emdee/proxy_role
1
0
Fork 0
Code Issues Pull Requests Wiki Activity

second

Browse Source
This commit is contained in:
emdee 2024-01-06 03:08:22 +00:00
parent 19597c9297
commit d29b1e4542
128 changed files with 15399 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
README.md Normal file
View File

@ -0,0 +1,13 @@
This role builds on, and requires, ../base_role and lays down the
basics for cntlm and socks and http and https proxies. It is required
to be run after ../base_role
Look at the variables in defaults/main.yml to customize the role, and
double-check the settings in vars/*.yml.
It is multi-target and should run on Gentoo2, Debian4, Devuan5, Ubuntu18
athough only tested on Gentoo. To bring it up to date, just copy the
existing files in vars and maybe tasks to the new name and edit to suit,
but be advised that it is systemd-challenged, like its author.

2
overlay/Linux/usr/local/bin/proxy_libvirt_ga_test.bash
View File

@ -1,10 +1,8 @@
#!/bin/bash
ROLE=proxy
MODE=host
#[ $# -eq 0 ] && set -- Whonix-Gateway /bin/cat /proc/cmdline
[ $# -eq 0 ] && set -- Whonix-Gateway /bin/netstat -lnp4
[ $# -lt 2 ] && echo USAGE: $0 domain command arguments
HOST=$1

141
overlay/Linux/usr/local/bin/proxy_ping_test.bash
View File

@ -7,6 +7,7 @@ ROLE=proxy
PYVER=3
# DEBUG=1
# TRACE=1
. /usr/local/bin/proxy_ping_lib.bash || \
{ ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 6; }
@ -19,17 +20,17 @@ which nslookup 2>/dev/null >/dev/null && HAVE_NSLOOKUP=1 || HAVE_NSLOOKUP=0
which tor-resolve 2>/dev/null >/dev/null && HAVE_TOR_RESOLVE=1 || HAVE_TOR_RESOLVE=0
[ -z "$prog" ] || prog=proxy_ping_test
proxy_ping_get_socks
proxy_ping_get_socks >/dev/null
[ -z "$SOCKS_HOST" ] && SOCKS_HOST=127.0.0.1
[ -z "$SOCKS_PORT" ] && SOCKS_PORT=9050
[ -z "$SOCKS_DNS" ] && SOCKS_DNS=9053
HTTPS_PORT=9128
HTTPS_HOST=127.0.0.1
proxy_ping_get_https
proxy_ping_get_https >/dev/null
[ -z "$HTTPS_HOST" ] && HTTPS_HOST=127.0.0.1
HTTP_PORT=3128
HTTP_PROXY_HOST=127.0.0.1
proxy_ping_get_http
proxy_ping_get_http >/dev/null
[ -z "$HTTP_HOST" ] && HTTP_HOST=127.0.0.1
[ -f $PREFIX/etc/testforge/testforge.bash ] && \
@ -80,9 +81,15 @@ SCURL="/usr/local/bin/scurl.bash --output /dev/null"
NSL='nslookup -querytype=A -debug'
NETS='netstat -nl4e'
ALL=""
USAGE="$prog without arguments tests the current MODE=$MODE,
or with 0 to list the tests by number,
or one or more of the groups:
"
[ -z "$USER" ] && USER=$(id -un )
[ $USER = root ] && DMESG_LINES=1 || DMESG_LINES=0
[ $USER = root -a -n "$TRACE" -a "$TRACE" != '0' ] && DMESG_LINES=1 || DMESG_LINES=0
[ -n "$PROXY_WLAN" ] || PROXY_WLAN=`proxy_ping_get_wlan`
# fixme - required
PROXY_WLAN=$( echo $PROXY_WLAN | grep ^wlan |sed -e 's/:.*//' )
@ -91,11 +98,6 @@ PROXY_WLAN=$( echo $PROXY_WLAN | grep ^wlan |sed -e 's/:.*//' )
# fixme - required
PROXY_WLAN_GW=$( echo $PROXY_WLAN_GW | grep ^wlan |sed -e 's/:.*//' )
MODE=$( proxy_ping_mode )
USAGE="$prog without arguments tests the current MODE=$MODE,
or 0 to list the tests by number,
or one or more of the groups:
"
DNS_HOST=$SOCKS_HOST
[ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
@ -244,20 +246,21 @@ proxy_run_as_root () { DBUG proxy_run_as_root $* ;
return 1
}
## proxy_test_pretests
proxy_test_pretests () {
if [ "$1" = panic ] ; then
# could pull these out as tests and add them to
## proxy_test_pretest_exit
proxy_test_pretest_exit () {
proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
if [ "$1" = panic -o "$1" = firewall ] ; then
: dont ping on panic
proxy_ping_broken || proxy_do_ping || \
{ WARN ping failed for panic so skipping ; exit 0 ; }
elif [ "$1" = direct -o "$1" = gateway -o "$1" = vda -o "$1" = kick ] ; then
proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
proxy_ping_broken || proxy_do_ping || exit 3$?
proxy_ping_test_resolv $MODE ||\
{ WARN $prog proxy_ping_test_resolv=$? 'echo nameserver 127.0.0.1 > /etc/resolv.conf' ; exit 4 ; }
proxy_ping_firewall_start || { ERROR "proxy_ping_firewall_start ret=$?" ; exit 5 ; }
elif [ "$1" = nat ] ; then
proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
: proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
else
proxy_do_ping || exit 4$?
proxy_ping_test_resolv $MODE || \
@ -270,9 +273,25 @@ proxy_test_pretests () {
## proxy_test_help_args
proxy_test_help_args () {
declare -a elts=()
declare -a ret=()
ret=( $(grep " -.* $1 " /tmp/proxy_ping_test.hlp | \
sed -e 's/.=.*//' -e 's/.*tests.//') )
local elt
if [ "$1" = selektor -o "$1" = whonix -o "$1" = torhost ] ; then
elts=($1 socks http dns https tordns firefail)
elif [ "$1" = torlibvirthost ] ; then
elts=($1 libvirthost socks http https tordns firefail)
elts+=($MODE)
elif [ "$1" = gateway ] ; then
elts=($1 libvirtguest socks dns http https firefail)
else
elts=($1)
fi
for elt in "${elts[@]}" ; do
# DBUG proxy_test_help_args $elt $1 >&2
ret+=( $(grep " -.* $elt " /tmp/proxy_ping_test.hlp | \
sed -e 's/.=.*//' -e 's/.*tests.//') )
done
DBUG proxy_test_help_args "${ret[@]}" >&2
echo "${ret[@]}"
return 0
}
@ -293,9 +312,6 @@ proxy_ping_test_set_args () {
## vda - through the Gateway with the firewall - also polipo,panic - uses env
[ "$1" = vda ] &&
aret=( 35 3 20 ) #
## tor - tor with the firewall to test the host side tor server - call to_tor,dns,ntp in addition
[ "$1" = tor ] &&
aret=( 21 30 20 4 5 36 3 )
## kick - open firewall with tor running - call dns,polipo +tor in addition
[ "$1" = kick -o "$1" = host ] &&
aret=( 24 31 13 16 6 )# 30 24 31 6 13 16
@ -304,15 +320,19 @@ proxy_ping_test_set_args () {
aret=( 23 25 4 5 30 24 17 3 21 ) # 31 6 16
# aliases
# socks defines http as the target of a user using socks
[ "$1" = "$SOCKS_PORT" ] && set -- socks
# http defines http as the target of a user using http
[ "$1" = "$HTTP_PORT" ] && set -- http
# https defines http as the target of a user using https
[ "$1" = "$HTTPS_PORT" ] && set -- https
# dns defines http as the target of a user using dns
[ "$1" = "53" ] && set -- dns
# tordns defines http as the target of a user using tordns
[ "$1" = "9053" ] && set -- tordns
[ "$1" = scan ] && set -- iwlist
[ "$1" = panic ] && set -- firewall
[ "$1" = tor ] && set -- torhost
[ "$1" = to_gateway ] && set -- whonix
[ "$1" = from_tor ] && set -- whonix
[ "$1" = from_gateway ] && set -- gateway
@ -326,11 +346,11 @@ proxy_ping_test_set_args () {
set -- ping dns socks http https tordns firefail libvirtguest
# wifi?
[ "$1" = whonix ] && \
set -- ping tordns dns socks http https torhost tordns firefail gw
[ "$1" = tor ] && \
set -- ping tordns dns trace socks http https torhost tordns firefail nmap gw
[ "$1" = selektor ] && \
set -- ping tordns dns trace socks http https torhost tordns firefail nmap gw
set -- ping tordns dns socks http https torhost tordns firefail gw
[ "$1" = tor -o "$1" = selektor ] && \
set -- ping tordns dns trace torhost nmap gw
## torhost implies -
#? tor with the firewall to test the host side tor server - call to_tor,dns,ntp in addition
[ "$1" = direct -o "$1" = '' ] && \
set -- ping dns trace nmap gw
@ -339,33 +359,34 @@ proxy_ping_test_set_args () {
# aret="${#tests[@]}"
## gw - test if we are connected to the gateway
## torhost - running tor with the firewall
## env - from the cmdline with a properly setup env
## firefail - test the proxy without env vars to expect failure
## torhost - running tor with the firewall
## http - assumes torhost or whonix and env setup
## https - assumes torhost or whonix and env setup
## socks - assumes torhost or whonix and env setup
## tordns - test 9053 for dns using tor-resolve
## dns - dns using tor or the gateway, with the firewall - does not assume env
## ping - connected routed test the ping to DNS hosts
## ntp - ntpdate through the firewall
## nmap - nmap sgid through the firewall - does not assume env
## iwlist - wlan scan
## iwlist - wlan scan of a wifi host
## firewall - test that the firewall blocks
## virbr1 - assumes tor or whonix
## gateway - ssh to the whonix gateway
## virbr1 - looks for virbr1 on a libvirt host torhost or whonix
## gateway - ssh to the whonix gateway from the torhost
## trace - traceroute to DNSHOST - icmp is allowed by the firewall, except on vda
## wifi - test if we are connected - call scan in addition
## libvirthost - hosting a libvirt container
## libvirtguest - in a libvirt container
## tordns - test 9053 for dns using tor-resolve
## dns - dns using tor or the gateway, with the firewall - does not assume env
## whonix - whonix to the Gateway with the firewall - also panic - not assume env
## whonix - whonix gateway host side client setup with the firewall was from_to## direct - assume no firewall and no proxy - but may work depend on env
r
## whonix - whonix torhost with libvirt container running gateway behind firewall - aliases: to_gateway from_tor
## direct - assume no firewall and no proxy - but may work depend on env
for elt in "$@" ; do
if [ "$elt" = gw -o "$elt" = '' -o "$elt" = env -o \
"$elt" = https -o "$elt" = http -o "$elt" = socks -o "$elt" = dns -o \
"$elt" = torhost -o "$elt" = tordns -o "$elt" = whonix -o \
"$elt" = libvirthost -o "$elt" = libvirtguest -o "$elt" = virbr1 -o \
"$elt" = libvirthost -o "$elt" = torlibvirthost -o \
"$elt" = libvirtguest -o "$elt" = virbr1 -o \
"$elt" = ping -o "$elt" = trace -o "$elt" = ntp -o "$elt" = nmap -o \
"$elt" = iwlist -o "$elt" = firefail -o "$elt" = direct -o \
"$elt" = trace -o "$elt" = wifi -o "$elt" = '' -o "$elt" = '' \
@ -405,9 +426,8 @@ if [ $1 = '-h' -o $1 = '--help' ] ; then
set -- `proxy_ping_test_set_args "$@"`
DBUG running tests numbered "$@"
fi
proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
proxy_test_pretests "$1"
proxy_test_pretest_exit "$1"
# https://stackoverflow.com/questions/8290046/icmp-sockets-linux/20105379#20105379
if [ $( id -u ) -eq 0 ] ; then
@ -471,6 +491,7 @@ while [ "$#" -gt 0 ] ; do
[ $DEBIAN -eq 0 ] && continue
[ -z "$socks_proxy" ] && socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
# mode whonix implies torhost
if [ $MODE = whonix ] ; then
ssh -o ForwardX11=no user@10.0.2.15 netstat -nl4e| grep 15:$SOCKS_PORT || {
retval=$?
@ -496,14 +517,16 @@ while [ "$#" -gt 0 ] ; do
GREP="$SOCKS_PORT"
elif [ $ARG -eq 4 ] ; then
tests[4]="dig_socks_through_as_user @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com - tordns "
tests[4]="dig_socks_through_as_user @${SOCKS_HOST} -p $SOCKS_DNS $DNS_TARGET - tordns "
[ $HAVE_DIG = 1 ] || continue
if [ $MODE = whonix ] ; then
# test ssh to the whonix_gateway libvirt container
# and make sure that the socks proxy is runninh
ssh -o ForwardX11=no user@10.0.2.15 netstat -nl4e | grep 15:$SOCKS_DNS
fi
dig @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \
dig @${SOCKS_HOST} -p $SOCKS_DNS $DNS_TARGET +timeout=$TIMEOUT >/dev/null || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig @${SOCKS_HOST} -p $SOCKS_DNS $DNS_TARGET
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
@ -513,7 +536,7 @@ while [ "$#" -gt 0 ] ; do
elif [ $ARG -eq 5 ] ; then
tests[5]="nslookup_socks_as_user - tordns "
[ $HAVE_NSLOOKUP = 1 ] || continue
desc="$NSL -port=$SOCKS_DNS www.whatismypublicip.com ${DNS_HOST}"
desc="$NSL -port=$SOCKS_DNS $DNS_TARGET ${DNS_HOST}"
$desc >/dev/null || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval $desc
@ -697,8 +720,9 @@ while [ "$#" -gt 0 ] ; do
[ $DEBIAN -eq 0 ] && continue
socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
proxy_ping_curl -x $socks_proxy https://$HTTP_TARGET >/dev/null \
|| { retval=$? ; ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $SOCKS_PORT
proxy_ping_curl -x $socks_proxy https://$HTTP_TARGET >/dev/null || {
retval=$? ;
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $SOCKS_PORT
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
@ -742,11 +766,11 @@ while [ "$#" -gt 0 ] ; do
INFO $prog test=$ARG "${tests[$ARG]}"
elif [ $ARG -eq 24 ] ; then
tests[24]="dig_direct_or_dnsmasq dig -b $IP www.whatismypublicip.com - direct "
tests[24]="dig_direct_or_dnsmasq dig -b $IP $DNS_TARGET - direct "
[ $HAVE_DIG = 1 ] || continue
[ -n "$PROXY_WLAN" -a -n "$IP" ] || proxy_ping_get_wlan_gw || continue
[ -n "$IP" ] || continue
dig -b $IP www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \
dig -b $IP $DNS_TARGET +timeout=$TIMEOUT >/dev/null || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP
[ -z "$ALL" ] && exit $ARG$retval || continue
@ -758,9 +782,9 @@ while [ "$#" -gt 0 ] ; do
[ $HAVE_NSLOOKUP = 1 ] || continue
# noenv with or without proxy
# @$DNS_HOST1 should fail for firewall unless dnsmasq is working
$NSL >/dev/null www.whatismypublicip.com || { \
$NSL >/dev/null $DNS_TARGET || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval nslookup www.whatismypublicip.com
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval nslookup $DNS_TARGET
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}" nslookup
@ -768,7 +792,7 @@ while [ "$#" -gt 0 ] ; do
elif [ $ARG -eq 26 ] ; then
tests[26]="route_connected_ping_scan - direct "
[ $HAVE_DIG = 1 ] || continue
#? proxy_test_pretests
#? done already in proxy_test_pretest_exit
proxy_do_ping && \
INFO $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP || \
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP
@ -777,7 +801,7 @@ while [ "$#" -gt 0 ] ; do
tests[27]="dns_as_user dig -b 127.0.0.1 - direct "
[ $HAVE_DIG = 1 ] || continue
[ -n "$PROXY_WLAN" -a -n "$IP" ] || proxy_ping_get_wlan_gw || continue
dig -b 127.0.0.1 www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \
dig -b 127.0.0.1 $DNS_TARGET +timeout=$TIMEOUT >/dev/null || { \
retval=$?
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP
[ -z "$ALL" ] && exit $ARG$retval || continue
@ -808,9 +832,9 @@ while [ "$#" -gt 0 ] ; do
elif [ $ARG -eq 30 ] ; then
tests[30]="tor_bootstrap_check_as_root tor_bootstrap_check.py - torhost "
[ $MODE = tor -o $MODE = selektor ] || {
ERROR $prog MODE != tor test=$ARG
[ -z "$ALL" ] && exit $ARG$retval || continue
[ $MODE = tor -o $MODE = whonix -o $MODE = selektor ] || {
# are there other roles that run tor?
WARN $prog MODE != tor test=$ARG
}
port=$SOCKS_PORT
$NETS | grep -q :$port || {
@ -834,7 +858,7 @@ while [ "$#" -gt 0 ] ; do
tests[31]="curl_noproxy_as_root polipo http pages $HTTP_PORT - direct http "
proxy_ping_curl --noproxy http://${HTTP_HOST}:$HTTP_PORT && { \
retval=$?
ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" retval=$retval polipo http pages $HTTP_PORT
ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" retval=$retval http to $HTTP_PORT
[ -z "$ALL" ] && exit $ARG$retval || continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
@ -923,7 +947,7 @@ while [ "$#" -gt 0 ] ; do
INFO $prog test=$ARG "${tests[$ARG]}"
GREP=""
elif [ $ARG -eq 38 ] ; then
tests[38]="qemu-guest-agent and ports - libvirthost whonix "
tests[38]="qemu-guest-agent and ports - libvirthost "
[ $USER = root ] || continue
$PL proxy_libvirt_list
aret=$?
@ -932,9 +956,10 @@ while [ "$#" -gt 0 ] ; do
elif [ $aret -ne 10 -a $aret -ne 0 ] ; then
DBUG proxy_libvirt_status aret=$aret
else
$PL proxy_libvirt_list | grep -q "$GATEW_DOM" || {
ERROR MODE=$MODE and $GATEW_DOM not running ;
[ -z "$ALL" ] && exit $ARG$retval || continue
# was $GATEW_DOM but now can be gentoo_vm-2 etc
$PL proxy_libvirt_list 2>&1 | grep -q "running" || {
WARN MODE=$MODE and nothing libvirt running ;
continue
}
INFO $prog test=$ARG "${tests[$ARG]}"
fi
@ -959,8 +984,6 @@ exit 0
curl $D -k --proxy
3)
curl $D -k --proxy socks5://${SOCKS_HOST}:$SOCKS_PORT --proxy-insecure
5)
nslookup -port=$SOCKS_DNS www.whatismypublicip.com ${SOCKS_HOST} \
6)
curl -k --proxy $HTTP_PORT
16)

1
overlay/Linux/usr/local/etc/ssl/cacert-testforge.pem Symbolic link
View File

@ -0,0 +1 @@
cacert-curl.se_ca_cacert.pem

285
overlay/Linux/usr/local/etc/systemd/KickSecure.mask Executable file
View File

@ -0,0 +1,285 @@
# accounts-daemon.service
# acpid.path
# acpid.service
# acpid.socket
# acpi-support.service
# alsa-restore.service
# alsa-state.service
# alsa-utils.service
# apparmor.service
# apparmor.service.d
apt-daily.service
apt-daily.timer
apt-daily-upgrade.service
apt-daily-upgrade.timer
# autovt@.service
# basic.target
# blk-availability.service
# blockdev@.target
bluetooth.target
# bootclockrandomization.service
# boot-complete.target
# canary.service
# console-getty.service
# console-setup.service
# console-setup.service.d
# container-getty@.service
# cryptdisks-early.service
# cryptdisks.service
# cryptsetup-pre.target
# cryptsetup.target
# ctrl-alt-del.target
# dbus-org.freedesktop.hostname1.service
# dbus-org.freedesktop.locale1.service
# dbus-org.freedesktop.login1.service
# dbus-org.freedesktop.timedate1.service
# dbus.service
# dbus.socket
# debug-shell.service
# default.target
dev-hugepages.mount
# dev-mqueue.mount
# dist-skel-first-boot.service
# dm-event.service
# dm-event.socket
# e2scrub_all.service
# e2scrub_all.timer
# e2scrub_fail@.service
# e2scrub_reap.service
# e2scrub@.service
# emergency.service
# emergency.target
# exit.target
# final.target
# first-boot-complete.target
# flatpak-system-helper.service
# fstrim.service
# fstrim.timer
# gdm3.service
# gdm.service
# getty-pre.target
# getty@.service
# getty-static.service
# getty.target
# getty.target.wants
# graphical.target
# graphical.target.wants
# halt.target
# haveged.service
# haveged.service.d
# hibernate.target
# hide-hardware-info.service
# hwclock.service
# hybrid-sleep.target
# initrd-cleanup.service
# initrd-fs.target
# initrd-parse-etc.service
# initrd-root-device.target
# initrd-root-device.target.wants
# initrd-root-fs.target
# initrd-switch-root.service
# initrd-switch-root.target
# initrd.target
# initrd-udevadm-cleanup-db.service
# jitterentropy.service
# kexec.target
# keyboard-setup.service
# kmod.service
# kmod-static-nodes.service
# live-mode-apparmor.service
# live-tools.service
# local-fs-pre.target
# local-fs.target
# local-fs.target.wants
# lvm2-lvmpolld.service
# lvm2-lvmpolld.socket
# lvm2-monitor.service
# lvm2-pvscan@.service
# lvm2.service
# machine.slice
# man-db.service
# man-db.timer
# mnt-shared-kvm.service
# mnt-shared-vbox.service
# modprobe@.service
# msgcollector.service
# multi-user.target
# multi-user.target.wants
# NetworkManager-dispatcher.service
# NetworkManager.service
# NetworkManager-wait-online.service
# network-online.target
# network-pre.target
# network.target
# nss-lookup.target
# nss-user-lookup.target
# openvpn-client@.service
# openvpn@openvpn.service.d
# openvpn-server@.service
# openvpn.service
# openvpn@.service
# orca-kill-at-shutdown.service
# paths.target
# permission-hardening.service
# polkit.service
# poweroff.target
# printer.target
# proc-hidepid.service
# procps.service
# proc-sys-fs-binfmt_misc.automount
# proc-sys-fs-binfmt_misc.mount
# pulseaudio-enable-autospawn.service
# qubes-sync-time.service.d
# quotaon.service
# rc-local.service
# rc-local.service.d
# rc.service
# rcS.service
# reboot.target
# remote-cryptsetup.target
# remote-fs-pre.target
# remote-fs.target
# remount-secure.service
# remove-system-map.service
# rescue.service
# rescue.target
# rescue.target.wants
# rpcbind.target
# rsync.service
# runlevel0.target
# runlevel1.target
# runlevel1.target.wants
# runlevel2.target
# runlevel2.target.wants
# runlevel3.target
# runlevel3.target.wants
# runlevel4.target
# runlevel4.target.wants
# runlevel5.target
# runlevel5.target.wants
# runlevel6.target
sdwdate-gui-shutdown-notify.service
sdwdate-pre.service
sdwdate.service
# sdwdate.service.d
sdwdate-start-anondate-set-file-watcher.service
# serial-getty@.service
# shutdown.target
# sigpwr.target
# sleep.target
# slices.target
# smartcard.target
# sockets.target
# sockets.target.wants
# sound.target
# sound.target.wants
# sudo.service
# suspend.target
# suspend-then-hibernate.target
# swap.target
# sys-fs-fuse-connections.mount
# sysinit.target
# sysinit.target.wants
# sys-kernel-config.mount
# sys-kernel-debug.mount
# sys-kernel-tracing.mount
# syslog.socket
# systemd-ask-password-console.path
# systemd-ask-password-console.service
# systemd-ask-password-wall.path
# systemd-ask-password-wall.service
# systemd-backlight@.service
# systemd-binfmt.service
# systemd-bless-boot.service
# systemd-boot-check-no-failures.service
# systemd-boot-system-token.service
# systemd-exit.service
# systemd-fsckd.service
# systemd-fsckd.socket
# systemd-fsck-root.service
# systemd-fsck@.service
# systemd-halt.service
# systemd-hibernate-resume@.service
# systemd-hibernate.service
# systemd-hostnamed.service
# systemd-hwdb-update.service
# systemd-hybrid-sleep.service
# systemd-initctl.service
# systemd-initctl.socket
# systemd-journald-audit.socket
# systemd-journald-dev-log.socket
# systemd-journald.service
# systemd-journald@.service
# systemd-journald.socket
# systemd-journald@.socket
# systemd-journald-varlink@.socket
# systemd-journal-flush.service
# systemd-kexec.service
# systemd-localed.service
# systemd-localed.service.d
# systemd-logind.service
# systemd-machine-id-commit.service
# systemd-modules-load.service
# systemd-networkd.service
# systemd-networkd.socket
# systemd-networkd-wait-online.service
# systemd-network-generator.service
# systemd-poweroff.service
# systemd-pstore.service
# systemd-quotacheck.service
# systemd-random-seed.service
# systemd-reboot.service
# systemd-remount-fs.service
# systemd-resolved.service
# systemd-resolved.service.d
# systemd-rfkill.service
# systemd-rfkill.socket
# systemd-suspend.service
# systemd-suspend-then-hibernate.service
# systemd-sysctl.service
# systemd-sysusers.service
# systemd-timedated.service
# systemd-timesyncd.service.d
# systemd-time-wait-sync.service
# systemd-tmpfiles-clean.service
# systemd-tmpfiles-clean.timer
# systemd-tmpfiles-setup-dev.service
# systemd-tmpfiles-setup.service
# systemd-udevd-control.socket
# systemd-udevd-kernel.socket
# systemd-udevd.service
# systemd-udev-settle.service
# systemd-udev-trigger.service
# systemd-update-utmp-runlevel.service
# systemd-update-utmp.service
# systemd-user-sessions.service
# systemd-volatile-root.service
# system-systemd\x2dcryptsetup.slice
# system-update-cleanup.service
# system-update-pre.target
# system-update.target
# timers.target
# timers.target.wants
# timesanitycheck.service
# time-set.target
# time-sync.target
# tor@default.service
tor.service
tor@.service
# udev.service
# udisks2.service
# umount.target
# upower.service
# usb-gadget.target
# user-runtime-dir@.service
# user@.service
# user@.service.d
# user.slice
# user-.slice.d
# virtualbox-guest-utils.service
# whonix-legacy.service
# wpa_supplicant-nl80211@.service
# wpa_supplicant.service
# wpa_supplicant@.service
# wpa_supplicant-wired@.service
# x11-common.service

7
overlay/Linux/usr/local/etc/systemd/proxy.mask Normal file
View File

@ -0,0 +1,7 @@
multi-user.target.wants/NetworkManager.service
multi-user.target.wants/bootclockrandomization.service
multi-user.target.wants/openvpn.service
multi-user.target.wants/remote-fs.target
multi-user.target.wants/sdwdate.service
privoxy.service
sdwdate.service

33
overlay/Linux/usr/local/lib/whonix-libvirt/host-boot-popup Executable file
View File

@ -0,0 +1,33 @@
#!/bin/bash
## Copyright (C) 2020 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## https://forums.whonix.org/t/whonix-host-operating-system/3931/236
title="WARNING - Whonix-Host DEVELOPERS-ONLY Preview Version"
text="\
<p>
DO NOT USE THIS YET AS A USER!
<br />
Whonix-Host is unreleased. Not even available for testers. This version is a preview for developers only.<br />
<br />
Missing features the the initial release include
<ul>
<li><a href=https://phabricator.whonix.org/T978>Whonix-Host EFI booting support</a></li>
<li><a href=https://phabricator.whonix.org/T942>Whonix Host Firewall for Whonix Host</a></li>
<li><a href=https://phabricator.whonix.org/T981>Whonix-Host Tor configuration and anon-connection-wizard (ACW)</a></p></li>
</ul>
See <a href=https://phabricator.whonix.org/maniphest/query/_Obk7yld9FTN/#R>full task list for first release of Whonix-Host</a>.<br />
<br />
Help welcome!
</p>
"
[ -d ~/.config/whonix/host-boot-popup ] || mkdir -p ~/.config/whonix/host-boot-popup
[ -z "$DISPLAY" ] || \
[ -f /usr/lib/msgcollector/one-time-popup ] || \
/usr/lib/msgcollector/one-time-popup ~/.config/whonix/host-boot-popup/dismissed_version_1 "$title" "$text"

31
overlay/Linux/usr/local/lib/whonix-libvirt/host-boot-popup.dst Executable file
View File

@ -0,0 +1,31 @@
#!/bin/bash
## Copyright (C) 2020 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## https://forums.whonix.org/t/whonix-host-operating-system/3931/236
title="WARNING - Whonix-Host DEVELOPERS-ONLY Preview Version"
text="\
<p>
DO NOT USE THIS YET AS A USER!
<br />
Whonix-Host is unreleased. Not even available for testers. This version is a preview for developers only.<br />
<br />
Missing features the the initial release include
<ul>
<li><a href=https://phabricator.whonix.org/T978>Whonix-Host EFI booting support</a></li>
<li><a href=https://phabricator.whonix.org/T942>Whonix Host Firewall for Whonix Host</a></li>
<li><a href=https://phabricator.whonix.org/T981>Whonix-Host Tor configuration and anon-connection-wizard (ACW)</a></p></li>
</ul>
See <a href=https://phabricator.whonix.org/maniphest/query/_Obk7yld9FTN/#R>full task list for first release of Whonix-Host</a>.<br />
<br />
Help welcome!
</p>
"
mkdir -p ~/.config/whonix/host-boot-popup
/usr/lib/msgcollector/one-time-popup ~/.config/whonix/host-boot-popup/dismissed_version_1 "$title" "$text"

92
overlay/Linux/usr/local/lib/whonix-libvirt/install Executable file
View File

@ -0,0 +1,92 @@
#!/bin/bash
[ -f /var/lib/whonix-libvirt/install.done ] && exit 0
## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
set -x
set -e
## {{ Taken from qemu-system-common.postinst.
# Add the kvm group unless it's already there
if ! getent group kvm >/dev/null; then
addgroup --quiet --system kvm || true
fi
## }} Taken from qemu-system-common.postinst.
## {{ Taken from libvirt-bin.postinst.
if ! getent group libvirt >/dev/null; then
addgroup --system libvirt
fi
## }} Taken from libvirt-bin.postinst.
## Existence of user "user" is not guaranteed at this point.
## XXX: Or is it?
grep -q ^kvm /etc/group || addgroup user kvm
grep -q ^libvirt /etc/group || addgroup user libvirt
## Create shared directory and adjust permissions
[ -d /mnt/gateway-shared ] || mkdir --parents /mnt/gateway-shared
[ -d /mnt/workstation-shared ] || mkdir --parents /mnt/workstation-shared
chmod 1777 /mnt/gateway-shared
chmod 1777 /mnt/workstation-shared
## TODO: proper error handling. '|| true' can probably be removed.
virsh -c qemu:///system net-autostart "default" || true
virsh -c qemu:///system net-start "default" || true
virsh -c qemu:///system net-define "/usr/local/share/whonix-libvirt/xml/Whonix-External.xml" || true
virsh -c qemu:///system net-define "/usr/local/share/whonix-libvirt/xml/Whonix-Internal.xml" || true
virsh -c qemu:///system net-autostart "Whonix-External" || true
virsh -c qemu:///system net-start "Whonix-External" || true
virsh -c qemu:///system net-autostart "Whonix-Internal" || true
virsh -c qemu:///system net-start "Whonix-Internal" || true
## Doing the following in a temporary directory to avoid modified files should
## this be interrupted in the middle.
temp_dir="$(mktemp --directory)"
cp -r /usr/local/share/whonix-libvirt/xml "$temp_dir"
if virsh capabilities | grep "<domain type='kvm'>" ; then
true "OK: found KVM"
else
## replace the 'kvm' domain type with 'qemu'
search="<domain type='kvm'>"
replace="<domain type='qemu'>"
str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml"
str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml"
search="<cpu mode='host-passthrough'/>"
replace=""
str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml"
str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml"
## https://forums.whonix.org/t/whonix-host-operating-system/3931/251
search="<pvspinlock state='on'/>"
replace=""
str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml"
str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml"
## https://forums.whonix.org/t/whonix-host-operating-system/3931/284
search="<vcpu placement='static' cpuset='0'>1</vcpu>"
replace=""
str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml"
## https://forums.whonix.org/t/whonix-host-operating-system/3931/284
search="<vcpu placement='static' cpuset='1'>1</vcpu>"
replace=""
str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml"
fi
test -f "$temp_dir/xml/Whonix-Gateway.xml"
test -f "$temp_dir/xml/Whonix-Workstation.xml"
virsh -c qemu:///system define "$temp_dir/xml/Whonix-Gateway.xml" || true
virsh -c qemu:///system define "$temp_dir/xml/Whonix-Workstation.xml" || true
virt-xml "Whonix-Gateway" --add-device --filesystem source=/mnt/gateway-shared,target=shared,type=mount,accessmode=mapped || true
virt-xml "Whonix-Workstation" --add-device --filesystem source=/mnt/workstation-shared,target=shared,type=mount,accessmode=mapped || true
mkdir --parents /var/lib/whonix-libvirt
touch /var/lib/whonix-libvirt/install.done

90
overlay/Linux/usr/local/lib/whonix-libvirt/install.dst Executable file
View File

@ -0,0 +1,90 @@
#!/bin/bash
## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
set -x
set -e
## {{ Taken from qemu-system-common.postinst.
# Add the kvm group unless it's already there
if ! getent group kvm >/dev/null; then
addgroup --quiet --system kvm || true
fi
## }} Taken from qemu-system-common.postinst.
## {{ Taken from libvirt-bin.postinst.
if ! getent group libvirt >/dev/null; then
addgroup --system libvirt
fi
## }} Taken from libvirt-bin.postinst.
## Existence of user "user" is not guaranteed at this point.
## XXX: Or is it?
addgroup user kvm >/dev/null || true
addgroup user libvirt >/dev/null || true
## Create shared directory and adjust permissions
mkdir --parents /mnt/gateway-shared
mkdir --parents /mnt/workstation-shared
chmod 777 /mnt/gateway-shared
chmod 777 /mnt/workstation-shared
## TODO: proper error handling. '|| true' can probably be removed.
virsh -c qemu:///system net-autostart "default" || true
virsh -c qemu:///system net-start "default" || true
virsh -c qemu:///system net-define "/usr/share/whonix-libvirt/xml/Whonix-External.xml" || true
virsh -c qemu:///system net-define "/usr/share/whonix-libvirt/xml/Whonix-Internal.xml" || true
virsh -c qemu:///system net-autostart "Whonix-External" || true
virsh -c qemu:///system net-start "Whonix-External" || true
virsh -c qemu:///system net-autostart "Whonix-Internal" || true
virsh -c qemu:///system net-start "Whonix-Internal" || true
## Doing the following in a temporary directory to avoid modified files should
## this be interrupted in the middle.
temp_dir="$(mktemp --directory)"
cp -r /usr/share/whonix-libvirt/xml "$temp_dir"
if virsh capabilities | grep "<domain type='kvm'>" ; then
true "OK: found KVM"
else
## replace the 'kvm' domain type with 'qemu'
search="<domain type='kvm'>"
replace="<domain type='qemu'>"
str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml"
str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml"
search="<cpu mode='host-passthrough'/>"
replace=""
str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml"
str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml"
## https://forums.whonix.org/t/whonix-host-operating-system/3931/251
search="<pvspinlock state='on'/>"
replace=""
str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml"
str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml"
## https://forums.whonix.org/t/whonix-host-operating-system/3931/284
search="<vcpu placement='static' cpuset='0'>1</vcpu>"
replace=""
str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml"
## https://forums.whonix.org/t/whonix-host-operating-system/3931/284
search="<vcpu placement='static' cpuset='1'>1</vcpu>"
replace=""
str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml"
fi
test -f "$temp_dir/xml/Whonix-Gateway.xml"
test -f "$temp_dir/xml/Whonix-Workstation.xml"
virsh -c qemu:///system define "$temp_dir/xml/Whonix-Gateway.xml" || true
virsh -c qemu:///system define "$temp_dir/xml/Whonix-Workstation.xml" || true
virt-xml "Whonix-Gateway" --add-device --filesystem source=/mnt/gateway-shared,target=shared,type=mount,accessmode=mapped || true
virt-xml "Whonix-Workstation" --add-device --filesystem source=/mnt/workstation-shared,target=shared,type=mount,accessmode=mapped || true
mkdir --parents /var/lib/whonix-libvirt
touch /var/lib/whonix-libvirt/install.done

35
overlay/Linux/usr/local/lib/whonix-libvirt/live-mode-to-read-only Executable file
View File

@ -0,0 +1,35 @@
#!/bin/bash
## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## Similar to persistent-mode-to-read-write.
set -x
error_handler() {
exit_code="1"
}
trap error_handler ERR
exit_code="0"
vm_names_list="$(virsh list --all | awk '{print $2}'| grep -v Name)"
for vm_name_item in $vm_names_list ; do
virt-xml "$vm_name_item" --edit --disk readonly=on
done
## https://phabricator.whonix.org/T914
if test -f "/var/lib/libvirt/images/Whonix-Gateway.qcow2" ; then
chmod --verbose --recursive ugo-w "/var/lib/libvirt/images/Whonix-Gateway.qcow2"
fi
if test -f "/var/lib/libvirt/images/Whonix-Workstation.qcow2" ; then
chmod --verbose --recursive ugo-w "/var/lib/libvirt/images/Whonix-Workstation.qcow2"
fi
## "chmod ugo-r" is set during build in chroot:
## https://github.com/Whonix/Whonix/blob/master/build-steps.d/1800_copy_vms_into_raw
exit "$exit_code"

27
overlay/Linux/usr/local/lib/whonix-libvirt/persistent-mode-to-read-write Executable file
View File

@ -0,0 +1,27 @@
#!/bin/bash
## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## Similar to live-mode-to-read-only.
set -x
error_handler() {
exit_code="1"
}
trap error_handler ERR
exit_code="0"
vm_names_list="$(virsh list --all | awk '{print $2}'| grep -v Name)"
for vm_name_item in $vm_names_list ; do
virt-xml "$vm_name_item" --edit --disk readonly=off
done
chmod --verbose --recursive ug+w "/var/lib/libvirt/images/Whonix-Gateway.qcow2"
chmod --verbose --recursive ug+w "/var/lib/libvirt/images/Whonix-Workstation.qcow2"
exit "$exit_code"

677
overlay/Linux/usr/local/proxy_whonix_lib.bash Executable file
View File

@ -0,0 +1,677 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
ROLE=proxy
export PATH=$PATH:/usr/local/sbin:/usr/local/bin
# . /usr/local/sbin/proxy_whonix_lib.bash || { echo ERROR: loading /usr/local/sbin/proxy_whonix_lib.bash ; exit 2; }
. /usr/local/bin/proxy_ping_lib.bash || \
{ echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; }
## proxy_guest_firewall_config -- /etc/firewall.conf.ws.new
proxy_guest_firewall_config () {
. /usr/local/sbin/proxy_whonix_guest_workstation-firewall.bash || return 2$?
source_config_folder
iptables_cmd="echo iptables"
ip6tables_cmd="echo # ip6tables"
main > /etc/firewall.conf.ws.new
return $?
}
## proxy_whonix_guest_config
proxy_whonix_guest_config () {
return 0
}
## proxy_whonix_guest_start
proxy_whonix_guest_start () {
local dire=$1
[ ! -f /etc/init.d/qemu-guest-agent ] || \
proxy_rc_service qemu-guest-agent status >/dev/null \
|| proxy_rc_service qemu-guest-agent start || return 2$?
return 0
}
## proxy_whonix_guest_test
proxy_whonix_guest_test () {
[ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] || \
echo WARN: /dev/virtio-ports/org.qemu.guest_agent.0 not created
proxy_rc_service qemu-guest-agent status
return 0
}
## proxy_whonix_gateway_config
proxy_whonix_gateway_config () {
proxy_whonix_dnsmasq_config gateway 10.0.2.15
return 0
}
## proxy_whonix_dnsmasq_config
proxy_whonix_dnsmasq_config () {
local dire
[ "$#" -eq 0 ] || dire=$1
[ -z "$dire" ] && MODE="$( proxy_whonix_mode )" && dire=$MODE
[ -n "$MODE" ] || MODE=host
proxy_dest_port_wlan_config
[ -z "$PORT" -o -z "$DEST" ] && return 1
# 9040 - no wgetrc polipo
# need dnsmasq to 127
file=/etc/dnsmasq.conf
if [ ! -f $file.$dire ] ; then
cp -p $file $file.$dire
cat >> $file.conf <<EOF
log-facility=/var/log/dnsmasq.log
no-resolv
listen-address=127.0.0.1
server=${DEST}#$PORT
port=53
# wlan4
interface=$PROXY_WLAN
bind-interfaces
no-dhcp-interface=$PROXY_WLAN
EOF
fi
return 0
}
## proxy_whonix_polipo_config
proxy_whonix_polipo_config () {
local dire
local file
[ "$#" -eq 0 ] && { echo ERROR: proxy_whonix_polipo_config no dire ; return 1; }
dire=$1
file=/etc/polipo/config
if [ $dire = whonix ]; then
if [ ! -f $file.$dire ] ; then
cp -p $file $file.$dire
cat >> $file.conf <<EOF
proxyAddress=127.0.0.1
proxyPort=3128
proxyName=127.0.0.1
socksParentProxy=10.0.2.15:9050
socksProxyType=socks5
#?ssocksUserName=foo
EOF
fi
else
if [ ! -f $file.$dire ] ; then
cp -p $file $file.$dire
cat >> $file.conf <<EOF
proxyAddress=127.0.0.1
proxyPort=3128
proxyName=127.0.0.1
socksParentProxy=${DEST}:$PORT
socksProxyType=socks5
EOF
fi
fi
return 0
}
## proxy_whonix_polipo_config
proxy_whonix_polipo_config () {
local dire
local file
dire=$1 ; shift
file=/etc/polipo/config
if [ $dire = whonix ]; then
if [ ! -f $file.$dire ] ; then
cp -p $file $file.$dire
cat >> $file.conf <<EOF
proxyAddress=127.0.0.1
proxyPort=3128
proxyName=127.0.0.1
socksParentProxy=10.0.2.15:9050
socksProxyType=socks5
#?ssocksUserName=foo
EOF
fi
else
if [ ! -f $file.$dire ] ; then
cp -p $file $file.$dire
cat >> $file.conf <<EOF
proxyAddress=127.0.0.1
proxyPort=3128
proxyName=127.0.0.1
socksParentProxy=${DEST}:$PORT
socksProxyType=socks5
EOF
fi
fi
return 0
}
## proxy_whonix_privoxy_config
proxy_whonix_privoxy_config () {
local dire
local file
dire=$1 ; shift
file=/etc/privoxy/config
if [ $dire = whonix ]; then
if [ ! -f $file.$dire ] ; then
cp -p $file $file.$dire
cat >> $file.conf <<EOF
listen-address 127.0.0.1:3128
forward-socks5t / 10.0.2.15:9050 .
EOF
fi
else
if [ ! -f $file.$dire ] ; then
cp -p $file $file.$dire
cat >> $file.conf <<EOF
listen-address 127.0.0.1:3128
forward-socks5t / 127.0.0.1:9050 .
EOF
fi
fi
return 0
}
## proxy_whonix_dnsmasq_config
proxy_whonix_dnsmasq_config () {
local dire
[ "$#" -eq 0 ] && set - tor
dire=$1 ; shift
proxy_dest_port_wlan_config $*
[ -z "$PORT" -o -z "$DEST" ] && return 1
# 9040 - no wgetrc
# need dnsmasq to 127
file=/etc/dnsmasq.conf
if [ ! -f $file.$dire ] ; then
cp -p $file $file.$dire
cat >> $file.$dire <<EOF
log-facility=/var/log/dnsmasq.log
no-resolv
listen-address=127.0.0.1
server=${DEST}#$PORT
port=53
# wlan4
interface=$PROXY_WLAN
bind-interfaces
no-dhcp-interface=$PROXY_WLAN
EOF
fi
return 0
}
## proxy_whonix_tor_config
proxy_whonix_tor_config () {
proxy_host_tor_config tor 127.0.0.1
return $?
}
## proxy_host_tor_config
proxy_host_tor_config () {
local dir
local file
dire=tor
DEST=127.0.0.1
PORT=9050
#? [ -z "$DEST" ] && proxy_dest_port_wlan_config || return 1$?
[ -z "$PORT" -o -z "$DEST" ] && return 2
proxy_whonix_polipo_config $dire || return 3$?
proxy_whonix_dnsmasq_config $dire || return 4$?
if proxy_ping_online ; then
proxy_ping_test_resolv $dire || { echo ERROR: proxy_host_tor_config 5$?; return 5 ; }
fi
return 0
}
## proxy_host_from_config
proxy_host_whonix_config () {
local dire=whonix
local file
proxy_dest_port_wlan_config || return 1$?
DEST=10.0.2.15
PORT=9053
[ -z "$PORT" -o -z "$DEST" ] && return 2
proxy_whonix_polipo_config $dire
proxy_ping_test_resolv $dire || return 4$?
proxy_whonix_dnsmasq_config $dire || return 5$?
return 0
}
## proxy_host_gateway
proxy_whonix_gateway () {
local dire=gateway
debug proxy_whonix_gateway $dire
PROXY_WLAN=$( proxy_get_if ) || return 1$?
proxy_whonix_config $dire || return 2$?
# works?
proxy_ping_set_resolv gateway
return 0
}
## proxy_whonix_from_config
proxy_whonix_config () {
local dire=$1
[ -z "$DEST" ] && proxy_dest_port_wlan_config
if [ ! -f /etc/tor/torsocks.conf.$dire ] ; then
cp -p /etc/tor/torsocks.conf /etc/tor/torsocks.conf.$dire
# TorAddress 127.0.0.1
# TorPort 9050
fi
sed -e "s@^#* *TorAddress.*@TorAddress $DEST@" -i /etc/tor/torsocks.conf
sed -e "s@^#* *TorPort.*@TorPort 9050@" -i /etc/tor/torsocks.conf
# proxy_whonix_start_wget
proxy_host_${dire}_config
return $?
}
## proxy_ws_whonix_config
proxy_ws_whonix_config () {
local dir=ws
DEST=10.152.152.10
PROXY_WLAN=eth0
proxy_host_whonix_config $dire $DEST 9053 $PROXY_WLAN
return $?
}
## proxy_whonix_libvirt_status
proxy_whonix_libvirt_status () {
proxy_rc_service libvirtd status >/dev/null || \
proxy_rc_service libvirtd start || \
echo WARN: libvirtd crashed - see /var/log/libvirt/libvirtd.log # 2>&1|tee $WLOG
proxy_libvirt_status
return 0
}
## proxy_whonix_libvirt_start
proxy_whonix_libvirt_start () {
return 0
}
## proxy_whonix_libvirt_start
proxy_whonix_libvirt_start () {
local domain
[ "$#" -ge 1 ] && domain=$1
if [ ! -e /run/libvirt/libvirt-sock ] || ! proxy_rc_service libvirtd status >/dev/null ; then
cp /dev/null /var/log/libvirt/libvirtd.log
/etc/init.d/libvirtd status
retval=$?
[ $retval -eq 32 ] && WARN libvirtd crashed - zapping && /etc/init.d/libvirtd zap
[ $retval -eq 0 ] || /etc/init.d/libvirtd start || return 5$? # error: Failed to start livirtd
proxy_rc_service libvirtd start || return 3
sleep $DELAY
fi
proxy_libvirt_no_autostart
proxy_libvirt_start
proxy_libvirt_status
proxy_virsh net-list | grep -q Whonix-Internal || virsh net-start Whonix-Internal || return 3
proxy_virsh net-list | grep -q Whonix-External || virsh net-start Whonix-External || return 4
[ -z "$domain" ] && domain="$( proxy_testforge_get_gateway_dom )"
[ -z "$domain" ] && echo WARN: null proxy_testforge_get_gateway_dom && \
domain=Whonix-Gateway && \
echo INFO: set proxy_testforge_get_gateway_dom $domain
proxy_libvirt_list | grep -v grep | grep "$domain" || \
virsh start $domain || {
ret=$?
echo ERROR: proxy_whonix_libvirt_start failed virsh start $domain ret=$ret
return 5$ret
}
return 0
}
## proxy_whonix_test
proxy_whonix_test () {
local dire
DEBUG proxy_whonix_test $dire
[ "$#" -eq 0 ] && dire=$MODE || dire=$1
[ $dire = ws -o $dire = workstation ] && dire=vda
if [ $dire = client ] ; then
:
# dunno - look at netstat? -nle4
elif [ $dire = vda -o $dire = gateway ] ; then
proxy_whonix_guest_test
elif [ $dire = tor ] ; then
proxy_rc_service tor status >/dev/null || \
{ echo ERROR: $prog tor is not running ; return 2 ; }
/usr/local/bin/proxy_ping_test.bash to_tor || return 6$?
elif [ $dire = whonix ] ; then
proxy_libvirt_no_autostart
proxy_libvirt_clean_virbr1_rules
proxy_whonix_get_gateway_dom
[ -z "$GATEW_DOM" ] && echo WARN: $prog DOM proxy_whonix_get_gateway_dom assuming Whonix-Gateway && DOM=Whonix-Gateway || DOM=$GATEW_DOM
proxy_virsh list | grep -q $DOM || { echo ERROR: $prog $DOM not running ; return 2 ; }
/usr/local/bin/proxy_ping_test.bash from_tor || return 6$?
fi
#? gateway
if [ $dire = whonix -o $dire = vda -o $dire = tor ] ; then
proxy_rc_service polipo status >/dev/null >/dev/null || \
{ echo ERROR: $prog polipo not running ; return 4 ; }
/usr/local/bin/proxy_ping_test.bash polipo || return 9$?
elif [ $dire = host -o $dire = tor ] ; then
proxy_rc_service privoxy status >/dev/null >/dev/null || \
{ echo ERROR: $prog privoxy not running ; return 4 ; }
/usr/local/bin/proxy_ping_test.bash privoxy || return 9$?
fi
if [ $dire = vda -o $dire = ws -o $dire = workstation ] ; then
proxy_clobber_resolv_local 10.152.152.10
elif [ $dire = gateway -o $dire = whonix -o $dire = tor ] ; then
proxy_rc_service dnsmasq status 2>/dev/null >/dev/null || \
{ echo ERROR: $prog dnsmasq not running ; return 5 ; }
proxy_clobber_resolv_local 127.0.0.1
fi
/usr/local/bin/proxy_ping_test.bash dns # || return 9$?
/usr/local/bin/proxy_ping_test.bash $dire || return 6$?
return 0
}
# Weher was this
## rc_host_symlink_etc_fstab
rc_host_symlink_etc_fstab () {
grep -q root=/dev/vda /proc/cmdline
PROXY_IS_VDA=$?
if [ $PROXY_IS_VDA -eq 0 ] ; then
[ -h /etc/fstab ] && [ -f /etc/fstab.vda ] && \
rm -f /etc/fstab && ln -s /etc/fstab.vda /etc/fstab
return 1
# else
# [ -h /etc/fstab ] && [ -f /etc/fstab.4TA ] && \
# rm -f /etc/fstab && ln -s /etc/fstab.4TA /etc/fstab
fi
return 0
}
## proxy_vda_config
proxy_vda_config () {
rc_host_symlink_etc_fstab
sed -e 's/^#x1/x1/' -i /etc/inittab #
if false ; then
sed -e 's/^#//' -i $PREFIX/etc/modules_load.d/vda*conf
if [ ! -h /etc/modules_load.d/vda_mods.conf ] ; then
ln -s $PREFIX/etc/modules_load.d/vda*conf /etc/modules_load.d/
fi
fi
if false ; then
[ -f /etc/firewall.conf.vda ] && \
cp -p /etc/firewall.conf.vda /etc/firewall.conf
fi
return 0
}
##
old_proxy_vda_config () {
[ -f /etc/inittab ] && sed -e 's/^#x1/x1/' -i /etc/inittab
return 0
}
## proxy_vda_whonix_config
proxy_vda_whonix_config () {
local dir=vda
DEST=10.152.152.10
PROXY_WLAN=eth0
proxy_host_whonix_config $dire $DEST 9053 $PROXY_WLAN
return $?
}
## proxy_quest_config
proxy_quest_config () {
proxy_vda_config
sed -e 's/^#//' -i $PREFIX/etc/modules_load.d/vda*conf
if [ ! -h /etc/modules_load.d/vda_mods.conf ] ; then
cp -np $PREFIX/etc/modules_load.d/vda*conf /etc/modules-load.d/
fi
return 0
}
## proxy_whonix_dnsmasq_start
proxy_whonix_dnsmasq_start () {
local dire
local service=dnsmasq
[ "$#" -eq 0 ] || dire=$1
[ -z "$dire" ] && MODE="$( proxy_whonix_mode )" && dire=$MODE
[ -n "$MODE" ] || MODE=host
DEBUG proxy_whonix_dnsmasq_start $dire $PROXY_WLAN
proxy_whonix_config $dire || return 1$?
PROXY_WLAN=$( proxy_get_if )
[ -z "$PROXY_WLAN" ] && echo ERROR: $prog empty PROXY_WLAN && return 4
sed -e "s/wlan[0-9]/$PROXY_WLAN/" -i /etc/dnsmasq.conf.$dire
if diff /etc/dnsmasq.conf.$dire /etc/dnsmasq.conf >/dev/null ; then
proxy_rc_service dnsmasq status >/dev/null || \
proxy_ping_dnsmasq_start || return 8$?
else
proxy_rc_service dnsmasq status >/dev/null && \
proxy_ping_dnsmasq_stop
cp -p /etc/dnsmasq.conf.$dire /etc/dnsmasq.conf
proxy_ping_dnsmasq_start || return 8$?
fi
return 0
}
## proxy_whonix_privoxy_start
proxy_whonix_polipo_start () {
local dire
local service=polipo
[ $# -eq 1 ] && dire=$1
[ -z "$dire" ] && dire="$( proxy_whonix_mode )"
DEBUG proxy_whonix_start_$service $dire
proxy_whonix_config $dire || \
echo WARN: proxy_whonix_polipo_start proxy_whonix_config $dire $? # return 1$?
sed -e "s/wlan[0-9]/$PROXY_WLAN/" -e "s/eth[0-9]/$PROXY_WLAN/" -i /etc/polipo/config.$dire
if ! diff /etc/polipo/config.$dire /etc/polipo/config ; then
cp -p /etc/polipo/config.$dire /etc/polipo/config
proxy_rc_service $service restart || return 2$?
else
proxy_rc_service $service status >/dev/null || \
proxy_rc_service $service start||return 3$
fi
return 0
}
## proxy_whonix_host_prepare_blocks
proxy_whonix_host_prepare_blocks () {
if [ ! -s /etc/firewall.conf.block ] ; then
if [ -f /usr/local/etc/firewall.conf.block ] ; then
echo "WARN: $prog copying /usr/local/etc/firewall.conf.block"
cp -p /usr/local/etc/firewall.conf.block /etc/firewall.conf.block
else
echo "ERROR: $prog missing /usr/local/etc/firewall.conf.block"
return 1
fi
fi
return 0
}
## proxy_whonix_host_add_block
proxy_whonix_host_add_block () {
local elt tab ip
# PROXY_WLAN=$( proxy_get_if )
# [ $? -ne 0 -o -z "$PROXY_WLAN" ] && echo ERROR: $prog null interface && return 1
if [ "$#" -eq 0 ] ; then
proxy_whonix_host_prepare_blocks \| return 1$?
set - $( cat /etc/firewall.conf.block )
fi
# DEBUG "$prog adding $*"
[ -f /etc/firewall.conf.newer ] || \
cp -p /etc/firewall.conf /etc/firewall.conf.newer
for elt in wlan virbr1 ; do
[ $elt = wlan ] && tab=INPUT || tab=LIBVIRT_FWI
grep -q "^# blocks $elt" /etc/firewall.conf.newer || {
echo ERROR: maker not found "^# blocks $elt" in /etc/firewall.conf.newer
return 2
}
sed -e "/^# blocks $elt/,\$d" /etc/firewall.conf.newer > /etc/firewall.conf.$$
echo "# blocks $elt" >> /etc/firewall.conf.$$
for ip in $* ; do
grep -q $ip /etc/firewall.conf.block || \
grep -q $ip /etc/firewall.conf.block.newer || \
echo $ip >> /etc/firewall.conf.block.newer
grep -q -e "A $tab -s $ip" /etc/firewall.conf.newer && continue
echo "-A $tab -s $ip -p tcp -j DROP" >> /etc/firewall.conf.$$
DEBUG "$prog -A $tab -s $ip -m tcp -p tcp -j DROP"
done
sed -e "1,/^# blocks $elt/d" /etc/firewall.conf.newer >> /etc/firewall.conf.$$
mv /etc/firewall.conf.$$ /etc/firewall.conf.newer
done
return 0
}
## proxy_whonix_host_online
proxy_whonix_host_online () {
[ -n "$PROXY_WLAN" ] || PROXY_WLAN=$( proxy_get_if ) || return 1$?
[ -z "$PROXY_WLAN" ] && echo ERROR: empty PROXY_WLAN && return 2
if [ -x /etc/init.d/NetworkManager ] ; then
/etc/init.d/NetworkManager status || /etc/init.d/NetworkManager start || return 3
else
proxy_rc_service NetworkManager status >/dev/null \
|| proxy_rc_service NetworkManager start || return 3$?
fi
nm-online -t 0 -x || return 4$?
return 0
}
## proxy_whonix_down - call when the network goes down
proxy_whonix_down () {
# $PREFIX/bin/proxy_ping_test.bash "$MODE" || return 1$?
proxy_ping_online && return 0 # dont do anything
# nothing to do?
return 0
}
## proxy_whonix_up - call when the network comes up
proxy_whonix_up () {
# $PREFIX/bin/proxy_ping_test.bash "$MODE" || return 1$?
proxy_ping_online || return 0 # dont do anything
return 0
}
## proxy_whonix_start_wget
proxy_whonix_start_wget () {
return 0
if [ -f /etc/wgetrc ] ; then
sp=https://127.0.0.1:3128
grep -q ^https_proxy /etc/wgetrc && \
sed -e "s@https_proxy.*@https_proxy = $sp@" -i /etc/wgetrc
grep -q ^https_proxy /etc/wgetrc && \
echo "https_proxy = $sp" >> /etc/wgetrc
grep -q ^http_proxy /etc/wgetrc && \
sed -e "s@http_proxy.*@http_proxy = $sp@" -i /etc/wgetrc
grep -q ^http_proxy /etc/wgetrc || \
echo "http_proxy = $sp" >> /etc/wgetrc
fi
sp=http://127.0.0.1:3128
for elt in http https ; do
grep -q ^$elt_proxy /etc/wgetrc && \
sed -e "s@$elt_proxy.*@$elt_proxy = $sp@" -i /etc/wgetrc || \
echo "$elt_proxy = $sp" >> /etc/wgetrc
done
return 0
}
proxy_libvirt_clean_iptables () {
local i int dir dcp prot port
for dir in i ; do
for int in virbr2 virbr1; do
dcp=67
[ $dir = i ] || dcp=68
for port in 53 $dcp ; do
[ $dir = i ] && table=INP || table=OUT
for prot in udp tcp; do
proxy_iptables_save | grep -q -e "-A LIBVIRT_$table -i $int -p $prot -m $prot --dport $port -j ACCEPT" || continue
iptables -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT || \
echo WARN: $? -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT
done
done
done
done
for dir in o ; do
for int in virbr2 virbr1; do
dcp=68
[ $dir = o ] || dcp=67
for port in 53 68 ; do
table=OUT
[ $dir = i ] && table=INP
for prot in udp tcp; do
proxy_iptables_save | grep -q -e "-A LIBVIRT_$table -i $int -p $prot -m $prot --dport $port -j ACCEPT" || continue
iptables -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT || \
echo WARN: $? -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT
done
done
done
done
return 0
}
base=proxy_whonix_lib
if [ -x /usr/bin/basename ] && [ $( /usr/bin/basename -- $0 .bash ) = $base ] ; then
[ "$#" -eq 0 ] && exit 0
[ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && \
echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//'|sort && \
exit 0
DEBUG $base "$@"
eval "$@"
exit $?
fi

