan_modules_unload () {
    proxy_wlan_modules_unload
}
|
|
|
|
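## proxy_wlan_modules_unload [IF] - tear IF down: stop dhclient and
## dnscrypt-proxy, bring the interface down, drop NetworkManager leases and
## unload its driver.  Returns 0 (also when not root), 1 without an argument,
## 2 when no interface resolves.
## Fixes: `pkill /sbin/dhclient` never matched (without -f pkill compares the
## process *name*, not the path); the dnscrypt kill used ps|grep and so also
## hit unrelated processes that merely mention "dnscrypt-proxy" on their
## command line; the rmmod branches contradicted proxy_wlan_modules_load
## (wlan4 loads ath9k_htc, wlan6/wlan7 load iwlmvm), so a reload of wlan4 or
## wlan6 never unloaded the driver it had loaded.
proxy_wlan_modules_unload () { DBUG proxy_wlan_modules_unload ;
    local wlan7=$1

    proxy_ping_check_root || return 0

    # shellcheck disable=SC2154
    if [ -z "$wlan7" ] ; then
        [ $# -eq 0 ] && return 1
        wlan7=$1
    fi
    if [ "$wlan7" = eth2 ] ; then
        PROXY_WLAN=$( proxy_set_if ) || return 1$?
        wlan7=$PROXY_WLAN
    fi
    # shellcheck disable=SC2154
    [ -z "$wlan7" ] && return 2

    # Stop the DHCP client and the local DNS proxy (exact process-name match).
    pkill -x dhclient
    pkill -x dnscrypt-proxy

    proxy_ifconfig "$wlan7" down >/dev/null || true
    proxy_ifconfig "$wlan7" | grep -qi "up" && proxy_ifconfig "$wlan7" down >/dev/null

    # Forget cached leases so the next association starts clean (this removes
    # NetworkManager's lease files for every interface, not just $wlan7).
    rm -f /var/lib/NetworkManager/*lease

    case $wlan7 in
        wlan7|wlan6) rmmod iwlmvm iwlwifi ;; # 2>/dev/null
        *)           rmmod ath9k_htc ath9k_common ath9k_hw ath 2>/dev/null ;;
    esac
    sleep 5
    return 0
}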
|
|
|
|
|
|
|
|
## proxy_get_wlan_ip - print the IPv4 address of PROXY_WLAN (no newline; may
## be empty), resolving the interface through proxy_set_if first if needed.
## Sets PROXY_WLAN_IP and re-sanitises PROXY_WLAN.  Returns 0; 11 when no
## interface can be determined; "2<n>" when ifconfig fails.
proxy_get_wlan_ip () {
    local rc
    # shellcheck disable=SC2154
    if [ -z "$PROXY_WLAN" ] ; then
        PROXY_WLAN=$( proxy_set_if )
        rc=$?
        # (the original test's own failure status is what made this "11")
        { [ $rc -eq 0 ] && [ -n "$PROXY_WLAN" ] ; } || return 11
    fi
    # fixme - required: bare ethN/wlanN name only
    # shellcheck disable=SC2086
    PROXY_WLAN=$( echo $PROXY_WLAN | grep '^eth\|^wlan' | sed -e 's/:.*//' )

    # the "inet ... broadcast" line of a configured interface carries its address
    # shellcheck disable=SC2086
    PROXY_WLAN_IP=$( proxy_ifconfig $PROXY_WLAN | grep -v '127.0.0.1\|grep' | grep 'inet.*broadcast' | sed -e 's/.*inet //' -e 's/ .*//' ) || return 2$?

    # REQUIRED! (this filter also admits enX names, unlike the one above)
    # shellcheck disable=SC2086
    PROXY_WLAN=$( echo $PROXY_WLAN | grep '^eth\|^wlan\|^en' | sed -e 's/:.*//' )
    # may be empty
    # shellcheck disable=SC2086
    echo -n $PROXY_WLAN_IP
    return 0
}
|
|
|
|
|
|
|
|
## proxy_get_wlan_if - alias for proxy_get_if (arguments not forwarded).
proxy_get_wlan_if () {
    proxy_get_if
}
|
|
|
|
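## proxy_get_if - resolve the outbound interface (via proxy_set_if), load its
## driver if ifconfig cannot see it, and print the sanitised name (no
## newline).  Also sets PROXY_WLAN.  Returns 0, or 1 when no interface can be
## found or seen.
## Fix: both failure paths were `... && dbug ... && return 1`, so whenever the
## logger returned non-zero the function fell through and printed an empty or
## unusable name with status 0; the returns are now unconditional.
proxy_get_if () { #
    local iface
    iface=$( proxy_set_if )
    # shellcheck disable=SC2154
    if [ $? -ne 0 ] || [ -z "$iface" ] ; then
        DEBUG=1 dbug proxy_get_if empty wlan7
        return 1
    fi

    proxy_ifconfig "$iface" >/dev/null || proxy_wlan_modules_load "$iface"
    proxy_ifconfig "$iface" >/dev/null || {
        DEBUG=1 dbug proxy_get_if errored proxy_ifconfig "$iface"
        return 1
    }

    # fixme - required: bare ethN/wlanN name only
    PROXY_WLAN=$( echo "$iface" | grep '^eth\|^wlan' | sed -e 's/:.*//' )
    echo -n "$PROXY_WLAN"
    return 0
}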
|
|
|
|
|
|
|
|
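## proxy_route_check - 0 when `route` lists a default route, "2<n>" otherwise
## (n is the pipeline's status, e.g. 1 for "no match", 127 when net-tools'
## route is not installed).  Fix: retval is local.
proxy_route_check () { DBUG proxy_route_check MODE=$MODE "$@" ;
    local retval
    # PATH=$PATH:/sbin ip
    route | grep -q ^def || {
        retval=$?
        WARN "$prog" proxy_route_check retval=$retval
        return 2$retval
    }
    return 0
}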
|
|
|
|
|
|
|
|
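## proxy_route_test - like proxy_route_check, but first asks `ip route`;
## returns 0 when there is no default route at all (nothing to test),
## otherwise proxy_route_check's status.
## Fix: the no-route branch called `exit 0`, which terminated the *calling*
## shell (this file is a sourced library); it now returns 0.
proxy_route_test () { DBUG proxy_route_test MODE=$MODE "$@" ;
    PATH=$PATH:/sbin ip route | grep -q ^def || {
        WARN no route
        return 0
    }
    proxy_route_check || return $?
    return 0
}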
|
|
|
|
|
|
|
|
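## proxy_set_if - pick the outbound interface for this MODE, set PROXY_WLAN
## and print it (no newline).  Returns 0; 1 when the inventory lookup fails;
## 2/3 when nothing usable is found.
## Generic (non-Whonix) modes try, in order: the default route's device, the
## first wlanN with a broadcast address, the inventory's
## BOX_DEFAULT_OUTPUT_IF, and finally the first ethN/wlanN that `ifconfig -a`
## lists (there may be no route yet - and there may be two candidates).
## Security fix: the ifconfig snapshot was /tmp/ipconfig-a.$$, a predictable
## name written as root in the usual call path; mktemp(1) is used now, and the
## file is also removed on the early inventory-failure return.
## Also: the wlan fallback now uses the detected $PROXY_IFCONFIG instead of a
## bare `ifconfig` found via PATH.
proxy_set_if () { #
    local snap inv=/usr/local/bin/testforge_get_inventory.bash
    # shellcheck disable=SC2154
    [ -n "$MODE" ] || MODE="$( proxy_ping_mode )"
    snap=$( mktemp "${TMPDIR:-/tmp}/ipconfig-a.XXXXXX" ) || return 1
    proxy_ifconfig -a > "$snap"

    case $MODE in
        workstation|ws|vda|nat|gateway)
            PROXY_WLAN=eth0
            ;;
        *)  # whonix, tor, host, selektor, client, ...
            if ip route | grep -q ^defa ; then
                PROXY_WLAN=$( ip route | grep ^defa | sed -e 's/.*dev //' -e 's/ .*//' )
            fi
            if [ -z "$PROXY_WLAN" ] ; then
                PROXY_WLAN=$( "$PROXY_IFCONFIG" | grep -B 1 'inet.*broadcast' | grep ^wlan | sed -e 's/ .*//' )
            fi
            # shellcheck disable=SC2154
            if [ -z "$PROXY_WLAN" ] && [ -d "$BASE_SRC_ANSIBLE" ] ; then
                # do we really want this in inventory or live?
                # shellcheck disable=SC2154
                if [ -z "$BOX_DEFAULT_OUTPUT_IF" ] ; then
                    BOX_DEFAULT_OUTPUT_IF=$( "$inv" BOX_DEFAULT_OUTPUT_IF ) || BOX_DEFAULT_OUTPUT_IF=""
                    if [ -z "$BOX_DEFAULT_OUTPUT_IF" ] ; then
                        rm -f "$snap"
                        return 1
                    fi
                    #? recurse
                fi
                PROXY_WLAN="$BOX_DEFAULT_OUTPUT_IF"
            fi
            # shellcheck disable=SC2154
            if [ -z "$PROXY_WLAN" ] && grep -q '^wlan\|^eth' "$snap" ; then
                # there may be no route yet; there may be two candidates
                PROXY_WLAN=$( grep '^eth\|^wlan' "$snap" | head -1 | sed -e 's/:.*//' )
            fi
            ;;
    esac
    rm -f "$snap"

    # shellcheck disable=SC2154
    [ -z "$PROXY_WLAN" ] && return 2
    # fixme - required: bare ethN/wlanN name only
    PROXY_WLAN=$( echo "$PROXY_WLAN" | grep '^eth\|^wlan' | sed -e 's/:.*//' )
    # shellcheck disable=SC2154
    [ -z "$PROXY_WLAN" ] && return 3

    echo -n "$PROXY_WLAN"
    return 0
}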
|
|
|
|
|
|
|
|
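## proxy_ping_get_https - print "HOST:PORT" (no newline) of the HTTPS proxy
## taken from $https_proxy (scheme stripped), with MODE-specific fallbacks for
## the host (whonix: 10.0.2.15, nat: the /etc/hosts entry whose name ends in
## "external", else 127.0.0.1) and 9128 for the port.  Prints ":" when
## https_proxy is unset.  Sets HTTPS_HOST/HTTPS_PORT.  Returns 0.
## Fix: `[ -z "$external"]` was missing the space before `]`, so the nat-mode
## /etc/hosts lookup always failed with a test(1) syntax error.
proxy_ping_get_https () {
    # shellcheck disable=SC2154
    if [ -n "$https_proxy" ] ; then
        HTTPS_HOST=$( echo "$https_proxy" | sed -e 's@.*//@@' -e 's@:[0-9]*@@' )
        HTTPS_PORT=$( echo "$https_proxy" | sed -e 's@.*//[^:]*:@@' )
        # DBUG $prog $https_proxy HTTPS_PORT=$HTTPS_PORT HTTPS_HOST=$HTTPS_HOST
        # shellcheck disable=SC2154
        [ -z "$HTTPS_HOST" ] && [ "$MODE" = whonix ] && HTTPS_HOST=10.0.2.15
        if [ -z "$HTTPS_HOST" ] && [ "$MODE" = nat ] ; then
            [ -z "$external" ] && \
                external=$( grep 'external$' /etc/hosts | sed -e 's/ .*//' )
            HTTPS_HOST=$external
        fi
        # shellcheck disable=SC2154
        [ -z "$HTTPS_HOST" ] && HTTPS_HOST=127.0.0.1
        # shellcheck disable=SC2154
        [ -z "$HTTPS_PORT" ] && HTTPS_PORT=9128
    fi
    echo -n "$HTTPS_HOST:$HTTPS_PORT"
    return 0
}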
|
|
|
|
|
|
|
|
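## proxy_ping_get_http - print "HOST:PORT" (no newline) of the HTTP proxy
## taken from $http_proxy (scheme stripped), with MODE-specific fallbacks for
## the host (whonix/tor: 127.0.0.1, nat: the /etc/hosts entry whose name ends
## in "external") and 3128 for the port.  Prints ":" when http_proxy is unset.
## Sets HTTP_HOST/HTTP_PORT.  Returns 0.
## Fix: `[ -z "$external"]` was missing the space before `]`, so the nat-mode
## /etc/hosts lookup always failed with a test(1) syntax error.
proxy_ping_get_http () {
    # shellcheck disable=SC2154
    if [ -n "$http_proxy" ] ; then
        HTTP_HOST=$( echo "$http_proxy" | sed -e 's@.*//@@' -e 's@:[0-9]*@@' )
        HTTP_PORT=$( echo "$http_proxy" | sed -e 's@.*//[^:]*:@@' )
        # DBUG $prog $http_proxy HTTP_PORT=$HTTP_PORT HTTP_HOST=$HTTP_HOST
        case $MODE in
            # shellcheck disable=SC2154
            whonix|tor) [ -z "$HTTP_HOST" ] && HTTP_HOST=127.0.0.1 ;;
            nat)
                if [ -z "$HTTP_HOST" ] ; then
                    [ -z "$external" ] && \
                        external=$( grep 'external$' /etc/hosts | sed -e 's/ .*//' )
                    HTTP_HOST=$external
                fi ;;
        esac
        # shellcheck disable=SC2154
        [ -z "$HTTP_PORT" ] && HTTP_PORT=3128
    fi
    echo -n "$HTTP_HOST:$HTTP_PORT"
    return 0
}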
|
|
|
|
|
|
|
|
## proxy_ping_get_socks_host - derive SOCKS_HOST from $socks_proxy (scheme,
## "user:pass@" and the first ":digits" removed) and print "HOST:9050".
## Note the printed port is a constant; the parsed port is handled by
## proxy_ping_get_socks_port.  Returns 0.
proxy_ping_get_socks_host () {
    # shellcheck disable=SC2154
    [ -n "$socks_proxy" ] && \
        SOCKS_HOST=$( sed -e 's@.*//@@' -e 's/.*@//' -e 's@:[0-9]*@@' <<< "$socks_proxy" )
    # DBUG $prog $socks_proxy SOCKS_PORT=$SOCKS_PORT SOCKS_HOST=$SOCKS_HOST
    echo -n "$SOCKS_HOST:9050"
}
|
|
|
|
|
|
|
|
## proxy_ping_get_socks_port - set SOCKS_PORT to whatever follows the first
## "host:" after "//" in $socks_proxy.  Prints nothing.  Returns 0.
## Note: because `[^:]*:` stops at the first colon, a URL with "user:pass@"
## credentials yields "pass@host:port" rather than the port.
proxy_ping_get_socks_port () {
    # shellcheck disable=SC2154
    if [ -n "$socks_proxy" ] ; then
        SOCKS_PORT=$( sed -e 's@.*//[^:]*:@@' <<< "$socks_proxy" )
        # DBUG $prog $socks_proxy SOCKS_PORT=$SOCKS_PORT SOCKS_HOST=$SOCKS_HOST
    fi
    # echo -n $SOCKS_PORT
}
|
|
|
|
|
|
|
|
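## proxy_ping_get_socks - print "HOST:PORT" (no newline) of the SOCKS proxy.
## $socks_proxy wins; otherwise host and port come from MODE (whonix/gateway:
## 10.0.2.15, nat: 10.0.2.2, tor/selektor: 127.0.0.1, vda: 10.152.152.10, all
## on 9050).  Sets SOCKS_HOST/SOCKS_PORT and defaults SOCKS_DNS to 9053.
## Returns 0.
## Fixes: proxy_ping_get_socks_host prints "$SOCKS_HOST:9050" itself, so this
## function's stdout carried that text in front of its own result; it is now
## silenced, the port parsed from $socks_proxy is honoured, and a second,
## unreachable `elif [ "$MODE" = nat ]` branch was dropped.
proxy_ping_get_socks () {
    # let socks_proxy override
    proxy_ping_get_socks_host >/dev/null
    proxy_ping_get_socks_port >/dev/null
    # shellcheck disable=SC2154
    if [ -z "$SOCKS_HOST" ] ; then
        case $MODE in
            whonix|gateway) SOCKS_HOST=10.0.2.15     ; SOCKS_PORT=9050 ;;
            nat)            SOCKS_HOST=10.0.2.2      ; SOCKS_PORT=9050 ;;
            tor|selektor)   SOCKS_HOST=127.0.0.1     ; SOCKS_PORT=9050 ;;
            vda)            SOCKS_HOST=10.152.152.10 ; SOCKS_PORT=9050 ;;
        esac
    fi
    # shellcheck disable=SC2154
    [ -z "$SOCKS_DNS" ] && SOCKS_DNS=9053
    echo -n "$SOCKS_HOST:${SOCKS_PORT:-9050}"
    return 0
}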
|
|
|
|
|
|
|
|
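# proxy_ping_chattr - let unprivileged users run ping/traceroute: persist and
# apply the ping_group_range sysctl (gids 0..1000) and, where the root
# filesystem supports file capabilities, give the two binaries cap_net_raw.
# Security fix: the binaries were granted cap_net_admin as well, which lets
# anyone who can execute them reconfigure interfaces, routes and netfilter;
# raw sockets (cap_net_raw) are all a ping/traceroute needs.  Binaries still
# carrying the old cap set are re-set (setcap replaces the whole set).  The
# "already done" check and the setcap now act on the same resolved path.
proxy_ping_chattr () { DBUG proxy_ping_chattr MODE=$MODE "$@" ;
    local elt exe

    [ -f /etc/sysctl.d/70_testforge_ping.conf ] || {
        echo 'net.ipv4.ping_group_range=0 1000' > /etc/sysctl.d/70_testforge_ping.conf
        sysctl net.ipv4.ping_group_range="0 1000" >/dev/null
    }

    # setcap not supported on ext2?
    mount | grep -q ' / .*type ext2' && return 0

    # https://github.com/DietPi/issues/1012
    for elt in ping traceroute ; do
        exe=$( command -v "$elt" ) || continue
        [ -z "$exe" ] && continue
        # follow one symlink level; skip anything deeper
        [ -h "$exe" ] && exe=$( readlink "$exe" )
        [ -h "$exe" ] && continue
        getcap "$exe" | grep -q 'cap_net_raw' && ! getcap "$exe" | grep -q 'cap_net_admin' && continue
        setcap 'cap_net_raw+ep' "$exe"
    done
    return 0
}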
|
|
|
|
|
|
|
|
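## proxy_tor_update_wlan_ip - rewrite the "SocksPolicy accept 10.16.*" line of
## /etc/tor/torrc-defaults to accept only this box's WLAN address.
## Returns 0 (also when torrc-defaults is absent), 1 if the address lookup
## fails, 2 if no usable address is known.
## Hardening: the value is spliced into tor's config with sed -i, so it is
## required to be a dotted quad first; anything else would leave tor with a
## malformed or over-broad SocksPolicy.
proxy_tor_update_wlan_ip () { DBUG proxy_tor_update_wlan_ip MODE=$MODE "$@" ;
    # shellcheck disable=SC2154
    if [ -z "$PROXY_WLAN_IP" ] ; then
        PROXY_WLAN_IP=$( proxy_get_wlan_ip ) || return 1
    fi
    # shellcheck disable=SC2154
    [ -z "$PROXY_WLAN_IP" ] && return 2
    case $PROXY_WLAN_IP in
        *[!0-9.]*|*..*|.*|*.)
            ERROR proxy_tor_update_wlan_ip not an IPv4 address: "$PROXY_WLAN_IP"
            return 2 ;;
    esac
    [ -f /etc/tor/torrc-defaults ] || return 0
    sed -e "s@^SocksPolicy accept 10.16.*@SocksPolicy accept $PROXY_WLAN_IP@" \
        -i /etc/tor/torrc-defaults
    return 0
}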
|
|
|
|
|
|
|
|
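## proxy_tor_set_socks_accept - narrow tor's "SocksPolicy accept <prefix>..."
## line to the current WLAN address, in the first of /etc/tor/torrc-defaults,
## /etc/tor/torrc that has such a line.  Returns 0, or 2 when no interface can
## be determined.
## Fixes: when PROXY_WLAN was already set, `retval=$?` captured the status of
## the failed `[ -z ]` test (1) and the function errored out; an empty address
## produced an empty prefix, which matched *every* SocksPolicy line and wrote
## "SocksPolicy accept " (no address) into tor's config - the address is now
## validated first; wlan7/ip/anet/file are locals.
proxy_tor_set_socks_accept () { DBUG proxy_tor_set_socks_accept MODE=$MODE "$@" ;
    local retval=0 wlan7 ip anet file
    # shellcheck disable=SC2154
    if [ -z "$PROXY_WLAN" ] ; then
        PROXY_WLAN=$( proxy_ping_get_wlan )
        retval=$?
    fi
    if [ $retval -ne 0 ] || [ -z "$PROXY_WLAN" ] ; then
        ERROR proxy_tor_set_socks_accept empty wlan retval=$retval
        return 2
    fi
    wlan7=$PROXY_WLAN

    ip=$( proxy_get_wlan_ip )
    case $ip in
        ''|*[!0-9.]*|*..*|.*|*.)
            ERROR proxy_tor_set_socks_accept no usable address for "$wlan7"
            return 0 ;;
    esac
    # the first three characters ("10." / "192" ...) identify the existing line
    anet="${ip:0:3}"
    for file in /etc/tor/torrc-defaults /etc/tor/torrc ; do
        [ -f "$file" ] || continue
        DBUG "$file"
        if grep -q "^SocksPolicy accept $anet" "$file" ; then
            sed -e "s@^SocksPolicy accept ${anet}.*@SocksPolicy accept $ip@" -i "$file"
            INFO updated "$anet" "$file"
            break
        fi
    done
    return 0
}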
|
|
|
|
|
|
|
|
## proxy_ping_get_ip_gw - alias for proxy_ping_get_wlan_gw (arguments not forwarded).
proxy_ping_get_ip_gw () {
    proxy_ping_get_wlan_gw
}
|
|
|
|
|
|
|
|
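## proxy_ping_get_wlan_gw - print a *guessed* gateway for PROXY_WLAN (no
## newline): the interface's IPv4 address with its last octet replaced by 1.
## Sets PROXY_WLAN_GW.  Returns 0, or 2 when no interface or address exists.
## NOTE(review): ".1" is a heuristic, not the routing table; use
## `ip route show default` wherever correctness matters.
## Fixes: retval/a/IP no longer leak as globals.
proxy_ping_get_wlan_gw () {
    local retval addr_line ip
    PROXY_WLAN=$( proxy_ping_get_wlan )
    retval=$?
    if [ $retval -ne 0 ] || [ -z "$PROXY_WLAN" ] ; then
        ERROR proxy_ping_get_wlan_gw empty wlan retval=$retval
        return 2
    fi

    # can be up without having an address
    addr_line=$( proxy_ifconfig "$PROXY_WLAN" | grep 'inet.*broadcast' ) || return 2
    [ -n "$addr_line" ] || return 2

    # unquoted on purpose: several matching lines collapse to one, as before
    # shellcheck disable=SC2086
    ip=$( echo $addr_line | sed -e 's/.*inet //' -e 's/ .*//' )
    # | grep -v '127.0.0.1\|grep'
    [ -z "$ip" ] && return 2
    PROXY_WLAN_GW=$( echo -n "$ip" | sed -e 's/[0-9]*$//' )1
    echo -n "$PROXY_WLAN_GW"
    return 0
}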
|
|
|
|
|
|
|
|
## proxy_ping_get_wlan - print the sanitised outbound interface (no newline)
## and set PROXY_WLAN.  Returns 0, or "2<n>" when proxy_get_if fails or
## yields nothing.
proxy_ping_get_wlan () {
    local rc
    PROXY_WLAN=$( proxy_get_if )
    rc=$?
    if [ $rc -ne 0 ] || [ -z "$PROXY_WLAN" ] ; then
        ERROR proxy_get_if empty wlan7 retval=$rc
        return 2$rc
    fi
    # REQUIRED! bare ethN/wlanN name only
    # shellcheck disable=SC2086
    PROXY_WLAN=$( echo $PROXY_WLAN | grep '^eth\|^wlan' | sed -e 's/:.*//' )
    # shellcheck disable=SC2086
    echo -n $PROXY_WLAN
    return 0
}
|
|
|
|
|
|
|
|
## proxy_ping_test_env - 0 if any of https_proxy / socks_proxy / http_proxy
## is set in the environment, 1 otherwise.
proxy_ping_test_env () { DBUG proxy_ping_test_env MODE=$MODE $* ;
    local v
    # shellcheck disable=SC2154
    for v in "$https_proxy" "$socks_proxy" "$http_proxy" ; do
        [ -n "$v" ] && return 0
    done
    return 1
}
|
|
|
|
|
|
|
|
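## proxy_whonix_get_conn - print the Whonix role configured in /etc/rc.local
## (Gateway | Host | Vda | Workstation; cached in CONN) and set CHORG to
## "guest" or "host".  Always returns 0; CONN stays empty when nothing
## matches.
## Fixes: `[ -f /etc/rc.local ] && return 0` bailed out exactly when the file
## existed, so the loop below could never run; `[ -z "$CONN" -a "$CONN" =
## Host ]` can never be true, so CHORG=host was unreachable.
proxy_whonix_get_conn () {
    local elt
    # shellcheck disable=SC2154
    [ -n "$CONN" ] && echo -n "$CONN" && return 0
    [ -f /etc/rc.local ] || return 0
    for elt in Gateway Host Vda Workstation ; do
        if grep -q "Whonix-$elt.rc" /etc/rc.local && \
           [ -f "/usr/local/etc/local.d/Whonix-$elt.rc" ] ; then
            CONN=$elt
            break
        fi
    done

    case $CONN in Vda|Gateway|Workstation) CHORG=guest ;; esac
    # NOTE(review): this sets "guest" when the QEMU guest-agent port is
    # *absent*, which reads inverted (the port exists inside a guest); kept
    # as-is pending confirmation of the intent.
    [ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] || CHORG=guest
    [ "$CONN" = Host ] && CHORG=host
    # giggle host in host?
    #? [ -e /run/libvirt/libvirt-sock ] && CHORG=host

    echo -n "$CONN"
    return 0
}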
|
|
|
|
|
|
|
|
## proxy_ping_curl_privoxy - reachability probe: fetch https://$HTTP_TARGET
## through the local HTTP proxy.  TLS verification is disabled on both hops
## (--insecure / --proxy-insecure), so a success proves connectivity only;
## never use this to fetch anything that will be trusted.  Returns curl's status.
proxy_ping_curl_privoxy () { DBUG proxy_ping_curl_privoxy MODE=$MODE $* ;
    local via="http://$PROXY_HTTP_PROXY_HOST:$PROXY_HTTP_PROXY_PORT"
    # shellcheck disable=SC2086
    curl $CURL_ARGS --insecure --proxy "$via" --proxy-insecure "https://$HTTP_TARGET"
}
|
|
|
|
|
|
|
|
## proxy_ping_curl_polipo - identical to proxy_ping_curl_privoxy: fetch
## https://$HTTP_TARGET via the local HTTP proxy with TLS checks disabled on
## both hops (connectivity probe only).  Returns curl's status.
proxy_ping_curl_polipo () { DBUG proxy_ping_curl_polipo MODE=$MODE $* ;
    local via="http://$PROXY_HTTP_PROXY_HOST:$PROXY_HTTP_PROXY_PORT"
    # shellcheck disable=SC2086
    curl $CURL_ARGS --insecure --proxy "$via" --proxy-insecure "https://$HTTP_TARGET"
}
|
|
|
|
|
|
|
|
## proxy_ping_curl_bin - the same probe run as $PRIV_BIN_OWNER with no proxy,
## to confirm the firewall's gid-owner exception lets that account reach the
## clearnet directly.  Needs root (su).  Returns su/curl's status.
proxy_ping_curl_bin () { DBUG proxy_ping_curl_bin MODE=$MODE $* ;
    local cmd="curl $CURL_ARGS --insecure --noproxy '*' https://$HTTP_TARGET"
    su -c "$cmd" -s /bin/sh "$PRIV_BIN_OWNER"
}
|
|
|
|
|
|
|
|
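## proxy_nmap_guid_$PRIV_BIN_OWNER - make /usr/bin/nmap set*gid* (mode 2755,
## not suid as the old comment said) to the PRIV_BIN_OWNER group, so that its
## traffic matches the firewall's `--gid-owner $PRIV_BIN_GID -j ACCEPT` rule.
## SECURITY NOTE: this deliberately lets every local user who can run nmap
## send traffic past the Tor-only firewall.  Returns 0; does nothing when nmap
## is absent or PRIV_BIN_OWNER is empty (chgrp "" would fail).
proxy_nmap_guid_bin () { DBUG proxy_nmap_guid_bin MODE=$MODE "$@" ;
    local nmap=/usr/bin/nmap
    [ -x "$nmap" ] || return 0
    [ -n "$PRIV_BIN_OWNER" ] || return 0
    # must be sgid $PRIV_BIN_OWNER
    if [ -z "$( find "$nmap" -perm 2755 )" ] ; then
        chgrp "$PRIV_BIN_OWNER" "$nmap"
        chmod 2755 "$nmap"
    fi
    return 0
}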
|
|
|
|
|
|
|
|
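## proxy_ping_nmap_direct [TARGET [PORTSPEC]] - probe TARGET (default
## $DNS_HOST1) with `nmap -Pn -sU -p PORTSPEC` (default U:53), retrying up to
## TRIES times, DELAY seconds apart.  Returns 0 on the first success, 5 when
## every attempt fails.  (A UDP scan typically needs raw-socket privilege.)
## Fixes: with two arguments the target was replaced by the default (the test
## was `-eq 1`, not `-ge 1`); `p` leaked as a global; the failure message
## always said U:53 regardless of the port used; `expr` -> $(( )).
proxy_ping_nmap_direct () { DBUG proxy_ping_nmap_direct MODE=$MODE "$@" ;
    local i target p
    proxy_nmap_guid_bin
    target=${1:-$DNS_HOST1}
    p=${2:-U:53}

    i=0
    while [ "$i" -lt "$TRIES" ] ; do
        #su -s /bin/bash -c 'ping -c 1 8.8.8.8' $PRIV_BIN_OWNER && break
        nmap -Pn -sU -p "$p" "$target" && break
        sleep "$DELAY"
        i=$(( i + 1 ))
    done
    if [ "$i" -ge "$TRIES" ] ; then
        echo "ERROR: proxy_ping_nmap_direct nmap -Pn -sU -p $p $target failed"
        return 5
    fi
    return 0
}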
|
|
|
|
|
|
|
|
## proxy_whonix_copy_dir_file FROM TO - sync one per-role config: FROM is the
## role copy (e.g. /etc/foo.gateway), TO the live file.  The copy itself is
## disabled (`&& false`), so today the function only runs diff and, as root,
## rewrites "wlanN" in FROM to PROXY_WLAN - and even that is skipped whenever
## FROM does not mention "wlan", which makes the sed a no-op (an `&&` was
## presumably intended).  Returns 0; 1 without FROM; 2 without TO or when no
## interface can be determined.
proxy_whonix_copy_dir_file () { DBUG proxy_whonix_copy_dir_file PROXY_WLAN=$PROXY_WLAN MODE=$MODE $* ;
    [ "$#" -le 1 ] && { ERROR proxy_whonix_copy_dir_file from empty: MODE=$MODE $* ; return 1 ; }
    [ "$#" -eq 2 ] || { ERROR to empty ; return 2 ; }
    local src=$1 dst=$2
    # shellcheck disable=SC2154
    if [ -z "$PROXY_WLAN" ] ; then
        PROXY_WLAN=$( proxy_get_if )
        [ $? -ne 0 -o -z "$PROXY_WLAN" ] && ERROR empty PROXY_WLAN && return 2
    fi
    # fixme - required: bare ethN/wlanN name only
    # shellcheck disable=SC2086
    PROXY_WLAN=$( echo $PROXY_WLAN | grep '^eth\|^wlan' | sed -e 's/:.*//' )

    # shellcheck disable=SC2086
    { [ -f $dst ] && [ -f $src ] ; } || return 0
    # shellcheck disable=SC2086
    diff -q $dst $src && return 0
    proxy_ping_check_root || return 0
    # shellcheck disable=SC2086
    if ! diff -q $dst $src && false ; then
        INFO proxy_whonix_copy_files cp -p $dst $src
        cp -p $dst $src || { ERROR copying $src.dire ; }
    fi
    # shellcheck disable=SC2086
    grep -q wlan $src || \
        sed -e "s@wlan[0-9]@$PROXY_WLAN@" -i $src
    # -e "s@eth[0-9]@$PROXY_WLAN@"
    return 0
}
|
|
|
|
|
|
|
|
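## proxy_whonix_copy_files DIRE - for every path in PROXY_WHONIX_FILES hand
## PATH.DIRE / PATH to proxy_whonix_copy_dir_file; then do the same for
## /etc/apt/*.conf.DIRE - but only if /etc/apt/apt.conf.f exists, which looks
## like a typo for apt.conf.d and currently disables that part (left as is:
## the intent is not certain).  Needs root, otherwise warns and returns 0.
## Returns 0; 1 without DIRE.
## Fixes: file/to are locals; the ".DIRE" suffix is stripped with a suffix
## expansion instead of `sed "s/.$dire//"`, whose unescaped dot matched any
## character and the first occurrence anywhere in the path; an unmatched glob
## no longer produces a literal "*.conf.DIRE" argument.
proxy_whonix_copy_files () { DBUG proxy_whonix_copy_files PROXY_WLAN=$PROXY_WLAN MODE=$MODE "$@" ;
    local dire file to
    [ "$#" -eq 1 ] || { ERROR dire empty ; return 1 ; }
    dire=$1
    proxy_ping_check_root || { WARN must be root to copy files ; return 0 ; }

    # DBUG proxy_whonix_copy_files $dire ${PROXY_WHONIX_FILES[*]}
    for file in "${PROXY_WHONIX_FILES[@]}" ; do
        proxy_whonix_copy_dir_file "$file.$dire" "$file"
    done

    if [ -d /etc/apt/apt.conf.f ] ; then
        for file in /etc/apt/*.conf."$dire" ; do
            [ -e "$file" ] || continue
            to=${file%."$dire"}
            proxy_whonix_copy_dir_file "$file" "$to"
        done
    fi
    return 0
}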
|
|
|
|
|
|
|
|
## proxy_ping_firewall_check - sanity-check /etc/firewall.conf for the
## tor/selektor modes: it must be non-empty (else 1) and contain a REJECT rule
## (else 2); it should also carry gid-owner ACCEPT exceptions for the bin and
## tor gids (warnings only).  Every other mode passes.  Returns 0 otherwise.
proxy_ping_firewall_check () { DBUG proxy_ping_firewall_check PROXY_WLAN=$PROXY_WLAN MODE=$MODE $* ;
    local conf=/etc/firewall.conf
    [ -n "$MODE" ] || MODE="$( proxy_ping_mode )"
    case $MODE in
        tor|selektor)
            [ -s "$conf" ] || {
                ERROR "proxy_ping_firewall_check /etc/firewall.conf empty "
                return 1
            }
            grep -q -i reject "$conf" || {
                ERROR "proxy_ping_firewall_check no reject in /etc/firewall.conf"
                return 2
            }
            grep -q -e "--gid-owner $PRIV_BIN_GID .* ACCEPT" "$conf" || \
                WARN "proxy_ping_firewall_check no bin --gid-owner $PRIV_BIN_GID in /etc/firewall.conf"
            # return 3
            grep -q -e "--gid-owner $PRIV_TOR_GID .* ACCEPT" "$conf" || \
                WARN "proxy_ping_firewall_check no tor --gid-owner $PRIV_TOR_GID in /etc/firewall.conf"
            # return 4
            ;;
        *)  # workstation / ws / vda / nat / gateway / host: nothing to check
            ;;
    esac
    return 0
}
|
|
|
|
|
|
|
|
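## proxy_ping_wlan_config - rewrite every "wlanN" in PROXY_WLAN_FILES to the
## detected interface, and point the firewall's single-digit
## `--gid-owner N -j ACCEPT` rule at PRIV_BIN_GID.  Returns 0; 1 without an
## interface; 2 when the gid rule is still missing afterwards.
## Fixes: `ERROR ... && return 1` only returned when the logger succeeded; an
## empty or non-numeric PRIV_BIN_GID would have written
## "--gid-owner  -j ACCEPT" into /etc/firewall.conf, so the rule is now left
## untouched (status 2) unless the gid is a number.
## NOTE(review): the `[1-9]` pattern is kept single-digit on purpose - it is
## presumably what distinguishes the bin rule from the (larger) tor gid rule.
proxy_ping_wlan_config () { DBUG proxy_ping_wlan_config MODE=$MODE "$@" ;
    local file gid conf=/etc/firewall.conf
    # shellcheck disable=SC2154
    [ -n "$PROXY_WLAN" ] || PROXY_WLAN=$( proxy_get_if ) || {
        ERROR proxy_whonix_wlan_config null interface
        return 1
    }
    for file in "${PROXY_WLAN_FILES[@]}" ; do
        [ -f "$file" ] || continue
        sed -e "s@wlan[0-9]@$PROXY_WLAN@" -i "$file"
    done

    gid=$PRIV_BIN_GID
    case $gid in
        ''|*[!0-9]*)
            WARN proxy_ping_wlan_config PRIV_BIN_GID not numeric: "'$gid'"
            return 2 ;;
    esac
    [ -f "$conf" ] || return 2
    if ! grep -q -e "-m owner --gid-owner $gid -j ACCEPT" "$conf" ; then
        sed -e "s@-m owner --gid-owner [1-9] -j ACCEPT@-m owner --gid-owner $gid -j ACCEPT@" -i "$conf"
    fi
    grep -q -e "-m owner --gid-owner $gid -j ACCEPT" "$conf" || return 2
    return 0
}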
|
|
|
|
|
|
|
|
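## proxy_ping_firewall_sysctl_ipv6 - comment out the net.ipv6.conf.* lines of
## the lynis hardening sysctl file when the kernel has no IPv6
## (/proc/net/if_inet6 absent), re-enable them otherwise.  Returns 0.
## Fix: sed -i on a missing file only printed an error; it is skipped now.
proxy_ping_firewall_sysctl_ipv6 () {
    local conf=/etc/sysctl.d/70_testforge_harden_lynis.conf
    [ -f "$conf" ] || return 0
    if [ -e /proc/net/if_inet6 ] ; then
        sed -i -e 's/^#net.ipv6.conf/net.ipv6.conf/' "$conf"
    else
        sed -i -e 's/^net.ipv6.conf/#net.ipv6.conf/' "$conf"
    fi
    return 0
}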
|
|
|
|
|
|
|
|
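## proxy_iptables_rename - in /usr/sbin, move each iptables* binary to
## NAME.bin and create NAME.bash, a tiny exec wrapper around it (idempotent:
## entries that already have a .bin twin are skipped).  Returns 0; 1 if
## /usr/sbin cannot be entered.
## Fixes: `cd` was unchecked, so on failure the loop renamed iptables* in
## whatever the current directory was; the loop variable `base` clobbered the
## file-level $base; the caller's working directory is restored.
## NOTE(review): after the mv only NAME.bin and NAME.bash exist - plain
## /usr/sbin/NAME is gone unless something else provides it.
proxy_iptables_rename () { DBUG proxy_iptables_rename MODE=$MODE "$@" ;
    local wd=$PWD file stem
    cd /usr/sbin/ || return 1
    for file in iptables* ; do
        stem=$( basename "$file" .bin )
        [ "$stem" = "$file" ] || continue      # skip the .bin copies themselves
        [ -e "$file.bin" ] || mv "$file" "$file.bin"
        if [ ! -e "$file.bash" ] ; then
            printf '#!/bin/sh\nexec %s.bin "$@"\n' "$file" > "$file.bash" && \
                chmod 755 "$file.bash"
        fi
    done
    cd "$wd" || true
    return 0
}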
|
|
|
|
|
|
|
|
# Preset to the legacy backend.  proxy_iptables only autodetects when this is
# empty, so the preset pins iptables-legacy even where it is not installed.
IPT_LEGACY=iptables-legacy
|
|
|
|
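## proxy_iptables [args...] - run the selected iptables backend; when
## IPT_LEGACY is empty, prefer iptables-legacy if installed, else iptables.
## Returns the backend's status.
## Fix: arguments are forwarded as "$@" so quoted rule fragments are not
## re-split; `which` replaced by the builtin `command -v`.
proxy_iptables () { DBUG proxy_iptables MODE=$MODE "$@" ;
    if [ -z "$IPT_LEGACY" ] ; then
        # DEBIAN -eq 0
        if command -v iptables-legacy >/dev/null 2>&1 ; then
            IPT_LEGACY=iptables-legacy
        else
            IPT_LEGACY=iptables
        fi
    fi
    "$IPT_LEGACY" "$@"
}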
|
|
|
|
|
|
|
|
# Preset; proxy_iptables_save autodetects only when this is empty.
IPT_SAVE_LEGACY=iptables-legacy-save
|
|
|
|
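## proxy_iptables_save [args...] - run iptables(-legacy)-save; when
## IPT_SAVE_LEGACY is empty, prefer the legacy variant if installed.
## Returns the command's status.  Fix: arguments forwarded as "$@".
proxy_iptables_save () { DBUG proxy_iptables_save MODE=$MODE "$@" ;
    if [ -z "$IPT_SAVE_LEGACY" ] ; then
        # DEBIAN -eq 0
        if command -v iptables-legacy-save >/dev/null 2>&1 ; then
            IPT_SAVE_LEGACY=iptables-legacy-save
        else
            IPT_SAVE_LEGACY=iptables-save
        fi
    fi
    "$IPT_SAVE_LEGACY" "$@"
}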
|
|
|
|
|
|
|
|
# Preset; proxy_iptables_restore autodetects only when this is empty.
IPT_RESTORE_LEGACY=iptables-legacy-restore
|
|
|
|
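## proxy_iptables_restore [args...] - flush the filter/nat/mangle tables, then
## run iptables(-legacy)-restore with the given arguments.  Returns the
## restore command's status.
## Fix: the function ended with `return $?` *after* the if/else that logged the
## outcome, so it returned the logger's status (0) and a failed restore was
## invisible to callers - i.e. a box silently left without its firewall.
## NOTE(review): the explicit flush is not atomic with the restore; between the
## two the chains are empty (with whatever default policy they carry).
## iptables-restore normally replaces the tables in its input by itself.
proxy_iptables_restore () { DBUG proxy_iptables_restore MODE=$MODE "$@" ;
    local retval
    proxy_iptables -F -t filter ; proxy_iptables -F -t nat ; proxy_iptables -F -t mangle

    if [ -z "$IPT_RESTORE_LEGACY" ] ; then
        if command -v iptables-legacy-restore >/dev/null 2>&1 ; then
            IPT_RESTORE_LEGACY=iptables-legacy-restore
        else
            IPT_RESTORE_LEGACY=iptables-restore
        fi
    fi
    "$IPT_RESTORE_LEGACY" "$@"
    retval=$?
    if [ $retval -eq 0 ] ; then
        DBUG proxy_iptables_restored "$@"
    else
        ERROR proxy_iptables_restore retval=$retval "$@"
    fi
    # /usr/local/bin/proxy_firewall_restore_iptable.bash
    return $retval
}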
|
|
|
|
|
|
|
|
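## proxy_ping_firewall_modules - make sure the netfilter/bridge kernel modules
## the firewall rules need are loaded (in nat mode only virtio_console).
## Returns 0 (also when not root); in nat mode the modprobe status; "5<n>"
## when a NAT module this kernel ships fails to load.
## Fixes: MODE was compared unquoted (empty MODE = test(1) syntax error); a
## missing /etc/modules-load.d/firewall.conf made grep fail and xargs run
## `modprobe --all` with no arguments; `file` leaked as a global.
proxy_ping_firewall_modules () { DBUG proxy_ping_firewall_modules MODE=$MODE "$@" ;
    local elt kern file

    proxy_ping_check_root || return 0
    if [ "$MODE" = nat ] ; then
        lsmod | grep -q virtio_console || modprobe virtio_console
        return $?
    fi

    # /etc/modules-load.d/vda*.conf
    for file in /etc/modules-load.d/firewall.conf ; do
        [ -f "$file" ] || continue
        grep -v '#\|floppy' "$file" | xargs modprobe --all
    done

    kern=$( uname -r )
    if [ -d "/lib/modules/$kern" ] ; then
        # bpfilter
        for elt in xt_MASQUERADE nf_nat_ipv4 ; do
            # only when some *der listing in the module dir mentions it
            if grep -q -i "$elt" "/lib/modules/$kern"/*der ; then
                lsmod | grep -qi "$elt" || modprobe "$elt" || return 5$?
            # else # 5.0.8 kernel
            #     WARN $elt not in "/lib/modules/$kern"/*der # 2>&1|tee $WLOG
            fi
        done
    fi

    lsmod | grep -q nf_conntrack || modprobe nf_conntrack
    lsmod | grep -q nft_masq || modprobe nft_masq
    lsmod | grep -q bridge || modprobe bridge
    return 0
}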
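#######################################
# Succeed only when the script runs as root.
# Globals:   USER (read).  This is inherited from the environment and may
#            not reflect the effective uid under sudo/su without a login
#            shell; "id -u" would be the authoritative check.
# Returns:   0 for root, 2 otherwise
#######################################
proxy_ping_check_root () {
  # Quoted so an empty USER compares as "not root" instead of tripping a
  # test(1) syntax error.
  if [ "$USER" = root ] ; then
    return 0
  fi
  # WARN proxy_ping_check_root - not root
  return 2
}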
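## proxy_ping_firewall_start
#######################################
# Bring the firewall up for the current MODE unless it already rejects.
# Globals:   MODE (read; derived from proxy_ping_mode when empty),
#            PROXY_WLAN (read for the debug line)
# Arguments: ignored apart from the debug line
# Returns:   0 when nothing needs doing or on success,
#            1<status> when proxy_ping_firewall_check fails,
#            1 for a MODE that has no firewall ruleset,
#            3<status> when the restart fails
#######################################
proxy_ping_firewall_start () { DBUG proxy_ping_firewall_start PROXY_WLAN=$PROXY_WLAN MODE=$MODE "$@" ;
  local ret
  [ -n "$MODE" ] || MODE="$( proxy_ping_mode )"
  if [ "$MODE" = direct ] || [ "$MODE" = nat ] ; then
    WARN no proxy_ping_firewall_start MODE=$MODE
    return 0
  fi
  # Everything below needs root; warn and succeed so callers continue.
  proxy_ping_check_root || { WARN must be root to copy files ; return 0 ; }
  proxy_ping_firewall_modules
  proxy_ping_firewall_check || {
    ret=$?
    ERROR failed proxy_ping_firewall_start ret=$ret
    return 1$ret
  }
  if [ "$MODE" != tor ] && [ "$MODE" != selektor ] && [ "$MODE" != ws ] ; then
    ERROR failed proxy_ping_firewall_check MODE=$MODE
    # No status to append on this path: "return 1$ret" here depended on a
    # stale global ret.
    return 1
  fi
  # Heuristic: a ruleset that already contains a REJECT rule is treated as
  # loaded.  It does not verify those rules are the ones in /etc/firewall.conf.
  proxy_iptables_save 2>&1 | grep -iq reject && return 0
  proxy_ping_firewall_restart || return 3$?
  return 0
}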
proxy_ping_firewall_set () {
  # Compatibility alias: setting the firewall is the same as restarting it.
  proxy_ping_firewall_restart
}
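## proxy_ping_firewall_restart
#######################################
# Reload the iptables ruleset from /etc/firewall.conf for the current MODE
# and copy the matching proxy configuration files.
# Globals:   MODE (read; derived from proxy_ping_mode when empty),
#            PROXY_WLAN (read; derived from proxy_get_if when empty),
#            prog (read for messages)
# Arguments: ignored apart from the debug line
# Returns:   2 when not root, 1 when no interface can be determined,
#            3 when the ruleset fails to load, 4 when copying files fails,
#            0 on success
#######################################
proxy_ping_firewall_restart () { DBUG proxy_ping_firewall_restart MODE=$MODE "$@" ;
  local retval
  proxy_ping_check_root || return 2
  # shellcheck disable=SC2154
  [ -n "$MODE" ] || MODE="$( proxy_ping_mode )"
  proxy_ping_firewall_modules

  # shellcheck disable=SC2154
  if [ -z "$PROXY_WLAN" ] ; then
    PROXY_WLAN=$( proxy_get_if )
    retval=$?
    if [ "$retval" -ne 0 ] || [ -z "$PROXY_WLAN" ] ; then
      ERROR proxy_ping_get_wlan empty wlan retval=$retval
      return 1
    fi
  fi
  proxy_ping_wlan_config

  proxy_iptables_restore /etc/firewall.conf || {
    ERROR $prog proxy_iptables_restore failed
    # Also run the wall helper when present: a failed restore leaves the
    # chains flushed (see proxy_iptables_restore), which is worth shouting.
    [ -x /usr/local/bin/proxy_wall.bash ] && \
      /usr/local/bin/proxy_wall.bash ERROR: $prog proxy_iptables_restore failed
    return 3
  }

  proxy_whonix_copy_files "$MODE" || {
    ERROR "proxy_ping_firewall_restart failed proxy_whonix_copy_files"
    return 4
  }
  return 0
}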
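## proxy_ping_dnsmasq_config
#######################################
# Point /etc/dnsmasq.conf at the active interface, keeping a per-mode copy.
# Globals:   MODE (read; default for the first argument),
#            PROXY_WLAN (read; derived from proxy_get_if when empty)
# Arguments: $1 - mode name used as the backup suffix (defaults to MODE)
# Returns:   3 when no usable interface name is available, 2 when
#            /etc/dnsmasq.conf is missing, 0 otherwise
#######################################
proxy_ping_dnsmasq_config () { DBUG proxy_ping_dnsmasq_config MODE=$MODE "$@" ;
  # fixme: NEEDS dire
  local dire
  local retval=0

  if [ "$#" -gt 0 ] ; then
    dire=$1
    DEBUG=1 dbug proxy_ping_dnsmasq_config "$@"
  else
    WARN proxy_ping_dnsmasq_config no args - defaulting $MODE
    dire=$MODE
  fi

  # shellcheck disable=SC2154
  if [ -z "$PROXY_WLAN" ] ; then
    # Capture the status directly: chaining "&& retval=$?" only ever
    # recorded 0, so a failing proxy_get_if went unnoticed.
    PROXY_WLAN=$( proxy_get_if )
    retval=$?
  fi
  if [ "$retval" -ne 0 ] || [ -z "$PROXY_WLAN" ] ; then
    ERROR proxy_ping_dnsmasq_config null PROXY_WLAN=$PROXY_WLAN
    return 3
  fi
  # The name is spliced into a sed expression below; refuse anything that
  # is not a plain interface token so it cannot alter the edit.
  case "$PROXY_WLAN" in
    *[!A-Za-z0-9_.:-]*)
      ERROR proxy_ping_dnsmasq_config bad PROXY_WLAN=$PROXY_WLAN
      return 3 ;;
  esac

  [ -e /etc/dnsmasq.conf ] || {
    ERROR proxy_ping_dnsmasq_config not /etc/dnsmasq.conf ; return 2 ;
  }
  # Keep an untouched per-mode copy the first time round.
  if [ ! -f "/etc/dnsmasq.conf.$dire" ] ; then
    cp -p /etc/dnsmasq.conf "/etc/dnsmasq.conf.$dire"
  fi

  sed -e "s/wlan[0-9]/$PROXY_WLAN/" -e "s/eth[0-9]/$PROXY_WLAN/" \
    -i /etc/dnsmasq.conf
  INFO proxy_ping_dnsmasq_config setting PROXY_WLAN=$PROXY_WLAN
  return 0
}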
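## proxy_ping_gw_check
#######################################
# Sanity-check the path to the default gateway and log anomalies.
# Globals:   PROXY_WLAN_GW (written from proxy_ping_get_ip_gw),
#            ELOG, WLOG (read; given /tmp defaults when empty)
# Arguments: ignored apart from the debug line
# Returns:   always 0; findings go to ELOG/WLOG and stdout
#######################################
proxy_ping_gw_check () { DBUG proxy_ping_gw_check MODE=$MODE "$@" ;
  local retval hops
  PROXY_WLAN_GW=$( proxy_ping_get_ip_gw )
  # Record the status here: reading $? only after the log defaults below
  # tested those assignments instead, so the check was skipped whenever
  # WLOG was already set.
  retval=$?
  # shellcheck disable=SC2154
  [ -z "$ELOG" ] && ELOG=/tmp/proxy_test_gw$$.err
  # shellcheck disable=SC2154
  [ -z "$WLOG" ] && WLOG=/tmp/proxy_test_gw$$.log
  # NOTE(review): $$-based names in /tmp are predictable; mktemp would be
  # safer if these files are created by a privileged run.
  if [ "$retval" -eq 0 ] && [ -n "$PROXY_WLAN_GW" ] ; then
    hops=$( traceroute -m 10 "$PROXY_WLAN_GW" | wc -l )
    # More than a few hops to what should be the next hop is suspicious;
    # keep the route and the scan output for inspection.
    if [ -n "$hops" ] && [ "$hops" -gt 4 ] ; then
      echo ERROR: traceroute "$PROXY_WLAN_GW" >> "$ELOG" && \
        traceroute -m 10 "$PROXY_WLAN_GW" >> "$ELOG" && \
        nmap -A -T4 "$PROXY_WLAN_GW" | tee -a "$WLOG" | grep -A 1 HOP | grep -v ^1
    fi
    # /usr/local/bin/base_wall.bash $prog CRIT: traceroute $PROXY_WLAN_GW '>10'
  fi
  return 0
}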
## proxy_ping_dnsd_check
# Check whichever local DNS daemon is in use.
# fixme: decide which
# For now only the dnsmasq check runs and its status is not propagated.
proxy_ping_dnsd_check () { DBUG proxy_ping_dnsd_check MODE=$MODE $* ;
  proxy_ping_dnsmasq_check $*
  return 0
}
## proxy_ping_dnsmasq_status
#######################################
# Report whether dnsmasq is running and has picked up an upstream server.
# Arguments: ignored apart from the debug line
# Returns:   2<status> when the service is not running, 3 when the log is
#            empty or missing, 0 otherwise (a missing "using nameserver"
#            line only warns)
#######################################
proxy_ping_dnsmasq_status () { DBUG proxy_ping_dnsmasq_status MODE=$MODE $* ;
  local log=/var/log/dnsmasq.log
  proxy_rc_service dnsmasq status >/dev/null || return 2$?
  if [ ! -s "$log" ] ; then
    WARN proxy_ping_dnsmasq_status no file /var/log/dnsmasq.log
    return 3
  fi
  # The matching line is printed for the caller to see.
  if ! tail "$log" | grep 'using nameserver ' ; then
    WARN proxy_ping_dnsmasq_status no using in /var/log/dnsmasq.log
  fi
  return 0
}
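## proxy_ping_dnsmasq_start
#######################################
# Configure and start dnsmasq, then verify something listens on port 53.
# Globals:   MODE (read; used as the config argument when none is given),
#            DELAY (read; seconds to wait before the port check)
# Arguments: passed to proxy_ping_dnsmasq_config (defaults to MODE)
# Returns:   1<status> when configuration fails, 0 when already running,
#            3<status> when the service fails to start, 4 when nothing
#            listens on :53 afterwards
#######################################
proxy_ping_dnsmasq_start () { DBUG proxy_ping_dnsmasq_start MODE=$MODE "$@" ;
  local ret
  # fixme: need dire
  # Unquoted on purpose: an empty MODE must yield no argument at all.
  # shellcheck disable=SC2086
  [ "$#" -eq 0 ] && set -- $MODE

  proxy_ping_dnsmasq_config "$@" || {
    ret=$?
    WARN proxy_ping_dnsmasq_start dnsmasq not configing $ret
    return 1$ret
  }
  proxy_ping_dnsmasq_status && return 0
  # Fresh log so the checks below only see this start attempt.
  cp /dev/null /var/log/dnsmasq.log
  proxy_rc_service dnsmasq start || {
    # Capture the service status before the diagnostics overwrite $?.
    ret=$?
    WARN proxy_ping_dnsmasq_start dnsmasq not starting
    tail /var/log/dnsmasq.log
    return 3$ret
  }
  sleep "$DELAY"
  netstat -nlp4e | grep :53 || {
    WARN proxy_ping_dnsmasq_start dnsmasq not running
    tail /var/log/dnsmasq.log
    return 4
  }
  return 0
}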
## proxy_ping_dnsmasq_stop
# Stop dnsmasq if it is running.
# Returns: 0 when it was not running or stopped cleanly, 2<status> otherwise
proxy_ping_dnsmasq_stop () { DBUG proxy_ping_dnsmasq_stop MODE=$MODE $* ;
  if proxy_ping_dnsmasq_status ; then
    proxy_rc_service dnsmasq stop >/dev/null || return 2$?
  fi
  return 0
}
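## proxy_ping_pdnsd_check
#######################################
# Make sure pdnsd is running when it is configured.
# Globals:   DELAY (read)
# Returns:   0 when already running, not configured, or started cleanly;
#            1<status> when the service fails to start; 4 when the log does
#            not report a successful start
#######################################
proxy_ping_pdnsd_check () { DBUG proxy_ping_pdnsd_check MODE=$MODE "$@" ;
  # Match the process name exactly: "ps | grep pdnsd" also matched this
  # script's own argv (e.g. "proxy_ping_pdnsd_check"), so the check could
  # pass with no daemon running.
  pgrep -x pdnsd >/dev/null && return 0
  [ -e /etc/pdnsd/pdnsd.conf ] || return 0
  proxy_rc_service pdnsd start || return 1$?
  sleep "$DELAY"
  tail /var/log/pdnsd.log | grep -q 'All threads started successfully' || return 4
  return 0
}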
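## proxy_ping_dnsmasq_check
#######################################
# Make sure dnsmasq is running, starting it when needed.
# Globals:   DELAY (read)
# Returns:   0 when already running, when /etc/dnsmasq.conf exists, or
#            after a clean start; 1<status> when the service fails to
#            start; 4 when the log does not report a start
# NOTE(review): proxy_ping_pdnsd_check returns 0 when its config is
# *absent*; here the test is the other way round (config present -> 0,
# absent -> try to start), which looks inverted -- confirm the intent
# before relying on this check.
#######################################
proxy_ping_dnsmasq_check () { DBUG proxy_ping_dnsmasq_check MODE=$MODE "$@" ;
  # Exact process-name match; "ps | grep dnsmasq" also matched this
  # script's own argv (e.g. "proxy_ping_dnsmasq_check").
  pgrep -x dnsmasq >/dev/null && return 0
  [ -e /etc/dnsmasq.conf ] && return 0
  proxy_rc_service dnsmasq start || return 1$?
  sleep "$DELAY"
  tail /var/log/dnsmasq.log | grep -q 'started, ' || return 4
  return 0
}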
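## proxy_dest_port_wlan_config
#######################################
# Fill DEST, PORT and PROXY_WLAN from the arguments or defaults.
# Globals:   DEST (written when empty; default 127.0.0.1),
#            PORT (written when empty; default 9053),
#            PROXY_WLAN (written when empty; from the next argument or
#            proxy_get_if)
# Arguments: $1 dest, $2 port, $3 interface -- each consumed only while the
#            matching global is still empty
# Returns:   2<status> when no interface can be determined, 0 otherwise
#######################################
proxy_dest_port_wlan_config () { DBUG proxy_dest_port_wlan_config MODE=$MODE "$@" ;
  local retval
  # shellcheck disable=SC2154
  if [ -z "$DEST" ] && [ "$#" -gt 0 ] ; then
    DEST=$1 ; shift
  fi
  [ -z "$DEST" ] && DEST=127.0.0.1
  # shellcheck disable=SC2154
  if [ -z "$PORT" ] && [ "$#" -gt 0 ] ; then
    PORT=$1 ; shift
  fi
  [ -z "$PORT" ] && PORT=9053
  # shellcheck disable=SC2154
  if [ -z "$PROXY_WLAN" ] && [ "$#" -gt 0 ] ; then
    PROXY_WLAN=$1 ; shift
  fi
  # shellcheck disable=SC2154
  if [ -z "$PROXY_WLAN" ] ; then
    PROXY_WLAN=$( proxy_get_if )
    retval=$?
    if [ "$retval" -ne 0 ] || [ -z "$PROXY_WLAN" ] ; then
      ERROR proxy_get_if empty wlan7 retval=$retval
      return 2$retval
    fi
  fi
  return 0
}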
## proxy_whonix_polipo_config
#######################################
# Write polipo's upstream-proxy settings for the given mode.
# Globals:   DEST, PORT (read in the non-whonix branch)
# Arguments: $1 - mode name (whonix or anything else), used as the backup
#            suffix; remaining arguments are ignored
# Returns:   always 0
# NOTE(review): both branches back up "$file" to "$file.$dire" but append
# the settings to "$file.conf" (/etc/polipo/config.conf), not to "$file";
# the sibling *_config functions disagree on the target too -- confirm
# which file polipo actually reads before trusting this configuration.
#######################################
proxy_whonix_polipo_config () { DBUG proxy_whonix_polipo_config MODE=$MODE $* ;
  local dire
  local file
  dire=$1 ; shift

  file=/etc/polipo/config
  if [ $dire = whonix ]; then
    # whonix: SOCKS parent is hard-coded to the gateway address below
    if [ ! -f $file.$dire ] ; then
      cp -p $file $file.$dire
      cat >> $file.conf <<EOF
proxyAddress=127.0.0.1
proxyPort=3128
proxyName=127.0.0.1
socksParentProxy=10.0.2.15:9050
socksProxyType=socks5
#?ssocksUserName=foo
EOF
    fi
  else
    # every other mode: SOCKS parent taken from DEST/PORT
    if [ ! -f $file.$dire ] ; then
      cp -p $file $file.$dire
      cat >> $file.conf <<EOF
proxyAddress=127.0.0.1
proxyPort=3128
proxyName=127.0.0.1
socksParentProxy=${DEST}:$PORT
socksProxyType=socks5
EOF
    fi
  fi
  return 0
}
## proxy_whonix_privoxy_config
#######################################
# Write privoxy's listen and SOCKS-forward settings for the given mode.
# Globals:   SOCKS_HOST, SOCKS_PORT (written; not declared local)
# Arguments: $1 - mode name, used as the backup suffix; the rest are ignored
# Returns:   always 0
# NOTE(review): "selaktor" below is spelled "selektor" everywhere else in
# this file; it is harmless only because that branch sets the same values
# as the default branch.  As in the polipo sibling, the backup is taken of
# "$file" but the settings are appended to "$file.conf" -- confirm that is
# the file privoxy actually reads.
#######################################
proxy_whonix_privoxy_config () { DBUG proxy_whonix_privoxy_config MODE=$MODE $* ;
  local dire
  local file
  dire=$1 ; shift

  file=/etc/privoxy/config
  if [ $dire = whonix ]; then
    # whonix: forward to the gateway's SOCKS port (hard-coded)
    SOCKS_HOST=10.0.2.15
    SOCKS_PORT=9050
  elif [ $dire = selaktor ]; then
    SOCKS_HOST=127.0.0.1
    SOCKS_PORT=9050
  else
    SOCKS_HOST=127.0.0.1
    SOCKS_PORT=9050
  fi
  if [ ! -f $file.$dire ] ; then
    cp -p $file $file.$dire
    # listen on loopback only; forward-socks5t sends requests (and their
    # name lookups) through the SOCKS server
    cat >> $file.conf <<EOF
listen-address 127.0.0.1:3128
forward-socks5t / $SOCKS_HOST:$SOCKS_PORT .
EOF
  fi
  return 0
}
## proxy_whonix_dnsmasq_config
#######################################
# Write a per-mode dnsmasq configuration forwarding to DEST#PORT.
# Globals:   DEST, PORT, PROXY_WLAN (read; filled by
#            proxy_dest_port_wlan_config), file (written; not declared local)
# Arguments: $1 - mode name used as the file suffix (default "tor");
#            the rest go to proxy_dest_port_wlan_config
# Returns:   1 when DEST or PORT is empty, 0 otherwise
# NOTE(review): the status of proxy_dest_port_wlan_config is ignored, so an
# empty PROXY_WLAN can reach the "interface=" line below.  Unlike the
# polipo and privoxy siblings, the settings are appended to the backup
# copy "$file.$dire" rather than to "$file.conf" -- confirm which is
# intended.
#######################################
proxy_whonix_dnsmasq_config () { DBUG proxy_whonix_dnsmasq_config MODE=$MODE $* ;
  local dire

  [ "$#" -eq 0 ] && set -- tor
  dire=$1 ; shift
  proxy_dest_port_wlan_config $*
  # shellcheck disable=SC2154
  [ -z "$PORT" -o -z "$DEST" ] && return 1

  # 9040 - no wgetrc
  # need dnsmasq to 127
  file=/etc/dnsmasq.conf
  if [ ! -f $file.$dire ] ; then
    cp -p $file $file.$dire
    # no-resolv: ignore /etc/resolv.conf and use only the server= line;
    # no DHCP is served on the uplink interface
    cat >> $file.$dire <<EOF
log-facility=/var/log/dnsmasq.log
no-resolv
listen-address=127.0.0.1
server=${DEST}#$PORT
port=53
# wlan4
interface=$PROXY_WLAN
bind-interfaces
no-dhcp-interface=$PROXY_WLAN
EOF
  fi
  return 0
}
# unused
## proxy_testssl_lib_update
# Regenerate /usr/local/bin/proxy_testssl_lib.bash from /usr/bin/testssl.sh
# (everything above its "## main ##" marker) when the library is missing,
# empty, or older than testssl.sh.  The output is shell code, presumably
# sourced elsewhere, so its only trust anchor is the packaged testssl.sh.
# Returns: always 0
proxy_testssl_lib_update () { DBUG proxy_testssl_lib_update MODE=$MODE $* ;
  local lib=/usr/local/bin/proxy_testssl_lib.bash
  local src=/usr/bin/testssl.sh
  if [ ! -s "$lib" ] || [ "$src" -nt "$lib" ] ; then
    sed -e '/^##* main ##/,$d' "$src" > "$lib"
  fi
  return 0
}
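## proxy_ping_wait_for_tor
#######################################
# Poll tor's notice log until bootstrap reaches 100%.
# Globals:   TRIES (read; poll count), DELAY (read; seconds between polls)
# Outputs:   the matching log line on success, an ERROR line on failure
# Returns:   0 once bootstrapped, 3 after TRIES polls without success
#######################################
proxy_ping_wait_for_tor () { DBUG proxy_ping_wait_for_tor MODE=$MODE "$@" ;
  local i=0
  while [ "$i" -lt "$TRIES" ] ; do
    sleep "$DELAY"
    tail -20 /var/log/tor/notice.log | grep 100% && break
    # arithmetic expansion instead of forking expr on every iteration
    i=$(( i + 1 ))
  done
  if [ "$i" -ge "$TRIES" ] ; then
    echo "ERROR: proxy_ping_wait_for_tor tor failed"
    return 3
  fi
  return 0
}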
## proxy_ping_dig_test
# Alias for proxy_ping_wait_for_dig; its status is the return value.
proxy_ping_dig_test () { DBUG proxy_ping_dig_test MODE=$MODE $* ;
  proxy_ping_wait_for_dig $*
}
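## proxy_ping_wait_for_dig
#######################################
# Poll, as the PRIV_BIN_OWNER user, until dig resolves a name.
# Globals:   TRIES, DELAY (read), PRIV_BIN_OWNER (read; user to run dig as)
# Outputs:   the ANSWER section on success, an ERROR line on failure
# Returns:   0 once an ANSWER section is seen, 2 after TRIES attempts
#######################################
proxy_ping_wait_for_dig () { DBUG proxy_ping_wait_for_dig MODE=$MODE "$@" ;
  local i=0
  while [ "$i" -lt "$TRIES" ] ; do
    # run as the unprivileged user (presumably to test resolution from an
    # ordinary user's context)
    su -s /bin/bash -c 'dig google.com' "$PRIV_BIN_OWNER" 2>&1 | grep -A 1 ANSWER && break
    sleep "$DELAY"
    i=$(( i + 1 ))
  done
  if [ "$i" -ge "$TRIES" ] ; then
    echo "ERROR: proxy_ping_wait_for_dig dig failed"
    return 2
  fi
  # Without an explicit success status the function returned the status of
  # the failed test above (1) even when dig had succeeded.
  return 0
}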
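## proxy_ping_set_resolv
#######################################
# Make /etc/resolv.conf point at the resolver for the given mode.
# Globals:   MODE (read; default mode), DEST (read; passed to
#            proxy_clobber_resolv_local)
# Arguments: $1 - mode name (defaults to MODE)
# Returns:   0 when resolv.conf is already right or was rewritten,
#            1 when proxy_ping_test_resolv rejects the mode
# NOTE(review): proxy_ping_test_resolv only returns 0 or 1 as written, so
# the clobber path below appears unreachable -- confirm.
#######################################
proxy_ping_set_resolv () { DBUG proxy_ping_set_resolv MODE=$MODE "$@" ;
  local dire ret
  if [ "$#" -gt 0 ] ; then
    dire=$1
  else
    dire=$MODE
  fi

  proxy_ping_test_resolv "$dire"
  ret=$?
  [ "$ret" -eq 0 ] && return 0
  [ "$ret" -eq 1 ] && return 1
  # Any other status: rewrite the nameserver line.  DEST stays unquoted so
  # an empty value yields no argument (and the callee's default).
  # shellcheck disable=SC2086
  proxy_clobber_resolv_local $DEST
  return 0
}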
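## proxy_ping_test_resolv
#######################################
# Pick the resolver address for a mode and check /etc/resolv.conf uses it.
# Globals:   MODE (read; default mode), USER (read),
#            PROXY_DNS_IP (written: the expected nameserver)
# Arguments: $1 - mode name (defaults to MODE)
# Returns:   1 for an empty or unknown mode, 0 otherwise.  When root and
#            the live file does not list PROXY_DNS_IP, the per-mode file
#            /etc/resolv.conf.$dire is created or updated as a side effect.
#######################################
proxy_ping_test_resolv () { DBUG proxy_ping_test_resolv MODE=$MODE "$@" ;
  local dire
  if [ "$#" -gt 0 ] ; then
    dire=$1
  else
    dire=$MODE
  fi
  [ -z "$dire" ] && return 1
  # fixme - has polipo?
  #? proxy_whonix_polipo_config $dire
  case "$dire" in
    whonix)
      # PROXY_DNS_IP="10.0.2.15#9053"
      PROXY_DNS_IP=127.0.0.1 ;;
    gateway)
      PROXY_DNS_IP=10.0.2.15 ;;
    nat)
      PROXY_DNS_IP=10.0.2.2 ;;
    vda|ws|workstation)
      PROXY_DNS_IP=10.152.152.10 ;;
    tor|selektor|host)
      PROXY_DNS_IP=127.0.0.1 ;;
    *)
      WARN proxy_ping_test_resolv unexpected dire=$dire
      PROXY_DNS_IP=127.0.0.1
      #?
      return 1 ;;
  esac

  # Fixed-string match: the dots in an address are not regex wildcards.
  grep -qF -- "$PROXY_DNS_IP" /etc/resolv.conf && return 0
  #? grep '^nameserver *[2-9]' /etc/resolv.conf && return 2
  if [ "$USER" = root ] ; then
    if [ -f "/etc/resolv.conf.$dire" ] ; then
      sed -e "s@nameserver.*@nameserver $PROXY_DNS_IP@" -i "/etc/resolv.conf.$dire"
    else
      echo nameserver "$PROXY_DNS_IP" > "/etc/resolv.conf.$dire"
    fi
  fi
  return 0
}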
## proxy_clobber_resolv_local
#######################################
# Force /etc/resolv.conf to a single nameserver (default 127.0.0.1).
# Arguments: $1 - nameserver address (optional)
# Returns:   always 0; does nothing when not root or already set
#######################################
proxy_clobber_resolv_local () { DBUG proxy_clobber_resolv_local MODE=$MODE $* ;
  local ip=127.0.0.1
  [ "$#" -eq 0 ] || ip=$1

  # FixMe: /etc/resolv.conf resolvconf

  grep -q "^nameserver $ip" /etc/resolv.conf && return 0
  proxy_ping_check_root || return 0
  # Rewrite every nameserver line in place; fall back to appending when
  # there is none to rewrite (or the in-place edit fails).
  if grep -q "^nameserver" /etc/resolv.conf && \
     sed -e "s/^nameserver.*/nameserver $ip/" -i /etc/resolv.conf ; then
    :
  else
    echo "nameserver $ip" >> /etc/resolv.conf
  fi
  return 0
}
## proxy_ping_status
# Delegate status reporting to the libvirt library; its status is ignored.
proxy_ping_status () { DBUG proxy_ping_status MODE=$MODE $* ;
  /usr/local/bin/proxy_libvirt_lib.bash proxy_libvirt_status
  return 0
}
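## proxy_virsh
# Run virsh with a 20 s limit (SIGKILL 10 s after the timeout), passing the
# arguments through intact ("$@" rather than the re-splitting $*).
# Returns: virsh's status; 124 when the timeout fired
proxy_virsh () { DBUG proxy_virsh MODE=$MODE "$@" ;
  # timeout=124
  timeout --kill-after=10 20 virsh "$@"
}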
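## proxy_ping_update_cacert
#######################################
# Refresh the local copy of the curl.se CA bundle and print the bundle path.
# Globals:   PWD (read, to return to the caller's directory)
# Outputs:   the first non-empty bundle path (cacert-curl.se.pem, else
#            cacert-testforge.pem) on stdout, without a trailing newline
# Returns:   0 when /usr/local/etc/ssl is absent, unreadable, or nothing
#            was fetched; otherwise the download status
#######################################
proxy_ping_update_cacert () {
  # echos filename answer
  local WD=$PWD
  local DIR=/usr/local/etc/ssl
  local URL=https://curl.se/ca/cacert.pem
  local curls='curl.bash'
  local RARGS
  local retval=0
  local file

  [ -d "$DIR" ] || return 0
  cd "$DIR" || return 0
  if [ -w "$DIR" ] ; then
    # Only re-download when the remote copy is newer (-z) than ours.
    # NOTE(review): the fetched bundle becomes a trust anchor; nothing here
    # checks a hash or signature of the file, so its integrity rests on the
    # TLS connection to curl.se alone.
    # RARGS is intentionally unquoted (optional extra options, may be empty).
    # shellcheck disable=SC2086
    if [ -f cacert-curl.se.pem ] ; then
      $curls -o "$DIR/cacert-curl.se.pem" -z cacert-curl.se.pem $RARGS "$URL" \
        >/dev/null
    else
      $curls -o "$DIR/cacert-curl.se.pem" $RARGS "$URL" \
        >/dev/null
    fi
    retval=$?
    # [ $? -ne 0 ] && exit $?
  fi
  for file in cacert-curl.se.pem cacert-testforge.pem; do
    if [ -s "$DIR/$file" ] ; then
      printf '%s' "$DIR/$file"
      break
    fi
  done
  cd "$WD" || return "$retval"

  return "$retval"
}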
#######################################
# Ensure the chosen local resolver front end is in the expected state.
# Globals:   pdnsd (read; "dnscrypt" or "pdnsd"), PREFIX, HARDEN_VAR_LOCAL,
#            DELAY (read)
# Returns:   0 when pdnsd is empty; 11 when the dnscrypt-proxy log reports
#            "No servers configured"; 12 when dnscrypt-proxy is not running
#            after the start; otherwise the status of the last command run
#            (there is no explicit return at the end)
# NOTE(review): the dnscrypt log is truncated and size-tested under
# $PREFIX/var/log but grepped under $HARDEN_VAR_LOCAL/var/log -- confirm
# these resolve to the same directory.  The pdnsd branch *stops* pdnsd when
# it is not running, which reads like a leftover -- confirm.
#######################################
starbucks_pdnsd () {
  # shellcheck disable=SC2154
  [ -z "$pdnsd" ] && return 0
  if [ "$pdnsd" = "dnscrypt" ] && \
    ! ps ax | grep -v grep | grep -q /dnscrypt-proxy ; then
    # start with a fresh log so the checks below see only this run
    cp /dev/null $PREFIX/var/log/dnscrypt-proxy.log
    # backgrounded without capturing the pid; nothing here reaps or stops it
    $HARDEN_VAR_LOCAL/bin/dnscrypt-proxy --config $HARDEN_VAR_LOCAL/etc/dnscrypt-proxy.toml &
    sleep $DELAY
    # an empty log is accepted; a non-empty one must not report
    # "No servers configured"
    [ ! -s $PREFIX/var/log/dnscrypt-proxy.log ] || \
      ! grep -q 'No servers configured' $HARDEN_VAR_LOCAL/var/log/dnscrypt-proxy.log || return 11
    ps ax | grep -v grep | grep -q /dnscrypt-proxy || return 12
  elif [ "$pdnsd" = "pdnsd" ] && ! ps ax | grep -v grep | grep -q /pdnsd ; then
    if [ -x /bin/systemctl ] ; then
      [ -e /etc/pdnsd.conf ] && /bin/systemctl stop pdnsd >/dev/null
    else
      [ -e /etc/pdnsd.conf ] && /etc/init.d/pdnsd stop
    fi
  fi
}
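base=proxy_ping_lib
# DBUG 0=$0
# When executed directly (rather than sourced), dispatch the first argument
# as a function of this library.  "-h"/"--help" lists the functions.
case "${0##*/}" in
  "$base"|"$base.bash"|"$base.sh")
    if [ "$#" -eq 1 ] && { [ "$1" = '-h' ] || [ "$1" = '--help' ] ; } ; then
      echo USAGE: "$0"
      grep '^[a-z].*()\|^## ' "$0" | sed -e 's/().*//'
      exit 0
    fi
    # Restrict dispatch to shell functions: a bare "$@" would execute any
    # program named on the command line with this script's privileges.
    if [ "$#" -gt 0 ] && ! declare -F -- "$1" >/dev/null ; then
      echo "ERROR: $base: unknown function $1" >&2
      exit 2
    fi
    "$@"
    exit $?
    ;;
esac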