second
parent
19597c9297
commit
d29b1e4542
13
README.md
Normal file
13
README.md
Normal file
@ -0,0 +1,13 @@
|
||||
|
||||
This role builds on, and requires, ../base_role and lays down the
|
||||
basics for cntlm and socks and http and https proxies. It is required
|
||||
to be run after ../base_role
|
||||
|
||||
Look at the variables in defaults/main.yml to customize the role, and
|
||||
double-check the settings in vars/*.yml.
|
||||
|
||||
It is multi-target and should run on Gentoo2, Debian4, Devuan5, Ubuntu18
|
||||
athough only tested on Gentoo. To bring it up to date, just copy the
|
||||
existing files in vars and maybe tasks to the new name and edit to suit,
|
||||
but be advised that it is systemd-challenged, like its author.
|
||||
|
@ -1,10 +1,8 @@
|
||||
#!/bin/bash
|
||||
|
||||
ROLE=proxy
|
||||
MODE=host
|
||||
|
||||
#[ $# -eq 0 ] && set -- Whonix-Gateway /bin/cat /proc/cmdline
|
||||
[ $# -eq 0 ] && set -- Whonix-Gateway /bin/netstat -lnp4
|
||||
[ $# -lt 2 ] && echo USAGE: $0 domain command arguments
|
||||
|
||||
HOST=$1
|
||||
|
@ -7,6 +7,7 @@ ROLE=proxy
|
||||
PYVER=3
|
||||
|
||||
# DEBUG=1
|
||||
# TRACE=1
|
||||
|
||||
. /usr/local/bin/proxy_ping_lib.bash || \
|
||||
{ ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 6; }
|
||||
@ -19,17 +20,17 @@ which nslookup 2>/dev/null >/dev/null && HAVE_NSLOOKUP=1 || HAVE_NSLOOKUP=0
|
||||
which tor-resolve 2>/dev/null >/dev/null && HAVE_TOR_RESOLVE=1 || HAVE_TOR_RESOLVE=0
|
||||
|
||||
[ -z "$prog" ] || prog=proxy_ping_test
|
||||
proxy_ping_get_socks
|
||||
proxy_ping_get_socks >/dev/null
|
||||
[ -z "$SOCKS_HOST" ] && SOCKS_HOST=127.0.0.1
|
||||
[ -z "$SOCKS_PORT" ] && SOCKS_PORT=9050
|
||||
[ -z "$SOCKS_DNS" ] && SOCKS_DNS=9053
|
||||
HTTPS_PORT=9128
|
||||
HTTPS_HOST=127.0.0.1
|
||||
proxy_ping_get_https
|
||||
proxy_ping_get_https >/dev/null
|
||||
[ -z "$HTTPS_HOST" ] && HTTPS_HOST=127.0.0.1
|
||||
HTTP_PORT=3128
|
||||
HTTP_PROXY_HOST=127.0.0.1
|
||||
proxy_ping_get_http
|
||||
proxy_ping_get_http >/dev/null
|
||||
[ -z "$HTTP_HOST" ] && HTTP_HOST=127.0.0.1
|
||||
|
||||
[ -f $PREFIX/etc/testforge/testforge.bash ] && \
|
||||
@ -80,9 +81,15 @@ SCURL="/usr/local/bin/scurl.bash --output /dev/null"
|
||||
NSL='nslookup -querytype=A -debug'
|
||||
NETS='netstat -nl4e'
|
||||
ALL=""
|
||||
USAGE="$prog without arguments tests the current MODE=$MODE,
|
||||
or with 0 to list the tests by number,
|
||||
or one or more of the groups:
|
||||
|
||||
"
|
||||
|
||||
[ -z "$USER" ] && USER=$(id -un )
|
||||
[ $USER = root ] && DMESG_LINES=1 || DMESG_LINES=0
|
||||
[ $USER = root -a -n "$TRACE" -a "$TRACE" != '0' ] && DMESG_LINES=1 || DMESG_LINES=0
|
||||
|
||||
[ -n "$PROXY_WLAN" ] || PROXY_WLAN=`proxy_ping_get_wlan`
|
||||
# fixme - required
|
||||
PROXY_WLAN=$( echo $PROXY_WLAN | grep ^wlan |sed -e 's/:.*//' )
|
||||
@ -91,11 +98,6 @@ PROXY_WLAN=$( echo $PROXY_WLAN | grep ^wlan |sed -e 's/:.*//' )
|
||||
# fixme - required
|
||||
PROXY_WLAN_GW=$( echo $PROXY_WLAN_GW | grep ^wlan |sed -e 's/:.*//' )
|
||||
MODE=$( proxy_ping_mode )
|
||||
USAGE="$prog without arguments tests the current MODE=$MODE,
|
||||
or 0 to list the tests by number,
|
||||
or one or more of the groups:
|
||||
|
||||
"
|
||||
|
||||
DNS_HOST=$SOCKS_HOST
|
||||
[ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
|
||||
@ -244,20 +246,21 @@ proxy_run_as_root () { DBUG proxy_run_as_root $* ;
|
||||
return 1
|
||||
}
|
||||
|
||||
## proxy_test_pretests
|
||||
proxy_test_pretests () {
|
||||
if [ "$1" = panic ] ; then
|
||||
# could pull these out as tests and add them to
|
||||
## proxy_test_pretest_exit
|
||||
proxy_test_pretest_exit () {
|
||||
proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
|
||||
if [ "$1" = panic -o "$1" = firewall ] ; then
|
||||
: dont ping on panic
|
||||
proxy_ping_broken || proxy_do_ping || \
|
||||
{ WARN ping failed for panic so skipping ; exit 0 ; }
|
||||
elif [ "$1" = direct -o "$1" = gateway -o "$1" = vda -o "$1" = kick ] ; then
|
||||
proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
|
||||
proxy_ping_broken || proxy_do_ping || exit 3$?
|
||||
proxy_ping_test_resolv $MODE ||\
|
||||
{ WARN $prog proxy_ping_test_resolv=$? 'echo nameserver 127.0.0.1 > /etc/resolv.conf' ; exit 4 ; }
|
||||
proxy_ping_firewall_start || { ERROR "proxy_ping_firewall_start ret=$?" ; exit 5 ; }
|
||||
elif [ "$1" = nat ] ; then
|
||||
proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
|
||||
: proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
|
||||
else
|
||||
proxy_do_ping || exit 4$?
|
||||
proxy_ping_test_resolv $MODE || \
|
||||
@ -270,9 +273,25 @@ proxy_test_pretests () {
|
||||
|
||||
## proxy_test_help_args
|
||||
proxy_test_help_args () {
|
||||
declare -a elts=()
|
||||
declare -a ret=()
|
||||
ret=( $(grep " -.* $1 " /tmp/proxy_ping_test.hlp | \
|
||||
sed -e 's/.=.*//' -e 's/.*tests.//') )
|
||||
local elt
|
||||
if [ "$1" = selektor -o "$1" = whonix -o "$1" = torhost ] ; then
|
||||
elts=($1 socks http dns https tordns firefail)
|
||||
elif [ "$1" = torlibvirthost ] ; then
|
||||
elts=($1 libvirthost socks http https tordns firefail)
|
||||
elts+=($MODE)
|
||||
elif [ "$1" = gateway ] ; then
|
||||
elts=($1 libvirtguest socks dns http https firefail)
|
||||
else
|
||||
elts=($1)
|
||||
fi
|
||||
for elt in "${elts[@]}" ; do
|
||||
# DBUG proxy_test_help_args $elt $1 >&2
|
||||
ret+=( $(grep " -.* $elt " /tmp/proxy_ping_test.hlp | \
|
||||
sed -e 's/.=.*//' -e 's/.*tests.//') )
|
||||
done
|
||||
DBUG proxy_test_help_args "${ret[@]}" >&2
|
||||
echo "${ret[@]}"
|
||||
return 0
|
||||
}
|
||||
@ -293,9 +312,6 @@ proxy_ping_test_set_args () {
|
||||
## vda - through the Gateway with the firewall - also polipo,panic - uses env
|
||||
[ "$1" = vda ] &&
|
||||
aret=( 35 3 20 ) #
|
||||
## tor - tor with the firewall to test the host side tor server - call to_tor,dns,ntp in addition
|
||||
[ "$1" = tor ] &&
|
||||
aret=( 21 30 20 4 5 36 3 )
|
||||
## kick - open firewall with tor running - call dns,polipo +tor in addition
|
||||
[ "$1" = kick -o "$1" = host ] &&
|
||||
aret=( 24 31 13 16 6 )# 30 24 31 6 13 16
|
||||
@ -304,15 +320,19 @@ proxy_ping_test_set_args () {
|
||||
aret=( 23 25 4 5 30 24 17 3 21 ) # 31 6 16
|
||||
|
||||
# aliases
|
||||
# socks defines http as the target of a user using socks
|
||||
[ "$1" = "$SOCKS_PORT" ] && set -- socks
|
||||
# http defines http as the target of a user using http
|
||||
[ "$1" = "$HTTP_PORT" ] && set -- http
|
||||
# https defines http as the target of a user using https
|
||||
[ "$1" = "$HTTPS_PORT" ] && set -- https
|
||||
# dns defines http as the target of a user using dns
|
||||
[ "$1" = "53" ] && set -- dns
|
||||
# tordns defines http as the target of a user using tordns
|
||||
[ "$1" = "9053" ] && set -- tordns
|
||||
|
||||
[ "$1" = scan ] && set -- iwlist
|
||||
[ "$1" = panic ] && set -- firewall
|
||||
[ "$1" = tor ] && set -- torhost
|
||||
[ "$1" = to_gateway ] && set -- whonix
|
||||
[ "$1" = from_tor ] && set -- whonix
|
||||
[ "$1" = from_gateway ] && set -- gateway
|
||||
@ -326,11 +346,11 @@ proxy_ping_test_set_args () {
|
||||
set -- ping dns socks http https tordns firefail libvirtguest
|
||||
# wifi?
|
||||
[ "$1" = whonix ] && \
|
||||
set -- ping tordns dns socks http https torhost tordns firefail gw
|
||||
[ "$1" = tor ] && \
|
||||
set -- ping tordns dns trace socks http https torhost tordns firefail nmap gw
|
||||
[ "$1" = selektor ] && \
|
||||
set -- ping tordns dns trace socks http https torhost tordns firefail nmap gw
|
||||
set -- ping tordns dns socks http https torhost tordns firefail gw
|
||||
[ "$1" = tor -o "$1" = selektor ] && \
|
||||
set -- ping tordns dns trace torhost nmap gw
|
||||
## torhost implies -
|
||||
#? tor with the firewall to test the host side tor server - call to_tor,dns,ntp in addition
|
||||
[ "$1" = direct -o "$1" = '' ] && \
|
||||
set -- ping dns trace nmap gw
|
||||
|
||||
@ -339,33 +359,34 @@ proxy_ping_test_set_args () {
|
||||
# aret="${#tests[@]}"
|
||||
|
||||
## gw - test if we are connected to the gateway
|
||||
## torhost - running tor with the firewall
|
||||
## env - from the cmdline with a properly setup env
|
||||
## firefail - test the proxy without env vars to expect failure
|
||||
## torhost - running tor with the firewall
|
||||
## http - assumes torhost or whonix and env setup
|
||||
## https - assumes torhost or whonix and env setup
|
||||
## socks - assumes torhost or whonix and env setup
|
||||
## tordns - test 9053 for dns using tor-resolve
|
||||
## dns - dns using tor or the gateway, with the firewall - does not assume env
|
||||
## ping - connected routed test the ping to DNS hosts
|
||||
## ntp - ntpdate through the firewall
|
||||
## nmap - nmap sgid through the firewall - does not assume env
|
||||
## iwlist - wlan scan
|
||||
## iwlist - wlan scan of a wifi host
|
||||
## firewall - test that the firewall blocks
|
||||
## virbr1 - assumes tor or whonix
|
||||
## gateway - ssh to the whonix gateway
|
||||
## virbr1 - looks for virbr1 on a libvirt host torhost or whonix
|
||||
## gateway - ssh to the whonix gateway from the torhost
|
||||
## trace - traceroute to DNSHOST - icmp is allowed by the firewall, except on vda
|
||||
## wifi - test if we are connected - call scan in addition
|
||||
## libvirthost - hosting a libvirt container
|
||||
## libvirtguest - in a libvirt container
|
||||
## tordns - test 9053 for dns using tor-resolve
|
||||
## dns - dns using tor or the gateway, with the firewall - does not assume env
|
||||
## whonix - whonix to the Gateway with the firewall - also panic - not assume env
|
||||
## whonix - whonix gateway host side client setup with the firewall was from_to## direct - assume no firewall and no proxy - but may work depend on env
|
||||
r
|
||||
## whonix - whonix torhost with libvirt container running gateway behind firewall - aliases: to_gateway from_tor
|
||||
## direct - assume no firewall and no proxy - but may work depend on env
|
||||
|
||||
for elt in "$@" ; do
|
||||
if [ "$elt" = gw -o "$elt" = '' -o "$elt" = env -o \
|
||||
"$elt" = https -o "$elt" = http -o "$elt" = socks -o "$elt" = dns -o \
|
||||
"$elt" = torhost -o "$elt" = tordns -o "$elt" = whonix -o \
|
||||
"$elt" = libvirthost -o "$elt" = libvirtguest -o "$elt" = virbr1 -o \
|
||||
"$elt" = libvirthost -o "$elt" = torlibvirthost -o \
|
||||
"$elt" = libvirtguest -o "$elt" = virbr1 -o \
|
||||
"$elt" = ping -o "$elt" = trace -o "$elt" = ntp -o "$elt" = nmap -o \
|
||||
"$elt" = iwlist -o "$elt" = firefail -o "$elt" = direct -o \
|
||||
"$elt" = trace -o "$elt" = wifi -o "$elt" = '' -o "$elt" = '' \
|
||||
@ -405,9 +426,8 @@ if [ $1 = '-h' -o $1 = '--help' ] ; then
|
||||
set -- `proxy_ping_test_set_args "$@"`
|
||||
DBUG running tests numbered "$@"
|
||||
fi
|
||||
proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
|
||||
|
||||
proxy_test_pretests "$1"
|
||||
proxy_test_pretest_exit "$1"
|
||||
|
||||
# https://stackoverflow.com/questions/8290046/icmp-sockets-linux/20105379#20105379
|
||||
if [ $( id -u ) -eq 0 ] ; then
|
||||
@ -471,6 +491,7 @@ while [ "$#" -gt 0 ] ; do
|
||||
[ $DEBIAN -eq 0 ] && continue
|
||||
|
||||
[ -z "$socks_proxy" ] && socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
|
||||
# mode whonix implies torhost
|
||||
if [ $MODE = whonix ] ; then
|
||||
ssh -o ForwardX11=no user@10.0.2.15 netstat -nl4e| grep 15:$SOCKS_PORT || {
|
||||
retval=$?
|
||||
@ -496,14 +517,16 @@ while [ "$#" -gt 0 ] ; do
|
||||
GREP="$SOCKS_PORT"
|
||||
|
||||
elif [ $ARG -eq 4 ] ; then
|
||||
tests[4]="dig_socks_through_as_user @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com - tordns "
|
||||
tests[4]="dig_socks_through_as_user @${SOCKS_HOST} -p $SOCKS_DNS $DNS_TARGET - tordns "
|
||||
[ $HAVE_DIG = 1 ] || continue
|
||||
if [ $MODE = whonix ] ; then
|
||||
# test ssh to the whonix_gateway libvirt container
|
||||
# and make sure that the socks proxy is runninh
|
||||
ssh -o ForwardX11=no user@10.0.2.15 netstat -nl4e | grep 15:$SOCKS_DNS
|
||||
fi
|
||||
dig @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \
|
||||
dig @${SOCKS_HOST} -p $SOCKS_DNS $DNS_TARGET +timeout=$TIMEOUT >/dev/null || { \
|
||||
retval=$?
|
||||
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com
|
||||
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig @${SOCKS_HOST} -p $SOCKS_DNS $DNS_TARGET
|
||||
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||
}
|
||||
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||
@ -513,7 +536,7 @@ while [ "$#" -gt 0 ] ; do
|
||||
elif [ $ARG -eq 5 ] ; then
|
||||
tests[5]="nslookup_socks_as_user - tordns "
|
||||
[ $HAVE_NSLOOKUP = 1 ] || continue
|
||||
desc="$NSL -port=$SOCKS_DNS www.whatismypublicip.com ${DNS_HOST}"
|
||||
desc="$NSL -port=$SOCKS_DNS $DNS_TARGET ${DNS_HOST}"
|
||||
$desc >/dev/null || { \
|
||||
retval=$?
|
||||
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval $desc
|
||||
@ -697,8 +720,9 @@ while [ "$#" -gt 0 ] ; do
|
||||
[ $DEBIAN -eq 0 ] && continue
|
||||
|
||||
socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
|
||||
proxy_ping_curl -x $socks_proxy https://$HTTP_TARGET >/dev/null \
|
||||
|| { retval=$? ; ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $SOCKS_PORT
|
||||
proxy_ping_curl -x $socks_proxy https://$HTTP_TARGET >/dev/null || {
|
||||
retval=$? ;
|
||||
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $SOCKS_PORT
|
||||
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||
}
|
||||
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||
@ -742,11 +766,11 @@ while [ "$#" -gt 0 ] ; do
|
||||
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||
|
||||
elif [ $ARG -eq 24 ] ; then
|
||||
tests[24]="dig_direct_or_dnsmasq dig -b $IP www.whatismypublicip.com - direct "
|
||||
tests[24]="dig_direct_or_dnsmasq dig -b $IP $DNS_TARGET - direct "
|
||||
[ $HAVE_DIG = 1 ] || continue
|
||||
[ -n "$PROXY_WLAN" -a -n "$IP" ] || proxy_ping_get_wlan_gw || continue
|
||||
[ -n "$IP" ] || continue
|
||||
dig -b $IP www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \
|
||||
dig -b $IP $DNS_TARGET +timeout=$TIMEOUT >/dev/null || { \
|
||||
retval=$?
|
||||
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP
|
||||
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||
@ -758,9 +782,9 @@ while [ "$#" -gt 0 ] ; do
|
||||
[ $HAVE_NSLOOKUP = 1 ] || continue
|
||||
# noenv with or without proxy
|
||||
# @$DNS_HOST1 should fail for firewall unless dnsmasq is working
|
||||
$NSL >/dev/null www.whatismypublicip.com || { \
|
||||
$NSL >/dev/null $DNS_TARGET || { \
|
||||
retval=$?
|
||||
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval nslookup www.whatismypublicip.com
|
||||
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval nslookup $DNS_TARGET
|
||||
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||
}
|
||||
INFO $prog test=$ARG "${tests[$ARG]}" nslookup
|
||||
@ -768,7 +792,7 @@ while [ "$#" -gt 0 ] ; do
|
||||
elif [ $ARG -eq 26 ] ; then
|
||||
tests[26]="route_connected_ping_scan - direct "
|
||||
[ $HAVE_DIG = 1 ] || continue
|
||||
#? proxy_test_pretests
|
||||
#? done already in proxy_test_pretest_exit
|
||||
proxy_do_ping && \
|
||||
INFO $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP || \
|
||||
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP
|
||||
@ -777,7 +801,7 @@ while [ "$#" -gt 0 ] ; do
|
||||
tests[27]="dns_as_user dig -b 127.0.0.1 - direct "
|
||||
[ $HAVE_DIG = 1 ] || continue
|
||||
[ -n "$PROXY_WLAN" -a -n "$IP" ] || proxy_ping_get_wlan_gw || continue
|
||||
dig -b 127.0.0.1 www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \
|
||||
dig -b 127.0.0.1 $DNS_TARGET +timeout=$TIMEOUT >/dev/null || { \
|
||||
retval=$?
|
||||
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP
|
||||
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||
@ -808,9 +832,9 @@ while [ "$#" -gt 0 ] ; do
|
||||
|
||||
elif [ $ARG -eq 30 ] ; then
|
||||
tests[30]="tor_bootstrap_check_as_root tor_bootstrap_check.py - torhost "
|
||||
[ $MODE = tor -o $MODE = selektor ] || {
|
||||
ERROR $prog MODE != tor test=$ARG
|
||||
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||
[ $MODE = tor -o $MODE = whonix -o $MODE = selektor ] || {
|
||||
# are there other roles that run tor?
|
||||
WARN $prog MODE != tor test=$ARG
|
||||
}
|
||||
port=$SOCKS_PORT
|
||||
$NETS | grep -q :$port || {
|
||||
@ -834,7 +858,7 @@ while [ "$#" -gt 0 ] ; do
|
||||
tests[31]="curl_noproxy_as_root polipo http pages $HTTP_PORT - direct http "
|
||||
proxy_ping_curl --noproxy http://${HTTP_HOST}:$HTTP_PORT && { \
|
||||
retval=$?
|
||||
ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" retval=$retval polipo http pages $HTTP_PORT
|
||||
ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" retval=$retval http to $HTTP_PORT
|
||||
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||
}
|
||||
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||
@ -923,7 +947,7 @@ while [ "$#" -gt 0 ] ; do
|
||||
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||
GREP=""
|
||||
elif [ $ARG -eq 38 ] ; then
|
||||
tests[38]="qemu-guest-agent and ports - libvirthost whonix "
|
||||
tests[38]="qemu-guest-agent and ports - libvirthost "
|
||||
[ $USER = root ] || continue
|
||||
$PL proxy_libvirt_list
|
||||
aret=$?
|
||||
@ -932,9 +956,10 @@ while [ "$#" -gt 0 ] ; do
|
||||
elif [ $aret -ne 10 -a $aret -ne 0 ] ; then
|
||||
DBUG proxy_libvirt_status aret=$aret
|
||||
else
|
||||
$PL proxy_libvirt_list | grep -q "$GATEW_DOM" || {
|
||||
ERROR MODE=$MODE and $GATEW_DOM not running ;
|
||||
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||
# was $GATEW_DOM but now can be gentoo_vm-2 etc
|
||||
$PL proxy_libvirt_list 2>&1 | grep -q "running" || {
|
||||
WARN MODE=$MODE and nothing libvirt running ;
|
||||
continue
|
||||
}
|
||||
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||
fi
|
||||
@ -959,8 +984,6 @@ exit 0
|
||||
curl $D -k --proxy
|
||||
3)
|
||||
curl $D -k --proxy socks5://${SOCKS_HOST}:$SOCKS_PORT --proxy-insecure
|
||||
5)
|
||||
nslookup -port=$SOCKS_DNS www.whatismypublicip.com ${SOCKS_HOST} \
|
||||
6)
|
||||
curl -k --proxy $HTTP_PORT
|
||||
16)
|
||||
|
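Review bot: proxy_test_help_args takes its test-selection data from the fixed path `/tmp/proxy_ping_test.hlp` — in the new per-element loop `ret+=( $(grep " -.* $elt " /tmp/proxy_ping_test.hlp | sed …) )` as well as on the line it replaces — and a predictable name in a world-writable directory can be created or swapped by any local account before the script runs; the `[ $USER = root ]` checks elsewhere in this section suggest the script is sometimes run as root, so the test numbers that reach `set --` would then come from outside the script rather than from its own help output. Where that file is produced is not visible in this hunk; if the script writes it itself, create it with `mktemp` and carry the path in a variable, otherwise keep it in a directory only the invoking user can write and skip it unless it is a regular file owned by that user. The unquoted command substitution inside the array assignment additionally word-splits and glob-expands grep's output, so reading the pipeline with `mapfile -t`, or wrapping the assignment in `set -f`/`set +f`, would keep each matched line intact.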
1
overlay/Linux/usr/local/etc/ssl/cacert-testforge.pem
Symbolic link
1
overlay/Linux/usr/local/etc/ssl/cacert-testforge.pem
Symbolic link
@ -0,0 +1 @@
|
||||
cacert-curl.se_ca_cacert.pem
|
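Review bot: The link target `cacert-curl.se_ca_cacert.pem` is not added anywhere visible in this commit, so unless it already exists beside the link in the overlay, `cacert-testforge.pem` dangles and every TLS client pointed at it fails verification outright (the safe direction, but presumably not the intent) — worth confirming before this lands. Since the bundle is what the proxies' TLS trust rests on, a short README next to it recording where it was fetched from, its date, and its expected digest (a placeholder such as `<SHA256_OF_BUNDLE>` until filled in) would make the overlay reproducible and let the file be checked after deployment.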
285
overlay/Linux/usr/local/etc/systemd/KickSecure.mask
Executable file
285
overlay/Linux/usr/local/etc/systemd/KickSecure.mask
Executable file
@ -0,0 +1,285 @@
|
||||
# accounts-daemon.service
|
||||
# acpid.path
|
||||
# acpid.service
|
||||
# acpid.socket
|
||||
# acpi-support.service
|
||||
# alsa-restore.service
|
||||
# alsa-state.service
|
||||
# alsa-utils.service
|
||||
# apparmor.service
|
||||
# apparmor.service.d
|
||||
apt-daily.service
|
||||
apt-daily.timer
|
||||
apt-daily-upgrade.service
|
||||
apt-daily-upgrade.timer
|
||||
# autovt@.service
|
||||
# basic.target
|
||||
# blk-availability.service
|
||||
# blockdev@.target
|
||||
bluetooth.target
|
||||
# bootclockrandomization.service
|
||||
# boot-complete.target
|
||||
# canary.service
|
||||
# console-getty.service
|
||||
# console-setup.service
|
||||
# console-setup.service.d
|
||||
# container-getty@.service
|
||||
# cryptdisks-early.service
|
||||
# cryptdisks.service
|
||||
# cryptsetup-pre.target
|
||||
# cryptsetup.target
|
||||
# ctrl-alt-del.target
|
||||
# dbus-org.freedesktop.hostname1.service
|
||||
# dbus-org.freedesktop.locale1.service
|
||||
# dbus-org.freedesktop.login1.service
|
||||
# dbus-org.freedesktop.timedate1.service
|
||||
# dbus.service
|
||||
# dbus.socket
|
||||
# debug-shell.service
|
||||
# default.target
|
||||
dev-hugepages.mount
|
||||
# dev-mqueue.mount
|
||||
# dist-skel-first-boot.service
|
||||
# dm-event.service
|
||||
# dm-event.socket
|
||||
# e2scrub_all.service
|
||||
# e2scrub_all.timer
|
||||
# e2scrub_fail@.service
|
||||
# e2scrub_reap.service
|
||||
# e2scrub@.service
|
||||
# emergency.service
|
||||
# emergency.target
|
||||
# exit.target
|
||||
# final.target
|
||||
# first-boot-complete.target
|
||||
# flatpak-system-helper.service
|
||||
# fstrim.service
|
||||
# fstrim.timer
|
||||
# gdm3.service
|
||||
# gdm.service
|
||||
# getty-pre.target
|
||||
# getty@.service
|
||||
# getty-static.service
|
||||
# getty.target
|
||||
# getty.target.wants
|
||||
# graphical.target
|
||||
# graphical.target.wants
|
||||
# halt.target
|
||||
# haveged.service
|
||||
# haveged.service.d
|
||||
# hibernate.target
|
||||
# hide-hardware-info.service
|
||||
# hwclock.service
|
||||
# hybrid-sleep.target
|
||||
# initrd-cleanup.service
|
||||
# initrd-fs.target
|
||||
# initrd-parse-etc.service
|
||||
# initrd-root-device.target
|
||||
# initrd-root-device.target.wants
|
||||
# initrd-root-fs.target
|
||||
# initrd-switch-root.service
|
||||
# initrd-switch-root.target
|
||||
# initrd.target
|
||||
# initrd-udevadm-cleanup-db.service
|
||||
# jitterentropy.service
|
||||
# kexec.target
|
||||
# keyboard-setup.service
|
||||
# kmod.service
|
||||
# kmod-static-nodes.service
|
||||
# live-mode-apparmor.service
|
||||
# live-tools.service
|
||||
# local-fs-pre.target
|
||||
# local-fs.target
|
||||
# local-fs.target.wants
|
||||
# lvm2-lvmpolld.service
|
||||
# lvm2-lvmpolld.socket
|
||||
# lvm2-monitor.service
|
||||
# lvm2-pvscan@.service
|
||||
# lvm2.service
|
||||
# machine.slice
|
||||
# man-db.service
|
||||
# man-db.timer
|
||||
# mnt-shared-kvm.service
|
||||
# mnt-shared-vbox.service
|
||||
# modprobe@.service
|
||||
# msgcollector.service
|
||||
# multi-user.target
|
||||
# multi-user.target.wants
|
||||
# NetworkManager-dispatcher.service
|
||||
# NetworkManager.service
|
||||
# NetworkManager-wait-online.service
|
||||
# network-online.target
|
||||
# network-pre.target
|
||||
# network.target
|
||||
# nss-lookup.target
|
||||
# nss-user-lookup.target
|
||||
# openvpn-client@.service
|
||||
# openvpn@openvpn.service.d
|
||||
# openvpn-server@.service
|
||||
# openvpn.service
|
||||
# openvpn@.service
|
||||
# orca-kill-at-shutdown.service
|
||||
# paths.target
|
||||
# permission-hardening.service
|
||||
# polkit.service
|
||||
# poweroff.target
|
||||
# printer.target
|
||||
# proc-hidepid.service
|
||||
# procps.service
|
||||
# proc-sys-fs-binfmt_misc.automount
|
||||
# proc-sys-fs-binfmt_misc.mount
|
||||
# pulseaudio-enable-autospawn.service
|
||||
# qubes-sync-time.service.d
|
||||
# quotaon.service
|
||||
# rc-local.service
|
||||
# rc-local.service.d
|
||||
# rc.service
|
||||
# rcS.service
|
||||
# reboot.target
|
||||
# remote-cryptsetup.target
|
||||
# remote-fs-pre.target
|
||||
# remote-fs.target
|
||||
# remount-secure.service
|
||||
# remove-system-map.service
|
||||
# rescue.service
|
||||
# rescue.target
|
||||
# rescue.target.wants
|
||||
# rpcbind.target
|
||||
# rsync.service
|
||||
# runlevel0.target
|
||||
# runlevel1.target
|
||||
# runlevel1.target.wants
|
||||
# runlevel2.target
|
||||
# runlevel2.target.wants
|
||||
# runlevel3.target
|
||||
# runlevel3.target.wants
|
||||
# runlevel4.target
|
||||
# runlevel4.target.wants
|
||||
# runlevel5.target
|
||||
# runlevel5.target.wants
|
||||
# runlevel6.target
|
||||
sdwdate-gui-shutdown-notify.service
|
||||
sdwdate-pre.service
|
||||
sdwdate.service
|
||||
# sdwdate.service.d
|
||||
sdwdate-start-anondate-set-file-watcher.service
|
||||
# serial-getty@.service
|
||||
# shutdown.target
|
||||
# sigpwr.target
|
||||
# sleep.target
|
||||
# slices.target
|
||||
# smartcard.target
|
||||
# sockets.target
|
||||
# sockets.target.wants
|
||||
# sound.target
|
||||
# sound.target.wants
|
||||
# sudo.service
|
||||
# suspend.target
|
||||
# suspend-then-hibernate.target
|
||||
# swap.target
|
||||
# sys-fs-fuse-connections.mount
|
||||
# sysinit.target
|
||||
# sysinit.target.wants
|
||||
# sys-kernel-config.mount
|
||||
# sys-kernel-debug.mount
|
||||
# sys-kernel-tracing.mount
|
||||
# syslog.socket
|
||||
# systemd-ask-password-console.path
|
||||
# systemd-ask-password-console.service
|
||||
# systemd-ask-password-wall.path
|
||||
# systemd-ask-password-wall.service
|
||||
# systemd-backlight@.service
|
||||
# systemd-binfmt.service
|
||||
# systemd-bless-boot.service
|
||||
# systemd-boot-check-no-failures.service
|
||||
# systemd-boot-system-token.service
|
||||
# systemd-exit.service
|
||||
# systemd-fsckd.service
|
||||
# systemd-fsckd.socket
|
||||
# systemd-fsck-root.service
|
||||
# systemd-fsck@.service
|
||||
# systemd-halt.service
|
||||
# systemd-hibernate-resume@.service
|
||||
# systemd-hibernate.service
|
||||
# systemd-hostnamed.service
|
||||
# systemd-hwdb-update.service
|
||||
# systemd-hybrid-sleep.service
|
||||
# systemd-initctl.service
|
||||
# systemd-initctl.socket
|
||||
# systemd-journald-audit.socket
|
||||
# systemd-journald-dev-log.socket
|
||||
# systemd-journald.service
|
||||
# systemd-journald@.service
|
||||
# systemd-journald.socket
|
||||
# systemd-journald@.socket
|
||||
# systemd-journald-varlink@.socket
|
||||
# systemd-journal-flush.service
|
||||
# systemd-kexec.service
|
||||
# systemd-localed.service
|
||||
# systemd-localed.service.d
|
||||
# systemd-logind.service
|
||||
# systemd-machine-id-commit.service
|
||||
# systemd-modules-load.service
|
||||
# systemd-networkd.service
|
||||
# systemd-networkd.socket
|
||||
# systemd-networkd-wait-online.service
|
||||
# systemd-network-generator.service
|
||||
# systemd-poweroff.service
|
||||
# systemd-pstore.service
|
||||
# systemd-quotacheck.service
|
||||
# systemd-random-seed.service
|
||||
# systemd-reboot.service
|
||||
# systemd-remount-fs.service
|
||||
# systemd-resolved.service
|
||||
# systemd-resolved.service.d
|
||||
# systemd-rfkill.service
|
||||
# systemd-rfkill.socket
|
||||
# systemd-suspend.service
|
||||
# systemd-suspend-then-hibernate.service
|
||||
# systemd-sysctl.service
|
||||
# systemd-sysusers.service
|
||||
# systemd-timedated.service
|
||||
# systemd-timesyncd.service.d
|
||||
# systemd-time-wait-sync.service
|
||||
# systemd-tmpfiles-clean.service
|
||||
# systemd-tmpfiles-clean.timer
|
||||
# systemd-tmpfiles-setup-dev.service
|
||||
# systemd-tmpfiles-setup.service
|
||||
# systemd-udevd-control.socket
|
||||
# systemd-udevd-kernel.socket
|
||||
# systemd-udevd.service
|
||||
# systemd-udev-settle.service
|
||||
# systemd-udev-trigger.service
|
||||
# systemd-update-utmp-runlevel.service
|
||||
# systemd-update-utmp.service
|
||||
# systemd-user-sessions.service
|
||||
# systemd-volatile-root.service
|
||||
# system-systemd\x2dcryptsetup.slice
|
||||
# system-update-cleanup.service
|
||||
# system-update-pre.target
|
||||
# system-update.target
|
||||
# timers.target
|
||||
# timers.target.wants
|
||||
# timesanitycheck.service
|
||||
# time-set.target
|
||||
# time-sync.target
|
||||
# tor@default.service
|
||||
tor.service
|
||||
tor@.service
|
||||
# udev.service
|
||||
# udisks2.service
|
||||
# umount.target
|
||||
# upower.service
|
||||
# usb-gadget.target
|
||||
# user-runtime-dir@.service
|
||||
# user@.service
|
||||
# user@.service.d
|
||||
# user.slice
|
||||
# user-.slice.d
|
||||
# virtualbox-guest-utils.service
|
||||
# whonix-legacy.service
|
||||
# wpa_supplicant-nl80211@.service
|
||||
# wpa_supplicant.service
|
||||
# wpa_supplicant@.service
|
||||
# wpa_supplicant-wired@.service
|
||||
# x11-common.service
|
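Review bot: The unit list is added with the executable bit set (`Executable file` in the section header) although its content is plain data — one systemd unit name per line, with `#` on the entries that apparently are not to be masked — so nothing should ever execute it; unless the consumer depends on the mode, add it as a normal file like `proxy.mask` in the same commit. How the list is read is not visible here, so whether `#` lines are skipped and whether directory-style names such as `apparmor.service.d` or `getty.target.wants` mean anything to the consumer should be stated in a header comment at the top of the file (e.g. one line saying which entries are masked and how commented lines are treated), assuming the reader tolerates such a line.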
7
overlay/Linux/usr/local/etc/systemd/proxy.mask
Normal file
7
overlay/Linux/usr/local/etc/systemd/proxy.mask
Normal file
@ -0,0 +1,7 @@
|
||||
multi-user.target.wants/NetworkManager.service
|
||||
multi-user.target.wants/bootclockrandomization.service
|
||||
multi-user.target.wants/openvpn.service
|
||||
multi-user.target.wants/remote-fs.target
|
||||
multi-user.target.wants/sdwdate.service
|
||||
privoxy.service
|
||||
sdwdate.service
|
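Review bot: The list mixes two kinds of entries — `multi-user.target.wants/…` paths, which name a target's enable-symlinks, and bare unit names such as `privoxy.service` — and `sdwdate.service` appears in both forms, so whatever consumes this file must apply two different operations (removing a wants entry versus masking a unit) or one of the two forms is a no-op. How the file is read is not visible here; a header comment stating which operation each form gets would settle it, and the duplicate `sdwdate.service` entry can then be dropped or kept deliberately.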
33
overlay/Linux/usr/local/lib/whonix-libvirt/host-boot-popup
Executable file
33
overlay/Linux/usr/local/lib/whonix-libvirt/host-boot-popup
Executable file
@ -0,0 +1,33 @@
|
||||
#!/bin/bash
|
||||
|
||||
## Copyright (C) 2020 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## https://forums.whonix.org/t/whonix-host-operating-system/3931/236
|
||||
|
||||
title="WARNING - Whonix-Host DEVELOPERS-ONLY Preview Version"
|
||||
|
||||
text="\
|
||||
<p>
|
||||
DO NOT USE THIS YET AS A USER!
|
||||
<br />
|
||||
Whonix-Host is unreleased. Not even available for testers. This version is a preview for developers only.<br />
|
||||
<br />
|
||||
Missing features the the initial release include
|
||||
|
||||
<ul>
|
||||
<li><a href=https://phabricator.whonix.org/T978>Whonix-Host EFI booting support</a></li>
|
||||
<li><a href=https://phabricator.whonix.org/T942>Whonix Host Firewall for Whonix Host</a></li>
|
||||
<li><a href=https://phabricator.whonix.org/T981>Whonix-Host Tor configuration and anon-connection-wizard (ACW)</a></p></li>
|
||||
</ul>
|
||||
|
||||
See <a href=https://phabricator.whonix.org/maniphest/query/_Obk7yld9FTN/#R>full task list for first release of Whonix-Host</a>.<br />
|
||||
<br />
|
||||
Help welcome!
|
||||
</p>
|
||||
"
|
||||
|
||||
[ -d ~/.config/whonix/host-boot-popup ] || mkdir -p ~/.config/whonix/host-boot-popup
|
||||
[ -z "$DISPLAY" ] || \
|
||||
[ -f /usr/lib/msgcollector/one-time-popup ] || \
|
||||
/usr/lib/msgcollector/one-time-popup ~/.config/whonix/host-boot-popup/dismissed_version_1 "$title" "$text"
|
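Review bot: The guard chain on the last three lines never shows the popup when the helper is installed: `[ -z "$DISPLAY" ] || [ -f /usr/lib/msgcollector/one-time-popup ] || /usr/lib/msgcollector/one-time-popup …` stops at the second test as soon as the file exists, and only falls through to running it when it is missing (compare the unconditional call in host-boot-popup.dst). The second test needs negating, and `-x` is the better check for something about to be executed: `[ -z "$DISPLAY" ] || [ ! -x /usr/lib/msgcollector/one-time-popup ] || /usr/lib/msgcollector/one-time-popup ~/.config/whonix/host-boot-popup/dismissed_version_1 "$title" "$text"`. The `[ -d … ] || mkdir -p …` line above it is harmless but redundant, since `mkdir -p` already succeeds on an existing directory.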
31
overlay/Linux/usr/local/lib/whonix-libvirt/host-boot-popup.dst
Executable file
31
overlay/Linux/usr/local/lib/whonix-libvirt/host-boot-popup.dst
Executable file
@ -0,0 +1,31 @@
|
||||
#!/bin/bash
|
||||
|
||||
## Copyright (C) 2020 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## https://forums.whonix.org/t/whonix-host-operating-system/3931/236
|
||||
|
||||
title="WARNING - Whonix-Host DEVELOPERS-ONLY Preview Version"
|
||||
|
||||
text="\
|
||||
<p>
|
||||
DO NOT USE THIS YET AS A USER!
|
||||
<br />
|
||||
Whonix-Host is unreleased. Not even available for testers. This version is a preview for developers only.<br />
|
||||
<br />
|
||||
Missing features the the initial release include
|
||||
|
||||
<ul>
|
||||
<li><a href=https://phabricator.whonix.org/T978>Whonix-Host EFI booting support</a></li>
|
||||
<li><a href=https://phabricator.whonix.org/T942>Whonix Host Firewall for Whonix Host</a></li>
|
||||
<li><a href=https://phabricator.whonix.org/T981>Whonix-Host Tor configuration and anon-connection-wizard (ACW)</a></p></li>
|
||||
</ul>
|
||||
|
||||
See <a href=https://phabricator.whonix.org/maniphest/query/_Obk7yld9FTN/#R>full task list for first release of Whonix-Host</a>.<br />
|
||||
<br />
|
||||
Help welcome!
|
||||
</p>
|
||||
"
|
||||
|
||||
mkdir -p ~/.config/whonix/host-boot-popup
|
||||
/usr/lib/msgcollector/one-time-popup ~/.config/whonix/host-boot-popup/dismissed_version_1 "$title" "$text"
|
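--- /dev/null
+++ b/overlay/Linux/usr/local/lib/whonix-libvirt/install
@@ -0,0 +1,92 @@
+#!/bin/bash
+
+[ -f /var/lib/whonix-libvirt/install.done ] && exit 0
+
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+set -x
+set -e
+
+## {{ Taken from qemu-system-common.postinst.
+# Add the kvm group unless it's already there
+if ! getent group kvm >/dev/null; then
+addgroup --quiet --system kvm || true
+fi
+## }} Taken from qemu-system-common.postinst.
+
+## {{ Taken from libvirt-bin.postinst.
+if ! getent group libvirt >/dev/null; then
+addgroup --system libvirt
+fi
+## }} Taken from libvirt-bin.postinst.
+
+## Existence of user "user" is not guaranteed at this point.
+## XXX: Or is it?
+grep -q ^kvm /etc/group || addgroup user kvm
+grep -q ^libvirt /etc/group || addgroup user libvirt
+
+## Create shared directory and adjust permissions
+[ -d /mnt/gateway-shared ] || mkdir --parents /mnt/gateway-shared
+[ -d /mnt/workstation-shared ] || mkdir --parents /mnt/workstation-shared
+chmod 1777 /mnt/gateway-shared
+chmod 1777 /mnt/workstation-shared
+
+## TODO: proper error handling. '|| true' can probably be removed.
+
+virsh -c qemu:///system net-autostart "default" || true
+virsh -c qemu:///system net-start "default" || true
+virsh -c qemu:///system net-define "/usr/local/share/whonix-libvirt/xml/Whonix-External.xml" || true
+virsh -c qemu:///system net-define "/usr/local/share/whonix-libvirt/xml/Whonix-Internal.xml" || true
+virsh -c qemu:///system net-autostart "Whonix-External" || true
+virsh -c qemu:///system net-start "Whonix-External" || true
+virsh -c qemu:///system net-autostart "Whonix-Internal" || true
+virsh -c qemu:///system net-start "Whonix-Internal" || true
+
+## Doing the following in a temporary directory to avoid modified files should
+## this be interrupted in the middle.
+temp_dir="$(mktemp --directory)"
+cp -r /usr/local/share/whonix-libvirt/xml "$temp_dir"
+
+if virsh capabilities | grep "<domain type='kvm'>" ; then
+true "OK: found KVM"
+else
+## replace the 'kvm' domain type with 'qemu'
+search="<domain type='kvm'>"
+replace="<domain type='qemu'>"
+str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml"
+str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml"
+
+search="<cpu mode='host-passthrough'/>"
+replace=""
+str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml"
+str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml"
+
+## https://forums.whonix.org/t/whonix-host-operating-system/3931/251
+search="<pvspinlock state='on'/>"
+replace=""
+str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml"
+str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml"
+
+## https://forums.whonix.org/t/whonix-host-operating-system/3931/284
+search="<vcpu placement='static' cpuset='0'>1</vcpu>"
+replace=""
+str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml"
+
+## https://forums.whonix.org/t/whonix-host-operating-system/3931/284
+search="<vcpu placement='static' cpuset='1'>1</vcpu>"
+replace=""
+str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml"
+fi
+
+test -f "$temp_dir/xml/Whonix-Gateway.xml"
+test -f "$temp_dir/xml/Whonix-Workstation.xml"
+
+virsh -c qemu:///system define "$temp_dir/xml/Whonix-Gateway.xml" || true
+virsh -c qemu:///system define "$temp_dir/xml/Whonix-Workstation.xml" || true
+
+virt-xml "Whonix-Gateway" --add-device --filesystem source=/mnt/gateway-shared,target=shared,type=mount,accessmode=mapped || true
+virt-xml "Whonix-Workstation" --add-device --filesystem source=/mnt/workstation-shared,target=shared,type=mount,accessmode=mapped || true
+
+mkdir --parents /var/lib/whonix-libvirt
+touch /var/lib/whonix-libvirt/install.done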
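Review bot: `grep -q ^kvm /etc/group || addgroup user kvm` (and its libvirt twin) tests whether the group exists, which the blocks just above have guaranteed, so `user` is never added to either group; test membership instead, e.g. `id -nG user 2>/dev/null | grep -qxF kvm || addgroup user kvm`, and since membership in `libvirt` gives control of `qemu:///system` (effectively root on the host) that grant deserves a comment. Nearly every `virsh`/`virt-xml` step is `|| true`, yet `install.done` is touched unconditionally at the end, so a partially failed run is never retried because of the early `exit 0` guard at the top; write the marker only after checking the result, e.g. `virsh -c qemu:///system dominfo Whonix-Gateway >/dev/null`. `temp_dir` from `mktemp --directory` is never removed; add `trap 'rm -rf -- "$temp_dir"' EXIT` right after creating it. `str_replace` is not defined in this file, so I assume it is a helper on PATH.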
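--- /dev/null
+++ b/overlay/Linux/usr/local/lib/whonix-libvirt/install.dst
@@ -0,0 +1,90 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+set -x
+set -e
+
+## {{ Taken from qemu-system-common.postinst.
+# Add the kvm group unless it's already there
+if ! getent group kvm >/dev/null; then
+addgroup --quiet --system kvm || true
+fi
+## }} Taken from qemu-system-common.postinst.
+
+## {{ Taken from libvirt-bin.postinst.
+if ! getent group libvirt >/dev/null; then
+addgroup --system libvirt
+fi
+## }} Taken from libvirt-bin.postinst.
+
+## Existence of user "user" is not guaranteed at this point.
+## XXX: Or is it?
+addgroup user kvm >/dev/null || true
+addgroup user libvirt >/dev/null || true
+
+## Create shared directory and adjust permissions
+mkdir --parents /mnt/gateway-shared
+mkdir --parents /mnt/workstation-shared
+chmod 777 /mnt/gateway-shared
+chmod 777 /mnt/workstation-shared
+
+## TODO: proper error handling. '|| true' can probably be removed.
+
+virsh -c qemu:///system net-autostart "default" || true
+virsh -c qemu:///system net-start "default" || true
+virsh -c qemu:///system net-define "/usr/share/whonix-libvirt/xml/Whonix-External.xml" || true
+virsh -c qemu:///system net-define "/usr/share/whonix-libvirt/xml/Whonix-Internal.xml" || true
+virsh -c qemu:///system net-autostart "Whonix-External" || true
+virsh -c qemu:///system net-start "Whonix-External" || true
+virsh -c qemu:///system net-autostart "Whonix-Internal" || true
+virsh -c qemu:///system net-start "Whonix-Internal" || true
+
+## Doing the following in a temporary directory to avoid modified files should
+## this be interrupted in the middle.
+temp_dir="$(mktemp --directory)"
+cp -r /usr/share/whonix-libvirt/xml "$temp_dir"
+
+if virsh capabilities | grep "<domain type='kvm'>" ; then
+true "OK: found KVM"
+else
+## replace the 'kvm' domain type with 'qemu'
+search="<domain type='kvm'>"
+replace="<domain type='qemu'>"
+str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml"
+str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml"
+
+search="<cpu mode='host-passthrough'/>"
+replace=""
+str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml"
+str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml"
+
+## https://forums.whonix.org/t/whonix-host-operating-system/3931/251
+search="<pvspinlock state='on'/>"
+replace=""
+str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml"
+str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml"
+
+## https://forums.whonix.org/t/whonix-host-operating-system/3931/284
+search="<vcpu placement='static' cpuset='0'>1</vcpu>"
+replace=""
+str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml"
+
+## https://forums.whonix.org/t/whonix-host-operating-system/3931/284
+search="<vcpu placement='static' cpuset='1'>1</vcpu>"
+replace=""
+str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml"
+fi
+
+test -f "$temp_dir/xml/Whonix-Gateway.xml"
+test -f "$temp_dir/xml/Whonix-Workstation.xml"
+
+virsh -c qemu:///system define "$temp_dir/xml/Whonix-Gateway.xml" || true
+virsh -c qemu:///system define "$temp_dir/xml/Whonix-Workstation.xml" || true
+
+virt-xml "Whonix-Gateway" --add-device --filesystem source=/mnt/gateway-shared,target=shared,type=mount,accessmode=mapped || true
+virt-xml "Whonix-Workstation" --add-device --filesystem source=/mnt/workstation-shared,target=shared,type=mount,accessmode=mapped || true
+
+mkdir --parents /var/lib/whonix-libvirt
+touch /var/lib/whonix-libvirt/install.done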
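Review bot: `chmod 777` on `/mnt/gateway-shared` and `/mnt/workstation-shared` makes the host side of the guest shares world-writable without even the sticky bit, so any local account can delete or replace files the VMs drop there; the sibling `install` in this commit uses `chmod 1777`, and the two copies should at least agree (better: an owner/group-restricted mode, since `accessmode=mapped` does not need world access). This copy also lacks the `install.done` early-exit guard that `install` has while still touching the marker at the end, and it hides `addgroup user …` failures behind `>/dev/null || true`, so a missing `user` account (which the comment above admits is possible) goes unnoticed. As in `install`, the `mktemp --directory` result is never cleaned up; `trap 'rm -rf -- "$temp_dir"' EXIT` after the `temp_dir=` line fixes that.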
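--- /dev/null
+++ b/overlay/Linux/usr/local/lib/whonix-libvirt/live-mode-to-read-only
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## Similar to persistent-mode-to-read-write.
+
+set -x
+
+error_handler() {
+exit_code="1"
+}
+
+trap error_handler ERR
+
+exit_code="0"
+
+vm_names_list="$(virsh list --all | awk '{print $2}'| grep -v Name)"
+
+for vm_name_item in $vm_names_list ; do
+virt-xml "$vm_name_item" --edit --disk readonly=on
+done
+
+## https://phabricator.whonix.org/T914
+if test -f "/var/lib/libvirt/images/Whonix-Gateway.qcow2" ; then
+chmod --verbose --recursive ugo-w "/var/lib/libvirt/images/Whonix-Gateway.qcow2"
+fi
+if test -f "/var/lib/libvirt/images/Whonix-Workstation.qcow2" ; then
+chmod --verbose --recursive ugo-w "/var/lib/libvirt/images/Whonix-Workstation.qcow2"
+fi
+
+## "chmod ugo-r" is set during build in chroot:
+## https://github.com/Whonix/Whonix/blob/master/build-steps.d/1800_copy_vms_into_raw
+
+exit "$exit_code"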
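Review bot: `virt-xml "$vm_name_item" --edit --disk readonly=on` with a bare `--edit` edits, as far as I recall virt-xml's default, only the first disk of each domain, so a guest with a second attached volume keeps a writable disk in "live mode"; use `--edit all` if every disk is meant to be read-only, and confirm against the virt-xml version you ship. `vm_names_list` is built by parsing the `virsh list --all` table with `awk '{print $2}' | grep -v Name`, which breaks on names containing spaces and depends on the header wording; `virsh list --all --name` prints one name per line and nothing else. `chmod --recursive` on a single `.qcow2` file is harmless but misleading, so drop `--recursive`. Note also that this edits the persistent definition only, so an already running domain stays writable until it is restarted — worth a comment for whoever relies on it as a security boundary.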
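--- /dev/null
+++ b/overlay/Linux/usr/local/lib/whonix-libvirt/persistent-mode-to-read-write
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## Similar to live-mode-to-read-only.
+
+set -x
+
+error_handler() {
+exit_code="1"
+}
+
+trap error_handler ERR
+
+exit_code="0"
+
+vm_names_list="$(virsh list --all | awk '{print $2}'| grep -v Name)"
+
+for vm_name_item in $vm_names_list ; do
+virt-xml "$vm_name_item" --edit --disk readonly=off
+done
+
+chmod --verbose --recursive ug+w "/var/lib/libvirt/images/Whonix-Gateway.qcow2"
+chmod --verbose --recursive ug+w "/var/lib/libvirt/images/Whonix-Workstation.qcow2"
+
+exit "$exit_code"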
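Review bot: The two `chmod --verbose --recursive ug+w` calls run without the `test -f` guards that the sibling `live-mode-to-read-only` uses, so on a host with only one image present the ERR trap fires and the script exits 1 even though the work it could do succeeded; wrap each in `if test -f "…" ; then … ; fi` as the sibling does. As there, a bare `--edit` on `virt-xml … --disk readonly=off` edits only the first disk unless `--edit all` is given (verify against your virt-xml), so a domain with several disks would be left half read-only here. `virsh list --all --name` would replace the `awk`/`grep -v Name` table parsing in both scripts.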
677
overlay/Linux/usr/local/proxy_whonix_lib.bash
Executable file
677
overlay/Linux/usr/local/proxy_whonix_lib.bash
Executable file
@ -0,0 +1,677 @@
|
||||
#!/bin/bash
|
||||
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
|
||||
|
||||
ROLE=proxy
|
||||
export PATH=$PATH:/usr/local/sbin:/usr/local/bin
|
||||
|
||||
# . /usr/local/sbin/proxy_whonix_lib.bash || { echo ERROR: loading /usr/local/sbin/proxy_whonix_lib.bash ; exit 2; }
|
||||
. /usr/local/bin/proxy_ping_lib.bash || \
|
||||
{ echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; }
|
||||
|
||||
## proxy_guest_firewall_config -- /etc/firewall.conf.ws.new
|
||||
proxy_guest_firewall_config () {
|
||||
. /usr/local/sbin/proxy_whonix_guest_workstation-firewall.bash || return 2$?
|
||||
source_config_folder
|
||||
iptables_cmd="echo iptables"
|
||||
ip6tables_cmd="echo # ip6tables"
|
||||
main > /etc/firewall.conf.ws.new
|
||||
|
||||
return $?
|
||||
}
|
||||
|
||||
## proxy_whonix_guest_config
|
||||
proxy_whonix_guest_config () {
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_guest_start
|
||||
proxy_whonix_guest_start () {
|
||||
local dire=$1
|
||||
|
||||
[ ! -f /etc/init.d/qemu-guest-agent ] || \
|
||||
proxy_rc_service qemu-guest-agent status >/dev/null \
|
||||
|| proxy_rc_service qemu-guest-agent start || return 2$?
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_guest_test
|
||||
proxy_whonix_guest_test () {
|
||||
[ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] || \
|
||||
echo WARN: /dev/virtio-ports/org.qemu.guest_agent.0 not created
|
||||
proxy_rc_service qemu-guest-agent status
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_gateway_config
|
||||
proxy_whonix_gateway_config () {
|
||||
proxy_whonix_dnsmasq_config gateway 10.0.2.15
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_dnsmasq_config
|
||||
proxy_whonix_dnsmasq_config () {
|
||||
local dire
|
||||
|
||||
[ "$#" -eq 0 ] || dire=$1
|
||||
[ -z "$dire" ] && MODE="$( proxy_whonix_mode )" && dire=$MODE
|
||||
[ -n "$MODE" ] || MODE=host
|
||||
|
||||
proxy_dest_port_wlan_config
|
||||
[ -z "$PORT" -o -z "$DEST" ] && return 1
|
||||
|
||||
# 9040 - no wgetrc polipo
|
||||
# need dnsmasq to 127
|
||||
file=/etc/dnsmasq.conf
|
||||
if [ ! -f $file.$dire ] ; then
|
||||
cp -p $file $file.$dire
|
||||
cat >> $file.conf <<EOF
|
||||
log-facility=/var/log/dnsmasq.log
|
||||
no-resolv
|
||||
listen-address=127.0.0.1
|
||||
server=${DEST}#$PORT
|
||||
port=53
|
||||
# wlan4
|
||||
interface=$PROXY_WLAN
|
||||
bind-interfaces
|
||||
no-dhcp-interface=$PROXY_WLAN
|
||||
EOF
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_polipo_config
|
||||
proxy_whonix_polipo_config () {
|
||||
local dire
|
||||
local file
|
||||
[ "$#" -eq 0 ] && { echo ERROR: proxy_whonix_polipo_config no dire ; return 1; }
|
||||
dire=$1
|
||||
|
||||
file=/etc/polipo/config
|
||||
if [ $dire = whonix ]; then
|
||||
if [ ! -f $file.$dire ] ; then
|
||||
cp -p $file $file.$dire
|
||||
cat >> $file.conf <<EOF
|
||||
proxyAddress=127.0.0.1
|
||||
proxyPort=3128
|
||||
proxyName=127.0.0.1
|
||||
socksParentProxy=10.0.2.15:9050
|
||||
socksProxyType=socks5
|
||||
#?ssocksUserName=foo
|
||||
EOF
|
||||
fi
|
||||
else
|
||||
if [ ! -f $file.$dire ] ; then
|
||||
cp -p $file $file.$dire
|
||||
cat >> $file.conf <<EOF
|
||||
proxyAddress=127.0.0.1
|
||||
proxyPort=3128
|
||||
proxyName=127.0.0.1
|
||||
socksParentProxy=${DEST}:$PORT
|
||||
socksProxyType=socks5
|
||||
EOF
|
||||
fi
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_polipo_config
|
||||
proxy_whonix_polipo_config () {
|
||||
local dire
|
||||
local file
|
||||
dire=$1 ; shift
|
||||
|
||||
file=/etc/polipo/config
|
||||
if [ $dire = whonix ]; then
|
||||
if [ ! -f $file.$dire ] ; then
|
||||
cp -p $file $file.$dire
|
||||
cat >> $file.conf <<EOF
|
||||
proxyAddress=127.0.0.1
|
||||
proxyPort=3128
|
||||
proxyName=127.0.0.1
|
||||
socksParentProxy=10.0.2.15:9050
|
||||
socksProxyType=socks5
|
||||
#?ssocksUserName=foo
|
||||
EOF
|
||||
fi
|
||||
else
|
||||
if [ ! -f $file.$dire ] ; then
|
||||
cp -p $file $file.$dire
|
||||
cat >> $file.conf <<EOF
|
||||
proxyAddress=127.0.0.1
|
||||
proxyPort=3128
|
||||
proxyName=127.0.0.1
|
||||
socksParentProxy=${DEST}:$PORT
|
||||
socksProxyType=socks5
|
||||
EOF
|
||||
fi
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_privoxy_config
|
||||
proxy_whonix_privoxy_config () {
|
||||
local dire
|
||||
local file
|
||||
dire=$1 ; shift
|
||||
|
||||
file=/etc/privoxy/config
|
||||
if [ $dire = whonix ]; then
|
||||
if [ ! -f $file.$dire ] ; then
|
||||
cp -p $file $file.$dire
|
||||
cat >> $file.conf <<EOF
|
||||
listen-address 127.0.0.1:3128
|
||||
forward-socks5t / 10.0.2.15:9050 .
|
||||
EOF
|
||||
fi
|
||||
else
|
||||
if [ ! -f $file.$dire ] ; then
|
||||
cp -p $file $file.$dire
|
||||
cat >> $file.conf <<EOF
|
||||
listen-address 127.0.0.1:3128
|
||||
forward-socks5t / 127.0.0.1:9050 .
|
||||
EOF
|
||||
fi
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_dnsmasq_config
|
||||
proxy_whonix_dnsmasq_config () {
|
||||
local dire
|
||||
|
||||
[ "$#" -eq 0 ] && set - tor
|
||||
dire=$1 ; shift
|
||||
proxy_dest_port_wlan_config $*
|
||||
[ -z "$PORT" -o -z "$DEST" ] && return 1
|
||||
|
||||
# 9040 - no wgetrc
|
||||
# need dnsmasq to 127
|
||||
file=/etc/dnsmasq.conf
|
||||
if [ ! -f $file.$dire ] ; then
|
||||
cp -p $file $file.$dire
|
||||
cat >> $file.$dire <<EOF
|
||||
log-facility=/var/log/dnsmasq.log
|
||||
no-resolv
|
||||
listen-address=127.0.0.1
|
||||
server=${DEST}#$PORT
|
||||
port=53
|
||||
# wlan4
|
||||
interface=$PROXY_WLAN
|
||||
bind-interfaces
|
||||
no-dhcp-interface=$PROXY_WLAN
|
||||
EOF
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_tor_config
|
||||
proxy_whonix_tor_config () {
|
||||
proxy_host_tor_config tor 127.0.0.1
|
||||
return $?
|
||||
}
|
||||
|
||||
## proxy_host_tor_config
|
||||
proxy_host_tor_config () {
|
||||
local dir
|
||||
local file
|
||||
dire=tor
|
||||
DEST=127.0.0.1
|
||||
PORT=9050
|
||||
|
||||
#? [ -z "$DEST" ] && proxy_dest_port_wlan_config || return 1$?
|
||||
|
||||
[ -z "$PORT" -o -z "$DEST" ] && return 2
|
||||
proxy_whonix_polipo_config $dire || return 3$?
|
||||
proxy_whonix_dnsmasq_config $dire || return 4$?
|
||||
|
||||
if proxy_ping_online ; then
|
||||
proxy_ping_test_resolv $dire || { echo ERROR: proxy_host_tor_config 5$?; return 5 ; }
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_host_from_config
|
||||
proxy_host_whonix_config () {
|
||||
local dire=whonix
|
||||
local file
|
||||
|
||||
proxy_dest_port_wlan_config || return 1$?
|
||||
DEST=10.0.2.15
|
||||
PORT=9053
|
||||
[ -z "$PORT" -o -z "$DEST" ] && return 2
|
||||
proxy_whonix_polipo_config $dire
|
||||
proxy_ping_test_resolv $dire || return 4$?
|
||||
proxy_whonix_dnsmasq_config $dire || return 5$?
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_host_gateway
|
||||
proxy_whonix_gateway () {
|
||||
local dire=gateway
|
||||
debug proxy_whonix_gateway $dire
|
||||
|
||||
PROXY_WLAN=$( proxy_get_if ) || return 1$?
|
||||
proxy_whonix_config $dire || return 2$?
|
||||
|
||||
# works?
|
||||
proxy_ping_set_resolv gateway
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_from_config
|
||||
proxy_whonix_config () {
|
||||
local dire=$1
|
||||
[ -z "$DEST" ] && proxy_dest_port_wlan_config
|
||||
|
||||
if [ ! -f /etc/tor/torsocks.conf.$dire ] ; then
|
||||
cp -p /etc/tor/torsocks.conf /etc/tor/torsocks.conf.$dire
|
||||
# TorAddress 127.0.0.1
|
||||
# TorPort 9050
|
||||
fi
|
||||
sed -e "s@^#* *TorAddress.*@TorAddress $DEST@" -i /etc/tor/torsocks.conf
|
||||
sed -e "s@^#* *TorPort.*@TorPort 9050@" -i /etc/tor/torsocks.conf
|
||||
|
||||
# proxy_whonix_start_wget
|
||||
|
||||
proxy_host_${dire}_config
|
||||
|
||||
return $?
|
||||
}
|
||||
|
||||
## proxy_ws_whonix_config
|
||||
proxy_ws_whonix_config () {
|
||||
local dir=ws
|
||||
|
||||
DEST=10.152.152.10
|
||||
PROXY_WLAN=eth0
|
||||
proxy_host_whonix_config $dire $DEST 9053 $PROXY_WLAN
|
||||
|
||||
return $?
|
||||
}
|
||||
|
||||
## proxy_whonix_libvirt_status
|
||||
proxy_whonix_libvirt_status () {
|
||||
proxy_rc_service libvirtd status >/dev/null || \
|
||||
proxy_rc_service libvirtd start || \
|
||||
echo WARN: libvirtd crashed - see /var/log/libvirt/libvirtd.log # 2>&1|tee $WLOG
|
||||
proxy_libvirt_status
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_libvirt_start
|
||||
proxy_whonix_libvirt_start () {
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_libvirt_start
|
||||
proxy_whonix_libvirt_start () {
|
||||
local domain
|
||||
[ "$#" -ge 1 ] && domain=$1
|
||||
|
||||
if [ ! -e /run/libvirt/libvirt-sock ] || ! proxy_rc_service libvirtd status >/dev/null ; then
|
||||
cp /dev/null /var/log/libvirt/libvirtd.log
|
||||
/etc/init.d/libvirtd status
|
||||
retval=$?
|
||||
[ $retval -eq 32 ] && WARN libvirtd crashed - zapping && /etc/init.d/libvirtd zap
|
||||
[ $retval -eq 0 ] || /etc/init.d/libvirtd start || return 5$? # error: Failed to start livirtd
|
||||
proxy_rc_service libvirtd start || return 3
|
||||
sleep $DELAY
|
||||
fi
|
||||
proxy_libvirt_no_autostart
|
||||
proxy_libvirt_start
|
||||
proxy_libvirt_status
|
||||
proxy_virsh net-list | grep -q Whonix-Internal || virsh net-start Whonix-Internal || return 3
|
||||
proxy_virsh net-list | grep -q Whonix-External || virsh net-start Whonix-External || return 4
|
||||
|
||||
[ -z "$domain" ] && domain="$( proxy_testforge_get_gateway_dom )"
|
||||
[ -z "$domain" ] && echo WARN: null proxy_testforge_get_gateway_dom && \
|
||||
domain=Whonix-Gateway && \
|
||||
echo INFO: set proxy_testforge_get_gateway_dom $domain
|
||||
proxy_libvirt_list | grep -v grep | grep "$domain" || \
|
||||
virsh start $domain || {
|
||||
ret=$?
|
||||
echo ERROR: proxy_whonix_libvirt_start failed virsh start $domain ret=$ret
|
||||
return 5$ret
|
||||
}
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_test
|
||||
proxy_whonix_test () {
|
||||
local dire
|
||||
DEBUG proxy_whonix_test $dire
|
||||
[ "$#" -eq 0 ] && dire=$MODE || dire=$1
|
||||
|
||||
[ $dire = ws -o $dire = workstation ] && dire=vda
|
||||
|
||||
if [ $dire = client ] ; then
|
||||
:
|
||||
# dunno - look at netstat? -nle4
|
||||
|
||||
elif [ $dire = vda -o $dire = gateway ] ; then
|
||||
proxy_whonix_guest_test
|
||||
|
||||
elif [ $dire = tor ] ; then
|
||||
proxy_rc_service tor status >/dev/null || \
|
||||
{ echo ERROR: $prog tor is not running ; return 2 ; }
|
||||
|
||||
/usr/local/bin/proxy_ping_test.bash to_tor || return 6$?
|
||||
|
||||
elif [ $dire = whonix ] ; then
|
||||
proxy_libvirt_no_autostart
|
||||
proxy_libvirt_clean_virbr1_rules
|
||||
|
||||
proxy_whonix_get_gateway_dom
|
||||
[ -z "$GATEW_DOM" ] && echo WARN: $prog DOM proxy_whonix_get_gateway_dom assuming Whonix-Gateway && DOM=Whonix-Gateway || DOM=$GATEW_DOM
|
||||
|
||||
proxy_virsh list | grep -q $DOM || { echo ERROR: $prog $DOM not running ; return 2 ; }
|
||||
|
||||
/usr/local/bin/proxy_ping_test.bash from_tor || return 6$?
|
||||
fi
|
||||
|
||||
#? gateway
|
||||
if [ $dire = whonix -o $dire = vda -o $dire = tor ] ; then
|
||||
proxy_rc_service polipo status >/dev/null >/dev/null || \
|
||||
{ echo ERROR: $prog polipo not running ; return 4 ; }
|
||||
/usr/local/bin/proxy_ping_test.bash polipo || return 9$?
|
||||
elif [ $dire = host -o $dire = tor ] ; then
|
||||
proxy_rc_service privoxy status >/dev/null >/dev/null || \
|
||||
{ echo ERROR: $prog privoxy not running ; return 4 ; }
|
||||
/usr/local/bin/proxy_ping_test.bash privoxy || return 9$?
|
||||
fi
|
||||
|
||||
if [ $dire = vda -o $dire = ws -o $dire = workstation ] ; then
|
||||
proxy_clobber_resolv_local 10.152.152.10
|
||||
elif [ $dire = gateway -o $dire = whonix -o $dire = tor ] ; then
|
||||
proxy_rc_service dnsmasq status 2>/dev/null >/dev/null || \
|
||||
{ echo ERROR: $prog dnsmasq not running ; return 5 ; }
|
||||
proxy_clobber_resolv_local 127.0.0.1
|
||||
fi
|
||||
/usr/local/bin/proxy_ping_test.bash dns # || return 9$?
|
||||
|
||||
/usr/local/bin/proxy_ping_test.bash $dire || return 6$?
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
# Weher was this
|
||||
## rc_host_symlink_etc_fstab
|
||||
rc_host_symlink_etc_fstab () {
|
||||
grep -q root=/dev/vda /proc/cmdline
|
||||
PROXY_IS_VDA=$?
|
||||
if [ $PROXY_IS_VDA -eq 0 ] ; then
|
||||
[ -h /etc/fstab ] && [ -f /etc/fstab.vda ] && \
|
||||
rm -f /etc/fstab && ln -s /etc/fstab.vda /etc/fstab
|
||||
return 1
|
||||
# else
|
||||
# [ -h /etc/fstab ] && [ -f /etc/fstab.4TA ] && \
|
||||
# rm -f /etc/fstab && ln -s /etc/fstab.4TA /etc/fstab
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_vda_config
|
||||
proxy_vda_config () {
|
||||
|
||||
rc_host_symlink_etc_fstab
|
||||
sed -e 's/^#x1/x1/' -i /etc/inittab #
|
||||
|
||||
if false ; then
|
||||
sed -e 's/^#//' -i $PREFIX/etc/modules_load.d/vda*conf
|
||||
if [ ! -h /etc/modules_load.d/vda_mods.conf ] ; then
|
||||
ln -s $PREFIX/etc/modules_load.d/vda*conf /etc/modules_load.d/
|
||||
fi
|
||||
fi
|
||||
if false ; then
|
||||
[ -f /etc/firewall.conf.vda ] && \
|
||||
cp -p /etc/firewall.conf.vda /etc/firewall.conf
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
##
|
||||
old_proxy_vda_config () {
|
||||
|
||||
[ -f /etc/inittab ] && sed -e 's/^#x1/x1/' -i /etc/inittab
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_vda_whonix_config
|
||||
proxy_vda_whonix_config () {
|
||||
local dir=vda
|
||||
|
||||
DEST=10.152.152.10
|
||||
PROXY_WLAN=eth0
|
||||
proxy_host_whonix_config $dire $DEST 9053 $PROXY_WLAN
|
||||
|
||||
return $?
|
||||
}
|
||||
|
||||
## proxy_quest_config
|
||||
proxy_quest_config () {
|
||||
|
||||
proxy_vda_config
|
||||
|
||||
sed -e 's/^#//' -i $PREFIX/etc/modules_load.d/vda*conf
|
||||
if [ ! -h /etc/modules_load.d/vda_mods.conf ] ; then
|
||||
cp -np $PREFIX/etc/modules_load.d/vda*conf /etc/modules-load.d/
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_dnsmasq_start
|
||||
proxy_whonix_dnsmasq_start () {
|
||||
local dire
|
||||
local service=dnsmasq
|
||||
|
||||
[ "$#" -eq 0 ] || dire=$1
|
||||
[ -z "$dire" ] && MODE="$( proxy_whonix_mode )" && dire=$MODE
|
||||
[ -n "$MODE" ] || MODE=host
|
||||
|
||||
DEBUG proxy_whonix_dnsmasq_start $dire $PROXY_WLAN
|
||||
|
||||
proxy_whonix_config $dire || return 1$?
|
||||
|
||||
PROXY_WLAN=$( proxy_get_if )
|
||||
[ -z "$PROXY_WLAN" ] && echo ERROR: $prog empty PROXY_WLAN && return 4
|
||||
|
||||
sed -e "s/wlan[0-9]/$PROXY_WLAN/" -i /etc/dnsmasq.conf.$dire
|
||||
if diff /etc/dnsmasq.conf.$dire /etc/dnsmasq.conf >/dev/null ; then
|
||||
proxy_rc_service dnsmasq status >/dev/null || \
|
||||
proxy_ping_dnsmasq_start || return 8$?
|
||||
else
|
||||
proxy_rc_service dnsmasq status >/dev/null && \
|
||||
proxy_ping_dnsmasq_stop
|
||||
cp -p /etc/dnsmasq.conf.$dire /etc/dnsmasq.conf
|
||||
proxy_ping_dnsmasq_start || return 8$?
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_privoxy_start
|
||||
proxy_whonix_polipo_start () {
|
||||
local dire
|
||||
local service=polipo
|
||||
|
||||
[ $# -eq 1 ] && dire=$1
|
||||
[ -z "$dire" ] && dire="$( proxy_whonix_mode )"
|
||||
DEBUG proxy_whonix_start_$service $dire
|
||||
|
||||
proxy_whonix_config $dire || \
|
||||
echo WARN: proxy_whonix_polipo_start proxy_whonix_config $dire $? # return 1$?
|
||||
|
||||
sed -e "s/wlan[0-9]/$PROXY_WLAN/" -e "s/eth[0-9]/$PROXY_WLAN/" -i /etc/polipo/config.$dire
|
||||
|
||||
if ! diff /etc/polipo/config.$dire /etc/polipo/config ; then
|
||||
cp -p /etc/polipo/config.$dire /etc/polipo/config
|
||||
proxy_rc_service $service restart || return 2$?
|
||||
else
|
||||
proxy_rc_service $service status >/dev/null || \
|
||||
proxy_rc_service $service start||return 3$
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_host_prepare_blocks
|
||||
proxy_whonix_host_prepare_blocks () {
|
||||
if [ ! -s /etc/firewall.conf.block ] ; then
|
||||
if [ -f /usr/local/etc/firewall.conf.block ] ; then
|
||||
echo "WARN: $prog copying /usr/local/etc/firewall.conf.block"
|
||||
cp -p /usr/local/etc/firewall.conf.block /etc/firewall.conf.block
|
||||
else
|
||||
echo "ERROR: $prog missing /usr/local/etc/firewall.conf.block"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_host_add_block
|
||||
proxy_whonix_host_add_block () {
|
||||
local elt tab ip
|
||||
|
||||
# PROXY_WLAN=$( proxy_get_if )
|
||||
# [ $? -ne 0 -o -z "$PROXY_WLAN" ] && echo ERROR: $prog null interface && return 1
|
||||
if [ "$#" -eq 0 ] ; then
|
||||
proxy_whonix_host_prepare_blocks \| return 1$?
|
||||
set - $( cat /etc/firewall.conf.block )
|
||||
fi
|
||||
# DEBUG "$prog adding $*"
|
||||
[ -f /etc/firewall.conf.newer ] || \
|
||||
cp -p /etc/firewall.conf /etc/firewall.conf.newer
|
||||
for elt in wlan virbr1 ; do
|
||||
[ $elt = wlan ] && tab=INPUT || tab=LIBVIRT_FWI
|
||||
grep -q "^# blocks $elt" /etc/firewall.conf.newer || {
|
||||
echo ERROR: maker not found "^# blocks $elt" in /etc/firewall.conf.newer
|
||||
return 2
|
||||
}
|
||||
sed -e "/^# blocks $elt/,\$d" /etc/firewall.conf.newer > /etc/firewall.conf.$$
|
||||
echo "# blocks $elt" >> /etc/firewall.conf.$$
|
||||
for ip in $* ; do
|
||||
grep -q $ip /etc/firewall.conf.block || \
|
||||
grep -q $ip /etc/firewall.conf.block.newer || \
|
||||
echo $ip >> /etc/firewall.conf.block.newer
|
||||
grep -q -e "A $tab -s $ip" /etc/firewall.conf.newer && continue
|
||||
echo "-A $tab -s $ip -p tcp -j DROP" >> /etc/firewall.conf.$$
|
||||
DEBUG "$prog -A $tab -s $ip -m tcp -p tcp -j DROP"
|
||||
done
|
||||
sed -e "1,/^# blocks $elt/d" /etc/firewall.conf.newer >> /etc/firewall.conf.$$
|
||||
mv /etc/firewall.conf.$$ /etc/firewall.conf.newer
|
||||
done
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_host_online
|
||||
proxy_whonix_host_online () {
|
||||
[ -n "$PROXY_WLAN" ] || PROXY_WLAN=$( proxy_get_if ) || return 1$?
|
||||
[ -z "$PROXY_WLAN" ] && echo ERROR: empty PROXY_WLAN && return 2
|
||||
if [ -x /etc/init.d/NetworkManager ] ; then
|
||||
/etc/init.d/NetworkManager status || /etc/init.d/NetworkManager start || return 3
|
||||
else
|
||||
proxy_rc_service NetworkManager status >/dev/null \
|
||||
|| proxy_rc_service NetworkManager start || return 3$?
|
||||
fi
|
||||
nm-online -t 0 -x || return 4$?
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_down - call when the network goes down
|
||||
proxy_whonix_down () {
|
||||
# $PREFIX/bin/proxy_ping_test.bash "$MODE" || return 1$?
|
||||
proxy_ping_online && return 0 # dont do anything
|
||||
# nothing to do?
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_up - call when the network comes up
|
||||
proxy_whonix_up () {
|
||||
# $PREFIX/bin/proxy_ping_test.bash "$MODE" || return 1$?
|
||||
proxy_ping_online || return 0 # dont do anything
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_start_wget
|
||||
proxy_whonix_start_wget () {
|
||||
return 0
|
||||
if [ -f /etc/wgetrc ] ; then
|
||||
sp=https://127.0.0.1:3128
|
||||
grep -q ^https_proxy /etc/wgetrc && \
|
||||
sed -e "s@https_proxy.*@https_proxy = $sp@" -i /etc/wgetrc
|
||||
grep -q ^https_proxy /etc/wgetrc && \
|
||||
echo "https_proxy = $sp" >> /etc/wgetrc
|
||||
grep -q ^http_proxy /etc/wgetrc && \
|
||||
sed -e "s@http_proxy.*@http_proxy = $sp@" -i /etc/wgetrc
|
||||
grep -q ^http_proxy /etc/wgetrc || \
|
||||
echo "http_proxy = $sp" >> /etc/wgetrc
|
||||
fi
|
||||
|
||||
sp=http://127.0.0.1:3128
|
||||
for elt in http https ; do
|
||||
grep -q ^$elt_proxy /etc/wgetrc && \
|
||||
sed -e "s@$elt_proxy.*@$elt_proxy = $sp@" -i /etc/wgetrc || \
|
||||
echo "$elt_proxy = $sp" >> /etc/wgetrc
|
||||
done
|
||||
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
proxy_libvirt_clean_iptables () {
|
||||
local i int dir dcp prot port
|
||||
|
||||
for dir in i ; do
|
||||
for int in virbr2 virbr1; do
|
||||
dcp=67
|
||||
[ $dir = i ] || dcp=68
|
||||
for port in 53 $dcp ; do
|
||||
[ $dir = i ] && table=INP || table=OUT
|
||||
for prot in udp tcp; do
|
||||
proxy_iptables_save | grep -q -e "-A LIBVIRT_$table -i $int -p $prot -m $prot --dport $port -j ACCEPT" || continue
|
||||
iptables -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT || \
|
||||
echo WARN: $? -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT
|
||||
done
|
||||
done
|
||||
done
|
||||
done
|
||||
|
||||
for dir in o ; do
|
||||
for int in virbr2 virbr1; do
|
||||
dcp=68
|
||||
[ $dir = o ] || dcp=67
|
||||
for port in 53 68 ; do
|
||||
table=OUT
|
||||
[ $dir = i ] && table=INP
|
||||
for prot in udp tcp; do
|
||||
proxy_iptables_save | grep -q -e "-A LIBVIRT_$table -i $int -p $prot -m $prot --dport $port -j ACCEPT" || continue
|
||||
iptables -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT || \
|
||||
echo WARN: $? -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT
|
||||
done
|
||||
done
|
||||
done
|
||||
done
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
base=proxy_whonix_lib
|
||||
if [ -x /usr/bin/basename ] && [ $( /usr/bin/basename -- $0 .bash ) = $base ] ; then
|
||||
[ "$#" -eq 0 ] && exit 0
|
||||
[ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && \
|
||||
echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//'|sort && \
|
||||
exit 0
|
||||
DEBUG $base "$@"
|
||||
eval "$@"
|
||||
exit $?
|
||||
fi
|
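Review bot: The dispatcher at the bottom runs `eval "$@"` on whatever arguments the library is invoked with, so any caller that forwards user- or network-derived strings into `proxy_whonix_lib.bash` gets shell injection; executing the arguments directly, `"$@"`, still supports `proxy_whonix_lib.bash function arg…` and removes the second round of word splitting and expansion. Three functions are defined twice in this file (`proxy_whonix_dnsmasq_config`, `proxy_whonix_polipo_config`, `proxy_whonix_libvirt_start`) and bash silently keeps the last one, while the first `proxy_whonix_dnsmasq_config` and the polipo/privoxy helpers append their heredocs to `$file.conf` (i.e. `/etc/dnsmasq.conf.conf`, `/etc/polipo/config.conf`) instead of the `$file.$dire` copy they just made, so those configs are never written where the start functions later read them. `proxy_whonix_host_prepare_blocks \| return 1$?` passes a literal `|` as an argument instead of short-circuiting, and `return 3$` in `proxy_whonix_polipo_start` is a typo for `return 3$?`. The generated dnsmasq config sets `interface=$PROXY_WLAN` next to `listen-address=127.0.0.1`, so the resolver is also reachable from the wireless segment — if that is intended it deserves a comment and a matching firewall rule, since the `proxy_whonix_host_add_block` rules only DROP TCP.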
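--- /dev/null
+++ b/overlay/Linux/usr/local/sbin/debian_whonix_tor.bash
@@ -0,0 +1,34 @@
+#!/bin/sh
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+ROLE=privacy
+[ -z "$PRIV_TOR_OWNER" ] && grep -q ^debian-tor /etc/passwd && PRIV_TOR_OWNER=debian-tor
+
+# Nov 09 21:00:27 host vanguards[715]: WARNING[Mon Nov 09 21:00:27 2020]: Tor daemon connection failed: [Errno 24] Too many open files. Trying again...
+systemctl stop vanguards
+systemctl stop onion-grater
+sh /etc/rc.local
+
+#su -c 'tor --verify-config' -s /bin/sh $PRIV_TOR_OWNER || exit 1
+tor --verify-config | grep -v 'notice\|DisableNetwork'
+rm -f /etc/torrc.d/*~
+
+netstat -nlp -t inet|grep 15:90 || { echo ERROR: alrady running ; exit 2 ; }
+
+cp /dev/null /run/tor/log.err
+cp /dev/null /run/tor/log.log
+rm -f /usr/local/etc/torrc.d/*~ /etc/torrc.d/*~
+
+#su -c '/etc/init.d/tor stop' -s /bin/sh $PRIV_TOR_OWNER
+#sleep 5
+
+# su -c '/etc/init.d/tor start' -s /bin/sh $PRIV_TOR_OWNER
+systemctl start tor || exit 4$?
+
+sleep 10
+
+sed -e '/configured a non-loopback address/d' /run/tor/log.*
+
+[ -f /run/tor/log.err ] && cat /run/tor/log.err && exit 5
+
+grep % /run/tor/log.*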
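Review bot: The `-f` test in `[ -f /run/tor/log.err ] && cat /run/tor/log.err && exit 5` is always true, because the script itself creates that file earlier with `cp /dev/null /run/tor/log.err`, and `cat` of an empty file succeeds, so every run exits 5 before reaching the final `grep % /run/tor/log.*`; use `[ -s /run/tor/log.err ] && cat /run/tor/log.err && exit 5` so only a non-empty error log aborts. The `||` on the netstat line runs the `ERROR: alrady running` branch when grep finds no matching listener, which looks inverted if the intent is to refuse to start while a Tor port is already bound — worth confirming, and the message should read `already`. `rm -f /etc/torrc.d/*~` is also executed twice (once on its own and again together with `/usr/local/etc/torrc.d/*~`); the first occurrence can be dropped.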
827
overlay/Linux/usr/local/sbin/privacy_whonix-gateway-firewall.bash
Executable file
827
overlay/Linux/usr/local/sbin/privacy_whonix-gateway-firewall.bash
Executable file
@ -0,0 +1,827 @@
|
||||
#!/bin/bash
|
||||
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
|
||||
|
||||
prog=$( basename $0 .bash )
|
||||
PREFIX=/usr/local
|
||||
ROLE=privacy
|
||||
|
||||
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash \
|
||||
|| { echo >&2 ERROR: $prog "/usr/local/etc/testforge/testforge.bash" ; exit 1 ; }
|
||||
[ -z "$PRIV_TOR_OWNER" ] && grep -q ^debian-tor /etc/passwd && PRIV_TOR_OWNER=debian-tor
|
||||
[ -z "$PRIV_TOR_OWNER" ] && grep -q ^tor /etc/passwd && PRIV_TOR_OWNER=tor
|
||||
|
||||
#set -- -x
|
||||
DEBUG=
|
||||
WHONIX_HOST=0
|
||||
WHONIX_GATE=1
|
||||
|
||||
SSH_SERVICE=22
|
||||
BOOTPC_SERVICE=68
|
||||
BOOTPS_SERVICE=67
|
||||
NETBIOSNS_SERVICE=137
|
||||
NETBIOSDG_SERVICE=138
|
||||
|
||||
PRIV_WHONIX_EXTERNAL_NET=10.0.2.0/24
|
||||
# 10.152.152.10 gateway
|
||||
# 10.152.152.11 work
|
||||
PRIV_WHONIX_INTERNAL_NET=10.152.152.0/24
|
||||
|
||||
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
|
||||
## Copyright (C) 2014 - 2015 Jason Mehring <nrgaway@gmail.com>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
ALLOW_GATEWAY_USER_USER=1
|
||||
GATEWAY_ALLOW_INCOMING_SSH=0
|
||||
GATEWAY_ALLOW_INCOMING_ICMP=0
|
||||
|
||||
#### meta start
|
||||
#### project Whonix
|
||||
#### category networking and firewall
|
||||
#### description
|
||||
## firewall script
|
||||
#### meta end
|
||||
|
||||
## --reject-with
|
||||
## http://ubuntuforums.org/showthread.php?p=12011099
|
||||
|
||||
## Set to icmp-admin-prohibited because icmp-port-unreachable caused
|
||||
## confusion. icmp-port-unreachable looks like a bug while
|
||||
## icmp-admin-prohibited hopefully makes clear it is by design.
|
||||
|
||||
set -e
|
||||
|
||||
error_handler() {
|
||||
echo "$0 ##################################################"
|
||||
echo "$0 ERROR: Whonix firewall script failed!"
|
||||
echo "$0 ##################################################"
|
||||
|
||||
exit 1
|
||||
}
|
||||
|
||||
trap "error_handler" ERR
|
||||
|
||||
init() {
|
||||
output_cmd "OK: Loading Whonix firewall..."
|
||||
|
||||
set -o pipefail
|
||||
set -o errtrace
|
||||
}
|
||||
|
||||
source_config_folder() {
|
||||
shopt -s nullglob
|
||||
local i
|
||||
for i in \
|
||||
/etc/whonix_firewall.d/*.conf \
|
||||
/rw/config/whonix_firewall.d/*.conf \
|
||||
/usr/local/etc/whonix_firewall.d/*.conf \
|
||||
; do
|
||||
bash_n_exit_code="0"
|
||||
bash_n_output="$(bash -n "$i" 2>&1)" || { bash_n_exit_code="$?" ; true; };
|
||||
if [ ! "$bash_n_exit_code" = "0" ]; then
|
||||
output_cmd "ERROR: Invalid config file: $i
|
||||
bash_n_exit_code: $bash_n_exit_code
|
||||
bash_n_output:
|
||||
$bash_n_output" >&2
|
||||
exit 1
|
||||
fi
|
||||
source "$i"
|
||||
done
|
||||
}
|
||||
|
||||
variables_defaults() {
|
||||
[ -n "$iptables_cmd" ] || iptables_cmd="iptables --wait"
|
||||
[ -n "$ip6tables_cmd" ] || ip6tables_cmd="ip6tables --wait"
|
||||
|
||||
[ -n "$WORKSTATION_TRANSPARENT_TCP" ] || WORKSTATION_TRANSPARENT_TCP=1
|
||||
[ -n "$WORKSTATION_TRANSPARENT_DNS" ] || WORKSTATION_TRANSPARENT_DNS=1
|
||||
[ -n "$WORKSTATION_ALLOW_SOCKSIFIED" ] || WORKSTATION_ALLOW_SOCKSIFIED=1
|
||||
[ -n "$CONTROL_PORT_FILTER_PROXY_ENABLE" ] || CONTROL_PORT_FILTER_PROXY_ENABLE=1
|
||||
[ -n "$GATEWAY_ALLOW_INCOMING_DIR_PORT" ] || GATEWAY_ALLOW_INCOMING_DIR_PORT=0
|
||||
[ -n "$GATEWAY_ALLOW_INCOMING_OR_PORT" ] || GATEWAY_ALLOW_INCOMING_OR_PORT=0
|
||||
[ -n "$DIR_PORT" ] || DIR_PORT=80
|
||||
[ -n "$OR_PORT" ] || OR_PORT=443
|
||||
[ -n "$GATEWAY_TRANSPARENT_TCP" ] || GATEWAY_TRANSPARENT_TCP=0
|
||||
[ -n "$GATEWAY_TRANSPARENT_UDP" ] || GATEWAY_TRANSPARENT_UDP=0
|
||||
[ -n "$GATEWAY_TRANSPARENT_DNS" ] || GATEWAY_TRANSPARENT_DNS=0
|
||||
[ -n "$ALLOW_GATEWAY_ROOT_USER" ] || ALLOW_GATEWAY_ROOT_USER=0
|
||||
[ -n "$ALLOW_GATEWAY_USER_USER" ] || ALLOW_GATEWAY_USER_USER=0
|
||||
[ -n "$GATEWAY_ALLOW_INCOMING_SSH" ] || GATEWAY_ALLOW_INCOMING_SSH=0
|
||||
[ -n "$GATEWAY_ALLOW_INCOMING_ICMP" ] || GATEWAY_ALLOW_INCOMING_ICMP=0
|
||||
|
||||
## Get Tor username, distro specific!
|
||||
[ -n "$TOR_USER" ] || TOR_USER=$PRIV_TOR_OWNER
|
||||
|
||||
## Get user uids.
|
||||
#!? [ -n "$CLEARNET_USER" ] || CLEARNET_USER="$(id -u clearnet)"
|
||||
[ -n "$USER_USER" ] || USER_USER="$(id -u user)" || true
|
||||
[ -n "$ROOT_USER" ] || ROOT_USER="$(id -u root)"
|
||||
#!? [ -n "$TUNNEL_USER" ] || TUNNEL_USER="$(id -u tunnel)"
|
||||
[ -n "$SDWDATE_USER" ] || SDWDATE_USER="$(id -u sdwdate)"
|
||||
[ -n "$WHONIXCHECK_USER" ] || WHONIXCHECK_USER="$(id -u whonixcheck)"
|
||||
|
||||
## No NAT for clearnet user.
|
||||
[ -n "$CLEARNET_USER" ] && NO_NAT_USERS+=" $CLEARNET_USER"
|
||||
|
||||
## No NAT for tunnel user.
|
||||
[ -n "$TUNNEL_USER" ] && NO_NAT_USERS+=" $TUNNEL_USER"
|
||||
|
||||
## No NAT for user user.
|
||||
## DISABLED BY DEFAULT. For testing/debugging only.
|
||||
if [ "$ALLOW_GATEWAY_USER_USER" = "1" ]; then
|
||||
if [ "$USER_USER" = "" ]; then
|
||||
output_cmd "INFO: USER_USER is unset. Not adding USER_USER to NO_NAT_USERS."
|
||||
else
|
||||
NO_NAT_USERS+=" $USER_USER"
|
||||
fi
|
||||
fi
|
||||
|
||||
## No NAT for root user.
|
||||
## DISABLED BY DEFAULT. For testing/debugging only.
|
||||
if [ "$ALLOW_GATEWAY_ROOT_USER" = "1" ]; then
|
||||
NO_NAT_USERS+=" $ROOT_USER"
|
||||
fi
|
||||
|
||||
## Whonix-Gateway firewall does not support TUNNEL_FIREWALL_ENABLE=true yet.
|
||||
## It only supports VPN_FIREWALL="1".
|
||||
## In case someone confused this setting, i.e. using TUNNEL_FIREWALL_ENABLE=true
|
||||
## since this is how it is done on Whonix-Workstation, then gracefully enable
|
||||
## VPN_FIREWALL="1" to prevent users shooting their own feet.
|
||||
if [ "$TUNNEL_FIREWALL_ENABLE" = "true" ]; then
|
||||
VPN_FIREWALL="1"
|
||||
fi
|
||||
|
||||
## No NAT for Tor itself,
|
||||
## unless VPN_FIREWALL mode is enabled.
|
||||
if [ "$VPN_FIREWALL" = "1" ]; then
|
||||
true
|
||||
else
|
||||
NO_NAT_USERS+=" $TOR_USER"
|
||||
fi
|
||||
|
||||
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
|
||||
[ -n "$INT_IF" ] || INT_IF="vif+"
|
||||
[ -n "$INT_TIF" ] || INT_TIF="vif+"
|
||||
fi
|
||||
|
||||
## External interface
|
||||
[ -n "$EXT_IF" ] || EXT_IF="eth0"
|
||||
## Internal interface
|
||||
[ -n "$INT_IF" ] || INT_IF="eth1"
|
||||
## Internal "tunnel" interface, usually the same as
|
||||
## the Internal interface unless using vpn tunnels
|
||||
## between workstations and gateway
|
||||
[ -n "$INT_TIF" ] || INT_TIF="eth1"
|
||||
|
||||
if [ "$NON_TOR_GATEWAY" = "" ]; then
|
||||
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
|
||||
NON_TOR_GATEWAY=""
|
||||
else
|
||||
## 10.0.2.2-10.0.2.24: VirtualBox DHCP
|
||||
NON_TOR_GATEWAY="\
|
||||
127.0.0.0-127.0.0.24 \
|
||||
192.168.0.0-192.168.0.24 \
|
||||
192.168.1.0-192.168.1.24 \
|
||||
10.152.152.0-10.152.152.24 \
|
||||
10.0.2.2-10.0.2.24 \
|
||||
"
|
||||
fi
|
||||
fi
|
||||
|
||||
[ -n "$VPN_INTERFACE" ] || VPN_INTERFACE="tun0"
|
||||
|
||||
## Destinations you do not routed through VPN, only for Whonix-Gateway.
|
||||
if [ "$LOCAL_NET" = "" ]; then
|
||||
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
|
||||
LOCAL_NET="\
|
||||
127.0.0.0-127.0.0.24 \
|
||||
10.137.0.0-10.138.255.255 \
|
||||
"
|
||||
else
|
||||
## 10.0.2.2/24: VirtualBox DHCP
|
||||
LOCAL_NET="\
|
||||
127.0.0.0-127.0.0.24 \
|
||||
192.168.0.0-192.168.0.24 \
|
||||
192.168.1.0-192.168.1.24 \
|
||||
10.152.152.0-10.152.152.24 \
|
||||
10.0.2.2-10.0.2.24 \
|
||||
"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$WORKSTATION_DEST_SOCKSIFIED" = "" ]; then
|
||||
## 10.152.152.10 - Non-Qubes-Whonix-Gateway IP
|
||||
##
|
||||
## 10.137.0.0/8 - persistent Qubes-Whonix-Gateway IP range
|
||||
## 10.138.0.0/8 - DispVM Qubes-Whonix-Gateway IP range
|
||||
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
|
||||
## https://forums.whonix.org/t/whonix-gateway-not-reachable/7484/16
|
||||
## 10.152.152.10 is hardcoded in some places.
|
||||
WORKSTATION_DEST_SOCKSIFIED="10.137.0.0/16,10.138.0.0/16,10.152.152.10"
|
||||
else
|
||||
WORKSTATION_DEST_SOCKSIFIED="10.152.152.10"
|
||||
fi
|
||||
fi
|
||||
|
||||
## The following ports are used
|
||||
## - here in /usr/bin/whonix_firewall (package: whonix-gw-firewall)
|
||||
## - by Tor in /usr/share/tor/tor-service-defaults-torrc (package: anon-gw-anonymizer-config)
|
||||
##
|
||||
## The following applications will be separated, preventing identity
|
||||
## correlation through circuit sharing.
|
||||
|
||||
## Transparent Proxy Ports for Whonix-Workstation
|
||||
[ -n "$TRANS_PORT_WORKSTATION" ] || TRANS_PORT_WORKSTATION="9040"
|
||||
[ -n "$DNS_PORT_WORKSTATION" ] || DNS_PORT_WORKSTATION="5300"
|
||||
|
||||
## Transparent Proxy Ports for Whonix-Gateway
|
||||
[ -n "$TRANS_PORT_GATEWAY" ] || TRANS_PORT_GATEWAY="9041"
|
||||
[ -n "$DNS_PORT_GATEWAY" ] || DNS_PORT_GATEWAY="5400"
|
||||
|
||||
## Control Port Filter Proxy Port
|
||||
[ -n "$CONTROL_PORT_FILTER_PROXY_PORT" ] || CONTROL_PORT_FILTER_PROXY_PORT="9051"
|
||||
|
||||
[ -n "$GATEWAY_ALLOW_INCOMING_FLASHPROXY" ] || GATEWAY_ALLOW_INCOMING_FLASHPROXY="0"
|
||||
[ -n "$FLASHPROXY_PORT" ] || FLASHPROXY_PORT="9000"
|
||||
|
||||
## Socks Ports for per application circuits.
|
||||
[ -n "$SOCKS_PORT_TOR_DEFAULT" ] || SOCKS_PORT_TOR_DEFAULT="9050"
|
||||
[ -n "$SOCKS_PORT_TB" ] || SOCKS_PORT_TB="9100"
|
||||
[ -n "$SOCKS_PORT_IRC" ] || SOCKS_PORT_IRC="9101"
|
||||
[ -n "$SOCKS_PORT_TORBIRDY" ] || SOCKS_PORT_TORBIRDY="9102"
|
||||
[ -n "$SOCKS_PORT_IM" ] || SOCKS_PORT_IM="9103"
|
||||
[ -n "$SOCKS_PORT_APT_GET" ] || SOCKS_PORT_APT_GET="9104"
|
||||
[ -n "$SOCKS_PORT_GPG" ] || SOCKS_PORT_GPG="9105"
|
||||
[ -n "$SOCKS_PORT_SSH" ] || SOCKS_PORT_SSH="9106"
|
||||
[ -n "$SOCKS_PORT_GIT" ] || SOCKS_PORT_GIT="9107"
|
||||
[ -n "$SOCKS_PORT_SDWDATE" ] || SOCKS_PORT_SDWDATE="9108"
|
||||
[ -n "$SOCKS_PORT_WGET" ] || SOCKS_PORT_WGET="9109"
|
||||
[ -n "$SOCKS_PORT_WHONIXCHECK" ] || SOCKS_PORT_WHONIXCHECK="9110"
|
||||
[ -n "$SOCKS_PORT_BITCOIN" ] || SOCKS_PORT_BITCOIN="9111"
|
||||
[ -n "$SOCKS_PORT_PRIVOXY" ] || SOCKS_PORT_PRIVOXY="9112"
|
||||
[ -n "$SOCKS_PORT_POLIPO" ] || SOCKS_PORT_POLIPO="9113"
|
||||
[ -n "$SOCKS_PORT_WHONIX_NEWS" ] || SOCKS_PORT_WHONIX_NEWS="9114"
|
||||
[ -n "$SOCKS_PORT_TBB_DOWNLOAD" ] || SOCKS_PORT_TBB_DOWNLOAD="9115"
|
||||
[ -n "$SOCKS_PORT_TBB_GPG" ] || SOCKS_PORT_TBB_GPG="9116"
|
||||
[ -n "$SOCKS_PORT_CURL" ] || SOCKS_PORT_CURL="9117"
|
||||
[ -n "$SOCKS_PORT_RSS" ] || SOCKS_PORT_RSS="9118"
|
||||
[ -n "$SOCKS_PORT_TORCHAT" ] || SOCKS_PORT_TORCHAT="9119"
|
||||
[ -n "$SOCKS_PORT_MIXMASTERUPDATE" ] || SOCKS_PORT_MIXMASTERUPDATE="9120"
|
||||
[ -n "$SOCKS_PORT_MIXMASTER" ] || SOCKS_PORT_MIXMASTER="9121"
|
||||
[ -n "$SOCKS_PORT_KDE" ] || SOCKS_PORT_KDE="9122"
|
||||
[ -n "$SOCKS_PORT_GNOME" ] || SOCKS_PORT_GNOME="9123"
|
||||
[ -n "$SOCKS_PORT_APTITUDE" ] || SOCKS_PORT_APTITUDE="9124"
|
||||
[ -n "$SOCKS_PORT_YUM" ] || SOCKS_PORT_YUM="9125"
|
||||
[ -n "$SOCKS_PORT_TBB_DEFAULT" ] || SOCKS_PORT_TBB_DEFAULT="9150"
|
||||
|
||||
## For testing purposes only.
|
||||
## To test if prerouting redirection rules for socksified interfere with transparent torification.
|
||||
## https://phabricator.whonix.org/T462
|
||||
#[ -n "$SOCKS_PORT_HTTP" ] || SOCKS_PORT_HTTP="80"
|
||||
#[ -n "$SOCKS_PORT_SSL" ] || SOCKS_PORT_SSL="443"
|
||||
|
||||
## Adding more Socks Ports here should no longer be necessary.
|
||||
## There are already lots of custom ports prepared that you can use.
|
||||
## See documentation:
|
||||
## https://www.whonix.org/wiki/Stream_Isolation
|
||||
##
|
||||
## Additional Socks Ports for per application circuits could be
|
||||
## added here, but you would have to:
|
||||
## - Edit '/usr/local/etc/torrc.d/50_user.conf' to add more 'SocksPort's.
|
||||
## - And 'sudo service tor@default reload' afterwards.
|
||||
## - Add more socks port variables to Whonix firewall configuration.
|
||||
## (For example to '/etc/whonix_firewall.d/50_user.conf'.)
|
||||
## Follow the 'SOCKS_PORT_...' naming scheme.
|
||||
## (For example 'SOCKS_PORT_CUSTOM_ONE', 'SOCKS_PORT_CUSTOM_TWO', etc.)
|
||||
## - And issue "sudo /usr/bin/whonix_firewall" afterwards.
|
||||
|
||||
socks_ports_list="$(compgen -v | grep SOCKS\_PORT\_)"
|
||||
}
|
||||
|
||||
ipv4_defaults() {
|
||||
lsmod | grep -q iptable_filter || modprobe iptable_filter
|
||||
## Set secure defaults.
|
||||
$iptables_cmd -P INPUT DROP
|
||||
|
||||
## FORWARD rules does not actually do anything if forwarding is disabled. Better be safe just in case.
|
||||
$iptables_cmd -P FORWARD DROP
|
||||
|
||||
## Will be lifted below.
|
||||
$iptables_cmd -P OUTPUT DROP
|
||||
}
|
||||
|
||||
ipv4_preparation() {
|
||||
lsmod | grep -q nf_nat || modprobe nf_nat
|
||||
lsmod | grep -q iptable_mangle || modprobe iptable_mangle
|
||||
|
||||
## Flush old rules.
|
||||
$iptables_cmd -F
|
||||
$iptables_cmd -X
|
||||
$iptables_cmd -t nat -F
|
||||
$iptables_cmd -t nat -X
|
||||
$iptables_cmd -t mangle -F
|
||||
$iptables_cmd -t mangle -X
|
||||
}
|
||||
|
||||
ipv4_drop_invalid_incoming_packages() {
|
||||
lsmod | grep -q nf_conntrack || modprobe nf_conntrack
|
||||
|
||||
## DROP MARTIANS
|
||||
## https://www.cyberciti.biz/faq/linux-log-suspicious-martian-packets-un-routable-source-addresses/
|
||||
$iptables_cmd -A INPUT -i $WLAN_IF -s 10.0.0.0/8 -j LOG --log-prefix "iptables_martian_DROP SPOOF A: "
|
||||
$iptables_cmd -A INPUT -i $WLAN_IF -s 172.16.0.0/12 -j LOG --log-prefix "iptables_martian_DROP SPOOF B: "
|
||||
$iptables_cmd -A INPUT -i $WLAN_IF -s 192.168.0.0/16 -j LOG --log-prefix "iptables_martian_DROP SPOOF C: "
|
||||
$iptables_cmd -A INPUT -i $WLAN_IF -s 224.0.0.0/4 -j LOG --log-prefix "iptables_martian_DROP MULTICAST D: "
|
||||
$iptables_cmd -A INPUT -i $WLAN_IF -s 240.0.0.0/5 -j LOG --log-prefix "iptables_martian_DROP SPOOF E: "
|
||||
$iptables_cmd -A INPUT -i $WLAN_IF -d 127.0.0.0/8 -j LOG --log-prefix "iptables_martian_DROP LOOPBACK: "
|
||||
|
||||
$iptables_cmd -A INPUT -i $WLAN_IF -s 10.0.0.0/8 -j DROP
|
||||
$iptables_cmd -A INPUT -i $WLAN_IF -s 172.16.0.0/12 -j DROP
|
||||
$iptables_cmd -A INPUT -i $WLAN_IF -s 192.168.0.0/16 -j DROP
|
||||
$iptables_cmd -A INPUT -i $WLAN_IF -s 224.0.0.0/4 -j DROP
|
||||
$iptables_cmd -A INPUT -i $WLAN_IF -s 240.0.0.0/5 -j DROP
|
||||
$iptables_cmd -A INPUT -i $WLAN_IF -d 127.0.0.0/8 -j DROP
|
||||
|
||||
## DROP INVALID
|
||||
$iptables_cmd -A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
$iptables_cmd -A INPUT -m state --state INVALID -j DROP
|
||||
|
||||
## DROP INVALID SYN PACKETS
|
||||
$iptables_cmd -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
||||
$iptables_cmd -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||||
$iptables_cmd -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||
|
||||
## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
|
||||
$iptables_cmd -A INPUT -f -j DROP
|
||||
|
||||
## DROP INCOMING MALFORMED XMAS PACKETS
|
||||
$iptables_cmd -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
|
||||
|
||||
## DROP INCOMING MALFORMED NULL PACKETS
|
||||
$iptables_cmd -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
|
||||
}
|
||||
|
||||
qubes() {
|
||||
lsmod | grep -q xt_owner || modprobe xt_owner
|
||||
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
|
||||
true "timesync-fail-closed mode, skipping rest of function $FUNCNAME"
|
||||
return 0
|
||||
fi
|
||||
|
||||
if [ -e /run/qubes/this-is-netvm ] || [ -e /run/qubes/this-is-proxyvm ]; then
|
||||
local int_if_item
|
||||
|
||||
for int_if_item in $INT_IF; do
|
||||
## Allow connections from port 8082 of internal vif interface for tinyproxy
|
||||
## tinyproxy is responsible to handle TemplateVMs updates.
|
||||
$iptables_cmd -A INPUT -i "$int_if_item" -p tcp -m tcp --dport 8082 -j ACCEPT
|
||||
$iptables_cmd -A OUTPUT -o "$int_if_item" -p tcp -m tcp --sport 8082 -j ACCEPT
|
||||
done
|
||||
|
||||
## Qubes pre-routing. Will be able to intercept traffic destined for
|
||||
## 10.137.255.254 to be re-routed to tinyproxy.
|
||||
$iptables_cmd -t nat -N PR-QBS-SERVICES
|
||||
$iptables_cmd -t nat -A PREROUTING -j PR-QBS-SERVICES
|
||||
|
||||
for int_if_item in $INT_IF; do
|
||||
## Redirects traffic destined for 10.137.255.154 to port 8082 (tinyproxy).
|
||||
$iptables_cmd -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i "$int_if_item" -p tcp -m tcp --dport 8082 -j REDIRECT
|
||||
done
|
||||
|
||||
## Forward tinyproxy output to port 5300/9040 on internal (Tor) interface (eth1) to be
|
||||
## able to connect to Internet (via Tor) to proxy updates for TemplateVM.
|
||||
$iptables_cmd -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to "127.0.0.1:${DNS_PORT_GATEWAY}"
|
||||
$iptables_cmd -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to "127.0.0.1:${TRANS_PORT_GATEWAY}"
|
||||
|
||||
## The same for squid from qubes-updates-cache, which runs as user vm-updates.
|
||||
if getent passwd vm-updates >/dev/null; then
|
||||
$iptables_cmd -t nat -A OUTPUT -p udp -m owner --uid-owner vm-updates -m conntrack --ctstate NEW -j DNAT --to "127.0.0.1:${DNS_PORT_GATEWAY}"
|
||||
$iptables_cmd -t nat -A OUTPUT -p tcp -m owner --uid-owner vm-updates -m conntrack --ctstate NEW -j DNAT --to "127.0.0.1:${TRANS_PORT_GATEWAY}"
|
||||
fi
|
||||
|
||||
## https://github.com/QubesOS/qubes-issues/issues/3201#issuecomment-338646742
|
||||
$iptables_cmd -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -d 127.0.0.1 --dport "${DNS_PORT_GATEWAY}" -j ACCEPT
|
||||
$iptables_cmd -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -d 127.0.0.1 --dport "${TRANS_PORT_GATEWAY}" -j ACCEPT
|
||||
fi
|
||||
}
|
||||
|
||||
ipv4_input_rules() {
|
||||
## Traffic on the loopback interface is accepted.
|
||||
$iptables_cmd -A INPUT -i lo -j ACCEPT
|
||||
|
||||
## Established incoming connections are accepted.
|
||||
$iptables_cmd -A INPUT -m state --state ESTABLISHED -j ACCEPT
|
||||
|
||||
## Drop all incoming ICMP traffic by default.
|
||||
## All incoming connections are dropped by default anyway, but should a user
|
||||
## allow incoming ports (such as for incoming SSH or FlashProxy), ICMP should
|
||||
## still be dropped to filter for example ICMP time stamp requests.
|
||||
if [ ! "$GATEWAY_ALLOW_INCOMING_ICMP" = "1" ]; then
|
||||
$iptables_cmd -A INPUT -p icmp -j DROP
|
||||
fi
|
||||
|
||||
## Allow all incoming connections on the virtual VPN network interface,
|
||||
## when VPN_FIREWALL mode is enabled.
|
||||
## DISABLED BY DEFAULT.
|
||||
if [ "$VPN_FIREWALL" = "1" ]; then
|
||||
$iptables_cmd -A INPUT -i "$VPN_INTERFACE" -j ACCEPT
|
||||
fi
|
||||
|
||||
local ext_if_item
|
||||
|
||||
for ext_if_item in $EXT_IF; do
|
||||
## Allow incoming SSH connections on the external interface.
|
||||
## DISABLED BY DEFAULT. For testing/debugging only.
|
||||
if [ "$GATEWAY_ALLOW_INCOMING_SSH" = "1" ]; then
|
||||
$iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport 22 -j ACCEPT
|
||||
fi
|
||||
|
||||
## Allow incoming Flash Proxy connections on the external interface.
|
||||
## This has NOTHING to do with Adobe Flash.
|
||||
## DISABLED BY DEFAULT.
|
||||
if [ "$GATEWAY_ALLOW_INCOMING_FLASHPROXY" = "1" ]; then
|
||||
$iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport "$FLASHPROXY_PORT" -j ACCEPT
|
||||
fi
|
||||
|
||||
local local_port_to_open
|
||||
for local_port_to_open in $EXTERNAL_OPEN_PORTS; do
|
||||
$iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport "$local_port_to_open" -j ACCEPT
|
||||
done
|
||||
|
||||
local local_udp_port_to_open
|
||||
for local_udp_port_to_open in $EXTERNAL_UDP_OPEN_PORTS; do
|
||||
$iptables_cmd -A INPUT -p udp --dport "$local_udp_port_to_open" -j ACCEPT
|
||||
done
|
||||
|
||||
if [ "$EXTERNAL_OPEN_ALL" = "true" ]; then
|
||||
$iptables_cmd -A INPUT -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
|
||||
true "timesync-fail-closed mode, skipping rest of function $FUNCNAME"
|
||||
return 0
|
||||
fi
|
||||
|
||||
for ext_if_item in $EXT_IF; do
|
||||
## Allow incoming DIRPORT connections for an optional Tor relay.
|
||||
## DISABLED BY DEFAULT.
|
||||
if [ "$GATEWAY_ALLOW_INCOMING_DIR_PORT" = "1" ]; then
|
||||
$iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport "$DIR_PORT" -j ACCEPT
|
||||
fi
|
||||
|
||||
## Allow incoming ORPORT connections for an optional Tor relay.
|
||||
## DISABLED BY DEFAULT.
|
||||
if [ "$GATEWAY_ALLOW_INCOMING_OR_PORT" = "1" ]; then
|
||||
$iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport "$OR_PORT" -j ACCEPT
|
||||
fi
|
||||
|
||||
## Custom Open Ports on external interface
|
||||
## - untested, should work
|
||||
## - Replace 22,9050,9051,9150,9151 with any ports you like to be open, example: 9050,9051
|
||||
## or just 9050
|
||||
## - $iptables_cmd v1.4.14: multiport needs -p tcp, -p udp, -p udplite, -p sctp or -p dccp
|
||||
#$iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --match multiport --dports 22,9050,9051,9150,9151 -j ACCEPT
|
||||
#$iptables_cmd -A INPUT -i "$ext_if_item" -p udp --match multiport --dports 22,9050,9051,9150,9151 -j ACCEPT
|
||||
|
||||
## OPTIONAL Allow incoming OpenVPN connections on the external interface.
|
||||
#$iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport 1194 -j ACCEPT
|
||||
done
|
||||
|
||||
local int_tif_item
|
||||
local int_if_item
|
||||
|
||||
for int_tif_item in $INT_TIF; do
|
||||
if [ "$WORKSTATION_TRANSPARENT_DNS" = "1" ]; then
|
||||
## Allow DNS traffic to DnsPort.
|
||||
$iptables_cmd -A INPUT -i "$int_tif_item" -p udp --dport "$DNS_PORT_WORKSTATION" -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
for int_if_item in $INT_IF; do
|
||||
if [ "$WORKSTATION_TRANSPARENT_TCP" = "1" ]; then
|
||||
## Allow TCP traffic TransPort.
|
||||
$iptables_cmd -A INPUT -i "$int_if_item" -p tcp --dport "$TRANS_PORT_WORKSTATION" -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
for int_tif_item in $INT_TIF; do
|
||||
## Allow TCP traffic to Control Port Filter Proxy.
|
||||
if [ "$CONTROL_PORT_FILTER_PROXY_ENABLE" = "1" ]; then
|
||||
$iptables_cmd -A INPUT -i "$int_tif_item" -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" -j ACCEPT
|
||||
fi
|
||||
|
||||
## Allow socksified applications.
|
||||
if [ "$WORKSTATION_ALLOW_SOCKSIFIED" = "1" ]; then
|
||||
for socks_port in $socks_ports_list; do
|
||||
true "$socks_port: ${!socks_port}"
|
||||
$iptables_cmd -A INPUT -i "$int_tif_item" -p tcp --dport "${!socks_port}" -j ACCEPT
|
||||
done
|
||||
|
||||
## Accept ports 9152-9189 prepared for user custom applications.
|
||||
## See /usr/share/tor/tor-service-defaults-torrc for more comments.
|
||||
$iptables_cmd -A INPUT -i "$int_tif_item" -p tcp --match multiport --dports 9152:9189 -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
for int_if_item in $INT_IF; do
|
||||
## Redirect Control Port Filter Proxy to Control Port Filter Proxy port.
|
||||
if [ "$CONTROL_PORT_FILTER_PROXY_ENABLE" = "1" ]; then
|
||||
$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -d "$WORKSTATION_DEST_SOCKSIFIED" -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" -j REDIRECT --to-ports "$CONTROL_PORT_FILTER_PROXY_PORT"
|
||||
fi
|
||||
|
||||
if [ "$WORKSTATION_ALLOW_SOCKSIFIED" = "1" ]; then
|
||||
for socks_port in $socks_ports_list; do
|
||||
true "$socks_port: ${!socks_port}"
|
||||
## Redirect Browser/IRC/TorBirdy, etc. to SocksPort.
|
||||
$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -d "$WORKSTATION_DEST_SOCKSIFIED" -p tcp --dport "${!socks_port}" -j REDIRECT --to-ports "${!socks_port}"
|
||||
done
|
||||
|
||||
## Redirect ports 9152-9189 prepared for user custom applications.
|
||||
$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -d "$WORKSTATION_DEST_SOCKSIFIED" -p tcp --dport 9152:9189 -j REDIRECT
|
||||
fi
|
||||
|
||||
if [ "$WORKSTATION_TRANSPARENT_DNS" = "1" ]; then
|
||||
## Redirect remaining DNS traffic to DNS_PORT_WORKSTATION.
|
||||
## Only user installed applications not configured to use a SocksPort are affected.
|
||||
$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT_WORKSTATION"
|
||||
fi
|
||||
|
||||
if [ "$WORKSTATION_TRANSPARENT_TCP" = "1" ]; then
|
||||
## Catch all remaining TCP and redirect to TransPort.
|
||||
## Only user installed applications not configured to use a SocksPort are affected.
|
||||
$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT_WORKSTATION"
|
||||
|
||||
## Optionally restrict TransPort.
|
||||
## Replace above rule with a more restrictive one, e.g.:
|
||||
#$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -p tcp --match multiport --dports 80,443 --syn -j REDIRECT --to-ports "$TRANS_PORT_WORKSTATION"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
ipv4_input_defaults() {
|
||||
## Log.
|
||||
#$iptables_cmd -A INPUT -j LOG --log-prefix "Whonix blocked input4: "
|
||||
|
||||
## Reject anything not explicitly allowed above.
|
||||
## Drop is better than reject here, because we do not want to reveal it's a Whonix-Gateway.
|
||||
## (In case someone running Whonix-Gateway on bare metal.)
|
||||
$iptables_cmd -A INPUT -j DROP
|
||||
}
|
||||
|
||||
ipv4_forward() {
|
||||
## Log.
|
||||
#$iptables_cmd -A FORWARD -j LOG --log-prefix "Whonix blocked forward4: "
|
||||
|
||||
## Reject everything.
|
||||
$iptables_cmd -A FORWARD -j REJECT --reject-with icmp-admin-prohibited
|
||||
}
|
||||
|
||||
ipv4_reject_invalid_outgoing_packages() {
|
||||
## Drop invalid outgoing packages,
|
||||
## unless NO_REJECT_INVALID_OUTGOING_PACKAGES is set to 1.
|
||||
if [ ! "$NO_REJECT_INVALID_OUTGOING_PACKAGES" = "1" ]; then
|
||||
## https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html
|
||||
$iptables_cmd -A OUTPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
|
||||
$iptables_cmd -A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
|
||||
#$iptables_cmd -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j REJECT --reject-with icmp-admin-prohibited
|
||||
#$iptables_cmd -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j REJECT --reject-with icmp-admin-prohibited
|
||||
|
||||
## DROP INVALID SYN PACKETS
|
||||
$iptables_cmd -A OUTPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j REJECT --reject-with icmp-admin-prohibited
|
||||
$iptables_cmd -A OUTPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT --reject-with icmp-admin-prohibited
|
||||
$iptables_cmd -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-admin-prohibited
|
||||
|
||||
## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
|
||||
$iptables_cmd -A OUTPUT -f -j REJECT --reject-with icmp-admin-prohibited
|
||||
|
||||
## DROP INCOMING MALFORMED XMAS PACKETS
|
||||
$iptables_cmd -A OUTPUT -p tcp --tcp-flags ALL ALL -j REJECT --reject-with icmp-admin-prohibited
|
||||
|
||||
## DROP INCOMING MALFORMED NULL PACKETS
|
||||
$iptables_cmd -A OUTPUT -p tcp --tcp-flags ALL NONE -j REJECT --reject-with icmp-admin-prohibited
|
||||
fi
|
||||
}
|
||||
|
||||
ipv4_output() {
|
||||
lsmod | grep -q xt_owner || modprobe xt_owner
|
||||
|
||||
## Allow outgoing traffic on VPN interface,
|
||||
## if VPN_FIREWALL mode is enabled.
|
||||
## DISABLED BY DEFAULT.
|
||||
if [ "$VPN_FIREWALL" = "1" ]; then
|
||||
$iptables_cmd -A OUTPUT -o "$VPN_INTERFACE" -j ACCEPT
|
||||
fi
|
||||
|
||||
local no_nat_user
|
||||
for no_nat_user in $NO_NAT_USERS ; do
|
||||
$iptables_cmd -t nat -A OUTPUT -m owner --uid-owner "$no_nat_user" -j RETURN
|
||||
done
|
||||
|
||||
if [ "$firewall_mode" = "full" ]; then
|
||||
## Redirect of Gateway DNS traffic to DNS_PORT_GATEWAY.
|
||||
## DISABLED BY DEFAULT. default. Using SocksPort instead.
|
||||
if [ "$GATEWAY_TRANSPARENT_DNS" = "1" ]; then
|
||||
$iptables_cmd -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT_GATEWAY"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$firewall_mode" = "full" ]; then
|
||||
## Exclude connections to local network, Whonix-Workstation, VirtualBox from being redirected through Tor,
|
||||
## unless VPN_FIREWALL mode is enabled.
|
||||
## ENABLED BY DEFAULT.
|
||||
if [ ! "$VPN_FIREWALL" = "1" ]; then
|
||||
local non_tor_gateway_item
|
||||
for non_tor_gateway_item in $NON_TOR_GATEWAY; do
|
||||
$iptables_cmd -t nat -A OUTPUT -m iprange --dst-range "$non_tor_gateway_item" -j RETURN
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$firewall_mode" = "full" ]; then
|
||||
## Redirect all Gateway TCP traffic to TRANS_PORT_GATEWAY.
|
||||
## DISABLED BY DEFAULT. Using SocksPort instead.
|
||||
if [ "$GATEWAY_TRANSPARENT_TCP" = "1" ]; then
|
||||
$iptables_cmd -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT_GATEWAY"
|
||||
fi
|
||||
fi
|
||||
|
||||
## Existing connections are accepted.
|
||||
$iptables_cmd -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
|
||||
|
||||
if [ "$firewall_mode" = "full" ]; then
|
||||
## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
|
||||
## unless VPN_FIREWALL mode is enabled.
|
||||
## ENABLED BY DEFAULT.
|
||||
if [ ! "$VPN_FIREWALL" = "1" ]; then
|
||||
for non_tor_gateway_item in $NON_TOR_GATEWAY; do
|
||||
$iptables_cmd -A OUTPUT -m iprange --dst-range "$non_tor_gateway_item" -j ACCEPT
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$firewall_mode" = "full" ]; then
|
||||
## Accept outgoing connections to local network,
|
||||
## when VPN_FIREWALL mode is enabled.
|
||||
## DISABLED BY DEFAULT.
|
||||
if [ "$VPN_FIREWALL" = "1" ]; then
|
||||
local local_net_item
|
||||
for local_net_item in $LOCAL_NET; do
|
||||
$iptables_cmd -A OUTPUT -m iprange --dst-range "$local_net_item" -j ACCEPT
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
## Prevent connections to Tor SocksPorts.
|
||||
## https://phabricator.whonix.org/T533#11025
|
||||
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
|
||||
local socks_port_item
|
||||
for socks_port_item in $socks_ports_list; do
|
||||
true "$socks_port_item: ${!socks_port_item}"
|
||||
if [ "$SOCKS_PORT_SDWDATE" = "${!socks_port_item}" ]; then
|
||||
continue
|
||||
fi
|
||||
$iptables_cmd -A OUTPUT -p tcp --dport "${!socks_port_item}" --dst "127.0.0.1" -j REJECT
|
||||
done
|
||||
fi
|
||||
|
||||
## Access to localhost is required even in timesync-fail-closed mode,
|
||||
## otherwise breaks applications such as konsole and kwrite.
|
||||
$iptables_cmd -A OUTPUT -o lo -j ACCEPT
|
||||
|
||||
for no_nat_user in $NO_NAT_USERS ; do
|
||||
$iptables_cmd -A OUTPUT -m owner --uid-owner "$no_nat_user" -j ACCEPT
|
||||
done
|
||||
|
||||
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
|
||||
## Allow sdwdate talking to localhost and Tor in Whonix firewall timesync-fail-closed mode.
|
||||
## Otherwise in Whonix firewall full mode this rule is redundant.
|
||||
$iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT
|
||||
$iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT
|
||||
|
||||
$iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "127.0.0.1" -j ACCEPT
|
||||
fi
|
||||
|
||||
## Log.
|
||||
#$iptables_cmd -A OUTPUT -j LOG --log-prefix "Whonix blocked output4: "
|
||||
|
||||
## Reject all other outgoing traffic.
|
||||
$iptables_cmd -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
|
||||
}
|
||||
|
||||
ipv6() {
|
||||
## Policy DROP for all traffic as fallback.
|
||||
$ip6tables_cmd -P INPUT DROP
|
||||
$ip6tables_cmd -P OUTPUT DROP
|
||||
$ip6tables_cmd -P FORWARD DROP
|
||||
|
||||
## Flush old rules.
|
||||
$ip6tables_cmd -F
|
||||
$ip6tables_cmd -X
|
||||
$ip6tables_cmd -t mangle -F
|
||||
$ip6tables_cmd -t mangle -X
|
||||
|
||||
## Allow unlimited access on loopback.
|
||||
## Not activated, since we do not need it.
|
||||
#$ip6tables_cmd -A INPUT -i lo -j ACCEPT
|
||||
#$ip6tables_cmd -A OUTPUT -o lo -j ACCEPT
|
||||
|
||||
## Log.
|
||||
#$ip6tables_cmd -A INPUT -j LOG --log-prefix "Whonix blocked input6: "
|
||||
#$ip6tables_cmd -A OUTPUT -j LOG --log-prefix "Whonix blocked output6: "
|
||||
#$ip6tables_cmd -A FORWARD -j LOG --log-prefix "Whonix blocked forward6: "
|
||||
|
||||
## Drop/reject all other traffic.
|
||||
$ip6tables_cmd -A INPUT -j DROP
|
||||
## --reject-with icmp-admin-prohibited not supported by ip6tables
|
||||
$ip6tables_cmd -A OUTPUT -j REJECT
|
||||
## --reject-with icmp-admin-prohibited not supported by ip6tables
|
||||
$ip6tables_cmd -A FORWARD -j REJECT
|
||||
}
|
||||
|
||||
status_files() {
|
||||
mkdir --parents /run/whonix_firewall
|
||||
if [ -e /run/whonix_firewall/first_run_current_boot.status ]; then
|
||||
touch /run/whonix_firewall/consecutive_run.status
|
||||
return 0
|
||||
fi
|
||||
touch /run/whonix_firewall/first_run_current_boot.status
|
||||
}
|
||||
|
||||
date_cmd(){
|
||||
date -u +"%Y-%m-%d %T"
|
||||
}
|
||||
|
||||
output_cmd() {
|
||||
echo "$(date_cmd) - $0 - $@"
|
||||
}
|
||||
|
||||
firewall_mode_detection() {
|
||||
if [ ! "$firewall_mode" = "" ]; then
|
||||
output_cmd "OK: Skipping firewall mode detection since already set to '$firewall_mode'."
|
||||
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
|
||||
output_cmd "OK: (Only local Tor control port connections and torified sdwdate allowed.)"
|
||||
return 0
|
||||
elif [ "$firewall_mode" = "full" ]; then
|
||||
output_cmd "OK: (Full torified network access allowed.)"
|
||||
return 0
|
||||
else
|
||||
output_cmd "ERROR: firewall_mode must be set to either 'full' or 'timesync-fail-closed'."
|
||||
error_handler
|
||||
fi
|
||||
fi
|
||||
|
||||
## Run Whonix firewall in full mode if sdwdate already succeeded.
|
||||
if [ -e /run/sdwdate/first_success ]; then
|
||||
firewall_mode=full
|
||||
output_cmd "OK: (/run/sdwdate/first_success exists.)"
|
||||
elif [ -e /run/sdwdate/success ]; then
|
||||
firewall_mode=full
|
||||
output_cmd "OK: (/run/sdwdate/success exists.)"
|
||||
## /run/whonix_firewall/first_run_current_boot.status already exists,
|
||||
## therefore have Whonix firewall run in full mode.
|
||||
elif [ -e /run/whonix_firewall/first_run_current_boot.status ]; then
|
||||
firewall_mode=full
|
||||
output_cmd "OK: (/run/whonix_firewall/first_run_current_boot.status exists.)"
|
||||
else
|
||||
## /run/whonix_firewall/first_run_current_boot.status does not yet exist,
|
||||
## therefore return 'yes, timesync-fail-closed'.
|
||||
firewall_mode=timesync-fail-closed
|
||||
fi
|
||||
|
||||
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
|
||||
output_cmd "OK: First run during current boot, therefore running in timesync-fail-closed mode."
|
||||
output_cmd "OK: (Only local Tor control port connections and torified sdwdate allowed.)"
|
||||
else
|
||||
output_cmd "OK: Consecutive run during current boot, therefore running in full mode."
|
||||
output_cmd "OK: (Full torified network access allowed.)"
|
||||
fi
|
||||
}
|
||||
|
||||
end() {
|
||||
output_cmd "OK: Whonix firewall loaded."
|
||||
|
||||
exit 0
|
||||
}
|
||||
|
||||
main() {
|
||||
init
|
||||
firewall_mode_detection
|
||||
variables_defaults
|
||||
ipv4_defaults
|
||||
ipv4_preparation
|
||||
ipv4_drop_invalid_incoming_packages
|
||||
qubes
|
||||
ipv4_input_rules
|
||||
ipv4_input_defaults
|
||||
ipv4_forward
|
||||
ipv4_reject_invalid_outgoing_packages
|
||||
ipv4_output
|
||||
if [ -d /proc/sys/net/ipv6/ ]; then
|
||||
ipv6
|
||||
fi
|
||||
status_files
|
||||
end
|
||||
}
|
||||
|
||||
source_config_folder
|
||||
main
|
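--- a/overlay/Linux/usr/local/sbin/proxy_firewall_start.bash
+++ b/overlay/Linux/usr/local/sbin/proxy_firewall_start.bash
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+ROLE=proxy
+. /usr/local/bin/proxy_ping_lib.bash || { echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 3; }
+proxy_ping_firewall_restart $*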
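Review bot: `proxy_ping_firewall_restart $*` on the last line hands the script's arguments over unquoted, so an argument containing whitespace or glob characters is re-split and expanded before the library function sees it; `proxy_ping_firewall_restart "$@"` passes them through unchanged. The error branch of the `. /usr/local/bin/proxy_ping_lib.bash || { … }` line prints to stdout; `echo … >&2` would keep the diagnostic out of any captured output, matching the usual convention for error messages. The script also exits with whatever status the last command returns, which is presumably intended; an explicit `exit $?` after the call would make that visible.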
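--- a/overlay/Linux/usr/local/sbin/proxy_libvirt_ga_test.bash
+++ b/overlay/Linux/usr/local/sbin/proxy_libvirt_ga_test.bash
@@ -0,0 +1,80 @@
+#!/bin/sh
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+ROLE=hostvms
+
+#[ $# -eq 0 ] && set -- Whonix-Gateway /bin/cat /proc/cmdline
+[ $# -eq 0 ] && set -- Whonix-Gateway /bin/netstat -lnp4
+[ $# -lt 2 ] && echo USAGE: $0 domain command arguments
+. /usr/local/bin/usr_local_tput.bash || exit 3
+
+HOST=$1
+shift
+CMD=$1
+shift
+
+# FixMe
+if [ $# -lt 1 ] ; then
+ARGS=""
+elif [ $# -gt 1 ] ; then
+ARGS=`sed -e 's/ /","/g' <<< $*`
+else
+ARGS="$1"
+fi
+
+[ "$HOST" = WWork106 ] && HOST=Whonix-Workstation || true
+[ "$HOST" = WGate106 ] && HOST=Whonix-Gateway || true
+[ -z "$CMD" ] && CMD=/usr/sbin/qemu-ga && ARGS=-D
+
+INFO $0 $HOST $CMD $ARGS
+
+if ifconfig virbr1 | grep -q 10.0.2.2 ; then
+# lrwxrwxrwx 1 root root 11 Aug 26 21:58 /dev/virtio-ports/org.qemu.guest_agent.0 -> ../vport3p2
+INFO ssh user@10.0.2.15 virbr1
+ssh user@10.0.2.15 ls -l /dev/virtio-ports/org.qemu.guest_agent.0 | \
+grep /dev/virtio-ports/org.qemu.guest_agent.0 || \
+WARN NOT ssh ls -l /dev/virtio-ports/org.qemu.guest_agent.0
+# /usr/sbin/qemu-ga
+ssh user@10.0.2.15 ps ax | \
+grep qemu-ga || \
+WARN NOT ssh ps qemu-ga
+fi
+
+
+DBUG virsh qemu-agent-command $HOST \
+'{"execute":"guest-exec", "arguments": {"capture-output": true,"path":"'$CMD'","arg":["'$ARGS'"]}}'
+virsh qemu-agent-command $HOST \
+'{"execute":"guest-exec", "arguments": {"capture-output": true,"path":"'$CMD'","arg":["'$ARGS'"]}}' \
+>/tmp/Q$$.out || exit 1$?
+
+grep -q return /tmp/Q$$.out || exit 2
+pid=`sed -e 's/.*://' -e 's/}.*//' /tmp/Q$$.out`
+[ $? -eq 0 -a -n "$pid" ] || exit 3
+
+# DBUG virsh qemu-agent-command $HOST \
+# '{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}'
+#virsh qemu-agent-command $HOST \
+# '{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}' \
+# >/tmp/R$$.out || exit 4$?
+
+TRIES=10
+i=0
+while [ $i -lt $TRIES ] ; do
+i=`expr $i + 1`
+virsh qemu-agent-command $HOST \
+'{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}' \
+>/tmp/R$$.out || exit 4$i$?
+grep -q '"exitcode":0' /tmp/R$$.out && break
+sleep 5
+DBUG $i
+done
+[ $i -lt $TRIES ] || \
+{ ERROR $i no exitcode in /tmp/R$$.out; exit 5 ; }
+
+b64=`sed -e 's/{"return":{"exitcode":0,"out-data":"//' -e 's/",".*//' /tmp/R$$.out`
+[ $? -eq 0 ] || exit 6
+[ -n "$b64" ] || exit 7
+echo $b64 | base64 -d - || exit 8
+
+rm -f /tmp/{Q,R}$$.out
+exit 0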
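Review bot: The file starts with `#!/bin/sh`, but `ARGS=\`sed -e 's/ /","/g' <<< $*\`` uses a bash here-string that a POSIX `sh` such as dash rejects at parse time; either change the shebang to `#!/bin/bash` or write `ARGS=$(printf '%s' "$*" | sed -e 's/ /","/g')`. The usage check `[ $# -lt 2 ] && echo USAGE: $0 domain command arguments` only prints and then carries on with an empty `$CMD`; it should end in `&& exit 2`. `$CMD` and `$ARGS` are spliced into the guest-exec JSON verbatim, so an argument containing a double quote or backslash yields invalid JSON — that is worth a sentence at the `# FixMe` line, since the comment does not say what is known to be broken. The work files `/tmp/Q$$.out` and `/tmp/R$$.out` have predictable names and are only removed on the success path; `mktemp` for each plus a `trap 'rm -f -- "$q" "$r"' EXIT` would cover every `exit N` above as well.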
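--- a/overlay/Linux/usr/local/sbin/proxy_libvirt_hook_network.bash
+++ b/overlay/Linux/usr/local/sbin/proxy_libvirt_hook_network.bash
@@ -0,0 +1,29 @@
+#!/bin/bash
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+prog=$( basename $0 .bash )
+PREFIX=/usr/local
+ROLE=proxy
+. /usr/local/bin/usr_local_tput.bash
+
+. /usr/local/bin/proxy_ping_lib.bash || exit 1$?
+
+if [ -f /etc/modules-load.d/firewall.conf ] ; then
+grep -v '#' /etc/modules-load.d/firewall.conf|xargs modprobe --all
+fi
+
+proxy_ping_firewall_restart
+retval=$?
+if [ $retval -eq 0 ] ; then
+logger INFO: $prog proxy_ping_firewall_restart $*
+else
+logger ERROR: $prog proxy_ping_firewall_restart retval=$retval $*
+exit $retval
+fi
+
+# clean
+exit 0
+
+# BEGIN ANSIBLE MANAGED BLOCK proxy whonix_host.yml
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+# END ANSIBLE MANAGED BLOCK proxy whonix_host.yml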
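Review bot: `grep -v '#' /etc/modules-load.d/firewall.conf|xargs modprobe --all` runs `modprobe --all` with no module names when the file is empty or holds only comments, because GNU xargs invokes its command once even on empty input; `xargs -r modprobe --all` avoids that, and `grep -v '^#'` would stop dropping module lines that merely contain a `#` further along. The first `. /usr/local/bin/usr_local_tput.bash` is unchecked while the `proxy_ping_lib.bash` source directly below exits on failure; an `|| exit 1` makes the two consistent. Both `logger` calls append `$*` unquoted after the message words, so a hook argument starting with `-` can be read as a logger option; `logger -- "INFO: $prog proxy_ping_firewall_restart $*"` logs one fixed message. The three lines after `exit 0` (the ANSIBLE MANAGED BLOCK) are never executed and can be dropped or moved above the exit.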
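--- a/overlay/Linux/usr/local/sbin/proxy_libvirt_hook_qemu.bash
+++ b/overlay/Linux/usr/local/sbin/proxy_libvirt_hook_qemu.bash
@@ -0,0 +1,13 @@
+#!/bin/bash
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+prog=$( basename $0 .bash )
+PREFIX=/usr/local
+ROLE=proxy
+
+. /usr/local/bin/usr_local_tput.bash
+
+logger INFO: $0 $PWD $*
+
+exit 0
+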
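Review bot: `logger INFO: $0 $PWD $*` passes the hook arguments unquoted after the message words, so an argument beginning with `-` is parsed as a logger option and one containing spaces is split; `logger -- "INFO: $0 $PWD $*"` logs a single fixed message. The `. /usr/local/bin/usr_local_tput.bash` source is unchecked and, as far as this file shows, nothing it provides is used here, so either drop it or guard it with `|| exit 1` as the sibling scripts do. `prog`, `PREFIX` and `ROLE` are assigned but never read in this file.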
BIN
overlay/Linux/usr/local/sbin/proxy_tor_lib.bad
Executable file
BIN
overlay/Linux/usr/local/sbin/proxy_tor_lib.bad
Executable file
Binary file not shown.
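--- a/overlay/Linux/usr/local/sbin/proxy_tor_lib.bash
+++ b/overlay/Linux/usr/local/sbin/proxy_tor_lib.bash
@@ -0,0 +1,217 @@
+#!/bin/bash
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+## /usr/local/bin/proxy_whonix_tor_start.bash
+
+ROLE=proxy
+[ -z "$prog" ] && prog=$( basename $0 .bash )
+[ -z "$PRIV_TOR_OWNER" ] && grep -q ^debian-tor /etc/passwd && PRIV_TOR_OWNER=debian-tor
+
+## host_tor_verify_config
+. /usr/local/bin/usr_local_tput.bash || exit 3
+host_tor_verify_config () {
+# tor --verify-config # || exit 2$?
+su -c 'tor --verify-config' -s /bin/sh $PRIV_TOR_OWNER \
+| grep -v 'notice\|DisableNetwork'
+# || exit 2
+return 0
+}
+
+tor_grep_log () {
+local log
+
+[ -f /run/tor/log ] && log=/run/tor/log || log=/tmp/tor.log
+[ -f $log ] || { WARN $prog $log not found ; return 1 ; }
+
+INFO grep % $log
+grep % $log | grep -v 5%
+
+return 0
+}
+
+## host_tor_is_running
+host_tor_is_running () {
+local retval
+
+retval=0
+if netstat -nlp4 2>&1| grep ':90.*/tor' ; then
+DBUG $prog tor is already running
+retval=2
+elif ps ax | grep -v grep | grep "su -c tor -s /bin/sh $PRIV_TOR_OWNER" ; then
+DBUG $prog tor is already running
+retval=3
+elif ls -l /run/tor/socket 2>/dev/null ; then
+DBUG $prog tor is already running
+retval=4
+fi
+tor_grep_log
+return $retval
+}
+
+## host_tor_start
+host_tor_start () {
+#su -c '/etc/init.d/tor stop' -s /bin/sh $PRIV_TOR_OWNER
+#sleep 5
+
+[ -d /run/tor/ ] && rm -f /run/tor/* || mkdir /run/tor
+# systemd overrides these
+chown $PRIV_TOR_OWNER.$PRIV_TOR_OWNER /run/tor
+chmod 2750 /run/tor/
+
+gateway_tor_stop
+# systemctl daemon-reload
+rm -f /run/tor/log.err /tmp/log.err
+rm -f /run/tor/log /tmp/log.log
+rm -f /run/tor/tor.pid /tmp/log.pid
+
+
+INFO starting tor - see /tmp/tor.err /tmp/tor.log
+
+if false ; then
+su -c '/etc/init.d/tor start' -s /bin/sh $PRIV_TOR_OWNER
+netstat -nlp -t inet | grep "$IP:9128" || systemctl --no-pager restart tor@default || return 4$?
+else
+su -c 'tor' -s /bin/sh $debian 2>/tmp/tor.err >/tmp/tor.log &
+echo -n $! >/tmp/tor.pid
+fi
+sleep 15
+
+return 0
+}
+
+## host_tor_stop
+host_tor_stop () {
+local debian
+
+[ -s /tmp/tor.pid ] && \
+DBUG $prog kill $( cat /tmp/tor.pid ) && \
+kill $( cat /tmp/tor.pid ) 2>/dev/null && \
+rm /tmp/tor.pid
+rm -f /tmp/tor.log /tmp/tor.err
+debian=$PRIV_TOR_OWNER
+pkill -u $debian
+[ -s /tmp/tog.pid ] && \
+kill $( cat /tmp/tog.pid ) 2>/dev/null \
+&& rm /tmp/tog.pid
+# echo 1|sudo dd of=/proc/sys/net/ipv4/tcp_tw_reuse
+return 0
+}
+
+PROXY_ExcludeNodes="{gb},{ca}"
+
+## proxy_tor_torrc_update
+proxy_tor_torrc_update () {
+local file IP
+file=$1
+IP=$2
+grep -q "SocksPort $IP:9050" $file || \
+echo "SocksPort $IP:9050" >> $file
+grep -q "DNSPort $IP:9053" $file || \
+echo "DNSPort $IP:9053" >> $file
+if false ; then
+grep -q "TransPort $IP:9040" $file || \
+echo "TransPort $IP:9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort" >> $file
+fi
+grep -q "HTTPTunnelPort $IP:9128" $file || \
+echo "HTTPTunnelPort $IP:9128 IsolateDestAddr" >> $file
+return 0
+}
+
+
+export TOR_LOG="/var/log/tor/log"
+export TOR_DIR=/var/lib/tor/data
+
+cmd_item_list=(
+"--has-consensus"
+"--current-time-in-valid-range"
+"--show-valid-after"
+"--show-valid-until"
+"--show-middle-range"
+)
+
+#"--tor-cert-lifetime-invalid"
+#"--tor-cert-valid-after"
+
+## proxy_tor_test_ntp
+proxy_tor_test_ntp () {
+/usr/local/bin/proxy_ping_test.bash ntp
+return $?
+}
+
+## proxy_tor_test_anondate
+proxy_tor_test_anondate () {
+local cmd_item outout exit_code
+
+for cmd_item in ${cmd_item_list[@]} ; do
+output="$( /usr/local/lib/helper-scripts/anondate $cmd_item $@ )"
+exit_code="$?"
+if [ $exit_code -eq 0 ] ; then
+INFO "/usr/local/lib/helper-scripts/anondate $cmd_item $@"
+echo "output: $output"
+else
+echo "WARN: /usr/local/lib/helper-scripts/anondate $cmd_item $@"
+echo -n "exit_code: $exit_code "
+echo "output: $output"
+fi
+done
+return 0
+}
+
+host_tor_status () {
+[ -f /tmp/tor.pid ] && \
+[ $( wc -c /tmp/tor.pid|sed -e 's/ .*//' ) -le 1 ] && \
+rm /tmp/tor.pid
+
+if [ -f /tmp/tor.pid ]; then
+ps -p "$( cat /tmp/tor.pid )"
+elif [ -f /run/tor/tor.pid ] ; then
+ps -p "$( cat /run/tor/tor.pid )"
+else
+WARN $prog no /tmp/tor.pid or /run/tor/tor.pid
+fi
+
+[ ! -f /usr/local/src/helper-scripts/tor_bootstrap_check.py ] || \
+python3 /usr/local/src/helper-scripts/tor_bootstrap_check.py \
+|| return 1
+
+debian=$PRIV_TOR_OWNER
+INFO $prog $debian processes:
+ps -g $debian
+
+guest_qemu_status || return 2$?
+tor_start_not_running && return 3$?
+
+[ ! -f /usr/local/src/helper-scripts/tor_circuit_established_check.py ] || \
+a=$( python3 /usr/local/src/helper-scripts/tor_circuit_established_check.py ) \
+|| return 4
+[ "$a" = "1" ]|| { echo "WARN: $prog tor_circuit_established_check != 1" ;
+return 5
+}
+
+return 0
+}
+
+## proxy_tor_torrc_exclude
+proxy_tor_torrc_exclude () {
+local file
+[ $# -eq 0 ] && file=$1 || file=/etc/tor/torrc
+[ -n "$file" ] || return 1
+[ -f "$file" ] || return 2
+[ -n "$PROXY_ExcludeNodes" ] || return 3
+grep -q "ExcludeNodes.*$PROXY_ExcludeNodes" "$file" && return 0
+if grep -q "ExcludeNodes" $file ; then
+sed -e "s@ExcludeNodes.*@ExcludeNodes ${PROXY_ExcludeNodes}@" -i $file
+else
+echo "ExcludeNodes $PROXY_ExcludeNodes" >> $file
+fi
+
+return 0
+}
+
+base=proxy_tor_lib
+if [ -x /usr/bin/basename ] && [ $( /usr/bin/basename -- $0 ) = $base'.bash' -o $( basename -- $0 ) = $base'.sh' ] ; then
+[ "$#" -eq 0 ] && exit 0
+[ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//'|sort && exit 0
+eval "$@"
+exit $?
+fi
+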
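Review bot: `host_tor_start` launches Tor with `su -c 'tor' -s /bin/sh $debian 2>/tmp/tor.err >/tmp/tor.log &`, but `debian` is only ever assigned inside `host_tor_stop` (as a `local`), so here it expands to nothing and `su` runs Tor as root instead of as `$PRIV_TOR_OWNER`; the line should read `su -c 'tor' -s /bin/sh "$PRIV_TOR_OWNER" 2>/tmp/tor.err >/tmp/tor.log &`. The same function calls `gateway_tor_stop`, which this file does not define (`host_tor_stop` is the local counterpart), so it only works when proxy_whonix_gateway_tor.bash was sourced first. In `proxy_tor_torrc_exclude` the argument test is inverted: `[ $# -eq 0 ] && file=$1 || file=/etc/tor/torrc` uses `$1` exactly when there is no argument and ignores it when one is given, so a caller passing a torrc.d file silently edits `/etc/tor/torrc`; `file=${1:-/etc/tor/torrc}` is what the callers expect. `proxy_tor_test_anondate` declares `local cmd_item outout exit_code`, a typo that leaves `output` global. The self-invocation block ends in `eval "$@"`; since it only needs to call a function by name, plain `"$@"` does the same without re-parsing the argument text as shell code.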
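--- a/overlay/Linux/usr/local/sbin/proxy_whonix-libvirt-install.bash
+++ b/overlay/Linux/usr/local/sbin/proxy_whonix-libvirt-install.bash
@@ -0,0 +1,172 @@
+#!/bin/bash
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+set -o pipefail || exit 1
+
+# was in /usr/lib/whonix-libvirt/install
+# unlike that one, this should be idempotent
+# [ -f /var/lib/whonix-libvirt/install.done ] && exit 0
+
+prog=$( basename $0 .bash )
+PREFIX=/usr/local
+ROLE=base
+. /usr/local/bin/usr_local_tput.bash
+
+GATEW=1
+# for testforge use we only need the Gateway
+WORKS=
+
+[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
+. /usr/local/bin/proxy_ping_lib.bash || \
+{ echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 1; }
+. /usr/local/bin/usr_local_base.bash || exit 2
+
+MODE=`proxy_ping_mode`
+[ $MODE = whonix ] || exit 0
+
+#? echo ERROR: avoiding $prog proxy_whonix-libvirt-install.bash ; exit 10
+
+[ -x /usr/local/bin/proxy_libvirt_hook_network.bash ] || exit 12
+/usr/local/bin/proxy_libvirt_hook_network.bash || exit 13
+
+[ -d /usr/local/var/log ] || mkdir /usr/local/var/log || exit 14
+chmod 1777 /usr/local/var/log
+
+[ -f /etc/firewall.conf.whonix ] || \
+cp -p /usr/local/etc/firewall.conf.* /etc/ || exit 15
+
+[ -f /etc/firewall.conf ] || \
+cp -p /etc/firewall.conf.whonix /etc/firewall.conf || exit 16
+
+# ERROR: proxy_ping_firewall_check /etc/firewall.conf empty
+[ -x /etc/libvirt/hooks/network ] || cat > /etc/libvirt/hooks/network << \EOF
+#!/bin/sh
+[ -d /usr/local/var/log ] || mkdir /usr/local/var/log
+echo INFO: hooks/network $* > /usr/local/var/log/libvirt_network.log
+bash /usr/local/bin/proxy_libvirt_hook_network.bash "$@" \
+>> /usr/local/var/log/libvirt_network.log 2>&1
+EOF
+[ -x /etc/libvirt/hooks/network ] || chmod a+x /etc/libvirt/hooks/network
+/etc/libvirt/hooks/network || exit 16
+
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+set -e
+
+## {{ Taken from qemu-system-common.postinst.
+# Add the kvm group unless it's already there
+if ! getent group kvm >/dev/null; then
+addgroup --quiet --system kvm || true
+fi
+## }} Taken from qemu-system-common.postinst.
+
+## {{ Taken from libvirt-bin.postinst.
+if ! getent group libvirt >/dev/null; then
+addgroup --system libvirt
+fi
+## }} Taken from libvirt-bin.postinst.
+
+## Existence of user "user" is not guaranteed at this point.
+if grep -q ^user /etc/passwd ; then
+grep -q ^kvm /etc/group || addgroup user kvm
+grep -q ^libvirt /etc/group || addgroup user libvirt
+fi
+
+## Create shared directory and adjust permissions
+[ -d /mnt/gateway-shared ] || mkdir --parents /mnt/gateway-shared
+[ -n "$WORKS" ] && [ -d /mnt/workstation-shared ] || mkdir --parents /mnt/workstation-shared
+chmod 1777 /mnt/gateway-shared
+[ -n "$WORKS" ] && chmod 1777 /mnt/workstation-shared
+
+
+## networks
+proxy_virsh net-list --all | grep -q default || \
+virsh -c qemu:///system net-autostart "default" || exit 1$?
+#? virsh -c qemu:///system net-start "default" || exit 2$?
+proxy_virsh net-list --all | grep -q Whonix-External || \
+virsh -c qemu:///system net-define "/usr/local/etc/libvirt/qemu/networks/Whonix-External.xml" \
+|| exit 3$?
+proxy_virsh net-list --all | grep -q Whonix-Internal || \
+virsh -c qemu:///system net-define "/usr/local/etc/libvirt/qemu/networks/Whonix-Internal.xml" \
+|| exit 4$?
+
+#no virsh -c qemu:///system net-autostart "Whonix-External"
+proxy_virsh net-list | grep -q Whonix-External || \
+virsh -c qemu:///system net-start "Whonix-External" || exit 5$?
+# no virsh -c qemu:///system net-autostart "Whonix-Internal"
+proxy_virsh net-list | grep -q Whonix-Internal || \
+virsh -c qemu:///system net-start "Whonix-Internal" || exit 6$?
+
+lsmod | grep -q kvm||modprobe kvm || exit 7
+temp_dir=/usr/local/etc/libvirt/qemu
+
+if virsh capabilities | grep -q "<domain type='kvm'" ; then
+true "OK: found KVM"
+else
+## replace the 'kvm' domain type with 'qemu'
+search="<domain type='kvm'>"
+replace="<domain type='qemu'>"
+str_replace "$search" "$replace" "$temp_dir/Whonix-Gateway.xml"
+[ -n "$WORKS" ] && \
+str_replace "$search" "$replace" "$temp_dir/Whonix-Workstation.xml"
+
+search="<cpu mode='host-passthrough'/>"
+replace=""
+str_replace "$search" "$replace" "$temp_dir/Whonix-Gateway.xml"
+str_replace "$search" "$replace" "$temp_dir/Whonix-Workstation.xml"
+
+## https://forums.whonix.org/t/whonix-host-operating-system/3931/251
+search="<pvspinlock state='on'/>"
+replace=""
+str_replace "$search" "$replace" "$temp_dir/Whonix-Gateway.xml"
+[ -n "$WORKS" ] && \
+str_replace "$search" "$replace" "$temp_dir/Whonix-Workstation.xml"
+
+## https://forums.whonix.org/t/whonix-host-operating-system/3931/284
+search="<vcpu placement='static' cpuset='0'>1</vcpu>"
+replace=""
+str_replace "$search" "$replace" "$temp_dir/Whonix-Gateway.xml"
+
+## https://forums.whonix.org/t/whonix-host-operating-system/3931/284
+search="<vcpu placement='static' cpuset='1'>1</vcpu>"
+replace=""
+[ -n "$WORKS" ] && \
+str_replace "$search" "$replace" "$temp_dir/Whonix-Workstation.xml"
+fi
+
+[ -z "$GATEW" ] || \
+proxy_virsh list --all | grep -q Whonix-Gateway || \
+virsh -c qemu:///system define "$temp_dir/Whonix-Gateway.xml" || exit 8$?
+[ -z "$WORKS" ] || \
+proxy_virsh list --all | grep -q Whonix-Workstation || \
+virsh -c qemu:///system define "$temp_dir/Whonix-Workstation.xml" || exit 9$?
+
+grep -q /mnt/gateway-shared "$temp_dir/Whonix-Gateway.xml" || \
+virt-xml "Whonix-Gateway" --add-device \
+--filesystem source=/mnt/gateway-shared,target=shared,type=mount,accessmode=mapped || exit 10$?
+
+[ -z "$WORKS" ] || \
+grep -q /mnt/gateway-shared "$temp_dir/Whonix-Workstation.xml" || \
+virt-xml "Whonix-Workstation" --add-device --filesystem source=/mnt/workstation-shared,target=shared,type=mount,accessmode=mapped || true
+
+[ -d /var/lib/whonix-libvirt ] || \
+mkdir --parents /var/lib/whonix-libvirt
+touch /var/lib/whonix-libvirt/install.done
+
+proxy_virsh list | grep -q Whonix-Gateway || \
+virsh -c qemu:///system start "Whonix-Gateway" || exit 19$?
+
+if [ -d ~user ] ; then
+# kicksecure installs ~user/.xchat2/ not owned by user and it seems to screw up X
+# with "unable load load a failsafe session" unable to determine failsafe session name
+# even with no-allow-failsafe in /etc/X11/Xsession.options
+# Linkname:Xfce - Unable to load a failsafe session / Newbie... / Arch Linux Forums
+# https://bbs.archlinux.org/viewtopic.php?id=77646
+chown -R user ~user
+
+[ -x /var/local/bin/testforge_user_profile.bash ] && \
+su -c /var/local/bin/testforge_user_profile.bash -s /bin/bash user
+
+fi
+
+exit 0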
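Review bot: `grep -q ^kvm /etc/group || addgroup user kvm` and the `libvirt` line below it test whether the group exists rather than whether `user` belongs to it, and both groups were just created a few lines earlier, so the `addgroup user …` calls never run; `id -nG user | grep -qw kvm || addgroup user kvm` (and likewise for libvirt) checks the intended condition. The guard `grep -q /mnt/gateway-shared "$temp_dir/Whonix-Workstation.xml"` looks for the gateway path while the device it protects mounts `/mnt/workstation-shared`, so it presumably never matches and `virt-xml "Whonix-Workstation" --add-device …` is re-run on every invocation of a script the header comment says should be idempotent. With `set -e` switched on mid-file, `str_replace "$search" "$replace" "$temp_dir/Whonix-Workstation.xml"` in the `<cpu mode=…>` group is the only workstation replace not guarded by `[ -n "$WORKS" ]`, so if str_replace fails on a missing workstation XML the script aborts there even though `WORKS` is empty by default. `[ -n "$WORKS" ] && [ -d /mnt/workstation-shared ] || mkdir --parents /mnt/workstation-shared` creates the workstation directory precisely when `WORKS` is empty; `[ -z "$WORKS" ] || [ -d /mnt/workstation-shared ] || mkdir --parents /mnt/workstation-shared` matches the `[ -z "$WORKS" ] ||` guards used further down.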
349
overlay/Linux/usr/local/sbin/proxy_whonix_gateway_tor.bash
Executable file
349
overlay/Linux/usr/local/sbin/proxy_whonix_gateway_tor.bash
Executable file
@ -0,0 +1,349 @@
|
||||
#!/bin/bash
|
||||
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
|
||||
# was /usr/local/bin/proxy_whonix_tor_start.bash
|
||||
|
||||
ROLE=proxy
|
||||
USAGE="config|start|stop|status|restart|verify|test"
|
||||
|
||||
[ $( id -u ) -eq 0 ] || { ERROR $prog you must be root ; exit 1 ; }
|
||||
prog=$( basename $0 .bash )
|
||||
. /usr/local/bin/usr_local_tput.bash || exit 3
|
||||
|
||||
. /usr/local/sbin/proxy_whonix_lib.bash || exit 1
|
||||
. /usr/local/sbin/proxy_tor_lib.bash || exit 2
|
||||
rm -f /etc/torrc.d/*~
|
||||
|
||||
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
|
||||
[ -z "$PRIV_TOR_OWNER" ] && grep -q ^debian-tor /etc/passwd && PRIV_TOR_OWNER=debian-tor
|
||||
[ -z "$PRIV_TOR_OWNER" ] && grep -q ^tor /etc/passwd && PRIV_TOR_OWNER=tor
|
||||
|
||||
NEEDED_SCRIPTS="
|
||||
/usr/local/sbin/proxy_tor_lib.bash
|
||||
/usr/local/bin/proxy_ping_test.bash
|
||||
"
|
||||
|
||||
# to stop
|
||||
# 4269 ttyS0 S 0:00 su -c tor -s /bin/sh debian-tor
|
||||
# 4272 ? Ss 0:00 sh -c tor
|
||||
# 4273 ? S 0:02 tor
|
||||
# 4355 ? S 0:00 timeout --kill-after=5s 10s /usr/lib/helper-scripts/tor_circuit_established_check.py
|
||||
# 4356 ? R 0:00 /usr/bin/python3 -u /usr/lib/helper-scripts/tor_circuit_established_check.py
|
||||
## gateway_tor_stop
|
||||
gateway_tor_stop () {
|
||||
local debian
|
||||
|
||||
[ -s /tmp/tor.pid ] && \
|
||||
DBUG $prog kill $( cat /tmp/tor.pid ) && \
|
||||
kill $( cat /tmp/tor.pid ) 2>/dev/null && \
|
||||
rm /tmp/tor.pid
|
||||
rm -f /tmp/tor.log /tmp/tor.err
|
||||
debian=$PRIV_TOR_OWNER
|
||||
pkill -u $debian
|
||||
[ -s /tmp/tog.pid ] && \
|
||||
kill $( cat /tmp/tog.pid ) 2>/dev/null \
|
||||
&& rm /tmp/tog.pid
|
||||
systemctl stop vanguards
|
||||
# systemctl start onion-grater >/dev/null && systemctl stop onion-grater
|
||||
# echo 1|sudo dd of=/proc/sys/net/ipv4/tcp_tw_reuse
|
||||
netstat -npet4
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## gateway_tor_torrc
|
||||
gateway_tor_torrc () {
|
||||
local file IP
|
||||
# file=/etc/torrc.d/50_user.conf
|
||||
file=/usr/local/etc/torrc.d/50_user.conf
|
||||
if [ ! -f $file ] ; then
|
||||
cat > $file <<EOF
|
||||
# Tor user specific configuration file
|
||||
#
|
||||
# Add user modifications below this line:
|
||||
############################################
|
||||
Socks5ProxyUsername foo
|
||||
Socks5ProxyPassword bar
|
||||
SafeLogging 0
|
||||
SocksPort 10.0.2.15:9050
|
||||
DNSPort 10.0.2.15:9053
|
||||
HTTPTunnelPort 10.0.2.15:9128 IsolateDestAddr
|
||||
TransPort 10.0.2.15:9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort
|
||||
DisableNetwork 0
|
||||
ControlSocket /run/tor/control
|
||||
EOF
|
||||
else
|
||||
IP=10.0.2.15
|
||||
proxy_tor_torrc_update $file $IP
|
||||
fi
|
||||
proxy_tor_torrc_exclude $file
|
||||
return 0
|
||||
}
|
||||
|
||||
## gateway_tor_init_config_gateway_conf
|
||||
gateway_tor_init_config_gateway_conf () {
|
||||
local elt file
|
||||
file=/etc/whonix_firewall.d/30_whonix_gateway_default.conf
|
||||
for elt in GATEWAY_ALLOW_INCOMING_ICMP GATEWAY_ALLOW_INCOMING_SSH ; do
|
||||
grep -q $elt=1 $file || \
|
||||
sed -e "s/$elt=.*/$elt=1/" -i $file
|
||||
done
|
||||
for elt in 22 9050 9053 9040 9128 ; do
|
||||
grep -q '^EXTERNAL_OPEN_PORTS.=" '$elt' "' \
|
||||
/etc/whonix_firewall.d/30_whonix_gateway_default.conf && continue
|
||||
echo 'EXTERNAL_OPEN_PORTS+=" '$elt' "' >> $file
|
||||
done
|
||||
return 0
|
||||
}
|
||||
|
||||
## gateway_tor_init_check_iptables
|
||||
gateway_tor_init_check_iptables () {
|
||||
local rule changed
|
||||
changed=0
|
||||
rule='-A INPUT -i eth0 -p udp -m udp --dport 9053 -j ACCEPT'
|
||||
if ! proxy_iptables_save | grep -q -e "$rule" ; then
|
||||
[ $changed -eq 0 ] && proxy_iptables -D INPUT -j DROP
|
||||
proxy_iptables $rule
|
||||
changed=1
|
||||
fi
|
||||
rule='-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT'
|
||||
if ! proxy_iptables_save | grep -q -e "$rule" ; then
|
||||
[ $changed -eq 0 ] && proxy_iptables -D INPUT -j DROP
|
||||
proxy_iptables $rule
|
||||
changed=1
|
||||
fi
|
||||
rule='-A INPUT -i eth0 -p tcp -m tcp --dport 9128 -j ACCEPT'
|
||||
if ! proxy_iptables_save | grep -q -e "$rule" ; then
|
||||
[ $changed -eq 0 ] && proxy_iptables -D INPUT -j DROP
|
||||
proxy_iptables $rule
|
||||
changed=1
|
||||
fi
|
||||
[ $changed -gt 0 ] && proxy_iptables -A INPUT -j DROP
|
||||
return 0
|
||||
}
|
||||
# systemctl --no-pager status tor@default
|
||||
|
||||
## tor_start_not_running
|
||||
tor_start_not_running () {
|
||||
local retval
|
||||
|
||||
retval=0
|
||||
if netstat -nlp4 2>&1| grep '15:90.*/tor' ; then
|
||||
DBUG $prog tor is already running
|
||||
retval=2
|
||||
elif ps ax | grep -v grep | grep "su -c tor -s /bin/sh $PRIV_TOR_OWNER" ; then
|
||||
DBUG $prog tor is already running
|
||||
retval=3
|
||||
elif ls -l /run/tor/socket 2>/dev/null ; then
|
||||
DBUG $prog tor is already running
|
||||
retval=4
|
||||
fi
|
||||
tor_grep_log
|
||||
return $retval
|
||||
}
|
||||
|
||||
## gateway_tor_config_tor
|
||||
gateway_tor_config_tor () {
|
||||
|
||||
gateway_tor_init_check_iptables || exit 2$?
|
||||
gateway_tor_torrc
|
||||
gateway_tor_init_config_gateway_conf
|
||||
rm -f /usr/local/etc/torrc.d/*~
|
||||
return $?
|
||||
}
|
||||
|
||||
## tor_start_verify_config
|
||||
tor_start_verify_config () {
|
||||
# tor --verify-config # || exit 2$?
|
||||
su -c 'tor --verify-config' -s /bin/sh $PRIV_TOR_OWNER \
|
||||
| grep -v 'notice\|DisableNetwork'
|
||||
# || exit 2
|
||||
return 0
|
||||
}
|
||||
|
||||
## tor_prepare_to_start
|
||||
tor_prepare_to_start () {
|
||||
#su -c '/etc/init.d/tor stop' -s /bin/sh $PRIV_TOR_OWNER
|
||||
#sleep 5
|
||||
|
||||
[ -d /run/tor/ ] && rm -f /run/tor/* || mkdir /run/tor
|
||||
# systemd overrides these
|
||||
chown $PRIV_TOR_OWNER.$PRIV_TOR_OWNER /run/tor
|
||||
chmod 0700 /run/tor/
|
||||
|
||||
gateway_tor_stop
|
||||
# systemctl daemon-reload
|
||||
rm -f /run/tor/log.err /tmp/log.err
|
||||
rm -f /run/tor/log /tmp/log.log
|
||||
rm -f /run/tor/tor.pid /tmp/log.pid
|
||||
|
||||
sed '/DisableNetwork/d' -i /usr/local/etc/torrc.d/50_user.conf
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## tor_after_start
|
||||
tor_after_start () {
|
||||
|
||||
[ -s /tmp/tor.err ] && ERROR $prog /tmp/tor.err && cat /tmp/tor.err && return 6
|
||||
grep '\[warn\]' /tmp/tor.log
|
||||
grep '\[err\]' /tmp/tor.log && ERROR $prog /tmp/tor.log && return 7
|
||||
|
||||
ls /run/tor/log* >/dev/null && \
|
||||
sed -e '/configured a non-loopback address/d' -i /run/tor/log*
|
||||
chmod 750 /run/tor/
|
||||
chmod 640 /run/tor/log
|
||||
INFO checked /tmp/tor.log /tmp/tor.err
|
||||
|
||||
INFO starting onion-grater
|
||||
# systemctl start onion-grater
|
||||
pidof /usr/lib/onion-grater || return 0
|
||||
/usr/lib/onion-grater --listen-interface eth1 &
|
||||
echo -n $! >/tmp/tog.pid
|
||||
return 0
|
||||
}
|
||||
|
||||
tor_grep_log () {
|
||||
local log
|
||||
|
||||
[ -f /run/tor/log ] && log=/run/tor/log || log=/tmp/tor.log
|
||||
[ -f $log ] || { WARN $prog $log not found ; return 1 ; }
|
||||
|
||||
INFO grep % $log
|
||||
grep % $log | grep -v 5%
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
tor_test () {
|
||||
tor_grep_log
|
||||
tor_qemu_status || return 1$?
|
||||
return 0
|
||||
}
|
||||
|
||||
tor_qemu_status () {
|
||||
local pid
|
||||
|
||||
pid=$( pidof /usr/sbin/qemu-ga )
|
||||
[ $? -eq 0 -a -n "$pid" ] || \
|
||||
{ WARN $prog qemu-qa not running; return 1 ; }
|
||||
lsof -p $pid | grep -q /dev/v || \
|
||||
{ WARN /usr/sbin/qemu-ga not bound to /dev ; return 1 ; }
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
tor_status () {
|
||||
[ -f /tmp/tor.pid ] && \
|
||||
[ $( wc -c /tmp/tor.pid|sed -e 's/ .*//' ) -le 1 ] && \
|
||||
rm /tmp/tor.pid
|
||||
|
||||
if [ -f /tmp/tor.pid ]; then
|
||||
ps -p "$( cat /tmp/tor.pid )"
|
||||
elif [ -f /run/tor/tor.pid ] ; then
|
||||
ps -p "$( cat /run/tor/tor.pid )"
|
||||
else
|
||||
WARN $prog no /tmp/tor.pid or /run/tor/tor.pid
|
||||
fi
|
||||
|
||||
[ ! -f /usr/local/src/helper-scripts/tor_bootstrap_check.py ] || \
|
||||
python3 /usr/local/src/helper-scripts/tor_bootstrap_check.py \
|
||||
|| return 1
|
||||
|
||||
debian=$( grep -q ^$PRIV_TOR_OWNER /etc/passwd && echo $PRIV_TOR_OWNER || echo tor )
|
||||
INFO $prog $debian processes:
|
||||
ps -g $debian
|
||||
|
||||
tor_qemu_status || return 1$?
|
||||
tor_start_not_running && return 2$?
|
||||
|
||||
# /usr/lib/helper-scripts/tor_circuit_established_check.py
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
gateway_tor_verify () {
|
||||
tor_start_verify_config || return 1
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
gateway_tor_start () {
|
||||
local debian
|
||||
# Nov 09 21:00:27 host vanguards[715]: WARNING[Mon Nov 09 21:00:27 2020]: Tor daemon connection failed: [Errno 24] Too many open files. Trying again...
|
||||
|
||||
# debian-tor soft nofile 100000
|
||||
# /etc/security/limits.conf
|
||||
|
||||
gateway_tor_config_tor || return 2$?
|
||||
tor_start_not_running || return 3$?
|
||||
|
||||
gateway_tor_verify || return 4$?
|
||||
tor_prepare_to_start
|
||||
|
||||
INFO startiing tor - see /tmp/tor.err /tmp/tor.log
|
||||
#su -c '/etc/init.d/tor start' -s /bin/sh $PRIV_TOR_OWNER
|
||||
#netstat -nlp -t inet | grep "$IP:9128" || systemctl --no-pager restart tor@default || return 4$?
|
||||
su -c 'tor' -s /bin/sh $PRIV_TOR_OWNER 2>/tmp/tor.err >/tmp/tor.log &
|
||||
echo -n $! >/tmp/tor.pid
|
||||
|
||||
sleep 15
|
||||
|
||||
tor_after_start
|
||||
tor_status
|
||||
return 0
|
||||
}
|
||||
|
||||
if [ "$#" -eq 0 ] ; then
|
||||
echo USAGE: $prog "$USAGE"
|
||||
|
||||
elif [ "$d1#" = '--help' ] ; then
|
||||
echo USAGE: $prog "$USAGE" or:
|
||||
grep '^## ' $0 | sed -e 's/^## //'
|
||||
|
||||
## config
|
||||
elif [ $1 = config ] ; then
|
||||
INFO $prog $1
|
||||
gateway_tor_config_tor || exit 1$?
|
||||
|
||||
## stop -
|
||||
elif [ $1 = stop ] ; then
|
||||
INFO $prog $1
|
||||
gateway_tor_stop
|
||||
exit $?
|
||||
|
||||
## status
|
||||
elif [ $1 = status ] ; then
|
||||
INFO $prog tor_status
|
||||
tor_status || exit $?
|
||||
exit 0
|
||||
|
||||
## start
|
||||
elif [ "$1" = gateway -o "$1" = start ] ; then
|
||||
INFO $prog tor_start
|
||||
gateway_tor_start
|
||||
exit $?
|
||||
|
||||
## restart
|
||||
elif [ "$1" = restart ] ; then
|
||||
INFO $prog tor_restart
|
||||
gateway_tor_stop || exit 1$?
|
||||
sleep 2
|
||||
gateway_tor_start
|
||||
exit $?
|
||||
|
||||
## verify
|
||||
elif [ "$1" = verify ] ; then
|
||||
tor_start_verify_config
|
||||
|
||||
elif [ "$1" = test ] ; then
|
||||
tor_test
|
||||
|
||||
elif [ "$1" = '--help' -o "$1" = '-h' ] ; then
|
||||
echo USAGE: $prog "$USAGE or:"
|
||||
grep '^## ' $0 | sed -e 's/## //'
|
||||
|
||||
else
|
||||
eval "$@" || exit $?
|
||||
fi
|
||||
|
||||
exit 0
|
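--- a/overlay/Linux/usr/local/sbin/proxy_whonix_guest_gateway.bash
+++ b/overlay/Linux/usr/local/sbin/proxy_whonix_guest_gateway.bash
@@ -0,0 +1,262 @@
+#!/bin/bash
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+ROLE=proxy
+CONN=guest
+USAGE="[config|start|stop|test|verify]"
+prog=$( basename $0 .bash )
+. /usr/local/bin/usr_local_tput.bash
+
+. /usr/local/sbin/proxy_whonix_lib.bash || \
+{ ERROR loading /usr/local/sbin/proxy_whonix_lib.bash ; exit 1; }
+. /usr/local/sbin/proxy_whonix_gateway_tor.bash || \
+{ ERROR loading /usr/local/sbin/proxy_whonix_gateway_tor.bash ; exit 2; }
+. /usr/local/bin/usr_local_tput.bash || exit 3
+
+NSL='nslookup -querytype=A'
+NETS='netstat -nl4e'
+SHARED_MNTS="o"
+# ELTS="onion-grater" # these work and start normally
+# sdwdate should be linked to NetManager and prevents logins if not connected
+# well start tor ourselves
+# we dont need vanguards
+DISABLE_SERVICES="sdwdate tor vanguards"
+DISABLE_X_SERVICES="rads sdwdate-gui-shutdown-notify tor-control-panel"
+grep -q ' text ' /proc/cmdline && \
+DISABLE_SERVICES="$DISABLE_X_SERVICES $DISABLE_SERVICES"
+
+## proxy_gateway_fix_getty_timeout
+proxy_gateway_fix_getty_timeout () {
+# fix_getty_timeout - wheres inittab
+grep -l '^Exec.*agetty -o' /lib/systemd/system/*service | while read file ; do
+[ -f $file.dst ] && continue
+cp -p $file $file.dst
+sed -e 's/agetty -o/agetty -t 120 -o/' -i $file
+done
+return 0
+}
+
+## proxy_gateway_disable_rads
+proxy_gateway_disable_rads () {
+# rads is really hard to kill
+if [ ! -f /etc/rads.d/50_default.conf ] ; then
+sed /etc/rads.d/30_default.conf > /etc/rads.d/50_default.conf \
+-e 's@rads_start_display_manager=1@rads_start_display_manager=0@' \
+-e 's@rads_skip_ram_test=0rads_skip_ram_test=1@' \
+-e 's@rads_wait=0@rads_wait=1@' \
+-e 's@rads_wait_seconds=10@rads_wait_seconds=20@' \
+-e 's@rads_debug=0@rads_debug=1@'
+fi
+return 0
+}
+
+## proxy_gateway_install_tor
+proxy_gateway_install_tor () {
+# fixme parameterize?
+
+if [ ! -f /usr/local/etc/torrc.d/50_user.conf ] ; then
+cat > /usr/local/etc/torrc.d/50_user.conf << EOF
+Socks5ProxyUsername foo
+Socks5ProxyPassword bar
+SafeLogging 0
+SocksPort 10.0.2.15:9050
+DnsPort 10.0.2.15:9053
+HTTPTunnelPort 10.0.2.15:9128
+TransPort 10.0.2.15:9040
+ControlSocket /run/tor/control
+ControlSocketGroupWriteable 1
+DisableNetwork 0
+EOF
+fi
+
+return 0
+}
+
+## proxy_gateway__shutup_verbosity
+proxy_gateway_shutup_verbosity () {
+for file in /etc/issue* /etc/issue.d/* ; do
+[ -f $file ] || continue
+[ -s $file ] && cp /dev/null $file
+done
+return 0
+}
+
+## proxy_gateway_install_fstab
+proxy_gateway_install_fstab () {
+# /etc/fstab
+
+options=noauto,rw,trans=virtio,version=9p2000.L,cache=none
+for elt in $SHARED_MNTS ; do
+[ -d /mnt/$elt ] || mkdir /mnt/$elt
+grep -q /mnt/$elt /etc/fstab && continue
+echo "$elt /mnt/$elt 9p $options 0 0" \
+>> /etc/fstab
+done
+return 0
+}
+
+## proxy_gateway_install_gagent
+proxy_gateway_install_gagent () {
+[ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] || {
+ERROR /dev/virtio-ports/org.qemu.guest_agent.0 not found
+ERROR "check the host xml for <target type='virtio' name='org.qemu.guest_agent.0'/>"
+ERROR "or blame Pottyring's systemd"
+}
+[ -x /usr/sbin/qemu-ga ] && return 0
+
+# /mnt/shared/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb
+if [ -f /var/cache/apt/archives/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb ] ; then
+# /o/Cache/Apt/Debian/10.6/deb.debian.org/debian-security/pool/updates/main/q/qemu/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb
+dpkg -i /var/cache/apt/archives/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb
+fi
+
+false && \
+[ -f /lib/systemd/system/qemu-guest-agent.service ] && \
+[ ! -h /etc/systemd/system/multi-user.target/qemu-guest-agent.service ] && \
+ln -s /lib/systemd/system/qemu-guest-agent.service \
+/etc/systemd/system/multi-user.target.wants
+return 0
+}
+
+## proxy_gateway_disable_services
+proxy_gateway_disable_services () {
+[ -f /usr/local/etc/local.d/local.bash ] || \
+{ ERROR loading /usr/local/etc/local.d/local.bash ; return 2; }
+local_systemd_stop_and_mask $DISABLE_SERVICES
+
+return 0
+}
+
+## proxy_gateway_test
+proxy_gateway_test () {
+
+proxy_whonix_test gateway
+
+return 0
+}
+
+## proxy_gateway_config
+proxy_gateway_config () {
+grep '^nameserver 127.0.0.1' /etc/resolv.conf || \
+echo 'nameserver 127.0.0.1' >> /etc/resolv.conf
+proxy_gateway_disable_services || return 1$?
+# /usr/local/sbin/proxy_whonix_gateway_tor.bash config || return 2$?
+gateway_tor_verify || return 3$?
+return 0
+}
+
+## proxy_gateway_config
+proxy_gateway_config () {
+local dire=gateway
+local file
+
+proxy_dest_port_wlan_config $dire || return 1$?
+DEST=10.0.2.15
+PORT=9053
+[ -z "$PORT" -o -z "$DEST" ] && return 2
+#? proxy_whonix_polipo_config $dire
+proxy_ping_test_resolv $dire || return 4$?
+proxy_whonix_dnsmasq_config $dire || return 5$?
+
+return 0
+}
+## proxy_gateway_start_bg
+proxy_gateway_start_bg () { proxy_gateway_start $* ; }
+## proxy_gateway_start
+proxy_gateway_start () {
+proxy_gateway_config || return 1$?
+proxy_whonix_guest_start gateway
+
+proxy_ping_dnsmasq_status || \
+proxy_ping_dnsmasq_start || return 2$?
+
+/usr/local/sbin/proxy_whonix_gateway_tor.bash start || return 3$?
+#? . gateway_tor_start
+
+#? polipo
+# dnsmasq
+
+return 0
+}
+
+## proxy_gateway_stop
+proxy_gateway_stop () {
+gateway_tor_stop stop || return 3$?
+
+return 0
+}
+
+## proxy_gateway_status
+proxy_gateway_status () {
+
+if [ -f /etc/ssh/sshd_config ] ; then
+rc_service sshd status
+else
+WARN ssh not installed
+fi
+
+# tor_grep_log || return 2$?
+tor_status
+
+#? /usr/local/bin/proxy_ping_test.bash polipo || return 3$?
+/usr/local/bin/proxy_ping_test.bash gateway || return 3$?
+/usr/local/bin/proxy_ping_test.bash dns || return 4$?
+
+return 0
+}
+
+## proxy_gateway_config
+proxy_gateway_config () {
+systemctl is-enabled rc.local || systemctl enable --now rc.local || return 1
+# [ -f /etc/systemd/system/multi-user.target.wants/rc-local.service ] || \
+# ln -s /lib/systemd/system/rc-local.service \
+# /etc/systemd/system/multi-user.target.wants/rc-local.service
+
+systemctl is-enabled tor || systemctl disable --now tor
+tor_config_tor || return 1$?
+
+return 0
+}
+
+proxy_gateway_verify () {
+for elt in $( echo $USAGE | sed -e 's/|/ /' ) do ; grep ^$elt $0 ; done
+tor_do_verify || return 1
+
+return 0
+}
+
+## proxy_gateway_install
+proxy_gateway_install () {
+proxy_gateway_config || return 0
+
+proxy_gateway_install_gagent
+proxy_gateway_fix_getty_timeout
+proxy_gateway_install_tor
+proxy_gateway_shutup_verbosity
+proxy_gateway_install_fstab
+proxy_gateway_disable_rads
+
+return 0
+}
+
+if [ "$#" -eq 0 ] ; then
+echo USAGE: $prog $USAGE
+elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
+echo USAGE: $prog $USAGE or:
+grep '^## ' $0 | sed -e 's/^## //'
+
+elif [ "$1" = config -o "$1" -o "$1" = install ] ; then
+proxy_gateway_$1 || return 3$?
+
+elif [ "$1" = verify -o "$1" = status -o "$1" = test_from -o "$1" = test ] ; then
+proxy_gateway_$1 || return 4$?
+
+elif [ "$1" = start_bg -o "$1" = start -o "$1" = stop ] ; then
+proxy_gateway_$1 || return 5$?
+
+else
+INFO $prog "$@"
+eval "$@"
+exit $?
+
+fi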
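Review bot: The torrc written by `proxy_gateway_install_tor` sets `SafeLogging 0`, binds SocksPort/DnsPort/HTTPTunnelPort/TransPort on 10.0.2.15 (a non-loopback address) with no SocksPolicy, and hard-codes placeholder `Socks5ProxyUsername foo` / `Socks5ProxyPassword bar`; with SafeLogging off tor no longer scrubs addresses from its log, so the gateway's log becomes a record of what the workstation connected to. I would drop the `SafeLogging 0` line, remove or parameterise the two Socks5Proxy* lines (the `# fixme parameterize?` note suggests they are test values), and add `SocksPolicy accept 10.0.2.0/24` followed by `SocksPolicy reject *` so only the guest network can reach the listeners. Separately, `proxy_gateway_config` is defined three times in this file and bash keeps only the last definition, so the resolv.conf, disable_services and dnsmasq steps in the first two never run; the dispatch test `[ "$1" = config -o "$1" -o "$1" = install ]` is also true for any non-empty argument because the middle `-o "$1"` is a bare non-empty-string test, and the `return 3$?` that follows it is at top level, where `return` is invalid and should be `exit`. `proxy_gateway_verify`'s loop `for elt in $( ... ) do ; grep ...` is missing the `;` before `do`, which looks like a parse error that would stop bash from loading the script at all.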
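--- a/overlay/Linux/usr/local/sbin/proxy_whonix_guest_vda.bash
+++ b/overlay/Linux/usr/local/sbin/proxy_whonix_guest_vda.bash
@@ -0,0 +1,161 @@
+#!/bin/bash
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+ROLE=proxy
+MODE=vda
+CONN=guest
+USAGE="[config|start|stop|status|restart|verify|test]"
+
+[ $( id -u ) -eq 0 ] || { ERROR you must be root ; exit 1 ; }
+prog=$( basename $0 .bash )
+
+export PATH=$PATH:/usr/local/sbin
+. /usr/local/bin/usr_local_tput.bash || exit 2
+PREFIX=/usr/local
+
+NEEDED_SCRIPTS="
+/usr/local/bin/proxy_ping_test.bash
+/usr/local/sbin/proxy_whonix_gateway_tor.bash
+"
+. /usr/local/etc/local.d/local.bash || exit 1
+. /usr/local/sbin/proxy_whonix_lib.bash || \
+{ ERROR loading /usr/local/sbin/proxy_whonix_lib.bash ; exit 2; }
+
+# vda does not need dnsmasq
+# $DEST resolv.conf
+
+## proxy_vda_stop
+proxy_vda_stop () {
+
+return 0
+}
+
+## tor_init_check_iptables
+proxy_vda_init_check_iptables () {
+# tor_init_check_iptables || return 1$?
+return 0
+}
+
+## proxy_vda_config
+proxy_vda_config () {
+proxy_whonix_guest_config || return 1$?
+
+[ -f /etc/firewall.conf.vda ] && \
+cp -p /usr/local/etc/firewall.conf.vda /etc/firewall.conf.vda
+
+proxy_guest_firewall_config || return 2$?
+#/usr/local/sbin/proxy_whonix_guest_workstation-firewall.bash > \
+# /etc/firewall.conf.ws.new
+
+proxy_vda_whonix_config
+
+return 0
+}
+
+## proxy_vda_verify
+proxy_vda_verify () {
+
+for elt in $(echo $USAGE | sed -e 's/|/ /') ; do grep ^$elt $0 ; done
+
+return 0
+}
+
+proxy_vda_grep_logs () {
+
+return 0
+}
+
+## proxy_vda_test
+proxy_vda_test () {
+
+proxy_whonix_test vda || return 3$?
+
+return 0
+}
+
+## proxy_vda_status
+proxy_vda_status () {
+netstat -nle4 | grep -q 127.0.0.1:3128 >/dev/null || \
+{ [ -n "$DEBUG" ] && WARN $0 polipo not running ; return 1 ; }
+[ -n "$DEBUG" ] && DBUG $0 polipo running
+
+/usr/local/bin/proxy_ping_test.bash vda
+/usr/local/bin/proxy_ping_test.bash polipo
+/usr/local/bin/proxy_ping_test.bash dns
+
+return 0
+}
+
+## proxy_vda_whonix_start
+proxy_vda_whonix_start () {
+local dire=vda
+local ret
+
+#? proxy_whonix_guest_start
+
+proxy_whonix_polipo_start $dire || \
+{ ret=$? ;ERROR $prog polipo not running ret=$ret ; return 4$ret ; }
+
+return 0
+}
+
+## proxy_vda_start
+proxy_vda_start () {
+# local_guest_start_services
+local PROXY_WLAN_GW=10.152.152.10
+local IP=10.152.152.11
+
+grep -q gateway /etc//hosts || grep $PROXY_WLAN_GW gateway >> /etc//hosts
+
+if ! ifconfig eth0 | grep -q $IP ; then
+ifconfig eth0 $IP netmask 255.255.192.0 broadcast 10.152.191.255
+#? inet $IP netmask 255.0.0.0 broadcast 10.255.255.255
+fi
+ip route | grep -q ^default || \
+route add default gw $PROXY_WLAN_GW
+
+# dnsmasq
+echo nameserver $PROXY_WLAN_GW > /etc/resolv.conf
+
+[ -f /etc/firewall.conf.vda ] || exit 2
+if [ -f /etc/firewall.conf.vda -a ! -f /etc/firewall.conf ] ; then
+cp -p /etc/firewall.conf.vda /etc/firewall.conf
+proxy_iptables_restore < /etc/firewall.conf
+elif ! diff -q /etc/firewall.conf.vda /etc/firewall.conf ; then
+mv /etc/firewall.conf /etc/firewall.conf.bak
+cp -p /etc/firewall.conf.vda /etc/firewall.conf
+proxy_iptables -F; proxy_iptables_restore < /etc/firewall.conf
+fi
+proxy_iptables_save | grep -i reject || return 3
+
+proxy_vda_whonix_start
+
+return 0
+}
+
+if [ "$#" -eq 0 ] ; then
+echo USAGE: $prog $USAGE
+
+elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
+echo USAGE: $prog $USAGE or:
+grep '^## ' $0 | sed -e 's/^## //'
+
+elif [ "$1" = config -o "$1" = 'install' ] ; then
+proxy_vda_config || exit 3$?
+
+elif [ "$1" = verify -o "$1" = 'test' ] ; then
+proxy_vda_$1 || exit 4$?
+
+elif [ "$1" = update -o "$1" = 'start' -o "$1" = 'status' -o "$1" = 'stop' ] ; then
+proxy_vda_$1 || exit 5$?
+
+elif [ "$1" = hourly -o "$1" = 'refresh' ] ; then
+proxy_vda_refresh || exit 6$?
+
+else
+eval "$@"
+exit $?
+
+fi
+
+exit 0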
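Review bot: `proxy_vda_config` tests the wrong path before seeding the guest firewall: `[ -f /etc/firewall.conf.vda ] && cp -p /usr/local/etc/firewall.conf.vda /etc/firewall.conf.vda` only copies when the destination already exists, so on a fresh guest /etc/firewall.conf.vda is never created and `proxy_vda_start` later bails at `[ -f /etc/firewall.conf.vda ] || exit 2` before any rule is loaded; the test belongs on the source, `[ -f /usr/local/etc/firewall.conf.vda ] && cp -p /usr/local/etc/firewall.conf.vda /etc/firewall.conf.vda`. In the same start path, `proxy_iptables -F; proxy_iptables_restore < /etc/firewall.conf` flushes the live chains before the restore; iptables-restore replaces the tables by itself, and the explicit flush leaves a window in which only the chain policies apply (wide open if those are ACCEPT), so I would drop the `-F`. The hosts line `grep -q gateway /etc//hosts || grep $PROXY_WLAN_GW gateway >> /etc//hosts` runs grep against a file named `gateway` instead of writing the entry and should be `echo "$PROXY_WLAN_GW gateway" >> /etc/hosts`. Finally, the root check `[ $( id -u ) -eq 0 ] || { ERROR you must be root ; exit 1 ; }` runs before `usr_local_tput.bash` is sourced, so `ERROR` is presumably still undefined there and a non-root run prints "command not found" instead of the message, and the `update`, `hourly` and `refresh` branches dispatch to `proxy_vda_update` / `proxy_vda_refresh`, which are not defined in this file.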
624
overlay/Linux/usr/local/sbin/proxy_whonix_guest_workstation-firewall.bash
Executable file
624
overlay/Linux/usr/local/sbin/proxy_whonix_guest_workstation-firewall.bash
Executable file
@ -0,0 +1,624 @@
|
||||
#!/bin/bash
|
||||
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
|
||||
|
||||
prog=$( basename $0 .bash )
|
||||
ROLE=proxy
|
||||
MODE=all
|
||||
iptables_cmd='echo iptables'
|
||||
ip6tables_cmd='echo iptables >/dev/null'
|
||||
|
||||
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
#### meta start
|
||||
#### project Whonix
|
||||
#### category networking and firewall
|
||||
#### description
|
||||
## firewall script
|
||||
#### meta end
|
||||
|
||||
## NOTE: If you make changes to this firewall, think about, if it would
|
||||
## make sense to add the changes to Whonix-Gateway script as well.
|
||||
## Some things like dropping invalid packages, should be shared.
|
||||
|
||||
## TODO:
|
||||
## - Should allow unlimited TCP/UDP/IPv6 traffic on the virtual external interface (OnionCat / OpenVPN).
|
||||
|
||||
## source for some rules:
|
||||
## http://www.cyberciti.biz/faq/ip6tables-ipv6-firewall-for-linux/
|
||||
|
||||
set -e
|
||||
|
||||
error_handler() {
|
||||
echo "$0 ##################################################"
|
||||
echo "$0 ERROR: Whonix firewall script failed!"
|
||||
echo "$0 ##################################################"
|
||||
|
||||
exit 1
|
||||
}
|
||||
|
||||
# trap "error_handler" ERR
|
||||
|
||||
init() {
|
||||
output_cmd "OK: Loading Whonix firewall..."
|
||||
|
||||
set -o pipefail
|
||||
set -o errtrace
|
||||
}
|
||||
|
||||
source_config_folder() {
|
||||
shopt -s nullglob
|
||||
local i
|
||||
for i in \
|
||||
/etc/whonix_firewall.d/*.conf \
|
||||
/usr/local/etc/whonix_firewall.d/*.conf \
|
||||
; do
|
||||
bash_n_exit_code="0"
|
||||
bash_n_output="$(bash -n "$i" 2>&1)" || { bash_n_exit_code="$?" ; true; };
|
||||
if [ ! "$bash_n_exit_code" = "0" ]; then
|
||||
output_cmd "ERROR: Invalid config file: $i
|
||||
bash_n_exit_code: $bash_n_exit_code
|
||||
bash_n_output:
|
||||
$bash_n_output" >&2
|
||||
exit 1
|
||||
fi
|
||||
source "$i"
|
||||
done
|
||||
}
|
||||
|
||||
variables_defaults() {
|
||||
[ -n "$iptables_cmd" ] || iptables_cmd="iptables --wait"
|
||||
[ -n "$ip6tables_cmd" ] || ip6tables_cmd="ip6tables --wait"
|
||||
|
||||
## Legacy.
|
||||
if [ "$VPN_FIREWALL" = "1" ]; then
|
||||
TUNNEL_FIREWALL_ENABLE="true"
|
||||
fi
|
||||
|
||||
## Not in use/defined yet.
|
||||
## INT_IF could be the internal network.
|
||||
## EXT_IF could be an additional virtual network adapter,
|
||||
## such as OnionCat or OpenVPN.
|
||||
|
||||
## External interface
|
||||
[ -n "$EXT_IF" ] || EXT_IF="eth0"
|
||||
## Internal interface
|
||||
[ -n "$INT_IF" ] || INT_IF="eth1"
|
||||
|
||||
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
|
||||
## Would fail if netvm is set to 'none',
|
||||
## which is the case in Qubes R4 TemplateVMs.
|
||||
[ -n "$GATEWAY_IP" ] || GATEWAY_IP="$(qubesdb-read /qubes-gateway 2>/dev/null)" || GATEWAY_IP="127.0.0.1"
|
||||
else
|
||||
[ -n "$GATEWAY_IP" ] || GATEWAY_IP="10.152.152.10"
|
||||
fi
|
||||
|
||||
## Since hardcoded in anon-ws-disable-stacked-tor.
|
||||
[ -n "$GATEWAY_IP_HARDCODED" ] || GATEWAY_IP_HARDCODED="10.152.152.10"
|
||||
|
||||
[ -n "$TUNNEL_USER" ] || TUNNEL_USER="$(id -u tunnel 2>/dev/null)" || true
|
||||
[ -n "$NOTUNNEL_USER" ] || NOTUNNEL_USER="$(id -u notunnel 2>/dev/null)" || true
|
||||
[ -n "$UPDATESPROXYCHECK_USER" ] || UPDATESPROXYCHECK_USER="$(id -u updatesproxycheck 2>/dev/null)" || true
|
||||
|
||||
[ -n "$SDWDATE_USER" ] || SDWDATE_USER="$(id -u sdwdate 2>/dev/null)" || true
|
||||
[ -n "$WHONIXCHECK_USER" ] || WHONIXCHECK_USER="$(id -u whonixcheck 2>/dev/null)" || true
|
||||
|
||||
[ -n "$TUNNEL_FIREWALL_ALLOW_NOTUNNEL_USER" ] || TUNNEL_FIREWALL_ALLOW_NOTUNNEL_USER="true"
|
||||
|
||||
## Control Port Filter Proxy Port
|
||||
[ -n "$CONTROL_PORT_FILTER_PROXY_PORT" ] || CONTROL_PORT_FILTER_PROXY_PORT="9051"
|
||||
|
||||
[ -n "$qubes_updates_proxy_port" ] || qubes_updates_proxy_port="8082"
|
||||
|
||||
## Socks Ports for per application circuits.
|
||||
[ -n "$SOCKS_PORT_TOR_DEFAULT" ] || SOCKS_PORT_TOR_DEFAULT="9050"
|
||||
[ -n "$SOCKS_PORT_TB" ] || SOCKS_PORT_TB="9100"
|
||||
[ -n "$SOCKS_PORT_IRC" ] || SOCKS_PORT_IRC="9101"
|
||||
[ -n "$SOCKS_PORT_TORBIRDY" ] || SOCKS_PORT_TORBIRDY="9102"
|
||||
[ -n "$SOCKS_PORT_IM" ] || SOCKS_PORT_IM="9103"
|
||||
[ -n "$SOCKS_PORT_APT_GET" ] || SOCKS_PORT_APT_GET="9104"
|
||||
[ -n "$SOCKS_PORT_GPG" ] || SOCKS_PORT_GPG="9105"
|
||||
[ -n "$SOCKS_PORT_SSH" ] || SOCKS_PORT_SSH="9106"
|
||||
[ -n "$SOCKS_PORT_GIT" ] || SOCKS_PORT_GIT="9107"
|
||||
[ -n "$SOCKS_PORT_SDWDATE" ] || SOCKS_PORT_SDWDATE="9108"
|
||||
[ -n "$SOCKS_PORT_WGET" ] || SOCKS_PORT_WGET="9109"
|
||||
[ -n "$SOCKS_PORT_WHONIXCHECK" ] || SOCKS_PORT_WHONIXCHECK="9110"
|
||||
[ -n "$SOCKS_PORT_BITCOIN" ] || SOCKS_PORT_BITCOIN="9111"
|
||||
[ -n "$SOCKS_PORT_PRIVOXY" ] || SOCKS_PORT_PRIVOXY="9112"
|
||||
[ -n "$SOCKS_PORT_POLIPO" ] || SOCKS_PORT_POLIPO="9113"
|
||||
[ -n "$SOCKS_PORT_WHONIX_NEWS" ] || SOCKS_PORT_WHONIX_NEWS="9114"
|
||||
[ -n "$SOCKS_PORT_TBB_DOWNLOAD" ] || SOCKS_PORT_TBB_DOWNLOAD="9115"
|
||||
[ -n "$SOCKS_PORT_TBB_GPG" ] || SOCKS_PORT_TBB_GPG="9116"
|
||||
[ -n "$SOCKS_PORT_CURL" ] || SOCKS_PORT_CURL="9117"
|
||||
[ -n "$SOCKS_PORT_RSS" ] || SOCKS_PORT_RSS="9118"
|
||||
[ -n "$SOCKS_PORT_TORCHAT" ] || SOCKS_PORT_TORCHAT="9119"
|
||||
[ -n "$SOCKS_PORT_MIXMASTERUPDATE" ] || SOCKS_PORT_MIXMASTERUPDATE="9120"
|
||||
[ -n "$SOCKS_PORT_MIXMASTER" ] || SOCKS_PORT_MIXMASTER="9121"
|
||||
[ -n "$SOCKS_PORT_KDE" ] || SOCKS_PORT_KDE="9122"
|
||||
[ -n "$SOCKS_PORT_GNOME" ] || SOCKS_PORT_GNOME="9123"
|
||||
[ -n "$SOCKS_PORT_APTITUDE" ] || SOCKS_PORT_APTITUDE="9124"
|
||||
[ -n "$SOCKS_PORT_YUM" ] || SOCKS_PORT_YUM="9125"
|
||||
[ -n "$SOCKS_PORT_TBB_DEFAULT" ] || SOCKS_PORT_TBB_DEFAULT="9150"
|
||||
|
||||
socks_ports_list="$(compgen -v | grep SOCKS\_PORT\_)"
|
||||
|
||||
[ -n "$VPN_INTERFACE" ] || VPN_INTERFACE="tun0"
|
||||
|
||||
## Destinations you do not routed through VPN.
|
||||
if [ "$LOCAL_NET" = "" ]; then
|
||||
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
|
||||
LOCAL_NET="\
|
||||
127.0.0.0-127.0.0.24 \
|
||||
10.137.0.0-10.138.255.255 \
|
||||
"
|
||||
else
|
||||
## 10.0.2.2/24: VirtualBox DHCP
|
||||
LOCAL_NET="\
|
||||
127.0.0.0-127.0.0.24 \
|
||||
192.168.0.0-192.168.0.24 \
|
||||
192.168.1.0-192.168.1.24 \
|
||||
10.152.152.0-10.152.152.24 \
|
||||
10.0.2.2-10.0.2.24 \
|
||||
"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
ipv4_defaults() {
|
||||
## Set secure defaults.
|
||||
$iptables_cmd -P INPUT DROP
|
||||
|
||||
## FORWARD rules does not actually do anything if forwarding is disabled. Better be safe just in case.
|
||||
$iptables_cmd -P FORWARD DROP
|
||||
|
||||
## Will be lifted below.
|
||||
$iptables_cmd -P OUTPUT DROP
|
||||
}
|
||||
|
||||
ipv4_preparation() {
|
||||
## Flush old rules.
|
||||
$iptables_cmd -F
|
||||
$iptables_cmd -X
|
||||
$iptables_cmd -t nat -F
|
||||
$iptables_cmd -t nat -X
|
||||
$iptables_cmd -t mangle -F
|
||||
$iptables_cmd -t mangle -X
|
||||
}
|
||||
|
||||
ipv4_drop_invalid_incoming_packages() {
|
||||
## DROP MARTIANS
|
||||
## https://www.cyberciti.biz/faq/linux-log-suspicious-martian-packets-un-routable-source-addresses/
|
||||
$iptables_cmd -A INPUT -i wlan6 -s 10.0.0.0/8 -j LOG --log-prefix "iptables_martian_DROP SPOOF A: "
|
||||
$iptables_cmd -A INPUT -i wlan6 -s 172.16.0.0/12 -j LOG --log-prefix "iptables_martian_DROP SPOOF B: "
|
||||
$iptables_cmd -A INPUT -i wlan6 -s 192.168.0.0/16 -j LOG --log-prefix "iptables_martian_DROP SPOOF C: "
|
||||
$iptables_cmd -A INPUT -i wlan6 -s 224.0.0.0/4 -j LOG --log-prefix "iptables_martian_DROP MULTICAST D: "
|
||||
$iptables_cmd -A INPUT -i wlan6 -s 240.0.0.0/5 -j LOG --log-prefix "iptables_martian_DROP SPOOF E: "
|
||||
$iptables_cmd -A INPUT -i wlan6 -d 127.0.0.0/8 -j LOG --log-prefix "iptables_martian_DROP LOOPBACK: "
|
||||
|
||||
$iptables_cmd -A INPUT -i wlan6 -s 10.0.0.0/8 -j DROP
|
||||
$iptables_cmd -A INPUT -i wlan6 -s 172.16.0.0/12 -j DROP
|
||||
$iptables_cmd -A INPUT -i wlan6 -s 192.168.0.0/16 -j DROP
|
||||
$iptables_cmd -A INPUT -i wlan6 -s 224.0.0.0/4 -j DROP
|
||||
$iptables_cmd -A INPUT -i wlan6 -s 240.0.0.0/5 -j DROP
|
||||
$iptables_cmd -A INPUT -i wlan6 -d 127.0.0.0/8 -j DROP
|
||||
|
||||
## DROP INVALID
|
||||
$iptables_cmd -A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
$iptables_cmd -A INPUT -m state --state INVALID -j DROP
|
||||
|
||||
## DROP INVALID SYN PACKETS
|
||||
$iptables_cmd -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
||||
$iptables_cmd -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||||
$iptables_cmd -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||
|
||||
## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
|
||||
$iptables_cmd -A INPUT -f -j DROP
|
||||
|
||||
## DROP INCOMING MALFORMED XMAS PACKETS
|
||||
$iptables_cmd -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
|
||||
|
||||
## DROP INCOMING MALFORMED NULL PACKETS
|
||||
$iptables_cmd -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
|
||||
}
|
||||
|
||||
qubes() {
|
||||
## Not yet required. Just so Whonix-Workstation firewall can be more similar
|
||||
## to Whonix-Gateway firewall.
|
||||
true
|
||||
}
|
||||
|
||||
qubes_dns() {
|
||||
local counter
|
||||
counter=0
|
||||
|
||||
## Using '2>/dev/null' because 'qubesdb-read' DNS would fail in Qubes R4
|
||||
## TemplateVMs, because these are non-networked by default.
|
||||
|
||||
if qubes_primary_dns="$(qubesdb-read /qubes-primary-dns 2>/dev/null)" ; then
|
||||
$iptables_cmd -A OUTPUT -p udp --dport 53 --dst "$qubes_primary_dns" -j ACCEPT
|
||||
counter=$(( counter + 1 ))
|
||||
fi
|
||||
|
||||
if qubes_secondary_dns="$(qubesdb-read /qubes-secondary-dns 2>/dev/null)" ; then
|
||||
$iptables_cmd -A OUTPUT -p udp --dport 53 --dst "$qubes_secondary_dns" -j ACCEPT
|
||||
counter=$(( counter + 1 ))
|
||||
fi
|
||||
|
||||
if [ "$counter" -ge "2" ]; then
|
||||
output_cmd "OK: Qubes DNS firewall rules ok."
|
||||
else
|
||||
$iptables_cmd -A OUTPUT -p udp --dport 53 -j ACCEPT
|
||||
fi
|
||||
}
|
||||
|
||||
ipv4_input_rules() {
|
||||
## Traffic on the loopback interface is accepted.
|
||||
$iptables_cmd -A INPUT -i lo -j ACCEPT
|
||||
|
||||
## Established incoming connections are accepted.
|
||||
$iptables_cmd -A INPUT -m state --state ESTABLISHED -j ACCEPT
|
||||
|
||||
## Allow all incoming connections on the virtual VPN network interface,
|
||||
## when TUNNEL_FIREWALL_ENABLE mode is enabled.
|
||||
## DISABLED BY DEFAULT.
|
||||
if [ "$TUNNEL_FIREWALL_ENABLE" = "true" ]; then
|
||||
$iptables_cmd -A INPUT -i "$VPN_INTERFACE" -j ACCEPT
|
||||
fi
|
||||
|
||||
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
|
||||
true "firewall_mode is $firewall_mode, therefore not opening EXTERNAL_OPEN_PORTS."
|
||||
else
|
||||
local local_port_to_open
|
||||
for local_port_to_open in $EXTERNAL_OPEN_PORTS; do
|
||||
$iptables_cmd -A INPUT -p tcp --dport "$local_port_to_open" -j ACCEPT
|
||||
done
|
||||
|
||||
local local_udp_port_to_open
|
||||
for local_udp_port_to_open in $EXTERNAL_UDP_OPEN_PORTS; do
|
||||
$iptables_cmd -A INPUT -p udp --dport "$local_udp_port_to_open" -j ACCEPT
|
||||
done
|
||||
|
||||
if [ "$EXTERNAL_OPEN_ALL" = "true" ]; then
|
||||
$iptables_cmd -A INPUT -j ACCEPT
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
ipv4_input_defaults() {
|
||||
## Log.
|
||||
#$iptables_cmd -A INPUT -j LOG --log-prefix "Whonix blocked input4: "
|
||||
|
||||
## Required for Control Port Filter Proxy Connection.
|
||||
## https://phabricator.whonix.org/T112
|
||||
$iptables_cmd -A INPUT -p tcp -j REJECT --reject-with tcp-reset
|
||||
|
||||
## Reject anything not explicitly allowed above.
|
||||
$iptables_cmd -A INPUT -j REJECT --reject-with icmp-port-unreachable
|
||||
}
|
||||
|
||||
ipv4_forward() {
|
||||
## Log.
|
||||
#$iptables_cmd -A FORWARD -j LOG --log-prefix "Whonix blocked forward4: "
|
||||
|
||||
$iptables_cmd -A FORWARD -j DROP
|
||||
}
|
||||
|
||||
ipv4_reject_invalid_outgoing_packages() {
|
||||
## Drop invalid outgoing packages,
|
||||
## unless NO_REJECT_INVALID_OUTGOING_PACKAGES is set to 1.
|
||||
if [ ! "$NO_REJECT_INVALID_OUTGOING_PACKAGES" = "1" ]; then
|
||||
## https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html
|
||||
$iptables_cmd -A OUTPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
|
||||
$iptables_cmd -A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
|
||||
#$iptables_cmd -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j REJECT --reject-with icmp-admin-prohibited
|
||||
#$iptables_cmd -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j REJECT --reject-with icmp-admin-prohibited
|
||||
|
||||
## DROP INVALID SYN PACKETS
|
||||
$iptables_cmd -A OUTPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j REJECT --reject-with icmp-admin-prohibited
|
||||
$iptables_cmd -A OUTPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT --reject-with icmp-admin-prohibited
|
||||
$iptables_cmd -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-admin-prohibited
|
||||
|
||||
## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
|
||||
$iptables_cmd -A OUTPUT -f -j REJECT --reject-with icmp-admin-prohibited
|
||||
|
||||
## DROP INCOMING MALFORMED XMAS PACKETS
|
||||
$iptables_cmd -A OUTPUT -p tcp --tcp-flags ALL ALL -j REJECT --reject-with icmp-admin-prohibited
|
||||
|
||||
## DROP INCOMING MALFORMED NULL PACKETS
|
||||
$iptables_cmd -A OUTPUT -p tcp --tcp-flags ALL NONE -j REJECT --reject-with icmp-admin-prohibited
|
||||
fi
|
||||
}
|
||||
|
||||
qubes_updates_proxy() {
|
||||
## Detect Qubes.
|
||||
if ! command -v "qubesdb-read" >/dev/null 2>&1 ; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
## Detect being run inside TemplateVM.
|
||||
if [ ! -f "/run/qubes/this-is-templatevm" ]; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
## Detect if torified Qubes updates proxy was detected.
|
||||
if test -f "/run/qubes-service/whonix-secure-proxy" ; then
|
||||
output_cmd "OK: Torified Qubes Updates Proxy check ok. Full access to Qubes Updates Proxy."
|
||||
return 0
|
||||
fi
|
||||
|
||||
output_cmd "OK: Torified Qubes Updates Proxy check not done yet. Limiting access to Qubes Updates Proxy to user 'updatesproxycheck'."
|
||||
|
||||
$iptables_cmd -A OUTPUT -m owner --uid-owner "$UPDATESPROXYCHECK_USER" -m iprange --dst-range "127.0.0.1" -p tcp --dport "$qubes_updates_proxy_port" -j ACCEPT
|
||||
$iptables_cmd -A OUTPUT -m owner --uid-owner "$UPDATESPROXYCHECK_USER" -m iprange --dst-range "10.137.255.254" -p tcp --dport "$qubes_updates_proxy_port" -j ACCEPT
|
||||
|
||||
$iptables_cmd -A OUTPUT -m iprange --dst-range "127.0.0.1" -p tcp --dport "$qubes_updates_proxy_port" -j REJECT --reject-with icmp-admin-prohibited
|
||||
$iptables_cmd -A OUTPUT -m iprange --dst-range "10.137.255.254" -p tcp --dport "$qubes_updates_proxy_port" -j REJECT --reject-with icmp-admin-prohibited
|
||||
}
|
||||
|
||||
ipv4_output() {
|
||||
## Prevent connections to Tor SocksPorts.
|
||||
## https://phabricator.whonix.org/T533#11025
|
||||
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
|
||||
local socks_port_item
|
||||
for socks_port_item in $socks_ports_list; do
|
||||
true "$socks_port_item: ${!socks_port_item}"
|
||||
if [ "$SOCKS_PORT_SDWDATE" = "${!socks_port_item}" ]; then
|
||||
continue
|
||||
fi
|
||||
$iptables_cmd -A OUTPUT -p tcp --dport "${!socks_port_item}" --dst "127.0.0.1" -j REJECT
|
||||
done
|
||||
fi
|
||||
|
||||
qubes_updates_proxy
|
||||
|
||||
## Access to localhost is required even in timesync-fail-closed mode,
|
||||
## otherwise breaks applications such as konsole and kwrite.
|
||||
$iptables_cmd -A OUTPUT -o lo -j ACCEPT
|
||||
|
||||
## Allow outgoing traffic on VPN interface,
|
||||
## if TUNNEL_FIREWALL_ENABLE mode is enabled.
|
||||
## DISABLED BY DEFAULT.
|
||||
if [ "$TUNNEL_FIREWALL_ENABLE" = "true" ]; then
|
||||
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
|
||||
true "firewall_mode is $firewall_mode, therefore prohibiting user $TUNNEL_USER traffic."
|
||||
else
|
||||
true "firewall_mode is $firewall_mode, therefore allowing user $TUNNEL_USER traffic."
|
||||
## Connections to VPN servers are allowed,
|
||||
$iptables_cmd -A OUTPUT -o "$VPN_INTERFACE" -j ACCEPT
|
||||
$iptables_cmd -A OUTPUT -m owner --uid-owner "$TUNNEL_USER" -j ACCEPT
|
||||
fi
|
||||
|
||||
if [ "$TUNNEL_FIREWALL_ALLOW_SDWDATE_USER" = "true" ]; then
|
||||
$iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT
|
||||
$iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "$GATEWAY_IP" -j ACCEPT
|
||||
$iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "$GATEWAY_IP_HARDCODED" -j ACCEPT
|
||||
fi
|
||||
|
||||
if [ "$TUNNEL_FIREWALL_ALLOW_NOTUNNEL_USER" = "true" ]; then
|
||||
$iptables_cmd -A OUTPUT -m owner --uid-owner "$NOTUNNEL_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT
|
||||
$iptables_cmd -A OUTPUT -m owner --uid-owner "$NOTUNNEL_USER" -m iprange --dst-range "$GATEWAY_IP" -j ACCEPT
|
||||
$iptables_cmd -A OUTPUT -m owner --uid-owner "$NOTUNNEL_USER" -m iprange --dst-range "$GATEWAY_IP_HARDCODED" -j ACCEPT
|
||||
fi
|
||||
|
||||
## Accept outgoing connections to local network.
|
||||
if [ "$TUNNEL_FIREWALL_ALLOW_LOCAL_NET" = "true" ]; then
|
||||
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
|
||||
true
|
||||
else
|
||||
local local_net_item
|
||||
for local_net_item in $LOCAL_NET; do
|
||||
$iptables_cmd -A OUTPUT -m iprange --dst-range "$local_net_item" -j ACCEPT
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$TUNNEL_FIREWALL_ALLOW_CONTROL_PORT_FILTER_PROXY" = "true" ]; then
|
||||
$iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "127.0.0.1" -j ACCEPT
|
||||
$iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "$GATEWAY_IP" -j ACCEPT
|
||||
$iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "$GATEWAY_IP_HARDCODED" -j ACCEPT
|
||||
fi
|
||||
|
||||
if [ "$TUNNEL_FIREWALL_ALLOW_TB_UPDATER" = "true" ]; then
|
||||
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
|
||||
true
|
||||
else
|
||||
local socks_port_tbb
|
||||
for socks_port_tbb in $SOCKS_PORT_TBB_DOWNLOAD $SOCKS_PORT_TBB_GPG ; do
|
||||
$iptables_cmd -A OUTPUT -p tcp --dport "$socks_port_tbb" --dst "$GATEWAY_IP" -j ACCEPT
|
||||
$iptables_cmd -A OUTPUT -p tcp --dport "$socks_port_tbb" --dst "$GATEWAY_IP_HARDCODED" -j ACCEPT
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$TUNNEL_FIREWALL_ALLOW_WHONIXCHECK" = "true" ]; then
|
||||
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
|
||||
true
|
||||
else
|
||||
$iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT
|
||||
$iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "$GATEWAY_IP" -j ACCEPT
|
||||
$iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "$GATEWAY_IP_HARDCODED" -j ACCEPT
|
||||
fi
|
||||
fi
|
||||
else
|
||||
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
|
||||
true "firewall_mode is $firewall_mode, therefore prohibiting DNS traffic."
|
||||
else
|
||||
true "firewall_mode is $firewall_mode, therefore allowing DNS traffic."
|
||||
## Allow Whonix-Workstation to query Whonix-Gateway for DNS.
|
||||
$iptables_cmd -A OUTPUT -p udp --dport 53 --dst "$GATEWAY_IP" -j ACCEPT
|
||||
$iptables_cmd -A OUTPUT -p udp --dport 53 --dst "$GATEWAY_IP_HARDCODED" -j ACCEPT
|
||||
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
|
||||
qubes_dns
|
||||
fi
|
||||
fi
|
||||
|
||||
## Not sure about the next one. UDP is not supported by Tor, why not
|
||||
## block any outgoing UDP. Might have unwanted side effects when tunneling
|
||||
## UDP over Tor.
|
||||
## https://www.whonix.org/wiki/Tunnel_UDP_over_Tor
|
||||
##
|
||||
## All other non-TCP protocol traffic gets rejected.
|
||||
## iptables knows 7 different protocols and all.
|
||||
## (tcp, udp, udplite, icmp, esp, ah, sctp or all)
|
||||
##
|
||||
## (1) ping torproject.org
|
||||
## 4 packets transmitted, 0 received, 100% packet loss, time 3000ms
|
||||
##
|
||||
## (2) ping torproject.org
|
||||
## From 10.152.152.11 icmp_seq=1 Destination Port Unreachable
|
||||
## 0 packets transmitted, 0 received, +100 errors
|
||||
##
|
||||
## The next rule ensures, that only tcp can leave and achieves the desired result from (2).
|
||||
$iptables_cmd -A OUTPUT ! -p tcp -j REJECT --reject-with icmp-port-unreachable
|
||||
|
||||
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
|
||||
true "firewall_mode is $firewall_mode, therefore prohibiting all outgoing traffic."
|
||||
|
||||
## Allow sdwdate talking to localhost and Tor in Whonix firewall timesync-fail-closed mode.
|
||||
## Otherwise in Whonix firewall full mode this rule is redundant.
|
||||
$iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT
|
||||
$iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "$GATEWAY_IP" -j ACCEPT
|
||||
$iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "$GATEWAY_IP_HARDCODED" -j ACCEPT
|
||||
|
||||
$iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT
|
||||
$iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "$GATEWAY_IP" -j ACCEPT
|
||||
$iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "$GATEWAY_IP_HARDCODED" -j ACCEPT
|
||||
|
||||
$iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "127.0.0.1" -j ACCEPT
|
||||
$iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "$GATEWAY_IP" -j ACCEPT
|
||||
$iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "$GATEWAY_IP_HARDCODED" -j ACCEPT
|
||||
else
|
||||
true "firewall_mode is $firewall_mode, therefore allowing all outgoing traffic."
|
||||
## Allow full outgoing connection but no incoming stuff.
|
||||
$iptables_cmd -A OUTPUT -j ACCEPT
|
||||
fi
|
||||
|
||||
## Log.
|
||||
#$iptables_cmd -A OUTPUT -j LOG --log-prefix "Whonix blocked output4: "
|
||||
|
||||
## Reject all other outgoing traffic.
|
||||
$iptables_cmd -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
|
||||
fi
|
||||
}
|
||||
|
||||
ipv6() {
|
||||
## Policy DROP for all traffic as fallback.
|
||||
$ip6tables_cmd -P INPUT DROP
|
||||
$ip6tables_cmd -P OUTPUT DROP
|
||||
$ip6tables_cmd -P FORWARD DROP
|
||||
|
||||
## Flush old rules.
|
||||
$ip6tables_cmd -F
|
||||
$ip6tables_cmd -X
|
||||
$ip6tables_cmd -t mangle -F
|
||||
$ip6tables_cmd -t mangle -X
|
||||
|
||||
## Allow unlimited access on loopback.
|
||||
$ip6tables_cmd -A INPUT -i lo -j ACCEPT
|
||||
$ip6tables_cmd -A OUTPUT -o lo -j ACCEPT
|
||||
|
||||
## Log.
|
||||
#$ip6tables_cmd -A INPUT -j LOG --log-prefix "Whonix blocked input6: "
|
||||
#$ip6tables_cmd -A OUTPUT -j LOG --log-prefix "Whonix blocked output6: "
|
||||
#$ip6tables_cmd -A FORWARD -j LOG --log-prefix "Whonix blocked forward6: "
|
||||
|
||||
## Drop/reject all other traffic.
|
||||
$ip6tables_cmd -A INPUT -j DROP
|
||||
## --reject-with icmp-admin-prohibited not supported by ip6tables
|
||||
$ip6tables_cmd -A OUTPUT -j REJECT --reject-with icmp6-port-unreachable
|
||||
## --reject-with icmp-admin-prohibited not supported by ip6tables
|
||||
$ip6tables_cmd -A FORWARD -j DROP
|
||||
}
|
||||
|
||||
status_files() {
|
||||
mkdir --parents /run/whonix_firewall
|
||||
if [ -e /run/whonix_firewall/first_run_current_boot.status ]; then
|
||||
touch /run/whonix_firewall/consecutive_run.status
|
||||
return 0
|
||||
fi
|
||||
touch /run/whonix_firewall/first_run_current_boot.status
|
||||
}
|
||||
|
||||
date_cmd(){
|
||||
date -u +"%Y-%m-%d %T"
|
||||
}
|
||||
|
||||
output_cmd() {
|
||||
echo "$(date_cmd) - $0 - $@"
|
||||
}
|
||||
|
||||
firewall_mode_detection() {
|
||||
if [ ! "$firewall_mode" = "" ]; then
|
||||
output_cmd "OK: Skipping firewall mode detection since already set to '$firewall_mode'."
|
||||
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
|
||||
output_cmd "OK: (Only local Tor control port connections and torified sdwdate allowed.)"
|
||||
return 0
|
||||
elif [ "$firewall_mode" = "full" ]; then
|
||||
output_cmd "OK: (Full torified network access allowed.)"
|
||||
return 0
|
||||
else
|
||||
output_cmd "ERROR: firewall_mode must be set to either 'full' or 'timesync-fail-closed'."
|
||||
error_handler
|
||||
fi
|
||||
fi
|
||||
|
||||
## Run Whonix firewall in full mode if sdwdate already succeeded.
|
||||
if [ -e /run/sdwdate/first_success ]; then
|
||||
firewall_mode=full
|
||||
output_cmd "OK: (/run/sdwdate/first_success exists.)"
|
||||
elif [ -e /run/sdwdate/success ]; then
|
||||
firewall_mode=full
|
||||
output_cmd "OK: (/run/sdwdate/success exists.)"
|
||||
## /run/whonix_firewall/first_run_current_boot.status already exists,
|
||||
## therefore have Whonix firewall run in full mode.
|
||||
elif [ -e /run/whonix_firewall/first_run_current_boot.status ]; then
|
||||
firewall_mode=full
|
||||
output_cmd "OK: (/run/whonix_firewall/first_run_current_boot.status exists.)"
|
||||
else
|
||||
## /run/whonix_firewall/first_run_current_boot.status does not yet exist,
|
||||
## therefore return 'yes, timesync-fail-closed'.
|
||||
firewall_mode=timesync-fail-closed
|
||||
fi
|
||||
|
||||
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
|
||||
output_cmd "OK: First run during current boot, therefore running in timesync-fail-closed mode."
|
||||
output_cmd "OK: (Only local Tor control port connections and torified sdwdate allowed.)"
|
||||
else
|
||||
output_cmd "OK: Consecutive run during current boot, therefore running in full mode."
|
||||
output_cmd "OK: (Full torified network access allowed.)"
|
||||
fi
|
||||
}
|
||||
|
||||
end() {
|
||||
output_cmd "OK: Whonix firewall loaded."
|
||||
|
||||
exit 0
|
||||
}
|
||||
|
||||
main() {
|
||||
init
|
||||
firewall_mode_detection
|
||||
variables_defaults
|
||||
ipv4_defaults
|
||||
ipv4_preparation
|
||||
ipv4_drop_invalid_incoming_packages
|
||||
qubes
|
||||
ipv4_input_rules
|
||||
ipv4_input_defaults
|
||||
ipv4_forward
|
||||
ipv4_reject_invalid_outgoing_packages
|
||||
ipv4_output
|
||||
if [ -d /proc/sys/net/ipv6/ ]; then
|
||||
ipv6
|
||||
fi
|
||||
status_files
|
||||
end
|
||||
}
|
||||
|
||||
if [ -x /usr/bin/basename ] && [ $( basename -- $0 ) = 'proxy_whonix_guest_workstation-firewall.bash' ] ; then
|
||||
source_config_folder
|
||||
iptables_cmd="echo iptables"
|
||||
ip6tables_cmd="echo # ip6tables"
|
||||
main
|
||||
|
||||
fi
|
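--- /dev/null
+++ b/overlay/Linux/usr/local/sbin/proxy_whonix_guest_workstation.bash
@@ -0,0 +1,195 @@
+#!/bin/bash
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+ROLE=proxy
+[ -n "$prog" ] || prog= # no qa
+prog=$( basename $0 .bash )
+. /usr/local/bin/usr_local_tput.bash
+
+USAGE="[config|start|stop|status|restart|test]"
+
+SHARED_MNTS="o"
+
+[ "$#" -eq 0 ] && set -- install
+
+## proxy_workstation_fix_getty_timeout
+proxy_workstation_fix_getty_timeout () {
+# fix_getty_timeout - wheres inittab
+grep -l '^Exec.*agetty -o' /lib/systemd/system/*service | while read file ; do
+[ -f $file.dst ] && continue
+cp -p $file $file.dst
+sed -e 's/agetty -o/agetty -t 120 -o/' -i $file
+done
+return 0
+}
+
+
+## proxy_workstation__shutup_verbosity
+proxy_workstation_shutup_verbosity () {
+for file in /etc/issue* /etc/issue.d/* ; do
+[ -f $file ] || continue
+[ -s $file ] && cp /dev/null $file
+done
+return 0
+}
+
+## proxy_workstation_install_fstab
+proxy_workstation_install_fstab () {
+# /etc/fstab
+options=noauto,rw,trans=virtio,version=9p2000.L,cache=none
+for elt in $SHARED_MNTS ; do
+[ -d /mnt/$elt ] || mkdir /mnt/$elt
+grep -q /mnt/$elt /etc/fstab && continue
+echo "$elt /mnt/$elt 9p $options 0 0" \
+>> /etc/fstab
+done
+# root
+return 0
+}
+
+## proxy_workstation_install_gagent
+proxy_workstation_install_gagent () {
+[ -d /etc/apt ] && proxy_workstation_install_gagent_debian || return 1$?
+[ -d /etc/gentoo ] && proxy_workstation_install_gagent_gentoo || return 2$?
+return 0
+}
+
+## proxy_workstation_install_gagent
+proxy_workstation_install_gagent_gentoo () {
+[ -x /usr/bin/qemu-ga -a -x /etc/init.d/qemu-guest-agent ] || \
+emerge -vb app-emulation/qemu-guest-agent || return 1$?
+return 0
+}
+
+## proxy_workstation_install_gagent
+proxy_workstation_install_gagent_debian () {
+[ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] || {
+echo ERROR: /dev/virtio-ports/org.qemu.guest_agent.0 not found
+ERROR "check the host xml for <target type='virtio' name='org.qemu.guest_agent.0'/>"
+ERROR "or blame Pottyring's systemd"
+}
+[ -x /usr/sbin/qemu-ga ] && return 0
+
+# /mnt/shared/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb
+if [ -f /var/cache/apt/archives/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb ] ; then
+dpkg -i /var/cache/apt/archives/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb
+fi
+
+# start guest-service - its failing on the device prerequisite
+systemctl is-enabled qemu-guest-agent || systemctl enable --now qemu-guest-agent
+false && \
+[ -f /lib/systemd/system/qemu-guest-agent.service ] && \
+[ ! -h /etc/systemd/system/multi-user.target/qemu-guest-agent.service ] && \
+ln -s /lib/systemd/system/qemu-guest-agent.service \
+/etc/systemd/system/multi-user.target.wants
+return 0
+}
+
+## proxy_workstation_test
+proxy_workstation_test () {
+service qemu-guest-agent status >/dev/null || return 1$?
+proxy_whonix_test ws || return 2$?
+return 0
+}
+
+## proxy_workstation_config
+proxy_workstation_config () {
+proxy_whonix_guest_config || return 1$?
+proxy_guest_firewall_config || return 2$?
+
+proxy_ws_whonix_config ws || return 3$?
+
+variables_defaults
+[ -n "$GATEWAY_IP_HARDCODED" ] || GATEWAY_IP_HARDCODED="10.152.152.10"
+
+## Control Port Filter Proxy Port
+[ -n "$CONTROL_PORT_FILTER_PROXY_PORT" ] || CONTROL_PORT_FILTER_PROXY_PORT="9051"
+[ -n "$SOCKS_PORT_TOR_DEFAULT" ] || SOCKS_PORT_TOR_DEFAULT="9050"
+
+## Socks Ports for per application circuits.
+[ -n "$SOCKS_PORT_TB" ] || SOCKS_PORT_TB="9100"
+[ -n "$SOCKS_PORT_IRC" ] || SOCKS_PORT_IRC="9101"
+[ -n "$SOCKS_PORT_TORBIRDY" ] || SOCKS_PORT_TORBIRDY="9102"
+[ -n "$SOCKS_PORT_IM" ] || SOCKS_PORT_IM="9103"
+[ -n "$SOCKS_PORT_APT_GET" ] || SOCKS_PORT_APT_GET="9104"
+[ -n "$SOCKS_PORT_GPG" ] || SOCKS_PORT_GPG="9105"
+[ -n "$SOCKS_PORT_SSH" ] || SOCKS_PORT_SSH="9106"
+[ -n "$SOCKS_PORT_GIT" ] || SOCKS_PORT_GIT="9107"
+[ -n "$SOCKS_PORT_SDWDATE" ] || SOCKS_PORT_SDWDATE="9108"
+[ -n "$SOCKS_PORT_WGET" ] || SOCKS_PORT_WGET="9109"
+[ -n "$SOCKS_PORT_WHONIXCHECK" ] || SOCKS_PORT_WHONIXCHECK="9110"
+[ -n "$SOCKS_PORT_BITCOIN" ] || SOCKS_PORT_BITCOIN="9111"
+[ -n "$SOCKS_PORT_PRIVOXY" ] || SOCKS_PORT_PRIVOXY="9112"
+[ -n "$SOCKS_PORT_POLIPO" ] || SOCKS_PORT_POLIPO="9113"
+[ -n "$SOCKS_PORT_WHONIX_NEWS" ] || SOCKS_PORT_WHONIX_NEWS="9114"
+[ -n "$SOCKS_PORT_TBB_DOWNLOAD" ] || SOCKS_PORT_TBB_DOWNLOAD="9115"
+[ -n "$SOCKS_PORT_TBB_GPG" ] || SOCKS_PORT_TBB_GPG="9116"
+[ -n "$SOCKS_PORT_CURL" ] || SOCKS_PORT_CURL="9117"
+[ -n "$SOCKS_PORT_RSS" ] || SOCKS_PORT_RSS="9118"
+[ -n "$SOCKS_PORT_TORCHAT" ] || SOCKS_PORT_TORCHAT="9119"
+[ -n "$SOCKS_PORT_MIXMASTERUPDATE" ] || SOCKS_PORT_MIXMASTERUPDATE="9120"
+[ -n "$SOCKS_PORT_MIXMASTER" ] || SOCKS_PORT_MIXMASTER="9121"
+[ -n "$SOCKS_PORT_KDE" ] || SOCKS_PORT_KDE="9122"
+[ -n "$SOCKS_PORT_GNOME" ] || SOCKS_PORT_GNOME="9123"
+[ -n "$SOCKS_PORT_APTITUDE" ] || SOCKS_PORT_APTITUDE="9124"
+[ -n "$SOCKS_PORT_YUM" ] || SOCKS_PORT_YUM="9125"
+[ -n "$SOCKS_PORT_TBB_DEFAULT" ] || SOCKS_PORT_TBB_DEFAULT="9150"
+
+return 0
+}
+
+## proxy_workstation_start_bg
+proxy_workstation_start_bg () { proxy_workstation_start $* ; }
+## proxy_workstation_start
+proxy_workstation_start () {
+local dire=ws
+
+proxy_workstation_config || return 1$?
+proxy_whonix_guest_start
+
+proxy_whonix_polipo_start $dire || \
+{ ret=$? ;echo ERROR: $prog polipo not started ret=$ret; return 4$ret ; }
+
+return 0
+}
+
+## proxy_workstation_stop
+proxy_workstation_stop () {
+
+service qemu-guest-agent status >/dev/null \
+&& service qemu-guest-agent stop || return 2$?
+
+return 0
+}
+
+## proxy_workstation_install
+proxy_workstation_install () {
+
+proxy_workstation_install_gagent
+proxy_workstation_fix_getty_timeout
+proxy_workstation_shutup_verbosity
+proxy_workstation_install_fstab
+
+return 0
+}
+
+if [ "$#" -eq 0 ] ; then
+echo USAGE: $prog $USAGE
+elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
+echo USAGE: $prog $USAGE or:
+grep '^## ' $0 | sed -e 's/^## //'
+
+elif [ "$1" = config -o "$1" = install ] ; then
+proxy_workstation_install || return 3$?
+
+elif [ "$1" = verify -o "$1" = test ] ; then
+proxy_workstation_test || return 4$?
+
+elif [ "$1" = start_bg -o "$1" = start -o "$1" = stop ] ; then
+proxy_workstation_$1 || return 5$?
+
+else
+eval "$@"
+exit $?
+
+fi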
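Review bot: The `|| return 3$?`, `|| return 4$?` and `|| return 5$?` arms of the top-level dispatch at the end of the file are outside any function, so when the script is executed rather than sourced bash only prints that it can return from a function, the failure status is discarded and the script falls through to exit 0 even though install, test or start failed; `exit 3$?`, `exit 4$?` and `exit 5$?` are what is meant here, and a final `exit 0` after the `fi` would make the success path explicit. In `proxy_workstation_install_gagent`, `[ -d /etc/apt ] && proxy_workstation_install_gagent_debian || return 1$?` returns as soon as `/etc/apt` is absent, so the Gentoo line below it is only reached on a system that has both `/etc/apt` and `/etc/gentoo`; an `if [ -d /etc/apt ]` / `elif [ -d /etc/gentoo ]` chain with the `|| return` inside each branch gives the intended per-distribution dispatch. The `else` arm's `eval "$@"` runs whatever positional arguments the script receives as a shell command line, which is more than a subcommand dispatcher needs; checking `[ "$(type -t "proxy_workstation_$1")" = function ]` and calling that function, or printing the usage for anything else, keeps unknown input from being executed. Note also that `[ "$#" -eq 0 ] && set -- install` near the top makes the `if [ "$#" -eq 0 ]` usage branch unreachable.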
769
overlay/Linux/usr/local/sbin/proxy_whonix_host-firewall.bash
Executable file
@ -0,0 +1,769 @@
|
||||
#!/bin/bash
|
||||
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
|
||||
|
||||
prog=$( basename $0 .bash )
|
||||
PREFIX=/usr/local
|
||||
ROLE=proxy
|
||||
. /usr/local/bin/usr_local_base.bash || exit 2
|
||||
|
||||
VER=10
|
||||
|
||||
set -o pipefail || { ERROR use bash ; exit 1 ; } #! illegal option
|
||||
|
||||
. /usr/local/bin/proxy_ping_lib.bash || exit 2
|
||||
|
||||
# unlike the original script, this just generates the rules
|
||||
# and writes the to an output file
|
||||
OUT=/tmp/I4$$.iptables
|
||||
cp /dev/null $OUT4
|
||||
ip4_tables () {
|
||||
# now unused
|
||||
echo "$@" >> $OUT4
|
||||
return 0
|
||||
}
|
||||
ip6_tables () {
|
||||
[ -d /proc/sys/net/ipv6/ ] || return 0
|
||||
echo "$@" >> $OUT6
|
||||
return 0
|
||||
}
|
||||
|
||||
. /usr/local/bin/proxy_ping_lib.bash || exit 2
|
||||
|
||||
# sysctl net.ipv4.conf.all.accept_redirects != 1 in /etc/sysctl.d/70_testforge_harden_lynis.conf
|
||||
|
||||
[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
|
||||
# || { echo >&2 ERROR: $prog "$PREFIX/etc/testforge/testforge.bash" ; exit 3 ; }
|
||||
|
||||
if [ "$#" -eq 1 -a "$1" = test ] ; then
|
||||
bash /usr/local/bin/proxy_ping_test.bash 2>&1| grep ' 0% packet loss' \
|
||||
|| { echo ERROR: ping ; exit 4 ; }
|
||||
exit 0
|
||||
fi
|
||||
|
||||
#set -- -x
|
||||
# leave empty for debugging
|
||||
[ "$DEBUG" = "1" ] && HUSH="" || HUSH="#D#"
|
||||
WHONIX_HOST=1
|
||||
# leave it in anyway
|
||||
LOCAL_TOR=1
|
||||
|
||||
if [ -f /etc/firewall.conf.block ] ; then
|
||||
BLOCK_IPS=`cat /etc/firewall.conf.block`
|
||||
else
|
||||
BLOCK_IPS="37.191.192.147 51.79.22.22"
|
||||
fi
|
||||
|
||||
NOW=$( date +%c )
|
||||
|
||||
PROXY_WLAN=$( proxy_get_if )
|
||||
[ $? -eq 0 ] || { echo ERROR: " error getting device $?" ; exit 2 ; }
|
||||
[ -n "$PROXY_WLAN" ] || { echo ERROR: " error getting device $PROXY_WLAN" ; exit 3 ; }
|
||||
|
||||
## External interface
|
||||
[ -n "$WLAN_IF" ] || WLAN_IF="$PROXY_WLAN"
|
||||
[ -n "$IP" ] && WLAN_NET=$( echo $IP|sed -e 's/\.[1-9][0-9]*$/.0/' )/24
|
||||
[ -n "$PROXY_WLAN_GW" ] && PROXY_WLAN_GW=$( echo $IP|sed -e 's/\.[1-9][0-9]*$/.1/' )
|
||||
|
||||
[ -z "$PRIV_NTP_OWNER" ] && PRIV_NTP_OWNER=ntp
|
||||
PRIV_NTP_GID=$( grep ^$PRIV_NTP_OWNER /etc/passwd|cut -d: -f 4 )
|
||||
[ -z "$PRIV_TOR_OWNER" ] && PRIV_TOR_OWNER=tor
|
||||
PRIV_TOR_GID=$( grep ^$PRIV_TOR_OWNER /etc/passwd|cut -d: -f 4 )
|
||||
[ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
|
||||
PRIV_BIN_GID=$( grep ^$PRIV_BIN_OWNER /etc/passwd|cut -d: -f 4 )
|
||||
[ $LOCAL_TOR -ne 0 ] && CLEARNET_GIDS="$PRIV_BIN_GID $PRIV_TOR_GID" || CLEARNET_GIDS="$PRIV_BIN_GID"
|
||||
|
||||
[ -z "$PRIV_TOR_SOCKSPORT" ] && PRIV_TOR_SOCKSPORT=9050
|
||||
[ -z "$PRIV_TOR_CONTROLPORT" ] && PRIV_TOR_CONTROLPORT=9051
|
||||
[ -z "$PRIV_TOR_DNSSPORT" ] && PRIV_TOR_DNSSPORT=9053
|
||||
[ -z "$PRIV_POLIPO_PROXYPORT" ] && PRIV_POLIPO_PROXYPORT=3128
|
||||
[ -z "$PRIV_TOR_PROXYPORT" ] && PRIV_TOR_PROXYPORT=9128
|
||||
[ -z "$PRIV_NAT_TRANSPORT" ] && PRIV_NAT_TRANSPORT="9040"
|
||||
PRIV_NAT_TRANSHOST="$PROXY_WLAN"
|
||||
|
||||
SSH_SERVICE=22
|
||||
BOOTPC_SERVICE=68
|
||||
BOOTPS_SERVICE=67
|
||||
[ -z "$PRIV_SERVICE_NTPPORT" ] && PRIV_SERVICE_NTPPORT=123
|
||||
NETBIOSNS_SERVICE=137
|
||||
NETBIOSDG_SERVICE=138
|
||||
NETBIOSSS_SERVICE=139
|
||||
|
||||
WLAN_ALLOW_SERVICES="$PRIV_SERVICE_NTPPORT $BOOTPC_SERVICE $BOOTPS_SERVICE"
|
||||
WLAN_DROP_SERVICES="$NETBIOSNS_SERVICE $NETBIOSDG_SERVICE $NETBIOSSS_SERVICE"
|
||||
NAT_SERVICES_TO_LO_TCP=""
|
||||
EXT_ALLOW_SERVICES_IN_TCP="$SSH_SERVICE $PRIV_TOR_PROXYPORT $PRIV_TOR_SOCKSPORT 7001"
|
||||
EXT_ALLOW_SERVICES_IN_UDP="$PRIV_TOR_DNSSPORT"
|
||||
# $PRIV_NAT_TRANSPORT
|
||||
EXT_ALLOW_SERVICES_OUT_TCP="$SSH_SERVICE $PRIV_TOR_PROXYPORT $PRIV_TOR_SOCKSPORT 7001"
|
||||
EXT_ALLOW_SERVICES_OUT_UDP="$PRIV_TOR_DNSSPORT"
|
||||
|
||||
EXT_VNET=virbr1
|
||||
PRIV_WHONIX_EXTERNAL_NET="10.0.2.0/24"
|
||||
# 10.152.152.10 gateway
|
||||
# 10.152.152.11 work
|
||||
# 10.16.238.0.0
|
||||
INT_VNET=virbr2
|
||||
# gateway is 10.152.152.10
|
||||
PRIV_WHONIX_INTERNAL_NET=10.152.152.0/24
|
||||
PRIVATE_NET="" # 192.168.1.0/24
|
||||
|
||||
## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
|
||||
## unless VPN_FIREWALL mode is enabled. Enabled By DEFAULT.
|
||||
VPN_FIREWALL="0"
|
||||
LIBVIRT_FW=1 # 0 or 1 or 2
|
||||
# I think this is still needed - dnsmasq is on 127:
|
||||
LOCALHOST_DNS=1
|
||||
HOST_ALLOW_INCOMING_ICMP=1
|
||||
HOST_ALLOW_OUTGOING_ICMP=1
|
||||
|
||||
## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
|
||||
## unless VPN_FIREWALL mode is enabled. Enabled By DEFAULT.
|
||||
VPN_FIREWALL="0"
|
||||
LIBVIRT_FW=1 # 0 or 1 or 2
|
||||
|
||||
#override
|
||||
HOST_nat_TRANS="";PRIV_NAT_TRANSPORT="";PRIV_NAT_TRANSHOST=""
|
||||
|
||||
INFO "Loading Whonix firewall for $PROXY_WLAN IP=$IP LIBVIRT_FW=$LIBVIRT_FW"
|
||||
|
||||
if ifconfig -a | grep -q $EXT_VNET && proxy_virsh list | grep Whonix-Gateway ; then
|
||||
# on the host - does this work?
|
||||
ifconfig -a | grep -q inet # || ifconfig $EXT_VNET 10.0.2.2 up
|
||||
HOST_WHONIX_GATE=1
|
||||
fi
|
||||
if ifconfig -a | grep -q $INT_VNET && proxy_virsh list | grep Whonix-Workstation ; then
|
||||
# on the host
|
||||
ifconfig -a | grep -q inet #? || ifconfig $INT_VNET 10.152.152.10 up
|
||||
HOST_WHONIX_WORK=1
|
||||
fi
|
||||
HOST_WHONIX_GATE=1
|
||||
HOST_WHONIX_WORK=1
|
||||
|
||||
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
###########################
|
||||
## debugging
|
||||
###########################
|
||||
|
||||
#set -x
|
||||
|
||||
###########################
|
||||
## error_handler
|
||||
###########################
|
||||
|
||||
error_handler() {
|
||||
echo "##################################################"
|
||||
echo "Whonix firewall script failed!" see $OUT4
|
||||
echo "##################################################"
|
||||
exit 1
|
||||
}
|
||||
|
||||
#? trap "error_handler" ERR
|
||||
|
||||
###########################
|
||||
## source config folder
|
||||
###########################
|
||||
|
||||
shopt -s nullglob || exit 1
|
||||
for i in /etc/whonix_firewall.d/*.conf /usr/local/etc/whonix_firewall.d/*.conf; do
|
||||
bash_n_exit_code="0"
|
||||
bash_n_output="$(bash -n "$i" 2>&1)" || { bash_n_exit_code="$?" ; true; };
|
||||
if [ ! "$bash_n_exit_code" = "0" ]; then
|
||||
ERROR "Invalid config file: $i
|
||||
bash_n_exit_code: $bash_n_exit_code
|
||||
bash_n_output:
|
||||
$bash_n_output" >&2
|
||||
exit 1
|
||||
fi
|
||||
source "$i"
|
||||
done
|
||||
|
||||
###########################
|
||||
## comments
|
||||
###########################
|
||||
|
||||
## --reject-with
|
||||
## http://ubuntuforums.org/showthread.php?p=12011099
|
||||
|
||||
## Set to icmp-admin-prohibited because icmp-port-unreachable caused
|
||||
## confusion. icmp-port-unreachable looks like a bug while
|
||||
## icmp-admin-prohibited hopefully makes clear it is by design.
|
||||
|
||||
###########################
|
||||
## /usr/bin/whonix_firewall
|
||||
###########################
|
||||
|
||||
###########################
|
||||
## interfaces
|
||||
###########################
|
||||
|
||||
INFO "Loading Whonix firewall for $WLAN_IF"
|
||||
|
||||
###########################
|
||||
DBUG NON_TOR_GATEWAY
|
||||
###########################
|
||||
|
||||
#me these defaults should be in the .conf files
|
||||
## Destinations you do not routed through VPN, only for Whonix-Gateway.
|
||||
## 10.0.2.2/24: VirtualBox DHCP
|
||||
[ -n "$NON_TOR_GATEWAY" ] || NON_TOR_GATEWAY="$PRIVATE_NET $WLAN_NET $PRIV_WHONIX_INTERNAL_NET $PRIV_WHONIX_EXTERNAL_NET"
|
||||
|
||||
################
|
||||
## VPN related #
|
||||
################
|
||||
|
||||
## Space separated list of VPN servers,
|
||||
## which Whonix-Gateway is allowed to connect to.
|
||||
[ -n "$VPN_SERVERS" ] || VPN_SERVERS="198.252.153.26"
|
||||
VPN_SERVERS=
|
||||
|
||||
[ -n "$VPN_INTERFACE" ] || VPN_INTERFACE="tun0"
|
||||
VPN_INTERFACE=
|
||||
|
||||
## Destinations you do not routed through VPN, only for Whonix-Gateway.
|
||||
## $PRIV_WHONIX_EXTERNAL_NET: VirtualBox DHCP
|
||||
[ -n "$LOCAL_NET" ] || LOCAL_NET="$PRIVATE_NET $WLAN_NET $PRIV_WHONIX_INTERNAL_NET $PRIV_WHONIX_EXTERNAL_NET"
|
||||
|
||||
###########################
|
||||
DBUG IPv4 DEFAULTS
|
||||
###########################
|
||||
lsmod | grep -q iptable_filter || modprobe iptable_filter
|
||||
|
||||
###########################
|
||||
DBUG IPv4 PREPARATIONS
|
||||
###########################
|
||||
# FixMe: nf or xt?
|
||||
lsmod | grep -q nf_nat || modprobe nf_nat
|
||||
lsmod | grep -q iptable_filter || modprobe iptable_filter
|
||||
lsmod | grep -q iptable_mangle || modprobe iptable_mangle
|
||||
|
||||
## Flush old rules. We now let the caller do that when it uses the rules
|
||||
# mangle comes before filter, before nat
|
||||
# iptables -t mangle -F
|
||||
# iptables -t mangle -X
|
||||
# iptables -t filter -F
|
||||
# iptables -t filter -X
|
||||
# iptables -t nat -F
|
||||
# iptables -t nat -X
|
||||
|
||||
DBUG MANGLE COMES BEFORE FILTER
|
||||
|
||||
cat >> $OUT4 << EOF
|
||||
# -*-mode: conf[Space]; tab-width: 8; coding: utf-8-unix -*-
|
||||
# firewall.bash.libvirt.$VER
|
||||
*mangle
|
||||
:PREROUTING ACCEPT [0:0]
|
||||
:INPUT ACCEPT [0:0]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
:POSTROUTING ACCEPT [0:0]
|
||||
EOF
|
||||
|
||||
[ $LIBVIRT_FW -ge 1 ] && \
|
||||
cat >> $OUT4 << EOF
|
||||
:LIBVIRT_PRT - [0:0]
|
||||
${HUSH}-A INPUT -j LOG --log-prefix "iptables_mangle_END-i: " --log-uid
|
||||
EOF
|
||||
|
||||
cat >> $OUT4 << EOF
|
||||
COMMIT
|
||||
EOF
|
||||
|
||||
cat >> $OUT4 << EOF
|
||||
|
||||
*nat
|
||||
:PREROUTING ACCEPT [0:0]
|
||||
:INPUT ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
:POSTROUTING ACCEPT [0:0]
|
||||
EOF
|
||||
|
||||
cat >> $OUT4 << EOF
|
||||
:LIBVIRT_PRT - [0:0]
|
||||
EOF
|
||||
|
||||
# iptables: No chain/target/match by that name.
|
||||
false && \
|
||||
[ $LOCALHOST_DNS -gt 0 ] && \
|
||||
cat >> $OUT4 << EOF
|
||||
|
||||
# was ! -o lo
|
||||
# let resolve.conf redirect to lo - this rule cannot be removed
|
||||
#-A OUTPUT -o $WLAN_IF -p tcp --dport $PRIV_SERVICE_DNSPORT -j DNAT --to-destination 127.0.0.1:$PRIV_SERVICE_DNSPORT
|
||||
#-A OUTPUT -o $WLAN_IF -p udp --dport $PRIV_SERVICE_DNSPORT -j DNAT --to-destination 127.0.0.1:$PRIV_SERVICE_DNSPORT
|
||||
EOF
|
||||
#?
|
||||
for elt in $NAT_SERVICES_TO_LO_TCP ; do
|
||||
cat >> $OUT4 << EOF
|
||||
-A OUTPUT ! -o lo -p tcp --dport $PRIV_SERVICE_DNSPORT -j DNAT --to-destination 127.0.0.1:$elt
|
||||
EOF
|
||||
done
|
||||
|
||||
if [ $LOCAL_TOR -ne 0 -a "$PRIV_NAT_TRANSPORT" != "" -a "$PRIV_NAT_TRANSHOST" != "" -a "$PRIV_NAT_VIRTUAL_NET" != "" ] ; then
|
||||
NO=""
|
||||
else
|
||||
NO="#"
|
||||
fi
|
||||
cat >> $OUT4 << EOF
|
||||
|
||||
# .onion mapped addresses redirection to Tor.
|
||||
${NO}-A OUTPUT -d $PRIV_NAT_VIRTUAL_NET -p tcp -j DNAT --to-destination ${PRIV_NAT_TRANSHOST}:$PRIV_NAT_TRANSPORT
|
||||
EOF
|
||||
|
||||
if [ -n "$HOST_nat_TRANS" -a "$PRIV_NAT_TRANSPORT" != "" -a "$PRIV_NAT_TRANSHOST" != "" ] ; then
|
||||
cat >> $OUT4 << EOF
|
||||
|
||||
# nat REDIRECT ALL REMAINING TCP TRAFFIC TO TOR.
|
||||
# was ! -o lo
|
||||
-A OUTPUT -o $WLAN_IF -j LOG --log-uid --log-prefix "iptables_nat_TRANS: "
|
||||
-A OUTPUT -o $WLAN_IF -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DNAT --to-destination ${PRIV_NAT_TRANSHOST}:$PRIV_NAT_TRANSPORT
|
||||
EOF
|
||||
fi
|
||||
|
||||
cat >> $OUT4 << EOF
|
||||
## Log.
|
||||
${HUSH}-A INPUT -j LOG --log-prefix "iptables_nat_END-i: " --log-uid
|
||||
EOF
|
||||
|
||||
lsmod | grep -q nft_masq || modprobe nft_masq
|
||||
#4 lsmod | grep -q xt_MASQUERADE|| modprobe xt_MASQUERADE
|
||||
|
||||
[ $LIBVIRT_FW -ge 1 ] && \
|
||||
cat >> $OUT4 << EOF
|
||||
-A POSTROUTING -j LIBVIRT_PRT
|
||||
-A LIBVIRT_PRT -s $PRIV_WHONIX_EXTERNAL_NET -d 224.0.0.0/24 -j RETURN
|
||||
-A LIBVIRT_PRT -s $PRIV_WHONIX_EXTERNAL_NET -d 255.255.255.255/32 -j RETURN
|
||||
-A LIBVIRT_PRT -s $PRIV_WHONIX_EXTERNAL_NET ! -d $PRIV_WHONIX_EXTERNAL_NET -p tcp -j MASQUERADE --to-ports 1024-65535
|
||||
-A LIBVIRT_PRT -s $PRIV_WHONIX_EXTERNAL_NET ! -d $PRIV_WHONIX_EXTERNAL_NET -p udp -j MASQUERADE --to-ports 1024-65535
|
||||
-A LIBVIRT_PRT -s $PRIV_WHONIX_EXTERNAL_NET ! -d $PRIV_WHONIX_EXTERNAL_NET -j MASQUERADE
|
||||
EOF
|
||||
|
||||
cat >> $OUT4 << EOF
|
||||
COMMIT
|
||||
EOF
|
||||
|
||||
lsmod | grep -q nf_conntrack || modprobe nf_conntrack
|
||||
lsmod | grep -q xt_state || modprobe xt_state
|
||||
|
||||
cat >> $OUT4 << EOF
|
||||
# SET SECURE DEFAULTS FOR INPUT FILTER
|
||||
*filter
|
||||
:INPUT DROP [0:0]
|
||||
:FORWARD DROP [0:0]
|
||||
:OUTPUT DROP [0:0]
|
||||
EOF
|
||||
|
||||
[ $LIBVIRT_FW -ge 1 ] && \
|
||||
cat >> $OUT4 << EOF
|
||||
:LIBVIRT_FWI - [0:0]
|
||||
:LIBVIRT_FWO - [0:0]
|
||||
:LIBVIRT_FWX - [0:0]
|
||||
:LIBVIRT_INP - [0:0]
|
||||
:LIBVIRT_OUT - [0:0]
|
||||
|
||||
${HUSH}-A INPUT -j LOG --log-prefix "iptables_filter_BEGIN-i: firewall.bash.libvirt.$VER" --log-uid
|
||||
|
||||
# blocks wlan
|
||||
EOF
|
||||
|
||||
for elt in $BLOCK_IPS ; do
|
||||
cat >> $OUT4 << EOF
|
||||
-A INPUT -s $elt -p tcp -j DROP
|
||||
EOF
|
||||
done
|
||||
|
||||
DBUG IPv4 DROP INVALID INCOMING PACKAGES
|
||||
|
||||
cat >> $OUT4 << EOF
|
||||
|
||||
## DROP MARTIANS
|
||||
## https://www.cyberciti.biz/faq/linux-log-suspicious-martian-packets-un-routable-source-addresses/
|
||||
-A INPUT -i $WLAN_IF -s 10.0.0.0/8 -j LOG --log-prefix "iptables_martian_DROP SPOOF A: "
|
||||
-A INPUT -i $WLAN_IF -s 172.16.0.0/12 -j LOG --log-prefix "iptables_martian_DROP SPOOF B: "
|
||||
-A INPUT -i $WLAN_IF -s 192.168.0.0/16 -j LOG --log-prefix "iptables_martian_DROP SPOOF C: "
|
||||
-A INPUT -i $WLAN_IF -s 224.0.0.0/4 -j LOG --log-prefix "iptables_martian_DROP MULTICAST D: "
|
||||
-A INPUT -i $WLAN_IF -s 240.0.0.0/5 -j LOG --log-prefix "iptables_martian_DROP SPOOF E: "
|
||||
-A INPUT -i $WLAN_IF -d 127.0.0.0/8 -j LOG --log-prefix "iptables_martian_DROP LOOPBACK: "
|
||||
|
||||
-A INPUT -i $WLAN_IF -s 10.0.0.0/8 -j DROP
|
||||
-A INPUT -i $WLAN_IF -s 172.16.0.0/12 -j DROP
|
||||
-A INPUT -i $WLAN_IF -s 192.168.0.0/16 -j DROP
|
||||
-A INPUT -i $WLAN_IF -s 224.0.0.0/4 -j DROP
|
||||
-A INPUT -i $WLAN_IF -s 240.0.0.0/5 -j DROP
|
||||
-A INPUT -i $WLAN_IF -d 127.0.0.0/8 -j DROP
|
||||
|
||||
## DROP INVALID
|
||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A INPUT -m state --state INVALID -j DROP
|
||||
|
||||
## DROP INVALID SYN PACKETS
|
||||
-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
||||
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||||
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||
|
||||
## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
|
||||
-A INPUT -f -j DROP
|
||||
## DROP INCOMING MALFORMED XMAS PACKETS
|
||||
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
|
||||
## DROP INCOMING MALFORMED NULL PACKETS
|
||||
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
|
||||
EOF
|
||||
|
||||
cat >> $OUT4 << EOF
|
||||
## Traffic on the loopback interface is accepted.
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
## Established incoming connections are accepted.
|
||||
-A INPUT -m state --state ESTABLISHED -j ACCEPT
|
||||
EOF
|
||||
|
||||
## All incoming connections are dropped by default anyway, but should a user
|
||||
## allow incoming ports (such as for incoming SSH or FlashProxy), ICMP should
|
||||
## still be dropped to filter for example ICMP time stamp requests.
|
||||
if [ "$HOST_ALLOW_INCOMING_ICMP" != "1" ]; then
|
||||
DBUG Drop all incoming ICMP traffic by default.
|
||||
cat >> $OUT4 << EOF
|
||||
-A INPUT -i $WLAN_IF -p icmp -j LOG --log-prefix "IPTABLES_icmp_DROP-i: " --log-uid
|
||||
-A INPUT -i $WLAN_IF -p icmp -j DROP
|
||||
EOF
|
||||
else
|
||||
DBUG Accept all incoming ICMP traffic by default.
|
||||
cat >> $OUT4 << EOF
|
||||
### this is required for outgoing pings
|
||||
-A INPUT -i $WLAN_IF -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
|
||||
-A INPUT -i $WLAN_IF -p icmp -j ACCEPT
|
||||
EOF
|
||||
fi
|
||||
|
||||
## Allow all incoming connections on the virtual VPN network interface,
|
||||
## when VPN_FIREWALL mode is enabled. DISABLED BY DEFAULT.
|
||||
if [ "$VPN_FIREWALL" = "1" ]; then
|
||||
cat >> $OUT4 << EOF
|
||||
-A INPUT -i "$VPN_INTERFACE" -j ACCEPT
|
||||
EOF
|
||||
fi
|
||||
|
||||
#root@Flati:# su -c '/usr/sbin/ntpdate 132.163.97.3' -s /bin/sh ntp
|
||||
#12 Nov 21:39:14 ntpdate[4085]: bind() fails: Permission denied
|
||||
#root@Flati:# ls -l `which ntpdate`
|
||||
#-rwxr-sr-x 1 root ntp 85016 Jun 29 17:18 /usr/sbin/ntpdate
|
||||
|
||||
lsmod | grep -q xt_owner || modprobe xt_owner
|
||||
cat >> $OUT4 << EOF
|
||||
# these are NOT needed
|
||||
#!-A INPUT -i $WLAN_IF -m owner --gid-owner $PRIV_NTP_GID -p udp --sport $PRIV_SERVICE_NTPPORT -j LOG --log-uid --log-prefix "iptables_${PRIV_SERVICE_NTPPORT}_ACCEPT-o: "
|
||||
#!-A INPUT -i $WLAN_IF -m owner --gid-owner $PRIV_NTP_GID -p udp --sport $PRIV_SERVICE_NTPPORT -j ACCEPT
|
||||
#!-A INPUT -i $WLAN_IF -m owner --uid-owner 0 -p udp --sport $PRIV_SERVICE_NTPPORT -j LOG --log-uid --log-prefix "iptables_${PRIV_SERVICE_NTPPORT}_ACCEPT-o: "
|
||||
#!-A INPUT -i $WLAN_IF -m owner --uid-owner 0 -p udp --sport $PRIV_SERVICE_NTPPORT -j ACCEPT
|
||||
EOF
|
||||
|
||||
DBUG clearnet gids is allowed to connect any outside target $CLEARNET_GIDS
|
||||
for elt in $CLEARNET_GIDS ; do
|
||||
cat >> $OUT4 << EOF
|
||||
# these are NOT needed
|
||||
#!-A INPUT -i $WLAN_IF -p tcp -m owner --gid-owner $elt -j ACCEPT
|
||||
EOF
|
||||
done
|
||||
|
||||
cat >> $OUT4 << EOF
|
||||
#?# let dhcp through?
|
||||
#?-A INPUT -p udp --sport $BOOTPC_SERVICE -j ACCEPT
|
||||
#?-A INPUT -p udp --sport $BOOTPS_SERVICE -j ACCEPT
|
||||
EOF
|
||||
# was ACCEPT - try DROP - should be up in mangle as REJECT?
|
||||
for elt in $WLAN_DROP_SERVICES ; do
|
||||
cat >> $OUT4 << EOF
|
||||
-A INPUT -i $WLAN_IF -p udp --sport $elt -j DROP
|
||||
EOF
|
||||
done
|
||||
|
||||
if [ "$HOST_ALLOW_INCOMING_ICMP" != "1" ]; then
|
||||
DBUG Drop all incoming ICMP traffic by default.
|
||||
cat >> $OUT4 << EOF
|
||||
-A INPUT -i $EXT_VNET -p icmp -j LOG --log-prefix "IPTABLES_icmp_DROP-i: " --log-uid
|
||||
-A INPUT -i $EXT_VNET -p icmp -j DROP
|
||||
EOF
|
||||
else
|
||||
DBUG Accept all incoming ICMP traffic by default.
|
||||
cat >> $OUT4 << EOF
|
||||
### this is required for outgoing pings
|
||||
-A INPUT -i $EXT_VNET -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
|
||||
-A INPUT -i $EXT_VNET -p icmp -j ACCEPT
|
||||
EOF
|
||||
fi
|
||||
|
||||
DBUG use the gateway as a proxy box, including ssh INPUT
|
||||
# works -i virbr1 and -sport not -dport
|
||||
# -A INPUT -i virbr1 -p tcp --sport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-i: "
|
||||
for elt in $EXT_ALLOW_SERVICES_IN_TCP ; do
|
||||
cat >> $OUT4 << EOF
|
||||
-A INPUT -i $EXT_VNET -p tcp --sport $elt -j LOG --log-uid --log-prefix "iptables_${elt}_ACCEPT-i: "
|
||||
-A INPUT -i $EXT_VNET -p tcp --sport $elt -j ACCEPT
|
||||
EOF
|
||||
done
|
||||
for elt in $EXT_ALLOW_SERVICES_IN_UDP ; do
|
||||
cat >> $OUT4 << EOF
|
||||
-A INPUT -i $EXT_VNET -p udp --sport $elt -j LOG --log-uid --log-prefix "iptables_${elt}_ACCEPT-i: "
|
||||
-A INPUT -i $EXT_VNET -p udp --sport $elt -j ACCEPT
|
||||
EOF
|
||||
done
|
||||
|
||||
## Reject anything not explicitly allowed above.
|
||||
## Drop is better than reject here, because we do not want to reveal it's a Whonix-Gateway.
|
||||
## (In case someone running Whonix-Gateway on bare metal.)
|
||||
cat >> $OUT4 << EOF
|
||||
-A INPUT -j LOG --log-prefix "IPTABLES_filter_DROP-i: " --log-uid
|
||||
-A INPUT -j DROP
|
||||
EOF
|
||||
|
||||
# FixMe: DROP?
|
||||
[ may = be ] && \
|
||||
cat >> $OUT4 << EOF
|
||||
#?-A FORWARD -j LOG --log-prefix "IPTABLES_forward_DROP-i: " --log-uid
|
||||
#?-A FORWARD -j REJECT --reject-with icmp-admin-prohibited
|
||||
EOF
|
||||
|
||||
[ $LIBVIRT_FW -ge 1 ] && \
|
||||
cat >> $OUT4 << EOF
|
||||
-A INPUT -j LIBVIRT_INP
|
||||
|
||||
|
||||
|
||||
-A FORWARD -j LIBVIRT_FWX
|
||||
-A FORWARD -j LIBVIRT_FWI
|
||||
-A FORWARD -j LIBVIRT_FWO
|
||||
EOF
|
||||
###########################
|
||||
## IPv4 OUTPUT
|
||||
###########################
|
||||
|
||||
cat >> $OUT4 << EOF
|
||||
## Traffic on the loopback interface is accepted.
|
||||
-A OUTPUT -o lo -j ACCEPT
|
||||
|
||||
## Existing connections are accepted.
|
||||
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
|
||||
EOF
|
||||
|
||||
## Allow outgoing traffic on VPN interface,
|
||||
## if VPN_FIREWALL mode is enabled.
|
||||
## DISABLED BY DEFAULT.
|
||||
if [ "$VPN_FIREWALL" = "1" ]; then
|
||||
cat >> $OUT4 << EOF
|
||||
-A OUTPUT -o "$VPN_INTERFACE" -j ACCEPT
|
||||
EOF
|
||||
fi
|
||||
|
||||
## Connections to VPN servers are allowed,
|
||||
## when VPN_FIREWALL mode is enabled.
|
||||
## DISABLED BY DEFAULT.
|
||||
if [ "$VPN_FIREWALL" = "1" ]; then
|
||||
for SERVER in $VPN_SERVERS; do
|
||||
cat >> $OUT4 << EOF
|
||||
-A OUTPUT -d $SERVER -j ACCEPT
|
||||
EOF
|
||||
done
|
||||
fi
|
||||
|
||||
## Drop all incoming ICMP traffic by default.
|
||||
## All incoming connections are dropped by default anyway, but should a user
|
||||
## allow incoming ports (such as for incoming SSH or FlashProxy), ICMP should
|
||||
## still be dropped to filter for example ICMP time stamp requests.
|
||||
if [ "$HOST_ALLOW_OUTGOING_ICMP" != "1" ]; then
|
||||
DBUG Drop all outcoming ICMP traffic by default.
|
||||
cat >> $OUT4 << EOF
|
||||
-A OUTPUT -o $WLAN_IF -p icmp -j LOG --log-prefix "IPTABLES_icmp_DROP-o: " --log-uid
|
||||
-A OUTPUT -o $WLAN_IF -p icmp -j DROP
|
||||
EOF
|
||||
else
|
||||
DBUG Accept all outcoming ICMP traffic by default.
|
||||
cat >> $OUT4 << EOF
|
||||
-A OUTPUT -o $WLAN_IF -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
|
||||
-A OUTPUT -o $WLAN_IF -p icmp -j ACCEPT
|
||||
EOF
|
||||
fi
|
||||
## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
|
||||
## unless VPN_FIREWALL mode is enabled. ENABLED BY DEFAULT.
|
||||
#? WHY?!
|
||||
if [ "$VPN_FIREWALL" != "1" ]; then
|
||||
for NET in $NON_TOR_GATEWAY; do
|
||||
cat >> $OUT4 << EOF
|
||||
#?-A OUTPUT -d $NET -j ACCEPT
|
||||
EOF
|
||||
done
|
||||
fi
|
||||
|
||||
# required sufficient works - not for user ntp
|
||||
[ -n "$PRIV_NTP_GID" ] && \
|
||||
cat >> $OUT4 << EOF
|
||||
# The ntp user is allowed to connect to services listening on the ntp port...
|
||||
# If root runs ntpdate manually you will see requests to port 53 UID=0
|
||||
-A OUTPUT -o $WLAN_IF -m owner --gid-owner $PRIV_NTP_GID -p udp --dport $PRIV_SERVICE_NTPPORT -j LOG --log-uid --log-prefix "iptables_${PRIV_SERVICE_NTPPORT}_ACCEPT-o: "
|
||||
-A OUTPUT -o $WLAN_IF -m owner --gid-owner $PRIV_NTP_GID -p udp --dport $PRIV_SERVICE_NTPPORT -j ACCEPT
|
||||
-A OUTPUT -o $WLAN_IF -m owner --uid-owner 0 -p udp --dport $PRIV_SERVICE_NTPPORT -j LOG --log-uid --log-prefix "iptables_${PRIV_SERVICE_NTPPORT}_ACCEPT-o: "
|
||||
-A OUTPUT -o $WLAN_IF -m owner --uid-owner 0 -p udp --dport $PRIV_SERVICE_NTPPORT -j ACCEPT
|
||||
EOF
|
||||
|
||||
cat >> $OUT4 << EOF
|
||||
# ssh - specifically forbid ssh out the wlan
|
||||
-A OUTPUT -o $WLAN_IF -p tcp --dport $SSH_SERVICE -j LOG --log-uid --log-prefix "IPTABLES_ssh_REJECT-o: "
|
||||
-A OUTPUT -o $WLAN_IF -p tcp --dport $SSH_SERVICE -j REJECT --reject-with icmp-port-unreachable
|
||||
EOF
|
||||
|
||||
DBUG clearnet gids is allowed to connect any outside target $CLEARNET_GIDS
|
||||
for elt in $CLEARNET_GIDS ; do
|
||||
cat >> $OUT4 << EOF
|
||||
# necessary and sufficient
|
||||
-A OUTPUT -o $WLAN_IF -m owner --gid-owner $elt -j ACCEPT
|
||||
EOF
|
||||
done
|
||||
|
||||
if [ "$HOST_ALLOW_OUTGOING_ICMP" == "1" ]; then
|
||||
cat >> $OUT4 << EOF
|
||||
-A OUTPUT -o $EXT_VNET -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
|
||||
-A OUTPUT -o $EXT_VNET -p icmp -j ACCEPT
|
||||
EOF
|
||||
fi
|
||||
|
||||
DBUG use the gateway as a proxy box, including ssh OUTPUT host to guest
|
||||
# works -i virbr1 and -sport not -dport
|
||||
# -A INPUT -i virbr1 -p tcp --sport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-i: "
|
||||
for elt in $EXT_ALLOW_SERVICES_OUT_TCP ; do
|
||||
cat >> $OUT4 << EOF
|
||||
-A OUTPUT -o $EXT_VNET -p tcp --dport $elt -j LOG --log-uid --log-prefix "iptables_${elt}_ACCEPT-o: "
|
||||
-A OUTPUT -o $EXT_VNET -p tcp --dport $elt -j ACCEPT
|
||||
EOF
|
||||
done
|
||||
for elt in $EXT_ALLOW_SERVICES_OUT_UDP ; do
|
||||
cat >> $OUT4 << EOF
|
||||
-A OUTPUT -o $EXT_VNET -p udp --dport $elt -j LOG --log-uid --log-prefix "iptables_${elt}_ACCEPT-o: "
|
||||
-A OUTPUT -o $EXT_VNET -p udp --dport $elt -j ACCEPT
|
||||
EOF
|
||||
done
|
||||
|
||||
cat >> $OUT4 << EOF
|
||||
#??-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j RETURN
|
||||
#?-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
|
||||
EOF
|
||||
|
||||
if [ $LIBVIRT_FW -ge 1 ] ; then
|
||||
cat >> $OUT4 << EOF
|
||||
-A OUTPUT -j LIBVIRT_OUT
|
||||
# block virbr1
|
||||
EOF
|
||||
for elt in $BLOCK_IPS ; do
|
||||
cat >> $OUT4 << EOF
|
||||
-A LIBVIRT_FWI -s $elt -p tcp -j DROP
|
||||
EOF
|
||||
done
|
||||
cat >> $OUT4 << EOF
|
||||
-A LIBVIRT_FWI -o $EXT_VNET -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
|
||||
-A LIBVIRT_FWI -o $INT_VNET -j REJECT --reject-with icmp-port-unreachable
|
||||
|
||||
-A LIBVIRT_FWI -d $PRIV_WHONIX_EXTERNAL_NET -o $EXT_VNET -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
|
||||
-A LIBVIRT_FWI -o $EXT_VNET -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
|
||||
#blocks
|
||||
-A LIBVIRT_FWI -o $EXT_VNET -j REJECT --reject-with icmp-port-unreachable
|
||||
|
||||
-A LIBVIRT_FWO -i $INT_VNET -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
|
||||
-A LIBVIRT_FWO -i $INT_VNET -j REJECT --reject-with icmp-port-unreachable
|
||||
|
||||
-A LIBVIRT_FWO -s $PRIV_WHONIX_EXTERNAL_NET -i $EXT_VNET -j ACCEPT
|
||||
|
||||
-A LIBVIRT_FWO -i $EXT_VNET -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
|
||||
-A LIBVIRT_FWO -i $EXT_VNET -j REJECT --reject-with icmp-port-unreachable
|
||||
|
||||
-A LIBVIRT_FWX -i $INT_VNET -o $INT_VNET -j ACCEPT
|
||||
-A LIBVIRT_FWX -i $EXT_VNET -o $EXT_VNET -j ACCEPT
|
||||
|
||||
# FixMe: sic this is what libvirt did -i --dport
|
||||
# FixMe: I will disable them as I dont think theyre needed or wanted
|
||||
#no -A LIBVIRT_INP -i $INT_VNET -p udp --dport 53 -j ACCEPT
|
||||
#no -A LIBVIRT_INP -i $INT_VNET -p tcp --dport 53 -j ACCEPT
|
||||
#no -A LIBVIRT_INP -i $INT_VNET -p udp --dport 67 -j ACCEPT
|
||||
#no -A LIBVIRT_INP -i $INT_VNET -p tcp --dport 67 -j ACCEPT
|
||||
#no
|
||||
#no # FixMe:sic this is what libvirt did -i --dport
|
||||
#no -A LIBVIRT_INP -i $EXT_VNET -p udp --dport 53 -j ACCEPT
|
||||
#no -A LIBVIRT_INP -i $EXT_VNET -p tcp --dport 53 -j ACCEPT
|
||||
#no -A LIBVIRT_INP -i $EXT_VNET -p udp --dport 67 -j ACCEPT
|
||||
#no -A LIBVIRT_INP -i $EXT_VNET -p tcp --dport 67 -j ACCEPT
|
||||
#no
|
||||
#no -A LIBVIRT_OUT -o $INT_VNET -p udp --dport 53 -j ACCEPT
|
||||
#no -A LIBVIRT_OUT -o $INT_VNET -p tcp --dport 53 -j ACCEPT
|
||||
#no -A LIBVIRT_OUT -o $INT_VNET -p udp --dport 68 -j ACCEPT
|
||||
#no -A LIBVIRT_OUT -o $INT_VNET -p tcp --dport 68 -j ACCEPT
|
||||
#no
|
||||
#no -A LIBVIRT_OUT -o $EXT_VNET -p udp --dport 53 -j ACCEPT
|
||||
#no -A LIBVIRT_OUT -o $EXT_VNET -p tcp --dport 53 -j ACCEPT
|
||||
#no -A LIBVIRT_OUT -o $EXT_VNET -p udp --dport 68 -j ACCEPT
|
||||
#no -A LIBVIRT_OUT -o $EXT_VNET -p tcp --dport 68 -j ACCEPT
|
||||
EOF
|
||||
fi
|
||||
|
||||
cat >> $OUT4 << EOF
|
||||
# added
|
||||
-A LIBVIRT_FWX -o $EXT_VNET -s 10.0.2.2 -d 10.0.2.15 -j ACCEPT
|
||||
${HUSH}-A OUTPUT -j LOG --log-uid --log-prefix "IPTABLES_filter_DROP-o: "
|
||||
${HUSH}-A OUTPUT -j DROP
|
||||
EOF
|
||||
|
||||
cat >> $OUT4 << EOF
|
||||
COMMIT
|
||||
# Generated $NOW
|
||||
EOF
|
||||
|
||||
# IPV6
|
||||
if [ ! -e /proc/net/if_inet6 ] ; then
|
||||
[ -f /etc/sysctl.d/70_testforge_harden_lynis.conf ] && \
|
||||
sed -i -e 's/^net.ipv6.conf/#net.ipv6.conf/' /etc/sysctl.d/70_testforge_harden_lynis.conf
|
||||
else
|
||||
# nft_reject nft_reject_inet nf_reject_ipv4 nft_reject_ipv4 ipt_REJECT
|
||||
for elt in nf_reject_ipv6 nft_reject_ipv6 ip6t_REJECT ; do
|
||||
lsmod | grep -q $elt || modprobe $elt
|
||||
done
|
||||
|
||||
sed -i -e 's/^#net.ipv6.conf/net.ipv6.conf/' /etc/sysctl.d/70_testforge_harden_lynis.conf
|
||||
# ACTIVE
|
||||
## Log.
|
||||
proxy_ip6tables -A INPUT -j LOG --log-prefix "IPTABLES_Whonix blocked input6: "
|
||||
proxy_ip6tables -A OUTPUT -j LOG --log-prefix "IPTABLES_Whonix blocked output6: "
|
||||
proxy_ip6tables -A FORWARD -j LOG --log-prefix "IPTABLES_Whonix blocked forward6: "
|
||||
|
||||
## Drop/reject all other traffic.
|
||||
proxy_ip6tables -A INPUT -j DROP
|
||||
#### --reject-with icmp-admin-prohibited not supported by proxy_ip6tables
|
||||
proxy_ip6tables -A OUTPUT -j REJECT
|
||||
## --reject-with icmp-admin-prohibited not supported by proxy_ip6tables
|
||||
proxy_ip6tables -A FORWARD -j REJECT
|
||||
fi
|
||||
|
||||
|
||||
###########################
|
||||
## End
|
||||
###########################
|
||||
|
||||
proxy_iptables_restore -tv < $OUT4 >/tmp/I$$.log 2>&1
|
||||
retval=$?
|
||||
if [ $retval -ne 0 ] ;then
|
||||
ERROR "$prog firewall - $retval see /tmp/I$$.log"
|
||||
exit $retval
|
||||
fi
|
||||
|
||||
echo "# Whonix firewall for wlan=$PROXY_WLAN LIBVIRT_FW=$LIBVIRT_FW" >> $OUT4
|
||||
|
||||
if [ `id -u` -eq 0 ] && ls /etc/sysctl.d/*.conf 2>/dev/null >/dev/null; then
|
||||
# hardcore
|
||||
sed -i \
|
||||
-e 's/forward = 0/forward = 1 ##libvirt/' \
|
||||
-e 's/forwarding = 0/forwarding = 1 ##libvirt/' \
|
||||
/etc/sysctl.d/*.conf
|
||||
|
||||
grep -l forward /etc/sysctl.d/*f | xargs sysctl -p | grep forward >/dev/null
|
||||
fi
|
||||
|
||||
# mv $OUT4 /etc/firewall.conf.new || { echo ERROR: ; exit 9 ; }
|
||||
INFO "OK Whonix firewall - mv $OUT4 /etc/firewall.conf.new"
|
||||
|
||||
exit 0
|
534
overlay/Linux/usr/local/sbin/proxy_whonix_host.bash
@ -0,0 +1,534 @@
|
||||
#!/bin/bash
|
||||
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
|
||||
|
||||
. /usr/local/bin/usr_local_tput.bash || exit 2
|
||||
PREFIX=/usr/local
|
||||
ROLE=proxy
|
||||
DELAY=10
|
||||
prog=proxy_whonix_host
|
||||
|
||||
PL=$PREFIX/bin/proxy_libvirt_lib.bash
|
||||
|
||||
USAGE="config|from_tor|to_tor|start|status|test|refresh|update"
|
||||
|
||||
[ -f /usr/local/etc/testforge/testforge.bash ] && \
|
||||
. /usr/local/etc/testforge/testforge.bash
|
||||
[ $( id -u ) -eq 0 ] || { ERROR $prog should be run as root ; exit 1 ; }
|
||||
|
||||
. /usr/local/sbin/proxy_whonix_lib.bash || \
|
||||
{ ERROR loading /usr/local/sbin/proxy_whonix_lib.bash ; exit 2; }
|
||||
. /usr/local/bin/proxy_ping_lib.bash || exit 3
|
||||
|
||||
prog=proxy_whonix_host
|
||||
[ -z "$MODE" ] && MODE=`proxy_ping_mode`
|
||||
|
||||
HTTP_PROXY_PORT=3128
|
||||
HTTP_PROXY_HOST=127.0.0.1
|
||||
HTTPS_PORT=9128
|
||||
HTTPS_HOST=127.0.0.1
|
||||
proxy_ping_get_socks
|
||||
[ -z "$SOCKS_HOST" ] || SOCKS_HOST=127.0.0.1
|
||||
[ -z "$SOCKS_PORT" ] || SOCKS_PORT=9050
|
||||
proxy_ping_get_https
|
||||
proxy_ping_get_http
|
||||
|
||||
WD=$PWD
|
||||
|
||||
NEEDED_DIRS=""
|
||||
# /usr/local/lib/helper-scripts
|
||||
# /usr/local/etc/ssl
|
||||
|
||||
NEEDED_SCRIPTS="
|
||||
/usr/local/bin/proxy_get_if.bash
|
||||
/usr/local/bin/proxy_libvirt_hook_qemu.bash
|
||||
/usr/local/bin/proxy_ping_lib.bash
|
||||
/usr/local/bin/proxy_ping_test.bash
|
||||
/usr/local/etc/jnettop.conf
|
||||
/usr/local/lib/helper-scripts/tor_bootstrap_check.py
|
||||
/usr/local/lib/helper-scripts/tor_bootstrap_check.bsh
|
||||
/usr/local/etc/ssl/cacert-testforge.pem
|
||||
/usr/local/sbin/Whonix-Gateway.rc
|
||||
/usr/local/sbin/debian_cache_to_archives.bash
|
||||
/usr/local/sbin/debian_elts_to_uris.bash
|
||||
/usr/local/sbin/debian_uris_to_urls.bash
|
||||
/usr/local/sbin/proxy_libvirt_ga_test.bash
|
||||
/usr/local/sbin/proxy_whonix_gateway_tor.bash
|
||||
/usr/local/sbin/proxy_whonix_guest_gateway.bash
|
||||
/usr/local/sbin/proxy_whonix_host-firewall.bash
|
||||
/usr/local/sbin/proxy_whonix_host_lib.bash
|
||||
/usr/local/sbin/proxy_whonix_host.bash
|
||||
/usr/local/sbin/proxy_whonix_host_tor.bash
|
||||
/usr/local/sbin/root_nm_wireless.bash
|
||||
"
|
||||
|
||||
proxy_install_package () {
|
||||
for pkg in $* ; do
|
||||
if [ -d /etc/apt ] ; then
|
||||
[ "$pkg" = guestfish ] && pkg=libguestfs-tools
|
||||
apt-get install -y $pkg || return $?
|
||||
elif [ -d /etc/portage ] ; then
|
||||
apt-get install -y $pkg || return $?
|
||||
fi
|
||||
done
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_host_dmesg_blocks
|
||||
proxy_whonix_host_dmesg_blocks () {
|
||||
local retval=0
|
||||
|
||||
[ -f /etc/firewall.conf.block ] || touch /etc/firewall.conf.block
|
||||
[ -z "$PROXY_WLAN" ] && PROXY_WLAN=`proxy_get_if` && retval=$?
|
||||
[ $retval -ne 0 -o -z "$PROXY_WLAN" ] && {
|
||||
ERROR $prog null interface && return 1
|
||||
}
|
||||
dmesg|tail -1000 | grep IPTABLES_FWI_REJECT-o| \
|
||||
sed -e 's/.*SRC=//' -e 's/ .*//'|sort -u| \
|
||||
while read elt ; do
|
||||
grep -q $elt /etc/firewall.conf.block && continue
|
||||
grep -q $elt /etc/firewall.conf && continue
|
||||
echo $elt >> /etc/firewall.conf.block
|
||||
done
|
||||
[ -s /etc/firewall.conf.block ] || proxy_whonix_host_prepare_blocks || return 1$?
|
||||
proxy_whonix_host_add_block $( cat /etc/firewall.conf.block ) || return 2$?
|
||||
|
||||
if [ ! -f /etc/firewall.conf.$$ -o ! -f /etc/firewall.conf ] ; then
|
||||
return 3
|
||||
elif diff /etc/firewall.conf.$$ /etc/firewall.conf ; then
|
||||
return 4
|
||||
else
|
||||
base_wall.bash WARN: $prog BLOCKING \
|
||||
$(diff /etc/firewall.conf.$$ /etc/firewall.conf | grep -v , | cut -f 7 -d ' ') \
|
||||
in /etc/firewall.conf.block
|
||||
proxy_ping_wlan_config /etc/firewall.conf.$$
|
||||
mv /etc/firewall.conf /etc/firewall.conf.bak && \
|
||||
mv /etc/firewall.conf.$$ /etc/firewall.conf && \
|
||||
/usr/local/bin/proxy_libvirt_hook_network.bash
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_host_refresh
|
||||
proxy_whonix_host_refresh () {
|
||||
local dire
|
||||
[ "$#" -gt 0 ] && dire=$1
|
||||
[ -z "$dire" ] && dire=$( proxy_ping_mode )
|
||||
if [ $dire = whonix ] ; then
|
||||
$PL proxy_libvirt_clean_iptables
|
||||
proxy_whonix_host_dmesg_blocks
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_host_update
|
||||
proxy_whonix_host_update () {
|
||||
local copy_in
|
||||
|
||||
# use nbd instead
|
||||
return 0
|
||||
|
||||
DOM=$( proxy_whonix_get_gateway_dom )
|
||||
[ -z "$DOM" ] && \
|
||||
WARN proxy_whonix_host_update empty DOM from proxy_whonix_get_gateway_dom && \
|
||||
DOM=Whonix-Gateway
|
||||
cd /usr/local/sbin/
|
||||
|
||||
cp -p $PWD/$DOM.rc rc.local
|
||||
copy_in="copy-in $PWD/rc.local /etc"
|
||||
for dir in $NEEDED_DIRS ; do
|
||||
copy_in="$copy_in
|
||||
mkdir $dir
|
||||
"
|
||||
done
|
||||
for file in $NEEDED_SCRIPTS ; do
|
||||
dir=$( dirname $file )
|
||||
copy_in="$copy_in
|
||||
copy-in $file $dir
|
||||
"
|
||||
done
|
||||
|
||||
QCOW=/var/lib/libvirt/images/$DOM.qcow2
|
||||
if [ -f $QCOW ] ; then
|
||||
which virsh 2>/dev/null >/dev/null || proxy_install_package libvirt
|
||||
proxy_virsh list | grep -q $DOM && virsh shutdown $DOM && echo sleep 60 && sleep 60
|
||||
which guestfish 2>/dev/null >/dev/null || proxy_install_package guestfish
|
||||
INFO copying in $( echo $NEEDED_SCRIPTS| wc -w ) files
|
||||
guestfish -a $QCOW << EOF
|
||||
run
|
||||
mount /dev/sda1 /
|
||||
$copy_in
|
||||
umount /
|
||||
EOF
|
||||
fi
|
||||
rm -f rc.local
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_host_config
|
||||
proxy_whonix_host_config () {
|
||||
local dire
|
||||
local retval=0
|
||||
[ "$#" -gt 0 ] && dire=$1
|
||||
[ -z "$dire" ] && dire=$( proxy_ping_mode )
|
||||
DBUG proxy_whonix_host_config dire=$dire
|
||||
|
||||
[ -z "$PROXY_WLAN" ] && PROXY_WLAN=`proxy_get_if` && retval=$?
|
||||
[ $retval -ne 0 -o -z "$PROXY_WLAN" ] && {
|
||||
ERROR proxy_whonix_host_config null interface && return 1
|
||||
}
|
||||
|
||||
proxy_ping_firewall_restart
|
||||
proxy_ping_firewall_check || {
|
||||
ERROR /etc/firewall.conf missing $? ; return 2 ;
|
||||
}
|
||||
|
||||
proxy_ping_test_resolv $dire || return 4$?
|
||||
|
||||
proxy_whonix_privoxy_config $dire
|
||||
proxy_ping_dnsmasq_config $dire || return 3$?
|
||||
|
||||
if [ -f /etc/inittab ] ; then
|
||||
grep -q '^x1' /etc/inittab || \
|
||||
sed -e 's/^x1/#x1/' -i /etc/inittab
|
||||
# x1:12345:respawn:/sbin/agetty
|
||||
fi
|
||||
|
||||
proxy_ping_firewall_modules
|
||||
if [ "$dire" = whonix ] ; then
|
||||
[ -f /var/lib/libvirt/images/Whonix-Gateway.qcow2 ] || \
|
||||
WARN /var/lib/libvirt/images/Whonix-Gateway.qcow2 - mount /mnt/linuxKick150154
|
||||
|
||||
if [ -s /etc/firewall.conf.$dire ] ; then
|
||||
proxy_ping_wlan_config /etc/firewall.conf.$dire /etc/firewall.conf
|
||||
if ! diff -q /etc/firewall.conf.$dire /etc/firewall.conf ; then
|
||||
cp -p /etc/firewall.conf.$dire /etc/firewall.conf
|
||||
proxy_iptables_restore /etc/firewall.conf || return 3
|
||||
fi
|
||||
elif [ -s /etc/firewall.conf ] ; then
|
||||
iptables-save |grep -q virbr1 || {
|
||||
proxy_iptables_restore /etc/firewall.conf || return 4
|
||||
}
|
||||
else
|
||||
[ -s /etc/firewall.conf.new ] || \
|
||||
/usr/local/sbin/privacy_whonix_host-firewall.bash || \
|
||||
{ ERROR " $prog privacy_whonix_host-firewall.bash failed " ; return 5 ; }
|
||||
[ -s /etc/firewall.conf.new ] || \
|
||||
{ ERROR " /etc/firewall.conf.new missing " ; return 6 ; }
|
||||
[ -s /etc/firewall.conf ] || cp -p /etc/firewall.conf.new /etc/firewall.conf
|
||||
proxy_iptables_restore < /etc/firewall.conf || return 7
|
||||
fi
|
||||
|
||||
proxy_host_whonix_config $dire
|
||||
|
||||
elif [ "$dire" = selektor -o "$dire" = tor ] ; then
|
||||
proxy_host_selektor_config $dire
|
||||
fi
|
||||
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
proxy_host_selektor_config () { DBUG proxy_host_selektor_config ;
|
||||
local dire=$1
|
||||
|
||||
# /var/lib/tor/.SelekTOR/3xx/SelekTOR.xml
|
||||
if [ -s /etc/firewall.conf.$dire ] ; then
|
||||
proxy_ping_wlan_config /etc/firewall.conf.$dire /etc/firewall.conf
|
||||
if ! diff -q /etc/firewall.conf.$dire /etc/firewall.conf ; then
|
||||
cp -p /etc/firewall.conf.$dire /etc/firewall.conf
|
||||
proxy_iptables_restore /etc/firewall.conf || return 8
|
||||
elif [ -s /etc/firewall.conf ] ; then
|
||||
iptables-save |grep -q gid-owner || \
|
||||
proxy_iptables_restore /etc/firewall.conf || return 9
|
||||
else
|
||||
{ ERROR " /etc/firewall.conf.$dire missing " ; return 7 ; }
|
||||
fi
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_host_install
|
||||
proxy_whonix_host_install () { DBUG proxy_whonix_host_install $* ;
|
||||
|
||||
if [ $dire = host ] ; then
|
||||
ERROR proxy_whonix_host_install host
|
||||
return 1
|
||||
elif [ $dire = whonix ] ; then
|
||||
proxy_whonix_libvirt_start
|
||||
proxy_whonix_gateway_start $dire
|
||||
else
|
||||
if /etc/init.d/libvirtd status ; then
|
||||
proxy_virsh list | grep -q Whonix-Gateway && \
|
||||
proxy_virsh shutdown Whonix-Gateway
|
||||
fi
|
||||
fi
|
||||
|
||||
/usr/local/sbin/proxy_whonix_host_tor.bash $dire || return 7$?
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_host_from_config
|
||||
proxy_host_from_config () {
|
||||
#? rm -f /etc/modules_load.d/vda*conf
|
||||
|
||||
DOM=$( proxy_whonix_get_gateway_dom )
|
||||
[ -z "$DOM" ] && \
|
||||
WARN proxy_host_whonix_config empty DOM assuming Whonix-Gateway && \
|
||||
DOM=Whonix-Gateway
|
||||
|
||||
if [ -d /etc/libvirt/qemu/ -a /etc/libvirt/qemu/$DOM.xml ] ; then
|
||||
if [ ! -f /etc/libvirt/qemu/$DOM.xml.dst ] ; then
|
||||
cd /etc/libvirt/qemu/
|
||||
cp -p /etc/libvirt/qemu/$DOM.xml /etc/libvirt/qemu/$DOM.xml.dst
|
||||
for file in $WD/$DOM.xml.?.diff ; do
|
||||
[ -f /etc/libvirt/qemu/$DOM.xml ] || \
|
||||
ERROR $prog /etc/libvirt/qemu/$DOM.xml missing ; return 2
|
||||
patch /etc/libvirt/qemu/$DOM.xml < $file
|
||||
done
|
||||
cd $WD
|
||||
fi
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
## proxy_host_from_config
|
||||
proxy_host_whonix_config () {
|
||||
local dire=whonix
|
||||
local file
|
||||
|
||||
[ -x /usr/local/bin/proxy_libvirt_hook_network.bash ] || return 1
|
||||
|
||||
if false && ! [ -x /etc/libvirt/hooks/network ] ; then
|
||||
cat > /etc/libvirt/hooks/network <<EOF
|
||||
# BEGIN ANSIBLE MANAGED BLOCK proxy whonix_host.yml
|
||||
[ ! -f /usr/local/bin/proxy_libvirt_hook_network.bash ] || \
|
||||
/usr/local/bin/proxy_libvirt_hook_network.bash
|
||||
# END ANSIBLE MANAGED BLOCK proxy whonix_host.yml
|
||||
EOF
|
||||
chmod 755 /etc/libvirt/hooks/network
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_host_verify
|
||||
proxy_whonix_host_verify () {
|
||||
$0 --help > /dev/null || return 6
|
||||
$0 -h > /dev/null || return 7
|
||||
for elt in $( echo $USAGE | sed -e 's/|/ /g' ) ; do
|
||||
grep -q ^proxy_whonix_host_$elt $0 || { WARN proxy_whonix_host_$elt NOT in $0 ; return 8 ; }
|
||||
done
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_host_status
|
||||
proxy_whonix_host_status () { proxy_whonix_host_test "$@" ; }
|
||||
|
||||
## proxy_whonix_host_test
|
||||
proxy_whonix_host_test () {
|
||||
local dire
|
||||
[ "$#" -gt 0 ] && dire=$1
|
||||
[ -z "$dire" ] && dire=$( proxy_ping_mode )
|
||||
|
||||
proxy_whonix_host_verify
|
||||
|
||||
proxy_ping_status
|
||||
|
||||
/usr/local/bin/proxy_ping_test.bash $dire || \
|
||||
WARN $prog proxy_ping_test.bash FAILED $dire
|
||||
|
||||
if [ "$dire" = whonix ] ; then
|
||||
grep "`date +%Y-%m-%d`.* error :" /var/local/log/libvirtd.log
|
||||
proxy_whonix_host_tor.bash proxy_libvirt_test || return 1
|
||||
proxy_virsh list | grep running || return 2
|
||||
|
||||
# FixMe look in /etc/libvirt/qemu
|
||||
for elt in Whonix-Gateway Whonix-Workstation Pen19-1 Kick15-1 ; do
|
||||
proxy_virsh list | grep -q $elt || continue
|
||||
# /usr/local/sbin/proxy_libvirt_ga_test.bash $elt /bin/netstat -lnp4 ||
|
||||
/usr/local/sbin/proxy_libvirt_ga_test.bash $elt ls /dev/virtio-ports/ || \
|
||||
WARN $prog $elt not responding
|
||||
# fallsover with
|
||||
# error: internal error: unable to execute QEMU agent command 'guest-exec-status': Invalid parameter 'pid'
|
||||
done
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_host_restart
|
||||
proxy_whonix_host_restart () {
|
||||
local dire
|
||||
[ "$#" -gt 0 ] && dire=$1 || dire=$MODE
|
||||
|
||||
proxy_whonix_host_start $dire || return 1$?
|
||||
proxy_whonix_host_status $dire || return 2$?
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_host_selektor
|
||||
proxy_whonix_host_selektor () {
|
||||
local dire=selektor
|
||||
proxy_whonix_host_start $dire
|
||||
return $?
|
||||
}
|
||||
|
||||
## proxy_whonix_host_from_tor
|
||||
proxy_whonix_host_from_tor () {
|
||||
local dire=whonix
|
||||
proxy_whonix_host_start $dire
|
||||
return $?
|
||||
}
|
||||
|
||||
## proxy_whonix_host_to_tor
|
||||
proxy_whonix_host_to_tor () {
|
||||
local dire=tor
|
||||
proxy_virsh list | grep -q Whonix-Gateway && proxy_virsh shutdown Whonix-Gateway
|
||||
proxy_whonix_host_start $dire
|
||||
return $?
|
||||
}
|
||||
|
||||
## proxy_whonix_stop
|
||||
proxy_whonix_stop () {
|
||||
local dire
|
||||
[ "$#" -gt 0 ] && dire=$1
|
||||
[ -z "$dire" ] && dire=$( proxy_ping_mode )
|
||||
DBUG proxy_whonix_stop $*
|
||||
|
||||
if [ $dire = whonix -o $dire = host -o $dire = tor ] ; then
|
||||
proxy_whonix_host_stop $dire
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_libvirt_stop
|
||||
proxy_whonix_libvirt_stop () {
|
||||
|
||||
proxy_virsh net-list | grep -q Whonix-External && \
|
||||
virsh net-destroy Whonix-External
|
||||
|
||||
proxy_virsh net-list | grep -q Whonix-Internal && \
|
||||
virsh net-destroy Whonix-Internal
|
||||
|
||||
proxy_virsh list | grep -q Whonix-Gateway && \
|
||||
virsh shutdown Whonix-Gateway
|
||||
|
||||
proxy_virsh list | grep -q Whonix-Gateway && \
|
||||
virsh destroy Whonix-Gateway
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_host_stop
|
||||
proxy_whonix_host_stop () {
|
||||
local dire=$1
|
||||
|
||||
DBUG $prog proxy_whonix_host_stop $*
|
||||
|
||||
if [ $dire = whonix ] ; then
|
||||
proxy_rc_service polipo status >/dev/null && proxy_rc_service polipo stop
|
||||
proxy_ping_dnsmasq_status && proxy_ping_dnsmasq_stop
|
||||
proxy_whonix_libvirt_stop || return 3$?
|
||||
elif [ $dire = tor ] ; then
|
||||
proxy_rc_service tor status >/dev/null && proxy_rc_service tor stop
|
||||
proxy_rc_service polipo status >/dev/null && proxy_rc_service polipo stop
|
||||
fi
|
||||
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_gateway_start - start whonix on a host
|
||||
proxy_whonix_gateway_start () {
|
||||
local dire
|
||||
[ "$#" -gt 0 ] && dire=$1
|
||||
|
||||
# proxy_ping_dnsmasq_status && proxy_ping_dnsmasq_stop
|
||||
proxy_whonix_libvirt_start || return 3$?
|
||||
|
||||
proxy_virsh net-list | grep -q Whonix-External || \
|
||||
virsh net-start Whonix-External || return 4$?
|
||||
ifconfig virbr1 || return 5$?
|
||||
|
||||
proxy_virsh net-list | grep -q Whonix-Internal || \
|
||||
virsh net-start Whonix-Internal|| return 6$?
|
||||
ifconfig virbr2 || return 7$?
|
||||
|
||||
DOM=$( proxy_whonix_get_gateway_dom )
|
||||
[ -z "$GATEW_DOM" ] && \
|
||||
WARN $prog empty DOM from proxy_whonix_get_gateway_dom && \
|
||||
DOM=Whonix-Gateway
|
||||
proxy_virsh list | grep -q $DOM || \
|
||||
{ INFO $prog virsh starting $DOM ; virsh start $DOM ; } || \
|
||||
return 8$?
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_host_start - start either whonix or tor on a host
|
||||
proxy_whonix_host_start () { DBUG $prog proxy_whonix_host_start $* ;
|
||||
local dire
|
||||
[ "$#" -gt 0 ] && dire=$1
|
||||
|
||||
proxy_whonix_host_config $dire || return 2$?
|
||||
|
||||
proxy_whonix_host_install $dire || return 4$?
|
||||
proxy_clobber_resolv_local
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
if [ "$#" -eq 0 ] ; then
|
||||
echo USAGE: $prog $USAGE
|
||||
|
||||
elif [ "$1" = '-h' -o "$1" = '--help' -o "$1" = 'host' ] ; then
|
||||
echo USAGE: $prog $USAGE or:
|
||||
grep '^## ' $0 | sed -e 's/^## //'
|
||||
|
||||
elif [ "$1" = config ] ; then
|
||||
[ -z "$MODE" ] && MODE=$( proxy_ping_mode )
|
||||
proxy_whonix_host_config $MODE || exit 2$?
|
||||
|
||||
elif [ "$1" = start ] ; then
|
||||
[ -z "$MODE" ] && MODE=$( proxy_ping_mode )
|
||||
proxy_whonix_host_start $MODE || exit 2$?
|
||||
|
||||
elif [ "$1" = selektor ] ; then
|
||||
MODE=$1
|
||||
proxy_whonix_host_start $MODE
|
||||
|
||||
elif [ "$1" = to -o "$1" = 'to_tor' -o "$1" = 'tor' ] ; then
|
||||
[ -z "$MODE" ] && MODE=$( proxy_ping_mode )
|
||||
proxy_whonix_host_to_tor || exit 3$?
|
||||
|
||||
elif [ "$1" = from -o "$1" = 'from_tor' -o "$1" = 'whonix' ] ; then
|
||||
[ -z "$MODE" ] && MODE=$( proxy_ping_mode )
|
||||
proxy_whonix_host_from_tor || exit 4$?
|
||||
|
||||
elif [ "$1" = verify -o "$1" = 'install' ] ; then
|
||||
[ -z "$MODE" ] && MODE=$( proxy_ping_mode )
|
||||
proxy_whonix_host_$1 $MODE || exit 5$?
|
||||
|
||||
elif [ "$1" = 'test' ] ; then
|
||||
[ -z "$MODE" ] && MODE=$( proxy_ping_mode )
|
||||
proxy_whonix_host_test $MODE || exit 4$?
|
||||
|
||||
elif [ "$1" = update -o "$1" = 'start' -o "$1" = 'status' -o "$1" = 'stop' ] ; then
|
||||
[ -z "$MODE" ] && MODE=$( proxy_ping_mode )
|
||||
proxy_whonix_host_$1 $MODE || exit 5$?
|
||||
|
||||
elif [ "$1" = hourly -o "$1" = 'refresh' ] ; then
|
||||
[ -z "$MODE" ] && MODE=$( proxy_ping_mode )
|
||||
proxy_whonix_host_refresh || exit 6$?
|
||||
|
||||
else
|
||||
DBUG $base "$@"
|
||||
eval "$@"
|
||||
exit $?
|
||||
|
||||
fi
|
||||
|
||||
exit 0
|
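--- a/overlay/Linux/usr/local/sbin/proxy_whonix_host_libvirt.bash
+++ b/overlay/Linux/usr/local/sbin/proxy_whonix_host_libvirt.bash
@@ -0,0 +1,3 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
+exec bash /usr/local/bin/proxy_ping_lib.bash proxy_libvirt_test "$@"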
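--- a/overlay/Linux/usr/local/sbin/proxy_whonix_host_tor.bash
+++ b/overlay/Linux/usr/local/sbin/proxy_whonix_host_tor.bash
@@ -0,0 +1,257 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+ROLE=proxy
+prog=$( basename $0 .bash )
+
+. /usr/local/bin/usr_local_tput.bash || exit 2
+PREFIX=/usr/local
+
+USAGE="[to_tor|from_tor|test_to|test_from|verify]"
+
+. /usr/local/sbin/proxy_whonix_lib.bash || \
+{ ERROR loading /usr/local/sbin/proxy_whonix_lib.bash ; exit 2; }
+. /usr/local/bin/usr_local_base.bash || exit 2
+. /usr/local/sbin/proxy_tor_lib.bash || \
+{ ERROR loading /usr/local/sbin/proxy_tor_lib.bash ; exit 3; }
+. /usr/local/bin/usr_local_base.bash || exit 2
+
+[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
+[ -z "$PRIV_TOR_OWNER" ] && grep -q ^debian-tor /etc/passwd && PRIV_TOR_OWNER=debian-tor
+[ -z "$PRIV_TOR_OWNER" ] && grep -q ^tor /etc/passwd && PRIV_TOR_OWNER=tor
+PRIV_TOR_GID=$( grep ^$PRIV_TOR_OWNER /etc/passwd|cut -d: -f 4 )
+[ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
+PRIV_BIN_GID=$( grep ^$PRIV_BIN_OWNER /etc/passwd|cut -d: -f 4 )
+
+#ps ax | grep 'usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/network.conf' && \
+# ps ax | grep 'usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/network.conf' | sed -e 's/ .*//' \
+# | xargs kill
+
+[ $USER != root ] || proxy_iptables_save | grep -qi reject || \
+proxy_ping_firewall_restart || exit 2$?
+# bash /usr/local/sbin/base_firewall_start.bash
+
+## proxy_whonix_or_tor
+proxy_whonix_or_tor () { DBUG proxy_whonix_or_tor $* ;
+local a dire debian file
+dire=$1
+file=/etc/tor/torrc
+
+[ -n "$PROXY_WLAN" ] || PROXY_WLAN=$( proxy_get_if ) || return 1$?
+[ -n "$PROXY_WLAN" ] || return 2$?
+DBUG proxy_whonix_to_tor PROXY_WLAN=$PROXY_WLAN $*
+
+true || \
+proxy_ping_online || {
+wlan7=$PROXY_WLAN
+base_wlan_modules_unload $PROXY_WLAN
+proxy_base_wlan_modules_load $PROXY_WLAN
+ERROR not online ret=$? ; return 3 ;
+}
+proxy_whonix_copy_files $dire
+## proxy_whonix_to_tor
+}
+
+proxy_whonix_to_selektor () { DBUG proxy_whonix_to_selektor $* ;
+local a dire file
+dire=selektor
+file=
+proxy_whonix_or_tor $dire
+if ps ax | grep -v grep | grep -q 'tor -f /var/lib/tor/.SelekTOR/3xx' ; then
+:
+elif ! proxy_route_check ; then
+return $?
+elif tty >/dev/null ; then
+/var/local/bin/selektor.bash &
+fi
+
+}
+
+proxy_whonix_to_tor () { DBUG proxy_whonix_to_tor $* ;
+local a dire debian file
+dire=tor
+file=/etc/tor/torrc
+
+proxy_whonix_or_tor $dire || return 2$?
+DBUG proxy_whonix_to_tor PROXY_WLAN=$PROXY_WLAN $*
+
+proxy_tor_torrc_update /etc/tor/torrc 127.0.0.1
+proxy_tor_torrc_exclude /etc/tor/torrc
+# proxy_rc_service tor status >/dev/null || proxy_rc_service tor start
+# weaker - includes running from cmdline
+debian=$PRIV_TOR_OWNER
+ps ax -g $debian | grep -v grep | grep -q ' tor ' || \
+proxy_rc_service tor start || \
+{ ERROR not service start ret=$? ; return 3 ; }
+
+
+proxy_whonix_privoxy_start tor || {
+echo WARN: $prog privoxy NOT running ret=$?
+# return 4 ;
+}
+
+proxy_whonix_dnsmasq_start tor || {
+echo WARN: proxy_whonix_to_tor dnsmasq NOT started retval=$?
+# return 5$? ;
+}
+
+# proxy_whonix_start_wget
+
+proxy_iptables_save | grep -q 'udp --dport 53 -j DNAT --to-destination 127.0.0.1:9053' || \
+proxy_rc_service dnsmasq status >/dev/null || \
+{ ERROR $prog dnsmasq not running ; return 6 ; }
+
+netstat -nlp4 | grep 127.0.0.1:9 || return 9
+return 0
+}
+
+## proxy_tor_clean
+proxy_tor_clean () {
+[ -n "$MODE" ] || MODE="$( proxy_ping_mode )"
+if [ "$MODE" = whonix ] ; then
+proxy_whonix_get_gateway_dom || exit 8
+if [ -z "$GATEW_DOM" ] ; then
+proxy_virsh list | grep -q $GATEW_DOM && \
+proxy_libvirt_clean_virbr1_rules
+fi
+fi
+return 0
+}
+
+## proxy_tor_test
+proxy_tor_test () {
+local dire
+[ $# -eq 1 ] && dire=$1
+[ -z "$dire" ] && dire="$( proxy_ping_mode )"
+
+if [ $dire = tor -o $dire = whonix -o $dire = host ] ; then
+# is vda a host?
+proxy_tor_test_ntp || return 2$?
+proxy_tor_test_anondate # || return 3$?
+fi
+
+proxy_whonix_test $dire || return 1$?
+
+return 0
+}
+
+starbucks_torrc () { proxy_whonix_host_tor_install $* ; }
+## proxy_whonix_host_install
+proxy_whonix_host_tor_install () { DBUG proxy_whonix_host_tor_install $* ;
+[ -n "$PROXY_WLAN" ] || PROXY_WLAN=$( proxy_get_if ) || return 1$?
+[ -n "$PROXY_WLAN_IP" ] || PROXY_WLAN_IP=$( proxy_get_wlan_ip ) || \
+{ ERROR proxy_whonix_host_tor_install ifconfig $PROXY_WLAN ; return 7 ; }
+[ -z "$PROXY_WLAN_IP" ] && return 0
+
+for file in /etc/tor/torrc /etc/tor/torrc-defaults ; do
+[ -f $file ] || continue
+grep -q "SocksPolicy accept " /etc/tor/torrc || continue
+grep -q "SocksPolicy accept $PROXY_WLAN_IP" /etc/tor/torrc || continue
+sed -e "s@^SocksPolicy accept [^/]*\$@SocksPolicy accept $PROXY_WLAN_IP@" \
+-i $file
+done
+
+return 0
+}
+
+proxy_whonix_host_whonix () { proxy_whonix_from_tor $* ; }
+## proxy_whonix_from_tor
+proxy_whonix_from_tor () {
+local dire=whonix
+local ret
+DBUG proxy_whonix_from_tor $*
+
+proxy_rc_service tor status >/dev/null && proxy_rc_service tor stop
+
+[ -n "$PROXY_WLAN" ] || PROXY_WLAN=$( proxy_get_if ) || return 1$?
+# ; return 2$ret
+proxy_whonix_config $dire || { ret=$? ; ERROR proxy_whonix_from_tor failed proxy_whonix_config ret=$ret ; return 2$ret ; }
+
+proxy_whonix_libvirt_start || {
+ret=$? ;
+ERROR proxy_whonix_from_tor failed proxy_whonix_libvirt_start ret=$ret ;
+return 3$ret
+}
+
+a=$( proxy_iptables_save | grep -e '-A OUTPUT -o .* -m tcp -p tcp -m owner --gid-owner $PRIV_TOR_GID -j ACCEPT' | grep -c -v grep )
+[ $? -eq 0 ] && [ -n "$a" ] && [ "$a" -gt 0 ] && \
+WARN proxy_iptables -D OUTPUT -o $PROXY_WLAN -m tcp -p tcp -m owner --gid-owner $PRIV_TOR_GID -j ACCEPT
+
+proxy_whonix_copy_files $dire
+
+# netstat -nlp4e | grep 127.0.0.1:53 && { ERROR dns still running ; return 3;}
+if false; then
+proxy_rc_service pdnsd status >/dev/null && proxy_rc_service pdnsd stop
+[ -f /etc/pdnsd/pdnsd.conf.whonix ] && \
+cp -p /etc/pdnsd/pdnsd.conf.whonix /etc/pdnsd/pdnsd.conf
+
+# proxy_whonix_start_wget
+proxy_whonix_dnsmasq_start $dire || \
+{ ret=$? ; echo WARN: proxy_whonix_from_tor dnsmasq NOT started $ret ; }
+fi
+
+proxy_whonix_privoxy_start $dire || \
+{ ret=$?; echo WARN: proxy_privoxy_from_tor polipo not started $ret ; }
+
+proxy_whonix_host_tor_install
+
+return 0
+}
+
+if [ "$#" -eq 0 ] ; then
+echo USAGE: $prog $USAGE
+
+elif [ "$1" = '-h' ] || [ "$1" = 'help' ] || [ "$1" = '--help' ] ; then
+echo USAGE: $prog $USAGE or:
+grep '^## ' $0 | sed -e 's/^## //'
+
+elif [ "$1" = to -o "$1" = 'to_tor' -o "$1" = 'tor' ] ; then
+[ $( id -u ) -eq 0 ] || { ERROR $prog must be root ; exit 1 ; }
+proxy_whonix_to_tor || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 1$ret ; }
+
+elif [ "$1" = 'selektor' ] ; then
+[ $( id -u ) -eq 0 ] || { ERROR $prog must be root ; exit 1 ; }
+proxy_whonix_to_selektor || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 1$ret ; }
+
+elif [ "$1" = 'from' -o "$1" = 'from_tor' -o "$1" = 'whonix' ] ; then
+[ $( id -u ) -eq 0 ] || { ERROR $prog must be root ; exit 1 ; }
+proxy_whonix_from_tor || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 2$ret ; }
+
+elif [ "$1" = 'gateway' ] ; then
+[ $( id -u ) -eq 0 ] || { ERROR $prog must be root ; exit 1 ; }
+proxy_whonix_gateway || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 2$ret ; }
+proxy_whonix_test gateway || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 4$ret ; }
+
+elif [ "$1" = 'test_from' -o "$1" = 'test_whonix' ] ; then
+[ $( id -u ) -eq 0 ] || { ERROR $prog must be root ; exit 1 ; }
+proxy_tor_test whonix || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 6$ret ; }
+/usr/local/bin/proxy_ping_test.bash panic || exit 7
+
+elif [ "$1" = 'test_gateway' -o "$1" = 'test_gateway' ] ; then
+proxy_tor_test gateway || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 6$ret ; }
+/usr/local/bin/proxy_ping_test.bash panic || exit 7
+
+elif [ "$1" = 'test_to' -o "$1" = 'test_tor' ] ; then
+proxy_tor_test tor || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 7$ret ; }
+/usr/local/bin/proxy_ping_test.bash panic || exit 7
+
+elif [ "$1" = 'direct' -o "$1" = 'test_direct' ] ; then
+/usr/local/bin/proxy_ping_test.bash direct
+
+elif [ "$1" = 'verify' ] ; then
+/usr/local/bin/proxy_ping_test.bash panic || exit 7
+[ -n "$MODE" ] || MODE="$( proxy_ping_mode )"
+proxy_whonix_test $MODE || \
+{ ret=$? ; ERROR "$prog host='$GATEW_DOM' retval=$ret" ; exit 8$ret ; }
+
+elif [ "$1" = 'clean' -o "$1" = 'stop' ] ; then
+proxy_whonix_$1
+/usr/local/bin/proxy_ping_test.bash panic || exit 8
+
+elif [ "$1" = 'config' ] ; then
+ERROR $prog not implemented $1;exit 1
+
+else
+eval "$@"
+exit $?
+fi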
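Review bot: The SocksPolicy rewrite loop in proxy_whonix_host_tor_install can never take effect: the second guard uses `|| continue`, so the sed is skipped exactly when the WLAN IP is absent and only runs when it is already present, and both greps read /etc/tor/torrc rather than `$file`, so the torrc-defaults iteration is checked against the wrong file. The sibling starbucks_torrc in proxy_whonix_lib.bash uses `&& continue` for the same check, which is the intended sense. Change the two guards to `grep -q "^SocksPolicy accept " "$file" || continue` and `grep -q "^SocksPolicy accept $PROXY_WLAN_IP\$" "$file" && continue`. Separately, the trailing `else eval "$@"` dispatch turns any argv that misses the fixed verbs into shell code, in a script whose other branches insist on running as root; a `case` over the named proxy_* functions would keep the convenience without that exposure.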
742
overlay/Linux/usr/local/sbin/proxy_whonix_lib.bash
Executable file
742
overlay/Linux/usr/local/sbin/proxy_whonix_lib.bash
Executable file
@ -0,0 +1,742 @@
|
||||
#!/bin/bash
|
||||
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
|
||||
|
||||
PREFIX=/usr/local
|
||||
ROLE=proxy
|
||||
prog=$( basename $0 .bash )
|
||||
export PATH=$PATH:$PREFIX/sbin:$PREFIX/bin
|
||||
. $PREFIX/bin/usr_local_tput.bash
|
||||
|
||||
PL=$PREFIX/bin/proxy_libvirt_lib.bash
|
||||
|
||||
# . $PREFIX/sbin/proxy_whonix_lib.bash || { echo ERROR: loading $PREFIX/sbin/proxy_whonix_lib.bash ; exit 2; }
|
||||
. $PREFIX/bin/proxy_ping_lib.bash || \
|
||||
{ echo ERROR: loading $PREFIX/bin/proxy_ping_lib.bash ; exit 2; }
|
||||
base=proxy_whonix_lib
|
||||
|
||||
starbucks_torrc () {
|
||||
ip=`ifconfig $wlan7 | grep -v '127.0.0.1\|grep' | grep inet.*broadcast| sed -e 's/.*inet //' -e 's/ .*//'`
|
||||
[ $? -eq 0 ] || { echo ERROR: starbucks_torrc ifconfig $wlan7 ; return 7 ; }
|
||||
[ -z "$ip" ] && return 0
|
||||
for file in /etc/tor/torrc /etc/tor/torrc-default ; do
|
||||
grep -q "^SocksPolicy accept " /etc/tor/torrc || continue
|
||||
grep -q "^SocksPolicy accept $ip$" /etc/tor/torrc && continue
|
||||
sed -e "s@^SocksPolicy accept [^/]*\$@SocksPolicy accept $ip@" \
|
||||
-i $file
|
||||
done
|
||||
return
|
||||
}
|
||||
|
||||
starbucks_set () {
|
||||
|
||||
if [ -f /etc/init.d/network-manager ] ; then
|
||||
NetworkManager=network-manager
|
||||
elif [ -f /etc/init.d/NetworkManager ] ; then
|
||||
NetworkManager=NetworkManager
|
||||
elif [ -f /lib/systemd/system/NetworkManager ] ; then
|
||||
NetworkManager=NetworkManager
|
||||
else
|
||||
NetworkManager=network-manager
|
||||
fi
|
||||
mgr=$NetworkManager
|
||||
mgr=wicd
|
||||
|
||||
[ -x /mnt/linuxBack52/usr/bin/macchanger ] && \
|
||||
macchanger=/mnt/linuxBack52/usr/bin/macchanger || \
|
||||
macchanger=macchanger
|
||||
|
||||
# may be empty wlan7
|
||||
# ifconfig wlan7 2>/dev/null && wlan7=wlan7 || wlan7=wlp3s0
|
||||
if [ -z "$wlan7" ] ; then
|
||||
echo ERROR: null wlan7 ;exit 1
|
||||
fi
|
||||
INFO starbucks_set wlan7=$wlan7 mgr=$mgr macchanger=$macchanger
|
||||
|
||||
if [ -z "$wlan7" ] ; then
|
||||
rmmod iwlmvm iwlwifi 2>/dev/null >/dev/null &
|
||||
rmmod ath9k_htc ath9k_common ath9k_hw ath 2>/dev/null >/dev/null &
|
||||
|
||||
elif [ $wlan7 = wlan4 ] ; then
|
||||
rmmod iwlmvm iwlwifi 2>/dev/null >/dev/null &
|
||||
elif [ $wlan7 = wlan6 -o $wlan7 = wlan7 ] ; then
|
||||
rmmod ath9k_htc ath9k_common ath9k_hw ath 2>/dev/null >/dev/null &
|
||||
fi
|
||||
sleep 5
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
starbucks_ip () {
|
||||
local wlan7
|
||||
[ $# -eq 0 -o -z "$1" ] && return 1
|
||||
wlan7=$1
|
||||
base_wlan_modules_unload $wlan7 || return 1$?
|
||||
base_wlan_modules_load $wlan7 || return 2$?
|
||||
|
||||
cd /etc
|
||||
grep -l 'wlan[0-9]' * */* 2>/dev/null|grep -v ~$|xargs sed -e "s/wlan[0-9]/$wlan7/g" -i
|
||||
|
||||
local_rc_service dbus start;local_rc_service wicd start
|
||||
return 0
|
||||
}
|
||||
|
||||
starbucks_start_services () {
|
||||
[ -z "$MODE" ] && echo ERROR: $0 unknown MODE && return 2
|
||||
$PREFIX/sbin/proxy_whonix_host.bash start || return 3$?
|
||||
# $PREFIX/sbin/proxy_whonix_host.bash proxy_whonix_host_start $MODE || return 5$?
|
||||
[ "$MODE" != tor ] || starbucks_torrc || return 5$?
|
||||
return 0
|
||||
}
|
||||
|
||||
starbucks_stop () {
|
||||
[ "$#" -eq 0 ] && set -- stop
|
||||
starbucks_restart stop
|
||||
}
|
||||
|
||||
# old tor only
|
||||
starbucks_restart () {
|
||||
[ "$#" -eq 0 ] && set -- start
|
||||
if [ -x /bin/systemctl ] ; then
|
||||
# [ -e /etc/tor/torrc ] && /bin/systemctl $1 tor >/dev/null
|
||||
[ -e /etc/pdnsd.conf ] && /bin/systemctl $1 pdnsd >/dev/null
|
||||
[ -e /etc/polipo.conf ] && /bin/systemctl $1 polipo >/dev/null
|
||||
/bin/systemctl $1 $mgr
|
||||
else
|
||||
# [ -e /etc/tor/torrc ] && /etc/init.d/tor $1
|
||||
[ -e /etc/pdnsd.conf ] && /etc/init.d/pdnsd $1
|
||||
[ -e /etc/polipo.conf ] && /etc/init.d/polipo $1
|
||||
/etc/init.d/$mgr $1
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
starbucks_pdnsd () {
|
||||
if [ "$pdnsd" = "dnscrypt" ] && \
|
||||
! ps ax | grep -v grep | grep -q /dnscrypt-proxy ; then
|
||||
cp /dev/null /var/local/var/log/dnscrypt-proxy.log
|
||||
$HARDEN_VAR_LOCAL/bin/dnscrypt-proxy --config $HARDEN_VAR_LOCAL/etc/dnscrypt-proxy.toml &
|
||||
sleep $DELAY
|
||||
[ ! -s /var/local/var/log/dnscrypt-proxy.log ] || \
|
||||
! grep -q 'No servers configured' $HARDEN_VAR_LOCAL/var/log/dnscrypt-proxy.log || return 11
|
||||
ps ax | grep -v grep | grep -q /dnscrypt-proxy || return 12
|
||||
elif [ "$pdnsd" = "pdnsd" ] && ! ps ax | grep -v grep | grep -q /pdnsd ; then
|
||||
if [ -x /bin/systemctl ] ; then
|
||||
[ -e /etc/pdnsd.conf ] && /bin/systemctl stop pdnsd >/dev/null
|
||||
else
|
||||
[ -e /etc/pdnsd.conf ] && /etc/init.d/pdnsd stop
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
starbucks_torrc () {
|
||||
ip=`ifconfig $wlan7 | grep -v '127.0.0.1\|grep' | grep inet.*broadcast| sed -e 's/.*inet //' -e 's/ .*//'`
|
||||
[ $? -eq 0 ] || { echo ERROR: starbucks_torrc ifconfig $wlan7 ; return 7 ; }
|
||||
[ -z "$ip" ] || \
|
||||
grep -q "SocksPolicy accept $ip@" /etc/tor/torrc || \
|
||||
sed -e "s@^SocksPolicy accept [^/]*\$@SocksPolicy accept $ip@" \
|
||||
-i /etc/tor/torrc
|
||||
}
|
||||
|
||||
|
||||
## proxy_guest_firewall_config -- /etc/firewall.conf.ws.new
|
||||
proxy_guest_firewall_config () {
|
||||
. $PREFIX/sbin/proxy_whonix_guest_workstation-firewall.bash || return 2$?
|
||||
source_config_folder
|
||||
iptables_cmd="echo iptables"
|
||||
ip6tables_cmd="echo # ip6tables"
|
||||
main > /etc/firewall.conf.ws.new
|
||||
|
||||
return $?
|
||||
}
|
||||
|
||||
## proxy_whonix_guest_config
|
||||
proxy_whonix_guest_config () {
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_guest_start
|
||||
proxy_whonix_guest_start () {
|
||||
$PL proxy_libvirt_start_guest
|
||||
return $?
|
||||
}
|
||||
|
||||
## proxy_whonix_test_guest
|
||||
proxy_whonix_test_guest () {
|
||||
$PL proxy_libvirt_test_guest
|
||||
return $?
|
||||
}
|
||||
|
||||
## proxy_whonix_gateway_config
|
||||
proxy_whonix_gateway_config () {
|
||||
proxy_whonix_dnsmasq_config gateway 10.0.2.15
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_dnsmasq_config
|
||||
proxy_whonix_dnsmasq_config () {
|
||||
local dire
|
||||
|
||||
[ "$#" -eq 0 ] || dire=$1
|
||||
[ -z "$dire" ] && MODE="$( proxy_ping_mode )" && dire=$MODE
|
||||
[ -n "$MODE" ] || MODE=host
|
||||
|
||||
proxy_dest_port_wlan_config
|
||||
[ -z "$PORT" -o -z "$DEST" ] && return 1
|
||||
|
||||
# 9040 - no wgetrc polipo
|
||||
# need dnsmasq to 127
|
||||
file=/etc/dnsmasq.conf
|
||||
if [ ! -f $file.$dire ] ; then
|
||||
cp -p $file $file.$dire
|
||||
cat >> $file.conf <<EOF
|
||||
log-facility=/var/log/dnsmasq.log
|
||||
no-resolv
|
||||
listen-address=127.0.0.1
|
||||
server=${DEST}#$PORT
|
||||
port=53
|
||||
# wlan4
|
||||
interface=$PROXY_WLAN
|
||||
bind-interfaces
|
||||
no-dhcp-interface=$PROXY_WLAN
|
||||
EOF
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_polipo_config
|
||||
proxy_whonix_polipo_config () {
|
||||
local dire
|
||||
local file
|
||||
[ "$#" -eq 0 ] && { echo ERROR: proxy_whonix_polipo_config no dire ; return 1; }
|
||||
dire=$1
|
||||
|
||||
file=/etc/polipo/config
|
||||
if [ $dire = whonix ]; then
|
||||
if [ ! -f $file.$dire ] ; then
|
||||
cp -p $file $file.$dire
|
||||
cat >> $file.conf <<EOF
|
||||
proxyAddress=127.0.0.1
|
||||
proxyPort=3128
|
||||
proxyName=127.0.0.1
|
||||
socksParentProxy=10.0.2.15:9050
|
||||
socksProxyType=socks5
|
||||
#?ssocksUserName=foo
|
||||
EOF
|
||||
fi
|
||||
elif [ $dire = nat ]; then
|
||||
# get external
|
||||
external=`grep external$ /etc/hosts|sed -e 's/ .*//'`
|
||||
#? . /usr/local/bin/proxy_export.bash
|
||||
if [ ! -f $file.$dire ] ; then
|
||||
cp -p $file $file.$dire
|
||||
cat >> $file.conf <<EOF
|
||||
proxyAddress=$external
|
||||
proxyPort=3128
|
||||
proxyName=$external
|
||||
socksParentProxy=$external:9050
|
||||
socksProxyType=socks5
|
||||
#?ssocksUserName=foo
|
||||
EOF
|
||||
fi
|
||||
else
|
||||
if [ ! -f $file.$dire ] ; then
|
||||
cp -p $file $file.$dire
|
||||
cat >> $file.conf <<EOF
|
||||
proxyAddress=127.0.0.1
|
||||
proxyPort=3128
|
||||
proxyName=127.0.0.1
|
||||
socksParentProxy=${DEST}:$PORT
|
||||
socksProxyType=socks5
|
||||
EOF
|
||||
fi
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_privoxy_config
|
||||
proxy_whonix_privoxy_config () {
|
||||
local dire
|
||||
local file
|
||||
dire=$1 ; shift
|
||||
|
||||
file=/etc/privoxy/config
|
||||
if [ $dire = whonix ]; then
|
||||
if [ ! -f $file.$dire ] ; then
|
||||
cp -p $file $file.$dire
|
||||
cat >> $file.conf <<EOF
|
||||
listen-address 127.0.0.1:3128
|
||||
forward-socks5t / 10.0.2.15:9050 .
|
||||
EOF
|
||||
fi
|
||||
elif [ $dire = nat ]; then
|
||||
# get external
|
||||
external=`grep external$ /etc/hosts|sed -e 's/ .*//'`
|
||||
#? . /usr/local/bin/proxy_export.bash
|
||||
if [ ! -f $file.$dire ] ; then
|
||||
cp /dev/null $file.$dire
|
||||
fi
|
||||
else
|
||||
if [ ! -f $file.$dire ] ; then
|
||||
cp -p $file $file.$dire
|
||||
cat >> $file.conf <<EOF
|
||||
listen-address 127.0.0.1:3128
|
||||
forward-socks5t / 127.0.0.1:9050 .
|
||||
EOF
|
||||
fi
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_dnsmasq_config
|
||||
proxy_whonix_dnsmasq_config () {
|
||||
local dire
|
||||
|
||||
[ "$#" -eq 0 ] && set -- tor
|
||||
dire=$1 ; shift
|
||||
proxy_dest_port_wlan_config $*
|
||||
[ -z "$PORT" -o -z "$DEST" ] && return 1
|
||||
|
||||
# 9040 - no wgetrc
|
||||
# need dnsmasq to 127
|
||||
file=/etc/dnsmasq.conf
|
||||
if [ ! -f $file.$dire ] ; then
|
||||
cp -p $file $file.$dire
|
||||
cat >> $file.$dire <<EOF
|
||||
log-facility=/var/log/dnsmasq.log
|
||||
no-resolv
|
||||
listen-address=127.0.0.1
|
||||
server=${DEST}#$PORT
|
||||
port=53
|
||||
# wlan4
|
||||
interface=$PROXY_WLAN
|
||||
bind-interfaces
|
||||
no-dhcp-interface=$PROXY_WLAN
|
||||
EOF
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_tor_config
|
||||
proxy_whonix_tor_config () {
|
||||
proxy_host_tor_config tor 127.0.0.1
|
||||
return $?
|
||||
}
|
||||
|
||||
## proxy_host_tor_config
|
||||
proxy_host_tor_config () {
|
||||
local dir
|
||||
local file
|
||||
dire=tor
|
||||
DEST=127.0.0.1
|
||||
PORT=9050
|
||||
|
||||
#? [ -z "$DEST" ] && proxy_dest_port_wlan_config || return 1$?
|
||||
|
||||
[ -z "$PORT" -o -z "$DEST" ] && return 2
|
||||
proxy_whonix_polipo_config $dire || return 3$?
|
||||
proxy_whonix_dnsmasq_config $dire || return 4$?
|
||||
|
||||
if proxy_ping_online ; then
|
||||
proxy_ping_test_resolv $dire || { echo ERROR: proxy_host_tor_config 5$?; return 5 ; }
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_host_from_config
|
||||
proxy_host_whonix_config () {
|
||||
local dire=whonix
|
||||
local file
|
||||
|
||||
proxy_dest_port_wlan_config || return 1$?
|
||||
DEST=10.0.2.15
|
||||
PORT=9053
|
||||
[ -z "$PORT" -o -z "$DEST" ] && return 2
|
||||
proxy_whonix_polipo_config $dire
|
||||
proxy_ping_test_resolv $dire || return 4$?
|
||||
proxy_whonix_dnsmasq_config $dire || return 5$?
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_host_gateway
|
||||
proxy_whonix_gateway () {
|
||||
local dire=gateway
|
||||
debug proxy_whonix_gateway $dire
|
||||
|
||||
PROXY_WLAN=$( proxy_get_if ) || return 1$?
|
||||
s proxy_whonix_config $dire || return 2$?
|
||||
|
||||
# works?
|
||||
proxy_ping_set_resolv gateway
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_from_config
|
||||
proxy_whonix_config () {
|
||||
local dire=$1
|
||||
[ -z "$DEST" ] && proxy_dest_port_wlan_config
|
||||
|
||||
if [ ! -f /etc/tor/torsocks.conf.$dire ] ; then
|
||||
cp -p /etc/tor/torsocks.conf /etc/tor/torsocks.conf.$dire
|
||||
# TorAddress 127.0.0.1
|
||||
# TorPort 9050
|
||||
fi
|
||||
sed -e "s@^#* *TorAddress.*@TorAddress $DEST@" -i /etc/tor/torsocks.conf
|
||||
sed -e "s@^#* *TorPort.*@TorPort 9050@" -i /etc/tor/torsocks.conf
|
||||
|
||||
# proxy_whonix_start_wget
|
||||
|
||||
proxy_host_${dire}_config
|
||||
|
||||
return $?
|
||||
}
|
||||
|
||||
## proxy_ws_whonix_config
|
||||
proxy_ws_whonix_config () {
|
||||
local dir=ws
|
||||
|
||||
DEST=10.152.152.10
|
||||
PROXY_WLAN=eth0
|
||||
proxy_host_whonix_config $dire $DEST 9053 $PROXY_WLAN
|
||||
|
||||
return $?
|
||||
}
|
||||
|
||||
## proxy_whonix_libvirt_status
|
||||
proxy_whonix_libvirt_status () {
|
||||
proxy_rc_service libvirtd status >/dev/null || \
|
||||
proxy_rc_service libvirtd start || \
|
||||
echo WARN: libvirtd crashed - see /var/log/libvirt/libvirtd.log # 2>&1|tee $WLOG
|
||||
$PL proxy_libvirt_status
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_libvirt_start
|
||||
proxy_whonix_libvirt_start () {
|
||||
local domain
|
||||
[ "$#" -ge 1 ] && domain=$1
|
||||
|
||||
if [ ! -e /run/libvirt/libvirt-sock ] || ! proxy_rc_service libvirtd status >/dev/null ; then
|
||||
cp /dev/null /var/log/libvirt/libvirtd.log
|
||||
/etc/init.d/libvirtd status
|
||||
retval=$?
|
||||
[ $retval -eq 32 ] && WARN libvirtd crashed - zapping && /etc/init.d/libvirtd zap
|
||||
[ $retval -eq 0 ] || /etc/init.d/libvirtd start || return 5$? # error: Failed to start livirtd
|
||||
proxy_rc_service libvirtd start || return 3
|
||||
sleep $DELAY
|
||||
fi
|
||||
$PL proxy_libvirt_no_autostart
|
||||
$PL proxy_libvirt_start
|
||||
$PL proxy_libvirt_status
|
||||
proxy_virsh net-list | grep -q Whonix-Internal || virsh net-start Whonix-Internal || return 3
|
||||
proxy_virsh net-list | grep -q Whonix-External || virsh net-start Whonix-External || return 4
|
||||
|
||||
[ -z "$domain" ] && domain="$( proxy_testforge_get_gateway_dom )"
|
||||
[ -z "$domain" ] && echo WARN: null proxy_testforge_get_gateway_dom && \
|
||||
domain=Whonix-Gateway && \
|
||||
INFO set proxy_testforge_get_gateway_dom $domain
|
||||
$PL proxy_libvirt_list | grep -v grep | grep "$domain" || \
|
||||
virsh start $domain || {
|
||||
ret=$?
|
||||
echo ERROR: proxy_whonix_libvirt_start failed virsh start $domain ret=$ret
|
||||
return 5$ret
|
||||
}
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_test
|
||||
proxy_whonix_test () {
|
||||
local dire
|
||||
DBUG proxy_whonix_test $dire
|
||||
[ "$#" -eq 0 ] && dire=$MODE || dire=$1
|
||||
|
||||
[ $dire = ws -o $dire = workstation ] && dire=vda
|
||||
|
||||
if [ $dire = client ] ; then
|
||||
:
|
||||
# dunno - look at netstat? -nle4
|
||||
|
||||
elif [ $dire = nat ] ; then
|
||||
$PL proxy_libvirt_test_guest
|
||||
|
||||
elif [ $dire = vda -o $dire = gateway ] ; then
|
||||
proxy_whonix_test_guest
|
||||
|
||||
elif [ $dire = tor ] ; then
|
||||
$PL proxy_libvirt_test_host
|
||||
|
||||
elif [ $dire = whonix ] ; then
|
||||
$PL proxy_libvirt_no_autostart
|
||||
$PL proxy_libvirt_clean_virbr1_rules
|
||||
|
||||
proxy_whonix_get_gateway_dom
|
||||
[ -z "$GATEW_DOM" ] && echo WARN: $prog DOM proxy_whonix_get_gateway_dom assuming Whonix-Gateway && DOM=Whonix-Gateway || DOM=$GATEW_DOM
|
||||
|
||||
proxy_virsh list | grep -q $DOM || { echo ERROR: $prog $DOM not running ; return 2 ; }
|
||||
|
||||
$PREFIX/bin/proxy_ping_test.bash from_tor || return 6$?
|
||||
fi
|
||||
|
||||
#? gateway
|
||||
if [ $dire = whonix -o $dire = vda -o $dire = tor ] ; then
|
||||
proxy_rc_service polipo status >/dev/null >/dev/null || \
|
||||
{ echo ERROR: $prog polipo not running ; return 4 ; }
|
||||
$PREFIX/bin/proxy_ping_test.bash polipo || return 9$?
|
||||
elif [ $dire = host -o $dire = tor ] ; then
|
||||
proxy_rc_service privoxy status >/dev/null >/dev/null || \
|
||||
{ echo ERROR: $prog privoxy not running ; return 4 ; }
|
||||
$PREFIX/bin/proxy_ping_test.bash privoxy || return 9$?
|
||||
fi
|
||||
|
||||
if [ $dire = vda -o $dire = ws -o $dire = workstation ] ; then
|
||||
proxy_clobber_resolv_local 10.152.152.10
|
||||
elif [ $dire = gateway -o $dire = whonix -o $dire = tor ] ; then
|
||||
proxy_rc_service dnsmasq status 2>/dev/null >/dev/null || \
|
||||
{ echo ERROR: $prog dnsmasq not running ; return 5 ; }
|
||||
proxy_clobber_resolv_local 127.0.0.1
|
||||
fi
|
||||
$PREFIX/bin/proxy_ping_test.bash dns # || return 9$?
|
||||
|
||||
$PREFIX/bin/proxy_ping_test.bash $dire || return 6$?
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
# Weher was this
|
||||
## rc_host_symlink_etc_fstab
|
||||
rc_host_symlink_etc_fstab () {
|
||||
grep -q root=/dev/vda /proc/cmdline
|
||||
PROXY_IS_VDA=$?
|
||||
if [ $PROXY_IS_VDA -eq 0 ] ; then
|
||||
[ -h /etc/fstab ] && [ -f /etc/fstab.vda ] && \
|
||||
rm -f /etc/fstab && ln -s /etc/fstab.vda /etc/fstab
|
||||
return 1
|
||||
# else
|
||||
# [ -h /etc/fstab ] && [ -f /etc/fstab.4TA ] && \
|
||||
# rm -f /etc/fstab && ln -s /etc/fstab.4TA /etc/fstab
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_vda_config
|
||||
proxy_vda_config () {
|
||||
|
||||
rc_host_symlink_etc_fstab
|
||||
sed -e 's/^#x1/x1/' -i /etc/inittab #
|
||||
|
||||
if false ; then
|
||||
sed -e 's/^#//' -i $PREFIX/etc/modules_load.d/vda*conf
|
||||
if [ ! -h /etc/modules_load.d/vda_mods.conf ] ; then
|
||||
ln -s $PREFIX/etc/modules_load.d/vda*conf /etc/modules_load.d/
|
||||
fi
|
||||
fi
|
||||
if false ; then
|
||||
[ -f /etc/firewall.conf.vda ] && \
|
||||
cp -p /etc/firewall.conf.vda /etc/firewall.conf
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
##
|
||||
old_proxy_vda_config () {
|
||||
|
||||
[ -f /etc/inittab ] && sed -e 's/^#x1/x1/' -i /etc/inittab
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_vda_whonix_config
|
||||
proxy_vda_whonix_config () {
|
||||
local dir=vda
|
||||
|
||||
DEST=10.152.152.10
|
||||
PROXY_WLAN=eth0
|
||||
proxy_host_whonix_config $dire $DEST 9053 $PROXY_WLAN
|
||||
|
||||
return $?
|
||||
}
|
||||
|
||||
## proxy_quest_config
|
||||
proxy_quest_config () {
|
||||
|
||||
proxy_vda_config
|
||||
|
||||
sed -e 's/^#//' -i $PREFIX/etc/modules_load.d/vda*conf
|
||||
if [ ! -h /etc/modules_load.d/vda_mods.conf ] ; then
|
||||
cp -np $PREFIX/etc/modules_load.d/vda*conf /etc/modules-load.d/
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_dnsmasq_start
|
||||
proxy_whonix_dnsmasq_start () {
|
||||
local dire
|
||||
local service=dnsmasq
|
||||
|
||||
[ "$#" -eq 0 ] || dire=$1
|
||||
[ -z "$dire" ] && MODE="$( proxy_ping_mode )" && dire=$MODE
|
||||
[ -n "$MODE" ] || MODE=host
|
||||
|
||||
DBUG proxy_whonix_dnsmasq_start $dire $PROXY_WLAN
|
||||
|
||||
proxy_whonix_config $dire || return 1$?
|
||||
|
||||
PROXY_WLAN=$( proxy_get_if )
|
||||
[ -z "$PROXY_WLAN" ] && echo ERROR: $prog empty PROXY_WLAN && return 4
|
||||
|
||||
sed -e "s/wlan[0-9]/$PROXY_WLAN/" -i /etc/dnsmasq.conf.$dire
|
||||
if diff /etc/dnsmasq.conf.$dire /etc/dnsmasq.conf >/dev/null ; then
|
||||
proxy_rc_service dnsmasq status >/dev/null || \
|
||||
proxy_ping_dnsmasq_start || return 8$?
|
||||
else
|
||||
proxy_rc_service dnsmasq status >/dev/null && \
|
||||
proxy_ping_dnsmasq_stop
|
||||
cp -p /etc/dnsmasq.conf.$dire /etc/dnsmasq.conf
|
||||
proxy_ping_dnsmasq_start || return 8$?
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_privoxy_start
|
||||
proxy_whonix_polipo_start () {
|
||||
local dire
|
||||
local service=polipo
|
||||
|
||||
[ $# -eq 1 ] && dire=$1
|
||||
[ -z "$dire" ] && dire="$( proxy_ping_mode )"
|
||||
DBUG proxy_whonix_start_$service $dire
|
||||
|
||||
proxy_whonix_config $dire || \
|
||||
echo WARN: proxy_whonix_polipo_start proxy_whonix_config $dire $? # return 1$?
|
||||
|
||||
sed -e "s/wlan[0-9]/$PROXY_WLAN/" -e "s/eth[0-9]/$PROXY_WLAN/" -i /etc/polipo/config.$dire
|
||||
|
||||
if ! diff /etc/polipo/config.$dire /etc/polipo/config ; then
|
||||
cp -p /etc/polipo/config.$dire /etc/polipo/config
|
||||
proxy_rc_service $service restart || return 2$?
|
||||
else
|
||||
proxy_rc_service $service status >/dev/null || \
|
||||
proxy_rc_service $service start||return 3$
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_host_prepare_blocks
|
||||
proxy_whonix_host_prepare_blocks () {
|
||||
if [ ! -s /etc/firewall.conf.block ] ; then
|
||||
if [ -f $PREFIX/etc/firewall.conf.block ] ; then
|
||||
echo "WARN: $prog copying $PREFIX/etc/firewall.conf.block"
|
||||
cp -p $PREFIX/etc/firewall.conf.block /etc/firewall.conf.block
|
||||
else
|
||||
ERROR "$prog missing $PREFIX/etc/firewall.conf.block"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_host_add_block
|
||||
proxy_whonix_host_add_block () {
|
||||
local elt tab ip
|
||||
|
||||
# PROXY_WLAN=$( proxy_get_if )
|
||||
# [ $? -ne 0 -o -z "$PROXY_WLAN" ] && echo ERROR: $prog null interface && return 1
|
||||
if [ "$#" -eq 0 ] ; then
|
||||
proxy_whonix_host_prepare_blocks \| return 1$?
|
||||
set -- $( cat /etc/firewall.conf.block )
|
||||
fi
|
||||
# DBUG "$prog adding $*"
|
||||
[ -f /etc/firewall.conf.newer ] || \
|
||||
cp -p /etc/firewall.conf /etc/firewall.conf.newer
|
||||
for elt in wlan virbr1 ; do
|
||||
[ $elt = wlan ] && tab=INPUT || tab=LIBVIRT_FWI
|
||||
grep -q "^# blocks $elt" /etc/firewall.conf.newer || {
|
||||
echo ERROR: maker not found "^# blocks $elt" in /etc/firewall.conf.newer
|
||||
return 2
|
||||
}
|
||||
sed -e "/^# blocks $elt/,\$d" /etc/firewall.conf.newer > /etc/firewall.conf.$$
|
||||
echo "# blocks $elt" >> /etc/firewall.conf.$$
|
||||
for ip in $* ; do
|
||||
grep -q $ip /etc/firewall.conf.block || \
|
||||
grep -q $ip /etc/firewall.conf.block.newer || \
|
||||
echo $ip >> /etc/firewall.conf.block.newer
|
||||
grep -q -e "A $tab -s $ip" /etc/firewall.conf.newer && continue
|
||||
echo "-A $tab -s $ip -p tcp -j DROP" >> /etc/firewall.conf.$$
|
||||
DBUG "$prog -A $tab -s $ip -m tcp -p tcp -j DROP"
|
||||
done
|
||||
sed -e "1,/^# blocks $elt/d" /etc/firewall.conf.newer >> /etc/firewall.conf.$$
|
||||
mv /etc/firewall.conf.$$ /etc/firewall.conf.newer
|
||||
done
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_host_online
|
||||
proxy_whonix_host_online () {
|
||||
[ -n "$PROXY_WLAN" ] || PROXY_WLAN=$( proxy_get_if ) || return 1$?
|
||||
[ -z "$PROXY_WLAN" ] && echo ERROR: empty PROXY_WLAN && return 2
|
||||
if [ -x /etc/init.d/NetworkManager ] ; then
|
||||
/etc/init.d/NetworkManager status || /etc/init.d/NetworkManager start || return 3
|
||||
else
|
||||
proxy_rc_service NetworkManager status >/dev/null \
|
||||
|| proxy_rc_service NetworkManager start || return 3$?
|
||||
fi
|
||||
nm-online -t 0 -x || return 4$?
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_down - call when the network goes down
|
||||
proxy_whonix_down () {
|
||||
# $PREFIX/bin/proxy_ping_test.bash "$MODE" || return 1$?
|
||||
proxy_ping_online && return 0 # dont do anything
|
||||
# nothing to do?
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_up - call when the network comes up
|
||||
proxy_whonix_up () {
|
||||
# $PREFIX/bin/proxy_ping_test.bash "$MODE" || return 1$?
|
||||
proxy_ping_online || return 0 # dont do anything
|
||||
return 0
|
||||
}
|
||||
|
||||
## proxy_whonix_start_wget
|
||||
proxy_whonix_start_wget () {
|
||||
return 0
|
||||
if [ -f /etc/wgetrc ] ; then
|
||||
sp=https://127.0.0.1:3128
|
||||
grep -q ^https_proxy /etc/wgetrc && \
|
||||
sed -e "s@https_proxy.*@https_proxy = $sp@" -i /etc/wgetrc
|
||||
grep -q ^https_proxy /etc/wgetrc && \
|
||||
echo "https_proxy = $sp" >> /etc/wgetrc
|
||||
grep -q ^http_proxy /etc/wgetrc && \
|
||||
sed -e "s@http_proxy.*@http_proxy = $sp@" -i /etc/wgetrc
|
||||
grep -q ^http_proxy /etc/wgetrc || \
|
||||
echo "http_proxy = $sp" >> /etc/wgetrc
|
||||
fi
|
||||
|
||||
sp=http://127.0.0.1:3128
|
||||
for elt_proxy in http https ; do
|
||||
grep -q ^$elt_proxy /etc/wgetrc && \
|
||||
sed -e "s@$elt_proxy.*@$elt_proxy = $sp@" -i /etc/wgetrc || \
|
||||
echo "$elt_proxy = $sp" >> /etc/wgetrc
|
||||
done
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
if [ -x /usr/bin/basename ] && [ $( /usr/bin/basename -- $0 .bash ) = $base ] ; then
|
||||
[ "$#" -eq 0 ] && exit 0
|
||||
[ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && \
|
||||
echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//'|sort && \
|
||||
exit 0
|
||||
DBUG $base "$@"
|
||||
eval "$@"
|
||||
exit $?
|
||||
fi
|
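--- a/overlay/Linux/usr/local/sbin/proxy_whonix_tor_start.bash
+++ b/overlay/Linux/usr/local/sbin/proxy_whonix_tor_start.bash
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec sh proxy_whonix_gateway_tor.bash "$@"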
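Review bot: `exec sh proxy_whonix_gateway_tor.bash "$@"` looks the target up relative to the caller's current directory rather than the wrapper's own location, so it fails unless it is invoked from the directory that holds both scripts. It also hands a `.bash` file to `sh`, which on systems where /bin/sh is dash will reject any bash-only syntax the target uses (the target is not part of this commit, so I cannot confirm whether it needs bash). Resolving the path from `$0` and using the interpreter the shebang already names fixes both: `exec bash "${0%/*}/proxy_whonix_gateway_tor.bash" "$@"`.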
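--- a/overlay/Linux/usr/local/share/doc/txt/gitconfig3.txt
+++ b/overlay/Linux/usr/local/share/doc/txt/gitconfig3.txt
@@ -0,0 +1,93 @@
+# -*-mode: doctest; tab-width: 0; py-indent-offset: 4; coding: utf-8-unix -*-
+
+== testserver box testing ==
+
+>>> import os # doctest: +REPORT_ONLY_FIRST_FAILURE
+
+This is a Python doctest file that is executable documentation.
+It is built to run in the host against a Vagranted VirtualBox, and is run
+from the directory that contains the box's {{{.vagrant}}} subdirectory.
+
+>>> import subprocess
+>>> import sys
+>>> import time
+
+And, now run tests against the box.
+
+>>> sys.stderr.write("Running tests against box" +'\n')
+26
+
+=== Box settings ===
+
+We'll need the settings defined in {{{/usr/local/etc/testforge/testforge.yml}}}
+
+>>> import yaml
+>>> sFacts = open('/usr/local/etc/testforge/testforge.yml', 'rt').read()
+>>> assert sFacts
+>>> dFacts = yaml.safe_load(sFacts)
+
+=== .gitconfig ===
+
+We have a .gitconfig file in this directory that has our template
+of what we need up in the box to checkout from https://git.example.com
+You can edit the file and customize it, and we will use it as a
+Python string template, so look out for the {{{%()s}}} template fields.
+
+>>> sDir = os.path.dirname(__file__)
+>>> sFile = os.path.join(sDir, example.gitconfig')
+>>> assert os.path.isfile(sFile), "ERROR: File not found " +sFile
+>>> sGitConfig = open(sFile, 'r').read()
+>>> assert sGitConfig, "ERROR: Nothing in " +sFile
+
+We will look for the environment variables:
+* {{{AAA_CERT}}} for the filename of your example certificate
+* {{{AAA_KEY}}} for the filename of your example key
+
+>>> sCertFile = os.environ.get('AAA_CERT')
+>>> assert sCertFile, "ERROR: we need AAA_CERT set in the environment"
+>>> assert os.path.isfile(sCertFile), "ERROR: the AAA_CERT in the environment is not a file"
+
+>>> sKeyFile = os.environ.get('AAA_KEY')
+>>> assert sKeyFile, "ERROR: we need AAA_KEY set in the environment"
+>>> assert os.path.isfile(sKeyFile), "ERROR: the AAA_KEY in the environment is not a file"
+
+>>> sIdentityFile = os.path.expandvars('$HOME/.ssh/id_rsa')
+>>> assert os.path.isfile(sIdentityFile), "ERROR: the file ~/.ssh/id_rsa is not a file"
+
+
+The directory we push to should have been created by Ansible.
+
+>>> sBoxHome = dFacts['BOX_HOME']
+>>> sDir = sBoxHome +'/etc/ssl/keys'
+>>> run( "[ -d " +sDir +" ] || mkdir -p " +sDir) or None
+
+We will push these files up to the box so that we can use them.
+
+>>> sUser = os.environ.get('USERNAME') or os.environ.get('USER')
+>>> sTo = 'dd of=%s/%s@example.com-nodes.key' % (sDir, sUser,)
+>>> ssh_run_with_stdin(sTo, sKeyFile) or None
+>>> sTo = 'dd of=%s/%s@example.com-clcerts.key' % (sDir, sUser,)
+>>> ssh_run_with_stdin(sTo, sCertFile) or None
+>>> sTo = 'dd of=%s/%s@example.com-id_rsa' % (sDir, sUser,)
+>>> ssh_run_with_stdin(sTo, sIdentityFile) or None
+>>> sToDir = '%s/%s@*' % (sDir, sUser,)
+>>> run( "chown 600 " +sToDir) or None
+
+Now we have the cert and key up we can write our templated {{{~/.gitconfig}}}
+
+>>> sTempDir = os.environ.get('temp') or os.environ.get('TMP') or '/tmp'
+>>> assert os.path.isdir(sTempDir)
+>>> sFile = os.path.join(sTempDir, '.gitconfig')
+>>> oFile = open(sFile, 'w')
+>>> sGitConfig = sGitConfig % dict(USER=sUser, KEYSDIR=sDir,
+... BOX_HOME=sBoxHome)
+>>> try:
+... oFile.write(sGitConfig)
+... finally:
+... oFile.close()
+>>> assert os.path.isfile(sFile)
+>>> sTo = sBoxHome +'/.gitconfig'
+>>> ssh_run_with_stdin('dd of=' +sTo, sFile) or None
+>>> sys.stderr.write("Wrote templated .gitconfig to " +sFile +'\n')
+
+QED.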
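Review bot: `run( "chown 600 " +sToDir)` does not restrict permissions; `chown` changes the owner (here to a user literally named 600), so the private key, client certificate and the copy of `~/.ssh/id_rsa` just pushed to the box are left at whatever mode `dd` created them with. What is evidently meant is `run("chmod 600 " + sToDir) or None`. Earlier in the same file, `os.path.join(sDir, example.gitconfig')` is missing its opening quote and fails the doctest with a SyntaxError before any upload happens; it should read `os.path.join(sDir, 'example.gitconfig')`. Separately, consider whether the user's personal `~/.ssh/id_rsa` should be copied into a test box at all rather than a dedicated deploy key.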
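--- a/overlay/Linux/usr/local/share/doc/txt/gitconfigV.txt
+++ b/overlay/Linux/usr/local/share/doc/txt/gitconfigV.txt
@@ -0,0 +1,93 @@
+# -*-mode: doctest; tab-width: 0; py-indent-offset: 4; coding: utf-8-unix -*-
+
+== testserver box testing ==
+
+>>> import os # doctest: +REPORT_ONLY_FIRST_FAILURE
+
+This is a Python doctest file that is executable documentation.
+It is built to run in the host against a Vagranted VirtualBox, and is run
+from the directory that contains the box's {{{.vagrant}}} subdirectory.
+
+>>> import subprocess
+>>> import sys
+>>> import time
+
+And, now run tests locally
+
+>>> sys.stderr.write("Running tests locally" +'\n')
+22
+
+=== Box settings ===
+
+We'll need the settings defined in {{{/usr/local/etc/testforge/testforge.yml}}}
+
+>>> import yaml
+>>> sFacts = open('/usr/local/etc/testforge/testforge.yml', 'rt').read()
+>>> assert sFacts
+>>> dFacts = yaml.safe_load(sFacts)
+
+=== .gitconfig ===
+
+We have a .gitconfig file in this directory that has our template
+of what we need up in the box to checkout from https://git.example.com
+You can edit the file and customize it, and we will use it as a
+Python string template, so look out for the {{{%()s}}} template fields.
+
+>>> sDir = '/var/local/share/doc/txt'
+>>> sFile = os.path.join(sDir, 'example.gitconfig')
+>>> assert os.path.isfile(sFile), "ERROR: File not found " +sFile
+>>> sGitConfig = open(sFile, 'r').read()
+>>> assert sGitConfig, "ERROR: Nothing in " +sFile
+
+We will look for the environment variables:
+* {{{AAA_CERT}}} for the filename of your example certificate
+* {{{AAA_KEY}}} for the filename of your example key
+
+>>> sCertFile = os.environ.get('AAA_CERT')
+>>> assert sCertFile, "ERROR: we need AAA_CERT set in the environment"
+>>> assert os.path.isfile(sCertFile), "ERROR: the AAA_CERT in the environment is not a file"
+
+>>> sKeyFile = os.environ.get('AAA_KEY')
+>>> assert sKeyFile, "ERROR: we need AAA_KEY set in the environment"
+>>> assert os.path.isfile(sKeyFile), "ERROR: the AAA_KEY in the environment is not a file"
+
+>>> sIdentityFile = os.path.expandvars('$HOME/.ssh/id_rsa')
+>>> assert os.path.isfile(sIdentityFile), "ERROR: the file ~/.ssh/id_rsa is not a file"
+
+
+The directory we push to should have been created by Ansible.
+
+>>> sBoxHome = dFacts['BOX_HOME']
+>>> sDir = sBoxHome +'/etc/ssl/keys'
+>>> run( "[ -d " +sDir +" ] || mkdir -p " +sDir) or None
+
+We will push these files up to the box so that we can use them.
+
+>>> sUser = os.environ.get('USERNAME') or os.environ.get('USER')
+>>> sTo = 'dd of=%s/%s@example.com-nodes.key' % (sDir, sUser,)
+>>> ssh_run_with_stdin(sTo, sKeyFile) or None
+>>> sTo = 'dd of=%s/%s@example.com-clcerts.key' % (sDir, sUser,)
+>>> ssh_run_with_stdin(sTo, sCertFile) or None
+>>> sTo = 'dd of=%s/%s@example.com-id_rsa' % (sDir, sUser,)
+>>> ssh_run_with_stdin(sTo, sIdentityFile) or None
+>>> sToDir = '%s/%s@*' % (sDir, sUser,)
+>>> run( "chown 600 " +sToDir) or None
+
+Now we have the cert and key up we can write our templated {{{~/.gitconfig}}}
+
+>>> sTempDir = os.environ.get('temp') or os.environ.get('TMP') or '/tmp'
+>>> assert os.path.isdir(sTempDir)
+>>> sFile = os.path.join(sTempDir, '.gitconfig')
+>>> oFile = open(sFile, 'w')
+>>> sGitConfig = sGitConfig % dict(USER=sUser, KEYSDIR=sDir,
+... BOX_HOME=sBoxHome)
+>>> try:
+... oFile.write(sGitConfig)
+... finally:
+... oFile.close()
+>>> assert os.path.isfile(sFile)
+>>> sTo = sBoxHome +'/.gitconfig'
+>>> ssh_run_with_stdin('dd of=' +sTo, sFile) or None
+>>> sys.stderr.write("Wrote templated .gitconfig to " +sFile +'\n')
+
+QED.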
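Review bot: `run( "chown 600 " +sToDir)` here has the same problem as the sibling file: `chown` sets ownership, not mode, so the uploaded key, certificate and `~/.ssh/id_rsa` copy keep their default permissions on the box; `run("chmod 600 " + sToDir) or None` is what is meant. `sDir = '/var/local/share/doc/txt'` also does not match where this commit installs the file (`/usr/local/share/doc/txt`), so `example.gitconfig` will not be found unless the /var path mirrors that tree, which nothing in the commit shows. The templated `.gitconfig` is written to a shared temp directory and left there after upload; writing it with restrictive permissions or removing it at the end would avoid leaving a file that names the key directory behind.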
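--- a/overlay/Linux/usr/local/share/doc/txt/proxy2.txt
+++ b/overlay/Linux/usr/local/share/doc/txt/proxy2.txt
@@ -0,0 +1,21 @@
+# -*-mode: doctest; tab-width: 0; py-indent-offset: 4; coding: utf-8-unix -*-
+
+== proxy box testing ==
+
+This is a Python doctest file that is executable documentation.
+It is built to run against a Vagranted VirtualBox, and is run from the
+directory that contains the box's {{{.vagrant}}} subdirectory.
+
+>>> import subprocess
+>>> import sys
+>>> import time
+
+And, now run tests against the box.
+
+>>> print("Running tests against box", file=sys.stderr)
+
+We should be able to get a page from our proxy
+
+>>> sUrl = 'http://' +myip +':3128/'
+>>> print ssh_run('wget -O - -q %s | grep Polipo | head -1' % (sUrl,))
+<title>Welcome to Polipo</title>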
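Review bot: `print ssh_run(...)` on the last code line is a Python 2 print statement, while `print("Running tests against box", file=sys.stderr)` above it is the Python 3 form; no single interpreter accepts both, so this doctest either raises SyntaxError under Python 3 or prints a tuple under Python 2. Use `>>> print(ssh_run('wget -O - -q %s | grep Polipo | head -1' % (sUrl,)))`. `myip` and `ssh_run` are not defined anywhere in the file; presumably the doctest runner injects them into the globals, but a one-line comment saying so would spare the reader the guess.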
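--- a/overlay/Linux/usr/local/share/doc/txt/proxy3.txt
+++ b/overlay/Linux/usr/local/share/doc/txt/proxy3.txt
@@ -0,0 +1,47 @@
+#!/var/local/bin/testforge_run_doctest3.bash
+# -*-mode: doctest; tab-width: 0; py-indent-offset: 4; coding: utf-8-unix -*-
+
+== proxy testing ==
+
+This is a Python doctest file that is executable documentation.
+
+>>> import os,sys # doctest: +REPORT_ONLY_FIRST_FAILURE
+
+And, now run tests against the box.
+
+>>> sys.stderr.write("Running tests against box" +'\n')
+2...
+
+=== Box settings ===
+
+We'll need the settings defined in {{{/usr/local/etc/testforge/testforge.yml}}}
+
+>>> import yaml
+>>> sFacts = run('cat /usr/local/etc/testforge/testforge.yml')
+>>> assert sFacts
+>>> dFacts = yaml.safe_load(sFacts)
+
+=== /var/local/bin/proxy_hourly.bash ===
+
+>>> os.system("/usr/local/bin/proxy_hourly.bash")
+0
+
+=== /var/local/src check ===
+
+>>> os.chdir ('/usr/local/src')
+>>> os.system('sh usr_local_proxy.bash check')
+0
+
+=== /var/local/src test ===
+
+>>> os.chdir ('/usr/local/src')
+>>> os.system('sh usr_local_proxy.bash test')
+0
+
+=== /var/local/src lint ===
+
+>>> os.chdir ('/usr/local/src')
+>>> os.system('sh usr_local_proxy.bash lint')
+0
+
+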
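Review bot: The section headings name `/var/local/bin/proxy_hourly.bash` and `/var/local/src`, but the code runs `/usr/local/bin/proxy_hourly.bash` and `os.chdir ('/usr/local/src')`; one of the two is wrong, and with the shebang pointing at `/var/local/bin` the commit does not make clear which tree is authoritative. Each `os.system('sh usr_local_proxy.bash ...')` also runs a `.bash` script under `sh`, which breaks on dash if the script uses bash syntax; `os.system('bash usr_local_proxy.bash check')` (and likewise for `test` and `lint`) is the safer form. `os.system` returns the raw wait status, so the expected `0` holds only on a clean exit, which is the right check here.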
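--- a/overlay/Linux/usr/local/share/sed/fact_to_bash.sed
+++ b/overlay/Linux/usr/local/share/sed/fact_to_bash.sed
@@ -0,0 +1,7 @@
+# ROLE=proxy
+s@u*'@@g
+s@^ *@@
+s@\[@"@
+s@\]@"@
+s@, @ @g
+s@^@export @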
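Review bot: The generated `export NAME=value` lines leave scalar values unquoted and wrap only bracketed list values in double quotes (`s@\[@"@`, `s@\]@"@`), so any fact containing whitespace, `$`, backticks or `"` is word-split or expanded by the shell that sources the output — a fact value becomes shell code. Since `s@u*'@@g` strips every single quote first, wrapping the whole value in single quotes afterwards is safe: add `s@=\(.*\)@='\1'@` before the `export` line and drop the `[`/`]`-to-`"` steps, which would then be literal characters inside the quotes. How the output is consumed is not shown in this commit, so this assumes it is `source`d by bash; if it is parsed some other way the quoting should match that consumer instead.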
@ -0,0 +1,80 @@
|
||||
<domain type='kvm'>
|
||||
<name>Kicksecure</name>
|
||||
<description>Do not change any settings if you do not understand the consequences! Learn more: https://www.whonix.org/wiki/KVM#XML_Settings</description>
|
||||
<genid/>
|
||||
<memory dumpCore='off' unit='KiB'>2097152</memory>
|
||||
<currentMemory unit='KiB'>2097152</currentMemory>
|
||||
<memoryBacking>
|
||||
<allocation mode='ondemand'/>
|
||||
<discard/>
|
||||
<nosharepages/>
|
||||
</memoryBacking>
|
||||
<blkiotune>
|
||||
<weight>250</weight>
|
||||
</blkiotune>
|
||||
<vcpu placement='static' cpuset='1'>1</vcpu>
|
||||
<os>
|
||||
<type>hvm</type>
|
||||
<boot dev='hd'/>
|
||||
</os>
|
||||
<features>
|
||||
<acpi/>
|
||||
<hap/>
|
||||
<pvspinlock state='on'/>
|
||||
<pmu state='off'/>
|
||||
<vmport state='off'/>
|
||||
</features>
|
||||
<cpu mode='host-passthrough'/>
|
||||
<clock offset='utc'>
|
||||
<timer name='rtc' present='no'/>
|
||||
<timer name='kvmclock' present='no'/>
|
||||
<timer name='pit' present='no'/>
|
||||
<timer name='hpet' present='no'/>
|
||||
<timer name='hypervclock' present='no'/>
|
||||
</clock>
|
||||
<on_poweroff>destroy</on_poweroff>
|
||||
<on_reboot>restart</on_reboot>
|
||||
<on_crash>restart</on_crash>
|
||||
<pm>
|
||||
<suspend-to-mem enabled='no'/>
|
||||
<suspend-to-disk enabled='no'/>
|
||||
</pm>
|
||||
<devices>
|
||||
<disk type='file' device='disk'>
|
||||
<driver name='qemu' type='qcow2'/>
|
||||
<source file='/var/lib/libvirt/images/Kicksecure.qcow2'/>
|
||||
<target dev='vda' bus='virtio'/>
|
||||
</disk>
|
||||
<interface type='network'>
|
||||
<source network='default'/>
|
||||
<model type='virtio'/>
|
||||
<driver name='qemu'/>
|
||||
</interface>
|
||||
<controller type='virtio-serial' index='0'/>
|
||||
<serial type='pty'>
|
||||
<target port='0'/>
|
||||
</serial>
|
||||
<console type='pty'>
|
||||
<target type='serial' port='0'/>
|
||||
</console>
|
||||
<channel type='spicevmc'>
|
||||
<target type='virtio' name='com.redhat.spice.0'/>
|
||||
<address type='virtio-serial' controller='0' bus='0' port='1'/>
|
||||
</channel>
|
||||
<graphics type='spice' autoport='yes'>
|
||||
<clipboard copypaste='no'/>
|
||||
<filetransfer enable='no'/>
|
||||
<gl enable='no'/>
|
||||
</graphics>
|
||||
<sound model='ich6'>
|
||||
<codec type='output'/>
|
||||
</sound>
|
||||
<video>
|
||||
<model type='virtio' heads='1' primary='yes'/>
|
||||
</video>
|
||||
<memballoon model='none'/>
|
||||
<rng model='virtio'>
|
||||
<backend model='random'>/dev/urandom</backend>
|
||||
</rng>
|
||||
</devices>
|
||||
</domain>
|
@ -0,0 +1,80 @@
|
||||
<domain type='kvm'>
|
||||
<name>Whonix-Custom-Workstation</name>
|
||||
<description>Do not change any settings if you do not understand the consequences! Learn more: https://www.whonix.org/wiki/KVM#XML_Settings</description>
|
||||
<genid/>
|
||||
<memory dumpCore='off' unit='KiB'>2097152</memory>
|
||||
<currentMemory unit='KiB'>2097152</currentMemory>
|
||||
<memoryBacking>
|
||||
<allocation mode='ondemand'/>
|
||||
<discard/>
|
||||
<nosharepages/>
|
||||
</memoryBacking>
|
||||
<blkiotune>
|
||||
<weight>250</weight>
|
||||
</blkiotune>
|
||||
<vcpu placement='static' cpuset='1'>1</vcpu>
|
||||
<os>
|
||||
<type>hvm</type>
|
||||
<boot dev='hd'/>
|
||||
</os>
|
||||
<features>
|
||||
<acpi/>
|
||||
<hap/>
|
||||
<pvspinlock state='on'/>
|
||||
<pmu state='off'/>
|
||||
<vmport state='off'/>
|
||||
</features>
|
||||
<cpu mode='host-passthrough'/>
|
||||
<clock offset='utc'>
|
||||
<timer name='rtc' present='no'/>
|
||||
<timer name='kvmclock' present='no'/>
|
||||
<timer name='pit' present='no'/>
|
||||
<timer name='hpet' present='no'/>
|
||||
<timer name='hypervclock' present='no'/>
|
||||
</clock>
|
||||
<on_poweroff>destroy</on_poweroff>
|
||||
<on_reboot>restart</on_reboot>
|
||||
<on_crash>restart</on_crash>
|
||||
<pm>
|
||||
<suspend-to-mem enabled='no'/>
|
||||
<suspend-to-disk enabled='no'/>
|
||||
</pm>
|
||||
<devices>
|
||||
<disk type='file' device='disk'>
|
||||
<driver name='qemu' type='qcow2'/>
|
||||
<source file='/var/lib/libvirt/images/Whonix-Custom-Workstation.qcow2'/>
|
||||
<target dev='vda' bus='virtio'/>
|
||||
</disk>
|
||||
<interface type='network'>
|
||||
<source network='Whonix-Internal'/>
|
||||
<model type='virtio'/>
|
||||
<driver name='qemu'/>
|
||||
</interface>
|
||||
<controller type='virtio-serial' index='0'/>
|
||||
<serial type='pty'>
|
||||
<target port='0'/>
|
||||
</serial>
|
||||
<console type='pty'>
|
||||
<target type='serial' port='0'/>
|
||||
</console>
|
||||
<channel type='spicevmc'>
|
||||
<target type='virtio' name='com.redhat.spice.0'/>
|
||||
<address type='virtio-serial' controller='0' bus='0' port='1'/>
|
||||
</channel>
|
||||
<graphics type='spice' autoport='yes'>
|
||||
<clipboard copypaste='no'/>
|
||||
<filetransfer enable='no'/>
|
||||
<gl enable='no'/>
|
||||
</graphics>
|
||||
<sound model='ich6'>
|
||||
<codec type='output'/>
|
||||
</sound>
|
||||
<video>
|
||||
<model type='virtio' heads='1' primary='yes'/>
|
||||
</video>
|
||||
<memballoon model='none'/>
|
||||
<rng model='virtio'>
|
||||
<backend model='random'>/dev/urandom</backend>
|
||||
</rng>
|
||||
</devices>
|
||||
</domain>
|
@ -0,0 +1,6 @@
|
||||
<network>
|
||||
<name>Whonix-External</name>
|
||||
<forward mode='nat'/>
|
||||
<bridge name='virbr1' stp='on' delay='0'/>
|
||||
<ip address='10.0.2.2' netmask='255.255.255.0'/>
|
||||
</network>
|
@ -0,0 +1,82 @@
|
||||
<domain type='kvm'>
|
||||
<name>Whonix-Gateway</name>
|
||||
<description>Do not change any settings if you do not understand the consequences! Learn more: https://www.whonix.org/wiki/KVM#XML_Settings</description>
|
||||
<genid/>
|
||||
<memory dumpCore='off' unit='KiB'>524288</memory>
|
||||
<currentMemory unit='KiB'>524288</currentMemory>
|
||||
<memoryBacking>
|
||||
<allocation mode='ondemand'/>
|
||||
<discard/>
|
||||
<nosharepages/>
|
||||
</memoryBacking>
|
||||
<blkiotune>
|
||||
<weight>250</weight>
|
||||
</blkiotune>
|
||||
<vcpu placement='static' cpuset='0'>1</vcpu>
|
||||
<os>
|
||||
<type>hvm</type>
|
||||
<boot dev='hd'/>
|
||||
</os>
|
||||
<features>
|
||||
<acpi/>
|
||||
<hap/>
|
||||
<pvspinlock state='on'/>
|
||||
<pmu state='off'/>
|
||||
<vmport state='off'/>
|
||||
</features>
|
||||
<cpu mode='host-passthrough'/>
|
||||
<clock offset='utc'>
|
||||
<timer name='rtc' tickpolicy='catchup' track='guest'/>
|
||||
<timer name='kvmclock' present='yes'/>
|
||||
<timer name='pit' present='no'/>
|
||||
<timer name='hpet' present='no'/>
|
||||
<timer name='hypervclock' present='no'/>
|
||||
</clock>
|
||||
<on_poweroff>destroy</on_poweroff>
|
||||
<on_reboot>restart</on_reboot>
|
||||
<on_crash>restart</on_crash>
|
||||
<pm>
|
||||
<suspend-to-mem enabled='no'/>
|
||||
<suspend-to-disk enabled='no'/>
|
||||
</pm>
|
||||
<devices>
|
||||
<disk type='file' device='disk'>
|
||||
<driver name='qemu' type='qcow2'/>
|
||||
<source file='/var/lib/libvirt/images/Whonix-Gateway.qcow2'/>
|
||||
<target dev='vda' bus='virtio'/>
|
||||
</disk>
|
||||
<interface type='network'>
|
||||
<source network='Whonix-External'/>
|
||||
<model type='virtio'/>
|
||||
<driver name='qemu'/>
|
||||
</interface>
|
||||
<interface type='network'>
|
||||
<source network='Whonix-Internal'/>
|
||||
<model type='virtio'/>
|
||||
<driver name='qemu'/>
|
||||
</interface>
|
||||
<controller type='virtio-serial' index='0'/>
|
||||
<serial type='pty'>
|
||||
<target port='0'/>
|
||||
</serial>
|
||||
<console type='pty'>
|
||||
<target type='serial' port='0'/>
|
||||
</console>
|
||||
<channel type='spicevmc'>
|
||||
<target type='virtio' name='com.redhat.spice.0'/>
|
||||
<address type='virtio-serial' controller='0' bus='0' port='1'/>
|
||||
</channel>
|
||||
<graphics type='spice' autoport='yes'>
|
||||
<clipboard copypaste='yes'/>
|
||||
<filetransfer enable='no'/>
|
||||
<gl enable='no'/>
|
||||
</graphics>
|
||||
<video>
|
||||
<model type='virtio' heads='1' primary='yes'/>
|
||||
</video>
|
||||
<memballoon model='none'/>
|
||||
<rng model='virtio'>
|
||||
<backend model='random'>/dev/urandom</backend>
|
||||
</rng>
|
||||
</devices>
|
||||
</domain>
|
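Review bot: `<clipboard copypaste='yes'/>` on the gateway differs from the three other domain definitions in this commit, which all set `copypaste='no'`; a shared clipboard between the host and the Tor gateway is a channel for pasting host data into the anonymity-critical VM, or gateway data out of it, by accident. Unless the gateway deliberately needs it, set `<clipboard copypaste='no'/>` to match the others. The clock settings (`kvmclock present='yes'`, `rtc` with `tickpolicy='catchup' track='guest'`) also diverge from the workstation definitions; if that is intentional, an XML comment saying why would save the next reader a side-by-side comparison.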
@ -0,0 +1,4 @@
|
||||
<network>
|
||||
<name>Whonix-Internal</name>
|
||||
<bridge name='virbr2' stp='on' delay='0'/>
|
||||
</network>
|
@ -0,0 +1,80 @@
|
||||
<domain type='kvm'>
|
||||
<name>Whonix-Workstation</name>
|
||||
<description>Do not change any settings if you do not understand the consequences! Learn more: https://www.whonix.org/wiki/KVM#XML_Settings</description>
|
||||
<genid/>
|
||||
<memory dumpCore='off' unit='KiB'>2097152</memory>
|
||||
<currentMemory unit='KiB'>2097152</currentMemory>
|
||||
<memoryBacking>
|
||||
<allocation mode='ondemand'/>
|
||||
<discard/>
|
||||
<nosharepages/>
|
||||
</memoryBacking>
|
||||
<blkiotune>
|
||||
<weight>250</weight>
|
||||
</blkiotune>
|
||||
<vcpu placement='static' cpuset='1'>1</vcpu>
|
||||
<os>
|
||||
<type>hvm</type>
|
||||
<boot dev='hd'/>
|
||||
</os>
|
||||
<features>
|
||||
<acpi/>
|
||||
<hap/>
|
||||
<pvspinlock state='on'/>
|
||||
<pmu state='off'/>
|
||||
<vmport state='off'/>
|
||||
</features>
|
||||
<cpu mode='host-passthrough'/>
|
||||
<clock offset='utc'>
|
||||
<timer name='rtc' present='no'/>
|
||||
<timer name='kvmclock' present='no'/>
|
||||
<timer name='pit' present='no'/>
|
||||
<timer name='hpet' present='no'/>
|
||||
<timer name='hypervclock' present='no'/>
|
||||
</clock>
|
||||
<on_poweroff>destroy</on_poweroff>
|
||||
<on_reboot>restart</on_reboot>
|
||||
<on_crash>restart</on_crash>
|
||||
<pm>
|
||||
<suspend-to-mem enabled='no'/>
|
||||
<suspend-to-disk enabled='no'/>
|
||||
</pm>
|
||||
<devices>
|
||||
<disk type='file' device='disk'>
|
||||
<driver name='qemu' type='qcow2'/>
|
||||
<source file='/var/lib/libvirt/images/Whonix-Workstation.qcow2'/>
|
||||
<target dev='vda' bus='virtio'/>
|
||||
</disk>
|
||||
<interface type='network'>
|
||||
<source network='Whonix-Internal'/>
|
||||
<model type='virtio'/>
|
||||
<driver name='qemu'/>
|
||||
</interface>
|
||||
<controller type='virtio-serial' index='0'/>
|
||||
<serial type='pty'>
|
||||
<target port='0'/>
|
||||
</serial>
|
||||
<console type='pty'>
|
||||
<target type='serial' port='0'/>
|
||||
</console>
|
||||
<channel type='spicevmc'>
|
||||
<target type='virtio' name='com.redhat.spice.0'/>
|
||||
<address type='virtio-serial' controller='0' bus='0' port='1'/>
|
||||
</channel>
|
||||
<graphics type='spice' autoport='yes'>
|
||||
<clipboard copypaste='no'/>
|
||||
<filetransfer enable='no'/>
|
||||
<gl enable='no'/>
|
||||
</graphics>
|
||||
<sound model='ich6'>
|
||||
<codec type='output'/>
|
||||
</sound>
|
||||
<video>
|
||||
<model type='virtio' heads='1' primary='yes'/>
|
||||
</video>
|
||||
<memballoon model='none'/>
|
||||
<rng model='virtio'>
|
||||
<backend model='random'>/dev/urandom</backend>
|
||||
</rng>
|
||||
</devices>
|
||||
</domain>
|
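--- a/overlay/Linux/usr/local/src/helper-scripts/anondate
+++ b/overlay/Linux/usr/local/src/helper-scripts/anondate
@@ -0,0 +1,300 @@
+#!/bin/bash
+
+## Copyright (C) Amnesia <amnesia at boum dot org>
+## Copyright (C) 2014 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+set -o pipefail
+
+export TOR_LOG="/var/log/tor/log"
+if [ -d /var/lib/tor/data ] ; then
+export TOR_DIR=/var/lib/tor/data
+elif [ -d /var/lib/tor ] ; then
+export TOR_DIR=/var/lib/tor
+fi
+
+USAGE="
+--has-consensus
+--current-time-in-valid-range
+--show-valid-after
+--show-valid-until
+--show-middle-range
+--tor-cert-lifetime-invalid
+--tor-cert-valid-after
+--verified-only
+--prefer-verified
+--unverified-only
+--user-permission
+--group-permission
+"
+
+variables () {
+[ -n "$TOR_RC" ] || TOR_RC="/etc/tor/torrc"
+[ -n "$TOR_LOG" ] || TOR_LOG="/run/tor/log"
+[ -n "$TOR_DIR" ] || TOR_DIR="/var/lib/tor"
+[ -n "$TOR_DESCRIPTORS" ] || TOR_DESCRIPTORS="${TOR_DIR}/cached-microdescs"
+[ -n "$NEW_TOR_DESCRIPTORS" ] || NEW_TOR_DESCRIPTORS="${TOR_DESCRIPTORS}.new"
+[ -n "$TOR_CONSENSUS" ] || TOR_CONSENSUS="${TOR_DIR}/cached-microdesc-consensus"
+[ -n "$TOR_UNVERIFIED_CONSENSUS" ] || TOR_UNVERIFIED_CONSENSUS="${TOR_DIR}/unverified-microdesc-consensus"
+[ -n "$DATE_RE" ] || DATE_RE='[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]'
+}
+
+parse_cmd_options() {
+## Thanks to:
+## http://mywiki.wooledge.org/BashFAQ/035
+
+while :
+do
+case $1 in
+--verbose)
+echo "$SCRIPTNAME verbose output..."
+echo "Script running as $(whoami)"
+set -x
+true "$0: $@"
+shift
+;;
+--has-consensus)
+has_consensus_="true"
+shift
+;;
+--current-time-in-valid-range)
+current_time_in_valid_range_="true"
+shift
+;;
+--show-valid-after)
+show_valid_after_="true"
+shift
+;;
+--show-valid-until)
+show_valid_until_="true"
+shift
+;;
+--show-middle-range)
+show_middle_range_="true"
+shift
+;;
+--tor-cert-lifetime-invalid)
+tor_cert_lifetime_invalid_="true"
+shift
+;;
+--tor-cert-valid-after)
+tor_cert_valid_after_="true"
+shift
+;;
+--verified-only)
+verified_only_="true"
+shift
+;;
+--prefer-verified)
+prefer_verified_="true"
+shift
+;;
+--unverified-only)
+unverified_only_="true"
+shift
+;;
+--user-permission)
+user_permission_="true"
+shift
+;;
+--group-permission)
+group_permission_="true"
+shift
+;;
+--)
+shift
+break
+;;
+-*)
+echo "$SCRIPTNAME unknown option: $1" >&2
+exit 111
+;;
+*)
+break
+;;
+esac
+done
+
+## If there are input files (for example) that follow the options, they
+## will remain in the "$@" positional parameters.
+
+if [ "$verified_only_" = "true" ]; then
+consensus="$TOR_CONSENSUS"
+elif [ "$prefer_verified_" = "true" ]; then
+if [ -e "${TOR_CONSENSUS}" ]; then
+consensus="$TOR_CONSENSUS"
+else
+consensus="$TOR_UNVERIFIED_CONSENSUS"
+fi
+elif [ "$unverified_only_" = "true" ]; then
+consensus="$TOR_UNVERIFIED_CONSENSUS"
+else
+consensus="$TOR_CONSENSUS"
+fi
+
+if [ "$has_consensus_" = "true" ]; then
+has_consensus
+exit "$?"
+fi
+if [ "$current_time_in_valid_range_" = "true" ]; then
+current_time_is_in_valid_range
+exit "$?"
+fi
+if [ "$show_valid_after_" = "true" ]; then
+show-valid-after
+exit "$?"
+fi
+if [ "$show_valid_until_" = "true" ]; then
+show-valid-until
+exit "$?"
+fi
+if [ "$show_middle_range_" = "true" ]; then
+show-middle-range
+exit "$?"
+fi
+if [ "$tor_cert_lifetime_invalid_" = "true" ]; then
+tor_cert_lifetime_invalid
+exit "$?"
+fi
+if [ "$tor_cert_valid_after_" = "true" ]; then
+tor_cert_valid_after
+exit "$?"
+fi
+if [ "$user_permission_" = "true" ]; then
+user_permission
+exit "$?"
+fi
+if [ "$group_permission_" = "true" ]; then
+group_permission
+exit "$?"
+fi
+
+echo "USAGE: $0 $USAGE"
+exit 1
+}
+
+root_check() {
+if [ "$(id -u)" != "0" ]; then
+echo "ERROR: Must run as root."
+exit 112
+fi
+}
+
+has_consensus() {
+if [ ! -r "$consensus" ]; then
+exit 4
+fi
+local grep_exit_code="0"
+grep -qs "^valid-until ${DATE_RE}"'$' "$consensus" || { grep_exit_code="$?" ; true; };
+if [ "$grep_exit_code" = "0" ]; then
+return 0
+else
+return 1
+fi
+}
+
+show-valid-after() {
+vstart="$(sed -n "/^valid-after \(${DATE_RE}\)"'$/s//\1/p; t q; b; :q q' ${consensus})" || exit 1
+if [ "$show_valid_after_" = "true" ]; then
+echo "$vstart"
+fi
+}
+
+show-valid-until() {
+vend="$(sed -n "/^valid-until \(${DATE_RE}\)"'$/s//\1/p; t q; b; :q q' ${consensus})" || exit 1
+if [ "$show_valid_until_" = "true" ]; then
+echo "$vend"
+fi
+}
+
+show-middle-range() {
+show-valid-after
+show-valid-until
+vmid="$(date -ud "${vstart} -0130" +'%F %T')" || exit 1
+if [ "$show_middle_range_" = "true" ]; then
+echo "$vmid"
+fi
+}
+
+current_time_is_in_valid_range() {
+show-middle-range
+
+## {{ Sanity Test
+## Debugging.
+#vend="2099-09-03 09:41:29"
+vendchk="$(date -ud "${vstart} -0300" +'%F %T')"
+if [ ! "${vend}" = "${vendchk}" ]; then
+echo "ERROR: Unexpected valid-until: [${vend}] is not [${vstart} + 3h]"
+return 1
+fi
+## Sanity Test
+
+curdate="$(date -u +'%F %T')"
+## Debugging.
+#curdate="2099-09-03 09:41:29"
+
+vendcons="$(date -ud "${vstart} -0230" +'%F %T')"
+order="${vstart}
+${curdate}
+${vendcons}"
+ordersrt="$(echo "${order}" | sort)"
+
+if [ "${order}" = "${ordersrt}" ]; then
+return 0
+fi
+echo WARN: failed Sanity Test
+echo INFO: 'expected' $order
+echo INFO: 'got ' $ordersrt
+return 1
+}
+
+tor_cert_lifetime_invalid() {
+if [ ! -r "$TOR_LOG" ]; then
+return 3
+fi
+
+## TODO:
+## To be sure that we only grep relevant information, we
+## should delete the log when Tor is started, which we do
+## TODO:
+## in 10-tor.sh.
+
+## Example Tor log:
+## Sep 03 10:32:59.000 [warn] Certificate already expired. Either their clock is set wrong, or your clock is wrong.
+## Sep 03 10:32:59.000 [warn] (certificate lifetime runs from Aug 16 00:00:00 2014 GMT through Jul 29 23:59:59 2015 GMT. Your time is Sep 03 10:32:59 2015 UTC.)
+
+## The log severity will be "warn" if bootstrapping with
+## authorities and "info" with bridges.
+grep "\[\(warn\|info\)\] Certificate \(not yet valid\|already expired\)\." "${TOR_LOG}" | tail -n 1
+if [ "$?" = "0" ]; then
+return 0
+else
+return 1
+fi
+}
+
+tor_cert_valid_after() {
+if [ ! -r "$TOR_LOG" ]; then
+return 3
+fi
+
+## Only print the last = freshest match
+sed -n 's/^.*certificate lifetime runs from \(.*\) through.*$/\1/p' "${TOR_LOG}" | tail -n 1
+
+## Example output:
+## Jun 16 00:00:00 2014 GMT
+## sudo: timestamp too far in the future: Jun 16 00:00:00 2014 GMT
+return 0
+}
+
+user_permission() {
+stat -c "%U" "$consensus"
+}
+
+group_permission() {
+stat -c "%G" "$consensus"
+}
+
+root_check
+variables
+parse_cmd_options "$@"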
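Review bot: `export TOR_LOG="/var/log/tor/log"` near the top of the file unconditionally overwrites whatever TOR_LOG the caller exported, so the `[ -n "$TOR_LOG" ] || TOR_LOG="/run/tor/log"` default in variables() can never take effect and the environment override that variables() is built around is lost for TOR_LOG; the TOR_DIR if/elif block does the same whenever either directory exists. `[ -n "$TOR_LOG" ] || export TOR_LOG="/var/log/tor/log"` (and the same guard on the two TOR_DIR exports) keeps the caller's value winning. In tor_cert_valid_after the new trailing `return 0` discards the status of the `sed | tail` pipeline that `set -o pipefail` was making visible, so a sed failure now reports success with empty output. The usage message printed at the end of parse_cmd_options is a diagnostic and belongs on stderr, `echo "USAGE: $0 $USAGE" >&2`, and the USAGE text omits `--verbose`, which the case statement accepts.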
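--- a/overlay/Linux/usr/local/src/helper-scripts/anondate-tester
+++ b/overlay/Linux/usr/local/src/helper-scripts/anondate-tester
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+export TOR_LOG="/var/log/tor/log"
+export TOR_DIR=/var/lib/tor/data
+
+cmd_item_list=(
+"--has-consensus"
+"--current-time-in-valid-range"
+"--show-valid-after"
+"--show-valid-until"
+"--show-middle-range"
+"--tor-cert-lifetime-invalid"
+"--tor-cert-valid-after"
+)
+
+for cmd_item in ${cmd_item_list[@]} ; do
+output="$(/usr/local/lib64/helper-scripts/anondate $cmd_item $@)"
+exit_code="$?"
+if [ $exit_code -eq 0 ] ; then
+echo "INFO: /usr/local/lib64/helper-scripts/anondate $cmd_item $@"
+echo "output: $output"
+else
+echo "WARN: /usr/local/lib64/helper-scripts/anondate $cmd_item $@"
+echo -n "exit_code: $exit_code "
+echo "output: $output"
+fi
+done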
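Review bot: `for cmd_item in ${cmd_item_list[@]} ; do` and the `$@` forwarded to anondate are unquoted, so any argument containing whitespace or glob characters is re-split and re-globbed before it reaches the script; use `for cmd_item in "${cmd_item_list[@]}" ; do` and `"$@"` in the command substitution and in the two echo lines. The tester hard-codes `/usr/local/lib64/helper-scripts/anondate` while this commit places the script under `usr/local/src/helper-scripts`; presumably the overlay is installed to lib64, and a one-line comment at the top stating that would spare the next reader the search.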
@ -0,0 +1,45 @@
|
||||
*** anondate-tester.dst 2015-10-21 00:00:00.000000000 +0000
|
||||
--- anondate-tester 2020-12-20 22:02:49.000000000 +0000
|
||||
***************
|
||||
*** 1,8 ****
|
||||
--- 1,9 ----
|
||||
#!/bin/bash
|
||||
|
||||
export TOR_LOG="/var/log/tor/log"
|
||||
+ export TOR_DIR=/var/lib/tor/data
|
||||
|
||||
cmd_item_list=(
|
||||
"--has-consensus"
|
||||
"--current-time-in-valid-range"
|
||||
"--show-valid-after"
|
||||
***************
|
||||
*** 11,22 ****
|
||||
"--tor-cert-lifetime-invalid"
|
||||
"--tor-cert-valid-after"
|
||||
)
|
||||
|
||||
for cmd_item in ${cmd_item_list[@]} ; do
|
||||
! echo "cmd_item: /usr/local/lib64/helper-scripts/anondate $cmd_item $@"
|
||||
! output="$(/usr/local/lib64/helper-scripts/anondate $cmd_item $@)"
|
||||
exit_code="$?"
|
||||
! echo "output: $output"
|
||||
! echo "exit_code: $exit_code"
|
||||
! echo "----------"
|
||||
done
|
||||
--- 12,27 ----
|
||||
"--tor-cert-lifetime-invalid"
|
||||
"--tor-cert-valid-after"
|
||||
)
|
||||
|
||||
for cmd_item in ${cmd_item_list[@]} ; do
|
||||
! output="$(/usr/local/lib64/helper-scripts/anondate $cmd_item $@)"
|
||||
exit_code="$?"
|
||||
! if [ $exit_code -eq 0 ] ; then
|
||||
! echo "INFO: /usr/local/lib64/helper-scripts/anondate $cmd_item $@"
|
||||
! echo "output: $output"
|
||||
! else
|
||||
! echo "WARN: /usr/local/lib64/helper-scripts/anondate $cmd_item $@"
|
||||
! echo -n "exit_code: $exit_code "
|
||||
! echo "output: $output"
|
||||
! fi
|
||||
done
|
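--- a/overlay/Linux/usr/local/src/helper-scripts/anondate-tester.dst
+++ b/overlay/Linux/usr/local/src/helper-scripts/anondate-tester.dst
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+export TOR_LOG="/var/log/tor/log"
+
+cmd_item_list=(
+"--has-consensus"
+"--current-time-in-valid-range"
+"--show-valid-after"
+"--show-valid-until"
+"--show-middle-range"
+"--tor-cert-lifetime-invalid"
+"--tor-cert-valid-after"
+)
+
+for cmd_item in ${cmd_item_list[@]} ; do
+echo "cmd_item: /usr/local/lib64/helper-scripts/anondate $cmd_item $@"
+output="$(/usr/local/lib64/helper-scripts/anondate $cmd_item $@)"
+exit_code="$?"
+echo "output: $output"
+echo "exit_code: $exit_code"
+echo "----------"
+done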
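--- a/overlay/Linux/usr/local/src/helper-scripts/anondate.diff
+++ b/overlay/Linux/usr/local/src/helper-scripts/anondate.diff
@@ -0,0 +1,307 @@
+*** anondate.dst 2015-10-21 00:00:00.000000000 +0000
+--- anondate-tester 2020-12-20 22:02:49.000000000 +0000
+***************
+*** 1,275 ****
+#!/bin/bash
+
+! ## Copyright (C) Amnesia <amnesia at boum dot org>
+! ## Copyright (C) 2014 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+! ## See the file COPYING for copying conditions.
+
+! set -o pipefail
+!
+! variables() {
+! [ -n "$TOR_RC" ] || TOR_RC="/etc/tor/torrc"
+! [ -n "$TOR_LOG" ] || TOR_LOG="/run/tor/log"
+! [ -n "$TOR_DIR" ] || TOR_DIR="/var/lib/tor"
+! [ -n "$TOR_DESCRIPTORS" ] || TOR_DESCRIPTORS="${TOR_DIR}/cached-microdescs"
+! [ -n "$NEW_TOR_DESCRIPTORS" ] || NEW_TOR_DESCRIPTORS="${TOR_DESCRIPTORS}.new"
+! [ -n "$TOR_CONSENSUS" ] || TOR_CONSENSUS="${TOR_DIR}/cached-microdesc-consensus"
+! [ -n "$TOR_UNVERIFIED_CONSENSUS" ] || TOR_UNVERIFIED_CONSENSUS="${TOR_DIR}/unverified-microdesc-consensus"
+! [ -n "$DATE_RE" ] || DATE_RE='[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]'
+! }
+!
+! parse_cmd_options() {
+! ## Thanks to:
+! ## http://mywiki.wooledge.org/BashFAQ/035
+!
+! while :
+! do
+! case $1 in
+! --verbose)
+! echo "$SCRIPTNAME verbose output..."
+! echo "Script running as $(whoami)"
+! set -x
+! true "$0: $@"
+! shift
+! ;;
+! --has-consensus)
+! has_consensus_="true"
+! shift
+! ;;
+! --current-time-in-valid-range)
+! current_time_in_valid_range_="true"
+! shift
+! ;;
+! --show-valid-after)
+! show_valid_after_="true"
+! shift
+! ;;
+! --show-valid-until)
+! show_valid_until_="true"
+! shift
+! ;;
+! --show-middle-range)
+! show_middle_range_="true"
+! shift
+! ;;
+! --tor-cert-lifetime-invalid)
+! tor_cert_lifetime_invalid_="true"
+! shift
+! ;;
+! --tor-cert-valid-after)
+! tor_cert_valid_after_="true"
+! shift
+! ;;
+! --verified-only)
+! verified_only_="true"
+! shift
+! ;;
+! --prefer-verified)
+! prefer_verified_="true"
+! shift
+! ;;
+! --unverified-only)
+! unverified_only_="true"
+! shift
+! ;;
+! --user-permission)
+! user_permission_="true"
+! shift
+! ;;
+! --group-permission)
+! group_permission_="true"
+! shift
+! ;;
+! --)
+! shift
+! break
+! ;;
+! -*)
+! echo "$SCRIPTNAME unknown option: $1" >&2
+! exit 111
+! ;;
+! *)
+! break
+! ;;
+! esac
+! done
+!
+! ## If there are input files (for example) that follow the options, they
+! ## will remain in the "$@" positional parameters.
+!
+! if [ "$verified_only_" = "true" ]; then
+! consensus="$TOR_CONSENSUS"
+! elif [ "$prefer_verified_" = "true" ]; then
+! if [ -e "${TOR_CONSENSUS}" ]; then
+! consensus="$TOR_CONSENSUS"
+! else
+! consensus="$TOR_UNVERIFIED_CONSENSUS"
+fi
+! elif [ "$unverified_only_" = "true" ]; then
+! consensus="$TOR_UNVERIFIED_CONSENSUS"
+! else
+! consensus="$TOR_CONSENSUS"
+! fi
+!
+! if [ "$has_consensus_" = "true" ]; then
+! has_consensus
+! exit "$?"
+! fi
+! if [ "$current_time_in_valid_range_" = "true" ]; then
+! current_time_is_in_valid_range
+! exit "$?"
+! fi
+! if [ "$show_valid_after_" = "true" ]; then
+! show-valid-after
+! exit "$?"
+! fi
+! if [ "$show_valid_until_" = "true" ]; then
+! show-valid-until
+! exit "$?"
+! fi
+! if [ "$show_middle_range_" = "true" ]; then
+! show-middle-range
+! exit "$?"
+! fi
+! if [ "$tor_cert_lifetime_invalid_" = "true" ]; then
+! tor_cert_lifetime_invalid
+! exit "$?"
+! fi
+! if [ "$tor_cert_valid_after_" = "true" ]; then
+! tor_cert_valid_after
+! exit "$?"
+! fi
+! if [ "$user_permission_" = "true" ]; then
+! user_permission
+! exit "$?"
+! fi
+! if [ "$group_permission_" = "true" ]; then
+! group_permission
+! exit "$?"
+! fi
+!
+! echo "No option chosen." 2>&1
+! exit 1
+! }
+!
+! root_check() {
+! if [ "$(id -u)" != "0" ]; then
+! echo "ERROR: Must run as root."
+! exit 112
+! fi
+! }
+!
+! has_consensus() {
+! if [ ! -r "$consensus" ]; then
+! exit 4
+! fi
+! local grep_exit_code="0"
+! grep -qs "^valid-until ${DATE_RE}"'$' "$consensus" || { grep_exit_code="$?" ; true; };
+! if [ "$grep_exit_code" = "0" ]; then
+! return 0
+! else
+! return 1
+! fi
+! }
+!
+! show-valid-after() {
+! vstart="$(sed -n "/^valid-after \(${DATE_RE}\)"'$/s//\1/p; t q; b; :q q' ${consensus})" || exit 1
+! if [ "$show_valid_after_" = "true" ]; then
+! echo "$vstart"
+! fi
+! }
+!
+! show-valid-until() {
+! vend="$(sed -n "/^valid-until \(${DATE_RE}\)"'$/s//\1/p; t q; b; :q q' ${consensus})" || exit 1
+! if [ "$show_valid_until_" = "true" ]; then
+! echo "$vend"
+! fi
+! }
+!
+! show-middle-range() {
+! show-valid-after
+! show-valid-until
+! vmid="$(date -ud "${vstart} -0130" +'%F %T')" || exit 1
+! if [ "$show_middle_range_" = "true" ]; then
+! echo "$vmid"
+! fi
+! }
+!
+! current_time_is_in_valid_range() {
+! show-middle-range
+!
+! ## {{ Sanity Test
+! ## Debugging.
+! #vend="2099-09-03 09:41:29"
+! vendchk="$(date -ud "${vstart} -0300" +'%F %T')"
+! if [ ! "${vend}" = "${vendchk}" ]; then
+! echo "ERROR: Unexpected valid-until: [${vend}] is not [${vstart} + 3h]"
+! exit 1
+! fi
+! ## }} Sanity Test
+!
+! curdate="$(date -u +'%F %T')"
+! ## Debugging.
+! #curdate="2099-09-03 09:41:29"
+!
+! vendcons="$(date -ud "${vstart} -0230" +'%F %T')"
+! order="${vstart}
+! ${curdate}
+! ${vendcons}"
+! ordersrt="$(echo "${order}" | sort)"
+!
+! if [ "${order}" = "${ordersrt}" ]; then
+! exit 0
+! else
+! exit 1
+! fi
+! }
+!
+! tor_cert_lifetime_invalid() {
+! if [ ! -r "$TOR_LOG" ]; then
+! exit 3
+! fi
+!
+! ## TODO:
+! ## To be sure that we only grep relevant information, we
+! ## should delete the log when Tor is started, which we do
+! ## TODO:
+! ## in 10-tor.sh.
+!
+! ## Example Tor log:
+! ## Sep 03 10:32:59.000 [warn] Certificate already expired. Either their clock is set wrong, or your clock is wrong.
+! ## Sep 03 10:32:59.000 [warn] (certificate lifetime runs from Aug 16 00:00:00 2014 GMT through Jul 29 23:59:59 2015 GMT. Your time is Sep 03 10:32:59 2015 UTC.)
+!
+! ## The log severity will be "warn" if bootstrapping with
+! ## authorities and "info" with bridges.
+! grep "\[\(warn\|info\)\] Certificate \(not yet valid\|already expired\)\." "${TOR_LOG}" | tail -n 1
+! if [ "$?" = "0" ]; then
+! return 0
+! else
+! return 1
+! fi
+! }
+!
+! tor_cert_valid_after() {
+! if [ ! -r "$TOR_LOG" ]; then
+! exit 3
+! fi
+!
+! ## Only print the last = freshest match
+! sed -n 's/^.*certificate lifetime runs from \(.*\) through.*$/\1/p' "${TOR_LOG}" | tail -n 1
+!
+! ## Example output:
+! ## Jun 16 00:00:00 2014 GMT
+! ## sudo: timestamp too far in the future: Jun 16 00:00:00 2014 GMT
+! }
+!
+! user_permission() {
+! stat -c "%U" "$consensus"
+! }
+!
+! group_permission() {
+! stat -c "%G" "$consensus"
+! }
+!
+! root_check
+! variables
+! parse_cmd_options "$@"
+--- 1,27 ----
+#!/bin/bash
+
+! export TOR_LOG="/var/log/tor/log"
+! export TOR_DIR=/var/lib/tor/data
+
+! cmd_item_list=(
+! "--has-consensus"
+! "--current-time-in-valid-range"
+! "--show-valid-after"
+! "--show-valid-until"
+! "--show-middle-range"
+! "--tor-cert-lifetime-invalid"
+! "--tor-cert-valid-after"
+! )
+!
+! for cmd_item in ${cmd_item_list[@]} ; do
+! output="$(/usr/local/lib64/helper-scripts/anondate $cmd_item $@)"
+! exit_code="$?"
+! if [ $exit_code -eq 0 ] ; then
+! echo "INFO: /usr/local/lib64/helper-scripts/anondate $cmd_item $@"
+! echo "output: $output"
+! else
+! echo "WARN: /usr/local/lib64/helper-scripts/anondate $cmd_item $@"
+! echo -n "exit_code: $exit_code "
+! echo "output: $output"
+fi
+! done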
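Review bot: The header line `--- anondate-tester 2020-12-20 22:02:49.000000000 +0000` and the 27-line new side under `--- 1,27 ----` (which is the body of anondate-tester) show this file was produced by diffing anondate.dst against anondate-tester rather than against anondate, so it does not record the edits this commit makes to anondate (the TOR_LOG/TOR_DIR exports, the USAGE text, the exit-to-return changes). Regenerate it from the intended pair, `diff -c anondate.dst anondate > anondate.diff`, or drop it, since the .dst copy plus the git history already preserve the original.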
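--- a/overlay/Linux/usr/local/src/helper-scripts/anondate.dst
+++ b/overlay/Linux/usr/local/src/helper-scripts/anondate.dst
@@ -0,0 +1,275 @@
+#!/bin/bash
+
+## Copyright (C) Amnesia <amnesia at boum dot org>
+## Copyright (C) 2014 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+set -o pipefail
+
+variables() {
+[ -n "$TOR_RC" ] || TOR_RC="/etc/tor/torrc"
+[ -n "$TOR_LOG" ] || TOR_LOG="/run/tor/log"
+[ -n "$TOR_DIR" ] || TOR_DIR="/var/lib/tor"
+[ -n "$TOR_DESCRIPTORS" ] || TOR_DESCRIPTORS="${TOR_DIR}/cached-microdescs"
+[ -n "$NEW_TOR_DESCRIPTORS" ] || NEW_TOR_DESCRIPTORS="${TOR_DESCRIPTORS}.new"
+[ -n "$TOR_CONSENSUS" ] || TOR_CONSENSUS="${TOR_DIR}/cached-microdesc-consensus"
+[ -n "$TOR_UNVERIFIED_CONSENSUS" ] || TOR_UNVERIFIED_CONSENSUS="${TOR_DIR}/unverified-microdesc-consensus"
+[ -n "$DATE_RE" ] || DATE_RE='[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]'
+}
+
+parse_cmd_options() {
+## Thanks to:
+## http://mywiki.wooledge.org/BashFAQ/035
+
+while :
+do
+case $1 in
+--verbose)
+echo "$SCRIPTNAME verbose output..."
+echo "Script running as $(whoami)"
+set -x
+true "$0: $@"
+shift
+;;
+--has-consensus)
+has_consensus_="true"
+shift
+;;
+--current-time-in-valid-range)
+current_time_in_valid_range_="true"
+shift
+;;
+--show-valid-after)
+show_valid_after_="true"
+shift
+;;
+--show-valid-until)
+show_valid_until_="true"
+shift
+;;
+--show-middle-range)
+show_middle_range_="true"
+shift
+;;
+--tor-cert-lifetime-invalid)
+tor_cert_lifetime_invalid_="true"
+shift
+;;
+--tor-cert-valid-after)
+tor_cert_valid_after_="true"
+shift
+;;
+--verified-only)
+verified_only_="true"
+shift
+;;
+--prefer-verified)
+prefer_verified_="true"
+shift
+;;
+--unverified-only)
+unverified_only_="true"
+shift
+;;
+--user-permission)
+user_permission_="true"
+shift
+;;
+--group-permission)
+group_permission_="true"
+shift
+;;
+--)
+shift
+break
+;;
+-*)
+echo "$SCRIPTNAME unknown option: $1" >&2
+exit 111
+;;
+*)
+break
+;;
+esac
+done
+
+## If there are input files (for example) that follow the options, they
+## will remain in the "$@" positional parameters.
+
+if [ "$verified_only_" = "true" ]; then
+consensus="$TOR_CONSENSUS"
+elif [ "$prefer_verified_" = "true" ]; then
+if [ -e "${TOR_CONSENSUS}" ]; then
+consensus="$TOR_CONSENSUS"
+else
+consensus="$TOR_UNVERIFIED_CONSENSUS"
+fi
+elif [ "$unverified_only_" = "true" ]; then
+consensus="$TOR_UNVERIFIED_CONSENSUS"
+else
+consensus="$TOR_CONSENSUS"
+fi
+
+if [ "$has_consensus_" = "true" ]; then
+has_consensus
+exit "$?"
+fi
+if [ "$current_time_in_valid_range_" = "true" ]; then
+current_time_is_in_valid_range
+exit "$?"
+fi
+if [ "$show_valid_after_" = "true" ]; then
+show-valid-after
+exit "$?"
+fi
+if [ "$show_valid_until_" = "true" ]; then
+show-valid-until
+exit "$?"
+fi
+if [ "$show_middle_range_" = "true" ]; then
+show-middle-range
+exit "$?"
+fi
+if [ "$tor_cert_lifetime_invalid_" = "true" ]; then
+tor_cert_lifetime_invalid
+exit "$?"
+fi
+if [ "$tor_cert_valid_after_" = "true" ]; then
+tor_cert_valid_after
+exit "$?"
+fi
+if [ "$user_permission_" = "true" ]; then
+user_permission
+exit "$?"
+fi
+if [ "$group_permission_" = "true" ]; then
+group_permission
+exit "$?"
+fi
+
+echo "No option chosen." 2>&1
+exit 1
+}
+
+root_check() {
+if [ "$(id -u)" != "0" ]; then
+echo "ERROR: Must run as root."
+exit 112
+fi
+}
+
+has_consensus() {
+if [ ! -r "$consensus" ]; then
+exit 4
+fi
+local grep_exit_code="0"
+grep -qs "^valid-until ${DATE_RE}"'$' "$consensus" || { grep_exit_code="$?" ; true; };
+if [ "$grep_exit_code" = "0" ]; then
+return 0
+else
+return 1
+fi
+}
+
+show-valid-after() {
+vstart="$(sed -n "/^valid-after \(${DATE_RE}\)"'$/s//\1/p; t q; b; :q q' ${consensus})" || exit 1
+if [ "$show_valid_after_" = "true" ]; then
+echo "$vstart"
+fi
+}
+
+show-valid-until() {
+vend="$(sed -n "/^valid-until \(${DATE_RE}\)"'$/s//\1/p; t q; b; :q q' ${consensus})" || exit 1
+if [ "$show_valid_until_" = "true" ]; then
+echo "$vend"
+fi
+}
+
+show-middle-range() {
+show-valid-after
+show-valid-until
+vmid="$(date -ud "${vstart} -0130" +'%F %T')" || exit 1
+if [ "$show_middle_range_" = "true" ]; then
+echo "$vmid"
+fi
+}
+
+current_time_is_in_valid_range() {
+show-middle-range
+
+## {{ Sanity Test
+## Debugging.
+#vend="2099-09-03 09:41:29"
+vendchk="$(date -ud "${vstart} -0300" +'%F %T')"
+if [ ! "${vend}" = "${vendchk}" ]; then
+echo "ERROR: Unexpected valid-until: [${vend}] is not [${vstart} + 3h]"
+exit 1
+fi
+## }} Sanity Test
+
+curdate="$(date -u +'%F %T')"
+## Debugging.
+#curdate="2099-09-03 09:41:29"
+
+vendcons="$(date -ud "${vstart} -0230" +'%F %T')"
+order="${vstart}
+${curdate}
+${vendcons}"
+ordersrt="$(echo "${order}" | sort)"
+
+if [ "${order}" = "${ordersrt}" ]; then
+exit 0
+else
+exit 1
+fi
+}
+
+tor_cert_lifetime_invalid() {
+if [ ! -r "$TOR_LOG" ]; then
+exit 3
+fi
+
+## TODO:
+## To be sure that we only grep relevant information, we
+## should delete the log when Tor is started, which we do
+## TODO:
+## in 10-tor.sh.
+
+## Example Tor log:
+## Sep 03 10:32:59.000 [warn] Certificate already expired. Either their clock is set wrong, or your clock is wrong.
+## Sep 03 10:32:59.000 [warn] (certificate lifetime runs from Aug 16 00:00:00 2014 GMT through Jul 29 23:59:59 2015 GMT. Your time is Sep 03 10:32:59 2015 UTC.)
+
+## The log severity will be "warn" if bootstrapping with
+## authorities and "info" with bridges.
+grep "\[\(warn\|info\)\] Certificate \(not yet valid\|already expired\)\." "${TOR_LOG}" | tail -n 1
+if [ "$?" = "0" ]; then
+return 0
+else
+return 1
+fi
+}
+
+tor_cert_valid_after() {
+if [ ! -r "$TOR_LOG" ]; then
+exit 3
+fi
+
+## Only print the last = freshest match
+sed -n 's/^.*certificate lifetime runs from \(.*\) through.*$/\1/p' "${TOR_LOG}" | tail -n 1
+
+## Example output:
+## Jun 16 00:00:00 2014 GMT
+## sudo: timestamp too far in the future: Jun 16 00:00:00 2014 GMT
+}
+
+user_permission() {
+stat -c "%U" "$consensus"
+}
+
+group_permission() {
+stat -c "%G" "$consensus"
+}
+
+root_check
+variables
+parse_cmd_options "$@"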
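--- a/overlay/Linux/usr/local/src/helper-scripts/apt-get-update-kill-helper
+++ b/overlay/Linux/usr/local/src/helper-scripts/apt-get-update-kill-helper
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+kill -s sigterm "$1"
+
+exit 0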
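Review bot: `kill -s sigterm "$1"` forwards its argument without checking that it is a single positive PID, so an empty argument yields a usage error from kill and `0` or a negative value addresses a process group rather than one process; guard it with `[[ "$1" =~ ^[1-9][0-9]*$ ]] || exit 1` before the kill. The unconditional `exit 0` afterwards also hides a failed kill from the caller; `exit "$?"` immediately after the kill, as apt-get-update-simulate does, preserves the status. If this helper is reachable through the sudoers exception that apt-get-update-simulate mentions, which this page does not show, that PID check is what keeps the caller confined to signalling a single intended process.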
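--- a/overlay/Linux/usr/local/src/helper-scripts/apt-get-update-simulate
+++ b/overlay/Linux/usr/local/src/helper-scripts/apt-get-update-simulate
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## Required to run apt-get dist-upgrade --simulate as user (non-root).
+## Required for whonixcheck function check_operating_system.
+## Exception to run /usr/bin/apt-get-update as user
+## is defined in /etc/sudoers.d/.
+
+sigterm_trap() {
+if [ "$lastpid" = "" ]; then
+exit 0
+fi
+ps -p "$lastpid" >/dev/null 2>&1
+if [ ! "$?" = "0" ]; then
+## Already terminated.
+exit 0
+fi
+kill -s sigterm "$lastpid"
+exit "$?"
+}
+
+trap "sigterm_trap" SIGTERM SIGINT
+
+timeout_after="10"
+kill_after="5"
+
+timeout \
+--kill-after="$kill_after" \
+"$timeout_after" \
+apt-get dist-upgrade --simulate &
+
+lastpid="$!"
+wait "$lastpid"
+
+exit "$?"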
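Review bot: The `ps -p "$lastpid" >/dev/null 2>&1` followed by `if [ ! "$?" = "0" ]; then` in sigterm_trap reads more directly as `if ! ps -p "$lastpid" >/dev/null 2>&1; then`, keeping the `## Already terminated.` comment inside the branch. A short header comment on sigterm_trap would help the next reader: it is installed before the background job exists (hence the empty-`$lastpid` branch), forwards SIGTERM/SIGINT to the backgrounded `timeout`, which is what wraps apt-get, and exits with kill's status so the caller sees whether the forward succeeded.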
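--- a/overlay/Linux/usr/local/src/helper-scripts/bashrc-terminal-emulator
+++ b/overlay/Linux/usr/local/src/helper-scripts/bashrc-terminal-emulator
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+## Copyright (C) 2020 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## This script gets `source`ed.
+## Using both 'return 0' and 'exit 0' to support both, `source`ing as well as
+## executing this script.
+
+if [ -z "$PS1" ]; then
+true "If not running interactively, don't do anything."
+return 0
+exit 0
+fi
+
+shopt -q login_shell
+var="$?"
+if [ "$var" = "0" ]; then
+true "running in a login shell, don't do anything."
+## Login shells are greeted by /etc/motd.
+return 0
+exit 0
+fi
+
+## We run in a terminal emulator.
+
+if ! test -d /etc/update-motd.d ; then
+return 0
+exit 0
+fi
+
+run-parts /etc/update-motd.d || true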
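Review bot: Each `return 0` / `exit 0` pair depends on `return` failing when the file is executed instead of sourced, and in bash a top-level `return` in a non-sourced script prints `return: can only 'return' from a function or sourced script` to stderr before control falls through to `exit 0`, so direct execution is noisy rather than silent; `return 0 2>/dev/null` on the three return lines keeps the documented dual-mode behaviour quiet. The `shopt -q login_shell` / `var="$?"` / `if [ "$var" = "0" ]` sequence is more direct as `if shopt -q login_shell; then`. Since `run-parts /etc/update-motd.d` executes every script in that directory inside the user's interactive shell, a comment stating that the directory is expected to be root-owned and not group- or world-writable would make that trust boundary explicit for whoever maintains the overlay.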
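--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/first-boot-skel
@@ -0,0 +1,111 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+set -x
+set -e
+
+if command -v qubesdb-read >/dev/null 2>&1 ; then
+qubes_vm_type="$(qubesdb-read /qubes-vm-type)"
+fi
+
+cache_folder="/var/cache/anon-base-files"
+
+if [ "$qubes_vm_type" = "TemplateVM" ]; then
+## Separate done file for Qubes TemplateVMs to make this work with the
+## current home folder population for Qubes DispVMs.
+## https://github.com/QubesOS/qubes-core-agent-linux/blob/f380c346cf9af3f058b8ece853d7d4a5ece28815/misc/dispvm-prerun.sh#L6-L12
+done_file="$cache_folder/first-boot-skel.TemplateVM.done"
+else
+## Non-Qubes-Whonix or non-Qubes TemplateVMs
+done_file="$cache_folder/first-boot-skel.done"
+fi
+
+if [ -e "$done_file" ]; then
+exit 0
+fi
+
+user_name="user"
+home_dir="/home/$user_name"
+
+if [ ! -d "$home_dir" ]; then
+exit 0
+fi
+
+skel_folder="/etc/skel"
+
+if [ ! -d "$skel_folder" ]; then
+exit 0
+fi
+
+pushd "$skel_folder"
+
+mkdir -p "$cache_folder"
+
+shopt -s dotglob
+shopt -s nullglob
+
+for fso in ./* ; do
+true "fso: $fso"
+## Technically below for 'cp' it would also be possible to use '$fso' rather
+## than '$fso_basename', but the latter produces a prettier xtrace.
+fso_basename="${fso##*/}"
+if [ ".bashrc" = "$fso_basename" ]; then
+## We do not need /home/user/.bashrc.
+## /home/user/.bashrc is handled below.
+continue
+fi
+if [ ".bashrc.whonix" = "$fso_basename" ]; then
+## We do not need /home/user/.bashrc.whonix.
+## /home/user/.bashrc is handled below.
+continue
+fi
+if [ ".bashrc.whonix-orig" = "$fso_basename" ]; then
+## We do not need /home/user/.bashrc.whonix-orig.
+## /home/user/.bashrc is handled below.
+continue
+fi
+if [ -d "$fso" ]; then
+true "folder: yes"
+cp --verbose --no-clobber --archive --parents --recursive "$fso_basename" "$home_dir"
+chown --changes --recursive "$user_name:$user_name" "$home_dir/$fso_basename"
+else
+true "folder: no"
+## Require '--dereference' otherwise the 'chown' below could fail.
+cp --verbose --no-clobber --archive --dereference "$fso_basename" "$home_dir"
+chown --changes "$user_name:$user_name" "$home_dir/$fso_basename"
+fi
+done
+
+if [ ! -f "$skel_folder/.bashrc.whonix-orig" ]; then
+touch "$done_file"
+exit 0
+fi
+if [ ! -f "$skel_folder/.bashrc.whonix" ]; then
+touch "$done_file"
+exit 0
+fi
+if [ ! -f "$skel_folder/.bashrc" ]; then
+touch "$done_file"
+exit 0
+fi
+
+if diff "$skel_folder/.bashrc.whonix" "$home_dir/.bashrc" >/dev/null ; then
+## no diff found
+true "Already using Whonix $skel_folder/.bashrc.whonix. No need to copy $skel_folder/.bashrc.whonix."
+touch "$done_file"
+exit 0
+fi
+
+if diff "$skel_folder/.bashrc.whonix-orig" "$home_dir/.bashrc" >/dev/null ; then
+## no diff found
+true "Overwriting default $home_dir/.bashrc ( which matches $skel_folder/.bashrc.whonix-orig ) with $skel_folder/.bashrc.whonix."
+cp --verbose --archive "$skel_folder/.bashrc.whonix" "$home_dir/.bashrc"
+chown --changes "$user_name:$user_name" "$home_dir/.bashrc"
+else
+## a diff was found
+true "User customized $home_dir/.bashrc. Keeping it."
+fi
+
+touch "$done_file"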
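Review bot: The .bashrc handling at the end never creates `$home_dir/.bashrc` when it is absent: the copy loop deliberately skips `.bashrc` ("handled below"), and both `diff` calls fail against a missing file, so the script falls into the "User customized" branch and writes the done file without installing any .bashrc at all. I assume useradd normally supplies one from skel, which is why this has not been noticed, but a home created without it stays that way forever because the done file blocks re-runs. A guard before the first `diff` closes the gap; as a style point, the three repeated `if [ ".bashrc…" = "$fso_basename" ]` blocks in the loop collapse to `case "$fso_basename" in .bashrc|.bashrc.whonix|.bashrc.whonix-orig) continue ;; esac`.
```shell
# … unchanged: skel copy loop and the three "$skel_folder/.bashrc*" existence checks …
if [ ! -e "$home_dir/.bashrc" ]; then
  true "No $home_dir/.bashrc yet. Installing $skel_folder/.bashrc.whonix."
  cp --verbose --archive "$skel_folder/.bashrc.whonix" "$home_dir/.bashrc"
  chown --changes "$user_name:$user_name" "$home_dir/.bashrc"
fi
if diff "$skel_folder/.bashrc.whonix" "$home_dir/.bashrc" >/dev/null ; then
# … unchanged: remaining diff/overwrite logic and touch "$done_file" …
```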
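--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/leak-tests/exhaustive_ip_send.py
@@ -0,0 +1,24 @@
+#!/usr/bin/python3 -u
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+import sys
+from scapy.all import *
+
+#define the target gateway & data payload
+target = "scanme.nmap.org"
+#target = "45.33.32.156"
+
+data = "testing"
+
+#define packet
+ip = IP()
+
+#define packet parameters
+ip.dst = target
+
+#loop through all IP packet types
+for ip_type in range(0,255):
+ip.proto = ip_type
+send(ip/data)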
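Review bot: `range(0,255)` stops at protocol number 254, so the loop does not cover 255 despite the "loop through all IP packet types" comment; `range(256)` matches the stated intent. The same off-by-one is in tcp_test.py and udp_test.py, where `range(0,65535)` omits port 65535, and udp_test.py's loop comment still reads "loop through all TCP ports" after the copy from tcp_test.py. In all three files `import sys` is unused and can be dropped. The rendered page does not preserve the loop body's indentation, so I could not confirm it from here.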
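--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/leak-tests/simple_ping.py
@@ -0,0 +1,61 @@
+#!/usr/bin/python3 -u
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+# Since it will be useful to know something about the script,
+# for the later tests, the terms are defined here:
+# (A discussion of Python language structure is beyond
+# the scope of this document)
+
+# [1] http://en.wikipedia.org/wiki/Ipv4
+# [2] http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
+# [3] http://en.wikipedia.org/wiki/IP_routing
+# [4] http://en.wikipedia.org/wiki/Ping
+# [5] http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#List_of_permitted_control_messages_.28incomplete_list.29
+# [6] http://www.secdev.org/projects/scapy/doc/usage.html#send-and-receive-packets-sr
+# [7] http://www.secdev.org/projects/scapy/doc/usage.html#stacking-layers
+
+import sys
+from scapy.all import *
+
+# define the target gateway & data payload
+target = "10.152.152.10"
+#target = "45.33.32.156"
+
+data = "testing"
+
+# define packets
+# These define two variables, that are set to the object types IP
+# and ICMP respectively. These objects in Scapy define the protocol
+# type for IP (default IPv4) [1] and ICMP [2] respectively.
+# And will send packets on the wire of these types when used.
+ip = IP()
+icmp = ICMP()
+
+# define packet parameters
+ip.dst = target
+
+# IP packets are used for routing [3] between networks on the Internet.
+# So, we assign the destination (dst) in the IP portion of the
+# packet we are going to assemble and send out.
+icmp.type = 8
+icmp.code = 0
+
+# Defines the type of ICMP message to send out. The ..8 type.. is
+# a type defined as ..echo request.., e.g. a simple ping [4].
+# See a list here of various types of ICMP [5] messages here.
+
+# The sr1() [6] command will ..send and receive network traffic,
+# returning the 1st packet received...
+# The notation of ..ip/icmp/data.. is the notation for encapsulation
+# of various instances of networking protocols [7].
+# Read it right to left: ..data encapsulated inside an ICMP message
+# and encapsulated inside an IP datagram...
+test_ping = sr1(ip/icmp/data)
+
+if isinstance(test_ping, types.NoneType):
+print("No response")
+else:
+# Prints a short report on the packet received (if any).
+test_ping.summary()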
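Review bot: `isinstance(test_ping, types.NoneType)` cannot work as written: `types` is never imported (the `scapy.all` star import does not supply it as far as I can tell), and `types.NoneType` only exists from Python 3.10 on, so the no-response path raises instead of printing "No response". The idiomatic check is `if test_ping is None:`, which needs no import and works on every Python 3. `import sys` is unused and can be removed.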
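--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/leak-tests/tcp_test.py
@@ -0,0 +1,25 @@
+#!/usr/bin/python3 -u
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+import sys
+from scapy.all import *
+
+#define the target gateway & data payload
+target = "scanme.nmap.org"
+#target = "45.33.32.156"
+
+data = "testing"
+
+#define packets
+ip = IP()
+tcp = TCP()
+
+#define packet parameters
+ip.dst = target
+
+#loop through all TCP ports
+for tcp_port in range(0,65535):
+tcp.dport = tcp_port
+send(ip/tcp/data)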
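--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/leak-tests/udp_test.py
@@ -0,0 +1,25 @@
+#!/usr/bin/python3 -u
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+import sys
+from scapy.all import *
+
+#define the target gateway & data payload
+target = "scanme.nmap.org"
+#target = "45.33.32.156"
+
+data = "testing"
+
+#define packets
+ip = IP()
+udp = UDP()
+
+#define packet parameters
+ip.dst = target
+
+#loop through all TCP ports
+for udp_port in range(0,65535):
+udp.dport = udp_port
+send(ip/udp/data)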
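--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/pkg_manager_running_check
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+check_package_manager_running_helper() {
+if [ -f "/run/package_manager_lock" ]; then
+check_apt_get_exit_code="/run/package_manager_lock exists."
+package_manager_waiting_msg="Lock file \
+/run/package_manager_lock exists. Waiting for it to be removed..."
+package_manager_waiting_msg_x="$package_manager_waiting_msg"
+return 0
+fi
+
+local fuser_exit_code
+fuser_exit_code=0
+sudo --non-interactive fuser /var/lib/dpkg/lock /var/cache/apt/archives/lock &>/dev/null || { fuser_exit_code="$?" ; true; };
+
+## If a package manager is running:
+## sudo --non-interactive fuser /var/lib/dpkg/lock /var/cache/apt/archives/lock ; echo $?
+## /var/lib/dpkg/lock: 15601
+## /var/cache/apt/archives/lock: 15601
+## 0
+##
+## If no package manager is running:
+## sudo --non-interactive fuser /var/lib/dpkg/lock /var/cache/apt/archives/lock ; echo $?
+## 1
+
+if [ "$fuser_exit_code" = "0" ]; then
+check_apt_get_exit_code="1"
+else
+check_apt_get_exit_code="0"
+fi
+
+if [ ! "$check_apt_get_exit_code" = "0" ]; then
+## package_manager_waiting_msg used by cli-only applications.
+package_manager_waiting_msg="A package manager (such as apt-get) is currently running. Waiting for it to finish...
+
+If you are not aware of any package mangers running, exit now, find out if there are any issues with dpkg or apt-get. Run in the terminal for example:
+sudo dpkg --audit
+sudo dpkg --configure -a
+sudo apt-get dist-upgrade
+
+Technical Info:
+\"sudo --non-interactive fuser /var/lib/dpkg/lock /var/cache/apt/archives/lock\" exit code: $fuser_exit_code"
+## package_manager_waiting_msg_x used applications using msgcollector.
+package_manager_waiting_msg_x="<p>A package manager (such as <code>apt-get</code>) is currently running. Waiting for it to finish...
+<br></br>
+If you are not aware of any package mangers running, exit now, find out if there are any issues with <code>dpkg</code> or <code>apt-get</code>. Run in the terminal for example:
+<code>sudo dpkg --audit</code>
+<code>sudo dpkg --configure -a</code>
+<code>sudo apt-get dist-upgrade</code>
+<br></br>
+Technical Info:
+\"<code>sudo --non-interactive fuser /var/lib/dpkg/lock /var/cache/apt/archives/lock</code>\" exit code: <code>$fuser_exit_code</code></p>"
+else
+package_manager_waiting_msg="No package manger currently running. \
+You should not see this message. Please report this bug!"
+package_manager_waiting_msg_x="$package_manager_waiting_msg"
+fi
+}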
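Review bot: A `sudo` that cannot run `fuser` at all is reported as "no package manager running": `sudo --non-interactive` exits 1 when no sudoers rule allows the command or a password would be needed, `fuser` also exits 1 when nothing holds the locks, and the `&>/dev/null` discards the only output that would tell the two apart, so the helper lands in the `check_apt_get_exit_code="0"` branch either way. Capturing the combined output, e.g. `fuser_output="$(sudo --non-interactive fuser /var/lib/dpkg/lock /var/cache/apt/archives/lock 2>&1)" || { fuser_exit_code="$?" ; true; }`, lets the caller treat "exit 1 with non-empty output" as an error (fuser is silent when no process is found, so any text with exit 1 is sudo's complaint); worth confirming against the fuser version in use. The two user-facing messages also contain the typos "mangers" and "manger".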
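--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/pre.bsh
@@ -0,0 +1,276 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## The idea of this bash fragment is:
+## Say nothing, if everything goes well, but dump everything on error.
+
+## It allows to easily look inside the xtrace of a (Debian maintainer) script,
+## when the DEBDEBUG environment variable is set to 1.
+
+## To use it in other scripts, use something like this:
+# if [ -f /usr/local/lib64/helper-scripts/pre.bsh ]; then
+# source /usr/local/lib64/helper-scripts/pre.bsh
+# fi
+
+## Error log:
+## - implement trap ERR if function errorhandlergeneral does not exist
+## - implements a simple error handler if non exists
+## - run silent by default
+## - write xtrace to temporary log
+## - show full xtrace on unexpected non-zero exit code
+## - show exit code on unexpected non-zero exit code
+## - run syntax check "bash -n" on this script
+## - run syntax check "bash -n" on the script that sourced this script
+
+## DEBDEBUG:
+##
+## enable xtrace (-x) for maintainer script when DEBDEBUG environment
+## variable is set to 1.
+## For example:
+## sudo DEBDEBUG=1 dpkg -i /path/to/package.deb
+
+## SKIP_SCRIPTS
+##
+## The SKIP_SCRIPTS environment variable to skip scripts by name
+## For example:
+## sudo DEBDEBUG=1 SKIP_SCRIPTS=" security-misc.postinst " dpkg -i /path/to/package.deb
+##
+## another example:
+##
+## export DEBDEBUG=1
+## export SKIP_SCRIPTS+=" security-misc.postinst "
+## sudo -E dpkg -i /path/to/package.deb
+
+## Colorful output: provides color function
+
+## Shell options: enables errtrace
+
+## Configuration Folders
+##
+## For example if the name of the package is 'security-misc':
+## - /etc/security-misc_maint.d/*.conf
+## - /usr/local/etc/security-misc_maint.d/*.conf
+##
+## For example if the name of the script is 'panic-on-oops':
+## - /etc/panic-on-oops_pre.d/*.conf
+## - /usr/local/etc/panic-on-oops_pre.d/*.conf
+
+## {{{ pre.bsh 1.0
+
+## bash script fragment
+
+colors() {
+if [ "$TERM" = "" ]; then
+return 0
+fi
+
+## Thanks to:
+## http://mywiki.wooledge.org/BashFAQ/037
+## Variables for terminal requests.
+[[ -t 2 ]] && {
+alt=$( tput smcup || tput ti ) # Start alt display
+ealt=$( tput rmcup || tput te ) # End alt display
+hide=$( tput civis || tput vi ) # Hide cursor
+show=$( tput cnorm || tput ve ) # Show cursor
+save=$( tput sc ) # Save cursor
+load=$( tput rc ) # Load cursor
+bold=$( tput bold || tput md ) # Start bold
+stout=$( tput smso || tput so ) # Start stand-out
+estout=$( tput rmso || tput se ) # End stand-out
+under=$( tput smul || tput us ) # Start underline
+eunder=$( tput rmul || tput ue ) # End underline
+reset=$( tput sgr0 || tput me ) # Reset cursor
+blink=$( tput blink || tput mb ) # Start blinking
+italic=$( tput sitm || tput ZH ) # Start italic
+eitalic=$( tput ritm || tput ZR ) # End italic
+[[ $TERM != *-m ]] && {
+red=$( tput setaf 1|| tput AF 1 )
+green=$( tput setaf 2|| tput AF 2 )
+yellow=$( tput setaf 3|| tput AF 3 )
+blue=$( tput setaf 4|| tput AF 4 )
+magenta=$( tput setaf 5|| tput AF 5 )
+cyan=$( tput setaf 6|| tput AF 6 )
+}
+white=$( tput setaf 7|| tput AF 7 )
+default=$( tput op )
+eed=$( tput ed || tput cd ) # Erase to end of display
+eel=$( tput el || tput ce ) # Erase to end of line
+ebl=$( tput el1 || tput cb ) # Erase to beginning of line
+ewl=$eel$ebl # Erase whole line
+draw=$( tput -S <<< ' enacs
+smacs
+acsc
+rmacs' || { \
+tput eA; tput as;
+tput ac; tput ae; } ) # Drawing characters
+back=$'\b'
+} 2>/dev/null ||:
+}
+
+source_config_folder() {
+## dpkg sets environment variables
+## example:
+## DPKG_MAINTSCRIPT_PACKAGE=security-misc
+
+if [ "$DPKG_MAINTSCRIPT_PACKAGE" = "" ]; then
+pre_bsh_settings_folder="${own_filename}_pre.d"
+else
+pre_bsh_settings_folder="${DPKG_MAINTSCRIPT_PACKAGE}_maint.d"
+fi
+
+## example:
+## pre_bsh_settings_folder=security-misc_maint.d
+
+shopt -s nullglob
+local i
+
+## example:
+## /etc/panic-on-oops_pre.d/*.conf
+## /usr/local/etc/panic-on-oops_pre.d/*.conf
+
+true "folder 1: /etc/${pre_bsh_settings_folder}/*.conf"
+true "folder 2: /usr/local/etc/${pre_bsh_settings_folder}/*.conf"
+
+for i in /etc/${pre_bsh_settings_folder}/*.conf /usr/local/etc/${pre_bsh_settings_folder}/*.conf; do
+bash_n_exit_code="0"
+bash_n_output="$(bash -n "$i" 2>&1)" || { bash_n_exit_code="$?" ; true; };
+if [ ! "$bash_n_exit_code" = "0" ]; then
+force_output "Invalid config file: $i
+bash_n_exit_code: $bash_n_exit_code
+bash_n_output:
+$bash_n_output" >&2
+rm -f "$TEMP_FILE_PRE_BSH"
+exit 1
+fi
+source "$i"
+done
+shopt -u nullglob
+}
+
+check_scripts_to_skip() {
+local skip_script
+for skip_script in $SKIP_SCRIPTS; do
+if [ "$skip_script" = "$own_filename" ]; then
+force_output "INFO: Skipping $own_filename, because SKIP_SCRIPTS includes it."
+rm -f "$TEMP_FILE_PRE_BSH"
+exit 0
+fi
+done
+}
+
+disable_echo() {
+if [ "$disabled_echo" = "true" ]; then
+return 0
+fi
+exec 5>&1 1>> "$TEMP_FILE_PRE_BSH"
+exec 6>&2 2>> "$TEMP_FILE_PRE_BSH"
+disabled_echo=true
+}
+
+enable_echo() {
+if [ "$disabled_echo" = "true" ]; then
+exec 1>&5
+exec 2>&6
+disabled_echo=false
+fi
+}
+
+force_output() {
+if [ "$disabled_echo" = "true" ]; then
+redisable_echo="true"
+enable_echo
+fi
+echo "$@"
+if [ "$redisable_echo" = "true" ]; then
+disable_echo
+fi
+}
+
+error_handler_pre() {
+local exit_code="$?"
+local last_err="$BASH_COMMAND"
+
+if [ ! "$DEBDEBUG" = "1" ]; then
+local output
+output="$(cat "$TEMP_FILE_PRE_BSH")"
+fi
+
+if [ "$output" = "" ]; then
+output="## See above."
+fi
+
+force_output "
+####################################################################
+## ${red}${bold}BEGIN ERROR in $0 detected!${reset}
+##
+## ${under}ERROR LOG${reset}:
+$output
+##
+## ${under}BASH_COMMAND${reset}: $BASH_COMMAND
+## ${under}EXIT_CODE${reset}: $exit_code
+##
+## ${red}${bold}END ERROR in $0 detected!${reset}
+## ${red}${bold}Please report this bug!${reset}
+####################################################################
+" 1>&2
+
+rm -f "$TEMP_FILE_PRE_BSH"
+exit 1
+}
+
+## config-package-dev doesn't like 'set -o pipefail'
+## http://mailman.mit.edu/pipermail/config-package-dev/2015-May/000041.html
+#set -o pipefail
+
+set -o errtrace
+
+TEMP_FILE_PRE_BSH="$(mktemp)"
+
+if test -o xtrace ; then
+true "INFO: Setting DEBDEBUG to 1, because xtrace (-x) is set."
+DEBDEBUG="1"
+fi
+
+if [ "$DEBDEBUG" = "1" ]; then
+set -x
+fi
+
+if [ "$disable_echo" = "true" ]; then
+disable_echo
+fi
+
+colors
+
+## {{ Set up error handler.
+if [ "$(type -t errorhandlergeneral)" = "function" ]; then
+## Function errorhandlergeneral exists (declared in
+## help-steps/pre). Prefer to use the more feature rich version of the error
+## handler.
+trap "errorhandlergeneral" ERR
+else
+## Function errorhandlergeneral does not exist.
+
+## Check if any trap is already declared.
+if [ "$(trap -p ERR)" = "" ]; then
+## No trap exist yet.
+## Fall back to a simpler error handler.
+trap "error_handler_pre" ERR
+fi
+fi
+## }}
+
+## syntax check this script
+bash -n "$BASH_SOURCE"
+
+## syntax check script that sourced this script
+bash -n "$0"
+
+own_filename="${0##*/}"
+
+source_config_folder
+
+check_scripts_to_skip
+
+## }}}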
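Review bot: `TEMP_FILE_PRE_BSH="$(mktemp)"` is only removed on the error and skip paths (error_handler_pre, source_config_folder, check_scripts_to_skip); after a successful run the file, which holds everything redirected there by disable_echo including any xtrace, is left behind in /tmp. An EXIT trap such as `trap 'rm -f -- "$TEMP_FILE_PRE_BSH"' EXIT` covers every path, though since this fragment is sourced it should first check `trap -p EXIT` the way the ERR setup already does, so as not to replace a trap the sourcing script installed. In source_config_folder the only check before `source "$i"` is `bash -n`; nothing verifies who owns the `*.conf` file that is then executed with the maintainer script's privileges, so either a comment stating that those directories are expected to be root-owned, or an explicit owner check such as `[ -O "$i" ]`, would make the trust assumption visible. Separately, force_output never clears `redisable_echo`, so once it has been set a later call made while output is enabled ends by calling disable_echo unexpectedly; `redisable_echo=""` at the top of the function fixes that.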
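--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/repair_torrc.py
@@ -0,0 +1,77 @@
+#!/usr/bin/python3 -u
+
+## Copyright (C) 2018 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+import os
+
+whonix = os.path.exists('/usr/share/anon-gw-base-files/gateway')
+if whonix:
+torrc_file_path = '/usr/local/etc/torrc.d/40_tor_control_panel.conf'
+torrc_user_file_path = '/usr/local/etc/torrc.d/50_user.conf'
+else:
+torrc_file_path = '/etc/torrc.d/40_tor_control_panel.conf'
+torrc_user_file_path = '/etc/torrc.d/50_user.conf'
+
+torrc_text = '# Do not edit this file!\n\
+# Please add modifications to the following file instead:\n'
+
+user_text = '# Tor user specific configuration file\n\
+#\n\
+# Add user modifications below this line:\n\
+############################################\n'
+
+'''Guarantee the existence of /etc/torrc.d/
+and the existence of /usr/local/etc/torrc.d/ if required.
+'''
+if not os.path.exists('/etc/torrc.d/'):
+os.makedirs('/etc/torrc.d/')
+if whonix and not os.path.exists('/usr/local/etc/torrc.d/'):
+os.makedirs('/usr/local/etc/torrc.d/')
+
+'''Guarantee the existence of:
+1. /etc/torrc.d/95_whonix.conf
+2. /etc/tor/torrc
+3. "%include /etc/torrc.d/95_whonix.conf" line in /etc/tor/torrc file
+
+In addition, we create 40_tor_control_panel.conf
+and 50_user.conf here if they do not exist.
+'''
+whonix_torrcd_path = '/etc/torrc.d/95_whonix.conf'
+
+if not os.path.exists('/etc/tor/torrc'):
+with open('/etc/tor/torrc', "w+") as f:
+if whonix:
+f.write('%include {0}\n'.format(whonix_torrcd_path))
+else:
+f.write('%include {0}\n'.format(torrc_file_path))
+f.write('%include {0}\n'.format(torrc_user_file_path))
+
+else:
+torrcd_line_exists = 'include /etc/torrc.d' in open('/etc/tor/torrc', "r").read()
+if not torrcd_line_exists:
+with open('/etc/tor/torrc', "a") as f:
+if whonix:
+f.write('%include {0}\n'.format(whonix_torrcd_path))
+else:
+f.write('%include {0}\n'.format(torrc_file_path))
+f.write('%include {0}\n'.format(torrc_user_file_path))
+
+if whonix and not os.path.exists(whonix_torrcd_path):
+with open(whonix_torrcd_path, "w+") as f:
+f.write('%include {0}\n'.format(torrc_file_path))
+f.write('%include {0}\n'.format(torrc_user_file_path))
+
+torrc_text = '%s# %s\n' % (torrc_text, torrc_user_file_path)
+if not whonix:
+torrc_text = (torrc_text +
+'Log notice file /run/tor/log\n')
+
+if not os.path.exists(torrc_file_path):
+with open(torrc_file_path, "w+") as f:
+f.write(torrc_text)
+
+if not os.path.exists(torrc_user_file_path):
+with open(torrc_user_file_path, "w+") as f:
+f.write(user_text)
+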
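Review bot: `open('/etc/tor/torrc', "r").read()` in the `else:` branch leaves the file handle to be closed by garbage collection, while every other access in the file uses `with`; `with open('/etc/tor/torrc') as f: torrcd_line_exists = 'include /etc/torrc.d' in f.read()` keeps it consistent and deterministic. The `"w+"` mode on the write-only `open()` calls can simply be `"w"`. Each `os.path.exists` followed by `os.makedirs` or a creating `open()` is a check-then-act pair that is not atomic; for a single-instance repair script that is acceptable, but a one-line comment saying so, or `os.makedirs(path, exist_ok=True)` for the two directory cases, would spare a reader the question.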
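--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/settings_echo
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+set -e
+
+## provides: check_tor_bootstrap_helper_variables
+source /usr/local/lib64/helper-scripts/tor_bootstrap_check.bsh
+
+check_tor_bootstrap_helper_variables
+
+echo "\
+GATEWAY_IP=\"$GATEWAY_IP\"
+gateway_control_port=\"$gateway_control_port\""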
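Review bot: The two values are interpolated into `GATEWAY_IP=\"$GATEWAY_IP\"` without any escaping, so a `"`, `$` or newline in either variable (both are set by check_tor_bootstrap_helper_variables, outside this file) would break the generated assignment and, if the consumer sources the file, be evaluated rather than stored. If the consumer is a shell, `printf 'GATEWAY_IP=%q\n' "$GATEWAY_IP"` emits a safe assignment; if it is a systemd EnvironmentFile the quoting rules differ, so the consumer of `/run/helper-scripts/settings_environment_file` should be confirmed and named in a comment here. The same applies to settings_echo.dst, which is this file with `lib` in place of `lib64`; generating one from the other would keep them from drifting.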
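--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/settings_echo.dst
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+set -e
+
+## provides: check_tor_bootstrap_helper_variables
+source /usr/local/lib/helper-scripts/tor_bootstrap_check.bsh
+
+check_tor_bootstrap_helper_variables
+
+echo "\
+GATEWAY_IP=\"$GATEWAY_IP\"
+gateway_control_port=\"$gateway_control_port\""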
@ -0,0 +1,8 @@
#!/bin/bash
## Copyright (C) 2017 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
set -e
/usr/local/lib64/helper-scripts/settings_echo > /run/helper-scripts/settings_environment_file
@ -0,0 +1,8 @@
#!/bin/bash
## Copyright (C) 2017 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
set -e
/usr/local/lib/helper-scripts/settings_echo > /run/helper-scripts/settings_environment_file
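--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/te_pe_tb_check
@@ -0,0 +1,233 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## Exit codes of this script get interpreted by sdwdate.
+## exit 0
+## exit 1: wait, retry and warning icon
+## exit 2: wait, retry and error icon
+
+set -o pipefail
+set -e errtrace
+
+error_handler() {
+local exit_code="$?"
+echo "\
+BASH_COMMAND: $BASH_COMMAND
+exit_code: $exit_code"
+}
+
+trap "error_handler" ERR
+
+source /usr/local/lib64/helper-scripts/tor_enabled_check
+source /usr/local/lib64/helper-scripts/pkg_manager_running_check
+source /usr/local/lib64/helper-scripts/tor_bootstrap_check.bsh
+
+te_pe_tb_check() {
+if [ -f "/usr/share/anon-gw-base-files/gateway" ]; then
+VM="Gateway"
+elif [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
+VM="Workstation"
+else
+VM="Could not determine if this is gateway or workstation. Please report this bug."
+fi
+
+clock_causes="\
+<br><br>Possible causes:<br>
+- The host clock is wrong -> shut down the VM, fix the clock in the host and restart the VM.<br>
+- The VM clock is wrong -> manually fix the clock. Restart Tor if necessary. Then restart sdwdate.<br>
+- A host clock attack succeeded.<br>
+- A hardware issue (for example bios clock issues).<br>"
+
+## Debugging.
+true "$FUNCNAME: CURL: $CURL"
+true "$FUNCNAME: LD_PRELOAD: $LD_PRELOAD"
+
+if [ -e /usr/share/timesanitycheck/shared ]; then
+## provides: time_sanity_check
+## sets: time_sanity_check_exit_code
+## sets: time_sanity_check_msg_static
+source /usr/share/timesanitycheck/shared
+time_sanity_check
+if [ "$time_sanity_check_exit_code" = "0" ]; then
+echo "$time_sanity_check_msg_static" >&2
+else
+echo "$time_sanity_check_msg_static
+$clock_causes"
+timesanitycheck_static_timestamp_based_failed="true"
+if [ "$VM" = "Gateway" ]; then
+exit 1
+fi
+fi
+fi
+
+## Sets: TOR_ENABLED
+check_tor_enabled_do
+
+if [ "$TOR_ENABLED" = "1" ]; then
+## Ok.
+true
+else
+if [ -f /usr/share/whonix/marker ]; then
+echo "<b>Tor is disabled.</b> Please enable Tor using whonixsetup.<br> \
+Start Menu -> System -> Anon Connection Wizard or in Terminal: sudo whonixsetup"
+else
+echo "Tor is disabled. Please enable Tor in the Tor config."
+fi
+
+exit 1
+fi
+
+## sets: check_apt_get_exit_code
+## sets: package_manager_waiting_msg
+#check_package_manager_running_helper ## pkg_manager_running_check
+#if [ "$check_apt_get_exit_code" = "0" ]; then
+#true "Package manager not busy, ok."
+#else
+#echo "$package_manager_waiting_msg"
+
+#exit 2
+#fi
+
+## sets: check_bootstrap_helper_script
+## sets: lastpid
+## sets: tor_bootstrap_percent
+## sets: tor_bootstrap_status
+check_tor_circuit_established ## tor_bootstrap_check.bsh
+
+## $tor_circuit_established_check_exit_code on timeout returns:
+## - 124 if sigterm was sufficient
+## - 137 if needed to use kill.
+
+for invalid_exit_code in "124" "137" "254" ; do
+if [ "$tor_circuit_established_check_exit_code" = "$invalid_exit_code" ]; then
+echo "Tor Bootstrap Result: \
+<b>ERROR ($tor_circuit_established_check_exit_code).</b><br> Please report this bug!"
+exit 1
+fi
+done
+
+if [ "$tor_circuit_established_check_exit_code" = "255" ]; then
+if [ "$VM" = "Gateway" ]; then
+echo "Tor Bootstrap Result: \
+<b>Tor's Control Port could not be reached.</b><br>"
+elif [ "$VM" = "Workstation" ]; then
+if [ -f /usr/share/whonix/marker ]; then
+echo "Tor Bootstrap Result: \
+<b>Tor's Control Port could not be reached.</b><br> \
+<br>Did you start Gateway beforehand? \
+<br>Please run whonixcheck on Gateway."
+else
+echo "Tor Bootstrap Result: \
+<b>Tor's Control Port could not be reached.</b><br> \
+<br>Did you start Gateway beforehand?"
+fi
+else
+if [ -f /usr/share/whonix/marker ]; then
+echo "Tor Bootstrap Result: \
+<b>Tor's Control Port could not be reached.</b><br> \
+<br>Did you start Gateway beforehand? \
+<br>Please run whonixcheck on Gateway.
+<br>$FUNCNAME: This is neither a gateway nor a workstation. Please report this bug!"
+else
+echo "Tor Bootstrap Result: \
+<b>Tor's Control Port could not be reached.</b><br> \
+<br>Did you start Gateway beforehand?
+<br>$FUNCNAME: This is neither a gateway nor a workstation. Please report this bug!"
+fi
+fi
+
+exit 1
+fi
+
+if [ "$VM" = "Gateway" ]; then
+check_tor_bootstrap_status
+fi
+
+## When using an old Tor consensus which might be the case when no Tor
+## circuit has been established yet, there is no point to check Tor
+## consensus time as it might be outdated leading to concluding that the
+## clock is fast.
+if [ "$tor_circuit_established" = "0" ]; then
+if [ "$VM" = "Gateway" ]; then
+echo "<b>Tor is not yet fully bootstrapped.</b> $tor_bootstrap_percent % done.\
+<br>Tor reports: $tor_bootstrap_status"
+else
+echo "<b>Tor is not yet fully bootstrapped.</b> Tor circuit: $tor_circuit_established_word."
+fi
+exit "2"
+fi
+
+## If the static timestamp based time sanity check failed, there is no
+## need to run the Tor consensus based time sanity check. Avoiding
+## duplicate output.
+if [ ! "$timesanitycheck_static_timestamp_based_failed" = "true" ]; then
+## sets: tor_consensus_valid_after_exit_code
+## sets: tor_consensus_valid_after_output
+## sets: tor_consensus_valid_after_unixtime
+tor_consensus_valid-after
+
+## sets: tor_consensus_valid_until_exit_code
+## sets: tor_consensus_valid_until_output
+## sets: tor_consensus_valid_until_unixtime
+tor_consensus_valid-until
+
+current_unixtime="$(date +"%s")"
+
+if [ "$tor_consensus_valid_after_exit_code" = "0" ] && [ "$tor_consensus_valid_until_exit_code" = "0" ]; then
+clock_tor_consensus_check_result="ok"
+if [ "$current_unixtime" -ge "$tor_consensus_valid_after_unixtime" ]; then
+true
+else
+clock_tor_consensus_check_result="slow"
+clock_tor_consensus_check_msg="The clock might be too slow. Clock is slower than consensus/valid-after $tor_consensus_valid_after_output. $clock_causes"
+fi
+if [ "$current_unixtime" -ge "$tor_consensus_valid_until_unixtime" ]; then
+clock_tor_consensus_check_result="fast"
+clock_tor_consensus_check_msg="The clock might be too fast. Clock is faster than consensus/valid-until $tor_consensus_valid_until_output. $clock_causes"
+else
+true
+fi
+elif [ "$tor_consensus_valid_after_exit_code" = "277" ] && [ "$tor_consensus_valid_until_exit_code" = "277" ]; then
+clock_tor_consensus_check_result="noneyet"
+clock_tor_consensus_check_msg="Might not have downloaded a Tor consensus yet."
+else
+clock_tor_consensus_check_result="error"
+clock_tor_consensus_check_msg="Consensus time sanity check failed. $clock_causes"
+fi
+
+if [ "$clock_tor_consensus_check_result" = "ok" ]; then
+clock_tor_consensus_check_result="ok"
+clock_tor_consensus_check_msg="Clock within consensus parameters consensus/valid-after $tor_consensus_valid_after_output and consensus/valid-until $tor_consensus_valid_until_output."
+fi
+
+if [ "$clock_tor_consensus_check_result" = "ok" ]; then
+echo "<p>$clock_tor_consensus_check_msg</p>" >&2
+else
+echo "<p>$clock_tor_consensus_check_msg</p>"
+fi
+
+## TODO
+## Would have to parse tor_bootstrap_status.
+## In case Tor cannot fetch Tor consensus $tor_consensus_valid_after_exit_code /
+## $tor_consensus_valid_until_exit_code may be zero but $tor_consensus_valid_until_output
+## may be empty.
+#if [ ! "$clock_tor_consensus_check_result" = "ok" ]; then
+# if [ "$VM" = "Gateway" ]; then
+# exit "1"
+# fi
+#fi
+fi
+
+if [ "$tor_circuit_established" = "1" ]; then
+echo "<p>Tor fully bootstrapped.</p>"
+exit "0"
+fi
+
+echo "Tor Bootstrap Result: \
+<b>ERROR tor_circuit_established is neither 0 nor 1. tor_circuit_established: $tor_circuit_established</b><br> Please report this bug!" >&2
+exit "0"
+}
+
+te_pe_tb_check "$@"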
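--- a/overlay/Linux/usr/local/src/helper-scripts/terminal-wrapper
+++ b/overlay/Linux/usr/local/src/helper-scripts/terminal-wrapper
@@ -0,0 +1,73 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+set -x
+set -e
+
+if [ -e "/etc/alternatives/x-terminal-emulator" ]; then
+## Lets see where for example /etc/alternatives/aptitude links to.
+if readlink_result="$(readlink "/etc/alternatives/x-terminal-emulator")" ; then
+## Symlink could be read. Lets use it.
+etc_alternatives_x_terminal_emulator_full_path="$readlink_result"
+etc_alternatives_x_terminal_emulator_base_name="${etc_alternatives_x_terminal_emulator_full_path##*/}"
+fi
+fi
+
+supported_terminal_emulator_apps="
+xfce4-terminal
+xterm
+konsole
+"
+
+for terminal_emulator_app_supported in $supported_terminal_emulator_apps ; do
+if [ "$etc_alternatives_x_terminal_emulator_base_name" = "$terminal_emulator_app_supported" ]; then
+[ -n "$terminal_emulator_app" ] || terminal_emulator_app="$terminal_emulator_app_supported"
+fi
+done
+
+if command -v xfce4-terminal >/dev/null 2>&1; then
+[ -n "$terminal_emulator_app" ] || terminal_emulator_app="xfce4-terminal"
+elif command -v xterm >/dev/null 2>&1; then
+[ -n "$terminal_emulator_app" ] || terminal_emulator_app="xterm"
+elif command -v konsole >/dev/null 2>&1; then
+[ -n "$terminal_emulator_app" ] || terminal_emulator_app="konsole"
+elif [ ! "$etc_alternatives_x_terminal_emulator_base_name" = "" ]; then
+[ -n "$terminal_emulator_app" ] || terminal_emulator_app="$etc_alternatives_x_terminal_emulator_base_name"
+[ -n "$terminal_emulator_extra_args" ] || terminal_emulator_extra_args="-e"
+else
+error_message="$0: No supported terminal_emulator_app installed! Please install either:
+$supported_terminal_emulator_apps
+
+PPID: $PPID
+$0 was called by: $(ps --no-headers -o command $PPID)" || true
+kdialog --sorry "$error_message" >/dev/null 2>&1 || true
+zenity --error --text "$error_message" >/dev/null 2>&1 || true
+echo "$error_message" >&2
+fi
+
+if [ "$terminal_emulator_app" = "xfce4-terminal" ]; then
+[ -n "$terminal_emulator_extra_args" ] || terminal_emulator_extra_args="--execute"
+fi
+
+if [ "$terminal_emulator_app" = "xterm" ]; then
+[ -n "$terminal_emulator_extra_args" ] || terminal_emulator_extra_args="-e"
+fi
+
+if command -v qubesdb-read >/dev/null 2>&1; then
+## Qubes.
+if [ "$terminal_emulator_app" = "konsole" ]; then
+[ -n "$terminal_emulator_extra_args" ] || terminal_emulator_extra_args="--hold -e"
+fi
+else
+## Non-Qubes.
+if [ "$terminal_emulator_app" = "konsole" ]; then
+## Do not use '--fullscreen' since this starts the window without window
+## controls (no window close button) which is confusing.
+## '-e' needs to be the last paramater.
+[ -n "$terminal_emulator_extra_args" ] || terminal_emulator_extra_args="--hold -e"
+fi
+fi
+
+$terminal_emulator_app $terminal_emulator_extra_args $@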
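Review bot: The final line `$terminal_emulator_app $terminal_emulator_extra_args $@` leaves `$@` unquoted, so any argument containing whitespace or glob characters is re-split and expanded before it reaches the terminal emulator; change it to `$terminal_emulator_app $terminal_emulator_extra_args "$@"` (leaving `$terminal_emulator_extra_args` unquoted is deliberate since it holds two words such as `--hold -e`, though an array would be cleaner). The unconditional `set -x` at the top echoes every argument to stderr, which deserves a comment because callers may pass command lines they would not want logged. `ps --no-headers -o command $PPID` in the error branch would also be safer as `"$PPID"`.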
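--- a/overlay/Linux/usr/local/src/helper-scripts/tor_bootstrap_check.bsh
+++ b/overlay/Linux/usr/local/src/helper-scripts/tor_bootstrap_check.bsh
@@ -0,0 +1,156 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+check_tor_bootstrap_helper_variables() {
+if command -v qubesdb-read >/dev/null 2>&1 ; then
+local qubes_vm_type
+qubes_vm_type="$(qubesdb-read /qubes-vm-type)" || true
+if [ "$qubes_vm_type" = "TemplateVM" ] || [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
+## 'qubesdb-read /qubes-gateway' could fail if NetVM is set to 'none'.
+if [ "$GATEWAY_IP" = "" ]; then
+gateway_ip_error=""
+qubesdb_read_qubes_gateway_result="$(qubesdb-read /qubes-gateway 2>/dev/null)" || { gateway_ip_error="qubesdb_read_failed" ; qubesdb_read_qubes_gateway_result="127.0.0.1" ; };
+GATEWAY_IP="$qubesdb_read_qubes_gateway_result"
+fi
+if [ "$gateway_control_port" = "" ]; then
+gateway_control_port="9051"
+fi
+fi
+fi
+
+if [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
+if [ "$GATEWAY_IP" = "" ]; then
+GATEWAY_IP="10.152.152.10"
+fi
+if [ "$gateway_control_port" = "" ]; then
+gateway_control_port="9051"
+fi
+fi
+
+if [ -f "/usr/share/anon-gw-base-files/gateway" ]; then
+if [ "$GATEWAY_IP" = "" ]; then
+GATEWAY_IP="127.0.0.1"
+fi
+fi
+
+if [ "$gateway_control_port" = "" ]; then
+gateway_control_port="9051"
+fi
+if [ "$GATEWAY_IP" = "" ]; then
+GATEWAY_IP="127.0.0.1"
+fi
+}
+
+check_tor_bootstrap_helper_run_helper_script() {
+if [ "$TEMP_DIR" = "" ]; then
+echo "Variable TEMP_DIR was empty." >&2
+TEMP_DIR="$(mktemp --directory)"
+fi
+
+check_tor_bootstrap_helper_variables
+
+check_tor_bootstrap_helper_kill_after="5s"
+check_tor_bootstrap_helper_timeout_after="10s"
+check_bootstrap_helper_bootstrap_file="$TEMP_DIR/tor_check_bootstrap_helper_bootstrap_file"
+
+rm --force "$check_bootstrap_helper_bootstrap_file"
+check_bootstrap_helper_script_exit_code="0"
+timeout \
+--kill-after="$check_tor_bootstrap_helper_kill_after" \
+"$check_tor_bootstrap_helper_timeout_after" \
+$check_bootstrap_helper_script \
+> "$check_bootstrap_helper_bootstrap_file" \
+2>&1 \
+&
+lastpid="$!"
+wait "$lastpid" || { check_bootstrap_helper_script_exit_code="$?" ; true; };
+
+if [ -f "$check_bootstrap_helper_bootstrap_file" ]; then
+check_bootstrap_helper_script_output="$(cat "$check_bootstrap_helper_bootstrap_file")"
+if [ "$check_bootstrap_helper_script_output" = "" ]; then
+check_bootstrap_helper_script_output="Variable check_bootstrap_helper_script_output is empty."
+check_bootstrap_helper_script_exit_code="277"
+fi
+else
+check_bootstrap_helper_script_output="ERROR: File '$check_bootstrap_helper_bootstrap_file' does not exist. check_bootstrap_helper_script: '$check_bootstrap_helper_script' Please report this Whonix bug!"
+fi
+}
+
+check_tor_bootstrap_helper() {
+check_tor_bootstrap_status
+check_tor_circuit_established
+}
+
+check_tor_bootstrap_status() {
+check_bootstrap_helper_script="/usr/local/lib64/helper-scripts/tor_bootstrap_check.py"
+
+## sets: check_bootstrap_helper_script_exit_code
+## sets: check_bootstrap_helper_script_output
+check_tor_bootstrap_helper_run_helper_script
+
+tor_bootstrap_percent="$check_bootstrap_helper_script_exit_code"
+tor_bootstrap_status="$check_bootstrap_helper_script_output"
+
+## `timeout` returns:
+## - 124 if sigterm was sufficient
+## - 137 if needed to use kill.
+if [ "$check_bootstrap_helper_script_exit_code" = "124" ]; then
+tor_bootstrap_timeout_type="sigterm"
+elif [ "$check_bootstrap_helper_script_exit_code" = "137" ]; then
+tor_bootstrap_timeout_type="sigkill"
+else
+tor_bootstrap_timeout_type="none"
+fi
+}
+
+check_tor_circuit_established() {
+check_bootstrap_helper_script="/usr/local/lib64/helper-scripts/tor_circuit_established_check.py"
+
+## sets: check_bootstrap_helper_script_exit_code
+## sets: check_bootstrap_helper_script_output
+check_tor_bootstrap_helper_run_helper_script
+
+tor_circuit_established_check_exit_code="$check_bootstrap_helper_script_exit_code"
+
+if [ "$check_bootstrap_helper_script_exit_code" = "0" ]; then
+tor_circuit_established="$check_bootstrap_helper_script_output"
+if [ "$tor_circuit_established" = "1" ]; then
+tor_circuit_established_word="established"
+else
+tor_circuit_established_word="not established"
+fi
+else
+tor_circuit_established="0"
+tor_circuit_established_word="not established"
+fi
+}
+
+tor_consensus_valid-after() {
+check_bootstrap_helper_script="/usr/local/lib64/helper-scripts/tor_consensus_valid-after.py"
+
+## sets: check_bootstrap_helper_script_exit_code
+## sets: check_bootstrap_helper_script_output
+check_tor_bootstrap_helper_run_helper_script
+
+tor_consensus_valid_after_exit_code="$check_bootstrap_helper_script_exit_code"
+tor_consensus_valid_after_output="$check_bootstrap_helper_script_output"
+if [ "$check_bootstrap_helper_script_exit_code" = "0" ]; then
+tor_consensus_valid_after_unixtime="$(date --date="$tor_consensus_valid_after_output" +"%s")" || true
+fi
+}
+
+tor_consensus_valid-until() {
+check_bootstrap_helper_script="/usr/local/lib64/helper-scripts/tor_consensus_valid-until.py"
+
+## sets: check_bootstrap_helper_script_exit_code
+## sets: check_bootstrap_helper_script_output
+check_tor_bootstrap_helper_run_helper_script
+
+tor_consensus_valid_until_exit_code="$check_bootstrap_helper_script_exit_code"
+tor_consensus_valid_until_output="$check_bootstrap_helper_script_output"
+if [ "$check_bootstrap_helper_script_exit_code" = "0" ]; then
+tor_consensus_valid_until_unixtime="$(date --date="$tor_consensus_valid_until_output" +"%s")" || true
+fi
+}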
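Review bot: In `check_tor_bootstrap_helper_run_helper_script` the `mktemp --directory` fallback taken when `TEMP_DIR` is empty is never removed, so each call without a caller-provided `TEMP_DIR` leaks a directory; either add `trap 'rm -rf -- "${TEMP_DIR:?}"' EXIT` right after the assignment or state in a header comment that the caller must set and own `TEMP_DIR`. The output file name under `TEMP_DIR` is fixed, so the function implicitly relies on `TEMP_DIR` being a private directory — worth saying in that same comment. `$check_bootstrap_helper_script` on the `timeout` invocation should be quoted as `"$check_bootstrap_helper_script"`; every caller assigns it a single path. In `tor_consensus_valid-after`/`-until`, a failing `date --date=…` is swallowed by `|| true` while the exit code stays 0, leaving the `*_unixtime` variable unset or stale for the caller's `-ge` comparison; consider setting the exit code to a non-zero value in that case.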
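--- a/overlay/Linux/usr/local/src/helper-scripts/tor_bootstrap_check.py
+++ b/overlay/Linux/usr/local/src/helper-scripts/tor_bootstrap_check.py
@@ -0,0 +1,37 @@
+#!/usr/bin/python3 -u
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+import sys
+from stem.connection import connect
+import re
+
+controller = connect()
+
+if not controller:
+sys.exit(255)
+
+bootstrap_status = controller.get_info("status/bootstrap-phase")
+
+## Possible answer, if network cable has been removed:
+## 250-status/bootstrap-phase=WARN BOOTSTRAP PROGRESS=80 TAG=conn_or SUMMARY="Connecting to the Tor network" WARNING="No route to host" REASON=NOROUTE COUNT=26 RECOMMENDATION=warn
+
+## Possible answer:
+## 250-status/bootstrap-phase=NOTICE BOOTSTRAP PROGRESS=85 TAG=handshake_or SUMMARY="Finishing handshake with first hop"
+
+## Possible answer, when done:
+## 250-status/bootstrap-phase=NOTICE BOOTSTRAP PROGRESS=100 TAG=done SUMMARY="Done"
+
+## TODO: parse the messages above.
+## 0
+
+print(format(bootstrap_status))
+
+progress_percent = re.match('.* PROGRESS=([0-9]+).*', bootstrap_status)
+
+exit_code = int(progress_percent.group(1))
+
+controller.close()
+
+sys.exit(exit_code)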
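Review bot: `progress_percent.group(1)` is used without checking that `re.match` succeeded, so an unexpected or empty `status/bootstrap-phase` reply raises `AttributeError` and the interpreter exits with status 1 — which the bash caller in tor_bootstrap_check.bsh then stores as a bootstrap percentage of 1, with the traceback as the status text. Guard it before the `int(...)`: `if progress_percent is None:` / `    controller.close()` / `    sys.exit(255)`, reusing the 255 already used for a missing controller so the caller can tell failure from progress. A one-line comment that the exit code is deliberately the percentage (0–100) would also help, since that contract is only visible from the bash side.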
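--- a/overlay/Linux/usr/local/src/helper-scripts/tor_circuit_established_check.py
+++ b/overlay/Linux/usr/local/src/helper-scripts/tor_circuit_established_check.py
@@ -0,0 +1,26 @@
+#!/usr/bin/python3 -u
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+import sys
+from stem.connection import connect
+
+controller = connect()
+
+if not controller:
+sys.exit(255)
+
+circuit_established = controller.get_info("status/circuit-established")
+
+## Possible answer, if established:
+## 1
+
+## Possible answer, if not established:
+## 0
+
+print(format(circuit_established))
+
+controller.close()
+
+sys.exit(0)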
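--- a/overlay/Linux/usr/local/src/helper-scripts/tor_consensus_valid-after.py
+++ b/overlay/Linux/usr/local/src/helper-scripts/tor_consensus_valid-after.py
@@ -0,0 +1,20 @@
+#!/usr/bin/python3 -u
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+import sys
+from stem.connection import connect
+
+controller = connect()
+
+if not controller:
+sys.exit(255)
+
+output = controller.get_info("consensus/valid-after")
+
+print(format(output))
+
+controller.close()
+
+sys.exit(0)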
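--- a/overlay/Linux/usr/local/src/helper-scripts/tor_consensus_valid-until.py
+++ b/overlay/Linux/usr/local/src/helper-scripts/tor_consensus_valid-until.py
@@ -0,0 +1,20 @@
+#!/usr/bin/python3 -u
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+import sys
+from stem.connection import connect
+
+controller = connect()
+
+if not controller:
+sys.exit(255)
+
+output = controller.get_info("consensus/valid-until")
+
+print(format(output))
+
+controller.close()
+
+sys.exit(0)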
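--- a/overlay/Linux/usr/local/src/helper-scripts/tor_enabled_check
+++ b/overlay/Linux/usr/local/src/helper-scripts/tor_enabled_check
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+check_tor_enabled_do() {
+## Fallback.
+TOR_ENABLED="0"
+
+## Skip this test, if not running on Whonix-Gateway.
+if [ ! -e "/usr/share/anon-gw-base-files/gateway" ]; then
+TOR_ENABLED="1"
+return 0
+fi
+
+## Skip this test, if running in Qubes TemplateVM.
+if command -v qubesdb-read >/dev/null 2>&1 ; then
+local qubes_vm_type
+qubes_vm_type="$(qubesdb-read /qubes-vm-type)" || true
+if [ "$qubes_vm_type" = "TemplateVM" ]; then
+TOR_ENABLED="1"
+return 0
+fi
+fi
+
+local line file_name file_name_list i
+
+shopt -s globstar
+shopt -s nullglob
+
+if [ -f /usr/share/tor/tor-service-defaults-torrc ]; then
+file_name_list+="/usr/share/tor/tor-service-defaults-torrc"
+file_name_list+=" "
+fi
+if [ -f /etc/tor/torrc ]; then
+file_name_list+="/etc/tor/torrc"
+file_name_list+=" "
+fi
+
+for i in /etc/torrc.d/* ; do
+file_name_list+="$i"
+file_name_list+=" "
+done
+
+for i in /usr/local/etc/torrc.d/* ; do
+file_name_list+="$i"
+file_name_list+=" "
+done
+
+for file_name in $file_name_list ; do
+if ! test -f "$file_name" ; then
+continue
+fi
+true "file_name: '$file_name'"
+while read -r line || [ -n "$line" ]; do
+if [ "$line" = "DisableNetwork 0" ]; then
+TOR_ENABLED="1"
+fi
+if [ "$line" = "DisableNetwork 1" ]; then
+TOR_ENABLED="0"
+fi
+done < "$file_name"
+unset line
+done
+}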
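Review bot: The `DisableNetwork` detection in `check_tor_enabled_do` only matches a line that is byte-for-byte `DisableNetwork 0` or `DisableNetwork 1`, so a line with leading whitespace, a tab or repeated spaces before the value, or a trailing comment is silently ignored and `TOR_ENABLED` keeps whatever it held before; since this value decides whether Tor networking is reported as enabled, the match should follow torrc's whitespace rules. `file_name_list` is also a space-joined string iterated unquoted, so a path with whitespace under the `torrc.d` directories breaks the loop; a bash array (`file_name_list+=("$i")` and `for file_name in "${file_name_list[@]}"`) avoids that. `shopt -s globstar`/`nullglob` inside the function alter the options of whatever shell sources this file and are never restored; consider saving and restoring them before `return`.
```shell
while read -r line || [ -n "$line" ]; do
  ## Tolerate torrc whitespace and trailing comments, e.g. "DisableNetwork 1 # note".
  if [[ "$line" =~ ^[[:space:]]*DisableNetwork[[:space:]]+([01])([[:space:]]|#|$) ]]; then
    if [ "${BASH_REMATCH[1]}" = "0" ]; then
      TOR_ENABLED="1"
    else
      TOR_ENABLED="0"
    fi
  fi
done < "$file_name"
```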
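--- a/overlay/Linux/usr/local/src/helper-scripts/tor_signal_newnym.py
+++ b/overlay/Linux/usr/local/src/helper-scripts/tor_signal_newnym.py
@@ -0,0 +1,20 @@
+#!/usr/bin/python3 -u
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+import sys
+from stem.connection import connect
+from stem.control import Controller
+from stem import Signal
+
+controller = connect()
+
+if not controller:
+sys.exit(255)
+
+controller.signal(Signal.NEWNYM)
+
+controller.close()
+
+sys.exit(0)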
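--- a/overlay/Linux/usr/local/src/helper-scripts/torsocks-remove-ld-preload
+++ b/overlay/Linux/usr/local/src/helper-scripts/torsocks-remove-ld-preload
@@ -0,0 +1,36 @@
+#!/bin/sh
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## Must be an sh, not bash script, because /etc/cron.weekly/tor is a sh script,
+## that sources /etc/default/tor, which sources this script.
+
+## Cope up with "set -o nounset".
+: "${DEBDEBUG:="0"}"
+: "${LD_PRELOAD:=""}"
+
+if [ "$DEBDEBUG" = "1" ]; then
+set -x
+fi
+
+if [ "$DEBDEBUG" = "1" ]; then
+true "LD_PRELOAD: $LD_PRELOAD"
+fi
+
+## Remove /usr/lib/torsocks/libtorsocks.so from LD_PRELOAD.
+LD_PRELOAD="$(echo "$LD_PRELOAD" | sed 's/\/usr\/lib\/torsocks\/libtorsocks.so//g')"
+
+if [ "$DEBDEBUG" = "1" ]; then
+true "exit code: $?"
+fi
+
+export LD_PRELOAD
+
+if [ "$DEBDEBUG" = "1" ]; then
+true "exit code: $?"
+
+true "LD_PRELOAD: $LD_PRELOAD"
+fi
+
+## Don't use exit at the end, since this script can be sourced by others.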
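Review bot: The `sed` substitution that strips the library from `LD_PRELOAD` leaves the neighbouring separator behind, so a value like `/usr/lib/torsocks/libtorsocks.so:/other.so` becomes `:/other.so`, and the `.` in `libtorsocks.so` is an unescaped regex metacharacter. A POSIX-sh-compatible form that handles both is `LD_PRELOAD="$(printf '%s' "$LD_PRELOAD" | sed -e 's#/usr/lib/torsocks/libtorsocks\.so:*##g' -e 's#:$##')"`. The pattern is also bound to the non-multiarch path; if this distribution installs the library under a multiarch `/usr/lib/<triplet>/torsocks/` directory it would not match at all — worth confirming and noting in the comment above the line. The second `true "exit code: $?"` after `export LD_PRELOAD` always reports 0 and can be dropped.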
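--- a/overlay/Linux/usr/local/src/proxy_local_src.bash
+++ b/overlay/Linux/usr/local/src/proxy_local_src.bash
@@ -0,0 +1,24 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+prog=`basename $0 .bash`
+PREFIX=/usr/local
+ROLE=proxy
+[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
+[ `id -u` -eq 0 ] || echo ERROR: $prog should be run as root && exit 2
+
+DESC=""
+
+cd $PREFIX/src || exit 4
+
+which sdwdate >/dev/null 2>/dev/null || \
+[ -f $PREFIX/bin/sdwdate.bash ] || \
+sh sdwdate.bash
+
+[ -f testssl.sh ] || \
+sh testssl.bash || exit 7$?
+
+[ -x ../bin/analyze-ssl.pl.bash ] || \
+sh analyze-ssl.bash
+
+exit 0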
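Review bot: The root check on the `id -u` line parses as `( [ … ] || echo … ) && exit 2`: the left side always succeeds (either the test or the `echo` does), so the script exits 2 unconditionally, including when run as root, and none of the build steps below can ever run. Replace it with `[ "$(id -u)" -eq 0 ] || { echo "ERROR: $prog should be run as root" >&2; exit 2; }`. The `sh sdwdate.bash` / `sh testssl.bash` / `sh analyze-ssl.bash` steps then execute as root after `cd $PREFIX/src`, so `"$PREFIX"` should be quoted there and on the `-f` test, and `exit 7$?` produces codes such as 70/71 — if a fixed code was intended, `exit 7` is clearer.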
BIN
overlay/Linux/usr/local/src/wicd-new.zip
Normal file
BIN
overlay/Linux/usr/local/src/wicd-new.zip
Normal file
Binary file not shown.
@ -0,0 +1,38 @@
|
||||
*** jks-keystore.dst 2016-03-30 01:41:20.000000000 +0300
|
||||
--- jks-keystore 2019-10-25 05:12:39.275249418 +0300
|
||||
***************
|
||||
*** 33,48 ****
|
||||
if ! mountpoint -q /proc; then
|
||||
echo >&2 "the keytool command requires a mounted proc fs (/proc)."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
! for jvm in java-7-openjdk-$arch java-7-openjdk \
|
||||
! oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \
|
||||
! java-8-openjdk-$arch java-8-openjdk \
|
||||
oracle-java8-jre-$arch oracle-java8-server-jre-$arch oracle-java8-jdk-$arch \
|
||||
java-9-openjdk-$arch java-9-openjdk \
|
||||
! oracle-java9-jre-$arch oracle-java9-server-jre-$arch oracle-java9-jdk-$arch; do
|
||||
if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
|
||||
break
|
||||
fi
|
||||
done
|
||||
export JAVA_HOME=/usr/lib/jvm/$jvm
|
||||
--- 33,49 ----
|
||||
if ! mountpoint -q /proc; then
|
||||
echo >&2 "the keytool command requires a mounted proc fs (/proc)."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
! for jvm in java-8-openjdk-$arch java-8-openjdk \
|
||||
oracle-java8-jre-$arch oracle-java8-server-jre-$arch oracle-java8-jdk-$arch \
|
||||
java-9-openjdk-$arch java-9-openjdk \
|
||||
! oracle-java9-jre-$arch oracle-java9-server-jre-$arch oracle-java9-jdk-$arch \
|
||||
! java-7-openjdk-$arch java-7-openjdk \
|
||||
! oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \
|
||||
! ; do
|
||||
if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
|
||||
break
|
||||
fi
|
||||
done
|
||||
export JAVA_HOME=/usr/lib/jvm/$jvm
|
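--- a/tasks/Debian.yml
+++ b/tasks/Debian.yml
@@ -0,0 +1,117 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+---
+
+- name: "DEBUG: Including proxy Debian.yml"
+debug:
+verbosity: 1
+msg: "DEBUG: Including proxy Debian.yml BASE_ARE_CONNECTED={{BASE_ARE_CONNECTED}}"
+
+# Perf h4x: Force dpkg to not to call sync() after package extraction, turn off
+# the apt-cache (not needed in a container) and disable translation fetching...
+- name: "/etc/dpkg/dpkg.cfg.d/02-force-unsafe-io"
+blockinfile:
+dest: /etc/dpkg/dpkg.cfg.d/02-force-unsafe-io
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian.yml"
+block: |
+force-unsafe-io
+
+- name: "/etc/apt/apt.conf.d/no-cache"
+blockinfile:
+dest: /etc/apt/apt.conf.d/no-cache
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian.yml"
+block: |
+Acquire::http {No-Cache=True;};
+when:
+- ansible_virtualization_role|replace('NA', 'host') == 'guest'
+
+- name: "/etc/apt/apt.conf.d/no-cache"
+blockinfile:
+dest: /etc/apt/apt.conf.d/no-cache
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian.yml"
+block: |
+Acquire::http {No-Cache=False;};
+when:
+- ansible_virtualization_role|replace('NA', 'host') != 'guest'
+
+- name: "/etc/apt/apt.conf.d/no-lang"
+blockinfile:
+dest: /etc/apt/apt.conf.d/no-lang
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian.yml"
+block: |
+Acquire::Languages "none";
+
+- name: disable /etc/apt/apt.conf.d/50unattended-upgrades
+shell: |
+[ -f /etc/apt/apt.conf.d/50unattended-upgrades ] || exit 0
+grep -q '^[^/]' /etc/apt/apt.conf.d/50unattended-upgrades || exit 0
+sed -e 's@^\([^/]\)@//\1@' -i /etc/apt/apt.conf.d/50unattended-upgrades
+exit 0
+
+- name: /etc/apt/apt.conf.d/70insecure.conf
+blockinfile:
+dest: /etc/apt/apt.conf.d/70insecure.conf
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian.yml"
+block: |
+Acquire::AllowInsecureRepositories false;
+
+- name: install proxy_debs_inst packages
+environment:
+- "RUNLEVEL": 1
+apt:
+force_apt_get: true
+name: "{{ item }}"
+state: latest
+update_cache: no
+ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
+when:
+- item != '' and item != []
+- not ansible_check_mode
+- BASE_ARE_CONNECTED|default('') != ''
+with_items:
+- "{{ proxy_debs_inst }}"
+- "{{ proxy_libvirt_debs_inst if BOX_WHONIX_PROXY_HOST != '' else [] }}"
+- "{{ proxy_qemu_guest_debs_inst if PROXY_MODE in ['gateway','ws', 'vda'] else [] }}"
+- "{{ proxy_gateway_debs_inst if BOX_OS_FLAVOR in ['WhonixGateway'] else [] }}"
+- "{{ proxy_xfce_debs_inst if BOX_OS_FLAVOR in ['KickSecure', 'WhonixWorkstation'] else [] }}"
+
+- name: install cntlm packages
+environment:
+- "RUNLEVEL": 1
+apt:
+force_apt_get: true
+name: "cntlm"
+state: latest
+update_cache: no
+ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
+when:
+- false
+- not ansible_check_mode
+- BASE_ARE_CONNECTED|default('') != ''
+
+- name: "/etc/default/console-setup"
+lineinfile:
+dest: /etc/default/console-setup
+regexp: "^#* *{{item.name}}.*"
+line: '{{ item.name }}="{{ item.val }}"'
+state: present
+with_items:
+- { name: CODESET, val: "Uni2" }
+- { name: FONTFACE, val: "TerminusBold" }
+- { name: FONTSIZE, val: "28x14" }
+
+- name: /etc/apt/apt.conf.d/70testforge.conf
+blockinfile:
+dest: /etc/apt/apt.conf.d/70testforge.conf
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian_post.yml"
+block: |
+APT::Install-Recommends false;
+APT::Install-Suggests false;
+#APT::AutoRemove::RecommendsImportant false;
+#APT::AutoRemove::SuggestsImportant false;
+APT::Periodic::Enable 0;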
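Review bot: The `02-force-unsafe-io` block is written unconditionally, while the comment above it scopes the optimisation to containers; `force-unsafe-io` makes dpkg skip fsync, so a crash or power loss mid-upgrade on a real host can leave packages half-written. Gate it the way the `no-cache` task already is, with `when: - ansible_virtualization_role|replace('NA', 'host') == 'guest'`, or drop it for hosts; the identical task in tasks/Devuan.yml needs the same change. The `disable 50unattended-upgrades` shell task switches off automatic security updates with no variable to opt out and no `changed_when`, so it reports changed on every run; a short comment stating why unattended upgrades are unwanted on this box would help the next reader, and `changed_when: false` on the early-exit paths would make the play idempotent.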
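--- a/tasks/Debian_post.yml
+++ b/tasks/Debian_post.yml
@@ -0,0 +1,40 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+---
+
+- debug:
+verbosity: 1
+msg: "DEBUG: Including proxy Debian_post.yml SOCKS_PROXYHOST:SOCKS_PROXYPORT= {{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}"
+
+- name: /etc/apt/apt.conf.d/80proxy.conf
+blockinfile:
+dest: /etc/apt/apt.conf.d/80proxy.conf
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian_post.yml"
+state: "{{'absent' if HTTP_PROXYHOST == '' else 'present' }}"
+block: |
+Acquire::http::Proxy "{{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}";
+Acquire::https::Proxy "{{HTTP_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}";
+
+- name: /etc/apt/apt.conf.d/70testforge.conf
+blockinfile:
+dest: /etc/apt/apt.conf.d/70testforge.conf
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml"
+state: "{{'absent' if HTTP_PROXYHOST == '' else 'present' }}"
+block: |
+
+Acquire::tor::proxy "socks5h://apt:apt@{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}";
+Acquire::tor::Timeout 60;
+when:
+- "SOCKS_PROXYHOST != '' and SOCKS_PROXYPORT != ''"
+
+- name: "/etc/sdwdate.d/30_default.conf"
+lineinfile:
+dest: /etc/sdwdate.d/30_default.conf
+create: true
+regexp: "^#*{{ item.name }}.*"
+line: "{{ item.name }}={{ item.val }}"
+with_items:
+- { name: PROXY_IP, val: "{{SOCKS_PROXYHOST}}" }
+- { name: PROXY_PORT, val: "{{SOCKS_PROXYPORT}}" }
+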
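Review bot: In the `80proxy.conf` block the `Acquire::https::Proxy` line takes its scheme from `HTTP_PROXYTYPE` while host and port come from `HTTPS_PROXYHOST`/`HTTPS_PROXYPORT`; if the role defines an `HTTPS_PROXYTYPE` it is presumably the intended variable, otherwise a comment saying the scheme is deliberately shared would settle the question. The `70testforge.conf` task keys `state` on `HTTP_PROXYHOST` but `when` on `SOCKS_PROXYHOST`/`SOCKS_PROXYPORT`, so with a SOCKS proxy configured and no HTTP proxy the block is removed instead of written; `state` should test the same SOCKS variables. That file is also written by tasks/Debian.yml under a different marker, which is fine for blockinfile but deserves a comment that the two blocks are meant to coexist. Both points apply unchanged to tasks/Devuan_post.yml.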
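--- a/tasks/Devuan.yml
+++ b/tasks/Devuan.yml
@@ -0,0 +1,137 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+---
+
+- name: "DEBUG: Including proxy Devuan.yml"
+debug:
+verbosity: 1
+msg: "DEBUG: Including proxy Devuan.yml BASE_ARE_CONNECTED={{BASE_ARE_CONNECTED}}"
+
+# Perf h4x: Force dpkg to not to call sync() after package extraction, turn off
+# the apt-cache (not needed in a container) and disable translation fetching...
+- name: "/etc/dpkg/dpkg.cfg.d/02-force-unsafe-io"
+blockinfile:
+dest: /etc/dpkg/dpkg.cfg.d/02-force-unsafe-io
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Devuan.yml"
+block: |
+force-unsafe-io
+
+- name: "/etc/apt/apt.conf.d/no-cache"
+blockinfile:
+dest: /etc/apt/apt.conf.d/no-redirect
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Devuan.yml"
+block: |
+# https://lists.debian.org/debian-security-announce/2019/msg00010.html
+Acquire::http::AllowRedirect=false update;
+Acquire::http::AllowRedirect=false upgrade;
+
+- name: "/etc/apt/apt.conf.d/no-cache"
+blockinfile:
+dest: /etc/apt/apt.conf.d/no-cache
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Devuan.yml"
+block: |
+Acquire::http {No-Cache=True;};
+when:
+- ansible_virtualization_role|replace('NA', 'host') == 'guest'
+
+- name: "/etc/apt/apt.conf.d/no-cache"
+blockinfile:
+dest: /etc/apt/apt.conf.d/no-cache
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Devuan.yml"
+block: |
+Acquire::http {No-Cache=False;};
+when:
+- ansible_virtualization_role|replace('NA', 'host') != 'guest'
+
+- name: "/etc/apt/apt.conf.d/no-lang"
+blockinfile:
+dest: /etc/apt/apt.conf.d/no-lang
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Devuan.yml"
+block: |
+Acquire::Languages "none";
+
+- name: disable /etc/apt/apt.conf.d/50unattended-upgrades
+shell: |
+[ -f /etc/apt/apt.conf.d/50unattended-upgrades ] || exit 0
+grep -q '^[^/]' /etc/apt/apt.conf.d/50unattended-upgrades || exit 0
+sed -e 's@^\([^/]\)@//\1@' -i /etc/apt/apt.conf.d/50unattended-upgrades
+exit 0
+
+- name: /etc/apt/apt.conf.d/70insecure.conf
+blockinfile:
+dest: /etc/apt/apt.conf.d/70insecure.conf
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Devuan.yml"
+block: |
+Acquire::AllowInsecureRepositories false;
+
+- name: install proxy_debs_inst packages
+environment:
+- "RUNLEVEL": 1
+apt:
+force_apt_get: true
+name: "{{ item }}"
+state: latest
+update_cache: no
+ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
+when:
+- item != '' and item != []
+- not ansible_check_mode
+- BASE_ARE_CONNECTED|default('') != ''
+with_items:
+- "{{proxy_debs_inst}}"
+- "{{ proxy_libvirt_debs_inst if BOX_WHONIX_PROXY_HOST != '' else [] }}"
+- "{{ proxy_qemu_guest_debs_inst if PROXY_MODE in ['gateway','ws', 'vda'] else [] }}"
+- "{{ proxy_gateway_debs_inst if BOX_OS_FLAVOR in ['WhonixGateway'] else [] }}"
+- "{{ proxy_xfce_debs_inst if BOX_OS_FLAVOR in ['KickSecure', 'WhonixWorkstation'] else [] }}"
+
+- name: install cntlm packages
+environment:
+- "RUNLEVEL": 1
+apt:
+force_apt_get: true
+name: "cntlm"
+state: latest
+update_cache: no
+ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
+when:
+- false
+- not ansible_check_mode
+- BASE_ARE_CONNECTED|default('') != ''
+
+- name: "/etc/default/console-setup"
+lineinfile:
+dest: /etc/default/console-setup
+create: yes
+regexp: "^#* *{{item.name}}.*"
+line: '{{ item.name }}="{{ item.val }}"'
+state: present
+with_items:
+- { name: CODESET, val: "Uni2" }
+- { name: FONTFACE, val: "TerminusBold" }
+- { name: FONTSIZE, val: "28x14" }
+
+- name: /etc/apt/apt.conf.d/70testforge.conf
+blockinfile:
+dest: /etc/apt/apt.conf.d/70testforge.conf
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian_post.yml"
+block: |
+APT::Install-Recommends false;
+APT::Install-Suggests false;
+#APT::AutoRemove::RecommendsImportant false;
+#APT::AutoRemove::SuggestsImportant false;
+APT::Periodic::Enable 0;
+
+- name: //usr/share/tor/tor-service-defaults-torrc
+shell: |
+[ -f /usr/share/tor/tor-service-defaults-torrc ] &&
+[ -h /usr/share/tor/tor-service-defaults-torrc ] && return 0
+[ -f /usr/share/tor/tor-service-defaults-torrc ] || return 0
+mv /usr/share/tor/tor-service-defaults-torrc \
+/usr/share/tor/tor-service-defaults-torrc.bak
+ln -s /etc/tor/torrc-defaults /usr/share/tor/tor-service-defaults-torrc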
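Review bot: The final `tor-service-defaults-torrc` shell task uses `return 0` at the top level of a script that is not a function; in bash this is reported as an error and execution continues (dash's handling of a top-level `return` is not guaranteed by POSIX either), so on a second run, when the path is already a symlink, both guards fall through and `mv` replaces the earlier `.bak` backup with the symlink before `ln -s` is re-run. Use `exit 0` on both guard lines so the task is idempotent and the original defaults file survives. The `no-redirect` task (its `name` still says `no-cache`) writes `Acquire::http::AllowRedirect=false update;`, which looks like the `-o` command-line form rather than apt.conf syntax (`Acquire::http::AllowRedirect "false";`); since this is the mitigation for the linked advisory, please confirm with `apt-config dump` that the option is actually parsed and set.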
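--- /dev/null
+++ b/tasks/Devuan_post.yml
@@ -0,0 +1,40 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+---
+
+- debug:
+verbosity: 1
+msg: "DEBUG: Including proxy Debian_post.yml SOCKS_PROXYHOST:SOCKS_PROXYPORT= {{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}"
+
+- name: /etc/apt/apt.conf.d/80proxy.conf
+blockinfile:
+dest: /etc/apt/apt.conf.d/80proxy.conf
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian_post.yml"
+state: "{{'absent' if HTTP_PROXYHOST == '' else 'present' }}"
+block: |
+Acquire::http::Proxy "{{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}";
+Acquire::https::Proxy "{{HTTP_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}";
+
+- name: /etc/apt/apt.conf.d/70testforge.conf
+blockinfile:
+dest: /etc/apt/apt.conf.d/70testforge.conf
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml"
+state: "{{'absent' if HTTP_PROXYHOST == '' else 'present' }}"
+block: |
+
+Acquire::tor::proxy "socks5h://apt:apt@{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}";
+Acquire::tor::Timeout 60;
+when:
+- "SOCKS_PROXYHOST != '' and SOCKS_PROXYPORT != ''"
+
+- name: "/etc/sdwdate.d/30_default.conf"
+lineinfile:
+dest: /etc/sdwdate.d/30_default.conf
+create: true
+regexp: "^#*{{ item.name }}.*"
+line: "{{ item.name }}={{ item.val }}"
+with_items:
+- { name: PROXY_IP, val: "{{SOCKS_PROXYHOST}}" }
+- { name: PROXY_PORT, val: "{{SOCKS_PROXYPORT}}" }
+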
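Review bot: The 70testforge.conf task keys its `state` on `HTTP_PROXYHOST` while its `when` guards on the SOCKS variables, so the Tor block is removed whenever the HTTP proxy is unset even if SOCKS is configured, and a stale block is never cleaned up once SOCKS is later cleared; `state: "{{'absent' if SOCKS_PROXYHOST == '' else 'present' }}"` without the `when` would keep the file in step with the variables. The https line in 80proxy.conf reuses `HTTP_PROXYTYPE` (`Acquire::https::Proxy "{{HTTP_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}";`); if the role defines `HTTPS_PROXYTYPE`, as the commented block in tasks/Gentoo_post.yml suggests, that is the variable to template here, and tasks/Ubuntu_post.yml carries the same line. The `apt:apt@` in the socks5h URL reads like a credential; a comment such as `# apt:apt is a Tor stream-isolation key, not a secret` would spare the next reader a question, assuming that is its purpose. The debug message and the 80proxy.conf marker still say `Debian_post.yml` in a file named Devuan_post.yml, which makes the play output misleading for this distribution.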
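--- /dev/null
+++ b/tasks/Gentoo.yml
@@ -0,0 +1,67 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+
+---
+
+- name: "DEBUG: proxy Gentoo2.yml"
+debug:
+verbosity: 1
+msg: "DEBUG: Including proxy Gentoo2.yml"
+
+- assert:
+that: "'{{BOX_OS_FLAVOR}}' in ['Clipos', 'Funtoo', 'Pentoo' , 'Gentoo']"
+
+- name: "include proxy by-flavour tasks"
+include_tasks: "roles/proxy/tasks/{{ ansible_distribution }}/{{ BOX_OS_FLAVOR }}/main.yml"
+
+- name: install proxy packages proxy_pkgs_inst
+environment: "{{ portage_proxy_env }}"
+shell: |
+cd {{ BASE_ROOT_LOG_DIR }} || exit 2
+retval=0
+/usr/local/bin/usr_local_base.bash box_gentoo_emerge \
+{{proxy_pkgs_bootstrap}} \
+{{proxy_pkgs_inst}} \
+&& exit 0
+retval=$?
+echo WARN: $retval
+exit $retval
+when:
+- BASE_ARE_CONNECTED|default('') != ''
+- ansible_virtualization_role|replace('NA', 'host') == 'host'
+ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
+
+- name: install proxy packages GUEST
+environment: "{{ portage_proxy_env }}"
+shell: |
+cd {{ BASE_ROOT_LOG_DIR }} || exit 2
+/usr/local/bin/usr_local_base.bash box_gentoo_emerge \
+{{ proxy_pkgs_bootstrap }} \
+{{ proxy_pkgs_inst_guest }} \
+|| exit $?
+ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
+when:
+- BASE_ARE_CONNECTED|default('') != ''
+- ansible_virtualization_role|replace('NA', 'host') != 'host'
+
+- name: install cntlm packages
+portage: package="net-proxy/cntlm" state=present
+when: CORP_NTLM_PROXY|default('') != ''
+
+- name: /etc/conf.d/consolefont
+blockinfile:
+dest: "/etc/{{ETC_CONF_D}}/consolefont"
+marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Gentoo"
+mode: 0644
+owner: "{{BOX_ROOT_USER}}"
+group: "{{BOX_ROOT_GROUP}}"
+create: yes
+block: |
+consolefont="ter-v24b"
+
+- name: rc-update add bootlogd boot
+shell: |
+rc-update | grep -q 'bootlogd .* boot' || \
+rc-update add bootlogd boot
+exit 0
+
+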
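Review bot: The `assert` renders `BOX_OS_FLAVOR` into the expression text (`that: "'{{BOX_OS_FLAVOR}}' in [...]"`), so a value containing a quote breaks the Jinja expression instead of failing the assertion; `that: "BOX_OS_FLAVOR in ['Clipos', 'Funtoo', 'Pentoo', 'Gentoo']"` tests the variable directly, which matters because the next task builds an `include_tasks` path from the same value. Both emerge shell blocks `cd {{ BASE_ROOT_LOG_DIR }}` unquoted; `cd "{{ BASE_ROOT_LOG_DIR }}" || exit 2` keeps the guard meaningful for a path with spaces. The bootlogd task ends in `exit 0` with no `changed_when`, so it reports changed on every run; a `changed_when` keyed on whether the `rc-update add` branch actually ran would make the play idempotent. The debug task names the file `Gentoo2.yml` although it lives at tasks/Gentoo.yml.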
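--- /dev/null
+++ b/tasks/Gentoo/Gentoo/accept_keywords.yml
@@ -0,0 +1,15 @@
+# -*- mode: yaml; tab-width: 0; coding: utf-8-unix -*-
+# This is an automatically generated file: do not edit
+
+---
+
+
+
+- name: "/etc/portage/package.accept_keywords/2020-03_polipo.txt"
+blockinfile:
+dest: /etc/portage/package.accept_keywords/2020-03_polipo.txt
+create: true
+marker: "# {mark} Ansible Managed Block proxy polipo"
+block: |
+=net-proxy/polipo-9999 **
+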
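--- /dev/null
+++ b/tasks/Gentoo/Gentoo/main.yml
@@ -0,0 +1,16 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+
+---
+
+- name: "proxy Gentoo/Pentoo.yml"
+debug:
+verbosity: 1
+msg: "proxy Gentoo/Pentoo.yml"
+
+- include_tasks: Gentoo/Pentoo/portage.yml
+
+- include_tasks: Gentoo/Pentoo/use.yml
+
+#- include_tasks: Gentoo/Pentoo/mask.yml
+
+- include_tasks: Gentoo/Pentoo/accept_keywords.yml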
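Review bot: tasks/Gentoo/Gentoo/main.yml includes `Gentoo/Pentoo/portage.yml`, `Gentoo/Pentoo/use.yml` and `Gentoo/Pentoo/accept_keywords.yml`, so on the plain Gentoo flavour the Pentoo task files run and the sibling files this commit adds under tasks/Gentoo/Gentoo/ are never reached. The include lines should point at `Gentoo/Gentoo/portage.yml`, `Gentoo/Gentoo/use.yml` and `Gentoo/Gentoo/accept_keywords.yml` (and the debug name at `Gentoo/Gentoo.yml`), unless the sharing is intentional, in which case the Gentoo/Gentoo copies are dead files and should say so.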
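--- /dev/null
+++ b/tasks/Gentoo/Gentoo/portage.yml
@@ -0,0 +1,8 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+
+---
+
+- name: "proxy Gentoo/Pentoo/portage.yml"
+debug:
+verbosity: 1
+msg: "proxy Gentoo/Pentoo/portage.yml"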
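--- /dev/null
+++ b/tasks/Gentoo/Gentoo/use.yml
@@ -0,0 +1,55 @@
+# -*- mode: yaml; tab-width: 0; coding: utf-8-unix -*-
+# This is an automatically generated file: do not edit
+
+---
+
+
+
+- name: "/etc/portage/package.use/2022-08_nss.txt"
+blockinfile:
+dest: /etc/portage/package.use/2022-08_nss.txt
+create: true
+marker: "# {mark} Ansible Managed Block proxy curl"
+block: |
+net-misc/curl openssl -progress-meter alt-svc adns ftp http2 imap -ipv6 pop3 smtp ssh ssl tftp zstd -samba -sslv3 -threads -winssl -nss # -curl_ssl_gnutls -curl_ssl_mbedtls -curl_ssl_nss curl_ssl_openssl -curl_ssl_rustls
+
+- name: "/etc/portage/package.use/2017-01-01_libguestfs.txt"
+blockinfile:
+dest: /etc/portage/package.use/2017-01-01_libguestfs.txt
+create: true
+marker: "# {mark} Ansible Managed Block proxy unzip"
+block: |
+app-arch/unzip natspec
+
+- name: "/etc/portage/package.use/2020-00_ipv6.txt"
+blockinfile:
+dest: /etc/portage/package.use/2020-00_ipv6.txt
+create: true
+marker: "# {mark} Ansible Managed Block proxy nmap"
+block: |
+net-analyzer/nmap -ipv6
+
+- name: "/etc/portage/package.use/2021-00_verify-sig.txt"
+blockinfile:
+dest: /etc/portage/package.use/2021-00_verify-sig.txt
+create: true
+marker: "# {mark} Ansible Managed Block proxy nmap"
+block: |
+net-analyzer/nmap verify-sig
+
+- name: "/etc/portage/package.use/2019-02_rkhunter.txt"
+blockinfile:
+dest: /etc/portage/package.use/2019-02_rkhunter.txt
+create: true
+marker: "# {mark} Ansible Managed Block proxy lsof"
+block: |
+sys-process/lsof rpc
+
+- name: "/etc/portage/package.use/2020-00_ipv6.txt"
+blockinfile:
+dest: /etc/portage/package.use/2020-00_ipv6.txt
+create: true
+marker: "# {mark} Ansible Managed Block proxy lsof"
+block: |
+sys-process/lsof -ipv6
+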
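--- /dev/null
+++ b/tasks/Gentoo/Pentoo/accept_keywords.yml
@@ -0,0 +1,15 @@
+# -*- mode: yaml; tab-width: 0; coding: utf-8-unix -*-
+# This is an automatically generated file: do not edit
+
+---
+
+
+
+- name: "/etc/portage/package.accept_keywords/2020-03_polipo.txt"
+blockinfile:
+dest: /etc/portage/package.accept_keywords/2020-03_polipo.txt
+create: true
+marker: "# {mark} Ansible Managed Block proxy polipo"
+block: |
+=net-proxy/polipo-9999 **
+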
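--- /dev/null
+++ b/tasks/Gentoo/Pentoo/main.yml
@@ -0,0 +1,16 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+
+---
+
+- name: "proxy Gentoo/Pentoo.yml"
+debug:
+verbosity: 1
+msg: "proxy Gentoo/Pentoo.yml"
+
+- include_tasks: Gentoo/Pentoo/portage.yml
+
+- include_tasks: Gentoo/Pentoo/use.yml
+
+#- include_tasks: Gentoo/Pentoo/mask.yml
+
+- include_tasks: Gentoo/Pentoo/accept_keywords.yml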
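--- /dev/null
+++ b/tasks/Gentoo/Pentoo/portage.yml
@@ -0,0 +1,8 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+
+---
+
+- name: "proxy Gentoo/Pentoo/portage.yml"
+debug:
+verbosity: 1
+msg: "proxy Gentoo/Pentoo/portage.yml"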
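--- /dev/null
+++ b/tasks/Gentoo/Pentoo/use.yml
@@ -0,0 +1,55 @@
+# -*- mode: yaml; tab-width: 0; coding: utf-8-unix -*-
+# This is an automatically generated file: do not edit
+
+---
+
+
+
+- name: "/etc/portage/package.use/2022-08_nss.txt"
+blockinfile:
+dest: /etc/portage/package.use/2022-08_nss.txt
+create: true
+marker: "# {mark} Ansible Managed Block proxy curl"
+block: |
+net-misc/curl openssl -progress-meter alt-svc adns ftp http2 imap -ipv6 pop3 smtp ssh ssl tftp zstd -samba -sslv3 -threads -winssl -nss # -curl_ssl_gnutls -curl_ssl_mbedtls -curl_ssl_nss curl_ssl_openssl -curl_ssl_rustls
+
+- name: "/etc/portage/package.use/2017-01-01_libguestfs.txt"
+blockinfile:
+dest: /etc/portage/package.use/2017-01-01_libguestfs.txt
+create: true
+marker: "# {mark} Ansible Managed Block proxy unzip"
+block: |
+app-arch/unzip natspec
+
+- name: "/etc/portage/package.use/2020-00_ipv6.txt"
+blockinfile:
+dest: /etc/portage/package.use/2020-00_ipv6.txt
+create: true
+marker: "# {mark} Ansible Managed Block proxy nmap"
+block: |
+net-analyzer/nmap -ipv6
+
+- name: "/etc/portage/package.use/2021-00_verify-sig.txt"
+blockinfile:
+dest: /etc/portage/package.use/2021-00_verify-sig.txt
+create: true
+marker: "# {mark} Ansible Managed Block proxy nmap"
+block: |
+net-analyzer/nmap verify-sig
+
+- name: "/etc/portage/package.use/2019-02_rkhunter.txt"
+blockinfile:
+dest: /etc/portage/package.use/2019-02_rkhunter.txt
+create: true
+marker: "# {mark} Ansible Managed Block proxy lsof"
+block: |
+sys-process/lsof rpc
+
+- name: "/etc/portage/package.use/2020-00_ipv6.txt"
+blockinfile:
+dest: /etc/portage/package.use/2020-00_ipv6.txt
+create: true
+marker: "# {mark} Ansible Managed Block proxy lsof"
+block: |
+sys-process/lsof -ipv6
+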
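--- /dev/null
+++ b/tasks/Gentoo_post.yml
@@ -0,0 +1,104 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+---
+
+- name: "DEBUG: proxy Gentoo_post.yml"
+debug:
+verbosity: 1
+msg: "DEBUG: Including proxy Gentoo_post.yml"
+
+- name: proxy http equals
+blockinfile:
+dest: "{{ item.dest }}"
+owner: "{{ item.owner }}"
+group: "{{ item.group }}"
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK proxy http equals"
+# state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
+block: |
+# emerge does not seem to pick up .gitconfig settings for proxy from ~portage/.gitconfig
+# neded to get these form the environment or hosts.yml
+# fucking google go calls home during COMPILE
+#NO api/services/events/v1/events.pb.go:15:2: google.golang.org/grpc@v1.43.0: Get "https://proxy.golang.org/google.golang.org/grpc/@v/v1.43.0.zip": proxyconnect tcp: dial tcp 127.0.0.1:9128: connect: connection refused
+
+# allow
+#NO http_proxy={{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
+#NO https_proxy={{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}
+#NO socks_proxy={{SOCKS_PROXYTYPE}}://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}
+# NO RSYNC_PROXY={{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
+http_proxy=http://127.0.0.1:666
+https_proxy=http://127.0.0.1:666
+socks_proxy=socks5h://127.0.0.1:666
+no_proxy="{{ NO_PROXY }}"
+RSYNC_PROXY=127.0.0.1:666
+
+when:
+- "item.bool == 'yes'"
+with_items:
+- dest: "/etc/portage/make.conf"
+owner: "portage"
+group: "portage"
+mode: "0644"
+bool: "{{ 'yes' if ansible_distribution == 'Gentoo' else 'no' }}"
+
+- name: proxy http CURL_OPTS
+blockinfile:
+dest: "{{ item.dest }}"
+owner: "{{ item.owner }}"
+group: "{{ item.group }}"
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK proxy http CURL_OPTS"
+# state: "{{ 'present' if SOCKS_PROXY != '' else 'absent' }}"
+block: |
+CURL_OPTS="--cert-status --connect-timeout 30 {{ '--tlsv1.3' if BOX_TLS_VERSION == '1.3' else '--tlsv1.2' }} --location --proto-redir https --proto-default https --proto =https -x ${socks_proxy} --fail"
+when:
+- "item.bool == 'yes'"
+with_items:
+- dest: "/etc/portage/make.conf"
+owner: "portage"
+group: "portage"
+mode: "0644"
+bool: "{{ 'yes' if ansible_distribution == 'Gentoo' else 'no' }}"
+
+- name: proxy http FETCHCOMMAND
+blockinfile:
+dest: "{{ item.dest }}"
+owner: "{{ item.owner }}"
+group: "{{ item.group }}"
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK proxy http FETCHCOMMAND"
+# state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
+block: |
+#FETCHCOMMAND='wget -t 1 -T 10 --passive-ftp -O "\${DISTDIR}/\${FILE}" "\${URI}"'
+
+FETCHCOMMAND='/usr/local/bin/scurl.bash -- --retry 1 --output "\${DISTDIR}/\${FILE}" "\${URI}"'
+FETCHCOMMAND_HTTP='/usr/local/bin/scurl.bash -- --retry 1 --output "\${DISTDIR}/\${FILE}" "\${URI}"'
+FETCHCOMMAND_HTTPS='/usr/local/bin/scurl.bash -- --retry 1 --output "\${DISTDIR}/\${FILE}" "\${URI}"'
+
+RESUMECOMMAND='/usr/local/bin/scurl.bash -- -C - --retry 1 --output "\${DISTDIR}/\${FILE}" "\${URI}"'
+RESUMECOMMAND_HTTP='/usr/local/bin/scurl.bash -- -C - --retry 1 --output "\${DISTDIR}/\${FILE}" "\${URI}"'
+RESUMECOMMAND_HTTPS='/usr/local/bin/scurl.bash -- -C - --retry 1 --output "\${DISTDIR}/\${FILE}" "\${URI}"'
+
+when:
+- "item.bool == 'yes'"
+with_items:
+- dest: "/etc/portage/make.conf"
+owner: "portage"
+group: "portage"
+mode: "0644"
+bool: "{{ 'yes' if ansible_distribution == 'Gentoo' else 'no' }}"
+
+- name: /etc/portage/make.conf PORTAGE_RSYNC_EXTRA_OPTS
+blockinfile:
+dest: /etc/portage/make.conf
+create: no
+marker: "# {mark} ANSIBLE MANAGED BLOCK proxy [PORTAGE_RSYNC_EXTRA_OPTS]"
+block: |
+PORTAGE_RSYNC_RETRIES=5
+#mgorny suggested this speeds up sync, in my testing it makes a rather large difference
+PORTAGE_RSYNC_EXTRA_OPTS="--omit-dir-times -4 --timeout=20"
+
+
+
+
+
+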
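Review bot: All three make.conf tasks carry `mode: "0644"` in their `with_items` entry but never hand it to `blockinfile`, so `item.mode` is dead and the file's mode is whatever `create: yes` leaves; adding `mode: "{{ item.mode }}"` beside `owner`/`group` completes the item. The `http_proxy`/`https_proxy`/`socks_proxy`/`RSYNC_PROXY` values all point at `127.0.0.1:666`, which the surrounding `#NO` comments suggest is a deliberate dead port to stop build-time network access, but nothing states it; a line such as `# 127.0.0.1:666 is intentionally unreachable so any fetch that bypasses FETCHCOMMAND fails closed` would record the intent, and it is worth confirming that `RSYNC_PROXY` pointing there does not also break a rsync-based `emerge --sync` if that is used. The `bool` item field plus `when: "item.bool == 'yes'"` is an indirect way of writing `when: ansible_distribution == 'Gentoo'` on each task. Note also that `CURL_OPTS` references `${socks_proxy}`, which this same block sets to the dead port, so the two managed blocks only make sense together.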
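--- /dev/null
+++ b/tasks/Msys.yml
@@ -0,0 +1,28 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+
+---
+
+- name: "DEBUG: Including proxy Msys.yml"
+debug:
+verbosity: 1
+msg: "DEBUG: Including proxy Msys.yml BASE_ARE_CONNECTED={{BASE_ARE_CONNECTED}}"
+
+- name: netsh interface ip set address name="Ethernet0" static 10.1.2.220 255.255.255.0 10.1.2.1
+shell: |
+# https://pureinfotech.com/set-static-ip-address-windows-10/
+netsh interface ip set address name="{{BOX_DEFAULT_OUTPUT_IF}}" static 10.152.152.13 255.255.255.0 10.152.152.10
+
+- name: "proxy local_connection.yml"
+include_tasks: "local_connection.yml"
+
+- block:
+
+- name: mvmc_setup.msi
+shell: |
+[ -f /e/net/Http/https://github.com/xavery/mvmc_setup/releases/download/2014_11_10/mvmc_setup.msi ] \
+wget --restrict-file-names=windows -xcP /e/net/Http \
+https://github.com/xavery/mvmc_setup/releases/download/2014_11_10/mvmc_setup.msi || \
+exit 1
+[ -d /c/Program Files/ ] || \
+start "/e/net/Http/github.com/xavery/mvmc_setup/releases/download/2014_11_10/mvmc_setup.msi" //quiet
+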
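Review bot: In the mvmc_setup.msi shell block the line `[ -f /e/net/Http/https://github.com/... ] \` has no `||` before the continuation, so `wget` and its arguments are appended to the `[` test, which fails with too many arguments and trips the `|| exit 1` branch instead of skipping an already-cached download. The next test, `[ -d /c/Program Files/ ]`, is unquoted and splits on the space, so it errors as well and `start ... //quiet` runs on every play; `[ -d "/c/Program Files/" ] || \` is the intended form. The cached path that is tested (`/e/net/Http/https://github.com/...`) is not the path handed to `start` (`/e/net/Http/github.com/...`), so even with the `||` restored the check and the install target disagree. The installer is fetched and executed silently with no integrity check; comparing it against a pinned digest (`echo "<EXPECTED_SHA256>  <msi path>" | sha256sum -c` before `start`) would give the play a supply-chain check on what it runs. Separately, the netsh task's name announces 10.1.2.220 on Ethernet0 while the command sets 10.152.152.13 on `{{BOX_DEFAULT_OUTPUT_IF}}`.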
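--- /dev/null
+++ b/tasks/Ubuntu.yml
@@ -0,0 +1,41 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+---
+
+- name: "DEBUG: Including proxy Ubuntu.yml"
+debug:
+verbosity: 1
+msg: "DEBUG: Including proxy Ubuntu.yml"
+
+- name: install proxy_debs_inst packages
+environment:
+- "RUNLEVEL": 1
+shell: |
+apt-get install {{ proxy_debs_inst|join(' ') }} -y \
+{{ '--print-uris' if BASE_ARE_CONNECTED|default('') == '' else '' }}
+ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
+when:
+- not ansible_check_mode
+
+- name: install cntlm packages
+environment:
+- "RUNLEVEL": 1
+apt:
+force_apt_get: true
+name: "cntlm"
+state: latest
+update_cache: no
+ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
+when:
+- not ansible_check_mode
+- BASE_ARE_CONNECTED|default('') != ''
+
+- name: "/etc/default/console-setup"
+lineinfile:
+dest: /etc/default/console-setup
+regexp: "^#* *{{item.name}}.*"
+line: '{{ item.name }}="{{ item.val }}"'
+state: present
+with_items:
+- { name: FONTFACE, val: "TerminusBold" }
+- { name: FONTSIZE, val: "12x24" }
+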
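Review bot: The `install cntlm packages` task has no `CORP_NTLM_PROXY` guard, unlike the same task in tasks/Ubuntu16.yml and tasks/Gentoo.yml, so cntlm is installed on every connected Ubuntu host whether or not an NTLM proxy is configured; adding `- CORP_NTLM_PROXY|default('') != ''` to its `when` list brings the distributions into line. The first task drives `apt-get install` through `shell` with `{{ proxy_debs_inst|join(' ') }}` where tasks/Ubuntu16.yml uses the `apt` module with `name: "{{ proxy_debs_inst }}"`; the module form gives idempotence and check-mode support without the `not ansible_check_mode` guard. The console-setup `lineinfile` omits the `create: yes` that the Debian_post.yml variant passes, so on an image where /etc/default/console-setup does not yet exist the task fails rather than creating it.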
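--- /dev/null
+++ b/tasks/Ubuntu16.yml
@@ -0,0 +1,35 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+---
+
+- name: "DEBUG: proxy Ubuntu14.yml"
+debug:
+verbosity: 1
+msg: "DEBUG: Including proxy Ubuntu14.yml"
+
+- name: install proxy_debs_inst packages
+environment:
+- "RUNLEVEL": 1
+apt:
+force_apt_get: true
+name: "{{ proxy_debs_inst }}"
+state: latest
+update_cache: no
+ignore_errors: BASE_ARE_CONNECTED|default('') == ''
+when:
+- BASE_ARE_CONNECTED|default('') != ''
+- not ansible_check_mode
+
+- name: install cntlm packages
+environment:
+- "RUNLEVEL": 1
+apt:
+force_apt_get: true
+name: "cntlm"
+state: latest
+update_cache: no
+ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"
+when:
+- not ansible_check_mode
+- CORP_NTLM_PROXY|default('') != ''
+- BASE_ARE_CONNECTED|default('') != ''
+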
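Review bot: `ignore_errors: BASE_ARE_CONNECTED|default('') == ''` on the proxy_debs_inst task is a bare string rather than a `{{ }}` expression, so it is either rejected as a non-boolean or never evaluated the way the author evidently intended — and since the task's own `when` already requires `BASE_ARE_CONNECTED` to be non-empty, the expression would be false whenever the task runs anyway. The sibling cntlm task uses `ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"`; the same line here keeps the two consistent with the rest of the role. The debug task still names the file `Ubuntu14.yml`.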
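--- /dev/null
+++ b/tasks/Ubuntu16_no_systemd.yml
@@ -0,0 +1,11 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+
+# http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_an_Ubuntu_Xenial_installation
+
+---
+
+- name: "DEBUG: Including proxy Ubuntu16_no_systemd.yml"
+debug:
+verbosity: 1
+msg: "DEBUG: Including proxy Ubuntu16_no_systemd.yml"
+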
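--- /dev/null
+++ b/tasks/Ubuntu_post.yml
@@ -0,0 +1,23 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+---
+
+- debug:
+verbosity: 1
+msg: "DEBUG: Including proxy Ubuntu_post.yml"
+
+- name: /etc/apt/apt.conf.d/80proxy.conf
+blockinfile:
+dest: /etc/apt/apt.conf.d/80proxy.conf
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK proxy"
+block: |
+Acquire::http::Proxy "{{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}";
+Acquire::https::Proxy "{{HTTP_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}";
+when: HTTP_PROXYHOST != ''
+
+- name: /etc/apt/apt.conf.d/80proxy.conf
+file:
+path: /etc/apt/apt.conf.d/80proxy.conf
+state: absent
+when: HTTP_PROXYHOST == ''
+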
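--- /dev/null
+++ b/tasks/dirmngr.err
@@ -0,0 +1,20 @@
+3root@Ulati:# dirmngr --help|less
+3root@Ulati:# dirmngr --server --http-proxy $http_proxy &
+[1] 8783
+3root@Ulati:# dirmngr[8783]: No ldapserver file at: '/root/.gnupg/dirmngr_ldapservers.conf'
+dirmngr[8783.0]: oops: ksba_cert_hash failed: No value
+dirmngr[8783.0]: error loading certificate '/etc/ssl/certs/ca-certificates.crt': Invalid certificate object
+dirmngr[8783.0]: oops: ksba_cert_hash failed: No value
+dirmngr[8783.0]: error loading certificate '/etc/ssl/certs/ca-certificates.crt': Invalid certificate object
+dirmngr[8783.0]: oops: ksba_cert_hash failed: No value
+dirmngr[8783.0]: error loading certificate '/etc/ssl/certs/ca-certificates.crt': Invalid certificate object
+ksba: ERROR: object length field 2 octects too large
+ksba: ERROR: object length field 12 octects too large
+ksba: ERROR: object length field 12 octects too large
+ksba: ERROR: object length field 71 octects too large
+ksba: ERROR: object length field 59 octects too large
+ksba: ber-decoder: node `?': TLV length too large
+dirmngr[8783.0]: can't parse certificate '/etc/ssl/certs/ca-certificates.crt': BER error
+dirmngr[8783.0]: permanently loaded certificates: 2
+dirmngr[8783.0]: runtime cached certificates: 0
+dirmngr[8783.0]: trusted certificates: 2 (1,0,0,1)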
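--- /dev/null
+++ b/tasks/dirmngr.hlp
@@ -0,0 +1,54 @@
+dirmngr (GnuPG) 2.2.12
+Copyright (C) 2018 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+
+Syntax: dirmngr [options] [command [args]]
+Keyserver, CRL, and OCSP access for GnuPG
+
+Commands:
+
+--server run in server mode (foreground)
+--daemon run in daemon mode (background)
+--supervised run in supervised mode
+--list-crls list the contents of the CRL cache
+--load-crl FILE load CRL from FILE into cache
+--fetch-crl URL fetch a CRL from URL
+--shutdown shutdown the dirmngr
+--flush flush the cache
+
+Options:
+
+-v, --verbose verbose
+-q, --quiet be somewhat more quiet
+-s, --sh sh-style command output
+-c, --csh csh-style command output
+--options FILE read options from FILE
+--debug-level LEVEL set the debugging level to LEVEL
+--no-detach do not detach from the console
+--log-file FILE write server mode logs to FILE
+--batch run without asking a user
+--force force loading of outdated CRLs
+--allow-ocsp allow sending OCSP requests
+--allow-version-check allow online software version check
+--disable-http inhibit the use of HTTP
+--disable-ldap inhibit the use of LDAP
+--ignore-http-dp ignore HTTP CRL distribution points
+--ignore-ldap-dp ignore LDAP CRL distribution points
+--ignore-ocsp-service-url ignore certificate contained OCSP service URLs
+--http-proxy URL redirect all HTTP requests to URL
+--ldap-proxy HOST use HOST for LDAP queries
+--only-ldap-proxy do not use fallback hosts with --ldap-proxy
+--ldapserverlist-file FILE read LDAP server list from FILE
+--add-servers add new servers discovered in CRL distribution points to serverlist
+--ldaptimeout N set LDAP timeout to N seconds
+--ocsp-responder URL use OCSP responder at URL
+--ocsp-signer FPR OCSP response signed by FPR
+--max-replies N do not return more than N items in one query
+--hkp-cacert FILE use the CA certificates in FILE for HKP over TLS
+--use-tor route all network traffic via Tor
+
+(See the "info" manual for a complete listing of all commands and options)
+
+Please report bugs to <https://bugs.gnupg.org>.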
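--- /dev/null
+++ b/tasks/dirmngr.sh
@@ -0,0 +1 @@
+dirmngr --server --http-proxy http://127.0.0.1:3128 --options /etc/dirmngr/dirmngr.conf --disable-ldap --hkp-cacert /usr/local/etc/ssl/cacert-testforge.pem --log-file /var/log/dirmngr.log --no-detach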
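Review bot: tasks/dirmngr.sh has no shebang and hard-codes the proxy (`http://127.0.0.1:3128`), CA bundle and log path that the rest of the role templates from `HTTP_PROXYTYPE`/`HTTP_PROXYHOST`/`HTTP_PROXYPORT`, so it will drift from the role's configuration as soon as those variables change. If this is a manual debugging invocation kept alongside the captured dirmngr.err and dirmngr.hlp output rather than something the role runs, a first line such as `# manual dirmngr --server invocation used while debugging the proxy setup; not executed by the role` would say so and explain why the three files live under tasks/.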