34
overlay/Linux/usr/local/sbin/debian_whonix_tor.bash Executable file
View File

@ -0,0 +1,34 @@
#!/bin/sh
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
ROLE=privacy
[ -z "$PRIV_TOR_OWNER" ] && grep -q ^debian-tor /etc/passwd && PRIV_TOR_OWNER=debian-tor
# Nov 09 21:00:27 host vanguards[715]: WARNING[Mon Nov 09 21:00:27 2020]: Tor daemon connection failed: [Errno 24] Too many open files. Trying again...
systemctl stop vanguards
systemctl stop onion-grater
sh /etc/rc.local
#su -c 'tor --verify-config' -s /bin/sh $PRIV_TOR_OWNER || exit 1
tor --verify-config | grep -v 'notice\|DisableNetwork'
rm -f /etc/torrc.d/*~
netstat -nlp -t inet|grep 15:90 || { echo ERROR: alrady running ; exit 2 ; }
cp /dev/null /run/tor/log.err
cp /dev/null /run/tor/log.log
rm -f /usr/local/etc/torrc.d/*~ /etc/torrc.d/*~
#su -c '/etc/init.d/tor stop' -s /bin/sh $PRIV_TOR_OWNER
#sleep 5
# su -c '/etc/init.d/tor start' -s /bin/sh $PRIV_TOR_OWNER
systemctl start tor || exit 4$?
sleep 10
sed -e '/configured a non-loopback address/d' /run/tor/log.*
[ -f /run/tor/log.err ] && cat /run/tor/log.err && exit 5
grep % /run/tor/log.*

827
overlay/Linux/usr/local/sbin/privacy_whonix-gateway-firewall.bash Executable file
View File

@ -0,0 +1,827 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=privacy
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash \
|| { echo >&2 ERROR: $prog "/usr/local/etc/testforge/testforge.bash" ; exit 1 ; }
[ -z "$PRIV_TOR_OWNER" ] && grep -q ^debian-tor /etc/passwd && PRIV_TOR_OWNER=debian-tor
[ -z "$PRIV_TOR_OWNER" ] && grep -q ^tor /etc/passwd && PRIV_TOR_OWNER=tor
#set -- -x
DEBUG=
WHONIX_HOST=0
WHONIX_GATE=1
SSH_SERVICE=22
BOOTPC_SERVICE=68
BOOTPS_SERVICE=67
NETBIOSNS_SERVICE=137
NETBIOSDG_SERVICE=138
PRIV_WHONIX_EXTERNAL_NET=10.0.2.0/24
# 10.152.152.10 gateway
# 10.152.152.11 work
PRIV_WHONIX_INTERNAL_NET=10.152.152.0/24
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## Copyright (C) 2014 - 2015 Jason Mehring <nrgaway@gmail.com>
## See the file COPYING for copying conditions.
ALLOW_GATEWAY_USER_USER=1
GATEWAY_ALLOW_INCOMING_SSH=0
GATEWAY_ALLOW_INCOMING_ICMP=0
#### meta start
#### project Whonix
#### category networking and firewall
#### description
## firewall script
#### meta end
## --reject-with
## http://ubuntuforums.org/showthread.php?p=12011099
## Set to icmp-admin-prohibited because icmp-port-unreachable caused
## confusion. icmp-port-unreachable looks like a bug while
## icmp-admin-prohibited hopefully makes clear it is by design.
set -e
error_handler() {
echo "$0 ##################################################"
echo "$0 ERROR: Whonix firewall script failed!"
echo "$0 ##################################################"
exit 1
}
trap "error_handler" ERR
init() {
output_cmd "OK: Loading Whonix firewall..."
set -o pipefail
set -o errtrace
}
source_config_folder() {
shopt -s nullglob
local i
for i in \
/etc/whonix_firewall.d/*.conf \
/rw/config/whonix_firewall.d/*.conf \
/usr/local/etc/whonix_firewall.d/*.conf \
; do
bash_n_exit_code="0"
bash_n_output="$(bash -n "$i" 2>&1)" || { bash_n_exit_code="$?" ; true; };
if [ ! "$bash_n_exit_code" = "0" ]; then
output_cmd "ERROR: Invalid config file: $i
bash_n_exit_code: $bash_n_exit_code
bash_n_output:
$bash_n_output" >&2
exit 1
fi
source "$i"
done
}
variables_defaults() {
[ -n "$iptables_cmd" ] || iptables_cmd="iptables --wait"
[ -n "$ip6tables_cmd" ] || ip6tables_cmd="ip6tables --wait"
[ -n "$WORKSTATION_TRANSPARENT_TCP" ] || WORKSTATION_TRANSPARENT_TCP=1
[ -n "$WORKSTATION_TRANSPARENT_DNS" ] || WORKSTATION_TRANSPARENT_DNS=1
[ -n "$WORKSTATION_ALLOW_SOCKSIFIED" ] || WORKSTATION_ALLOW_SOCKSIFIED=1
[ -n "$CONTROL_PORT_FILTER_PROXY_ENABLE" ] || CONTROL_PORT_FILTER_PROXY_ENABLE=1
[ -n "$GATEWAY_ALLOW_INCOMING_DIR_PORT" ] || GATEWAY_ALLOW_INCOMING_DIR_PORT=0
[ -n "$GATEWAY_ALLOW_INCOMING_OR_PORT" ] || GATEWAY_ALLOW_INCOMING_OR_PORT=0
[ -n "$DIR_PORT" ] || DIR_PORT=80
[ -n "$OR_PORT" ] || OR_PORT=443
[ -n "$GATEWAY_TRANSPARENT_TCP" ] || GATEWAY_TRANSPARENT_TCP=0
[ -n "$GATEWAY_TRANSPARENT_UDP" ] || GATEWAY_TRANSPARENT_UDP=0
[ -n "$GATEWAY_TRANSPARENT_DNS" ] || GATEWAY_TRANSPARENT_DNS=0
[ -n "$ALLOW_GATEWAY_ROOT_USER" ] || ALLOW_GATEWAY_ROOT_USER=0
[ -n "$ALLOW_GATEWAY_USER_USER" ] || ALLOW_GATEWAY_USER_USER=0
[ -n "$GATEWAY_ALLOW_INCOMING_SSH" ] || GATEWAY_ALLOW_INCOMING_SSH=0
[ -n "$GATEWAY_ALLOW_INCOMING_ICMP" ] || GATEWAY_ALLOW_INCOMING_ICMP=0
## Get Tor username, distro specific!
[ -n "$TOR_USER" ] || TOR_USER=$PRIV_TOR_OWNER
## Get user uids.
#!? [ -n "$CLEARNET_USER" ] || CLEARNET_USER="$(id -u clearnet)"
[ -n "$USER_USER" ] || USER_USER="$(id -u user)" || true
[ -n "$ROOT_USER" ] || ROOT_USER="$(id -u root)"
#!? [ -n "$TUNNEL_USER" ] || TUNNEL_USER="$(id -u tunnel)"
[ -n "$SDWDATE_USER" ] || SDWDATE_USER="$(id -u sdwdate)"
[ -n "$WHONIXCHECK_USER" ] || WHONIXCHECK_USER="$(id -u whonixcheck)"
## No NAT for clearnet user.
[ -n "$CLEARNET_USER" ] && NO_NAT_USERS+=" $CLEARNET_USER"
## No NAT for tunnel user.
[ -n "$TUNNEL_USER" ] && NO_NAT_USERS+=" $TUNNEL_USER"
## No NAT for user user.
## DISABLED BY DEFAULT. For testing/debugging only.
if [ "$ALLOW_GATEWAY_USER_USER" = "1" ]; then
if [ "$USER_USER" = "" ]; then
output_cmd "INFO: USER_USER is unset. Not adding USER_USER to NO_NAT_USERS."
else
NO_NAT_USERS+=" $USER_USER"
fi
fi
## No NAT for root user.
## DISABLED BY DEFAULT. For testing/debugging only.
if [ "$ALLOW_GATEWAY_ROOT_USER" = "1" ]; then
NO_NAT_USERS+=" $ROOT_USER"
fi
## Whonix-Gateway firewall does not support TUNNEL_FIREWALL_ENABLE=true yet.
## It only supports VPN_FIREWALL="1".
## In case someone confused this setting, i.e. using TUNNEL_FIREWALL_ENABLE=true
## since this is how it is done on Whonix-Workstation, then gracefully enable
## VPN_FIREWALL="1" to prevent users shooting their own feet.
if [ "$TUNNEL_FIREWALL_ENABLE" = "true" ]; then
VPN_FIREWALL="1"
fi
## No NAT for Tor itself,
## unless VPN_FIREWALL mode is enabled.
if [ "$VPN_FIREWALL" = "1" ]; then
true
else
NO_NAT_USERS+=" $TOR_USER"
fi
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
[ -n "$INT_IF" ] || INT_IF="vif+"
[ -n "$INT_TIF" ] || INT_TIF="vif+"
fi
## External interface
[ -n "$EXT_IF" ] || EXT_IF="eth0"
## Internal interface
[ -n "$INT_IF" ] || INT_IF="eth1"
## Internal "tunnel" interface, usually the same as
## the Internal interface unless using vpn tunnels
## between workstations and gateway
[ -n "$INT_TIF" ] || INT_TIF="eth1"
if [ "$NON_TOR_GATEWAY" = "" ]; then
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
NON_TOR_GATEWAY=""
else
## 10.0.2.2-10.0.2.24: VirtualBox DHCP
NON_TOR_GATEWAY="\
127.0.0.0-127.0.0.24 \
192.168.0.0-192.168.0.24 \
192.168.1.0-192.168.1.24 \
10.152.152.0-10.152.152.24 \
10.0.2.2-10.0.2.24 \
"
fi
fi
[ -n "$VPN_INTERFACE" ] || VPN_INTERFACE="tun0"
## Destinations you do not routed through VPN, only for Whonix-Gateway.
if [ "$LOCAL_NET" = "" ]; then
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
LOCAL_NET="\
127.0.0.0-127.0.0.24 \
10.137.0.0-10.138.255.255 \
"
else
## 10.0.2.2/24: VirtualBox DHCP
LOCAL_NET="\
127.0.0.0-127.0.0.24 \
192.168.0.0-192.168.0.24 \
192.168.1.0-192.168.1.24 \
10.152.152.0-10.152.152.24 \
10.0.2.2-10.0.2.24 \
"
fi
fi
if [ "$WORKSTATION_DEST_SOCKSIFIED" = "" ]; then
## 10.152.152.10 - Non-Qubes-Whonix-Gateway IP
##
## 10.137.0.0/8 - persistent Qubes-Whonix-Gateway IP range
## 10.138.0.0/8 - DispVM Qubes-Whonix-Gateway IP range
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
## https://forums.whonix.org/t/whonix-gateway-not-reachable/7484/16
## 10.152.152.10 is hardcoded in some places.
WORKSTATION_DEST_SOCKSIFIED="10.137.0.0/16,10.138.0.0/16,10.152.152.10"
else
WORKSTATION_DEST_SOCKSIFIED="10.152.152.10"
fi
fi
## The following ports are used
## - here in /usr/bin/whonix_firewall (package: whonix-gw-firewall)
## - by Tor in /usr/share/tor/tor-service-defaults-torrc (package: anon-gw-anonymizer-config)
##
## The following applications will be separated, preventing identity
## correlation through circuit sharing.
## Transparent Proxy Ports for Whonix-Workstation
[ -n "$TRANS_PORT_WORKSTATION" ] || TRANS_PORT_WORKSTATION="9040"
[ -n "$DNS_PORT_WORKSTATION" ] || DNS_PORT_WORKSTATION="5300"
## Transparent Proxy Ports for Whonix-Gateway
[ -n "$TRANS_PORT_GATEWAY" ] || TRANS_PORT_GATEWAY="9041"
[ -n "$DNS_PORT_GATEWAY" ] || DNS_PORT_GATEWAY="5400"
## Control Port Filter Proxy Port
[ -n "$CONTROL_PORT_FILTER_PROXY_PORT" ] || CONTROL_PORT_FILTER_PROXY_PORT="9051"
[ -n "$GATEWAY_ALLOW_INCOMING_FLASHPROXY" ] || GATEWAY_ALLOW_INCOMING_FLASHPROXY="0"
[ -n "$FLASHPROXY_PORT" ] || FLASHPROXY_PORT="9000"
## Socks Ports for per application circuits.
[ -n "$SOCKS_PORT_TOR_DEFAULT" ] || SOCKS_PORT_TOR_DEFAULT="9050"
[ -n "$SOCKS_PORT_TB" ] || SOCKS_PORT_TB="9100"
[ -n "$SOCKS_PORT_IRC" ] || SOCKS_PORT_IRC="9101"
[ -n "$SOCKS_PORT_TORBIRDY" ] || SOCKS_PORT_TORBIRDY="9102"
[ -n "$SOCKS_PORT_IM" ] || SOCKS_PORT_IM="9103"
[ -n "$SOCKS_PORT_APT_GET" ] || SOCKS_PORT_APT_GET="9104"
[ -n "$SOCKS_PORT_GPG" ] || SOCKS_PORT_GPG="9105"
[ -n "$SOCKS_PORT_SSH" ] || SOCKS_PORT_SSH="9106"
[ -n "$SOCKS_PORT_GIT" ] || SOCKS_PORT_GIT="9107"
[ -n "$SOCKS_PORT_SDWDATE" ] || SOCKS_PORT_SDWDATE="9108"
[ -n "$SOCKS_PORT_WGET" ] || SOCKS_PORT_WGET="9109"
[ -n "$SOCKS_PORT_WHONIXCHECK" ] || SOCKS_PORT_WHONIXCHECK="9110"
[ -n "$SOCKS_PORT_BITCOIN" ] || SOCKS_PORT_BITCOIN="9111"
[ -n "$SOCKS_PORT_PRIVOXY" ] || SOCKS_PORT_PRIVOXY="9112"
[ -n "$SOCKS_PORT_POLIPO" ] || SOCKS_PORT_POLIPO="9113"
[ -n "$SOCKS_PORT_WHONIX_NEWS" ] || SOCKS_PORT_WHONIX_NEWS="9114"
[ -n "$SOCKS_PORT_TBB_DOWNLOAD" ] || SOCKS_PORT_TBB_DOWNLOAD="9115"
[ -n "$SOCKS_PORT_TBB_GPG" ] || SOCKS_PORT_TBB_GPG="9116"
[ -n "$SOCKS_PORT_CURL" ] || SOCKS_PORT_CURL="9117"
[ -n "$SOCKS_PORT_RSS" ] || SOCKS_PORT_RSS="9118"
[ -n "$SOCKS_PORT_TORCHAT" ] || SOCKS_PORT_TORCHAT="9119"
[ -n "$SOCKS_PORT_MIXMASTERUPDATE" ] || SOCKS_PORT_MIXMASTERUPDATE="9120"
[ -n "$SOCKS_PORT_MIXMASTER" ] || SOCKS_PORT_MIXMASTER="9121"
[ -n "$SOCKS_PORT_KDE" ] || SOCKS_PORT_KDE="9122"
[ -n "$SOCKS_PORT_GNOME" ] || SOCKS_PORT_GNOME="9123"
[ -n "$SOCKS_PORT_APTITUDE" ] || SOCKS_PORT_APTITUDE="9124"
[ -n "$SOCKS_PORT_YUM" ] || SOCKS_PORT_YUM="9125"
[ -n "$SOCKS_PORT_TBB_DEFAULT" ] || SOCKS_PORT_TBB_DEFAULT="9150"
## For testing purposes only.
## To test if prerouting redirection rules for socksified interfere with transparent torification.
## https://phabricator.whonix.org/T462
#[ -n "$SOCKS_PORT_HTTP" ] || SOCKS_PORT_HTTP="80"
#[ -n "$SOCKS_PORT_SSL" ] || SOCKS_PORT_SSL="443"
## Adding more Socks Ports here should no longer be necessary.
## There are already lots of custom ports prepared that you can use.
## See documentation:
## https://www.whonix.org/wiki/Stream_Isolation
##
## Additional Socks Ports for per application circuits could be
## added here, but you would have to:
## - Edit '/usr/local/etc/torrc.d/50_user.conf' to add more 'SocksPort's.
## - And 'sudo service tor@default reload' afterwards.
## - Add more socks port variables to Whonix firewall configuration.
## (For example to '/etc/whonix_firewall.d/50_user.conf'.)
## Follow the 'SOCKS_PORT_...' naming scheme.
## (For example 'SOCKS_PORT_CUSTOM_ONE', 'SOCKS_PORT_CUSTOM_TWO', etc.)
## - And issue "sudo /usr/bin/whonix_firewall" afterwards.
socks_ports_list="$(compgen -v | grep SOCKS\_PORT\_)"
}
ipv4_defaults() {
lsmod | grep -q iptable_filter || modprobe iptable_filter
## Set secure defaults.
$iptables_cmd -P INPUT DROP
## FORWARD rules does not actually do anything if forwarding is disabled. Better be safe just in case.
$iptables_cmd -P FORWARD DROP
## Will be lifted below.
$iptables_cmd -P OUTPUT DROP
}
ipv4_preparation() {
lsmod | grep -q nf_nat || modprobe nf_nat
lsmod | grep -q iptable_mangle || modprobe iptable_mangle
## Flush old rules.
$iptables_cmd -F
$iptables_cmd -X
$iptables_cmd -t nat -F
$iptables_cmd -t nat -X
$iptables_cmd -t mangle -F
$iptables_cmd -t mangle -X
}
ipv4_drop_invalid_incoming_packages() {
lsmod | grep -q nf_conntrack || modprobe nf_conntrack
## DROP MARTIANS
## https://www.cyberciti.biz/faq/linux-log-suspicious-martian-packets-un-routable-source-addresses/
$iptables_cmd -A INPUT -i $WLAN_IF -s 10.0.0.0/8 -j LOG --log-prefix "iptables_martian_DROP SPOOF A: "
$iptables_cmd -A INPUT -i $WLAN_IF -s 172.16.0.0/12 -j LOG --log-prefix "iptables_martian_DROP SPOOF B: "
$iptables_cmd -A INPUT -i $WLAN_IF -s 192.168.0.0/16 -j LOG --log-prefix "iptables_martian_DROP SPOOF C: "
$iptables_cmd -A INPUT -i $WLAN_IF -s 224.0.0.0/4 -j LOG --log-prefix "iptables_martian_DROP MULTICAST D: "
$iptables_cmd -A INPUT -i $WLAN_IF -s 240.0.0.0/5 -j LOG --log-prefix "iptables_martian_DROP SPOOF E: "
$iptables_cmd -A INPUT -i $WLAN_IF -d 127.0.0.0/8 -j LOG --log-prefix "iptables_martian_DROP LOOPBACK: "
$iptables_cmd -A INPUT -i $WLAN_IF -s 10.0.0.0/8 -j DROP
$iptables_cmd -A INPUT -i $WLAN_IF -s 172.16.0.0/12 -j DROP
$iptables_cmd -A INPUT -i $WLAN_IF -s 192.168.0.0/16 -j DROP
$iptables_cmd -A INPUT -i $WLAN_IF -s 224.0.0.0/4 -j DROP
$iptables_cmd -A INPUT -i $WLAN_IF -s 240.0.0.0/5 -j DROP
$iptables_cmd -A INPUT -i $WLAN_IF -d 127.0.0.0/8 -j DROP
## DROP INVALID
$iptables_cmd -A INPUT -m conntrack --ctstate INVALID -j DROP
$iptables_cmd -A INPUT -m state --state INVALID -j DROP
## DROP INVALID SYN PACKETS
$iptables_cmd -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$iptables_cmd -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$iptables_cmd -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
$iptables_cmd -A INPUT -f -j DROP
## DROP INCOMING MALFORMED XMAS PACKETS
$iptables_cmd -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
## DROP INCOMING MALFORMED NULL PACKETS
$iptables_cmd -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
}
qubes() {
lsmod | grep -q xt_owner || modprobe xt_owner
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
true "timesync-fail-closed mode, skipping rest of function $FUNCNAME"
return 0
fi
if [ -e /run/qubes/this-is-netvm ] || [ -e /run/qubes/this-is-proxyvm ]; then
local int_if_item
for int_if_item in $INT_IF; do
## Allow connections from port 8082 of internal vif interface for tinyproxy
## tinyproxy is responsible to handle TemplateVMs updates.
$iptables_cmd -A INPUT -i "$int_if_item" -p tcp -m tcp --dport 8082 -j ACCEPT
$iptables_cmd -A OUTPUT -o "$int_if_item" -p tcp -m tcp --sport 8082 -j ACCEPT
done
## Qubes pre-routing. Will be able to intercept traffic destined for
## 10.137.255.254 to be re-routed to tinyproxy.
$iptables_cmd -t nat -N PR-QBS-SERVICES
$iptables_cmd -t nat -A PREROUTING -j PR-QBS-SERVICES
for int_if_item in $INT_IF; do
## Redirects traffic destined for 10.137.255.154 to port 8082 (tinyproxy).
$iptables_cmd -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i "$int_if_item" -p tcp -m tcp --dport 8082 -j REDIRECT
done
## Forward tinyproxy output to port 5300/9040 on internal (Tor) interface (eth1) to be
## able to connect to Internet (via Tor) to proxy updates for TemplateVM.
$iptables_cmd -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to "127.0.0.1:${DNS_PORT_GATEWAY}"
$iptables_cmd -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to "127.0.0.1:${TRANS_PORT_GATEWAY}"
## The same for squid from qubes-updates-cache, which runs as user vm-updates.
if getent passwd vm-updates >/dev/null; then
$iptables_cmd -t nat -A OUTPUT -p udp -m owner --uid-owner vm-updates -m conntrack --ctstate NEW -j DNAT --to "127.0.0.1:${DNS_PORT_GATEWAY}"
$iptables_cmd -t nat -A OUTPUT -p tcp -m owner --uid-owner vm-updates -m conntrack --ctstate NEW -j DNAT --to "127.0.0.1:${TRANS_PORT_GATEWAY}"
fi
## https://github.com/QubesOS/qubes-issues/issues/3201#issuecomment-338646742
$iptables_cmd -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -d 127.0.0.1 --dport "${DNS_PORT_GATEWAY}" -j ACCEPT
$iptables_cmd -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -d 127.0.0.1 --dport "${TRANS_PORT_GATEWAY}" -j ACCEPT
fi
}
ipv4_input_rules() {
## Traffic on the loopback interface is accepted.
$iptables_cmd -A INPUT -i lo -j ACCEPT
## Established incoming connections are accepted.
$iptables_cmd -A INPUT -m state --state ESTABLISHED -j ACCEPT
## Drop all incoming ICMP traffic by default.
## All incoming connections are dropped by default anyway, but should a user
## allow incoming ports (such as for incoming SSH or FlashProxy), ICMP should
## still be dropped to filter for example ICMP time stamp requests.
if [ ! "$GATEWAY_ALLOW_INCOMING_ICMP" = "1" ]; then
$iptables_cmd -A INPUT -p icmp -j DROP
fi
## Allow all incoming connections on the virtual VPN network interface,
## when VPN_FIREWALL mode is enabled.
## DISABLED BY DEFAULT.
if [ "$VPN_FIREWALL" = "1" ]; then
$iptables_cmd -A INPUT -i "$VPN_INTERFACE" -j ACCEPT
fi
local ext_if_item
for ext_if_item in $EXT_IF; do
## Allow incoming SSH connections on the external interface.
## DISABLED BY DEFAULT. For testing/debugging only.
if [ "$GATEWAY_ALLOW_INCOMING_SSH" = "1" ]; then
$iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport 22 -j ACCEPT
fi
## Allow incoming Flash Proxy connections on the external interface.
## This has NOTHING to do with Adobe Flash.
## DISABLED BY DEFAULT.
if [ "$GATEWAY_ALLOW_INCOMING_FLASHPROXY" = "1" ]; then
$iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport "$FLASHPROXY_PORT" -j ACCEPT
fi
local local_port_to_open
for local_port_to_open in $EXTERNAL_OPEN_PORTS; do
$iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport "$local_port_to_open" -j ACCEPT
done
local local_udp_port_to_open
for local_udp_port_to_open in $EXTERNAL_UDP_OPEN_PORTS; do
$iptables_cmd -A INPUT -p udp --dport "$local_udp_port_to_open" -j ACCEPT
done
if [ "$EXTERNAL_OPEN_ALL" = "true" ]; then
$iptables_cmd -A INPUT -j ACCEPT
fi
done
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
true "timesync-fail-closed mode, skipping rest of function $FUNCNAME"
return 0
fi
for ext_if_item in $EXT_IF; do
## Allow incoming DIRPORT connections for an optional Tor relay.
## DISABLED BY DEFAULT.
if [ "$GATEWAY_ALLOW_INCOMING_DIR_PORT" = "1" ]; then
$iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport "$DIR_PORT" -j ACCEPT
fi
## Allow incoming ORPORT connections for an optional Tor relay.
## DISABLED BY DEFAULT.
if [ "$GATEWAY_ALLOW_INCOMING_OR_PORT" = "1" ]; then
$iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport "$OR_PORT" -j ACCEPT
fi
## Custom Open Ports on external interface
## - untested, should work
## - Replace 22,9050,9051,9150,9151 with any ports you like to be open, example: 9050,9051
## or just 9050
## - $iptables_cmd v1.4.14: multiport needs -p tcp, -p udp, -p udplite, -p sctp or -p dccp
#$iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --match multiport --dports 22,9050,9051,9150,9151 -j ACCEPT
#$iptables_cmd -A INPUT -i "$ext_if_item" -p udp --match multiport --dports 22,9050,9051,9150,9151 -j ACCEPT
## OPTIONAL Allow incoming OpenVPN connections on the external interface.
#$iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport 1194 -j ACCEPT
done
local int_tif_item
local int_if_item
for int_tif_item in $INT_TIF; do
if [ "$WORKSTATION_TRANSPARENT_DNS" = "1" ]; then
## Allow DNS traffic to DnsPort.
$iptables_cmd -A INPUT -i "$int_tif_item" -p udp --dport "$DNS_PORT_WORKSTATION" -j ACCEPT
fi
done
for int_if_item in $INT_IF; do
if [ "$WORKSTATION_TRANSPARENT_TCP" = "1" ]; then
## Allow TCP traffic TransPort.
$iptables_cmd -A INPUT -i "$int_if_item" -p tcp --dport "$TRANS_PORT_WORKSTATION" -j ACCEPT
fi
done
for int_tif_item in $INT_TIF; do
## Allow TCP traffic to Control Port Filter Proxy.
if [ "$CONTROL_PORT_FILTER_PROXY_ENABLE" = "1" ]; then
$iptables_cmd -A INPUT -i "$int_tif_item" -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" -j ACCEPT
fi
## Allow socksified applications.
if [ "$WORKSTATION_ALLOW_SOCKSIFIED" = "1" ]; then
for socks_port in $socks_ports_list; do
true "$socks_port: ${!socks_port}"
$iptables_cmd -A INPUT -i "$int_tif_item" -p tcp --dport "${!socks_port}" -j ACCEPT
done
## Accept ports 9152-9189 prepared for user custom applications.
## See /usr/share/tor/tor-service-defaults-torrc for more comments.
$iptables_cmd -A INPUT -i "$int_tif_item" -p tcp --match multiport --dports 9152:9189 -j ACCEPT
fi
done
for int_if_item in $INT_IF; do
## Redirect Control Port Filter Proxy to Control Port Filter Proxy port.
if [ "$CONTROL_PORT_FILTER_PROXY_ENABLE" = "1" ]; then
$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -d "$WORKSTATION_DEST_SOCKSIFIED" -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" -j REDIRECT --to-ports "$CONTROL_PORT_FILTER_PROXY_PORT"
fi
if [ "$WORKSTATION_ALLOW_SOCKSIFIED" = "1" ]; then
for socks_port in $socks_ports_list; do
true "$socks_port: ${!socks_port}"
## Redirect Browser/IRC/TorBirdy, etc. to SocksPort.
$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -d "$WORKSTATION_DEST_SOCKSIFIED" -p tcp --dport "${!socks_port}" -j REDIRECT --to-ports "${!socks_port}"
done
## Redirect ports 9152-9189 prepared for user custom applications.
$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -d "$WORKSTATION_DEST_SOCKSIFIED" -p tcp --dport 9152:9189 -j REDIRECT
fi
if [ "$WORKSTATION_TRANSPARENT_DNS" = "1" ]; then
## Redirect remaining DNS traffic to DNS_PORT_WORKSTATION.
## Only user installed applications not configured to use a SocksPort are affected.
$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT_WORKSTATION"
fi
if [ "$WORKSTATION_TRANSPARENT_TCP" = "1" ]; then
## Catch all remaining TCP and redirect to TransPort.
## Only user installed applications not configured to use a SocksPort are affected.
$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT_WORKSTATION"
## Optionally restrict TransPort.
## Replace above rule with a more restrictive one, e.g.:
#$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -p tcp --match multiport --dports 80,443 --syn -j REDIRECT --to-ports "$TRANS_PORT_WORKSTATION"
fi
done
}
ipv4_input_defaults() {
## Log.
#$iptables_cmd -A INPUT -j LOG --log-prefix "Whonix blocked input4: "
## Reject anything not explicitly allowed above.
## Drop is better than reject here, because we do not want to reveal it's a Whonix-Gateway.
## (In case someone running Whonix-Gateway on bare metal.)
$iptables_cmd -A INPUT -j DROP
}
ipv4_forward() {
## Log.
#$iptables_cmd -A FORWARD -j LOG --log-prefix "Whonix blocked forward4: "
## Reject everything.
$iptables_cmd -A FORWARD -j REJECT --reject-with icmp-admin-prohibited
}
ipv4_reject_invalid_outgoing_packages() {
## Drop invalid outgoing packages,
## unless NO_REJECT_INVALID_OUTGOING_PACKAGES is set to 1.
if [ ! "$NO_REJECT_INVALID_OUTGOING_PACKAGES" = "1" ]; then
## https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html
$iptables_cmd -A OUTPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
$iptables_cmd -A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
#$iptables_cmd -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j REJECT --reject-with icmp-admin-prohibited
#$iptables_cmd -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j REJECT --reject-with icmp-admin-prohibited
## DROP INVALID SYN PACKETS
$iptables_cmd -A OUTPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j REJECT --reject-with icmp-admin-prohibited
$iptables_cmd -A OUTPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT --reject-with icmp-admin-prohibited
$iptables_cmd -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-admin-prohibited
## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
$iptables_cmd -A OUTPUT -f -j REJECT --reject-with icmp-admin-prohibited
## DROP INCOMING MALFORMED XMAS PACKETS
$iptables_cmd -A OUTPUT -p tcp --tcp-flags ALL ALL -j REJECT --reject-with icmp-admin-prohibited
## DROP INCOMING MALFORMED NULL PACKETS
$iptables_cmd -A OUTPUT -p tcp --tcp-flags ALL NONE -j REJECT --reject-with icmp-admin-prohibited
fi
}
ipv4_output() {
lsmod | grep -q xt_owner || modprobe xt_owner
## Allow outgoing traffic on VPN interface,
## if VPN_FIREWALL mode is enabled.
## DISABLED BY DEFAULT.
if [ "$VPN_FIREWALL" = "1" ]; then
$iptables_cmd -A OUTPUT -o "$VPN_INTERFACE" -j ACCEPT
fi
local no_nat_user
for no_nat_user in $NO_NAT_USERS ; do
$iptables_cmd -t nat -A OUTPUT -m owner --uid-owner "$no_nat_user" -j RETURN
done
if [ "$firewall_mode" = "full" ]; then
## Redirect of Gateway DNS traffic to DNS_PORT_GATEWAY.
## DISABLED BY DEFAULT. default. Using SocksPort instead.
if [ "$GATEWAY_TRANSPARENT_DNS" = "1" ]; then
$iptables_cmd -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT_GATEWAY"
fi
fi
if [ "$firewall_mode" = "full" ]; then
## Exclude connections to local network, Whonix-Workstation, VirtualBox from being redirected through Tor,
## unless VPN_FIREWALL mode is enabled.
## ENABLED BY DEFAULT.
if [ ! "$VPN_FIREWALL" = "1" ]; then
local non_tor_gateway_item
for non_tor_gateway_item in $NON_TOR_GATEWAY; do
$iptables_cmd -t nat -A OUTPUT -m iprange --dst-range "$non_tor_gateway_item" -j RETURN
done
fi
fi
if [ "$firewall_mode" = "full" ]; then
## Redirect all Gateway TCP traffic to TRANS_PORT_GATEWAY.
## DISABLED BY DEFAULT. Using SocksPort instead.
if [ "$GATEWAY_TRANSPARENT_TCP" = "1" ]; then
$iptables_cmd -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT_GATEWAY"
fi
fi
## Existing connections are accepted.
$iptables_cmd -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
if [ "$firewall_mode" = "full" ]; then
## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
## unless VPN_FIREWALL mode is enabled.
## ENABLED BY DEFAULT.
if [ ! "$VPN_FIREWALL" = "1" ]; then
for non_tor_gateway_item in $NON_TOR_GATEWAY; do
$iptables_cmd -A OUTPUT -m iprange --dst-range "$non_tor_gateway_item" -j ACCEPT
done
fi
fi
if [ "$firewall_mode" = "full" ]; then
## Accept outgoing connections to local network,
## when VPN_FIREWALL mode is enabled.
## DISABLED BY DEFAULT.
if [ "$VPN_FIREWALL" = "1" ]; then
local local_net_item
for local_net_item in $LOCAL_NET; do
$iptables_cmd -A OUTPUT -m iprange --dst-range "$local_net_item" -j ACCEPT
done
fi
fi
## Prevent connections to Tor SocksPorts.
## https://phabricator.whonix.org/T533#11025
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
local socks_port_item
for socks_port_item in $socks_ports_list; do
true "$socks_port_item: ${!socks_port_item}"
if [ "$SOCKS_PORT_SDWDATE" = "${!socks_port_item}" ]; then
continue
fi
$iptables_cmd -A OUTPUT -p tcp --dport "${!socks_port_item}" --dst "127.0.0.1" -j REJECT
done
fi
## Access to localhost is required even in timesync-fail-closed mode,
## otherwise breaks applications such as konsole and kwrite.
$iptables_cmd -A OUTPUT -o lo -j ACCEPT
for no_nat_user in $NO_NAT_USERS ; do
$iptables_cmd -A OUTPUT -m owner --uid-owner "$no_nat_user" -j ACCEPT
done
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
## Allow sdwdate talking to localhost and Tor in Whonix firewall timesync-fail-closed mode.
## Otherwise in Whonix firewall full mode this rule is redundant.
$iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT
$iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "127.0.0.1" -j ACCEPT
fi
## Log.
#$iptables_cmd -A OUTPUT -j LOG --log-prefix "Whonix blocked output4: "
## Reject all other outgoing traffic.
$iptables_cmd -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
}
ipv6() {
## Policy DROP for all traffic as fallback.
$ip6tables_cmd -P INPUT DROP
$ip6tables_cmd -P OUTPUT DROP
$ip6tables_cmd -P FORWARD DROP
## Flush old rules.
$ip6tables_cmd -F
$ip6tables_cmd -X
$ip6tables_cmd -t mangle -F
$ip6tables_cmd -t mangle -X
## Allow unlimited access on loopback.
## Not activated, since we do not need it.
#$ip6tables_cmd -A INPUT -i lo -j ACCEPT
#$ip6tables_cmd -A OUTPUT -o lo -j ACCEPT
## Log.
#$ip6tables_cmd -A INPUT -j LOG --log-prefix "Whonix blocked input6: "
#$ip6tables_cmd -A OUTPUT -j LOG --log-prefix "Whonix blocked output6: "
#$ip6tables_cmd -A FORWARD -j LOG --log-prefix "Whonix blocked forward6: "
## Drop/reject all other traffic.
$ip6tables_cmd -A INPUT -j DROP
## --reject-with icmp-admin-prohibited not supported by ip6tables
$ip6tables_cmd -A OUTPUT -j REJECT
## --reject-with icmp-admin-prohibited not supported by ip6tables
$ip6tables_cmd -A FORWARD -j REJECT
}
status_files() {
mkdir --parents /run/whonix_firewall
if [ -e /run/whonix_firewall/first_run_current_boot.status ]; then
touch /run/whonix_firewall/consecutive_run.status
return 0
fi
touch /run/whonix_firewall/first_run_current_boot.status
}
date_cmd(){
date -u +"%Y-%m-%d %T"
}
output_cmd() {
echo "$(date_cmd) - $0 - $@"
}
firewall_mode_detection() {
if [ ! "$firewall_mode" = "" ]; then
output_cmd "OK: Skipping firewall mode detection since already set to '$firewall_mode'."
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
output_cmd "OK: (Only local Tor control port connections and torified sdwdate allowed.)"
return 0
elif [ "$firewall_mode" = "full" ]; then
output_cmd "OK: (Full torified network access allowed.)"
return 0
else
output_cmd "ERROR: firewall_mode must be set to either 'full' or 'timesync-fail-closed'."
error_handler
fi
fi
## Run Whonix firewall in full mode if sdwdate already succeeded.
if [ -e /run/sdwdate/first_success ]; then
firewall_mode=full
output_cmd "OK: (/run/sdwdate/first_success exists.)"
elif [ -e /run/sdwdate/success ]; then
firewall_mode=full
output_cmd "OK: (/run/sdwdate/success exists.)"
## /run/whonix_firewall/first_run_current_boot.status already exists,
## therefore have Whonix firewall run in full mode.
elif [ -e /run/whonix_firewall/first_run_current_boot.status ]; then
firewall_mode=full
output_cmd "OK: (/run/whonix_firewall/first_run_current_boot.status exists.)"
else
## /run/whonix_firewall/first_run_current_boot.status does not yet exist,
## therefore return 'yes, timesync-fail-closed'.
firewall_mode=timesync-fail-closed
fi
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
output_cmd "OK: First run during current boot, therefore running in timesync-fail-closed mode."
output_cmd "OK: (Only local Tor control port connections and torified sdwdate allowed.)"
else
output_cmd "OK: Consecutive run during current boot, therefore running in full mode."
output_cmd "OK: (Full torified network access allowed.)"
fi
}
end() {
output_cmd "OK: Whonix firewall loaded."
exit 0
}
main() {
init
firewall_mode_detection
variables_defaults
ipv4_defaults
ipv4_preparation
ipv4_drop_invalid_incoming_packages
qubes
ipv4_input_rules
ipv4_input_defaults
ipv4_forward
ipv4_reject_invalid_outgoing_packages
ipv4_output
if [ -d /proc/sys/net/ipv6/ ]; then
ipv6
fi
status_files
end
}
source_config_folder
main

5
overlay/Linux/usr/local/sbin/proxy_firewall_start.bash Executable file
View File

@ -0,0 +1,5 @@
#!/bin/bash
ROLE=proxy
. /usr/local/bin/proxy_ping_lib.bash || { echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 3; }
proxy_ping_firewall_restart $*

80
overlay/Linux/usr/local/sbin/proxy_libvirt_ga_test.bash Executable file
View File

@ -0,0 +1,80 @@
#!/bin/sh
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
ROLE=hostvms
#[ $# -eq 0 ] && set -- Whonix-Gateway /bin/cat /proc/cmdline
[ $# -eq 0 ] && set -- Whonix-Gateway /bin/netstat -lnp4
[ $# -lt 2 ] && echo USAGE: $0 domain command arguments
. /usr/local/bin/usr_local_tput.bash || exit 3
HOST=$1
shift
CMD=$1
shift
# FixMe
if [ $# -lt 1 ] ; then
ARGS=""
elif [ $# -gt 1 ] ; then
ARGS=`sed -e 's/ /","/g' <<< $*`
else
ARGS="$1"
fi
[ "$HOST" = WWork106 ] && HOST=Whonix-Workstation || true
[ "$HOST" = WGate106 ] && HOST=Whonix-Gateway || true
[ -z "$CMD" ] && CMD=/usr/sbin/qemu-ga && ARGS=-D
INFO $0 $HOST $CMD $ARGS
if ifconfig virbr1 | grep -q 10.0.2.2 ; then
# lrwxrwxrwx 1 root root 11 Aug 26 21:58 /dev/virtio-ports/org.qemu.guest_agent.0 -> ../vport3p2
INFO ssh user@10.0.2.15 virbr1
ssh user@10.0.2.15 ls -l /dev/virtio-ports/org.qemu.guest_agent.0 | \
grep /dev/virtio-ports/org.qemu.guest_agent.0 || \
WARN NOT ssh ls -l /dev/virtio-ports/org.qemu.guest_agent.0
# /usr/sbin/qemu-ga
ssh user@10.0.2.15 ps ax | \
grep qemu-ga || \
WARN NOT ssh ps qemu-ga
fi
DBUG virsh qemu-agent-command $HOST \
'{"execute":"guest-exec", "arguments": {"capture-output": true,"path":"'$CMD'","arg":["'$ARGS'"]}}'
virsh qemu-agent-command $HOST \
'{"execute":"guest-exec", "arguments": {"capture-output": true,"path":"'$CMD'","arg":["'$ARGS'"]}}' \
>/tmp/Q$$.out || exit 1$?
grep -q return /tmp/Q$$.out || exit 2
pid=`sed -e 's/.*://' -e 's/}.*//' /tmp/Q$$.out`
[ $? -eq 0 -a -n "$pid" ] || exit 3
# DBUG virsh qemu-agent-command $HOST \
# '{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}'
#virsh qemu-agent-command $HOST \
# '{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}' \
# >/tmp/R$$.out || exit 4$?
TRIES=10
i=0
while [ $i -lt $TRIES ] ; do
i=`expr $i + 1`
virsh qemu-agent-command $HOST \
'{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}' \
>/tmp/R$$.out || exit 4$i$?
grep -q '"exitcode":0' /tmp/R$$.out && break
sleep 5
DBUG $i
done
[ $i -lt $TRIES ] || \
{ ERROR $i no exitcode in /tmp/R$$.out; exit 5 ; }
b64=`sed -e 's/{"return":{"exitcode":0,"out-data":"//' -e 's/",".*//' /tmp/R$$.out`
[ $? -eq 0 ] || exit 6
[ -n "$b64" ] || exit 7
echo $b64 | base64 -d - || exit 8
rm -f /tmp/{Q,R}$$.out
exit 0

29
overlay/Linux/usr/local/sbin/proxy_libvirt_hook_network.bash Executable file
View File

@ -0,0 +1,29 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/usr_local_tput.bash
. /usr/local/bin/proxy_ping_lib.bash || exit 1$?
if [ -f /etc/modules-load.d/firewall.conf ] ; then
grep -v '#' /etc/modules-load.d/firewall.conf|xargs modprobe --all
fi
proxy_ping_firewall_restart
retval=$?
if [ $retval -eq 0 ] ; then
logger INFO: $prog proxy_ping_firewall_restart $*
else
logger ERROR: $prog proxy_ping_firewall_restart retval=$retval $*
exit $retval
fi
# clean
exit 0
# BEGIN ANSIBLE MANAGED BLOCK proxy whonix_host.yml
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
# END ANSIBLE MANAGED BLOCK proxy whonix_host.yml

13
overlay/Linux/usr/local/sbin/proxy_libvirt_hook_qemu.bash Executable file
View File

@ -0,0 +1,13 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/usr_local_tput.bash
logger INFO: $0 $PWD $*
exit 0

BIN
overlay/Linux/usr/local/sbin/proxy_tor_lib.bad Executable file
View File

Binary file not shown.

