emdee/proxy_role
1
0
Fork 0
Code Issues Pull requests Wiki Activity

second

Browse source
This commit is contained in:
emdee 2024-01-06 03:08:22 +00:00
parent 19597c9297
commit d29b1e4542
128 changed files with 15399 additions and 61 deletions
Download patch file Download diff file Expand all files Collapse all files

34
overlay/Linux/usr/local/sbin/debian_whonix_tor.bash Executable file
View file

@ -0,0 +1,34 @@
#!/bin/sh
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
ROLE=privacy
[ -z "$PRIV_TOR_OWNER" ] && grep -q ^debian-tor /etc/passwd && PRIV_TOR_OWNER=debian-tor
# Nov 09 21:00:27 host vanguards[715]: WARNING[Mon Nov 09 21:00:27 2020]: Tor daemon connection failed: [Errno 24] Too many open files. Trying again...
systemctl stop vanguards
systemctl stop onion-grater
sh /etc/rc.local
#su -c 'tor --verify-config' -s /bin/sh $PRIV_TOR_OWNER || exit 1
tor --verify-config | grep -v 'notice\|DisableNetwork'
rm -f /etc/torrc.d/*~
netstat -nlp -t inet|grep 15:90 || { echo ERROR: alrady running ; exit 2 ; }
cp /dev/null /run/tor/log.err
cp /dev/null /run/tor/log.log
rm -f /usr/local/etc/torrc.d/*~ /etc/torrc.d/*~
#su -c '/etc/init.d/tor stop' -s /bin/sh $PRIV_TOR_OWNER
#sleep 5
# su -c '/etc/init.d/tor start' -s /bin/sh $PRIV_TOR_OWNER
systemctl start tor || exit 4$?
sleep 10
sed -e '/configured a non-loopback address/d' /run/tor/log.*
[ -f /run/tor/log.err ] && cat /run/tor/log.err && exit 5
grep % /run/tor/log.*

827
overlay/Linux/usr/local/sbin/privacy_whonix-gateway-firewall.bash Executable file
View file

