This commit is contained in:
parent
d29b1e4542
commit
a354df3d40
17
README.md
17
README.md
@ -1,7 +1,8 @@
|
||||
|
||||
This role builds on, and requires, ../base_role and lays down the
|
||||
basics for cntlm and socks and http and https proxies. It is required
|
||||
to be run after ../base_role
|
||||
to be run after ../base_role. Run this role even if you do not run
|
||||
behind a proxy as it sets up the proxy variables for that case.
|
||||
|
||||
Look at the variables in defaults/main.yml to customize the role, and
|
||||
double-check the settings in vars/*.yml.
|
||||
@ -11,3 +12,17 @@ athough only tested on Gentoo. To bring it up to date, just copy the
|
||||
existing files in vars and maybe tasks to the new name and edit to suit,
|
||||
but be advised that it is systemd-challenged, like its author.
|
||||
|
||||
It should support a number of different proxy situations on a host:
|
||||
|
||||
1) http_proxy and https_proxy
|
||||
|
||||
2) socks_proxy and tor proxy
|
||||
|
||||
3) CNTLM proxy
|
||||
|
||||
4) Whonix gateway
|
||||
|
||||
It should also support these different proxy situations in a container.
|
||||
|
||||
It has 2 test scripts proxy_daily.bash and proxy_daily.bash than
|
||||
run quick status checks and indepth testing respectively.
|
||||
|
@ -27,7 +27,7 @@ gpg2 --verify --keyring $keyf $BASE_PORTDIR/Manifest >/tmp/K$$.log 2>&1 || exit
|
||||
grep 'using RSA key' /tmp/K$$.log || exit 4
|
||||
grep 'Primary key fingerprint:' /tmp/K$$.log | sed -e 's/.*: //' -e 's/ //g' > /tmp/K$$.key || exit 5
|
||||
|
||||
if route | grep -q ^default ; then
|
||||
if grep -q "^wlan[1-9][ ]00000000" /proc/net/route ; then
|
||||
. /root/bin/tor.sh
|
||||
wget -O /tmp/K$$.html https://www.gentoo.org/downloads/signatures/ || exit 0
|
||||
grep "`cat /tmp/K$$.key`" /tmp/K$$.html || {
|
||||
|
@ -2,16 +2,36 @@
|
||||
# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
|
||||
|
||||
ROLE=proxy
|
||||
PREFIX=/usr/local
|
||||
|
||||
. /usr/local/bin/usr_local_tput.bash || exit 2
|
||||
|
||||
ip route | grep -q ^def || {
|
||||
WARN we are not connected
|
||||
WARN we are not connected >&2
|
||||
exit 1
|
||||
}
|
||||
|
||||
[ -f $HOME/.curlrc ] || touch $HOME/.curlrc
|
||||
|
||||
declare -a CURL_OPTS
|
||||
# --silent --show-error
|
||||
CURL_OPTS=( --fail-early --fail )
|
||||
|
||||
[[ "$*" =~ --http0.9 ]] || [[ "$*" =~ --http1 ]] || [[ "$*" =~ --http1.1 ]] || \
|
||||
[[ "$*" =~ --http2 ]] || [[ "$*" =~ --http3 ]] || CURL_OPTS+=( --http0.9 )
|
||||
[[ ! "$*" =~ --retry ]] && CURL_OPTS+=( --retry 3 )
|
||||
[[ ! "$*" =~ -4 ]] && CURL_OPTS+=( -4 )
|
||||
# [[ ! "$*" =~ --http2 ]] && CURL_OPTS+=( --http2 )
|
||||
[[ ! "$*" =~ --max-redirs ]] && CURL_OPTS+=( --max-redirs 10 )
|
||||
[[ ! "$*" =~ --location ]] && CURL_OPTS+=( --location )
|
||||
[[ ! "$*" =~ --remote-time ]] && CURL_OPTS+=( --remote-time )
|
||||
[[ ! "$*" =~ --create-dirs ]] && CURL_OPTS+=( --create-dirs )
|
||||
|
||||
if [[ "$socks_proxy" =~ socks5://.* ]] ; then
|
||||
export socks_proxy="$( echo $socks_proxy | sed -e 's@socks5://@socks5h://@' )"
|
||||
fi
|
||||
|
||||
if [[ ! "$*" =~ --proxy ]] && [ -n "$socks_proxy" ] ; then
|
||||
CURL_OPTS+=( --proxy $socks_proxy )
|
||||
[ -n "$https_proxy" ] && export https_proxy= && unset https_proxy
|
||||
[ -n "$http_proxy" ] && export http_proxy= && unset http_proxy
|
||||
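Review bot: `CURL_OPTS+=( --http0.9 )` is appended for every call that does not name an HTTP version, which turns HTTP/0.9 response acceptance on by default; modern curl keeps it off because a 0.9 "response" is raw bytes with no status line or headers, so a broken or hostile proxy returning anything at all is reported as a successful transfer. Make it opt-in (drop the line and let callers pass `--http0.9`) or, if one specific proxy needs it, say which in a comment. The option tests are looser than they look: `[[ ! "$*" =~ -4 ]]` matches any argument containing the two characters `-4` (a URL path, for instance), `--http1` already matches `--http1.1`, and the `.` in `--http0.9`/`--http1.1` is an unescaped regex wildcard. `CURL_OPTS+=( --proxy $socks_proxy )` should quote the expansion, and the socks5→socks5h rewrite can be `export socks_proxy="${socks_proxy/socks5:\/\//socks5h:\/\/}"` without the `echo | sed` subshell. The `if [[ ! "$*" =~ --proxy ]] …` block continues past the end of the hunk.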
@ -21,8 +41,14 @@ if [[ "$socks_proxy" =~ socks5://.* ]] ; then
|
||||
elif [ -n "$http_proxy" ] ; then
|
||||
CURL_OPTS+=( --proxy $http_proxy )
|
||||
fi
|
||||
export CURL_OPTS+=( -L )
|
||||
|
||||
if [ -d $HOME/.local/ ] ; then
|
||||
[ -f $HOME/.local/jar.cookie ] || touch $HOME/.local/jar.cookie
|
||||
[[ ! "$*" =~ --cookie-jar ]] && \
|
||||
CURL_OPTS+=( --cookie-jar $HOME/.local/jar.cookie --junk-session-cookies )
|
||||
fi
|
||||
|
||||
export CURL_OPTS+=( -L --remote-time )
|
||||
if ! uname -a | grep -q 'Devuan\|Debian' && [ -s $HOME/.local/alt.svc ] ; then
|
||||
export CURL_OPTS+=( --alt-svc $HOME/.local/alt.svc )
|
||||
# #define CURLALTSVC_H2 (1<<4)
|
||||
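Review bot: `touch $HOME/.local/jar.cookie` creates the shared cookie jar with the caller's default umask, and every invocation through this wrapper then writes the cookies it receives into it via `--cookie-jar`; session cookies are credentials, so create the file with restricted permissions, e.g. `( umask 077 ; touch -- "$HOME/.local/jar.cookie" )`, and quote `$HOME` in the `-d`/`-f` tests and in the option itself. The same applies to the `--alt-svc $HOME/.local/alt.svc` cache file. `export CURL_OPTS+=( -L --remote-time )` duplicates options already appended higher up (`--location` and `--remote-time`), and `export` on a bash array does not place it in the environment, so a plain `CURL_OPTS+=( … )` without the duplicates is clearer. The `if ! uname -a | grep -q …` block continues outside the hunk.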
@ -41,5 +67,6 @@ if [[ ! "$*" =~ --capath ]] && \
|
||||
export CURL_CA_BUNDLE=/usr/local/etc/ssl/cacert-testforge.pem
|
||||
fi
|
||||
|
||||
echo INFO: curl $CURL_OPTS "$@"
|
||||
exec curl $CURL_OPTS "$@"
|
||||
export CURL_OPTS
|
||||
DBUG /usr/bin/curl "${CURL_OPTS[@]}" "$@" >&2
|
||||
exec /usr/bin/curl "${CURL_OPTS[@]}" "$@"
|
||||
|
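Review bot: `DBUG /usr/bin/curl "${CURL_OPTS[@]}" "$@" >&2` echoes the complete command line, including whatever the caller passed in `"$@"` — `-u user:password`, `--proxy user:pass@host`, or tokens embedded in URLs — to stderr on every run, and callers in this commit capture stderr into log files (`2>&1 | … tee $ELOG`). Gate it on an explicit flag and print only the wrapper's own options, e.g. `[ -n "$DEBUG" ] && DBUG /usr/bin/curl "${CURL_OPTS[@]}" >&2`, so secrets never reach the logs. `export CURL_OPTS` on a bash array is a no-op for the environment and can be dropped, since the array is consumed directly by the `exec` line.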
@ -31,7 +31,7 @@ if [ -n "$PROXY_WLAN" ] ; then
|
||||
echo 1 > /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6
|
||||
fi
|
||||
|
||||
route | grep -q ^default || { ERROR no route ; exit 1; }
|
||||
grep -q "^wlan[1-9][ ]00000000" /proc/net/route || { ERROR no route ; exit 1; }
|
||||
[ ! -x /usr/bin/netstat ] || \
|
||||
netstat -nlp | grep -q 127.0.0.1:53 || { ERROR no nameserver ; exit 4; }
|
||||
|
||||
|
@ -13,7 +13,8 @@ ROLE=proxy
|
||||
# It is also run at the end of ansible_local.bash --tags daily to raise the issues.
|
||||
|
||||
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
|
||||
[ -f /usr/local/etc/testforge/testforge.bash ] && \
|
||||
. /usr/local/etc/testforge/testforge.bash
|
||||
|
||||
MYID=$( id -u )
|
||||
[ $MYID -eq 0 ] || { ERROR $prog must be run as root $MYID ; exit 1 ; }
|
||||
@ -34,8 +35,8 @@ rm -f $LOG_DIR/*${prog}_${ly}*.log
|
||||
|
||||
elt=doctest3
|
||||
if [ $MYID -ne 0 ] && [ -f /var/local/bin/testforge_python_doctest3.bash ] ; then
|
||||
/var/local/bin/testforge_python_doctest3.bash \
|
||||
/var/local/share/doc/txt/proxy3.txt \
|
||||
$PREFIX/bin/testforge_python_doctest3.bash \
|
||||
/usr/local/share/doc/txt/proxy3.txt \
|
||||
> "$LOG_DIR"/$ly/$elt$$.log 2>> $ELOG || ERROR $elt >> $ELOG
|
||||
fi
|
||||
|
||||
|
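Review bot: `if [ $MYID -ne 0 ] && [ -f /var/local/bin/testforge_python_doctest3.bash ]` can never be true if this is the file whose `@ -13,7 +13,8` hunk exits unless `$MYID -eq 0`, so the doctest step is dead code; either drop the `-ne 0` test or run the doctest under an unprivileged account explicitly with `su`. The new lines also mix `$PREFIX/bin/testforge_python_doctest3.bash` with the literal `/usr/local/share/doc/txt/proxy3.txt` and the unchanged `/var/local/bin/…` in the `-f` test, so the existence check, the script and the data file can point at three different trees; use `$PREFIX` in all three.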
@ -28,7 +28,7 @@ if [ -n "$PROXY_WLAN" ] ; then
|
||||
echo 1 > /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6
|
||||
fi
|
||||
|
||||
route | grep -q ^default || { ERROR no route ; exit 1; }
|
||||
grep -q "^wlan[1-9][ ]00000000" /proc/net/route || { ERROR no route ; exit 1; }
|
||||
|
||||
[ -z "$USER" ] && USER=$(id -un )
|
||||
if [ $USER = root ] ; then
|
||||
|
@ -41,17 +41,21 @@ if [ -d /etc/pacman.d/gnupg ] ; then
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
if [ ! -f /etc/dirmngr/dirmngr.conf ] || \
|
||||
grep ^keyserver /etc/dirmngr/dirmngr.conf ; then
|
||||
echo ERROR: no ^keyserver in /etc/dirmngr/dirmngr.conf
|
||||
exit 1
|
||||
fi
|
||||
|
||||
GPG="gpg --verbose --home $HOMEDIR"
|
||||
|
||||
[ -f /etc/dirmngr/dirmngr.conf ] || { echo ERROR: no ^keyserver in /etc/dirmngr/dirmngr.conf ; exit 1 ; }
|
||||
|
||||
$GPG --refresh-keys --verbose
|
||||
|
||||
ps ax | grep /usr/bin/dirmngr.bin|grep -v grep|sed -e 's/ .*//'|xargs kill
|
||||
|
||||
grep '^keyserver hkp' /etc/dirmngr/dirmngr.conf| \
|
||||
grep '^keyserver hkp' /etc/dirmngr/dirmngr.conf | \
|
||||
sed -e 's@keyserver hkp://@@' | \
|
||||
while read elt;do
|
||||
while read elt ; do
|
||||
for proxy in $PROXIES; do
|
||||
echo 1 | http_proxy=$proxy $GPG --yes \
|
||||
--debug-level guru \
|
||||
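Review bot: `[ -f /etc/dirmngr/dirmngr.conf ] || { echo ERROR: no ^keyserver in /etc/dirmngr/dirmngr.conf ; exit 1 ; }` only checks that the file exists, but the message still reports a missing keyserver line and nothing verifies that line any more; the removed `grep ^keyserver` test was inverted, but without any replacement an empty config passes and the `while read elt` loop below simply runs zero iterations without reporting. Keep both: `[ -f /etc/dirmngr/dirmngr.conf ] || { echo ERROR: no /etc/dirmngr/dirmngr.conf ; exit 1 ; }` followed by `grep -q '^keyserver hkp' /etc/dirmngr/dirmngr.conf || { echo ERROR: no ^keyserver in /etc/dirmngr/dirmngr.conf ; exit 1 ; }`. `ps ax | grep /usr/bin/dirmngr.bin|grep -v grep|sed -e 's/ .*//'|xargs kill` is fragile — `ps ax` lines can start with spaces before a short PID, so `s/ .*//` can yield an empty string, and a pattern match can hit unrelated processes; `gpgconf --kill dirmngr` is the supported way to stop the daemon for the current homedir. The `for proxy in $PROXIES` loop continues outside the hunk.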
@ -61,3 +65,4 @@ grep '^keyserver hkp' /etc/dirmngr/dirmngr.conf| \
|
||||
done
|
||||
done
|
||||
|
||||
/usr/local/bin/proxy_ping_test.bash dirmngr
|
||||
|
@ -12,15 +12,25 @@ DEBUG=1
|
||||
# It is also run at the end of ansible_local.bash --tags daily to raise the issues.
|
||||
|
||||
prog=$( basename $0 .bash )
|
||||
. /usr/local/bin/usr_local_tput.bash || exit 2
|
||||
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||
[ -f /usr/local/etc/testforge/testforge.bash ] && \
|
||||
. /usr/local/etc/testforge/testforge.bash >/dev/null
|
||||
|
||||
. /usr/local/bin/proxy_export.bash
|
||||
PL=/usr/local/bin/proxy_ping_lib.bash
|
||||
. $PL
|
||||
PL=
|
||||
PLL=/usr/local/bin/proxy_libvirt_lib.bash
|
||||
. $PLL
|
||||
PLL=
|
||||
DEBUG=1
|
||||
|
||||
declare -a BOX_NBD_OVERLAY_EXTERNAL
|
||||
# fill this in with the ansible hosts.yml
|
||||
BOX_NBD_OVERLAY_EXTERNALS=(
|
||||
/o/var/local/src/play_tox/hosts.yml
|
||||
/o/data/TestForge/src/ansible/hosts.yml
|
||||
)
|
||||
[ -z "$USER" ] && USER=$(id -un )
|
||||
MYID=$( id -u )
|
||||
[ $MYID -eq 0 ] || { ERROR $prog must be run as root $MYID ; exit 1 ; }
|
||||
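Review bot: `declare -a BOX_NBD_OVERLAY_EXTERNAL` declares one name while the array is assigned to `BOX_NBD_OVERLAY_EXTERNALS=(` (trailing S), so the declaration is a no-op; make the two agree. `. $PL` and `. $PLL` have no failure handling, unlike `. /usr/local/bin/usr_local_tput.bash || exit 2` a few lines above, so a missing library lets the script carry on until some `$PL …`/`$PLL …` call fails with 127 deep in the checks; add `|| exit 2` to both. Emptying `PL=`/`PLL=` right after sourcing so that `$PL proxy_ping_mode` later expands to a bare function call is not obvious from the code; a comment such as `# PL/PLL are emptied so "$PL func" below calls the sourced function directly` would save the next reader a search.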
@ -40,48 +50,113 @@ ELOG=$LOG_DIR/E${prog}_${ly}$$.log
|
||||
WLOG=$LOG_DIR/W${prog}_${ly}$$.log
|
||||
OUT=$LOG_DIR/O${prog}_${ly}$$.log
|
||||
|
||||
[ -f /usr/local/etc/testforge/testforge.bash ] && \
|
||||
. /usr/local/etc/testforge/testforge.bash
|
||||
export PATH=$PATH:/usr/local/bin
|
||||
|
||||
[ -n "$BASE_SRC_ANSIBLE" ] || BASE_SRC_ANSIBLE=/g/TestForge/src/ansible
|
||||
[ -z "$MODE" ] && MODE=$( $PL proxy_ping_mode )
|
||||
[ -n "$DEBUG" ] && echo >&2 DEBUG: $prog $ly MODE=$MODE 0=$0 "$#" "$@"
|
||||
[ -z "$MODE" ] && exit 2
|
||||
|
||||
[ ! -d $LOG_DIR/ ] && mkdir -p $LOG_DIR && chmod 1777 $LOG_DIR
|
||||
find $LOG_DIR/*${prog}_${ly}*.log -ctime +2 -delete
|
||||
|
||||
elt=proxy_export
|
||||
DBUG elt=$elt
|
||||
. /usr/local/bin/$elt.bash || exit 2
|
||||
DBUG http_proxy=$http_proxy
|
||||
DBUG https_proxy=$https_proxy
|
||||
DBUG socks_proxy=$socks_proxy
|
||||
|
||||
IP=`ifconfig|grep -A1 'eth\|wlan'|grep inet|sed -e 's/.*inet //' -e 's/ .*//'`
|
||||
DBUG external=$IP
|
||||
GW=`ip route | grep ^def | sed -e 's/.*via //' -e 's/ .*//'`
|
||||
DBUG gw=$GW
|
||||
|
||||
grep -q "^wlan[1-9][ ]00000000" /proc/net/route && ZERO_CONNECTED=0 || ZERO_CONNECTED=1
|
||||
if [ $ZERO_CONNECTED == 0 ] ; then
|
||||
/usr/local/bin/proxy_ping_test.bash $MODE 2>&1| grep ERROR: | tee $ELOG
|
||||
[ -s $ELOG ] || INFO /usr/local/bin/proxy_ping_test.bash $MODE
|
||||
fi
|
||||
|
||||
elt=/etc/ssl/certs
|
||||
DBUG elt=$elt
|
||||
if [ -d /etc/ssl/certs/ ] ; then
|
||||
find -L /etc/ssl/certs/ -type l | tee -a $ELOG
|
||||
find -L /etc/ssl/certs/ -type l -delete
|
||||
else
|
||||
WARN /etc/ssl/certs/ missing
|
||||
fi
|
||||
|
||||
elt=route
|
||||
DBUG elt=$elt
|
||||
# ubuntu / devuan oddball
|
||||
route | grep -q 'lo$' || \
|
||||
ip route add 127.0.0.0/8 dev lo scope host
|
||||
|
||||
/usr/local/bin/proxy_ping_test.bash $MODE 2> $ELOG
|
||||
if [ "$MODE" = whonix -o "$MODE" = tor -o "$MODE" = selektor ] ; then
|
||||
NS=127.0.0.1
|
||||
elif [ "$MODE" = nat -o "$MODE" = vda -o "$MODE" = ws ] ; then
|
||||
NS=10.0.2.2
|
||||
else
|
||||
NS=
|
||||
fi
|
||||
if [ -n "$NS" ] ; then
|
||||
elt=/etc/resolv.conf
|
||||
DBUG elt=$elt
|
||||
a=`grep nameserver /etc/resolv.conf | grep -v "nameserver $IP" | wc -l`
|
||||
if [ $? -eq 0 -a -n "$a" -a "$a" -gt 0 ] ; then
|
||||
/usr/local/bin/base_wall.bash "CRIT: $prog /etc/resolv.conf" `grep nameserver /etc/resolv.conf`
|
||||
echo "nameserver $IP" > /etc/resolv.conf
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ $ONE_GUEST -eq 0 ] ; then
|
||||
|
||||
IP=`ifconfig |grep -A1 wlan|grep inet|sed -e 's/.*inet //' -e 's/ .*//'`
|
||||
if [ "$MODE" = whonix -o "$MODE" = tor -o "$MODE" = selektor ] ; then
|
||||
# 10.24.216.64
|
||||
elt=/etc/hosts
|
||||
DBUG elt=$elt
|
||||
if [ -n "$IP" ] ; then
|
||||
grep -q " external" /etc/hosts && \
|
||||
sed -e "s/.* external/$IP external/" -i /etc/hosts || \
|
||||
echo "$IP external" >> /etc/hosts
|
||||
for file in "${BOX_NBD_OVERLAY_EXTERNALS[@]}" ; do
|
||||
[ -f $file ] || continue
|
||||
grep -q "BOX_NBD_OVERLAY_EXTERNAL.*" $file && continue
|
||||
sed -i -e "s/BOX_NBD_OVERLAY_EXTERNAL:.*/BOX_NBD_OVERLAY_EXTERNAL: \"$IP\"/" $file
|
||||
done
|
||||
fi
|
||||
|
||||
a=`grep nameserver /etc/resolv.conf | grep -v 'nameserver 127.0.0.1'| wc -l`
|
||||
if [ $? -eq 0 -a -n "$a" -a "$a" -gt 0 ] ; then
|
||||
/usr/local/bin/base_wall.bash "CRIT: $prog /etc/resolv.conf" `grep nameserver /etc/resolv.conf`
|
||||
echo 'nameserver 127.0.0.1' > /etc/resolv.conf
|
||||
elt=/etc/firewall.conf
|
||||
DBUG elt=$elt
|
||||
[ -f /etc/firewall.conf ] || {
|
||||
ERROR $prog NO FIREWALL /etc/firewall.conf | tee -a $ELOG | \
|
||||
xargs /usr/local/bin/base_wall.bash
|
||||
}
|
||||
|
||||
elt=iptables
|
||||
DBUG elt=$elt
|
||||
$PL proxy_iptables_save >$OUT 2>&1
|
||||
if [ $? -ne 0 ] || ! grep -q DROP $OUT ; then
|
||||
ERROR $prog NO FIREWALL - DROP `cat $OUT` | tee -a $ELOG
|
||||
/usr/local/bin/base_wall.bash ERROR $prog NO FIREWALL - DROP
|
||||
#? /usr/local/bin/proxy_firewall_restore_iptable.bash /etc/firewall.conf
|
||||
fi
|
||||
|
||||
[ -d $LOG_DIR/ ] || mkdir -p $LOG_DIR/ || true
|
||||
find $LOG_DIR/*${prog}_${ly}*.log -ctime +2 -delete || true
|
||||
if [ -d /etc/ssl/certs/ ] ; then
|
||||
find -L /etc/ssl/certs/ -type l >> $WLOG
|
||||
find -L /etc/ssl/certs/ -type l -delete
|
||||
else
|
||||
WARN /etc/ssl/certs/ missing
|
||||
elif [ "$MODE" = nat -o "$MODE" = vda -o "$MODE" = ws ] && [ $ONE_GUEST -eq 1 ]; then
|
||||
elt=/etc/resolv.conf
|
||||
DBUG elt=$elt
|
||||
if [ $? -eq 0 -a -n "$GW" ] ; then
|
||||
if ! grep -q "$GW" /etc/resolv.conf ; then
|
||||
/usr/local/bin/base_wall.bash "CRIT: $GW not in /etc/resolv.conf"
|
||||
echo "nameserver $GW" >> /etc/resolv.conf
|
||||
fi
|
||||
|
||||
$PL proxy_ping_firewall_check || \
|
||||
/usr/local/bin/base_wall.bash $prog 'CRIT: proxy_ping_firewall_check' retval=$?
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ $ONE_GUEST -eq 0 ] ; then
|
||||
|
||||
if [ "$MODE" = whonix ] ; then
|
||||
[ -n "$BASE_SRC_ANSIBLE" ] || BASE_SRC_ANSIBLE=/g/TestForge/src/ansible
|
||||
|
||||
BOX_WHONIX_PROXY_HOST=$( /usr/local/bin/testforge_get_inventory.bash BOX_WHONIX_PROXY_HOST )
|
||||
if [ -n "$BOX_WHONIX_PROXY_HOST" ] && \
|
||||
which virsh 2>/dev/null >/dev/null && \
|
||||
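Review bot: `NS` is computed from `$MODE` (127.0.0.1 or 10.0.2.2) and then only tested for emptiness; the lines inside the `if [ -n "$NS" ]` block filter on and write `nameserver $IP`, the address taken from `ifconfig`, so /etc/resolv.conf ends up pointing at the host's own interface address rather than at the resolver — presumably `grep -v "nameserver $NS"` and `echo "nameserver $NS" > /etc/resolv.conf` were meant. In the `BOX_NBD_OVERLAY_EXTERNALS` loop, `grep -q "BOX_NBD_OVERLAY_EXTERNAL.*" $file && continue` skips exactly the files in which the following `sed -i … s/BOX_NBD_OVERLAY_EXTERNAL:.*/…/` could match, so the key is never rewritten; if the intent is "skip when already current", test for the value: `grep -q "BOX_NBD_OVERLAY_EXTERNAL: \"$IP\"" "$file" && continue`. `chmod 1777 $LOG_DIR` makes the log directory world-writable while root then writes to predictable names (`$LOG_DIR/E${prog}_${ly}$$.log`) and runs `find $LOG_DIR/… -delete` in it, which lets any local user pre-create or pre-link those names; keep it root-owned with `mkdir -p -m 0755 -- "$LOG_DIR"` unless other users genuinely must write there. The `if [ -n "$BOX_WHONIX_PROXY_HOST" ] && …` condition at the end continues outside the hunk.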
@ -89,18 +164,14 @@ if [ $ONE_GUEST -eq 0 ] ; then
|
||||
# sh proxy_whonix_host_tor.bash whonix
|
||||
/usr/local/sbin/proxy_whonix_host.bash proxy_whonix_host_add_block >>$OUT 2>>$ELOG
|
||||
fi
|
||||
$PL proxy_libvirt_test >$OUT 2>&1
|
||||
$PLL proxy_libvirt_test >$OUT 2>&1
|
||||
retval=$?
|
||||
[ $retval -gt 1 ] && ERROR $prog proxy_libvirt_test retval=$retval >> $ELOG
|
||||
fi
|
||||
[ $retval -gt 1 ] && \
|
||||
ERROR $prog proxy_libvirt_test retval=$retval | tee -a $ELOG
|
||||
fi
|
||||
|
||||
[ -f /etc/firewall.conf ] || {
|
||||
ERROR $prog NO FIREWALL /etc/firewall.conf | tee -a $ELOG | \
|
||||
xargs /usr/local/bin/base_wall.bash
|
||||
}
|
||||
ifconfig | grep -q ^wlan
|
||||
if [ $? -eq 0 ] ; then
|
||||
wlan7=`ifconfig|grep ^wlan|tail -1| sed -e 's/:.*//'`
|
||||
if [ -n "$wlan7" ] ; then
|
||||
grep -q $wlan7 /etc/firewall.conf || {
|
||||
ERROR $prog NO $wlan7 in /etc/firewall.conf | tee -a $ELOG | \
|
||||
xargs /usr/local/bin/base_wall.bash
|
||||
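Review bot: `$PLL proxy_libvirt_test >$OUT 2>&1` depends on `PLL` having been emptied after sourcing in this file's `@ -12,15 +12,25` hunk, so it is really a bare call to the sourced function; if that `. $PLL` failed (it has no `|| exit`), the call fails with 127, which `[ $retval -gt 1 ]` then reports as a libvirt test failure rather than a missing library — checking the source line's status keeps the two apart. `grep -q $wlan7 /etc/firewall.conf` is an unquoted, unanchored substring match, so `wlan1` is satisfied by a `wlan10` entry or a commented-out line; `grep -qw -- "$wlan7" /etc/firewall.conf` is tighter. `ifconfig | grep -q ^wlan` followed by `if [ $? -eq 0 ]` can simply be `if ifconfig | grep -q '^wlan' ; then`. The `grep -q $wlan7 … || {` block continues outside the hunk.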
@ -109,43 +180,37 @@ fi
|
||||
fi
|
||||
|
||||
[ -f /var/log/privoxy/logfile ] && \
|
||||
grep -i fatal /var/log/privoxy/logfile >> $WLOG && \
|
||||
echo ERROR: Fatal in /var/log/privoxy/logfile |tee -a $ELOG
|
||||
grep -i fatal /var/log/privoxy/logfile | tee -a $ELOG && \
|
||||
ERROR Fatal in /var/log/privoxy/logfile |tee -a $ELOG
|
||||
|
||||
if route | grep -q ^def ; then
|
||||
if grep -q "^wlan[1-9][ ]00000000" /proc/net/route ; then
|
||||
$PL proxy_ping_gw_check || {
|
||||
ERROR proxy_ping_gw_check >> $ELOG
|
||||
ERROR proxy_ping_gw_check | tee -a $ELOG
|
||||
}
|
||||
$PL proxy_ping_dnsmasq_check || {
|
||||
x ERROR proxy_ping_dnsmasq_check >> $ELOG
|
||||
$PL proxy_ping_dnsmasq_check && \
|
||||
ERROR proxy_ping_dnsmasq_check || {
|
||||
ERROR proxy_ping_dnsmasq_check | tee -a $ELOG
|
||||
}
|
||||
$PL proxy_ping_firewall_check || {
|
||||
ERROR proxy_ping_firewall_check >> $ELOG
|
||||
$PL proxy_ping_firewall_check && \
|
||||
INFO proxy_ping_firewall_check || {
|
||||
ERROR proxy_ping_firewall_check | tee -a $ELOG
|
||||
}
|
||||
|
||||
$PL proxy_iptables_save >$OUT 2>&1
|
||||
if [ $? -ne 0 ] || ! grep -q DROP $OUT ; then
|
||||
ERROR $prog NO FIREWALL - DROP `cat $OUT` | tee -a $ELOG
|
||||
/usr/local/bin/base_wall.bash ERROR $prog NO FIREWALL - DROP
|
||||
#? /usr/local/bin/proxy_firewall_restore_iptable.bash /etc/firewall.conf
|
||||
fi
|
||||
$PL proxy_test_dirmngr $OUT || \
|
||||
{ retval=$? ; ERROR proxy_test_dirmngr $retval >> $ELOG ; }
|
||||
$PL proxy_test_dirmngr $OUT && \
|
||||
INFO proxy_test_dirmngr $retval | tee -a $ELOG || {
|
||||
retval=$?
|
||||
ERROR proxy_test_dirmngr $retval | tee -a $ELOG
|
||||
}
|
||||
|
||||
if dmesg | grep --text -A 1 'martian' ; then
|
||||
dmesg | grep --text -A 1 'martian' | \
|
||||
xargs echo WARN: martians >> $WLOG
|
||||
xargs echo WARN: martians | tee -a $ELOG
|
||||
dmesg | grep --text -A 1 'martian' | \
|
||||
sed -e 's/DST=.*//' -e 's/.*martian_//' -e 's/ OUT=.*SRC=/ /' >> $WLOG
|
||||
sed -e 's/DST=.*//' -e 's/.*martian_//' -e 's/ OUT=.*SRC=/ /' | tee -a $ELOG
|
||||
else
|
||||
INFO proxy_test_dirmngr no martians
|
||||
fi
|
||||
|
||||
/usr/local/bin/proxy_ping_test.bash dns || {
|
||||
ERROR $prog no dns >> $ELOG ;
|
||||
}
|
||||
/usr/local/bin/proxy_ping_test.bash 3128 || {
|
||||
# can be false
|
||||
WARN $prog no 3128 >> $WLOG
|
||||
}
|
||||
PROXY_WLAN=$( $PL proxy_get_if )
|
||||
[ -n "$PROXY_WLAN" -a -f /etc/wicd/wireless-settings.conf ] && \
|
||||
ps ax | grep -q wpa_supplicant && \
|
||||
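Review bot: `INFO proxy_test_dirmngr $retval | tee -a $ELOG` (and, for the martian check, `xargs echo WARN: martians | tee -a $ELOG` and `sed … | tee -a $ELOG`) append informational and warning lines to `$ELOG`, while the epilogue in this file (`@ -155,20 +220,16`) counts `wc -l $ELOG` as the error total and exits non-zero whenever the file is non-empty, so a clean run is now reported as failed; send INFO to stdout only and WARN to `$WLOG` as the replaced lines did. `$PL proxy_ping_dnsmasq_check && ERROR proxy_ping_dnsmasq_check || { … }` labels the success path ERROR, whereas the firewall check right below uses INFO for the same shape, and `$retval` in the INFO line is read before `retval=$?` assigns it. The `cmd && a || b` chains here also run `b` when `a` itself returns non-zero, so an `if … ; then … else … fi` would report each check exactly once. The `[ -n "$PROXY_WLAN" -a -f … ] && ps ax | grep -q wpa_supplicant && \` statement continues outside the hunk.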
@ -155,20 +220,16 @@ x ERROR proxy_ping_dnsmasq_check >> $ELOG
|
||||
wpa_cli -i "$PROXY_WLAN" blacklist $elt
|
||||
done
|
||||
|
||||
$PL proxy_ping_firewall_check || \
|
||||
/usr/local/bin/base_wall.bash $prog 'CRIT: proxy_ping_firewall_check' retval=$?
|
||||
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
[ -s $OUT ] && grep WARN: $OUT >> $WLOG
|
||||
# [ -s $OUT ] && grep WARN: $OUT | tee -a $ELOG
|
||||
|
||||
if [ -s $ELOG ] ; then
|
||||
errs=$( wc -l $ELOG | cut -f 1 -d ' ' )
|
||||
if [ $? -eq 0 -a $errs -ne 0 ] ; then
|
||||
ERROR $prog $errs $ly $prog errors in $ELOG
|
||||
cat $ELOG
|
||||
/usr/local/bin/base_wall.bash "ERROR: $prog $errs errors in $ELOG"
|
||||
exit $errs
|
||||
fi
|
||||
fi
|
||||
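Review bot: `errs` is now assigned only inside `if [ -s $ELOG ]`, but the lines that appear to be retained in the next hunk (`@ -177,15 +238,7`) still evaluate `[ $errs -eq 0 ] && ols_clean_testforge_logs …`, so on a clean day (empty `$ELOG`) that test becomes `[ -eq 0 ]`, fails with a unary-operator error, and the log cleanup and the "No errors" INFO never run; initialise `errs=0` before the `if`. `exit $errs` also wraps modulo 256 (256 errors exits 0), so exit with a fixed code and keep the count in the message. `[ $? -eq 0 -a $errs -ne 0 ]` tests the status of `cut`, not `wc`, and `-a` is deprecated; `if [ "$errs" -ne 0 ] ; then` is enough.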
@ -177,15 +238,7 @@ fi
|
||||
[ $? -eq 0 -a $warns -ne 0 ] && \
|
||||
WARN "$warns $ly $prog warnings in $WLOG"
|
||||
|
||||
[ -f $ELOG ] && errs=`wc -l $ELOG | cut -f 1 -d ' '`
|
||||
if [ $? -eq 0 -a $errs -ne 0 ] ; then
|
||||
ERROR "$errs $ly $prog errors in $ELOG"
|
||||
cat $ELOG
|
||||
exit $errs
|
||||
fi
|
||||
|
||||
[ $errs -eq 0 ] && \
|
||||
ols_clean_testforge_logs $HARDEN_LOG_DIR && \
|
||||
[ $warns -eq 0 ] && \
|
||||
INFO "$prog No $ly errors in $HARDEN_LOG_DIR"
|
||||
|
||||
|
@ -6,7 +6,7 @@ prog=$( basename $0 .bash )
|
||||
PREFIX=/usr/local
|
||||
ROLE=proxy
|
||||
|
||||
route | grep -q ^default || exit 0
|
||||
grep -q "^wlan[1-9][ ]00000000" /proc/net/route || exit 0
|
||||
|
||||
[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash \
|
||||
|| { echo >&2 ERROR: $prog "$PREFIX/etc/testforge/testforge.bash" ; exit 1 ; }
|
||||
|
@ -5,9 +5,11 @@
|
||||
# so must be idempotemt - as its called by things it calls?
|
||||
|
||||
prog=$( basename $0 .bash )
|
||||
[ -z "$TERM" ] || . /usr/local/bin/usr_local_tput.bash || exit 2
|
||||
PREFIX=/usr/local
|
||||
ROLE=proxy
|
||||
|
||||
[ -z "$TERM" ] || . /usr/local/bin/usr_local_tput.bash || exit 2
|
||||
|
||||
[ -z "$USER" ] && USER=$(id -un )
|
||||
|
||||
[ -n "$USER" -a "$USER" = root ] && \
|
||||
|
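Review bot: `[ -z "$USER" ] && USER=$(id -un )` only fills `USER` in when it is empty, and the next line `[ -n "$USER" -a "$USER" = root ] && \` then makes a privilege decision on it; `USER` is an ordinary environment variable the caller controls (and su/sudo may or may not reset it), so the root check should use `[ "$(id -u)" -eq 0 ]`, which is what the `MYID=$( id -u )` checks elsewhere in this commit already do. The moved `[ -z "$TERM" ] || . /usr/local/bin/usr_local_tput.bash || exit 2` skips the library entirely when `TERM` is unset (cron, systemd units), so if ERROR/WARN/INFO come from that file they are undefined in exactly the non-interactive runs; source it unconditionally or provide fallbacks. The `&& \` statement continues outside the hunk.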
@ -12,7 +12,11 @@ base=proxy_ping_lib
|
||||
[ -z "$USER" ] && USER=$(id -un )
|
||||
# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
|
||||
BASE_SRC_ANSIBLE=/g/TestForge/src/ansible
|
||||
PROXY_GPG_KEYSERVER=keys.openpgp.org
|
||||
|
||||
# shellcheck disable=SC2154
|
||||
[ -z "$PROXY_HTTP_PROXY_PORT" ] || PROXY_HTTP_PROXY_PORT=3128
|
||||
# shellcheck disable=SC2154
|
||||
[ -z "$PROXY_HTTP_PROXY_HOST" ] || PROXY_HTTP_PROXY_HOST="127.0.0.1"
|
||||
|
||||
PROXY_IFCONFIG=/sbin/ifconfig
|
||||
[ -x /sbin/ifconfig ] && PROXY_IFCONFIG=/sbin/ifconfig
|
||||
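Review bot: `[ -z "$PROXY_HTTP_PROXY_PORT" ] || PROXY_HTTP_PROXY_PORT=3128` (and the `PROXY_HTTP_PROXY_HOST` line below it) has the test inverted: it overwrites a value that is already set and leaves an empty one empty; a default is `[ -n "$PROXY_HTTP_PROXY_PORT" ] || PROXY_HTTP_PROXY_PORT=3128` or `: "${PROXY_HTTP_PROXY_PORT:=3128}"`. `[ -x /sbin/ifconfig ] && PROXY_IFCONFIG=/sbin/ifconfig` assigns the value `PROXY_IFCONFIG` already has, so the comment about `/bin/ifconfig` on Gentoo is not implemented; presumably `[ -x /bin/ifconfig ] && PROXY_IFCONFIG=/bin/ifconfig` was meant. `[ -z "$USER" ] && USER=$(id -un )` carries the same caller-controlled-`USER` caveat as in the `@ -5,9 +5,11` hunk.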
@ -36,11 +40,6 @@ proxy_ifconfig () {
|
||||
$PROXY_IFCONFIG $*
|
||||
}
|
||||
|
||||
# shellcheck disable=SC2154
|
||||
[ -z "$PROXY_HTTP_PROXY_PORT" ] || PROXY_HTTP_PROXY_PORT=3128
|
||||
# shellcheck disable=SC2154
|
||||
[ -z "$PROXY_HTTP_PROXY_HOST" ] || PROXY_HTTP_PROXY_HOST="127.0.0.1"
|
||||
|
||||
# shellcheck disable=SC2154
|
||||
[ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
|
||||
# shellcheck disable=SC2154
|
||||
@ -136,90 +135,6 @@ proxy_whonix_get_gateway_dom_bad () {
|
||||
return 0
|
||||
}
|
||||
|
||||
proxy_test_dirmngr () { DBUG proxy_test_dirmngr MODE=$MODE $* ;
|
||||
[ $# -eq 0 ] && set -- \
|
||||
hkp://$PROXY_GPG_KEYSERVER \
|
||||
hkp://gpg.mit.edu hkp://keys.gnupg.net
|
||||
# shellcheck disable=SC2154
|
||||
[ -z "$ELOG" ] && ELOG=/tmp/proxy_test_dirmngr$$.err
|
||||
# shellcheck disable=SC2154
|
||||
[ -z "$WLOG" ] && WLOG=/tmp/proxy_test_dirmngr$$.log
|
||||
|
||||
[ -h /usr/bin/dirmngr ] || {
|
||||
ERROR /usr/bin/dirmngr not a symlink
|
||||
return 2
|
||||
}
|
||||
grep ^hkp-cacert /etc/dirmngr/dirmngr.conf | while read a b; do
|
||||
[ -f $b ] || WARN file not found $b
|
||||
done
|
||||
/usr/bin/dirmngr --version </dev/null || {
|
||||
ERROR /usr/bin/dirmngr not working --version
|
||||
return 3
|
||||
}
|
||||
# grep ^OK
|
||||
DBUG /usr/bin/dirmngr working --version
|
||||
|
||||
/etc/init.d/privoxy status || /etc/init.d/privoxy start
|
||||
/etc/init.d/privoxy status || {
|
||||
WARN /etc/init.d/privoxy not running $PROXY_HTTP_PROXY_PORT
|
||||
}
|
||||
# /usr/local/bin/proxy_ping_test.bash 3128
|
||||
netstat -nlpe4 | grep -q :$PROXY_HTTP_PROXY_PORT || {
|
||||
ERROR /etc/init.d/privoxy not working $PROXY_HTTP_PROXY_PORT
|
||||
return 4
|
||||
}
|
||||
DBUG /etc/init.d/privoxy working $PROXY_HTTP_PROXY_PORT
|
||||
route | grep -q ^default || return 0
|
||||
|
||||
gpg-connect-agent --dirmngr 'loadswdb --force' /bye </dev/null >/tmp/GpgL$$.tmp 2>&1
|
||||
retval=$?
|
||||
[ $retval -ne 0 ] && \
|
||||
ERROR gpg-connect-agent 'loadswdb --force' /tmp/GpgL$$.tmp && \
|
||||
cat /tmp/GpgL$$.tmp && \
|
||||
return 5$retval
|
||||
! grep -q OK /tmp/GpgL$$.tmp && \
|
||||
ERROR gpg-connect-agent 'loadswdb --force' not OK `cat /tmp/GpgL$$.tmp` && \
|
||||
rm -f /tmp/GpgL$$.tmp && \
|
||||
return 6$retval
|
||||
DBUG gpg-connect-agent OK `cat /tmp/GpgL$$.tmp`
|
||||
rm -f /tmp/GpgL$$.tmp
|
||||
|
||||
gpg-connect-agent </dev/null --dirmngr 'keyserver' /bye >/tmp/GpgG$$.tmp 2>&1
|
||||
retval=$?
|
||||
[ $retval -ne 0 ] && \
|
||||
ERROR gpg-connect-agent 'keyserver' `cat /tmp/GpgG$$.tmp` && \
|
||||
rm -f /tmp/GpgG$$.tmp && \
|
||||
return 7$retval
|
||||
grep -q ^S /tmp/GpgG$$.tmp || { \
|
||||
ERROR gpg-connect-agent 'keyserver' no S `cat /tmp/GpgG$$.tmp` && \
|
||||
rm -f /tmp/GpgG$$.tmp && \
|
||||
return 8$retval
|
||||
}
|
||||
DBUG gpg-connect-agent 'keyserver' S `cat /tmp/GpgG$$.tmp`
|
||||
|
||||
if [ -d /root/.emacs.d/elpa/gnupg ] && \
|
||||
ps ax | grep -q -e '--homedir /root/.emacs.d/elpa/gnupg' ; then
|
||||
|
||||
for elt in "$@" ; do
|
||||
echo keyserver --resolve $elt /bye > /tmp/GpgR$$.tmp
|
||||
gpg-connect-agent </dev/null --dirmngr --homedir /root/.emacs.d/elpa/gnupg \
|
||||
-r /tmp/GpgR$$.tmp >/tmp/GpgC$$.tmp 2>&1
|
||||
retval=$?
|
||||
[ $retval -ne 0 ] && \
|
||||
ERROR gpg-connect-agent $elt `cat /tmp/GpgC$$.tmp` | tee -a $ELOG && \
|
||||
rm -f /tmp/GpgC$$.tmp && \
|
||||
return 9$retval
|
||||
grep -q 'ERR\|failed:' /tmp/GpgC$$.tmp && \
|
||||
ERROR gpg-connect-agent $elt `tail -1 $ELOG` && \
|
||||
rm -f /tmp/GpgC$$.tmp && \
|
||||
return 10
|
||||
INFO gpg-connect-agent $elt
|
||||
done
|
||||
rm -f /tmp/GpgC$$.tmp
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_get_gateway_dom
|
||||
proxy_whonix_get_gateway_dom () {
|
||||
# shellcheck disable=SC2154
|
||||
@ -262,7 +177,7 @@ proxy_ping_mode () { #
|
||||
# shellcheck disable=SC2154
|
||||
[ -n "$MODE" ] && echo "$MODE" && return 0
|
||||
|
||||
proxy_ifconfig -a > /tmp/ipconfig-a.$$
|
||||
proxy_ifconfig -a >/tmp/ipconfig-a.$$
|
||||
if grep -q /dev/vda /proc/cmdline ; then
|
||||
MODE=vda
|
||||
elif ps ax | grep -v grep | grep -q 'tor -f /var/lib/tor/.SelekTOR/3xx' ; then
|
||||
@ -283,7 +198,7 @@ proxy_ping_mode () { #
|
||||
MODE=$mode
|
||||
else
|
||||
host=$( $PREFIX/bin/testforge_get_inventory.bash BOX_WHONIX_PROXY_HOST )
|
||||
[ -n "$host" ] && MODE=whonix
|
||||
[ -n "$host" ] && MODE=$host # whonix
|
||||
fi
|
||||
fi
|
||||
|
||||
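Review bot: `[ -n "$host" ] && MODE=$host # whonix` stores the inventory value of `BOX_WHONIX_PROXY_HOST` in `MODE`, but every consumer in this commit compares `MODE` against fixed words (`[ "$MODE" = whonix ]`, `whonix -o tor -o selektor`, and the `workstation|ws|vda|nat|gateway|host` branches of `proxy_ping_firewall_check`), so unless that host is literally named `whonix` none of those branches fire any more. If the host name is needed downstream, keep `MODE=whonix` and carry the name separately, e.g. `BOX_WHONIX_PROXY_HOST=$host`. `proxy_ping_mode`'s body continues outside the hunk.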
@ -851,6 +766,7 @@ proxy_whonix_copy_files () { DBUG proxy_whonix_copy_files PROXY_WLAN=$PROXY_WLAN
|
||||
|
||||
## proxy_ping_firewall_check
|
||||
proxy_ping_firewall_check () { DBUG proxy_ping_firewall_check PROXY_WLAN=$PROXY_WLAN MODE=$MODE $* ;
|
||||
[ -n "$MODE" ] || MODE="$( proxy_ping_mode )"
|
||||
if [ "$MODE" = workstation -o "$MODE" = ws -o "$MODE" = vda ] ; then
|
||||
:
|
||||
elif [ "$MODE" = nat -o "$MODE" = gateway -o "$MODE" = host ] ; then
|
||||
@ -1473,10 +1389,10 @@ starbucks_pdnsd () {
|
||||
[ -z "$pdnsd" ] && return 0
|
||||
if [ "$pdnsd" = "dnscrypt" ] && \
|
||||
! ps ax | grep -v grep | grep -q /dnscrypt-proxy ; then
|
||||
cp /dev/null /var/local/var/log/dnscrypt-proxy.log
|
||||
cp /dev/null $PREFIX/var/log/dnscrypt-proxy.log
|
||||
$HARDEN_VAR_LOCAL/bin/dnscrypt-proxy --config $HARDEN_VAR_LOCAL/etc/dnscrypt-proxy.toml &
|
||||
sleep $DELAY
|
||||
[ ! -s /var/local/var/log/dnscrypt-proxy.log ] || \
|
||||
[ ! -s $PREFIX/var/log/dnscrypt-proxy.log ] || \
|
||||
! grep -q 'No servers configured' $HARDEN_VAR_LOCAL/var/log/dnscrypt-proxy.log || return 11
|
||||
ps ax | grep -v grep | grep -q /dnscrypt-proxy || return 12
|
||||
elif [ "$pdnsd" = "pdnsd" ] && ! ps ax | grep -v grep | grep -q /pdnsd ; then
|
||||
|
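Review bot: The log file is now named two different ways in three lines: `cp /dev/null $PREFIX/var/log/dnscrypt-proxy.log` truncates one path and `[ ! -s $PREFIX/var/log/dnscrypt-proxy.log ]` tests it, but `grep -q 'No servers configured' $HARDEN_VAR_LOCAL/var/log/dnscrypt-proxy.log` reads another, so unless `PREFIX` and `HARDEN_VAR_LOCAL` resolve to the same directory the 'No servers configured' check runs against a file that was never truncated, or does not exist. The daemon is started from `$HARDEN_VAR_LOCAL/bin` with `$HARDEN_VAR_LOCAL/etc`, so `$HARDEN_VAR_LOCAL/var/log` looks like the intended location; use one variable for all three. `: > "$log"` truncates without spawning `cp`. `starbucks_pdnsd` continues outside the hunk.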
@ -11,7 +11,10 @@ PYVER=3
|
||||
|
||||
. /usr/local/bin/proxy_ping_lib.bash || \
|
||||
{ ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 6; }
|
||||
[ -f $PREFIX/etc/testforge/testforge.bash ] && \
|
||||
. /usr/local/etc/testforge/testforge.bash >/dev/null || exit 1
|
||||
PL=/usr/local/bin/proxy_libvirt_lib.bash
|
||||
|
||||
declare -a tests
|
||||
|
||||
which traceroute 2>/dev/null >/dev/null && HAVE_TRACEROUTE=1 || HAVE_TRACEROUTE=0
|
||||
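Review bot: `[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash >/dev/null || exit 1` tests one path and sources another, so with a non-default `PREFIX` the existence check and the sourced file disagree; use the same expansion in both (the `@ -20,22 +23,19` hunk below and the `@ -6,7 +6,7` hunk of another script carry the same pair). Since the `A && B || exit 1` shape exits when the file is merely absent, the exit should at least say why: `|| { ERROR $prog $PREFIX/etc/testforge/testforge.bash ; exit 1 ; }`. `PL=/usr/local/bin/proxy_libvirt_lib.bash` names the libvirt library `PL`, while proxy_daily in this same commit uses `PL` for proxy_ping_lib and `PLL` for the libvirt one; aligning the names avoids sourcing the wrong file later.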
@ -20,22 +23,19 @@ which nslookup 2>/dev/null >/dev/null && HAVE_NSLOOKUP=1 || HAVE_NSLOOKUP=0
|
||||
which tor-resolve 2>/dev/null >/dev/null && HAVE_TOR_RESOLVE=1 || HAVE_TOR_RESOLVE=0
|
||||
|
||||
[ -z "$prog" ] || prog=proxy_ping_test
|
||||
proxy_ping_get_socks >/dev/null
|
||||
[ -z "$SOCKS_HOST" ] && SOCKS_HOST=127.0.0.1
|
||||
[ -z "$SOCKS_PORT" ] && SOCKS_PORT=9050
|
||||
SOCKS_PAIR=`proxy_ping_get_socks`
|
||||
[ -z "$SOCKS_HOST" ] && SOCKS_HOST=`echo $SOCKS_PAIR|sed -e 's/:.*//'`
|
||||
[ -z "$SOCKS_PORT" ] && SOCKS_PORT=`echo $SOCKS_PAIR|sed -e 's/.*://'`
|
||||
[ -z "$SOCKS_DNS" ] && SOCKS_DNS=9053
|
||||
HTTPS_PORT=9128
|
||||
HTTPS_HOST=127.0.0.1
|
||||
proxy_ping_get_https >/dev/null
|
||||
HTTPS_PORT=`echo $HTTPS_PAIR|sed -e 's/.*://'`
|
||||
HTTPS_HOST=`echo $HTTPS_PAIR|sed -e 's/:.*//'`
|
||||
HTTPS_PAIR=`proxy_ping_get_https`
|
||||
[ -z "$HTTPS_HOST" ] && HTTPS_HOST=127.0.0.1
|
||||
HTTP_PORT=3128
|
||||
HTTP_PROXY_HOST=127.0.0.1
|
||||
proxy_ping_get_http >/dev/null
|
||||
HTTP_PAIR=`proxy_ping_get_http`
|
||||
HTTP_PORT=`echo $HTTP_PAIR|sed -e 's/.*://'`
|
||||
HTTP_HOST=`echo $HTTP_PAIR|sed -e 's/:.*//'`
|
||||
[ -z "$HTTP_HOST" ] && HTTP_HOST=127.0.0.1
|
||||
|
||||
[ -f $PREFIX/etc/testforge/testforge.bash ] && \
|
||||
. /usr/local/etc/testforge/testforge.bash >/dev/null || exit 1
|
||||
|
||||
P="BASE_PYTHON${PYVER}_MINOR"
|
||||
PYTHON_MINOR="$(eval echo \$$P)"
|
||||
[ -n "$PYTHON_MINOR" ] || \
|
||||
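Review bot: The port defaults are gone: the removed `SOCKS_PORT=9050`, `HTTPS_PORT=9128` and `HTTP_PORT=3128` were replaced by `sed -e 's/.*://'` over the pair, so when `proxy_ping_get_socks`/`_https`/`_http` print nothing the port variables end up empty while the host still defaults to 127.0.0.1, and every later `host:port` becomes `127.0.0.1:`. Add `[ -n "$SOCKS_PORT" ] || SOCKS_PORT=9050` (and the HTTPS/HTTP equivalents) after the parsing, and the parsing itself can be `SOCKS_HOST=${SOCKS_PAIR%%:*}` / `SOCKS_PORT=${SOCKS_PAIR##*:}` without the `echo | sed` subshells. `[ -z "$prog" ] || prog=proxy_ping_test` on the context line is inverted (it replaces a set `prog` and leaves an empty one alone). `HTTP_PROXY_HOST` was renamed to `HTTP_HOST`; any remaining reader of the old name outside this hunk now sees it unset.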
@ -65,14 +65,14 @@ TIMEOUT=30
|
||||
[ -n "$GATEW_DOM" ] || GATEW_DOM="Whonix-Gateway"
|
||||
|
||||
DNS_HOST1="208.67.220.220"
|
||||
DNS_HOST2="8.8.8.8"ggggg
|
||||
DNS_HOST2="1.1.1.1"
|
||||
[ -n "$DNS_TARGET" ] || DNS_TARGET=www.whatismypublicip.com # 108.160.151.39
|
||||
[ -n "$HTTP_TARGET" ] || HTTP_TARGET=www.whatismypublicip.com # 108.160.151.39
|
||||
HTTP_TARGET=www.whatismypublicip.com
|
||||
|
||||
# time.nist.gov 132.163.97.3
|
||||
NTP_HOST1=132.163.97.3
|
||||
# pool.ntp.org 78.46.53.2
|
||||
# pool.ntp.org 78.46.53.2 205.206.70.7
|
||||
NTP_HOST2=78.46.53.2
|
||||
# --no-check-certificate
|
||||
WGET="wget --tries=1 --max-redirect=0 --timeout=$TIMEOUT -O /dev/null"
|
||||
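Review bot: `HTTP_TARGET=www.whatismypublicip.com` replaces `[ -n "$HTTP_TARGET" ] || HTTP_TARGET=…`, so the target can no longer be overridden from the environment, unlike `DNS_TARGET` on the line above which keeps its `[ -n … ] ||` guard; restore the guard unless forcing the value is intended. The `# pool.ntp.org 78.46.53.2 205.206.70.7` comment documents addresses of a pool whose members rotate, so noting when they were last checked would help whoever next sees the test fail.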
@ -103,6 +103,113 @@ DNS_HOST=$SOCKS_HOST
|
||||
[ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
|
||||
[ -z "$PRIV_BIN_GID" ] && PRIV_BIN_GID=$( grep ^$PRIV_BIN_OWNER /etc/passwd|cut -d: -f 4 )
|
||||
|
||||
PROXY_GPG_KEYSERVER=keys.openpgp.org
|
||||
declare -a GPG_KEYSERVERS=(
|
||||
hkp://$PROXY_GPG_KEYSERVER
|
||||
hkp://gpg.mit.edu
|
||||
hkp://keys.gnupg.net
|
||||
)
|
||||
## proxy_test_dirmngr
|
||||
proxy_test_dirmngr () {
|
||||
[ $# -eq 0 ] && set -- "${GPG_KEYSERVERS[@]}"
|
||||
DBUG proxy_test_dirmngr MODE=$MODE $* ;
|
||||
# shellcheck disable=SC2154
|
||||
[ -z "$ELOG" ] && ELOG=/tmp/proxy_test_dirmngr$$.err
|
||||
# shellcheck disable=SC2154
|
||||
[ -z "$WLOG" ] && WLOG=/tmp/proxy_test_dirmngr$$.log
|
||||
|
||||
[ -h /usr/bin/dirmngr ] || {
|
||||
WARN /usr/bin/dirmngr not a symlink
|
||||
#fixed? return 2
|
||||
}
|
||||
|
||||
grep ^hkp-cacert /etc/dirmngr/dirmngr.conf | while read a b; do
|
||||
[ -f $b ] || WARN file not found $b in /etc/dirmngr/dirmngr.conf
|
||||
done
|
||||
/usr/bin/dirmngr --version </dev/null >/dev/null && \
|
||||
INFO /usr/bin/dirmngr working --version || {
|
||||
ERROR /usr/bin/dirmngr not working --version
|
||||
return 3
|
||||
}
|
||||
# grep ^OK
|
||||
DM=`grep ' keyserver ' /etc/dirmngr/dirmngr.conf | head -1 | sed -e 's/.* //'`
|
||||
|
||||
grep -q "^wlan[1-9][ ]00000000" /proc/net/route || {
|
||||
DBUG not connected
|
||||
return 0
|
||||
}
|
||||
|
||||
echo 'loadswdb --force' /bye | \
|
||||
gpg-connect-agent --dirmngr \
|
||||
>/tmp/GpgL$$.tmp 2>&1
|
||||
retval=$?
|
||||
[ $retval -ne 0 ] && \
|
||||
WARN gpg-connect-agent --dirmngr 'loadswdb --force' /bye /tmp/GpgL$$.tmp && \
|
||||
cat /tmp/GpgL$$.tmp && \
|
||||
# return 5$retval
|
||||
! grep -q OK /tmp/GpgL$$.tmp && \
|
||||
WARN gpg-connect-agent --dirmngr 'loadswdb --force' /bye OK not found /tmp/GpgL$$.tmp && \
|
||||
# return 6$retval
|
||||
|
||||
INFO elt=gpg-connect-agent --dirmngr 'loadswdb --force' OK
|
||||
rm -f /tmp/GpgL$$.tmp
|
||||
|
||||
# gpg-connect-agent --dirmngr 'help keyserver' /bye
|
||||
echo 'keyserver --resolve' /bye | \
|
||||
gpg-connect-agent --dirmngr \
|
||||
>/tmp/GpgG$$.tmp 2>&1
|
||||
retval=$?
|
||||
grep 'ERR\|failed:' /tmp/GpgG$$.tmp >> $ELOG && \
|
||||
ERROR gpg-connect-agent $elt `tail -1 $ELOG` && \
|
||||
return 10
|
||||
grep -q ^S /tmp/GpgG$$.tmp || { \
|
||||
WARN gpg-connect-agent 'keyserver' no S /tmp/GpgG$$.tmp && \
|
||||
return 8$retval
|
||||
}
|
||||
INFO elt=gpg-connect-agent 'keyserver --resolve' S
|
||||
cat /tmp/GpgG$$.tmp
|
||||
rm -f /tmp/GpgG$$.tmp
|
||||
|
||||
if [ ! -d /root/.emacs.d/elpa/gnupg ] || \
|
||||
! ps ax | grep -q -e '--homedir /root/.emacs.d/elpa/gnupg' ; then
|
||||
WARN no running /root/.emacs.d/elpa/gnupg agent
|
||||
else
|
||||
INFO running /root/.emacs.d/elpa/gnupg agent
|
||||
echo keyserver --resolve | \
|
||||
gpg-connect-agent --dirmngr \
|
||||
--homedir /root/.emacs.d/elpa/gnupg \
|
||||
>/tmp/GpgC$$.tmp 2>&1
|
||||
retval=$?
|
||||
if grep 'ERR\|failed:' /tmp/GpgC$$.tmp >> $ELOG ; then
|
||||
WARN /root/.emacs.d/elpa/gnupg gpg-connect-agent `tail -1 $ELOG` && \
|
||||
cat /tmp/GpgC$$.tmp
|
||||
else
|
||||
INFO elt=gpg-connect-agent
|
||||
cat /tmp/GpgC$$.tmp
|
||||
rm -f /tmp/GpgC$$.tmp
|
||||
fi
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_test_privoxy_test
|
||||
proxy_test_privoxy_test () { DBUG proxy_test_privoxy_test $* ;
|
||||
return 0
|
||||
/etc/init.d/privoxy status || /etc/init.d/privoxy start
|
||||
/etc/init.d/privoxy status && \
|
||||
DBUG /etc/init.d/privoxy running || {
|
||||
WARN /etc/init.d/privoxy not running $PROXY_HTTP_PROXY_PORT
|
||||
}
|
||||
# /usr/local/bin/proxy_ping_test.bash 3128
|
||||
netstat -nlpe4 | grep -q :$PROXY_HTTP_PROXY_PORT || {
|
||||
ERROR /etc/init.d/privoxy not working $PROXY_HTTP_PROXY_PORT
|
||||
return 4
|
||||
}
|
||||
INFO elt=/etc/init.d/privoxy working $PROXY_HTTP_PROXY_PORT
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_test_netstat_dns
|
||||
proxy_test_netstat_dns () { DBUG proxy_test_netstat_dns $* ;
|
||||
$NETS | grep -q ":53"
|
||||
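Review bot: In `proxy_test_dirmngr`, the `&& \` continuations before the commented-out `# return 5$retval` and `# return 6$retval` lines do not end the statement: bash joins the backslash-newline, finds a comment after `&&`, and takes the next non-blank line as the operand, so the chain becomes `[ $retval -ne 0 ] && WARN … && cat … && ! grep -q OK … && WARN … && INFO elt=gpg-connect-agent … OK` — the OK check only runs when the agent already failed, and the INFO line prints only in that failure case, never on success. Rewrite the section as an `if`/`elif`/`else` as below. `proxy_test_privoxy_test` now starts with an unconditional `return 0`, which makes everything after it dead code; if the test is deliberately disabled, a comment saying why (and removing the body) is clearer. `ERROR gpg-connect-agent $elt \`tail -1 $ELOG\`` reads `$elt`, which this function no longer sets, and `ps ax | grep -q -e '--homedir /root/.emacs.d/elpa/gnupg'` can match its own grep command line so the "running agent" branch is taken regardless; `pgrep -f` avoids that. The `GPG_KEYSERVERS` entries are plain `hkp://`; keys.openpgp.org also serves `hkps://`, which is what a reachability check through a proxy should exercise.
```shell
    echo 'loadswdb --force' /bye | \
        gpg-connect-agent --dirmngr \
        >/tmp/GpgL$$.tmp 2>&1
    retval=$?
    if [ $retval -ne 0 ] ; then
        WARN gpg-connect-agent --dirmngr 'loadswdb --force' /bye /tmp/GpgL$$.tmp
        cat /tmp/GpgL$$.tmp
    elif ! grep -q OK /tmp/GpgL$$.tmp ; then
        WARN gpg-connect-agent --dirmngr 'loadswdb --force' /bye OK not found /tmp/GpgL$$.tmp
    else
        INFO elt=gpg-connect-agent --dirmngr 'loadswdb --force' OK
    fi
    rm -f /tmp/GpgL$$.tmp
    # … unchanged: 'keyserver --resolve' probe and emacs gnupg homedir check …
```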
@ -119,7 +226,7 @@ proxy_test_traceroute_icmp_gw () { DBUG proxy_test_traceroute_icmp_gw $* ;
|
||||
retval=$?
|
||||
[ $retval -eq 0 ] && return 0
|
||||
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval traceroute --icmp $PROXY_WLAN_GW
|
||||
[ -z "$ALL" ] && exit $ARG$retval || return 1
|
||||
[ -z "$ALL" ] && exit "$ARG$retval" || return 1
|
||||
# works
|
||||
GREP="-i icmp"
|
||||
return 0
|
||||
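Review bot: `[ -z "$ALL" ] && exit "$ARG$retval" || return 1` still builds the exit status by gluing the test number onto the command status, and exit statuses are reduced modulo 256, so (constructed example) ARG=30 with retval=1 becomes 301 and is reported to the caller as 45; the quoting added here does not change that. Since the ERROR line just above already records retval, `[ -z "$ALL" ] && exit "$ARG" || return 1` gives an unambiguous code. The same `exit <digit>$?` composition recurs in `@ -260,7 +367,7 @@ proxy_test_pretest_exit`. proxy_test_traceroute_icmp_gw starts outside the hunk.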
@ -128,7 +235,7 @@ proxy_test_traceroute_icmp_gw () { DBUG proxy_test_traceroute_icmp_gw $* ;
|
||||
## proxy_test_dig_direct
|
||||
proxy_test_dig_direct () { DBUG proxy_test_dig_direct $* ;
|
||||
|
||||
dig @$DNS_HOST1 pool.ntp.org +timeout=$TIMEOUT >/dev/null
|
||||
dig @$DNS_HOST1 $NTP_HOST2 +timeout=$TIMEOUT >/dev/null
|
||||
retval=$?
|
||||
[ $retval -eq 0 ] && return 0
|
||||
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval dig @$DNS_HOST1
|
||||
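Review bot: `dig @$DNS_HOST1 $NTP_HOST2 +timeout=$TIMEOUT` has no guard on `NTP_HOST2`; if it is unset the command becomes `dig @$DNS_HOST1 +timeout=...`, which queries the root NS set and succeeds, so the test passes without resolving anything. Add `[ -n "$NTP_HOST2" ] || { ERROR $prog NTP_HOST2 unset ; return 1 ; }` before the dig; the same applies to `su -c "dig $NTP_HOST2 ..."` in `@ -908,9 +1038,9` and to `tor-resolve $NTP_HOST2` in `@ -918,12 +1048,12`. In the `su -c "..."` form the value is also expanded inside a string handed to /bin/sh, so it must be a bare hostname from trusted configuration. The body of proxy_test_dig_direct continues outside the hunk.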
@ -140,8 +247,8 @@ proxy_test_dig_direct () { DBUG proxy_test_dig_direct $* ;
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_test_curl_firewall_bin
|
||||
proxy_test_curl_firewall_bin () { DBUG proxy_test_curl_firewall_bin $* ;
|
||||
## proxy_test_curl_firewall_asbin
|
||||
proxy_test_curl_firewall_asbin () { DBUG proxy_test_curl_firewall_asbin $* ;
|
||||
su -c "$CURL -k --noproxy '*' https://$HTTP_TARGET" -s /bin/sh $PRIV_BIN_OWNER >/dev/null
|
||||
retval=$?
|
||||
[ $retval -eq 0 ] && return 0
|
||||
@ -164,7 +271,7 @@ proxy_ping_curl () { DBUG proxy_ping_curl $* ;
|
||||
## proxy_ping_make_help
|
||||
proxy_ping_make_help () {
|
||||
grep 'tests\[[0-9][0-9]*\]=' /usr/local/bin/proxy_ping_test.bash \
|
||||
> /tmp/proxy_ping_test.hlp
|
||||
> /tmp/proxy_ping_test-$USER.hlp
|
||||
return 0
|
||||
}
|
||||
|
||||
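Review bot: The help file is now written to `/tmp/proxy_ping_test-$USER.hlp`, a predictable name in a shared directory, and the `@ -407,21 +534,23` hunk later executes it with `. /tmp/proxy_ping_test-$USER.hlp`; a different local user can create or symlink that path between the `rm -f` and the redirect, and whatever it contains then runs with the privileges of whoever invoked the script, which for most of these tests is root. Keep the file under a per-user directory instead, e.g. `hlp=${XDG_RUNTIME_DIR:-$HOME}/proxy_ping_test.hlp`, or create it with `mktemp` and pass the name to the readers. The grep can also fail silently; `grep ... > "$hlp" || return 1` keeps an empty file from being sourced.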
@ -260,7 +367,7 @@ proxy_test_pretest_exit () {
|
||||
{ WARN $prog proxy_ping_test_resolv=$? 'echo nameserver 127.0.0.1 > /etc/resolv.conf' ; exit 4 ; }
|
||||
proxy_ping_firewall_start || { ERROR "proxy_ping_firewall_start ret=$?" ; exit 5 ; }
|
||||
elif [ "$1" = nat ] ; then
|
||||
: proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
|
||||
proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
|
||||
else
|
||||
proxy_do_ping || exit 4$?
|
||||
proxy_ping_test_resolv $MODE || \
|
||||
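Review bot: In `proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }` the `$?` is the status of `ERROR`, not of `proxy_route_test`, so the exit code no longer carries the route test's result. Capture it before logging: `proxy_route_test || { rv=$? ; ERROR $prog route not connected ; exit 1$rv ; }`. proxy_test_pretest_exit starts and ends outside the hunk.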
@ -276,19 +383,19 @@ proxy_test_help_args () {
|
||||
declare -a elts=()
|
||||
declare -a ret=()
|
||||
local elt
|
||||
if [ "$1" = selektor -o "$1" = whonix -o "$1" = torhost ] ; then
|
||||
elts=($1 socks http dns https tordns firefail)
|
||||
elif [ "$1" = torlibvirthost ] ; then
|
||||
elts=($1 libvirthost socks http https tordns firefail)
|
||||
if [ "$1" = selektor -o "$1" = torhost ] ; then
|
||||
elts=($1 socks dns http https dirmngr tordns firefail)
|
||||
elif [ "$1" = torlibvirthost -o "$1" = whonix ] ; then
|
||||
elts=(libvirthost socks http https dirmngr tordns firefail)
|
||||
elts+=($MODE)
|
||||
elif [ "$1" = gateway ] ; then
|
||||
elts=($1 libvirtguest socks dns http https firefail)
|
||||
elif [ "$1" = gateway -o "$1" = nat ] ; then
|
||||
elts=($1 libvirtguest socks dns http https dirmngr firefail)
|
||||
else
|
||||
elts=($1)
|
||||
fi
|
||||
for elt in "${elts[@]}" ; do
|
||||
# DBUG proxy_test_help_args $elt $1 >&2
|
||||
ret+=( $(grep " -.* $elt " /tmp/proxy_ping_test.hlp | \
|
||||
ret+=( $(grep " -.* $elt " /tmp/proxy_ping_test-$USER.hlp | \
|
||||
sed -e 's/.=.*//' -e 's/.*tests.//') )
|
||||
done
|
||||
DBUG proxy_test_help_args "${ret[@]}" >&2
|
||||
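Review bot: In the `torlibvirthost`/`whonix` branch the mode name itself was dropped from the list (`elts=(libvirthost socks http https dirmngr tordns firefail)`, where the other branches keep `$1` first) and `$MODE` is appended instead, so when `$1` is `whonix` but `MODE` is something else the tests tagged `- whonix ` are no longer selected; if that is intended a comment saying why would help, otherwise `elts=($1 libvirthost socks http https dirmngr tordns firefail)`. The loop body greps `/tmp/proxy_ping_test-$USER.hlp`, so this helper depends on `proxy_ping_make_help` having run first, which is worth stating in the function header. proxy_test_help_args starts and ends outside the hunk.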
@ -302,66 +409,88 @@ proxy_ping_test_set_args () {
|
||||
local args="$@"
|
||||
local val="$@"
|
||||
declare -a aret=()
|
||||
rm -f /tmp/proxy_ping_test.hlp
|
||||
[ -f /tmp/proxy_ping_test.hlp ] || proxy_ping_make_help
|
||||
## to_tor - tor with the firewall host side client setup tor server - call tor,dns,ntp in addition
|
||||
rm -f /tmp/proxy_ping_test-$USER.hlp
|
||||
[ -f /tmp/proxy_ping_test-$USER.hlp ] || proxy_ping_make_help
|
||||
|
||||
## to_tor - tor with the firewall host side client setup tor server - gateway
|
||||
[ "$1" = to_tor -o "$1" = test_tor -o "$1" = test_to ] &&
|
||||
aret=( 6 13 16 ) && \
|
||||
! proxy_ping_test_env && WARN to_tor and no proxy in env - use noenv
|
||||
|
||||
## vda - through the Gateway with the firewall - also polipo,panic - uses env
|
||||
[ "$1" = vda ] &&
|
||||
aret=( 35 3 20 ) #
|
||||
## kick - open firewall with tor running - call dns,polipo +tor in addition
|
||||
[ "$1" = kick -o "$1" = host ] &&
|
||||
aret=( 24 31 13 16 6 )# 30 24 31 6 13 16
|
||||
## gateway - on the Gateway, trans firewall with tor running - call dns in addition
|
||||
[ "$1" = gateway ] &&
|
||||
aret=( 23 25 4 5 30 24 17 3 21 ) # 31 6 16
|
||||
|
||||
# aliases
|
||||
# socks defines http as the target of a user using socks
|
||||
[ "$1" = "$SOCKS_PORT" ] && set -- socks
|
||||
# http defines http as the target of a user using http
|
||||
[ "$1" = "$HTTP_PORT" ] && set -- http
|
||||
# https defines http as the target of a user using https
|
||||
[ "$1" = "$HTTPS_PORT" ] && set -- https
|
||||
# dns defines http as the target of a user using dns
|
||||
[ "$1" = "53" ] && set -- dns
|
||||
# tordns defines http as the target of a user using tordns
|
||||
[ "$1" = "9053" ] && set -- tordns
|
||||
# aliases
|
||||
# socks defines http as the target of a user using socks
|
||||
[ "$1" = "$SOCKS_PORT" ] && set -- socks
|
||||
# http defines http as the target of a user using http
|
||||
[ "$1" = "$HTTP_PORT" ] && set -- http
|
||||
# https defines http as the target of a user using https
|
||||
[ "$1" = "$HTTPS_PORT" ] && set -- https
|
||||
# dns defines http as the target of a user using dns
|
||||
[ "$1" = "53" ] && set -- dns
|
||||
# tordns defines http as the target of a user using tordns
|
||||
[ "$1" = "9053" ] && set -- tordns
|
||||
|
||||
[ "$1" = scan ] && set -- iwlist
|
||||
[ "$1" = panic ] && set -- firewall
|
||||
[ "$1" = to_gateway ] && set -- whonix
|
||||
[ "$1" = from_tor ] && set -- whonix
|
||||
[ "$1" = from_gateway ] && set -- gateway
|
||||
[ "$1" = traceroute ] && set -- = trace
|
||||
[ "$1" = connected ] && set -- wifi
|
||||
[ "$1" = clear ] && set -- direct
|
||||
# old aliases
|
||||
[ "$1" = scan ] && set -- iwlist
|
||||
[ "$1" = panic ] && set -- firewall
|
||||
[ "$1" = asbin ] && set -- firewall
|
||||
|
||||
# scenarios - modes: nat selektor
|
||||
[ "$1" = to_gateway ] && set -- whonix
|
||||
[ "$1" = from_tor ] && set -- whonix
|
||||
[ "$1" = from_gateway ] && set -- gateway
|
||||
[ "$1" = to_tor ] && set -- gateway
|
||||
[ "$1" = workstation ] && set -- ws
|
||||
|
||||
[ "$1" = traceroute ] && set -- = trace
|
||||
[ "$1" = connected ] && set -- wifi
|
||||
[ "$1" = clear ] && set -- direct
|
||||
[ "$1" = tor ] && set -- torhost
|
||||
|
||||
# scenarios - modes: nat selektor
|
||||
# wifi?
|
||||
## nat - through the Gateway via the nat
|
||||
[ "$1" = nat ] && \
|
||||
set -- ping dns socks http https tordns firefail libvirtguest
|
||||
# wifi?
|
||||
[ "$1" = whonix ] && \
|
||||
set -- ping tordns dns socks http https torhost tordns firefail gw
|
||||
[ "$1" = tor -o "$1" = selektor ] && \
|
||||
set -- ping tordns dns trace torhost nmap gw
|
||||
## torhost implies -
|
||||
#? tor with the firewall to test the host side tor server - call to_tor,dns,ntp in addition
|
||||
[ "$1" = direct -o "$1" = '' ] && \
|
||||
if [ "$1" = nat ] ; then
|
||||
set -- $1 ping dns socks http https dirmngr tordns firefail libvirtguest
|
||||
[ -n "$SOCKS_PORT" ] || WARN empty "$SOCKS_PORT"
|
||||
## vda - through the Gateway with the firewall - also polipo,panic - uses env
|
||||
## ws - through the Gateway with the firewall - it is a vda
|
||||
[ -n "$SOCKS_PORT" ] || WARN empty "$SOCKS_PORT"
|
||||
elif [ "$1" = vda -o "$1" = ws ] ; then
|
||||
# Fixme - guessing
|
||||
# was aret=( 35 3 20 )
|
||||
set -- ping dns socks http https dirmngr tordns firefail libvirtguest
|
||||
## gateway - ssh to the whonix gateway from the torhost
|
||||
elif [ "$1" = gateway ] ; then
|
||||
## gateway - on the Gateway, trans firewall with tor running -
|
||||
#? looks like it had direct in gateway;
|
||||
#? aret=( 23 25 4 5 30 24 17 3 21 ) # 31 6 16
|
||||
set -- ping dns socks http https dirmngr tordns firefail libvirtguest
|
||||
[ -n "$SOCKS_PORT" ] || WARN empty "$SOCKS_PORT"
|
||||
## whonix - whonix torhost with libvirt container running gateway behind firewa
|
||||
elif [ "$1" = whonix ] ; then
|
||||
set -- ping libvirtguest tordns dns socks http https dirmngr torhost tordns firefail gw
|
||||
[ -n "$SOCKS_PORT" ] || WARN empty "$SOCKS_PORT"
|
||||
## torhost - running tor with the firewall
|
||||
[ "$1" = torhost -o "$1" = selektor ] && \
|
||||
set -- ping torhost tordns dns trace nmap gw
|
||||
[ -n "$SOCKS_PORT" ] || WARN empty "$SOCKS_PORT"
|
||||
#? tor with the firewall to test the host side tor server - call to_tor,dns,ntp in addition
|
||||
## direct - assume no firewall and no proxy - but may work depend on env
|
||||
elif [ "$1" = direct -o "$1" = '' ] ; then
|
||||
set -- ping dns trace nmap gw
|
||||
|
||||
## all - all tests not stopping on the first error
|
||||
[ "$1" = all ] && ALL=1
|
||||
# aret="${#tests[@]}"
|
||||
## all - all tests not stopping on the first error
|
||||
elif [ "$1" = all ] ; then
|
||||
ALL=1
|
||||
# aret="${#tests[@]}"
|
||||
fi
|
||||
|
||||
## gw - test if we are connected to the gateway
|
||||
## env - from the cmdline with a properly setup env
|
||||
## firefail - test the proxy without env vars to expect failure
|
||||
## torhost - running tor with the firewall
|
||||
## http - assumes torhost or whonix and env setup
|
||||
## https - assumes torhost or whonix and env setup
|
||||
## socks - assumes torhost or whonix and env setup
|
||||
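Review bot: `[ "$1" = torhost -o "$1" = selektor ] && set -- ping torhost tordns dns trace nmap gw` sits inside the `elif [ "$1" = whonix ]` branch, after that branch has already reset `$1` to `ping`, so it can never match and `torhost`/`selektor` (and the new `tor` alias) fall through with only the single `torhost` argument instead of their test list; make it its own branch, `elif [ "$1" = torhost -o "$1" = selektor ] ; then`, placed before the `direct` case. `[ "$1" = traceroute ] && set -- = trace` keeps a stray `=` that becomes `$1`, so `traceroute` maps to the unknown test `=` with `trace` as the second argument; it should read `set -- trace`. `WARN empty "$SOCKS_PORT"` prints an empty value; `WARN empty SOCKS_PORT` names the variable. `local val="$@"` is assigned but never read in the visible lines. proxy_ping_test_set_args continues outside the hunk.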
@ -373,23 +502,21 @@ proxy_ping_test_set_args () {
|
||||
## iwlist - wlan scan of a wifi host
|
||||
## firewall - test that the firewall blocks
|
||||
## virbr1 - looks for virbr1 on a libvirt host torhost or whonix
|
||||
## gateway - ssh to the whonix gateway from the torhost
|
||||
## trace - traceroute to DNSHOST - icmp is allowed by the firewall, except on vda
|
||||
## wifi - test if we are connected - call scan in addition
|
||||
## libvirthost - hosting a libvirt container
|
||||
## libvirtguest - in a libvirt container
|
||||
## whonix - whonix torhost with libvirt container running gateway behind firewall - aliases: to_gateway from_tor
|
||||
## direct - assume no firewall and no proxy - but may work depend on env
|
||||
|
||||
for elt in "$@" ; do
|
||||
if [ "$elt" = gw -o "$elt" = '' -o "$elt" = env -o \
|
||||
if [ "$elt" = gw -o "$elt" = env -o \
|
||||
"$elt" = https -o "$elt" = http -o "$elt" = socks -o "$elt" = dns -o \
|
||||
"$elt" = torhost -o "$elt" = tordns -o "$elt" = whonix -o \
|
||||
"$elt" = torhost -o "$elt" = 'nat' -o "$elt" = whonix -o "$elt" = selektor -o \
|
||||
"$elt" = tordns -o \
|
||||
"$elt" = libvirthost -o "$elt" = torlibvirthost -o \
|
||||
"$elt" = libvirtguest -o "$elt" = virbr1 -o \
|
||||
"$elt" = ping -o "$elt" = trace -o "$elt" = ntp -o "$elt" = nmap -o \
|
||||
"$elt" = iwlist -o "$elt" = firefail -o "$elt" = direct -o \
|
||||
"$elt" = trace -o "$elt" = wifi -o "$elt" = '' -o "$elt" = '' \
|
||||
"$elt" = trace -o "$elt" = wifi -o "$elt" = 'dirmngr' -o "$elt" = 'test' \
|
||||
] ; then
|
||||
aret+=( `proxy_test_help_args $elt` )
|
||||
else
|
||||
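Review bot: The acceptance test is one `[ ... -o ... ]` chain of some twenty comparisons spread over eight continuation lines, with `"$elt" = trace` listed twice; POSIX marks `-o` obsolescent, and a `case "$elt" in gw|env|https|http|socks|dns|torhost|nat|whonix|selektor|tordns|libvirthost|torlibvirthost|libvirtguest|virbr1|ping|trace|ntp|nmap|iwlist|firefail|direct|wifi|dirmngr|test) ... ;; *) ... ;; esac` keeps the whole list in one place where duplicates are visible. The `for elt` loop and its `else` branch continue outside the hunk.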
@ -407,21 +534,23 @@ if [ "$#" = 0 ] ; then
|
||||
# default to mode
|
||||
set -- $MODE
|
||||
fi
|
||||
if [ $1 = '-h' -o $1 = '--help' ] ; then
|
||||
if [ "$1" = '-h' -o $1 = '--help' ] ; then
|
||||
echo USAGE: $USAGE | sed -e 's/[0-9][0-9]*)/\n&/g'
|
||||
grep '^## [a-oq-z]' $0 | sed -e 's/^## / /'
|
||||
exit 0
|
||||
elif [ "$1" = 0 ] ; then
|
||||
INFO $prog PROXY_WLAN=$PROXY_WLAN MODE=$MODE
|
||||
echo 0 help /tmp/proxy_ping_test.hlp
|
||||
[ -f /tmp/proxy_ping_test.hlp ] || proxy_ping_make_help
|
||||
. /tmp/proxy_ping_test.hlp
|
||||
echo 0 help /tmp/proxy_ping_test-$USER.hlp
|
||||
[ -f /tmp/proxy_ping_test-$USER.hlp ] || proxy_ping_make_help
|
||||
. /tmp/proxy_ping_test-$USER.hlp
|
||||
for elt in "${!tests[@]}" ; do
|
||||
echo $elt "${tests[$elt]}"
|
||||
done
|
||||
exit 0
|
||||
elif [[ $1 =~ ^[0-9] ]] ; then
|
||||
: passthrough
|
||||
elif [ $1 = 'test' -o $1 = '--test' ] ; then
|
||||
set -- 99
|
||||
else
|
||||
set -- `proxy_ping_test_set_args "$@"`
|
||||
DBUG running tests numbered "$@"
|
||||
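Review bot: `if [ "$1" = '-h' -o $1 = '--help' ]` quotes the first `$1` but not the second, and `elif [ $1 = 'test' -o $1 = '--test' ]` quotes neither; with an empty `MODE` (the `set -- $MODE` default just above) `[` sees `= '--help'` and aborts with a syntax error instead of reaching the usage text. Quote both: `if [ "$1" = '-h' -o "$1" = '--help' ] ; then` and `elif [ "$1" = 'test' -o "$1" = '--test' ] ; then`. The `if`/`elif` chain continues outside the hunk.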
@ -459,7 +588,7 @@ while [ "$#" -gt 0 ] ; do
|
||||
tests[1]="wget_https_as_user wget ${HTTPS_PORT} - https "
|
||||
[ -n "$https_proxy" ] && LARGS="" || \
|
||||
LARGS="env https_proxy=https://${HTTPS_HOST}:${HTTPS_PORT}"
|
||||
$LARGS $WGET https://$HTTP_TARGET
|
||||
$LARGS $WGET https://$HTTP_TARGET 2>/dev/null
|
||||
retval=$?
|
||||
if [ $retval -eq 8 -o $retval -eq 0 ] ; then
|
||||
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||
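Review bot: `$LARGS $WGET https://$HTTP_TARGET 2>/dev/null` discards wget's diagnostics, so when the branch below sees a status other than 0 or 8 there is nothing left to distinguish a certificate failure from a proxy refusal; append them to the error log the other tests use, `2>>$ELOG`, rather than dropping them. The `tests[1]` branch and the enclosing `while` loop continue outside the hunk.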
@ -547,9 +676,9 @@ while [ "$#" -gt 0 ] ; do
|
||||
GREP="$SOCKS_DNS"
|
||||
|
||||
elif [ $ARG -eq 6 ] ; then
|
||||
tests[6]="curl_https_as_user - https "
|
||||
proxy=`proxy_ping_get_https`
|
||||
desc="curl --proxy http://${proxy}"
|
||||
tests[6]="curl_https_as_user - https "
|
||||
proxy_ping_curl --proxy http://${proxy} \
|
||||
--proxy-insecure https://$HTTP_TARGET || { \
|
||||
retval=$?
|
||||
@ -630,7 +759,6 @@ while [ "$#" -gt 0 ] ; do
|
||||
tests[12]="nmap_dns_as_root --privileged --send-eth -Pn -sU -p U:53 $DNS_HOST1 - nmap direct "
|
||||
[ $USER = root ] || continue
|
||||
which nmap 2>/dev/null >/dev/null || continue
|
||||
[ -z "$DNS_HOST1" ] && DNS_HOST1="208.67.220.220"
|
||||
nmap --privileged --send-eth -Pn -sU -p U:53 "$DNS_HOST1" || { \
|
||||
retval=$?
|
||||
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval nmap 53
|
||||
@ -641,9 +769,9 @@ while [ "$#" -gt 0 ] ; do
|
||||
GREP="53"
|
||||
|
||||
elif [ $ARG -eq 13 ] ; then
|
||||
tests[13]="curl_firewall_bin - wifi "
|
||||
tests[13]="curl_firewall_bin - firewall "
|
||||
[ $USER = root ] || continue
|
||||
proxy_test_curl_firewall_bin || continue
|
||||
proxy_test_curl_firewall_asbin || continue
|
||||
INFO $prog test=$ARG "${tests[$ARG]}" curl bin
|
||||
# works
|
||||
GREP="443"
|
||||
@ -664,7 +792,7 @@ while [ "$#" -gt 0 ] ; do
|
||||
INFO $prog test=$ARG "${tests[$ARG]}" proxy_test_dig_direct
|
||||
|
||||
elif [ $ARG -eq 16 ] ; then
|
||||
tests[16]="nslookup_as_root nslookup $PRIV_BIN_OWNER - torhost "
|
||||
tests[16]="nslookup_as_root nslookup ${DNS_HOST1} $PRIV_BIN_OWNER - firewall "
|
||||
[ $USER = root ] || continue
|
||||
[ $HAVE_NSLOOKUP = 1 ] || continue
|
||||
su -c "$NSL $DNS_TARGET $DNS_HOST1" -s /bin/sh $PRIV_BIN_OWNER >/dev/null || { \
|
||||
@ -705,7 +833,8 @@ while [ "$#" -gt 0 ] ; do
|
||||
GREP="123"
|
||||
elif [ $ARG -eq 19 ] ; then
|
||||
tests[19]="curl_noproxy_http_as_user curl raw noproxy - firefail "
|
||||
proxy_ping_curl --noproxy "'*.*'" --connect-timeout $TIMEOUT \
|
||||
timeout -k $TIMEOUT $TIMEOUT env - $CURL \
|
||||
--noproxy "'*.*'" --connect-timeout $TIMEOUT \
|
||||
http://$HTTP_TARGET >/dev/null && {
|
||||
retval=$?
|
||||
ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" curl raw --noproxy
|
||||
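Review bot: `--noproxy "'*.*'"` hands curl the literal string `'*.*'` including the single quotes, which matches no host, so the only thing keeping this request off the proxy is `env -`; use `--noproxy '*'` as test 31 does in `@ -856,9 +985,10`. `env -` also clears PATH, so `$CURL` must be an absolute path or the test fails for an unrelated reason. In both this hunk and test 31 the `&& { retval=$? ...` branch only runs after a successful command, so `retval` is always 0 and the `retval=$retval` in the ERROR line carries no information; report the test number alone. The `tests[19]` branch continues outside the hunk.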
@ -782,7 +911,7 @@ while [ "$#" -gt 0 ] ; do
|
||||
[ $HAVE_NSLOOKUP = 1 ] || continue
|
||||
# noenv with or without proxy
|
||||
# @$DNS_HOST1 should fail for firewall unless dnsmasq is working
|
||||
$NSL >/dev/null $DNS_TARGET || { \
|
||||
$NSL >/dev/null $DNS_TARGET ${DNS_HOST} || { \
|
||||
retval=$?
|
||||
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval nslookup $DNS_TARGET
|
||||
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||
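Review bot: `$NSL >/dev/null $DNS_TARGET ${DNS_HOST}` reads `DNS_HOST`, whereas every other test on this page uses `DNS_HOST1`; if that is a typo the server argument silently expands to nothing and nslookup falls back to the system resolver, which is a different test from the one the comment above it describes. If `DNS_HOST` is a deliberate separate variable, a comment naming where it is set would avoid the question. The enclosing `elif` branch continues outside the hunk.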
@ -832,7 +961,7 @@ while [ "$#" -gt 0 ] ; do
|
||||
|
||||
elif [ $ARG -eq 30 ] ; then
|
||||
tests[30]="tor_bootstrap_check_as_root tor_bootstrap_check.py - torhost "
|
||||
[ $MODE = tor -o $MODE = whonix -o $MODE = selektor ] || {
|
||||
[ $MODE = tor -o $MODE = whonix -o $MODE = gateway -o $MODE = selektor ] || {
|
||||
# are there other roles that run tor?
|
||||
WARN $prog MODE != tor test=$ARG
|
||||
}
|
||||
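Review bot: `[ $MODE = tor -o $MODE = whonix -o $MODE = gateway -o $MODE = selektor ] || {` leaves `$MODE` unquoted four times; when it is empty the test degenerates to `[ = tor -o = whonix ... ]`, a syntax error, and the WARN branch never runs. Quote it, or use `case "$MODE" in tor|whonix|gateway|selektor) ;; *) WARN $prog MODE != tor test=$ARG ;; esac`. The `tests[30]` branch continues outside the hunk.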
@ -856,9 +985,10 @@ while [ "$#" -gt 0 ] ; do
|
||||
|
||||
elif [ $ARG -eq 31 ] ; then
|
||||
tests[31]="curl_noproxy_as_root polipo http pages $HTTP_PORT - direct http "
|
||||
proxy_ping_curl --noproxy http://${HTTP_HOST}:$HTTP_PORT && { \
|
||||
timeout -k $TIMEOUT $TIMEOUT env - $CURL \
|
||||
--noproxy '*' http://${HTTP_TARGET} && { \
|
||||
retval=$?
|
||||
ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" retval=$retval http to $HTTP_PORT
|
||||
ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" retval=$retval $HTTP_TARGET
|
||||
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||
}
|
||||
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||
@ -908,9 +1038,9 @@ while [ "$#" -gt 0 ] ; do
|
||||
[ $USER = root ] || continue
|
||||
[ $HAVE_DIG = 1 ] || continue
|
||||
# @$DNS_HOST1
|
||||
su -c "dig pool.ntp.org +timeout=$TIMEOUT" -s /bin/sh $PRIV_BIN_OWNER >/dev/null || { \
|
||||
su -c "dig $NTP_HOST2 +timeout=$TIMEOUT" -s /bin/sh $PRIV_BIN_OWNER >/dev/null || { \
|
||||
retval=$?
|
||||
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval dig pool.ntp.org $PRIV_BIN_OWNER
|
||||
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval dig $NTP_HOST2 $PRIV_BIN_OWNER
|
||||
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||
}
|
||||
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||
@ -918,12 +1048,12 @@ while [ "$#" -gt 0 ] ; do
|
||||
GREP="53"
|
||||
|
||||
elif [ $ARG -eq 36 ] ; then
|
||||
tests[36]="tor_resolve_as_user tor-resolve pool.ntp.org - tordns "
|
||||
tests[36]="tor_resolve_as_user tor-resolve $NTP_HOST2 - tordns "
|
||||
[ $HAVE_TOR_RESOLVE = 1 ] || continue
|
||||
tor-resolve pool.ntp.org >/dev/null || { \
|
||||
tor-resolve $NTP_HOST2 >/dev/null || { \
|
||||
retval=$?
|
||||
# dunno Failed parsing SOCKS5 response conf?
|
||||
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval tor-resolve pool.ntp.org
|
||||
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval tor-resolve $NTP_HOST2
|
||||
continue
|
||||
}
|
||||
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||
@ -931,7 +1061,7 @@ while [ "$#" -gt 0 ] ; do
|
||||
GREP="9053"
|
||||
|
||||
elif [ $ARG -eq 37 ] ; then
|
||||
tests[37]="qemu-guest-agent and ports - libvirtguest "
|
||||
tests[37]="qemu_guest_agent_ports - libvirtguest "
|
||||
ser=qemu-guest-agent
|
||||
proxy_rc_service $ser status >/dev/null || proxy_rc_service $ser start
|
||||
proxy_rc_service $ser status >/dev/null || { \
|
||||
@ -946,8 +1076,9 @@ while [ "$#" -gt 0 ] ; do
|
||||
}
|
||||
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||
GREP=""
|
||||
|
||||
elif [ $ARG -eq 38 ] ; then
|
||||
tests[38]="qemu-guest-agent and ports - libvirthost "
|
||||
tests[38]="check_libvirt_running - libvirthost "
|
||||
[ $USER = root ] || continue
|
||||
$PL proxy_libvirt_list
|
||||
aret=$?
|
||||
@ -957,12 +1088,42 @@ while [ "$#" -gt 0 ] ; do
|
||||
DBUG proxy_libvirt_status aret=$aret
|
||||
else
|
||||
# was $GATEW_DOM but now can be gentoo_vm-2 etc
|
||||
$PL proxy_libvirt_list 2>&1 | grep -q "running" || {
|
||||
WARN MODE=$MODE and nothing libvirt running ;
|
||||
$PL proxy_libvirt_list 2>&1| grep -q "running" || {
|
||||
WARN MODE=$MODE and nothing libvirt running
|
||||
continue
|
||||
}
|
||||
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||
fi
|
||||
|
||||
elif [ $ARG -eq 39 ] ; then
|
||||
tests[39]="proxy_test_dirmngr - dirmngr "
|
||||
[ $USER = root ] || continue
|
||||
proxy_test_dirmngr
|
||||
|
||||
elif [ $ARG -eq 99 ] ; then
|
||||
tests[99]="test_all_modes unfinished not sure"
|
||||
[ $USER = root ] || continue
|
||||
for elt in vda selektor ws gateway nat tor whonix; do
|
||||
INFO testing $elt
|
||||
if [ "$MODE" = vda ] ; then
|
||||
: vda
|
||||
elif [ "$MODE" = selektor ] ; then
|
||||
: selektor
|
||||
elif [ "$MODE" = ws ] ; then
|
||||
: ws
|
||||
elif [ "$MODE" = gateway ] ; then
|
||||
: gateway
|
||||
elif [ "$MODE" = nat ] ; then
|
||||
: nat
|
||||
elif [ "$MODE" = tor ] ; then
|
||||
: tor
|
||||
elif [ "$MODE" = whonix ] ; then
|
||||
: whonix
|
||||
else
|
||||
WARN unrecognized mode MODE=$elt
|
||||
fi
|
||||
done
|
||||
|
||||
elif false ; then
|
||||
if ! grep -q '10.152.152.10\|127.0.0.1' /etc/resolv.conf ; then
|
||||
$NETS | grep -q :53 || {
|
||||
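Review bot: In the new `tests[99]` loop every branch compares `"$MODE"` rather than the loop variable, so `for elt in vda selektor ws gateway nat tor whonix` evaluates the same condition seven times and `WARN unrecognized mode MODE=$elt` names a value that was never tested; the conditions should read `[ "$elt" = vda ]` and so on, or the loop should wait until the `:` placeholders do something. `tests[39]` calls `proxy_test_dirmngr` and ignores its status, unlike its neighbours which record `retval` and log ERROR/INFO and honour `$ALL`; at minimum `proxy_test_dirmngr || { retval=$? ; ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval ; [ -z "$ALL" ] && exit $ARG$retval || continue ; }`. The `while` loop continues outside the hunk.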
@ -977,21 +1138,3 @@ while [ "$#" -gt 0 ] ; do
|
||||
|
||||
done
|
||||
exit 0
|
||||
|
||||
1)
|
||||
env https_proxy=http://${SOCKS_HOST}:${HTTPS_PORT} wget $D -O - --no-check-certificate
|
||||
2)
|
||||
curl $D -k --proxy
|
||||
3)
|
||||
curl $D -k --proxy socks5://${SOCKS_HOST}:$SOCKS_PORT --proxy-insecure
|
||||
6)
|
||||
curl -k --proxy $HTTP_PORT
|
||||
16)
|
||||
nslookup $PRIV_BIN_OWNER
|
||||
18)
|
||||
ntpdate as sroot
|
||||
19)
|
||||
curl raw noproxy
|
||||
0)
|
||||
usage
|
||||
|
||||
|
@ -161,8 +161,8 @@ else
|
||||
fi
|
||||
CURL_ARGS="-vvv --cacert $CAFILE --cert-status --connect-timeout $timeout"
|
||||
|
||||
if [ -f /var/local/bin/analyze-ssl.pl.bash ] ; then
|
||||
analyze=/var/local/bin/analyze-ssl.pl.bash
|
||||
if [ -f $PREFIX/bin/analyze-ssl.pl.bash ] ; then
|
||||
analyze=$PREFIX/bin/analyze-ssl.pl.bash
|
||||
ANALYZE_ARGS="-v --timeout $timeout --CApath $CAFILE --all-ciphers"
|
||||
else
|
||||
analyze=""
|
||||
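Review bot: `[ -f $PREFIX/bin/analyze-ssl.pl.bash ]` and `analyze=$PREFIX/bin/analyze-ssl.pl.bash` rely on `PREFIX` being set earlier in this file, which the hunk does not show; if it is not, the test silently checks `/bin/analyze-ssl.pl.bash` and the analyzer is never enabled. Guard it once near the top with `: "${PREFIX:?PREFIX is not set}"` or default it with `PREFIX=${PREFIX:-/usr/local}`; the same applies to `$PREFIX/bin/curl.bash` in `@ -51,8 +51,8`. Note that this also moves the lookup from `/var/local/bin` to wherever PREFIX points, which may be intended but deserves a line in the commit message. The `if`/`else` block continues outside the hunk.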
|
@ -15,7 +15,7 @@ SSL_VER=3
|
||||
. /usr/local/bin/proxy_ping_lib.bash
|
||||
[ -f /usr/local/bin/proxy_curl_lib.bash ] && \
|
||||
. /usr/local/bin/proxy_curl_lib.bash
|
||||
if ! route | grep -q ^def ; then
|
||||
if ! grep -q "^wlan[1-9][ ]00000000" /proc/net/route ; then
|
||||
WARN $prog we are not connected >&2
|
||||
exit -1
|
||||
fi
|
||||
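Review bot: `grep -q "^wlan[1-9][ ]00000000" /proc/net/route` replaces a general default-route check with one that only matches interfaces literally named `wlan1` to `wlan9`, so a host whose default route is on eth0, wlan0 or a predictably named `wlp…` interface is now told it is not connected and exits; `/proc/net/route` is tab-separated, so if the bracket holds a space rather than a tab the pattern never matches at all. The curl.bash added on this page uses `ip route | grep -q ^def`, which keeps the original meaning; the same pattern also appears in `@ -111,7 +111,7 @@ proxy_vda_start` and in dirmngr.bash. `exit -1` is reported as 255; `exit 1` says what is meant.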
@ -51,8 +51,8 @@ LARGS+=( --proto-redir https --proto-default https --proto =https )
|
||||
[ -z "$socks_proxy" ] && . /usr/local/bin/proxy_export.bash
|
||||
|
||||
SSL_LIB=openssl # nss
|
||||
if [ -x /var/local/bin/curl.bash ] ; then
|
||||
EXE=/var/local/bin/curl.bash
|
||||
if [ -x $PREFIX/bin/curl.bash ] ; then
|
||||
EXE=$PREFIX/bin/curl.bash
|
||||
elif which scurl ; then
|
||||
EXE=`which scurl`
|
||||
else
|
||||
|
@ -3,25 +3,21 @@
|
||||
|
||||
set -o pipefail || exit 1
|
||||
|
||||
# was in /usr/lib/whonix-libvirt/install
|
||||
# unlike that one, this should be idempotent
|
||||
# [ -f /var/lib/whonix-libvirt/install.done ] && exit 0
|
||||
|
||||
prog=$( basename $0 .bash )
|
||||
PREFIX=/usr/local
|
||||
ROLE=base
|
||||
. /usr/local/bin/usr_local_tput.bash
|
||||
|
||||
. /usr/local/sbin/proxy-libvirt-install.bash
|
||||
|
||||
# was in /usr/lib/whonix-libvirt/install
|
||||
# unlike that one, this should be idempotent
|
||||
# [ -f /var/lib/whonix-libvirt/install.done ] && exit 0
|
||||
|
||||
GATEW=1
|
||||
# for testforge use we only need the Gateway
|
||||
WORKS=
|
||||
|
||||
[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
|
||||
. /usr/local/bin/proxy_ping_lib.bash || \
|
||||
{ echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 1; }
|
||||
. /usr/local/bin/usr_local_base.bash || exit 2
|
||||
|
||||
MODE=`proxy_ping_mode`
|
||||
[ $MODE = whonix ] || exit 0
|
||||
|
||||
#? echo ERROR: avoiding $prog proxy_whonix-libvirt-install.bash ; exit 10
|
||||
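Review bot: `[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash` tests one path and sources another, so with `PREFIX=/usr/local` it works by coincidence and with any other PREFIX it either skips the file or sources one it did not check; use the same expansion on both sides, `[ -f $PREFIX/etc/testforge/testforge.bash ] && . $PREFIX/etc/testforge/testforge.bash`. The new `. /usr/local/sbin/proxy-libvirt-install.bash` is sourced without a status check while `usr_local_base.bash` a few lines later gets `|| exit 2`; a missing or failing install library should stop the script the same way. `[ $MODE = whonix ] || exit 0` leaves `$MODE` unquoted and errors if `proxy_ping_mode` prints nothing.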
@ -29,9 +25,6 @@ MODE=`proxy_ping_mode`
|
||||
[ -x /usr/local/bin/proxy_libvirt_hook_network.bash ] || exit 12
|
||||
/usr/local/bin/proxy_libvirt_hook_network.bash || exit 13
|
||||
|
||||
[ -d /usr/local/var/log ] || mkdir /usr/local/var/log || exit 14
|
||||
chmod 1777 /usr/local/var/log
|
||||
|
||||
[ -f /etc/firewall.conf.whonix ] || \
|
||||
cp -p /usr/local/etc/firewall.conf.* /etc/ || exit 15
|
||||
|
||||
@ -49,36 +42,14 @@ EOF
|
||||
[ -x /etc/libvirt/hooks/network ] || chmod a+x /etc/libvirt/hooks/network
|
||||
/etc/libvirt/hooks/network || exit 16
|
||||
|
||||
## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
|
||||
## See the file COPYING for copying conditions.
|
||||
set -e
|
||||
|
||||
## {{ Taken from qemu-system-common.postinst.
|
||||
# Add the kvm group unless it's already there
|
||||
if ! getent group kvm >/dev/null; then
|
||||
addgroup --quiet --system kvm || true
|
||||
fi
|
||||
## }} Taken from qemu-system-common.postinst.
|
||||
|
||||
## {{ Taken from libvirt-bin.postinst.
|
||||
if ! getent group libvirt >/dev/null; then
|
||||
addgroup --system libvirt
|
||||
fi
|
||||
## }} Taken from libvirt-bin.postinst.
|
||||
|
||||
## Existence of user "user" is not guaranteed at this point.
|
||||
if grep -q ^user /etc/passwd ; then
|
||||
grep -q ^kvm /etc/group || addgroup user kvm
|
||||
grep -q ^libvirt /etc/group || addgroup user libvirt
|
||||
fi
|
||||
|
||||
## Create shared directory and adjust permissions
|
||||
[ -d /mnt/gateway-shared ] || mkdir --parents /mnt/gateway-shared
|
||||
[ -n "$WORKS" ] && [ -d /mnt/workstation-shared ] || mkdir --parents /mnt/workstation-shared
|
||||
chmod 1777 /mnt/gateway-shared
|
||||
[ -n "$WORKS" ] && chmod 1777 /mnt/workstation-shared
|
||||
|
||||
|
||||
## networks
|
||||
proxy_virsh net-list --all | grep -q default || \
|
||||
virsh -c qemu:///system net-autostart "default" || exit 1$?
|
||||
@ -97,7 +68,6 @@ proxy_virsh net-list | grep -q Whonix-External || \
|
||||
proxy_virsh net-list | grep -q Whonix-Internal || \
|
||||
virsh -c qemu:///system net-start "Whonix-Internal" || exit 6$?
|
||||
|
||||
lsmod | grep -q kvm||modprobe kvm || exit 7
|
||||
temp_dir=/usr/local/etc/libvirt/qemu
|
||||
|
||||
if virsh capabilities | grep -q "<domain type='kvm'" ; then
|
||||
|
@ -111,7 +111,7 @@ proxy_vda_start () {
|
||||
ifconfig eth0 $IP netmask 255.255.192.0 broadcast 10.152.191.255
|
||||
#? inet $IP netmask 255.0.0.0 broadcast 10.255.255.255
|
||||
fi
|
||||
ip route | grep -q ^default || \
|
||||
ip grep -q "^wlan[1-9][ ]00000000" /proc/net/route || \
|
||||
route add default gw $PROXY_WLAN_GW
|
||||
|
||||
# dnsmasq
|
||||
|
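--- a/overlay/Linux/usr/local/src/curl.bash
+++ b/overlay/Linux/usr/local/src/curl.bash
@@ -0,0 +1,72 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
+
+ROLE=proxy
+PREFIX=/usr/local
+
+. /usr/local/bin/usr_local_tput.bash || exit 2
+
+ip route | grep -q ^def || {
+WARN we are not connected >&2
+exit 1
+}
+
+[ -f $HOME/.curlrc ] || touch $HOME/.curlrc
+
+declare -a CURL_OPTS
+# --silent --show-error
+CURL_OPTS=( --fail-early --fail )
+
+[[ "$*" =~ --http0.9 ]] || [[ "$*" =~ --http1 ]] || [[ "$*" =~ --http1.1 ]] || \
+[[ "$*" =~ --http2 ]] || [[ "$*" =~ --http3 ]] || CURL_OPTS+=( --http0.9 )
+[[ ! "$*" =~ --retry ]] && CURL_OPTS+=( --retry 3 )
+[[ ! "$*" =~ -4 ]] && CURL_OPTS+=( -4 )
+# [[ ! "$*" =~ --http2 ]] && CURL_OPTS+=( --http2 )
+[[ ! "$*" =~ --max-redirs ]] && CURL_OPTS+=( --max-redirs 10 )
+[[ ! "$*" =~ --location ]] && CURL_OPTS+=( --location )
+[[ ! "$*" =~ --remote-time ]] && CURL_OPTS+=( --remote-time )
+[[ ! "$*" =~ --create-dirs ]] && CURL_OPTS+=( --create-dirs )
+
+if [[ "$socks_proxy" =~ socks5://.* ]] ; then
+export socks_proxy="$( echo $socks_proxy | sed -e 's@socks5://@socks5h://@' )"
+fi
+
+if [[ ! "$*" =~ --proxy ]] && [ -n "$socks_proxy" ] ; then
+CURL_OPTS+=( --proxy $socks_proxy )
+[ -n "$https_proxy" ] && export https_proxy= && unset https_proxy
+[ -n "$http_proxy" ] && export http_proxy= && unset http_proxy
+elif [ -n "$https_proxy" ] ; then
+CURL_OPTS+=( --proxy $https_proxy )
+[ -n "$http_proxy" ] && export http_proxy= && unset http_proxy
+elif [ -n "$http_proxy" ] ; then
+CURL_OPTS+=( --proxy $http_proxy )
+fi
+export CURL_OPTS+=( -L )
+
+if [ -d $HOME/.local/ ] ; then
+[ -f $HOME/.local/jar.cookie ] || touch $HOME/.local/jar.cookie
+[[ ! "$*" =~ --cookie-jar ]] && \
+CURL_OPTS+=( --cookie-jar $HOME/.local/jar.cookie --junk-session-cookies )
+fi
+
+if ! uname -a | grep -q 'Devuan\|Debian' && [ -s $HOME/.local/alt.svc ] ; then
+export CURL_OPTS+=( --alt-svc $HOME/.local/alt.svc )
+# #define CURLALTSVC_H2 (1<<4)
+export CURLOPT_ALTSVC_CTRL=16
+fi
+
+[[ ! "$*" =~ --config ]] && [ -s "$HOME/.curlrc" ] && \
+export CURL_OPTS+=( --config $HOME/.curlrc )
+[[ ! "$*" =~ --cookie-jar ]] && [ -s $HOME/.local/jar.cookie ] && \
+export CURL_OPTS+=( --cookie-jar $HOME/.local/jar.cookie )
+if [[ ! "$*" =~ --capath ]] && \
+[[ ! "$*" =~ --cacert ]] && \
+[ -s /usr/local/etc/ssl/cacert-testforge.pem ] ; then
+# --capath /usr/local/etc/:/etc/ssl/certs
+export CURL_OPTS+=( --cacert /usr/local/etc/ssl/cacert-testforge.pem )
+export CURL_CA_BUNDLE=/usr/local/etc/ssl/cacert-testforge.pem
+fi
+
+export CURL_OPTS
+DBUG /usr/bin/curl "${CURL_OPTS[@]}" "$@" >&2
+exec /usr/bin/curl "${CURL_OPTS[@]}" "$@"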
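Review bot: `CURL_OPTS+=( --http0.9 )` re-enables HTTP/0.9 responses for every call that does not name an HTTP version; curl turned that off by default because a 0.9 reply carries no status line or headers, so a wrapper that otherwise tightens things with `--fail` and `--cacert` is loosening the response checks here, and the line should be dropped or made opt-in. The socks branch adds `--proxy $socks_proxy` unquoted while the rest of the script is careful with `"${CURL_OPTS[@]}"`; write `--proxy "$socks_proxy"` (and the same for the https/http branches). `--cookie-jar $HOME/.local/jar.cookie` is appended twice, once inside the `-d $HOME/.local/` block and again under the `-s` test, because the `[[ ! "$*" =~ --cookie-jar ]]` guard inspects the caller's arguments and not CURL_OPTS; curl takes the last one, so it is harmless but misleading. `export` on an array assignment such as `export CURL_OPTS+=( -L )` does not place the array in the environment of the exec'd curl; plain `CURL_OPTS+=( -L )` states what actually happens.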
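--- a/overlay/Linux/usr/local/src/dirmngr.bash
+++ b/overlay/Linux/usr/local/src/dirmngr.bash
@@ -0,0 +1,63 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+PREFIX=/usr/local
+ROLE=proxy
+
+. /usr/local/bin/usr_local_base.bash || exit 2
+
+if [ "$#" -eq 1 -a "$1" = '--version' ] ; then
+exec /usr/bin/dirmngr.bin --version
+return 0
+fi
+
+# echo "DEBUG: $0 GNUPGHOME=$GNUPGHOME $*" >> /tmp/$$.out
+PROXY_GPG_KEYSERVER=keys.openpgp.org
+
+[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash >/dev/null
+[ -z "$PROXY_GPG_KEYERVER_URL" ] && PROXY_GPG_KEYERVER_URL=hkps://$PROXY_GPG_KEYSERVER
+
+# ONLY disabling on the command line or
+[ -e /proc/sys/net/ipv6/conf/default/disable_ipv6 ] && \
+[ `cat /proc/sys/net/ipv6/conf/default/disable_ipv6` -eq 0 ] && \
+echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
+
+PROXY_WLAN=$( /usr/local/bin/proxy_ping_lib.bash proxy_set_if ) # || return 1$?
+if [ -n "$PROXY_WLAN" ] ; then
+wlan7=$PROXY_WLAN
+
+[ -e /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6 ] && \
+[ `cat /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6` -eq 0 ] && \
+echo 1 > /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6
+fi
+
+grep -q "^wlan[1-9][ ]00000000" /proc/net/route || { ERROR no route ; exit 1; }
+[ ! -x /usr/bin/netstat ] || \
+netstat -nlp | grep -q 127.0.0.1:53 || { ERROR no nameserver ; exit 4; }
+
+[ -z "$USER" ] && USER=$(id -un )
+if [ $USER = root ] ; then
+[ -x /usr/bin/dirmngr -a ! -x /usr/bin/dirmngr.bin ] && \
+mv /usr/bin/dirmngr /usr/bin/dirmngr.bin
+[ -x /usr/bin/dirmngr.bin -a ! -x /usr/bin/dirmngr ] && \
+ln -s /usr/local/bin/proxy_dirmngr.bash /usr/bin/dirmngr
+fi
+
+[ ! -x /usr/bin/dirmngr -o ! -x /usr/bin/dirmngr.bin ] && exit 2
+[ -f /etc/dirmngr/dirmngr.conf ] || exit 3
+
+# This is not enough: --disable-ipv6
+# --keyserver hkps://keys.gentoo.org is required
+# --http-proxy http://127.0.0.1:3128
+# --keyserver $PROXY_GPG_KEYERVER_URL
+# --no-use-tor is REQUIRED if you are running tor
+# EVEN IF YOU DOT USE use-tor - silent dns failure
+
+exec /usr/bin/dirmngr.bin --server -vvv --debug-all \
+--options /etc/dirmngr/dirmngr.conf \
+--nameserver 127.0.0.1 \
+--disable-ipv6 \
+--disable-ldap \
+--no-use-tor \
+--log-file /var/log/dirmngr.log --debug-level 4 \
+"$@"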
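Review bot: The wrapper has host-wide side effects that a keyserver helper should not have: every invocation writes `1` to `/proc/sys/net/ipv6/conf/default/disable_ipv6` (and to the wlan interface's), and when run as root it moves `/usr/bin/dirmngr` to `/usr/bin/dirmngr.bin` and symlinks `/usr/local/bin/proxy_dirmngr.bash` in its place, so a gpg key fetch silently disables IPv6 for the whole host and re-hijacks the binary after every package upgrade; those belong in the role's install tasks, with the wrapper only doing `[ -x /usr/bin/dirmngr.bin ] || exit 2`. `return 0` after `exec /usr/bin/dirmngr.bin --version` is unreachable and invalid outside a function; delete it. `PROXY_GPG_KEYERVER_URL` is computed but never reaches the exec (the `--keyserver` line is only in a comment), so either add `--keyserver "$PROXY_GPG_KEYERVER_URL"` or drop the variable. `-vvv --debug-all --debug-level 4` with `--log-file /var/log/dirmngr.log` persistently logs every keyserver lookup at the highest verbosity; make that conditional on a debug setting rather than unconditional.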
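--- a/overlay/Linux/usr/local/src/gentoo_lis_to_urls.bash
+++ b/overlay/Linux/usr/local/src/gentoo_lis_to_urls.bash
@@ -0,0 +1,17 @@
+#!/bin/sh
+# filter
+ROLE=proxy
+CACHE=/mnt/i/net/Http
+grep --text ^http:// | \
+sed -e 's@ftp://[^ ]*@@g' | \
+while read line ; do
+for url in $line ; do
+base=`basename "$url"`
+[ -e /usr/portage/distfiles/$base ] && break
+pre=`sed -e "s@http://@${CACHE}@" <<< $url`
+[ -e $pre ] && break
+echo $line
+break
+done
+done
+exit 0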
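Review bot: `pre=\`sed -e "s@http://@${CACHE}@" <<< $url\`` uses a bash here-string under `#!/bin/sh`, so on a dash-style /bin/sh the script dies with a syntax error before reading any input; either change the shebang to `#!/bin/bash` (the file is named .bash) or use `pre=$(printf '%s\n' "$url" | sed -e "s@http://@${CACHE}@")`. `while read line` without `-r` interprets backslashes in the input; `while read -r line` is what a URL filter wants. `[ -e $pre ]` is unquoted; `[ -e "$pre" ]` costs nothing and survives a cache path with spaces.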
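--- /dev/null
+++ b/overlay/Linux/usr/local/src/gentoo_swget_urls.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+ROLE=proxy
+
+# filter - arguments are to wget - quoted?
+if [ "$#" -eq 0 ] ; then
+WARGS="-xc -P /i/net/Http --tries=1 --no-hsts"
+export CURL_OPTS="-C - --retry 3 --remote-name --create-dirs"
+else
+WARGS="$@"
+export CURL_OPTS="$@"
+fi
+grep ^http | \
+sed -e 's@ftp://[^ ]*@@' \
+-e 's@^https://distfiles.gentoo.org/distfiles/[^ ]* https://pypi.python.org/@https://pypi.python.org/@' \
+-e 's/http:/https:/' \
+-e 's@distfiles.gentoo.org/@mirror.leaseweb.com/gentoo/@g' | \
+while read urls ; do
+url=`echo $urls|sed -e 's@ .*@@'`
+base=`basename "$url"`
+[ -e /usr/portage/distfiles/$base ] && echo distfiles/$base && continue
+for url in $urls ; do
+# wget --restrict-file-names=windows --no-verbose $WARGS $url || continue
+scurl.bash --directory-prefix /i/net/Http --force-directories \
+-- $CURL_OPTS $url || continue
+
+break
+done
+done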
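Review bot: The `-e 's/http:/https:/'` substitution has no `g` flag, so only the first URL on each input line is upgraded to https; the fallback mirrors that the inner `for url in $urls` loop tries after a failure are still fetched over plain http, and `-e 's@http:@https:@g'` closes that gap. `WARGS="$@"` and `export CURL_OPTS="$@"` flatten the argument list into one string that is later word-split, so any quoted option containing a space is torn apart, and `WARGS` is never used now that the wget line is commented out. Nothing in this script verifies what lands in /i/net/Http, so the rewrite of distfiles.gentoo.org to mirror.leaseweb.com relies entirely on portage's Manifest check when the cached file is later consumed; that assumption deserves a comment on the rewrite line.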
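--- /dev/null
+++ b/overlay/Linux/usr/local/src/gitproxy.bash
@@ -0,0 +1,10 @@
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+PREFIX=/usr/local
+ROLE=proxy
+
+# BEGIN ANSIBLE MANAGED BLOCK proxy
+exec corkscrew $1 $2
+# $1 %h $2 %p
+#? exec connect -4 -S : $(tor-resolve $1 :) $2
+# END ANSIBLE MANAGED BLOCK proxy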
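Review bot: `exec corkscrew $1 $2` hands corkscrew only the destination host and port (the comment below says `$1 %h $2 %p`); corkscrew's usage, as I recall it, is `corkscrew proxyhost proxyport desthost destport [authfile]`, so without the local proxy in front it has nothing to tunnel through — confirm against its man page and, if so, prepend the proxy the rest of the role uses, e.g. `exec corkscrew 127.0.0.1 3128 "$1" "$2"`. The file also has no shebang, so whether git's core.gitproxy invocation runs it at all depends on the `#!`-less exec fallback; add `#!/bin/sh` as the first line.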
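--- /dev/null
+++ b/overlay/Linux/usr/local/src/proxy_ansible.bash
@@ -0,0 +1,12 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+
+. /usr/local/etc/testforge/testforge.bash
+PREFIX=$PROXY_VAR_LOCAL
+
+[ "$#" -eq 0 ] && set -- proxy
+
+exec bash $PREFIX/bin/testforge_ansible.bash "$@"
+
+ROLE=proxy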
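Review bot: `ROLE=proxy` on the last line is unreachable because the `exec` on the line before replaces the shell; either drop it or move it above the `exec`. `PREFIX=$PROXY_VAR_LOCAL` is taken on trust from the sourced testforge.bash: if that file is missing or does not set the variable, the script silently runs `bash /bin/testforge_ansible.bash` instead of the intended tree. Guard both with `. /usr/local/etc/testforge/testforge.bash || exit 2` and `: "${PROXY_VAR_LOCAL:?not set by testforge.bash}"`.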
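--- /dev/null
+++ b/overlay/Linux/usr/local/src/proxy_curl_lib.bash
@@ -0,0 +1,401 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+ROLE=proxy
+
+. /usr/local/bin/usr_local_tput.bash || exit 2
+
+
+## proxy_ami_cloudflared
+proxy_ami_cloudflared() {
+[ $# -gt 0 ] || return 1
+local ip=$1
+for no in "${CLOUDFN[@]}" ; do
+nopat=`sed -e 's@[.0]*/[0-9][0-9]@@' <<< $no`
+[[ $ip =~ ${nopat}.* ]] && {
+# WARN $url cloudflared $ip $no
+echo True
+return 0
+}
+done
+echo False
+return 0
+}
+
+## proxy_ami_cloudflared_py
+proxy_ami_cloudflared_py() {
+[ $# -gt 0 ] || return 1
+local ip=$1
+a=`proxy_ami_cloudflared $ip`
+if [ $? -eq 0 -a "$a" = True ] ; then
+echo $a
+return 0
+fi
+
+# https://netaddr.readthedocs.io/en/latest/tutorial_01.html
+# a=`python3 -c "import netaddr; print(netaddr.IPAddress('$ip') in list(netaddr.IPNetwork('$no')))"`
+# https://stackoverflow.com/questions/819355/how-can-i-check-if-an-ip-is-in-a-network-in-python
+
+for no in "${CLOUDFN[@]}" ; do
+a=`python3 -c "import ipaddress; print(ipaddress.IPv4Address('$ip') in list(ipaddress.IPv4Network('$no')))"`
+if [ $? -eq 0 -a "$a" = True ] ; then
+echo $a
+return 0
+fi
+done
+echo False
+return 0
+}
+
+## proxy_ami_nottlsv3
+proxy_ami_nottlsv3() {
+[ $# -gt 0 ] || return 1
+local site=$1
+for no in "${NOTLSV3[@]}" ; do
+[[ $site =~ $no ]] && echo True && return 0
+done
+echo False
+return 0
+}
+
+declare -a NOTLSV3
+NOTLSV3=(
+# connection refused
+www.mirrorservice.org
+# no ipv3
+files.pythonhosted.org
+# forbidden
+download.nvidia.com
+# 500
+www.x.org
+)
+
+# https://web.archive.org/web/20220722104744/https://www.cloudflare.com/ips-v4
+declare -a CLOUDFN
+CLOUDFN=(
+173.245.48.0/20
+103.21.244.0/22
+103.22.200.0/22
+103.31.4.0/22
+104.16.0.0/13
+104.24.0.0/14
+108.162.192.0/18
+131.0.72.0/22
+141.101.64.0/18
+162.158.0.0/15
+172.64.0.0/13
+188.114.96.0/20
+190.93.240.0/20
+197.234.240.0/22
+198.41.128.0/17
+)
+
+#for no in "${CLOUDFN[@]}" ; do
+# # https://netaddr.readthedocs.io/en/latest/tutorial_01.html
+# a=`python3 -c "import netaddr; print('\n'.join(map(str,list(netaddr.IPNetwork('$no')))))"`
+#done
+
+# /usr/include/openssl/x509_vfy.h
+declare -A OPENSSL_X509_V
+OPENSSL_X509_V=(
+[0]=OK
+[1]=ERR_UNSPECIFIED
+[2]=ERR_UNABLE_TO_GET_ISSUER_CERT
+[3]=ERR_UNABLE_TO_GET_CRL
+[4]=ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
+[5]=ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
+[6]=ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
+[7]=ERR_CERT_SIGNATURE_FAILURE
+[8]=ERR_CRL_SIGNATURE_FAILURE
+[9]=ERR_CERT_NOT_YET_VALID
+[10]=ERR_CERT_HAS_EXPIRED
+[11]=ERR_CRL_NOT_YET_VALID
+[12]=ERR_CRL_HAS_EXPIRED
+[13]=ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
+[14]=ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
+[15]=ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
+[16]=ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
+[17]=ERR_OUT_OF_MEM
+[18]=ERR_DEPTH_ZERO_SELF_SIGNED_CERT
+[19]=ERR_SELF_SIGNED_CERT_IN_CHAIN
+[20]=ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
+[21]=ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
+[22]=ERR_CERT_CHAIN_TOO_LONG
+[23]=ERR_CERT_REVOKED
+[24]=ERR_INVALID_CA
+[25]=ERR_PATH_LENGTH_EXCEEDED
+[26]=ERR_INVALID_PURPOSE
+[27]=ERR_CERT_UNTRUSTED
+[28]=ERR_CERT_REJECTED
+# These are 'informational' when looking for issuer cert
+[29]=ERR_SUBJECT_ISSUER_MISMATCH
+[30]=ERR_AKID_SKID_MISMATCH
+[31]=ERR_AKID_ISSUER_SERIAL_MISMATCH
+[32]=ERR_KEYUSAGE_NO_CERTSIGN
+[33]=ERR_UNABLE_TO_GET_CRL_ISSUER
+[34]=ERR_UNHANDLED_CRITICAL_EXTENSION
+[35]=ERR_KEYUSAGE_NO_CRL_SIGN
+[36]=ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+[37]=ERR_INVALID_NON_CA
+[38]=ERR_PROXY_PATH_LENGTH_EXCEEDED
+[39]=ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+[40]=ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+[41]=ERR_INVALID_EXTENSION
+[42]=ERR_INVALID_POLICY_EXTENSION
+[43]=ERR_NO_EXPLICIT_POLICY
+[44]=ERR_DIFFERENT_CRL_SCOPE
+[45]=ERR_UNSUPPORTED_EXTENSION_FEATURE
+[46]=ERR_UNNESTED_RESOURCE
+[47]=ERR_PERMITTED_VIOLATION
+[48]=ERR_EXCLUDED_VIOLATION
+[49]=ERR_SUBTREE_MINMAX
+# The application is not happy
+[50]=ERR_APPLICATION_VERIFICATION
+[51]=ERR_UNSUPPORTED_CONSTRAINT_TYPE
+[52]=ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+[53]=ERR_UNSUPPORTED_NAME_SYNTAX
+[54]=ERR_CRL_PATH_VALIDATION_ERROR
+# Another issuer check debug option
+[55]=ERR_PATH_LOOP
+# Suite B mode algorithm violation
+[56]=ERR_SUITE_B_INVALID_VERSION
+[57]=ERR_SUITE_B_INVALID_ALGORITHM
+[58]=ERR_SUITE_B_INVALID_CURVE
+[59]=ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
+[60]=ERR_SUITE_B_LOS_NOT_ALLOWED
+[61]=ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
+# Host, email and IP check errors
+[62]=ERR_HOSTNAME_MISMATCH
+[63]=ERR_EMAIL_MISMATCH
+[64]=ERR_IP_ADDRESS_MISMATCH
+# DANE TLSA errors
+[65]=ERR_DANE_NO_MATCH
+# security level errors
+[66]=ERR_EE_KEY_TOO_SMALL
+[67]=ERR_CA_KEY_TOO_SMALL
+[68]=ERR_CA_MD_TOO_WEAK
+# Caller error
+[69]=ERR_INVALID_CALL
+# Issuer lookup error
+[70]=ERR_STORE_LOOKUP
+# Certificate transparency
+[71]=ERR_NO_VALID_SCTS
+
+[72]=ERR_PROXY_SUBJECT_NAME_VIOLATION
+# OCSP status errors
+[73]=ERR_OCSP_VERIFY_NEEDED # Need OCSP verification
+[74]=ERR_OCSP_VERIFY_FAILED # Couldn't verify cert through OCSP
+[75]=ERR_OCSP_CERT_UNKNOWN # Certificate wasn't recognized by the OCSP responder
+[76]=ERR_SIGNATURE_ALGORITHM_MISMATCH
+[77]=ERR_NO_ISSUER_PUBLIC_KEY
+[78]=ERR_UNSUPPORTED_SIGNATURE_ALGORITHM
+[79]=ERR_EC_KEY_EXPLICIT_PARAMS
+)
+
+# man 3 libcurl-errors
+declare -A CURLE
+CURLE=(
+[0]=CURLE_OK
+[1]=CURLE_UNSUPPORTED_PROTOCOL
+[2]=CURLE_FAILED_INIT
+[3]=CURLE_URL_MALFORMAT
+[4]=CURLE_NOT_BUILT_IN
+[5]=CURLE_COULDNT_RESOLVE_PROXY
+[6]=CURLE_COULDNT_RESOLVE_HOST
+[7]=CURLE_COULDNT_CONNECT
+[8]=CURLE_WEIRD_SERVER_REPLY
+[9]=CURLE_REMOTE_ACCESS_DENIED
+[10]=CURLE_FTP_ACCEPT_FAILED
+[11]=CURLE_FTP_WEIRD_PASS_REPLY
+[12]=CURLE_FTP_ACCEPT_TIMEOUT
+[13]=CURLE_FTP_WEIRD_PASV_REPLY
+[14]=CURLE_FTP_WEIRD_227_FORMAT
+[15]=CURLE_FTP_CANT_GET_HOST
+[16]=CURLE_HTTP2
+[17]=CURLE_FTP_COULDNT_SET_TYPE
+[18]=CURLE_PARTIAL_FILE
+[19]=CURLE_FTP_COULDNT_RETR_FILE
+[21]=CURLE_QUOTE_ERROR
+[22]=CURLE_HTTP_RETURNED_ERROR
+[23]=CURLE_WRITE_ERROR
+[25]=CURLE_UPLOAD_FAILED
+[26]=CURLE_READ_ERROR
+[27]=CURLE_OUT_OF_MEMORY
+[28]=CURLE_OPERATION_TIMEDOUT
+[30]=CURLE_FTP_PORT_FAILED
+[31]=CURLE_FTP_COULDNT_USE_REST
+[33]=CURLE_RANGE_ERROR
+[34]=CURLE_HTTP_POST_ERROR
+[35]=CURLE_SSL_CONNECT_ERROR
+[36]=CURLE_BAD_DOWNLOAD_RESUME
+[37]=CURLE_FILE_COULDNT_READ_FILE
+[38]=CURLE_LDAP_CANNOT_BIND
+[39]=CURLE_LDAP_SEARCH_FAILED
+[41]=CURLE_FUNCTION_NOT_FOUND
+[42]=CURLE_ABORTED_BY_CALLBACK
+[43]=CURLE_BAD_FUNCTION_ARGUMENT
+[45]=CURLE_INTERFACE_FAILED
+[47]=CURLE_TOO_MANY_REDIRECTS
+[48]=CURLE_UNKNOWN_OPTION
+[49]=CURLE_SETOPT_OPTION_SYNTAX
+[52]=CURLE_GOT_NOTHING
+[53]=CURLE_SSL_ENGINE_NOTFOUND
+[54]=CURLE_SSL_ENGINE_SETFAILED
+[55]=CURLE_SEND_ERROR
+[56]=CURLE_RECV_ERROR
+[58]=CURLE_SSL_CERTPROBLEM
+[59]=CURLE_SSL_CIPHER
+[60]=CURLE_PEER_FAILED_VERIFICATION
+[61]=CURLE_BAD_CONTENT_ENCODING
+[62]=CURLE_LDAP_INVALID_URL
+[63]=CURLE_FILESIZE_EXCEEDED
+[64]=CURLE_USE_SSL_FAILED
+[65]=CURLE_SEND_FAIL_REWIND
+[66]=CURLE_SSL_ENGINE_INITFAILED
+[67]=CURLE_LOGIN_DENIED
+[68]=CURLE_TFTP_NOTFOUND
+[69]=CURLE_TFTP_PERM
+[70]=CURLE_REMOTE_DISK_FULL
+[71]=CURLE_TFTP_ILLEGAL
+[72]=CURLE_TFTP_UNKNOWNID
+[73]=CURLE_REMOTE_FILE_EXISTS
+[74]=CURLE_TFTP_NOSUCHUSER
+[75]=CURLE_CONV_FAILED
+[76]=CURLE_CONV_REQD
+[77]=CURLE_SSL_CACERT_BADFILE
+[78]=CURLE_REMOTE_FILE_NOT_FOUND
+[79]=CURLE_SSH
+[80]=CURLE_SSL_SHUTDOWN_FAILED
+[81]=CURLE_AGAIN
+[82]=CURLE_SSL_CRL_BADFILE
+[83]=CURLE_SSL_ISSUER_ERROR
+[84]=CURLE_FTP_PRET_FAILED
+[85]=CURLE_RTSP_CSEQ_ERROR
+[86]=CURLE_RTSP_SESSION_ERROR
+[87]=CURLE_FTP_BAD_FILE_LIST
+[88]=CURLE_CHUNK_FAILED
+[89]=CURLE_NO_CONNECTION_AVAILABLE
+[90]=CURLE_SSL_PINNEDPUBKEYNOTMATCH
+[91]=CURLE_SSL_INVALIDCERTSTATUS
+[92]=CURLE_HTTP2_STREAM
+[93]=CURLE_RECURSIVE_API_CALL
+[94]=CURLE_AUTH_ERROR
+[95]=CURLE_HTTP3
+[96]=CURLE_QUIC_CONNECT_ERROR
+[98]=CURLE_SSL_CLIENTCERT
+[99]=CURLE_UNRECOVERABLE_POLL
+)
+
+# 20 HTTP response status codes
+declare -A HTTP_RESPONSE
+HTTP_RESPONSE=(
+[100]="Continue"
+[101]="Switching Protocols"
+[103]="Early Hints"
+[200]="OK"
+[201]="Created"
+[202]="Accepted"
+[203]="Non-Authoritative Information"
+[204]="No Content"
+[205]="Reset Content"
+[206]="Partial Content"
+[300]="Multiple Choices"
+[301]="Moved Permanently"
+[302]="Found"
+[303]="See Other"
+[304]="Not Modified"
+[307]="Temporary Redirect"
+[308]="Permanent Redirect"
+[400]="Bad Request"
+[401]="Unauthorized"
+[402]="Payment Required"
+[403]="Forbidden"
+[404]="Not Found"
+[405]="Method Not Allowed"
+[406]="Not Acceptable"
+[407]="Proxy Authentication Required"
+[408]="Request Timeout"
+[409]="Conflict"
+[410]="Gone"
+[411]="Length Required"
+[412]="Precondition Failed"
+[413]="Payload Too Large"
+[414]="URI Too Long"
+[415]="Unsupported Media Type"
+[416]="Range Not Satisfiable"
+[417]="Expectation Failed"
+[418]="Im a teapot"
+[422]="Unprocessable Entity"
+[425]="Too Early"
+[426]="Upgrade Required"
+[428]="Precondition Required"
+[429]="Too Many Requests"
+[431]="Request Header Fields Too Large"
+[451]="Unavailable For Legal Reasons"
+[500]="Internal Server Error"
+[501]="Not Implemented"
+[502]="Bad Gateway"
+[503]="Service Unavailable"
+[504]="Gateway Timeout"
+[505]="HTTP Version Not Supported"
+[506]="Variant Also Negotiates"
+[507]="Insufficient Storage"
+[508]="Loop Detected"
+[510]="Not Extended"
+[511]="Network Authentication Required"
+)
+
+# https://techcommunity.microsoft.com/t5/iis-support-blog/ssl-tls-alert-protocol-and-the-alert-codes/ba-p/377132
+declare -a SSL_ALERT_CODES
+# B.2. Alert Messages
+SSL_ALERT_CODES=(
+[0]="close_notify"
+[10]="unexpected_message"
+[20]="bad_record_mac"
+[21]="decryption_failed_RESERVED"
+[22]="record_overflow"
+[30]="decompression_failure_RESERVED"
+[40]="handshake_failure"
+[41]="no_certificate_RESERVED"
+[42]="bad_certificate"
+[43]="unsupported_certificate"
+[44]="certificate_revoked"
+[45]="certificate_expired"
+[46]="certificate_unknown"
+[47]="illegal_parameter"
+[48]="unknown_ca"
+[49]="access_denied"
+[50]="decode_error"
+[51]="decrypt_error"
+[60]="export_restriction_RESERVED"
+[70]="protocol_version"
+[71]="insufficient_security"
+[80]="internal_error"
+[86]="inappropriate_fallback"
+[90]="user_canceled"
+[100]="no_renegotiation_RESERVED"
+[109]="missing_extension"
+[110]="unsupported_extension"
+[111]="certificate_unobtainable_RESERVED"
+[112]="unrecognized_name"
+[113]="bad_certificate_status_response"
+[114]="bad_certificate_hash_value_RESERVED"
+[115]="unknown_psk_identity"
+[116]="certificate_required"
+[120]="no_application_protocol"
+)
+
+# https://curl.se/docs/ssl-ciphers.html
+
+# openssl
+# https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html
+
+# https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
+openssl=openssl
+# CURLOPT_TLS13_CIPHERS --tls13-ciphers
+if [ $openssl = openssl ] ; then
+export CURLOPT_TLS13_CIPHERS="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256"
+elif [ $openssl = nss ] ; then
+export CURLOPT_TLS13_CIPHERS="aes_128_gcm_sha_256,aes_256_gcm_sha_384,chacha20_poly1305_sha_256"
+fi
+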
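Review bot: `proxy_ami_cloudflared_py` splices `$ip` and `$no` straight into the `python3 -c` source string, so any value that is not a clean dotted quad — something scraped from a DNS answer or a curl error line, say — is executed as Python; pass them as arguments instead, `python3 -c "import ipaddress,sys; print(ipaddress.IPv4Address(sys.argv[1]) in ipaddress.IPv4Network(sys.argv[2]))" "$ip" "$no"`, which also drops the `list()` that materialises 2^19 addresses for a /13 on every call. `proxy_ami_cloudflared` is wrong for prefixes that are not octet-aligned: `sed -e 's@[.0]*/[0-9][0-9]@@'` turns `104.16.0.0/13` into the regex prefix `104.16`, so 104.17.0.1 (inside that /13) is reported False, and because the `=~` match is unanchored with unescaped dots, 103.31.45.1 matches `103.31.4` although it is outside 103.31.4.0/22. The python path only compensates for the False case, so the bash function yields false positives on its own and should either be anchored (`^${nopat//./\\.}`) or dropped in favour of the ipaddress check.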
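--- /dev/null
+++ b/overlay/Linux/usr/local/src/proxy_daily.bash
@@ -0,0 +1,56 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+prog=$( basename $0 .bash )
+. /usr/local/bin/usr_local_tput.bash || exit 2
+PREFIX=/usr/local
+ROLE=proxy
+
+# The idea here is to run ansible_local.bash --tags daily
+# and then use this to do the parsing and throwing errors based on the output.
+# This was the ansible run can be free from erroring and this can be
+# run repeatedly anytime outside of ansible to deal with the issues raised.
+# It is also run at the end of ansible_local.bash --tags daily to raise the issues.
+
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+[ -f /usr/local/etc/testforge/testforge.bash ] && \
+. /usr/local/etc/testforge/testforge.bash
+
+MYID=$( id -u )
+[ $MYID -eq 0 ] || { ERROR $prog must be run as root $MYID ; exit 1 ; }
+
+# . $PREFIX/src/var_local_src.bash
+which ansifilter >/dev/null 2>&1 && ansifilter=ansifilter || ansifilter=cat
+
+ly=daily
+errs=0
+warns=0
+
+elt=proxy
+LOG_DIR=/usr/local/tmp
+ELOG=$LOG_DIR/E${prog}_${ly}$$.log
+WLOG=$LOG_DIR/W${prog}_${ly}$$.log
+OUT=$LOG_DIR/O${prog}_${ly}$$.log
+rm -f $LOG_DIR/*${prog}_${ly}*.log
+
+elt=doctest3
+if [ $MYID -ne 0 ] && [ -f /var/local/bin/testforge_python_doctest3.bash ] ; then
+$PREFIX/bin/testforge_python_doctest3.bash \
+/usr/local/share/doc/txt/proxy3.txt \
+> "$LOG_DIR"/$ly/$elt$$.log 2>> $ELOG || ERROR $elt >> $ELOG
+fi
+
+[ -f $WLOG ] && warns=$( wc -l $WLOG | cut -f 1 -d ' ' )
+[ $? -eq 0 -a $warns -ne 0 ] && \
+WARN "$prog $warns $ly $prog warnings in $WLOG"
+
+[ -f $ELOG ] && errs=$( wc -l $ELOG | cut -f 1 -d ' ' )
+[ $? -eq 0 -a $errs -ne 0 ] && \
+ERROR "$prog $errs $ly $prog errors in $ELOG" && cat $ELOG
+
+[ $errs -eq 0 ] && \
+[ $warns -eq 0 ] && \
+INFO "$prog No $ly errors" && \
+rm -f $WLOG $ELOG $OUT
+
+exit $errs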
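Review bot: The doctest3 block can never run: the script has already exited on the `[ $MYID -eq 0 ] ||` line unless it is root, yet the block is guarded by `[ $MYID -ne 0 ]`; it also tests for `/var/local/bin/testforge_python_doctest3.bash` but executes `$PREFIX/bin/testforge_python_doctest3.bash`, and redirects into `$LOG_DIR/$ly/`, which nothing creates. If the doctest is meant for the root run, change the guard to `[ -x $PREFIX/bin/testforge_python_doctest3.bash ]` and add `mkdir -p "$LOG_DIR/$ly"` before it; otherwise delete the block. The log paths are predictable (`$$`-suffixed under /usr/local/tmp) and are written with `>`/`>>` as root, so if that directory is ever world-writable a pre-planted symlink would be followed; `mktemp -d -p "$LOG_DIR"` for the run's files removes the question, and it would also let the `rm -f $LOG_DIR/*${prog}_${ly}*.log` sweep go away.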
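--- /dev/null
+++ b/overlay/Linux/usr/local/src/proxy_dirmngr.bash
@@ -0,0 +1,64 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+PREFIX=/usr/local
+ROLE=proxy
+
+. /usr/local/bin/usr_local_base.bash || exit 2
+
+# NO allow-version-check CALLS ANYWAY versions.gnupg.org
+
+# echo "DEBUG: $0 GNUPGHOME=$GNUPGHOME $*" >> /tmp/$$.out
+PROXY_GPG_KEYSERVER=keys.openpgp.org
+
+[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash >/dev/null
+[ -z "$PROXY_GPG_KEYERVER_URL" ] && PROXY_GPG_KEYERVER_URL=hkps://$PROXY_GPG_KEYSERVER
+
+# ONLY disabling on the command line or
+[ -e /proc/sys/net/ipv6/conf/default/disable_ipv6 ] && \
+[ `cat /proc/sys/net/ipv6/conf/default/disable_ipv6` -eq 0 ] && \
+echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
+
+PROXY_WLAN=$( /usr/local/bin/proxy_ping_lib.bash proxy_set_if ) # || return 1$?
+if [ -n "$PROXY_WLAN" ] ; then
+wlan7=$PROXY_WLAN
+
+[ -e /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6 ] && \
+[ `cat /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6` -eq 0 ] && \
+echo 1 > /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6
+fi
+
+grep -q "^wlan[1-9][ ]00000000" /proc/net/route || { ERROR no route ; exit 1; }
+
+[ -z "$USER" ] && USER=$(id -un )
+if [ $USER = root ] ; then
+[ -x /usr/bin/dirmngr -a ! -x /usr/bin/dirmngr.bin ] && \
+mv /usr/bin/dirmngr /usr/bin/dirmngr.bin
+[ -x /usr/bin/dirmngr.bin -a ! -x /usr/bin/dirmngr ] && \
+ln -s /usr/local/bin/proxy_dirmngr.bash /usr/bin/dirmngr
+fi
+
+[ ! -x /usr/bin/dirmngr -o ! -x /usr/bin/dirmngr.bin ] && exit 2
+[ -f /etc/dirmngr/dirmngr.conf ] || exit 3
+[ -x /usr/bin/dirmngr.bin ] || exit 4
+
+[ ! -x /usr/bin/netstat ] || \
+netstat -nlp|grep -q 127.0.0.1:53 || { ERROR no nameserver ; exit 5; }
+[ ! -x /usr/bin/netstat ] || \
+netstat -nlp|grep -q 127.0.0.1:3128 || { ERROR no proxy 3128 ; exit 6; }
+
+# This is not enough: --disable-ipv6
+# --keyserver hkps://keys.gentoo.org is required
+# --http-proxy http://127.0.0.1:3128
+# --keyserver $PROXY_GPG_KEYERVER_URL
+# --no-use-tor is REQUIRED if you are running tor
+# EVEN IF YOU DOT USE use-tor - silent dns failure
+
+exec /usr/bin/dirmngr.bin --server -vvv --debug-all \
+--options /etc/dirmngr/dirmngr.conf \
+--nameserver 127.0.0.1 \
+--disable-ipv6 \
+--disable-ldap \
+--no-use-tor \
+--log-file /var/log/dirmngr.log --debug-level 4 \
+"$@"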
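Review bot: With `--no-use-tor` on the exec line and `--http-proxy http://127.0.0.1:3128` left as a comment, nothing in this wrapper guarantees keyserver traffic goes through the proxy: the `netstat ... 127.0.0.1:3128` test only proves a listener exists, and if /etc/dirmngr/dirmngr.conf has no `http-proxy` line dirmngr reaches keys.openpgp.org directly, defeating the tor setup the rest of the role builds. Pass `--http-proxy http://127.0.0.1:3128` explicitly on the exec line, or gate on `grep -q '^http-proxy' /etc/dirmngr/dirmngr.conf || { ERROR no http-proxy in dirmngr.conf ; exit 7; }`. `-vvv --debug-all --debug-level 4` into /var/log/dirmngr.log for every gpg invocation on the box records each key ID looked up and the full keyserver exchange; that is a debugging setting and should be conditional on `$DEBUG`, not the default. Moving the distro's /usr/bin/dirmngr aside and symlinking this script in its place will be undone by the next package upgrade, and toggling `disable_ipv6` sysctls from inside a gpg helper is a surprising side effect; if the installed gpg supports `dirmngr-program` in gpg.conf, pointing that at the wrapper is the less fragile hook.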
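--- /dev/null
+++ b/overlay/Linux/usr/local/src/proxy_dirmngr_test.bash
@@ -0,0 +1,68 @@
+#!/bin/sh
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+# Dual Linux or msys64
+
+prog=$( basename $0 .bash )
+ROLE=proxy
+
+PREFIX=/usr/local
+[ -n "$MSYSTEM" ] && EXET=msys || EXET=sh
+
+[ -f $PREFIX/etc/testforge/testforge.bash ] \
+&& . /usr/local/etc/testforge/testforge.bash
+
+# Dual Linux or msys64
+
+PROXIES=""
+if [ -d /etc/pacman.d/gnupg ] ; then
+ROLE=msys64
+HOMEDIR=/etc/pacman.d/gnupg
+# proxy or striaght through
+PROXIES="10.152.152.12"
+elif [ -d /q/Pg64/Msys64/etc/pacman.d/gnupg ] ; then
+ROLE=q
+HOMEDIR=/q/Pg64/Msys64/etc/pacman.d/gnupg
+ppl=/usr/local/bin/proxy_ping_lib.bash
+# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
+[ "$USER" != root ] && export PATH=/sbin:$PATH
+[ -z "$MODE" ] && MODE=$( $ppl proxy_ping_mode )
+if [ "$MODE" = tor ] ; then
+PROXIES="127.0.0.1:3128"
+elif [ "$MODE" = whonix ] ; then
+PROXIES="10.0.2.15:9128"
+elif [ "$MODE" = gateway ] ; then
+PROXIES="10.0.2.15:9128"
+elif ps ax | grep -q polipo ; then
+PROXIES="127.0.0.1:3128"
+else
+echo ERROR: unknown proxy
+exit 2
+fi
+
+fi
+
+if [ ! -f /etc/dirmngr/dirmngr.conf ] || \
+grep ^keyserver /etc/dirmngr/dirmngr.conf ; then
+echo ERROR: no ^keyserver in /etc/dirmngr/dirmngr.conf
+exit 1
+fi
+
+GPG="gpg --verbose --home $HOMEDIR"
+$GPG --refresh-keys --verbose
+
+ps ax | grep /usr/bin/dirmngr.bin|grep -v grep|sed -e 's/ .*//'|xargs kill
+
+grep '^keyserver hkp' /etc/dirmngr/dirmngr.conf | \
+sed -e 's@keyserver hkp://@@' | \
+while read elt ; do
+for proxy in $PROXIES; do
+echo 1 | http_proxy=$proxy $GPG --yes \
+--debug-level guru \
+--keyserver hkp://$elt \
+--search-keys abcdefghij || exit 3$?
+echo INFO: $proxy $elt
+done
+done
+
+/usr/local/bin/proxy_ping_test.bash dirmngr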
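Review bot: The keyserver check is inverted: `if [ ! -f /etc/dirmngr/dirmngr.conf ] || grep ^keyserver /etc/dirmngr/dirmngr.conf` prints "no ^keyserver" and exits exactly when a keyserver line IS present, and lets a conf without one through to the loop that expects it; it should be `|| ! grep -q '^keyserver' /etc/dirmngr/dirmngr.conf`. The `ps ax | grep ... | sed -e 's/ .*//' | xargs kill` line strips from the first space, which on `ps ax` output with its leading padding is the whole line, so no PID is ever passed and the running dirmngr survives; `gpgconf --kill dirmngr` (or `pkill -f /usr/bin/dirmngr.bin`) is the reliable form. In the msys64 branch `PROXIES="10.152.152.12"` is handed to `http_proxy=` without scheme or port, and `exit 3$?` yields values like 30 or 31 that wrap modulo 256 for larger statuses; `exit 3` with the real status echoed is clearer. The `$PROXIES` loop also hardwires `hkp://` (cleartext) for the searches, so the test exercises a transport the wrapper itself says should be `hkps://`.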
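--- /dev/null
+++ b/overlay/Linux/usr/local/src/proxy_dns_forward.bash
@@ -0,0 +1,22 @@
+#!/bin/sh
+# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
+# https://unix.stackexchange.com/questions/293304/using-netcat-for-port-forwarding
+
+prog=$( basename $0 .bash )
+PREFIX=/usr/local
+ROLE=proxy
+. /usr/local/bin/usr_local_tput.bash || exit 2
+
+netstat -nlpe4 | grep -q 127.0.0.1:53 && {
+ERROR 127.0.0.1:53 already bound
+exit 1
+}
+
+MODE=$( /usr/local/bin/proxy_ping_lib.bash proxy_ping_mode )
+
+if [ "$MODE" = tor -o "$MODE" = gateway -o "$MODE" = selektor ] ; then
+socat -L/run/socat.lck udp-l:53,bind=127.0.0.1,fork,reuseaddr udp:127.0.0.1:9053 >/dev/null
+elif a[ "$MODE" = whonix ] ; then
+socat -L/run/socat.lck udp-l:53,bind=127.0.0.1,fork,reuseaddr udp:10.0.2.2:9053 >/dev/null
+fi
+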
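Review bot: `elif a[ "$MODE" = whonix ] ; then` has a stray `a` glued to the test, so the whonix branch tries to run a command named `a[`, fails, and never starts the forwarder; it should read `elif [ "$MODE" = whonix ] ; then`. The file is `#!/bin/sh` yet sources `usr_local_tput.bash`, which by name and by the rest of the role is bash-only, so either switch the shebang to `#!/bin/bash` or drop the source and the `ERROR` helper it provides. An unknown MODE currently falls off the end silently with status 0; an `else ERROR unknown MODE=$MODE ; exit 2` arm would make a misdetected mode visible instead of leaving 127.0.0.1:53 unbound while callers assume it is served.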
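--- /dev/null
+++ b/overlay/Linux/usr/local/src/proxy_export.bash
@@ -0,0 +1,166 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+ROLE=proxy
+#NO prog=proxy_export
+. /usr/local/bin/usr_local_tput.bash || exit 2
+
+[ -f /usr/local/bin/proxy_ping_lib.bash ] || \
+{ ERROR missing /usr/local/bin/proxy_ping_lib.bash ; exit 1; }
+# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
+
+# [ "$USER" != root ] && export PATH=/sbin:$PATH
+
+## proxy_to_virbr1_15
+proxy_to_virbr1_15 () {
+if ifconfig | grep -q virbr1 ; then
+PROXY_VIREXT_IP=$( ifconfig virbr1 | grep inet | sed -e 's/.*inet //' -e 's/ .*//' )
+[ $? -eq 0 -a -n "$PROXY_VIREXT_IP" ] && \
+PROXY_VIREXT_HOST=$( echo $PROXY_VIREXT_IP | sed -e 's/2$/15/' ) && \
+[ -n "$PROXY_VIREXT_HOST" ] && \
+export no_proxy="localhost,127.0.0.1,$PROXY_VIREXT_HOST" && \
+export https_proxy=http://$PROXY_VIREXT_HOST:9128 && \
+export socks_proxy=socks5://$PROXY_VIREXT_HOST:9050 && \
+export TOR_SOCKS_HOST=$PROXY_VIREXT_HOST && \
+export TOR_SOCKS_PORT=9050
+
+fi
+return 0
+}
+
+## proxy_http_host_httpproxy
+proxy_http_host_httpproxy () {
+if netstat -nle4 | grep -q 127.0.0.1:3128 >/dev/null ; then
+export http_proxy=http://127.0.0.1:3128
+export https_proxy=http://127.0.0.1:3128
+export RSYNC_PROXY=127.0.0.1:3128
+fi
+return 0
+}
+
+proxy_https_host_selektor () { proxy_https_host_tor $* ; }
+proxy_https_host_tor () {
+if netstat -nle4 | grep -q 127.0.0.1:9128 >/dev/null ; then
+export https_proxy=http://127.0.0.1:9128
+fi
+return 0
+}
+
+proxy_socks_host_tor () {
+local file=/etc/tor/torrc
+if [ -f $file ] ; then
+port=`grep -hi ^socksport /etc/tor/torrc /etc/tor/torrc-defaults | sed -e 's/SocksPort //' -e 's/.*://'`
+[ -z "$port" ] && port=9050
+export socks_proxy=socks5://127.0.0.1:$port
+return 0
+else
+[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
+echo >&2 WARN: $prog $file not found
+return 1
+fi
+if netstat -nle4 | grep -q 127.0.0.1:$port >/dev/null ; then
+export socks_proxy=socks5://127.0.0.1:$port
+fi
+return 0
+}
+
+proxy_socks_host_selektor () {
+local file=/var/lib/tor/.SelekTOR/3xx/SelekTOR.xml
+if [ -f $file ] ; then
+port=`grep PREF_LISTENPORT $file | sed -e 's/.*">//' -e 's/<.*//'`
+[ -z "$port" ] && port=9050
+export socks_proxy=socks5://127.0.0.1:$port
+return 0
+else
+[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
+echo >&2 WARN: $prog $file not found
+fi
+return 0
+}
+
+# proxy_export_mode
+proxy_export_mode () {
+ppl=/usr/local/bin/proxy_ping_lib.bash
+
+[ -z "$MODE" ] && MODE=$( $ppl proxy_ping_mode )
+[ -z "$MODE" ] && MODE=host
+
+# $0=bash
+[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
+debug $prog MODE=$MODE ONE=$MODE 0=$0 "$#" "$@"
+
+if [ "$MODE" = from -o "$MODE" = whonix ] ; then
+export no_proxy="localhost,127.0.0.1,10.0.2.15"
+proxy_http_host_httpproxy
+proxy_to_virbr1_15
+
+elif [ "$MODE" = client ] ; then
+# inherit the environment
+proxy_http_host_httpproxy
+proxy_https_host_tor
+proxy_socks_host_tor
+
+elif [ "$MODE" = nat ] ; then
+export no_proxy="localhost,127.0.0.1,10.0.2.2,10.0.2.0/24"
+# get external
+external=`grep external$ /etc/hosts|sed -e 's/ .*//'`
+if [ $? -eq 0 ] && [ -n "$external" ] ; then
+# get the ports and PROXY_MODE of the host
+export socks_proxy=socks5://$external:9050
+export http_proxy=http://$external:3128
+export https_proxy=http://$external:9128
+fi
+
+elif [ "$MODE" = vda -o "$MODE" = workstation ] ; then
+export no_proxy="localhost,127.0.0.1,10.152.152.10"
+export socks_proxy=socks5://10.152.152.10:9050
+proxy_http_host_httpproxy
+export https_proxy=http://10.152.152.10:9128
+
+elif [ "$MODE" = gateway ] ; then
+
+export no_proxy="localhost,127.0.0.1,10.0.2.2,10.0.2.15"
+export socks_proxy=socks5://10.0.2.15:9050
+proxy_http_host_httpproxy
+export https_proxy=http://10.0.2.15:9128
+
+elif [ "$MODE" = selektor ] ; then
+export http_proxy=http://127.0.0.1:3128
+export https_proxy=http://127.0.0.1:9128
+export no_proxy="localhost,127.0.0.1"
+
+proxy_http_host_httpproxy
+proxy_https_host_selektor
+proxy_socks_host_selektor
+
+elif true || [ "$MODE" = to -o "$MODE" = to_tor -o "$MODE" = tor ] ; then
+
+export http_proxy=http://127.0.0.1:3128
+export https_proxy=http://127.0.0.1:9128
+export socks_proxy=http://127.0.0.1:9050
+export no_proxy="localhost,127.0.0.1"
+proxy_http_host_httpproxy
+proxy_https_host_tor
+proxy_socks_host_tor
+fi
+}
+
+# echo $0 $* "$0" = 'tostop' -o
+if [ "$0" = '-bash' -o "$0" = '/bin/bash' -o "$0" = 'bash' ] ; then
+proxy_export_mode
+[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
+env | grep proxy | while read line ; do debug $line ; done
+elif [ -x /usr/bin/basename ] && \
+[ `basename -- "$0"` = 'proxy_export.bash' -o \
+"$( basename -- "`readlink $0`" )" = 'proxy_export.bash' ] ; then
+
+if [ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] ; then
+echo USAGE: $0 && grep '^## ' $0 | sed -e 's/^## //'|sort
+
+elif [ "$#" -eq 0 ] || [ "$#" -eq 1 -a $1 = mode ]; then
+set -- proxy_export_mode
+fi
+
+eval "$@"
+exit $?
+fi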
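Review bot: In the final branch `export socks_proxy=http://127.0.0.1:9050` gives a SOCKS listener an http:// scheme, unlike every other branch and the `socks5://` that `proxy_socks_host_tor` sets right after it; it should be `export socks_proxy=socks5://127.0.0.1:9050`. `elif true || [ "$MODE" = to -o ... ]` silently makes the tor branch the catch-all for any unrecognised MODE, typos included, so a mis-detected mode exports localhost proxies rather than failing; an explicit `else ERROR unknown MODE=$MODE` arm is safer. In `proxy_socks_host_tor` both arms of the if/else return, so the trailing `netstat` check is dead code and `socks_proxy` is exported whether or not the port is actually listening. The dispatcher ends in `eval "$@"`, which executes whatever string is on the command line as shell; acceptable for an operator tool, but it should be documented as such and never be invoked with arguments derived from another script's untrusted input.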
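--- /dev/null
+++ b/overlay/Linux/usr/local/src/proxy_firewall_start.bash
@@ -0,0 +1,8 @@
+#!/bin/bash
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+PREFIX=/usr/local
+ROLE=proxy
+
+. /usr/local/bin/proxy_ping_lib.bash || { echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 3; }
+proxy_ping_firewall_restart $*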
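Review bot: `proxy_ping_firewall_restart $*` re-splits and glob-expands the arguments before the function sees them; `proxy_ping_firewall_restart "$@"` passes them through intact. The function itself lives in the sourced proxy_ping_lib.bash, outside this section, so its exit status is what the script returns — worth a one-line comment so a caller knows a non-zero result means the firewall was not restarted.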
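--- a/overlay/Linux/usr/local/src/proxy_fw_laptop.bash
+++ b/overlay/Linux/usr/local/src/proxy_fw_laptop.bash
@@ -0,0 +1,572 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+PREFIX=/usr/local
+ROLE=proxy
+
+. /usr/local/bin/usr_local_tput.bash || exit 2
+
+# https://www.hermann-uwe.de/files/fw_laptop
+#------------------------------------------------------------------------------
+# File: fw_laptop
+# Author: Uwe Hermann <uwe@hermann-uwe.de>
+# URL: http://www.hermann-uwe.de/files/fw_laptop
+# License: GNU GPL (version 2, or any later version).
+# $Id: fw_laptop 529 2006-06-10 15:11:40Z uh1763 $
+#------------------------------------------------------------------------------
+
+# A firewall script intended to be used on workstations / laptops. It basically
+# blocks all incoming traffic and only allows minimal outgoing traffic.
+# It helps to mitigate certains attacks, misconfigurations of local daemons,
+# misbehaving local users or applications, and can prevent untrusted
+# applications from "phoning home", among other things.
+
+# Note: This is work in progress! Any comments and suggestions are welcome!
+
+# Thanks for comments and suggestions:
+# * Jean Christophe André <jean-christophe.andre@auf.org>
+# * Ryan Giobbi <rgiobbi@gmail.com>
+# * Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
+
+
+#------------------------------------------------------------------------------
+# Configuration.
+#------------------------------------------------------------------------------
+
+# For debugging use iptables -v.
+IPTABLES="/sbin/iptables"
+IP6TABLES="/sbin/ip6tables"
+MODPROBE="/sbin/modprobe"
+RMMOD="/sbin/rmmod"
+ARP="/usr/sbin/arp"
+
+# Logging options.
+# Note: We use --log-level debug, so that the messages are not output
+# to all virtual consoles (which would be quite annoying).
+# Alternative: Start klogd with -c 4 (e.g. by setting KLOGD="-c 4" in the
+# /etc/init.d/klogd startup-script.
+LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
+LOG="$LOG --log-ip-options"
+
+# Defaults for rate limiting (to prevent DoS attacks and excessive logging).
+# TODO: What is a good value for --limit and --limit-burst?
+# TODO: Test rate limiting.
+RLIMIT="-m limit --limit 3/s --limit-burst 8"
+
+# Unprivileged ports.
+PHIGH="1024:65535"
+
+# Common SSH source ports.
+PSSH="1000:1023"
+
+# Load required kernel modules (if automatic module loading is disabled).
+#$MODPROBE ip_conntrack_ftp
+#$MODPROBE ip_conntrack_irc
+
+
+#------------------------------------------------------------------------------
+# Mitigate ARP spoofing/poisoning and similar attacks.
+# For details see:
+# * http://en.wikipedia.org/wiki/ARP_spoofing
+# * http://www.grc.com/nat/arp.htm
+#------------------------------------------------------------------------------
+
+# Hardcode static ARP cache entries here (e.g. for the network gateway).
+# $ARP -s IP-ADDRESS MAC-ADDRESS
+
+
+#------------------------------------------------------------------------------
+# Kernel configuration.
+# For details see:
+# * http://www.securityfocus.com/infocus/1711
+# * http://www.linuxgazette.com/issue77/lechnyr.html
+# * http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
+# * /usr/src/linux/Documentation/filesystems/proc.txt
+# * /usr/src/linux/Documentation/networking/ip-sysctl.txt
+#------------------------------------------------------------------------------
+
+# Disable IP forwarding.
+# Note: We turn this on and off to reset all settings to their defaults.
+echo 1 > /proc/sys/net/ipv4/ip_forward
+echo 0 > /proc/sys/net/ipv4/ip_forward
+
+# Enable IP spoofing protection (i.e. source address verification).
+# Note: This is special, as it seems to only be enabled if you set
+# */all/rp_filter AND */eth0/rp_filter (for example) to 1! Setting only
+# */all/rp_filter alone does _not_ suffice, which is pretty counter-intuitive.
+for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done
+
+# Protect against SYN flood attacks (see http://cr.yp.to/syncookies.html).
+echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+
+# Ignore all incoming ICMP echo requests (i.e. disable ping).
+# Usually not a good idea, as some protocols and users need/want this.
+# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
+echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
+
+# Ignore ICMP echo requests to broadcast/multicast addresses. We do not
+# want to participate in smurf (and similar) DoS attacks.
+# For details see: http://en.wikipedia.org/wiki/Smurf_attack.
+echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+
+# Log packets with impossible addresses.
+for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i; done
+
+# Don't log invalid responses to broadcast frames, they just clutter the logs.
+echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
+
+# Don't accept or send ICMP redirects.
+for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
+for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done
+
+# Don't accept source routed packets.
+for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done
+
+# Disable multicast routing. Should not be needed, usually.
+# TODO: This throws an "Operation not permitted" error. Why?
+# for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > $i; done
+
+# Disable proxy_arp. Should not be needed, usually.
+for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done
+
+# Enable secure redirects, i.e. only accept ICMP redirects for gateways
+# listed in the default gateway list. Helps against MITM attacks.
+for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done
+
+# Disable bootp_relay. Should not be needed, usually.
+for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > $i; done
+
+# TODO: These may mitigate ARP poisoning attacks?
+# /proc/sys/net/ipv4/neigh/*/locktime
+# /proc/sys/net/ipv4/neigh/*/gc_stale_time
+
+# TODO: Check rest of /usr/src/linux/Documentation/networking/ip-sysctl.txt.
+# Are there any security-relevant options I missed? Check especially:
+# icmp_ratelimit, icmp_ratemask, icmp_errors_use_inbound_ifaddr, arp_*.
+
+exit 0
+
+#------------------------------------------------------------------------------
+# Default policies.
+#------------------------------------------------------------------------------
+
+# Drop everything by default.
+# Note: The default policies are set _before_ flushing the chains, to prevent
+# a short timespan between flushing the chains and setting policies where
+# any traffic would be allowed.
+$IPTABLES -P INPUT DROP
+$IPTABLES -P FORWARD DROP
+$IPTABLES -P OUTPUT DROP
+
+# Set the nat/mangle/raw tables' chains to ACCEPT (we don't use them).
+# Packets will simply pass through these tables unchanged.
+# TODO: What happens if the modules aren't loaded?
+$IPTABLES -t nat -P PREROUTING ACCEPT
+$IPTABLES -t nat -P OUTPUT ACCEPT
+$IPTABLES -t nat -P POSTROUTING ACCEPT
+
+$IPTABLES -t mangle -P PREROUTING ACCEPT
+$IPTABLES -t mangle -P INPUT ACCEPT
+$IPTABLES -t mangle -P FORWARD ACCEPT
+$IPTABLES -t mangle -P OUTPUT ACCEPT
+$IPTABLES -t mangle -P POSTROUTING ACCEPT
+
+# TODO: Correct? Remove this?
+# $IPTABLES -t raw -P PREROUTING ACCEPT
+# $IPTABLES -t raw -P OUTPUT ACCEPT
+
+
+#------------------------------------------------------------------------------
+# Cleanup.
+#------------------------------------------------------------------------------
+
+# Delete all rules.
+$IPTABLES -F
+$IPTABLES -t nat -F
+$IPTABLES -t mangle -F
+
+# Delete all (non-builtin) user-defined chains.
+$IPTABLES -X
+$IPTABLES -t nat -X
+$IPTABLES -t mangle -X
+
+# Zero all packet and byte counters.
+$IPTABLES -Z
+$IPTABLES -t nat -Z
+$IPTABLES -t mangle -Z
+
+
+#------------------------------------------------------------------------------
+# Completely disable IPv6.
+#------------------------------------------------------------------------------
+
+# Block all IPv6 traffic, otherwise the firewall might be circumvented by an
+# attacker who simply sends IPv6 traffic instead of IPv4 traffic.
+# Note: The safest way to prevent IPv6 traffic is to not enable support for
+# IPv6 in the kernel in the first place (neither built-in nor as a module).
+
+# If the ip6tables command is available, try to block all IPv6 traffic.
+if test -x $IP6TABLES; then
+# Set the default policies (drop everything).
+$IP6TABLES -P INPUT DROP 2>/dev/null
+$IP6TABLES -P FORWARD DROP 2>/dev/null
+$IP6TABLES -P OUTPUT DROP 2>/dev/null
+
+# The mangle table can pass everything through unaltered (we don't use it).
+$IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null
+$IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null
+$IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null
+$IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null
+$IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null
+
+# Delete all rules.
+$IP6TABLES -F 2>/dev/null
+$IP6TABLES -t mangle -F 2>/dev/null
+
+# Delete all (non-builtin) user-defined chains.
+$IP6TABLES -X 2>/dev/null
+$IP6TABLES -t mangle -X 2>/dev/null
+
+# Zero all packet and byte counters.
+$IP6TABLES -Z 2>/dev/null
+$IP6TABLES -t mangle -Z 2>/dev/null
+fi
+
+
+#------------------------------------------------------------------------------
+# Custom user-defined chains.
+#------------------------------------------------------------------------------
+
+# LOG packets, then ACCEPT them.
+$IPTABLES -N ACCEPTLOG
+$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT "
+$IPTABLES -A ACCEPTLOG -j ACCEPT
+
+# LOG packets, then DROP them.
+$IPTABLES -N DROPLOG
+$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP "
+$IPTABLES -A DROPLOG -j DROP
+
+# LOG packets, then REJECT them. TCP packets are rejected with a TCP reset.
+$IPTABLES -N REJECTLOG
+$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
+$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
+$IPTABLES -A REJECTLOG -j REJECT
+
+# A custom chain which only allows minimal (RELATED) ICMP types
+# (destination-unreachable, time-exceeded, and parameter-problem).
+# TODO: Rate-limit this traffic?
+# TODO: Allow fragmentation-needed?
+# TODO: Test.
+$IPTABLES -N RELATED_ICMP
+$IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
+$IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
+$IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
+$IPTABLES -A RELATED_ICMP -j DROPLOG
+
+
+#------------------------------------------------------------------------------
+# Only allow the minimally required/recommended parts of ICMP. Block the rest.
+# For details see:
+# * http://tools.ietf.org/html/792
+# * http://tools.ietf.org/html/1122
+# * http://www.iana.org/assignments/icmp-parameters
+# * http://www.daemon.be/maarten/icmpfilter.html
+#------------------------------------------------------------------------------
+
+# Note: Be careful if you're using kernels older than 2.4.29. Some locally
+# generated ICMP error types (going through OUTPUT) are erroneously tagged
+# as INVALID (instead of RELATED).
+# Details: http://lists.debian.org/debian-firewall/2006/05/msg00051.html.
+
+# TODO: This section needs a lot of testing!
+
+# First, drop all fragmented ICMP packets (almost always malicious).
+$IPTABLES -A INPUT -p icmp --fragment -j DROPLOG
+$IPTABLES -A OUTPUT -p icmp --fragment -j DROPLOG
+$IPTABLES -A FORWARD -p icmp --fragment -j DROPLOG
+
+# Allow all ESTABLISHED ICMP traffic.
+# TODO: Tighten this some more?
+$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
+$IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
+
+# Allow some parts of the RELATED ICMP traffic, block the rest.
+# TODO: FORWARD?
+$IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
+$IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
+
+# Allow incoming ICMP echo requests (ping), but only rate-limited.
+$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
+
+# Allow outgoing ICMP echo requests (ping), but only rate-limited.
+# TODO: Really do rate limiting here?
+$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT
+
+# Drop any other ICMP traffic.
+$IPTABLES -A INPUT -p icmp -j DROPLOG
+$IPTABLES -A OUTPUT -p icmp -j DROPLOG
+$IPTABLES -A FORWARD -p icmp -j DROPLOG
+
+
+#------------------------------------------------------------------------------
+# Selectively allow certain special types of traffic.
+#------------------------------------------------------------------------------
+
+# Allow all incoming and outgoing connections on the loopback interface.
+$IPTABLES -A INPUT -i lo -j ACCEPT
+$IPTABLES -A OUTPUT -o lo -j ACCEPT
+
+# Allow incoming connections related to existing allowed connections.
+$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Allow outgoing connections related to existing allowed connections.
+$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Uncomment this (and comment the above line) to allow all outgoing
+# connections (except for INVALID ones).
+# $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+
+# TODO: Read Securing Debian Manual's "Disabling weak-end hosts issues".
+# For details see:
+# * http://www.debian.org/doc/manuals/securing-debian-howto/
+# * ftp://ftp.isi.edu/in-notes/rfc1122.txt
+
+# TODO: Split the ESTABLISHED,RELATED rules by state, protocol, type?
+
+
+#------------------------------------------------------------------------------
+# Miscellaneous.
+#------------------------------------------------------------------------------
+
+# Drop SMB/CIFS, and related Windows traffic without logging. We don't care.
+# TODO: I think not all of these use TCP _and_ UDP. Tighten the rules!
+$IPTABLES -A INPUT -p tcp -m multiport \
+--dports 135,137,138,139,445,1433,1434 -j DROP
+$IPTABLES -A INPUT -p udp -m multiport \
+--dports 135,137,138,139,445,1433,1434 -j DROP
+
+# Explicitly drop invalid incoming traffic (use DROPLOG if you want logging).
+$IPTABLES -A INPUT -m state --state INVALID -j DROP
+
+# Drop invalid outgoing traffic, too.
+# Note: This may prevent you from performing certain scans. Also, see above
+# comment about ICMP packets being erroneously marked as INVALID instead of
+# RELATED in kernels older than 2.4.29. Remove this rule if needed.
+$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
+
+# This is not needed, as we use policy DROP for FORWARD, and we disabled
+# ip_forward anyways. However, if we would use NAT, INVALID packets would
+# bypass our rules, so we block them explicitly here, just in case.
+$IPTABLES -A FORWARD -m state --state INVALID -j DROP
+
+# Hinder portscanners a bit.
+$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
+$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
+
+# TODO: Some more anti-spoofing rules? For example:
+# TODO: Test.
+# $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+# $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+# $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+
+# TODO: Block known-bad IPs (see http://www.dshield.org/top10.php).
+# $IPTABLES -A INPUT -s INSERT-BAD-IP-HERE -j DROPLOG
+
+
+#------------------------------------------------------------------------------
+# Drop any traffic from IANA-reserved IPs.
+# Note: You could easily block valid traffic, e.g. if your ISP uses private
+# addresses (see RFC 1918) in their network. If in doubt, remove these rules.
+# For details see:
+# * ftp://ftp.iana.org/assignments/ipv4-address-space
+# * http://www.cymru.com/Documents/bogon-bn-agg.txt
+#------------------------------------------------------------------------------
+
+$IPTABLES -A INPUT -s 0.0.0.0/7 -j DROP
+$IPTABLES -A INPUT -s 2.0.0.0/8 -j DROP
+$IPTABLES -A INPUT -s 5.0.0.0/8 -j DROP
+$IPTABLES -A INPUT -s 7.0.0.0/8 -j DROP
+$IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP
+$IPTABLES -A INPUT -s 23.0.0.0/8 -j DROP
+$IPTABLES -A INPUT -s 27.0.0.0/8 -j DROP
+$IPTABLES -A INPUT -s 31.0.0.0/8 -j DROP
+$IPTABLES -A INPUT -s 36.0.0.0/7 -j DROP
+$IPTABLES -A INPUT -s 39.0.0.0/8 -j DROP
+$IPTABLES -A INPUT -s 42.0.0.0/8 -j DROP
+$IPTABLES -A INPUT -s 49.0.0.0/8 -j DROP
+$IPTABLES -A INPUT -s 50.0.0.0/8 -j DROP
+$IPTABLES -A INPUT -s 77.0.0.0/8 -j DROP
+$IPTABLES -A INPUT -s 78.0.0.0/7 -j DROP
+$IPTABLES -A INPUT -s 92.0.0.0/6 -j DROP
+$IPTABLES -A INPUT -s 96.0.0.0/4 -j DROP
+$IPTABLES -A INPUT -s 112.0.0.0/5 -j DROP
+$IPTABLES -A INPUT -s 120.0.0.0/8 -j DROP
+# $IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP
+$IPTABLES -A INPUT -s 169.254.0.0/16 -j DROP
+$IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
+$IPTABLES -A INPUT -s 173.0.0.0/8 -j DROP
+$IPTABLES -A INPUT -s 174.0.0.0/7 -j DROP
+$IPTABLES -A INPUT -s 176.0.0.0/5 -j DROP
+$IPTABLES -A INPUT -s 184.0.0.0/6 -j DROP
+$IPTABLES -A INPUT -s 192.0.2.0/24 -j DROP
+# $IPTABLES -A INPUT -s 192.168.0.0/16 -j DROP
+$IPTABLES -A INPUT -s 197.0.0.0/8 -j DROP
+$IPTABLES -A INPUT -s 198.18.0.0/15 -j DROP
+$IPTABLES -A INPUT -s 223.0.0.0/8 -j DROP
+$IPTABLES -A INPUT -s 224.0.0.0/3 -j DROP
+
+
+#------------------------------------------------------------------------------
+# Selectively allow certain outbound connections, block the rest.
+# TODO: This could be tightened a bit more (limit source/dest port ranges).
+#------------------------------------------------------------------------------
+
+# Allow outgoing DNS requests. Few things will work without this.
+$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
+$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
+
+# Allow outgoing HTTP requests. Unencrypted, use with care.
+$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
+
+# Allow outgoing HTTPS requests.
+$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
+
+# Allow outgoing SMTPS requests. Do NOT allow unencrypted SMTP!
+# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 465 -j ACCEPT
+
+# Allow outgoing "submission" requests.
+# Submission (RFC 2476) is used for sending email, and uses port 587.
+# This can be encrypted or unencrypted, depending on the server (I think).
+$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 587 -j ACCEPT
+
+# Allow outgoing POP3S requests. Do NOT allow unencrypted POP3!
+$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT
+
+# Allow outgoing SSH requests.
+$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
+
+# Allow outgoing FTP requests. Unencrypted, use with care.
+# Note: This usually needs the ip_conntrack_ftp kernel module.
+$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
+
+# Allow outgoing NNTP requests. Unencrypted, use with care.
+$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT
+
+# Allow outgoing NTP requests. Unencrypted, use with care.
+$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 123 -j ACCEPT
+
+# Allow outgoing IRC requests. Unencrypted, use with care.
+# Note: This usually needs the ip_conntrack_irc kernel module.
+$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 6667 -j ACCEPT
+
+# Allow outgoing requests to various proxies. Unencrypted, use with care.
+$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT
+$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8090 -j ACCEPT
+
+# Allow outgoing DHCP requests. Unencrypted, use with care.
+# TODO: This is completely untested, I have no idea whether it works!
+# TODO: I think this can be tightened a bit more.
+$IPTABLES -A OUTPUT -m state --state NEW -p udp \
+--sport 67:68 --dport 67:68 -j ACCEPT
+
+# Allow outgoing CVS requests. Unencrypted, use with care.
+$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 2401 -j ACCEPT
+
+# Allow outgoing SVN requests. Unencrypted, use with care.
+$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 3690 -j ACCEPT
+
+# Allow outgoing Tor (http://tor.eff.org) requests.
+# Note: Do _not_ use unencrypted protocols over Tor (sniffing is possible)!
+$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9001 -j ACCEPT
+$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9002 -j ACCEPT
+$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9030 -j ACCEPT
+$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9031 -j ACCEPT
+$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9090 -j ACCEPT
+$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9091 -j ACCEPT
+
+# Allow outgoing Bacula (http://www.bacula.org) requests.
+# Unencrypted (usually), use with care.
+# Ports: Console -> DIR:9101, DIR -> SD:9103, DIR -> FD:9102, FD -> SD:9103
+$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9101 -j ACCEPT
+# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9103 -j ACCEPT
+# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9102:9103 -j ACCEPT
+
+# Allow outgoing OpenVPN requests.
+$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 1194 -j ACCEPT
+
+# TODO: ICQ, ...
+
+
+#------------------------------------------------------------------------------
+# Selectively allow certain inbound connections, block the rest.
+# TODO: This could be tightened a bit more (limit source/dest port ranges).
+#------------------------------------------------------------------------------
+
+# Allow incoming DNS requests.
+# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
+# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
+
+# Allow incoming HTTP requests.
+# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
+
+# Allow incoming HTTPS requests.
+# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
+
+# Allow incoming POP3 requests.
+# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT
+
+# Allow incoming POP3S requests.
+# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT
+
+# Allow incoming SMTP requests.
+# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
+
+# Allow incoming SSH requests.
+# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
+
+# Allow incoming FTP requests.
+# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
+
+# Allow incoming NNTP requests.
+# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT
+
+# Allow incoming BitTorrent requests.
+# TODO: Are these already handled by ACCEPTing established/related traffic?
+# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 6881 -j ACCEPT
+# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 6881 -j ACCEPT
+
+# Allow incoming nc requests.
+# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 2030 -j ACCEPT
+# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 2030 -j ACCEPT
+
+# Allow incoming Bacula (http://www.bacula.org) requests.
+# Ports: Console -> DIR:9101, DIR -> SD:9103, DIR -> FD:9102, FD -> SD:9103
+# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 9102 -j ACCEPT
+# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 9101:9103 -j ACCEPT
+
+
+#------------------------------------------------------------------------------
+# Explicitly log and reject everything else.
+#------------------------------------------------------------------------------
+
+# Use REJECT instead of REJECTLOG if you don't need/want logging.
+$IPTABLES -A INPUT -j REJECTLOG
+$IPTABLES -A OUTPUT -j REJECTLOG
+$IPTABLES -A FORWARD -j REJECTLOG
+
+
+#------------------------------------------------------------------------------
+# Testing the firewall.
+#------------------------------------------------------------------------------
+
+# You should check/test that the firewall really works, using for example
+# iptables -vnL, nmap, ping, telnet, ...
+
+
+#------------------------------------------------------------------------------
+# Exit gracefully.
+#------------------------------------------------------------------------------
+
+exit 0
+
+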
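Review bot: The bare `exit 0` placed right after the `icmp_ratelimit` TODO comment returns before a single `$IPTABLES` or `$IP6TABLES` command runs, so on the new side this script applies only the sysctl hardening and never sets the DROP policies, flushes the chains or installs the ICMP, bogon and outbound rules that the header comment describes. If the ruleset is meant to stay disabled while it is adapted to this role, say so at that point, e.g. `exit 0 # TODO(proxy): iptables rules below are not applied yet, sysctl hardening only`, so a reader checking firewall state does not assume it is active; otherwise remove the line. Everything from the `echo 1 > /proc/sys/net/ipv4/ip_forward` write onward needs root, and without a guard such as `[ "$(id -u)" -eq 0 ] || exit 1` near the top a non-root run prints one permission error per sysctl and continues. The `. /usr/local/bin/usr_local_tput.bash || exit 2` line is the only local addition to the vendored fw_laptop script, and none of the visible lines call anything it might define, so it may be a leftover from a template.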
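--- a/overlay/Linux/usr/local/src/proxy_get_if.bash
+++ b/overlay/Linux/usr/local/src/proxy_get_if.bash
@@ -0,0 +1,16 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
+
+# on stdout - messages on stderr
+
+prog=$( basename $0 .bash )
+PREFIX=/usr/local
+ROLE=proxy
+
+export PATH=$PATH:/usr/local/bin
+
+PROXY_WLAN=$( /usr/local/bin/proxy_ping_lib.bash proxy_get_if )
+retval=$?
+echo -n $PROXY_WLAN
+
+exit $retval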
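Review bot: `echo -n $PROXY_WLAN` on the second-to-last line word-splits and glob-expands the captured interface name before printing it, and `echo -n` is not portable across shells; `printf '%s' "$PROXY_WLAN"` emits the value byte-for-byte. The header comment says only the result goes to stdout, but if the library's `proxy_get_if` prints anything to stdout on failure it is captured and re-echoed as though it were an interface name, so printing only on success, `[ "$retval" -eq 0 ] && printf '%s' "$PROXY_WLAN"`, keeps callers from consuming an error message. `prog`, `PREFIX` and `ROLE` are assigned but never read in this file; if the library or the caller depends on them being set, a comment saying so would help, otherwise they can go.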
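--- a/overlay/Linux/usr/local/src/proxy_hosts_test.bash
+++ b/overlay/Linux/usr/local/src/proxy_hosts_test.bash
@@ -0,0 +1,25 @@
+#!/bin/sh
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+# Dual Linux or msys64
+
+prog=$( basename $0 .bash )
+ROLE=proxy
+
+PREFIX=/usr/local
+[ -n "$MSYSTEM" ] && EXET=msys || EXET=sh
+
+. /usr/local/bin/usr_local_tput.bash
+
+[ -f $PREFIX/etc/testforge/testforge.bash ] \
+&& . /usr/local/etc/testforge/testforge.bash
+
+grep -v '#\|127.0.0.1' /etc/hosts | while read ip b ; do
+[ -z "$ip" ] && continue
+[ -z "$b" ] && continue
+dig -x $ip | grep "$b" && \
+INFO $ip $b || \
+WARN $ip $b `dig -x $ip | grep 'IN.*\.'`
+dig $b | grep 'IN.*\.'
+dig @8.8.8.8 $b | grep 'IN.*\.'
+done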
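Review bot: The `dig -x $ip | grep "$b" && INFO ... || WARN ...` chain in the loop body also runs WARN whenever INFO itself returns non-zero, and `grep "$b"` treats the hostname as a regex (each `.` matches any character) while printing the matched line; an explicit `if dig -x "$ip" | grep -qF -- "$b"; then INFO "$ip" "$b"; else WARN ...; fi` tests exactly what is intended. `$ip` and `$b` are unquoted throughout and `while read ip b` lacks `-r`, so a stray backslash in /etc/hosts is mangled; `read -r` plus quoting is the POSIX-safe fix under the `#!/bin/sh` shebang. The `grep -v '#\|127.0.0.1'` alternation is a GNU extension that a non-GNU grep behind `/bin/sh` may not accept; `grep -v -e '#' -e '127.0.0.1'` is portable. The `dig @8.8.8.8 $b` query goes straight to an external resolver, bypassing whatever proxy or Tor DNS path the role configures, which deserves a comment if that is an intended leak check and a MODE guard if it is not. `EXET` is set but never used in this file.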
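--- a/overlay/Linux/usr/local/src/proxy_hourly.bash
+++ b/overlay/Linux/usr/local/src/proxy_hourly.bash
@@ -0,0 +1,245 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+PREFIX=/usr/local
+ROLE=proxy
+DEBUG=1
+
+# The idea here is to run ansible_local.bash --tags daily
+# and then use this to do the parsing and throwing errors based on the output.
+# This was the ansible run can be free from erroring and this can be
+# run repeatedly anytime outside of ansible to deal with the issues raised.
+# It is also run at the end of ansible_local.bash --tags daily to raise the issues.
+
+prog=$( basename $0 .bash )
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+[ -f /usr/local/etc/testforge/testforge.bash ] && \
+. /usr/local/etc/testforge/testforge.bash >/dev/null
+
+. /usr/local/bin/proxy_export.bash
+PL=/usr/local/bin/proxy_ping_lib.bash
+. $PL
+PL=
+PLL=/usr/local/bin/proxy_libvirt_lib.bash
+. $PLL
+PLL=
+DEBUG=1
+
+declare -a BOX_NBD_OVERLAY_EXTERNAL
+# fill this in with the ansible hosts.yml
+BOX_NBD_OVERLAY_EXTERNALS=(
+/o/var/local/src/play_tox/hosts.yml
+/o/data/TestForge/src/ansible/hosts.yml
+)
+[ -z "$USER" ] && USER=$(id -un )
+MYID=$( id -u )
+[ $MYID -eq 0 ] || { ERROR $prog must be run as root $MYID ; exit 1 ; }
+
+# . $PREFIX/src/var_local_src.bash
+which ansifilter >/dev/null 2>&1 && ansifilter=ansifilter || ansifilter=cat
+
+[ -d /dev/virtio-ports ] && ONE_GUEST=1 || ONE_GUEST=0
+
+ly=hourly
+errs=0
+warns=0
+
+elt=proxy
+LOG_DIR=/usr/local/tmp
+ELOG=$LOG_DIR/E${prog}_${ly}$$.log
+WLOG=$LOG_DIR/W${prog}_${ly}$$.log
+OUT=$LOG_DIR/O${prog}_${ly}$$.log
+
+export PATH=$PATH:/usr/local/bin
+[ -n "$BASE_SRC_ANSIBLE" ] || BASE_SRC_ANSIBLE=/g/TestForge/src/ansible
+[ -z "$MODE" ] && MODE=$( $PL proxy_ping_mode )
+[ -n "$DEBUG" ] && echo >&2 DEBUG: $prog $ly MODE=$MODE 0=$0 "$#" "$@"
+[ -z "$MODE" ] && exit 2
+
+[ ! -d $LOG_DIR/ ] && mkdir -p $LOG_DIR && chmod 1777 $LOG_DIR
+find $LOG_DIR/*${prog}_${ly}*.log -ctime +2 -delete
+
+elt=proxy_export
+DBUG elt=$elt
+. /usr/local/bin/$elt.bash || exit 2
+DBUG http_proxy=$http_proxy
+DBUG https_proxy=$https_proxy
+DBUG socks_proxy=$socks_proxy
+
+IP=`ifconfig|grep -A1 'eth\|wlan'|grep inet|sed -e 's/.*inet //' -e 's/ .*//'`
+DBUG external=$IP
+GW=`ip route | grep ^def | sed -e 's/.*via //' -e 's/ .*//'`
+DBUG gw=$GW
+
+grep -q "^wlan[1-9][ ]00000000" /proc/net/route && ZERO_CONNECTED=0 || ZERO_CONNECTED=1
+if [ $ZERO_CONNECTED == 0 ] ; then
+/usr/local/bin/proxy_ping_test.bash $MODE 2>&1| grep ERROR: | tee $ELOG
+[ -s $ELOG ] || INFO /usr/local/bin/proxy_ping_test.bash $MODE
+fi
+
+elt=/etc/ssl/certs
+DBUG elt=$elt
+if [ -d /etc/ssl/certs/ ] ; then
+find -L /etc/ssl/certs/ -type l | tee -a $ELOG
+find -L /etc/ssl/certs/ -type l -delete
+else
+WARN /etc/ssl/certs/ missing
+fi
+
+elt=route
+DBUG elt=$elt
+# ubuntu / devuan oddball
+route | grep -q 'lo$' || \
+ip route add 127.0.0.0/8 dev lo scope host
+
+if [ "$MODE" = whonix -o "$MODE" = tor -o "$MODE" = selektor ] ; then
+NS=127.0.0.1
+elif [ "$MODE" = nat -o "$MODE" = vda -o "$MODE" = ws ] ; then
+NS=10.0.2.2
+else
+NS=
+fi
+if [ -n "$NS" ] ; then
+elt=/etc/resolv.conf
+DBUG elt=$elt
+a=`grep nameserver /etc/resolv.conf | grep -v "nameserver $IP" | wc -l`
+if [ $? -eq 0 -a -n "$a" -a "$a" -gt 0 ] ; then
+/usr/local/bin/base_wall.bash "CRIT: $prog /etc/resolv.conf" `grep nameserver /etc/resolv.conf`
+echo "nameserver $IP" > /etc/resolv.conf
+fi
+fi
+
+if [ "$MODE" = whonix -o "$MODE" = tor -o "$MODE" = selektor ] ; then
+# 10.24.216.64
+elt=/etc/hosts
+DBUG elt=$elt
+if [ -n "$IP" ] ; then
+grep -q " external" /etc/hosts && \
+sed -e "s/.* external/$IP external/" -i /etc/hosts || \
+echo "$IP external" >> /etc/hosts
+for file in "${BOX_NBD_OVERLAY_EXTERNALS[@]}" ; do
+[ -f $file ] || continue
+grep -q "BOX_NBD_OVERLAY_EXTERNAL.*" $file && continue
+sed -i -e "s/BOX_NBD_OVERLAY_EXTERNAL:.*/BOX_NBD_OVERLAY_EXTERNAL: \"$IP\"/" $file
+done
+fi
+
+elt=/etc/firewall.conf
+DBUG elt=$elt
+[ -f /etc/firewall.conf ] || {
+ERROR $prog NO FIREWALL /etc/firewall.conf | tee -a $ELOG | \
+xargs /usr/local/bin/base_wall.bash
+}
+
+elt=iptables
+DBUG elt=$elt
+$PL proxy_iptables_save >$OUT 2>&1
+if [ $? -ne 0 ] || ! grep -q DROP $OUT ; then
+ERROR $prog NO FIREWALL - DROP `cat $OUT` | tee -a $ELOG
+/usr/local/bin/base_wall.bash ERROR $prog NO FIREWALL - DROP
+#? /usr/local/bin/proxy_firewall_restore_iptable.bash /etc/firewall.conf
+fi
+
+elif [ "$MODE" = nat -o "$MODE" = vda -o "$MODE" = ws ] && [ $ONE_GUEST -eq 1 ]; then
+elt=/etc/resolv.conf
+DBUG elt=$elt
+if [ $? -eq 0 -a -n "$GW" ] ; then
+if ! grep -q "$GW" /etc/resolv.conf ; then
+/usr/local/bin/base_wall.bash "CRIT: $GW not in /etc/resolv.conf"
+echo "nameserver $GW" >> /etc/resolv.conf
+fi
+
+$PL proxy_ping_firewall_check || \
+/usr/local/bin/base_wall.bash $prog 'CRIT: proxy_ping_firewall_check' retval=$?
+fi
+fi
+
+if [ $ONE_GUEST -eq 0 ] ; then
+
+if [ "$MODE" = whonix ] ; then
+BOX_WHONIX_PROXY_HOST=$( /usr/local/bin/testforge_get_inventory.bash BOX_WHONIX_PROXY_HOST )
+if [ -n "$BOX_WHONIX_PROXY_HOST" ] && \
+which virsh 2>/dev/null >/dev/null && \
+virsh list | grep -q "$BOX_WHONIX_PROXY_HOST" ; then
+# sh proxy_whonix_host_tor.bash whonix
+/usr/local/sbin/proxy_whonix_host.bash proxy_whonix_host_add_block >>$OUT 2>>$ELOG
+fi
+$PLL proxy_libvirt_test >$OUT 2>&1
+retval=$?
+[ $retval -gt 1 ] && \
+ERROR $prog proxy_libvirt_test retval=$retval | tee -a $ELOG
+fi
+
+wlan7=`ifconfig|grep ^wlan|tail -1| sed -e 's/:.*//'`
+if [ -n "$wlan7" ] ; then
+grep -q $wlan7 /etc/firewall.conf || {
+ERROR $prog NO $wlan7 in /etc/firewall.conf | tee -a $ELOG | \
+xargs /usr/local/bin/base_wall.bash
+/usr/local/bin/firewall.bash
+}
+fi
+
+[ -f /var/log/privoxy/logfile ] && \
+grep -i fatal /var/log/privoxy/logfile | tee -a $ELOG && \
+ERROR Fatal in /var/log/privoxy/logfile |tee -a $ELOG
+
+if grep -q "^wlan[1-9][ ]00000000" /proc/net/route ; then
+$PL proxy_ping_gw_check || {
+ERROR proxy_ping_gw_check | tee -a $ELOG
+}
+$PL proxy_ping_dnsmasq_check && \
+ERROR proxy_ping_dnsmasq_check || {
+ERROR proxy_ping_dnsmasq_check | tee -a $ELOG
+}
+$PL proxy_ping_firewall_check && \
+INFO proxy_ping_firewall_check || {
+ERROR proxy_ping_firewall_check | tee -a $ELOG
+}
+
+$PL proxy_test_dirmngr $OUT && \
+INFO proxy_test_dirmngr $retval | tee -a $ELOG || {
+retval=$?
+ERROR proxy_test_dirmngr $retval | tee -a $ELOG
+}
+
+if dmesg | grep --text -A 1 'martian' ; then
+dmesg | grep --text -A 1 'martian' | \
+xargs echo WARN: martians | tee -a $ELOG
+dmesg | grep --text -A 1 'martian' | \
+sed -e 's/DST=.*//' -e 's/.*martian_//' -e 's/ OUT=.*SRC=/ /' | tee -a $ELOG
+else
+INFO proxy_test_dirmngr no martians
+fi
+
+PROXY_WLAN=$( $PL proxy_get_if )
+[ -n "$PROXY_WLAN" -a -f /etc/wicd/wireless-settings.conf ] && \
+ps ax | grep -q wpa_supplicant && \
+grep -A 1 bad$ /etc/wicd/wireless-settings.conf | \
+grep bssid | sed -e 's/.*= //' | \
+while read elt ; do \
+wpa_cli -i "$PROXY_WLAN" blacklist $elt
+done
+
+fi
+fi
+
+# [ -s $OUT ] && grep WARN: $OUT | tee -a $ELOG
+
+if [ -s $ELOG ] ; then
+errs=$( wc -l $ELOG | cut -f 1 -d ' ' )
+if [ $? -eq 0 -a $errs -ne 0 ] ; then
+ERROR $prog $errs $ly $prog errors in $ELOG
+cat $ELOG
+exit $errs
+fi
+fi
+
+[ -f $WLOG ] && warns=`wc -l $WLOG | cut -f 1 -d ' '`
+[ $? -eq 0 -a $warns -ne 0 ] && \
+WARN "$warns $ly $prog warnings in $WLOG"
+
+[ $errs -eq 0 ] && \
+[ $warns -eq 0 ] && \
+INFO "$prog No $ly errors in $HARDEN_LOG_DIR"
+
+exit 0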
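Review bot: The rewrite of /etc/resolv.conf at `echo "nameserver $IP" > /etc/resolv.conf` trusts `$IP`, which is scraped from ifconfig by `grep -A1 'eth\|wlan'|grep inet` and can be empty or hold several addresses when more than one interface is up, so the resolver file can end up with a malformed nameserver line and the guard `grep -v "nameserver $IP" | wc -l` then fires on every run. Validate the value right after the `IP=` line, e.g. `[[ "$IP" =~ ^[0-9]+(\.[0-9]+){3}$ ]] || { ERROR $prog bad external IP "$IP" ; exit 3 ; }`; the same `$IP` is also spliced unescaped into the sed replacement for /etc/hosts and for the hosts.yml files. Separately, `PL=` and `PLL=` are cleared right after sourcing the libraries, so `$PL proxy_ping_mode`, `$PL proxy_iptables_save`, `$PLL proxy_libvirt_test` and the later `$PL …` checks only work because the functions happen to be in scope from the earlier `. $PL`; either keep the paths or drop the prefixes so the intent is visible.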
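--- a/overlay/Linux/usr/local/src/proxy_jnettop.bash
+++ b/overlay/Linux/usr/local/src/proxy_jnettop.bash
@@ -0,0 +1,35 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
+
+prog=$( basename $0 .bash )
+. /usr/local/bin/usr_local_tput.bash || exit 2
+PREFIX=/usr/local
+ROLE=proxy
+
+grep -q "^wlan[1-9][ ]00000000" /proc/net/route || exit 0
+
+[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash \
+|| { echo >&2 ERROR: $prog "$PREFIX/etc/testforge/testforge.bash" ; exit 1 ; }
+
+error () { retval=$1 ; shift; echo "ERROR: $prog" $* ; exit $retval ; }
+warn () { WARN "$prog " $* ; }
+info () { echo "INFO: $prog " $* ; }
+usage () { echo "USAGE: $prog chroot-dir [command args] -" $* ; exit 1 ; }
+
+# must be run as root
+[ "$( id -u )" -ne "0" ] && error 1 "must be run as root"
+
+PROXY_WLAN=$( /usr/local/bin/proxy_get_if.bash )
+[ $? -eq 0 ] || error 2 " error getting device $?"
+PROXY_WLAN_IP=$( proxy_ping_lib.bash proxy_get_wlan_ip )
+
+LARGS="-i $PROXY_WLAN"
+CONF=/usr/local/etc/jnettop.conf
+if [ -f $CONF ] ; then
+LARGS="$LARGS --config-file $CONF"
+
+# sed -e 's/^#* *interface.*/interface "'$PROXY_WLAN'"/' -i $CONF
+[ -n "$PROXY_WLAN_IP" ] && sed -e 's/"me"\t.*/"me" "net '$PROXY_WLAN_IP'"/' -i $CONF && grep -q $PROXY_WLAN_IP $CONF
+fi
+
+exec jnettop $LARGS $* # 2>/dev/null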
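Review bot: `exec jnettop $LARGS $*` passes the caller's arguments through unquoted, so an argument containing spaces or glob characters is re-split before it reaches jnettop; `exec jnettop $LARGS "$@"` preserves them. A few lines up, `$PROXY_WLAN_IP` is interpolated into the sed program that rewrites the config (`sed -e 's/"me"\t.*/"me" "net '$PROXY_WLAN_IP'"/' -i $CONF`) and the follow-up `grep -q $PROXY_WLAN_IP $CONF` treats the dots as wildcards, so a malformed library result rewrites the file and still passes the check; guarding with `[[ "$PROXY_WLAN_IP" =~ ^[0-9.]+$ ]]` before the edit avoids that. The `[ -f … ] && . … || { … exit 1 ; }` chain also makes a missing testforge.bash fatal, while proxy_hourly.bash in this commit treats the same file as optional.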
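--- a/overlay/Linux/usr/local/src/proxy_libvirt_forward.bash
+++ b/overlay/Linux/usr/local/src/proxy_libvirt_forward.bash
@@ -0,0 +1,35 @@
+#!/bin/sh
+# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
+# https://unix.stackexchange.com/questions/293304/using-netcat-for-port-forwarding
+
+prog=$( basename $0 .bash )
+PREFIX=/usr/local
+ROLE=proxy
+. /usr/local/bin/usr_local_tput.bash || exit 2
+
+if [ ! -d /run/tmp ] ; then
+sudo mkdir /run/tmp
+sudo chown 1777 /run/tmp
+fi
+
+[ -z "$MODE" ] && MODE=$(/usr/local/bin/proxy_ping_lib.bash proxy_ping_mode )
+IP=`grep ' external$' /etc/hosts|sed -e 's/ .*//'`
+retval=$?
+if [ $retval -ne 0 ] || [ -z "$IP" ] ; then
+exit $retval
+fi
+if [ "$MODE" = tor -o "$MODE" = gateway -o "$MODE" = selektor ] ; then
+socat -L/run/socat.lck udp-l:53,bind=$IP,fork,reuseaddr udp:127.0.0.1:9053 >/dev/null || \
+WARN 53,bind=$IP in use
+for elt in 9050 9128 ; do
+netstat -nle4 | grep -q $IP:$elt && {
+ERROR $IP:$elt already bound
+continue # exit 1
+}
+DBUG socat -L/run/tmp/socat$elt.lck tcp-l:$elt,bind=${IP},fork,reuseaddr tcp:127.0.0.1:$elt
+socat -L/run/tmp/socat$elt.lck tcp-l:$elt,bind=${IP},fork,reuseaddr tcp:127.0.0.1:$elt &
+done
+#else
+# WARN $MODE
+#fi
+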
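Review bot: `sudo chown 1777 /run/tmp` is a chown with a mode argument, so it either fails or hands the directory to uid 1777 instead of making it sticky and world-writable, which is what the `-L/run/tmp/socat$elt.lck` lock files two loops below depend on; the line should read `sudo chmod 1777 /run/tmp`. Once the directory is world-writable the fixed names `/run/tmp/socat9050.lck` and `/run/tmp/socat9128.lck` can be pre-created by any local user, so since the forwarders already run as root it is safer to keep /run/tmp root-owned 0755 or to put the locks in a root-only directory. The `socat … &` jobs are never waited on, so the script's exit status says nothing about whether they managed to bind `$IP:$elt`.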
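--- a/overlay/Linux/usr/local/src/proxy_libvirt_ga_test.bash
+++ b/overlay/Linux/usr/local/src/proxy_libvirt_ga_test.bash
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+ROLE=proxy
+
+#[ $# -eq 0 ] && set -- Whonix-Gateway /bin/cat /proc/cmdline
+[ $# -lt 2 ] && echo USAGE: $0 domain command arguments
+
+HOST=$1
+shift
+CMD=$1
+shift
+# FixMe
+if [ $? -gt 1 ] ; then
+ARGS=""
+elif [ $? -gt 1 ] ; then
+ARGS=`sed -e 's/ /","/g' <<< $@`
+else
+ARGS="$1"
+fi
+
+[ "$HOST" = WWork106 ] && HOST=Whonix-Workstation || true
+[ "$HOST" = WGate106 ] && HOST=Whonix-Gateway || true
+
+echo INFO: $0 $HOST $CMD $ARGS
+
+false && echo DEBUG: virsh qemu-agent-command $HOST \
+'{"execute":"guest-exec", "arguments": {"capture-output": true,"path":"'$CMD'","arg":["'$ARGS'"]}}'
+virsh qemu-agent-command $HOST \
+'{"execute":"guest-exec", "arguments": {"capture-output": true,"path":"'$CMD'","arg":["'$ARGS'"]}}' \
+>/tmp/Q$$.out || exit 1$?
+
+grep -q return /tmp/Q$$.out || exit 2
+pid=`sed -e 's/.*://' -e 's/}.*//' /tmp/Q$$.out`
+[ $? -eq 0 ] || exit 3
+
+# echo DEBUG: virsh qemu-agent-command $HOST \
+# '{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}'
+virsh qemu-agent-command $HOST \
+'{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}' \
+>/tmp/R$$.out || exit 4$?
+
+TRIES=10
+i=0
+while [ $i -lt $TRIES ] ; do
+i=`expr $i + 1`
+virsh qemu-agent-command $HOST \
+'{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}' \
+>/tmp/R$$.out || exit 4$i$?
+grep -q '"exitcode":0' /tmp/R$$.out && break
+sleep 5
+echo DEBUG: $i
+done
+[ $i -lt $TRIES ] || \
+{ echo ERROR: $i no exitcode in /tmp/R$$.out; exit 5 ; }
+
+b64=`sed -e 's/{"return":{"exitcode":0,"out-data":"//' -e 's/",".*//' /tmp/R$$.out`
+[ $? -eq 0 ] || exit 6
+[ -n "$b64" ] || exit 7
+
+echo $b64 | base64 -d -
+rm -f /tmp/{Q,R}$$.out
+exit 0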
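Review bot: Both branches of the argument test after the second `shift` compare `$?` (the status of that `shift`) rather than `$#`, so `ARGS` is never assembled from the remaining words and a command with several arguments is silently truncated to its first; the `# FixMe` marks it, but the lines should be `if [ $# -eq 0 ] ; then` and `elif [ $# -gt 1 ] ; then`. The usage line `[ $# -lt 2 ] && echo USAGE: …` prints and carries on, so empty `HOST`/`CMD` reach `virsh qemu-agent-command`; append `&& exit 1`. `$CMD` and `$ARGS` are spliced into the guest-exec JSON without any escaping, so a quote or backslash in either breaks the request rather than being passed to the guest, and the fixed `/tmp/Q$$.out` / `/tmp/R$$.out` names are predictable for a script that drives libvirt as root — `mktemp` closes that.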
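--- a/overlay/Linux/usr/local/src/proxy_libvirt_hook_network.bash
+++ b/overlay/Linux/usr/local/src/proxy_libvirt_hook_network.bash
@@ -0,0 +1,44 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+# Aruments ignored: dom plugged begin
+# so must be idempotemt - as its called by things it calls?
+
+prog=$( basename $0 .bash )
+PREFIX=/usr/local
+ROLE=proxy
+
+[ -z "$TERM" ] || . /usr/local/bin/usr_local_tput.bash || exit 2
+
+[ -z "$USER" ] && USER=$(id -un )
+
+[ -n "$USER" -a "$USER" = root ] && \
+for file in /usr/local/etc/modules-load.d/vda*.conf ; do
+base=$( basename $file )
+[ -e /etc/modules-load.d/$base ] && continue
+cp -p $file /etc/modules-load.d/$base
+done
+
+/etc/init.d/virtlogd status || /etc/init.d/virtlogd start
+/etc/init.d/libvirtd status
+retval=$?
+[ $retval -eq 32 ] && WARN libvirtd crashed - zapping && /etc/init.d/libvirtd zap
+[ $retval -eq 0 ] || /etc/init.d/libvirtd start
+grep "`date +%Y-%m-%d`.* error :" /var/log/libvirt/libvirtd.log
+
+. /usr/local/bin/proxy_ping_lib.bash
+proxy_ping_firewall_restart
+retval=$?
+if [ $retval -eq 0 ] ; then
+[ "$DEBUG" = 1 ] && logger INFO: $prog proxy_ping_firewall_restart $*
+else
+logger ERROR: $prog proxy_ping_firewall_restart retval=$retval $*
+exit $retval
+fi
+
+[ -n "$HTTPPROXY" ] || HTTPPROXY=privoxy
+/etc/init.d/$HTTPPROXY status || /etc/init.d/$HTTPPROXY start
+/etc/init.d/dnsmasq status || /etc/init.d/dnsmasq start
+
+# clean
+exit 0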
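Review bot: When libvirtd runs this hook `TERM` is normally unset, so `[ -z "$TERM" ] || . /usr/local/bin/usr_local_tput.bash || exit 2` skips the library and `WARN` is undefined; `[ $retval -eq 32 ] && WARN libvirtd crashed - zapping && /etc/init.d/libvirtd zap` then stops at the failing `WARN` and the zap never runs (the `WARN`/`DBUG` helpers are presumably defined in that library — verify). Either source it unconditionally or add a fallback before that line, e.g. `type WARN >/dev/null 2>&1 || WARN() { logger WARN: $prog "$@" ; }`. The `for file in /usr/local/etc/modules-load.d/vda*.conf` loop has no nullglob guard, so with no matching file it tries to `cp -p` the literal pattern; a `[ -e "$file" ] || continue` as the first statement of the loop covers it.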
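--- a/overlay/Linux/usr/local/src/proxy_libvirt_hook_qemu.bash
+++ b/overlay/Linux/usr/local/src/proxy_libvirt_hook_qemu.bash
@@ -0,0 +1,11 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+prog=$( basename $0 .bash )
+PREFIX=/usr/local
+ROLE=proxy
+
+logger INFO: $0 $PWD $*
+
+exit 0
+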
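--- a/overlay/Linux/usr/local/src/proxy_libvirt_lib.bash
+++ b/overlay/Linux/usr/local/src/proxy_libvirt_lib.bash
@@ -0,0 +1,285 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+PREFIX=/usr/local
+ROLE=proxy
+base=proxy_libvirt_lib
+# shellcheck disable=SC2154
+[ -z "$USER" ] && USER=$(id -un )
+# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
+. /usr/local/bin/usr_local_tput.bash || exit 2
+
+
+. /usr/local/bin/proxy_ping_lib.bash || exit 2
+
+## proxy_libvirt_test_dnsmasq
+proxy_libvirt_test_dnsmasq () { DBUG proxy_libvirt_test_dnsmasq $* ;
+proxy_rc_service libvirtd status </dev/null >/dev/null || {
+DBUG $prog libvirtd not running ; return 0
+}
+
+if ls /var/lib/libvirt/dnsmasq/*conf >/dev/null 2>/dev/null ; then
+dbug $prog checking libvirtd dnsmasq conf
+PROXY_WLAN=$( proxy_get_if )
+retval=$?
+[ $retval -eq 0 -a -n "$PROXY_WLAN" ] || {
+ERROR proxy_get_if empty wlan7 retval=$retval
+return 2$retval
+}
+for elt in bind-interfaces except-interface=$PROXY_WLAN no-dhcp-interface=$PROXY_WLAN ; do
+for file in /var/lib/libvirt/dnsmasq/*conf ; do
+if ! grep -q $elt $file ; then
+[ -f $file.$$ ] || cp -p $file $file.$$
+echo $elt >> $file
+fi
+done
+done
+if ls /var/lib/libvirt/dnsmasq/*conf.$$ >/dev/null 2>/dev/null ; then
+dbug $prog restarting libvirtd dnsmasq conf
+# FixMe: use virsh net-update net-edit
+# ps ax | grep dnsmasq|grep -v grep|while read pid rest ; do kill -HUP $pid; done
+for file in /var/lib/libvirt/dnsmasq/*conf.$$ ; do
+pid=$( grep ^pid-file= $file|sed -e 's/.*=//' )
+[ $? -ne 0 -o -z "$pid" ] && WARN $prog not pid-file in $file && continue
+[ -f $pid ] || dbug $prog no pid-file in $file && continue
+pid=$( cat $pid )
+dbug $prog HUPing libvirtd dnsmasq $pid
+kill -HUP $pid || WARN $prog error killing $file $pid && continue
+done
+fi
+fi
+
+return 0
+}
+
+## proxy_libvirt_clean_virbr1_rules
+proxy_libvirt_clean_virbr1_rules () {
+local line
+proxy_iptables_save | \
+grep -e '-A LIBVIRT_[OUTINP]* -i virbr[12] .* --dport [56][378] -j ACCEPT' | \
+sed -e 's/-A/-D/' | while read line ; do
+proxy_iptables $line
+done
+return 0
+}
+
+## proxy_libvirt_no_autostart
+proxy_libvirt_no_autostart () { DBUG proxy_libvirt_no_autostart $* ;
+proxy_libvirt_hung || return 1
+
+proxy_virsh net-list --autostart | while read n s a p ; do
+[ "$a" = yes ] || continue
+virsh net-autostart $n --disable || { ERROR $prog net-autostart $n --disable ; return 1 ; }
+dbug $prog net-autostart $n --disable
+[ "$s" = active ] || continue
+virsh net-destroy $n || { dbug $prog net-destroy $n ; return 2 ; }
+dbug $prog net-destroy $n
+done
+return 0
+}
+
+## proxy_libvirt_status tests and checks logs - noisy
+proxy_libvirt_status () { proxy_libvirt_status_host $* ; return $? ; }
+proxy_libvirt_status_host () { DBUG proxy_libvirt_status $* ;
+/etc/init.d/virtlogd status >/dev/null || /etc/init.d/virtlogd start || return 1$?
+/etc/init.d/libvirtd status >/dev/null || /etc/init.d/libvirtd start || return 2$?
+
+if ! proxy_rc_service libvirtd status >/dev/null ; then
+DBUG proxy_libvirt_status proxy_rc_service libvirtd start
+proxy_rc_service libvirtd start || return 3$?
+fi
+
+if ! proxy_rc_service libvirtd status >/dev/null ; then
+ERROR proxy_libvirt_status proxy_rc_service libvirtd not started
+return 4
+fi
+if [ ! -e /run/libvirt/libvirt-sock ] ; then
+WARN proxy_libvirt_status no /run/libvirt/libvirt-sock
+fi
+if [ ! -e /run/libvirt/virtlogd-sock ] ; then
+WARN proxy_libvirt_status no /run/libvirt/virtlogd-sock
+fi
+# virtlockd-sock
+
+# shellcheck disable=SC2154
+[ -z "$GATEW_DOM" ] && GATEW_DOM="$( proxy_testforge_get_gateway_dom )"
+if [ -n "$GATEW_DOM" ] ; then
+proxy_libvirt_list | grep -q $GATEW_DOM
+[ $? -ne 0 ] && DBUG proxy_libvirt_status $GATEW_DOM not in virsh list
+#? && return 3
+else
+WARN proxy_libvirt_status null GATEW_DOM
+fi
+return 0
+}
+
+## proxy_libvirt_restart
+proxy_libvirt_restart () { DBUG proxy_libvirt_restart $* ;
+# tests restarts
+
+proxy_libvirt_start || return 3$?
+proxy_libvirt_test || return 4$?
+
+[ -x /etc/libvirt/hooks/network ] || return 7$?
+/etc/libvirt/hooks/network || return 8$?
+
+proxy_ping_firewall_restart
+# /etc/modules-load.d/firewall.conf
+
+return 0
+}
+
+## proxy_libvirt_start_guest
+proxy_libvirt_start_guest () {
+local dire=$1
+
+[ ! -f /etc/init.d/qemu-guest-agent ] && return 0
+proxy_rc_service qemu-guest-agent status >/dev/null \
+|| proxy_rc_service qemu-guest-agent start || return 2$?
+
+return $?
+}
+
+# proxy_libvirt_test_host
+proxy_libvirt_test_host () {
+local dire=$1
+[ -z "$dire" ] && MODE="$( proxy_whonix_mode )" && dire=$MODE
+[ -n "$MODE" ] || MODE=host
+if [ $MODE = tor ] ; then
+proxy_rc_service tor status >/dev/null || \
+{ echo ERROR: $prog tor is not running ; return 2 ; }
+# different for selector
+fi
+$PREFIX/bin/proxy_ping_test.bash to_tor || return 6$?
+return $?
+}
+
+# proxy_libvirt_test_guest
+proxy_libvirt_test_guest () {
+[ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] || \
+echo WARN: /dev/virtio-ports/org.qemu.guest_agent.0 not created
+proxy_rc_service qemu-guest-agent status
+return $?
+}
+
+## proxy_libvirt_status tests and checks logs - noisy
+proxy_libvirt_test () { DBUG proxy_libvirt_test $* ;
+[ -e /dev/virtio-ports ] && proxy_libvirt_test_guest || \
+proxy_libvirt_test_host
+return $?
+}
+
+## proxy_libvirt_status tests and checks logs - noisy
+proxy_libvirt_test_host () { DBUG proxy_libvirt_test_host $* ;
+proxy_libvirt_status || return 1$?
+
+[ -f /var/log/libvirt/libvirtd.log ] && \
+INFO proxy_libvirt_test /var/log/libvirt/libvirtd.log && \
+tail /var/log/libvirt/libvirtd.log
+# shellcheck disable=SC2154
+[ -z "$GATEW_DOM" ] && GATEW_DOM="$( proxy_testforge_get_gateway_dom )"
+if [ -n "$GATEW_DOM" ] ; then
+if [ -f /var/log/libvirt/qemu/$GATEW_DOM.log ] ; then
+INFO proxy_libvirt_test /var/log/libvirt/qemu/$GATEW_DOM.log
+tail /var/log/libvirt/qemu/$GATEW_DOM.log
+else
+WARN proxy_libvirt_test missing /var/log/libvirt/qemu/$GATEW_DOM.log
+fi
+else
+WARN proxy_libvirt_test null GATEW_DOM
+fi
+proxy_libvirt_test_dnsmasq || return 6$?
+
+return 0
+}
+
+## proxy_libvirt_start
+proxy_libvirt_start () { DBUG proxy_libvirt_start $* ;
+proxy_ping_firewall_modules
+proxy_libvirt_hung || return 2
+
+proxy_rc_service libvirtd status >/dev/null 2>/dev/null || \
+proxy_rc_service libvirtd start || return 3$?
+
+return 0
+}
+
+## proxy_libvirt_hung
+proxy_libvirt_hung () { DBUG proxy_libvirt_hung $* ;
+# 1 means hung
+[ -f /etc/init.d/libvirtd ] || return 0
+if [ ! -e /run/libvirt/libvirt-sock ] || ! proxy_rc_service libvirtd status >/dev/null ; then
+INFO proxy_libvirt_hung proxy_rc_service libvirtd start
+proxy_rc_service libvirtd start || return 1
+sleep $DELAY
+fi
+/etc/init.d/libvirtd status 2>/dev/null >/dev/null || return 1
+a=$( /etc/init.d/libvirtd status |grep '├─' |grep -c -v '/usr/s.*bin' )
+# hung processes will hang proxy_virsh list
+[ $? -eq 0 -a $a -gt 1 ] && {
+WARN proxy_libvirt_hung - too many subprocesses $a
+return 1
+}
+# ├─ 820 /usr/sbin/libvirtd
+# ├─ 2221 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/Whonix-External.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
+# ├─28153 /bin/sh /etc/libvirt/hooks/network Whonix-External plugged begin -
+# ├─28154 bash /usr/local/bin/proxy_libvirt_hook_network.bash Whonix-External plugged begin -
+return 0
+}
+
+## proxy_libvirt_list
+proxy_libvirt_list () { DBUG proxy_libvirt_list $* ;
+local a
+proxy_libvirt_hung || return 10
+proxy_virsh list
+return $?
+}
+
+## proxy_libvirt_clean_iptables
+proxy_libvirt_clean_iptables () {
+local i int dir dcp prot port
+
+for dir in i ; do
+for int in virbr2 virbr1; do
+dcp=67
+[ $dir = i ] || dcp=68
+for port in 53 $dcp ; do
+[ $dir = i ] && table=INP || table=OUT
+for prot in udp tcp; do
+proxy_iptables_save | grep -q -e "-A LIBVIRT_$table -i $int -p $prot -m $prot --dport $port -j ACCEPT" || continue
+iptables -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT || \
+echo WARN: $? -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT
+done
+done
+done
+done
+
+for dir in o ; do
+for int in virbr2 virbr1; do
+dcp=68
+[ $dir = o ] || dcp=67
+for port in 53 68 ; do
+table=OUT
+[ $dir = i ] && table=INP
+for prot in udp tcp; do
+proxy_iptables_save | grep -q -e "-A LIBVIRT_$table -i $int -p $prot -m $prot --dport $port -j ACCEPT" || continue
+iptables -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT || \
+echo WARN: $? -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT
+done
+done
+done
+done
+
+return 0
+}
+
+# DBUG 0=$0
+base=proxy_libvirt_lib
+if [ -x /usr/bin/basename ] && \
+[ $( basename -- "$0" .bash ) = $base \
+-o $( basename -- "$0" .sh ) = $base ] ; then
+[ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && \
+echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//' && exit 0
+"$@"
+exit $?
+fi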
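Review bot: In proxy_libvirt_test_dnsmasq the line `[ -f $pid ] || dbug $prog no pid-file in $file && continue` parses as `( [ -f $pid ] || dbug … ) && continue`, so the loop continues whether or not the pid-file exists and the `kill -HUP` below it is never reached; write it as `[ -f $pid ] || { dbug $prog no pid-file in $file ; continue ; }`. `proxy_libvirt_test_host` is defined twice — once with the `local dire=$1` / tor-status body and again after proxy_libvirt_test — and in bash the later definition wins, so the first is dead code and the `proxy_ping_test.bash to_tor` check it performs is silently dropped. In proxy_libvirt_hung, `sleep $DELAY` uses a `DELAY` this file never sets; if it is exported by proxy_ping_lib.bash a comment should say so, otherwise `sleep ${DELAY:-5}` avoids a bare `sleep`. In proxy_libvirt_clean_iptables the second loop runs with `dir=o` but its grep still looks for `-i $int`, so nothing matches and no LIBVIRT_OUT rule is ever removed; `table` is also not declared `local` in either loop.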
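--- a/overlay/Linux/usr/local/src/proxy_nm_wireless_clean.bash
+++ b/overlay/Linux/usr/local/src/proxy_nm_wireless_clean.bash
@@ -0,0 +1,51 @@
+#!/bin/bash
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+ROLE=proxy
+prog=$( basename $0 .bash )
+. /usr/local/bin/usr_local_tput.bash
+PREFIX=/usr/local
+
+[ $( id -u ) -eq 0 ] || { ERROR "this must be run as root" ; exit 1 ; }
+
+LOG=/tmp/I$$.log
+JSON=/tmp/I$$.json
+
+. /usr/local/bin/proxy_ping_lib.bash || \
+{ echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 3; }
+. /usr/local/bin/usr_local_base.bash || exit 2
+
+PROXY_WLAN=$(route |grep ^def |sed -e 's/.* //') || { echo ERROR: " no route $?" ; exit 4 ; }
+if [ -z "$PROXY_WLAN" ] ; then
+PROXY_WLAN=$( proxy_get_if )
+[ $? -eq 0 ] || { echo ERROR: " error getting device $?" ; exit 5 ; }
+fi
+
+[ -d /etc/NetworkManager/system-connections ] || exit 0
+cd /etc/NetworkManager/system-connections/ || exit 6
+
+pgrep NetworkManager >/dev/null || \
+/etc/init.d/network-manager start # || exit 7
+
+iwlist $PROXY_WLAN scan > $LOG 2>&1 || { echo ERROR: failed iwlist scan ; exit 2 ; }
+
+which yq 2>/dev/null >/dev/null && \
+for file in *.nmconnection; do
+elt=$( basename "$file" .nmconnection )
+grep -q "$elt" "$LOG" || continue
+L=$( cat $LOG | grep -B 5 "$elt" | sed -e 's@/.*@@' -e 's@[=:]@: @' -e 's/.*Addre/- Addre/' -e '/^--\|Frequency:\|Encryption/d' -e 's/^ */ /' | yq 'sort_by(.Quality)|reverse|map(del(.Channel))|.[0:4]'|grep Address|sed -e 's/,/;/' -e 's/ *.Address.: //'|xargs echo|sed -e 's/ //g' )
+[ -z "$L" ] && continue
+sed -e "s@^seen-bssids=.*@seen-bssids=$L@" -i "$file"
+
+grep -q lldp=0 "$file" || echo WARN: nmcli con modify $elt connection.lldp 0
+grep -q llmnr=0 "$file" || echo WARN: nmcli con modify $elt connection.llmnr 0
+grep -q mdns=0 "$file" || echo WARN: nmcli con modify $elt connection.mdns 0
+
+INFO $prog $PWD/$file
+
+done
+rm -f /tmp/I$$.log
+
+[ "$#" -eq 0 ] && exit 0
+[ $1 = connect ] && nmtui-connect
+[ $1 = edit ] && nmtui-edit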
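Review bot: `$L` on the `sed -e "s@^seen-bssids=.*@seen-bssids=$L@" -i "$file"` line is derived from `iwlist … scan` output, i.e. from beacons that any nearby radio can broadcast, and is written into the NetworkManager keyfile through a sed program that uses `@` as its delimiter; a scan result containing `@`, `\` or a newline can change the sed expression or what lands in the profile. Check the value before the edit, e.g. `[[ "$L" =~ ^([0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5};?)+$ ]] || { WARN $prog bad bssid list for $elt ; continue ; }`. The earlier `grep -q "$elt" "$LOG"` uses the connection name as an unanchored regex, so one profile can match another profile's scan entry; `grep -qF -- "$elt" "$LOG"` is the literal form. `$JSON` is assigned but never used, and the `rm -f /tmp/I$$.log` at the end is skipped on every `exit` above it — a `trap 'rm -f "$LOG"' EXIT` after `LOG=` covers all paths.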
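--- a/overlay/Linux/usr/local/src/proxy_pacman_gpg_test.bash
+++ b/overlay/Linux/usr/local/src/proxy_pacman_gpg_test.bash
@@ -0,0 +1,55 @@
+#!/bin/sh
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+# Dual Linux or msys64
+
+prog=$( basename $0 .bash )
+ROLE=proxy
+PREFIX=/usr/local
+
+[ -n "$MSYSTEM" ] && EXET=msys || EXET=sh
+
+[ -f $PREFIX/etc/testforge/testforge.bash ] \
+&& . /usr/local/etc/testforge/testforge.bash
+. /usr/local/bin/usr_local_tput.bash || exit 2
+
+PROXIES=""
+if [ -d /etc/pacman.d/gnupg ] ; then
+ROLE=msys64
+HOMEDIR=/etc/pacman.d/gnupg
+# proxy or striaght through
+PROXIES="10.152.152.12"
+elif [ -d /q/Pg64/Msys64/etc/pacman.d/gnupg ] ; then
+ROLE=q
+HOMEDIR=/q/Pg64/Msys64/etc/pacman.d/gnupg
+ppl=/usr/local/bin/proxy_ping_lib.bash
+# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
+[ "$USER" != root ] && export PATH=/sbin:$PATH
+[ -z "$MODE" ] && MODE=$( $ppl proxy_ping_mode )
+if [ "$MODE" = tor ] ; then
+PROXIES="127.0.0.1:3128"
+elif [ "$MODE" = whonix ] ; then
+PROXIES="10.0.2.15:9128"
+elif [ "$MODE" = gateway ] ; then
+PROXIES="10.0.2.15:9128"
+elif ps ax | grep -q polipo ; then
+PROXIES="127.0.0.1:3128"
+else
+echo ERROR: unknown proxy
+exit 2
+fi
+
+fi
+GPG="gpg --verbose --home $HOMEDIR"
+
+a=`ls $HOMEDIR/private-keys-v1.d/|wc -l`
+if [ $? -ne 0 -o "$a" -eq 0 ] ; then
+ERROR you need a private kepair with $GPG --quick-gen-key
+exit 3
+fi
+
+# shellcheck disable=SC2154
+$GPG --list-keys | grep -B 1 unknown && \
+WARN un-signed keys in pacman && \
+DBUG "$GPG --list-keys 2>/dev/null |grep -B1 unknown|grep '^ ' |while read elt;do \$GPG --edit-key $elt ;done"
+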
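Review bot: The `if … elif … fi` that selects `HOMEDIR` has no else branch, so on a host with neither gnupg directory `GPG="gpg --verbose --home $HOMEDIR"` gets an empty homedir and the ``ls $HOMEDIR/private-keys-v1.d/|wc -l`` check lists `/private-keys-v1.d/` instead; add `else ERROR $prog no pacman gnupg directory ; exit 2` before that `fi`. The file is `#!/bin/sh` but relies on `ERROR`, `WARN` and `DBUG` from `/usr/local/bin/usr_local_tput.bash`, which the other scripts in this commit source under `#!/bin/bash`, so it only works where sh is bash — switch the shebang or stop depending on those helpers. `PROXIES` and `EXET` are computed and never read; if they are meant for gpg's `--keyserver-options`, that wiring is missing.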
1416
overlay/Linux/usr/local/src/proxy_ping_lib.bash
Executable file
1416
overlay/Linux/usr/local/src/proxy_ping_lib.bash
Executable file
File diff suppressed because it is too large
1140
overlay/Linux/usr/local/src/proxy_ping_test.bash
Executable file
1140
overlay/Linux/usr/local/src/proxy_ping_test.bash
Executable file
File diff suppressed because it is too large
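--- a/overlay/Linux/usr/local/src/proxy_sdwdate.bash
+++ b/overlay/Linux/usr/local/src/proxy_sdwdate.bash
@@ -0,0 +1,10 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
+
+PREFIX=/usr/local
+ROLE=proxy
+
+sh $PREFIX/bin/proxy_ping_test.bash wifi || exit 1
+sh $PREFIX/bin/proxy_ping_test.bash tor || exit 2
+
+exec $PREFIX/bin/python3.7.sh $PREFIX/bin/sdwdate_.py "$@"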
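Review bot: `sh $PREFIX/bin/proxy_ping_test.bash wifi` runs a `.bash` script under `sh`; proxy_hourly.bash in this commit executes the same file directly and every visible sibling is `#!/bin/bash`, so if proxy_ping_test.bash uses bash syntax (its diff is suppressed here, so I cannot confirm) this wrapper breaks on hosts where sh is dash. Running it the way the other callers do, `$PREFIX/bin/proxy_ping_test.bash wifi || exit 1` and the same for `tor`, removes the ambiguity. The `exec` line also pins `python3.7.sh`, which will need editing on every interpreter upgrade; a comment naming why that version is required would help.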
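--- a/overlay/Linux/usr/local/src/proxy_ssl_certs.bash
+++ b/overlay/Linux/usr/local/src/proxy_ssl_certs.bash
@@ -0,0 +1,69 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+# https://medium.com/@appmattus/android-security-ssl-pinning-1db8acb6621e
+
+prog=$( basename $0 .bash )
+PREFIX=/usr/local
+ROLE=proxy
+
+. /usr/local/bin/proxy_ping_lib.bash || \
+{ ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; }
+. /usr/local/bin/usr_local_base.bash || exit 2
+
+proxy_ping_mode
+#? . /usr/local/bin/proxy_export.bash $MODE
+
+. /usr/local/bin/usr_local_base.bash || exit 2
+CERT=$( proxy_ping_update_cacert )
+[ "$?" -ne 0 -o -n "$CERT" ] && CAFILE=$CERT || \
+CAFILE=/usr/local/etc/ssl/cacert-testforge.pem
+
+openssl=openssl
+OPENSSL_ARGS="-4 --CAfile $CAFILE -bugs -showcerts"
+if [ -n "$https_proxy" ] ; then
+HTTPS_HOST=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/https* //' -e 's/ .*//' )
+HTTPS_PORT=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
+
+OPENSSL_ARGS="$OPENSSL_ARGS -proxy ${HTTPS_HOST}:$HTTPS_PORT"
+elif [ -n "$socks_proxy" ] ; then
+SOCKS_HOST=$( echo $socks_proxy|sed -e 's/.*@//' -e 's@/@@g' -e 's/:/ /g' -e 's/socks5* //' -e 's/ .*//' )
+SOCKS_PORT=$( echo $socks_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
+# check /etc/tor/torsocks.conf
+openssl='torsocks openssl'
+fi
+
+OUTR=/tmp/$prog$$
+for item in "$@" ; do
+i=0
+OUTRF=$OUTR.$item
+
+INFO openssl s_client -connect ${item}:443 -servername $item $OPENSSL_ARGS
+$openssl s_client -connect ${item}:443 -servername $item $OPENSSL_ARGS \
+</dev/null 2>$OUTRF.err >$OUTRF.out
+[ $? -eq 0 ] || {
+retval=$?
+ERROR $prog $retval see $OUTRF.err
+cat $OUTRF.err
+exit 1$retval
+}
+[ -s $OUTRF.out ] || { ERROR $prog empty $OUTRF.out ; exit 2 ; }
+
+sed -n '/Certificate chain/,/Server certificate/p' $OUTRF.out >$OUTRF.chain
+DBUG $prog Certificate chain:
+grep '^ [0-9][0-9]* ' $OUTRF.chain
+INFO $prog Base64 Certificate sha256 digests:
+rest=$( cat $OUTRF.chain )
+while [[ "$rest" =~ '-----BEGIN CERTIFICATE-----' ]] ; do
+cert="${rest%%-----END CERTIFICATE-----*}-----END CERTIFICATE-----"
+rest=${rest#*-----END CERTIFICATE-----}
+echo $( echo "$cert" | grep 's:' | sed 's/.*s:\(.*\)/\1/' ) echo "$cert" |
+openssl x509 -pubkey -noout |
+openssl rsa -pubin -outform der 2>/dev/null |
+openssl dgst -sha256 -binary | openssl enc -base64
+done
+
+# rm -f $OUTRF.chain $OUTRF.out $OUTRF.err
+done
+
+exit 0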
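Review bot: The CA-file selection `[ "$?" -ne 0 -o -n "$CERT" ] && CAFILE=$CERT || CAFILE=…` is inverted: when proxy_ping_update_cacert fails, `$?` is non-zero and CAFILE becomes whatever (possibly empty) `$CERT` it printed, so s_client then runs with a bad `--CAfile` and the fallback bundle is never used; it should be `[ "$?" -eq 0 -a -n "$CERT" ]`. In the `[ $? -eq 0 ] || { retval=$? …` block, `retval` captures the status of the `[` test (always 1), not of openssl, so `retval=$?` belongs on the line directly after the s_client command. In the digest loop, `openssl rsa -pubin` with stderr discarded rejects non-RSA keys, so an EC-keyed certificate produces the digest of empty input rather than a pin — `openssl pkey -pubin -outform der` handles both — and the `echo $( … ) echo "$cert" |` line sends the subject text into the `openssl x509` pipe instead of to the terminal, presumably a lost `;` after the first `echo`. The same inverted CAFILE test appears in proxy_test_ssl.bash.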
351
overlay/Linux/usr/local/src/proxy_test_ssl.bash
Executable file
351
overlay/Linux/usr/local/src/proxy_test_ssl.bash
Executable file
@ -0,0 +1,351 @@
|
||||
#!/bin/bash
|
||||
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
|
||||
|
||||
. /usr/local/bin/usr_local_tput.bash || exit 2
|
||||
PREFIX=/usr/local
|
||||
ROLE=proxy
|
||||
NOW=$( date -u +%y-%m-%d_%H%m )
|
||||
DEBUG=1
|
||||
PROXY_WLAN=wlan4
|
||||
prog=$( basename $0 .bash )
|
||||
|
||||
# SocksPolicy Accept in /etc/tor/torrc - required and works with sslscan
|
||||
|
||||
ip route | grep ^default || { ERROR "not connected" ; exit 1 ; }
|
||||
PATH=$PATH:/sbin
|
||||
BADSSL_SITES=(
|
||||
self-signed.badssl.com
|
||||
expired.badssl.com
|
||||
mixed.badssl.com
|
||||
rc4.badssl.com
|
||||
hsts.badssl.com
|
||||
)
|
||||
|
||||
badssl=0
|
||||
[ "$#" -eq 0 ] && badssl=1
|
||||
# tests="$MODE"
|
||||
tests=""
|
||||
nodig=1
|
||||
verbosity=2
|
||||
outdir=/tmp
|
||||
timeout=20
|
||||
|
||||
#[ -f /usr/local/etc/testforge/testforge.bash ] && \
|
||||
# . /usr/local/etc/testforge/testforge.bash
|
||||
|
||||
. /usr/local/bin/proxy_ping_lib.bash || \
|
||||
{ ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; }
|
||||
|
||||
|
||||
if [ -f /usr/local/etc/ssl/cacert-testforge.pem ] ; then
|
||||
CAFILE=/usr/local/etc/ssl/cacert-testforge.pem
|
||||
else
|
||||
CERT=$( proxy_ping_update_cacert )
|
||||
[ "$?" -ne 0 -o -n "$CERT" ] && CAFILE=$CERT || \
|
||||
CAFILE=/usr/local/etc/ssl/cacert-testforge.pem
|
||||
fi
|
||||
|
||||
[ -z "$MODE" ] || MODE=`proxy_ping_mode`
|
||||
|
||||
if [ "$MODE" = tor ] ; then
|
||||
|
||||
[ -z "PROXY_WLAN" ] && PROXY_WLAN=`proxy_get_if`
|
||||
[ -z "PROXY_WLAN" ] && { ERROR " error getting device $?" ; exit 3 ; }
|
||||
|
||||
if ip route | grep ^def ; then
|
||||
PROXY_WLAN_IP=$( proxy_get_wlan_ip )
|
||||
[ -n "$PROXY_WLAN_IP" ] || { ERROR "no PROXY_WLAN_IP" ; exit 4 ; }
|
||||
fi
|
||||
fi
|
||||
|
||||
usage() {
|
||||
echo "Usage: $0 [OPTIONS] dirs-or-files"
|
||||
echo
|
||||
echo " -B | --badssl - test badssl.org sites"
|
||||
echo " -D | --nodig - no dig sites"
|
||||
echo " -T | --tests - ping tests to run first"
|
||||
echo " -o | --outdir=/tmp - output directory"
|
||||
echo " -v | --verbosity=$verbosity - verbosity 0 least 5 most"
|
||||
echo
|
||||
echo " -V | --version - print version of this script"
|
||||
echo " -h | --help - print this help"
|
||||
}
|
||||
|
||||
SHORTOPTS="hVBDT:v:"
|
||||
LONGOPTS="help,version:,badssl,nodig,tests:,verbosity:"
|
||||
HOSTS=
|
||||
|
||||
ARGS=$(getopt --options $SHORTOPTS --longoptions $LONGOPTS -- "$@")
|
||||
[ $? != 0 ] && { ERROR "error parsing getopt" ; exit 5 ; }
|
||||
|
||||
eval set -- "$ARGS"
|
||||
|
||||
while true; do
|
||||
case "$1" in
|
||||
# -t --tests
|
||||
-o|--outdir)
|
||||
shift
|
||||
outdir="$1"
|
||||
;;
|
||||
-v|--verbosity)
|
||||
shift
|
||||
verbosity="$1"
|
||||
;;
|
||||
-B|--badssl)
|
||||
badssl=1
|
||||
;;
|
||||
-D|--nodig)
|
||||
nodig=1
|
||||
;;
|
||||
-T|--tests)
|
||||
shift
|
||||
tests="$1"
|
||||
;;
|
||||
-V|--version)
|
||||
usage
|
||||
exit 0
|
||||
;;
|
||||
-h|--help)
|
||||
usage
|
||||
exit 0
|
||||
;;
|
||||
'--')
|
||||
shift
|
||||
HOSTS="$*"
|
||||
break
|
||||
;;
|
||||
*)
|
||||
{ ERROR "unrecognized arguments $*" ; exit 6 ; }
|
||||
break
|
||||
;;
|
||||
esac
|
||||
shift
|
||||
done
|
||||
|
||||
[ $badssl -ne 0 ] && HOSTS="${BADSSL_SITES[*]}"
|
||||
[ -z "$HOSTS" ] && { ERROR "no arguments $*" ; exit 0 ; }
|
||||
[ -d "$outdir" ] || mkdir -p "$outdir" || { ERROR "mkdir $outdir" ; exit 7 ; }
|
||||
kill_time=$( expr $timeout + 10 )
|
||||
|
||||
[ -z "$tests" ] || \
|
||||
for elt in $tests ; do
|
||||
/usr/local/bin/proxy_ping_test.bash $elt || exit 9$?
|
||||
done
|
||||
|
||||
if which sslscan 2>/dev/null ; then
|
||||
sslscan='sslscan'
|
||||
SSLSCAN_ARGS="-4 --show-client-cas --show-certificate --bugs --timeout $timeout --tlsall --show-ciphers --no-colour --verbose"
|
||||
else
|
||||
# no proxy support
|
||||
sslscan=''
|
||||
fi
|
||||
# sslscan --show-client-cas - no proxy
|
||||
|
||||
openssl=openssl
|
||||
OPENSSL_ARGS="-4 -bugs -showcerts"
|
||||
|
||||
if [ -e /dev/tcp ] && which testssl.bash 2>/dev/null ; then
|
||||
testssl='testssl.bash'
|
||||
TESTSSL_ARGS="--connect-timeout $timeout --openssl-timeout $timeout --standard --vulnerable"
|
||||
#? --ssl-native
|
||||
TESTSSL_ARGS="$TESTSSL_ARGS --add-ca $CAFILE --assume-http --hints --color=0 --append"
|
||||
else
|
||||
# no proxy support
|
||||
testssl=''
|
||||
fi
|
||||
|
||||
if [ -f /usr/local/bin/scurl.bash ] ; then
|
||||
curl="/usr/local/bin/scurl.bash -- -s -S"
|
||||
else
|
||||
curl='curl -s -S'
|
||||
fi
|
||||
CURL_ARGS="-vvv --cacert $CAFILE --cert-status --connect-timeout $timeout"
|
||||
|
||||
if [ -f $PREFIX/bin/analyze-ssl.pl.bash ] ; then
|
||||
analyze=$PREFIX/bin/analyze-ssl.pl.bash
|
||||
ANALYZE_ARGS="-v --timeout $timeout --CApath $CAFILE --all-ciphers"
|
||||
else
|
||||
analyze=""
|
||||
fi
|
||||
|
||||
warns=0
|
||||
OUTR=$outdir/$prog-$NOW
|
||||
if [ $nodig -eq 0 ] ; then
|
||||
for item in $HOSTS ; do
|
||||
i=0
|
||||
OUTRF=$OUTR.$item
|
||||
if [ $MODE = tor ] ; then
|
||||
torresolve $item > $OUTRF.dig.out 2>&1
|
||||
retval=$?
|
||||
[ $retval -ne 0 ] && ERROR "torresolve $item $? - see $OUTRF.dig.out" && exit 1$?
|
||||
elif false ; then
|
||||
nslookup $item > $OUTRF.nslookup.out 2>&1
|
||||
#?[ $? -eq 0 ] || WARN "nslookup $item $? - see $OUTRF.nslookup.out"
|
||||
#?grep NXDOMAIN "$OUTRF.nslookup.out" && WARN "nslookup $item NXDOMAIN - see $OUTRF.nslookup.out"
|
||||
else
|
||||
dig $item > $OUTRF.dig.out 2>&1
|
||||
[ $? -ne 0 ] && ERROR "dig $item $? - see $OUTRF.dig.out" && exit 1$?
|
||||
grep 'ANSWER: 1' "$OUTRF.dig.out" || ERROR "dig $item no ANSWER - see $OUTRF.dig.out" && exit 2$?
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
# [ -r /etc/tor/torrc ]
|
||||
# was https take precedence over socks
|
||||
if [ -n "$socks_proxy" ] ; then
|
||||
SOCKS_HOST=$( echo $socks_proxy|sed -e 's/.*@//' -e 's@/@@g' -e 's/:/ /g' -e 's/socks5* //' -e 's/ .*//' )
|
||||
SOCKS_PORT=$( echo $socks_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
|
||||
|
||||
openssl='torsocks openssl'
|
||||
|
||||
# --interface lo --dns-interface lo
|
||||
[ -n "$analyze" ] && analyze="torsocks $analyze"
|
||||
[ -n "$testssl" ] && testssl="torsocks $testssl"
|
||||
[ -n "$sslscan" ] && sslscan="torsocks $sslscan"
|
||||
if [ $MODE = tor -o $MODE = selektor ] ; then
|
||||
sudo grep -q "SocksPolicy *accept *$PROXY_WLAN_IP" /etc/tor/torrc || \
|
||||
{ WARN "need SocksPolicy accept $PROXY_WLAN_IP in /etc/tor/torrc" ; }
|
||||
fi
|
||||
CURL_ARGS="$CURL_ARGS --proxy $socks_proxy "
|
||||
if [ ${HTTPS_HOST} = 127.0.0.1 ] ; then
|
||||
CURL_ARGS="$CURL_ARGS --interface"
|
||||
fi
|
||||
if netstat -nle4 | grep 127.0.1:53 ; then
|
||||
CURL_ARGS="$CURL_ARGS --dns-interface lo"
|
||||
fi
|
||||
elif [ -n "$https_proxy" ] ; then
|
||||
HTTPS_HOST=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/https* //' -e 's/ .*//' )
|
||||
HTTPS_PORT=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
|
||||
|
||||
OPENSSL_ARGS="$OPENSSL_ARGS -proxy ${HTTPS_HOST}:$HTTPS_PORT"
|
||||
TESTSSL_ARGS="$TESTSSL_ARGS --proxy=auto"
|
||||
CURL_ARGS="$CURL_ARGS --proxy http://${HTTPS_HOST}:$HTTPS_PORT"
|
||||
ANALYZE_ARGS="$ANALYZE_ARGS --starttls http_proxy:${HTTPS_HOST}:$HTTPS_PORT"
|
||||
[ -n "$testssl" ] && testssl="torsocks $testssl"
|
||||
[ -n "$sslscan" ] && sslscan="torsocks $sslscan"
|
||||
|
||||
|
||||
else
|
||||
: direct
|
||||
fi
|
||||
|
||||
TENVS="DNS_VIA_PROXY=true"
|
||||
errs=0
|
||||
for CAFILE in /etc/ssl/certs/ca-certificates.crt /usr/local/etc/ssl/cacert-testforge.pem ; do
|
||||
[ -f $CAFILE ] || { ERROR "CAfile not found $CAFILE" ; exit 8; }
|
||||
for item in $HOSTS ; do
|
||||
i=0
|
||||
OUTRF=$OUTR.$item
|
||||
|
||||
if [ -n "$openssl" ] ; then
|
||||
INFO "$openssl s_client -connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE"
|
||||
echo $openssl s_client \
|
||||
-connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE \
|
||||
< /dev/null > $OUTRF.s_client.out
|
||||
timeout ${kill_time}s \
|
||||
$openssl s_client \
|
||||
-connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE \
|
||||
< /dev/null >> $OUTRF.s_client.out 2>&1
|
||||
# :error:\|
|
||||
if [ $? -eq 124 ] ; then
|
||||
echo "DEBUG: timeout openssl s_client failed $? see $OUTRF.s_client.out"
|
||||
elif [ $? -ne 0 ] ; then
|
||||
WARN "openssl s_client failed $? see $OUTRF.s_client.out"
|
||||
i=$( expr $i + 1 )
|
||||
elif str='unable to get local issuer certificate' && \
|
||||
grep "$str" $OUTRF.s_client.out; then
|
||||
WARN "openssl s_client failed - $str see $OUTRF.s_client.out"
|
||||
i=$( expr $i + 1 )
|
||||
elif str='Cipher is (NONE)' && \
|
||||
grep "$str" $OUTRF.s_client.out; then
|
||||
WARN "openssl s_client failed - $str see $OUTRF.s_client.out"
|
||||
i=$( expr $i + 1 )
|
||||
elif str='SSL handshake has read 0 bytes' && \
|
||||
grep "$str" $OUTRF.s_client.out; then
|
||||
WARN "openssl s_client failed - $str see $OUTRF.s_client.out"
|
||||
i=$( expr $i + 1 )
|
||||
else
|
||||
echo "DEBUG: openssl s_client -showcerts $OPENSSL_ARGS --CAfile $CAFILE $item"
|
||||
timeout ${kill_time}s \
|
||||
$openssl s_client -showcerts \
|
||||
-connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE < /dev/null \
|
||||
> $OUTRF.s_client.certs 2>&1
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -n "$sslscan" ] ; then
|
||||
echo $sslscan $SSLSCAN_ARGS --certs $CAFILE --sni-name $item $item > $OUTRF.sslscan.out
|
||||
timeout ${kill_time}s \
|
||||
$sslscan $SSLSCAN_ARGS --sni-name $item $item >> $OUTRF.sslscan.out 2>&1
|
||||
if [ $? -eq 124 ] ; then
|
||||
echo "DEBUG: timeout sslscan failed $? see $OUTRF.sslscan.out "
|
||||
elif [ $? -ne 0 ] ; then
|
||||
WARN "sslscan failed $? see $OUTRF.sslscan.out "
|
||||
i=$( expr $i + 1 )
|
||||
elif grep 'SSL Certificate' $OUTRF.sslscan.out ; then
|
||||
WARN "sslscan failed see $OUTRF.sslscan.out "
|
||||
i=$( expr $i + 1 )
|
||||
elif grep 'Connection failed' $OUTRF.sslscan.out ; then
|
||||
# tail -1 $OUTRF.sslscan.out | grep 'Supported Server Cipher'
|
||||
WARN "sslscan failed see $OUTRF.sslscan.out "
|
||||
i=$( expr $i + 1 )
|
||||
else
|
||||
INFO "$sslscan $SSLSCAN_ARGS $item"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -n "$testssl" -a -n "$https_proxy" ] ; then
|
||||
# rDNS (140.82.114.3): lb-140-82-114-3-iad.github.com.testssl.sh: line 10330: /dev/tcp/140.82.114.3/443: No such file or directory
|
||||
echo $TENVS $testssl $TESTSSL_ARGS $item > $OUTRF.testssl.out
|
||||
env $TENVS $testssl $TESTSSL_ARGS $item >> $OUTRF.testssl.out 2>&1
|
||||
if [ $? -ne 0 ] ; then
|
||||
WARN "testssl failed $? see $OUTRF.testssl.out"
|
||||
i=$( expr $i + 1 )
|
||||
elif grep ': unable to\| error:\|doesn.t seem to be a TLS/SSL enabled server' $OUTRF.testssl.out; then
|
||||
WARN "testssl failure see $OUTRF.testssl.out"
|
||||
i=$( expr $i + 1 )
|
||||
else
|
||||
INFO "$testssl $TESTSSL_ARGS $item"
|
||||
echo "DEBUG: $testssl $TESTSSL_ARGS --jsonfile-pretty $OUTRF.testssl.json $item"
|
||||
env $TENVS $testssl $TESTSSL_ARGS --jsonfile-pretty $OUTRF.testssl.json $item > $OUTRF.testssl-json.out 2>&1
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -n "$curl" ] ; then
|
||||
DBUG $TENVS $curl $CURL_ARGS -o /dev/null https://$item/
|
||||
env $TENVS $curl $CURL_ARGS -o /dev/null https://$item/ > $OUTRF.curl-vvv.out 2>&1
|
||||
if [ $? -eq 0 ] ; then
|
||||
grep 'SSL certificate problem:' $OUTRF.curl-vvv.out && \
|
||||
{ WARN "curl -vvv failed $? see $OUTRF.curl-vvv.out" ;
|
||||
i=$( expr $i + 1 ) ; } || \
|
||||
INFO $curl $CURL_ARGS $item
|
||||
else
|
||||
INFO $curl $CURL_ARGS $item
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -n "$analyze" ] ; then
|
||||
timeout ${kill_time}s \
|
||||
$analyze $ANALYZE_ARGS --name $item ${item}:443 \
|
||||
> $OUTRF.analyze-ssl.out 2>&1
|
||||
# certificate verified : ok
|
||||
if [ $? -eq 124 ] ; then
|
||||
echo "DEBUG: timeout $analyze $ANALYZE_ARGS $item"
|
||||
elif [ $? -eq 0 ] ; then
|
||||
INFO "$analyze $ANALYZE_ARGS $item"
|
||||
else
|
||||
WARN "$analyze failed $? see $OUTRF.analyze-ssl.out"
|
||||
i=$( expr $i + 1 )
|
||||
fi
|
||||
fi
|
||||
|
||||
[ $i -eq 0 ] && continue
|
||||
WARN "$i failures for $item"
|
||||
errs=$(expr $errs + $i )
|
||||
DBUG $OUTRF.*.out
|
||||
done
|
||||
done
|
||||
|
||||
find $OUTRF.* -type f -empty -delete
|
||||
|
||||
exit $errs
|
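Review bot: The `elif [ $? -ne 0 ]` branches that follow each `timeout ... ` call (the openssl, sslscan and analyze-ssl blocks) test the exit status of the preceding `[ $? -eq 124 ]`, not of the command, so a clean run takes the failure branch and every host is counted as a failure; capture the status once with `rc=$?` and test `[ $rc -eq 124 ]` / `[ $rc -ne 0 ]` in each of the three places. In the `https_proxy` branch testssl and sslscan are still wrapped in `torsocks` although no SOCKS proxy is configured there, so those scans either fail or are routed through Tor instead of the HTTP proxy under test; drop those two lines or make them conditional on `$socks_proxy` as in the branch above. The socks branch also compares `${HTTPS_HOST}` before it is ever assigned and appends a bare `--interface` with no argument, which will swallow the next curl option. `[ -z "PROXY_WLAN" ]` tests a literal string and is always false, and `[ -e /dev/tcp ]` is false on a normal Linux system because /dev/tcp exists only inside bash redirections, so the testssl path never runs. Result files are written with `>` to predictable names under /tmp (`$outdir/$prog-$NOW.$item.*`), which follows symlinks; since proxy_whonix.bash runs this as root, create the output directory with `mktemp -d` instead.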
20100
overlay/Linux/usr/local/src/proxy_testssl_lib.bash
Executable file
20100
overlay/Linux/usr/local/src/proxy_testssl_lib.bash
Executable file
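--- a/overlay/Linux/usr/local/src/proxy_whonix.bash
+++ b/overlay/Linux/usr/local/src/proxy_whonix.bash
@@ -0,0 +1,137 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+prog=$( basename $0 .bash )
+PREFIX=/usr/local
+ROLE=proxy
+
+USAGE="host|to_tor|tor|from_tor|client|whonix|gateway|vda|nat|workstation|ping|ssl|status|test|refresh|update|up|down"
+
+[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
+[ $( id -u ) -eq 0 ] || { ERROR $prog should be run as root ; exit 1 ; }
+
+. /usr/local/sbin/proxy_whonix_lib.bash || \
+{ ERROR loading /usr/local/sbin/proxy_whonix_host_lib.bash ; exit 2; }
+#. /usr/local/bin/proxy_ping_lib.bash || \
+# { ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; }
+. /usr/local/bin/usr_local_base.bash || exit 2
+proxy_whonix_mode
+
+## proxy_whonix_test_mode - proxy_whonix_host.bash test
+proxy_whonix_test_mode () { DBUG proxy_whonix_test_mode $* ;
+if [ $MODE = tor -o $MODE = whonix -o $MODE = host ]; then
+/usr/local/sbin/proxy_whonix_host.bash test || return 1$?
+fi
+
+return 0
+}
+
+## proxy_whonix_status - proxy_ping_test.bash "$MODE"
+proxy_whonix_status () { DBUG proxy_whonix_status $* ;
+$PREFIX/bin/proxy_ping_test.bash "$MODE" || return 1$?
+return 0
+}
+
+## proxy_whonix_refresh
+proxy_whonix_refresh () { DBUG proxy_whonix_refresh $* ;
+local USAGE="python|pip"
+
+if [ "$#" -eq 0 ] ; then
+echo USAGE: $prog $USAGE
+elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
+echo USAGE: $prog $USAGE or:
+elif [ "$1" = 'python' ] ; then
+/usr/local/bin/testforge_clean_usr_local_lib.bash
+elif [ "$1" = 'pip' ] ; then
+/usr/local/bin/base_pip_upgrade.bash -p 2 -i 0
+/usr/local/bin/base_pip_upgrade.bash -p 3 -i 0
+base_sheebang_after_pip.bash
+else
+:
+fi
+}
+
+UPGRADE_USAGE="python|pip"
+## proxy_whonix_update - $UPGRADE_USAGE
+proxy_whonix_update() {
+
+if [ "$#" -eq 0 ] ; then
+echo USAGE: $prog $UPGRADE_USAGE
+elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
+echo USAGE: $prog $USAGE or:
+elif [ "$1" = 'python' ] ; then
+:
+elif [ "$1" = 'pip' ] ; then
+:
+else
+:
+fi
+}
+
+TEST_USAGE="ssl|ping|mode|libvirt|ga"
+## proxy_whonix_test - test $TEST_USAGE
+proxy_whonix_test () { DBUG proxy_whonix_test $* ;
+if [ "$#" -eq 0 ] ; then
+echo USAGE: $prog $TEST_USAGE
+elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
+echo USAGE: $prog $USAGE or:
+elif [ "$1" = 'ssl' ] ; then
+$PREFIX/sbin/proxy_test_ssl.bash "$@" || exit 3$?
+elif [ "$1" = 'mode' ] ; then
+proxy_whonix_test_mode || exit 4$?
+elif [ "$1" = 'ping' ] ; then
+$PREFIX/sbin/proxy_ping_test.bash "$@" || exit 4$?
+elif [ "$1" = 'libvirt' ] ; then
+$PREFIX/bin/proxy_ping_lib.bash proxy_libvirt_test || exit 5$?
+elif [ "$1" = 'ga' ] ; then
+$PREFIX/bin/proxy_libvirt_ga_test.bash || exit 5$?
+else
+:
+fi
+return 0
+}
+
+WD=$PWD
+if [ "$#" -eq 0 ] ; then
+echo USAGE: $prog $USAGE
+exit 0
+
+elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
+echo USAGE: $prog $USAGE or:
+grep '^## ' $0 | sed -e 's/^## //'
+exit 0
+
+elif [ "$1" = client ] ; then
+shift
+
+elif [ "$1" = ws -o "$1" = 'workstation' -o "$1" = 'gateway' ] ; then
+[ $1 = ws ] && arg=workstation || arg=$1
+shift
+$PREFIX/sbin/proxy_whonix_guest_$arg.bash "$*" || exit 3$?
+
+elif [ 'to_tor' -o "$1" = 'tor' -o "$1" = 'from_tor' -o "$1" = 'whonix' ] ; then
+$PREFIX/sbin/proxy_whonix_host.bash "$@" || exit $?
+
+elif [ "$1" = host ] ; then
+shift
+$PREFIX/sbin/proxy_whonix_host.bash "$@" || exit $?
+
+elif [ "$1" = refresh -o "$1" = update -o "$1" = 'test' -o "$1" = 'status' ] ; then
+arg=$1;shift
+proxy_whonix_$arg "$@"
+
+elif [ "$1" = 'down' -o "$1" = 'up' ] ; then
+arg=$1;shift
+proxy_whonix_$arg "$@"
+
+elif [ "$1" = hourly -o "$1" = 'refresh' ] ; then
+:
+
+else
+DBUG $prog $*
+eval "$@"
+exit $?
+
+fi
+
+exit 0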
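Review bot: The dispatch test `[ 'to_tor' -o "$1" = 'tor' ... ]` never compares `$1` with to_tor — a non-empty literal is always true — so every argument that is not client/ws/workstation/gateway (including host, test, status, refresh, update, up and down) is handed to proxy_whonix_host.bash and all later branches are unreachable; it should read `"$1" = 'to_tor'`. Once that is fixed the final `else` branch, `eval "$@"`, becomes reachable, and because the script insists on running as root it turns any unrecognised argument into arbitrary root command execution; replace it with a usage message and a non-zero exit, e.g. `ERROR "$prog: unknown command $1" ; echo USAGE: $prog $USAGE ; exit 2`. The error text on the source line names proxy_whonix_host_lib.bash while the file actually sourced is proxy_whonix_lib.bash. `proxy_whonix_guest_$arg.bash "$*"` joins the remaining arguments into one word; `"$@"` is presumably intended, as on the host branch below it.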
254
overlay/Linux/usr/local/src/scurl.bash
Executable file
254
overlay/Linux/usr/local/src/scurl.bash
Executable file
@ -0,0 +1,254 @@
|
||||
#!/bin/bash
|
||||
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
|
||||
|
||||
# must not use stdout
|
||||
|
||||
prog=$( basename $0 .bash )
|
||||
PREFIX=/usr/local
|
||||
ROLE=proxy
|
||||
prog=scurl
|
||||
umask 022
|
||||
|
||||
RETRIES=2
|
||||
SSL_VER=3
|
||||
|
||||
. /usr/local/bin/proxy_ping_lib.bash
|
||||
[ -f /usr/local/bin/proxy_curl_lib.bash ] && \
|
||||
. /usr/local/bin/proxy_curl_lib.bash
|
||||
if ! grep -q "^wlan[1-9][ ]00000000" /proc/net/route ; then
|
||||
WARN $prog we are not connected >&2
|
||||
exit -1
|
||||
fi
|
||||
|
||||
usage="curls with some wget options
|
||||
|
||||
Usage: $prog options -- curl-options
|
||||
|
||||
Options:
|
||||
-P, --directory-prefix
|
||||
-X, --force-directories create directories to download to
|
||||
-C, --cacert CA certs in .pem
|
||||
-M, --mode proxy_ping_mode
|
||||
-S, --ssl ssl version 2=tls1.2 3=tls1.3
|
||||
-Y, --ciphers comma sep list of ciphers
|
||||
-Q, --quiet --silent --show-error
|
||||
-h, --help display this help and exit
|
||||
"
|
||||
if [[ $? -ne 0 ]]; then
|
||||
echo "$usage"
|
||||
exit 2
|
||||
fi
|
||||
|
||||
declare -a LARGS
|
||||
# --location is required to follow redirects
|
||||
# im not sure about --http2
|
||||
LARGS+=( --remote-time --location --max-redirs 10 --continue-at - )
|
||||
LARGS+=( --retry-delay 10 --show-error --fail )
|
||||
# --proto-redir https --proto =https is required to prevent protocol downgrades
|
||||
LARGS+=( --proto-redir https --proto-default https --proto =https )
|
||||
|
||||
[ -z "$MODE" ] && MODE=$( /usr/local/bin/proxy_ping_lib.bash proxy_ping_mode )
|
||||
[ -z "$socks_proxy" ] && . /usr/local/bin/proxy_export.bash
|
||||
|
||||
SSL_LIB=openssl # nss
|
||||
if [ -x $PREFIX/bin/curl.bash ] ; then
|
||||
EXE=$PREFIX/bin/curl.bash
|
||||
elif which scurl ; then
|
||||
EXE=`which scurl`
|
||||
else
|
||||
EXE=curl
|
||||
fi
|
||||
|
||||
SHORT=M:QP:XC:F:hS:
|
||||
LONG=mode:,quiet,directory-prefix:,force-directories,cacert,ca-cert:,help,ssl:
|
||||
|
||||
#? export POSIXLY_CORRECT=1
|
||||
|
||||
PARSED=$(getopt --options $SHORT --longoptions $LONG --name "$prog" -- "$@")
|
||||
eval set -- "$PARSED"
|
||||
|
||||
P="$PWD"
|
||||
X="0"
|
||||
# echo DEBUG: WD=$WD rest=$*
|
||||
LOGF=/tmp/$prog$$.err
|
||||
SSL_CIPHERS=""
|
||||
|
||||
while true; do
|
||||
case "$1" in
|
||||
-P|--directory-prefix)
|
||||
shift
|
||||
P="$1"
|
||||
shift
|
||||
# echo DEBUG: P=$WD rest=$*
|
||||
;;
|
||||
-X|--force-directories)
|
||||
X=1
|
||||
shift
|
||||
;;
|
||||
-S|--ssl)
|
||||
shift
|
||||
SSL_VER="$1"
|
||||
shift
|
||||
;;
|
||||
-Y|--ciphers)
|
||||
shift
|
||||
SSL_CIPHERS="$1"
|
||||
shift
|
||||
;;
|
||||
-C|--cacert|-Z|--ca-cert)
|
||||
shift
|
||||
CA_CERT="$1"
|
||||
shift
|
||||
;;
|
||||
-M|--mode)
|
||||
shift
|
||||
MODE="$1"
|
||||
shift
|
||||
;;
|
||||
-Q|--quiet)
|
||||
shift
|
||||
LARGS="$LARGS --silent --show-error"
|
||||
;;
|
||||
-h|--help)
|
||||
echo USAGE: "$usage"
|
||||
exit 0
|
||||
;;
|
||||
--)
|
||||
shift
|
||||
break
|
||||
;;
|
||||
*)
|
||||
# echo ERROR: unhandled arguments $* - use -- after -P $PWD or -X ; exit 3
|
||||
break
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
[ "$SSL_VER" -ge 2 -a "$SSL_VER" -le 3 ] || { ERROR "SSL_VER $SSL_VER" ; exit 6 ; }
|
||||
LARGS+=( --tlsv1.$SSL_VER )
|
||||
|
||||
if [ -n "$SSL_CIPHERS" -a "$SSL_VER" = 2 ] ; then
|
||||
[ $SSL_LIB = openssl ] && \
|
||||
SSL_CIPHERS="ECDHE-RSA-AES256-SHA" # ECDHE-RSA-AES256-GCM-SHA384
|
||||
[ $SSL_LIB = nss ] && \
|
||||
SSL_CIPHERS="ecdhe_rsa_aes_256_sha"
|
||||
fi
|
||||
|
||||
if [ -n "$SSL_CIPHERS" -a "$SSL_VER" = 3 ] ; then
|
||||
[ $SSL_LIB = openssl ] && \
|
||||
SSL_CIPHERS="TLS_AES_256_GCM_SHA384" # TLS_CHACHA20_POLY1305_SHA256
|
||||
[ $SSL_LIB = nss ] && \
|
||||
SSL_CIPHERS="aes_256_gcm_sha_384"
|
||||
fi
|
||||
[ -n "$SSL_CIPHERS" ] && LARGS+=( --ciphers "$SSL_CIPHERS" )
|
||||
|
||||
if [ "$MODE" = tor -o "$MODE" = selektor -o "$MODE" = whonix ] && \
|
||||
netstat -nle4 | grep -q 127.0.0.1:53 ; then
|
||||
LARGS+=( --dns-ipv4-addr 127.0.0.1 --dns-servers 127.0.0.1 )
|
||||
elif [ "$MODE" = whonix ] && ifconfig virbr1 | grep -q 10.0.2.2 ; then
|
||||
LARGS+=( --dns-ipv4-addr 10.0.2.15:9053 --dns-servers 10.0.2.15:9053 )
|
||||
else
|
||||
debug 127.0.0.1:53 not running MODE=$MODE
|
||||
fi
|
||||
|
||||
if ! uname -a | grep -q 'Devuan\|Debian' ; then
|
||||
if [ -f $HOME/.local/ ] ; then
|
||||
[ -f $HOME/.local/alt.svc ] || touch $HOME/.local/alt.svc
|
||||
LARGS+=( --alt-svc $HOME/.local/alt.svc )
|
||||
# #define CURLALTSVC_H2 (1<<4)
|
||||
fi
|
||||
export CURLOPT_ALTSVC_CTRL=16
|
||||
fi
|
||||
|
||||
declare -a RARGS
|
||||
RARGS=("$@")
|
||||
DBUG "$#" "${RARGS[*]}" >&2
|
||||
|
||||
i=0
|
||||
while [ $i -le $RETRIES ] ; do
|
||||
# assumes one URL
|
||||
if [ "${#RARGS[@]}" -eq 1 ] ; then
|
||||
the_url=`sed -e 's@http://@https://@g' -e 's@https*://distfiles.gentoo.org@https://gentoo.osuosl.org@g' -e 's@https*://gentoo.osuosl.org@https://mirror.leaseweb.com/gentoo@g' <<< "${RARGS[*]}"`
|
||||
else
|
||||
the_url=`sed -e 's@http://@https://@' -e 's@https*://distfiles.gentoo.org@https://gentoo.osuosl.org@g' -e 's@https*://gentoo.osuosl.org@https://mirror.leaseweb.com/gentoo@g' <<< "${RARGS[-1]}"`
|
||||
fi
|
||||
RARGS[-1]="$the_url"
|
||||
site=`sed -e 's@https*://@@g' -e 's@/.*@@' <<< $the_url`
|
||||
|
||||
i=`expr $i + 1`
|
||||
if [ "$X" = 1 ] ; then
|
||||
rel_file=$( sed -e 's@^file://*@@' -e 's@^https*://*@@' -e 's@[&?#].*@@' <<< $the_url )
|
||||
rel_dir=$( sed -e 's@/$@@' <<< $rel_file )
|
||||
rel_dir=$( sed -e 's@/[^/]*$@@' <<< $rel_dir )
|
||||
[ -d "$P/$rel_dir" ] || mkdir -p "$P/$rel_dir"
|
||||
output=`sed -e 's/[!:?#]/_/g' <<< "$P/$rel_file"`
|
||||
LARGS+=( --output "$output" --create-dirs )
|
||||
fi
|
||||
|
||||
DBUG $EXE "${LARGS[@]}" "${RARGS[@]}" >&2
|
||||
echo $EXE "${LARGS[@]}" "${RARGS[@]}" > $LOGF
|
||||
$EXE "${LARGS[@]}" "${RARGS[@]}" >> $LOGF 2>&1
|
||||
retval=$?
|
||||
|
||||
if [ "$retval" -eq 22 ] || \
|
||||
tail -4 $LOGF | grep -q 'The requested URL returned error:'; then
|
||||
# on 22 - change to HTTP code
|
||||
code=`tail -4 $LOGF | grep 'The requested URL returned error:' | sed -e 's/.*returned error: //' -e 's/ *$//'`
|
||||
if [ "$code" = 416 ] ; then
|
||||
INFO "$prog retval=$retval code=$code ${HTTP_RESPONSE[416]} $the_url = $LOGF" >&2
|
||||
retval=$code
|
||||
elif [ "$code" = 429 ] ; then
|
||||
ERROR "$prog retval=$retval code=$code ${HTTP_RESPONSE[$code]} $the_url = $LOGF" >&2
|
||||
retval=$code
|
||||
exit $retval
|
||||
elif [ -n "$code" ] && [ "$code" -ge 400 ] ; then
|
||||
# 403 Cloudflare
|
||||
ERROR "$prog retval=$retval code=$code ${HTTP_RESPONSE[$code]} $the_url = $LOGF" >&2
|
||||
retval=$code
|
||||
elif [ -n "$code" ] && [ "$code" -lt 400 ] ; then
|
||||
INFO "$prog retval=$retval code=$code ${HTTP_RESPONSE[$code]} $the_url = $LOGF" >&2
|
||||
else
|
||||
WARN "$prog retval=$retval \"$code\" $the_url = $LOGF" >&2
|
||||
fi
|
||||
|
||||
elif [ "$retval" = 35 ] ; then
|
||||
# 35 CURLE_SSL_CONNECT_ERROR
|
||||
ERROR "$prog retval=$retval CURLE_SSL_CONNECT_ERROR $the_url = $LOGF" >&2
|
||||
# feedback to scurl_urls.sh
|
||||
NOTLSV3+=( $site )
|
||||
|
||||
elif [ "$retval" = 1 ] ; then
|
||||
# retval=1 CURLE=CURLE_UNSUPPORTED_PROTOCOL - seems to be a transient error
|
||||
WARN "$prog retval=$retval CURLE=${CURLE[$retval]} $the_url = $LOGF" >&2
|
||||
continue
|
||||
|
||||
elif [ "$retval" = 92 ] ; then
|
||||
# curl: (92) HTTP/2 stream 0 was not closed cleanly: INTERNAL_ERROR (err 2)
|
||||
WARN "$prog retval=$retval CURLE=${CURLE[$retval]} $the_url = $LOGF" >&2
|
||||
continue
|
||||
|
||||
elif [ "$retval" -ne 0 ] ; then
|
||||
# curl: (3) URL using bad/illegal format or missing URL - worked
|
||||
WARN "$prog retval=$retval CURLE=${CURLE[$retval]} $the_url = $LOGF" >&2
|
||||
|
||||
elif tail -3 $LOGF | grep -q "HTTP code 504 from proxy after CONNECT" ; then
|
||||
WARN "$prog HTTP code 504 from proxy after CONNECT $the_url = $LOGF" >&2
|
||||
continue
|
||||
|
||||
elif tail -3 $LOGF | grep -q "503 - Forwarding failure" ; then
|
||||
WARN "$prog 503 - Forwarding failure $the_url = $LOGF" >&2
|
||||
continue
|
||||
|
||||
else
|
||||
INFO "$prog $output = $LOGF" >&2
|
||||
# rm -f $LOGF
|
||||
fi
|
||||
break
|
||||
# "$P/$rel_file"
|
||||
# if [ $retval -gt 0 ] ; then
|
||||
# The requested URL returned error: 416
|
||||
# if [ $retval = 22 ] && [ "$code" = 416 ] && [ -f "$P/$rel_file" ] ; then
|
||||
# fi
|
||||
done
|
||||
|
||||
exit $retval
|
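Review bot: `-C/--cacert` is parsed into CA_CERT but CA_CERT is never added to LARGS, so a caller who supplies a CA bundle silently gets curl's default trust store; add `[ -n "$CA_CERT" ] && LARGS+=( --cacert "$CA_CERT" )` after option parsing. The LONG spec lists `cacert` without a trailing colon, so getopt does not consume its argument and the `shift; CA_CERT="$1"` in that arm picks up whatever follows, and `-Y/--ciphers` is handled in the case but absent from SHORT/LONG, so getopt rejects it — and even when reached, the assignments under `[ -n "$SSL_CIPHERS" -a "$SSL_VER" = 2 ]` and `= 3` overwrite the user's list with a hard-coded cipher. In the `-Q` arm `LARGS="$LARGS --silent --show-error"` assigns a string to an array, replacing element 0 (`--remote-time`) with a single multi-word argument that curl will reject as an unknown option; use `LARGS+=( --silent --show-error )`. `if [[ $? -ne 0 ]]` directly after the `usage=` assignment can never fire, and `[ -f $HOME/.local/ ]` tests a directory with -f, so the alt-svc cache is never enabled. `LOGF=/tmp/$prog$$.err` is a predictable name written with `>`; use `mktemp` so a pre-planted symlink cannot redirect the log when scurl runs as root.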
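--- a/overlay/Linux/usr/local/src/sdwdate.bash
+++ b/overlay/Linux/usr/local/src/sdwdate.bash
@@ -0,0 +1,18 @@
+#!/bin/sh
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+PREFIX=/usr/local
+PREFIX=/usr/local
+ROLE=proxy
+
+if [ -x $PREFIX/bin/proxy_ping_test.bash ] ; then
+if virsh|grep Whonix-Gateway ; then
+sh $PREFIX/bin/proxy_ping_test.bash whonix || exit 1
+else
+sh $PREFIX/bin/proxy_ping_test.bash wifi || exit 1
+sh $PREFIX/bin/proxy_ping_test.bash 30 || exit 2
+fi
+fi
+
+export PYTHONPATH=$PREFIX/lib64/python3.7/site-packages
+
+exec python3.sh $PREFIX/bin/sdwdate_.py "$@"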
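Review bot: `virsh|grep Whonix-Gateway` runs virsh with no subcommand, which opens its interactive shell rather than listing domains, so the Whonix branch is selected by whatever virsh prints before it hits EOF on stdin (and it blocks if stdin is a terminal); `virsh list --all | grep -q Whonix-Gateway` is presumably what is intended. The helper is invoked as `sh $PREFIX/bin/proxy_ping_test.bash`, which runs a .bash script under the POSIX shell (dash on Debian-family hosts, which the script's parent role says it targets) and will break on any bashism; call it as `bash ...` or execute it directly via its shebang. PREFIX is assigned twice, and `PYTHONPATH=$PREFIX/lib64/python3.7/site-packages` pins an interpreter version that will silently stop matching after a Python upgrade.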
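--- a/overlay/Linux/usr/local/src/usr_local_proxy.bash
+++ b/overlay/Linux/usr/local/src/usr_local_proxy.bash
@@ -0,0 +1,19 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+[ -z "$prog" ] && prog=`basename $0 .bash`
+[ -z "$USER" ] && USER=$( id -un )
+ROLE=proxy
+[ -f /usr/local/bin/usr_local_tput.bash ] && \
+. /usr/local/bin/usr_local_tput.bash
+. /usr/local/src/usr_local_src.bash
+
+base=usr_local_proxy
+# DBUG 0=$0
+if [ -x /usr/bin/basename ] && [ $( /usr/bin/basename -- $0 ) = $base'.bash' -o $( basename -- $0 ) = $base'.sh' ] ; then
+[ "$#" -eq 0 ] && exit 0
+[ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && \
+echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//'|sort && exit 0
+eval "$@"
+exit $?
+fi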
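Review bot: When the file is executed directly the fall-through `eval "$@"` runs whatever string is on the command line, so any caller that can influence the arguments gets shell execution with the script's privileges; since the help text advertises calling one of the library's functions, dispatch without eval and refuse unknown names, e.g. `declare -F -- "$1" >/dev/null || { echo "unknown function $1" >&2 ; exit 2 ; }` followed by `"$@"`. The basename test mixes the deprecated `-o` with unquoted `$0` substitutions and will misparse a path containing spaces; `[[ ${0##*/} == "$base.bash" || ${0##*/} == "$base.sh" ]]` avoids both and the extra basename forks. The `prog=` line has the same unquoted `$0` inside a backtick expansion.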
@ -19,8 +19,8 @@
|
||||
cd {{ BASE_ROOT_LOG_DIR }} || exit 2
|
||||
retval=0
|
||||
/usr/local/bin/usr_local_base.bash box_gentoo_emerge \
|
||||
{{proxy_pkgs_bootstrap}} \
|
||||
{{proxy_pkgs_inst}} \
|
||||
{{' '.join(proxy_pkgs_bootstrap)}} \
|
||||
{{' '.join(proxy_pkgs_inst)}} \
|
||||
&& exit 0
|
||||
retval=$?
|
||||
echo WARN: $retval
|
||||
@ -35,8 +35,8 @@
|
||||
shell: |
|
||||
cd {{ BASE_ROOT_LOG_DIR }} || exit 2
|
||||
/usr/local/bin/usr_local_base.bash box_gentoo_emerge \
|
||||
{{ proxy_pkgs_bootstrap }} \
|
||||
{{ proxy_pkgs_inst_guest }} \
|
||||
{{ ' '.join(proxy_pkgs_bootstrap) }} \
|
||||
{{ ' '.join(proxy_pkgs_inst_guest) }} \
|
||||
|| exit $?
|
||||
ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
|
||||
when:
|
||||
|
@ -13,4 +13,4 @@
|
||||
|
||||
#- include_tasks: Gentoo/Pentoo/mask.yml
|
||||
|
||||
- include_tasks: Gentoo/Pentoo/accept_keywords.yml
|
||||
#- include_tasks: Gentoo/Pentoo/accept_keywords.yml
|
||||
|
@ -13,6 +13,14 @@
|
||||
block: |
|
||||
net-misc/curl openssl -progress-meter alt-svc adns ftp http2 imap -ipv6 pop3 smtp ssh ssl tftp zstd -samba -sslv3 -threads -winssl -nss # -curl_ssl_gnutls -curl_ssl_mbedtls -curl_ssl_nss curl_ssl_openssl -curl_ssl_rustls
|
||||
|
||||
- name: "/etc/portage/package.use/2023-01-01_world.txt"
|
||||
blockinfile:
|
||||
dest: /etc/portage/package.use/2023-01-01_world.txt
|
||||
create: true
|
||||
marker: "# {mark} Ansible Managed Block proxy curl"
|
||||
block: |
|
||||
net-misc/curl static-libs
|
||||
|
||||
- name: "/etc/portage/package.use/2017-01-01_libguestfs.txt"
|
||||
blockinfile:
|
||||
dest: /etc/portage/package.use/2017-01-01_libguestfs.txt
|
||||
@ -21,22 +29,6 @@
|
||||
block: |
|
||||
app-arch/unzip natspec
|
||||
|
||||
- name: "/etc/portage/package.use/2020-00_ipv6.txt"
|
||||
blockinfile:
|
||||
dest: /etc/portage/package.use/2020-00_ipv6.txt
|
||||
create: true
|
||||
marker: "# {mark} Ansible Managed Block proxy nmap"
|
||||
block: |
|
||||
net-analyzer/nmap -ipv6
|
||||
|
||||
- name: "/etc/portage/package.use/2021-00_verify-sig.txt"
|
||||
blockinfile:
|
||||
dest: /etc/portage/package.use/2021-00_verify-sig.txt
|
||||
create: true
|
||||
marker: "# {mark} Ansible Managed Block proxy nmap"
|
||||
block: |
|
||||
net-analyzer/nmap verify-sig
|
||||
|
||||
- name: "/etc/portage/package.use/2019-02_rkhunter.txt"
|
||||
blockinfile:
|
||||
dest: /etc/portage/package.use/2019-02_rkhunter.txt
|
||||
@ -53,3 +45,51 @@
|
||||
block: |
|
||||
sys-process/lsof -ipv6
|
||||
|
||||
- name: "/etc/portage/package.use/2020-01_sqlite.txt"
|
||||
blockinfile:
|
||||
dest: /etc/portage/package.use/2020-01_sqlite.txt
|
||||
create: true
|
||||
marker: "# {mark} Ansible Managed Block proxy eix"
|
||||
block: |
|
||||
app-portage/eix sqlite
|
||||
|
||||
- name: "/etc/portage/package.use/2020-00_ipv6.txt"
|
||||
blockinfile:
|
||||
dest: /etc/portage/package.use/2020-00_ipv6.txt
|
||||
create: true
|
||||
marker: "# {mark} Ansible Managed Block proxy socat"
|
||||
block: |
|
||||
net-misc/socat -ipv6
|
||||
|
||||
- name: "/etc/portage/package.use/2020-00_ipv6.txt"
|
||||
blockinfile:
|
||||
dest: /etc/portage/package.use/2020-00_ipv6.txt
|
||||
create: true
|
||||
marker: "# {mark} Ansible Managed Block proxy privoxy"
|
||||
block: |
|
||||
net-proxy/privoxy -ipv6
|
||||
|
||||
- name: "/etc/portage/package.use/2021-07_privoxy.txt"
|
||||
blockinfile:
|
||||
dest: /etc/portage/package.use/2021-07_privoxy.txt
|
||||
create: true
|
||||
marker: "# {mark} Ansible Managed Block proxy privoxy"
|
||||
block: |
|
||||
net-proxy/privoxy brotli whitelists -mbedtls openssl zlib external-filters
|
||||
|
||||
- name: "/etc/portage/package.use/2020-00_ipv6.txt"
|
||||
blockinfile:
|
||||
dest: /etc/portage/package.use/2020-00_ipv6.txt
|
||||
create: true
|
||||
marker: "# {mark} Ansible Managed Block proxy nmap"
|
||||
block: |
|
||||
net-analyzer/nmap -ipv6
|
||||
|
||||
- name: "/etc/portage/package.use/2021-00_verify-sig.txt"
|
||||
blockinfile:
|
||||
dest: /etc/portage/package.use/2021-00_verify-sig.txt
|
||||
create: true
|
||||
marker: "# {mark} Ansible Managed Block proxy nmap"
|
||||
block: |
|
||||
net-analyzer/nmap verify-sig
|
||||
|
||||
|
@ -67,11 +67,22 @@
|
||||
nameserver 127.0.0.1
|
||||
when:
|
||||
- PROXY_DNS_PROXY in ['dnscrypt', 'dnsmasq', 'socat']
|
||||
|
||||
- PROXY_MODE in ['tor', 'selektor', 'whonix']
|
||||
# stop dhclient from overwriting resolv.conf
|
||||
# with scripts in /lib/dhcpcd/dhcpcd-hooks/
|
||||
# FixMe: /etc/dhcp/dhcp-client.conf?
|
||||
|
||||
- name: "/etc/resolv.conf"
|
||||
blockinfile:
|
||||
dest: /etc/resolv.conf
|
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy"
|
||||
create: yes
|
||||
block: |
|
||||
nameserver 10.0.2.2
|
||||
when:
|
||||
- PROXY_MODE in ['nat']
|
||||
- "'{{BOX_NBD_OVERLAY_BR}}' == 'virbr1'"
|
||||
|
||||
# dnscrypt is not a system service
|
||||
- name: "service disable not {{PROXY_DNS_PROXY}}"
|
||||
service:
|
||||
|
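Review bot: The condition `- "'{{BOX_NBD_OVERLAY_BR}}' == 'virbr1'"` on the new `/etc/resolv.conf` task embeds Jinja delimiters in a `when`, which Ansible already evaluates as Jinja; `- BOX_NBD_OVERLAY_BR|default('') == 'virbr1'` avoids the templating warning and the hard failure when the variable is undefined. This task hands DNS to `10.0.2.2` (presumably the guest's NAT gateway) in `nat` mode while the neighbouring task pins `127.0.0.1` for the local DNS-proxy modes, so a comment such as `# nat mode: resolve via the NAT gateway; DNS is not tunnelled in this mode` would make the difference explicit to whoever adds the next mode. `create: yes` here and `create: true` in the package.use tasks above are mixed spellings; pick one.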
@ -86,6 +86,8 @@
|
||||
umask 0027
|
||||
echo "INFO: proxy_log_hourly"
|
||||
cd {{USR_LOCAL}}/bin
|
||||
export MODE={{PROXY_MODE}}
|
||||
. proxy_export.bash
|
||||
[ -x proxy_hourly.bash ] || exit 0
|
||||
bash proxy_hourly.bash
|
||||
register: proxy_log_hourly
|
||||
|
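Review bot: `cd {{USR_LOCAL}}/bin` in the new shell block is unchecked, so if that directory is missing the script sources `proxy_export.bash` from the caller's cwd and `[ -x proxy_hourly.bash ] || exit 0` then exits successfully, hiding the misconfiguration; `cd {{USR_LOCAL}}/bin || exit 1` and `. proxy_export.bash || exit 1` would surface it. The `exit 0` on a missing `proxy_hourly.bash` may be deliberate best-effort, but the registered `proxy_log_hourly` then carries no hint that nothing ran; an `echo "WARN: proxy_hourly.bash not found" >&2` before it would help. The enclosing task starts above the hunk.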
@ -113,7 +113,7 @@
|
||||
/usr/local/sbin/base_patch_from_diff.bash *
|
||||
|
||||
when:
|
||||
- true or ansible_distribution == 'Gentoo'
|
||||
- false and ansible_distribution == 'Gentoo'
|
||||
|
||||
- name: install proxy pips 2
|
||||
changed_when: false
|
||||
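Review bot: Whichever side is new, `- true or ansible_distribution == 'Gentoo'` / `- false and ansible_distribution == 'Gentoo'` hard-codes the patch task on or off with a literal while keeping a condition that no longer has any effect, which reads as a leftover debugging toggle. If the intent is to disable the step, a named variable (constructed example: `- PROXY_APPLY_PATCHES|default(false)`) or a comment on why it is forced off would make that explicit. The task itself begins above the hunk.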
@ -168,7 +168,6 @@
|
||||
environment: "{{ shell_proxy_env }}"
|
||||
shell: |
|
||||
umask 0002
|
||||
#? usr_local_python.bash
|
||||
[ ! -f usr_local_proxy.bash ] && exit 1
|
||||
bash usr_local_python.bash \
|
||||
{{ 'check' if ansible_check_mode }}
|
||||
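Review bot: The guard `[ ! -f usr_local_proxy.bash ] && exit 1` tests a different file from the one the next line runs, `bash usr_local_python.bash`, so the task aborts on a missing proxy script but never checks the script it actually executes; if the guard is meant for the executed script it should read `[ -f usr_local_python.bash ] || exit 1`. The hunk removes one line and the rendering does not show whether the `#? usr_local_python.bash` comment or the guard is the survivor, so please confirm which file the check is meant to protect. The task's shell block starts above the hunk.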
@ -248,17 +247,6 @@
|
||||
loop_control:
|
||||
loop_var: LOOP_USER
|
||||
|
||||
- name: "/usr/local/etc/testforge/testforge.ini BOF"
|
||||
lineinfile:
|
||||
dest: "/usr/local/etc/testforge/testforge.ini"
|
||||
insertbefore: BOF
|
||||
mode: 0755
|
||||
owner: "{{BOX_ROOT_USER}}"
|
||||
group: "{{BOX_ROOT_GROUP}}"
|
||||
create: yes
|
||||
regexp: "# -.- mode: sh; tab-width: 0; coding: utf-8-unix -.-"
|
||||
line: "# -*- mode: sh; tab-width: 0; coding: utf-8-unix -*-"
|
||||
|
||||
- name: /usr/local/etc/testforge/testforge.ini proxy
|
||||
blockinfile:
|
||||
dest: /usr/local/etc/testforge/testforge.ini
|
||||
@ -306,6 +294,25 @@
|
||||
- true or CORP_NTLM_PROXY|default('') != ''
|
||||
notify: update facts
|
||||
|
||||
- block:
|
||||
|
||||
- name: external
|
||||
delegate_to: localhost
|
||||
shell: |
|
||||
grep ' external$' /etc/hosts | sed -e 's/ .*//'
|
||||
register: external_out
|
||||
check_mode: false
|
||||
|
||||
- name: BASE_EXTERNAL_IP
|
||||
set_fact:
|
||||
BASE_EXTERNAL_IP: "{{external_out.stdout}}"
|
||||
when: external_out.rc|default(1) == 0
|
||||
check_mode: false
|
||||
|
||||
when:
|
||||
- "ansible_virtualization_role|replace('NA', 'host') == 'guest'"
|
||||
- BOX_OS_FLAVOR|default('') in [ 'WhonixWorkstation', 'WhonixGateway', 'Gentoo']
|
||||
|
||||
- name: "include dns.yml tasks"
|
||||
include_tasks: "dns.yml"
|
||||
when:
|
||||
|
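Review bot: `grep ' external$' /etc/hosts | sed -e 's/ .*//'` reports the exit status of `sed`, not `grep`, so when the controller's `/etc/hosts` has no `external` entry `external_out.rc` is still 0 and `BASE_EXTERNAL_IP` is set to an empty string; guard on the output instead, `when: external_out.stdout|default('') != ''`, or begin the shell block with `set -o pipefail`. The lookup also lacks `changed_when: false`, so a read-only task reports a change on every run. The same block is deleted from the other file in the `@ -28,19 +28,6 @@` hunk below, so this is a move rather than new logic, but the guard was already wrong there; tab-separated `/etc/hosts` lines would additionally defeat the space-based `sed`.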
@ -147,4 +147,4 @@
|
||||
check_mode: false
|
||||
rescue:
|
||||
- debug:
|
||||
msg: "WARN: error including proxy_export.txt"
|
||||
msg: "WARN: RESCUE error including proxy_export.txt"
|
||||
|
@ -40,44 +40,11 @@
|
||||
|
||||
- block:
|
||||
|
||||
# dont change the environment for everyone with env.d/70proxy
|
||||
# manually include tor.sh
|
||||
- name: "/usr/local/share/scripts/box_proxy_tor.bash no_proxy /bin/sh"
|
||||
lineinfile:
|
||||
path: "{{ item.dest|expanduser }}/box_proxy_tor.bash"
|
||||
create: yes
|
||||
owner: "{{ item.owner }}"
|
||||
mode: "{{ item.mode }}"
|
||||
insertafter: BOF
|
||||
line: "#!/bin/sh"
|
||||
regexp: "#./bin/sh"
|
||||
with_items:
|
||||
- dest: "~{{LOOP_USER}}/bin"
|
||||
owner: "{{ LOOP_USER }}"
|
||||
mode: "0755"
|
||||
|
||||
# unused?
|
||||
- name: ~/bin/box_proxy_tor.bash no_proxy
|
||||
blockinfile:
|
||||
dest: "{{ item.dest|expanduser }}/box_proxy_tor.bash"
|
||||
create: yes
|
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy noproxy"
|
||||
insertafter: "#./bin/sh"
|
||||
mode: "{{ item.mode }}"
|
||||
block: |
|
||||
[ -f {{BASE_SCRIPT_DIR}}/box_proxy_tor.bash ] && . {{BASE_SCRIPT_DIR}}/box_proxy_tor.bash
|
||||
[ -n "$no_proxy" ] && export no_proxy=$no_proxy || export no_proxy={{ NO_PROXY }}
|
||||
when:
|
||||
- "LOOP_USER != 'portage'"
|
||||
with_items:
|
||||
- dest: "~{{LOOP_USER}}/bin"
|
||||
owner: "{{ LOOP_USER }}"
|
||||
mode: "0755"
|
||||
|
||||
- name: /etc/dirmngr/dirmngr.conf
|
||||
shell: |
|
||||
[ -e "/etc/dirmngr/dirmngr.conf" ] || exit 0
|
||||
[ -e "{{ item|expanduser }}" ] && exit 0
|
||||
[ -d "`dirname {{ item|expanduser }}`" ] || exit 0
|
||||
ln -s "/etc/dirmngr/dirmngr.conf" "{{ item|expanduser }}"
|
||||
with_items:
|
||||
- "~{{LOOP_USER}}/.gpg/dirmngr.conf"
|
||||
|
@ -28,19 +28,6 @@
|
||||
shell: |
|
||||
[ -e /dev/virtio-ports/org.qemu.guest_agent.0 ]
|
||||
|
||||
- name: external
|
||||
delegate_to: localhost
|
||||
shell: |
|
||||
grep ' external$' /etc/hosts | sed -e 's/ .*//'
|
||||
register: external_out
|
||||
check_mode: false
|
||||
|
||||
- name: BASE_EXTERNAL_IP
|
||||
set_fact:
|
||||
BASE_EXTERNAL_IP: "{{external_out.stdout}}"
|
||||
when: external_out.rc|default(1) == 0
|
||||
check_mode: false
|
||||
|
||||
when:
|
||||
- "ansible_virtualization_role|replace('NA', 'host') == 'guest'"
|
||||
- BOX_OS_FLAVOR|default('') in [ 'WhonixWorkstation', 'WhonixGateway', 'Gentoo']
|
||||
|
@ -233,7 +233,7 @@
|
||||
- name: /usr/local/src/secbrowser.bash
|
||||
shell: |
|
||||
[ -f /usr/local/src/secbrowser.bash ] && exit 0
|
||||
/local/src/secbrowser.bash
|
||||
/usr/local/local/src/secbrowser.bash
|
||||
when:
|
||||
- BOX_OS_FLAVOR|default('') == 'KickSecure'
|
||||
when:
|
||||
|
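Review bot: The guard `[ -f /usr/local/src/secbrowser.bash ] && exit 0` and the command that follows name different paths (`/local/src/…` on one side, `/usr/local/local/src/…` on the other), and `/usr/local/local/src` looks like a prefix applied twice. If the two paths are meant to differ (skip when the installed copy exists, otherwise run an installer from elsewhere) a comment saying so would stop the next reader from "fixing" it; if not, they should agree. Either way the executed path is never checked, so `[ -x /usr/local/local/src/secbrowser.bash ] || exit 1` (with whichever path is correct) would turn a silent shell error into a clear failure. The second `when:` at the end of the hunk belongs to a following task that is cut off.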
4
templates/etc/firewall.sh
Normal file
@ -0,0 +1,4 @@
|
||||
#!/bin/sh
|
||||
|
||||
for file in * ; do mv $file $file.bak ; cp -p /etc/$file . ; done
|
||||
|
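Review bot: `for file in * ; do mv $file $file.bak ; cp -p /etc/$file . ; done` leaves `$file` unquoted, never checks that `/etc/$file` exists, and renames the original before the copy is known to succeed, so a name with a space or a file with no `/etc` counterpart ends the loop with only the `.bak` left; under `/bin/sh` an empty directory also leaves `*` literal and runs `mv '*' '*.bak'`. The script operates on whatever the caller's cwd is, with no comment saying which directory it is meant for, and a second run would rename the `.bak` files again. Rewritten with quoting, a pre-check and a `.bak` skip:
```sh
#!/bin/sh
# Refresh every file in the current directory from its /etc counterpart,
# keeping the previous copy as <file>.bak. Run it from the directory to refresh.
set -u
for file in * ; do
  [ -f "$file" ] || continue            # no match: '*' stays literal under sh
  case "$file" in *.bak) continue ;; esac
  [ -f "/etc/$file" ] || { printf 'skip: /etc/%s missing\n' "$file" >&2 ; continue ; }
  mv -- "$file" "$file.bak" || exit 1
  cp -p -- "/etc/$file" . || exit 1
done
```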
@ -26,6 +26,7 @@ proxy_pkgs_bootstrap:
|
||||
- linux-firmware
|
||||
- net-dns/bind-tools
|
||||
- net-misc/socat
|
||||
- app-portage/gentoolkit
|
||||
|
||||
proxy_pkgs_inst:
|
||||
# move these to testforge - epecially gnupg for static
|
||||
|