217
overlay/Linux/usr/local/sbin/proxy_tor_lib.bash Executable file
View File

@ -0,0 +1,217 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
## /usr/local/bin/proxy_whonix_tor_start.bash
ROLE=proxy
[ -z "$prog" ] && prog=$( basename $0 .bash )
[ -z "$PRIV_TOR_OWNER" ] && grep -q ^debian-tor /etc/passwd && PRIV_TOR_OWNER=debian-tor
## host_tor_verify_config
. /usr/local/bin/usr_local_tput.bash || exit 3
host_tor_verify_config () {
# tor --verify-config # || exit 2$?
su -c 'tor --verify-config' -s /bin/sh $PRIV_TOR_OWNER \
| grep -v 'notice\|DisableNetwork'
# || exit 2
return 0
}
tor_grep_log () {
local log
[ -f /run/tor/log ] && log=/run/tor/log || log=/tmp/tor.log
[ -f $log ] || { WARN $prog $log not found ; return 1 ; }
INFO grep % $log
grep % $log | grep -v 5%
return 0
}
## host_tor_is_running
host_tor_is_running () {
local retval
retval=0
if netstat -nlp4 2>&1| grep ':90.*/tor' ; then
DBUG $prog tor is already running
retval=2
elif ps ax | grep -v grep | grep "su -c tor -s /bin/sh $PRIV_TOR_OWNER" ; then
DBUG $prog tor is already running
retval=3
elif ls -l /run/tor/socket 2>/dev/null ; then
DBUG $prog tor is already running
retval=4
fi
tor_grep_log
return $retval
}
## host_tor_start
host_tor_start () {
#su -c '/etc/init.d/tor stop' -s /bin/sh $PRIV_TOR_OWNER
#sleep 5
[ -d /run/tor/ ] && rm -f /run/tor/* || mkdir /run/tor
# systemd overrides these
chown $PRIV_TOR_OWNER.$PRIV_TOR_OWNER /run/tor
chmod 2750 /run/tor/
gateway_tor_stop
# systemctl daemon-reload
rm -f /run/tor/log.err /tmp/log.err
rm -f /run/tor/log /tmp/log.log
rm -f /run/tor/tor.pid /tmp/log.pid
INFO starting tor - see /tmp/tor.err /tmp/tor.log
if false ; then
su -c '/etc/init.d/tor start' -s /bin/sh $PRIV_TOR_OWNER
netstat -nlp -t inet | grep "$IP:9128" || systemctl --no-pager restart tor@default || return 4$?
else
su -c 'tor' -s /bin/sh $debian 2>/tmp/tor.err >/tmp/tor.log &
echo -n $! >/tmp/tor.pid
fi
sleep 15
return 0
}
## host_tor_stop
host_tor_stop () {
local debian
[ -s /tmp/tor.pid ] && \
DBUG $prog kill $( cat /tmp/tor.pid ) && \
kill $( cat /tmp/tor.pid ) 2>/dev/null && \
rm /tmp/tor.pid
rm -f /tmp/tor.log /tmp/tor.err
debian=$PRIV_TOR_OWNER
pkill -u $debian
[ -s /tmp/tog.pid ] && \
kill $( cat /tmp/tog.pid ) 2>/dev/null \
&& rm /tmp/tog.pid
# echo 1|sudo dd of=/proc/sys/net/ipv4/tcp_tw_reuse
return 0
}
PROXY_ExcludeNodes="{gb},{ca}"
## proxy_tor_torrc_update
proxy_tor_torrc_update () {
local file IP
file=$1
IP=$2
grep -q "SocksPort $IP:9050" $file || \
echo "SocksPort $IP:9050" >> $file
grep -q "DNSPort $IP:9053" $file || \
echo "DNSPort $IP:9053" >> $file
if false ; then
grep -q "TransPort $IP:9040" $file || \
echo "TransPort $IP:9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort" >> $file
fi
grep -q "HTTPTunnelPort $IP:9128" $file || \
echo "HTTPTunnelPort $IP:9128 IsolateDestAddr" >> $file
return 0
}
export TOR_LOG="/var/log/tor/log"
export TOR_DIR=/var/lib/tor/data
cmd_item_list=(
"--has-consensus"
"--current-time-in-valid-range"
"--show-valid-after"
"--show-valid-until"
"--show-middle-range"
)
#"--tor-cert-lifetime-invalid"
#"--tor-cert-valid-after"
## proxy_tor_test_ntp
proxy_tor_test_ntp () {
/usr/local/bin/proxy_ping_test.bash ntp
return $?
}
## proxy_tor_test_anondate
proxy_tor_test_anondate () {
local cmd_item outout exit_code
for cmd_item in ${cmd_item_list[@]} ; do
output="$( /usr/local/lib/helper-scripts/anondate $cmd_item $@ )"
exit_code="$?"
if [ $exit_code -eq 0 ] ; then
INFO "/usr/local/lib/helper-scripts/anondate $cmd_item $@"
echo "output: $output"
else
echo "WARN: /usr/local/lib/helper-scripts/anondate $cmd_item $@"
echo -n "exit_code: $exit_code "
echo "output: $output"
fi
done
return 0
}
host_tor_status () {
[ -f /tmp/tor.pid ] && \
[ $( wc -c /tmp/tor.pid|sed -e 's/ .*//' ) -le 1 ] && \
rm /tmp/tor.pid
if [ -f /tmp/tor.pid ]; then
ps -p "$( cat /tmp/tor.pid )"
elif [ -f /run/tor/tor.pid ] ; then
ps -p "$( cat /run/tor/tor.pid )"
else
WARN $prog no /tmp/tor.pid or /run/tor/tor.pid
fi
[ ! -f /usr/local/src/helper-scripts/tor_bootstrap_check.py ] || \
python3 /usr/local/src/helper-scripts/tor_bootstrap_check.py \
|| return 1
debian=$PRIV_TOR_OWNER
INFO $prog $debian processes:
ps -g $debian
guest_qemu_status || return 2$?
tor_start_not_running && return 3$?
[ ! -f /usr/local/src/helper-scripts/tor_circuit_established_check.py ] || \
a=$( python3 /usr/local/src/helper-scripts/tor_circuit_established_check.py ) \
|| return 4
[ "$a" = "1" ]|| { echo "WARN: $prog tor_circuit_established_check != 1" ;
return 5
}
return 0
}
## proxy_tor_torrc_exclude
proxy_tor_torrc_exclude () {
local file
[ $# -eq 0 ] && file=$1 || file=/etc/tor/torrc
[ -n "$file" ] || return 1
[ -f "$file" ] || return 2
[ -n "$PROXY_ExcludeNodes" ] || return 3
grep -q "ExcludeNodes.*$PROXY_ExcludeNodes" "$file" && return 0
if grep -q "ExcludeNodes" $file ; then
sed -e "s@ExcludeNodes.*@ExcludeNodes ${PROXY_ExcludeNodes}@" -i $file
else
echo "ExcludeNodes $PROXY_ExcludeNodes" >> $file
fi
return 0
}
base=proxy_tor_lib
if [ -x /usr/bin/basename ] && [ $( /usr/bin/basename -- $0 ) = $base'.bash' -o $( basename -- $0 ) = $base'.sh' ] ; then
[ "$#" -eq 0 ] && exit 0
[ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//'|sort && exit 0
eval "$@"
exit $?
fi

172
overlay/Linux/usr/local/sbin/proxy_whonix-libvirt-install.bash Executable file
View File

@ -0,0 +1,172 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
set -o pipefail || exit 1
# was in /usr/lib/whonix-libvirt/install
# unlike that one, this should be idempotent
# [ -f /var/lib/whonix-libvirt/install.done ] && exit 0
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=base
. /usr/local/bin/usr_local_tput.bash
GATEW=1
# for testforge use we only need the Gateway
WORKS=
[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
. /usr/local/bin/proxy_ping_lib.bash || \
{ echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 1; }
. /usr/local/bin/usr_local_base.bash || exit 2
MODE=`proxy_ping_mode`
[ $MODE = whonix ] || exit 0
#? echo ERROR: avoiding $prog proxy_whonix-libvirt-install.bash ; exit 10
[ -x /usr/local/bin/proxy_libvirt_hook_network.bash ] || exit 12
/usr/local/bin/proxy_libvirt_hook_network.bash || exit 13
[ -d /usr/local/var/log ] || mkdir /usr/local/var/log || exit 14
chmod 1777 /usr/local/var/log
[ -f /etc/firewall.conf.whonix ] || \
cp -p /usr/local/etc/firewall.conf.* /etc/ || exit 15
[ -f /etc/firewall.conf ] || \
cp -p /etc/firewall.conf.whonix /etc/firewall.conf || exit 16
# ERROR: proxy_ping_firewall_check /etc/firewall.conf empty
[ -x /etc/libvirt/hooks/network ] || cat > /etc/libvirt/hooks/network << \EOF
#!/bin/sh
[ -d /usr/local/var/log ] || mkdir /usr/local/var/log
echo INFO: hooks/network $* > /usr/local/var/log/libvirt_network.log
bash /usr/local/bin/proxy_libvirt_hook_network.bash "$@" \
>> /usr/local/var/log/libvirt_network.log 2>&1
EOF
[ -x /etc/libvirt/hooks/network ] || chmod a+x /etc/libvirt/hooks/network
/etc/libvirt/hooks/network || exit 16
## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
set -e
## {{ Taken from qemu-system-common.postinst.
# Add the kvm group unless it's already there
if ! getent group kvm >/dev/null; then
addgroup --quiet --system kvm || true
fi
## }} Taken from qemu-system-common.postinst.
## {{ Taken from libvirt-bin.postinst.
if ! getent group libvirt >/dev/null; then
addgroup --system libvirt
fi
## }} Taken from libvirt-bin.postinst.
## Existence of user "user" is not guaranteed at this point.
if grep -q ^user /etc/passwd ; then
grep -q ^kvm /etc/group || addgroup user kvm
grep -q ^libvirt /etc/group || addgroup user libvirt
fi
## Create shared directory and adjust permissions
[ -d /mnt/gateway-shared ] || mkdir --parents /mnt/gateway-shared
[ -n "$WORKS" ] && [ -d /mnt/workstation-shared ] || mkdir --parents /mnt/workstation-shared
chmod 1777 /mnt/gateway-shared
[ -n "$WORKS" ] && chmod 1777 /mnt/workstation-shared
## networks
proxy_virsh net-list --all | grep -q default || \
virsh -c qemu:///system net-autostart "default" || exit 1$?
#? virsh -c qemu:///system net-start "default" || exit 2$?
proxy_virsh net-list --all | grep -q Whonix-External || \
virsh -c qemu:///system net-define "/usr/local/etc/libvirt/qemu/networks/Whonix-External.xml" \
|| exit 3$?
proxy_virsh net-list --all | grep -q Whonix-Internal || \
virsh -c qemu:///system net-define "/usr/local/etc/libvirt/qemu/networks/Whonix-Internal.xml" \
|| exit 4$?
#no virsh -c qemu:///system net-autostart "Whonix-External"
proxy_virsh net-list | grep -q Whonix-External || \
virsh -c qemu:///system net-start "Whonix-External" || exit 5$?
# no virsh -c qemu:///system net-autostart "Whonix-Internal"
proxy_virsh net-list | grep -q Whonix-Internal || \
virsh -c qemu:///system net-start "Whonix-Internal" || exit 6$?
lsmod | grep -q kvm||modprobe kvm || exit 7
temp_dir=/usr/local/etc/libvirt/qemu
if virsh capabilities | grep -q "<domain type='kvm'" ; then
true "OK: found KVM"
else
## replace the 'kvm' domain type with 'qemu'
search="<domain type='kvm'>"
replace="<domain type='qemu'>"
str_replace "$search" "$replace" "$temp_dir/Whonix-Gateway.xml"
[ -n "$WORKS" ] && \
str_replace "$search" "$replace" "$temp_dir/Whonix-Workstation.xml"
search="<cpu mode='host-passthrough'/>"
replace=""
str_replace "$search" "$replace" "$temp_dir/Whonix-Gateway.xml"
str_replace "$search" "$replace" "$temp_dir/Whonix-Workstation.xml"
## https://forums.whonix.org/t/whonix-host-operating-system/3931/251
search="<pvspinlock state='on'/>"
replace=""
str_replace "$search" "$replace" "$temp_dir/Whonix-Gateway.xml"
[ -n "$WORKS" ] && \
str_replace "$search" "$replace" "$temp_dir/Whonix-Workstation.xml"
## https://forums.whonix.org/t/whonix-host-operating-system/3931/284
search="<vcpu placement='static' cpuset='0'>1</vcpu>"
replace=""
str_replace "$search" "$replace" "$temp_dir/Whonix-Gateway.xml"
## https://forums.whonix.org/t/whonix-host-operating-system/3931/284
search="<vcpu placement='static' cpuset='1'>1</vcpu>"
replace=""
[ -n "$WORKS" ] && \
str_replace "$search" "$replace" "$temp_dir/Whonix-Workstation.xml"
fi
[ -z "$GATEW" ] || \
proxy_virsh list --all | grep -q Whonix-Gateway || \
virsh -c qemu:///system define "$temp_dir/Whonix-Gateway.xml" || exit 8$?
[ -z "$WORKS" ] || \
proxy_virsh list --all | grep -q Whonix-Workstation || \
virsh -c qemu:///system define "$temp_dir/Whonix-Workstation.xml" || exit 9$?
grep -q /mnt/gateway-shared "$temp_dir/Whonix-Gateway.xml" || \
virt-xml "Whonix-Gateway" --add-device \
--filesystem source=/mnt/gateway-shared,target=shared,type=mount,accessmode=mapped || exit 10$?
[ -z "$WORKS" ] || \
grep -q /mnt/gateway-shared "$temp_dir/Whonix-Workstation.xml" || \
virt-xml "Whonix-Workstation" --add-device --filesystem source=/mnt/workstation-shared,target=shared,type=mount,accessmode=mapped || true
[ -d /var/lib/whonix-libvirt ] || \
mkdir --parents /var/lib/whonix-libvirt
touch /var/lib/whonix-libvirt/install.done
proxy_virsh list | grep -q Whonix-Gateway || \
virsh -c qemu:///system start "Whonix-Gateway" || exit 19$?
if [ -d ~user ] ; then
# kicksecure installs ~user/.xchat2/ not owned by user and it seems to screw up X
# with "unable load load a failsafe session" unable to determine failsafe session name
# even with no-allow-failsafe in /etc/X11/Xsession.options
# Linkname:Xfce - Unable to load a failsafe session / Newbie... / Arch Linux Forums
# https://bbs.archlinux.org/viewtopic.php?id=77646
chown -R user ~user
[ -x /var/local/bin/testforge_user_profile.bash ] && \
su -c /var/local/bin/testforge_user_profile.bash -s /bin/bash user
fi
exit 0

349
overlay/Linux/usr/local/sbin/proxy_whonix_gateway_tor.bash Executable file
View File

@ -0,0 +1,349 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
# was /usr/local/bin/proxy_whonix_tor_start.bash
ROLE=proxy
USAGE="config|start|stop|status|restart|verify|test"
[ $( id -u ) -eq 0 ] || { ERROR $prog you must be root ; exit 1 ; }
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash || exit 3
. /usr/local/sbin/proxy_whonix_lib.bash || exit 1
. /usr/local/sbin/proxy_tor_lib.bash || exit 2
rm -f /etc/torrc.d/*~
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
[ -z "$PRIV_TOR_OWNER" ] && grep -q ^debian-tor /etc/passwd && PRIV_TOR_OWNER=debian-tor
[ -z "$PRIV_TOR_OWNER" ] && grep -q ^tor /etc/passwd && PRIV_TOR_OWNER=tor
NEEDED_SCRIPTS="
/usr/local/sbin/proxy_tor_lib.bash
/usr/local/bin/proxy_ping_test.bash
"
# to stop
# 4269 ttyS0 S 0:00 su -c tor -s /bin/sh debian-tor
# 4272 ? Ss 0:00 sh -c tor
# 4273 ? S 0:02 tor
# 4355 ? S 0:00 timeout --kill-after=5s 10s /usr/lib/helper-scripts/tor_circuit_established_check.py
# 4356 ? R 0:00 /usr/bin/python3 -u /usr/lib/helper-scripts/tor_circuit_established_check.py
## gateway_tor_stop
gateway_tor_stop () {
local debian
[ -s /tmp/tor.pid ] && \
DBUG $prog kill $( cat /tmp/tor.pid ) && \
kill $( cat /tmp/tor.pid ) 2>/dev/null && \
rm /tmp/tor.pid
rm -f /tmp/tor.log /tmp/tor.err
debian=$PRIV_TOR_OWNER
pkill -u $debian
[ -s /tmp/tog.pid ] && \
kill $( cat /tmp/tog.pid ) 2>/dev/null \
&& rm /tmp/tog.pid
systemctl stop vanguards
# systemctl start onion-grater >/dev/null && systemctl stop onion-grater
# echo 1|sudo dd of=/proc/sys/net/ipv4/tcp_tw_reuse
netstat -npet4
return 0
}
## gateway_tor_torrc
gateway_tor_torrc () {
local file IP
# file=/etc/torrc.d/50_user.conf
file=/usr/local/etc/torrc.d/50_user.conf
if [ ! -f $file ] ; then
cat > $file <<EOF
# Tor user specific configuration file
#
# Add user modifications below this line:
############################################
Socks5ProxyUsername foo
Socks5ProxyPassword bar
SafeLogging 0
SocksPort 10.0.2.15:9050
DNSPort 10.0.2.15:9053
HTTPTunnelPort 10.0.2.15:9128 IsolateDestAddr
TransPort 10.0.2.15:9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort
DisableNetwork 0
ControlSocket /run/tor/control
EOF
else
IP=10.0.2.15
proxy_tor_torrc_update $file $IP
fi
proxy_tor_torrc_exclude $file
return 0
}
## gateway_tor_init_config_gateway_conf
gateway_tor_init_config_gateway_conf () {
local elt file
file=/etc/whonix_firewall.d/30_whonix_gateway_default.conf
for elt in GATEWAY_ALLOW_INCOMING_ICMP GATEWAY_ALLOW_INCOMING_SSH ; do
grep -q $elt=1 $file || \
sed -e "s/$elt=.*/$elt=1/" -i $file
done
for elt in 22 9050 9053 9040 9128 ; do
grep -q '^EXTERNAL_OPEN_PORTS.=" '$elt' "' \
/etc/whonix_firewall.d/30_whonix_gateway_default.conf && continue
echo 'EXTERNAL_OPEN_PORTS+=" '$elt' "' >> $file
done
return 0
}
## gateway_tor_init_check_iptables
gateway_tor_init_check_iptables () {
local rule changed
changed=0
rule='-A INPUT -i eth0 -p udp -m udp --dport 9053 -j ACCEPT'
if ! proxy_iptables_save | grep -q -e "$rule" ; then
[ $changed -eq 0 ] && proxy_iptables -D INPUT -j DROP
proxy_iptables $rule
changed=1
fi
rule='-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT'
if ! proxy_iptables_save | grep -q -e "$rule" ; then
[ $changed -eq 0 ] && proxy_iptables -D INPUT -j DROP
proxy_iptables $rule
changed=1
fi
rule='-A INPUT -i eth0 -p tcp -m tcp --dport 9128 -j ACCEPT'
if ! proxy_iptables_save | grep -q -e "$rule" ; then
[ $changed -eq 0 ] && proxy_iptables -D INPUT -j DROP
proxy_iptables $rule
changed=1
fi
[ $changed -gt 0 ] && proxy_iptables -A INPUT -j DROP
return 0
}
# systemctl --no-pager status tor@default
## tor_start_not_running
tor_start_not_running () {
local retval
retval=0
if netstat -nlp4 2>&1| grep '15:90.*/tor' ; then
DBUG $prog tor is already running
retval=2
elif ps ax | grep -v grep | grep "su -c tor -s /bin/sh $PRIV_TOR_OWNER" ; then
DBUG $prog tor is already running
retval=3
elif ls -l /run/tor/socket 2>/dev/null ; then
DBUG $prog tor is already running
retval=4
fi
tor_grep_log
return $retval
}
## gateway_tor_config_tor
gateway_tor_config_tor () {
gateway_tor_init_check_iptables || exit 2$?
gateway_tor_torrc
gateway_tor_init_config_gateway_conf
rm -f /usr/local/etc/torrc.d/*~
return $?
}
## tor_start_verify_config
tor_start_verify_config () {
# tor --verify-config # || exit 2$?
su -c 'tor --verify-config' -s /bin/sh $PRIV_TOR_OWNER \
| grep -v 'notice\|DisableNetwork'
# || exit 2
return 0
}
## tor_prepare_to_start
tor_prepare_to_start () {
#su -c '/etc/init.d/tor stop' -s /bin/sh $PRIV_TOR_OWNER
#sleep 5
[ -d /run/tor/ ] && rm -f /run/tor/* || mkdir /run/tor
# systemd overrides these
chown $PRIV_TOR_OWNER.$PRIV_TOR_OWNER /run/tor
chmod 0700 /run/tor/
gateway_tor_stop
# systemctl daemon-reload
rm -f /run/tor/log.err /tmp/log.err
rm -f /run/tor/log /tmp/log.log
rm -f /run/tor/tor.pid /tmp/log.pid
sed '/DisableNetwork/d' -i /usr/local/etc/torrc.d/50_user.conf
return 0
}
## tor_after_start
tor_after_start () {
[ -s /tmp/tor.err ] && ERROR $prog /tmp/tor.err && cat /tmp/tor.err && return 6
grep '\[warn\]' /tmp/tor.log
grep '\[err\]' /tmp/tor.log && ERROR $prog /tmp/tor.log && return 7
ls /run/tor/log* >/dev/null && \
sed -e '/configured a non-loopback address/d' -i /run/tor/log*
chmod 750 /run/tor/
chmod 640 /run/tor/log
INFO checked /tmp/tor.log /tmp/tor.err
INFO starting onion-grater
# systemctl start onion-grater
pidof /usr/lib/onion-grater || return 0
/usr/lib/onion-grater --listen-interface eth1 &
echo -n $! >/tmp/tog.pid
return 0
}
tor_grep_log () {
local log
[ -f /run/tor/log ] && log=/run/tor/log || log=/tmp/tor.log
[ -f $log ] || { WARN $prog $log not found ; return 1 ; }
INFO grep % $log
grep % $log | grep -v 5%
return 0
}
tor_test () {
tor_grep_log
tor_qemu_status || return 1$?
return 0
}
tor_qemu_status () {
local pid
pid=$( pidof /usr/sbin/qemu-ga )
[ $? -eq 0 -a -n "$pid" ] || \
{ WARN $prog qemu-qa not running; return 1 ; }
lsof -p $pid | grep -q /dev/v || \
{ WARN /usr/sbin/qemu-ga not bound to /dev ; return 1 ; }
return 0
}
tor_status () {
[ -f /tmp/tor.pid ] && \
[ $( wc -c /tmp/tor.pid|sed -e 's/ .*//' ) -le 1 ] && \
rm /tmp/tor.pid
if [ -f /tmp/tor.pid ]; then
ps -p "$( cat /tmp/tor.pid )"
elif [ -f /run/tor/tor.pid ] ; then
ps -p "$( cat /run/tor/tor.pid )"
else
WARN $prog no /tmp/tor.pid or /run/tor/tor.pid
fi
[ ! -f /usr/local/src/helper-scripts/tor_bootstrap_check.py ] || \
python3 /usr/local/src/helper-scripts/tor_bootstrap_check.py \
|| return 1
debian=$( grep -q ^$PRIV_TOR_OWNER /etc/passwd && echo $PRIV_TOR_OWNER || echo tor )
INFO $prog $debian processes:
ps -g $debian
tor_qemu_status || return 1$?
tor_start_not_running && return 2$?
# /usr/lib/helper-scripts/tor_circuit_established_check.py
return 0
}
gateway_tor_verify () {
tor_start_verify_config || return 1
return 0
}
gateway_tor_start () {
local debian
# Nov 09 21:00:27 host vanguards[715]: WARNING[Mon Nov 09 21:00:27 2020]: Tor daemon connection failed: [Errno 24] Too many open files. Trying again...
# debian-tor soft nofile 100000
# /etc/security/limits.conf
gateway_tor_config_tor || return 2$?
tor_start_not_running || return 3$?
gateway_tor_verify || return 4$?
tor_prepare_to_start
INFO startiing tor - see /tmp/tor.err /tmp/tor.log
#su -c '/etc/init.d/tor start' -s /bin/sh $PRIV_TOR_OWNER
#netstat -nlp -t inet | grep "$IP:9128" || systemctl --no-pager restart tor@default || return 4$?
su -c 'tor' -s /bin/sh $PRIV_TOR_OWNER 2>/tmp/tor.err >/tmp/tor.log &
echo -n $! >/tmp/tor.pid
sleep 15
tor_after_start
tor_status
return 0
}
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog "$USAGE"
elif [ "$d1#" = '--help' ] ; then
echo USAGE: $prog "$USAGE" or:
grep '^## ' $0 | sed -e 's/^## //'
## config
elif [ $1 = config ] ; then
INFO $prog $1
gateway_tor_config_tor || exit 1$?
## stop -
elif [ $1 = stop ] ; then
INFO $prog $1
gateway_tor_stop
exit $?
## status
elif [ $1 = status ] ; then
INFO $prog tor_status
tor_status || exit $?
exit 0
## start
elif [ "$1" = gateway -o "$1" = start ] ; then
INFO $prog tor_start
gateway_tor_start
exit $?
## restart
elif [ "$1" = restart ] ; then
INFO $prog tor_restart
gateway_tor_stop || exit 1$?
sleep 2
gateway_tor_start
exit $?
## verify
elif [ "$1" = verify ] ; then
tor_start_verify_config
elif [ "$1" = test ] ; then
tor_test
elif [ "$1" = '--help' -o "$1" = '-h' ] ; then
echo USAGE: $prog "$USAGE or:"
grep '^## ' $0 | sed -e 's/## //'
else
eval "$@" || exit $?
fi
exit 0

262
overlay/Linux/usr/local/sbin/proxy_whonix_guest_gateway.bash Executable file
View File

@ -0,0 +1,262 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
ROLE=proxy
CONN=guest
USAGE="[config|start|stop|test|verify]"
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash
. /usr/local/sbin/proxy_whonix_lib.bash || \
{ ERROR loading /usr/local/sbin/proxy_whonix_lib.bash ; exit 1; }
. /usr/local/sbin/proxy_whonix_gateway_tor.bash || \
{ ERROR loading /usr/local/sbin/proxy_whonix_gateway_tor.bash ; exit 2; }
. /usr/local/bin/usr_local_tput.bash || exit 3
NSL='nslookup -querytype=A'
NETS='netstat -nl4e'
SHARED_MNTS="o"
# ELTS="onion-grater" # these work and start normally
# sdwdate should be linked to NetManager and prevents logins if not connected
# well start tor ourselves
# we dont need vanguards
DISABLE_SERVICES="sdwdate tor vanguards"
DISABLE_X_SERVICES="rads sdwdate-gui-shutdown-notify tor-control-panel"
grep -q ' text ' /proc/cmdline && \
DISABLE_SERVICES="$DISABLE_X_SERVICES $DISABLE_SERVICES"
## proxy_gateway_fix_getty_timeout
proxy_gateway_fix_getty_timeout () {
# fix_getty_timeout - wheres inittab
grep -l '^Exec.*agetty -o' /lib/systemd/system/*service | while read file ; do
[ -f $file.dst ] && continue
cp -p $file $file.dst
sed -e 's/agetty -o/agetty -t 120 -o/' -i $file
done
return 0
}
## proxy_gateway_disable_rads
proxy_gateway_disable_rads () {
# rads is really hard to kill
if [ ! -f /etc/rads.d/50_default.conf ] ; then
sed /etc/rads.d/30_default.conf > /etc/rads.d/50_default.conf \
-e 's@rads_start_display_manager=1@rads_start_display_manager=0@' \
-e 's@rads_skip_ram_test=0rads_skip_ram_test=1@' \
-e 's@rads_wait=0@rads_wait=1@' \
-e 's@rads_wait_seconds=10@rads_wait_seconds=20@' \
-e 's@rads_debug=0@rads_debug=1@'
fi
return 0
}
## proxy_gateway_install_tor
proxy_gateway_install_tor () {
# fixme parameterize?
if [ ! -f /usr/local/etc/torrc.d/50_user.conf ] ; then
cat > /usr/local/etc/torrc.d/50_user.conf << EOF
Socks5ProxyUsername foo
Socks5ProxyPassword bar
SafeLogging 0
SocksPort 10.0.2.15:9050
DnsPort 10.0.2.15:9053
HTTPTunnelPort 10.0.2.15:9128
TransPort 10.0.2.15:9040
ControlSocket /run/tor/control
ControlSocketGroupWriteable 1
DisableNetwork 0
EOF
fi
return 0
}
## proxy_gateway__shutup_verbosity
proxy_gateway_shutup_verbosity () {
for file in /etc/issue* /etc/issue.d/* ; do
[ -f $file ] || continue
[ -s $file ] && cp /dev/null $file
done
return 0
}
## proxy_gateway_install_fstab
proxy_gateway_install_fstab () {
# /etc/fstab
options=noauto,rw,trans=virtio,version=9p2000.L,cache=none
for elt in $SHARED_MNTS ; do
[ -d /mnt/$elt ] || mkdir /mnt/$elt
grep -q /mnt/$elt /etc/fstab && continue
echo "$elt /mnt/$elt 9p $options 0 0" \
>> /etc/fstab
done
return 0
}
## proxy_gateway_install_gagent
proxy_gateway_install_gagent () {
[ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] || {
ERROR /dev/virtio-ports/org.qemu.guest_agent.0 not found
ERROR "check the host xml for <target type='virtio' name='org.qemu.guest_agent.0'/>"
ERROR "or blame Pottyring's systemd"
}
[ -x /usr/sbin/qemu-ga ] && return 0
# /mnt/shared/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb
if [ -f /var/cache/apt/archives/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb ] ; then
# /o/Cache/Apt/Debian/10.6/deb.debian.org/debian-security/pool/updates/main/q/qemu/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb
dpkg -i /var/cache/apt/archives/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb
fi
false && \
[ -f /lib/systemd/system/qemu-guest-agent.service ] && \
[ ! -h /etc/systemd/system/multi-user.target/qemu-guest-agent.service ] && \
ln -s /lib/systemd/system/qemu-guest-agent.service \
/etc/systemd/system/multi-user.target.wants
return 0
}
## proxy_gateway_disable_services
proxy_gateway_disable_services () {
[ -f /usr/local/etc/local.d/local.bash ] || \
{ ERROR loading /usr/local/etc/local.d/local.bash ; return 2; }
local_systemd_stop_and_mask $DISABLE_SERVICES
return 0
}
## proxy_gateway_test
proxy_gateway_test () {
proxy_whonix_test gateway
return 0
}
## proxy_gateway_config
proxy_gateway_config () {
grep '^nameserver 127.0.0.1' /etc/resolv.conf || \
echo 'nameserver 127.0.0.1' >> /etc/resolv.conf
proxy_gateway_disable_services || return 1$?
# /usr/local/sbin/proxy_whonix_gateway_tor.bash config || return 2$?
gateway_tor_verify || return 3$?
return 0
}
## proxy_gateway_config
proxy_gateway_config () {
local dire=gateway
local file
proxy_dest_port_wlan_config $dire || return 1$?
DEST=10.0.2.15
PORT=9053
[ -z "$PORT" -o -z "$DEST" ] && return 2
#? proxy_whonix_polipo_config $dire
proxy_ping_test_resolv $dire || return 4$?
proxy_whonix_dnsmasq_config $dire || return 5$?
return 0
}
## proxy_gateway_start_bg
proxy_gateway_start_bg () { proxy_gateway_start $* ; }
## proxy_gateway_start
proxy_gateway_start () {
proxy_gateway_config || return 1$?
proxy_whonix_guest_start gateway
proxy_ping_dnsmasq_status || \
proxy_ping_dnsmasq_start || return 2$?
/usr/local/sbin/proxy_whonix_gateway_tor.bash start || return 3$?
#? . gateway_tor_start
#? polipo
# dnsmasq
return 0
}
## proxy_gateway_stop
proxy_gateway_stop () {
gateway_tor_stop stop || return 3$?
return 0
}
## proxy_gateway_status
proxy_gateway_status () {
if [ -f /etc/ssh/sshd_config ] ; then
rc_service sshd status
else
WARN ssh not installed
fi
# tor_grep_log || return 2$?
tor_status
#? /usr/local/bin/proxy_ping_test.bash polipo || return 3$?
/usr/local/bin/proxy_ping_test.bash gateway || return 3$?
/usr/local/bin/proxy_ping_test.bash dns || return 4$?
return 0
}
## proxy_gateway_config
proxy_gateway_config () {
systemctl is-enabled rc.local || systemctl enable --now rc.local || return 1
# [ -f /etc/systemd/system/multi-user.target.wants/rc-local.service ] || \
# ln -s /lib/systemd/system/rc-local.service \
# /etc/systemd/system/multi-user.target.wants/rc-local.service
systemctl is-enabled tor || systemctl disable --now tor
tor_config_tor || return 1$?
return 0
}
proxy_gateway_verify () {
for elt in $( echo $USAGE | sed -e 's/|/ /' ) do ; grep ^$elt $0 ; done
tor_do_verify || return 1
return 0
}
## proxy_gateway_install
proxy_gateway_install () {
proxy_gateway_config || return 0
proxy_gateway_install_gagent
proxy_gateway_fix_getty_timeout
proxy_gateway_install_tor
proxy_gateway_shutup_verbosity
proxy_gateway_install_fstab
proxy_gateway_disable_rads
return 0
}
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $USAGE
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
echo USAGE: $prog $USAGE or:
grep '^## ' $0 | sed -e 's/^## //'
elif [ "$1" = config -o "$1" -o "$1" = install ] ; then
proxy_gateway_$1 || return 3$?
elif [ "$1" = verify -o "$1" = status -o "$1" = test_from -o "$1" = test ] ; then
proxy_gateway_$1 || return 4$?
elif [ "$1" = start_bg -o "$1" = start -o "$1" = stop ] ; then
proxy_gateway_$1 || return 5$?
else
INFO $prog "$@"
eval "$@"
exit $?
fi

161
overlay/Linux/usr/local/sbin/proxy_whonix_guest_vda.bash Executable file
View File

@ -0,0 +1,161 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
ROLE=proxy
MODE=vda
CONN=guest
USAGE="[config|start|stop|status|restart|verify|test]"
[ $( id -u ) -eq 0 ] || { ERROR you must be root ; exit 1 ; }
prog=$( basename $0 .bash )
export PATH=$PATH:/usr/local/sbin
. /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
NEEDED_SCRIPTS="
/usr/local/bin/proxy_ping_test.bash
/usr/local/sbin/proxy_whonix_gateway_tor.bash
"
. /usr/local/etc/local.d/local.bash || exit 1
. /usr/local/sbin/proxy_whonix_lib.bash || \
{ ERROR loading /usr/local/sbin/proxy_whonix_lib.bash ; exit 2; }
# vda does not need dnsmasq
# $DEST resolv.conf
## proxy_vda_stop
proxy_vda_stop () {
return 0
}
## tor_init_check_iptables
proxy_vda_init_check_iptables () {
# tor_init_check_iptables || return 1$?
return 0
}
## proxy_vda_config
proxy_vda_config () {
proxy_whonix_guest_config || return 1$?
[ -f /etc/firewall.conf.vda ] && \
cp -p /usr/local/etc/firewall.conf.vda /etc/firewall.conf.vda
proxy_guest_firewall_config || return 2$?
#/usr/local/sbin/proxy_whonix_guest_workstation-firewall.bash > \
# /etc/firewall.conf.ws.new
proxy_vda_whonix_config
return 0
}
## proxy_vda_verify
proxy_vda_verify () {
for elt in $(echo $USAGE | sed -e 's/|/ /') ; do grep ^$elt $0 ; done
return 0
}
proxy_vda_grep_logs () {
return 0
}
## proxy_vda_test
proxy_vda_test () {
proxy_whonix_test vda || return 3$?
return 0
}
## proxy_vda_status
proxy_vda_status () {
netstat -nle4 | grep -q 127.0.0.1:3128 >/dev/null || \
{ [ -n "$DEBUG" ] && WARN $0 polipo not running ; return 1 ; }
[ -n "$DEBUG" ] && DBUG $0 polipo running
/usr/local/bin/proxy_ping_test.bash vda
/usr/local/bin/proxy_ping_test.bash polipo
/usr/local/bin/proxy_ping_test.bash dns
return 0
}
## proxy_vda_whonix_start
proxy_vda_whonix_start () {
local dire=vda
local ret
#? proxy_whonix_guest_start
proxy_whonix_polipo_start $dire || \
{ ret=$? ;ERROR $prog polipo not running ret=$ret ; return 4$ret ; }
return 0
}
## proxy_vda_start
proxy_vda_start () {
# local_guest_start_services
local PROXY_WLAN_GW=10.152.152.10
local IP=10.152.152.11
grep -q gateway /etc//hosts || grep $PROXY_WLAN_GW gateway >> /etc//hosts
if ! ifconfig eth0 | grep -q $IP ; then
ifconfig eth0 $IP netmask 255.255.192.0 broadcast 10.152.191.255
#? inet $IP netmask 255.0.0.0 broadcast 10.255.255.255
fi
ip route | grep -q ^default || \
route add default gw $PROXY_WLAN_GW
# dnsmasq
echo nameserver $PROXY_WLAN_GW > /etc/resolv.conf
[ -f /etc/firewall.conf.vda ] || exit 2
if [ -f /etc/firewall.conf.vda -a ! -f /etc/firewall.conf ] ; then
cp -p /etc/firewall.conf.vda /etc/firewall.conf
proxy_iptables_restore < /etc/firewall.conf
elif ! diff -q /etc/firewall.conf.vda /etc/firewall.conf ; then
mv /etc/firewall.conf /etc/firewall.conf.bak
cp -p /etc/firewall.conf.vda /etc/firewall.conf
proxy_iptables -F; proxy_iptables_restore < /etc/firewall.conf
fi
proxy_iptables_save | grep -i reject || return 3
proxy_vda_whonix_start
return 0
}
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $USAGE
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
echo USAGE: $prog $USAGE or:
grep '^## ' $0 | sed -e 's/^## //'
elif [ "$1" = config -o "$1" = 'install' ] ; then
proxy_vda_config || exit 3$?
elif [ "$1" = verify -o "$1" = 'test' ] ; then
proxy_vda_$1 || exit 4$?
elif [ "$1" = update -o "$1" = 'start' -o "$1" = 'status' -o "$1" = 'stop' ] ; then
proxy_vda_$1 || exit 5$?
elif [ "$1" = hourly -o "$1" = 'refresh' ] ; then
proxy_vda_refresh || exit 6$?
else
eval "$@"
exit $?
fi
exit 0

624
overlay/Linux/usr/local/sbin/proxy_whonix_guest_workstation-firewall.bash Executable file
View File