@ -0,0 +1,827 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=privacy
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash \
|| { echo >&2 ERROR: $prog "/usr/local/etc/testforge/testforge.bash" ; exit 1 ; }
[ -z "$PRIV_TOR_OWNER" ] && grep -q ^debian-tor /etc/passwd && PRIV_TOR_OWNER=debian-tor
[ -z "$PRIV_TOR_OWNER" ] && grep -q ^tor /etc/passwd && PRIV_TOR_OWNER=tor
#set -- -x
DEBUG=
WHONIX_HOST=0
WHONIX_GATE=1
SSH_SERVICE=22
BOOTPC_SERVICE=68
BOOTPS_SERVICE=67
NETBIOSNS_SERVICE=137
NETBIOSDG_SERVICE=138
PRIV_WHONIX_EXTERNAL_NET=10.0.2.0/24
# 10.152.152.10 gateway
# 10.152.152.11 work
PRIV_WHONIX_INTERNAL_NET=10.152.152.0/24
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## Copyright (C) 2014 - 2015 Jason Mehring <nrgaway@gmail.com>
## See the file COPYING for copying conditions.
ALLOW_GATEWAY_USER_USER=1
GATEWAY_ALLOW_INCOMING_SSH=0
GATEWAY_ALLOW_INCOMING_ICMP=0
#### meta start
#### project Whonix
#### category networking and firewall
#### description
## firewall script
#### meta end
## --reject-with
## http://ubuntuforums.org/showthread.php?p=12011099
## Set to icmp-admin-prohibited because icmp-port-unreachable caused
## confusion. icmp-port-unreachable looks like a bug while
## icmp-admin-prohibited hopefully makes clear it is by design.
set -e
error_handler() {
echo "$0 ##################################################"
echo "$0 ERROR: Whonix firewall script failed!"
echo "$0 ##################################################"
exit 1
}
trap "error_handler" ERR
init() {
output_cmd "OK: Loading Whonix firewall..."
set -o pipefail
set -o errtrace
}
source_config_folder() {
shopt -s nullglob
local i
for i in \
/etc/whonix_firewall.d/*.conf \
/rw/config/whonix_firewall.d/*.conf \
/usr/local/etc/whonix_firewall.d/*.conf \
; do
bash_n_exit_code="0"
bash_n_output="$(bash -n "$i" 2>&1)" || { bash_n_exit_code="$?" ; true; };
if [ ! "$bash_n_exit_code" = "0" ]; then
output_cmd "ERROR: Invalid config file: $i
bash_n_exit_code: $bash_n_exit_code
bash_n_output:
$bash_n_output" >&2
exit 1
fi
source "$i"
done
}
variables_defaults() {
[ -n "$iptables_cmd" ] || iptables_cmd="iptables --wait"
[ -n "$ip6tables_cmd" ] || ip6tables_cmd="ip6tables --wait"
[ -n "$WORKSTATION_TRANSPARENT_TCP" ] || WORKSTATION_TRANSPARENT_TCP=1
[ -n "$WORKSTATION_TRANSPARENT_DNS" ] || WORKSTATION_TRANSPARENT_DNS=1
[ -n "$WORKSTATION_ALLOW_SOCKSIFIED" ] || WORKSTATION_ALLOW_SOCKSIFIED=1
[ -n "$CONTROL_PORT_FILTER_PROXY_ENABLE" ] || CONTROL_PORT_FILTER_PROXY_ENABLE=1
[ -n "$GATEWAY_ALLOW_INCOMING_DIR_PORT" ] || GATEWAY_ALLOW_INCOMING_DIR_PORT=0
[ -n "$GATEWAY_ALLOW_INCOMING_OR_PORT" ] || GATEWAY_ALLOW_INCOMING_OR_PORT=0
[ -n "$DIR_PORT" ] || DIR_PORT=80
[ -n "$OR_PORT" ] || OR_PORT=443
[ -n "$GATEWAY_TRANSPARENT_TCP" ] || GATEWAY_TRANSPARENT_TCP=0
[ -n "$GATEWAY_TRANSPARENT_UDP" ] || GATEWAY_TRANSPARENT_UDP=0
[ -n "$GATEWAY_TRANSPARENT_DNS" ] || GATEWAY_TRANSPARENT_DNS=0
[ -n "$ALLOW_GATEWAY_ROOT_USER" ] || ALLOW_GATEWAY_ROOT_USER=0
[ -n "$ALLOW_GATEWAY_USER_USER" ] || ALLOW_GATEWAY_USER_USER=0
[ -n "$GATEWAY_ALLOW_INCOMING_SSH" ] || GATEWAY_ALLOW_INCOMING_SSH=0
[ -n "$GATEWAY_ALLOW_INCOMING_ICMP" ] || GATEWAY_ALLOW_INCOMING_ICMP=0
## Get Tor username, distro specific!
[ -n "$TOR_USER" ] || TOR_USER=$PRIV_TOR_OWNER
## Get user uids.
#!? [ -n "$CLEARNET_USER" ] || CLEARNET_USER="$(id -u clearnet)"
[ -n "$USER_USER" ] || USER_USER="$(id -u user)" || true
[ -n "$ROOT_USER" ] || ROOT_USER="$(id -u root)"
#!? [ -n "$TUNNEL_USER" ] || TUNNEL_USER="$(id -u tunnel)"
[ -n "$SDWDATE_USER" ] || SDWDATE_USER="$(id -u sdwdate)"
[ -n "$WHONIXCHECK_USER" ] || WHONIXCHECK_USER="$(id -u whonixcheck)"
## No NAT for clearnet user.
[ -n "$CLEARNET_USER" ] && NO_NAT_USERS+=" $CLEARNET_USER"
## No NAT for tunnel user.
[ -n "$TUNNEL_USER" ] && NO_NAT_USERS+=" $TUNNEL_USER"
## No NAT for user user.
## DISABLED BY DEFAULT. For testing/debugging only.
if [ "$ALLOW_GATEWAY_USER_USER" = "1" ]; then
if [ "$USER_USER" = "" ]; then
output_cmd "INFO: USER_USER is unset. Not adding USER_USER to NO_NAT_USERS."
else
NO_NAT_USERS+=" $USER_USER"
fi
fi
## No NAT for root user.
## DISABLED BY DEFAULT. For testing/debugging only.
if [ "$ALLOW_GATEWAY_ROOT_USER" = "1" ]; then
NO_NAT_USERS+=" $ROOT_USER"
fi
## Whonix-Gateway firewall does not support TUNNEL_FIREWALL_ENABLE=true yet.
## It only supports VPN_FIREWALL="1".
## In case someone confused this setting, i.e. using TUNNEL_FIREWALL_ENABLE=true
## since this is how it is done on Whonix-Workstation, then gracefully enable
## VPN_FIREWALL="1" to prevent users shooting their own feet.
if [ "$TUNNEL_FIREWALL_ENABLE" = "true" ]; then
VPN_FIREWALL="1"
fi
## No NAT for Tor itself,
## unless VPN_FIREWALL mode is enabled.
if [ "$VPN_FIREWALL" = "1" ]; then
true
else
NO_NAT_USERS+=" $TOR_USER"
fi
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
[ -n "$INT_IF" ] || INT_IF="vif+"
[ -n "$INT_TIF" ] || INT_TIF="vif+"
fi
## External interface
[ -n "$EXT_IF" ] || EXT_IF="eth0"
## Internal interface
[ -n "$INT_IF" ] || INT_IF="eth1"
## Internal "tunnel" interface, usually the same as
## the Internal interface unless using vpn tunnels
## between workstations and gateway
[ -n "$INT_TIF" ] || INT_TIF="eth1"
if [ "$NON_TOR_GATEWAY" = "" ]; then
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
NON_TOR_GATEWAY=""
else
## 10.0.2.2-10.0.2.24: VirtualBox DHCP
NON_TOR_GATEWAY="\
127.0.0.0-127.0.0.24 \
192.168.0.0-192.168.0.24 \
192.168.1.0-192.168.1.24 \
10.152.152.0-10.152.152.24 \
10.0.2.2-10.0.2.24 \
"
fi
fi
[ -n "$VPN_INTERFACE" ] || VPN_INTERFACE="tun0"
## Destinations you do not routed through VPN, only for Whonix-Gateway.
if [ "$LOCAL_NET" = "" ]; then
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
LOCAL_NET="\
127.0.0.0-127.0.0.24 \
10.137.0.0-10.138.255.255 \
"
else
## 10.0.2.2/24: VirtualBox DHCP
LOCAL_NET="\
127.0.0.0-127.0.0.24 \
192.168.0.0-192.168.0.24 \
192.168.1.0-192.168.1.24 \
10.152.152.0-10.152.152.24 \
10.0.2.2-10.0.2.24 \
"
fi
fi
if [ "$WORKSTATION_DEST_SOCKSIFIED" = "" ]; then
## 10.152.152.10 - Non-Qubes-Whonix-Gateway IP
##
## 10.137.0.0/8 - persistent Qubes-Whonix-Gateway IP range
## 10.138.0.0/8 - DispVM Qubes-Whonix-Gateway IP range
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
## https://forums.whonix.org/t/whonix-gateway-not-reachable/7484/16
## 10.152.152.10 is hardcoded in some places.
WORKSTATION_DEST_SOCKSIFIED="10.137.0.0/16,10.138.0.0/16,10.152.152.10"
else
WORKSTATION_DEST_SOCKSIFIED="10.152.152.10"
fi
fi
## The following ports are used
## - here in /usr/bin/whonix_firewall (package: whonix-gw-firewall)
## - by Tor in /usr/share/tor/tor-service-defaults-torrc (package: anon-gw-anonymizer-config)
##
## The following applications will be separated, preventing identity
## correlation through circuit sharing.
## Transparent Proxy Ports for Whonix-Workstation
[ -n "$TRANS_PORT_WORKSTATION" ] || TRANS_PORT_WORKSTATION="9040"
[ -n "$DNS_PORT_WORKSTATION" ] || DNS_PORT_WORKSTATION="5300"
## Transparent Proxy Ports for Whonix-Gateway
[ -n "$TRANS_PORT_GATEWAY" ] || TRANS_PORT_GATEWAY="9041"
[ -n "$DNS_PORT_GATEWAY" ] || DNS_PORT_GATEWAY="5400"
## Control Port Filter Proxy Port
[ -n "$CONTROL_PORT_FILTER_PROXY_PORT" ] || CONTROL_PORT_FILTER_PROXY_PORT="9051"
[ -n "$GATEWAY_ALLOW_INCOMING_FLASHPROXY" ] || GATEWAY_ALLOW_INCOMING_FLASHPROXY="0"
[ -n "$FLASHPROXY_PORT" ] || FLASHPROXY_PORT="9000"
## Socks Ports for per application circuits.
[ -n "$SOCKS_PORT_TOR_DEFAULT" ] || SOCKS_PORT_TOR_DEFAULT="9050"
[ -n "$SOCKS_PORT_TB" ] || SOCKS_PORT_TB="9100"
[ -n "$SOCKS_PORT_IRC" ] || SOCKS_PORT_IRC="9101"
[ -n "$SOCKS_PORT_TORBIRDY" ] || SOCKS_PORT_TORBIRDY="9102"
[ -n "$SOCKS_PORT_IM" ] || SOCKS_PORT_IM="9103"
[ -n "$SOCKS_PORT_APT_GET" ] || SOCKS_PORT_APT_GET="9104"
[ -n "$SOCKS_PORT_GPG" ] || SOCKS_PORT_GPG="9105"
[ -n "$SOCKS_PORT_SSH" ] || SOCKS_PORT_SSH="9106"
[ -n "$SOCKS_PORT_GIT" ] || SOCKS_PORT_GIT="9107"
[ -n "$SOCKS_PORT_SDWDATE" ] || SOCKS_PORT_SDWDATE="9108"
[ -n "$SOCKS_PORT_WGET" ] || SOCKS_PORT_WGET="9109"
[ -n "$SOCKS_PORT_WHONIXCHECK" ] || SOCKS_PORT_WHONIXCHECK="9110"
[ -n "$SOCKS_PORT_BITCOIN" ] || SOCKS_PORT_BITCOIN="9111"
[ -n "$SOCKS_PORT_PRIVOXY" ] || SOCKS_PORT_PRIVOXY="9112"
[ -n "$SOCKS_PORT_POLIPO" ] || SOCKS_PORT_POLIPO="9113"
[ -n "$SOCKS_PORT_WHONIX_NEWS" ] || SOCKS_PORT_WHONIX_NEWS="9114"
[ -n "$SOCKS_PORT_TBB_DOWNLOAD" ] || SOCKS_PORT_TBB_DOWNLOAD="9115"
[ -n "$SOCKS_PORT_TBB_GPG" ] || SOCKS_PORT_TBB_GPG="9116"
[ -n "$SOCKS_PORT_CURL" ] || SOCKS_PORT_CURL="9117"
[ -n "$SOCKS_PORT_RSS" ] || SOCKS_PORT_RSS="9118"
[ -n "$SOCKS_PORT_TORCHAT" ] || SOCKS_PORT_TORCHAT="9119"
[ -n "$SOCKS_PORT_MIXMASTERUPDATE" ] || SOCKS_PORT_MIXMASTERUPDATE="9120"
[ -n "$SOCKS_PORT_MIXMASTER" ] || SOCKS_PORT_MIXMASTER="9121"
[ -n "$SOCKS_PORT_KDE" ] || SOCKS_PORT_KDE="9122"
[ -n "$SOCKS_PORT_GNOME" ] || SOCKS_PORT_GNOME="9123"
[ -n "$SOCKS_PORT_APTITUDE" ] || SOCKS_PORT_APTITUDE="9124"
[ -n "$SOCKS_PORT_YUM" ] || SOCKS_PORT_YUM="9125"
[ -n "$SOCKS_PORT_TBB_DEFAULT" ] || SOCKS_PORT_TBB_DEFAULT="9150"
## For testing purposes only.
## To test if prerouting redirection rules for socksified interfere with transparent torification.
## https://phabricator.whonix.org/T462
#[ -n "$SOCKS_PORT_HTTP" ] || SOCKS_PORT_HTTP="80"
#[ -n "$SOCKS_PORT_SSL" ] || SOCKS_PORT_SSL="443"
## Adding more Socks Ports here should no longer be necessary.
## There are already lots of custom ports prepared that you can use.
## See documentation:
## https://www.whonix.org/wiki/Stream_Isolation
##
## Additional Socks Ports for per application circuits could be
## added here, but you would have to:
## - Edit '/usr/local/etc/torrc.d/50_user.conf' to add more 'SocksPort's.
## - And 'sudo service tor@default reload' afterwards.
## - Add more socks port variables to Whonix firewall configuration.
## (For example to '/etc/whonix_firewall.d/50_user.conf'.)
## Follow the 'SOCKS_PORT_...' naming scheme.
## (For example 'SOCKS_PORT_CUSTOM_ONE', 'SOCKS_PORT_CUSTOM_TWO', etc.)
## - And issue "sudo /usr/bin/whonix_firewall" afterwards.
socks_ports_list="$(compgen -v | grep SOCKS\_PORT\_)"
}
ipv4_defaults() {
lsmod | grep -q iptable_filter || modprobe iptable_filter
## Set secure defaults.
$iptables_cmd -P INPUT DROP
## FORWARD rules does not actually do anything if forwarding is disabled. Better be safe just in case.
$iptables_cmd -P FORWARD DROP
## Will be lifted below.
$iptables_cmd -P OUTPUT DROP
}
ipv4_preparation() {
lsmod | grep -q nf_nat || modprobe nf_nat
lsmod | grep -q iptable_mangle || modprobe iptable_mangle
## Flush old rules.
$iptables_cmd -F
$iptables_cmd -X
$iptables_cmd -t nat -F
$iptables_cmd -t nat -X
$iptables_cmd -t mangle -F
$iptables_cmd -t mangle -X
}
ipv4_drop_invalid_incoming_packages() {
lsmod | grep -q nf_conntrack || modprobe nf_conntrack
## DROP MARTIANS
## https://www.cyberciti.biz/faq/linux-log-suspicious-martian-packets-un-routable-source-addresses/
$iptables_cmd -A INPUT -i $WLAN_IF -s 10.0.0.0/8 -j LOG --log-prefix "iptables_martian_DROP SPOOF A: "
$iptables_cmd -A INPUT -i $WLAN_IF -s 172.16.0.0/12 -j LOG --log-prefix "iptables_martian_DROP SPOOF B: "
$iptables_cmd -A INPUT -i $WLAN_IF -s 192.168.0.0/16 -j LOG --log-prefix "iptables_martian_DROP SPOOF C: "
$iptables_cmd -A INPUT -i $WLAN_IF -s 224.0.0.0/4 -j LOG --log-prefix "iptables_martian_DROP MULTICAST D: "
$iptables_cmd -A INPUT -i $WLAN_IF -s 240.0.0.0/5 -j LOG --log-prefix "iptables_martian_DROP SPOOF E: "
$iptables_cmd -A INPUT -i $WLAN_IF -d 127.0.0.0/8 -j LOG --log-prefix "iptables_martian_DROP LOOPBACK: "
$iptables_cmd -A INPUT -i $WLAN_IF -s 10.0.0.0/8 -j DROP
$iptables_cmd -A INPUT -i $WLAN_IF -s 172.16.0.0/12 -j DROP
$iptables_cmd -A INPUT -i $WLAN_IF -s 192.168.0.0/16 -j DROP
$iptables_cmd -A INPUT -i $WLAN_IF -s 224.0.0.0/4 -j DROP
$iptables_cmd -A INPUT -i $WLAN_IF -s 240.0.0.0/5 -j DROP
$iptables_cmd -A INPUT -i $WLAN_IF -d 127.0.0.0/8 -j DROP
## DROP INVALID
$iptables_cmd -A INPUT -m conntrack --ctstate INVALID -j DROP
$iptables_cmd -A INPUT -m state --state INVALID -j DROP
## DROP INVALID SYN PACKETS
$iptables_cmd -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$iptables_cmd -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$iptables_cmd -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
$iptables_cmd -A INPUT -f -j DROP
## DROP INCOMING MALFORMED XMAS PACKETS
$iptables_cmd -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
## DROP INCOMING MALFORMED NULL PACKETS
$iptables_cmd -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
}
qubes() {
lsmod | grep -q xt_owner || modprobe xt_owner
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
true "timesync-fail-closed mode, skipping rest of function $FUNCNAME"
return 0
fi
if [ -e /run/qubes/this-is-netvm ] || [ -e /run/qubes/this-is-proxyvm ]; then
local int_if_item
for int_if_item in $INT_IF; do
## Allow connections from port 8082 of internal vif interface for tinyproxy
## tinyproxy is responsible to handle TemplateVMs updates.
$iptables_cmd -A INPUT -i "$int_if_item" -p tcp -m tcp --dport 8082 -j ACCEPT
$iptables_cmd -A OUTPUT -o "$int_if_item" -p tcp -m tcp --sport 8082 -j ACCEPT
done
## Qubes pre-routing. Will be able to intercept traffic destined for
## 10.137.255.254 to be re-routed to tinyproxy.
$iptables_cmd -t nat -N PR-QBS-SERVICES
$iptables_cmd -t nat -A PREROUTING -j PR-QBS-SERVICES
for int_if_item in $INT_IF; do
## Redirects traffic destined for 10.137.255.154 to port 8082 (tinyproxy).
$iptables_cmd -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i "$int_if_item" -p tcp -m tcp --dport 8082 -j REDIRECT
done
## Forward tinyproxy output to port 5300/9040 on internal (Tor) interface (eth1) to be
## able to connect to Internet (via Tor) to proxy updates for TemplateVM.
$iptables_cmd -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to "127.0.0.1:${DNS_PORT_GATEWAY}"
$iptables_cmd -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to "127.0.0.1:${TRANS_PORT_GATEWAY}"
## The same for squid from qubes-updates-cache, which runs as user vm-updates.
if getent passwd vm-updates >/dev/null; then
$iptables_cmd -t nat -A OUTPUT -p udp -m owner --uid-owner vm-updates -m conntrack --ctstate NEW -j DNAT --to "127.0.0.1:${DNS_PORT_GATEWAY}"
$iptables_cmd -t nat -A OUTPUT -p tcp -m owner --uid-owner vm-updates -m conntrack --ctstate NEW -j DNAT --to "127.0.0.1:${TRANS_PORT_GATEWAY}"
fi
## https://github.com/QubesOS/qubes-issues/issues/3201#issuecomment-338646742
$iptables_cmd -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -d 127.0.0.1 --dport "${DNS_PORT_GATEWAY}" -j ACCEPT
$iptables_cmd -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -d 127.0.0.1 --dport "${TRANS_PORT_GATEWAY}" -j ACCEPT
