emdee
/
proxy_role
1
0
Fork 0
Code Issues Pull Requests Wiki Activity

bash

This commit is contained in:
emdee 2024-01-09 15:35:38 +00:00
parent d29b1e4542
commit a354df3d40
63 changed files with 26542 additions and 453 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
README.md
View File

@ -1,7 +1,8 @@
This role builds on, and requires, ../base_role and lays down the
basics for cntlm and socks and http and https proxies. It is required
to be run after ../base_role
to be run after ../base_role. Run this role even if you do not run
behind a proxy as it sets up the proxy variables for that case.
Look at the variables in defaults/main.yml to customize the role, and
double-check the settings in vars/*.yml.
@ -11,3 +12,17 @@ athough only tested on Gentoo. To bring it up to date, just copy the
existing files in vars and maybe tasks to the new name and edit to suit,
but be advised that it is systemd-challenged, like its author.
It should support a number of different proxy situations on a host:
1) http_proxy and https_proxy
2) socks_proxy and tor proxy
3) CNTLM proxy
4) Whonix gateway
It should also support these different proxy situations in a container.
It has 2 test scripts proxy_daily.bash and proxy_daily.bash than
run quick status checks and indepth testing respectively.

2
overlay/Gentoo/usr/local/sbin/gentoo_check_manifest.bash
View File

@ -27,7 +27,7 @@ gpg2 --verify --keyring $keyf $BASE_PORTDIR/Manifest >/tmp/K$$.log 2>&1 || exit
grep 'using RSA key' /tmp/K$$.log || exit 4
grep 'Primary key fingerprint:' /tmp/K$$.log | sed -e 's/.*: //' -e 's/ //g' > /tmp/K$$.key || exit 5
if route | grep -q ^default ; then
if grep -q "^wlan[1-9][ ]00000000" /proc/net/route ; then
. /root/bin/tor.sh
wget -O /tmp/K$$.html https://www.gentoo.org/downloads/signatures/ || exit 0
grep "`cat /tmp/K$$.key`" /tmp/K$$.html || {

35
overlay/Linux/usr/local/bin/curl.bash
View File

@ -2,16 +2,36 @@
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
ROLE=proxy
PREFIX=/usr/local
. /usr/local/bin/usr_local_tput.bash || exit 2
ip route | grep -q ^def || {
WARN we are not connected
WARN we are not connected >&2
exit 1
}
[ -f $HOME/.curlrc ] || touch $HOME/.curlrc
declare -a CURL_OPTS
# --silent --show-error
CURL_OPTS=( --fail-early --fail )
[[ "$*" =~ --http0.9 ]] || [[ "$*" =~ --http1 ]] || [[ "$*" =~ --http1.1 ]] || \
[[ "$*" =~ --http2 ]] || [[ "$*" =~ --http3 ]] || CURL_OPTS+=( --http0.9 )
[[ ! "$*" =~ --retry ]] && CURL_OPTS+=( --retry 3 )
[[ ! "$*" =~ -4 ]] && CURL_OPTS+=( -4 )
# [[ ! "$*" =~ --http2 ]] && CURL_OPTS+=( --http2 )
[[ ! "$*" =~ --max-redirs ]] && CURL_OPTS+=( --max-redirs 10 )
[[ ! "$*" =~ --location ]] && CURL_OPTS+=( --location )
[[ ! "$*" =~ --remote-time ]] && CURL_OPTS+=( --remote-time )
[[ ! "$*" =~ --create-dirs ]] && CURL_OPTS+=( --create-dirs )
if [[ "$socks_proxy" =~ socks5://.* ]] ; then
export socks_proxy="$( echo $socks_proxy | sed -e 's@socks5://@socks5h://@' )"
fi
if [[ ! "$*" =~ --proxy ]] && [ -n "$socks_proxy" ] ; then
CURL_OPTS+=( --proxy $socks_proxy )
[ -n "$https_proxy" ] && export https_proxy= && unset https_proxy
[ -n "$http_proxy" ] && export http_proxy= && unset http_proxy
@ -21,8 +41,14 @@ if [[ "$socks_proxy" =~ socks5://.* ]] ; then
elif [ -n "$http_proxy" ] ; then
CURL_OPTS+=( --proxy $http_proxy )
fi
export CURL_OPTS+=( -L )
if [ -d $HOME/.local/ ] ; then
[ -f $HOME/.local/jar.cookie ] || touch $HOME/.local/jar.cookie
[[ ! "$*" =~ --cookie-jar ]] && \
CURL_OPTS+=( --cookie-jar $HOME/.local/jar.cookie --junk-session-cookies )
fi
export CURL_OPTS+=( -L --remote-time )
if ! uname -a | grep -q 'Devuan\|Debian' && [ -s $HOME/.local/alt.svc ] ; then
export CURL_OPTS+=( --alt-svc $HOME/.local/alt.svc )
# #define CURLALTSVC_H2 (1<<4)
@ -41,5 +67,6 @@ if [[ ! "$*" =~ --capath ]] && \
export CURL_CA_BUNDLE=/usr/local/etc/ssl/cacert-testforge.pem
fi
echo INFO: curl $CURL_OPTS "$@"
exec curl $CURL_OPTS "$@"
export CURL_OPTS
DBUG /usr/bin/curl "${CURL_OPTS[@]}" "$@" >&2
exec /usr/bin/curl "${CURL_OPTS[@]}" "$@"

2
overlay/Linux/usr/local/bin/dirmngr.bash
View File

@ -31,7 +31,7 @@ if [ -n "$PROXY_WLAN" ] ; then
echo 1 > /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6
fi
route | grep -q ^default || { ERROR no route ; exit 1; }
grep -q "^wlan[1-9][ ]00000000" /proc/net/route || { ERROR no route ; exit 1; }
[ ! -x /usr/bin/netstat ] || \
netstat -nlp | grep -q 127.0.0.1:53 || { ERROR no nameserver ; exit 4; }

7
overlay/Linux/usr/local/bin/proxy_daily.bash
View File

@ -13,7 +13,8 @@ ROLE=proxy
# It is also run at the end of ansible_local.bash --tags daily to raise the issues.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
[ -f /usr/local/etc/testforge/testforge.bash ] && \
. /usr/local/etc/testforge/testforge.bash
MYID=$( id -u )
[ $MYID -eq 0 ] || { ERROR $prog must be run as root $MYID ; exit 1 ; }
@ -34,8 +35,8 @@ rm -f $LOG_DIR/*${prog}_${ly}*.log
elt=doctest3
if [ $MYID -ne 0 ] && [ -f /var/local/bin/testforge_python_doctest3.bash ] ; then
/var/local/bin/testforge_python_doctest3.bash \
/var/local/share/doc/txt/proxy3.txt \
$PREFIX/bin/testforge_python_doctest3.bash \
/usr/local/share/doc/txt/proxy3.txt \
> "$LOG_DIR"/$ly/$elt$$.log 2>> $ELOG || ERROR $elt >> $ELOG
fi

2
overlay/Linux/usr/local/bin/proxy_dirmngr.bash
View File

@ -28,7 +28,7 @@ if [ -n "$PROXY_WLAN" ] ; then
echo 1 > /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6
fi
route | grep -q ^default || { ERROR no route ; exit 1; }
grep -q "^wlan[1-9][ ]00000000" /proc/net/route || { ERROR no route ; exit 1; }
[ -z "$USER" ] && USER=$(id -un )
if [ $USER = root ] ; then

15
overlay/Linux/usr/local/bin/proxy_dirmngr_test.bash
View File

@ -41,17 +41,21 @@ if [ -d /etc/pacman.d/gnupg ] ; then
fi
fi
if [ ! -f /etc/dirmngr/dirmngr.conf ] || \
grep ^keyserver /etc/dirmngr/dirmngr.conf ; then
echo ERROR: no ^keyserver in /etc/dirmngr/dirmngr.conf
exit 1
fi
GPG="gpg --verbose --home $HOMEDIR"
[ -f /etc/dirmngr/dirmngr.conf ] || { echo ERROR: no ^keyserver in /etc/dirmngr/dirmngr.conf ; exit 1 ; }
$GPG --refresh-keys --verbose
ps ax | grep /usr/bin/dirmngr.bin|grep -v grep|sed -e 's/ .*//'|xargs kill
grep '^keyserver hkp' /etc/dirmngr/dirmngr.conf| \
grep '^keyserver hkp' /etc/dirmngr/dirmngr.conf | \
sed -e 's@keyserver hkp://@@' | \
while read elt;do
while read elt ; do
for proxy in $PROXIES; do
echo 1 | http_proxy=$proxy $GPG --yes \
--debug-level guru \
@ -61,3 +65,4 @@ grep '^keyserver hkp' /etc/dirmngr/dirmngr.conf| \
done
done
/usr/local/bin/proxy_ping_test.bash dirmngr

235
overlay/Linux/usr/local/bin/proxy_hourly.bash
View File

@ -12,15 +12,25 @@ DEBUG=1
# It is also run at the end of ansible_local.bash --tags daily to raise the issues.
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash || exit 2
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[ -f /usr/local/etc/testforge/testforge.bash ] && \
. /usr/local/etc/testforge/testforge.bash >/dev/null
. /usr/local/bin/proxy_export.bash
PL=/usr/local/bin/proxy_ping_lib.bash
. $PL
PL=
PLL=/usr/local/bin/proxy_libvirt_lib.bash
. $PLL
PLL=
DEBUG=1
declare -a BOX_NBD_OVERLAY_EXTERNAL
# fill this in with the ansible hosts.yml
BOX_NBD_OVERLAY_EXTERNALS=(
/o/var/local/src/play_tox/hosts.yml
/o/data/TestForge/src/ansible/hosts.yml
)
[ -z "$USER" ] && USER=$(id -un )
MYID=$( id -u )
[ $MYID -eq 0 ] || { ERROR $prog must be run as root $MYID ; exit 1 ; }
@ -40,48 +50,113 @@ ELOG=$LOG_DIR/E${prog}_${ly}$$.log
WLOG=$LOG_DIR/W${prog}_${ly}$$.log
OUT=$LOG_DIR/O${prog}_${ly}$$.log
[ -f /usr/local/etc/testforge/testforge.bash ] && \
. /usr/local/etc/testforge/testforge.bash
export PATH=$PATH:/usr/local/bin
[ -n "$BASE_SRC_ANSIBLE" ] || BASE_SRC_ANSIBLE=/g/TestForge/src/ansible
[ -z "$MODE" ] && MODE=$( $PL proxy_ping_mode )
[ -n "$DEBUG" ] && echo >&2 DEBUG: $prog $ly MODE=$MODE 0=$0 "$#" "$@"
[ -z "$MODE" ] && exit 2
[ ! -d $LOG_DIR/ ] && mkdir -p $LOG_DIR && chmod 1777 $LOG_DIR
find $LOG_DIR/*${prog}_${ly}*.log -ctime +2 -delete
elt=proxy_export
DBUG elt=$elt
. /usr/local/bin/$elt.bash || exit 2
DBUG http_proxy=$http_proxy
DBUG https_proxy=$https_proxy
DBUG socks_proxy=$socks_proxy
IP=`ifconfig|grep -A1 'eth\|wlan'|grep inet|sed -e 's/.*inet //' -e 's/ .*//'`
DBUG external=$IP
GW=`ip route | grep ^def | sed -e 's/.*via //' -e 's/ .*//'`
DBUG gw=$GW
grep -q "^wlan[1-9][ ]00000000" /proc/net/route && ZERO_CONNECTED=0 || ZERO_CONNECTED=1
if [ $ZERO_CONNECTED == 0 ] ; then
/usr/local/bin/proxy_ping_test.bash $MODE 2>&1| grep ERROR: | tee $ELOG
[ -s $ELOG ] || INFO /usr/local/bin/proxy_ping_test.bash $MODE
fi
elt=/etc/ssl/certs
DBUG elt=$elt
if [ -d /etc/ssl/certs/ ] ; then
find -L /etc/ssl/certs/ -type l | tee -a $ELOG
find -L /etc/ssl/certs/ -type l -delete
else
WARN /etc/ssl/certs/ missing
fi
elt=route
DBUG elt=$elt
# ubuntu / devuan oddball
route | grep -q 'lo$' || \
ip route add 127.0.0.0/8 dev lo scope host
/usr/local/bin/proxy_ping_test.bash $MODE 2> $ELOG
if [ $ONE_GUEST -eq 0 ] ; then
IP=`ifconfig |grep -A1 wlan|grep inet|sed -e 's/.*inet //' -e 's/ .*//'`
# 10.24.216.64
if [ -n "$IP" ] ; then
grep -q " external" /etc/hosts && \
sed -e "s/.* external/$IP external/" -i /etc/hosts || \
echo "$IP external" >> /etc/hosts
fi
a=`grep nameserver /etc/resolv.conf | grep -v 'nameserver 127.0.0.1'| wc -l`
if [ "$MODE" = whonix -o "$MODE" = tor -o "$MODE" = selektor ] ; then
NS=127.0.0.1
elif [ "$MODE" = nat -o "$MODE" = vda -o "$MODE" = ws ] ; then
NS=10.0.2.2
else
NS=
fi
if [ -n "$NS" ] ; then
elt=/etc/resolv.conf
DBUG elt=$elt
a=`grep nameserver /etc/resolv.conf | grep -v "nameserver $IP" | wc -l`
if [ $? -eq 0 -a -n "$a" -a "$a" -gt 0 ] ; then
/usr/local/bin/base_wall.bash "CRIT: $prog /etc/resolv.conf" `grep nameserver /etc/resolv.conf`
echo 'nameserver 127.0.0.1' > /etc/resolv.conf
echo "nameserver $IP" > /etc/resolv.conf
fi
fi
[ -d $LOG_DIR/ ] || mkdir -p $LOG_DIR/ || true
find $LOG_DIR/*${prog}_${ly}*.log -ctime +2 -delete || true
if [ -d /etc/ssl/certs/ ] ; then
find -L /etc/ssl/certs/ -type l >> $WLOG
find -L /etc/ssl/certs/ -type l -delete
else
WARN /etc/ssl/certs/ missing
if [ "$MODE" = whonix -o "$MODE" = tor -o "$MODE" = selektor ] ; then
# 10.24.216.64
elt=/etc/hosts
DBUG elt=$elt
if [ -n "$IP" ] ; then
grep -q " external" /etc/hosts && \
sed -e "s/.* external/$IP external/" -i /etc/hosts || \
echo "$IP external" >> /etc/hosts
for file in "${BOX_NBD_OVERLAY_EXTERNALS[@]}" ; do
[ -f $file ] || continue
grep -q "BOX_NBD_OVERLAY_EXTERNAL.*" $file && continue
sed -i -e "s/BOX_NBD_OVERLAY_EXTERNAL:.*/BOX_NBD_OVERLAY_EXTERNAL: \"$IP\"/" $file
done
fi
elt=/etc/firewall.conf
DBUG elt=$elt
[ -f /etc/firewall.conf ] || {
ERROR $prog NO FIREWALL /etc/firewall.conf | tee -a $ELOG | \
xargs /usr/local/bin/base_wall.bash
}
elt=iptables
DBUG elt=$elt
$PL proxy_iptables_save >$OUT 2>&1
if [ $? -ne 0 ] || ! grep -q DROP $OUT ; then
ERROR $prog NO FIREWALL - DROP `cat $OUT` | tee -a $ELOG
/usr/local/bin/base_wall.bash ERROR $prog NO FIREWALL - DROP
#? /usr/local/bin/proxy_firewall_restore_iptable.bash /etc/firewall.conf
fi
elif [ "$MODE" = nat -o "$MODE" = vda -o "$MODE" = ws ] && [ $ONE_GUEST -eq 1 ]; then
elt=/etc/resolv.conf
DBUG elt=$elt
if [ $? -eq 0 -a -n "$GW" ] ; then
if ! grep -q "$GW" /etc/resolv.conf ; then
/usr/local/bin/base_wall.bash "CRIT: $GW not in /etc/resolv.conf"
echo "nameserver $GW" >> /etc/resolv.conf
fi
$PL proxy_ping_firewall_check || \
/usr/local/bin/base_wall.bash $prog 'CRIT: proxy_ping_firewall_check' retval=$?
fi
fi
if [ $ONE_GUEST -eq 0 ] ; then
if [ "$MODE" = whonix ] ; then
[ -n "$BASE_SRC_ANSIBLE" ] || BASE_SRC_ANSIBLE=/g/TestForge/src/ansible
BOX_WHONIX_PROXY_HOST=$( /usr/local/bin/testforge_get_inventory.bash BOX_WHONIX_PROXY_HOST )
if [ -n "$BOX_WHONIX_PROXY_HOST" ] && \
which virsh 2>/dev/null >/dev/null && \
@ -89,18 +164,14 @@ if [ $ONE_GUEST -eq 0 ] ; then
# sh proxy_whonix_host_tor.bash whonix
/usr/local/sbin/proxy_whonix_host.bash proxy_whonix_host_add_block >>$OUT 2>>$ELOG
fi
$PL proxy_libvirt_test >$OUT 2>&1
$PLL proxy_libvirt_test >$OUT 2>&1
retval=$?
[ $retval -gt 1 ] && ERROR $prog proxy_libvirt_test retval=$retval >> $ELOG
fi
[ $retval -gt 1 ] && \
ERROR $prog proxy_libvirt_test retval=$retval | tee -a $ELOG
fi
[ -f /etc/firewall.conf ] || {
ERROR $prog NO FIREWALL /etc/firewall.conf | tee -a $ELOG | \
xargs /usr/local/bin/base_wall.bash
}
ifconfig | grep -q ^wlan
if [ $? -eq 0 ] ; then
wlan7=`ifconfig|grep ^wlan|tail -1| sed -e 's/:.*//'`
wlan7=`ifconfig|grep ^wlan|tail -1| sed -e 's/:.*//'`
if [ -n "$wlan7" ] ; then
grep -q $wlan7 /etc/firewall.conf || {
ERROR $prog NO $wlan7 in /etc/firewall.conf | tee -a $ELOG | \
xargs /usr/local/bin/base_wall.bash
@ -109,66 +180,56 @@ fi
fi
[ -f /var/log/privoxy/logfile ] && \
grep -i fatal /var/log/privoxy/logfile >> $WLOG && \
echo ERROR: Fatal in /var/log/privoxy/logfile |tee -a $ELOG
grep -i fatal /var/log/privoxy/logfile | tee -a $ELOG && \
ERROR Fatal in /var/log/privoxy/logfile |tee -a $ELOG
if route | grep -q ^def ; then
$PL proxy_ping_gw_check || {
ERROR proxy_ping_gw_check >> $ELOG
}
$PL proxy_ping_dnsmasq_check || {
x ERROR proxy_ping_dnsmasq_check >> $ELOG
}
$PL proxy_ping_firewall_check || {
ERROR proxy_ping_firewall_check >> $ELOG
}
if grep -q "^wlan[1-9][ ]00000000" /proc/net/route ; then
$PL proxy_ping_gw_check || {
ERROR proxy_ping_gw_check | tee -a $ELOG
}
$PL proxy_ping_dnsmasq_check && \
ERROR proxy_ping_dnsmasq_check || {
ERROR proxy_ping_dnsmasq_check | tee -a $ELOG
}
$PL proxy_ping_firewall_check && \
INFO proxy_ping_firewall_check || {
ERROR proxy_ping_firewall_check | tee -a $ELOG
}
$PL proxy_iptables_save >$OUT 2>&1
if [ $? -ne 0 ] || ! grep -q DROP $OUT ; then
ERROR $prog NO FIREWALL - DROP `cat $OUT` | tee -a $ELOG
/usr/local/bin/base_wall.bash ERROR $prog NO FIREWALL - DROP
#? /usr/local/bin/proxy_firewall_restore_iptable.bash /etc/firewall.conf
fi
$PL proxy_test_dirmngr $OUT || \
{ retval=$? ; ERROR proxy_test_dirmngr $retval >> $ELOG ; }
$PL proxy_test_dirmngr $OUT && \
INFO proxy_test_dirmngr $retval | tee -a $ELOG || {
retval=$?
ERROR proxy_test_dirmngr $retval | tee -a $ELOG
}
if dmesg | grep --text -A 1 'martian' ; then
dmesg | grep --text -A 1 'martian' | \
xargs echo WARN: martians >> $WLOG
dmesg | grep --text -A 1 'martian' | \
sed -e 's/DST=.*//' -e 's/.*martian_//' -e 's/ OUT=.*SRC=/ /' >> $WLOG
if dmesg | grep --text -A 1 'martian' ; then
dmesg | grep --text -A 1 'martian' | \
xargs echo WARN: martians | tee -a $ELOG
dmesg | grep --text -A 1 'martian' | \
sed -e 's/DST=.*//' -e 's/.*martian_//' -e 's/ OUT=.*SRC=/ /' | tee -a $ELOG
else
INFO proxy_test_dirmngr no martians
fi
/usr/local/bin/proxy_ping_test.bash dns || {
ERROR $prog no dns >> $ELOG ;
}
/usr/local/bin/proxy_ping_test.bash 3128 || {
# can be false
WARN $prog no 3128 >> $WLOG
}
PROXY_WLAN=$( $PL proxy_get_if )
[ -n "$PROXY_WLAN" -a -f /etc/wicd/wireless-settings.conf ] && \
ps ax | grep -q wpa_supplicant && \
grep -A 1 bad$ /etc/wicd/wireless-settings.conf | \
grep bssid | sed -e 's/.*= //' | \
while read elt ; do \
wpa_cli -i "$PROXY_WLAN" blacklist $elt
done
PROXY_WLAN=$( $PL proxy_get_if )
[ -n "$PROXY_WLAN" -a -f /etc/wicd/wireless-settings.conf ] && \
ps ax | grep -q wpa_supplicant && \
grep -A 1 bad$ /etc/wicd/wireless-settings.conf | \
grep bssid | sed -e 's/.*= //' | \
while read elt ; do \
wpa_cli -i "$PROXY_WLAN" blacklist $elt
done
$PL proxy_ping_firewall_check || \
/usr/local/bin/base_wall.bash $prog 'CRIT: proxy_ping_firewall_check' retval=$?
fi
fi
fi
[ -s $OUT ] && grep WARN: $OUT >> $WLOG
# [ -s $OUT ] && grep WARN: $OUT | tee -a $ELOG
if [ -s $ELOG ] ; then
errs=$( wc -l $ELOG | cut -f 1 -d ' ' )
if [ $? -eq 0 -a $errs -ne 0 ] ; then
ERROR $prog $errs $ly $prog errors in $ELOG
cat $ELOG
/usr/local/bin/base_wall.bash "ERROR: $prog $errs errors in $ELOG"
exit $errs
fi
fi
@ -177,15 +238,7 @@ fi
[ $? -eq 0 -a $warns -ne 0 ] && \
WARN "$warns $ly $prog warnings in $WLOG"
[ -f $ELOG ] && errs=`wc -l $ELOG | cut -f 1 -d ' '`
if [ $? -eq 0 -a $errs -ne 0 ] ; then
ERROR "$errs $ly $prog errors in $ELOG"
cat $ELOG
exit $errs
fi
[ $errs -eq 0 ] && \
ols_clean_testforge_logs $HARDEN_LOG_DIR && \
[ $warns -eq 0 ] && \
INFO "$prog No $ly errors in $HARDEN_LOG_DIR"

2
overlay/Linux/usr/local/bin/proxy_jnettop.bash
View File

@ -6,7 +6,7 @@ prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
route | grep -q ^default || exit 0
grep -q "^wlan[1-9][ ]00000000" /proc/net/route || exit 0
[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash \
|| { echo >&2 ERROR: $prog "$PREFIX/etc/testforge/testforge.bash" ; exit 1 ; }

4
overlay/Linux/usr/local/bin/proxy_libvirt_hook_network.bash
View File

@ -5,9 +5,11 @@
# so must be idempotemt - as its called by things it calls?
prog=$( basename $0 .bash )
[ -z "$TERM" ] || . /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
ROLE=proxy
[ -z "$TERM" ] || . /usr/local/bin/usr_local_tput.bash || exit 2
[ -z "$USER" ] && USER=$(id -un )
[ -n "$USER" -a "$USER" = root ] && \