@ -0,0 +1,624 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
prog=$( basename $0 .bash )
ROLE=proxy
MODE=all
iptables_cmd='echo iptables'
ip6tables_cmd='echo iptables >/dev/null'
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
#### meta start
#### project Whonix
#### category networking and firewall
#### description
## firewall script
#### meta end
## NOTE: If you make changes to this firewall, think about, if it would
## make sense to add the changes to Whonix-Gateway script as well.
## Some things like dropping invalid packages, should be shared.
## TODO:
## - Should allow unlimited TCP/UDP/IPv6 traffic on the virtual external interface (OnionCat / OpenVPN).
## source for some rules:
## http://www.cyberciti.biz/faq/ip6tables-ipv6-firewall-for-linux/
set -e
error_handler() {
echo "$0 ##################################################"
echo "$0 ERROR: Whonix firewall script failed!"
echo "$0 ##################################################"
exit 1
}
# trap "error_handler" ERR
init() {
output_cmd "OK: Loading Whonix firewall..."
set -o pipefail
set -o errtrace
}
source_config_folder() {
shopt -s nullglob
local i
for i in \
/etc/whonix_firewall.d/*.conf \
/usr/local/etc/whonix_firewall.d/*.conf \
; do
bash_n_exit_code="0"
bash_n_output="$(bash -n "$i" 2>&1)" || { bash_n_exit_code="$?" ; true; };
if [ ! "$bash_n_exit_code" = "0" ]; then
output_cmd "ERROR: Invalid config file: $i
bash_n_exit_code: $bash_n_exit_code
bash_n_output:
$bash_n_output" >&2
exit 1
fi
source "$i"
done
}
variables_defaults() {
[ -n "$iptables_cmd" ] || iptables_cmd="iptables --wait"
[ -n "$ip6tables_cmd" ] || ip6tables_cmd="ip6tables --wait"
## Legacy.
if [ "$VPN_FIREWALL" = "1" ]; then
TUNNEL_FIREWALL_ENABLE="true"
fi
## Not in use/defined yet.
## INT_IF could be the internal network.
## EXT_IF could be an additional virtual network adapter,
## such as OnionCat or OpenVPN.
## External interface
[ -n "$EXT_IF" ] || EXT_IF="eth0"
## Internal interface
[ -n "$INT_IF" ] || INT_IF="eth1"
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
## Would fail if netvm is set to 'none',
## which is the case in Qubes R4 TemplateVMs.
[ -n "$GATEWAY_IP" ] || GATEWAY_IP="$(qubesdb-read /qubes-gateway 2>/dev/null)" || GATEWAY_IP="127.0.0.1"
else
[ -n "$GATEWAY_IP" ] || GATEWAY_IP="10.152.152.10"
fi
## Since hardcoded in anon-ws-disable-stacked-tor.
[ -n "$GATEWAY_IP_HARDCODED" ] || GATEWAY_IP_HARDCODED="10.152.152.10"
[ -n "$TUNNEL_USER" ] || TUNNEL_USER="$(id -u tunnel 2>/dev/null)" || true
[ -n "$NOTUNNEL_USER" ] || NOTUNNEL_USER="$(id -u notunnel 2>/dev/null)" || true
[ -n "$UPDATESPROXYCHECK_USER" ] || UPDATESPROXYCHECK_USER="$(id -u updatesproxycheck 2>/dev/null)" || true
[ -n "$SDWDATE_USER" ] || SDWDATE_USER="$(id -u sdwdate 2>/dev/null)" || true
[ -n "$WHONIXCHECK_USER" ] || WHONIXCHECK_USER="$(id -u whonixcheck 2>/dev/null)" || true
[ -n "$TUNNEL_FIREWALL_ALLOW_NOTUNNEL_USER" ] || TUNNEL_FIREWALL_ALLOW_NOTUNNEL_USER="true"
## Control Port Filter Proxy Port
[ -n "$CONTROL_PORT_FILTER_PROXY_PORT" ] || CONTROL_PORT_FILTER_PROXY_PORT="9051"
[ -n "$qubes_updates_proxy_port" ] || qubes_updates_proxy_port="8082"
## Socks Ports for per application circuits.
[ -n "$SOCKS_PORT_TOR_DEFAULT" ] || SOCKS_PORT_TOR_DEFAULT="9050"
[ -n "$SOCKS_PORT_TB" ] || SOCKS_PORT_TB="9100"
[ -n "$SOCKS_PORT_IRC" ] || SOCKS_PORT_IRC="9101"
[ -n "$SOCKS_PORT_TORBIRDY" ] || SOCKS_PORT_TORBIRDY="9102"
[ -n "$SOCKS_PORT_IM" ] || SOCKS_PORT_IM="9103"
[ -n "$SOCKS_PORT_APT_GET" ] || SOCKS_PORT_APT_GET="9104"
[ -n "$SOCKS_PORT_GPG" ] || SOCKS_PORT_GPG="9105"
[ -n "$SOCKS_PORT_SSH" ] || SOCKS_PORT_SSH="9106"
[ -n "$SOCKS_PORT_GIT" ] || SOCKS_PORT_GIT="9107"
[ -n "$SOCKS_PORT_SDWDATE" ] || SOCKS_PORT_SDWDATE="9108"
[ -n "$SOCKS_PORT_WGET" ] || SOCKS_PORT_WGET="9109"
[ -n "$SOCKS_PORT_WHONIXCHECK" ] || SOCKS_PORT_WHONIXCHECK="9110"
[ -n "$SOCKS_PORT_BITCOIN" ] || SOCKS_PORT_BITCOIN="9111"
[ -n "$SOCKS_PORT_PRIVOXY" ] || SOCKS_PORT_PRIVOXY="9112"
[ -n "$SOCKS_PORT_POLIPO" ] || SOCKS_PORT_POLIPO="9113"
[ -n "$SOCKS_PORT_WHONIX_NEWS" ] || SOCKS_PORT_WHONIX_NEWS="9114"
[ -n "$SOCKS_PORT_TBB_DOWNLOAD" ] || SOCKS_PORT_TBB_DOWNLOAD="9115"
[ -n "$SOCKS_PORT_TBB_GPG" ] || SOCKS_PORT_TBB_GPG="9116"
[ -n "$SOCKS_PORT_CURL" ] || SOCKS_PORT_CURL="9117"
[ -n "$SOCKS_PORT_RSS" ] || SOCKS_PORT_RSS="9118"
[ -n "$SOCKS_PORT_TORCHAT" ] || SOCKS_PORT_TORCHAT="9119"
[ -n "$SOCKS_PORT_MIXMASTERUPDATE" ] || SOCKS_PORT_MIXMASTERUPDATE="9120"
[ -n "$SOCKS_PORT_MIXMASTER" ] || SOCKS_PORT_MIXMASTER="9121"
[ -n "$SOCKS_PORT_KDE" ] || SOCKS_PORT_KDE="9122"
[ -n "$SOCKS_PORT_GNOME" ] || SOCKS_PORT_GNOME="9123"
[ -n "$SOCKS_PORT_APTITUDE" ] || SOCKS_PORT_APTITUDE="9124"
[ -n "$SOCKS_PORT_YUM" ] || SOCKS_PORT_YUM="9125"
[ -n "$SOCKS_PORT_TBB_DEFAULT" ] || SOCKS_PORT_TBB_DEFAULT="9150"
socks_ports_list="$(compgen -v | grep SOCKS\_PORT\_)"
[ -n "$VPN_INTERFACE" ] || VPN_INTERFACE="tun0"
## Destinations you do not routed through VPN.
if [ "$LOCAL_NET" = "" ]; then
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
LOCAL_NET="\
127.0.0.0-127.0.0.24 \
10.137.0.0-10.138.255.255 \
"
else
## 10.0.2.2/24: VirtualBox DHCP
LOCAL_NET="\
127.0.0.0-127.0.0.24 \
192.168.0.0-192.168.0.24 \
192.168.1.0-192.168.1.24 \
10.152.152.0-10.152.152.24 \
10.0.2.2-10.0.2.24 \
"
fi
fi
}
ipv4_defaults() {
## Set secure defaults.
$iptables_cmd -P INPUT DROP
## FORWARD rules does not actually do anything if forwarding is disabled. Better be safe just in case.
$iptables_cmd -P FORWARD DROP
## Will be lifted below.
$iptables_cmd -P OUTPUT DROP
}
ipv4_preparation() {
## Flush old rules.
$iptables_cmd -F
$iptables_cmd -X
$iptables_cmd -t nat -F
$iptables_cmd -t nat -X
$iptables_cmd -t mangle -F
$iptables_cmd -t mangle -X
}
ipv4_drop_invalid_incoming_packages() {
## DROP MARTIANS
## https://www.cyberciti.biz/faq/linux-log-suspicious-martian-packets-un-routable-source-addresses/
$iptables_cmd -A INPUT -i wlan6 -s 10.0.0.0/8 -j LOG --log-prefix "iptables_martian_DROP SPOOF A: "
$iptables_cmd -A INPUT -i wlan6 -s 172.16.0.0/12 -j LOG --log-prefix "iptables_martian_DROP SPOOF B: "
$iptables_cmd -A INPUT -i wlan6 -s 192.168.0.0/16 -j LOG --log-prefix "iptables_martian_DROP SPOOF C: "
$iptables_cmd -A INPUT -i wlan6 -s 224.0.0.0/4 -j LOG --log-prefix "iptables_martian_DROP MULTICAST D: "
$iptables_cmd -A INPUT -i wlan6 -s 240.0.0.0/5 -j LOG --log-prefix "iptables_martian_DROP SPOOF E: "
$iptables_cmd -A INPUT -i wlan6 -d 127.0.0.0/8 -j LOG --log-prefix "iptables_martian_DROP LOOPBACK: "
$iptables_cmd -A INPUT -i wlan6 -s 10.0.0.0/8 -j DROP
$iptables_cmd -A INPUT -i wlan6 -s 172.16.0.0/12 -j DROP
$iptables_cmd -A INPUT -i wlan6 -s 192.168.0.0/16 -j DROP
$iptables_cmd -A INPUT -i wlan6 -s 224.0.0.0/4 -j DROP
$iptables_cmd -A INPUT -i wlan6 -s 240.0.0.0/5 -j DROP
$iptables_cmd -A INPUT -i wlan6 -d 127.0.0.0/8 -j DROP
## DROP INVALID
$iptables_cmd -A INPUT -m conntrack --ctstate INVALID -j DROP
$iptables_cmd -A INPUT -m state --state INVALID -j DROP
## DROP INVALID SYN PACKETS
$iptables_cmd -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$iptables_cmd -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$iptables_cmd -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
$iptables_cmd -A INPUT -f -j DROP
## DROP INCOMING MALFORMED XMAS PACKETS
$iptables_cmd -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
## DROP INCOMING MALFORMED NULL PACKETS
$iptables_cmd -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
}
qubes() {
## Not yet required. Just so Whonix-Workstation firewall can be more similar
## to Whonix-Gateway firewall.
true
}
qubes_dns() {
local counter
counter=0
## Using '2>/dev/null' because 'qubesdb-read' DNS would fail in Qubes R4
## TemplateVMs, because these are non-networked by default.
if qubes_primary_dns="$(qubesdb-read /qubes-primary-dns 2>/dev/null)" ; then
$iptables_cmd -A OUTPUT -p udp --dport 53 --dst "$qubes_primary_dns" -j ACCEPT
counter=$(( counter + 1 ))
fi
if qubes_secondary_dns="$(qubesdb-read /qubes-secondary-dns 2>/dev/null)" ; then
$iptables_cmd -A OUTPUT -p udp --dport 53 --dst "$qubes_secondary_dns" -j ACCEPT
counter=$(( counter + 1 ))
fi
if [ "$counter" -ge "2" ]; then
output_cmd "OK: Qubes DNS firewall rules ok."
else
$iptables_cmd -A OUTPUT -p udp --dport 53 -j ACCEPT
fi
}
ipv4_input_rules() {
## Traffic on the loopback interface is accepted.
$iptables_cmd -A INPUT -i lo -j ACCEPT
## Established incoming connections are accepted.
$iptables_cmd -A INPUT -m state --state ESTABLISHED -j ACCEPT
## Allow all incoming connections on the virtual VPN network interface,
## when TUNNEL_FIREWALL_ENABLE mode is enabled.
## DISABLED BY DEFAULT.
if [ "$TUNNEL_FIREWALL_ENABLE" = "true" ]; then
$iptables_cmd -A INPUT -i "$VPN_INTERFACE" -j ACCEPT
fi
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
true "firewall_mode is $firewall_mode, therefore not opening EXTERNAL_OPEN_PORTS."
else
local local_port_to_open
for local_port_to_open in $EXTERNAL_OPEN_PORTS; do
$iptables_cmd -A INPUT -p tcp --dport "$local_port_to_open" -j ACCEPT
done
local local_udp_port_to_open
for local_udp_port_to_open in $EXTERNAL_UDP_OPEN_PORTS; do
$iptables_cmd -A INPUT -p udp --dport "$local_udp_port_to_open" -j ACCEPT
done
if [ "$EXTERNAL_OPEN_ALL" = "true" ]; then
$iptables_cmd -A INPUT -j ACCEPT
fi
fi
}
ipv4_input_defaults() {
## Log.
#$iptables_cmd -A INPUT -j LOG --log-prefix "Whonix blocked input4: "
## Required for Control Port Filter Proxy Connection.
## https://phabricator.whonix.org/T112
$iptables_cmd -A INPUT -p tcp -j REJECT --reject-with tcp-reset
## Reject anything not explicitly allowed above.
$iptables_cmd -A INPUT -j REJECT --reject-with icmp-port-unreachable
}
ipv4_forward() {
## Log.
#$iptables_cmd -A FORWARD -j LOG --log-prefix "Whonix blocked forward4: "
$iptables_cmd -A FORWARD -j DROP
}
ipv4_reject_invalid_outgoing_packages() {
## Drop invalid outgoing packages,
## unless NO_REJECT_INVALID_OUTGOING_PACKAGES is set to 1.
if [ ! "$NO_REJECT_INVALID_OUTGOING_PACKAGES" = "1" ]; then
## https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html
$iptables_cmd -A OUTPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
$iptables_cmd -A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
#$iptables_cmd -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j REJECT --reject-with icmp-admin-prohibited
#$iptables_cmd -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j REJECT --reject-with icmp-admin-prohibited
## DROP INVALID SYN PACKETS
$iptables_cmd -A OUTPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j REJECT --reject-with icmp-admin-prohibited
$iptables_cmd -A OUTPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT --reject-with icmp-admin-prohibited
$iptables_cmd -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-admin-prohibited
## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
$iptables_cmd -A OUTPUT -f -j REJECT --reject-with icmp-admin-prohibited
## DROP INCOMING MALFORMED XMAS PACKETS
$iptables_cmd -A OUTPUT -p tcp --tcp-flags ALL ALL -j REJECT --reject-with icmp-admin-prohibited
## DROP INCOMING MALFORMED NULL PACKETS
$iptables_cmd -A OUTPUT -p tcp --tcp-flags ALL NONE -j REJECT --reject-with icmp-admin-prohibited
fi
}
qubes_updates_proxy() {
## Detect Qubes.
if ! command -v "qubesdb-read" >/dev/null 2>&1 ; then
return 0
fi
## Detect being run inside TemplateVM.
if [ ! -f "/run/qubes/this-is-templatevm" ]; then
return 0
fi
## Detect if torified Qubes updates proxy was detected.
if test -f "/run/qubes-service/whonix-secure-proxy" ; then
output_cmd "OK: Torified Qubes Updates Proxy check ok. Full access to Qubes Updates Proxy."
return 0
fi
output_cmd "OK: Torified Qubes Updates Proxy check not done yet. Limiting access to Qubes Updates Proxy to user 'updatesproxycheck'."
$iptables_cmd -A OUTPUT -m owner --uid-owner "$UPDATESPROXYCHECK_USER" -m iprange --dst-range "127.0.0.1" -p tcp --dport "$qubes_updates_proxy_port" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$UPDATESPROXYCHECK_USER" -m iprange --dst-range "10.137.255.254" -p tcp --dport "$qubes_updates_proxy_port" -j ACCEPT
$iptables_cmd -A OUTPUT -m iprange --dst-range "127.0.0.1" -p tcp --dport "$qubes_updates_proxy_port" -j REJECT --reject-with icmp-admin-prohibited
$iptables_cmd -A OUTPUT -m iprange --dst-range "10.137.255.254" -p tcp --dport "$qubes_updates_proxy_port" -j REJECT --reject-with icmp-admin-prohibited
}
ipv4_output() {
## Prevent connections to Tor SocksPorts.
## https://phabricator.whonix.org/T533#11025
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
local socks_port_item
for socks_port_item in $socks_ports_list; do
true "$socks_port_item: ${!socks_port_item}"
if [ "$SOCKS_PORT_SDWDATE" = "${!socks_port_item}" ]; then
continue
fi
$iptables_cmd -A OUTPUT -p tcp --dport "${!socks_port_item}" --dst "127.0.0.1" -j REJECT
done
fi
qubes_updates_proxy
## Access to localhost is required even in timesync-fail-closed mode,
## otherwise breaks applications such as konsole and kwrite.
$iptables_cmd -A OUTPUT -o lo -j ACCEPT
## Allow outgoing traffic on VPN interface,
## if TUNNEL_FIREWALL_ENABLE mode is enabled.
## DISABLED BY DEFAULT.
if [ "$TUNNEL_FIREWALL_ENABLE" = "true" ]; then
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
true "firewall_mode is $firewall_mode, therefore prohibiting user $TUNNEL_USER traffic."
else
true "firewall_mode is $firewall_mode, therefore allowing user $TUNNEL_USER traffic."
## Connections to VPN servers are allowed,
$iptables_cmd -A OUTPUT -o "$VPN_INTERFACE" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$TUNNEL_USER" -j ACCEPT
fi
if [ "$TUNNEL_FIREWALL_ALLOW_SDWDATE_USER" = "true" ]; then
$iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "$GATEWAY_IP" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "$GATEWAY_IP_HARDCODED" -j ACCEPT
fi
if [ "$TUNNEL_FIREWALL_ALLOW_NOTUNNEL_USER" = "true" ]; then
$iptables_cmd -A OUTPUT -m owner --uid-owner "$NOTUNNEL_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$NOTUNNEL_USER" -m iprange --dst-range "$GATEWAY_IP" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$NOTUNNEL_USER" -m iprange --dst-range "$GATEWAY_IP_HARDCODED" -j ACCEPT
fi
## Accept outgoing connections to local network.
if [ "$TUNNEL_FIREWALL_ALLOW_LOCAL_NET" = "true" ]; then
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
true
else
local local_net_item
for local_net_item in $LOCAL_NET; do
$iptables_cmd -A OUTPUT -m iprange --dst-range "$local_net_item" -j ACCEPT
done
fi
fi
if [ "$TUNNEL_FIREWALL_ALLOW_CONTROL_PORT_FILTER_PROXY" = "true" ]; then
$iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "127.0.0.1" -j ACCEPT
$iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "$GATEWAY_IP" -j ACCEPT
$iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "$GATEWAY_IP_HARDCODED" -j ACCEPT
fi
if [ "$TUNNEL_FIREWALL_ALLOW_TB_UPDATER" = "true" ]; then
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
true
else
local socks_port_tbb
for socks_port_tbb in $SOCKS_PORT_TBB_DOWNLOAD $SOCKS_PORT_TBB_GPG ; do
$iptables_cmd -A OUTPUT -p tcp --dport "$socks_port_tbb" --dst "$GATEWAY_IP" -j ACCEPT
$iptables_cmd -A OUTPUT -p tcp --dport "$socks_port_tbb" --dst "$GATEWAY_IP_HARDCODED" -j ACCEPT
done
fi
fi
if [ "$TUNNEL_FIREWALL_ALLOW_WHONIXCHECK" = "true" ]; then
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
true
else
$iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "$GATEWAY_IP" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "$GATEWAY_IP_HARDCODED" -j ACCEPT
fi
fi
else
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
true "firewall_mode is $firewall_mode, therefore prohibiting DNS traffic."
else
true "firewall_mode is $firewall_mode, therefore allowing DNS traffic."
## Allow Whonix-Workstation to query Whonix-Gateway for DNS.
$iptables_cmd -A OUTPUT -p udp --dport 53 --dst "$GATEWAY_IP" -j ACCEPT
$iptables_cmd -A OUTPUT -p udp --dport 53 --dst "$GATEWAY_IP_HARDCODED" -j ACCEPT
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
qubes_dns
fi
fi
## Not sure about the next one. UDP is not supported by Tor, why not
## block any outgoing UDP. Might have unwanted side effects when tunneling
## UDP over Tor.
## https://www.whonix.org/wiki/Tunnel_UDP_over_Tor
##
## All other non-TCP protocol traffic gets rejected.
## iptables knows 7 different protocols and all.
## (tcp, udp, udplite, icmp, esp, ah, sctp or all)
##
## (1) ping torproject.org
## 4 packets transmitted, 0 received, 100% packet loss, time 3000ms
##
## (2) ping torproject.org
## From 10.152.152.11 icmp_seq=1 Destination Port Unreachable
## 0 packets transmitted, 0 received, +100 errors
##
## The next rule ensures, that only tcp can leave and achieves the desired result from (2).
$iptables_cmd -A OUTPUT ! -p tcp -j REJECT --reject-with icmp-port-unreachable
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
true "firewall_mode is $firewall_mode, therefore prohibiting all outgoing traffic."
## Allow sdwdate talking to localhost and Tor in Whonix firewall timesync-fail-closed mode.
## Otherwise in Whonix firewall full mode this rule is redundant.
$iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "$GATEWAY_IP" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "$GATEWAY_IP_HARDCODED" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "$GATEWAY_IP" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "$GATEWAY_IP_HARDCODED" -j ACCEPT
$iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "127.0.0.1" -j ACCEPT
$iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "$GATEWAY_IP" -j ACCEPT
$iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "$GATEWAY_IP_HARDCODED" -j ACCEPT
else
true "firewall_mode is $firewall_mode, therefore allowing all outgoing traffic."
## Allow full outgoing connection but no incoming stuff.
$iptables_cmd -A OUTPUT -j ACCEPT
fi
## Log.
#$iptables_cmd -A OUTPUT -j LOG --log-prefix "Whonix blocked output4: "
## Reject all other outgoing traffic.
$iptables_cmd -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
fi
}
ipv6() {
## Policy DROP for all traffic as fallback.
$ip6tables_cmd -P INPUT DROP
$ip6tables_cmd -P OUTPUT DROP
$ip6tables_cmd -P FORWARD DROP
## Flush old rules.
$ip6tables_cmd -F
$ip6tables_cmd -X
$ip6tables_cmd -t mangle -F
$ip6tables_cmd -t mangle -X
## Allow unlimited access on loopback.
$ip6tables_cmd -A INPUT -i lo -j ACCEPT
$ip6tables_cmd -A OUTPUT -o lo -j ACCEPT
## Log.
#$ip6tables_cmd -A INPUT -j LOG --log-prefix "Whonix blocked input6: "
#$ip6tables_cmd -A OUTPUT -j LOG --log-prefix "Whonix blocked output6: "
#$ip6tables_cmd -A FORWARD -j LOG --log-prefix "Whonix blocked forward6: "
## Drop/reject all other traffic.
$ip6tables_cmd -A INPUT -j DROP
## --reject-with icmp-admin-prohibited not supported by ip6tables
$ip6tables_cmd -A OUTPUT -j REJECT --reject-with icmp6-port-unreachable
## --reject-with icmp-admin-prohibited not supported by ip6tables
$ip6tables_cmd -A FORWARD -j DROP
}
status_files() {
mkdir --parents /run/whonix_firewall
if [ -e /run/whonix_firewall/first_run_current_boot.status ]; then
touch /run/whonix_firewall/consecutive_run.status
return 0
fi
touch /run/whonix_firewall/first_run_current_boot.status
}
date_cmd(){
date -u +"%Y-%m-%d %T"
}
output_cmd() {
echo "$(date_cmd) - $0 - $@"
}
firewall_mode_detection() {
if [ ! "$firewall_mode" = "" ]; then
output_cmd "OK: Skipping firewall mode detection since already set to '$firewall_mode'."
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
output_cmd "OK: (Only local Tor control port connections and torified sdwdate allowed.)"
return 0
elif [ "$firewall_mode" = "full" ]; then
output_cmd "OK: (Full torified network access allowed.)"
return 0
else
output_cmd "ERROR: firewall_mode must be set to either 'full' or 'timesync-fail-closed'."
error_handler
fi
fi
## Run Whonix firewall in full mode if sdwdate already succeeded.
if [ -e /run/sdwdate/first_success ]; then
firewall_mode=full
output_cmd "OK: (/run/sdwdate/first_success exists.)"
elif [ -e /run/sdwdate/success ]; then
firewall_mode=full
output_cmd "OK: (/run/sdwdate/success exists.)"
## /run/whonix_firewall/first_run_current_boot.status already exists,
## therefore have Whonix firewall run in full mode.
elif [ -e /run/whonix_firewall/first_run_current_boot.status ]; then
firewall_mode=full
output_cmd "OK: (/run/whonix_firewall/first_run_current_boot.status exists.)"
else
## /run/whonix_firewall/first_run_current_boot.status does not yet exist,
## therefore return 'yes, timesync-fail-closed'.
firewall_mode=timesync-fail-closed
fi
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
output_cmd "OK: First run during current boot, therefore running in timesync-fail-closed mode."
output_cmd "OK: (Only local Tor control port connections and torified sdwdate allowed.)"
else
output_cmd "OK: Consecutive run during current boot, therefore running in full mode."
output_cmd "OK: (Full torified network access allowed.)"
fi
}
end() {
output_cmd "OK: Whonix firewall loaded."
exit 0
}
main() {
init
firewall_mode_detection
variables_defaults
ipv4_defaults
ipv4_preparation
ipv4_drop_invalid_incoming_packages
qubes
ipv4_input_rules
ipv4_input_defaults
ipv4_forward
ipv4_reject_invalid_outgoing_packages
ipv4_output
if [ -d /proc/sys/net/ipv6/ ]; then
ipv6
fi
status_files
end
}
if [ -x /usr/bin/basename ] && [ $( basename -- $0 ) = 'proxy_whonix_guest_workstation-firewall.bash' ] ; then
source_config_folder
iptables_cmd="echo iptables"
ip6tables_cmd="echo # ip6tables"
main
fi

195
overlay/Linux/usr/local/sbin/proxy_whonix_guest_workstation.bash Executable file
View File

@ -0,0 +1,195 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
ROLE=proxy
[ -n "$prog" ] || prog= # no qa
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash
USAGE="[config|start|stop|status|restart|test]"
SHARED_MNTS="o"
[ "$#" -eq 0 ] && set -- install
## proxy_workstation_fix_getty_timeout
proxy_workstation_fix_getty_timeout () {
# fix_getty_timeout - wheres inittab
grep -l '^Exec.*agetty -o' /lib/systemd/system/*service | while read file ; do
[ -f $file.dst ] && continue
cp -p $file $file.dst
sed -e 's/agetty -o/agetty -t 120 -o/' -i $file
done
return 0
}
## proxy_workstation__shutup_verbosity
proxy_workstation_shutup_verbosity () {
for file in /etc/issue* /etc/issue.d/* ; do
[ -f $file ] || continue
[ -s $file ] && cp /dev/null $file
done
return 0
}
## proxy_workstation_install_fstab
proxy_workstation_install_fstab () {
# /etc/fstab
options=noauto,rw,trans=virtio,version=9p2000.L,cache=none
for elt in $SHARED_MNTS ; do
[ -d /mnt/$elt ] || mkdir /mnt/$elt
grep -q /mnt/$elt /etc/fstab && continue
echo "$elt /mnt/$elt 9p $options 0 0" \
>> /etc/fstab
done
# root
return 0
}
## proxy_workstation_install_gagent
proxy_workstation_install_gagent () {
[ -d /etc/apt ] && proxy_workstation_install_gagent_debian || return 1$?
[ -d /etc/gentoo ] && proxy_workstation_install_gagent_gentoo || return 2$?
return 0
}
## proxy_workstation_install_gagent
proxy_workstation_install_gagent_gentoo () {
[ -x /usr/bin/qemu-ga -a -x /etc/init.d/qemu-guest-agent ] || \
emerge -vb app-emulation/qemu-guest-agent || return 1$?
return 0
}
## proxy_workstation_install_gagent
proxy_workstation_install_gagent_debian () {
[ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] || {
echo ERROR: /dev/virtio-ports/org.qemu.guest_agent.0 not found
ERROR "check the host xml for <target type='virtio' name='org.qemu.guest_agent.0'/>"
ERROR "or blame Pottyring's systemd"
}
[ -x /usr/sbin/qemu-ga ] && return 0
# /mnt/shared/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb
if [ -f /var/cache/apt/archives/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb ] ; then
dpkg -i /var/cache/apt/archives/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb
fi
# start guest-service - its failing on the device prerequisite
systemctl is-enabled qemu-guest-agent || systemctl enable --now qemu-guest-agent
false && \
[ -f /lib/systemd/system/qemu-guest-agent.service ] && \
[ ! -h /etc/systemd/system/multi-user.target/qemu-guest-agent.service ] && \
ln -s /lib/systemd/system/qemu-guest-agent.service \
/etc/systemd/system/multi-user.target.wants
return 0
}
## proxy_workstation_test
proxy_workstation_test () {
service qemu-guest-agent status >/dev/null || return 1$?
proxy_whonix_test ws || return 2$?
return 0
}
## proxy_workstation_config
proxy_workstation_config () {
proxy_whonix_guest_config || return 1$?
proxy_guest_firewall_config || return 2$?
proxy_ws_whonix_config ws || return 3$?
variables_defaults
[ -n "$GATEWAY_IP_HARDCODED" ] || GATEWAY_IP_HARDCODED="10.152.152.10"
## Control Port Filter Proxy Port
[ -n "$CONTROL_PORT_FILTER_PROXY_PORT" ] || CONTROL_PORT_FILTER_PROXY_PORT="9051"
[ -n "$SOCKS_PORT_TOR_DEFAULT" ] || SOCKS_PORT_TOR_DEFAULT="9050"
## Socks Ports for per application circuits.
[ -n "$SOCKS_PORT_TB" ] || SOCKS_PORT_TB="9100"
[ -n "$SOCKS_PORT_IRC" ] || SOCKS_PORT_IRC="9101"
[ -n "$SOCKS_PORT_TORBIRDY" ] || SOCKS_PORT_TORBIRDY="9102"
[ -n "$SOCKS_PORT_IM" ] || SOCKS_PORT_IM="9103"
[ -n "$SOCKS_PORT_APT_GET" ] || SOCKS_PORT_APT_GET="9104"
[ -n "$SOCKS_PORT_GPG" ] || SOCKS_PORT_GPG="9105"
[ -n "$SOCKS_PORT_SSH" ] || SOCKS_PORT_SSH="9106"
[ -n "$SOCKS_PORT_GIT" ] || SOCKS_PORT_GIT="9107"
[ -n "$SOCKS_PORT_SDWDATE" ] || SOCKS_PORT_SDWDATE="9108"
[ -n "$SOCKS_PORT_WGET" ] || SOCKS_PORT_WGET="9109"
[ -n "$SOCKS_PORT_WHONIXCHECK" ] || SOCKS_PORT_WHONIXCHECK="9110"
[ -n "$SOCKS_PORT_BITCOIN" ] || SOCKS_PORT_BITCOIN="9111"
[ -n "$SOCKS_PORT_PRIVOXY" ] || SOCKS_PORT_PRIVOXY="9112"
[ -n "$SOCKS_PORT_POLIPO" ] || SOCKS_PORT_POLIPO="9113"
[ -n "$SOCKS_PORT_WHONIX_NEWS" ] || SOCKS_PORT_WHONIX_NEWS="9114"
[ -n "$SOCKS_PORT_TBB_DOWNLOAD" ] || SOCKS_PORT_TBB_DOWNLOAD="9115"
[ -n "$SOCKS_PORT_TBB_GPG" ] || SOCKS_PORT_TBB_GPG="9116"
[ -n "$SOCKS_PORT_CURL" ] || SOCKS_PORT_CURL="9117"
[ -n "$SOCKS_PORT_RSS" ] || SOCKS_PORT_RSS="9118"
[ -n "$SOCKS_PORT_TORCHAT" ] || SOCKS_PORT_TORCHAT="9119"
[ -n "$SOCKS_PORT_MIXMASTERUPDATE" ] || SOCKS_PORT_MIXMASTERUPDATE="9120"
[ -n "$SOCKS_PORT_MIXMASTER" ] || SOCKS_PORT_MIXMASTER="9121"
[ -n "$SOCKS_PORT_KDE" ] || SOCKS_PORT_KDE="9122"
[ -n "$SOCKS_PORT_GNOME" ] || SOCKS_PORT_GNOME="9123"
[ -n "$SOCKS_PORT_APTITUDE" ] || SOCKS_PORT_APTITUDE="9124"
[ -n "$SOCKS_PORT_YUM" ] || SOCKS_PORT_YUM="9125"
[ -n "$SOCKS_PORT_TBB_DEFAULT" ] || SOCKS_PORT_TBB_DEFAULT="9150"
return 0
}
## proxy_workstation_start_bg
proxy_workstation_start_bg () { proxy_workstation_start $* ; }
## proxy_workstation_start
proxy_workstation_start () {
local dire=ws
proxy_workstation_config || return 1$?
proxy_whonix_guest_start
proxy_whonix_polipo_start $dire || \
{ ret=$? ;echo ERROR: $prog polipo not started ret=$ret; return 4$ret ; }
return 0
}
## proxy_workstation_stop
proxy_workstation_stop () {
service qemu-guest-agent status >/dev/null \
&& service qemu-guest-agent stop || return 2$?
return 0
}
## proxy_workstation_install
proxy_workstation_install () {
proxy_workstation_install_gagent
proxy_workstation_fix_getty_timeout
proxy_workstation_shutup_verbosity
proxy_workstation_install_fstab
return 0
}
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $USAGE
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
echo USAGE: $prog $USAGE or:
grep '^## ' $0 | sed -e 's/^## //'
elif [ "$1" = config -o "$1" = install ] ; then
proxy_workstation_install || return 3$?
elif [ "$1" = verify -o "$1" = test ] ; then
proxy_workstation_test || return 4$?
elif [ "$1" = start_bg -o "$1" = start -o "$1" = stop ] ; then
proxy_workstation_$1 || return 5$?
else
eval "$@"
exit $?
fi

769
overlay/Linux/usr/local/sbin/proxy_whonix_host-firewall.bash Executable file
View File

@ -0,0 +1,769 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/usr_local_base.bash || exit 2
VER=10
set -o pipefail || { ERROR use bash ; exit 1 ; } #! illegal option
. /usr/local/bin/proxy_ping_lib.bash || exit 2
# unlike the original script, this just generates the rules
# and writes the to an output file
OUT=/tmp/I4$$.iptables
cp /dev/null $OUT4
ip4_tables () {
# now unused
echo "$@" >> $OUT4
return 0
}
ip6_tables () {
[ -d /proc/sys/net/ipv6/ ] || return 0
echo "$@" >> $OUT6
return 0
}
. /usr/local/bin/proxy_ping_lib.bash || exit 2
# sysctl net.ipv4.conf.all.accept_redirects != 1 in /etc/sysctl.d/70_testforge_harden_lynis.conf
[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
# || { echo >&2 ERROR: $prog "$PREFIX/etc/testforge/testforge.bash" ; exit 3 ; }
if [ "$#" -eq 1 -a "$1" = test ] ; then
bash /usr/local/bin/proxy_ping_test.bash 2>&1| grep ' 0% packet loss' \
|| { echo ERROR: ping ; exit 4 ; }
exit 0
fi
#set -- -x
# leave empty for debugging
[ "$DEBUG" = "1" ] && HUSH="" || HUSH="#D#"
WHONIX_HOST=1
# leave it in anyway
LOCAL_TOR=1
if [ -f /etc/firewall.conf.block ] ; then
BLOCK_IPS=`cat /etc/firewall.conf.block`
else
BLOCK_IPS="37.191.192.147 51.79.22.22"
fi
NOW=$( date +%c )
PROXY_WLAN=$( proxy_get_if )
[ $? -eq 0 ] || { echo ERROR: " error getting device $?" ; exit 2 ; }
[ -n "$PROXY_WLAN" ] || { echo ERROR: " error getting device $PROXY_WLAN" ; exit 3 ; }
## External interface
[ -n "$WLAN_IF" ] || WLAN_IF="$PROXY_WLAN"
[ -n "$IP" ] && WLAN_NET=$( echo $IP|sed -e 's/\.[1-9][0-9]*$/.0/' )/24
[ -n "$PROXY_WLAN_GW" ] && PROXY_WLAN_GW=$( echo $IP|sed -e 's/\.[1-9][0-9]*$/.1/' )
[ -z "$PRIV_NTP_OWNER" ] && PRIV_NTP_OWNER=ntp
PRIV_NTP_GID=$( grep ^$PRIV_NTP_OWNER /etc/passwd|cut -d: -f 4 )
[ -z "$PRIV_TOR_OWNER" ] && PRIV_TOR_OWNER=tor
PRIV_TOR_GID=$( grep ^$PRIV_TOR_OWNER /etc/passwd|cut -d: -f 4 )
[ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
PRIV_BIN_GID=$( grep ^$PRIV_BIN_OWNER /etc/passwd|cut -d: -f 4 )
[ $LOCAL_TOR -ne 0 ] && CLEARNET_GIDS="$PRIV_BIN_GID $PRIV_TOR_GID" || CLEARNET_GIDS="$PRIV_BIN_GID"
[ -z "$PRIV_TOR_SOCKSPORT" ] && PRIV_TOR_SOCKSPORT=9050
[ -z "$PRIV_TOR_CONTROLPORT" ] && PRIV_TOR_CONTROLPORT=9051
[ -z "$PRIV_TOR_DNSSPORT" ] && PRIV_TOR_DNSSPORT=9053
[ -z "$PRIV_POLIPO_PROXYPORT" ] && PRIV_POLIPO_PROXYPORT=3128
[ -z "$PRIV_TOR_PROXYPORT" ] && PRIV_TOR_PROXYPORT=9128
[ -z "$PRIV_NAT_TRANSPORT" ] && PRIV_NAT_TRANSPORT="9040"
PRIV_NAT_TRANSHOST="$PROXY_WLAN"
SSH_SERVICE=22
BOOTPC_SERVICE=68
BOOTPS_SERVICE=67
[ -z "$PRIV_SERVICE_NTPPORT" ] && PRIV_SERVICE_NTPPORT=123
NETBIOSNS_SERVICE=137
NETBIOSDG_SERVICE=138
NETBIOSSS_SERVICE=139
WLAN_ALLOW_SERVICES="$PRIV_SERVICE_NTPPORT $BOOTPC_SERVICE $BOOTPS_SERVICE"
WLAN_DROP_SERVICES="$NETBIOSNS_SERVICE $NETBIOSDG_SERVICE $NETBIOSSS_SERVICE"
NAT_SERVICES_TO_LO_TCP=""
EXT_ALLOW_SERVICES_IN_TCP="$SSH_SERVICE $PRIV_TOR_PROXYPORT $PRIV_TOR_SOCKSPORT 7001"
EXT_ALLOW_SERVICES_IN_UDP="$PRIV_TOR_DNSSPORT"
# $PRIV_NAT_TRANSPORT
EXT_ALLOW_SERVICES_OUT_TCP="$SSH_SERVICE $PRIV_TOR_PROXYPORT $PRIV_TOR_SOCKSPORT 7001"
EXT_ALLOW_SERVICES_OUT_UDP="$PRIV_TOR_DNSSPORT"
EXT_VNET=virbr1
PRIV_WHONIX_EXTERNAL_NET="10.0.2.0/24"
# 10.152.152.10 gateway
# 10.152.152.11 work
# 10.16.238.0.0
INT_VNET=virbr2
# gateway is 10.152.152.10
PRIV_WHONIX_INTERNAL_NET=10.152.152.0/24
PRIVATE_NET="" # 192.168.1.0/24
## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
## unless VPN_FIREWALL mode is enabled. Enabled By DEFAULT.
VPN_FIREWALL="0"
LIBVIRT_FW=1 # 0 or 1 or 2
# I think this is still needed - dnsmasq is on 127:
LOCALHOST_DNS=1
HOST_ALLOW_INCOMING_ICMP=1
HOST_ALLOW_OUTGOING_ICMP=1
## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
## unless VPN_FIREWALL mode is enabled. Enabled By DEFAULT.
VPN_FIREWALL="0"
LIBVIRT_FW=1 # 0 or 1 or 2
#override
HOST_nat_TRANS="";PRIV_NAT_TRANSPORT="";PRIV_NAT_TRANSHOST=""
INFO "Loading Whonix firewall for $PROXY_WLAN IP=$IP LIBVIRT_FW=$LIBVIRT_FW"
if ifconfig -a | grep -q $EXT_VNET && proxy_virsh list | grep Whonix-Gateway ; then
# on the host - does this work?
ifconfig -a | grep -q inet # || ifconfig $EXT_VNET 10.0.2.2 up
HOST_WHONIX_GATE=1
fi
if ifconfig -a | grep -q $INT_VNET && proxy_virsh list | grep Whonix-Workstation ; then
# on the host
ifconfig -a | grep -q inet #? || ifconfig $INT_VNET 10.152.152.10 up
HOST_WHONIX_WORK=1
fi
HOST_WHONIX_GATE=1
HOST_WHONIX_WORK=1
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
###########################
## debugging
###########################
#set -x
###########################
## error_handler
###########################
error_handler() {
echo "##################################################"
echo "Whonix firewall script failed!" see $OUT4
echo "##################################################"
exit 1
}
#? trap "error_handler" ERR
###########################
## source config folder
###########################
shopt -s nullglob || exit 1
for i in /etc/whonix_firewall.d/*.conf /usr/local/etc/whonix_firewall.d/*.conf; do
bash_n_exit_code="0"
bash_n_output="$(bash -n "$i" 2>&1)" || { bash_n_exit_code="$?" ; true; };
if [ ! "$bash_n_exit_code" = "0" ]; then
ERROR "Invalid config file: $i
bash_n_exit_code: $bash_n_exit_code
bash_n_output:
$bash_n_output" >&2
exit 1
fi
source "$i"
done
###########################
## comments
###########################
## --reject-with
## http://ubuntuforums.org/showthread.php?p=12011099
## Set to icmp-admin-prohibited because icmp-port-unreachable caused
## confusion. icmp-port-unreachable looks like a bug while
## icmp-admin-prohibited hopefully makes clear it is by design.
###########################
## /usr/bin/whonix_firewall
###########################
###########################
## interfaces
###########################
INFO "Loading Whonix firewall for $WLAN_IF"
###########################
DBUG NON_TOR_GATEWAY
###########################
#me these defaults should be in the .conf files
## Destinations you do not routed through VPN, only for Whonix-Gateway.
## 10.0.2.2/24: VirtualBox DHCP
[ -n "$NON_TOR_GATEWAY" ] || NON_TOR_GATEWAY="$PRIVATE_NET $WLAN_NET $PRIV_WHONIX_INTERNAL_NET $PRIV_WHONIX_EXTERNAL_NET"
################
## VPN related #
################
## Space separated list of VPN servers,
## which Whonix-Gateway is allowed to connect to.
[ -n "$VPN_SERVERS" ] || VPN_SERVERS="198.252.153.26"
VPN_SERVERS=
[ -n "$VPN_INTERFACE" ] || VPN_INTERFACE="tun0"
VPN_INTERFACE=
## Destinations you do not routed through VPN, only for Whonix-Gateway.
## $PRIV_WHONIX_EXTERNAL_NET: VirtualBox DHCP
[ -n "$LOCAL_NET" ] || LOCAL_NET="$PRIVATE_NET $WLAN_NET $PRIV_WHONIX_INTERNAL_NET $PRIV_WHONIX_EXTERNAL_NET"
###########################
DBUG IPv4 DEFAULTS
###########################
lsmod | grep -q iptable_filter || modprobe iptable_filter
###########################
DBUG IPv4 PREPARATIONS
###########################
# FixMe: nf or xt?
lsmod | grep -q nf_nat || modprobe nf_nat
lsmod | grep -q iptable_filter || modprobe iptable_filter
lsmod | grep -q iptable_mangle || modprobe iptable_mangle
## Flush old rules. We now let the caller do that when it uses the rules
# mangle comes before filter, before nat
# iptables -t mangle -F
# iptables -t mangle -X
# iptables -t filter -F
# iptables -t filter -X
# iptables -t nat -F
# iptables -t nat -X
DBUG MANGLE COMES BEFORE FILTER
cat >> $OUT4 << EOF
# -*-mode: conf[Space]; tab-width: 8; coding: utf-8-unix -*-
# firewall.bash.libvirt.$VER
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
EOF
[ $LIBVIRT_FW -ge 1 ] && \
cat >> $OUT4 << EOF
:LIBVIRT_PRT - [0:0]
${HUSH}-A INPUT -j LOG --log-prefix "iptables_mangle_END-i: " --log-uid
EOF
cat >> $OUT4 << EOF
COMMIT
EOF
cat >> $OUT4 << EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
EOF
cat >> $OUT4 << EOF
:LIBVIRT_PRT - [0:0]
EOF
# iptables: No chain/target/match by that name.
false && \
[ $LOCALHOST_DNS -gt 0 ] && \
cat >> $OUT4 << EOF
# was ! -o lo
# let resolve.conf redirect to lo - this rule cannot be removed
#-A OUTPUT -o $WLAN_IF -p tcp --dport $PRIV_SERVICE_DNSPORT -j DNAT --to-destination 127.0.0.1:$PRIV_SERVICE_DNSPORT
#-A OUTPUT -o $WLAN_IF -p udp --dport $PRIV_SERVICE_DNSPORT -j DNAT --to-destination 127.0.0.1:$PRIV_SERVICE_DNSPORT
EOF
#?
for elt in $NAT_SERVICES_TO_LO_TCP ; do
cat >> $OUT4 << EOF
-A OUTPUT ! -o lo -p tcp --dport $PRIV_SERVICE_DNSPORT -j DNAT --to-destination 127.0.0.1:$elt
EOF
done
if [ $LOCAL_TOR -ne 0 -a "$PRIV_NAT_TRANSPORT" != "" -a "$PRIV_NAT_TRANSHOST" != "" -a "$PRIV_NAT_VIRTUAL_NET" != "" ] ; then
NO=""
else
NO="#"
fi
cat >> $OUT4 << EOF
# .onion mapped addresses redirection to Tor.
${NO}-A OUTPUT -d $PRIV_NAT_VIRTUAL_NET -p tcp -j DNAT --to-destination ${PRIV_NAT_TRANSHOST}:$PRIV_NAT_TRANSPORT
EOF
if [ -n "$HOST_nat_TRANS" -a "$PRIV_NAT_TRANSPORT" != "" -a "$PRIV_NAT_TRANSHOST" != "" ] ; then
cat >> $OUT4 << EOF
# nat REDIRECT ALL REMAINING TCP TRAFFIC TO TOR.
# was ! -o lo
-A OUTPUT -o $WLAN_IF -j LOG --log-uid --log-prefix "iptables_nat_TRANS: "
-A OUTPUT -o $WLAN_IF -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DNAT --to-destination ${PRIV_NAT_TRANSHOST}:$PRIV_NAT_TRANSPORT
EOF
fi
cat >> $OUT4 << EOF
## Log.
${HUSH}-A INPUT -j LOG --log-prefix "iptables_nat_END-i: " --log-uid
EOF
lsmod | grep -q nft_masq || modprobe nft_masq
#4 lsmod | grep -q xt_MASQUERADE|| modprobe xt_MASQUERADE
[ $LIBVIRT_FW -ge 1 ] && \
cat >> $OUT4 << EOF
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s $PRIV_WHONIX_EXTERNAL_NET -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s $PRIV_WHONIX_EXTERNAL_NET -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s $PRIV_WHONIX_EXTERNAL_NET ! -d $PRIV_WHONIX_EXTERNAL_NET -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s $PRIV_WHONIX_EXTERNAL_NET ! -d $PRIV_WHONIX_EXTERNAL_NET -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s $PRIV_WHONIX_EXTERNAL_NET ! -d $PRIV_WHONIX_EXTERNAL_NET -j MASQUERADE
EOF
cat >> $OUT4 << EOF
COMMIT
EOF
lsmod | grep -q nf_conntrack || modprobe nf_conntrack
lsmod | grep -q xt_state || modprobe xt_state
cat >> $OUT4 << EOF
# SET SECURE DEFAULTS FOR INPUT FILTER
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
EOF
[ $LIBVIRT_FW -ge 1 ] && \
cat >> $OUT4 << EOF
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
${HUSH}-A INPUT -j LOG --log-prefix "iptables_filter_BEGIN-i: firewall.bash.libvirt.$VER" --log-uid
# blocks wlan
EOF
for elt in $BLOCK_IPS ; do
cat >> $OUT4 << EOF
-A INPUT -s $elt -p tcp -j DROP
EOF
done
DBUG IPv4 DROP INVALID INCOMING PACKAGES
cat >> $OUT4 << EOF
## DROP MARTIANS
## https://www.cyberciti.biz/faq/linux-log-suspicious-martian-packets-un-routable-source-addresses/
-A INPUT -i $WLAN_IF -s 10.0.0.0/8 -j LOG --log-prefix "iptables_martian_DROP SPOOF A: "
-A INPUT -i $WLAN_IF -s 172.16.0.0/12 -j LOG --log-prefix "iptables_martian_DROP SPOOF B: "
-A INPUT -i $WLAN_IF -s 192.168.0.0/16 -j LOG --log-prefix "iptables_martian_DROP SPOOF C: "
-A INPUT -i $WLAN_IF -s 224.0.0.0/4 -j LOG --log-prefix "iptables_martian_DROP MULTICAST D: "
-A INPUT -i $WLAN_IF -s 240.0.0.0/5 -j LOG --log-prefix "iptables_martian_DROP SPOOF E: "
-A INPUT -i $WLAN_IF -d 127.0.0.0/8 -j LOG --log-prefix "iptables_martian_DROP LOOPBACK: "
-A INPUT -i $WLAN_IF -s 10.0.0.0/8 -j DROP
-A INPUT -i $WLAN_IF -s 172.16.0.0/12 -j DROP
-A INPUT -i $WLAN_IF -s 192.168.0.0/16 -j DROP
-A INPUT -i $WLAN_IF -s 224.0.0.0/4 -j DROP
-A INPUT -i $WLAN_IF -s 240.0.0.0/5 -j DROP
-A INPUT -i $WLAN_IF -d 127.0.0.0/8 -j DROP
## DROP INVALID
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m state --state INVALID -j DROP
## DROP INVALID SYN PACKETS
-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
-A INPUT -f -j DROP
## DROP INCOMING MALFORMED XMAS PACKETS
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
## DROP INCOMING MALFORMED NULL PACKETS
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
EOF
cat >> $OUT4 << EOF
## Traffic on the loopback interface is accepted.
-A INPUT -i lo -j ACCEPT
## Established incoming connections are accepted.
-A INPUT -m state --state ESTABLISHED -j ACCEPT
EOF
## All incoming connections are dropped by default anyway, but should a user
## allow incoming ports (such as for incoming SSH or FlashProxy), ICMP should
## still be dropped to filter for example ICMP time stamp requests.
if [ "$HOST_ALLOW_INCOMING_ICMP" != "1" ]; then
DBUG Drop all incoming ICMP traffic by default.
cat >> $OUT4 << EOF
-A INPUT -i $WLAN_IF -p icmp -j LOG --log-prefix "IPTABLES_icmp_DROP-i: " --log-uid
-A INPUT -i $WLAN_IF -p icmp -j DROP
EOF
else
DBUG Accept all incoming ICMP traffic by default.
cat >> $OUT4 << EOF
### this is required for outgoing pings
-A INPUT -i $WLAN_IF -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
-A INPUT -i $WLAN_IF -p icmp -j ACCEPT
EOF
fi
## Allow all incoming connections on the virtual VPN network interface,
## when VPN_FIREWALL mode is enabled. DISABLED BY DEFAULT.
if [ "$VPN_FIREWALL" = "1" ]; then
cat >> $OUT4 << EOF
-A INPUT -i "$VPN_INTERFACE" -j ACCEPT
EOF
fi
#root@Flati:# su -c '/usr/sbin/ntpdate 132.163.97.3' -s /bin/sh ntp
#12 Nov 21:39:14 ntpdate[4085]: bind() fails: Permission denied
#root@Flati:# ls -l `which ntpdate`
#-rwxr-sr-x 1 root ntp 85016 Jun 29 17:18 /usr/sbin/ntpdate
lsmod | grep -q xt_owner || modprobe xt_owner
cat >> $OUT4 << EOF
# these are NOT needed
#!-A INPUT -i $WLAN_IF -m owner --gid-owner $PRIV_NTP_GID -p udp --sport $PRIV_SERVICE_NTPPORT -j LOG --log-uid --log-prefix "iptables_${PRIV_SERVICE_NTPPORT}_ACCEPT-o: "
#!-A INPUT -i $WLAN_IF -m owner --gid-owner $PRIV_NTP_GID -p udp --sport $PRIV_SERVICE_NTPPORT -j ACCEPT
#!-A INPUT -i $WLAN_IF -m owner --uid-owner 0 -p udp --sport $PRIV_SERVICE_NTPPORT -j LOG --log-uid --log-prefix "iptables_${PRIV_SERVICE_NTPPORT}_ACCEPT-o: "
#!-A INPUT -i $WLAN_IF -m owner --uid-owner 0 -p udp --sport $PRIV_SERVICE_NTPPORT -j ACCEPT
EOF
DBUG clearnet gids is allowed to connect any outside target $CLEARNET_GIDS
for elt in $CLEARNET_GIDS ; do
cat >> $OUT4 << EOF
# these are NOT needed
#!-A INPUT -i $WLAN_IF -p tcp -m owner --gid-owner $elt -j ACCEPT
EOF
done
cat >> $OUT4 << EOF
#?# let dhcp through?
#?-A INPUT -p udp --sport $BOOTPC_SERVICE -j ACCEPT
#?-A INPUT -p udp --sport $BOOTPS_SERVICE -j ACCEPT
EOF
# was ACCEPT - try DROP - should be up in mangle as REJECT?
for elt in $WLAN_DROP_SERVICES ; do
cat >> $OUT4 << EOF
-A INPUT -i $WLAN_IF -p udp --sport $elt -j DROP
EOF
done
if [ "$HOST_ALLOW_INCOMING_ICMP" != "1" ]; then
DBUG Drop all incoming ICMP traffic by default.
cat >> $OUT4 << EOF
-A INPUT -i $EXT_VNET -p icmp -j LOG --log-prefix "IPTABLES_icmp_DROP-i: " --log-uid
-A INPUT -i $EXT_VNET -p icmp -j DROP
EOF
else
DBUG Accept all incoming ICMP traffic by default.
cat >> $OUT4 << EOF
### this is required for outgoing pings
-A INPUT -i $EXT_VNET -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
-A INPUT -i $EXT_VNET -p icmp -j ACCEPT
EOF
fi
DBUG use the gateway as a proxy box, including ssh INPUT
# works -i virbr1 and -sport not -dport
# -A INPUT -i virbr1 -p tcp --sport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-i: "
for elt in $EXT_ALLOW_SERVICES_IN_TCP ; do
cat >> $OUT4 << EOF
-A INPUT -i $EXT_VNET -p tcp --sport $elt -j LOG --log-uid --log-prefix "iptables_${elt}_ACCEPT-i: "
-A INPUT -i $EXT_VNET -p tcp --sport $elt -j ACCEPT
EOF
done
for elt in $EXT_ALLOW_SERVICES_IN_UDP ; do
cat >> $OUT4 << EOF
-A INPUT -i $EXT_VNET -p udp --sport $elt -j LOG --log-uid --log-prefix "iptables_${elt}_ACCEPT-i: "
-A INPUT -i $EXT_VNET -p udp --sport $elt -j ACCEPT
EOF
done
## Reject anything not explicitly allowed above.
## Drop is better than reject here, because we do not want to reveal it's a Whonix-Gateway.
## (In case someone running Whonix-Gateway on bare metal.)
cat >> $OUT4 << EOF
-A INPUT -j LOG --log-prefix "IPTABLES_filter_DROP-i: " --log-uid
-A INPUT -j DROP
EOF
# FixMe: DROP?
[ may = be ] && \
cat >> $OUT4 << EOF
#?-A FORWARD -j LOG --log-prefix "IPTABLES_forward_DROP-i: " --log-uid
#?-A FORWARD -j REJECT --reject-with icmp-admin-prohibited
EOF
[ $LIBVIRT_FW -ge 1 ] && \
cat >> $OUT4 << EOF
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
EOF
###########################
## IPv4 OUTPUT
###########################
cat >> $OUT4 << EOF
## Traffic on the loopback interface is accepted.
-A OUTPUT -o lo -j ACCEPT
## Existing connections are accepted.
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
EOF
## Allow outgoing traffic on VPN interface,
## if VPN_FIREWALL mode is enabled.
## DISABLED BY DEFAULT.
if [ "$VPN_FIREWALL" = "1" ]; then
cat >> $OUT4 << EOF
-A OUTPUT -o "$VPN_INTERFACE" -j ACCEPT
EOF
fi
## Connections to VPN servers are allowed,
## when VPN_FIREWALL mode is enabled.
## DISABLED BY DEFAULT.
if [ "$VPN_FIREWALL" = "1" ]; then
for SERVER in $VPN_SERVERS; do
cat >> $OUT4 << EOF
-A OUTPUT -d $SERVER -j ACCEPT
EOF
done
fi
## Drop all incoming ICMP traffic by default.
## All incoming connections are dropped by default anyway, but should a user
## allow incoming ports (such as for incoming SSH or FlashProxy), ICMP should
## still be dropped to filter for example ICMP time stamp requests.
if [ "$HOST_ALLOW_OUTGOING_ICMP" != "1" ]; then
DBUG Drop all outcoming ICMP traffic by default.
cat >> $OUT4 << EOF
-A OUTPUT -o $WLAN_IF -p icmp -j LOG --log-prefix "IPTABLES_icmp_DROP-o: " --log-uid
-A OUTPUT -o $WLAN_IF -p icmp -j DROP
EOF
else
DBUG Accept all outcoming ICMP traffic by default.
cat >> $OUT4 << EOF
-A OUTPUT -o $WLAN_IF -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
-A OUTPUT -o $WLAN_IF -p icmp -j ACCEPT
EOF
fi
## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
## unless VPN_FIREWALL mode is enabled. ENABLED BY DEFAULT.
#? WHY?!
if [ "$VPN_FIREWALL" != "1" ]; then
for NET in $NON_TOR_GATEWAY; do
cat >> $OUT4 << EOF
#?-A OUTPUT -d $NET -j ACCEPT
EOF
done
fi
# required sufficient works - not for user ntp
[ -n "$PRIV_NTP_GID" ] && \
cat >> $OUT4 << EOF
# The ntp user is allowed to connect to services listening on the ntp port...
# If root runs ntpdate manually you will see requests to port 53 UID=0
-A OUTPUT -o $WLAN_IF -m owner --gid-owner $PRIV_NTP_GID -p udp --dport $PRIV_SERVICE_NTPPORT -j LOG --log-uid --log-prefix "iptables_${PRIV_SERVICE_NTPPORT}_ACCEPT-o: "
-A OUTPUT -o $WLAN_IF -m owner --gid-owner $PRIV_NTP_GID -p udp --dport $PRIV_SERVICE_NTPPORT -j ACCEPT
-A OUTPUT -o $WLAN_IF -m owner --uid-owner 0 -p udp --dport $PRIV_SERVICE_NTPPORT -j LOG --log-uid --log-prefix "iptables_${PRIV_SERVICE_NTPPORT}_ACCEPT-o: "
-A OUTPUT -o $WLAN_IF -m owner --uid-owner 0 -p udp --dport $PRIV_SERVICE_NTPPORT -j ACCEPT
EOF
cat >> $OUT4 << EOF
# ssh - specifically forbid ssh out the wlan
-A OUTPUT -o $WLAN_IF -p tcp --dport $SSH_SERVICE -j LOG --log-uid --log-prefix "IPTABLES_ssh_REJECT-o: "
-A OUTPUT -o $WLAN_IF -p tcp --dport $SSH_SERVICE -j REJECT --reject-with icmp-port-unreachable
EOF
DBUG clearnet gids is allowed to connect any outside target $CLEARNET_GIDS
for elt in $CLEARNET_GIDS ; do
cat >> $OUT4 << EOF
# necessary and sufficient
-A OUTPUT -o $WLAN_IF -m owner --gid-owner $elt -j ACCEPT
EOF
done
if [ "$HOST_ALLOW_OUTGOING_ICMP" == "1" ]; then
cat >> $OUT4 << EOF
-A OUTPUT -o $EXT_VNET -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
-A OUTPUT -o $EXT_VNET -p icmp -j ACCEPT
EOF
fi
DBUG use the gateway as a proxy box, including ssh OUTPUT host to guest
# works -i virbr1 and -sport not -dport
# -A INPUT -i virbr1 -p tcp --sport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-i: "
for elt in $EXT_ALLOW_SERVICES_OUT_TCP ; do
cat >> $OUT4 << EOF
-A OUTPUT -o $EXT_VNET -p tcp --dport $elt -j LOG --log-uid --log-prefix "iptables_${elt}_ACCEPT-o: "
-A OUTPUT -o $EXT_VNET -p tcp --dport $elt -j ACCEPT
EOF
done
for elt in $EXT_ALLOW_SERVICES_OUT_UDP ; do
cat >> $OUT4 << EOF
-A OUTPUT -o $EXT_VNET -p udp --dport $elt -j LOG --log-uid --log-prefix "iptables_${elt}_ACCEPT-o: "
-A OUTPUT -o $EXT_VNET -p udp --dport $elt -j ACCEPT
EOF
done
cat >> $OUT4 << EOF
#??-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j RETURN
#?-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
EOF
if [ $LIBVIRT_FW -ge 1 ] ; then
cat >> $OUT4 << EOF
-A OUTPUT -j LIBVIRT_OUT
# block virbr1
EOF
for elt in $BLOCK_IPS ; do
cat >> $OUT4 << EOF
-A LIBVIRT_FWI -s $elt -p tcp -j DROP
EOF
done
cat >> $OUT4 << EOF
-A LIBVIRT_FWI -o $EXT_VNET -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
-A LIBVIRT_FWI -o $INT_VNET -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d $PRIV_WHONIX_EXTERNAL_NET -o $EXT_VNET -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o $EXT_VNET -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
#blocks
-A LIBVIRT_FWI -o $EXT_VNET -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i $INT_VNET -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
-A LIBVIRT_FWO -i $INT_VNET -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s $PRIV_WHONIX_EXTERNAL_NET -i $EXT_VNET -j ACCEPT
-A LIBVIRT_FWO -i $EXT_VNET -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
-A LIBVIRT_FWO -i $EXT_VNET -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i $INT_VNET -o $INT_VNET -j ACCEPT
-A LIBVIRT_FWX -i $EXT_VNET -o $EXT_VNET -j ACCEPT
# FixMe: sic this is what libvirt did -i --dport
# FixMe: I will disable them as I dont think theyre needed or wanted
#no -A LIBVIRT_INP -i $INT_VNET -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i $INT_VNET -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i $INT_VNET -p udp --dport 67 -j ACCEPT
#no -A LIBVIRT_INP -i $INT_VNET -p tcp --dport 67 -j ACCEPT
#no
#no # FixMe:sic this is what libvirt did -i --dport
#no -A LIBVIRT_INP -i $EXT_VNET -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i $EXT_VNET -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i $EXT_VNET -p udp --dport 67 -j ACCEPT
#no -A LIBVIRT_INP -i $EXT_VNET -p tcp --dport 67 -j ACCEPT
#no
#no -A LIBVIRT_OUT -o $INT_VNET -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o $INT_VNET -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o $INT_VNET -p udp --dport 68 -j ACCEPT
#no -A LIBVIRT_OUT -o $INT_VNET -p tcp --dport 68 -j ACCEPT
#no
#no -A LIBVIRT_OUT -o $EXT_VNET -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o $EXT_VNET -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o $EXT_VNET -p udp --dport 68 -j ACCEPT
#no -A LIBVIRT_OUT -o $EXT_VNET -p tcp --dport 68 -j ACCEPT
EOF
fi
cat >> $OUT4 << EOF
# added
-A LIBVIRT_FWX -o $EXT_VNET -s 10.0.2.2 -d 10.0.2.15 -j ACCEPT
${HUSH}-A OUTPUT -j LOG --log-uid --log-prefix "IPTABLES_filter_DROP-o: "
${HUSH}-A OUTPUT -j DROP
EOF
cat >> $OUT4 << EOF
COMMIT
# Generated $NOW
EOF
# IPV6
if [ ! -e /proc/net/if_inet6 ] ; then
[ -f /etc/sysctl.d/70_testforge_harden_lynis.conf ] && \
sed -i -e 's/^net.ipv6.conf/#net.ipv6.conf/' /etc/sysctl.d/70_testforge_harden_lynis.conf
else
# nft_reject nft_reject_inet nf_reject_ipv4 nft_reject_ipv4 ipt_REJECT
for elt in nf_reject_ipv6 nft_reject_ipv6 ip6t_REJECT ; do
lsmod | grep -q $elt || modprobe $elt
done
sed -i -e 's/^#net.ipv6.conf/net.ipv6.conf/' /etc/sysctl.d/70_testforge_harden_lynis.conf
# ACTIVE
## Log.
proxy_ip6tables -A INPUT -j LOG --log-prefix "IPTABLES_Whonix blocked input6: "
proxy_ip6tables -A OUTPUT -j LOG --log-prefix "IPTABLES_Whonix blocked output6: "
proxy_ip6tables -A FORWARD -j LOG --log-prefix "IPTABLES_Whonix blocked forward6: "
## Drop/reject all other traffic.
proxy_ip6tables -A INPUT -j DROP
#### --reject-with icmp-admin-prohibited not supported by proxy_ip6tables
proxy_ip6tables -A OUTPUT -j REJECT
## --reject-with icmp-admin-prohibited not supported by proxy_ip6tables
proxy_ip6tables -A FORWARD -j REJECT
fi
###########################
## End
###########################
proxy_iptables_restore -tv < $OUT4 >/tmp/I$$.log 2>&1
retval=$?
if [ $retval -ne 0 ] ;then
ERROR "$prog firewall - $retval see /tmp/I$$.log"
exit $retval
fi
echo "# Whonix firewall for wlan=$PROXY_WLAN LIBVIRT_FW=$LIBVIRT_FW" >> $OUT4
if [ `id -u` -eq 0 ] && ls /etc/sysctl.d/*.conf 2>/dev/null >/dev/null; then
# hardcore
sed -i \
-e 's/forward = 0/forward = 1 ##libvirt/' \
-e 's/forwarding = 0/forwarding = 1 ##libvirt/' \
/etc/sysctl.d/*.conf
grep -l forward /etc/sysctl.d/*f | xargs sysctl -p | grep forward >/dev/null
fi
# mv $OUT4 /etc/firewall.conf.new || { echo ERROR: ; exit 9 ; }
INFO "OK Whonix firewall - mv $OUT4 /etc/firewall.conf.new"
exit 0