fi
}
ipv4_input_rules() {
## Traffic on the loopback interface is accepted.
$iptables_cmd -A INPUT -i lo -j ACCEPT
## Established incoming connections are accepted.
$iptables_cmd -A INPUT -m state --state ESTABLISHED -j ACCEPT
## Drop all incoming ICMP traffic by default.
## All incoming connections are dropped by default anyway, but should a user
## allow incoming ports (such as for incoming SSH or FlashProxy), ICMP should
## still be dropped to filter for example ICMP time stamp requests.
if [ ! "$GATEWAY_ALLOW_INCOMING_ICMP" = "1" ]; then
$iptables_cmd -A INPUT -p icmp -j DROP
fi
## Allow all incoming connections on the virtual VPN network interface,
## when VPN_FIREWALL mode is enabled.
## DISABLED BY DEFAULT.
if [ "$VPN_FIREWALL" = "1" ]; then
$iptables_cmd -A INPUT -i "$VPN_INTERFACE" -j ACCEPT
fi
local ext_if_item
for ext_if_item in $EXT_IF; do
## Allow incoming SSH connections on the external interface.
## DISABLED BY DEFAULT. For testing/debugging only.
if [ "$GATEWAY_ALLOW_INCOMING_SSH" = "1" ]; then
$iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport 22 -j ACCEPT
fi
## Allow incoming Flash Proxy connections on the external interface.
## This has NOTHING to do with Adobe Flash.
## DISABLED BY DEFAULT.
if [ "$GATEWAY_ALLOW_INCOMING_FLASHPROXY" = "1" ]; then
$iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport "$FLASHPROXY_PORT" -j ACCEPT
fi
local local_port_to_open
for local_port_to_open in $EXTERNAL_OPEN_PORTS; do
$iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport "$local_port_to_open" -j ACCEPT
done
local local_udp_port_to_open
for local_udp_port_to_open in $EXTERNAL_UDP_OPEN_PORTS; do
$iptables_cmd -A INPUT -p udp --dport "$local_udp_port_to_open" -j ACCEPT
done
if [ "$EXTERNAL_OPEN_ALL" = "true" ]; then
$iptables_cmd -A INPUT -j ACCEPT
fi
done
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
true "timesync-fail-closed mode, skipping rest of function $FUNCNAME"
return 0
fi
for ext_if_item in $EXT_IF; do
## Allow incoming DIRPORT connections for an optional Tor relay.
## DISABLED BY DEFAULT.
if [ "$GATEWAY_ALLOW_INCOMING_DIR_PORT" = "1" ]; then
$iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport "$DIR_PORT" -j ACCEPT
fi
## Allow incoming ORPORT connections for an optional Tor relay.
## DISABLED BY DEFAULT.
if [ "$GATEWAY_ALLOW_INCOMING_OR_PORT" = "1" ]; then
$iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport "$OR_PORT" -j ACCEPT
fi
## Custom Open Ports on external interface
## - untested, should work
## - Replace 22,9050,9051,9150,9151 with any ports you like to be open, example: 9050,9051
## or just 9050
## - $iptables_cmd v1.4.14: multiport needs -p tcp, -p udp, -p udplite, -p sctp or -p dccp
#$iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --match multiport --dports 22,9050,9051,9150,9151 -j ACCEPT
#$iptables_cmd -A INPUT -i "$ext_if_item" -p udp --match multiport --dports 22,9050,9051,9150,9151 -j ACCEPT
## OPTIONAL Allow incoming OpenVPN connections on the external interface.
#$iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport 1194 -j ACCEPT
done
local int_tif_item
local int_if_item
for int_tif_item in $INT_TIF; do
if [ "$WORKSTATION_TRANSPARENT_DNS" = "1" ]; then
## Allow DNS traffic to DnsPort.
$iptables_cmd -A INPUT -i "$int_tif_item" -p udp --dport "$DNS_PORT_WORKSTATION" -j ACCEPT
fi
done
for int_if_item in $INT_IF; do
if [ "$WORKSTATION_TRANSPARENT_TCP" = "1" ]; then
## Allow TCP traffic TransPort.
$iptables_cmd -A INPUT -i "$int_if_item" -p tcp --dport "$TRANS_PORT_WORKSTATION" -j ACCEPT
fi
done
for int_tif_item in $INT_TIF; do
## Allow TCP traffic to Control Port Filter Proxy.
if [ "$CONTROL_PORT_FILTER_PROXY_ENABLE" = "1" ]; then
$iptables_cmd -A INPUT -i "$int_tif_item" -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" -j ACCEPT
fi
## Allow socksified applications.
if [ "$WORKSTATION_ALLOW_SOCKSIFIED" = "1" ]; then
for socks_port in $socks_ports_list; do
true "$socks_port: ${!socks_port}"
$iptables_cmd -A INPUT -i "$int_tif_item" -p tcp --dport "${!socks_port}" -j ACCEPT
done
## Accept ports 9152-9189 prepared for user custom applications.
## See /usr/share/tor/tor-service-defaults-torrc for more comments.
$iptables_cmd -A INPUT -i "$int_tif_item" -p tcp --match multiport --dports 9152:9189 -j ACCEPT
fi
done
for int_if_item in $INT_IF; do
## Redirect Control Port Filter Proxy to Control Port Filter Proxy port.
if [ "$CONTROL_PORT_FILTER_PROXY_ENABLE" = "1" ]; then
$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -d "$WORKSTATION_DEST_SOCKSIFIED" -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" -j REDIRECT --to-ports "$CONTROL_PORT_FILTER_PROXY_PORT"
fi
if [ "$WORKSTATION_ALLOW_SOCKSIFIED" = "1" ]; then
for socks_port in $socks_ports_list; do
true "$socks_port: ${!socks_port}"
## Redirect Browser/IRC/TorBirdy, etc. to SocksPort.
$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -d "$WORKSTATION_DEST_SOCKSIFIED" -p tcp --dport "${!socks_port}" -j REDIRECT --to-ports "${!socks_port}"
done
## Redirect ports 9152-9189 prepared for user custom applications.
$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -d "$WORKSTATION_DEST_SOCKSIFIED" -p tcp --dport 9152:9189 -j REDIRECT
fi
if [ "$WORKSTATION_TRANSPARENT_DNS" = "1" ]; then
## Redirect remaining DNS traffic to DNS_PORT_WORKSTATION.
## Only user installed applications not configured to use a SocksPort are affected.
$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT_WORKSTATION"
fi
if [ "$WORKSTATION_TRANSPARENT_TCP" = "1" ]; then
## Catch all remaining TCP and redirect to TransPort.
## Only user installed applications not configured to use a SocksPort are affected.
$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT_WORKSTATION"
## Optionally restrict TransPort.
## Replace above rule with a more restrictive one, e.g.:
#$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -p tcp --match multiport --dports 80,443 --syn -j REDIRECT --to-ports "$TRANS_PORT_WORKSTATION"
fi
done
}
ipv4_input_defaults() {
## Log.
#$iptables_cmd -A INPUT -j LOG --log-prefix "Whonix blocked input4: "
## Reject anything not explicitly allowed above.
## Drop is better than reject here, because we do not want to reveal it's a Whonix-Gateway.
## (In case someone running Whonix-Gateway on bare metal.)
$iptables_cmd -A INPUT -j DROP
}
ipv4_forward() {
## Log.
#$iptables_cmd -A FORWARD -j LOG --log-prefix "Whonix blocked forward4: "
## Reject everything.
$iptables_cmd -A FORWARD -j REJECT --reject-with icmp-admin-prohibited
}
ipv4_reject_invalid_outgoing_packages() {
## Drop invalid outgoing packages,
## unless NO_REJECT_INVALID_OUTGOING_PACKAGES is set to 1.
if [ ! "$NO_REJECT_INVALID_OUTGOING_PACKAGES" = "1" ]; then
## https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html
$iptables_cmd -A OUTPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
$iptables_cmd -A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
#$iptables_cmd -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j REJECT --reject-with icmp-admin-prohibited
#$iptables_cmd -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j REJECT --reject-with icmp-admin-prohibited
## DROP INVALID SYN PACKETS
$iptables_cmd -A OUTPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j REJECT --reject-with icmp-admin-prohibited
$iptables_cmd -A OUTPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT --reject-with icmp-admin-prohibited
$iptables_cmd -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-admin-prohibited
## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
$iptables_cmd -A OUTPUT -f -j REJECT --reject-with icmp-admin-prohibited
## DROP INCOMING MALFORMED XMAS PACKETS
$iptables_cmd -A OUTPUT -p tcp --tcp-flags ALL ALL -j REJECT --reject-with icmp-admin-prohibited
## DROP INCOMING MALFORMED NULL PACKETS
$iptables_cmd -A OUTPUT -p tcp --tcp-flags ALL NONE -j REJECT --reject-with icmp-admin-prohibited
fi
}
ipv4_output() {
lsmod | grep -q xt_owner || modprobe xt_owner
## Allow outgoing traffic on VPN interface,
## if VPN_FIREWALL mode is enabled.
## DISABLED BY DEFAULT.
if [ "$VPN_FIREWALL" = "1" ]; then
$iptables_cmd -A OUTPUT -o "$VPN_INTERFACE" -j ACCEPT
fi
local no_nat_user
for no_nat_user in $NO_NAT_USERS ; do
$iptables_cmd -t nat -A OUTPUT -m owner --uid-owner "$no_nat_user" -j RETURN
done
if [ "$firewall_mode" = "full" ]; then
## Redirect of Gateway DNS traffic to DNS_PORT_GATEWAY.
## DISABLED BY DEFAULT. default. Using SocksPort instead.
if [ "$GATEWAY_TRANSPARENT_DNS" = "1" ]; then
$iptables_cmd -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT_GATEWAY"
fi
fi
if [ "$firewall_mode" = "full" ]; then
## Exclude connections to local network, Whonix-Workstation, VirtualBox from being redirected through Tor,
## unless VPN_FIREWALL mode is enabled.
## ENABLED BY DEFAULT.
if [ ! "$VPN_FIREWALL" = "1" ]; then
local non_tor_gateway_item
for non_tor_gateway_item in $NON_TOR_GATEWAY; do
$iptables_cmd -t nat -A OUTPUT -m iprange --dst-range "$non_tor_gateway_item" -j RETURN
done
fi
fi
if [ "$firewall_mode" = "full" ]; then
## Redirect all Gateway TCP traffic to TRANS_PORT_GATEWAY.
## DISABLED BY DEFAULT. Using SocksPort instead.
if [ "$GATEWAY_TRANSPARENT_TCP" = "1" ]; then
$iptables_cmd -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT_GATEWAY"
fi
fi
## Existing connections are accepted.
$iptables_cmd -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
if [ "$firewall_mode" = "full" ]; then
## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
## unless VPN_FIREWALL mode is enabled.
## ENABLED BY DEFAULT.
if [ ! "$VPN_FIREWALL" = "1" ]; then
for non_tor_gateway_item in $NON_TOR_GATEWAY; do
$iptables_cmd -A OUTPUT -m iprange --dst-range "$non_tor_gateway_item" -j ACCEPT
done
fi
fi
if [ "$firewall_mode" = "full" ]; then
## Accept outgoing connections to local network,
## when VPN_FIREWALL mode is enabled.
## DISABLED BY DEFAULT.
if [ "$VPN_FIREWALL" = "1" ]; then
local local_net_item
for local_net_item in $LOCAL_NET; do
$iptables_cmd -A OUTPUT -m iprange --dst-range "$local_net_item" -j ACCEPT
done
fi
fi
## Prevent connections to Tor SocksPorts.
## https://phabricator.whonix.org/T533#11025
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
local socks_port_item
for socks_port_item in $socks_ports_list; do
true "$socks_port_item: ${!socks_port_item}"
if [ "$SOCKS_PORT_SDWDATE" = "${!socks_port_item}" ]; then
continue
fi
$iptables_cmd -A OUTPUT -p tcp --dport "${!socks_port_item}" --dst "127.0.0.1" -j REJECT
done
fi
## Access to localhost is required even in timesync-fail-closed mode,
## otherwise breaks applications such as konsole and kwrite.
$iptables_cmd -A OUTPUT -o lo -j ACCEPT
for no_nat_user in $NO_NAT_USERS ; do
$iptables_cmd -A OUTPUT -m owner --uid-owner "$no_nat_user" -j ACCEPT
done
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
## Allow sdwdate talking to localhost and Tor in Whonix firewall timesync-fail-closed mode.
## Otherwise in Whonix firewall full mode this rule is redundant.
$iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT
$iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "127.0.0.1" -j ACCEPT
fi
## Log.
#$iptables_cmd -A OUTPUT -j LOG --log-prefix "Whonix blocked output4: "
## Reject all other outgoing traffic.
$iptables_cmd -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
}
ipv6() {
## Policy DROP for all traffic as fallback.
$ip6tables_cmd -P INPUT DROP
$ip6tables_cmd -P OUTPUT DROP
$ip6tables_cmd -P FORWARD DROP
## Flush old rules.
$ip6tables_cmd -F
$ip6tables_cmd -X
$ip6tables_cmd -t mangle -F
$ip6tables_cmd -t mangle -X
## Allow unlimited access on loopback.
## Not activated, since we do not need it.
#$ip6tables_cmd -A INPUT -i lo -j ACCEPT
#$ip6tables_cmd -A OUTPUT -o lo -j ACCEPT
## Log.
#$ip6tables_cmd -A INPUT -j LOG --log-prefix "Whonix blocked input6: "
#$ip6tables_cmd -A OUTPUT -j LOG --log-prefix "Whonix blocked output6: "
#$ip6tables_cmd -A FORWARD -j LOG --log-prefix "Whonix blocked forward6: "
## Drop/reject all other traffic.
$ip6tables_cmd -A INPUT -j DROP
## --reject-with icmp-admin-prohibited not supported by ip6tables
$ip6tables_cmd -A OUTPUT -j REJECT
## --reject-with icmp-admin-prohibited not supported by ip6tables
$ip6tables_cmd -A FORWARD -j REJECT
}
status_files() {
mkdir --parents /run/whonix_firewall
if [ -e /run/whonix_firewall/first_run_current_boot.status ]; then
touch /run/whonix_firewall/consecutive_run.status
return 0
fi
touch /run/whonix_firewall/first_run_current_boot.status
}
date_cmd(){
date -u +"%Y-%m-%d %T"
}
output_cmd() {
echo "$(date_cmd) - $0 - $@"
}
firewall_mode_detection() {
if [ ! "$firewall_mode" = "" ]; then
output_cmd "OK: Skipping firewall mode detection since already set to '$firewall_mode'."
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
output_cmd "OK: (Only local Tor control port connections and torified sdwdate allowed.)"
return 0
elif [ "$firewall_mode" = "full" ]; then
output_cmd "OK: (Full torified network access allowed.)"
return 0
else
output_cmd "ERROR: firewall_mode must be set to either 'full' or 'timesync-fail-closed'."
error_handler
fi
fi
## Run Whonix firewall in full mode if sdwdate already succeeded.
if [ -e /run/sdwdate/first_success ]; then
firewall_mode=full
output_cmd "OK: (/run/sdwdate/first_success exists.)"
elif [ -e /run/sdwdate/success ]; then
firewall_mode=full
output_cmd "OK: (/run/sdwdate/success exists.)"
## /run/whonix_firewall/first_run_current_boot.status already exists,
## therefore have Whonix firewall run in full mode.
elif [ -e /run/whonix_firewall/first_run_current_boot.status ]; then
firewall_mode=full
output_cmd "OK: (/run/whonix_firewall/first_run_current_boot.status exists.)"
else
## /run/whonix_firewall/first_run_current_boot.status does not yet exist,
## therefore return 'yes, timesync-fail-closed'.
firewall_mode=timesync-fail-closed
fi
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
output_cmd "OK: First run during current boot, therefore running in timesync-fail-closed mode."
output_cmd "OK: (Only local Tor control port connections and torified sdwdate allowed.)"
else
output_cmd "OK: Consecutive run during current boot, therefore running in full mode."
output_cmd "OK: (Full torified network access allowed.)"
fi
}
end() {
output_cmd "OK: Whonix firewall loaded."
exit 0
}
main() {
init
firewall_mode_detection
variables_defaults
ipv4_defaults
ipv4_preparation
ipv4_drop_invalid_incoming_packages
qubes
ipv4_input_rules
ipv4_input_defaults
ipv4_forward
ipv4_reject_invalid_outgoing_packages
ipv4_output
if [ -d /proc/sys/net/ipv6/ ]; then
ipv6
fi
status_files
end
}
source_config_folder
main