104
overlay/Linux/usr/local/bin/proxy_ping_lib.bash
View File

@ -12,7 +12,11 @@ base=proxy_ping_lib
[ -z "$USER" ] && USER=$(id -un )
# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
BASE_SRC_ANSIBLE=/g/TestForge/src/ansible
PROXY_GPG_KEYSERVER=keys.openpgp.org
# shellcheck disable=SC2154
[ -z "$PROXY_HTTP_PROXY_PORT" ] || PROXY_HTTP_PROXY_PORT=3128
# shellcheck disable=SC2154
[ -z "$PROXY_HTTP_PROXY_HOST" ] || PROXY_HTTP_PROXY_HOST="127.0.0.1"
PROXY_IFCONFIG=/sbin/ifconfig
[ -x /sbin/ifconfig ] && PROXY_IFCONFIG=/sbin/ifconfig
@ -36,11 +40,6 @@ proxy_ifconfig () {
$PROXY_IFCONFIG $*
}
# shellcheck disable=SC2154
[ -z "$PROXY_HTTP_PROXY_PORT" ] || PROXY_HTTP_PROXY_PORT=3128
# shellcheck disable=SC2154
[ -z "$PROXY_HTTP_PROXY_HOST" ] || PROXY_HTTP_PROXY_HOST="127.0.0.1"
# shellcheck disable=SC2154
[ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
# shellcheck disable=SC2154
@ -136,90 +135,6 @@ proxy_whonix_get_gateway_dom_bad () {
return 0
}
proxy_test_dirmngr () { DBUG proxy_test_dirmngr MODE=$MODE $* ;
[ $# -eq 0 ] && set -- \
hkp://$PROXY_GPG_KEYSERVER \
hkp://gpg.mit.edu hkp://keys.gnupg.net
# shellcheck disable=SC2154
[ -z "$ELOG" ] && ELOG=/tmp/proxy_test_dirmngr$$.err
# shellcheck disable=SC2154
[ -z "$WLOG" ] && WLOG=/tmp/proxy_test_dirmngr$$.log
[ -h /usr/bin/dirmngr ] || {
ERROR /usr/bin/dirmngr not a symlink
return 2
}
grep ^hkp-cacert /etc/dirmngr/dirmngr.conf | while read a b; do
[ -f $b ] || WARN file not found $b
done
/usr/bin/dirmngr --version </dev/null || {
ERROR /usr/bin/dirmngr not working --version
return 3
}
# grep ^OK
DBUG /usr/bin/dirmngr working --version
/etc/init.d/privoxy status || /etc/init.d/privoxy start
/etc/init.d/privoxy status || {
WARN /etc/init.d/privoxy not running $PROXY_HTTP_PROXY_PORT
}
# /usr/local/bin/proxy_ping_test.bash 3128
netstat -nlpe4 | grep -q :$PROXY_HTTP_PROXY_PORT || {
ERROR /etc/init.d/privoxy not working $PROXY_HTTP_PROXY_PORT
return 4
}
DBUG /etc/init.d/privoxy working $PROXY_HTTP_PROXY_PORT
route | grep -q ^default || return 0
gpg-connect-agent --dirmngr 'loadswdb --force' /bye </dev/null >/tmp/GpgL$$.tmp 2>&1
retval=$?
[ $retval -ne 0 ] && \
ERROR gpg-connect-agent 'loadswdb --force' /tmp/GpgL$$.tmp && \
cat /tmp/GpgL$$.tmp && \
return 5$retval
! grep -q OK /tmp/GpgL$$.tmp && \
ERROR gpg-connect-agent 'loadswdb --force' not OK `cat /tmp/GpgL$$.tmp` && \
rm -f /tmp/GpgL$$.tmp && \
return 6$retval
DBUG gpg-connect-agent OK `cat /tmp/GpgL$$.tmp`
rm -f /tmp/GpgL$$.tmp
gpg-connect-agent </dev/null --dirmngr 'keyserver' /bye >/tmp/GpgG$$.tmp 2>&1
retval=$?
[ $retval -ne 0 ] && \
ERROR gpg-connect-agent 'keyserver' `cat /tmp/GpgG$$.tmp` && \
rm -f /tmp/GpgG$$.tmp && \
return 7$retval
grep -q ^S /tmp/GpgG$$.tmp || { \
ERROR gpg-connect-agent 'keyserver' no S `cat /tmp/GpgG$$.tmp` && \
rm -f /tmp/GpgG$$.tmp && \
return 8$retval
}
DBUG gpg-connect-agent 'keyserver' S `cat /tmp/GpgG$$.tmp`
if [ -d /root/.emacs.d/elpa/gnupg ] && \
ps ax | grep -q -e '--homedir /root/.emacs.d/elpa/gnupg' ; then
for elt in "$@" ; do
echo keyserver --resolve $elt /bye > /tmp/GpgR$$.tmp
gpg-connect-agent </dev/null --dirmngr --homedir /root/.emacs.d/elpa/gnupg \
-r /tmp/GpgR$$.tmp >/tmp/GpgC$$.tmp 2>&1
retval=$?
[ $retval -ne 0 ] && \
ERROR gpg-connect-agent $elt `cat /tmp/GpgC$$.tmp` | tee -a $ELOG && \
rm -f /tmp/GpgC$$.tmp && \
return 9$retval
grep -q 'ERR\|failed:' /tmp/GpgC$$.tmp && \
ERROR gpg-connect-agent $elt `tail -1 $ELOG` && \
rm -f /tmp/GpgC$$.tmp && \
return 10
INFO gpg-connect-agent $elt
done
rm -f /tmp/GpgC$$.tmp
fi
return 0
}
## proxy_whonix_get_gateway_dom
proxy_whonix_get_gateway_dom () {
# shellcheck disable=SC2154
@ -262,7 +177,7 @@ proxy_ping_mode () { #
# shellcheck disable=SC2154
[ -n "$MODE" ] && echo "$MODE" && return 0
proxy_ifconfig -a > /tmp/ipconfig-a.$$
proxy_ifconfig -a >/tmp/ipconfig-a.$$
if grep -q /dev/vda /proc/cmdline ; then
MODE=vda
elif ps ax | grep -v grep | grep -q 'tor -f /var/lib/tor/.SelekTOR/3xx' ; then
@ -283,7 +198,7 @@ proxy_ping_mode () { #
MODE=$mode
else
host=$( $PREFIX/bin/testforge_get_inventory.bash BOX_WHONIX_PROXY_HOST )
[ -n "$host" ] && MODE=whonix
[ -n "$host" ] && MODE=$host # whonix
fi
fi
@ -851,6 +766,7 @@ proxy_whonix_copy_files () { DBUG proxy_whonix_copy_files PROXY_WLAN=$PROXY_WLAN
## proxy_ping_firewall_check
proxy_ping_firewall_check () { DBUG proxy_ping_firewall_check PROXY_WLAN=$PROXY_WLAN MODE=$MODE $* ;
[ -n "$MODE" ] || MODE="$( proxy_ping_mode )"
if [ "$MODE" = workstation -o "$MODE" = ws -o "$MODE" = vda ] ; then
:
elif [ "$MODE" = nat -o "$MODE" = gateway -o "$MODE" = host ] ; then
@ -1473,10 +1389,10 @@ starbucks_pdnsd () {
[ -z "$pdnsd" ] && return 0
if [ "$pdnsd" = "dnscrypt" ] && \
! ps ax | grep -v grep | grep -q /dnscrypt-proxy ; then
cp /dev/null /var/local/var/log/dnscrypt-proxy.log
cp /dev/null $PREFIX/var/log/dnscrypt-proxy.log
$HARDEN_VAR_LOCAL/bin/dnscrypt-proxy --config $HARDEN_VAR_LOCAL/etc/dnscrypt-proxy.toml &
sleep $DELAY
[ ! -s /var/local/var/log/dnscrypt-proxy.log ] || \
[ ! -s $PREFIX/var/log/dnscrypt-proxy.log ] || \
! grep -q 'No servers configured' $HARDEN_VAR_LOCAL/var/log/dnscrypt-proxy.log || return 11
ps ax | grep -v grep | grep -q /dnscrypt-proxy || return 12
elif [ "$pdnsd" = "pdnsd" ] && ! ps ax | grep -v grep | grep -q /pdnsd ; then

391
overlay/Linux/usr/local/bin/proxy_ping_test.bash
View File

@ -11,7 +11,10 @@ PYVER=3
. /usr/local/bin/proxy_ping_lib.bash || \
{ ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 6; }
[ -f $PREFIX/etc/testforge/testforge.bash ] && \
. /usr/local/etc/testforge/testforge.bash >/dev/null || exit 1
PL=/usr/local/bin/proxy_libvirt_lib.bash
declare -a tests
which traceroute 2>/dev/null >/dev/null && HAVE_TRACEROUTE=1 || HAVE_TRACEROUTE=0
@ -20,22 +23,19 @@ which nslookup 2>/dev/null >/dev/null && HAVE_NSLOOKUP=1 || HAVE_NSLOOKUP=0
which tor-resolve 2>/dev/null >/dev/null && HAVE_TOR_RESOLVE=1 || HAVE_TOR_RESOLVE=0
[ -z "$prog" ] || prog=proxy_ping_test
proxy_ping_get_socks >/dev/null
[ -z "$SOCKS_HOST" ] && SOCKS_HOST=127.0.0.1
[ -z "$SOCKS_PORT" ] && SOCKS_PORT=9050
SOCKS_PAIR=`proxy_ping_get_socks`
[ -z "$SOCKS_HOST" ] && SOCKS_HOST=`echo $SOCKS_PAIR|sed -e 's/:.*//'`
[ -z "$SOCKS_PORT" ] && SOCKS_PORT=`echo $SOCKS_PAIR|sed -e 's/.*://'`
[ -z "$SOCKS_DNS" ] && SOCKS_DNS=9053
HTTPS_PORT=9128
HTTPS_HOST=127.0.0.1
proxy_ping_get_https >/dev/null
HTTPS_PORT=`echo $HTTPS_PAIR|sed -e 's/.*://'`
HTTPS_HOST=`echo $HTTPS_PAIR|sed -e 's/:.*//'`
HTTPS_PAIR=`proxy_ping_get_https`
[ -z "$HTTPS_HOST" ] && HTTPS_HOST=127.0.0.1
HTTP_PORT=3128
HTTP_PROXY_HOST=127.0.0.1
proxy_ping_get_http >/dev/null
HTTP_PAIR=`proxy_ping_get_http`
HTTP_PORT=`echo $HTTP_PAIR|sed -e 's/.*://'`
HTTP_HOST=`echo $HTTP_PAIR|sed -e 's/:.*//'`
[ -z "$HTTP_HOST" ] && HTTP_HOST=127.0.0.1
[ -f $PREFIX/etc/testforge/testforge.bash ] && \
. /usr/local/etc/testforge/testforge.bash >/dev/null || exit 1
P="BASE_PYTHON${PYVER}_MINOR"
PYTHON_MINOR="$(eval echo \$$P)"
[ -n "$PYTHON_MINOR" ] || \
@ -65,14 +65,14 @@ TIMEOUT=30
[ -n "$GATEW_DOM" ] || GATEW_DOM="Whonix-Gateway"
DNS_HOST1="208.67.220.220"
DNS_HOST2="8.8.8.8"ggggg
DNS_HOST2="1.1.1.1"
[ -n "$DNS_TARGET" ] || DNS_TARGET=www.whatismypublicip.com # 108.160.151.39
[ -n "$HTTP_TARGET" ] || HTTP_TARGET=www.whatismypublicip.com # 108.160.151.39
HTTP_TARGET=www.whatismypublicip.com
# time.nist.gov 132.163.97.3
NTP_HOST1=132.163.97.3
# pool.ntp.org 78.46.53.2
# pool.ntp.org 78.46.53.2 205.206.70.7
NTP_HOST2=78.46.53.2
# --no-check-certificate
WGET="wget --tries=1 --max-redirect=0 --timeout=$TIMEOUT -O /dev/null"
@ -103,6 +103,113 @@ DNS_HOST=$SOCKS_HOST
[ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
[ -z "$PRIV_BIN_GID" ] && PRIV_BIN_GID=$( grep ^$PRIV_BIN_OWNER /etc/passwd|cut -d: -f 4 )
PROXY_GPG_KEYSERVER=keys.openpgp.org
declare -a GPG_KEYSERVERS=(
hkp://$PROXY_GPG_KEYSERVER
hkp://gpg.mit.edu
hkp://keys.gnupg.net
)
## proxy_test_dirmngr
proxy_test_dirmngr () {
[ $# -eq 0 ] && set -- "${GPG_KEYSERVERS[@]}"
DBUG proxy_test_dirmngr MODE=$MODE $* ;
# shellcheck disable=SC2154
[ -z "$ELOG" ] && ELOG=/tmp/proxy_test_dirmngr$$.err
# shellcheck disable=SC2154
[ -z "$WLOG" ] && WLOG=/tmp/proxy_test_dirmngr$$.log
[ -h /usr/bin/dirmngr ] || {
WARN /usr/bin/dirmngr not a symlink
#fixed? return 2
}
grep ^hkp-cacert /etc/dirmngr/dirmngr.conf | while read a b; do
[ -f $b ] || WARN file not found $b in /etc/dirmngr/dirmngr.conf
done
/usr/bin/dirmngr --version </dev/null >/dev/null && \
INFO /usr/bin/dirmngr working --version || {
ERROR /usr/bin/dirmngr not working --version
return 3
}
# grep ^OK
DM=`grep ' keyserver ' /etc/dirmngr/dirmngr.conf | head -1 | sed -e 's/.* //'`
grep -q "^wlan[1-9][ ]00000000" /proc/net/route || {
DBUG not connected
return 0
}
echo 'loadswdb --force' /bye | \
gpg-connect-agent --dirmngr \
>/tmp/GpgL$$.tmp 2>&1
retval=$?
[ $retval -ne 0 ] && \
WARN gpg-connect-agent --dirmngr 'loadswdb --force' /bye /tmp/GpgL$$.tmp && \
cat /tmp/GpgL$$.tmp && \
# return 5$retval
! grep -q OK /tmp/GpgL$$.tmp && \
WARN gpg-connect-agent --dirmngr 'loadswdb --force' /bye OK not found /tmp/GpgL$$.tmp && \
# return 6$retval
INFO elt=gpg-connect-agent --dirmngr 'loadswdb --force' OK
rm -f /tmp/GpgL$$.tmp
# gpg-connect-agent --dirmngr 'help keyserver' /bye
echo 'keyserver --resolve' /bye | \
gpg-connect-agent --dirmngr \
>/tmp/GpgG$$.tmp 2>&1
retval=$?
grep 'ERR\|failed:' /tmp/GpgG$$.tmp >> $ELOG && \
ERROR gpg-connect-agent $elt `tail -1 $ELOG` && \
return 10
grep -q ^S /tmp/GpgG$$.tmp || { \
WARN gpg-connect-agent 'keyserver' no S /tmp/GpgG$$.tmp && \
return 8$retval
}
INFO elt=gpg-connect-agent 'keyserver --resolve' S
cat /tmp/GpgG$$.tmp
rm -f /tmp/GpgG$$.tmp
if [ ! -d /root/.emacs.d/elpa/gnupg ] || \
! ps ax | grep -q -e '--homedir /root/.emacs.d/elpa/gnupg' ; then
WARN no running /root/.emacs.d/elpa/gnupg agent
else
INFO running /root/.emacs.d/elpa/gnupg agent
echo keyserver --resolve | \
gpg-connect-agent --dirmngr \
--homedir /root/.emacs.d/elpa/gnupg \
>/tmp/GpgC$$.tmp 2>&1
retval=$?
if grep 'ERR\|failed:' /tmp/GpgC$$.tmp >> $ELOG ; then
WARN /root/.emacs.d/elpa/gnupg gpg-connect-agent `tail -1 $ELOG` && \
cat /tmp/GpgC$$.tmp
else
INFO elt=gpg-connect-agent
cat /tmp/GpgC$$.tmp
rm -f /tmp/GpgC$$.tmp
fi
fi
return 0
}
## proxy_test_privoxy_test
proxy_test_privoxy_test () { DBUG proxy_test_privoxy_test $* ;
return 0
/etc/init.d/privoxy status || /etc/init.d/privoxy start
/etc/init.d/privoxy status && \
DBUG /etc/init.d/privoxy running || {
WARN /etc/init.d/privoxy not running $PROXY_HTTP_PROXY_PORT
}
# /usr/local/bin/proxy_ping_test.bash 3128
netstat -nlpe4 | grep -q :$PROXY_HTTP_PROXY_PORT || {
ERROR /etc/init.d/privoxy not working $PROXY_HTTP_PROXY_PORT
return 4
}
INFO elt=/etc/init.d/privoxy working $PROXY_HTTP_PROXY_PORT
return 0
}
## proxy_test_netstat_dns
proxy_test_netstat_dns () { DBUG proxy_test_netstat_dns $* ;
$NETS | grep -q ":53"
@ -119,7 +226,7 @@ proxy_test_traceroute_icmp_gw () { DBUG proxy_test_traceroute_icmp_gw $* ;
retval=$?
[ $retval -eq 0 ] && return 0
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval traceroute --icmp $PROXY_WLAN_GW
[ -z "$ALL" ] && exit $ARG$retval || return 1
[ -z "$ALL" ] && exit "$ARG$retval" || return 1
# works
GREP="-i icmp"
return 0
@ -128,7 +235,7 @@ proxy_test_traceroute_icmp_gw () { DBUG proxy_test_traceroute_icmp_gw $* ;
## proxy_test_dig_direct
proxy_test_dig_direct () { DBUG proxy_test_dig_direct $* ;
dig @$DNS_HOST1 pool.ntp.org +timeout=$TIMEOUT >/dev/null
dig @$DNS_HOST1 $NTP_HOST2 +timeout=$TIMEOUT >/dev/null
retval=$?
[ $retval -eq 0 ] && return 0
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval dig @$DNS_HOST1
@ -140,8 +247,8 @@ proxy_test_dig_direct () { DBUG proxy_test_dig_direct $* ;
return 0
}
## proxy_test_curl_firewall_bin
proxy_test_curl_firewall_bin () { DBUG proxy_test_curl_firewall_bin $* ;
## proxy_test_curl_firewall_asbin
proxy_test_curl_firewall_asbin () { DBUG proxy_test_curl_firewall_asbin $* ;
su -c "$CURL -k --noproxy '*' https://$HTTP_TARGET" -s /bin/sh $PRIV_BIN_OWNER >/dev/null
retval=$?
[ $retval -eq 0 ] && return 0
@ -154,7 +261,7 @@ proxy_test_curl_firewall_bin () { DBUG proxy_test_curl_firewall_bin $* ;
## proxy_ping_curl
proxy_ping_curl () { DBUG proxy_ping_curl $* ;
local retval
timeout -k $TIMEOUT $TIMEOUT $CURL "$@"
timeout -k $TIMEOUT $TIMEOUT $CURL "$@"
retval=$?
# "DEBUG: wierd failure curl: (35) Encountered end of file"
[ $retval -eq 0 -o $retval -eq 35 ] && return 0
@ -164,7 +271,7 @@ proxy_ping_curl () { DBUG proxy_ping_curl $* ;
## proxy_ping_make_help
proxy_ping_make_help () {
grep 'tests\[[0-9][0-9]*\]=' /usr/local/bin/proxy_ping_test.bash \
> /tmp/proxy_ping_test.hlp
> /tmp/proxy_ping_test-$USER.hlp
return 0
}
@ -260,7 +367,7 @@ proxy_test_pretest_exit () {
{ WARN $prog proxy_ping_test_resolv=$? 'echo nameserver 127.0.0.1 > /etc/resolv.conf' ; exit 4 ; }
proxy_ping_firewall_start || { ERROR "proxy_ping_firewall_start ret=$?" ; exit 5 ; }
elif [ "$1" = nat ] ; then
: proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
else
proxy_do_ping || exit 4$?
proxy_ping_test_resolv $MODE || \
@ -276,19 +383,19 @@ proxy_test_help_args () {
declare -a elts=()
declare -a ret=()
local elt
if [ "$1" = selektor -o "$1" = whonix -o "$1" = torhost ] ; then
elts=($1 socks http dns https tordns firefail)
elif [ "$1" = torlibvirthost ] ; then
elts=($1 libvirthost socks http https tordns firefail)
if [ "$1" = selektor -o "$1" = torhost ] ; then
elts=($1 socks dns http https dirmngr tordns firefail)
elif [ "$1" = torlibvirthost -o "$1" = whonix ] ; then
elts=(libvirthost socks http https dirmngr tordns firefail)
elts+=($MODE)
elif [ "$1" = gateway ] ; then
elts=($1 libvirtguest socks dns http https firefail)
elif [ "$1" = gateway -o "$1" = nat ] ; then
elts=($1 libvirtguest socks dns http https dirmngr firefail)
else
elts=($1)
fi
for elt in "${elts[@]}" ; do
# DBUG proxy_test_help_args $elt $1 >&2
ret+=( $(grep " -.* $elt " /tmp/proxy_ping_test.hlp | \
ret+=( $(grep " -.* $elt " /tmp/proxy_ping_test-$USER.hlp | \
sed -e 's/.=.*//' -e 's/.*tests.//') )
done
DBUG proxy_test_help_args "${ret[@]}" >&2
@ -302,66 +409,88 @@ proxy_ping_test_set_args () {
local args="$@"
local val="$@"
declare -a aret=()
rm -f /tmp/proxy_ping_test.hlp
[ -f /tmp/proxy_ping_test.hlp ] || proxy_ping_make_help
## to_tor - tor with the firewall host side client setup tor server - call tor,dns,ntp in addition
rm -f /tmp/proxy_ping_test-$USER.hlp
[ -f /tmp/proxy_ping_test-$USER.hlp ] || proxy_ping_make_help
## to_tor - tor with the firewall host side client setup tor server - gateway
[ "$1" = to_tor -o "$1" = test_tor -o "$1" = test_to ] &&
aret=( 6 13 16 ) && \
! proxy_ping_test_env && WARN to_tor and no proxy in env - use noenv
## vda - through the Gateway with the firewall - also polipo,panic - uses env
[ "$1" = vda ] &&
aret=( 35 3 20 ) #
## kick - open firewall with tor running - call dns,polipo +tor in addition
[ "$1" = kick -o "$1" = host ] &&
aret=( 24 31 13 16 6 )# 30 24 31 6 13 16
## gateway - on the Gateway, trans firewall with tor running - call dns in addition
[ "$1" = gateway ] &&
aret=( 23 25 4 5 30 24 17 3 21 ) # 31 6 16
# aliases
# socks defines http as the target of a user using socks
[ "$1" = "$SOCKS_PORT" ] && set -- socks
# http defines http as the target of a user using http
[ "$1" = "$HTTP_PORT" ] && set -- http
# https defines http as the target of a user using https
[ "$1" = "$HTTPS_PORT" ] && set -- https
# dns defines http as the target of a user using dns
[ "$1" = "53" ] && set -- dns
# tordns defines http as the target of a user using tordns
[ "$1" = "9053" ] && set -- tordns
# aliases
# socks defines http as the target of a user using socks
[ "$1" = "$SOCKS_PORT" ] && set -- socks
# http defines http as the target of a user using http
[ "$1" = "$HTTP_PORT" ] && set -- http
# https defines http as the target of a user using https
[ "$1" = "$HTTPS_PORT" ] && set -- https
# dns defines http as the target of a user using dns
[ "$1" = "53" ] && set -- dns
# tordns defines http as the target of a user using tordns
[ "$1" = "9053" ] && set -- tordns
# old aliases
[ "$1" = scan ] && set -- iwlist
[ "$1" = panic ] && set -- firewall
[ "$1" = asbin ] && set -- firewall
[ "$1" = to_gateway ] && set -- whonix
[ "$1" = from_tor ] && set -- whonix
[ "$1" = from_gateway ] && set -- gateway
[ "$1" = to_tor ] && set -- gateway
[ "$1" = workstation ] && set -- ws
[ "$1" = scan ] && set -- iwlist
[ "$1" = panic ] && set -- firewall
[ "$1" = to_gateway ] && set -- whonix
[ "$1" = from_tor ] && set -- whonix
[ "$1" = from_gateway ] && set -- gateway
[ "$1" = traceroute ] && set -- = trace
[ "$1" = connected ] && set -- wifi
[ "$1" = clear ] && set -- direct
# scenarios - modes: nat selektor
[ "$1" = traceroute ] && set -- = trace
[ "$1" = connected ] && set -- wifi
[ "$1" = clear ] && set -- direct
[ "$1" = tor ] && set -- torhost
# scenarios - modes: nat selektor
# wifi?
## nat - through the Gateway via the nat
[ "$1" = nat ] && \
set -- ping dns socks http https tordns firefail libvirtguest
# wifi?
[ "$1" = whonix ] && \
set -- ping tordns dns socks http https torhost tordns firefail gw
[ "$1" = tor -o "$1" = selektor ] && \
set -- ping tordns dns trace torhost nmap gw
## torhost implies -
#? tor with the firewall to test the host side tor server - call to_tor,dns,ntp in addition
[ "$1" = direct -o "$1" = '' ] && \
set -- ping dns trace nmap gw
## all - all tests not stopping on the first error
[ "$1" = all ] && ALL=1
# aret="${#tests[@]}"
if [ "$1" = nat ] ; then
set -- $1 ping dns socks http https dirmngr tordns firefail libvirtguest
[ -n "$SOCKS_PORT" ] || WARN empty "$SOCKS_PORT"
## vda - through the Gateway with the firewall - also polipo,panic - uses env
## ws - through the Gateway with the firewall - it is a vda
[ -n "$SOCKS_PORT" ] || WARN empty "$SOCKS_PORT"
elif [ "$1" = vda -o "$1" = ws ] ; then
# Fixme - guessing
# was aret=( 35 3 20 )
set -- ping dns socks http https dirmngr tordns firefail libvirtguest
## gateway - ssh to the whonix gateway from the torhost
elif [ "$1" = gateway ] ; then
## gateway - on the Gateway, trans firewall with tor running -
#? looks like it had direct in gateway;
#? aret=( 23 25 4 5 30 24 17 3 21 ) # 31 6 16
set -- ping dns socks http https dirmngr tordns firefail libvirtguest
[ -n "$SOCKS_PORT" ] || WARN empty "$SOCKS_PORT"
## whonix - whonix torhost with libvirt container running gateway behind firewa
elif [ "$1" = whonix ] ; then
set -- ping libvirtguest tordns dns socks http https dirmngr torhost tordns firefail gw
[ -n "$SOCKS_PORT" ] || WARN empty "$SOCKS_PORT"
## torhost - running tor with the firewall
[ "$1" = torhost -o "$1" = selektor ] && \
set -- ping torhost tordns dns trace nmap gw
[ -n "$SOCKS_PORT" ] || WARN empty "$SOCKS_PORT"
#? tor with the firewall to test the host side tor server - call to_tor,dns,ntp in addition
## direct - assume no firewall and no proxy - but may work depend on env
elif [ "$1" = direct -o "$1" = '' ] ; then
set -- ping dns trace nmap gw
## all - all tests not stopping on the first error
elif [ "$1" = all ] ; then
ALL=1
# aret="${#tests[@]}"
fi
## gw - test if we are connected to the gateway
## env - from the cmdline with a properly setup env
## firefail - test the proxy without env vars to expect failure
## torhost - running tor with the firewall
## http - assumes torhost or whonix and env setup
## https - assumes torhost or whonix and env setup
## socks - assumes torhost or whonix and env setup
@ -373,23 +502,21 @@ proxy_ping_test_set_args () {
## iwlist - wlan scan of a wifi host
## firewall - test that the firewall blocks
## virbr1 - looks for virbr1 on a libvirt host torhost or whonix
## gateway - ssh to the whonix gateway from the torhost
## trace - traceroute to DNSHOST - icmp is allowed by the firewall, except on vda
## wifi - test if we are connected - call scan in addition
## libvirthost - hosting a libvirt container
## libvirtguest - in a libvirt container
## whonix - whonix torhost with libvirt container running gateway behind firewall - aliases: to_gateway from_tor
## direct - assume no firewall and no proxy - but may work depend on env
for elt in "$@" ; do
if [ "$elt" = gw -o "$elt" = '' -o "$elt" = env -o \
if [ "$elt" = gw -o "$elt" = env -o \
"$elt" = https -o "$elt" = http -o "$elt" = socks -o "$elt" = dns -o \
"$elt" = torhost -o "$elt" = tordns -o "$elt" = whonix -o \
"$elt" = torhost -o "$elt" = 'nat' -o "$elt" = whonix -o "$elt" = selektor -o \
"$elt" = tordns -o \
"$elt" = libvirthost -o "$elt" = torlibvirthost -o \
"$elt" = libvirtguest -o "$elt" = virbr1 -o \
"$elt" = ping -o "$elt" = trace -o "$elt" = ntp -o "$elt" = nmap -o \
"$elt" = iwlist -o "$elt" = firefail -o "$elt" = direct -o \
"$elt" = trace -o "$elt" = wifi -o "$elt" = '' -o "$elt" = '' \
"$elt" = trace -o "$elt" = wifi -o "$elt" = 'dirmngr' -o "$elt" = 'test' \
] ; then
aret+=( `proxy_test_help_args $elt` )
else
@ -407,21 +534,23 @@ if [ "$#" = 0 ] ; then
# default to mode
set -- $MODE
fi
if [ $1 = '-h' -o $1 = '--help' ] ; then
if [ "$1" = '-h' -o $1 = '--help' ] ; then
echo USAGE: $USAGE | sed -e 's/[0-9][0-9]*)/\n&/g'
grep '^## [a-oq-z]' $0 | sed -e 's/^## / /'
exit 0
elif [ "$1" = 0 ] ; then
INFO $prog PROXY_WLAN=$PROXY_WLAN MODE=$MODE
echo 0 help /tmp/proxy_ping_test.hlp
[ -f /tmp/proxy_ping_test.hlp ] || proxy_ping_make_help
. /tmp/proxy_ping_test.hlp
echo 0 help /tmp/proxy_ping_test-$USER.hlp
[ -f /tmp/proxy_ping_test-$USER.hlp ] || proxy_ping_make_help
. /tmp/proxy_ping_test-$USER.hlp
for elt in "${!tests[@]}" ; do
echo $elt "${tests[$elt]}"
done
exit 0
elif [[ $1 =~ ^[0-9] ]] ; then
: passthrough
elif [ $1 = 'test' -o $1 = '--test' ] ; then
set -- 99
else
set -- `proxy_ping_test_set_args "$@"`
DBUG running tests numbered "$@"
@ -459,7 +588,7 @@ while [ "$#" -gt 0 ] ; do
tests[1]="wget_https_as_user wget ${HTTPS_PORT} - https "
[ -n "$https_proxy" ] && LARGS="" || \
LARGS="env https_proxy=https://${HTTPS_HOST}:${HTTPS_PORT}"
$LARGS $WGET https://$HTTP_TARGET
$LARGS $WGET https://$HTTP_TARGET 2>/dev/null
retval=$?
if [ $retval -eq 8 -o $retval -eq 0 ] ; then
INFO $prog test=$ARG "${tests[$ARG]}"
@ -547,9 +676,9 @@ while [ "$#" -gt 0 ] ; do
GREP="$SOCKS_DNS"
elif [ $ARG -eq 6 ] ; then
tests[6]="curl_https_as_user - https "
proxy=`proxy_ping_get_https`
desc="curl --proxy http://${proxy}"
tests[6]="curl_https_as_user - https "
proxy_ping_curl --proxy http://${proxy} \
--proxy-insecure https://$HTTP_TARGET || { \
retval=$?
@ -630,7 +759,6 @@ while [ "$#" -gt 0 ] ; do
tests[12]="nmap_dns_as_root --privileged --send-eth -Pn -sU -p U:53 $DNS_HOST1 - nmap direct "
[ $USER = root ] || continue
which nmap 2>/dev/null >/dev/null || continue
[ -z "$DNS_HOST1" ] && DNS_HOST1="208.67.220.220"
nmap --privileged --send-eth -Pn -sU -p U:53 "$DNS_HOST1" || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval nmap 53
@ -641,9 +769,9 @@ while [ "$#" -gt 0 ] ; do
GREP="53"
elif [ $ARG -eq 13 ] ; then
tests[13]="curl_firewall_bin - wifi "
tests[13]="curl_firewall_bin - firewall "
[ $USER = root ] || continue
proxy_test_curl_firewall_bin || continue
proxy_test_curl_firewall_asbin || continue
INFO $prog test=$ARG "${tests[$ARG]}" curl bin
# works
GREP="443"
@ -664,7 +792,7 @@ while [ "$#" -gt 0 ] ; do
INFO $prog test=$ARG "${tests[$ARG]}" proxy_test_dig_direct
elif [ $ARG -eq 16 ] ; then
tests[16]="nslookup_as_root nslookup $PRIV_BIN_OWNER - torhost "
tests[16]="nslookup_as_root nslookup ${DNS_HOST1} $PRIV_BIN_OWNER - firewall "
[ $USER = root ] || continue
[ $HAVE_NSLOOKUP = 1 ] || continue
su -c "$NSL $DNS_TARGET $DNS_HOST1" -s /bin/sh $PRIV_BIN_OWNER >/dev/null || { \
@ -705,7 +833,8 @@ while [ "$#" -gt 0 ] ; do
GREP="123"
elif [ $ARG -eq 19 ] ; then
tests[19]="curl_noproxy_http_as_user curl raw noproxy - firefail "
proxy_ping_curl --noproxy "'*.*'" --connect-timeout $TIMEOUT \
timeout -k $TIMEOUT $TIMEOUT env - $CURL \
--noproxy "'*.*'" --connect-timeout $TIMEOUT \
http://$HTTP_TARGET >/dev/null && {
retval=$?
ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" curl raw --noproxy
@ -782,7 +911,7 @@ while [ "$#" -gt 0 ] ; do
[ $HAVE_NSLOOKUP = 1 ] || continue
# noenv with or without proxy
# @$DNS_HOST1 should fail for firewall unless dnsmasq is working
$NSL >/dev/null $DNS_TARGET || { \
$NSL >/dev/null $DNS_TARGET ${DNS_HOST} || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval nslookup $DNS_TARGET
[ -z "$ALL" ] && exit $ARG$retval || continue
@ -832,7 +961,7 @@ while [ "$#" -gt 0 ] ; do
elif [ $ARG -eq 30 ] ; then
tests[30]="tor_bootstrap_check_as_root tor_bootstrap_check.py - torhost "
[ $MODE = tor -o $MODE = whonix -o $MODE = selektor ] || {
[ $MODE = tor -o $MODE = whonix -o $MODE = gateway -o $MODE = selektor ] || {
# are there other roles that run tor?
WARN $prog MODE != tor test=$ARG
}
@ -856,9 +985,10 @@ while [ "$#" -gt 0 ] ; do
elif [ $ARG -eq 31 ] ; then
tests[31]="curl_noproxy_as_root polipo http pages $HTTP_PORT - direct http "
proxy_ping_curl --noproxy http://${HTTP_HOST}:$HTTP_PORT && { \
timeout -k $TIMEOUT $TIMEOUT env - $CURL \
--noproxy '*' http://${HTTP_TARGET} && { \
retval=$?
ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" retval=$retval http to $HTTP_PORT
ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" retval=$retval $HTTP_TARGET
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
@ -908,9 +1038,9 @@ while [ "$#" -gt 0 ] ; do
[ $USER = root ] || continue
[ $HAVE_DIG = 1 ] || continue
# @$DNS_HOST1
su -c "dig pool.ntp.org +timeout=$TIMEOUT" -s /bin/sh $PRIV_BIN_OWNER >/dev/null || { \
su -c "dig $NTP_HOST2 +timeout=$TIMEOUT" -s /bin/sh $PRIV_BIN_OWNER >/dev/null || { \
retval=$?
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval dig pool.ntp.org $PRIV_BIN_OWNER
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval dig $NTP_HOST2 $PRIV_BIN_OWNER
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
@ -918,12 +1048,12 @@ while [ "$#" -gt 0 ] ; do
GREP="53"
elif [ $ARG -eq 36 ] ; then
tests[36]="tor_resolve_as_user tor-resolve pool.ntp.org - tordns "
tests[36]="tor_resolve_as_user tor-resolve $NTP_HOST2 - tordns "
[ $HAVE_TOR_RESOLVE = 1 ] || continue
tor-resolve pool.ntp.org >/dev/null || { \
tor-resolve $NTP_HOST2 >/dev/null || { \
retval=$?
# dunno Failed parsing SOCKS5 response conf?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval tor-resolve pool.ntp.org
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval tor-resolve $NTP_HOST2
continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
@ -931,7 +1061,7 @@ while [ "$#" -gt 0 ] ; do
GREP="9053"
elif [ $ARG -eq 37 ] ; then
tests[37]="qemu-guest-agent and ports - libvirtguest "
tests[37]="qemu_guest_agent_ports - libvirtguest "
ser=qemu-guest-agent
proxy_rc_service $ser status >/dev/null || proxy_rc_service $ser start
proxy_rc_service $ser status >/dev/null || { \
@ -946,8 +1076,9 @@ while [ "$#" -gt 0 ] ; do
}
INFO $prog test=$ARG "${tests[$ARG]}"
GREP=""
elif [ $ARG -eq 38 ] ; then
tests[38]="qemu-guest-agent and ports - libvirthost "
tests[38]="check_libvirt_running - libvirthost "
[ $USER = root ] || continue
$PL proxy_libvirt_list
aret=$?
@ -957,12 +1088,42 @@ while [ "$#" -gt 0 ] ; do
DBUG proxy_libvirt_status aret=$aret
else
# was $GATEW_DOM but now can be gentoo_vm-2 etc
$PL proxy_libvirt_list 2>&1 | grep -q "running" || {
WARN MODE=$MODE and nothing libvirt running ;
$PL proxy_libvirt_list 2>&1| grep -q "running" || {
WARN MODE=$MODE and nothing libvirt running
continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
fi
elif [ $ARG -eq 39 ] ; then
tests[39]="proxy_test_dirmngr - dirmngr "
[ $USER = root ] || continue
proxy_test_dirmngr
elif [ $ARG -eq 99 ] ; then
tests[99]="test_all_modes unfinished not sure"
[ $USER = root ] || continue
for elt in vda selektor ws gateway nat tor whonix; do
INFO testing $elt
if [ "$MODE" = vda ] ; then
: vda
elif [ "$MODE" = selektor ] ; then
: selektor
elif [ "$MODE" = ws ] ; then
: ws
elif [ "$MODE" = gateway ] ; then
: gateway
elif [ "$MODE" = nat ] ; then
: nat
elif [ "$MODE" = tor ] ; then
: tor
elif [ "$MODE" = whonix ] ; then
: whonix
else
WARN unrecognized mode MODE=$elt
fi
done
elif false ; then
if ! grep -q '10.152.152.10\|127.0.0.1' /etc/resolv.conf ; then
$NETS | grep -q :53 || {
@ -977,21 +1138,3 @@ while [ "$#" -gt 0 ] ; do
done
exit 0
1)
env https_proxy=http://${SOCKS_HOST}:${HTTPS_PORT} wget $D -O - --no-check-certificate
2)
curl $D -k --proxy
3)
curl $D -k --proxy socks5://${SOCKS_HOST}:$SOCKS_PORT --proxy-insecure
6)
curl -k --proxy $HTTP_PORT
16)
nslookup $PRIV_BIN_OWNER
18)
ntpdate as sroot
19)
curl raw noproxy
0)
usage