534
overlay/Linux/usr/local/sbin/proxy_whonix_host.bash Executable file
View File

@ -0,0 +1,534 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
. /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
ROLE=proxy
DELAY=10
prog=proxy_whonix_host
PL=$PREFIX/bin/proxy_libvirt_lib.bash
USAGE="config|from_tor|to_tor|start|status|test|refresh|update"
[ -f /usr/local/etc/testforge/testforge.bash ] && \
. /usr/local/etc/testforge/testforge.bash
[ $( id -u ) -eq 0 ] || { ERROR $prog should be run as root ; exit 1 ; }
. /usr/local/sbin/proxy_whonix_lib.bash || \
{ ERROR loading /usr/local/sbin/proxy_whonix_lib.bash ; exit 2; }
. /usr/local/bin/proxy_ping_lib.bash || exit 3
prog=proxy_whonix_host
[ -z "$MODE" ] && MODE=`proxy_ping_mode`
HTTP_PROXY_PORT=3128
HTTP_PROXY_HOST=127.0.0.1
HTTPS_PORT=9128
HTTPS_HOST=127.0.0.1
proxy_ping_get_socks
[ -z "$SOCKS_HOST" ] || SOCKS_HOST=127.0.0.1
[ -z "$SOCKS_PORT" ] || SOCKS_PORT=9050
proxy_ping_get_https
proxy_ping_get_http
WD=$PWD
NEEDED_DIRS=""
# /usr/local/lib/helper-scripts
# /usr/local/etc/ssl
NEEDED_SCRIPTS="
/usr/local/bin/proxy_get_if.bash
/usr/local/bin/proxy_libvirt_hook_qemu.bash
/usr/local/bin/proxy_ping_lib.bash
/usr/local/bin/proxy_ping_test.bash
/usr/local/etc/jnettop.conf
/usr/local/lib/helper-scripts/tor_bootstrap_check.py
/usr/local/lib/helper-scripts/tor_bootstrap_check.bsh
/usr/local/etc/ssl/cacert-testforge.pem
/usr/local/sbin/Whonix-Gateway.rc
/usr/local/sbin/debian_cache_to_archives.bash
/usr/local/sbin/debian_elts_to_uris.bash
/usr/local/sbin/debian_uris_to_urls.bash
/usr/local/sbin/proxy_libvirt_ga_test.bash
/usr/local/sbin/proxy_whonix_gateway_tor.bash
/usr/local/sbin/proxy_whonix_guest_gateway.bash
/usr/local/sbin/proxy_whonix_host-firewall.bash
/usr/local/sbin/proxy_whonix_host_lib.bash
/usr/local/sbin/proxy_whonix_host.bash
/usr/local/sbin/proxy_whonix_host_tor.bash
/usr/local/sbin/root_nm_wireless.bash
"
proxy_install_package () {
for pkg in $* ; do
if [ -d /etc/apt ] ; then
[ "$pkg" = guestfish ] && pkg=libguestfs-tools
apt-get install -y $pkg || return $?
elif [ -d /etc/portage ] ; then
apt-get install -y $pkg || return $?
fi
done
return 0
}
## proxy_whonix_host_dmesg_blocks
proxy_whonix_host_dmesg_blocks () {
local retval=0
[ -f /etc/firewall.conf.block ] || touch /etc/firewall.conf.block
[ -z "$PROXY_WLAN" ] && PROXY_WLAN=`proxy_get_if` && retval=$?
[ $retval -ne 0 -o -z "$PROXY_WLAN" ] && {
ERROR $prog null interface && return 1
}
dmesg|tail -1000 | grep IPTABLES_FWI_REJECT-o| \
sed -e 's/.*SRC=//' -e 's/ .*//'|sort -u| \
while read elt ; do
grep -q $elt /etc/firewall.conf.block && continue
grep -q $elt /etc/firewall.conf && continue
echo $elt >> /etc/firewall.conf.block
done
[ -s /etc/firewall.conf.block ] || proxy_whonix_host_prepare_blocks || return 1$?
proxy_whonix_host_add_block $( cat /etc/firewall.conf.block ) || return 2$?
if [ ! -f /etc/firewall.conf.$$ -o ! -f /etc/firewall.conf ] ; then
return 3
elif diff /etc/firewall.conf.$$ /etc/firewall.conf ; then
return 4
else
base_wall.bash WARN: $prog BLOCKING \
$(diff /etc/firewall.conf.$$ /etc/firewall.conf | grep -v , | cut -f 7 -d ' ') \
in /etc/firewall.conf.block
proxy_ping_wlan_config /etc/firewall.conf.$$
mv /etc/firewall.conf /etc/firewall.conf.bak && \
mv /etc/firewall.conf.$$ /etc/firewall.conf && \
/usr/local/bin/proxy_libvirt_hook_network.bash
fi
return 0
}
## proxy_whonix_host_refresh
proxy_whonix_host_refresh () {
local dire
[ "$#" -gt 0 ] && dire=$1
[ -z "$dire" ] && dire=$( proxy_ping_mode )
if [ $dire = whonix ] ; then
$PL proxy_libvirt_clean_iptables
proxy_whonix_host_dmesg_blocks
fi
return 0
}
## proxy_whonix_host_update
proxy_whonix_host_update () {
local copy_in
# use nbd instead
return 0
DOM=$( proxy_whonix_get_gateway_dom )
[ -z "$DOM" ] && \
WARN proxy_whonix_host_update empty DOM from proxy_whonix_get_gateway_dom && \
DOM=Whonix-Gateway
cd /usr/local/sbin/
cp -p $PWD/$DOM.rc rc.local
copy_in="copy-in $PWD/rc.local /etc"
for dir in $NEEDED_DIRS ; do
copy_in="$copy_in
mkdir $dir
"
done
for file in $NEEDED_SCRIPTS ; do
dir=$( dirname $file )
copy_in="$copy_in
copy-in $file $dir
"
done
QCOW=/var/lib/libvirt/images/$DOM.qcow2
if [ -f $QCOW ] ; then
which virsh 2>/dev/null >/dev/null || proxy_install_package libvirt
proxy_virsh list | grep -q $DOM && virsh shutdown $DOM && echo sleep 60 && sleep 60
which guestfish 2>/dev/null >/dev/null || proxy_install_package guestfish
INFO copying in $( echo $NEEDED_SCRIPTS| wc -w ) files
guestfish -a $QCOW << EOF
run
mount /dev/sda1 /
$copy_in
umount /
EOF
fi
rm -f rc.local
return 0
}
## proxy_whonix_host_config
proxy_whonix_host_config () {
local dire
local retval=0
[ "$#" -gt 0 ] && dire=$1
[ -z "$dire" ] && dire=$( proxy_ping_mode )
DBUG proxy_whonix_host_config dire=$dire
[ -z "$PROXY_WLAN" ] && PROXY_WLAN=`proxy_get_if` && retval=$?
[ $retval -ne 0 -o -z "$PROXY_WLAN" ] && {
ERROR proxy_whonix_host_config null interface && return 1
}
proxy_ping_firewall_restart
proxy_ping_firewall_check || {
ERROR /etc/firewall.conf missing $? ; return 2 ;
}
proxy_ping_test_resolv $dire || return 4$?
proxy_whonix_privoxy_config $dire
proxy_ping_dnsmasq_config $dire || return 3$?
if [ -f /etc/inittab ] ; then
grep -q '^x1' /etc/inittab || \
sed -e 's/^x1/#x1/' -i /etc/inittab
# x1:12345:respawn:/sbin/agetty
fi
proxy_ping_firewall_modules
if [ "$dire" = whonix ] ; then
[ -f /var/lib/libvirt/images/Whonix-Gateway.qcow2 ] || \
WARN /var/lib/libvirt/images/Whonix-Gateway.qcow2 - mount /mnt/linuxKick150154
if [ -s /etc/firewall.conf.$dire ] ; then
proxy_ping_wlan_config /etc/firewall.conf.$dire /etc/firewall.conf
if ! diff -q /etc/firewall.conf.$dire /etc/firewall.conf ; then
cp -p /etc/firewall.conf.$dire /etc/firewall.conf
proxy_iptables_restore /etc/firewall.conf || return 3
fi
elif [ -s /etc/firewall.conf ] ; then
iptables-save |grep -q virbr1 || {
proxy_iptables_restore /etc/firewall.conf || return 4
}
else
[ -s /etc/firewall.conf.new ] || \
/usr/local/sbin/privacy_whonix_host-firewall.bash || \
{ ERROR " $prog privacy_whonix_host-firewall.bash failed " ; return 5 ; }
[ -s /etc/firewall.conf.new ] || \
{ ERROR " /etc/firewall.conf.new missing " ; return 6 ; }
[ -s /etc/firewall.conf ] || cp -p /etc/firewall.conf.new /etc/firewall.conf
proxy_iptables_restore < /etc/firewall.conf || return 7
fi
proxy_host_whonix_config $dire
elif [ "$dire" = selektor -o "$dire" = tor ] ; then
proxy_host_selektor_config $dire
fi
return 0
}
proxy_host_selektor_config () { DBUG proxy_host_selektor_config ;
local dire=$1
# /var/lib/tor/.SelekTOR/3xx/SelekTOR.xml
if [ -s /etc/firewall.conf.$dire ] ; then
proxy_ping_wlan_config /etc/firewall.conf.$dire /etc/firewall.conf
if ! diff -q /etc/firewall.conf.$dire /etc/firewall.conf ; then
cp -p /etc/firewall.conf.$dire /etc/firewall.conf
proxy_iptables_restore /etc/firewall.conf || return 8
elif [ -s /etc/firewall.conf ] ; then
iptables-save |grep -q gid-owner || \
proxy_iptables_restore /etc/firewall.conf || return 9
else
{ ERROR " /etc/firewall.conf.$dire missing " ; return 7 ; }
fi
fi
return 0
}
## proxy_whonix_host_install
proxy_whonix_host_install () { DBUG proxy_whonix_host_install $* ;
if [ $dire = host ] ; then
ERROR proxy_whonix_host_install host
return 1
elif [ $dire = whonix ] ; then
proxy_whonix_libvirt_start
proxy_whonix_gateway_start $dire
else
if /etc/init.d/libvirtd status ; then
proxy_virsh list | grep -q Whonix-Gateway && \
proxy_virsh shutdown Whonix-Gateway
fi
fi
/usr/local/sbin/proxy_whonix_host_tor.bash $dire || return 7$?
return 0
}
## proxy_host_from_config
proxy_host_from_config () {
#? rm -f /etc/modules_load.d/vda*conf
DOM=$( proxy_whonix_get_gateway_dom )
[ -z "$DOM" ] && \
WARN proxy_host_whonix_config empty DOM assuming Whonix-Gateway && \
DOM=Whonix-Gateway
if [ -d /etc/libvirt/qemu/ -a /etc/libvirt/qemu/$DOM.xml ] ; then
if [ ! -f /etc/libvirt/qemu/$DOM.xml.dst ] ; then
cd /etc/libvirt/qemu/
cp -p /etc/libvirt/qemu/$DOM.xml /etc/libvirt/qemu/$DOM.xml.dst
for file in $WD/$DOM.xml.?.diff ; do
[ -f /etc/libvirt/qemu/$DOM.xml ] || \
ERROR $prog /etc/libvirt/qemu/$DOM.xml missing ; return 2
patch /etc/libvirt/qemu/$DOM.xml < $file
done
cd $WD
fi
fi
return 0
}
## proxy_host_from_config
proxy_host_whonix_config () {
local dire=whonix
local file
[ -x /usr/local/bin/proxy_libvirt_hook_network.bash ] || return 1
if false && ! [ -x /etc/libvirt/hooks/network ] ; then
cat > /etc/libvirt/hooks/network <<EOF
# BEGIN ANSIBLE MANAGED BLOCK proxy whonix_host.yml
[ ! -f /usr/local/bin/proxy_libvirt_hook_network.bash ] || \
/usr/local/bin/proxy_libvirt_hook_network.bash
# END ANSIBLE MANAGED BLOCK proxy whonix_host.yml
EOF
chmod 755 /etc/libvirt/hooks/network
fi
return 0
}
## proxy_whonix_host_verify
proxy_whonix_host_verify () {
$0 --help > /dev/null || return 6
$0 -h > /dev/null || return 7
for elt in $( echo $USAGE | sed -e 's/|/ /g' ) ; do
grep -q ^proxy_whonix_host_$elt $0 || { WARN proxy_whonix_host_$elt NOT in $0 ; return 8 ; }
done
return 0
}
## proxy_whonix_host_status
proxy_whonix_host_status () { proxy_whonix_host_test "$@" ; }
## proxy_whonix_host_test
proxy_whonix_host_test () {
local dire
[ "$#" -gt 0 ] && dire=$1
[ -z "$dire" ] && dire=$( proxy_ping_mode )
proxy_whonix_host_verify
proxy_ping_status
/usr/local/bin/proxy_ping_test.bash $dire || \
WARN $prog proxy_ping_test.bash FAILED $dire
if [ "$dire" = whonix ] ; then
grep "`date +%Y-%m-%d`.* error :" /var/local/log/libvirtd.log
proxy_whonix_host_tor.bash proxy_libvirt_test || return 1
proxy_virsh list | grep running || return 2
# FixMe look in /etc/libvirt/qemu
for elt in Whonix-Gateway Whonix-Workstation Pen19-1 Kick15-1 ; do
proxy_virsh list | grep -q $elt || continue
# /usr/local/sbin/proxy_libvirt_ga_test.bash $elt /bin/netstat -lnp4 ||
/usr/local/sbin/proxy_libvirt_ga_test.bash $elt ls /dev/virtio-ports/ || \
WARN $prog $elt not responding
# fallsover with
# error: internal error: unable to execute QEMU agent command 'guest-exec-status': Invalid parameter 'pid'
done
fi
return 0
}
## proxy_whonix_host_restart
proxy_whonix_host_restart () {
local dire
[ "$#" -gt 0 ] && dire=$1 || dire=$MODE
proxy_whonix_host_start $dire || return 1$?
proxy_whonix_host_status $dire || return 2$?
return 0
}
## proxy_whonix_host_selektor
proxy_whonix_host_selektor () {
local dire=selektor
proxy_whonix_host_start $dire
return $?
}
## proxy_whonix_host_from_tor
proxy_whonix_host_from_tor () {
local dire=whonix
proxy_whonix_host_start $dire
return $?
}
## proxy_whonix_host_to_tor
proxy_whonix_host_to_tor () {
local dire=tor
proxy_virsh list | grep -q Whonix-Gateway && proxy_virsh shutdown Whonix-Gateway
proxy_whonix_host_start $dire
return $?
}
## proxy_whonix_stop
proxy_whonix_stop () {
local dire
[ "$#" -gt 0 ] && dire=$1
[ -z "$dire" ] && dire=$( proxy_ping_mode )
DBUG proxy_whonix_stop $*
if [ $dire = whonix -o $dire = host -o $dire = tor ] ; then
proxy_whonix_host_stop $dire
fi
return 0
}
## proxy_whonix_libvirt_stop
proxy_whonix_libvirt_stop () {
proxy_virsh net-list | grep -q Whonix-External && \
virsh net-destroy Whonix-External
proxy_virsh net-list | grep -q Whonix-Internal && \
virsh net-destroy Whonix-Internal
proxy_virsh list | grep -q Whonix-Gateway && \
virsh shutdown Whonix-Gateway
proxy_virsh list | grep -q Whonix-Gateway && \
virsh destroy Whonix-Gateway
return 0
}
## proxy_whonix_host_stop
proxy_whonix_host_stop () {
local dire=$1
DBUG $prog proxy_whonix_host_stop $*
if [ $dire = whonix ] ; then
proxy_rc_service polipo status >/dev/null && proxy_rc_service polipo stop
proxy_ping_dnsmasq_status && proxy_ping_dnsmasq_stop
proxy_whonix_libvirt_stop || return 3$?
elif [ $dire = tor ] ; then
proxy_rc_service tor status >/dev/null && proxy_rc_service tor stop
proxy_rc_service polipo status >/dev/null && proxy_rc_service polipo stop
fi
return 0
}
## proxy_whonix_gateway_start - start whonix on a host
proxy_whonix_gateway_start () {
local dire
[ "$#" -gt 0 ] && dire=$1
# proxy_ping_dnsmasq_status && proxy_ping_dnsmasq_stop
proxy_whonix_libvirt_start || return 3$?
proxy_virsh net-list | grep -q Whonix-External || \
virsh net-start Whonix-External || return 4$?
ifconfig virbr1 || return 5$?
proxy_virsh net-list | grep -q Whonix-Internal || \
virsh net-start Whonix-Internal|| return 6$?
ifconfig virbr2 || return 7$?
DOM=$( proxy_whonix_get_gateway_dom )
[ -z "$GATEW_DOM" ] && \
WARN $prog empty DOM from proxy_whonix_get_gateway_dom && \
DOM=Whonix-Gateway
proxy_virsh list | grep -q $DOM || \
{ INFO $prog virsh starting $DOM ; virsh start $DOM ; } || \
return 8$?
return 0
}
## proxy_whonix_host_start - start either whonix or tor on a host
proxy_whonix_host_start () { DBUG $prog proxy_whonix_host_start $* ;
local dire
[ "$#" -gt 0 ] && dire=$1
proxy_whonix_host_config $dire || return 2$?
proxy_whonix_host_install $dire || return 4$?
proxy_clobber_resolv_local
return 0
}
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $USAGE
elif [ "$1" = '-h' -o "$1" = '--help' -o "$1" = 'host' ] ; then
echo USAGE: $prog $USAGE or:
grep '^## ' $0 | sed -e 's/^## //'
elif [ "$1" = config ] ; then
[ -z "$MODE" ] && MODE=$( proxy_ping_mode )
proxy_whonix_host_config $MODE || exit 2$?
elif [ "$1" = start ] ; then
[ -z "$MODE" ] && MODE=$( proxy_ping_mode )
proxy_whonix_host_start $MODE || exit 2$?
elif [ "$1" = selektor ] ; then
MODE=$1
proxy_whonix_host_start $MODE
elif [ "$1" = to -o "$1" = 'to_tor' -o "$1" = 'tor' ] ; then
[ -z "$MODE" ] && MODE=$( proxy_ping_mode )
proxy_whonix_host_to_tor || exit 3$?
elif [ "$1" = from -o "$1" = 'from_tor' -o "$1" = 'whonix' ] ; then
[ -z "$MODE" ] && MODE=$( proxy_ping_mode )
proxy_whonix_host_from_tor || exit 4$?
elif [ "$1" = verify -o "$1" = 'install' ] ; then
[ -z "$MODE" ] && MODE=$( proxy_ping_mode )
proxy_whonix_host_$1 $MODE || exit 5$?
elif [ "$1" = 'test' ] ; then
[ -z "$MODE" ] && MODE=$( proxy_ping_mode )
proxy_whonix_host_test $MODE || exit 4$?
elif [ "$1" = update -o "$1" = 'start' -o "$1" = 'status' -o "$1" = 'stop' ] ; then
[ -z "$MODE" ] && MODE=$( proxy_ping_mode )
proxy_whonix_host_$1 $MODE || exit 5$?
elif [ "$1" = hourly -o "$1" = 'refresh' ] ; then
[ -z "$MODE" ] && MODE=$( proxy_ping_mode )
proxy_whonix_host_refresh || exit 6$?
else
DBUG $base "$@"
eval "$@"
exit $?
fi
exit 0

3
overlay/Linux/usr/local/sbin/proxy_whonix_host_libvirt.bash Executable file
View File

@ -0,0 +1,3 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
exec bash /usr/local/bin/proxy_ping_lib.bash proxy_libvirt_test "$@"

257
overlay/Linux/usr/local/sbin/proxy_whonix_host_tor.bash Executable file
View File

@ -0,0 +1,257 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
ROLE=proxy
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
USAGE="[to_tor|from_tor|test_to|test_from|verify]"
. /usr/local/sbin/proxy_whonix_lib.bash || \
{ ERROR loading /usr/local/sbin/proxy_whonix_lib.bash ; exit 2; }
. /usr/local/bin/usr_local_base.bash || exit 2
. /usr/local/sbin/proxy_tor_lib.bash || \
{ ERROR loading /usr/local/sbin/proxy_tor_lib.bash ; exit 3; }
. /usr/local/bin/usr_local_base.bash || exit 2
[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
[ -z "$PRIV_TOR_OWNER" ] && grep -q ^debian-tor /etc/passwd && PRIV_TOR_OWNER=debian-tor
[ -z "$PRIV_TOR_OWNER" ] && grep -q ^tor /etc/passwd && PRIV_TOR_OWNER=tor
PRIV_TOR_GID=$( grep ^$PRIV_TOR_OWNER /etc/passwd|cut -d: -f 4 )
[ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
PRIV_BIN_GID=$( grep ^$PRIV_BIN_OWNER /etc/passwd|cut -d: -f 4 )
#ps ax | grep 'usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/network.conf' && \
# ps ax | grep 'usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/network.conf' | sed -e 's/ .*//' \
# | xargs kill
[ $USER != root ] || proxy_iptables_save | grep -qi reject || \
proxy_ping_firewall_restart || exit 2$?
# bash /usr/local/sbin/base_firewall_start.bash
## proxy_whonix_or_tor
proxy_whonix_or_tor () { DBUG proxy_whonix_or_tor $* ;
local a dire debian file
dire=$1
file=/etc/tor/torrc
[ -n "$PROXY_WLAN" ] || PROXY_WLAN=$( proxy_get_if ) || return 1$?
[ -n "$PROXY_WLAN" ] || return 2$?
DBUG proxy_whonix_to_tor PROXY_WLAN=$PROXY_WLAN $*
true || \
proxy_ping_online || {
wlan7=$PROXY_WLAN
base_wlan_modules_unload $PROXY_WLAN
proxy_base_wlan_modules_load $PROXY_WLAN
ERROR not online ret=$? ; return 3 ;
}
proxy_whonix_copy_files $dire
## proxy_whonix_to_tor
}
proxy_whonix_to_selektor () { DBUG proxy_whonix_to_selektor $* ;
local a dire file
dire=selektor
file=
proxy_whonix_or_tor $dire
if ps ax | grep -v grep | grep -q 'tor -f /var/lib/tor/.SelekTOR/3xx' ; then
:
elif ! proxy_route_check ; then
return $?
elif tty >/dev/null ; then
/var/local/bin/selektor.bash &
fi
}
proxy_whonix_to_tor () { DBUG proxy_whonix_to_tor $* ;
local a dire debian file
dire=tor
file=/etc/tor/torrc
proxy_whonix_or_tor $dire || return 2$?
DBUG proxy_whonix_to_tor PROXY_WLAN=$PROXY_WLAN $*
proxy_tor_torrc_update /etc/tor/torrc 127.0.0.1
proxy_tor_torrc_exclude /etc/tor/torrc
# proxy_rc_service tor status >/dev/null || proxy_rc_service tor start
# weaker - includes running from cmdline
debian=$PRIV_TOR_OWNER
ps ax -g $debian | grep -v grep | grep -q ' tor ' || \
proxy_rc_service tor start || \
{ ERROR not service start ret=$? ; return 3 ; }
proxy_whonix_privoxy_start tor || {
echo WARN: $prog privoxy NOT running ret=$?
# return 4 ;
}
proxy_whonix_dnsmasq_start tor || {
echo WARN: proxy_whonix_to_tor dnsmasq NOT started retval=$?
# return 5$? ;
}
# proxy_whonix_start_wget
proxy_iptables_save | grep -q 'udp --dport 53 -j DNAT --to-destination 127.0.0.1:9053' || \
proxy_rc_service dnsmasq status >/dev/null || \
{ ERROR $prog dnsmasq not running ; return 6 ; }
netstat -nlp4 | grep 127.0.0.1:9 || return 9
return 0
}
## proxy_tor_clean
proxy_tor_clean () {
[ -n "$MODE" ] || MODE="$( proxy_ping_mode )"
if [ "$MODE" = whonix ] ; then
proxy_whonix_get_gateway_dom || exit 8
if [ -z "$GATEW_DOM" ] ; then
proxy_virsh list | grep -q $GATEW_DOM && \
proxy_libvirt_clean_virbr1_rules
fi
fi
return 0
}
## proxy_tor_test
proxy_tor_test () {
local dire
[ $# -eq 1 ] && dire=$1
[ -z "$dire" ] && dire="$( proxy_ping_mode )"
if [ $dire = tor -o $dire = whonix -o $dire = host ] ; then
# is vda a host?
proxy_tor_test_ntp || return 2$?
proxy_tor_test_anondate # || return 3$?
fi
proxy_whonix_test $dire || return 1$?
return 0
}
starbucks_torrc () { proxy_whonix_host_tor_install $* ; }
## proxy_whonix_host_install
proxy_whonix_host_tor_install () { DBUG proxy_whonix_host_tor_install $* ;
[ -n "$PROXY_WLAN" ] || PROXY_WLAN=$( proxy_get_if ) || return 1$?
[ -n "$PROXY_WLAN_IP" ] || PROXY_WLAN_IP=$( proxy_get_wlan_ip ) || \
{ ERROR proxy_whonix_host_tor_install ifconfig $PROXY_WLAN ; return 7 ; }
[ -z "$PROXY_WLAN_IP" ] && return 0
for file in /etc/tor/torrc /etc/tor/torrc-defaults ; do
[ -f $file ] || continue
grep -q "SocksPolicy accept " /etc/tor/torrc || continue
grep -q "SocksPolicy accept $PROXY_WLAN_IP" /etc/tor/torrc || continue
sed -e "s@^SocksPolicy accept [^/]*\$@SocksPolicy accept $PROXY_WLAN_IP@" \
-i $file
done
return 0
}
proxy_whonix_host_whonix () { proxy_whonix_from_tor $* ; }
## proxy_whonix_from_tor
proxy_whonix_from_tor () {
local dire=whonix
local ret
DBUG proxy_whonix_from_tor $*
proxy_rc_service tor status >/dev/null && proxy_rc_service tor stop
[ -n "$PROXY_WLAN" ] || PROXY_WLAN=$( proxy_get_if ) || return 1$?
# ; return 2$ret
proxy_whonix_config $dire || { ret=$? ; ERROR proxy_whonix_from_tor failed proxy_whonix_config ret=$ret ; return 2$ret ; }
proxy_whonix_libvirt_start || {
ret=$? ;
ERROR proxy_whonix_from_tor failed proxy_whonix_libvirt_start ret=$ret ;
return 3$ret
}
a=$( proxy_iptables_save | grep -e '-A OUTPUT -o .* -m tcp -p tcp -m owner --gid-owner $PRIV_TOR_GID -j ACCEPT' | grep -c -v grep )
[ $? -eq 0 ] && [ -n "$a" ] && [ "$a" -gt 0 ] && \
WARN proxy_iptables -D OUTPUT -o $PROXY_WLAN -m tcp -p tcp -m owner --gid-owner $PRIV_TOR_GID -j ACCEPT
proxy_whonix_copy_files $dire
# netstat -nlp4e | grep 127.0.0.1:53 && { ERROR dns still running ; return 3;}
if false; then
proxy_rc_service pdnsd status >/dev/null && proxy_rc_service pdnsd stop
[ -f /etc/pdnsd/pdnsd.conf.whonix ] && \
cp -p /etc/pdnsd/pdnsd.conf.whonix /etc/pdnsd/pdnsd.conf
# proxy_whonix_start_wget
proxy_whonix_dnsmasq_start $dire || \
{ ret=$? ; echo WARN: proxy_whonix_from_tor dnsmasq NOT started $ret ; }
fi
proxy_whonix_privoxy_start $dire || \
{ ret=$?; echo WARN: proxy_privoxy_from_tor polipo not started $ret ; }
proxy_whonix_host_tor_install
return 0
}
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $USAGE
elif [ "$1" = '-h' ] || [ "$1" = 'help' ] || [ "$1" = '--help' ] ; then
echo USAGE: $prog $USAGE or:
grep '^## ' $0 | sed -e 's/^## //'
elif [ "$1" = to -o "$1" = 'to_tor' -o "$1" = 'tor' ] ; then
[ $( id -u ) -eq 0 ] || { ERROR $prog must be root ; exit 1 ; }
proxy_whonix_to_tor || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 1$ret ; }
elif [ "$1" = 'selektor' ] ; then
[ $( id -u ) -eq 0 ] || { ERROR $prog must be root ; exit 1 ; }
proxy_whonix_to_selektor || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 1$ret ; }
elif [ "$1" = 'from' -o "$1" = 'from_tor' -o "$1" = 'whonix' ] ; then
[ $( id -u ) -eq 0 ] || { ERROR $prog must be root ; exit 1 ; }
proxy_whonix_from_tor || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 2$ret ; }
elif [ "$1" = 'gateway' ] ; then
[ $( id -u ) -eq 0 ] || { ERROR $prog must be root ; exit 1 ; }
proxy_whonix_gateway || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 2$ret ; }
proxy_whonix_test gateway || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 4$ret ; }
elif [ "$1" = 'test_from' -o "$1" = 'test_whonix' ] ; then
[ $( id -u ) -eq 0 ] || { ERROR $prog must be root ; exit 1 ; }
proxy_tor_test whonix || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 6$ret ; }
/usr/local/bin/proxy_ping_test.bash panic || exit 7
elif [ "$1" = 'test_gateway' -o "$1" = 'test_gateway' ] ; then
proxy_tor_test gateway || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 6$ret ; }
/usr/local/bin/proxy_ping_test.bash panic || exit 7
elif [ "$1" = 'test_to' -o "$1" = 'test_tor' ] ; then
proxy_tor_test tor || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 7$ret ; }
/usr/local/bin/proxy_ping_test.bash panic || exit 7
elif [ "$1" = 'direct' -o "$1" = 'test_direct' ] ; then
/usr/local/bin/proxy_ping_test.bash direct
elif [ "$1" = 'verify' ] ; then
/usr/local/bin/proxy_ping_test.bash panic || exit 7
[ -n "$MODE" ] || MODE="$( proxy_ping_mode )"
proxy_whonix_test $MODE || \
{ ret=$? ; ERROR "$prog host='$GATEW_DOM' retval=$ret" ; exit 8$ret ; }
elif [ "$1" = 'clean' -o "$1" = 'stop' ] ; then
proxy_whonix_$1
/usr/local/bin/proxy_ping_test.bash panic || exit 8
elif [ "$1" = 'config' ] ; then
ERROR $prog not implemented $1;exit 1
else
eval "$@"
exit $?
fi