5
overlay/Linux/usr/local/sbin/proxy_firewall_start.bash Executable file
View file

@ -0,0 +1,5 @@
#!/bin/bash
ROLE=proxy
. /usr/local/bin/proxy_ping_lib.bash || { echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 3; }
proxy_ping_firewall_restart $*

80
overlay/Linux/usr/local/sbin/proxy_libvirt_ga_test.bash Executable file
View file

@ -0,0 +1,80 @@
#!/bin/sh
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
ROLE=hostvms
#[ $# -eq 0 ] && set -- Whonix-Gateway /bin/cat /proc/cmdline
[ $# -eq 0 ] && set -- Whonix-Gateway /bin/netstat -lnp4
[ $# -lt 2 ] && echo USAGE: $0 domain command arguments
. /usr/local/bin/usr_local_tput.bash || exit 3
HOST=$1
shift
CMD=$1
shift
# FixMe
if [ $# -lt 1 ] ; then
ARGS=""
elif [ $# -gt 1 ] ; then
ARGS=`sed -e 's/ /","/g' <<< $*`
else
ARGS="$1"
fi
[ "$HOST" = WWork106 ] && HOST=Whonix-Workstation || true
[ "$HOST" = WGate106 ] && HOST=Whonix-Gateway || true
[ -z "$CMD" ] && CMD=/usr/sbin/qemu-ga && ARGS=-D
INFO $0 $HOST $CMD $ARGS
if ifconfig virbr1 | grep -q 10.0.2.2 ; then
# lrwxrwxrwx 1 root root 11 Aug 26 21:58 /dev/virtio-ports/org.qemu.guest_agent.0 -> ../vport3p2
INFO ssh user@10.0.2.15 virbr1
ssh user@10.0.2.15 ls -l /dev/virtio-ports/org.qemu.guest_agent.0 | \
grep /dev/virtio-ports/org.qemu.guest_agent.0 || \
WARN NOT ssh ls -l /dev/virtio-ports/org.qemu.guest_agent.0
# /usr/sbin/qemu-ga
ssh user@10.0.2.15 ps ax | \
grep qemu-ga || \
WARN NOT ssh ps qemu-ga
fi
DBUG virsh qemu-agent-command $HOST \
'{"execute":"guest-exec", "arguments": {"capture-output": true,"path":"'$CMD'","arg":["'$ARGS'"]}}'
virsh qemu-agent-command $HOST \
'{"execute":"guest-exec", "arguments": {"capture-output": true,"path":"'$CMD'","arg":["'$ARGS'"]}}' \
>/tmp/Q$$.out || exit 1$?
grep -q return /tmp/Q$$.out || exit 2
pid=`sed -e 's/.*://' -e 's/}.*//' /tmp/Q$$.out`
[ $? -eq 0 -a -n "$pid" ] || exit 3
# DBUG virsh qemu-agent-command $HOST \
# '{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}'
#virsh qemu-agent-command $HOST \
# '{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}' \
# >/tmp/R$$.out || exit 4$?
TRIES=10
i=0
while [ $i -lt $TRIES ] ; do
i=`expr $i + 1`
virsh qemu-agent-command $HOST \
'{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}' \
>/tmp/R$$.out || exit 4$i$?
grep -q '"exitcode":0' /tmp/R$$.out && break
sleep 5
DBUG $i
done
[ $i -lt $TRIES ] || \
{ ERROR $i no exitcode in /tmp/R$$.out; exit 5 ; }
b64=`sed -e 's/{"return":{"exitcode":0,"out-data":"//' -e 's/",".*//' /tmp/R$$.out`
[ $? -eq 0 ] || exit 6
[ -n "$b64" ] || exit 7
echo $b64 | base64 -d - || exit 8
rm -f /tmp/{Q,R}$$.out
exit 0

29
overlay/Linux/usr/local/sbin/proxy_libvirt_hook_network.bash Executable file
View file

@ -0,0 +1,29 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/usr_local_tput.bash
. /usr/local/bin/proxy_ping_lib.bash || exit 1$?
if [ -f /etc/modules-load.d/firewall.conf ] ; then
grep -v '#' /etc/modules-load.d/firewall.conf|xargs modprobe --all
fi
proxy_ping_firewall_restart
retval=$?
if [ $retval -eq 0 ] ; then
logger INFO: $prog proxy_ping_firewall_restart $*
else
logger ERROR: $prog proxy_ping_firewall_restart retval=$retval $*
exit $retval
fi
# clean
exit 0
# BEGIN ANSIBLE MANAGED BLOCK proxy whonix_host.yml
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
# END ANSIBLE MANAGED BLOCK proxy whonix_host.yml

13
overlay/Linux/usr/local/sbin/proxy_libvirt_hook_qemu.bash Executable file
View file

@ -0,0 +1,13 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/usr_local_tput.bash
logger INFO: $0 $PWD $*
exit 0

BIN
overlay/Linux/usr/local/sbin/proxy_tor_lib.bad Executable file
View file

Binary file not shown.