4
overlay/Linux/usr/local/bin/proxy_test_ssl.bash
View File

@ -161,8 +161,8 @@ else
fi
CURL_ARGS="-vvv --cacert $CAFILE --cert-status --connect-timeout $timeout"
if [ -f /var/local/bin/analyze-ssl.pl.bash ] ; then
analyze=/var/local/bin/analyze-ssl.pl.bash
if [ -f $PREFIX/bin/analyze-ssl.pl.bash ] ; then
analyze=$PREFIX/bin/analyze-ssl.pl.bash
ANALYZE_ARGS="-v --timeout $timeout --CApath $CAFILE --all-ciphers"
else
analyze=""

6
overlay/Linux/usr/local/bin/scurl.bash
View File

@ -15,7 +15,7 @@ SSL_VER=3
. /usr/local/bin/proxy_ping_lib.bash
[ -f /usr/local/bin/proxy_curl_lib.bash ] && \
. /usr/local/bin/proxy_curl_lib.bash
if ! route | grep -q ^def ; then
if ! grep -q "^wlan[1-9][ ]00000000" /proc/net/route ; then
WARN $prog we are not connected >&2
exit -1
fi
@ -51,8 +51,8 @@ LARGS+=( --proto-redir https --proto-default https --proto =https )
[ -z "$socks_proxy" ] && . /usr/local/bin/proxy_export.bash
SSL_LIB=openssl # nss
if [ -x /var/local/bin/curl.bash ] ; then
EXE=/var/local/bin/curl.bash
if [ -x $PREFIX/bin/curl.bash ] ; then
EXE=$PREFIX/bin/curl.bash
elif which scurl ; then
EXE=`which scurl`
else

42
overlay/Linux/usr/local/sbin/proxy_whonix-libvirt-install.bash
View File

@ -3,25 +3,21 @@
set -o pipefail || exit 1
# was in /usr/lib/whonix-libvirt/install
# unlike that one, this should be idempotent
# [ -f /var/lib/whonix-libvirt/install.done ] && exit 0
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=base
. /usr/local/bin/usr_local_tput.bash
. /usr/local/sbin/proxy-libvirt-install.bash
# was in /usr/lib/whonix-libvirt/install
# unlike that one, this should be idempotent
# [ -f /var/lib/whonix-libvirt/install.done ] && exit 0
GATEW=1
# for testforge use we only need the Gateway
WORKS=
[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
. /usr/local/bin/proxy_ping_lib.bash || \
{ echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 1; }
. /usr/local/bin/usr_local_base.bash || exit 2
MODE=`proxy_ping_mode`
[ $MODE = whonix ] || exit 0
#? echo ERROR: avoiding $prog proxy_whonix-libvirt-install.bash ; exit 10
@ -29,9 +25,6 @@ MODE=`proxy_ping_mode`
[ -x /usr/local/bin/proxy_libvirt_hook_network.bash ] || exit 12
/usr/local/bin/proxy_libvirt_hook_network.bash || exit 13
[ -d /usr/local/var/log ] || mkdir /usr/local/var/log || exit 14
chmod 1777 /usr/local/var/log
[ -f /etc/firewall.conf.whonix ] || \
cp -p /usr/local/etc/firewall.conf.* /etc/ || exit 15
@ -49,36 +42,14 @@ EOF
[ -x /etc/libvirt/hooks/network ] || chmod a+x /etc/libvirt/hooks/network
/etc/libvirt/hooks/network || exit 16
## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
set -e
## {{ Taken from qemu-system-common.postinst.
# Add the kvm group unless it's already there
if ! getent group kvm >/dev/null; then
addgroup --quiet --system kvm || true
fi
## }} Taken from qemu-system-common.postinst.
## {{ Taken from libvirt-bin.postinst.
if ! getent group libvirt >/dev/null; then
addgroup --system libvirt
fi
## }} Taken from libvirt-bin.postinst.
## Existence of user "user" is not guaranteed at this point.
if grep -q ^user /etc/passwd ; then
grep -q ^kvm /etc/group || addgroup user kvm
grep -q ^libvirt /etc/group || addgroup user libvirt
fi
## Create shared directory and adjust permissions
[ -d /mnt/gateway-shared ] || mkdir --parents /mnt/gateway-shared
[ -n "$WORKS" ] && [ -d /mnt/workstation-shared ] || mkdir --parents /mnt/workstation-shared
chmod 1777 /mnt/gateway-shared
[ -n "$WORKS" ] && chmod 1777 /mnt/workstation-shared
## networks
proxy_virsh net-list --all | grep -q default || \
virsh -c qemu:///system net-autostart "default" || exit 1$?
@ -97,7 +68,6 @@ proxy_virsh net-list | grep -q Whonix-External || \
proxy_virsh net-list | grep -q Whonix-Internal || \
virsh -c qemu:///system net-start "Whonix-Internal" || exit 6$?
lsmod | grep -q kvm||modprobe kvm || exit 7
temp_dir=/usr/local/etc/libvirt/qemu
if virsh capabilities | grep -q "<domain type='kvm'" ; then

2
overlay/Linux/usr/local/sbin/proxy_whonix_guest_vda.bash
View File

@ -111,7 +111,7 @@ proxy_vda_start () {
ifconfig eth0 $IP netmask 255.255.192.0 broadcast 10.152.191.255
#? inet $IP netmask 255.0.0.0 broadcast 10.255.255.255
fi
ip route | grep -q ^default || \
ip grep -q "^wlan[1-9][ ]00000000" /proc/net/route || \
route add default gw $PROXY_WLAN_GW
# dnsmasq

72
overlay/Linux/usr/local/src/curl.bash Executable file
View File

@ -0,0 +1,72 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
ROLE=proxy
PREFIX=/usr/local
. /usr/local/bin/usr_local_tput.bash || exit 2
ip route | grep -q ^def || {
WARN we are not connected >&2
exit 1
}
[ -f $HOME/.curlrc ] || touch $HOME/.curlrc
declare -a CURL_OPTS
# --silent --show-error
CURL_OPTS=( --fail-early --fail )
[[ "$*" =~ --http0.9 ]] || [[ "$*" =~ --http1 ]] || [[ "$*" =~ --http1.1 ]] || \
[[ "$*" =~ --http2 ]] || [[ "$*" =~ --http3 ]] || CURL_OPTS+=( --http0.9 )
[[ ! "$*" =~ --retry ]] && CURL_OPTS+=( --retry 3 )
[[ ! "$*" =~ -4 ]] && CURL_OPTS+=( -4 )
# [[ ! "$*" =~ --http2 ]] && CURL_OPTS+=( --http2 )
[[ ! "$*" =~ --max-redirs ]] && CURL_OPTS+=( --max-redirs 10 )
[[ ! "$*" =~ --location ]] && CURL_OPTS+=( --location )
[[ ! "$*" =~ --remote-time ]] && CURL_OPTS+=( --remote-time )
[[ ! "$*" =~ --create-dirs ]] && CURL_OPTS+=( --create-dirs )
if [[ "$socks_proxy" =~ socks5://.* ]] ; then
export socks_proxy="$( echo $socks_proxy | sed -e 's@socks5://@socks5h://@' )"
fi
if [[ ! "$*" =~ --proxy ]] && [ -n "$socks_proxy" ] ; then
CURL_OPTS+=( --proxy $socks_proxy )
[ -n "$https_proxy" ] && export https_proxy= && unset https_proxy
[ -n "$http_proxy" ] && export http_proxy= && unset http_proxy
elif [ -n "$https_proxy" ] ; then
CURL_OPTS+=( --proxy $https_proxy )
[ -n "$http_proxy" ] && export http_proxy= && unset http_proxy
elif [ -n "$http_proxy" ] ; then
CURL_OPTS+=( --proxy $http_proxy )
fi
export CURL_OPTS+=( -L )
if [ -d $HOME/.local/ ] ; then
[ -f $HOME/.local/jar.cookie ] || touch $HOME/.local/jar.cookie
[[ ! "$*" =~ --cookie-jar ]] && \
CURL_OPTS+=( --cookie-jar $HOME/.local/jar.cookie --junk-session-cookies )
fi
if ! uname -a | grep -q 'Devuan\|Debian' && [ -s $HOME/.local/alt.svc ] ; then
export CURL_OPTS+=( --alt-svc $HOME/.local/alt.svc )
# #define CURLALTSVC_H2 (1<<4)
export CURLOPT_ALTSVC_CTRL=16
fi
[[ ! "$*" =~ --config ]] && [ -s "$HOME/.curlrc" ] && \
export CURL_OPTS+=( --config $HOME/.curlrc )
[[ ! "$*" =~ --cookie-jar ]] && [ -s $HOME/.local/jar.cookie ] && \
export CURL_OPTS+=( --cookie-jar $HOME/.local/jar.cookie )
if [[ ! "$*" =~ --capath ]] && \
[[ ! "$*" =~ --cacert ]] && \
[ -s /usr/local/etc/ssl/cacert-testforge.pem ] ; then
# --capath /usr/local/etc/:/etc/ssl/certs
export CURL_OPTS+=( --cacert /usr/local/etc/ssl/cacert-testforge.pem )
export CURL_CA_BUNDLE=/usr/local/etc/ssl/cacert-testforge.pem
fi
export CURL_OPTS
DBUG /usr/bin/curl "${CURL_OPTS[@]}" "$@" >&2
exec /usr/bin/curl "${CURL_OPTS[@]}" "$@"

63
overlay/Linux/usr/local/src/dirmngr.bash Executable file
View File

@ -0,0 +1,63 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/usr_local_base.bash || exit 2
if [ "$#" -eq 1 -a "$1" = '--version' ] ; then
exec /usr/bin/dirmngr.bin --version
return 0
fi
# echo "DEBUG: $0 GNUPGHOME=$GNUPGHOME $*" >> /tmp/$$.out
PROXY_GPG_KEYSERVER=keys.openpgp.org
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash >/dev/null
[ -z "$PROXY_GPG_KEYERVER_URL" ] && PROXY_GPG_KEYERVER_URL=hkps://$PROXY_GPG_KEYSERVER
# ONLY disabling on the command line or
[ -e /proc/sys/net/ipv6/conf/default/disable_ipv6 ] && \
[ `cat /proc/sys/net/ipv6/conf/default/disable_ipv6` -eq 0 ] && \
echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
PROXY_WLAN=$( /usr/local/bin/proxy_ping_lib.bash proxy_set_if ) # || return 1$?
if [ -n "$PROXY_WLAN" ] ; then
wlan7=$PROXY_WLAN
[ -e /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6 ] && \
[ `cat /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6` -eq 0 ] && \
echo 1 > /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6
fi
grep -q "^wlan[1-9][ ]00000000" /proc/net/route || { ERROR no route ; exit 1; }
[ ! -x /usr/bin/netstat ] || \
netstat -nlp | grep -q 127.0.0.1:53 || { ERROR no nameserver ; exit 4; }
[ -z "$USER" ] && USER=$(id -un )
if [ $USER = root ] ; then
[ -x /usr/bin/dirmngr -a ! -x /usr/bin/dirmngr.bin ] && \
mv /usr/bin/dirmngr /usr/bin/dirmngr.bin
[ -x /usr/bin/dirmngr.bin -a ! -x /usr/bin/dirmngr ] && \
ln -s /usr/local/bin/proxy_dirmngr.bash /usr/bin/dirmngr
fi
[ ! -x /usr/bin/dirmngr -o ! -x /usr/bin/dirmngr.bin ] && exit 2
[ -f /etc/dirmngr/dirmngr.conf ] || exit 3
# This is not enough: --disable-ipv6
# --keyserver hkps://keys.gentoo.org is required
# --http-proxy http://127.0.0.1:3128
# --keyserver $PROXY_GPG_KEYERVER_URL
# --no-use-tor is REQUIRED if you are running tor
# EVEN IF YOU DOT USE use-tor - silent dns failure
exec /usr/bin/dirmngr.bin --server -vvv --debug-all \
--options /etc/dirmngr/dirmngr.conf \
--nameserver 127.0.0.1 \
--disable-ipv6 \
--disable-ldap \
--no-use-tor \
--log-file /var/log/dirmngr.log --debug-level 4 \
"$@"

17
overlay/Linux/usr/local/src/gentoo_lis_to_urls.bash Executable file
View File

@ -0,0 +1,17 @@
#!/bin/sh
# filter
ROLE=proxy
CACHE=/mnt/i/net/Http
grep --text ^http:// | \
sed -e 's@ftp://[^ ]*@@g' | \
while read line ; do
for url in $line ; do
base=`basename "$url"`
[ -e /usr/portage/distfiles/$base ] && break
pre=`sed -e "s@http://@${CACHE}@" <<< $url`
[ -e $pre ] && break
echo $line
break
done
done
exit 0