742
overlay/Linux/usr/local/sbin/proxy_whonix_lib.bash Executable file
View File

@ -0,0 +1,742 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
prog=$( basename $0 .bash )
export PATH=$PATH:$PREFIX/sbin:$PREFIX/bin
. $PREFIX/bin/usr_local_tput.bash
PL=$PREFIX/bin/proxy_libvirt_lib.bash
# . $PREFIX/sbin/proxy_whonix_lib.bash || { echo ERROR: loading $PREFIX/sbin/proxy_whonix_lib.bash ; exit 2; }
. $PREFIX/bin/proxy_ping_lib.bash || \
{ echo ERROR: loading $PREFIX/bin/proxy_ping_lib.bash ; exit 2; }
base=proxy_whonix_lib
starbucks_torrc () {
ip=`ifconfig $wlan7 | grep -v '127.0.0.1\|grep' | grep inet.*broadcast| sed -e 's/.*inet //' -e 's/ .*//'`
[ $? -eq 0 ] || { echo ERROR: starbucks_torrc ifconfig $wlan7 ; return 7 ; }
[ -z "$ip" ] && return 0
for file in /etc/tor/torrc /etc/tor/torrc-default ; do
grep -q "^SocksPolicy accept " /etc/tor/torrc || continue
grep -q "^SocksPolicy accept $ip$" /etc/tor/torrc && continue
sed -e "s@^SocksPolicy accept [^/]*\$@SocksPolicy accept $ip@" \
-i $file
done
return
}
starbucks_set () {
if [ -f /etc/init.d/network-manager ] ; then
NetworkManager=network-manager
elif [ -f /etc/init.d/NetworkManager ] ; then
NetworkManager=NetworkManager
elif [ -f /lib/systemd/system/NetworkManager ] ; then
NetworkManager=NetworkManager
else
NetworkManager=network-manager
fi
mgr=$NetworkManager
mgr=wicd
[ -x /mnt/linuxBack52/usr/bin/macchanger ] && \
macchanger=/mnt/linuxBack52/usr/bin/macchanger || \
macchanger=macchanger
# may be empty wlan7
# ifconfig wlan7 2>/dev/null && wlan7=wlan7 || wlan7=wlp3s0
if [ -z "$wlan7" ] ; then
echo ERROR: null wlan7 ;exit 1
fi
INFO starbucks_set wlan7=$wlan7 mgr=$mgr macchanger=$macchanger
if [ -z "$wlan7" ] ; then
rmmod iwlmvm iwlwifi 2>/dev/null >/dev/null &
rmmod ath9k_htc ath9k_common ath9k_hw ath 2>/dev/null >/dev/null &
elif [ $wlan7 = wlan4 ] ; then
rmmod iwlmvm iwlwifi 2>/dev/null >/dev/null &
elif [ $wlan7 = wlan6 -o $wlan7 = wlan7 ] ; then
rmmod ath9k_htc ath9k_common ath9k_hw ath 2>/dev/null >/dev/null &
fi
sleep 5
return 0
}
starbucks_ip () {
local wlan7
[ $# -eq 0 -o -z "$1" ] && return 1
wlan7=$1
base_wlan_modules_unload $wlan7 || return 1$?
base_wlan_modules_load $wlan7 || return 2$?
cd /etc
grep -l 'wlan[0-9]' * */* 2>/dev/null|grep -v ~$|xargs sed -e "s/wlan[0-9]/$wlan7/g" -i
local_rc_service dbus start;local_rc_service wicd start
return 0
}
starbucks_start_services () {
[ -z "$MODE" ] && echo ERROR: $0 unknown MODE && return 2
$PREFIX/sbin/proxy_whonix_host.bash start || return 3$?
# $PREFIX/sbin/proxy_whonix_host.bash proxy_whonix_host_start $MODE || return 5$?
[ "$MODE" != tor ] || starbucks_torrc || return 5$?
return 0
}
starbucks_stop () {
[ "$#" -eq 0 ] && set -- stop
starbucks_restart stop
}
# old tor only
starbucks_restart () {
[ "$#" -eq 0 ] && set -- start
if [ -x /bin/systemctl ] ; then
# [ -e /etc/tor/torrc ] && /bin/systemctl $1 tor >/dev/null
[ -e /etc/pdnsd.conf ] && /bin/systemctl $1 pdnsd >/dev/null
[ -e /etc/polipo.conf ] && /bin/systemctl $1 polipo >/dev/null
/bin/systemctl $1 $mgr
else
# [ -e /etc/tor/torrc ] && /etc/init.d/tor $1
[ -e /etc/pdnsd.conf ] && /etc/init.d/pdnsd $1
[ -e /etc/polipo.conf ] && /etc/init.d/polipo $1
/etc/init.d/$mgr $1
fi
return 0
}
starbucks_pdnsd () {
if [ "$pdnsd" = "dnscrypt" ] && \
! ps ax | grep -v grep | grep -q /dnscrypt-proxy ; then
cp /dev/null /var/local/var/log/dnscrypt-proxy.log
$HARDEN_VAR_LOCAL/bin/dnscrypt-proxy --config $HARDEN_VAR_LOCAL/etc/dnscrypt-proxy.toml &
sleep $DELAY
[ ! -s /var/local/var/log/dnscrypt-proxy.log ] || \
! grep -q 'No servers configured' $HARDEN_VAR_LOCAL/var/log/dnscrypt-proxy.log || return 11
ps ax | grep -v grep | grep -q /dnscrypt-proxy || return 12
elif [ "$pdnsd" = "pdnsd" ] && ! ps ax | grep -v grep | grep -q /pdnsd ; then
if [ -x /bin/systemctl ] ; then
[ -e /etc/pdnsd.conf ] && /bin/systemctl stop pdnsd >/dev/null
else
[ -e /etc/pdnsd.conf ] && /etc/init.d/pdnsd stop
fi
fi
}
starbucks_torrc () {
ip=`ifconfig $wlan7 | grep -v '127.0.0.1\|grep' | grep inet.*broadcast| sed -e 's/.*inet //' -e 's/ .*//'`
[ $? -eq 0 ] || { echo ERROR: starbucks_torrc ifconfig $wlan7 ; return 7 ; }
[ -z "$ip" ] || \
grep -q "SocksPolicy accept $ip@" /etc/tor/torrc || \
sed -e "s@^SocksPolicy accept [^/]*\$@SocksPolicy accept $ip@" \
-i /etc/tor/torrc
}
## proxy_guest_firewall_config -- /etc/firewall.conf.ws.new
proxy_guest_firewall_config () {
. $PREFIX/sbin/proxy_whonix_guest_workstation-firewall.bash || return 2$?
source_config_folder
iptables_cmd="echo iptables"
ip6tables_cmd="echo # ip6tables"
main > /etc/firewall.conf.ws.new
return $?
}
## proxy_whonix_guest_config
proxy_whonix_guest_config () {
return 0
}
## proxy_whonix_guest_start
proxy_whonix_guest_start () {
$PL proxy_libvirt_start_guest
return $?
}
## proxy_whonix_test_guest
proxy_whonix_test_guest () {
$PL proxy_libvirt_test_guest
return $?
}
## proxy_whonix_gateway_config
proxy_whonix_gateway_config () {
proxy_whonix_dnsmasq_config gateway 10.0.2.15
return 0
}
## proxy_whonix_dnsmasq_config
proxy_whonix_dnsmasq_config () {
local dire
[ "$#" -eq 0 ] || dire=$1
[ -z "$dire" ] && MODE="$( proxy_ping_mode )" && dire=$MODE
[ -n "$MODE" ] || MODE=host
proxy_dest_port_wlan_config
[ -z "$PORT" -o -z "$DEST" ] && return 1
# 9040 - no wgetrc polipo
# need dnsmasq to 127
file=/etc/dnsmasq.conf
if [ ! -f $file.$dire ] ; then
cp -p $file $file.$dire
cat >> $file.conf <<EOF
log-facility=/var/log/dnsmasq.log
no-resolv
listen-address=127.0.0.1
server=${DEST}#$PORT
port=53
# wlan4
interface=$PROXY_WLAN
bind-interfaces
no-dhcp-interface=$PROXY_WLAN
EOF
fi
return 0
}
## proxy_whonix_polipo_config
proxy_whonix_polipo_config () {
local dire
local file
[ "$#" -eq 0 ] && { echo ERROR: proxy_whonix_polipo_config no dire ; return 1; }
dire=$1
file=/etc/polipo/config
if [ $dire = whonix ]; then
if [ ! -f $file.$dire ] ; then
cp -p $file $file.$dire
cat >> $file.conf <<EOF
proxyAddress=127.0.0.1
proxyPort=3128
proxyName=127.0.0.1
socksParentProxy=10.0.2.15:9050
socksProxyType=socks5
#?ssocksUserName=foo
EOF
fi
elif [ $dire = nat ]; then
# get external
external=`grep external$ /etc/hosts|sed -e 's/ .*//'`
#? . /usr/local/bin/proxy_export.bash
if [ ! -f $file.$dire ] ; then
cp -p $file $file.$dire
cat >> $file.conf <<EOF
proxyAddress=$external
proxyPort=3128
proxyName=$external
socksParentProxy=$external:9050
socksProxyType=socks5
#?ssocksUserName=foo
EOF
fi
else
if [ ! -f $file.$dire ] ; then
cp -p $file $file.$dire
cat >> $file.conf <<EOF
proxyAddress=127.0.0.1
proxyPort=3128
proxyName=127.0.0.1
socksParentProxy=${DEST}:$PORT
socksProxyType=socks5
EOF
fi
fi
return 0
}
## proxy_whonix_privoxy_config
proxy_whonix_privoxy_config () {
local dire
local file
dire=$1 ; shift
file=/etc/privoxy/config
if [ $dire = whonix ]; then
if [ ! -f $file.$dire ] ; then
cp -p $file $file.$dire
cat >> $file.conf <<EOF
listen-address 127.0.0.1:3128
forward-socks5t / 10.0.2.15:9050 .
EOF
fi
elif [ $dire = nat ]; then
# get external
external=`grep external$ /etc/hosts|sed -e 's/ .*//'`
#? . /usr/local/bin/proxy_export.bash
if [ ! -f $file.$dire ] ; then
cp /dev/null $file.$dire
fi
else
if [ ! -f $file.$dire ] ; then
cp -p $file $file.$dire
cat >> $file.conf <<EOF
listen-address 127.0.0.1:3128
forward-socks5t / 127.0.0.1:9050 .
EOF
fi
fi
return 0
}
## proxy_whonix_dnsmasq_config
proxy_whonix_dnsmasq_config () {
local dire
[ "$#" -eq 0 ] && set -- tor
dire=$1 ; shift
proxy_dest_port_wlan_config $*
[ -z "$PORT" -o -z "$DEST" ] && return 1
# 9040 - no wgetrc
# need dnsmasq to 127
file=/etc/dnsmasq.conf
if [ ! -f $file.$dire ] ; then
cp -p $file $file.$dire
cat >> $file.$dire <<EOF
log-facility=/var/log/dnsmasq.log
no-resolv
listen-address=127.0.0.1
server=${DEST}#$PORT
port=53
# wlan4
interface=$PROXY_WLAN
bind-interfaces
no-dhcp-interface=$PROXY_WLAN
EOF
fi
return 0
}
## proxy_whonix_tor_config
proxy_whonix_tor_config () {
proxy_host_tor_config tor 127.0.0.1
return $?
}
## proxy_host_tor_config
proxy_host_tor_config () {
local dir
local file
dire=tor
DEST=127.0.0.1
PORT=9050
#? [ -z "$DEST" ] && proxy_dest_port_wlan_config || return 1$?
[ -z "$PORT" -o -z "$DEST" ] && return 2
proxy_whonix_polipo_config $dire || return 3$?
proxy_whonix_dnsmasq_config $dire || return 4$?
if proxy_ping_online ; then
proxy_ping_test_resolv $dire || { echo ERROR: proxy_host_tor_config 5$?; return 5 ; }
fi
return 0
}
## proxy_host_from_config
proxy_host_whonix_config () {
local dire=whonix
local file
proxy_dest_port_wlan_config || return 1$?
DEST=10.0.2.15
PORT=9053
[ -z "$PORT" -o -z "$DEST" ] && return 2
proxy_whonix_polipo_config $dire
proxy_ping_test_resolv $dire || return 4$?
proxy_whonix_dnsmasq_config $dire || return 5$?
return 0
}
## proxy_host_gateway
proxy_whonix_gateway () {
local dire=gateway
debug proxy_whonix_gateway $dire
PROXY_WLAN=$( proxy_get_if ) || return 1$?
s proxy_whonix_config $dire || return 2$?
# works?
proxy_ping_set_resolv gateway
return 0
}
## proxy_whonix_from_config
proxy_whonix_config () {
local dire=$1
[ -z "$DEST" ] && proxy_dest_port_wlan_config
if [ ! -f /etc/tor/torsocks.conf.$dire ] ; then
cp -p /etc/tor/torsocks.conf /etc/tor/torsocks.conf.$dire
# TorAddress 127.0.0.1
# TorPort 9050
fi
sed -e "s@^#* *TorAddress.*@TorAddress $DEST@" -i /etc/tor/torsocks.conf
sed -e "s@^#* *TorPort.*@TorPort 9050@" -i /etc/tor/torsocks.conf
# proxy_whonix_start_wget
proxy_host_${dire}_config
return $?
}
## proxy_ws_whonix_config
proxy_ws_whonix_config () {
local dir=ws
DEST=10.152.152.10
PROXY_WLAN=eth0
proxy_host_whonix_config $dire $DEST 9053 $PROXY_WLAN
return $?
}
## proxy_whonix_libvirt_status
proxy_whonix_libvirt_status () {
proxy_rc_service libvirtd status >/dev/null || \
proxy_rc_service libvirtd start || \
echo WARN: libvirtd crashed - see /var/log/libvirt/libvirtd.log # 2>&1|tee $WLOG
$PL proxy_libvirt_status
return 0
}
## proxy_whonix_libvirt_start
proxy_whonix_libvirt_start () {
local domain
[ "$#" -ge 1 ] && domain=$1
if [ ! -e /run/libvirt/libvirt-sock ] || ! proxy_rc_service libvirtd status >/dev/null ; then
cp /dev/null /var/log/libvirt/libvirtd.log
/etc/init.d/libvirtd status
retval=$?
[ $retval -eq 32 ] && WARN libvirtd crashed - zapping && /etc/init.d/libvirtd zap
[ $retval -eq 0 ] || /etc/init.d/libvirtd start || return 5$? # error: Failed to start livirtd
proxy_rc_service libvirtd start || return 3
sleep $DELAY
fi
$PL proxy_libvirt_no_autostart
$PL proxy_libvirt_start
$PL proxy_libvirt_status
proxy_virsh net-list | grep -q Whonix-Internal || virsh net-start Whonix-Internal || return 3
proxy_virsh net-list | grep -q Whonix-External || virsh net-start Whonix-External || return 4
[ -z "$domain" ] && domain="$( proxy_testforge_get_gateway_dom )"
[ -z "$domain" ] && echo WARN: null proxy_testforge_get_gateway_dom && \
domain=Whonix-Gateway && \
INFO set proxy_testforge_get_gateway_dom $domain
$PL proxy_libvirt_list | grep -v grep | grep "$domain" || \
virsh start $domain || {
ret=$?
echo ERROR: proxy_whonix_libvirt_start failed virsh start $domain ret=$ret
return 5$ret
}
return 0
}
## proxy_whonix_test
proxy_whonix_test () {
local dire
DBUG proxy_whonix_test $dire
[ "$#" -eq 0 ] && dire=$MODE || dire=$1
[ $dire = ws -o $dire = workstation ] && dire=vda
if [ $dire = client ] ; then
:
# dunno - look at netstat? -nle4
elif [ $dire = nat ] ; then
$PL proxy_libvirt_test_guest
elif [ $dire = vda -o $dire = gateway ] ; then
proxy_whonix_test_guest
elif [ $dire = tor ] ; then
$PL proxy_libvirt_test_host
elif [ $dire = whonix ] ; then
$PL proxy_libvirt_no_autostart
$PL proxy_libvirt_clean_virbr1_rules
proxy_whonix_get_gateway_dom
[ -z "$GATEW_DOM" ] && echo WARN: $prog DOM proxy_whonix_get_gateway_dom assuming Whonix-Gateway && DOM=Whonix-Gateway || DOM=$GATEW_DOM
proxy_virsh list | grep -q $DOM || { echo ERROR: $prog $DOM not running ; return 2 ; }
$PREFIX/bin/proxy_ping_test.bash from_tor || return 6$?
fi
#? gateway
if [ $dire = whonix -o $dire = vda -o $dire = tor ] ; then
proxy_rc_service polipo status >/dev/null >/dev/null || \
{ echo ERROR: $prog polipo not running ; return 4 ; }
$PREFIX/bin/proxy_ping_test.bash polipo || return 9$?
elif [ $dire = host -o $dire = tor ] ; then
proxy_rc_service privoxy status >/dev/null >/dev/null || \
{ echo ERROR: $prog privoxy not running ; return 4 ; }
$PREFIX/bin/proxy_ping_test.bash privoxy || return 9$?
fi
if [ $dire = vda -o $dire = ws -o $dire = workstation ] ; then
proxy_clobber_resolv_local 10.152.152.10
elif [ $dire = gateway -o $dire = whonix -o $dire = tor ] ; then
proxy_rc_service dnsmasq status 2>/dev/null >/dev/null || \
{ echo ERROR: $prog dnsmasq not running ; return 5 ; }
proxy_clobber_resolv_local 127.0.0.1
fi
$PREFIX/bin/proxy_ping_test.bash dns # || return 9$?
$PREFIX/bin/proxy_ping_test.bash $dire || return 6$?
return 0
}
# Weher was this
## rc_host_symlink_etc_fstab
rc_host_symlink_etc_fstab () {
grep -q root=/dev/vda /proc/cmdline
PROXY_IS_VDA=$?
if [ $PROXY_IS_VDA -eq 0 ] ; then
[ -h /etc/fstab ] && [ -f /etc/fstab.vda ] && \
rm -f /etc/fstab && ln -s /etc/fstab.vda /etc/fstab
return 1
# else
# [ -h /etc/fstab ] && [ -f /etc/fstab.4TA ] && \
# rm -f /etc/fstab && ln -s /etc/fstab.4TA /etc/fstab
fi
return 0
}
## proxy_vda_config
proxy_vda_config () {
rc_host_symlink_etc_fstab
sed -e 's/^#x1/x1/' -i /etc/inittab #
if false ; then
sed -e 's/^#//' -i $PREFIX/etc/modules_load.d/vda*conf
if [ ! -h /etc/modules_load.d/vda_mods.conf ] ; then
ln -s $PREFIX/etc/modules_load.d/vda*conf /etc/modules_load.d/
fi
fi
if false ; then
[ -f /etc/firewall.conf.vda ] && \
cp -p /etc/firewall.conf.vda /etc/firewall.conf
fi
return 0
}
##
old_proxy_vda_config () {
[ -f /etc/inittab ] && sed -e 's/^#x1/x1/' -i /etc/inittab
return 0
}
## proxy_vda_whonix_config
proxy_vda_whonix_config () {
local dir=vda
DEST=10.152.152.10
PROXY_WLAN=eth0
proxy_host_whonix_config $dire $DEST 9053 $PROXY_WLAN
return $?
}
## proxy_quest_config
proxy_quest_config () {
proxy_vda_config
sed -e 's/^#//' -i $PREFIX/etc/modules_load.d/vda*conf
if [ ! -h /etc/modules_load.d/vda_mods.conf ] ; then
cp -np $PREFIX/etc/modules_load.d/vda*conf /etc/modules-load.d/
fi
return 0
}
## proxy_whonix_dnsmasq_start
proxy_whonix_dnsmasq_start () {
local dire
local service=dnsmasq
[ "$#" -eq 0 ] || dire=$1
[ -z "$dire" ] && MODE="$( proxy_ping_mode )" && dire=$MODE
[ -n "$MODE" ] || MODE=host
DBUG proxy_whonix_dnsmasq_start $dire $PROXY_WLAN
proxy_whonix_config $dire || return 1$?
PROXY_WLAN=$( proxy_get_if )
[ -z "$PROXY_WLAN" ] && echo ERROR: $prog empty PROXY_WLAN && return 4
sed -e "s/wlan[0-9]/$PROXY_WLAN/" -i /etc/dnsmasq.conf.$dire
if diff /etc/dnsmasq.conf.$dire /etc/dnsmasq.conf >/dev/null ; then
proxy_rc_service dnsmasq status >/dev/null || \
proxy_ping_dnsmasq_start || return 8$?
else
proxy_rc_service dnsmasq status >/dev/null && \
proxy_ping_dnsmasq_stop
cp -p /etc/dnsmasq.conf.$dire /etc/dnsmasq.conf
proxy_ping_dnsmasq_start || return 8$?
fi
return 0
}
## proxy_whonix_privoxy_start
proxy_whonix_polipo_start () {
local dire
local service=polipo
[ $# -eq 1 ] && dire=$1
[ -z "$dire" ] && dire="$( proxy_ping_mode )"
DBUG proxy_whonix_start_$service $dire
proxy_whonix_config $dire || \
echo WARN: proxy_whonix_polipo_start proxy_whonix_config $dire $? # return 1$?
sed -e "s/wlan[0-9]/$PROXY_WLAN/" -e "s/eth[0-9]/$PROXY_WLAN/" -i /etc/polipo/config.$dire
if ! diff /etc/polipo/config.$dire /etc/polipo/config ; then
cp -p /etc/polipo/config.$dire /etc/polipo/config
proxy_rc_service $service restart || return 2$?
else
proxy_rc_service $service status >/dev/null || \
proxy_rc_service $service start||return 3$
fi
return 0
}
## proxy_whonix_host_prepare_blocks
proxy_whonix_host_prepare_blocks () {
if [ ! -s /etc/firewall.conf.block ] ; then
if [ -f $PREFIX/etc/firewall.conf.block ] ; then
echo "WARN: $prog copying $PREFIX/etc/firewall.conf.block"
cp -p $PREFIX/etc/firewall.conf.block /etc/firewall.conf.block
else
ERROR "$prog missing $PREFIX/etc/firewall.conf.block"
return 1
fi
fi
return 0
}
## proxy_whonix_host_add_block
proxy_whonix_host_add_block () {
local elt tab ip
# PROXY_WLAN=$( proxy_get_if )
# [ $? -ne 0 -o -z "$PROXY_WLAN" ] && echo ERROR: $prog null interface && return 1
if [ "$#" -eq 0 ] ; then
proxy_whonix_host_prepare_blocks \| return 1$?
set -- $( cat /etc/firewall.conf.block )
fi
# DBUG "$prog adding $*"
[ -f /etc/firewall.conf.newer ] || \
cp -p /etc/firewall.conf /etc/firewall.conf.newer
for elt in wlan virbr1 ; do
[ $elt = wlan ] && tab=INPUT || tab=LIBVIRT_FWI
grep -q "^# blocks $elt" /etc/firewall.conf.newer || {
echo ERROR: maker not found "^# blocks $elt" in /etc/firewall.conf.newer
return 2
}
sed -e "/^# blocks $elt/,\$d" /etc/firewall.conf.newer > /etc/firewall.conf.$$
echo "# blocks $elt" >> /etc/firewall.conf.$$
for ip in $* ; do
grep -q $ip /etc/firewall.conf.block || \
grep -q $ip /etc/firewall.conf.block.newer || \
echo $ip >> /etc/firewall.conf.block.newer
grep -q -e "A $tab -s $ip" /etc/firewall.conf.newer && continue
echo "-A $tab -s $ip -p tcp -j DROP" >> /etc/firewall.conf.$$
DBUG "$prog -A $tab -s $ip -m tcp -p tcp -j DROP"
done
sed -e "1,/^# blocks $elt/d" /etc/firewall.conf.newer >> /etc/firewall.conf.$$
mv /etc/firewall.conf.$$ /etc/firewall.conf.newer
done
return 0
}
## proxy_whonix_host_online
proxy_whonix_host_online () {
[ -n "$PROXY_WLAN" ] || PROXY_WLAN=$( proxy_get_if ) || return 1$?
[ -z "$PROXY_WLAN" ] && echo ERROR: empty PROXY_WLAN && return 2
if [ -x /etc/init.d/NetworkManager ] ; then
/etc/init.d/NetworkManager status || /etc/init.d/NetworkManager start || return 3
else
proxy_rc_service NetworkManager status >/dev/null \
|| proxy_rc_service NetworkManager start || return 3$?
fi
nm-online -t 0 -x || return 4$?
return 0
}
## proxy_whonix_down - call when the network goes down
proxy_whonix_down () {
# $PREFIX/bin/proxy_ping_test.bash "$MODE" || return 1$?
proxy_ping_online && return 0 # dont do anything
# nothing to do?
return 0
}
## proxy_whonix_up - call when the network comes up
proxy_whonix_up () {
# $PREFIX/bin/proxy_ping_test.bash "$MODE" || return 1$?
proxy_ping_online || return 0 # dont do anything
return 0
}
## proxy_whonix_start_wget
proxy_whonix_start_wget () {
return 0
if [ -f /etc/wgetrc ] ; then
sp=https://127.0.0.1:3128
grep -q ^https_proxy /etc/wgetrc && \
sed -e "s@https_proxy.*@https_proxy = $sp@" -i /etc/wgetrc
grep -q ^https_proxy /etc/wgetrc && \
echo "https_proxy = $sp" >> /etc/wgetrc
grep -q ^http_proxy /etc/wgetrc && \
sed -e "s@http_proxy.*@http_proxy = $sp@" -i /etc/wgetrc
grep -q ^http_proxy /etc/wgetrc || \
echo "http_proxy = $sp" >> /etc/wgetrc
fi
sp=http://127.0.0.1:3128
for elt_proxy in http https ; do
grep -q ^$elt_proxy /etc/wgetrc && \
sed -e "s@$elt_proxy.*@$elt_proxy = $sp@" -i /etc/wgetrc || \
echo "$elt_proxy = $sp" >> /etc/wgetrc
done
return 0
}
if [ -x /usr/bin/basename ] && [ $( /usr/bin/basename -- $0 .bash ) = $base ] ; then
[ "$#" -eq 0 ] && exit 0
[ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && \
echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//'|sort && \
exit 0
DBUG $base "$@"
eval "$@"
exit $?
fi

2
overlay/Linux/usr/local/sbin/proxy_whonix_tor_start.bash Executable file
View File

@ -0,0 +1,2 @@
#!/bin/bash
exec sh proxy_whonix_gateway_tor.bash "$@"

93
overlay/Linux/usr/local/share/doc/txt/gitconfig3.txt Normal file
View File

@ -0,0 +1,93 @@
# -*-mode: doctest; tab-width: 0; py-indent-offset: 4; coding: utf-8-unix -*-
== testserver box testing ==
>>> import os # doctest: +REPORT_ONLY_FIRST_FAILURE
This is a Python doctest file that is executable documentation.
It is built to run in the host against a Vagranted VirtualBox, and is run
from the directory that contains the box's {{{.vagrant}}} subdirectory.
>>> import subprocess
>>> import sys
>>> import time
And, now run tests against the box.
>>> sys.stderr.write("Running tests against box" +'\n')
26
=== Box settings ===
We'll need the settings defined in {{{/usr/local/etc/testforge/testforge.yml}}}
>>> import yaml
>>> sFacts = open('/usr/local/etc/testforge/testforge.yml', 'rt').read()
>>> assert sFacts
>>> dFacts = yaml.safe_load(sFacts)
=== .gitconfig ===
We have a .gitconfig file in this directory that has our template
of what we need up in the box to checkout from https://git.example.com
You can edit the file and customize it, and we will use it as a
Python string template, so look out for the {{{%()s}}} template fields.
>>> sDir = os.path.dirname(__file__)
>>> sFile = os.path.join(sDir, example.gitconfig')
>>> assert os.path.isfile(sFile), "ERROR: File not found " +sFile
>>> sGitConfig = open(sFile, 'r').read()
>>> assert sGitConfig, "ERROR: Nothing in " +sFile
We will look for the environment variables:
* {{{AAA_CERT}}} for the filename of your example certificate
* {{{AAA_KEY}}} for the filename of your example key
>>> sCertFile = os.environ.get('AAA_CERT')
>>> assert sCertFile, "ERROR: we need AAA_CERT set in the environment"
>>> assert os.path.isfile(sCertFile), "ERROR: the AAA_CERT in the environment is not a file"
>>> sKeyFile = os.environ.get('AAA_KEY')
>>> assert sKeyFile, "ERROR: we need AAA_KEY set in the environment"
>>> assert os.path.isfile(sKeyFile), "ERROR: the AAA_KEY in the environment is not a file"
>>> sIdentityFile = os.path.expandvars('$HOME/.ssh/id_rsa')
>>> assert os.path.isfile(sIdentityFile), "ERROR: the file ~/.ssh/id_rsa is not a file"
The directory we push to should have been created by Ansible.
>>> sBoxHome = dFacts['BOX_HOME']
>>> sDir = sBoxHome +'/etc/ssl/keys'
>>> run( "[ -d " +sDir +" ] || mkdir -p " +sDir) or None
We will push these files up to the box so that we can use them.
>>> sUser = os.environ.get('USERNAME') or os.environ.get('USER')
>>> sTo = 'dd of=%s/%s@example.com-nodes.key' % (sDir, sUser,)
>>> ssh_run_with_stdin(sTo, sKeyFile) or None
>>> sTo = 'dd of=%s/%s@example.com-clcerts.key' % (sDir, sUser,)
>>> ssh_run_with_stdin(sTo, sCertFile) or None
>>> sTo = 'dd of=%s/%s@example.com-id_rsa' % (sDir, sUser,)
>>> ssh_run_with_stdin(sTo, sIdentityFile) or None
>>> sToDir = '%s/%s@*' % (sDir, sUser,)
>>> run( "chown 600 " +sToDir) or None
Now we have the cert and key up we can write our templated {{{~/.gitconfig}}}
>>> sTempDir = os.environ.get('temp') or os.environ.get('TMP') or '/tmp'
>>> assert os.path.isdir(sTempDir)
>>> sFile = os.path.join(sTempDir, '.gitconfig')
>>> oFile = open(sFile, 'w')
>>> sGitConfig = sGitConfig % dict(USER=sUser, KEYSDIR=sDir,
... BOX_HOME=sBoxHome)
>>> try:
... oFile.write(sGitConfig)
... finally:
... oFile.close()
>>> assert os.path.isfile(sFile)
>>> sTo = sBoxHome +'/.gitconfig'
>>> ssh_run_with_stdin('dd of=' +sTo, sFile) or None
>>> sys.stderr.write("Wrote templated .gitconfig to " +sFile +'\n')
QED.

93
overlay/Linux/usr/local/share/doc/txt/gitconfigV.txt Normal file
View File

@ -0,0 +1,93 @@
# -*-mode: doctest; tab-width: 0; py-indent-offset: 4; coding: utf-8-unix -*-
== testserver box testing ==
>>> import os # doctest: +REPORT_ONLY_FIRST_FAILURE
This is a Python doctest file that is executable documentation.
It is built to run in the host against a Vagranted VirtualBox, and is run
from the directory that contains the box's {{{.vagrant}}} subdirectory.
>>> import subprocess
>>> import sys
>>> import time
And, now run tests locally
>>> sys.stderr.write("Running tests locally" +'\n')
22
=== Box settings ===
We'll need the settings defined in {{{/usr/local/etc/testforge/testforge.yml}}}
>>> import yaml
>>> sFacts = open('/usr/local/etc/testforge/testforge.yml', 'rt').read()
>>> assert sFacts
>>> dFacts = yaml.safe_load(sFacts)
=== .gitconfig ===
We have a .gitconfig file in this directory that has our template
of what we need up in the box to checkout from https://git.example.com
You can edit the file and customize it, and we will use it as a
Python string template, so look out for the {{{%()s}}} template fields.
>>> sDir = '/var/local/share/doc/txt'
>>> sFile = os.path.join(sDir, 'example.gitconfig')
>>> assert os.path.isfile(sFile), "ERROR: File not found " +sFile
>>> sGitConfig = open(sFile, 'r').read()
>>> assert sGitConfig, "ERROR: Nothing in " +sFile
We will look for the environment variables:
* {{{AAA_CERT}}} for the filename of your example certificate
* {{{AAA_KEY}}} for the filename of your example key
>>> sCertFile = os.environ.get('AAA_CERT')
>>> assert sCertFile, "ERROR: we need AAA_CERT set in the environment"
>>> assert os.path.isfile(sCertFile), "ERROR: the AAA_CERT in the environment is not a file"
>>> sKeyFile = os.environ.get('AAA_KEY')
>>> assert sKeyFile, "ERROR: we need AAA_KEY set in the environment"
>>> assert os.path.isfile(sKeyFile), "ERROR: the AAA_KEY in the environment is not a file"
>>> sIdentityFile = os.path.expandvars('$HOME/.ssh/id_rsa')
>>> assert os.path.isfile(sIdentityFile), "ERROR: the file ~/.ssh/id_rsa is not a file"
The directory we push to should have been created by Ansible.
>>> sBoxHome = dFacts['BOX_HOME']
>>> sDir = sBoxHome +'/etc/ssl/keys'
>>> run( "[ -d " +sDir +" ] || mkdir -p " +sDir) or None
We will push these files up to the box so that we can use them.
>>> sUser = os.environ.get('USERNAME') or os.environ.get('USER')
>>> sTo = 'dd of=%s/%s@example.com-nodes.key' % (sDir, sUser,)
>>> ssh_run_with_stdin(sTo, sKeyFile) or None
>>> sTo = 'dd of=%s/%s@example.com-clcerts.key' % (sDir, sUser,)
>>> ssh_run_with_stdin(sTo, sCertFile) or None
>>> sTo = 'dd of=%s/%s@example.com-id_rsa' % (sDir, sUser,)
>>> ssh_run_with_stdin(sTo, sIdentityFile) or None
>>> sToDir = '%s/%s@*' % (sDir, sUser,)
>>> run( "chown 600 " +sToDir) or None
Now we have the cert and key up we can write our templated {{{~/.gitconfig}}}
>>> sTempDir = os.environ.get('temp') or os.environ.get('TMP') or '/tmp'
>>> assert os.path.isdir(sTempDir)
>>> sFile = os.path.join(sTempDir, '.gitconfig')
>>> oFile = open(sFile, 'w')
>>> sGitConfig = sGitConfig % dict(USER=sUser, KEYSDIR=sDir,
... BOX_HOME=sBoxHome)
>>> try:
... oFile.write(sGitConfig)
... finally:
... oFile.close()
>>> assert os.path.isfile(sFile)
>>> sTo = sBoxHome +'/.gitconfig'
>>> ssh_run_with_stdin('dd of=' +sTo, sFile) or None
>>> sys.stderr.write("Wrote templated .gitconfig to " +sFile +'\n')
QED.

21
overlay/Linux/usr/local/share/doc/txt/proxy2.txt Normal file
View File

@ -0,0 +1,21 @@
# -*-mode: doctest; tab-width: 0; py-indent-offset: 4; coding: utf-8-unix -*-
== proxy box testing ==
This is a Python doctest file that is executable documentation.
It is built to run against a Vagranted VirtualBox, and is run from the
directory that contains the box's {{{.vagrant}}} subdirectory.
>>> import subprocess
>>> import sys
>>> import time
And, now run tests against the box.
>>> print("Running tests against box", file=sys.stderr)
We should be able to get a page from our proxy
>>> sUrl = 'http://' +myip +':3128/'
>>> print ssh_run('wget -O - -q %s | grep Polipo | head -1' % (sUrl,))
<title>Welcome to Polipo</title>

47
overlay/Linux/usr/local/share/doc/txt/proxy3.txt Normal file
View File

@ -0,0 +1,47 @@
#!/var/local/bin/testforge_run_doctest3.bash
# -*-mode: doctest; tab-width: 0; py-indent-offset: 4; coding: utf-8-unix -*-
== proxy testing ==
This is a Python doctest file that is executable documentation.
>>> import os,sys # doctest: +REPORT_ONLY_FIRST_FAILURE
And, now run tests against the box.
>>> sys.stderr.write("Running tests against box" +'\n')
2...
=== Box settings ===
We'll need the settings defined in {{{/usr/local/etc/testforge/testforge.yml}}}
>>> import yaml
>>> sFacts = run('cat /usr/local/etc/testforge/testforge.yml')
>>> assert sFacts
>>> dFacts = yaml.safe_load(sFacts)
=== /var/local/bin/proxy_hourly.bash ===
>>> os.system("/usr/local/bin/proxy_hourly.bash")
0
=== /var/local/src check ===
>>> os.chdir ('/usr/local/src')
>>> os.system('sh usr_local_proxy.bash check')
0
=== /var/local/src test ===
>>> os.chdir ('/usr/local/src')
>>> os.system('sh usr_local_proxy.bash test')
0
=== /var/local/src lint ===
>>> os.chdir ('/usr/local/src')
>>> os.system('sh usr_local_proxy.bash lint')
0

7
overlay/Linux/usr/local/share/sed/fact_to_bash.sed Normal file
View File

@ -0,0 +1,7 @@
# ROLE=proxy
s@u*'@@g
s@^ *@@
s@\[@"@
s@\]@"@
s@, @ @g
s@^@export @

80
overlay/Linux/usr/local/share/whonix-libvirt/xml/Kicksecure.xml Normal file
View File

@ -0,0 +1,80 @@
<domain type='kvm'>
<name>Kicksecure</name>
<description>Do not change any settings if you do not understand the consequences! Learn more: https://www.whonix.org/wiki/KVM#XML_Settings</description>
<genid/>
<memory dumpCore='off' unit='KiB'>2097152</memory>
<currentMemory unit='KiB'>2097152</currentMemory>
<memoryBacking>
<allocation mode='ondemand'/>
<discard/>
<nosharepages/>
</memoryBacking>
<blkiotune>
<weight>250</weight>
</blkiotune>
<vcpu placement='static' cpuset='1'>1</vcpu>
<os>
<type>hvm</type>
<boot dev='hd'/>
</os>
<features>
<acpi/>
<hap/>
<pvspinlock state='on'/>
<pmu state='off'/>
<vmport state='off'/>
</features>
<cpu mode='host-passthrough'/>
<clock offset='utc'>
<timer name='rtc' present='no'/>
<timer name='kvmclock' present='no'/>
<timer name='pit' present='no'/>
<timer name='hpet' present='no'/>
<timer name='hypervclock' present='no'/>
</clock>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>restart</on_crash>
<pm>
<suspend-to-mem enabled='no'/>
<suspend-to-disk enabled='no'/>
</pm>
<devices>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='/var/lib/libvirt/images/Kicksecure.qcow2'/>
<target dev='vda' bus='virtio'/>
</disk>
<interface type='network'>
<source network='default'/>
<model type='virtio'/>
<driver name='qemu'/>
</interface>
<controller type='virtio-serial' index='0'/>
<serial type='pty'>
<target port='0'/>
</serial>
<console type='pty'>
<target type='serial' port='0'/>
</console>
<channel type='spicevmc'>
<target type='virtio' name='com.redhat.spice.0'/>
<address type='virtio-serial' controller='0' bus='0' port='1'/>
</channel>
<graphics type='spice' autoport='yes'>
<clipboard copypaste='no'/>
<filetransfer enable='no'/>
<gl enable='no'/>
</graphics>
<sound model='ich6'>
<codec type='output'/>
</sound>
<video>
<model type='virtio' heads='1' primary='yes'/>
</video>
<memballoon model='none'/>
<rng model='virtio'>
<backend model='random'>/dev/urandom</backend>
</rng>
</devices>
</domain>

80
overlay/Linux/usr/local/share/whonix-libvirt/xml/Whonix-Custom-Workstation.xml Normal file
View File

@ -0,0 +1,80 @@
<domain type='kvm'>
<name>Whonix-Custom-Workstation</name>
<description>Do not change any settings if you do not understand the consequences! Learn more: https://www.whonix.org/wiki/KVM#XML_Settings</description>
<genid/>
<memory dumpCore='off' unit='KiB'>2097152</memory>
<currentMemory unit='KiB'>2097152</currentMemory>
<memoryBacking>
<allocation mode='ondemand'/>
<discard/>
<nosharepages/>
</memoryBacking>
<blkiotune>
<weight>250</weight>
</blkiotune>
<vcpu placement='static' cpuset='1'>1</vcpu>
<os>
<type>hvm</type>
<boot dev='hd'/>
</os>
<features>
<acpi/>
<hap/>
<pvspinlock state='on'/>
<pmu state='off'/>
<vmport state='off'/>
</features>
<cpu mode='host-passthrough'/>
<clock offset='utc'>
<timer name='rtc' present='no'/>
<timer name='kvmclock' present='no'/>
<timer name='pit' present='no'/>
<timer name='hpet' present='no'/>
<timer name='hypervclock' present='no'/>
</clock>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>restart</on_crash>
<pm>
<suspend-to-mem enabled='no'/>
<suspend-to-disk enabled='no'/>
</pm>
<devices>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='/var/lib/libvirt/images/Whonix-Custom-Workstation.qcow2'/>
<target dev='vda' bus='virtio'/>
</disk>
<interface type='network'>
<source network='Whonix-Internal'/>
<model type='virtio'/>
<driver name='qemu'/>
</interface>
<controller type='virtio-serial' index='0'/>
<serial type='pty'>
<target port='0'/>
</serial>
<console type='pty'>
<target type='serial' port='0'/>
</console>
<channel type='spicevmc'>
<target type='virtio' name='com.redhat.spice.0'/>
<address type='virtio-serial' controller='0' bus='0' port='1'/>
</channel>
<graphics type='spice' autoport='yes'>
<clipboard copypaste='no'/>
<filetransfer enable='no'/>
<gl enable='no'/>
</graphics>
<sound model='ich6'>
<codec type='output'/>
</sound>
<video>
<model type='virtio' heads='1' primary='yes'/>
</video>
<memballoon model='none'/>
<rng model='virtio'>
<backend model='random'>/dev/urandom</backend>
</rng>
</devices>
</domain>

6
overlay/Linux/usr/local/share/whonix-libvirt/xml/Whonix-External.xml Normal file
View File

@ -0,0 +1,6 @@
<network>
<name>Whonix-External</name>
<forward mode='nat'/>
<bridge name='virbr1' stp='on' delay='0'/>
<ip address='10.0.2.2' netmask='255.255.255.0'/>
</network>

82
overlay/Linux/usr/local/share/whonix-libvirt/xml/Whonix-Gateway.xml Normal file
View File

@ -0,0 +1,82 @@
<domain type='kvm'>
<name>Whonix-Gateway</name>
<description>Do not change any settings if you do not understand the consequences! Learn more: https://www.whonix.org/wiki/KVM#XML_Settings</description>
<genid/>
<memory dumpCore='off' unit='KiB'>524288</memory>
<currentMemory unit='KiB'>524288</currentMemory>
<memoryBacking>
<allocation mode='ondemand'/>
<discard/>
<nosharepages/>
</memoryBacking>
<blkiotune>
<weight>250</weight>
</blkiotune>
<vcpu placement='static' cpuset='0'>1</vcpu>
<os>
<type>hvm</type>
<boot dev='hd'/>
</os>
<features>
<acpi/>
<hap/>
<pvspinlock state='on'/>
<pmu state='off'/>
<vmport state='off'/>
</features>
<cpu mode='host-passthrough'/>
<clock offset='utc'>
<timer name='rtc' tickpolicy='catchup' track='guest'/>
<timer name='kvmclock' present='yes'/>
<timer name='pit' present='no'/>
<timer name='hpet' present='no'/>
<timer name='hypervclock' present='no'/>
</clock>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>restart</on_crash>
<pm>
<suspend-to-mem enabled='no'/>
<suspend-to-disk enabled='no'/>
</pm>
<devices>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='/var/lib/libvirt/images/Whonix-Gateway.qcow2'/>
<target dev='vda' bus='virtio'/>
</disk>
<interface type='network'>
<source network='Whonix-External'/>
<model type='virtio'/>
<driver name='qemu'/>
</interface>
<interface type='network'>
<source network='Whonix-Internal'/>
<model type='virtio'/>
<driver name='qemu'/>
</interface>
<controller type='virtio-serial' index='0'/>
<serial type='pty'>
<target port='0'/>
</serial>
<console type='pty'>
<target type='serial' port='0'/>
</console>
<channel type='spicevmc'>
<target type='virtio' name='com.redhat.spice.0'/>
<address type='virtio-serial' controller='0' bus='0' port='1'/>
</channel>
<graphics type='spice' autoport='yes'>
<clipboard copypaste='yes'/>
<filetransfer enable='no'/>
<gl enable='no'/>
</graphics>
<video>
<model type='virtio' heads='1' primary='yes'/>
</video>
<memballoon model='none'/>
<rng model='virtio'>
<backend model='random'>/dev/urandom</backend>
</rng>
</devices>
</domain>

4
overlay/Linux/usr/local/share/whonix-libvirt/xml/Whonix-Internal.xml Normal file
View File

@ -0,0 +1,4 @@
<network>
<name>Whonix-Internal</name>
<bridge name='virbr2' stp='on' delay='0'/>
</network>

80
overlay/Linux/usr/local/share/whonix-libvirt/xml/Whonix-Workstation.xml Normal file
View File

@ -0,0 +1,80 @@
<domain type='kvm'>
<name>Whonix-Workstation</name>
<description>Do not change any settings if you do not understand the consequences! Learn more: https://www.whonix.org/wiki/KVM#XML_Settings</description>
<genid/>
<memory dumpCore='off' unit='KiB'>2097152</memory>
<currentMemory unit='KiB'>2097152</currentMemory>
<memoryBacking>
<allocation mode='ondemand'/>
<discard/>
<nosharepages/>
</memoryBacking>
<blkiotune>
<weight>250</weight>
</blkiotune>
<vcpu placement='static' cpuset='1'>1</vcpu>
<os>
<type>hvm</type>
<boot dev='hd'/>
</os>
<features>
<acpi/>
<hap/>
<pvspinlock state='on'/>
<pmu state='off'/>
<vmport state='off'/>
</features>
<cpu mode='host-passthrough'/>
<clock offset='utc'>
<timer name='rtc' present='no'/>
<timer name='kvmclock' present='no'/>
<timer name='pit' present='no'/>
<timer name='hpet' present='no'/>
<timer name='hypervclock' present='no'/>
</clock>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>restart</on_crash>
<pm>
<suspend-to-mem enabled='no'/>
<suspend-to-disk enabled='no'/>
</pm>
<devices>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='/var/lib/libvirt/images/Whonix-Workstation.qcow2'/>
<target dev='vda' bus='virtio'/>
</disk>
<interface type='network'>
<source network='Whonix-Internal'/>
<model type='virtio'/>
<driver name='qemu'/>
</interface>
<controller type='virtio-serial' index='0'/>
<serial type='pty'>
<target port='0'/>
</serial>
<console type='pty'>
<target type='serial' port='0'/>
</console>
<channel type='spicevmc'>
<target type='virtio' name='com.redhat.spice.0'/>
<address type='virtio-serial' controller='0' bus='0' port='1'/>
</channel>
<graphics type='spice' autoport='yes'>
<clipboard copypaste='no'/>
<filetransfer enable='no'/>
<gl enable='no'/>
</graphics>
<sound model='ich6'>
<codec type='output'/>
</sound>
<video>
<model type='virtio' heads='1' primary='yes'/>
</video>
<memballoon model='none'/>
<rng model='virtio'>
<backend model='random'>/dev/urandom</backend>
</rng>
</devices>
</domain>

300
overlay/Linux/usr/local/src/helper-scripts/anondate Executable file
View File

@ -0,0 +1,300 @@
#!/bin/bash
## Copyright (C) Amnesia <amnesia at boum dot org>
## Copyright (C) 2014 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
set -o pipefail
export TOR_LOG="/var/log/tor/log"
if [ -d /var/lib/tor/data ] ; then
export TOR_DIR=/var/lib/tor/data
elif [ -d /var/lib/tor ] ; then
export TOR_DIR=/var/lib/tor
fi
USAGE="
--has-consensus
--current-time-in-valid-range
--show-valid-after
--show-valid-until
--show-middle-range
--tor-cert-lifetime-invalid
--tor-cert-valid-after
--verified-only
--prefer-verified
--unverified-only
--user-permission
--group-permission
"
variables () {
[ -n "$TOR_RC" ] || TOR_RC="/etc/tor/torrc"
[ -n "$TOR_LOG" ] || TOR_LOG="/run/tor/log"
[ -n "$TOR_DIR" ] || TOR_DIR="/var/lib/tor"
[ -n "$TOR_DESCRIPTORS" ] || TOR_DESCRIPTORS="${TOR_DIR}/cached-microdescs"
[ -n "$NEW_TOR_DESCRIPTORS" ] || NEW_TOR_DESCRIPTORS="${TOR_DESCRIPTORS}.new"
[ -n "$TOR_CONSENSUS" ] || TOR_CONSENSUS="${TOR_DIR}/cached-microdesc-consensus"
[ -n "$TOR_UNVERIFIED_CONSENSUS" ] || TOR_UNVERIFIED_CONSENSUS="${TOR_DIR}/unverified-microdesc-consensus"
[ -n "$DATE_RE" ] || DATE_RE='[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]'
}
parse_cmd_options() {
## Thanks to:
## http://mywiki.wooledge.org/BashFAQ/035
while :
do
case $1 in
--verbose)
echo "$SCRIPTNAME verbose output..."
echo "Script running as $(whoami)"
set -x
true "$0: $@"
shift
;;
--has-consensus)
has_consensus_="true"
shift
;;
--current-time-in-valid-range)
current_time_in_valid_range_="true"
shift
;;
--show-valid-after)
show_valid_after_="true"
shift
;;
--show-valid-until)
show_valid_until_="true"
shift
;;
--show-middle-range)
show_middle_range_="true"
shift
;;
--tor-cert-lifetime-invalid)
tor_cert_lifetime_invalid_="true"
shift
;;
--tor-cert-valid-after)
tor_cert_valid_after_="true"
shift
;;
--verified-only)
verified_only_="true"
shift
;;
--prefer-verified)
prefer_verified_="true"
shift
;;
--unverified-only)
unverified_only_="true"
shift
;;
--user-permission)
user_permission_="true"
shift
;;
--group-permission)
group_permission_="true"
shift
;;
--)
shift
break
;;
-*)
echo "$SCRIPTNAME unknown option: $1" >&2
exit 111
;;
*)
break
;;
esac
done
## If there are input files (for example) that follow the options, they
## will remain in the "$@" positional parameters.
if [ "$verified_only_" = "true" ]; then
consensus="$TOR_CONSENSUS"
elif [ "$prefer_verified_" = "true" ]; then
if [ -e "${TOR_CONSENSUS}" ]; then
consensus="$TOR_CONSENSUS"
else
consensus="$TOR_UNVERIFIED_CONSENSUS"
fi
elif [ "$unverified_only_" = "true" ]; then
consensus="$TOR_UNVERIFIED_CONSENSUS"
else
consensus="$TOR_CONSENSUS"
fi
if [ "$has_consensus_" = "true" ]; then
has_consensus
exit "$?"
fi
if [ "$current_time_in_valid_range_" = "true" ]; then
current_time_is_in_valid_range
exit "$?"
fi
if [ "$show_valid_after_" = "true" ]; then
show-valid-after
exit "$?"
fi
if [ "$show_valid_until_" = "true" ]; then
show-valid-until
exit "$?"
fi
if [ "$show_middle_range_" = "true" ]; then
show-middle-range
exit "$?"
fi
if [ "$tor_cert_lifetime_invalid_" = "true" ]; then
tor_cert_lifetime_invalid
exit "$?"
fi
if [ "$tor_cert_valid_after_" = "true" ]; then
tor_cert_valid_after
exit "$?"
fi
if [ "$user_permission_" = "true" ]; then
user_permission
exit "$?"
fi
if [ "$group_permission_" = "true" ]; then
group_permission
exit "$?"
fi
echo "USAGE: $0 $USAGE"
exit 1
}
root_check() {
if [ "$(id -u)" != "0" ]; then
echo "ERROR: Must run as root."
exit 112
fi
}
has_consensus() {
if [ ! -r "$consensus" ]; then
exit 4
fi
local grep_exit_code="0"
grep -qs "^valid-until ${DATE_RE}"'$' "$consensus" || { grep_exit_code="$?" ; true; };
if [ "$grep_exit_code" = "0" ]; then
return 0
else
return 1
fi
}
show-valid-after() {
vstart="$(sed -n "/^valid-after \(${DATE_RE}\)"'$/s//\1/p; t q; b; :q q' ${consensus})" || exit 1
if [ "$show_valid_after_" = "true" ]; then
echo "$vstart"
fi
}
show-valid-until() {
vend="$(sed -n "/^valid-until \(${DATE_RE}\)"'$/s//\1/p; t q; b; :q q' ${consensus})" || exit 1
if [ "$show_valid_until_" = "true" ]; then
echo "$vend"
fi
}
show-middle-range() {
show-valid-after
show-valid-until
vmid="$(date -ud "${vstart} -0130" +'%F %T')" || exit 1
if [ "$show_middle_range_" = "true" ]; then
echo "$vmid"
fi
}
current_time_is_in_valid_range() {
show-middle-range
## {{ Sanity Test
## Debugging.
#vend="2099-09-03 09:41:29"
vendchk="$(date -ud "${vstart} -0300" +'%F %T')"
if [ ! "${vend}" = "${vendchk}" ]; then
echo "ERROR: Unexpected valid-until: [${vend}] is not [${vstart} + 3h]"
return 1
fi
## Sanity Test
curdate="$(date -u +'%F %T')"
## Debugging.
#curdate="2099-09-03 09:41:29"
vendcons="$(date -ud "${vstart} -0230" +'%F %T')"
order="${vstart}
${curdate}
${vendcons}"
ordersrt="$(echo "${order}" | sort)"
if [ "${order}" = "${ordersrt}" ]; then
return 0
fi
echo WARN: failed Sanity Test
echo INFO: 'expected' $order
echo INFO: 'got ' $ordersrt
return 1
}
tor_cert_lifetime_invalid() {
if [ ! -r "$TOR_LOG" ]; then
return 3
fi
## TODO:
## To be sure that we only grep relevant information, we
## should delete the log when Tor is started, which we do
## TODO:
## in 10-tor.sh.
## Example Tor log:
## Sep 03 10:32:59.000 [warn] Certificate already expired. Either their clock is set wrong, or your clock is wrong.
## Sep 03 10:32:59.000 [warn] (certificate lifetime runs from Aug 16 00:00:00 2014 GMT through Jul 29 23:59:59 2015 GMT. Your time is Sep 03 10:32:59 2015 UTC.)
## The log severity will be "warn" if bootstrapping with
## authorities and "info" with bridges.
grep "\[\(warn\|info\)\] Certificate \(not yet valid\|already expired\)\." "${TOR_LOG}" | tail -n 1
if [ "$?" = "0" ]; then
return 0
else
return 1
fi
}
tor_cert_valid_after() {
if [ ! -r "$TOR_LOG" ]; then
return 3
fi
## Only print the last = freshest match
sed -n 's/^.*certificate lifetime runs from \(.*\) through.*$/\1/p' "${TOR_LOG}" | tail -n 1
## Example output:
## Jun 16 00:00:00 2014 GMT
## sudo: timestamp too far in the future: Jun 16 00:00:00 2014 GMT
return 0
}
user_permission() {
stat -c "%U" "$consensus"
}
group_permission() {
stat -c "%G" "$consensus"
}
root_check
variables
parse_cmd_options "$@"

27
overlay/Linux/usr/local/src/helper-scripts/anondate-tester Normal file
View File

@ -0,0 +1,27 @@
#!/bin/bash
export TOR_LOG="/var/log/tor/log"
export TOR_DIR=/var/lib/tor/data
cmd_item_list=(
"--has-consensus"
"--current-time-in-valid-range"
"--show-valid-after"
"--show-valid-until"
"--show-middle-range"
"--tor-cert-lifetime-invalid"
"--tor-cert-valid-after"
)
for cmd_item in ${cmd_item_list[@]} ; do
output="$(/usr/local/lib64/helper-scripts/anondate $cmd_item $@)"
exit_code="$?"
if [ $exit_code -eq 0 ] ; then
echo "INFO: /usr/local/lib64/helper-scripts/anondate $cmd_item $@"
echo "output: $output"
else
echo "WARN: /usr/local/lib64/helper-scripts/anondate $cmd_item $@"
echo -n "exit_code: $exit_code "
echo "output: $output"
fi
done

45
overlay/Linux/usr/local/src/helper-scripts/anondate-tester.diff Normal file
View File

@ -0,0 +1,45 @@
*** anondate-tester.dst 2015-10-21 00:00:00.000000000 +0000
--- anondate-tester 2020-12-20 22:02:49.000000000 +0000
***************
*** 1,8 ****
--- 1,9 ----
#!/bin/bash
export TOR_LOG="/var/log/tor/log"
+ export TOR_DIR=/var/lib/tor/data
cmd_item_list=(
"--has-consensus"
"--current-time-in-valid-range"
"--show-valid-after"
***************
*** 11,22 ****
"--tor-cert-lifetime-invalid"
"--tor-cert-valid-after"
)
for cmd_item in ${cmd_item_list[@]} ; do
! echo "cmd_item: /usr/local/lib64/helper-scripts/anondate $cmd_item $@"
! output="$(/usr/local/lib64/helper-scripts/anondate $cmd_item $@)"
exit_code="$?"
! echo "output: $output"
! echo "exit_code: $exit_code"
! echo "----------"
done
--- 12,27 ----
"--tor-cert-lifetime-invalid"
"--tor-cert-valid-after"
)
for cmd_item in ${cmd_item_list[@]} ; do
! output="$(/usr/local/lib64/helper-scripts/anondate $cmd_item $@)"
exit_code="$?"
! if [ $exit_code -eq 0 ] ; then
! echo "INFO: /usr/local/lib64/helper-scripts/anondate $cmd_item $@"
! echo "output: $output"
! else
! echo "WARN: /usr/local/lib64/helper-scripts/anondate $cmd_item $@"
! echo -n "exit_code: $exit_code "
! echo "output: $output"
! fi
done

22
overlay/Linux/usr/local/src/helper-scripts/anondate-tester.dst Executable file
View File

@ -0,0 +1,22 @@
#!/bin/bash
export TOR_LOG="/var/log/tor/log"
cmd_item_list=(
"--has-consensus"
"--current-time-in-valid-range"
"--show-valid-after"
"--show-valid-until"
"--show-middle-range"
"--tor-cert-lifetime-invalid"
"--tor-cert-valid-after"
)
for cmd_item in ${cmd_item_list[@]} ; do
echo "cmd_item: /usr/local/lib64/helper-scripts/anondate $cmd_item $@"
output="$(/usr/local/lib64/helper-scripts/anondate $cmd_item $@)"
exit_code="$?"
echo "output: $output"
echo "exit_code: $exit_code"
echo "----------"
done

307
overlay/Linux/usr/local/src/helper-scripts/anondate.diff Normal file
View File