217
overlay/Linux/usr/local/sbin/proxy_tor_lib.bash Executable file
View file

@ -0,0 +1,217 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
## /usr/local/bin/proxy_whonix_tor_start.bash
ROLE=proxy
[ -z "$prog" ] && prog=$( basename $0 .bash )
[ -z "$PRIV_TOR_OWNER" ] && grep -q ^debian-tor /etc/passwd && PRIV_TOR_OWNER=debian-tor
## host_tor_verify_config
. /usr/local/bin/usr_local_tput.bash || exit 3
host_tor_verify_config () {
# tor --verify-config # || exit 2$?
su -c 'tor --verify-config' -s /bin/sh $PRIV_TOR_OWNER \
| grep -v 'notice\|DisableNetwork'
# || exit 2
return 0
}
tor_grep_log () {
local log
[ -f /run/tor/log ] && log=/run/tor/log || log=/tmp/tor.log
[ -f $log ] || { WARN $prog $log not found ; return 1 ; }
INFO grep % $log
grep % $log | grep -v 5%
return 0
}
## host_tor_is_running
host_tor_is_running () {
local retval
retval=0
if netstat -nlp4 2>&1| grep ':90.*/tor' ; then
DBUG $prog tor is already running
retval=2
elif ps ax | grep -v grep | grep "su -c tor -s /bin/sh $PRIV_TOR_OWNER" ; then
DBUG $prog tor is already running
retval=3
elif ls -l /run/tor/socket 2>/dev/null ; then
DBUG $prog tor is already running
retval=4
fi
tor_grep_log
return $retval
}
## host_tor_start
host_tor_start () {
#su -c '/etc/init.d/tor stop' -s /bin/sh $PRIV_TOR_OWNER
#sleep 5
[ -d /run/tor/ ] && rm -f /run/tor/* || mkdir /run/tor
# systemd overrides these
chown $PRIV_TOR_OWNER.$PRIV_TOR_OWNER /run/tor
chmod 2750 /run/tor/
gateway_tor_stop
# systemctl daemon-reload
rm -f /run/tor/log.err /tmp/log.err
rm -f /run/tor/log /tmp/log.log
rm -f /run/tor/tor.pid /tmp/log.pid
INFO starting tor - see /tmp/tor.err /tmp/tor.log
if false ; then
su -c '/etc/init.d/tor start' -s /bin/sh $PRIV_TOR_OWNER
netstat -nlp -t inet | grep "$IP:9128" || systemctl --no-pager restart tor@default || return 4$?
else
su -c 'tor' -s /bin/sh $debian 2>/tmp/tor.err >/tmp/tor.log &
echo -n $! >/tmp/tor.pid
fi
sleep 15
return 0
}
## host_tor_stop
host_tor_stop () {
local debian
[ -s /tmp/tor.pid ] && \
DBUG $prog kill $( cat /tmp/tor.pid ) && \
kill $( cat /tmp/tor.pid ) 2>/dev/null && \
rm /tmp/tor.pid
rm -f /tmp/tor.log /tmp/tor.err
debian=$PRIV_TOR_OWNER
pkill -u $debian
[ -s /tmp/tog.pid ] && \
kill $( cat /tmp/tog.pid ) 2>/dev/null \
&& rm /tmp/tog.pid
# echo 1|sudo dd of=/proc/sys/net/ipv4/tcp_tw_reuse
return 0
}
PROXY_ExcludeNodes="{gb},{ca}"
## proxy_tor_torrc_update
proxy_tor_torrc_update () {
local file IP
file=$1
IP=$2
grep -q "SocksPort $IP:9050" $file || \
echo "SocksPort $IP:9050" >> $file
grep -q "DNSPort $IP:9053" $file || \
echo "DNSPort $IP:9053" >> $file
if false ; then
grep -q "TransPort $IP:9040" $file || \
echo "TransPort $IP:9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort" >> $file
fi
grep -q "HTTPTunnelPort $IP:9128" $file || \
echo "HTTPTunnelPort $IP:9128 IsolateDestAddr" >> $file
return 0
}
export TOR_LOG="/var/log/tor/log"
export TOR_DIR=/var/lib/tor/data
cmd_item_list=(
"--has-consensus"
"--current-time-in-valid-range"
"--show-valid-after"
"--show-valid-until"
"--show-middle-range"
)
#"--tor-cert-lifetime-invalid"
#"--tor-cert-valid-after"
## proxy_tor_test_ntp
proxy_tor_test_ntp () {
/usr/local/bin/proxy_ping_test.bash ntp
return $?
}
## proxy_tor_test_anondate
proxy_tor_test_anondate () {
local cmd_item outout exit_code
for cmd_item in ${cmd_item_list[@]} ; do
output="$( /usr/local/lib/helper-scripts/anondate $cmd_item $@ )"
exit_code="$?"
if [ $exit_code -eq 0 ] ; then
INFO "/usr/local/lib/helper-scripts/anondate $cmd_item $@"
echo "output: $output"
else
echo "WARN: /usr/local/lib/helper-scripts/anondate $cmd_item $@"
echo -n "exit_code: $exit_code "
echo "output: $output"
fi
done
return 0
}
host_tor_status () {
[ -f /tmp/tor.pid ] && \
[ $( wc -c /tmp/tor.pid|sed -e 's/ .*//' ) -le 1 ] && \
rm /tmp/tor.pid
if [ -f /tmp/tor.pid ]; then
ps -p "$( cat /tmp/tor.pid )"
elif [ -f /run/tor/tor.pid ] ; then
ps -p "$( cat /run/tor/tor.pid )"
else
WARN $prog no /tmp/tor.pid or /run/tor/tor.pid
fi
[ ! -f /usr/local/src/helper-scripts/tor_bootstrap_check.py ] || \
python3 /usr/local/src/helper-scripts/tor_bootstrap_check.py \
|| return 1
debian=$PRIV_TOR_OWNER
INFO $prog $debian processes:
ps -g $debian
guest_qemu_status || return 2$?
tor_start_not_running && return 3$?
[ ! -f /usr/local/src/helper-scripts/tor_circuit_established_check.py ] || \
a=$( python3 /usr/local/src/helper-scripts/tor_circuit_established_check.py ) \
|| return 4
[ "$a" = "1" ]|| { echo "WARN: $prog tor_circuit_established_check != 1" ;
return 5
}
return 0
}
## proxy_tor_torrc_exclude
proxy_tor_torrc_exclude () {
local file
[ $# -eq 0 ] && file=$1 || file=/etc/tor/torrc
[ -n "$file" ] || return 1
[ -f "$file" ] || return 2
[ -n "$PROXY_ExcludeNodes" ] || return 3
grep -q "ExcludeNodes.*$PROXY_ExcludeNodes" "$file" && return 0
if grep -q "ExcludeNodes" $file ; then
sed -e "s@ExcludeNodes.*@ExcludeNodes ${PROXY_ExcludeNodes}@" -i $file
else
echo "ExcludeNodes $PROXY_ExcludeNodes" >> $file
fi
return 0
}
base=proxy_tor_lib
if [ -x /usr/bin/basename ] && [ $( /usr/bin/basename -- $0 ) = $base'.bash' -o $( basename -- $0 ) = $base'.sh' ] ; then
[ "$#" -eq 0 ] && exit 0
[ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//'|sort && exit 0
eval "$@"
exit $?
fi

172
overlay/Linux/usr/local/sbin/proxy_whonix-libvirt-install.bash Executable file
View file

@ -0,0 +1,172 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
set -o pipefail || exit 1
# was in /usr/lib/whonix-libvirt/install
# unlike that one, this should be idempotent
# [ -f /var/lib/whonix-libvirt/install.done ] && exit 0
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=base
. /usr/local/bin/usr_local_tput.bash
GATEW=1
# for testforge use we only need the Gateway
WORKS=
[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
. /usr/local/bin/proxy_ping_lib.bash || \
{ echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 1; }
. /usr/local/bin/usr_local_base.bash || exit 2
MODE=`proxy_ping_mode`
[ $MODE = whonix ] || exit 0
#? echo ERROR: avoiding $prog proxy_whonix-libvirt-install.bash ; exit 10
[ -x /usr/local/bin/proxy_libvirt_hook_network.bash ] || exit 12
/usr/local/bin/proxy_libvirt_hook_network.bash || exit 13
[ -d /usr/local/var/log ] || mkdir /usr/local/var/log || exit 14
chmod 1777 /usr/local/var/log
[ -f /etc/firewall.conf.whonix ] || \
cp -p /usr/local/etc/firewall.conf.* /etc/ || exit 15
[ -f /etc/firewall.conf ] || \
cp -p /etc/firewall.conf.whonix /etc/firewall.conf || exit 16
# ERROR: proxy_ping_firewall_check /etc/firewall.conf empty
[ -x /etc/libvirt/hooks/network ] || cat > /etc/libvirt/hooks/network << \EOF
#!/bin/sh
[ -d /usr/local/var/log ] || mkdir /usr/local/var/log
echo INFO: hooks/network $* > /usr/local/var/log/libvirt_network.log
bash /usr/local/bin/proxy_libvirt_hook_network.bash "$@" \
>> /usr/local/var/log/libvirt_network.log 2>&1
EOF
[ -x /etc/libvirt/hooks/network ] || chmod a+x /etc/libvirt/hooks/network
/etc/libvirt/hooks/network || exit 16
## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
set -e
## {{ Taken from qemu-system-common.postinst.
# Add the kvm group unless it's already there
if ! getent group kvm >/dev/null; then
addgroup --quiet --system kvm || true
fi
## }} Taken from qemu-system-common.postinst.
## {{ Taken from libvirt-bin.postinst.
if ! getent group libvirt >/dev/null; then
addgroup --system libvirt
fi
## }} Taken from libvirt-bin.postinst.
## Existence of user "user" is not guaranteed at this point.
if grep -q ^user /etc/passwd ; then
grep -q ^kvm /etc/group || addgroup user kvm
grep -q ^libvirt /etc/group || addgroup user libvirt
fi
## Create shared directory and adjust permissions
[ -d /mnt/gateway-shared ] || mkdir --parents /mnt/gateway-shared
[ -n "$WORKS" ] && [ -d /mnt/workstation-shared ] || mkdir --parents /mnt/workstation-shared
chmod 1777 /mnt/gateway-shared
[ -n "$WORKS" ] && chmod 1777 /mnt/workstation-shared
## networks
proxy_virsh net-list --all | grep -q default || \
virsh -c qemu:///system net-autostart "default" || exit 1$?
#? virsh -c qemu:///system net-start "default" || exit 2$?
proxy_virsh net-list --all | grep -q Whonix-External || \
virsh -c qemu:///system net-define "/usr/local/etc/libvirt/qemu/networks/Whonix-External.xml" \
|| exit 3$?
proxy_virsh net-list --all | grep -q Whonix-Internal || \
virsh -c qemu:///system net-define "/usr/local/etc/libvirt/qemu/networks/Whonix-Internal.xml" \
|| exit 4$?
#no virsh -c qemu:///system net-autostart "Whonix-External"
proxy_virsh net-list | grep -q Whonix-External || \
virsh -c qemu:///system net-start "Whonix-External" || exit 5$?
# no virsh -c qemu:///system net-autostart "Whonix-Internal"
proxy_virsh net-list | grep -q Whonix-Internal || \
virsh -c qemu:///system net-start "Whonix-Internal" || exit 6$?
lsmod | grep -q kvm||modprobe kvm || exit 7
temp_dir=/usr/local/etc/libvirt/qemu
if virsh capabilities | grep -q "<domain type='kvm'" ; then
true "OK: found KVM"
else
## replace the 'kvm' domain type with 'qemu'
search="<domain type='kvm'>"
replace="<domain type='qemu'>"
str_replace "$search" "$replace" "$temp_dir/Whonix-Gateway.xml"
[ -n "$WORKS" ] && \
str_replace "$search" "$replace" "$temp_dir/Whonix-Workstation.xml"
search="<cpu mode='host-passthrough'/>"
replace=""
str_replace "$search" "$replace" "$temp_dir/Whonix-Gateway.xml"
str_replace "$search" "$replace" "$temp_dir/Whonix-Workstation.xml"
## https://forums.whonix.org/t/whonix-host-operating-system/3931/251
search="<pvspinlock state='on'/>"
replace=""
str_replace "$search" "$replace" "$temp_dir/Whonix-Gateway.xml"
[ -n "$WORKS" ] && \
str_replace "$search" "$replace" "$temp_dir/Whonix-Workstation.xml"
## https://forums.whonix.org/t/whonix-host-operating-system/3931/284
search="<vcpu placement='static' cpuset='0'>1</vcpu>"
replace=""
str_replace "$search" "$replace" "$temp_dir/Whonix-Gateway.xml"
## https://forums.whonix.org/t/whonix-host-operating-system/3931/284
search="<vcpu placement='static' cpuset='1'>1</vcpu>"
replace=""
[ -n "$WORKS" ] && \
str_replace "$search" "$replace" "$temp_dir/Whonix-Workstation.xml"
fi
[ -z "$GATEW" ] || \
proxy_virsh list --all | grep -q Whonix-Gateway || \
virsh -c qemu:///system define "$temp_dir/Whonix-Gateway.xml" || exit 8$?
[ -z "$WORKS" ] || \
proxy_virsh list --all | grep -q Whonix-Workstation || \
virsh -c qemu:///system define "$temp_dir/Whonix-Workstation.xml" || exit 9$?
grep -q /mnt/gateway-shared "$temp_dir/Whonix-Gateway.xml" || \
virt-xml "Whonix-Gateway" --add-device \
--filesystem source=/mnt/gateway-shared,target=shared,type=mount,accessmode=mapped || exit 10$?
[ -z "$WORKS" ] || \
grep -q /mnt/gateway-shared "$temp_dir/Whonix-Workstation.xml" || \
virt-xml "Whonix-Workstation" --add-device --filesystem source=/mnt/workstation-shared,target=shared,type=mount,accessmode=mapped || true
[ -d /var/lib/whonix-libvirt ] || \
mkdir --parents /var/lib/whonix-libvirt
touch /var/lib/whonix-libvirt/install.done
proxy_virsh list | grep -q Whonix-Gateway || \
virsh -c qemu:///system start "Whonix-Gateway" || exit 19$?
if [ -d ~user ] ; then
# kicksecure installs ~user/.xchat2/ not owned by user and it seems to screw up X
# with "unable load load a failsafe session" unable to determine failsafe session name
# even with no-allow-failsafe in /etc/X11/Xsession.options
# Linkname:Xfce - Unable to load a failsafe session / Newbie... / Arch Linux Forums
# https://bbs.archlinux.org/viewtopic.php?id=77646
chown -R user ~user
[ -x /var/local/bin/testforge_user_profile.bash ] && \
su -c /var/local/bin/testforge_user_profile.bash -s /bin/bash user
fi
exit 0