29
overlay/Linux/usr/local/src/gentoo_swget_urls.sh Executable file
View File

@ -0,0 +1,29 @@
#!/bin/sh
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
ROLE=proxy
# filter - arguments are to wget - quoted?
if [ "$#" -eq 0 ] ; then
WARGS="-xc -P /i/net/Http --tries=1 --no-hsts"
export CURL_OPTS="-C - --retry 3 --remote-name --create-dirs"
else
WARGS="$@"
export CURL_OPTS="$@"
fi
grep ^http | \
sed -e 's@ftp://[^ ]*@@' \
-e 's@^https://distfiles.gentoo.org/distfiles/[^ ]* https://pypi.python.org/@https://pypi.python.org/@' \
-e 's/http:/https:/' \
-e 's@distfiles.gentoo.org/@mirror.leaseweb.com/gentoo/@g' | \
while read urls ; do
url=`echo $urls|sed -e 's@ .*@@'`
base=`basename "$url"`
[ -e /usr/portage/distfiles/$base ] && echo distfiles/$base && continue
for url in $urls ; do
# wget --restrict-file-names=windows --no-verbose $WARGS $url || continue
scurl.bash --directory-prefix /i/net/Http --force-directories \
-- $CURL_OPTS $url || continue
break
done
done

10
overlay/Linux/usr/local/src/gitproxy.bash Executable file
View File

@ -0,0 +1,10 @@
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
# BEGIN ANSIBLE MANAGED BLOCK proxy
exec corkscrew $1 $2
# $1 %h $2 %p
#? exec connect -4 -S : $(tor-resolve $1 :) $2
# END ANSIBLE MANAGED BLOCK proxy

12
overlay/Linux/usr/local/src/proxy_ansible.bash Executable file
View File

@ -0,0 +1,12 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
. /usr/local/etc/testforge/testforge.bash
PREFIX=$PROXY_VAR_LOCAL
[ "$#" -eq 0 ] && set -- proxy
exec bash $PREFIX/bin/testforge_ansible.bash "$@"
ROLE=proxy

401
overlay/Linux/usr/local/src/proxy_curl_lib.bash Executable file
View File

@ -0,0 +1,401 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
ROLE=proxy
. /usr/local/bin/usr_local_tput.bash || exit 2
## proxy_ami_cloudflared
proxy_ami_cloudflared() {
[ $# -gt 0 ] || return 1
local ip=$1
for no in "${CLOUDFN[@]}" ; do
nopat=`sed -e 's@[.0]*/[0-9][0-9]@@' <<< $no`
[[ $ip =~ ${nopat}.* ]] && {
# WARN $url cloudflared $ip $no
echo True
return 0
}
done
echo False
return 0
}
## proxy_ami_cloudflared_py
proxy_ami_cloudflared_py() {
[ $# -gt 0 ] || return 1
local ip=$1
a=`proxy_ami_cloudflared $ip`
if [ $? -eq 0 -a "$a" = True ] ; then
echo $a
return 0
fi
# https://netaddr.readthedocs.io/en/latest/tutorial_01.html
# a=`python3 -c "import netaddr; print(netaddr.IPAddress('$ip') in list(netaddr.IPNetwork('$no')))"`
# https://stackoverflow.com/questions/819355/how-can-i-check-if-an-ip-is-in-a-network-in-python
for no in "${CLOUDFN[@]}" ; do
a=`python3 -c "import ipaddress; print(ipaddress.IPv4Address('$ip') in list(ipaddress.IPv4Network('$no')))"`
if [ $? -eq 0 -a "$a" = True ] ; then
echo $a
return 0
fi
done
echo False
return 0
}
## proxy_ami_nottlsv3
proxy_ami_nottlsv3() {
[ $# -gt 0 ] || return 1
local site=$1
for no in "${NOTLSV3[@]}" ; do
[[ $site =~ $no ]] && echo True && return 0
done
echo False
return 0
}
declare -a NOTLSV3
NOTLSV3=(
# connection refused
www.mirrorservice.org
# no ipv3
files.pythonhosted.org
# forbidden
download.nvidia.com
# 500
www.x.org
)
# https://web.archive.org/web/20220722104744/https://www.cloudflare.com/ips-v4
declare -a CLOUDFN
CLOUDFN=(
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
104.16.0.0/13
104.24.0.0/14
108.162.192.0/18
131.0.72.0/22
141.101.64.0/18
162.158.0.0/15
172.64.0.0/13
188.114.96.0/20
190.93.240.0/20
197.234.240.0/22
198.41.128.0/17
)
#for no in "${CLOUDFN[@]}" ; do
# # https://netaddr.readthedocs.io/en/latest/tutorial_01.html
# a=`python3 -c "import netaddr; print('\n'.join(map(str,list(netaddr.IPNetwork('$no')))))"`
#done
# /usr/include/openssl/x509_vfy.h
declare -A OPENSSL_X509_V
OPENSSL_X509_V=(
[0]=OK
[1]=ERR_UNSPECIFIED
[2]=ERR_UNABLE_TO_GET_ISSUER_CERT
[3]=ERR_UNABLE_TO_GET_CRL
[4]=ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
[5]=ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
[6]=ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
[7]=ERR_CERT_SIGNATURE_FAILURE
[8]=ERR_CRL_SIGNATURE_FAILURE
[9]=ERR_CERT_NOT_YET_VALID
[10]=ERR_CERT_HAS_EXPIRED
[11]=ERR_CRL_NOT_YET_VALID
[12]=ERR_CRL_HAS_EXPIRED
[13]=ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
[14]=ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
[15]=ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
[16]=ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
[17]=ERR_OUT_OF_MEM
[18]=ERR_DEPTH_ZERO_SELF_SIGNED_CERT
[19]=ERR_SELF_SIGNED_CERT_IN_CHAIN
[20]=ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
[21]=ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
[22]=ERR_CERT_CHAIN_TOO_LONG
[23]=ERR_CERT_REVOKED
[24]=ERR_INVALID_CA
[25]=ERR_PATH_LENGTH_EXCEEDED
[26]=ERR_INVALID_PURPOSE
[27]=ERR_CERT_UNTRUSTED
[28]=ERR_CERT_REJECTED
# These are 'informational' when looking for issuer cert
[29]=ERR_SUBJECT_ISSUER_MISMATCH
[30]=ERR_AKID_SKID_MISMATCH
[31]=ERR_AKID_ISSUER_SERIAL_MISMATCH
[32]=ERR_KEYUSAGE_NO_CERTSIGN
[33]=ERR_UNABLE_TO_GET_CRL_ISSUER
[34]=ERR_UNHANDLED_CRITICAL_EXTENSION
[35]=ERR_KEYUSAGE_NO_CRL_SIGN
[36]=ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
[37]=ERR_INVALID_NON_CA
[38]=ERR_PROXY_PATH_LENGTH_EXCEEDED
[39]=ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
[40]=ERR_PROXY_CERTIFICATES_NOT_ALLOWED
[41]=ERR_INVALID_EXTENSION
[42]=ERR_INVALID_POLICY_EXTENSION
[43]=ERR_NO_EXPLICIT_POLICY
[44]=ERR_DIFFERENT_CRL_SCOPE
[45]=ERR_UNSUPPORTED_EXTENSION_FEATURE
[46]=ERR_UNNESTED_RESOURCE
[47]=ERR_PERMITTED_VIOLATION
[48]=ERR_EXCLUDED_VIOLATION
[49]=ERR_SUBTREE_MINMAX
# The application is not happy
[50]=ERR_APPLICATION_VERIFICATION
[51]=ERR_UNSUPPORTED_CONSTRAINT_TYPE
[52]=ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
[53]=ERR_UNSUPPORTED_NAME_SYNTAX
[54]=ERR_CRL_PATH_VALIDATION_ERROR
# Another issuer check debug option
[55]=ERR_PATH_LOOP
# Suite B mode algorithm violation
[56]=ERR_SUITE_B_INVALID_VERSION
[57]=ERR_SUITE_B_INVALID_ALGORITHM
[58]=ERR_SUITE_B_INVALID_CURVE
[59]=ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
[60]=ERR_SUITE_B_LOS_NOT_ALLOWED
[61]=ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
# Host, email and IP check errors
[62]=ERR_HOSTNAME_MISMATCH
[63]=ERR_EMAIL_MISMATCH
[64]=ERR_IP_ADDRESS_MISMATCH
# DANE TLSA errors
[65]=ERR_DANE_NO_MATCH
# security level errors
[66]=ERR_EE_KEY_TOO_SMALL
[67]=ERR_CA_KEY_TOO_SMALL
[68]=ERR_CA_MD_TOO_WEAK
# Caller error
[69]=ERR_INVALID_CALL
# Issuer lookup error
[70]=ERR_STORE_LOOKUP
# Certificate transparency
[71]=ERR_NO_VALID_SCTS
[72]=ERR_PROXY_SUBJECT_NAME_VIOLATION
# OCSP status errors
[73]=ERR_OCSP_VERIFY_NEEDED # Need OCSP verification
[74]=ERR_OCSP_VERIFY_FAILED # Couldn't verify cert through OCSP
[75]=ERR_OCSP_CERT_UNKNOWN # Certificate wasn't recognized by the OCSP responder
[76]=ERR_SIGNATURE_ALGORITHM_MISMATCH
[77]=ERR_NO_ISSUER_PUBLIC_KEY
[78]=ERR_UNSUPPORTED_SIGNATURE_ALGORITHM
[79]=ERR_EC_KEY_EXPLICIT_PARAMS
)
# man 3 libcurl-errors
declare -A CURLE
CURLE=(
[0]=CURLE_OK
[1]=CURLE_UNSUPPORTED_PROTOCOL
[2]=CURLE_FAILED_INIT
[3]=CURLE_URL_MALFORMAT
[4]=CURLE_NOT_BUILT_IN
[5]=CURLE_COULDNT_RESOLVE_PROXY
[6]=CURLE_COULDNT_RESOLVE_HOST
[7]=CURLE_COULDNT_CONNECT
[8]=CURLE_WEIRD_SERVER_REPLY
[9]=CURLE_REMOTE_ACCESS_DENIED
[10]=CURLE_FTP_ACCEPT_FAILED
[11]=CURLE_FTP_WEIRD_PASS_REPLY
[12]=CURLE_FTP_ACCEPT_TIMEOUT
[13]=CURLE_FTP_WEIRD_PASV_REPLY
[14]=CURLE_FTP_WEIRD_227_FORMAT
[15]=CURLE_FTP_CANT_GET_HOST
[16]=CURLE_HTTP2
[17]=CURLE_FTP_COULDNT_SET_TYPE
[18]=CURLE_PARTIAL_FILE
[19]=CURLE_FTP_COULDNT_RETR_FILE
[21]=CURLE_QUOTE_ERROR
[22]=CURLE_HTTP_RETURNED_ERROR
[23]=CURLE_WRITE_ERROR
[25]=CURLE_UPLOAD_FAILED
[26]=CURLE_READ_ERROR
[27]=CURLE_OUT_OF_MEMORY
[28]=CURLE_OPERATION_TIMEDOUT
[30]=CURLE_FTP_PORT_FAILED
[31]=CURLE_FTP_COULDNT_USE_REST
[33]=CURLE_RANGE_ERROR
[34]=CURLE_HTTP_POST_ERROR
[35]=CURLE_SSL_CONNECT_ERROR
[36]=CURLE_BAD_DOWNLOAD_RESUME
[37]=CURLE_FILE_COULDNT_READ_FILE
[38]=CURLE_LDAP_CANNOT_BIND
[39]=CURLE_LDAP_SEARCH_FAILED
[41]=CURLE_FUNCTION_NOT_FOUND
[42]=CURLE_ABORTED_BY_CALLBACK
[43]=CURLE_BAD_FUNCTION_ARGUMENT
[45]=CURLE_INTERFACE_FAILED
[47]=CURLE_TOO_MANY_REDIRECTS
[48]=CURLE_UNKNOWN_OPTION
[49]=CURLE_SETOPT_OPTION_SYNTAX
[52]=CURLE_GOT_NOTHING
[53]=CURLE_SSL_ENGINE_NOTFOUND
[54]=CURLE_SSL_ENGINE_SETFAILED
[55]=CURLE_SEND_ERROR
[56]=CURLE_RECV_ERROR
[58]=CURLE_SSL_CERTPROBLEM
[59]=CURLE_SSL_CIPHER
[60]=CURLE_PEER_FAILED_VERIFICATION
[61]=CURLE_BAD_CONTENT_ENCODING
[62]=CURLE_LDAP_INVALID_URL
[63]=CURLE_FILESIZE_EXCEEDED
[64]=CURLE_USE_SSL_FAILED
[65]=CURLE_SEND_FAIL_REWIND
[66]=CURLE_SSL_ENGINE_INITFAILED
[67]=CURLE_LOGIN_DENIED
[68]=CURLE_TFTP_NOTFOUND
[69]=CURLE_TFTP_PERM
[70]=CURLE_REMOTE_DISK_FULL
[71]=CURLE_TFTP_ILLEGAL
[72]=CURLE_TFTP_UNKNOWNID
[73]=CURLE_REMOTE_FILE_EXISTS
[74]=CURLE_TFTP_NOSUCHUSER
[75]=CURLE_CONV_FAILED
[76]=CURLE_CONV_REQD
[77]=CURLE_SSL_CACERT_BADFILE
[78]=CURLE_REMOTE_FILE_NOT_FOUND
[79]=CURLE_SSH
[80]=CURLE_SSL_SHUTDOWN_FAILED
[81]=CURLE_AGAIN
[82]=CURLE_SSL_CRL_BADFILE
[83]=CURLE_SSL_ISSUER_ERROR
[84]=CURLE_FTP_PRET_FAILED
[85]=CURLE_RTSP_CSEQ_ERROR
[86]=CURLE_RTSP_SESSION_ERROR
[87]=CURLE_FTP_BAD_FILE_LIST
[88]=CURLE_CHUNK_FAILED
[89]=CURLE_NO_CONNECTION_AVAILABLE
[90]=CURLE_SSL_PINNEDPUBKEYNOTMATCH
[91]=CURLE_SSL_INVALIDCERTSTATUS
[92]=CURLE_HTTP2_STREAM
[93]=CURLE_RECURSIVE_API_CALL
[94]=CURLE_AUTH_ERROR
[95]=CURLE_HTTP3
[96]=CURLE_QUIC_CONNECT_ERROR
[98]=CURLE_SSL_CLIENTCERT
[99]=CURLE_UNRECOVERABLE_POLL
)
# 20 HTTP response status codes
declare -A HTTP_RESPONSE
HTTP_RESPONSE=(
[100]="Continue"
[101]="Switching Protocols"
[103]="Early Hints"
[200]="OK"
[201]="Created"
[202]="Accepted"
[203]="Non-Authoritative Information"
[204]="No Content"
[205]="Reset Content"
[206]="Partial Content"
[300]="Multiple Choices"
[301]="Moved Permanently"
[302]="Found"
[303]="See Other"
[304]="Not Modified"
[307]="Temporary Redirect"
[308]="Permanent Redirect"
[400]="Bad Request"
[401]="Unauthorized"
[402]="Payment Required"
[403]="Forbidden"
[404]="Not Found"
[405]="Method Not Allowed"
[406]="Not Acceptable"
[407]="Proxy Authentication Required"
[408]="Request Timeout"
[409]="Conflict"
[410]="Gone"
[411]="Length Required"
[412]="Precondition Failed"
[413]="Payload Too Large"
[414]="URI Too Long"
[415]="Unsupported Media Type"
[416]="Range Not Satisfiable"
[417]="Expectation Failed"
[418]="Im a teapot"
[422]="Unprocessable Entity"
[425]="Too Early"
[426]="Upgrade Required"
[428]="Precondition Required"
[429]="Too Many Requests"
[431]="Request Header Fields Too Large"
[451]="Unavailable For Legal Reasons"
[500]="Internal Server Error"
[501]="Not Implemented"
[502]="Bad Gateway"
[503]="Service Unavailable"
[504]="Gateway Timeout"
[505]="HTTP Version Not Supported"
[506]="Variant Also Negotiates"
[507]="Insufficient Storage"
[508]="Loop Detected"
[510]="Not Extended"
[511]="Network Authentication Required"
)
# https://techcommunity.microsoft.com/t5/iis-support-blog/ssl-tls-alert-protocol-and-the-alert-codes/ba-p/377132
declare -a SSL_ALERT_CODES
# B.2. Alert Messages
SSL_ALERT_CODES=(
[0]="close_notify"
[10]="unexpected_message"
[20]="bad_record_mac"
[21]="decryption_failed_RESERVED"
[22]="record_overflow"
[30]="decompression_failure_RESERVED"
[40]="handshake_failure"
[41]="no_certificate_RESERVED"
[42]="bad_certificate"
[43]="unsupported_certificate"
[44]="certificate_revoked"
[45]="certificate_expired"
[46]="certificate_unknown"
[47]="illegal_parameter"
[48]="unknown_ca"
[49]="access_denied"
[50]="decode_error"
[51]="decrypt_error"
[60]="export_restriction_RESERVED"
[70]="protocol_version"
[71]="insufficient_security"
[80]="internal_error"
[86]="inappropriate_fallback"
[90]="user_canceled"
[100]="no_renegotiation_RESERVED"
[109]="missing_extension"
[110]="unsupported_extension"
[111]="certificate_unobtainable_RESERVED"
[112]="unrecognized_name"
[113]="bad_certificate_status_response"
[114]="bad_certificate_hash_value_RESERVED"
[115]="unknown_psk_identity"
[116]="certificate_required"
[120]="no_application_protocol"
)
# https://curl.se/docs/ssl-ciphers.html
# openssl
# https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html
# https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
openssl=openssl
# CURLOPT_TLS13_CIPHERS --tls13-ciphers
if [ $openssl = openssl ] ; then
export CURLOPT_TLS13_CIPHERS="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256"
elif [ $openssl = nss ] ; then
export CURLOPT_TLS13_CIPHERS="aes_128_gcm_sha_256,aes_256_gcm_sha_384,chacha20_poly1305_sha_256"
fi

56
overlay/Linux/usr/local/src/proxy_daily.bash Executable file
View File

@ -0,0 +1,56 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
ROLE=proxy
# The idea here is to run ansible_local.bash --tags daily
# and then use this to do the parsing and throwing errors based on the output.
# This was the ansible run can be free from erroring and this can be
# run repeatedly anytime outside of ansible to deal with the issues raised.
# It is also run at the end of ansible_local.bash --tags daily to raise the issues.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[ -f /usr/local/etc/testforge/testforge.bash ] && \
. /usr/local/etc/testforge/testforge.bash
MYID=$( id -u )
[ $MYID -eq 0 ] || { ERROR $prog must be run as root $MYID ; exit 1 ; }
# . $PREFIX/src/var_local_src.bash
which ansifilter >/dev/null 2>&1 && ansifilter=ansifilter || ansifilter=cat
ly=daily
errs=0
warns=0
elt=proxy
LOG_DIR=/usr/local/tmp
ELOG=$LOG_DIR/E${prog}_${ly}$$.log
WLOG=$LOG_DIR/W${prog}_${ly}$$.log
OUT=$LOG_DIR/O${prog}_${ly}$$.log
rm -f $LOG_DIR/*${prog}_${ly}*.log
elt=doctest3
if [ $MYID -ne 0 ] && [ -f /var/local/bin/testforge_python_doctest3.bash ] ; then
$PREFIX/bin/testforge_python_doctest3.bash \
/usr/local/share/doc/txt/proxy3.txt \
> "$LOG_DIR"/$ly/$elt$$.log 2>> $ELOG || ERROR $elt >> $ELOG
fi
[ -f $WLOG ] && warns=$( wc -l $WLOG | cut -f 1 -d ' ' )
[ $? -eq 0 -a $warns -ne 0 ] && \
WARN "$prog $warns $ly $prog warnings in $WLOG"
[ -f $ELOG ] && errs=$( wc -l $ELOG | cut -f 1 -d ' ' )
[ $? -eq 0 -a $errs -ne 0 ] && \
ERROR "$prog $errs $ly $prog errors in $ELOG" && cat $ELOG
[ $errs -eq 0 ] && \
[ $warns -eq 0 ] && \
INFO "$prog No $ly errors" && \
rm -f $WLOG $ELOG $OUT
exit $errs

64
overlay/Linux/usr/local/src/proxy_dirmngr.bash Executable file
View File

@ -0,0 +1,64 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/usr_local_base.bash || exit 2
# NO allow-version-check CALLS ANYWAY versions.gnupg.org
# echo "DEBUG: $0 GNUPGHOME=$GNUPGHOME $*" >> /tmp/$$.out
PROXY_GPG_KEYSERVER=keys.openpgp.org
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash >/dev/null
[ -z "$PROXY_GPG_KEYERVER_URL" ] && PROXY_GPG_KEYERVER_URL=hkps://$PROXY_GPG_KEYSERVER
# ONLY disabling on the command line or
[ -e /proc/sys/net/ipv6/conf/default/disable_ipv6 ] && \
[ `cat /proc/sys/net/ipv6/conf/default/disable_ipv6` -eq 0 ] && \
echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
PROXY_WLAN=$( /usr/local/bin/proxy_ping_lib.bash proxy_set_if ) # || return 1$?
if [ -n "$PROXY_WLAN" ] ; then
wlan7=$PROXY_WLAN
[ -e /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6 ] && \
[ `cat /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6` -eq 0 ] && \
echo 1 > /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6
fi
grep -q "^wlan[1-9][ ]00000000" /proc/net/route || { ERROR no route ; exit 1; }
[ -z "$USER" ] && USER=$(id -un )
if [ $USER = root ] ; then
[ -x /usr/bin/dirmngr -a ! -x /usr/bin/dirmngr.bin ] && \
mv /usr/bin/dirmngr /usr/bin/dirmngr.bin
[ -x /usr/bin/dirmngr.bin -a ! -x /usr/bin/dirmngr ] && \
ln -s /usr/local/bin/proxy_dirmngr.bash /usr/bin/dirmngr
fi
[ ! -x /usr/bin/dirmngr -o ! -x /usr/bin/dirmngr.bin ] && exit 2
[ -f /etc/dirmngr/dirmngr.conf ] || exit 3
[ -x /usr/bin/dirmngr.bin ] || exit 4
[ ! -x /usr/bin/netstat ] || \
netstat -nlp|grep -q 127.0.0.1:53 || { ERROR no nameserver ; exit 5; }
[ ! -x /usr/bin/netstat ] || \
netstat -nlp|grep -q 127.0.0.1:3128 || { ERROR no proxy 3128 ; exit 6; }
# This is not enough: --disable-ipv6
# --keyserver hkps://keys.gentoo.org is required
# --http-proxy http://127.0.0.1:3128
# --keyserver $PROXY_GPG_KEYERVER_URL
# --no-use-tor is REQUIRED if you are running tor
# EVEN IF YOU DOT USE use-tor - silent dns failure
exec /usr/bin/dirmngr.bin --server -vvv --debug-all \
--options /etc/dirmngr/dirmngr.conf \
--nameserver 127.0.0.1 \
--disable-ipv6 \
--disable-ldap \
--no-use-tor \
--log-file /var/log/dirmngr.log --debug-level 4 \
"$@"

68
overlay/Linux/usr/local/src/proxy_dirmngr_test.bash Executable file
View File

@ -0,0 +1,68 @@
#!/bin/sh
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
# Dual Linux or msys64
prog=$( basename $0 .bash )
ROLE=proxy
PREFIX=/usr/local
[ -n "$MSYSTEM" ] && EXET=msys || EXET=sh
[ -f $PREFIX/etc/testforge/testforge.bash ] \
&& . /usr/local/etc/testforge/testforge.bash
# Dual Linux or msys64
PROXIES=""
if [ -d /etc/pacman.d/gnupg ] ; then
ROLE=msys64
HOMEDIR=/etc/pacman.d/gnupg
# proxy or striaght through
PROXIES="10.152.152.12"
elif [ -d /q/Pg64/Msys64/etc/pacman.d/gnupg ] ; then
ROLE=q
HOMEDIR=/q/Pg64/Msys64/etc/pacman.d/gnupg
ppl=/usr/local/bin/proxy_ping_lib.bash
# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
[ "$USER" != root ] && export PATH=/sbin:$PATH
[ -z "$MODE" ] && MODE=$( $ppl proxy_ping_mode )
if [ "$MODE" = tor ] ; then
PROXIES="127.0.0.1:3128"
elif [ "$MODE" = whonix ] ; then
PROXIES="10.0.2.15:9128"
elif [ "$MODE" = gateway ] ; then
PROXIES="10.0.2.15:9128"
elif ps ax | grep -q polipo ; then
PROXIES="127.0.0.1:3128"
else
echo ERROR: unknown proxy
exit 2
fi
fi
if [ ! -f /etc/dirmngr/dirmngr.conf ] || \
grep ^keyserver /etc/dirmngr/dirmngr.conf ; then
echo ERROR: no ^keyserver in /etc/dirmngr/dirmngr.conf
exit 1
fi
GPG="gpg --verbose --home $HOMEDIR"
$GPG --refresh-keys --verbose
ps ax | grep /usr/bin/dirmngr.bin|grep -v grep|sed -e 's/ .*//'|xargs kill
grep '^keyserver hkp' /etc/dirmngr/dirmngr.conf | \
sed -e 's@keyserver hkp://@@' | \
while read elt ; do
for proxy in $PROXIES; do
echo 1 | http_proxy=$proxy $GPG --yes \
--debug-level guru \
--keyserver hkp://$elt \
--search-keys abcdefghij || exit 3$?
echo INFO: $proxy $elt
done
done
/usr/local/bin/proxy_ping_test.bash dirmngr

22
overlay/Linux/usr/local/src/proxy_dns_forward.bash Executable file
View File

@ -0,0 +1,22 @@
#!/bin/sh
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
# https://unix.stackexchange.com/questions/293304/using-netcat-for-port-forwarding
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/usr_local_tput.bash || exit 2
netstat -nlpe4 | grep -q 127.0.0.1:53 && {
ERROR 127.0.0.1:53 already bound
exit 1
}
MODE=$( /usr/local/bin/proxy_ping_lib.bash proxy_ping_mode )
if [ "$MODE" = tor -o "$MODE" = gateway -o "$MODE" = selektor ] ; then
socat -L/run/socat.lck udp-l:53,bind=127.0.0.1,fork,reuseaddr udp:127.0.0.1:9053 >/dev/null
elif a[ "$MODE" = whonix ] ; then
socat -L/run/socat.lck udp-l:53,bind=127.0.0.1,fork,reuseaddr udp:10.0.2.2:9053 >/dev/null
fi