@ -0,0 +1,307 @@
*** anondate.dst 2015-10-21 00:00:00.000000000 +0000
--- anondate-tester 2020-12-20 22:02:49.000000000 +0000
***************
*** 1,275 ****
#!/bin/bash
! ## Copyright (C) Amnesia <amnesia at boum dot org>
! ## Copyright (C) 2014 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
! ## See the file COPYING for copying conditions.
! set -o pipefail
!
! variables() {
! [ -n "$TOR_RC" ] || TOR_RC="/etc/tor/torrc"
! [ -n "$TOR_LOG" ] || TOR_LOG="/run/tor/log"
! [ -n "$TOR_DIR" ] || TOR_DIR="/var/lib/tor"
! [ -n "$TOR_DESCRIPTORS" ] || TOR_DESCRIPTORS="${TOR_DIR}/cached-microdescs"
! [ -n "$NEW_TOR_DESCRIPTORS" ] || NEW_TOR_DESCRIPTORS="${TOR_DESCRIPTORS}.new"
! [ -n "$TOR_CONSENSUS" ] || TOR_CONSENSUS="${TOR_DIR}/cached-microdesc-consensus"
! [ -n "$TOR_UNVERIFIED_CONSENSUS" ] || TOR_UNVERIFIED_CONSENSUS="${TOR_DIR}/unverified-microdesc-consensus"
! [ -n "$DATE_RE" ] || DATE_RE='[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]'
! }
!
! parse_cmd_options() {
! ## Thanks to:
! ## http://mywiki.wooledge.org/BashFAQ/035
!
! while :
! do
! case $1 in
! --verbose)
! echo "$SCRIPTNAME verbose output..."
! echo "Script running as $(whoami)"
! set -x
! true "$0: $@"
! shift
! ;;
! --has-consensus)
! has_consensus_="true"
! shift
! ;;
! --current-time-in-valid-range)
! current_time_in_valid_range_="true"
! shift
! ;;
! --show-valid-after)
! show_valid_after_="true"
! shift
! ;;
! --show-valid-until)
! show_valid_until_="true"
! shift
! ;;
! --show-middle-range)
! show_middle_range_="true"
! shift
! ;;
! --tor-cert-lifetime-invalid)
! tor_cert_lifetime_invalid_="true"
! shift
! ;;
! --tor-cert-valid-after)
! tor_cert_valid_after_="true"
! shift
! ;;
! --verified-only)
! verified_only_="true"
! shift
! ;;
! --prefer-verified)
! prefer_verified_="true"
! shift
! ;;
! --unverified-only)
! unverified_only_="true"
! shift
! ;;
! --user-permission)
! user_permission_="true"
! shift
! ;;
! --group-permission)
! group_permission_="true"
! shift
! ;;
! --)
! shift
! break
! ;;
! -*)
! echo "$SCRIPTNAME unknown option: $1" >&2
! exit 111
! ;;
! *)
! break
! ;;
! esac
! done
!
! ## If there are input files (for example) that follow the options, they
! ## will remain in the "$@" positional parameters.
!
! if [ "$verified_only_" = "true" ]; then
! consensus="$TOR_CONSENSUS"
! elif [ "$prefer_verified_" = "true" ]; then
! if [ -e "${TOR_CONSENSUS}" ]; then
! consensus="$TOR_CONSENSUS"
! else
! consensus="$TOR_UNVERIFIED_CONSENSUS"
fi
! elif [ "$unverified_only_" = "true" ]; then
! consensus="$TOR_UNVERIFIED_CONSENSUS"
! else
! consensus="$TOR_CONSENSUS"
! fi
!
! if [ "$has_consensus_" = "true" ]; then
! has_consensus
! exit "$?"
! fi
! if [ "$current_time_in_valid_range_" = "true" ]; then
! current_time_is_in_valid_range
! exit "$?"
! fi
! if [ "$show_valid_after_" = "true" ]; then
! show-valid-after
! exit "$?"
! fi
! if [ "$show_valid_until_" = "true" ]; then
! show-valid-until
! exit "$?"
! fi
! if [ "$show_middle_range_" = "true" ]; then
! show-middle-range
! exit "$?"
! fi
! if [ "$tor_cert_lifetime_invalid_" = "true" ]; then
! tor_cert_lifetime_invalid
! exit "$?"
! fi
! if [ "$tor_cert_valid_after_" = "true" ]; then
! tor_cert_valid_after
! exit "$?"
! fi
! if [ "$user_permission_" = "true" ]; then
! user_permission
! exit "$?"
! fi
! if [ "$group_permission_" = "true" ]; then
! group_permission
! exit "$?"
! fi
!
! echo "No option chosen." 2>&1
! exit 1
! }
!
! root_check() {
! if [ "$(id -u)" != "0" ]; then
! echo "ERROR: Must run as root."
! exit 112
! fi
! }
!
! has_consensus() {
! if [ ! -r "$consensus" ]; then
! exit 4
! fi
! local grep_exit_code="0"
! grep -qs "^valid-until ${DATE_RE}"'$' "$consensus" || { grep_exit_code="$?" ; true; };
! if [ "$grep_exit_code" = "0" ]; then
! return 0
! else
! return 1
! fi
! }
!
! show-valid-after() {
! vstart="$(sed -n "/^valid-after \(${DATE_RE}\)"'$/s//\1/p; t q; b; :q q' ${consensus})" || exit 1
! if [ "$show_valid_after_" = "true" ]; then
! echo "$vstart"
! fi
! }
!
! show-valid-until() {
! vend="$(sed -n "/^valid-until \(${DATE_RE}\)"'$/s//\1/p; t q; b; :q q' ${consensus})" || exit 1
! if [ "$show_valid_until_" = "true" ]; then
! echo "$vend"
! fi
! }
!
! show-middle-range() {
! show-valid-after
! show-valid-until
! vmid="$(date -ud "${vstart} -0130" +'%F %T')" || exit 1
! if [ "$show_middle_range_" = "true" ]; then
! echo "$vmid"
! fi
! }
!
! current_time_is_in_valid_range() {
! show-middle-range
!
! ## {{ Sanity Test
! ## Debugging.
! #vend="2099-09-03 09:41:29"
! vendchk="$(date -ud "${vstart} -0300" +'%F %T')"
! if [ ! "${vend}" = "${vendchk}" ]; then
! echo "ERROR: Unexpected valid-until: [${vend}] is not [${vstart} + 3h]"
! exit 1
! fi
! ## }} Sanity Test
!
! curdate="$(date -u +'%F %T')"
! ## Debugging.
! #curdate="2099-09-03 09:41:29"
!
! vendcons="$(date -ud "${vstart} -0230" +'%F %T')"
! order="${vstart}
! ${curdate}
! ${vendcons}"
! ordersrt="$(echo "${order}" | sort)"
!
! if [ "${order}" = "${ordersrt}" ]; then
! exit 0
! else
! exit 1
! fi
! }
!
! tor_cert_lifetime_invalid() {
! if [ ! -r "$TOR_LOG" ]; then
! exit 3
! fi
!
! ## TODO:
! ## To be sure that we only grep relevant information, we
! ## should delete the log when Tor is started, which we do
! ## TODO:
! ## in 10-tor.sh.
!
! ## Example Tor log:
! ## Sep 03 10:32:59.000 [warn] Certificate already expired. Either their clock is set wrong, or your clock is wrong.
! ## Sep 03 10:32:59.000 [warn] (certificate lifetime runs from Aug 16 00:00:00 2014 GMT through Jul 29 23:59:59 2015 GMT. Your time is Sep 03 10:32:59 2015 UTC.)
!
! ## The log severity will be "warn" if bootstrapping with
! ## authorities and "info" with bridges.
! grep "\[\(warn\|info\)\] Certificate \(not yet valid\|already expired\)\." "${TOR_LOG}" | tail -n 1
! if [ "$?" = "0" ]; then
! return 0
! else
! return 1
! fi
! }
!
! tor_cert_valid_after() {
! if [ ! -r "$TOR_LOG" ]; then
! exit 3
! fi
!
! ## Only print the last = freshest match
! sed -n 's/^.*certificate lifetime runs from \(.*\) through.*$/\1/p' "${TOR_LOG}" | tail -n 1
!
! ## Example output:
! ## Jun 16 00:00:00 2014 GMT
! ## sudo: timestamp too far in the future: Jun 16 00:00:00 2014 GMT
! }
!
! user_permission() {
! stat -c "%U" "$consensus"
! }
!
! group_permission() {
! stat -c "%G" "$consensus"
! }
!
! root_check
! variables
! parse_cmd_options "$@"
--- 1,27 ----
#!/bin/bash
! export TOR_LOG="/var/log/tor/log"
! export TOR_DIR=/var/lib/tor/data
! cmd_item_list=(
! "--has-consensus"
! "--current-time-in-valid-range"
! "--show-valid-after"
! "--show-valid-until"
! "--show-middle-range"
! "--tor-cert-lifetime-invalid"
! "--tor-cert-valid-after"
! )
!
! for cmd_item in ${cmd_item_list[@]} ; do
! output="$(/usr/local/lib64/helper-scripts/anondate $cmd_item $@)"
! exit_code="$?"
! if [ $exit_code -eq 0 ] ; then
! echo "INFO: /usr/local/lib64/helper-scripts/anondate $cmd_item $@"
! echo "output: $output"
! else
! echo "WARN: /usr/local/lib64/helper-scripts/anondate $cmd_item $@"
! echo -n "exit_code: $exit_code "
! echo "output: $output"
fi
! done

275
overlay/Linux/usr/local/src/helper-scripts/anondate.dst Executable file
View File

@ -0,0 +1,275 @@
#!/bin/bash
## Copyright (C) Amnesia <amnesia at boum dot org>
## Copyright (C) 2014 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
set -o pipefail
variables() {
[ -n "$TOR_RC" ] || TOR_RC="/etc/tor/torrc"
[ -n "$TOR_LOG" ] || TOR_LOG="/run/tor/log"
[ -n "$TOR_DIR" ] || TOR_DIR="/var/lib/tor"
[ -n "$TOR_DESCRIPTORS" ] || TOR_DESCRIPTORS="${TOR_DIR}/cached-microdescs"
[ -n "$NEW_TOR_DESCRIPTORS" ] || NEW_TOR_DESCRIPTORS="${TOR_DESCRIPTORS}.new"
[ -n "$TOR_CONSENSUS" ] || TOR_CONSENSUS="${TOR_DIR}/cached-microdesc-consensus"
[ -n "$TOR_UNVERIFIED_CONSENSUS" ] || TOR_UNVERIFIED_CONSENSUS="${TOR_DIR}/unverified-microdesc-consensus"
[ -n "$DATE_RE" ] || DATE_RE='[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]'
}
parse_cmd_options() {
## Thanks to:
## http://mywiki.wooledge.org/BashFAQ/035
while :
do
case $1 in
--verbose)
echo "$SCRIPTNAME verbose output..."
echo "Script running as $(whoami)"
set -x
true "$0: $@"
shift
;;
--has-consensus)
has_consensus_="true"
shift
;;
--current-time-in-valid-range)
current_time_in_valid_range_="true"
shift
;;
--show-valid-after)
show_valid_after_="true"
shift
;;
--show-valid-until)
show_valid_until_="true"
shift
;;
--show-middle-range)
show_middle_range_="true"
shift
;;
--tor-cert-lifetime-invalid)
tor_cert_lifetime_invalid_="true"
shift
;;
--tor-cert-valid-after)
tor_cert_valid_after_="true"
shift
;;
--verified-only)
verified_only_="true"
shift
;;
--prefer-verified)
prefer_verified_="true"
shift
;;
--unverified-only)
unverified_only_="true"
shift
;;
--user-permission)
user_permission_="true"
shift
;;
--group-permission)
group_permission_="true"
shift
;;
--)
shift
break
;;
-*)
echo "$SCRIPTNAME unknown option: $1" >&2
exit 111
;;
*)
break
;;
esac
done
## If there are input files (for example) that follow the options, they
## will remain in the "$@" positional parameters.
if [ "$verified_only_" = "true" ]; then
consensus="$TOR_CONSENSUS"
elif [ "$prefer_verified_" = "true" ]; then
if [ -e "${TOR_CONSENSUS}" ]; then
consensus="$TOR_CONSENSUS"
else
consensus="$TOR_UNVERIFIED_CONSENSUS"
fi
elif [ "$unverified_only_" = "true" ]; then
consensus="$TOR_UNVERIFIED_CONSENSUS"
else
consensus="$TOR_CONSENSUS"
fi
if [ "$has_consensus_" = "true" ]; then
has_consensus
exit "$?"
fi
if [ "$current_time_in_valid_range_" = "true" ]; then
current_time_is_in_valid_range
exit "$?"
fi
if [ "$show_valid_after_" = "true" ]; then
show-valid-after
exit "$?"
fi
if [ "$show_valid_until_" = "true" ]; then
show-valid-until
exit "$?"
fi
if [ "$show_middle_range_" = "true" ]; then
show-middle-range
exit "$?"
fi
if [ "$tor_cert_lifetime_invalid_" = "true" ]; then
tor_cert_lifetime_invalid
exit "$?"
fi
if [ "$tor_cert_valid_after_" = "true" ]; then
tor_cert_valid_after
exit "$?"
fi
if [ "$user_permission_" = "true" ]; then
user_permission
exit "$?"
fi
if [ "$group_permission_" = "true" ]; then
group_permission
exit "$?"
fi
echo "No option chosen." 2>&1
exit 1
}
root_check() {
if [ "$(id -u)" != "0" ]; then
echo "ERROR: Must run as root."
exit 112
fi
}
has_consensus() {
if [ ! -r "$consensus" ]; then
exit 4
fi
local grep_exit_code="0"
grep -qs "^valid-until ${DATE_RE}"'$' "$consensus" || { grep_exit_code="$?" ; true; };
if [ "$grep_exit_code" = "0" ]; then
return 0
else
return 1
fi
}
show-valid-after() {
vstart="$(sed -n "/^valid-after \(${DATE_RE}\)"'$/s//\1/p; t q; b; :q q' ${consensus})" || exit 1
if [ "$show_valid_after_" = "true" ]; then
echo "$vstart"
fi
}
show-valid-until() {
vend="$(sed -n "/^valid-until \(${DATE_RE}\)"'$/s//\1/p; t q; b; :q q' ${consensus})" || exit 1
if [ "$show_valid_until_" = "true" ]; then
echo "$vend"
fi
}
show-middle-range() {
show-valid-after
show-valid-until
vmid="$(date -ud "${vstart} -0130" +'%F %T')" || exit 1
if [ "$show_middle_range_" = "true" ]; then
echo "$vmid"
fi
}
current_time_is_in_valid_range() {
show-middle-range
## {{ Sanity Test
## Debugging.
#vend="2099-09-03 09:41:29"
vendchk="$(date -ud "${vstart} -0300" +'%F %T')"
if [ ! "${vend}" = "${vendchk}" ]; then
echo "ERROR: Unexpected valid-until: [${vend}] is not [${vstart} + 3h]"
exit 1
fi
## }} Sanity Test
curdate="$(date -u +'%F %T')"
## Debugging.
#curdate="2099-09-03 09:41:29"
vendcons="$(date -ud "${vstart} -0230" +'%F %T')"
order="${vstart}
${curdate}
${vendcons}"
ordersrt="$(echo "${order}" | sort)"
if [ "${order}" = "${ordersrt}" ]; then
exit 0
else
exit 1
fi
}
tor_cert_lifetime_invalid() {
if [ ! -r "$TOR_LOG" ]; then
exit 3
fi
## TODO:
## To be sure that we only grep relevant information, we
## should delete the log when Tor is started, which we do
## TODO:
## in 10-tor.sh.
## Example Tor log:
## Sep 03 10:32:59.000 [warn] Certificate already expired. Either their clock is set wrong, or your clock is wrong.
## Sep 03 10:32:59.000 [warn] (certificate lifetime runs from Aug 16 00:00:00 2014 GMT through Jul 29 23:59:59 2015 GMT. Your time is Sep 03 10:32:59 2015 UTC.)
## The log severity will be "warn" if bootstrapping with
## authorities and "info" with bridges.
grep "\[\(warn\|info\)\] Certificate \(not yet valid\|already expired\)\." "${TOR_LOG}" | tail -n 1
if [ "$?" = "0" ]; then
return 0
else
return 1
fi
}
tor_cert_valid_after() {
if [ ! -r "$TOR_LOG" ]; then
exit 3
fi
## Only print the last = freshest match
sed -n 's/^.*certificate lifetime runs from \(.*\) through.*$/\1/p' "${TOR_LOG}" | tail -n 1
## Example output:
## Jun 16 00:00:00 2014 GMT
## sudo: timestamp too far in the future: Jun 16 00:00:00 2014 GMT
}
user_permission() {
stat -c "%U" "$consensus"
}
group_permission() {
stat -c "%G" "$consensus"
}
root_check
variables
parse_cmd_options "$@"

8
overlay/Linux/usr/local/src/helper-scripts/apt-get-update-kill-helper Executable file
View File

@ -0,0 +1,8 @@
#!/bin/bash
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
kill -s sigterm "$1"
exit 0

37
overlay/Linux/usr/local/src/helper-scripts/apt-get-update-simulate Executable file
View File

@ -0,0 +1,37 @@
#!/bin/bash
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## Required to run apt-get dist-upgrade --simulate as user (non-root).
## Required for whonixcheck function check_operating_system.
## Exception to run /usr/bin/apt-get-update as user
## is defined in /etc/sudoers.d/.
sigterm_trap() {
if [ "$lastpid" = "" ]; then
exit 0
fi
ps -p "$lastpid" >/dev/null 2>&1
if [ ! "$?" = "0" ]; then
## Already terminated.
exit 0
fi
kill -s sigterm "$lastpid"
exit "$?"
}
trap "sigterm_trap" SIGTERM SIGINT
timeout_after="10"
kill_after="5"
timeout \
--kill-after="$kill_after" \
"$timeout_after" \
apt-get dist-upgrade --simulate &
lastpid="$!"
wait "$lastpid"
exit "$?"

32
overlay/Linux/usr/local/src/helper-scripts/bashrc-terminal-emulator Executable file
View File

@ -0,0 +1,32 @@
#!/bin/bash
## Copyright (C) 2020 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## This script gets `source`ed.
## Using both 'return 0' and 'exit 0' to support both, `source`ing as well as
## executing this script.
if [ -z "$PS1" ]; then
true "If not running interactively, don't do anything."
return 0
exit 0
fi
shopt -q login_shell
var="$?"
if [ "$var" = "0" ]; then
true "running in a login shell, don't do anything."
## Login shells are greeted by /etc/motd.
return 0
exit 0
fi
## We run in a terminal emulator.
if ! test -d /etc/update-motd.d ; then
return 0
exit 0
fi
run-parts /etc/update-motd.d || true

111
overlay/Linux/usr/local/src/helper-scripts/first-boot-skel Executable file
View File

@ -0,0 +1,111 @@
#!/bin/bash
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
set -x
set -e
if command -v qubesdb-read >/dev/null 2>&1 ; then
qubes_vm_type="$(qubesdb-read /qubes-vm-type)"
fi
cache_folder="/var/cache/anon-base-files"
if [ "$qubes_vm_type" = "TemplateVM" ]; then
## Separate done file for Qubes TemplateVMs to make this work with the
## current home folder population for Qubes DispVMs.
## https://github.com/QubesOS/qubes-core-agent-linux/blob/f380c346cf9af3f058b8ece853d7d4a5ece28815/misc/dispvm-prerun.sh#L6-L12
done_file="$cache_folder/first-boot-skel.TemplateVM.done"
else
## Non-Qubes-Whonix or non-Qubes TemplateVMs
done_file="$cache_folder/first-boot-skel.done"
fi
if [ -e "$done_file" ]; then
exit 0
fi
user_name="user"
home_dir="/home/$user_name"
if [ ! -d "$home_dir" ]; then
exit 0
fi
skel_folder="/etc/skel"
if [ ! -d "$skel_folder" ]; then
exit 0
fi
pushd "$skel_folder"
mkdir -p "$cache_folder"
shopt -s dotglob
shopt -s nullglob
for fso in ./* ; do
true "fso: $fso"
## Technically below for 'cp' it would also be possible to use '$fso' rather
## than '$fso_basename', but the latter produces a prettier xtrace.
fso_basename="${fso##*/}"
if [ ".bashrc" = "$fso_basename" ]; then
## We do not need /home/user/.bashrc.
## /home/user/.bashrc is handled below.
continue
fi
if [ ".bashrc.whonix" = "$fso_basename" ]; then
## We do not need /home/user/.bashrc.whonix.
## /home/user/.bashrc is handled below.
continue
fi
if [ ".bashrc.whonix-orig" = "$fso_basename" ]; then
## We do not need /home/user/.bashrc.whonix-orig.
## /home/user/.bashrc is handled below.
continue
fi
if [ -d "$fso" ]; then
true "folder: yes"
cp --verbose --no-clobber --archive --parents --recursive "$fso_basename" "$home_dir"
chown --changes --recursive "$user_name:$user_name" "$home_dir/$fso_basename"
else
true "folder: no"
## Require '--dereference' otherwise the 'chown' below could fail.
cp --verbose --no-clobber --archive --dereference "$fso_basename" "$home_dir"
chown --changes "$user_name:$user_name" "$home_dir/$fso_basename"
fi
done
if [ ! -f "$skel_folder/.bashrc.whonix-orig" ]; then
touch "$done_file"
exit 0
fi
if [ ! -f "$skel_folder/.bashrc.whonix" ]; then
touch "$done_file"
exit 0
fi
if [ ! -f "$skel_folder/.bashrc" ]; then
touch "$done_file"
exit 0
fi
if diff "$skel_folder/.bashrc.whonix" "$home_dir/.bashrc" >/dev/null ; then
## no diff found
true "Already using Whonix $skel_folder/.bashrc.whonix. No need to copy $skel_folder/.bashrc.whonix."
touch "$done_file"
exit 0
fi
if diff "$skel_folder/.bashrc.whonix-orig" "$home_dir/.bashrc" >/dev/null ; then
## no diff found
true "Overwriting default $home_dir/.bashrc ( which matches $skel_folder/.bashrc.whonix-orig ) with $skel_folder/.bashrc.whonix."
cp --verbose --archive "$skel_folder/.bashrc.whonix" "$home_dir/.bashrc"
chown --changes "$user_name:$user_name" "$home_dir/.bashrc"
else
## a diff was found
true "User customized $home_dir/.bashrc. Keeping it."
fi
touch "$done_file"

24
overlay/Linux/usr/local/src/helper-scripts/leak-tests/exhaustive_ip_send.py Executable file
View File

@ -0,0 +1,24 @@
#!/usr/bin/python3 -u
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
import sys
from scapy.all import *
#define the target gateway & data payload
target = "scanme.nmap.org"
#target = "45.33.32.156"
data = "testing"
#define packet
ip = IP()
#define packet parameters
ip.dst = target
#loop through all IP packet types
for ip_type in range(0,255):
ip.proto = ip_type
send(ip/data)

61
overlay/Linux/usr/local/src/helper-scripts/leak-tests/simple_ping.py Executable file
View File

@ -0,0 +1,61 @@
#!/usr/bin/python3 -u
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
# Since it will be useful to know something about the script,
# for the later tests, the terms are defined here:
# (A discussion of Python language structure is beyond
# the scope of this document)
# [1] http://en.wikipedia.org/wiki/Ipv4
# [2] http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
# [3] http://en.wikipedia.org/wiki/IP_routing
# [4] http://en.wikipedia.org/wiki/Ping
# [5] http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#List_of_permitted_control_messages_.28incomplete_list.29
# [6] http://www.secdev.org/projects/scapy/doc/usage.html#send-and-receive-packets-sr
# [7] http://www.secdev.org/projects/scapy/doc/usage.html#stacking-layers
import sys
from scapy.all import *
# define the target gateway & data payload
target = "10.152.152.10"
#target = "45.33.32.156"
data = "testing"
# define packets
# These define two variables, that are set to the object types IP
# and ICMP respectively. These objects in Scapy define the protocol
# type for IP (default IPv4) [1] and ICMP [2] respectively.
# And will send packets on the wire of these types when used.
ip = IP()
icmp = ICMP()
# define packet parameters
ip.dst = target
# IP packets are used for routing [3] between networks on the Internet.
# So, we assign the destination (dst) in the IP portion of the
# packet we are going to assemble and send out.
icmp.type = 8
icmp.code = 0
# Defines the type of ICMP message to send out. The ..8 type.. is
# a type defined as ..echo request.., e.g. a simple ping [4].
# See a list here of various types of ICMP [5] messages here.
# The sr1() [6] command will ..send and receive network traffic,
# returning the 1st packet received...
# The notation of ..ip/icmp/data.. is the notation for encapsulation
# of various instances of networking protocols [7].
# Read it right to left: ..data encapsulated inside an ICMP message
# and encapsulated inside an IP datagram...
test_ping = sr1(ip/icmp/data)
if isinstance(test_ping, types.NoneType):
print("No response")
else:
# Prints a short report on the packet received (if any).
test_ping.summary()

25
overlay/Linux/usr/local/src/helper-scripts/leak-tests/tcp_test.py Executable file
View File

@ -0,0 +1,25 @@
#!/usr/bin/python3 -u
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
import sys
from scapy.all import *
#define the target gateway & data payload
target = "scanme.nmap.org"
#target = "45.33.32.156"
data = "testing"
#define packets
ip = IP()
tcp = TCP()
#define packet parameters
ip.dst = target
#loop through all TCP ports
for tcp_port in range(0,65535):
tcp.dport = tcp_port
send(ip/tcp/data)

25
overlay/Linux/usr/local/src/helper-scripts/leak-tests/udp_test.py Executable file
View File

@ -0,0 +1,25 @@
#!/usr/bin/python3 -u
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
import sys
from scapy.all import *
#define the target gateway & data payload
target = "scanme.nmap.org"
#target = "45.33.32.156"
data = "testing"
#define packets
ip = IP()
udp = UDP()
#define packet parameters
ip.dst = target
#loop through all TCP ports
for udp_port in range(0,65535):
udp.dport = udp_port
send(ip/udp/data)

58
overlay/Linux/usr/local/src/helper-scripts/pkg_manager_running_check Executable file
View File

@ -0,0 +1,58 @@
#!/bin/bash
check_package_manager_running_helper() {
if [ -f "/run/package_manager_lock" ]; then
check_apt_get_exit_code="/run/package_manager_lock exists."
package_manager_waiting_msg="Lock file \
/run/package_manager_lock exists. Waiting for it to be removed..."
package_manager_waiting_msg_x="$package_manager_waiting_msg"
return 0
fi
local fuser_exit_code
fuser_exit_code=0
sudo --non-interactive fuser /var/lib/dpkg/lock /var/cache/apt/archives/lock &>/dev/null || { fuser_exit_code="$?" ; true; };
## If a package manager is running:
## sudo --non-interactive fuser /var/lib/dpkg/lock /var/cache/apt/archives/lock ; echo $?
## /var/lib/dpkg/lock: 15601
## /var/cache/apt/archives/lock: 15601
## 0
##
## If no package manager is running:
## sudo --non-interactive fuser /var/lib/dpkg/lock /var/cache/apt/archives/lock ; echo $?
## 1
if [ "$fuser_exit_code" = "0" ]; then
check_apt_get_exit_code="1"
else
check_apt_get_exit_code="0"
fi
if [ ! "$check_apt_get_exit_code" = "0" ]; then
## package_manager_waiting_msg used by cli-only applications.
package_manager_waiting_msg="A package manager (such as apt-get) is currently running. Waiting for it to finish...
If you are not aware of any package mangers running, exit now, find out if there are any issues with dpkg or apt-get. Run in the terminal for example:
sudo dpkg --audit
sudo dpkg --configure -a
sudo apt-get dist-upgrade
Technical Info:
\"sudo --non-interactive fuser /var/lib/dpkg/lock /var/cache/apt/archives/lock\" exit code: $fuser_exit_code"
## package_manager_waiting_msg_x used applications using msgcollector.
package_manager_waiting_msg_x="<p>A package manager (such as <code>apt-get</code>) is currently running. Waiting for it to finish...
<br></br>
If you are not aware of any package mangers running, exit now, find out if there are any issues with <code>dpkg</code> or <code>apt-get</code>. Run in the terminal for example:
<code>sudo dpkg --audit</code>
<code>sudo dpkg --configure -a</code>
<code>sudo apt-get dist-upgrade</code>
<br></br>
Technical Info:
\"<code>sudo --non-interactive fuser /var/lib/dpkg/lock /var/cache/apt/archives/lock</code>\" exit code: <code>$fuser_exit_code</code></p>"
else
package_manager_waiting_msg="No package manger currently running. \
You should not see this message. Please report this bug!"
package_manager_waiting_msg_x="$package_manager_waiting_msg"
fi
}

276
overlay/Linux/usr/local/src/helper-scripts/pre.bsh Executable file
View File

@ -0,0 +1,276 @@
#!/bin/bash
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## The idea of this bash fragment is:
## Say nothing, if everything goes well, but dump everything on error.
## It allows to easily look inside the xtrace of a (Debian maintainer) script,
## when the DEBDEBUG environment variable is set to 1.
## To use it in other scripts, use something like this:
# if [ -f /usr/local/lib64/helper-scripts/pre.bsh ]; then
# source /usr/local/lib64/helper-scripts/pre.bsh
# fi
## Error log:
## - implement trap ERR if function errorhandlergeneral does not exist
## - implements a simple error handler if non exists
## - run silent by default
## - write xtrace to temporary log
## - show full xtrace on unexpected non-zero exit code
## - show exit code on unexpected non-zero exit code
## - run syntax check "bash -n" on this script
## - run syntax check "bash -n" on the script that sourced this script
## DEBDEBUG:
##
## enable xtrace (-x) for maintainer script when DEBDEBUG environment
## variable is set to 1.
## For example:
## sudo DEBDEBUG=1 dpkg -i /path/to/package.deb
## SKIP_SCRIPTS
##
## The SKIP_SCRIPTS environment variable to skip scripts by name
## For example:
## sudo DEBDEBUG=1 SKIP_SCRIPTS=" security-misc.postinst " dpkg -i /path/to/package.deb
##
## another example:
##
## export DEBDEBUG=1
## export SKIP_SCRIPTS+=" security-misc.postinst "
## sudo -E dpkg -i /path/to/package.deb
## Colorful output: provides color function
## Shell options: enables errtrace
## Configuration Folders
##
## For example if the name of the package is 'security-misc':
## - /etc/security-misc_maint.d/*.conf
## - /usr/local/etc/security-misc_maint.d/*.conf
##
## For example if the name of the script is 'panic-on-oops':
## - /etc/panic-on-oops_pre.d/*.conf
## - /usr/local/etc/panic-on-oops_pre.d/*.conf
## {{{ pre.bsh 1.0
## bash script fragment
colors() {
if [ "$TERM" = "" ]; then
return 0
fi
## Thanks to:
## http://mywiki.wooledge.org/BashFAQ/037
## Variables for terminal requests.
[[ -t 2 ]] && {
alt=$( tput smcup || tput ti ) # Start alt display
ealt=$( tput rmcup || tput te ) # End alt display
hide=$( tput civis || tput vi ) # Hide cursor
show=$( tput cnorm || tput ve ) # Show cursor
save=$( tput sc ) # Save cursor
load=$( tput rc ) # Load cursor
bold=$( tput bold || tput md ) # Start bold
stout=$( tput smso || tput so ) # Start stand-out
estout=$( tput rmso || tput se ) # End stand-out
under=$( tput smul || tput us ) # Start underline
eunder=$( tput rmul || tput ue ) # End underline
reset=$( tput sgr0 || tput me ) # Reset cursor
blink=$( tput blink || tput mb ) # Start blinking
italic=$( tput sitm || tput ZH ) # Start italic
eitalic=$( tput ritm || tput ZR ) # End italic
[[ $TERM != *-m ]] && {
red=$( tput setaf 1|| tput AF 1 )
green=$( tput setaf 2|| tput AF 2 )
yellow=$( tput setaf 3|| tput AF 3 )
blue=$( tput setaf 4|| tput AF 4 )
magenta=$( tput setaf 5|| tput AF 5 )
cyan=$( tput setaf 6|| tput AF 6 )
}
white=$( tput setaf 7|| tput AF 7 )
default=$( tput op )
eed=$( tput ed || tput cd ) # Erase to end of display
eel=$( tput el || tput ce ) # Erase to end of line
ebl=$( tput el1 || tput cb ) # Erase to beginning of line
ewl=$eel$ebl # Erase whole line
draw=$( tput -S <<< ' enacs
smacs
acsc
rmacs' || { \
tput eA; tput as;
tput ac; tput ae; } ) # Drawing characters
back=$'\b'
} 2>/dev/null ||:
}
source_config_folder() {
## dpkg sets environment variables
## example:
## DPKG_MAINTSCRIPT_PACKAGE=security-misc
if [ "$DPKG_MAINTSCRIPT_PACKAGE" = "" ]; then
pre_bsh_settings_folder="${own_filename}_pre.d"
else
pre_bsh_settings_folder="${DPKG_MAINTSCRIPT_PACKAGE}_maint.d"
fi
## example:
## pre_bsh_settings_folder=security-misc_maint.d
shopt -s nullglob
local i
## example:
## /etc/panic-on-oops_pre.d/*.conf
## /usr/local/etc/panic-on-oops_pre.d/*.conf
true "folder 1: /etc/${pre_bsh_settings_folder}/*.conf"
true "folder 2: /usr/local/etc/${pre_bsh_settings_folder}/*.conf"
for i in /etc/${pre_bsh_settings_folder}/*.conf /usr/local/etc/${pre_bsh_settings_folder}/*.conf; do
bash_n_exit_code="0"
bash_n_output="$(bash -n "$i" 2>&1)" || { bash_n_exit_code="$?" ; true; };
if [ ! "$bash_n_exit_code" = "0" ]; then
force_output "Invalid config file: $i
bash_n_exit_code: $bash_n_exit_code
bash_n_output:
$bash_n_output" >&2
rm -f "$TEMP_FILE_PRE_BSH"
exit 1
fi
source "$i"
done
shopt -u nullglob
}
check_scripts_to_skip() {
local skip_script
for skip_script in $SKIP_SCRIPTS; do
if [ "$skip_script" = "$own_filename" ]; then
force_output "INFO: Skipping $own_filename, because SKIP_SCRIPTS includes it."
rm -f "$TEMP_FILE_PRE_BSH"
exit 0
fi
done
}
disable_echo() {
if [ "$disabled_echo" = "true" ]; then
return 0
fi
exec 5>&1 1>> "$TEMP_FILE_PRE_BSH"
exec 6>&2 2>> "$TEMP_FILE_PRE_BSH"
disabled_echo=true
}
enable_echo() {
if [ "$disabled_echo" = "true" ]; then
exec 1>&5
exec 2>&6
disabled_echo=false
fi
}
force_output() {
if [ "$disabled_echo" = "true" ]; then
redisable_echo="true"
enable_echo
fi
echo "$@"
if [ "$redisable_echo" = "true" ]; then
disable_echo
fi
}
error_handler_pre() {
local exit_code="$?"
local last_err="$BASH_COMMAND"
if [ ! "$DEBDEBUG" = "1" ]; then
local output
output="$(cat "$TEMP_FILE_PRE_BSH")"
fi
if [ "$output" = "" ]; then
output="## See above."
fi
force_output "
####################################################################
## ${red}${bold}BEGIN ERROR in $0 detected!${reset}
##
## ${under}ERROR LOG${reset}:
$output
##
## ${under}BASH_COMMAND${reset}: $BASH_COMMAND
## ${under}EXIT_CODE${reset}: $exit_code
##
## ${red}${bold}END ERROR in $0 detected!${reset}
## ${red}${bold}Please report this bug!${reset}
####################################################################
" 1>&2
rm -f "$TEMP_FILE_PRE_BSH"
exit 1
}
## config-package-dev doesn't like 'set -o pipefail'
## http://mailman.mit.edu/pipermail/config-package-dev/2015-May/000041.html
#set -o pipefail
set -o errtrace
TEMP_FILE_PRE_BSH="$(mktemp)"
if test -o xtrace ; then
true "INFO: Setting DEBDEBUG to 1, because xtrace (-x) is set."
DEBDEBUG="1"
fi
if [ "$DEBDEBUG" = "1" ]; then
set -x
fi
if [ "$disable_echo" = "true" ]; then
disable_echo
fi
colors
## {{ Set up error handler.
if [ "$(type -t errorhandlergeneral)" = "function" ]; then
## Function errorhandlergeneral exists (declared in
## help-steps/pre). Prefer to use the more feature rich version of the error
## handler.
trap "errorhandlergeneral" ERR
else
## Function errorhandlergeneral does not exist.
## Check if any trap is already declared.
if [ "$(trap -p ERR)" = "" ]; then
## No trap exist yet.
## Fall back to a simpler error handler.
trap "error_handler_pre" ERR
fi
fi
## }}
## syntax check this script
bash -n "$BASH_SOURCE"
## syntax check script that sourced this script
bash -n "$0"
own_filename="${0##*/}"
source_config_folder
check_scripts_to_skip
## }}}

77
overlay/Linux/usr/local/src/helper-scripts/repair_torrc.py Executable file
View File

@ -0,0 +1,77 @@
#!/usr/bin/python3 -u
## Copyright (C) 2018 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
import os
whonix = os.path.exists('/usr/share/anon-gw-base-files/gateway')
if whonix:
torrc_file_path = '/usr/local/etc/torrc.d/40_tor_control_panel.conf'
torrc_user_file_path = '/usr/local/etc/torrc.d/50_user.conf'
else:
torrc_file_path = '/etc/torrc.d/40_tor_control_panel.conf'
torrc_user_file_path = '/etc/torrc.d/50_user.conf'
torrc_text = '# Do not edit this file!\n\
# Please add modifications to the following file instead:\n'
user_text = '# Tor user specific configuration file\n\
#\n\
# Add user modifications below this line:\n\
############################################\n'
'''Guarantee the existence of /etc/torrc.d/
and the existence of /usr/local/etc/torrc.d/ if required.
'''
if not os.path.exists('/etc/torrc.d/'):
os.makedirs('/etc/torrc.d/')
if whonix and not os.path.exists('/usr/local/etc/torrc.d/'):
os.makedirs('/usr/local/etc/torrc.d/')
'''Guarantee the existence of:
1. /etc/torrc.d/95_whonix.conf
2. /etc/tor/torrc
3. "%include /etc/torrc.d/95_whonix.conf" line in /etc/tor/torrc file
In addition, we create 40_tor_control_panel.conf
and 50_user.conf here if they do not exist.
'''
whonix_torrcd_path = '/etc/torrc.d/95_whonix.conf'
if not os.path.exists('/etc/tor/torrc'):
with open('/etc/tor/torrc', "w+") as f:
if whonix:
f.write('%include {0}\n'.format(whonix_torrcd_path))
else:
f.write('%include {0}\n'.format(torrc_file_path))
f.write('%include {0}\n'.format(torrc_user_file_path))
else:
torrcd_line_exists = 'include /etc/torrc.d' in open('/etc/tor/torrc', "r").read()
if not torrcd_line_exists:
with open('/etc/tor/torrc', "a") as f:
if whonix:
f.write('%include {0}\n'.format(whonix_torrcd_path))
else:
f.write('%include {0}\n'.format(torrc_file_path))
f.write('%include {0}\n'.format(torrc_user_file_path))
if whonix and not os.path.exists(whonix_torrcd_path):
with open(whonix_torrcd_path, "w+") as f:
f.write('%include {0}\n'.format(torrc_file_path))
f.write('%include {0}\n'.format(torrc_user_file_path))
torrc_text = '%s# %s\n' % (torrc_text, torrc_user_file_path)
if not whonix:
torrc_text = (torrc_text +
'Log notice file /run/tor/log\n')
if not os.path.exists(torrc_file_path):
with open(torrc_file_path, "w+") as f:
f.write(torrc_text)
if not os.path.exists(torrc_user_file_path):
with open(torrc_user_file_path, "w+") as f:
f.write(user_text)

15
overlay/Linux/usr/local/src/helper-scripts/settings_echo Executable file
View File

@ -0,0 +1,15 @@
#!/bin/bash
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
set -e
## provides: check_tor_bootstrap_helper_variables
source /usr/local/lib64/helper-scripts/tor_bootstrap_check.bsh
check_tor_bootstrap_helper_variables
echo "\
GATEWAY_IP=\"$GATEWAY_IP\"
gateway_control_port=\"$gateway_control_port\""

15
overlay/Linux/usr/local/src/helper-scripts/settings_echo.dst Executable file
View File

@ -0,0 +1,15 @@
#!/bin/bash
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
set -e
## provides: check_tor_bootstrap_helper_variables
source /usr/local/lib/helper-scripts/tor_bootstrap_check.bsh
check_tor_bootstrap_helper_variables
echo "\
GATEWAY_IP=\"$GATEWAY_IP\"
gateway_control_port=\"$gateway_control_port\""

8
overlay/Linux/usr/local/src/helper-scripts/settings_environment_file_update Executable file
View File

@ -0,0 +1,8 @@
#!/bin/bash
## Copyright (C) 2017 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
set -e
/usr/local/lib64/helper-scripts/settings_echo > /run/helper-scripts/settings_environment_file

8
overlay/Linux/usr/local/src/helper-scripts/settings_environment_file_update.dst Executable file
View File

@ -0,0 +1,8 @@
#!/bin/bash
## Copyright (C) 2017 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
set -e
/usr/local/lib/helper-scripts/settings_echo > /run/helper-scripts/settings_environment_file

233
overlay/Linux/usr/local/src/helper-scripts/te_pe_tb_check Executable file
View File

@ -0,0 +1,233 @@
#!/bin/bash
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## Exit codes of this script get interpreted by sdwdate.
## exit 0
## exit 1: wait, retry and warning icon
## exit 2: wait, retry and error icon
set -o pipefail
set -e errtrace
error_handler() {
local exit_code="$?"
echo "\
BASH_COMMAND: $BASH_COMMAND
exit_code: $exit_code"
}
trap "error_handler" ERR
source /usr/local/lib64/helper-scripts/tor_enabled_check
source /usr/local/lib64/helper-scripts/pkg_manager_running_check
source /usr/local/lib64/helper-scripts/tor_bootstrap_check.bsh
te_pe_tb_check() {
if [ -f "/usr/share/anon-gw-base-files/gateway" ]; then
VM="Gateway"
elif [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
VM="Workstation"
else
VM="Could not determine if this is gateway or workstation. Please report this bug."
fi
clock_causes="\
<br><br>Possible causes:<br>
- The host clock is wrong -> shut down the VM, fix the clock in the host and restart the VM.<br>
- The VM clock is wrong -> manually fix the clock. Restart Tor if necessary. Then restart sdwdate.<br>
- A host clock attack succeeded.<br>
- A hardware issue (for example bios clock issues).<br>"
## Debugging.
true "$FUNCNAME: CURL: $CURL"
true "$FUNCNAME: LD_PRELOAD: $LD_PRELOAD"
if [ -e /usr/share/timesanitycheck/shared ]; then
## provides: time_sanity_check
## sets: time_sanity_check_exit_code
## sets: time_sanity_check_msg_static
source /usr/share/timesanitycheck/shared
time_sanity_check
if [ "$time_sanity_check_exit_code" = "0" ]; then
echo "$time_sanity_check_msg_static" >&2
else
echo "$time_sanity_check_msg_static
$clock_causes"
timesanitycheck_static_timestamp_based_failed="true"
if [ "$VM" = "Gateway" ]; then
exit 1
fi
fi
fi
## Sets: TOR_ENABLED
check_tor_enabled_do
if [ "$TOR_ENABLED" = "1" ]; then
## Ok.
true
else
if [ -f /usr/share/whonix/marker ]; then
echo "<b>Tor is disabled.</b> Please enable Tor using whonixsetup.<br> \
Start Menu -> System -> Anon Connection Wizard or in Terminal: sudo whonixsetup"
else
echo "Tor is disabled. Please enable Tor in the Tor config."
fi
exit 1
fi
## sets: check_apt_get_exit_code
## sets: package_manager_waiting_msg
#check_package_manager_running_helper ## pkg_manager_running_check
#if [ "$check_apt_get_exit_code" = "0" ]; then
#true "Package manager not busy, ok."
#else
#echo "$package_manager_waiting_msg"
#exit 2
#fi
## sets: check_bootstrap_helper_script
## sets: lastpid
## sets: tor_bootstrap_percent
## sets: tor_bootstrap_status
check_tor_circuit_established ## tor_bootstrap_check.bsh
## $tor_circuit_established_check_exit_code on timeout returns:
## - 124 if sigterm was sufficient
## - 137 if needed to use kill.
for invalid_exit_code in "124" "137" "254" ; do
if [ "$tor_circuit_established_check_exit_code" = "$invalid_exit_code" ]; then
echo "Tor Bootstrap Result: \
<b>ERROR ($tor_circuit_established_check_exit_code).</b><br> Please report this bug!"
exit 1
fi
done
if [ "$tor_circuit_established_check_exit_code" = "255" ]; then
if [ "$VM" = "Gateway" ]; then
echo "Tor Bootstrap Result: \
<b>Tor's Control Port could not be reached.</b><br>"
elif [ "$VM" = "Workstation" ]; then
if [ -f /usr/share/whonix/marker ]; then
echo "Tor Bootstrap Result: \
<b>Tor's Control Port could not be reached.</b><br> \
<br>Did you start Gateway beforehand? \
<br>Please run whonixcheck on Gateway."
else
echo "Tor Bootstrap Result: \
<b>Tor's Control Port could not be reached.</b><br> \
<br>Did you start Gateway beforehand?"
fi
else
if [ -f /usr/share/whonix/marker ]; then
echo "Tor Bootstrap Result: \
<b>Tor's Control Port could not be reached.</b><br> \
<br>Did you start Gateway beforehand? \
<br>Please run whonixcheck on Gateway.
<br>$FUNCNAME: This is neither a gateway nor a workstation. Please report this bug!"
else
echo "Tor Bootstrap Result: \
<b>Tor's Control Port could not be reached.</b><br> \
<br>Did you start Gateway beforehand?
<br>$FUNCNAME: This is neither a gateway nor a workstation. Please report this bug!"
fi
fi
exit 1
fi
if [ "$VM" = "Gateway" ]; then
check_tor_bootstrap_status
fi
## When using an old Tor consensus which might be the case when no Tor
## circuit has been established yet, there is no point to check Tor
## consensus time as it might be outdated leading to concluding that the
## clock is fast.
if [ "$tor_circuit_established" = "0" ]; then
if [ "$VM" = "Gateway" ]; then
echo "<b>Tor is not yet fully bootstrapped.</b> $tor_bootstrap_percent % done.\
<br>Tor reports: $tor_bootstrap_status"
else
echo "<b>Tor is not yet fully bootstrapped.</b> Tor circuit: $tor_circuit_established_word."
fi
exit "2"
fi
## If the static timestamp based time sanity check failed, there is no
## need to run the Tor consensus based time sanity check. Avoiding
## duplicate output.
if [ ! "$timesanitycheck_static_timestamp_based_failed" = "true" ]; then
## sets: tor_consensus_valid_after_exit_code
## sets: tor_consensus_valid_after_output
## sets: tor_consensus_valid_after_unixtime
tor_consensus_valid-after
## sets: tor_consensus_valid_until_exit_code
## sets: tor_consensus_valid_until_output
## sets: tor_consensus_valid_until_unixtime
tor_consensus_valid-until
current_unixtime="$(date +"%s")"
if [ "$tor_consensus_valid_after_exit_code" = "0" ] && [ "$tor_consensus_valid_until_exit_code" = "0" ]; then
clock_tor_consensus_check_result="ok"
if [ "$current_unixtime" -ge "$tor_consensus_valid_after_unixtime" ]; then
true
else
clock_tor_consensus_check_result="slow"
clock_tor_consensus_check_msg="The clock might be too slow. Clock is slower than consensus/valid-after $tor_consensus_valid_after_output. $clock_causes"
fi
if [ "$current_unixtime" -ge "$tor_consensus_valid_until_unixtime" ]; then
clock_tor_consensus_check_result="fast"
clock_tor_consensus_check_msg="The clock might be too fast. Clock is faster than consensus/valid-until $tor_consensus_valid_until_output. $clock_causes"
else
true
fi
elif [ "$tor_consensus_valid_after_exit_code" = "277" ] && [ "$tor_consensus_valid_until_exit_code" = "277" ]; then
clock_tor_consensus_check_result="noneyet"
clock_tor_consensus_check_msg="Might not have downloaded a Tor consensus yet."
else
clock_tor_consensus_check_result="error"
clock_tor_consensus_check_msg="Consensus time sanity check failed. $clock_causes"
fi
if [ "$clock_tor_consensus_check_result" = "ok" ]; then
clock_tor_consensus_check_result="ok"
clock_tor_consensus_check_msg="Clock within consensus parameters consensus/valid-after $tor_consensus_valid_after_output and consensus/valid-until $tor_consensus_valid_until_output."
fi
if [ "$clock_tor_consensus_check_result" = "ok" ]; then
echo "<p>$clock_tor_consensus_check_msg</p>" >&2
else
echo "<p>$clock_tor_consensus_check_msg</p>"
fi
## TODO
## Would have to parse tor_bootstrap_status.
## In case Tor cannot fetch Tor consensus $tor_consensus_valid_after_exit_code /
## $tor_consensus_valid_until_exit_code may be zero but $tor_consensus_valid_until_output
## may be empty.
#if [ ! "$clock_tor_consensus_check_result" = "ok" ]; then
# if [ "$VM" = "Gateway" ]; then
# exit "1"
# fi
#fi
fi
if [ "$tor_circuit_established" = "1" ]; then
echo "<p>Tor fully bootstrapped.</p>"
exit "0"
fi
echo "Tor Bootstrap Result: \
<b>ERROR tor_circuit_established is neither 0 nor 1. tor_circuit_established: $tor_circuit_established</b><br> Please report this bug!" >&2
exit "0"
}
te_pe_tb_check "$@"

73
overlay/Linux/usr/local/src/helper-scripts/terminal-wrapper Executable file
View File