349
overlay/Linux/usr/local/sbin/proxy_whonix_gateway_tor.bash Executable file
View file

@ -0,0 +1,349 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
# was /usr/local/bin/proxy_whonix_tor_start.bash
ROLE=proxy
USAGE="config|start|stop|status|restart|verify|test"
[ $( id -u ) -eq 0 ] || { ERROR $prog you must be root ; exit 1 ; }
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash || exit 3
. /usr/local/sbin/proxy_whonix_lib.bash || exit 1
. /usr/local/sbin/proxy_tor_lib.bash || exit 2
rm -f /etc/torrc.d/*~
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
[ -z "$PRIV_TOR_OWNER" ] && grep -q ^debian-tor /etc/passwd && PRIV_TOR_OWNER=debian-tor
[ -z "$PRIV_TOR_OWNER" ] && grep -q ^tor /etc/passwd && PRIV_TOR_OWNER=tor
NEEDED_SCRIPTS="
/usr/local/sbin/proxy_tor_lib.bash
/usr/local/bin/proxy_ping_test.bash
"
# to stop
# 4269 ttyS0 S 0:00 su -c tor -s /bin/sh debian-tor
# 4272 ? Ss 0:00 sh -c tor
# 4273 ? S 0:02 tor
# 4355 ? S 0:00 timeout --kill-after=5s 10s /usr/lib/helper-scripts/tor_circuit_established_check.py
# 4356 ? R 0:00 /usr/bin/python3 -u /usr/lib/helper-scripts/tor_circuit_established_check.py
## gateway_tor_stop
gateway_tor_stop () {
local debian
[ -s /tmp/tor.pid ] && \
DBUG $prog kill $( cat /tmp/tor.pid ) && \
kill $( cat /tmp/tor.pid ) 2>/dev/null && \
rm /tmp/tor.pid
rm -f /tmp/tor.log /tmp/tor.err
debian=$PRIV_TOR_OWNER
pkill -u $debian
[ -s /tmp/tog.pid ] && \
kill $( cat /tmp/tog.pid ) 2>/dev/null \
&& rm /tmp/tog.pid
systemctl stop vanguards
# systemctl start onion-grater >/dev/null && systemctl stop onion-grater
# echo 1|sudo dd of=/proc/sys/net/ipv4/tcp_tw_reuse
netstat -npet4
return 0
}
## gateway_tor_torrc
gateway_tor_torrc () {
local file IP
# file=/etc/torrc.d/50_user.conf
file=/usr/local/etc/torrc.d/50_user.conf
if [ ! -f $file ] ; then
cat > $file <<EOF
# Tor user specific configuration file
#
# Add user modifications below this line:
############################################
Socks5ProxyUsername foo
Socks5ProxyPassword bar
SafeLogging 0
SocksPort 10.0.2.15:9050
DNSPort 10.0.2.15:9053
HTTPTunnelPort 10.0.2.15:9128 IsolateDestAddr
TransPort 10.0.2.15:9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort
DisableNetwork 0
ControlSocket /run/tor/control
EOF
else
IP=10.0.2.15
proxy_tor_torrc_update $file $IP
fi
proxy_tor_torrc_exclude $file
return 0
}
## gateway_tor_init_config_gateway_conf
gateway_tor_init_config_gateway_conf () {
local elt file
file=/etc/whonix_firewall.d/30_whonix_gateway_default.conf
for elt in GATEWAY_ALLOW_INCOMING_ICMP GATEWAY_ALLOW_INCOMING_SSH ; do
grep -q $elt=1 $file || \
sed -e "s/$elt=.*/$elt=1/" -i $file
done
for elt in 22 9050 9053 9040 9128 ; do
grep -q '^EXTERNAL_OPEN_PORTS.=" '$elt' "' \
/etc/whonix_firewall.d/30_whonix_gateway_default.conf && continue
echo 'EXTERNAL_OPEN_PORTS+=" '$elt' "' >> $file
done
return 0
}
## gateway_tor_init_check_iptables
gateway_tor_init_check_iptables () {
local rule changed
changed=0
rule='-A INPUT -i eth0 -p udp -m udp --dport 9053 -j ACCEPT'
if ! proxy_iptables_save | grep -q -e "$rule" ; then
[ $changed -eq 0 ] && proxy_iptables -D INPUT -j DROP
proxy_iptables $rule
changed=1
fi
rule='-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT'
if ! proxy_iptables_save | grep -q -e "$rule" ; then
[ $changed -eq 0 ] && proxy_iptables -D INPUT -j DROP
proxy_iptables $rule
changed=1
fi
rule='-A INPUT -i eth0 -p tcp -m tcp --dport 9128 -j ACCEPT'
if ! proxy_iptables_save | grep -q -e "$rule" ; then
[ $changed -eq 0 ] && proxy_iptables -D INPUT -j DROP
proxy_iptables $rule
changed=1
fi
[ $changed -gt 0 ] && proxy_iptables -A INPUT -j DROP
return 0
}
# systemctl --no-pager status tor@default
## tor_start_not_running
tor_start_not_running () {
local retval
retval=0
if netstat -nlp4 2>&1| grep '15:90.*/tor' ; then
DBUG $prog tor is already running
retval=2
elif ps ax | grep -v grep | grep "su -c tor -s /bin/sh $PRIV_TOR_OWNER" ; then
DBUG $prog tor is already running
retval=3
elif ls -l /run/tor/socket 2>/dev/null ; then
DBUG $prog tor is already running
retval=4
fi
tor_grep_log
return $retval
}
## gateway_tor_config_tor
gateway_tor_config_tor () {
gateway_tor_init_check_iptables || exit 2$?
gateway_tor_torrc
gateway_tor_init_config_gateway_conf
rm -f /usr/local/etc/torrc.d/*~
return $?
}
## tor_start_verify_config
tor_start_verify_config () {
# tor --verify-config # || exit 2$?
su -c 'tor --verify-config' -s /bin/sh $PRIV_TOR_OWNER \
| grep -v 'notice\|DisableNetwork'
# || exit 2
return 0
}
## tor_prepare_to_start
tor_prepare_to_start () {
#su -c '/etc/init.d/tor stop' -s /bin/sh $PRIV_TOR_OWNER
#sleep 5
[ -d /run/tor/ ] && rm -f /run/tor/* || mkdir /run/tor
# systemd overrides these
chown $PRIV_TOR_OWNER.$PRIV_TOR_OWNER /run/tor
chmod 0700 /run/tor/
gateway_tor_stop
# systemctl daemon-reload
rm -f /run/tor/log.err /tmp/log.err
rm -f /run/tor/log /tmp/log.log
rm -f /run/tor/tor.pid /tmp/log.pid
sed '/DisableNetwork/d' -i /usr/local/etc/torrc.d/50_user.conf
return 0
}
## tor_after_start
tor_after_start () {
[ -s /tmp/tor.err ] && ERROR $prog /tmp/tor.err && cat /tmp/tor.err && return 6
grep '\[warn\]' /tmp/tor.log
grep '\[err\]' /tmp/tor.log && ERROR $prog /tmp/tor.log && return 7
ls /run/tor/log* >/dev/null && \
sed -e '/configured a non-loopback address/d' -i /run/tor/log*
chmod 750 /run/tor/
chmod 640 /run/tor/log
INFO checked /tmp/tor.log /tmp/tor.err
INFO starting onion-grater
# systemctl start onion-grater
pidof /usr/lib/onion-grater || return 0
/usr/lib/onion-grater --listen-interface eth1 &
echo -n $! >/tmp/tog.pid
return 0
}
tor_grep_log () {
local log
[ -f /run/tor/log ] && log=/run/tor/log || log=/tmp/tor.log
[ -f $log ] || { WARN $prog $log not found ; return 1 ; }
INFO grep % $log
grep % $log | grep -v 5%
return 0
}
tor_test () {
tor_grep_log
tor_qemu_status || return 1$?
return 0
}
tor_qemu_status () {
local pid
pid=$( pidof /usr/sbin/qemu-ga )
[ $? -eq 0 -a -n "$pid" ] || \
{ WARN $prog qemu-qa not running; return 1 ; }
lsof -p $pid | grep -q /dev/v || \
{ WARN /usr/sbin/qemu-ga not bound to /dev ; return 1 ; }
return 0
}
tor_status () {
[ -f /tmp/tor.pid ] && \
[ $( wc -c /tmp/tor.pid|sed -e 's/ .*//' ) -le 1 ] && \
rm /tmp/tor.pid
if [ -f /tmp/tor.pid ]; then
ps -p "$( cat /tmp/tor.pid )"
elif [ -f /run/tor/tor.pid ] ; then
ps -p "$( cat /run/tor/tor.pid )"
else
WARN $prog no /tmp/tor.pid or /run/tor/tor.pid
fi
[ ! -f /usr/local/src/helper-scripts/tor_bootstrap_check.py ] || \
python3 /usr/local/src/helper-scripts/tor_bootstrap_check.py \
|| return 1
debian=$( grep -q ^$PRIV_TOR_OWNER /etc/passwd && echo $PRIV_TOR_OWNER || echo tor )
INFO $prog $debian processes:
ps -g $debian
tor_qemu_status || return 1$?
tor_start_not_running && return 2$?
# /usr/lib/helper-scripts/tor_circuit_established_check.py
return 0
}
gateway_tor_verify () {
tor_start_verify_config || return 1
return 0
}
gateway_tor_start () {
local debian
# Nov 09 21:00:27 host vanguards[715]: WARNING[Mon Nov 09 21:00:27 2020]: Tor daemon connection failed: [Errno 24] Too many open files. Trying again...
# debian-tor soft nofile 100000
# /etc/security/limits.conf
gateway_tor_config_tor || return 2$?
tor_start_not_running || return 3$?
gateway_tor_verify || return 4$?
tor_prepare_to_start
INFO startiing tor - see /tmp/tor.err /tmp/tor.log
#su -c '/etc/init.d/tor start' -s /bin/sh $PRIV_TOR_OWNER
#netstat -nlp -t inet | grep "$IP:9128" || systemctl --no-pager restart tor@default || return 4$?
su -c 'tor' -s /bin/sh $PRIV_TOR_OWNER 2>/tmp/tor.err >/tmp/tor.log &
echo -n $! >/tmp/tor.pid
sleep 15
tor_after_start
tor_status
return 0
}
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog "$USAGE"
elif [ "$d1#" = '--help' ] ; then
echo USAGE: $prog "$USAGE" or:
grep '^## ' $0 | sed -e 's/^## //'
## config
elif [ $1 = config ] ; then
INFO $prog $1
gateway_tor_config_tor || exit 1$?
## stop -
elif [ $1 = stop ] ; then
INFO $prog $1
gateway_tor_stop
exit $?
## status
elif [ $1 = status ] ; then
INFO $prog tor_status
tor_status || exit $?
exit 0
## start
elif [ "$1" = gateway -o "$1" = start ] ; then
INFO $prog tor_start
gateway_tor_start
exit $?
## restart
elif [ "$1" = restart ] ; then
INFO $prog tor_restart
gateway_tor_stop || exit 1$?
sleep 2
gateway_tor_start
exit $?
## verify
elif [ "$1" = verify ] ; then
tor_start_verify_config
elif [ "$1" = test ] ; then
tor_test
elif [ "$1" = '--help' -o "$1" = '-h' ] ; then
echo USAGE: $prog "$USAGE or:"
grep '^## ' $0 | sed -e 's/## //'
else
eval "$@" || exit $?
fi
exit 0

262
overlay/Linux/usr/local/sbin/proxy_whonix_guest_gateway.bash Executable file
View file