166
overlay/Linux/usr/local/src/proxy_export.bash Executable file
View File

@ -0,0 +1,166 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
ROLE=proxy
#NO prog=proxy_export
. /usr/local/bin/usr_local_tput.bash || exit 2
[ -f /usr/local/bin/proxy_ping_lib.bash ] || \
{ ERROR missing /usr/local/bin/proxy_ping_lib.bash ; exit 1; }
# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
# [ "$USER" != root ] && export PATH=/sbin:$PATH
## proxy_to_virbr1_15
proxy_to_virbr1_15 () {
if ifconfig | grep -q virbr1 ; then
PROXY_VIREXT_IP=$( ifconfig virbr1 | grep inet | sed -e 's/.*inet //' -e 's/ .*//' )
[ $? -eq 0 -a -n "$PROXY_VIREXT_IP" ] && \
PROXY_VIREXT_HOST=$( echo $PROXY_VIREXT_IP | sed -e 's/2$/15/' ) && \
[ -n "$PROXY_VIREXT_HOST" ] && \
export no_proxy="localhost,127.0.0.1,$PROXY_VIREXT_HOST" && \
export https_proxy=http://$PROXY_VIREXT_HOST:9128 && \
export socks_proxy=socks5://$PROXY_VIREXT_HOST:9050 && \
export TOR_SOCKS_HOST=$PROXY_VIREXT_HOST && \
export TOR_SOCKS_PORT=9050
fi
return 0
}
## proxy_http_host_httpproxy
proxy_http_host_httpproxy () {
if netstat -nle4 | grep -q 127.0.0.1:3128 >/dev/null ; then
export http_proxy=http://127.0.0.1:3128
export https_proxy=http://127.0.0.1:3128
export RSYNC_PROXY=127.0.0.1:3128
fi
return 0
}
proxy_https_host_selektor () { proxy_https_host_tor $* ; }
proxy_https_host_tor () {
if netstat -nle4 | grep -q 127.0.0.1:9128 >/dev/null ; then
export https_proxy=http://127.0.0.1:9128
fi
return 0
}
proxy_socks_host_tor () {
local file=/etc/tor/torrc
if [ -f $file ] ; then
port=`grep -hi ^socksport /etc/tor/torrc /etc/tor/torrc-defaults | sed -e 's/SocksPort //' -e 's/.*://'`
[ -z "$port" ] && port=9050
export socks_proxy=socks5://127.0.0.1:$port
return 0
else
[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
echo >&2 WARN: $prog $file not found
return 1
fi
if netstat -nle4 | grep -q 127.0.0.1:$port >/dev/null ; then
export socks_proxy=socks5://127.0.0.1:$port
fi
return 0
}
proxy_socks_host_selektor () {
local file=/var/lib/tor/.SelekTOR/3xx/SelekTOR.xml
if [ -f $file ] ; then
port=`grep PREF_LISTENPORT $file | sed -e 's/.*">//' -e 's/<.*//'`
[ -z "$port" ] && port=9050
export socks_proxy=socks5://127.0.0.1:$port
return 0
else
[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
echo >&2 WARN: $prog $file not found
fi
return 0
}
# proxy_export_mode
proxy_export_mode () {
ppl=/usr/local/bin/proxy_ping_lib.bash
[ -z "$MODE" ] && MODE=$( $ppl proxy_ping_mode )
[ -z "$MODE" ] && MODE=host
# $0=bash
[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
debug $prog MODE=$MODE ONE=$MODE 0=$0 "$#" "$@"
if [ "$MODE" = from -o "$MODE" = whonix ] ; then
export no_proxy="localhost,127.0.0.1,10.0.2.15"
proxy_http_host_httpproxy
proxy_to_virbr1_15
elif [ "$MODE" = client ] ; then
# inherit the environment
proxy_http_host_httpproxy
proxy_https_host_tor
proxy_socks_host_tor
elif [ "$MODE" = nat ] ; then
export no_proxy="localhost,127.0.0.1,10.0.2.2,10.0.2.0/24"
# get external
external=`grep external$ /etc/hosts|sed -e 's/ .*//'`
if [ $? -eq 0 ] && [ -n "$external" ] ; then
# get the ports and PROXY_MODE of the host
export socks_proxy=socks5://$external:9050
export http_proxy=http://$external:3128
export https_proxy=http://$external:9128
fi
elif [ "$MODE" = vda -o "$MODE" = workstation ] ; then
export no_proxy="localhost,127.0.0.1,10.152.152.10"
export socks_proxy=socks5://10.152.152.10:9050
proxy_http_host_httpproxy
export https_proxy=http://10.152.152.10:9128
elif [ "$MODE" = gateway ] ; then
export no_proxy="localhost,127.0.0.1,10.0.2.2,10.0.2.15"
export socks_proxy=socks5://10.0.2.15:9050
proxy_http_host_httpproxy
export https_proxy=http://10.0.2.15:9128
elif [ "$MODE" = selektor ] ; then
export http_proxy=http://127.0.0.1:3128
export https_proxy=http://127.0.0.1:9128
export no_proxy="localhost,127.0.0.1"
proxy_http_host_httpproxy
proxy_https_host_selektor
proxy_socks_host_selektor
elif true || [ "$MODE" = to -o "$MODE" = to_tor -o "$MODE" = tor ] ; then
export http_proxy=http://127.0.0.1:3128
export https_proxy=http://127.0.0.1:9128
export socks_proxy=http://127.0.0.1:9050
export no_proxy="localhost,127.0.0.1"
proxy_http_host_httpproxy
proxy_https_host_tor
proxy_socks_host_tor
fi
}
# echo $0 $* "$0" = 'tostop' -o
if [ "$0" = '-bash' -o "$0" = '/bin/bash' -o "$0" = 'bash' ] ; then
proxy_export_mode
[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
env | grep proxy | while read line ; do debug $line ; done
elif [ -x /usr/bin/basename ] && \
[ `basename -- "$0"` = 'proxy_export.bash' -o \
"$( basename -- "`readlink $0`" )" = 'proxy_export.bash' ] ; then
if [ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] ; then
echo USAGE: $0 && grep '^## ' $0 | sed -e 's/^## //'|sort
elif [ "$#" -eq 0 ] || [ "$#" -eq 1 -a $1 = mode ]; then
set -- proxy_export_mode
fi
eval "$@"
exit $?
fi

8
overlay/Linux/usr/local/src/proxy_firewall_start.bash Executable file
View File

@ -0,0 +1,8 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/proxy_ping_lib.bash || { echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 3; }
proxy_ping_firewall_restart $*

572
overlay/Linux/usr/local/src/proxy_fw_laptop.bash Executable file
View File

@ -0,0 +1,572 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/usr_local_tput.bash || exit 2
# https://www.hermann-uwe.de/files/fw_laptop
#------------------------------------------------------------------------------
# File: fw_laptop
# Author: Uwe Hermann <uwe@hermann-uwe.de>
# URL: http://www.hermann-uwe.de/files/fw_laptop
# License: GNU GPL (version 2, or any later version).
# $Id: fw_laptop 529 2006-06-10 15:11:40Z uh1763 $
#------------------------------------------------------------------------------
# A firewall script intended to be used on workstations / laptops. It basically
# blocks all incoming traffic and only allows minimal outgoing traffic.
# It helps to mitigate certains attacks, misconfigurations of local daemons,
# misbehaving local users or applications, and can prevent untrusted
# applications from "phoning home", among other things.
# Note: This is work in progress! Any comments and suggestions are welcome!
# Thanks for comments and suggestions:
# * Jean Christophe André <jean-christophe.andre@auf.org>
# * Ryan Giobbi <rgiobbi@gmail.com>
# * Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
#------------------------------------------------------------------------------
# Configuration.
#------------------------------------------------------------------------------
# For debugging use iptables -v.
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
MODPROBE="/sbin/modprobe"
RMMOD="/sbin/rmmod"
ARP="/usr/sbin/arp"
# Logging options.
# Note: We use --log-level debug, so that the messages are not output
# to all virtual consoles (which would be quite annoying).
# Alternative: Start klogd with -c 4 (e.g. by setting KLOGD="-c 4" in the
# /etc/init.d/klogd startup-script.
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
LOG="$LOG --log-ip-options"
# Defaults for rate limiting (to prevent DoS attacks and excessive logging).
# TODO: What is a good value for --limit and --limit-burst?
# TODO: Test rate limiting.
RLIMIT="-m limit --limit 3/s --limit-burst 8"
# Unprivileged ports.
PHIGH="1024:65535"
# Common SSH source ports.
PSSH="1000:1023"
# Load required kernel modules (if automatic module loading is disabled).
#$MODPROBE ip_conntrack_ftp
#$MODPROBE ip_conntrack_irc
#------------------------------------------------------------------------------
# Mitigate ARP spoofing/poisoning and similar attacks.
# For details see:
# * http://en.wikipedia.org/wiki/ARP_spoofing
# * http://www.grc.com/nat/arp.htm
#------------------------------------------------------------------------------
# Hardcode static ARP cache entries here (e.g. for the network gateway).
# $ARP -s IP-ADDRESS MAC-ADDRESS
#------------------------------------------------------------------------------
# Kernel configuration.
# For details see:
# * http://www.securityfocus.com/infocus/1711
# * http://www.linuxgazette.com/issue77/lechnyr.html
# * http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
# * /usr/src/linux/Documentation/filesystems/proc.txt
# * /usr/src/linux/Documentation/networking/ip-sysctl.txt
#------------------------------------------------------------------------------
# Disable IP forwarding.
# Note: We turn this on and off to reset all settings to their defaults.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/ip_forward
# Enable IP spoofing protection (i.e. source address verification).
# Note: This is special, as it seems to only be enabled if you set
# */all/rp_filter AND */eth0/rp_filter (for example) to 1! Setting only
# */all/rp_filter alone does _not_ suffice, which is pretty counter-intuitive.
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done
# Protect against SYN flood attacks (see http://cr.yp.to/syncookies.html).
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Ignore all incoming ICMP echo requests (i.e. disable ping).
# Usually not a good idea, as some protocols and users need/want this.
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Ignore ICMP echo requests to broadcast/multicast addresses. We do not
# want to participate in smurf (and similar) DoS attacks.
# For details see: http://en.wikipedia.org/wiki/Smurf_attack.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Log packets with impossible addresses.
for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i; done
# Don't log invalid responses to broadcast frames, they just clutter the logs.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Don't accept or send ICMP redirects.
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done
# Don't accept source routed packets.
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done
# Disable multicast routing. Should not be needed, usually.
# TODO: This throws an "Operation not permitted" error. Why?
# for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > $i; done
# Disable proxy_arp. Should not be needed, usually.
for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done
# Enable secure redirects, i.e. only accept ICMP redirects for gateways
# listed in the default gateway list. Helps against MITM attacks.
for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done
# Disable bootp_relay. Should not be needed, usually.
for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > $i; done
# TODO: These may mitigate ARP poisoning attacks?
# /proc/sys/net/ipv4/neigh/*/locktime
# /proc/sys/net/ipv4/neigh/*/gc_stale_time
# TODO: Check rest of /usr/src/linux/Documentation/networking/ip-sysctl.txt.
# Are there any security-relevant options I missed? Check especially:
# icmp_ratelimit, icmp_ratemask, icmp_errors_use_inbound_ifaddr, arp_*.
exit 0
#------------------------------------------------------------------------------
# Default policies.
#------------------------------------------------------------------------------
# Drop everything by default.
# Note: The default policies are set _before_ flushing the chains, to prevent
# a short timespan between flushing the chains and setting policies where
# any traffic would be allowed.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
# Set the nat/mangle/raw tables' chains to ACCEPT (we don't use them).
# Packets will simply pass through these tables unchanged.
# TODO: What happens if the modules aren't loaded?
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
# TODO: Correct? Remove this?
# $IPTABLES -t raw -P PREROUTING ACCEPT
# $IPTABLES -t raw -P OUTPUT ACCEPT
#------------------------------------------------------------------------------
# Cleanup.
#------------------------------------------------------------------------------
# Delete all rules.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
# Delete all (non-builtin) user-defined chains.
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
# Zero all packet and byte counters.
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z
#------------------------------------------------------------------------------
# Completely disable IPv6.
#------------------------------------------------------------------------------
# Block all IPv6 traffic, otherwise the firewall might be circumvented by an
# attacker who simply sends IPv6 traffic instead of IPv4 traffic.
# Note: The safest way to prevent IPv6 traffic is to not enable support for
# IPv6 in the kernel in the first place (neither built-in nor as a module).
# If the ip6tables command is available, try to block all IPv6 traffic.
if test -x $IP6TABLES; then
# Set the default policies (drop everything).
$IP6TABLES -P INPUT DROP 2>/dev/null
$IP6TABLES -P FORWARD DROP 2>/dev/null
$IP6TABLES -P OUTPUT DROP 2>/dev/null
# The mangle table can pass everything through unaltered (we don't use it).
$IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null
$IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null
$IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null
$IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null
$IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null
# Delete all rules.
$IP6TABLES -F 2>/dev/null
$IP6TABLES -t mangle -F 2>/dev/null
# Delete all (non-builtin) user-defined chains.
$IP6TABLES -X 2>/dev/null
$IP6TABLES -t mangle -X 2>/dev/null
# Zero all packet and byte counters.
$IP6TABLES -Z 2>/dev/null
$IP6TABLES -t mangle -Z 2>/dev/null
fi
#------------------------------------------------------------------------------
# Custom user-defined chains.
#------------------------------------------------------------------------------
# LOG packets, then ACCEPT them.
$IPTABLES -N ACCEPTLOG
$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT "
$IPTABLES -A ACCEPTLOG -j ACCEPT
# LOG packets, then DROP them.
$IPTABLES -N DROPLOG
$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP "
$IPTABLES -A DROPLOG -j DROP
# LOG packets, then REJECT them. TCP packets are rejected with a TCP reset.
$IPTABLES -N REJECTLOG
$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A REJECTLOG -j REJECT
# A custom chain which only allows minimal (RELATED) ICMP types
# (destination-unreachable, time-exceeded, and parameter-problem).
# TODO: Rate-limit this traffic?
# TODO: Allow fragmentation-needed?
# TODO: Test.
$IPTABLES -N RELATED_ICMP
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
$IPTABLES -A RELATED_ICMP -j DROPLOG
#------------------------------------------------------------------------------
# Only allow the minimally required/recommended parts of ICMP. Block the rest.
# For details see:
# * http://tools.ietf.org/html/792
# * http://tools.ietf.org/html/1122
# * http://www.iana.org/assignments/icmp-parameters
# * http://www.daemon.be/maarten/icmpfilter.html
#------------------------------------------------------------------------------
# Note: Be careful if you're using kernels older than 2.4.29. Some locally
# generated ICMP error types (going through OUTPUT) are erroneously tagged
# as INVALID (instead of RELATED).
# Details: http://lists.debian.org/debian-firewall/2006/05/msg00051.html.
# TODO: This section needs a lot of testing!
# First, drop all fragmented ICMP packets (almost always malicious).
$IPTABLES -A INPUT -p icmp --fragment -j DROPLOG
$IPTABLES -A OUTPUT -p icmp --fragment -j DROPLOG
$IPTABLES -A FORWARD -p icmp --fragment -j DROPLOG
# Allow all ESTABLISHED ICMP traffic.
# TODO: Tighten this some more?
$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
$IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
# Allow some parts of the RELATED ICMP traffic, block the rest.
# TODO: FORWARD?
$IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
$IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
# Allow incoming ICMP echo requests (ping), but only rate-limited.
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
# Allow outgoing ICMP echo requests (ping), but only rate-limited.
# TODO: Really do rate limiting here?
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
# Drop any other ICMP traffic.
$IPTABLES -A INPUT -p icmp -j DROPLOG
$IPTABLES -A OUTPUT -p icmp -j DROPLOG
$IPTABLES -A FORWARD -p icmp -j DROPLOG
#------------------------------------------------------------------------------
# Selectively allow certain special types of traffic.
#------------------------------------------------------------------------------
# Allow all incoming and outgoing connections on the loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# Allow incoming connections related to existing allowed connections.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections related to existing allowed connections.
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Uncomment this (and comment the above line) to allow all outgoing
# connections (except for INVALID ones).
# $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# TODO: Read Securing Debian Manual's "Disabling weak-end hosts issues".
# For details see:
# * http://www.debian.org/doc/manuals/securing-debian-howto/
# * ftp://ftp.isi.edu/in-notes/rfc1122.txt
# TODO: Split the ESTABLISHED,RELATED rules by state, protocol, type?
#------------------------------------------------------------------------------
# Miscellaneous.
#------------------------------------------------------------------------------
# Drop SMB/CIFS, and related Windows traffic without logging. We don't care.
# TODO: I think not all of these use TCP _and_ UDP. Tighten the rules!
$IPTABLES -A INPUT -p tcp -m multiport \
--dports 135,137,138,139,445,1433,1434 -j DROP
$IPTABLES -A INPUT -p udp -m multiport \
--dports 135,137,138,139,445,1433,1434 -j DROP
# Explicitly drop invalid incoming traffic (use DROPLOG if you want logging).
$IPTABLES -A INPUT -m state --state INVALID -j DROP
# Drop invalid outgoing traffic, too.
# Note: This may prevent you from performing certain scans. Also, see above
# comment about ICMP packets being erroneously marked as INVALID instead of
# RELATED in kernels older than 2.4.29. Remove this rule if needed.
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
# This is not needed, as we use policy DROP for FORWARD, and we disabled
# ip_forward anyways. However, if we would use NAT, INVALID packets would
# bypass our rules, so we block them explicitly here, just in case.
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
# Hinder portscanners a bit.
$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
# TODO: Some more anti-spoofing rules? For example:
# TODO: Test.
# $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# TODO: Block known-bad IPs (see http://www.dshield.org/top10.php).
# $IPTABLES -A INPUT -s INSERT-BAD-IP-HERE -j DROPLOG
#------------------------------------------------------------------------------
# Drop any traffic from IANA-reserved IPs.
# Note: You could easily block valid traffic, e.g. if your ISP uses private
# addresses (see RFC 1918) in their network. If in doubt, remove these rules.
# For details see:
# * ftp://ftp.iana.org/assignments/ipv4-address-space
# * http://www.cymru.com/Documents/bogon-bn-agg.txt
#------------------------------------------------------------------------------
$IPTABLES -A INPUT -s 0.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 2.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 5.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 7.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 23.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 27.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 31.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 36.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 39.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 42.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 49.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 50.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 77.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 78.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 92.0.0.0/6 -j DROP
$IPTABLES -A INPUT -s 96.0.0.0/4 -j DROP
$IPTABLES -A INPUT -s 112.0.0.0/5 -j DROP
$IPTABLES -A INPUT -s 120.0.0.0/8 -j DROP
# $IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 169.254.0.0/16 -j DROP
$IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -s 173.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 174.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 176.0.0.0/5 -j DROP
$IPTABLES -A INPUT -s 184.0.0.0/6 -j DROP
$IPTABLES -A INPUT -s 192.0.2.0/24 -j DROP
# $IPTABLES -A INPUT -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -s 197.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 198.18.0.0/15 -j DROP
$IPTABLES -A INPUT -s 223.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 224.0.0.0/3 -j DROP
#------------------------------------------------------------------------------
# Selectively allow certain outbound connections, block the rest.
# TODO: This could be tightened a bit more (limit source/dest port ranges).
#------------------------------------------------------------------------------
# Allow outgoing DNS requests. Few things will work without this.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
# Allow outgoing HTTP requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
# Allow outgoing HTTPS requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
# Allow outgoing SMTPS requests. Do NOT allow unencrypted SMTP!
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 465 -j ACCEPT
# Allow outgoing "submission" requests.
# Submission (RFC 2476) is used for sending email, and uses port 587.
# This can be encrypted or unencrypted, depending on the server (I think).
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 587 -j ACCEPT
# Allow outgoing POP3S requests. Do NOT allow unencrypted POP3!
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT
# Allow outgoing SSH requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
# Allow outgoing FTP requests. Unencrypted, use with care.
# Note: This usually needs the ip_conntrack_ftp kernel module.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
# Allow outgoing NNTP requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT
# Allow outgoing NTP requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 123 -j ACCEPT
# Allow outgoing IRC requests. Unencrypted, use with care.
# Note: This usually needs the ip_conntrack_irc kernel module.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 6667 -j ACCEPT
# Allow outgoing requests to various proxies. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8090 -j ACCEPT
# Allow outgoing DHCP requests. Unencrypted, use with care.
# TODO: This is completely untested, I have no idea whether it works!
# TODO: I think this can be tightened a bit more.
$IPTABLES -A OUTPUT -m state --state NEW -p udp \
--sport 67:68 --dport 67:68 -j ACCEPT
# Allow outgoing CVS requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 2401 -j ACCEPT
# Allow outgoing SVN requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 3690 -j ACCEPT
# Allow outgoing Tor (http://tor.eff.org) requests.
# Note: Do _not_ use unencrypted protocols over Tor (sniffing is possible)!
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9001 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9002 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9030 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9031 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9090 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9091 -j ACCEPT
# Allow outgoing Bacula (http://www.bacula.org) requests.
# Unencrypted (usually), use with care.
# Ports: Console -> DIR:9101, DIR -> SD:9103, DIR -> FD:9102, FD -> SD:9103
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9101 -j ACCEPT
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9103 -j ACCEPT
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9102:9103 -j ACCEPT
# Allow outgoing OpenVPN requests.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 1194 -j ACCEPT
# TODO: ICQ, ...
#------------------------------------------------------------------------------
# Selectively allow certain inbound connections, block the rest.
# TODO: This could be tightened a bit more (limit source/dest port ranges).
#------------------------------------------------------------------------------
# Allow incoming DNS requests.
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
# Allow incoming HTTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
# Allow incoming HTTPS requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
# Allow incoming POP3 requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT
# Allow incoming POP3S requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT
# Allow incoming SMTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
# Allow incoming SSH requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
# Allow incoming FTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
# Allow incoming NNTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT
# Allow incoming BitTorrent requests.
# TODO: Are these already handled by ACCEPTing established/related traffic?
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 6881 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 6881 -j ACCEPT
# Allow incoming nc requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 2030 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 2030 -j ACCEPT
# Allow incoming Bacula (http://www.bacula.org) requests.
# Ports: Console -> DIR:9101, DIR -> SD:9103, DIR -> FD:9102, FD -> SD:9103
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 9102 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 9101:9103 -j ACCEPT
#------------------------------------------------------------------------------
# Explicitly log and reject everything else.
#------------------------------------------------------------------------------
# Use REJECT instead of REJECTLOG if you don't need/want logging.
$IPTABLES -A INPUT -j REJECTLOG
$IPTABLES -A OUTPUT -j REJECTLOG
$IPTABLES -A FORWARD -j REJECTLOG
#------------------------------------------------------------------------------
# Testing the firewall.
#------------------------------------------------------------------------------
# You should check/test that the firewall really works, using for example
# iptables -vnL, nmap, ping, telnet, ...
#------------------------------------------------------------------------------
# Exit gracefully.
#------------------------------------------------------------------------------
exit 0

16
overlay/Linux/usr/local/src/proxy_get_if.bash Executable file
View File

@ -0,0 +1,16 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
# on stdout - messages on stderr
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
export PATH=$PATH:/usr/local/bin
PROXY_WLAN=$( /usr/local/bin/proxy_ping_lib.bash proxy_get_if )
retval=$?
echo -n $PROXY_WLAN
exit $retval

25
overlay/Linux/usr/local/src/proxy_hosts_test.bash Executable file
View File

@ -0,0 +1,25 @@
#!/bin/sh
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
# Dual Linux or msys64
prog=$( basename $0 .bash )
ROLE=proxy
PREFIX=/usr/local
[ -n "$MSYSTEM" ] && EXET=msys || EXET=sh
. /usr/local/bin/usr_local_tput.bash
[ -f $PREFIX/etc/testforge/testforge.bash ] \
&& . /usr/local/etc/testforge/testforge.bash
grep -v '#\|127.0.0.1' /etc/hosts | while read ip b ; do
[ -z "$ip" ] && continue
[ -z "$b" ] && continue
dig -x $ip | grep "$b" && \
INFO $ip $b || \
WARN $ip $b `dig -x $ip | grep 'IN.*\.'`
dig $b | grep 'IN.*\.'
dig @8.8.8.8 $b | grep 'IN.*\.'
done