@ -0,0 +1,73 @@
#!/bin/bash
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
set -x
set -e
if [ -e "/etc/alternatives/x-terminal-emulator" ]; then
## Lets see where for example /etc/alternatives/aptitude links to.
if readlink_result="$(readlink "/etc/alternatives/x-terminal-emulator")" ; then
## Symlink could be read. Lets use it.
etc_alternatives_x_terminal_emulator_full_path="$readlink_result"
etc_alternatives_x_terminal_emulator_base_name="${etc_alternatives_x_terminal_emulator_full_path##*/}"
fi
fi
supported_terminal_emulator_apps="
xfce4-terminal
xterm
konsole
"
for terminal_emulator_app_supported in $supported_terminal_emulator_apps ; do
if [ "$etc_alternatives_x_terminal_emulator_base_name" = "$terminal_emulator_app_supported" ]; then
[ -n "$terminal_emulator_app" ] || terminal_emulator_app="$terminal_emulator_app_supported"
fi
done
if command -v xfce4-terminal >/dev/null 2>&1; then
[ -n "$terminal_emulator_app" ] || terminal_emulator_app="xfce4-terminal"
elif command -v xterm >/dev/null 2>&1; then
[ -n "$terminal_emulator_app" ] || terminal_emulator_app="xterm"
elif command -v konsole >/dev/null 2>&1; then
[ -n "$terminal_emulator_app" ] || terminal_emulator_app="konsole"
elif [ ! "$etc_alternatives_x_terminal_emulator_base_name" = "" ]; then
[ -n "$terminal_emulator_app" ] || terminal_emulator_app="$etc_alternatives_x_terminal_emulator_base_name"
[ -n "$terminal_emulator_extra_args" ] || terminal_emulator_extra_args="-e"
else
error_message="$0: No supported terminal_emulator_app installed! Please install either:
$supported_terminal_emulator_apps
PPID: $PPID
$0 was called by: $(ps --no-headers -o command $PPID)" || true
kdialog --sorry "$error_message" >/dev/null 2>&1 || true
zenity --error --text "$error_message" >/dev/null 2>&1 || true
echo "$error_message" >&2
fi
if [ "$terminal_emulator_app" = "xfce4-terminal" ]; then
[ -n "$terminal_emulator_extra_args" ] || terminal_emulator_extra_args="--execute"
fi
if [ "$terminal_emulator_app" = "xterm" ]; then
[ -n "$terminal_emulator_extra_args" ] || terminal_emulator_extra_args="-e"
fi
if command -v qubesdb-read >/dev/null 2>&1; then
## Qubes.
if [ "$terminal_emulator_app" = "konsole" ]; then
[ -n "$terminal_emulator_extra_args" ] || terminal_emulator_extra_args="--hold -e"
fi
else
## Non-Qubes.
if [ "$terminal_emulator_app" = "konsole" ]; then
## Do not use '--fullscreen' since this starts the window without window
## controls (no window close button) which is confusing.
## '-e' needs to be the last paramater.
[ -n "$terminal_emulator_extra_args" ] || terminal_emulator_extra_args="--hold -e"
fi
fi
$terminal_emulator_app $terminal_emulator_extra_args $@

156
overlay/Linux/usr/local/src/helper-scripts/tor_bootstrap_check.bsh Executable file
View File

@ -0,0 +1,156 @@
#!/bin/bash
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
check_tor_bootstrap_helper_variables() {
if command -v qubesdb-read >/dev/null 2>&1 ; then
local qubes_vm_type
qubes_vm_type="$(qubesdb-read /qubes-vm-type)" || true
if [ "$qubes_vm_type" = "TemplateVM" ] || [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
## 'qubesdb-read /qubes-gateway' could fail if NetVM is set to 'none'.
if [ "$GATEWAY_IP" = "" ]; then
gateway_ip_error=""
qubesdb_read_qubes_gateway_result="$(qubesdb-read /qubes-gateway 2>/dev/null)" || { gateway_ip_error="qubesdb_read_failed" ; qubesdb_read_qubes_gateway_result="127.0.0.1" ; };
GATEWAY_IP="$qubesdb_read_qubes_gateway_result"
fi
if [ "$gateway_control_port" = "" ]; then
gateway_control_port="9051"
fi
fi
fi
if [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
if [ "$GATEWAY_IP" = "" ]; then
GATEWAY_IP="10.152.152.10"
fi
if [ "$gateway_control_port" = "" ]; then
gateway_control_port="9051"
fi
fi
if [ -f "/usr/share/anon-gw-base-files/gateway" ]; then
if [ "$GATEWAY_IP" = "" ]; then
GATEWAY_IP="127.0.0.1"
fi
fi
if [ "$gateway_control_port" = "" ]; then
gateway_control_port="9051"
fi
if [ "$GATEWAY_IP" = "" ]; then
GATEWAY_IP="127.0.0.1"
fi
}
check_tor_bootstrap_helper_run_helper_script() {
if [ "$TEMP_DIR" = "" ]; then
echo "Variable TEMP_DIR was empty." >&2
TEMP_DIR="$(mktemp --directory)"
fi
check_tor_bootstrap_helper_variables
check_tor_bootstrap_helper_kill_after="5s"
check_tor_bootstrap_helper_timeout_after="10s"
check_bootstrap_helper_bootstrap_file="$TEMP_DIR/tor_check_bootstrap_helper_bootstrap_file"
rm --force "$check_bootstrap_helper_bootstrap_file"
check_bootstrap_helper_script_exit_code="0"
timeout \
--kill-after="$check_tor_bootstrap_helper_kill_after" \
"$check_tor_bootstrap_helper_timeout_after" \
$check_bootstrap_helper_script \
> "$check_bootstrap_helper_bootstrap_file" \
2>&1 \
&
lastpid="$!"
wait "$lastpid" || { check_bootstrap_helper_script_exit_code="$?" ; true; };
if [ -f "$check_bootstrap_helper_bootstrap_file" ]; then
check_bootstrap_helper_script_output="$(cat "$check_bootstrap_helper_bootstrap_file")"
if [ "$check_bootstrap_helper_script_output" = "" ]; then
check_bootstrap_helper_script_output="Variable check_bootstrap_helper_script_output is empty."
check_bootstrap_helper_script_exit_code="277"
fi
else
check_bootstrap_helper_script_output="ERROR: File '$check_bootstrap_helper_bootstrap_file' does not exist. check_bootstrap_helper_script: '$check_bootstrap_helper_script' Please report this Whonix bug!"
fi
}
check_tor_bootstrap_helper() {
check_tor_bootstrap_status
check_tor_circuit_established
}
check_tor_bootstrap_status() {
check_bootstrap_helper_script="/usr/local/lib64/helper-scripts/tor_bootstrap_check.py"
## sets: check_bootstrap_helper_script_exit_code
## sets: check_bootstrap_helper_script_output
check_tor_bootstrap_helper_run_helper_script
tor_bootstrap_percent="$check_bootstrap_helper_script_exit_code"
tor_bootstrap_status="$check_bootstrap_helper_script_output"
## `timeout` returns:
## - 124 if sigterm was sufficient
## - 137 if needed to use kill.
if [ "$check_bootstrap_helper_script_exit_code" = "124" ]; then
tor_bootstrap_timeout_type="sigterm"
elif [ "$check_bootstrap_helper_script_exit_code" = "137" ]; then
tor_bootstrap_timeout_type="sigkill"
else
tor_bootstrap_timeout_type="none"
fi
}
check_tor_circuit_established() {
check_bootstrap_helper_script="/usr/local/lib64/helper-scripts/tor_circuit_established_check.py"
## sets: check_bootstrap_helper_script_exit_code
## sets: check_bootstrap_helper_script_output
check_tor_bootstrap_helper_run_helper_script
tor_circuit_established_check_exit_code="$check_bootstrap_helper_script_exit_code"
if [ "$check_bootstrap_helper_script_exit_code" = "0" ]; then
tor_circuit_established="$check_bootstrap_helper_script_output"
if [ "$tor_circuit_established" = "1" ]; then
tor_circuit_established_word="established"
else
tor_circuit_established_word="not established"
fi
else
tor_circuit_established="0"
tor_circuit_established_word="not established"
fi
}
tor_consensus_valid-after() {
check_bootstrap_helper_script="/usr/local/lib64/helper-scripts/tor_consensus_valid-after.py"
## sets: check_bootstrap_helper_script_exit_code
## sets: check_bootstrap_helper_script_output
check_tor_bootstrap_helper_run_helper_script
tor_consensus_valid_after_exit_code="$check_bootstrap_helper_script_exit_code"
tor_consensus_valid_after_output="$check_bootstrap_helper_script_output"
if [ "$check_bootstrap_helper_script_exit_code" = "0" ]; then
tor_consensus_valid_after_unixtime="$(date --date="$tor_consensus_valid_after_output" +"%s")" || true
fi
}
tor_consensus_valid-until() {
check_bootstrap_helper_script="/usr/local/lib64/helper-scripts/tor_consensus_valid-until.py"
## sets: check_bootstrap_helper_script_exit_code
## sets: check_bootstrap_helper_script_output
check_tor_bootstrap_helper_run_helper_script
tor_consensus_valid_until_exit_code="$check_bootstrap_helper_script_exit_code"
tor_consensus_valid_until_output="$check_bootstrap_helper_script_output"
if [ "$check_bootstrap_helper_script_exit_code" = "0" ]; then
tor_consensus_valid_until_unixtime="$(date --date="$tor_consensus_valid_until_output" +"%s")" || true
fi
}

37
overlay/Linux/usr/local/src/helper-scripts/tor_bootstrap_check.py Executable file
View File

@ -0,0 +1,37 @@
#!/usr/bin/python3 -u
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
import sys
from stem.connection import connect
import re
controller = connect()
if not controller:
sys.exit(255)
bootstrap_status = controller.get_info("status/bootstrap-phase")
## Possible answer, if network cable has been removed:
## 250-status/bootstrap-phase=WARN BOOTSTRAP PROGRESS=80 TAG=conn_or SUMMARY="Connecting to the Tor network" WARNING="No route to host" REASON=NOROUTE COUNT=26 RECOMMENDATION=warn
## Possible answer:
## 250-status/bootstrap-phase=NOTICE BOOTSTRAP PROGRESS=85 TAG=handshake_or SUMMARY="Finishing handshake with first hop"
## Possible answer, when done:
## 250-status/bootstrap-phase=NOTICE BOOTSTRAP PROGRESS=100 TAG=done SUMMARY="Done"
## TODO: parse the messages above.
## 0
print(format(bootstrap_status))
progress_percent = re.match('.* PROGRESS=([0-9]+).*', bootstrap_status)
exit_code = int(progress_percent.group(1))
controller.close()
sys.exit(exit_code)

26
overlay/Linux/usr/local/src/helper-scripts/tor_circuit_established_check.py Executable file
View File

@ -0,0 +1,26 @@
#!/usr/bin/python3 -u
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
import sys
from stem.connection import connect
controller = connect()
if not controller:
sys.exit(255)
circuit_established = controller.get_info("status/circuit-established")
## Possible answer, if established:
## 1
## Possible answer, if not established:
## 0
print(format(circuit_established))
controller.close()
sys.exit(0)

20
overlay/Linux/usr/local/src/helper-scripts/tor_consensus_valid-after.py Executable file
View File

@ -0,0 +1,20 @@
#!/usr/bin/python3 -u
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
import sys
from stem.connection import connect
controller = connect()
if not controller:
sys.exit(255)
output = controller.get_info("consensus/valid-after")
print(format(output))
controller.close()
sys.exit(0)

20
overlay/Linux/usr/local/src/helper-scripts/tor_consensus_valid-until.py Executable file
View File

@ -0,0 +1,20 @@
#!/usr/bin/python3 -u
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
import sys
from stem.connection import connect
controller = connect()
if not controller:
sys.exit(255)
output = controller.get_info("consensus/valid-until")
print(format(output))
controller.close()
sys.exit(0)

65
overlay/Linux/usr/local/src/helper-scripts/tor_enabled_check Executable file
View File

@ -0,0 +1,65 @@
#!/bin/bash
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
check_tor_enabled_do() {
## Fallback.
TOR_ENABLED="0"
## Skip this test, if not running on Whonix-Gateway.
if [ ! -e "/usr/share/anon-gw-base-files/gateway" ]; then
TOR_ENABLED="1"
return 0
fi
## Skip this test, if running in Qubes TemplateVM.
if command -v qubesdb-read >/dev/null 2>&1 ; then
local qubes_vm_type
qubes_vm_type="$(qubesdb-read /qubes-vm-type)" || true
if [ "$qubes_vm_type" = "TemplateVM" ]; then
TOR_ENABLED="1"
return 0
fi
fi
local line file_name file_name_list i
shopt -s globstar
shopt -s nullglob
if [ -f /usr/share/tor/tor-service-defaults-torrc ]; then
file_name_list+="/usr/share/tor/tor-service-defaults-torrc"
file_name_list+=" "
fi
if [ -f /etc/tor/torrc ]; then
file_name_list+="/etc/tor/torrc"
file_name_list+=" "
fi
for i in /etc/torrc.d/* ; do
file_name_list+="$i"
file_name_list+=" "
done
for i in /usr/local/etc/torrc.d/* ; do
file_name_list+="$i"
file_name_list+=" "
done
for file_name in $file_name_list ; do
if ! test -f "$file_name" ; then
continue
fi
true "file_name: '$file_name'"
while read -r line || [ -n "$line" ]; do
if [ "$line" = "DisableNetwork 0" ]; then
TOR_ENABLED="1"
fi
if [ "$line" = "DisableNetwork 1" ]; then
TOR_ENABLED="0"
fi
done < "$file_name"
unset line
done
}

20
overlay/Linux/usr/local/src/helper-scripts/tor_signal_newnym.py Executable file
View File

@ -0,0 +1,20 @@
#!/usr/bin/python3 -u
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
import sys
from stem.connection import connect
from stem.control import Controller
from stem import Signal
controller = connect()
if not controller:
sys.exit(255)
controller.signal(Signal.NEWNYM)
controller.close()
sys.exit(0)

36
overlay/Linux/usr/local/src/helper-scripts/torsocks-remove-ld-preload Executable file
View File

@ -0,0 +1,36 @@
#!/bin/sh
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## Must be an sh, not bash script, because /etc/cron.weekly/tor is a sh script,
## that sources /etc/default/tor, which sources this script.
## Cope up with "set -o nounset".
: "${DEBDEBUG:="0"}"
: "${LD_PRELOAD:=""}"
if [ "$DEBDEBUG" = "1" ]; then
set -x
fi
if [ "$DEBDEBUG" = "1" ]; then
true "LD_PRELOAD: $LD_PRELOAD"
fi
## Remove /usr/lib/torsocks/libtorsocks.so from LD_PRELOAD.
LD_PRELOAD="$(echo "$LD_PRELOAD" | sed 's/\/usr\/lib\/torsocks\/libtorsocks.so//g')"
if [ "$DEBDEBUG" = "1" ]; then
true "exit code: $?"
fi
export LD_PRELOAD
if [ "$DEBDEBUG" = "1" ]; then
true "exit code: $?"
true "LD_PRELOAD: $LD_PRELOAD"
fi
## Don't use exit at the end, since this script can be sourced by others.

24
overlay/Linux/usr/local/src/proxy_local_src.bash Executable file
View File

@ -0,0 +1,24 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
prog=`basename $0 .bash`
PREFIX=/usr/local
ROLE=proxy
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
[ `id -u` -eq 0 ] || echo ERROR: $prog should be run as root && exit 2
DESC=""
cd $PREFIX/src || exit 4
which sdwdate >/dev/null 2>/dev/null || \
[ -f $PREFIX/bin/sdwdate.bash ] || \
sh sdwdate.bash
[ -f testssl.sh ] || \
sh testssl.bash || exit 7$?
[ -x ../bin/analyze-ssl.pl.bash ] || \
sh analyze-ssl.bash
exit 0

BIN
overlay/Linux/usr/local/src/wicd-new.zip Normal file
View File

Binary file not shown.

38
overlay/Ubuntu/etc/ca-certificates/update.d/jks-keystore.diff Normal file
View File

@ -0,0 +1,38 @@
*** jks-keystore.dst 2016-03-30 01:41:20.000000000 +0300
--- jks-keystore 2019-10-25 05:12:39.275249418 +0300
***************
*** 33,48 ****
if ! mountpoint -q /proc; then
echo >&2 "the keytool command requires a mounted proc fs (/proc)."
exit 1
fi
! for jvm in java-7-openjdk-$arch java-7-openjdk \
! oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \
! java-8-openjdk-$arch java-8-openjdk \
oracle-java8-jre-$arch oracle-java8-server-jre-$arch oracle-java8-jdk-$arch \
java-9-openjdk-$arch java-9-openjdk \
! oracle-java9-jre-$arch oracle-java9-server-jre-$arch oracle-java9-jdk-$arch; do
if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
break
fi
done
export JAVA_HOME=/usr/lib/jvm/$jvm
--- 33,49 ----
if ! mountpoint -q /proc; then
echo >&2 "the keytool command requires a mounted proc fs (/proc)."
exit 1
fi
! for jvm in java-8-openjdk-$arch java-8-openjdk \
oracle-java8-jre-$arch oracle-java8-server-jre-$arch oracle-java8-jdk-$arch \
java-9-openjdk-$arch java-9-openjdk \
! oracle-java9-jre-$arch oracle-java9-server-jre-$arch oracle-java9-jdk-$arch \
! java-7-openjdk-$arch java-7-openjdk \
! oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \
! ; do
if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
break
fi
done
export JAVA_HOME=/usr/lib/jvm/$jvm

117
tasks/Debian.yml Normal file
View File

@ -0,0 +1,117 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "DEBUG: Including proxy Debian.yml"
debug:
verbosity: 1
msg: "DEBUG: Including proxy Debian.yml BASE_ARE_CONNECTED={{BASE_ARE_CONNECTED}}"
# Perf h4x: Force dpkg to not to call sync() after package extraction, turn off
# the apt-cache (not needed in a container) and disable translation fetching...
- name: "/etc/dpkg/dpkg.cfg.d/02-force-unsafe-io"
blockinfile:
dest: /etc/dpkg/dpkg.cfg.d/02-force-unsafe-io
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian.yml"
block: |
force-unsafe-io
- name: "/etc/apt/apt.conf.d/no-cache"
blockinfile:
dest: /etc/apt/apt.conf.d/no-cache
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian.yml"
block: |
Acquire::http {No-Cache=True;};
when:
- ansible_virtualization_role|replace('NA', 'host') == 'guest'
- name: "/etc/apt/apt.conf.d/no-cache"
blockinfile:
dest: /etc/apt/apt.conf.d/no-cache
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian.yml"
block: |
Acquire::http {No-Cache=False;};
when:
- ansible_virtualization_role|replace('NA', 'host') != 'guest'
- name: "/etc/apt/apt.conf.d/no-lang"
blockinfile:
dest: /etc/apt/apt.conf.d/no-lang
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian.yml"
block: |
Acquire::Languages "none";
- name: disable /etc/apt/apt.conf.d/50unattended-upgrades
shell: |
[ -f /etc/apt/apt.conf.d/50unattended-upgrades ] || exit 0
grep -q '^[^/]' /etc/apt/apt.conf.d/50unattended-upgrades || exit 0
sed -e 's@^\([^/]\)@//\1@' -i /etc/apt/apt.conf.d/50unattended-upgrades
exit 0
- name: /etc/apt/apt.conf.d/70insecure.conf
blockinfile:
dest: /etc/apt/apt.conf.d/70insecure.conf
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian.yml"
block: |
Acquire::AllowInsecureRepositories false;
- name: install proxy_debs_inst packages
environment:
- "RUNLEVEL": 1
apt:
force_apt_get: true
name: "{{ item }}"
state: latest
update_cache: no
ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
when:
- item != '' and item != []
- not ansible_check_mode
- BASE_ARE_CONNECTED|default('') != ''
with_items:
- "{{ proxy_debs_inst }}"
- "{{ proxy_libvirt_debs_inst if BOX_WHONIX_PROXY_HOST != '' else [] }}"
- "{{ proxy_qemu_guest_debs_inst if PROXY_MODE in ['gateway','ws', 'vda'] else [] }}"
- "{{ proxy_gateway_debs_inst if BOX_OS_FLAVOR in ['WhonixGateway'] else [] }}"
- "{{ proxy_xfce_debs_inst if BOX_OS_FLAVOR in ['KickSecure', 'WhonixWorkstation'] else [] }}"
- name: install cntlm packages
environment:
- "RUNLEVEL": 1
apt:
force_apt_get: true
name: "cntlm"
state: latest
update_cache: no
ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
when:
- false
- not ansible_check_mode
- BASE_ARE_CONNECTED|default('') != ''
- name: "/etc/default/console-setup"
lineinfile:
dest: /etc/default/console-setup
regexp: "^#* *{{item.name}}.*"
line: '{{ item.name }}="{{ item.val }}"'
state: present
with_items:
- { name: CODESET, val: "Uni2" }
- { name: FONTFACE, val: "TerminusBold" }
- { name: FONTSIZE, val: "28x14" }
- name: /etc/apt/apt.conf.d/70testforge.conf
blockinfile:
dest: /etc/apt/apt.conf.d/70testforge.conf
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian_post.yml"
block: |
APT::Install-Recommends false;
APT::Install-Suggests false;
#APT::AutoRemove::RecommendsImportant false;
#APT::AutoRemove::SuggestsImportant false;
APT::Periodic::Enable 0;

40
tasks/Debian_post.yml Normal file
View File

@ -0,0 +1,40 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- debug:
verbosity: 1
msg: "DEBUG: Including proxy Debian_post.yml SOCKS_PROXYHOST:SOCKS_PROXYPORT= {{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}"
- name: /etc/apt/apt.conf.d/80proxy.conf
blockinfile:
dest: /etc/apt/apt.conf.d/80proxy.conf
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian_post.yml"
state: "{{'absent' if HTTP_PROXYHOST == '' else 'present' }}"
block: |
Acquire::http::Proxy "{{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}";
Acquire::https::Proxy "{{HTTP_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}";
- name: /etc/apt/apt.conf.d/70testforge.conf
blockinfile:
dest: /etc/apt/apt.conf.d/70testforge.conf
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml"
state: "{{'absent' if HTTP_PROXYHOST == '' else 'present' }}"
block: |
Acquire::tor::proxy "socks5h://apt:apt@{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}";
Acquire::tor::Timeout 60;
when:
- "SOCKS_PROXYHOST != '' and SOCKS_PROXYPORT != ''"
- name: "/etc/sdwdate.d/30_default.conf"
lineinfile:
dest: /etc/sdwdate.d/30_default.conf
create: true
regexp: "^#*{{ item.name }}.*"
line: "{{ item.name }}={{ item.val }}"
with_items:
- { name: PROXY_IP, val: "{{SOCKS_PROXYHOST}}" }
- { name: PROXY_PORT, val: "{{SOCKS_PROXYPORT}}" }

137
tasks/Devuan.yml Normal file
View File

@ -0,0 +1,137 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "DEBUG: Including proxy Devuan.yml"
debug:
verbosity: 1
msg: "DEBUG: Including proxy Devuan.yml BASE_ARE_CONNECTED={{BASE_ARE_CONNECTED}}"
# Perf h4x: Force dpkg to not to call sync() after package extraction, turn off
# the apt-cache (not needed in a container) and disable translation fetching...
- name: "/etc/dpkg/dpkg.cfg.d/02-force-unsafe-io"
blockinfile:
dest: /etc/dpkg/dpkg.cfg.d/02-force-unsafe-io
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Devuan.yml"
block: |
force-unsafe-io
- name: "/etc/apt/apt.conf.d/no-cache"
blockinfile:
dest: /etc/apt/apt.conf.d/no-redirect
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Devuan.yml"
block: |
# https://lists.debian.org/debian-security-announce/2019/msg00010.html
Acquire::http::AllowRedirect=false update;
Acquire::http::AllowRedirect=false upgrade;
- name: "/etc/apt/apt.conf.d/no-cache"
blockinfile:
dest: /etc/apt/apt.conf.d/no-cache
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Devuan.yml"
block: |
Acquire::http {No-Cache=True;};
when:
- ansible_virtualization_role|replace('NA', 'host') == 'guest'
- name: "/etc/apt/apt.conf.d/no-cache"
blockinfile:
dest: /etc/apt/apt.conf.d/no-cache
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Devuan.yml"
block: |
Acquire::http {No-Cache=False;};
when:
- ansible_virtualization_role|replace('NA', 'host') != 'guest'
- name: "/etc/apt/apt.conf.d/no-lang"
blockinfile:
dest: /etc/apt/apt.conf.d/no-lang
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Devuan.yml"
block: |
Acquire::Languages "none";
- name: disable /etc/apt/apt.conf.d/50unattended-upgrades
shell: |
[ -f /etc/apt/apt.conf.d/50unattended-upgrades ] || exit 0
grep -q '^[^/]' /etc/apt/apt.conf.d/50unattended-upgrades || exit 0
sed -e 's@^\([^/]\)@//\1@' -i /etc/apt/apt.conf.d/50unattended-upgrades
exit 0
- name: /etc/apt/apt.conf.d/70insecure.conf
blockinfile:
dest: /etc/apt/apt.conf.d/70insecure.conf
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Devuan.yml"
block: |
Acquire::AllowInsecureRepositories false;
- name: install proxy_debs_inst packages
environment:
- "RUNLEVEL": 1
apt:
force_apt_get: true
name: "{{ item }}"
state: latest
update_cache: no
ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
when:
- item != '' and item != []
- not ansible_check_mode
- BASE_ARE_CONNECTED|default('') != ''
with_items:
- "{{proxy_debs_inst}}"
- "{{ proxy_libvirt_debs_inst if BOX_WHONIX_PROXY_HOST != '' else [] }}"
- "{{ proxy_qemu_guest_debs_inst if PROXY_MODE in ['gateway','ws', 'vda'] else [] }}"
- "{{ proxy_gateway_debs_inst if BOX_OS_FLAVOR in ['WhonixGateway'] else [] }}"
- "{{ proxy_xfce_debs_inst if BOX_OS_FLAVOR in ['KickSecure', 'WhonixWorkstation'] else [] }}"
- name: install cntlm packages
environment:
- "RUNLEVEL": 1
apt:
force_apt_get: true
name: "cntlm"
state: latest
update_cache: no
ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
when:
- false
- not ansible_check_mode
- BASE_ARE_CONNECTED|default('') != ''
- name: "/etc/default/console-setup"
lineinfile:
dest: /etc/default/console-setup
create: yes
regexp: "^#* *{{item.name}}.*"
line: '{{ item.name }}="{{ item.val }}"'
state: present
with_items:
- { name: CODESET, val: "Uni2" }
- { name: FONTFACE, val: "TerminusBold" }
- { name: FONTSIZE, val: "28x14" }
- name: /etc/apt/apt.conf.d/70testforge.conf
blockinfile:
dest: /etc/apt/apt.conf.d/70testforge.conf
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian_post.yml"
block: |
APT::Install-Recommends false;
APT::Install-Suggests false;
#APT::AutoRemove::RecommendsImportant false;
#APT::AutoRemove::SuggestsImportant false;
APT::Periodic::Enable 0;
- name: //usr/share/tor/tor-service-defaults-torrc
shell: |
[ -f /usr/share/tor/tor-service-defaults-torrc ] &&
[ -h /usr/share/tor/tor-service-defaults-torrc ] && return 0
[ -f /usr/share/tor/tor-service-defaults-torrc ] || return 0
mv /usr/share/tor/tor-service-defaults-torrc \
/usr/share/tor/tor-service-defaults-torrc.bak
ln -s /etc/tor/torrc-defaults /usr/share/tor/tor-service-defaults-torrc

40
tasks/Devuan_post.yml Normal file
View File

@ -0,0 +1,40 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- debug:
verbosity: 1
msg: "DEBUG: Including proxy Debian_post.yml SOCKS_PROXYHOST:SOCKS_PROXYPORT= {{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}"
- name: /etc/apt/apt.conf.d/80proxy.conf
blockinfile:
dest: /etc/apt/apt.conf.d/80proxy.conf
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian_post.yml"
state: "{{'absent' if HTTP_PROXYHOST == '' else 'present' }}"
block: |
Acquire::http::Proxy "{{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}";
Acquire::https::Proxy "{{HTTP_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}";
- name: /etc/apt/apt.conf.d/70testforge.conf
blockinfile:
dest: /etc/apt/apt.conf.d/70testforge.conf
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml"
state: "{{'absent' if HTTP_PROXYHOST == '' else 'present' }}"
block: |
Acquire::tor::proxy "socks5h://apt:apt@{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}";
Acquire::tor::Timeout 60;
when:
- "SOCKS_PROXYHOST != '' and SOCKS_PROXYPORT != ''"
- name: "/etc/sdwdate.d/30_default.conf"
lineinfile:
dest: /etc/sdwdate.d/30_default.conf
create: true
regexp: "^#*{{ item.name }}.*"
line: "{{ item.name }}={{ item.val }}"
with_items:
- { name: PROXY_IP, val: "{{SOCKS_PROXYHOST}}" }
- { name: PROXY_PORT, val: "{{SOCKS_PROXYPORT}}" }

67
tasks/Gentoo.yml Normal file
View File

@ -0,0 +1,67 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "DEBUG: proxy Gentoo2.yml"
debug:
verbosity: 1
msg: "DEBUG: Including proxy Gentoo2.yml"
- assert:
that: "'{{BOX_OS_FLAVOR}}' in ['Clipos', 'Funtoo', 'Pentoo' , 'Gentoo']"
- name: "include proxy by-flavour tasks"
include_tasks: "roles/proxy/tasks/{{ ansible_distribution }}/{{ BOX_OS_FLAVOR }}/main.yml"
- name: install proxy packages proxy_pkgs_inst
environment: "{{ portage_proxy_env }}"
shell: |
cd {{ BASE_ROOT_LOG_DIR }} || exit 2
retval=0
/usr/local/bin/usr_local_base.bash box_gentoo_emerge \
{{proxy_pkgs_bootstrap}} \
{{proxy_pkgs_inst}} \
&& exit 0
retval=$?
echo WARN: $retval
exit $retval
when:
- BASE_ARE_CONNECTED|default('') != ''
- ansible_virtualization_role|replace('NA', 'host') == 'host'
ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
- name: install proxy packages GUEST
environment: "{{ portage_proxy_env }}"
shell: |
cd {{ BASE_ROOT_LOG_DIR }} || exit 2
/usr/local/bin/usr_local_base.bash box_gentoo_emerge \
{{ proxy_pkgs_bootstrap }} \
{{ proxy_pkgs_inst_guest }} \
|| exit $?
ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
when:
- BASE_ARE_CONNECTED|default('') != ''
- ansible_virtualization_role|replace('NA', 'host') != 'host'
- name: install cntlm packages
portage: package="net-proxy/cntlm" state=present
when: CORP_NTLM_PROXY|default('') != ''
- name: /etc/conf.d/consolefont
blockinfile:
dest: "/etc/{{ETC_CONF_D}}/consolefont"
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Gentoo"
mode: 0644
owner: "{{BOX_ROOT_USER}}"
group: "{{BOX_ROOT_GROUP}}"
create: yes
block: |
consolefont="ter-v24b"
- name: rc-update add bootlogd boot
shell: |
rc-update | grep -q 'bootlogd .* boot' || \
rc-update add bootlogd boot
exit 0

15
tasks/Gentoo/Gentoo/accept_keywords.yml Normal file
View File

@ -0,0 +1,15 @@
# -*- mode: yaml; tab-width: 0; coding: utf-8-unix -*-
# This is an automatically generated file: do not edit
---
- name: "/etc/portage/package.accept_keywords/2020-03_polipo.txt"
blockinfile:
dest: /etc/portage/package.accept_keywords/2020-03_polipo.txt
create: true
marker: "# {mark} Ansible Managed Block proxy polipo"
block: |
=net-proxy/polipo-9999 **

16
tasks/Gentoo/Gentoo/main.yml Normal file
View File

@ -0,0 +1,16 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "proxy Gentoo/Pentoo.yml"
debug:
verbosity: 1
msg: "proxy Gentoo/Pentoo.yml"
- include_tasks: Gentoo/Pentoo/portage.yml
- include_tasks: Gentoo/Pentoo/use.yml
#- include_tasks: Gentoo/Pentoo/mask.yml
- include_tasks: Gentoo/Pentoo/accept_keywords.yml

8
tasks/Gentoo/Gentoo/portage.yml Normal file
View File

@ -0,0 +1,8 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "proxy Gentoo/Pentoo/portage.yml"
debug:
verbosity: 1
msg: "proxy Gentoo/Pentoo/portage.yml"

55
tasks/Gentoo/Gentoo/use.yml Normal file
View File

@ -0,0 +1,55 @@
# -*- mode: yaml; tab-width: 0; coding: utf-8-unix -*-
# This is an automatically generated file: do not edit
---
- name: "/etc/portage/package.use/2022-08_nss.txt"
blockinfile:
dest: /etc/portage/package.use/2022-08_nss.txt
create: true
marker: "# {mark} Ansible Managed Block proxy curl"
block: |
net-misc/curl openssl -progress-meter alt-svc adns ftp http2 imap -ipv6 pop3 smtp ssh ssl tftp zstd -samba -sslv3 -threads -winssl -nss # -curl_ssl_gnutls -curl_ssl_mbedtls -curl_ssl_nss curl_ssl_openssl -curl_ssl_rustls
- name: "/etc/portage/package.use/2017-01-01_libguestfs.txt"
blockinfile:
dest: /etc/portage/package.use/2017-01-01_libguestfs.txt
create: true
marker: "# {mark} Ansible Managed Block proxy unzip"
block: |
app-arch/unzip natspec
- name: "/etc/portage/package.use/2020-00_ipv6.txt"
blockinfile:
dest: /etc/portage/package.use/2020-00_ipv6.txt
create: true
marker: "# {mark} Ansible Managed Block proxy nmap"
block: |
net-analyzer/nmap -ipv6
- name: "/etc/portage/package.use/2021-00_verify-sig.txt"
blockinfile:
dest: /etc/portage/package.use/2021-00_verify-sig.txt
create: true
marker: "# {mark} Ansible Managed Block proxy nmap"
block: |
net-analyzer/nmap verify-sig
- name: "/etc/portage/package.use/2019-02_rkhunter.txt"
blockinfile:
dest: /etc/portage/package.use/2019-02_rkhunter.txt
create: true
marker: "# {mark} Ansible Managed Block proxy lsof"
block: |
sys-process/lsof rpc
- name: "/etc/portage/package.use/2020-00_ipv6.txt"
blockinfile:
dest: /etc/portage/package.use/2020-00_ipv6.txt
create: true
marker: "# {mark} Ansible Managed Block proxy lsof"
block: |
sys-process/lsof -ipv6

15
tasks/Gentoo/Pentoo/accept_keywords.yml Normal file
View File

@ -0,0 +1,15 @@
# -*- mode: yaml; tab-width: 0; coding: utf-8-unix -*-
# This is an automatically generated file: do not edit
---
- name: "/etc/portage/package.accept_keywords/2020-03_polipo.txt"
blockinfile:
dest: /etc/portage/package.accept_keywords/2020-03_polipo.txt
create: true
marker: "# {mark} Ansible Managed Block proxy polipo"
block: |
=net-proxy/polipo-9999 **

16
tasks/Gentoo/Pentoo/main.yml Normal file
View File

@ -0,0 +1,16 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "proxy Gentoo/Pentoo.yml"
debug:
verbosity: 1
msg: "proxy Gentoo/Pentoo.yml"
- include_tasks: Gentoo/Pentoo/portage.yml
- include_tasks: Gentoo/Pentoo/use.yml
#- include_tasks: Gentoo/Pentoo/mask.yml
- include_tasks: Gentoo/Pentoo/accept_keywords.yml

8
tasks/Gentoo/Pentoo/portage.yml Normal file
View File

@ -0,0 +1,8 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "proxy Gentoo/Pentoo/portage.yml"
debug:
verbosity: 1
msg: "proxy Gentoo/Pentoo/portage.yml"

55
tasks/Gentoo/Pentoo/use.yml Normal file
View File

@ -0,0 +1,55 @@
# -*- mode: yaml; tab-width: 0; coding: utf-8-unix -*-
# This is an automatically generated file: do not edit
---
- name: "/etc/portage/package.use/2022-08_nss.txt"
blockinfile:
dest: /etc/portage/package.use/2022-08_nss.txt
create: true
marker: "# {mark} Ansible Managed Block proxy curl"
block: |
net-misc/curl openssl -progress-meter alt-svc adns ftp http2 imap -ipv6 pop3 smtp ssh ssl tftp zstd -samba -sslv3 -threads -winssl -nss # -curl_ssl_gnutls -curl_ssl_mbedtls -curl_ssl_nss curl_ssl_openssl -curl_ssl_rustls
- name: "/etc/portage/package.use/2017-01-01_libguestfs.txt"
blockinfile:
dest: /etc/portage/package.use/2017-01-01_libguestfs.txt
create: true
marker: "# {mark} Ansible Managed Block proxy unzip"
block: |
app-arch/unzip natspec
- name: "/etc/portage/package.use/2020-00_ipv6.txt"
blockinfile:
dest: /etc/portage/package.use/2020-00_ipv6.txt
create: true
marker: "# {mark} Ansible Managed Block proxy nmap"
block: |
net-analyzer/nmap -ipv6
- name: "/etc/portage/package.use/2021-00_verify-sig.txt"
blockinfile:
dest: /etc/portage/package.use/2021-00_verify-sig.txt
create: true
marker: "# {mark} Ansible Managed Block proxy nmap"
block: |
net-analyzer/nmap verify-sig
- name: "/etc/portage/package.use/2019-02_rkhunter.txt"
blockinfile:
dest: /etc/portage/package.use/2019-02_rkhunter.txt
create: true
marker: "# {mark} Ansible Managed Block proxy lsof"
block: |
sys-process/lsof rpc
- name: "/etc/portage/package.use/2020-00_ipv6.txt"
blockinfile:
dest: /etc/portage/package.use/2020-00_ipv6.txt
create: true
marker: "# {mark} Ansible Managed Block proxy lsof"
block: |
sys-process/lsof -ipv6

104
tasks/Gentoo_post.yml Normal file
View File

@ -0,0 +1,104 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "DEBUG: proxy Gentoo_post.yml"
debug:
verbosity: 1
msg: "DEBUG: Including proxy Gentoo_post.yml"
- name: proxy http equals
blockinfile:
dest: "{{ item.dest }}"
owner: "{{ item.owner }}"
group: "{{ item.group }}"
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy http equals"
# state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
block: |
# emerge does not seem to pick up .gitconfig settings for proxy from ~portage/.gitconfig
# neded to get these form the environment or hosts.yml
# fucking google go calls home during COMPILE
#NO api/services/events/v1/events.pb.go:15:2: google.golang.org/grpc@v1.43.0: Get "https://proxy.golang.org/google.golang.org/grpc/@v/v1.43.0.zip": proxyconnect tcp: dial tcp 127.0.0.1:9128: connect: connection refused
# allow
#NO http_proxy={{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
#NO https_proxy={{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}
#NO socks_proxy={{SOCKS_PROXYTYPE}}://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}
# NO RSYNC_PROXY={{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
http_proxy=http://127.0.0.1:666
https_proxy=http://127.0.0.1:666
socks_proxy=socks5h://127.0.0.1:666
no_proxy="{{ NO_PROXY }}"
RSYNC_PROXY=127.0.0.1:666
when:
- "item.bool == 'yes'"
with_items:
- dest: "/etc/portage/make.conf"
owner: "portage"
group: "portage"
mode: "0644"
bool: "{{ 'yes' if ansible_distribution == 'Gentoo' else 'no' }}"
- name: proxy http CURL_OPTS
blockinfile:
dest: "{{ item.dest }}"
owner: "{{ item.owner }}"
group: "{{ item.group }}"
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy http CURL_OPTS"
# state: "{{ 'present' if SOCKS_PROXY != '' else 'absent' }}"
block: |
CURL_OPTS="--cert-status --connect-timeout 30 {{ '--tlsv1.3' if BOX_TLS_VERSION == '1.3' else '--tlsv1.2' }} --location --proto-redir https --proto-default https --proto =https -x ${socks_proxy} --fail"
when:
- "item.bool == 'yes'"
with_items:
- dest: "/etc/portage/make.conf"
owner: "portage"
group: "portage"
mode: "0644"
bool: "{{ 'yes' if ansible_distribution == 'Gentoo' else 'no' }}"
- name: proxy http FETCHCOMMAND
blockinfile:
dest: "{{ item.dest }}"
owner: "{{ item.owner }}"
group: "{{ item.group }}"
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy http FETCHCOMMAND"
# state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
block: |
#FETCHCOMMAND='wget -t 1 -T 10 --passive-ftp -O "\${DISTDIR}/\${FILE}" "\${URI}"'
FETCHCOMMAND='/usr/local/bin/scurl.bash -- --retry 1 --output "\${DISTDIR}/\${FILE}" "\${URI}"'
FETCHCOMMAND_HTTP='/usr/local/bin/scurl.bash -- --retry 1 --output "\${DISTDIR}/\${FILE}" "\${URI}"'
FETCHCOMMAND_HTTPS='/usr/local/bin/scurl.bash -- --retry 1 --output "\${DISTDIR}/\${FILE}" "\${URI}"'
RESUMECOMMAND='/usr/local/bin/scurl.bash -- -C - --retry 1 --output "\${DISTDIR}/\${FILE}" "\${URI}"'
RESUMECOMMAND_HTTP='/usr/local/bin/scurl.bash -- -C - --retry 1 --output "\${DISTDIR}/\${FILE}" "\${URI}"'
RESUMECOMMAND_HTTPS='/usr/local/bin/scurl.bash -- -C - --retry 1 --output "\${DISTDIR}/\${FILE}" "\${URI}"'
when:
- "item.bool == 'yes'"
with_items:
- dest: "/etc/portage/make.conf"
owner: "portage"
group: "portage"
mode: "0644"
bool: "{{ 'yes' if ansible_distribution == 'Gentoo' else 'no' }}"
- name: /etc/portage/make.conf PORTAGE_RSYNC_EXTRA_OPTS
blockinfile:
dest: /etc/portage/make.conf
create: no
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy [PORTAGE_RSYNC_EXTRA_OPTS]"
block: |
PORTAGE_RSYNC_RETRIES=5
#mgorny suggested this speeds up sync, in my testing it makes a rather large difference
PORTAGE_RSYNC_EXTRA_OPTS="--omit-dir-times -4 --timeout=20"

28
tasks/Msys.yml Executable file
View File

@ -0,0 +1,28 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "DEBUG: Including proxy Msys.yml"
debug:
verbosity: 1
msg: "DEBUG: Including proxy Msys.yml BASE_ARE_CONNECTED={{BASE_ARE_CONNECTED}}"
- name: netsh interface ip set address name="Ethernet0" static 10.1.2.220 255.255.255.0 10.1.2.1
shell: |
# https://pureinfotech.com/set-static-ip-address-windows-10/
netsh interface ip set address name="{{BOX_DEFAULT_OUTPUT_IF}}" static 10.152.152.13 255.255.255.0 10.152.152.10
- name: "proxy local_connection.yml"
include_tasks: "local_connection.yml"
- block:
- name: mvmc_setup.msi
shell: |
[ -f /e/net/Http/https://github.com/xavery/mvmc_setup/releases/download/2014_11_10/mvmc_setup.msi ] \
wget --restrict-file-names=windows -xcP /e/net/Http \
https://github.com/xavery/mvmc_setup/releases/download/2014_11_10/mvmc_setup.msi || \
exit 1
[ -d /c/Program Files/ ] || \
start "/e/net/Http/github.com/xavery/mvmc_setup/releases/download/2014_11_10/mvmc_setup.msi" //quiet

41
tasks/Ubuntu.yml Normal file
View File

@ -0,0 +1,41 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "DEBUG: Including proxy Ubuntu.yml"
debug:
verbosity: 1
msg: "DEBUG: Including proxy Ubuntu.yml"
- name: install proxy_debs_inst packages
environment:
- "RUNLEVEL": 1
shell: |
apt-get install {{ proxy_debs_inst|join(' ') }} -y \
{{ '--print-uris' if BASE_ARE_CONNECTED|default('') == '' else '' }}
ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
when:
- not ansible_check_mode
- name: install cntlm packages
environment:
- "RUNLEVEL": 1
apt:
force_apt_get: true
name: "cntlm"
state: latest
update_cache: no
ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
when:
- not ansible_check_mode
- BASE_ARE_CONNECTED|default('') != ''
- name: "/etc/default/console-setup"
lineinfile:
dest: /etc/default/console-setup
regexp: "^#* *{{item.name}}.*"
line: '{{ item.name }}="{{ item.val }}"'
state: present
with_items:
- { name: FONTFACE, val: "TerminusBold" }
- { name: FONTSIZE, val: "12x24" }

35
tasks/Ubuntu16.yml Normal file
View File

@ -0,0 +1,35 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "DEBUG: proxy Ubuntu14.yml"
debug:
verbosity: 1
msg: "DEBUG: Including proxy Ubuntu14.yml"
- name: install proxy_debs_inst packages
environment:
- "RUNLEVEL": 1
apt:
force_apt_get: true
name: "{{ proxy_debs_inst }}"
state: latest
update_cache: no
ignore_errors: BASE_ARE_CONNECTED|default('') == ''
when:
- BASE_ARE_CONNECTED|default('') != ''
- not ansible_check_mode
- name: install cntlm packages
environment:
- "RUNLEVEL": 1
apt:
force_apt_get: true
name: "cntlm"
state: latest
update_cache: no
ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
when:
- not ansible_check_mode
- CORP_NTLM_PROXY|default('') != ''
- BASE_ARE_CONNECTED|default('') != ''

11
tasks/Ubuntu16_no_systemd.yml Normal file
View File

@ -0,0 +1,11 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
# http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_an_Ubuntu_Xenial_installation
---
- name: "DEBUG: Including proxy Ubuntu16_no_systemd.yml"
debug:
verbosity: 1
msg: "DEBUG: Including proxy Ubuntu16_no_systemd.yml"

23
tasks/Ubuntu_post.yml Normal file
View File

@ -0,0 +1,23 @@
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- debug:
verbosity: 1
msg: "DEBUG: Including proxy Ubuntu_post.yml"
- name: /etc/apt/apt.conf.d/80proxy.conf
blockinfile:
dest: /etc/apt/apt.conf.d/80proxy.conf
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy"
block: |
Acquire::http::Proxy "{{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}";
Acquire::https::Proxy "{{HTTP_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}";
when: HTTP_PROXYHOST != ''
- name: /etc/apt/apt.conf.d/80proxy.conf
file:
path: /etc/apt/apt.conf.d/80proxy.conf
state: absent
when: HTTP_PROXYHOST == ''

20
tasks/dirmngr.err Normal file
View File

@ -0,0 +1,20 @@
3root@Ulati:# dirmngr --help|less
3root@Ulati:# dirmngr --server --http-proxy $http_proxy &
[1] 8783
3root@Ulati:# dirmngr[8783]: No ldapserver file at: '/root/.gnupg/dirmngr_ldapservers.conf'
dirmngr[8783.0]: oops: ksba_cert_hash failed: No value
dirmngr[8783.0]: error loading certificate '/etc/ssl/certs/ca-certificates.crt': Invalid certificate object
dirmngr[8783.0]: oops: ksba_cert_hash failed: No value
dirmngr[8783.0]: error loading certificate '/etc/ssl/certs/ca-certificates.crt': Invalid certificate object
dirmngr[8783.0]: oops: ksba_cert_hash failed: No value
dirmngr[8783.0]: error loading certificate '/etc/ssl/certs/ca-certificates.crt': Invalid certificate object
ksba: ERROR: object length field 2 octects too large
ksba: ERROR: object length field 12 octects too large
ksba: ERROR: object length field 12 octects too large
ksba: ERROR: object length field 71 octects too large
ksba: ERROR: object length field 59 octects too large
ksba: ber-decoder: node `?': TLV length too large
dirmngr[8783.0]: can't parse certificate '/etc/ssl/certs/ca-certificates.crt': BER error
dirmngr[8783.0]: permanently loaded certificates: 2
dirmngr[8783.0]: runtime cached certificates: 0
dirmngr[8783.0]: trusted certificates: 2 (1,0,0,1)

54
tasks/dirmngr.hlp Normal file
View File

@ -0,0 +1,54 @@
dirmngr (GnuPG) 2.2.12
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Syntax: dirmngr [options] [command [args]]
Keyserver, CRL, and OCSP access for GnuPG
Commands:
--server run in server mode (foreground)
--daemon run in daemon mode (background)
--supervised run in supervised mode
--list-crls list the contents of the CRL cache
--load-crl FILE load CRL from FILE into cache
--fetch-crl URL fetch a CRL from URL
--shutdown shutdown the dirmngr
--flush flush the cache
Options:
-v, --verbose verbose
-q, --quiet be somewhat more quiet
-s, --sh sh-style command output
-c, --csh csh-style command output
--options FILE read options from FILE
--debug-level LEVEL set the debugging level to LEVEL
--no-detach do not detach from the console
--log-file FILE write server mode logs to FILE
--batch run without asking a user
--force force loading of outdated CRLs
--allow-ocsp allow sending OCSP requests
--allow-version-check allow online software version check
--disable-http inhibit the use of HTTP
--disable-ldap inhibit the use of LDAP
--ignore-http-dp ignore HTTP CRL distribution points
--ignore-ldap-dp ignore LDAP CRL distribution points
--ignore-ocsp-service-url ignore certificate contained OCSP service URLs
--http-proxy URL redirect all HTTP requests to URL
--ldap-proxy HOST use HOST for LDAP queries
--only-ldap-proxy do not use fallback hosts with --ldap-proxy
--ldapserverlist-file FILE read LDAP server list from FILE
--add-servers add new servers discovered in CRL distribution points to serverlist
--ldaptimeout N set LDAP timeout to N seconds
--ocsp-responder URL use OCSP responder at URL
--ocsp-signer FPR OCSP response signed by FPR
--max-replies N do not return more than N items in one query
--hkp-cacert FILE use the CA certificates in FILE for HKP over TLS
--use-tor route all network traffic via Tor
(See the "info" manual for a complete listing of all commands and options)
Please report bugs to <https://bugs.gnupg.org>.

1
tasks/dirmngr.sh Normal file
View File

@ -0,0 +1 @@
dirmngr --server --http-proxy http://127.0.0.1:3128 --options /etc/dirmngr/dirmngr.conf --disable-ldap --hkp-cacert /usr/local/etc/ssl/cacert-testforge.pem --log-file /var/log/dirmngr.log --no-detach

Some files were not shown because too many files have changed in this diff Show More