@ -0,0 +1,262 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
ROLE=proxy
CONN=guest
USAGE="[config|start|stop|test|verify]"
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash
. /usr/local/sbin/proxy_whonix_lib.bash || \
{ ERROR loading /usr/local/sbin/proxy_whonix_lib.bash ; exit 1; }
. /usr/local/sbin/proxy_whonix_gateway_tor.bash || \
{ ERROR loading /usr/local/sbin/proxy_whonix_gateway_tor.bash ; exit 2; }
. /usr/local/bin/usr_local_tput.bash || exit 3
NSL='nslookup -querytype=A'
NETS='netstat -nl4e'
SHARED_MNTS="o"
# ELTS="onion-grater" # these work and start normally
# sdwdate should be linked to NetManager and prevents logins if not connected
# well start tor ourselves
# we dont need vanguards
DISABLE_SERVICES="sdwdate tor vanguards"
DISABLE_X_SERVICES="rads sdwdate-gui-shutdown-notify tor-control-panel"
grep -q ' text ' /proc/cmdline && \
DISABLE_SERVICES="$DISABLE_X_SERVICES $DISABLE_SERVICES"
## proxy_gateway_fix_getty_timeout
proxy_gateway_fix_getty_timeout () {
# fix_getty_timeout - wheres inittab
grep -l '^Exec.*agetty -o' /lib/systemd/system/*service | while read file ; do
[ -f $file.dst ] && continue
cp -p $file $file.dst
sed -e 's/agetty -o/agetty -t 120 -o/' -i $file
done
return 0
}
## proxy_gateway_disable_rads
proxy_gateway_disable_rads () {
# rads is really hard to kill
if [ ! -f /etc/rads.d/50_default.conf ] ; then
sed /etc/rads.d/30_default.conf > /etc/rads.d/50_default.conf \
-e 's@rads_start_display_manager=1@rads_start_display_manager=0@' \
-e 's@rads_skip_ram_test=0rads_skip_ram_test=1@' \
-e 's@rads_wait=0@rads_wait=1@' \
-e 's@rads_wait_seconds=10@rads_wait_seconds=20@' \
-e 's@rads_debug=0@rads_debug=1@'
fi
return 0
}
## proxy_gateway_install_tor
proxy_gateway_install_tor () {
# fixme parameterize?
if [ ! -f /usr/local/etc/torrc.d/50_user.conf ] ; then
cat > /usr/local/etc/torrc.d/50_user.conf << EOF
Socks5ProxyUsername foo
Socks5ProxyPassword bar
SafeLogging 0
SocksPort 10.0.2.15:9050
DnsPort 10.0.2.15:9053
HTTPTunnelPort 10.0.2.15:9128
TransPort 10.0.2.15:9040
ControlSocket /run/tor/control
ControlSocketGroupWriteable 1
DisableNetwork 0
EOF
fi
return 0
}
## proxy_gateway__shutup_verbosity
proxy_gateway_shutup_verbosity () {
for file in /etc/issue* /etc/issue.d/* ; do
[ -f $file ] || continue
[ -s $file ] && cp /dev/null $file
done
return 0
}
## proxy_gateway_install_fstab
proxy_gateway_install_fstab () {
# /etc/fstab
options=noauto,rw,trans=virtio,version=9p2000.L,cache=none
for elt in $SHARED_MNTS ; do
[ -d /mnt/$elt ] || mkdir /mnt/$elt
grep -q /mnt/$elt /etc/fstab && continue
echo "$elt /mnt/$elt 9p $options 0 0" \
>> /etc/fstab
done
return 0
}
## proxy_gateway_install_gagent
proxy_gateway_install_gagent () {
[ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] || {
ERROR /dev/virtio-ports/org.qemu.guest_agent.0 not found
ERROR "check the host xml for <target type='virtio' name='org.qemu.guest_agent.0'/>"
ERROR "or blame Pottyring's systemd"
}
[ -x /usr/sbin/qemu-ga ] && return 0
# /mnt/shared/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb
if [ -f /var/cache/apt/archives/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb ] ; then
# /o/Cache/Apt/Debian/10.6/deb.debian.org/debian-security/pool/updates/main/q/qemu/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb
dpkg -i /var/cache/apt/archives/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb
fi
false && \
[ -f /lib/systemd/system/qemu-guest-agent.service ] && \
[ ! -h /etc/systemd/system/multi-user.target/qemu-guest-agent.service ] && \
ln -s /lib/systemd/system/qemu-guest-agent.service \
/etc/systemd/system/multi-user.target.wants
return 0
}
## proxy_gateway_disable_services
proxy_gateway_disable_services () {
[ -f /usr/local/etc/local.d/local.bash ] || \
{ ERROR loading /usr/local/etc/local.d/local.bash ; return 2; }
local_systemd_stop_and_mask $DISABLE_SERVICES
return 0
}
## proxy_gateway_test
proxy_gateway_test () {
proxy_whonix_test gateway
return 0
}
## proxy_gateway_config
proxy_gateway_config () {
grep '^nameserver 127.0.0.1' /etc/resolv.conf || \
echo 'nameserver 127.0.0.1' >> /etc/resolv.conf
proxy_gateway_disable_services || return 1$?
# /usr/local/sbin/proxy_whonix_gateway_tor.bash config || return 2$?
gateway_tor_verify || return 3$?
return 0
}
## proxy_gateway_config
proxy_gateway_config () {
local dire=gateway
local file
proxy_dest_port_wlan_config $dire || return 1$?
DEST=10.0.2.15
PORT=9053
[ -z "$PORT" -o -z "$DEST" ] && return 2
#? proxy_whonix_polipo_config $dire
proxy_ping_test_resolv $dire || return 4$?
proxy_whonix_dnsmasq_config $dire || return 5$?
return 0
}
## proxy_gateway_start_bg
proxy_gateway_start_bg () { proxy_gateway_start $* ; }
## proxy_gateway_start
proxy_gateway_start () {
proxy_gateway_config || return 1$?
proxy_whonix_guest_start gateway
proxy_ping_dnsmasq_status || \
proxy_ping_dnsmasq_start || return 2$?
/usr/local/sbin/proxy_whonix_gateway_tor.bash start || return 3$?
#? . gateway_tor_start
#? polipo
# dnsmasq
return 0
}
## proxy_gateway_stop
proxy_gateway_stop () {
gateway_tor_stop stop || return 3$?
return 0
}
## proxy_gateway_status
proxy_gateway_status () {
if [ -f /etc/ssh/sshd_config ] ; then
rc_service sshd status
else
WARN ssh not installed
fi
# tor_grep_log || return 2$?
tor_status
#? /usr/local/bin/proxy_ping_test.bash polipo || return 3$?
/usr/local/bin/proxy_ping_test.bash gateway || return 3$?
/usr/local/bin/proxy_ping_test.bash dns || return 4$?
return 0
}
## proxy_gateway_config
proxy_gateway_config () {
systemctl is-enabled rc.local || systemctl enable --now rc.local || return 1
# [ -f /etc/systemd/system/multi-user.target.wants/rc-local.service ] || \
# ln -s /lib/systemd/system/rc-local.service \
# /etc/systemd/system/multi-user.target.wants/rc-local.service
systemctl is-enabled tor || systemctl disable --now tor
tor_config_tor || return 1$?
return 0
}
proxy_gateway_verify () {
for elt in $( echo $USAGE | sed -e 's/|/ /' ) do ; grep ^$elt $0 ; done
tor_do_verify || return 1
return 0
}
## proxy_gateway_install
proxy_gateway_install () {
proxy_gateway_config || return 0
proxy_gateway_install_gagent
proxy_gateway_fix_getty_timeout
proxy_gateway_install_tor
proxy_gateway_shutup_verbosity
proxy_gateway_install_fstab
proxy_gateway_disable_rads
return 0
}
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $USAGE
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
echo USAGE: $prog $USAGE or:
grep '^## ' $0 | sed -e 's/^## //'
elif [ "$1" = config -o "$1" -o "$1" = install ] ; then
proxy_gateway_$1 || return 3$?
elif [ "$1" = verify -o "$1" = status -o "$1" = test_from -o "$1" = test ] ; then
proxy_gateway_$1 || return 4$?
elif [ "$1" = start_bg -o "$1" = start -o "$1" = stop ] ; then
proxy_gateway_$1 || return 5$?
else
INFO $prog "$@"
eval "$@"
exit $?
fi

161
overlay/Linux/usr/local/sbin/proxy_whonix_guest_vda.bash Executable file
View file

@ -0,0 +1,161 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
ROLE=proxy
MODE=vda
CONN=guest
USAGE="[config|start|stop|status|restart|verify|test]"
[ $( id -u ) -eq 0 ] || { ERROR you must be root ; exit 1 ; }
prog=$( basename $0 .bash )
export PATH=$PATH:/usr/local/sbin
. /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
NEEDED_SCRIPTS="
/usr/local/bin/proxy_ping_test.bash
/usr/local/sbin/proxy_whonix_gateway_tor.bash
"
. /usr/local/etc/local.d/local.bash || exit 1
. /usr/local/sbin/proxy_whonix_lib.bash || \
{ ERROR loading /usr/local/sbin/proxy_whonix_lib.bash ; exit 2; }
# vda does not need dnsmasq
# $DEST resolv.conf
## proxy_vda_stop
proxy_vda_stop () {
return 0
}
## tor_init_check_iptables
proxy_vda_init_check_iptables () {
# tor_init_check_iptables || return 1$?
return 0
}
## proxy_vda_config
proxy_vda_config () {
proxy_whonix_guest_config || return 1$?
[ -f /etc/firewall.conf.vda ] && \
cp -p /usr/local/etc/firewall.conf.vda /etc/firewall.conf.vda
proxy_guest_firewall_config || return 2$?
#/usr/local/sbin/proxy_whonix_guest_workstation-firewall.bash > \
# /etc/firewall.conf.ws.new
proxy_vda_whonix_config
return 0
}
## proxy_vda_verify
proxy_vda_verify () {
for elt in $(echo $USAGE | sed -e 's/|/ /') ; do grep ^$elt $0 ; done
return 0
}
proxy_vda_grep_logs () {
return 0
}
## proxy_vda_test
proxy_vda_test () {
proxy_whonix_test vda || return 3$?
return 0
}
## proxy_vda_status
proxy_vda_status () {
netstat -nle4 | grep -q 127.0.0.1:3128 >/dev/null || \
{ [ -n "$DEBUG" ] && WARN $0 polipo not running ; return 1 ; }
[ -n "$DEBUG" ] && DBUG $0 polipo running
/usr/local/bin/proxy_ping_test.bash vda
/usr/local/bin/proxy_ping_test.bash polipo
/usr/local/bin/proxy_ping_test.bash dns
return 0
}
## proxy_vda_whonix_start
proxy_vda_whonix_start () {
local dire=vda
local ret
#? proxy_whonix_guest_start
proxy_whonix_polipo_start $dire || \
{ ret=$? ;ERROR $prog polipo not running ret=$ret ; return 4$ret ; }
return 0
}
## proxy_vda_start
proxy_vda_start () {
# local_guest_start_services
local PROXY_WLAN_GW=10.152.152.10
local IP=10.152.152.11
grep -q gateway /etc//hosts || grep $PROXY_WLAN_GW gateway >> /etc//hosts
if ! ifconfig eth0 | grep -q $IP ; then
ifconfig eth0 $IP netmask 255.255.192.0 broadcast 10.152.191.255
#? inet $IP netmask 255.0.0.0 broadcast 10.255.255.255
fi
ip route | grep -q ^default || \
route add default gw $PROXY_WLAN_GW
# dnsmasq
echo nameserver $PROXY_WLAN_GW > /etc/resolv.conf
[ -f /etc/firewall.conf.vda ] || exit 2
if [ -f /etc/firewall.conf.vda -a ! -f /etc/firewall.conf ] ; then
cp -p /etc/firewall.conf.vda /etc/firewall.conf
proxy_iptables_restore < /etc/firewall.conf
elif ! diff -q /etc/firewall.conf.vda /etc/firewall.conf ; then
mv /etc/firewall.conf /etc/firewall.conf.bak
cp -p /etc/firewall.conf.vda /etc/firewall.conf
proxy_iptables -F; proxy_iptables_restore < /etc/firewall.conf
fi
proxy_iptables_save | grep -i reject || return 3
proxy_vda_whonix_start
return 0
}
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $USAGE
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
echo USAGE: $prog $USAGE or:
grep '^## ' $0 | sed -e 's/^## //'
elif [ "$1" = config -o "$1" = 'install' ] ; then
proxy_vda_config || exit 3$?
elif [ "$1" = verify -o "$1" = 'test' ] ; then
proxy_vda_$1 || exit 4$?
elif [ "$1" = update -o "$1" = 'start' -o "$1" = 'status' -o "$1" = 'stop' ] ; then
proxy_vda_$1 || exit 5$?
elif [ "$1" = hourly -o "$1" = 'refresh' ] ; then
proxy_vda_refresh || exit 6$?
else
eval "$@"
exit $?
fi
exit 0