245
overlay/Linux/usr/local/src/proxy_hourly.bash Executable file
View File

@ -0,0 +1,245 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
DEBUG=1
# The idea here is to run ansible_local.bash --tags daily
# and then use this to do the parsing and throwing errors based on the output.
# This was the ansible run can be free from erroring and this can be
# run repeatedly anytime outside of ansible to deal with the issues raised.
# It is also run at the end of ansible_local.bash --tags daily to raise the issues.
prog=$( basename $0 .bash )
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[ -f /usr/local/etc/testforge/testforge.bash ] && \
. /usr/local/etc/testforge/testforge.bash >/dev/null
. /usr/local/bin/proxy_export.bash
PL=/usr/local/bin/proxy_ping_lib.bash
. $PL
PL=
PLL=/usr/local/bin/proxy_libvirt_lib.bash
. $PLL
PLL=
DEBUG=1
declare -a BOX_NBD_OVERLAY_EXTERNAL
# fill this in with the ansible hosts.yml
BOX_NBD_OVERLAY_EXTERNALS=(
/o/var/local/src/play_tox/hosts.yml
/o/data/TestForge/src/ansible/hosts.yml
)
[ -z "$USER" ] && USER=$(id -un )
MYID=$( id -u )
[ $MYID -eq 0 ] || { ERROR $prog must be run as root $MYID ; exit 1 ; }
# . $PREFIX/src/var_local_src.bash
which ansifilter >/dev/null 2>&1 && ansifilter=ansifilter || ansifilter=cat
[ -d /dev/virtio-ports ] && ONE_GUEST=1 || ONE_GUEST=0
ly=hourly
errs=0
warns=0
elt=proxy
LOG_DIR=/usr/local/tmp
ELOG=$LOG_DIR/E${prog}_${ly}$$.log
WLOG=$LOG_DIR/W${prog}_${ly}$$.log
OUT=$LOG_DIR/O${prog}_${ly}$$.log
export PATH=$PATH:/usr/local/bin
[ -n "$BASE_SRC_ANSIBLE" ] || BASE_SRC_ANSIBLE=/g/TestForge/src/ansible
[ -z "$MODE" ] && MODE=$( $PL proxy_ping_mode )
[ -n "$DEBUG" ] && echo >&2 DEBUG: $prog $ly MODE=$MODE 0=$0 "$#" "$@"
[ -z "$MODE" ] && exit 2
[ ! -d $LOG_DIR/ ] && mkdir -p $LOG_DIR && chmod 1777 $LOG_DIR
find $LOG_DIR/*${prog}_${ly}*.log -ctime +2 -delete
elt=proxy_export
DBUG elt=$elt
. /usr/local/bin/$elt.bash || exit 2
DBUG http_proxy=$http_proxy
DBUG https_proxy=$https_proxy
DBUG socks_proxy=$socks_proxy
IP=`ifconfig|grep -A1 'eth\|wlan'|grep inet|sed -e 's/.*inet //' -e 's/ .*//'`
DBUG external=$IP
GW=`ip route | grep ^def | sed -e 's/.*via //' -e 's/ .*//'`
DBUG gw=$GW
grep -q "^wlan[1-9][ ]00000000" /proc/net/route && ZERO_CONNECTED=0 || ZERO_CONNECTED=1
if [ $ZERO_CONNECTED == 0 ] ; then
/usr/local/bin/proxy_ping_test.bash $MODE 2>&1| grep ERROR: | tee $ELOG
[ -s $ELOG ] || INFO /usr/local/bin/proxy_ping_test.bash $MODE
fi
elt=/etc/ssl/certs
DBUG elt=$elt
if [ -d /etc/ssl/certs/ ] ; then
find -L /etc/ssl/certs/ -type l | tee -a $ELOG
find -L /etc/ssl/certs/ -type l -delete
else
WARN /etc/ssl/certs/ missing
fi
elt=route
DBUG elt=$elt
# ubuntu / devuan oddball
route | grep -q 'lo$' || \
ip route add 127.0.0.0/8 dev lo scope host
if [ "$MODE" = whonix -o "$MODE" = tor -o "$MODE" = selektor ] ; then
NS=127.0.0.1
elif [ "$MODE" = nat -o "$MODE" = vda -o "$MODE" = ws ] ; then
NS=10.0.2.2
else
NS=
fi
if [ -n "$NS" ] ; then
elt=/etc/resolv.conf
DBUG elt=$elt
a=`grep nameserver /etc/resolv.conf | grep -v "nameserver $IP" | wc -l`
if [ $? -eq 0 -a -n "$a" -a "$a" -gt 0 ] ; then
/usr/local/bin/base_wall.bash "CRIT: $prog /etc/resolv.conf" `grep nameserver /etc/resolv.conf`
echo "nameserver $IP" > /etc/resolv.conf
fi
fi
if [ "$MODE" = whonix -o "$MODE" = tor -o "$MODE" = selektor ] ; then
# 10.24.216.64
elt=/etc/hosts
DBUG elt=$elt
if [ -n "$IP" ] ; then
grep -q " external" /etc/hosts && \
sed -e "s/.* external/$IP external/" -i /etc/hosts || \
echo "$IP external" >> /etc/hosts
for file in "${BOX_NBD_OVERLAY_EXTERNALS[@]}" ; do
[ -f $file ] || continue
grep -q "BOX_NBD_OVERLAY_EXTERNAL.*" $file && continue
sed -i -e "s/BOX_NBD_OVERLAY_EXTERNAL:.*/BOX_NBD_OVERLAY_EXTERNAL: \"$IP\"/" $file
done
fi
elt=/etc/firewall.conf
DBUG elt=$elt
[ -f /etc/firewall.conf ] || {
ERROR $prog NO FIREWALL /etc/firewall.conf | tee -a $ELOG | \
xargs /usr/local/bin/base_wall.bash
}
elt=iptables
DBUG elt=$elt
$PL proxy_iptables_save >$OUT 2>&1
if [ $? -ne 0 ] || ! grep -q DROP $OUT ; then
ERROR $prog NO FIREWALL - DROP `cat $OUT` | tee -a $ELOG
/usr/local/bin/base_wall.bash ERROR $prog NO FIREWALL - DROP
#? /usr/local/bin/proxy_firewall_restore_iptable.bash /etc/firewall.conf
fi
elif [ "$MODE" = nat -o "$MODE" = vda -o "$MODE" = ws ] && [ $ONE_GUEST -eq 1 ]; then
elt=/etc/resolv.conf
DBUG elt=$elt
if [ $? -eq 0 -a -n "$GW" ] ; then
if ! grep -q "$GW" /etc/resolv.conf ; then
/usr/local/bin/base_wall.bash "CRIT: $GW not in /etc/resolv.conf"
echo "nameserver $GW" >> /etc/resolv.conf
fi
$PL proxy_ping_firewall_check || \
/usr/local/bin/base_wall.bash $prog 'CRIT: proxy_ping_firewall_check' retval=$?
fi
fi
if [ $ONE_GUEST -eq 0 ] ; then
if [ "$MODE" = whonix ] ; then
BOX_WHONIX_PROXY_HOST=$( /usr/local/bin/testforge_get_inventory.bash BOX_WHONIX_PROXY_HOST )
if [ -n "$BOX_WHONIX_PROXY_HOST" ] && \
which virsh 2>/dev/null >/dev/null && \
virsh list | grep -q "$BOX_WHONIX_PROXY_HOST" ; then
# sh proxy_whonix_host_tor.bash whonix
/usr/local/sbin/proxy_whonix_host.bash proxy_whonix_host_add_block >>$OUT 2>>$ELOG
fi
$PLL proxy_libvirt_test >$OUT 2>&1
retval=$?
[ $retval -gt 1 ] && \
ERROR $prog proxy_libvirt_test retval=$retval | tee -a $ELOG
fi
wlan7=`ifconfig|grep ^wlan|tail -1| sed -e 's/:.*//'`
if [ -n "$wlan7" ] ; then
grep -q $wlan7 /etc/firewall.conf || {
ERROR $prog NO $wlan7 in /etc/firewall.conf | tee -a $ELOG | \
xargs /usr/local/bin/base_wall.bash
/usr/local/bin/firewall.bash
}
fi
[ -f /var/log/privoxy/logfile ] && \
grep -i fatal /var/log/privoxy/logfile | tee -a $ELOG && \
ERROR Fatal in /var/log/privoxy/logfile |tee -a $ELOG
if grep -q "^wlan[1-9][ ]00000000" /proc/net/route ; then
$PL proxy_ping_gw_check || {
ERROR proxy_ping_gw_check | tee -a $ELOG
}
$PL proxy_ping_dnsmasq_check && \
ERROR proxy_ping_dnsmasq_check || {
ERROR proxy_ping_dnsmasq_check | tee -a $ELOG
}
$PL proxy_ping_firewall_check && \
INFO proxy_ping_firewall_check || {
ERROR proxy_ping_firewall_check | tee -a $ELOG
}
$PL proxy_test_dirmngr $OUT && \
INFO proxy_test_dirmngr $retval | tee -a $ELOG || {
retval=$?
ERROR proxy_test_dirmngr $retval | tee -a $ELOG
}
if dmesg | grep --text -A 1 'martian' ; then
dmesg | grep --text -A 1 'martian' | \
xargs echo WARN: martians | tee -a $ELOG
dmesg | grep --text -A 1 'martian' | \
sed -e 's/DST=.*//' -e 's/.*martian_//' -e 's/ OUT=.*SRC=/ /' | tee -a $ELOG
else
INFO proxy_test_dirmngr no martians
fi
PROXY_WLAN=$( $PL proxy_get_if )
[ -n "$PROXY_WLAN" -a -f /etc/wicd/wireless-settings.conf ] && \
ps ax | grep -q wpa_supplicant && \
grep -A 1 bad$ /etc/wicd/wireless-settings.conf | \
grep bssid | sed -e 's/.*= //' | \
while read elt ; do \
wpa_cli -i "$PROXY_WLAN" blacklist $elt
done
fi
fi
# [ -s $OUT ] && grep WARN: $OUT | tee -a $ELOG
if [ -s $ELOG ] ; then
errs=$( wc -l $ELOG | cut -f 1 -d ' ' )
if [ $? -eq 0 -a $errs -ne 0 ] ; then
ERROR $prog $errs $ly $prog errors in $ELOG
cat $ELOG
exit $errs
fi
fi
[ -f $WLOG ] && warns=`wc -l $WLOG | cut -f 1 -d ' '`
[ $? -eq 0 -a $warns -ne 0 ] && \
WARN "$warns $ly $prog warnings in $WLOG"
[ $errs -eq 0 ] && \
[ $warns -eq 0 ] && \
INFO "$prog No $ly errors in $HARDEN_LOG_DIR"
exit 0

35
overlay/Linux/usr/local/src/proxy_jnettop.bash Executable file
View File

@ -0,0 +1,35 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
ROLE=proxy
grep -q "^wlan[1-9][ ]00000000" /proc/net/route || exit 0
[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash \
|| { echo >&2 ERROR: $prog "$PREFIX/etc/testforge/testforge.bash" ; exit 1 ; }
error () { retval=$1 ; shift; echo "ERROR: $prog" $* ; exit $retval ; }
warn () { WARN "$prog " $* ; }
info () { echo "INFO: $prog " $* ; }
usage () { echo "USAGE: $prog chroot-dir [command args] -" $* ; exit 1 ; }
# must be run as root
[ "$( id -u )" -ne "0" ] && error 1 "must be run as root"
PROXY_WLAN=$( /usr/local/bin/proxy_get_if.bash )
[ $? -eq 0 ] || error 2 " error getting device $?"
PROXY_WLAN_IP=$( proxy_ping_lib.bash proxy_get_wlan_ip )
LARGS="-i $PROXY_WLAN"
CONF=/usr/local/etc/jnettop.conf
if [ -f $CONF ] ; then
LARGS="$LARGS --config-file $CONF"
# sed -e 's/^#* *interface.*/interface "'$PROXY_WLAN'"/' -i $CONF
[ -n "$PROXY_WLAN_IP" ] && sed -e 's/"me"\t.*/"me" "net '$PROXY_WLAN_IP'"/' -i $CONF && grep -q $PROXY_WLAN_IP $CONF
fi
exec jnettop $LARGS $* # 2>/dev/null

35
overlay/Linux/usr/local/src/proxy_libvirt_forward.bash Normal file
View File

@ -0,0 +1,35 @@
#!/bin/sh
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
# https://unix.stackexchange.com/questions/293304/using-netcat-for-port-forwarding
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/usr_local_tput.bash || exit 2
if [ ! -d /run/tmp ] ; then
sudo mkdir /run/tmp
sudo chown 1777 /run/tmp
fi
[ -z "$MODE" ] && MODE=$(/usr/local/bin/proxy_ping_lib.bash proxy_ping_mode )
IP=`grep ' external$' /etc/hosts|sed -e 's/ .*//'`
retval=$?
if [ $retval -ne 0 ] || [ -z "$IP" ] ; then
exit $retval
fi
if [ "$MODE" = tor -o "$MODE" = gateway -o "$MODE" = selektor ] ; then
socat -L/run/socat.lck udp-l:53,bind=$IP,fork,reuseaddr udp:127.0.0.1:9053 >/dev/null || \
WARN 53,bind=$IP in use
for elt in 9050 9128 ; do
netstat -nle4 | grep -q $IP:$elt && {
ERROR $IP:$elt already bound
continue # exit 1
}
DBUG socat -L/run/tmp/socat$elt.lck tcp-l:$elt,bind=${IP},fork,reuseaddr tcp:127.0.0.1:$elt
socat -L/run/tmp/socat$elt.lck tcp-l:$elt,bind=${IP},fork,reuseaddr tcp:127.0.0.1:$elt &
done
#else
# WARN $MODE
#fi

62
overlay/Linux/usr/local/src/proxy_libvirt_ga_test.bash Executable file
View File

@ -0,0 +1,62 @@
#!/bin/bash
ROLE=proxy
#[ $# -eq 0 ] && set -- Whonix-Gateway /bin/cat /proc/cmdline
[ $# -lt 2 ] && echo USAGE: $0 domain command arguments
HOST=$1
shift
CMD=$1
shift
# FixMe
if [ $? -gt 1 ] ; then
ARGS=""
elif [ $? -gt 1 ] ; then
ARGS=`sed -e 's/ /","/g' <<< $@`
else
ARGS="$1"
fi
[ "$HOST" = WWork106 ] && HOST=Whonix-Workstation || true
[ "$HOST" = WGate106 ] && HOST=Whonix-Gateway || true
echo INFO: $0 $HOST $CMD $ARGS
false && echo DEBUG: virsh qemu-agent-command $HOST \
'{"execute":"guest-exec", "arguments": {"capture-output": true,"path":"'$CMD'","arg":["'$ARGS'"]}}'
virsh qemu-agent-command $HOST \
'{"execute":"guest-exec", "arguments": {"capture-output": true,"path":"'$CMD'","arg":["'$ARGS'"]}}' \
>/tmp/Q$$.out || exit 1$?
grep -q return /tmp/Q$$.out || exit 2
pid=`sed -e 's/.*://' -e 's/}.*//' /tmp/Q$$.out`
[ $? -eq 0 ] || exit 3
# echo DEBUG: virsh qemu-agent-command $HOST \
# '{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}'
virsh qemu-agent-command $HOST \
'{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}' \
>/tmp/R$$.out || exit 4$?
TRIES=10
i=0
while [ $i -lt $TRIES ] ; do
i=`expr $i + 1`
virsh qemu-agent-command $HOST \
'{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}' \
>/tmp/R$$.out || exit 4$i$?
grep -q '"exitcode":0' /tmp/R$$.out && break
sleep 5
echo DEBUG: $i
done
[ $i -lt $TRIES ] || \
{ echo ERROR: $i no exitcode in /tmp/R$$.out; exit 5 ; }
b64=`sed -e 's/{"return":{"exitcode":0,"out-data":"//' -e 's/",".*//' /tmp/R$$.out`
[ $? -eq 0 ] || exit 6
[ -n "$b64" ] || exit 7
echo $b64 | base64 -d -
rm -f /tmp/{Q,R}$$.out
exit 0

44
overlay/Linux/usr/local/src/proxy_libvirt_hook_network.bash Executable file
View File

@ -0,0 +1,44 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
# Aruments ignored: dom plugged begin
# so must be idempotemt - as its called by things it calls?
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
[ -z "$TERM" ] || . /usr/local/bin/usr_local_tput.bash || exit 2
[ -z "$USER" ] && USER=$(id -un )
[ -n "$USER" -a "$USER" = root ] && \
for file in /usr/local/etc/modules-load.d/vda*.conf ; do
base=$( basename $file )
[ -e /etc/modules-load.d/$base ] && continue
cp -p $file /etc/modules-load.d/$base
done
/etc/init.d/virtlogd status || /etc/init.d/virtlogd start
/etc/init.d/libvirtd status
retval=$?
[ $retval -eq 32 ] && WARN libvirtd crashed - zapping && /etc/init.d/libvirtd zap
[ $retval -eq 0 ] || /etc/init.d/libvirtd start
grep "`date +%Y-%m-%d`.* error :" /var/log/libvirt/libvirtd.log
. /usr/local/bin/proxy_ping_lib.bash
proxy_ping_firewall_restart
retval=$?
if [ $retval -eq 0 ] ; then
[ "$DEBUG" = 1 ] && logger INFO: $prog proxy_ping_firewall_restart $*
else
logger ERROR: $prog proxy_ping_firewall_restart retval=$retval $*
exit $retval
fi
[ -n "$HTTPPROXY" ] || HTTPPROXY=privoxy
/etc/init.d/$HTTPPROXY status || /etc/init.d/$HTTPPROXY start
/etc/init.d/dnsmasq status || /etc/init.d/dnsmasq start
# clean
exit 0

11
overlay/Linux/usr/local/src/proxy_libvirt_hook_qemu.bash Executable file
View File

@ -0,0 +1,11 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
logger INFO: $0 $PWD $*
exit 0

285
overlay/Linux/usr/local/src/proxy_libvirt_lib.bash Executable file
View File

@ -0,0 +1,285 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
base=proxy_libvirt_lib
# shellcheck disable=SC2154
[ -z "$USER" ] && USER=$(id -un )
# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
. /usr/local/bin/usr_local_tput.bash || exit 2
. /usr/local/bin/proxy_ping_lib.bash || exit 2
## proxy_libvirt_test_dnsmasq
proxy_libvirt_test_dnsmasq () { DBUG proxy_libvirt_test_dnsmasq $* ;
proxy_rc_service libvirtd status </dev/null >/dev/null || {
DBUG $prog libvirtd not running ; return 0
}
if ls /var/lib/libvirt/dnsmasq/*conf >/dev/null 2>/dev/null ; then
dbug $prog checking libvirtd dnsmasq conf
PROXY_WLAN=$( proxy_get_if )
retval=$?
[ $retval -eq 0 -a -n "$PROXY_WLAN" ] || {
ERROR proxy_get_if empty wlan7 retval=$retval
return 2$retval
}
for elt in bind-interfaces except-interface=$PROXY_WLAN no-dhcp-interface=$PROXY_WLAN ; do
for file in /var/lib/libvirt/dnsmasq/*conf ; do
if ! grep -q $elt $file ; then
[ -f $file.$$ ] || cp -p $file $file.$$
echo $elt >> $file
fi
done
done
if ls /var/lib/libvirt/dnsmasq/*conf.$$ >/dev/null 2>/dev/null ; then
dbug $prog restarting libvirtd dnsmasq conf
# FixMe: use virsh net-update net-edit
# ps ax | grep dnsmasq|grep -v grep|while read pid rest ; do kill -HUP $pid; done
for file in /var/lib/libvirt/dnsmasq/*conf.$$ ; do
pid=$( grep ^pid-file= $file|sed -e 's/.*=//' )
[ $? -ne 0 -o -z "$pid" ] && WARN $prog not pid-file in $file && continue
[ -f $pid ] || dbug $prog no pid-file in $file && continue
pid=$( cat $pid )
dbug $prog HUPing libvirtd dnsmasq $pid
kill -HUP $pid || WARN $prog error killing $file $pid && continue
done
fi
fi
return 0
}
## proxy_libvirt_clean_virbr1_rules
proxy_libvirt_clean_virbr1_rules () {
local line
proxy_iptables_save | \
grep -e '-A LIBVIRT_[OUTINP]* -i virbr[12] .* --dport [56][378] -j ACCEPT' | \
sed -e 's/-A/-D/' | while read line ; do
proxy_iptables $line
done
return 0
}
## proxy_libvirt_no_autostart
proxy_libvirt_no_autostart () { DBUG proxy_libvirt_no_autostart $* ;
proxy_libvirt_hung || return 1
proxy_virsh net-list --autostart | while read n s a p ; do
[ "$a" = yes ] || continue
virsh net-autostart $n --disable || { ERROR $prog net-autostart $n --disable ; return 1 ; }
dbug $prog net-autostart $n --disable
[ "$s" = active ] || continue
virsh net-destroy $n || { dbug $prog net-destroy $n ; return 2 ; }
dbug $prog net-destroy $n
done
return 0
}
## proxy_libvirt_status tests and checks logs - noisy
proxy_libvirt_status () { proxy_libvirt_status_host $* ; return $? ; }
proxy_libvirt_status_host () { DBUG proxy_libvirt_status $* ;
/etc/init.d/virtlogd status >/dev/null || /etc/init.d/virtlogd start || return 1$?
/etc/init.d/libvirtd status >/dev/null || /etc/init.d/libvirtd start || return 2$?
if ! proxy_rc_service libvirtd status >/dev/null ; then
DBUG proxy_libvirt_status proxy_rc_service libvirtd start
proxy_rc_service libvirtd start || return 3$?
fi
if ! proxy_rc_service libvirtd status >/dev/null ; then
ERROR proxy_libvirt_status proxy_rc_service libvirtd not started
return 4
fi
if [ ! -e /run/libvirt/libvirt-sock ] ; then
WARN proxy_libvirt_status no /run/libvirt/libvirt-sock
fi
if [ ! -e /run/libvirt/virtlogd-sock ] ; then
WARN proxy_libvirt_status no /run/libvirt/virtlogd-sock
fi
# virtlockd-sock
# shellcheck disable=SC2154
[ -z "$GATEW_DOM" ] && GATEW_DOM="$( proxy_testforge_get_gateway_dom )"
if [ -n "$GATEW_DOM" ] ; then
proxy_libvirt_list | grep -q $GATEW_DOM
[ $? -ne 0 ] && DBUG proxy_libvirt_status $GATEW_DOM not in virsh list
#? && return 3
else
WARN proxy_libvirt_status null GATEW_DOM
fi
return 0
}
## proxy_libvirt_restart
proxy_libvirt_restart () { DBUG proxy_libvirt_restart $* ;
# tests restarts
proxy_libvirt_start || return 3$?
proxy_libvirt_test || return 4$?
[ -x /etc/libvirt/hooks/network ] || return 7$?
/etc/libvirt/hooks/network || return 8$?
proxy_ping_firewall_restart
# /etc/modules-load.d/firewall.conf
return 0
}
## proxy_libvirt_start_guest
proxy_libvirt_start_guest () {
local dire=$1
[ ! -f /etc/init.d/qemu-guest-agent ] && return 0
proxy_rc_service qemu-guest-agent status >/dev/null \
|| proxy_rc_service qemu-guest-agent start || return 2$?
return $?
}
# proxy_libvirt_test_host
proxy_libvirt_test_host () {
local dire=$1
[ -z "$dire" ] && MODE="$( proxy_whonix_mode )" && dire=$MODE
[ -n "$MODE" ] || MODE=host
if [ $MODE = tor ] ; then
proxy_rc_service tor status >/dev/null || \
{ echo ERROR: $prog tor is not running ; return 2 ; }
# different for selector
fi
$PREFIX/bin/proxy_ping_test.bash to_tor || return 6$?
return $?
}
# proxy_libvirt_test_guest
proxy_libvirt_test_guest () {
[ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] || \
echo WARN: /dev/virtio-ports/org.qemu.guest_agent.0 not created
proxy_rc_service qemu-guest-agent status
return $?
}
## proxy_libvirt_status tests and checks logs - noisy
proxy_libvirt_test () { DBUG proxy_libvirt_test $* ;
[ -e /dev/virtio-ports ] && proxy_libvirt_test_guest || \
proxy_libvirt_test_host
return $?
}
## proxy_libvirt_status tests and checks logs - noisy
proxy_libvirt_test_host () { DBUG proxy_libvirt_test_host $* ;
proxy_libvirt_status || return 1$?
[ -f /var/log/libvirt/libvirtd.log ] && \
INFO proxy_libvirt_test /var/log/libvirt/libvirtd.log && \
tail /var/log/libvirt/libvirtd.log
# shellcheck disable=SC2154
[ -z "$GATEW_DOM" ] && GATEW_DOM="$( proxy_testforge_get_gateway_dom )"
if [ -n "$GATEW_DOM" ] ; then
if [ -f /var/log/libvirt/qemu/$GATEW_DOM.log ] ; then
INFO proxy_libvirt_test /var/log/libvirt/qemu/$GATEW_DOM.log
tail /var/log/libvirt/qemu/$GATEW_DOM.log
else
WARN proxy_libvirt_test missing /var/log/libvirt/qemu/$GATEW_DOM.log
fi
else
WARN proxy_libvirt_test null GATEW_DOM
fi
proxy_libvirt_test_dnsmasq || return 6$?
return 0
}
## proxy_libvirt_start
proxy_libvirt_start () { DBUG proxy_libvirt_start $* ;
proxy_ping_firewall_modules
proxy_libvirt_hung || return 2
proxy_rc_service libvirtd status >/dev/null 2>/dev/null || \
proxy_rc_service libvirtd start || return 3$?
return 0
}
## proxy_libvirt_hung
proxy_libvirt_hung () { DBUG proxy_libvirt_hung $* ;
# 1 means hung
[ -f /etc/init.d/libvirtd ] || return 0
if [ ! -e /run/libvirt/libvirt-sock ] || ! proxy_rc_service libvirtd status >/dev/null ; then
INFO proxy_libvirt_hung proxy_rc_service libvirtd start
proxy_rc_service libvirtd start || return 1
sleep $DELAY
fi
/etc/init.d/libvirtd status 2>/dev/null >/dev/null || return 1
a=$( /etc/init.d/libvirtd status |grep '├─' |grep -c -v '/usr/s.*bin' )
# hung processes will hang proxy_virsh list
[ $? -eq 0 -a $a -gt 1 ] && {
WARN proxy_libvirt_hung - too many subprocesses $a
return 1
}
# ├─ 820 /usr/sbin/libvirtd
# ├─ 2221 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/Whonix-External.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
# ├─28153 /bin/sh /etc/libvirt/hooks/network Whonix-External plugged begin -
# ├─28154 bash /usr/local/bin/proxy_libvirt_hook_network.bash Whonix-External plugged begin -
return 0
}
## proxy_libvirt_list
proxy_libvirt_list () { DBUG proxy_libvirt_list $* ;
local a
proxy_libvirt_hung || return 10
proxy_virsh list
return $?
}
## proxy_libvirt_clean_iptables
proxy_libvirt_clean_iptables () {
local i int dir dcp prot port
for dir in i ; do
for int in virbr2 virbr1; do
dcp=67
[ $dir = i ] || dcp=68
for port in 53 $dcp ; do
[ $dir = i ] && table=INP || table=OUT
for prot in udp tcp; do
proxy_iptables_save | grep -q -e "-A LIBVIRT_$table -i $int -p $prot -m $prot --dport $port -j ACCEPT" || continue
iptables -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT || \
echo WARN: $? -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT
done
done
done
done
for dir in o ; do
for int in virbr2 virbr1; do
dcp=68
[ $dir = o ] || dcp=67
for port in 53 68 ; do
table=OUT
[ $dir = i ] && table=INP
for prot in udp tcp; do
proxy_iptables_save | grep -q -e "-A LIBVIRT_$table -i $int -p $prot -m $prot --dport $port -j ACCEPT" || continue
iptables -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT || \
echo WARN: $? -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT
done
done
done
done
return 0
}
# DBUG 0=$0
base=proxy_libvirt_lib
if [ -x /usr/bin/basename ] && \
[ $( basename -- "$0" .bash ) = $base \
-o $( basename -- "$0" .sh ) = $base ] ; then
[ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && \
echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//' && exit 0
"$@"
exit $?
fi

51
overlay/Linux/usr/local/src/proxy_nm_wireless_clean.bash Executable file
View File

@ -0,0 +1,51 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
ROLE=proxy
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash
PREFIX=/usr/local
[ $( id -u ) -eq 0 ] || { ERROR "this must be run as root" ; exit 1 ; }
LOG=/tmp/I$$.log
JSON=/tmp/I$$.json
. /usr/local/bin/proxy_ping_lib.bash || \
{ echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 3; }
. /usr/local/bin/usr_local_base.bash || exit 2
PROXY_WLAN=$(route |grep ^def |sed -e 's/.* //') || { echo ERROR: " no route $?" ; exit 4 ; }
if [ -z "$PROXY_WLAN" ] ; then
PROXY_WLAN=$( proxy_get_if )
[ $? -eq 0 ] || { echo ERROR: " error getting device $?" ; exit 5 ; }
fi
[ -d /etc/NetworkManager/system-connections ] || exit 0
cd /etc/NetworkManager/system-connections/ || exit 6
pgrep NetworkManager >/dev/null || \
/etc/init.d/network-manager start # || exit 7
iwlist $PROXY_WLAN scan > $LOG 2>&1 || { echo ERROR: failed iwlist scan ; exit 2 ; }
which yq 2>/dev/null >/dev/null && \
for file in *.nmconnection; do
elt=$( basename "$file" .nmconnection )
grep -q "$elt" "$LOG" || continue
L=$( cat $LOG | grep -B 5 "$elt" | sed -e 's@/.*@@' -e 's@[=:]@: @' -e 's/.*Addre/- Addre/' -e '/^--\|Frequency:\|Encryption/d' -e 's/^ */ /' | yq 'sort_by(.Quality)|reverse|map(del(.Channel))|.[0:4]'|grep Address|sed -e 's/,/;/' -e 's/ *.Address.: //'|xargs echo|sed -e 's/ //g' )
[ -z "$L" ] && continue
sed -e "s@^seen-bssids=.*@seen-bssids=$L@" -i "$file"
grep -q lldp=0 "$file" || echo WARN: nmcli con modify $elt connection.lldp 0
grep -q llmnr=0 "$file" || echo WARN: nmcli con modify $elt connection.llmnr 0
grep -q mdns=0 "$file" || echo WARN: nmcli con modify $elt connection.mdns 0
INFO $prog $PWD/$file
done
rm -f /tmp/I$$.log
[ "$#" -eq 0 ] && exit 0
[ $1 = connect ] && nmtui-connect
[ $1 = edit ] && nmtui-edit

55
overlay/Linux/usr/local/src/proxy_pacman_gpg_test.bash Executable file
View File

@ -0,0 +1,55 @@
#!/bin/sh
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
# Dual Linux or msys64
prog=$( basename $0 .bash )
ROLE=proxy
PREFIX=/usr/local
[ -n "$MSYSTEM" ] && EXET=msys || EXET=sh
[ -f $PREFIX/etc/testforge/testforge.bash ] \
&& . /usr/local/etc/testforge/testforge.bash
. /usr/local/bin/usr_local_tput.bash || exit 2
PROXIES=""
if [ -d /etc/pacman.d/gnupg ] ; then
ROLE=msys64
HOMEDIR=/etc/pacman.d/gnupg
# proxy or striaght through
PROXIES="10.152.152.12"
elif [ -d /q/Pg64/Msys64/etc/pacman.d/gnupg ] ; then
ROLE=q
HOMEDIR=/q/Pg64/Msys64/etc/pacman.d/gnupg
ppl=/usr/local/bin/proxy_ping_lib.bash
# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
[ "$USER" != root ] && export PATH=/sbin:$PATH
[ -z "$MODE" ] && MODE=$( $ppl proxy_ping_mode )
if [ "$MODE" = tor ] ; then
PROXIES="127.0.0.1:3128"
elif [ "$MODE" = whonix ] ; then
PROXIES="10.0.2.15:9128"
elif [ "$MODE" = gateway ] ; then
PROXIES="10.0.2.15:9128"
elif ps ax | grep -q polipo ; then
PROXIES="127.0.0.1:3128"
else
echo ERROR: unknown proxy
exit 2
fi
fi
GPG="gpg --verbose --home $HOMEDIR"
a=`ls $HOMEDIR/private-keys-v1.d/|wc -l`
if [ $? -ne 0 -o "$a" -eq 0 ] ; then
ERROR you need a private kepair with $GPG --quick-gen-key
exit 3
fi
# shellcheck disable=SC2154
$GPG --list-keys | grep -B 1 unknown && \
WARN un-signed keys in pacman && \
DBUG "$GPG --list-keys 2>/dev/null |grep -B1 unknown|grep '^ ' |while read elt;do \$GPG --edit-key $elt ;done"

1416
overlay/Linux/usr/local/src/proxy_ping_lib.bash Executable file
View File

File diff suppressed because it is too large Load Diff

1140
overlay/Linux/usr/local/src/proxy_ping_test.bash Executable file
View File

File diff suppressed because it is too large Load Diff

10
overlay/Linux/usr/local/src/proxy_sdwdate.bash Executable file
View File

@ -0,0 +1,10 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
sh $PREFIX/bin/proxy_ping_test.bash wifi || exit 1
sh $PREFIX/bin/proxy_ping_test.bash tor || exit 2
exec $PREFIX/bin/python3.7.sh $PREFIX/bin/sdwdate_.py "$@"

69
overlay/Linux/usr/local/src/proxy_ssl_certs.bash Executable file
View File

@ -0,0 +1,69 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
# https://medium.com/@appmattus/android-security-ssl-pinning-1db8acb6621e
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/proxy_ping_lib.bash || \
{ ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; }
. /usr/local/bin/usr_local_base.bash || exit 2
proxy_ping_mode
#? . /usr/local/bin/proxy_export.bash $MODE
. /usr/local/bin/usr_local_base.bash || exit 2
CERT=$( proxy_ping_update_cacert )
[ "$?" -ne 0 -o -n "$CERT" ] && CAFILE=$CERT || \
CAFILE=/usr/local/etc/ssl/cacert-testforge.pem
openssl=openssl
OPENSSL_ARGS="-4 --CAfile $CAFILE -bugs -showcerts"
if [ -n "$https_proxy" ] ; then
HTTPS_HOST=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/https* //' -e 's/ .*//' )
HTTPS_PORT=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
OPENSSL_ARGS="$OPENSSL_ARGS -proxy ${HTTPS_HOST}:$HTTPS_PORT"
elif [ -n "$socks_proxy" ] ; then
SOCKS_HOST=$( echo $socks_proxy|sed -e 's/.*@//' -e 's@/@@g' -e 's/:/ /g' -e 's/socks5* //' -e 's/ .*//' )
SOCKS_PORT=$( echo $socks_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
# check /etc/tor/torsocks.conf
openssl='torsocks openssl'
fi
OUTR=/tmp/$prog$$
for item in "$@" ; do
i=0
OUTRF=$OUTR.$item
INFO openssl s_client -connect ${item}:443 -servername $item $OPENSSL_ARGS
$openssl s_client -connect ${item}:443 -servername $item $OPENSSL_ARGS \
</dev/null 2>$OUTRF.err >$OUTRF.out
[ $? -eq 0 ] || {
retval=$?
ERROR $prog $retval see $OUTRF.err
cat $OUTRF.err
exit 1$retval
}
[ -s $OUTRF.out ] || { ERROR $prog empty $OUTRF.out ; exit 2 ; }
sed -n '/Certificate chain/,/Server certificate/p' $OUTRF.out >$OUTRF.chain
DBUG $prog Certificate chain:
grep '^ [0-9][0-9]* ' $OUTRF.chain
INFO $prog Base64 Certificate sha256 digests:
rest=$( cat $OUTRF.chain )
while [[ "$rest" =~ '-----BEGIN CERTIFICATE-----' ]] ; do
cert="${rest%%-----END CERTIFICATE-----*}-----END CERTIFICATE-----"
rest=${rest#*-----END CERTIFICATE-----}
echo $( echo "$cert" | grep 's:' | sed 's/.*s:\(.*\)/\1/' ) echo "$cert" |
openssl x509 -pubkey -noout |
openssl rsa -pubin -outform der 2>/dev/null |
openssl dgst -sha256 -binary | openssl enc -base64
done
# rm -f $OUTRF.chain $OUTRF.out $OUTRF.err
done
exit 0

351
overlay/Linux/usr/local/src/proxy_test_ssl.bash Executable file
View File

@ -0,0 +1,351 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
. /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
ROLE=proxy
NOW=$( date -u +%y-%m-%d_%H%m )
DEBUG=1
PROXY_WLAN=wlan4
prog=$( basename $0 .bash )
# SocksPolicy Accept in /etc/tor/torrc - required and works with sslscan
ip route | grep ^default || { ERROR "not connected" ; exit 1 ; }
PATH=$PATH:/sbin
BADSSL_SITES=(
self-signed.badssl.com
expired.badssl.com
mixed.badssl.com
rc4.badssl.com
hsts.badssl.com
)
badssl=0
[ "$#" -eq 0 ] && badssl=1
# tests="$MODE"
tests=""
nodig=1
verbosity=2
outdir=/tmp
timeout=20
#[ -f /usr/local/etc/testforge/testforge.bash ] && \
# . /usr/local/etc/testforge/testforge.bash
. /usr/local/bin/proxy_ping_lib.bash || \
{ ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; }
if [ -f /usr/local/etc/ssl/cacert-testforge.pem ] ; then
CAFILE=/usr/local/etc/ssl/cacert-testforge.pem
else
CERT=$( proxy_ping_update_cacert )
[ "$?" -ne 0 -o -n "$CERT" ] && CAFILE=$CERT || \
CAFILE=/usr/local/etc/ssl/cacert-testforge.pem
fi
[ -z "$MODE" ] || MODE=`proxy_ping_mode`
if [ "$MODE" = tor ] ; then
[ -z "PROXY_WLAN" ] && PROXY_WLAN=`proxy_get_if`
[ -z "PROXY_WLAN" ] && { ERROR " error getting device $?" ; exit 3 ; }
if ip route | grep ^def ; then
PROXY_WLAN_IP=$( proxy_get_wlan_ip )
[ -n "$PROXY_WLAN_IP" ] || { ERROR "no PROXY_WLAN_IP" ; exit 4 ; }
fi
fi
usage() {
echo "Usage: $0 [OPTIONS] dirs-or-files"
echo
echo " -B | --badssl - test badssl.org sites"
echo " -D | --nodig - no dig sites"
echo " -T | --tests - ping tests to run first"
echo " -o | --outdir=/tmp - output directory"
echo " -v | --verbosity=$verbosity - verbosity 0 least 5 most"
echo
echo " -V | --version - print version of this script"
echo " -h | --help - print this help"
}
SHORTOPTS="hVBDT:v:"
LONGOPTS="help,version:,badssl,nodig,tests:,verbosity:"
HOSTS=
ARGS=$(getopt --options $SHORTOPTS --longoptions $LONGOPTS -- "$@")
[ $? != 0 ] && { ERROR "error parsing getopt" ; exit 5 ; }
eval set -- "$ARGS"
while true; do
case "$1" in
# -t --tests
-o|--outdir)
shift
outdir="$1"
;;
-v|--verbosity)
shift
verbosity="$1"
;;
-B|--badssl)
badssl=1
;;
-D|--nodig)
nodig=1
;;
-T|--tests)
shift
tests="$1"
;;
-V|--version)
usage
exit 0
;;
-h|--help)
usage
exit 0
;;
'--')
shift
HOSTS="$*"
break
;;
*)
{ ERROR "unrecognized arguments $*" ; exit 6 ; }
break
;;
esac
shift
done
[ $badssl -ne 0 ] && HOSTS="${BADSSL_SITES[*]}"
[ -z "$HOSTS" ] && { ERROR "no arguments $*" ; exit 0 ; }
[ -d "$outdir" ] || mkdir -p "$outdir" || { ERROR "mkdir $outdir" ; exit 7 ; }
kill_time=$( expr $timeout + 10 )
[ -z "$tests" ] || \
for elt in $tests ; do
/usr/local/bin/proxy_ping_test.bash $elt || exit 9$?
done
if which sslscan 2>/dev/null ; then
sslscan='sslscan'
SSLSCAN_ARGS="-4 --show-client-cas --show-certificate --bugs --timeout $timeout --tlsall --show-ciphers --no-colour --verbose"
else
# no proxy support
sslscan=''
fi
# sslscan --show-client-cas - no proxy
openssl=openssl
OPENSSL_ARGS="-4 -bugs -showcerts"
if [ -e /dev/tcp ] && which testssl.bash 2>/dev/null ; then
testssl='testssl.bash'
TESTSSL_ARGS="--connect-timeout $timeout --openssl-timeout $timeout --standard --vulnerable"
#? --ssl-native
TESTSSL_ARGS="$TESTSSL_ARGS --add-ca $CAFILE --assume-http --hints --color=0 --append"
else
# no proxy support
testssl=''
fi
if [ -f /usr/local/bin/scurl.bash ] ; then
curl="/usr/local/bin/scurl.bash -- -s -S"
else
curl='curl -s -S'
fi
CURL_ARGS="-vvv --cacert $CAFILE --cert-status --connect-timeout $timeout"
if [ -f $PREFIX/bin/analyze-ssl.pl.bash ] ; then
analyze=$PREFIX/bin/analyze-ssl.pl.bash
ANALYZE_ARGS="-v --timeout $timeout --CApath $CAFILE --all-ciphers"
else
analyze=""
fi
warns=0
OUTR=$outdir/$prog-$NOW
if [ $nodig -eq 0 ] ; then
for item in $HOSTS ; do
i=0
OUTRF=$OUTR.$item
if [ $MODE = tor ] ; then
torresolve $item > $OUTRF.dig.out 2>&1
retval=$?
[ $retval -ne 0 ] && ERROR "torresolve $item $? - see $OUTRF.dig.out" && exit 1$?
elif false ; then
nslookup $item > $OUTRF.nslookup.out 2>&1
#?[ $? -eq 0 ] || WARN "nslookup $item $? - see $OUTRF.nslookup.out"
#?grep NXDOMAIN "$OUTRF.nslookup.out" && WARN "nslookup $item NXDOMAIN - see $OUTRF.nslookup.out"
else
dig $item > $OUTRF.dig.out 2>&1
[ $? -ne 0 ] && ERROR "dig $item $? - see $OUTRF.dig.out" && exit 1$?
grep 'ANSWER: 1' "$OUTRF.dig.out" || ERROR "dig $item no ANSWER - see $OUTRF.dig.out" && exit 2$?
fi
done
fi
# [ -r /etc/tor/torrc ]
# was https take precedence over socks
if [ -n "$socks_proxy" ] ; then
SOCKS_HOST=$( echo $socks_proxy|sed -e 's/.*@//' -e 's@/@@g' -e 's/:/ /g' -e 's/socks5* //' -e 's/ .*//' )
SOCKS_PORT=$( echo $socks_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
openssl='torsocks openssl'
# --interface lo --dns-interface lo
[ -n "$analyze" ] && analyze="torsocks $analyze"
[ -n "$testssl" ] && testssl="torsocks $testssl"
[ -n "$sslscan" ] && sslscan="torsocks $sslscan"
if [ $MODE = tor -o $MODE = selektor ] ; then
sudo grep -q "SocksPolicy *accept *$PROXY_WLAN_IP" /etc/tor/torrc || \
{ WARN "need SocksPolicy accept $PROXY_WLAN_IP in /etc/tor/torrc" ; }
fi
CURL_ARGS="$CURL_ARGS --proxy $socks_proxy "
if [ ${HTTPS_HOST} = 127.0.0.1 ] ; then
CURL_ARGS="$CURL_ARGS --interface"
fi
if netstat -nle4 | grep 127.0.1:53 ; then
CURL_ARGS="$CURL_ARGS --dns-interface lo"
fi
elif [ -n "$https_proxy" ] ; then
HTTPS_HOST=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/https* //' -e 's/ .*//' )
HTTPS_PORT=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
OPENSSL_ARGS="$OPENSSL_ARGS -proxy ${HTTPS_HOST}:$HTTPS_PORT"
TESTSSL_ARGS="$TESTSSL_ARGS --proxy=auto"
CURL_ARGS="$CURL_ARGS --proxy http://${HTTPS_HOST}:$HTTPS_PORT"
ANALYZE_ARGS="$ANALYZE_ARGS --starttls http_proxy:${HTTPS_HOST}:$HTTPS_PORT"
[ -n "$testssl" ] && testssl="torsocks $testssl"
[ -n "$sslscan" ] && sslscan="torsocks $sslscan"
else
: direct
fi
TENVS="DNS_VIA_PROXY=true"
errs=0
for CAFILE in /etc/ssl/certs/ca-certificates.crt /usr/local/etc/ssl/cacert-testforge.pem ; do
[ -f $CAFILE ] || { ERROR "CAfile not found $CAFILE" ; exit 8; }
for item in $HOSTS ; do
i=0
OUTRF=$OUTR.$item
if [ -n "$openssl" ] ; then
INFO "$openssl s_client -connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE"
echo $openssl s_client \
-connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE \
< /dev/null > $OUTRF.s_client.out
timeout ${kill_time}s \
$openssl s_client \
-connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE \
< /dev/null >> $OUTRF.s_client.out 2>&1
# :error:\|
if [ $? -eq 124 ] ; then
echo "DEBUG: timeout openssl s_client failed $? see $OUTRF.s_client.out"
elif [ $? -ne 0 ] ; then
WARN "openssl s_client failed $? see $OUTRF.s_client.out"
i=$( expr $i + 1 )
elif str='unable to get local issuer certificate' && \
grep "$str" $OUTRF.s_client.out; then
WARN "openssl s_client failed - $str see $OUTRF.s_client.out"
i=$( expr $i + 1 )
elif str='Cipher is (NONE)' && \
grep "$str" $OUTRF.s_client.out; then
WARN "openssl s_client failed - $str see $OUTRF.s_client.out"
i=$( expr $i + 1 )
elif str='SSL handshake has read 0 bytes' && \
grep "$str" $OUTRF.s_client.out; then
WARN "openssl s_client failed - $str see $OUTRF.s_client.out"
i=$( expr $i + 1 )
else
echo "DEBUG: openssl s_client -showcerts $OPENSSL_ARGS --CAfile $CAFILE $item"
timeout ${kill_time}s \
$openssl s_client -showcerts \
-connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE < /dev/null \
> $OUTRF.s_client.certs 2>&1
fi
fi
if [ -n "$sslscan" ] ; then
echo $sslscan $SSLSCAN_ARGS --certs $CAFILE --sni-name $item $item > $OUTRF.sslscan.out
timeout ${kill_time}s \
$sslscan $SSLSCAN_ARGS --sni-name $item $item >> $OUTRF.sslscan.out 2>&1
if [ $? -eq 124 ] ; then
echo "DEBUG: timeout sslscan failed $? see $OUTRF.sslscan.out "
elif [ $? -ne 0 ] ; then
WARN "sslscan failed $? see $OUTRF.sslscan.out "
i=$( expr $i + 1 )
elif grep 'SSL Certificate' $OUTRF.sslscan.out ; then
WARN "sslscan failed see $OUTRF.sslscan.out "
i=$( expr $i + 1 )
elif grep 'Connection failed' $OUTRF.sslscan.out ; then
# tail -1 $OUTRF.sslscan.out | grep 'Supported Server Cipher'
WARN "sslscan failed see $OUTRF.sslscan.out "
i=$( expr $i + 1 )
else
INFO "$sslscan $SSLSCAN_ARGS $item"
fi
fi
if [ -n "$testssl" -a -n "$https_proxy" ] ; then
# rDNS (140.82.114.3): lb-140-82-114-3-iad.github.com.testssl.sh: line 10330: /dev/tcp/140.82.114.3/443: No such file or directory
echo $TENVS $testssl $TESTSSL_ARGS $item > $OUTRF.testssl.out
env $TENVS $testssl $TESTSSL_ARGS $item >> $OUTRF.testssl.out 2>&1
if [ $? -ne 0 ] ; then
WARN "testssl failed $? see $OUTRF.testssl.out"
i=$( expr $i + 1 )
elif grep ': unable to\| error:\|doesn.t seem to be a TLS/SSL enabled server' $OUTRF.testssl.out; then
WARN "testssl failure see $OUTRF.testssl.out"
i=$( expr $i + 1 )
else
INFO "$testssl $TESTSSL_ARGS $item"
echo "DEBUG: $testssl $TESTSSL_ARGS --jsonfile-pretty $OUTRF.testssl.json $item"
env $TENVS $testssl $TESTSSL_ARGS --jsonfile-pretty $OUTRF.testssl.json $item > $OUTRF.testssl-json.out 2>&1
fi
fi
if [ -n "$curl" ] ; then
DBUG $TENVS $curl $CURL_ARGS -o /dev/null https://$item/
env $TENVS $curl $CURL_ARGS -o /dev/null https://$item/ > $OUTRF.curl-vvv.out 2>&1
if [ $? -eq 0 ] ; then
grep 'SSL certificate problem:' $OUTRF.curl-vvv.out && \
{ WARN "curl -vvv failed $? see $OUTRF.curl-vvv.out" ;
i=$( expr $i + 1 ) ; } || \
INFO $curl $CURL_ARGS $item
else
INFO $curl $CURL_ARGS $item
fi
fi
if [ -n "$analyze" ] ; then
timeout ${kill_time}s \
$analyze $ANALYZE_ARGS --name $item ${item}:443 \
> $OUTRF.analyze-ssl.out 2>&1
# certificate verified : ok
if [ $? -eq 124 ] ; then
echo "DEBUG: timeout $analyze $ANALYZE_ARGS $item"
elif [ $? -eq 0 ] ; then
INFO "$analyze $ANALYZE_ARGS $item"
else
WARN "$analyze failed $? see $OUTRF.analyze-ssl.out"
i=$( expr $i + 1 )
fi
fi
[ $i -eq 0 ] && continue
WARN "$i failures for $item"
errs=$(expr $errs + $i )
DBUG $OUTRF.*.out
done
done
find $OUTRF.* -type f -empty -delete
exit $errs

20100
overlay/Linux/usr/local/src/proxy_testssl_lib.bash Executable file
View File

File diff suppressed because it is too large Load Diff

137
overlay/Linux/usr/local/src/proxy_whonix.bash Executable file
View File

@ -0,0 +1,137 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
USAGE="host|to_tor|tor|from_tor|client|whonix|gateway|vda|nat|workstation|ping|ssl|status|test|refresh|update|up|down"
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
[ $( id -u ) -eq 0 ] || { ERROR $prog should be run as root ; exit 1 ; }
. /usr/local/sbin/proxy_whonix_lib.bash || \
{ ERROR loading /usr/local/sbin/proxy_whonix_host_lib.bash ; exit 2; }
#. /usr/local/bin/proxy_ping_lib.bash || \
# { ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; }
. /usr/local/bin/usr_local_base.bash || exit 2
proxy_whonix_mode
## proxy_whonix_test_mode - proxy_whonix_host.bash test
proxy_whonix_test_mode () { DBUG proxy_whonix_test_mode $* ;
if [ $MODE = tor -o $MODE = whonix -o $MODE = host ]; then
/usr/local/sbin/proxy_whonix_host.bash test || return 1$?
fi
return 0
}
## proxy_whonix_status - proxy_ping_test.bash "$MODE"
proxy_whonix_status () { DBUG proxy_whonix_status $* ;
$PREFIX/bin/proxy_ping_test.bash "$MODE" || return 1$?
return 0
}
## proxy_whonix_refresh
proxy_whonix_refresh () { DBUG proxy_whonix_refresh $* ;
local USAGE="python|pip"
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $USAGE
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
echo USAGE: $prog $USAGE or:
elif [ "$1" = 'python' ] ; then
/usr/local/bin/testforge_clean_usr_local_lib.bash
elif [ "$1" = 'pip' ] ; then
/usr/local/bin/base_pip_upgrade.bash -p 2 -i 0
/usr/local/bin/base_pip_upgrade.bash -p 3 -i 0
base_sheebang_after_pip.bash
else
:
fi
}
UPGRADE_USAGE="python|pip"
## proxy_whonix_update - $UPGRADE_USAGE
proxy_whonix_update() {
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $UPGRADE_USAGE
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
echo USAGE: $prog $USAGE or:
elif [ "$1" = 'python' ] ; then
:
elif [ "$1" = 'pip' ] ; then
:
else
:
fi
}
TEST_USAGE="ssl|ping|mode|libvirt|ga"
## proxy_whonix_test - test $TEST_USAGE
proxy_whonix_test () { DBUG proxy_whonix_test $* ;
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $TEST_USAGE
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
echo USAGE: $prog $USAGE or:
elif [ "$1" = 'ssl' ] ; then
$PREFIX/sbin/proxy_test_ssl.bash "$@" || exit 3$?
elif [ "$1" = 'mode' ] ; then
proxy_whonix_test_mode || exit 4$?
elif [ "$1" = 'ping' ] ; then
$PREFIX/sbin/proxy_ping_test.bash "$@" || exit 4$?
elif [ "$1" = 'libvirt' ] ; then
$PREFIX/bin/proxy_ping_lib.bash proxy_libvirt_test || exit 5$?
elif [ "$1" = 'ga' ] ; then
$PREFIX/bin/proxy_libvirt_ga_test.bash || exit 5$?
else
:
fi
return 0
}
WD=$PWD
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $USAGE
exit 0
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
echo USAGE: $prog $USAGE or:
grep '^## ' $0 | sed -e 's/^## //'
exit 0
elif [ "$1" = client ] ; then
shift
elif [ "$1" = ws -o "$1" = 'workstation' -o "$1" = 'gateway' ] ; then
[ $1 = ws ] && arg=workstation || arg=$1
shift
$PREFIX/sbin/proxy_whonix_guest_$arg.bash "$*" || exit 3$?
elif [ 'to_tor' -o "$1" = 'tor' -o "$1" = 'from_tor' -o "$1" = 'whonix' ] ; then
$PREFIX/sbin/proxy_whonix_host.bash "$@" || exit $?
elif [ "$1" = host ] ; then
shift
$PREFIX/sbin/proxy_whonix_host.bash "$@" || exit $?
elif [ "$1" = refresh -o "$1" = update -o "$1" = 'test' -o "$1" = 'status' ] ; then
arg=$1;shift
proxy_whonix_$arg "$@"
elif [ "$1" = 'down' -o "$1" = 'up' ] ; then
arg=$1;shift
proxy_whonix_$arg "$@"
elif [ "$1" = hourly -o "$1" = 'refresh' ] ; then
:
else
DBUG $prog $*
eval "$@"
exit $?
fi
exit 0

254
overlay/Linux/usr/local/src/scurl.bash Executable file
View File

@ -0,0 +1,254 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
# must not use stdout
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
prog=scurl
umask 022
RETRIES=2
SSL_VER=3
. /usr/local/bin/proxy_ping_lib.bash
[ -f /usr/local/bin/proxy_curl_lib.bash ] && \
. /usr/local/bin/proxy_curl_lib.bash
if ! grep -q "^wlan[1-9][ ]00000000" /proc/net/route ; then
WARN $prog we are not connected >&2
exit -1
fi
usage="curls with some wget options
Usage: $prog options -- curl-options
Options:
-P, --directory-prefix
-X, --force-directories create directories to download to
-C, --cacert CA certs in .pem
-M, --mode proxy_ping_mode
-S, --ssl ssl version 2=tls1.2 3=tls1.3
-Y, --ciphers comma sep list of ciphers
-Q, --quiet --silent --show-error
-h, --help display this help and exit
"
if [[ $? -ne 0 ]]; then
echo "$usage"
exit 2
fi
declare -a LARGS
# --location is required to follow redirects
# im not sure about --http2
LARGS+=( --remote-time --location --max-redirs 10 --continue-at - )
LARGS+=( --retry-delay 10 --show-error --fail )
# --proto-redir https --proto =https is required to prevent protocol downgrades
LARGS+=( --proto-redir https --proto-default https --proto =https )
[ -z "$MODE" ] && MODE=$( /usr/local/bin/proxy_ping_lib.bash proxy_ping_mode )
[ -z "$socks_proxy" ] && . /usr/local/bin/proxy_export.bash
SSL_LIB=openssl # nss
if [ -x $PREFIX/bin/curl.bash ] ; then
EXE=$PREFIX/bin/curl.bash
elif which scurl ; then
EXE=`which scurl`
else
EXE=curl
fi
SHORT=M:QP:XC:F:hS:
LONG=mode:,quiet,directory-prefix:,force-directories,cacert,ca-cert:,help,ssl:
#? export POSIXLY_CORRECT=1
PARSED=$(getopt --options $SHORT --longoptions $LONG --name "$prog" -- "$@")
eval set -- "$PARSED"
P="$PWD"
X="0"
# echo DEBUG: WD=$WD rest=$*
LOGF=/tmp/$prog$$.err
SSL_CIPHERS=""
while true; do
case "$1" in
-P|--directory-prefix)
shift
P="$1"
shift
# echo DEBUG: P=$WD rest=$*
;;
-X|--force-directories)
X=1
shift
;;
-S|--ssl)
shift
SSL_VER="$1"
shift
;;
-Y|--ciphers)
shift
SSL_CIPHERS="$1"
shift
;;
-C|--cacert|-Z|--ca-cert)
shift
CA_CERT="$1"
shift
;;
-M|--mode)
shift
MODE="$1"
shift
;;
-Q|--quiet)
shift
LARGS="$LARGS --silent --show-error"
;;
-h|--help)
echo USAGE: "$usage"
exit 0
;;
--)
shift
break
;;
*)
# echo ERROR: unhandled arguments $* - use -- after -P $PWD or -X ; exit 3
break
;;
esac
done
[ "$SSL_VER" -ge 2 -a "$SSL_VER" -le 3 ] || { ERROR "SSL_VER $SSL_VER" ; exit 6 ; }
LARGS+=( --tlsv1.$SSL_VER )
if [ -n "$SSL_CIPHERS" -a "$SSL_VER" = 2 ] ; then
[ $SSL_LIB = openssl ] && \
SSL_CIPHERS="ECDHE-RSA-AES256-SHA" # ECDHE-RSA-AES256-GCM-SHA384
[ $SSL_LIB = nss ] && \
SSL_CIPHERS="ecdhe_rsa_aes_256_sha"
fi
if [ -n "$SSL_CIPHERS" -a "$SSL_VER" = 3 ] ; then
[ $SSL_LIB = openssl ] && \
SSL_CIPHERS="TLS_AES_256_GCM_SHA384" # TLS_CHACHA20_POLY1305_SHA256
[ $SSL_LIB = nss ] && \
SSL_CIPHERS="aes_256_gcm_sha_384"
fi
[ -n "$SSL_CIPHERS" ] && LARGS+=( --ciphers "$SSL_CIPHERS" )
if [ "$MODE" = tor -o "$MODE" = selektor -o "$MODE" = whonix ] && \
netstat -nle4 | grep -q 127.0.0.1:53 ; then
LARGS+=( --dns-ipv4-addr 127.0.0.1 --dns-servers 127.0.0.1 )
elif [ "$MODE" = whonix ] && ifconfig virbr1 | grep -q 10.0.2.2 ; then
LARGS+=( --dns-ipv4-addr 10.0.2.15:9053 --dns-servers 10.0.2.15:9053 )
else
debug 127.0.0.1:53 not running MODE=$MODE
fi
if ! uname -a | grep -q 'Devuan\|Debian' ; then
if [ -f $HOME/.local/ ] ; then
[ -f $HOME/.local/alt.svc ] || touch $HOME/.local/alt.svc
LARGS+=( --alt-svc $HOME/.local/alt.svc )
# #define CURLALTSVC_H2 (1<<4)
fi
export CURLOPT_ALTSVC_CTRL=16
fi
declare -a RARGS
RARGS=("$@")
DBUG "$#" "${RARGS[*]}" >&2
i=0
while [ $i -le $RETRIES ] ; do
# assumes one URL
if [ "${#RARGS[@]}" -eq 1 ] ; then
the_url=`sed -e 's@http://@https://@g' -e 's@https*://distfiles.gentoo.org@https://gentoo.osuosl.org@g' -e 's@https*://gentoo.osuosl.org@https://mirror.leaseweb.com/gentoo@g' <<< "${RARGS[*]}"`
else
the_url=`sed -e 's@http://@https://@' -e 's@https*://distfiles.gentoo.org@https://gentoo.osuosl.org@g' -e 's@https*://gentoo.osuosl.org@https://mirror.leaseweb.com/gentoo@g' <<< "${RARGS[-1]}"`
fi
RARGS[-1]="$the_url"
site=`sed -e 's@https*://@@g' -e 's@/.*@@' <<< $the_url`
i=`expr $i + 1`
if [ "$X" = 1 ] ; then
rel_file=$( sed -e 's@^file://*@@' -e 's@^https*://*@@' -e 's@[&?#].*@@' <<< $the_url )
rel_dir=$( sed -e 's@/$@@' <<< $rel_file )
rel_dir=$( sed -e 's@/[^/]*$@@' <<< $rel_dir )
[ -d "$P/$rel_dir" ] || mkdir -p "$P/$rel_dir"
output=`sed -e 's/[!:?#]/_/g' <<< "$P/$rel_file"`
LARGS+=( --output "$output" --create-dirs )
fi
DBUG $EXE "${LARGS[@]}" "${RARGS[@]}" >&2
echo $EXE "${LARGS[@]}" "${RARGS[@]}" > $LOGF
$EXE "${LARGS[@]}" "${RARGS[@]}" >> $LOGF 2>&1
retval=$?
if [ "$retval" -eq 22 ] || \
tail -4 $LOGF | grep -q 'The requested URL returned error:'; then
# on 22 - change to HTTP code
code=`tail -4 $LOGF | grep 'The requested URL returned error:' | sed -e 's/.*returned error: //' -e 's/ *$//'`
if [ "$code" = 416 ] ; then
INFO "$prog retval=$retval code=$code ${HTTP_RESPONSE[416]} $the_url = $LOGF" >&2
retval=$code
elif [ "$code" = 429 ] ; then
ERROR "$prog retval=$retval code=$code ${HTTP_RESPONSE[$code]} $the_url = $LOGF" >&2
retval=$code
exit $retval
elif [ -n "$code" ] && [ "$code" -ge 400 ] ; then
# 403 Cloudflare
ERROR "$prog retval=$retval code=$code ${HTTP_RESPONSE[$code]} $the_url = $LOGF" >&2
retval=$code
elif [ -n "$code" ] && [ "$code" -lt 400 ] ; then
INFO "$prog retval=$retval code=$code ${HTTP_RESPONSE[$code]} $the_url = $LOGF" >&2
else
WARN "$prog retval=$retval \"$code\" $the_url = $LOGF" >&2
fi
elif [ "$retval" = 35 ] ; then
# 35 CURLE_SSL_CONNECT_ERROR
ERROR "$prog retval=$retval CURLE_SSL_CONNECT_ERROR $the_url = $LOGF" >&2
# feedback to scurl_urls.sh
NOTLSV3+=( $site )
elif [ "$retval" = 1 ] ; then
# retval=1 CURLE=CURLE_UNSUPPORTED_PROTOCOL - seems to be a transient error
WARN "$prog retval=$retval CURLE=${CURLE[$retval]} $the_url = $LOGF" >&2
continue
elif [ "$retval" = 92 ] ; then
# curl: (92) HTTP/2 stream 0 was not closed cleanly: INTERNAL_ERROR (err 2)
WARN "$prog retval=$retval CURLE=${CURLE[$retval]} $the_url = $LOGF" >&2
continue
elif [ "$retval" -ne 0 ] ; then
# curl: (3) URL using bad/illegal format or missing URL - worked
WARN "$prog retval=$retval CURLE=${CURLE[$retval]} $the_url = $LOGF" >&2
elif tail -3 $LOGF | grep -q "HTTP code 504 from proxy after CONNECT" ; then
WARN "$prog HTTP code 504 from proxy after CONNECT $the_url = $LOGF" >&2
continue
elif tail -3 $LOGF | grep -q "503 - Forwarding failure" ; then
WARN "$prog 503 - Forwarding failure $the_url = $LOGF" >&2
continue
else
INFO "$prog $output = $LOGF" >&2
# rm -f $LOGF
fi
break
# "$P/$rel_file"
# if [ $retval -gt 0 ] ; then
# The requested URL returned error: 416
# if [ $retval = 22 ] && [ "$code" = 416 ] && [ -f "$P/$rel_file" ] ; then
# fi
done
exit $retval

18
overlay/Linux/usr/local/src/sdwdate.bash Executable file
View File

@ -0,0 +1,18 @@
#!/bin/sh
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
PREFIX=/usr/local
ROLE=proxy
if [ -x $PREFIX/bin/proxy_ping_test.bash ] ; then
if virsh|grep Whonix-Gateway ; then
sh $PREFIX/bin/proxy_ping_test.bash whonix || exit 1
else
sh $PREFIX/bin/proxy_ping_test.bash wifi || exit 1
sh $PREFIX/bin/proxy_ping_test.bash 30 || exit 2
fi
fi
export PYTHONPATH=$PREFIX/lib64/python3.7/site-packages
exec python3.sh $PREFIX/bin/sdwdate_.py "$@"

19
overlay/Linux/usr/local/src/usr_local_proxy.bash Normal file
View File

@ -0,0 +1,19 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
[ -z "$prog" ] && prog=`basename $0 .bash`
[ -z "$USER" ] && USER=$( id -un )
ROLE=proxy
[ -f /usr/local/bin/usr_local_tput.bash ] && \
. /usr/local/bin/usr_local_tput.bash
. /usr/local/src/usr_local_src.bash
base=usr_local_proxy
# DBUG 0=$0
if [ -x /usr/bin/basename ] && [ $( /usr/bin/basename -- $0 ) = $base'.bash' -o $( basename -- $0 ) = $base'.sh' ] ; then
[ "$#" -eq 0 ] && exit 0
[ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && \
echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//'|sort && exit 0
eval "$@"
exit $?
fi

8
tasks/Gentoo.yml
View File

@ -19,8 +19,8 @@
cd {{ BASE_ROOT_LOG_DIR }} || exit 2
retval=0
/usr/local/bin/usr_local_base.bash box_gentoo_emerge \
{{proxy_pkgs_bootstrap}} \
{{proxy_pkgs_inst}} \
{{' '.join(proxy_pkgs_bootstrap)}} \
{{' '.join(proxy_pkgs_inst)}} \
&& exit 0
retval=$?
echo WARN: $retval
@ -35,8 +35,8 @@
shell: |
cd {{ BASE_ROOT_LOG_DIR }} || exit 2
/usr/local/bin/usr_local_base.bash box_gentoo_emerge \
{{ proxy_pkgs_bootstrap }} \
{{ proxy_pkgs_inst_guest }} \
{{ ' '.join(proxy_pkgs_bootstrap) }} \
{{ ' '.join(proxy_pkgs_inst_guest) }} \
|| exit $?
ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
when:

2
tasks/Gentoo/Gentoo/main.yml
View File

@ -13,4 +13,4 @@
#- include_tasks: Gentoo/Pentoo/mask.yml
- include_tasks: Gentoo/Pentoo/accept_keywords.yml
#- include_tasks: Gentoo/Pentoo/accept_keywords.yml

72
tasks/Gentoo/Pentoo/use.yml
View File

@ -13,6 +13,14 @@
block: |
net-misc/curl openssl -progress-meter alt-svc adns ftp http2 imap -ipv6 pop3 smtp ssh ssl tftp zstd -samba -sslv3 -threads -winssl -nss # -curl_ssl_gnutls -curl_ssl_mbedtls -curl_ssl_nss curl_ssl_openssl -curl_ssl_rustls
- name: "/etc/portage/package.use/2023-01-01_world.txt"
blockinfile:
dest: /etc/portage/package.use/2023-01-01_world.txt
create: true
marker: "# {mark} Ansible Managed Block proxy curl"
block: |
net-misc/curl static-libs
- name: "/etc/portage/package.use/2017-01-01_libguestfs.txt"
blockinfile:
dest: /etc/portage/package.use/2017-01-01_libguestfs.txt
@ -21,22 +29,6 @@
block: |
app-arch/unzip natspec
- name: "/etc/portage/package.use/2020-00_ipv6.txt"
blockinfile:
dest: /etc/portage/package.use/2020-00_ipv6.txt
create: true
marker: "# {mark} Ansible Managed Block proxy nmap"
block: |
net-analyzer/nmap -ipv6
- name: "/etc/portage/package.use/2021-00_verify-sig.txt"
blockinfile:
dest: /etc/portage/package.use/2021-00_verify-sig.txt
create: true
marker: "# {mark} Ansible Managed Block proxy nmap"
block: |
net-analyzer/nmap verify-sig
- name: "/etc/portage/package.use/2019-02_rkhunter.txt"
blockinfile:
dest: /etc/portage/package.use/2019-02_rkhunter.txt
@ -53,3 +45,51 @@
block: |
sys-process/lsof -ipv6
- name: "/etc/portage/package.use/2020-01_sqlite.txt"
blockinfile:
dest: /etc/portage/package.use/2020-01_sqlite.txt
create: true
marker: "# {mark} Ansible Managed Block proxy eix"
block: |
app-portage/eix sqlite
- name: "/etc/portage/package.use/2020-00_ipv6.txt"
blockinfile:
dest: /etc/portage/package.use/2020-00_ipv6.txt
create: true
marker: "# {mark} Ansible Managed Block proxy socat"
block: |
net-misc/socat -ipv6
- name: "/etc/portage/package.use/2020-00_ipv6.txt"
blockinfile:
dest: /etc/portage/package.use/2020-00_ipv6.txt
create: true
marker: "# {mark} Ansible Managed Block proxy privoxy"
block: |
net-proxy/privoxy -ipv6
- name: "/etc/portage/package.use/2021-07_privoxy.txt"
blockinfile:
dest: /etc/portage/package.use/2021-07_privoxy.txt
create: true
marker: "# {mark} Ansible Managed Block proxy privoxy"
block: |
net-proxy/privoxy brotli whitelists -mbedtls openssl zlib external-filters
- name: "/etc/portage/package.use/2020-00_ipv6.txt"
blockinfile:
dest: /etc/portage/package.use/2020-00_ipv6.txt
create: true
marker: "# {mark} Ansible Managed Block proxy nmap"
block: |
net-analyzer/nmap -ipv6
- name: "/etc/portage/package.use/2021-00_verify-sig.txt"
blockinfile:
dest: /etc/portage/package.use/2021-00_verify-sig.txt
create: true
marker: "# {mark} Ansible Managed Block proxy nmap"
block: |
net-analyzer/nmap verify-sig

13
tasks/dns.yml
View File

@ -67,11 +67,22 @@
nameserver 127.0.0.1
when:
- PROXY_DNS_PROXY in ['dnscrypt', 'dnsmasq', 'socat']
- PROXY_MODE in ['tor', 'selektor', 'whonix']
# stop dhclient from overwriting resolv.conf
# with scripts in /lib/dhcpcd/dhcpcd-hooks/
# FixMe: /etc/dhcp/dhcp-client.conf?
- name: "/etc/resolv.conf"
blockinfile:
dest: /etc/resolv.conf
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy"
create: yes
block: |
nameserver 10.0.2.2
when:
- PROXY_MODE in ['nat']
- "'{{BOX_NBD_OVERLAY_BR}}' == 'virbr1'"
# dnscrypt is not a system service
- name: "service disable not {{PROXY_DNS_PROXY}}"
service:

2
tasks/hourly.yml
View File

@ -86,6 +86,8 @@
umask 0027
echo "INFO: proxy_log_hourly"
cd {{USR_LOCAL}}/bin
export MODE={{PROXY_MODE}}
. proxy_export.bash
[ -x proxy_hourly.bash ] || exit 0
bash proxy_hourly.bash
register: proxy_log_hourly

33
tasks/main.yml
View File

@ -113,7 +113,7 @@
/usr/local/sbin/base_patch_from_diff.bash *
when:
- true or ansible_distribution == 'Gentoo'
- false and ansible_distribution == 'Gentoo'
- name: install proxy pips 2
changed_when: false
@ -168,7 +168,6 @@
environment: "{{ shell_proxy_env }}"
shell: |
umask 0002
#? usr_local_python.bash
[ ! -f usr_local_proxy.bash ] && exit 1
bash usr_local_python.bash \
{{ 'check' if ansible_check_mode }}
@ -248,17 +247,6 @@
loop_control:
loop_var: LOOP_USER
- name: "/usr/local/etc/testforge/testforge.ini BOF"
lineinfile:
dest: "/usr/local/etc/testforge/testforge.ini"
insertbefore: BOF
mode: 0755
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
create: yes
regexp: "# -.- mode: sh; tab-width: 0; coding: utf-8-unix -.-"
line: "# -*- mode: sh; tab-width: 0; coding: utf-8-unix -*-"
- name: /usr/local/etc/testforge/testforge.ini proxy
blockinfile:
dest: /usr/local/etc/testforge/testforge.ini
@ -306,6 +294,25 @@
- true or CORP_NTLM_PROXY|default('') != ''
notify: update facts
- block:
- name: external
delegate_to: localhost
shell: |
grep ' external$' /etc/hosts | sed -e 's/ .*//'
register: external_out
check_mode: false
- name: BASE_EXTERNAL_IP
set_fact:
BASE_EXTERNAL_IP: "{{external_out.stdout}}"
when: external_out.rc|default(1) == 0
check_mode: false
when:
- "ansible_virtualization_role|replace('NA', 'host') == 'guest'"
- BOX_OS_FLAVOR|default('') in [ 'WhonixWorkstation', 'WhonixGateway', 'Gentoo']
- name: "include dns.yml tasks"
include_tasks: "dns.yml"
when:

2
tasks/proxy_mode.yml
View File

@ -147,4 +147,4 @@
check_mode: false
rescue:
- debug:
msg: "WARN: error including proxy_export.txt"
msg: "WARN: RESCUE error including proxy_export.txt"

35
tasks/users.yml
View File

@ -40,44 +40,11 @@
- block:
# dont change the environment for everyone with env.d/70proxy
# manually include tor.sh
- name: "/usr/local/share/scripts/box_proxy_tor.bash no_proxy /bin/sh"
lineinfile:
path: "{{ item.dest|expanduser }}/box_proxy_tor.bash"
create: yes
owner: "{{ item.owner }}"
mode: "{{ item.mode }}"
insertafter: BOF
line: "#!/bin/sh"
regexp: "#./bin/sh"
with_items:
- dest: "~{{LOOP_USER}}/bin"
owner: "{{ LOOP_USER }}"
mode: "0755"
# unused?
- name: ~/bin/box_proxy_tor.bash no_proxy
blockinfile:
dest: "{{ item.dest|expanduser }}/box_proxy_tor.bash"
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy noproxy"
insertafter: "#./bin/sh"
mode: "{{ item.mode }}"
block: |
[ -f {{BASE_SCRIPT_DIR}}/box_proxy_tor.bash ] && . {{BASE_SCRIPT_DIR}}/box_proxy_tor.bash
[ -n "$no_proxy" ] && export no_proxy=$no_proxy || export no_proxy={{ NO_PROXY }}
when:
- "LOOP_USER != 'portage'"
with_items:
- dest: "~{{LOOP_USER}}/bin"
owner: "{{ LOOP_USER }}"
mode: "0755"
- name: /etc/dirmngr/dirmngr.conf
shell: |
[ -e "/etc/dirmngr/dirmngr.conf" ] || exit 0
[ -e "{{ item|expanduser }}" ] && exit 0
[ -d "`dirname {{ item|expanduser }}`" ] || exit 0
ln -s "/etc/dirmngr/dirmngr.conf" "{{ item|expanduser }}"
with_items:
- "~{{LOOP_USER}}/.gpg/dirmngr.conf"

13
tasks/whonix_guest.yml
View File

@ -28,19 +28,6 @@
shell: |
[ -e /dev/virtio-ports/org.qemu.guest_agent.0 ]
- name: external
delegate_to: localhost
shell: |
grep ' external$' /etc/hosts | sed -e 's/ .*//'
register: external_out
check_mode: false
- name: BASE_EXTERNAL_IP
set_fact:
BASE_EXTERNAL_IP: "{{external_out.stdout}}"
when: external_out.rc|default(1) == 0
check_mode: false
when:
- "ansible_virtualization_role|replace('NA', 'host') == 'guest'"
- BOX_OS_FLAVOR|default('') in [ 'WhonixWorkstation', 'WhonixGateway', 'Gentoo']

2
tasks/whonix_host.yml
View File

@ -233,7 +233,7 @@
- name: /usr/local/src/secbrowser.bash
shell: |
[ -f /usr/local/src/secbrowser.bash ] && exit 0
/local/src/secbrowser.bash
/usr/local/local/src/secbrowser.bash
when:
- BOX_OS_FLAVOR|default('') == 'KickSecure'
when:

4
templates/etc/firewall.sh Normal file
View File

@ -0,0 +1,4 @@
#!/bin/sh
for file in * ; do mv $file $file.bak ; cp -p /etc/$file . ; done

1
vars/Gentoo2.yml
View File

@ -26,6 +26,7 @@ proxy_pkgs_bootstrap:
- linux-firmware
- net-dns/bind-tools
- net-misc/socat
- app-portage/gentoolkit
proxy_pkgs_inst:
# move these to testforge - epecially gnupg for static