624
overlay/Linux/usr/local/sbin/proxy_whonix_guest_workstation-firewall.bash Executable file
View file

@ -0,0 +1,624 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
prog=$( basename $0 .bash )
ROLE=proxy
MODE=all
iptables_cmd='echo iptables'
ip6tables_cmd='echo iptables >/dev/null'
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
#### meta start
#### project Whonix
#### category networking and firewall
#### description
## firewall script
#### meta end
## NOTE: If you make changes to this firewall, think about, if it would
## make sense to add the changes to Whonix-Gateway script as well.
## Some things like dropping invalid packages, should be shared.
## TODO:
## - Should allow unlimited TCP/UDP/IPv6 traffic on the virtual external interface (OnionCat / OpenVPN).
## source for some rules:
## http://www.cyberciti.biz/faq/ip6tables-ipv6-firewall-for-linux/
set -e
error_handler() {
echo "$0 ##################################################"
echo "$0 ERROR: Whonix firewall script failed!"
echo "$0 ##################################################"
exit 1
}
# trap "error_handler" ERR
init() {
output_cmd "OK: Loading Whonix firewall..."
set -o pipefail
set -o errtrace
}
source_config_folder() {
shopt -s nullglob
local i
for i in \
/etc/whonix_firewall.d/*.conf \
/usr/local/etc/whonix_firewall.d/*.conf \
; do
bash_n_exit_code="0"
bash_n_output="$(bash -n "$i" 2>&1)" || { bash_n_exit_code="$?" ; true; };
if [ ! "$bash_n_exit_code" = "0" ]; then
output_cmd "ERROR: Invalid config file: $i
bash_n_exit_code: $bash_n_exit_code
bash_n_output:
$bash_n_output" >&2
exit 1
fi
source "$i"
done
}
variables_defaults() {
[ -n "$iptables_cmd" ] || iptables_cmd="iptables --wait"
[ -n "$ip6tables_cmd" ] || ip6tables_cmd="ip6tables --wait"
## Legacy.
if [ "$VPN_FIREWALL" = "1" ]; then
TUNNEL_FIREWALL_ENABLE="true"
fi
## Not in use/defined yet.
## INT_IF could be the internal network.
## EXT_IF could be an additional virtual network adapter,
## such as OnionCat or OpenVPN.
## External interface
[ -n "$EXT_IF" ] || EXT_IF="eth0"
## Internal interface
[ -n "$INT_IF" ] || INT_IF="eth1"
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
## Would fail if netvm is set to 'none',
## which is the case in Qubes R4 TemplateVMs.
[ -n "$GATEWAY_IP" ] || GATEWAY_IP="$(qubesdb-read /qubes-gateway 2>/dev/null)" || GATEWAY_IP="127.0.0.1"
else
[ -n "$GATEWAY_IP" ] || GATEWAY_IP="10.152.152.10"
fi
## Since hardcoded in anon-ws-disable-stacked-tor.
[ -n "$GATEWAY_IP_HARDCODED" ] || GATEWAY_IP_HARDCODED="10.152.152.10"
[ -n "$TUNNEL_USER" ] || TUNNEL_USER="$(id -u tunnel 2>/dev/null)" || true
[ -n "$NOTUNNEL_USER" ] || NOTUNNEL_USER="$(id -u notunnel 2>/dev/null)" || true
[ -n "$UPDATESPROXYCHECK_USER" ] || UPDATESPROXYCHECK_USER="$(id -u updatesproxycheck 2>/dev/null)" || true
[ -n "$SDWDATE_USER" ] || SDWDATE_USER="$(id -u sdwdate 2>/dev/null)" || true
[ -n "$WHONIXCHECK_USER" ] || WHONIXCHECK_USER="$(id -u whonixcheck 2>/dev/null)" || true
[ -n "$TUNNEL_FIREWALL_ALLOW_NOTUNNEL_USER" ] || TUNNEL_FIREWALL_ALLOW_NOTUNNEL_USER="true"
## Control Port Filter Proxy Port
[ -n "$CONTROL_PORT_FILTER_PROXY_PORT" ] || CONTROL_PORT_FILTER_PROXY_PORT="9051"
[ -n "$qubes_updates_proxy_port" ] || qubes_updates_proxy_port="8082"
## Socks Ports for per application circuits.
[ -n "$SOCKS_PORT_TOR_DEFAULT" ] || SOCKS_PORT_TOR_DEFAULT="9050"
[ -n "$SOCKS_PORT_TB" ] || SOCKS_PORT_TB="9100"
[ -n "$SOCKS_PORT_IRC" ] || SOCKS_PORT_IRC="9101"
[ -n "$SOCKS_PORT_TORBIRDY" ] || SOCKS_PORT_TORBIRDY="9102"
[ -n "$SOCKS_PORT_IM" ] || SOCKS_PORT_IM="9103"
[ -n "$SOCKS_PORT_APT_GET" ] || SOCKS_PORT_APT_GET="9104"
[ -n "$SOCKS_PORT_GPG" ] || SOCKS_PORT_GPG="9105"
[ -n "$SOCKS_PORT_SSH" ] || SOCKS_PORT_SSH="9106"
[ -n "$SOCKS_PORT_GIT" ] || SOCKS_PORT_GIT="9107"
[ -n "$SOCKS_PORT_SDWDATE" ] || SOCKS_PORT_SDWDATE="9108"
[ -n "$SOCKS_PORT_WGET" ] || SOCKS_PORT_WGET="9109"
[ -n "$SOCKS_PORT_WHONIXCHECK" ] || SOCKS_PORT_WHONIXCHECK="9110"
[ -n "$SOCKS_PORT_BITCOIN" ] || SOCKS_PORT_BITCOIN="9111"
[ -n "$SOCKS_PORT_PRIVOXY" ] || SOCKS_PORT_PRIVOXY="9112"
[ -n "$SOCKS_PORT_POLIPO" ] || SOCKS_PORT_POLIPO="9113"
[ -n "$SOCKS_PORT_WHONIX_NEWS" ] || SOCKS_PORT_WHONIX_NEWS="9114"
[ -n "$SOCKS_PORT_TBB_DOWNLOAD" ] || SOCKS_PORT_TBB_DOWNLOAD="9115"
[ -n "$SOCKS_PORT_TBB_GPG" ] || SOCKS_PORT_TBB_GPG="9116"
[ -n "$SOCKS_PORT_CURL" ] || SOCKS_PORT_CURL="9117"
[ -n "$SOCKS_PORT_RSS" ] || SOCKS_PORT_RSS="9118"
[ -n "$SOCKS_PORT_TORCHAT" ] || SOCKS_PORT_TORCHAT="9119"
[ -n "$SOCKS_PORT_MIXMASTERUPDATE" ] || SOCKS_PORT_MIXMASTERUPDATE="9120"
[ -n "$SOCKS_PORT_MIXMASTER" ] || SOCKS_PORT_MIXMASTER="9121"
[ -n "$SOCKS_PORT_KDE" ] || SOCKS_PORT_KDE="9122"
[ -n "$SOCKS_PORT_GNOME" ] || SOCKS_PORT_GNOME="9123"
[ -n "$SOCKS_PORT_APTITUDE" ] || SOCKS_PORT_APTITUDE="9124"
[ -n "$SOCKS_PORT_YUM" ] || SOCKS_PORT_YUM="9125"
[ -n "$SOCKS_PORT_TBB_DEFAULT" ] || SOCKS_PORT_TBB_DEFAULT="9150"
socks_ports_list="$(compgen -v | grep SOCKS\_PORT\_)"
[ -n "$VPN_INTERFACE" ] || VPN_INTERFACE="tun0"
## Destinations you do not routed through VPN.
if [ "$LOCAL_NET" = "" ]; then
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
LOCAL_NET="\
127.0.0.0-127.0.0.24 \
10.137.0.0-10.138.255.255 \
"
else
## 10.0.2.2/24: VirtualBox DHCP
LOCAL_NET="\
127.0.0.0-127.0.0.24 \
192.168.0.0-192.168.0.24 \
192.168.1.0-192.168.1.24 \
10.152.152.0-10.152.152.24 \
10.0.2.2-10.0.2.24 \
"
fi
fi
}
ipv4_defaults() {
## Set secure defaults.
$iptables_cmd -P INPUT DROP
## FORWARD rules does not actually do anything if forwarding is disabled. Better be safe just in case.
$iptables_cmd -P FORWARD DROP
## Will be lifted below.
$iptables_cmd -P OUTPUT DROP
}
ipv4_preparation() {
## Flush old rules.
$iptables_cmd -F
$iptables_cmd -X
$iptables_cmd -t nat -F
$iptables_cmd -t nat -X
$iptables_cmd -t mangle -F
$iptables_cmd -t mangle -X
}
ipv4_drop_invalid_incoming_packages() {
## DROP MARTIANS
## https://www.cyberciti.biz/faq/linux-log-suspicious-martian-packets-un-routable-source-addresses/
$iptables_cmd -A INPUT -i wlan6 -s 10.0.0.0/8 -j LOG --log-prefix "iptables_martian_DROP SPOOF A: "
$iptables_cmd -A INPUT -i wlan6 -s 172.16.0.0/12 -j LOG --log-prefix "iptables_martian_DROP SPOOF B: "
$iptables_cmd -A INPUT -i wlan6 -s 192.168.0.0/16 -j LOG --log-prefix "iptables_martian_DROP SPOOF C: "
$iptables_cmd -A INPUT -i wlan6 -s 224.0.0.0/4 -j LOG --log-prefix "iptables_martian_DROP MULTICAST D: "
$iptables_cmd -A INPUT -i wlan6 -s 240.0.0.0/5 -j LOG --log-prefix "iptables_martian_DROP SPOOF E: "
$iptables_cmd -A INPUT -i wlan6 -d 127.0.0.0/8 -j LOG --log-prefix "iptables_martian_DROP LOOPBACK: "
$iptables_cmd -A INPUT -i wlan6 -s 10.0.0.0/8 -j DROP
$iptables_cmd -A INPUT -i wlan6 -s 172.16.0.0/12 -j DROP
$iptables_cmd -A INPUT -i wlan6 -s 192.168.0.0/16 -j DROP
$iptables_cmd -A INPUT -i wlan6 -s 224.0.0.0/4 -j DROP
$iptables_cmd -A INPUT -i wlan6 -s 240.0.0.0/5 -j DROP
$iptables_cmd -A INPUT -i wlan6 -d 127.0.0.0/8 -j DROP
## DROP INVALID
$iptables_cmd -A INPUT -m conntrack --ctstate INVALID -j DROP
$iptables_cmd -A INPUT -m state --state INVALID -j DROP
## DROP INVALID SYN PACKETS
$iptables_cmd -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$iptables_cmd -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$iptables_cmd -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
$iptables_cmd -A INPUT -f -j DROP
## DROP INCOMING MALFORMED XMAS PACKETS
$iptables_cmd -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
## DROP INCOMING MALFORMED NULL PACKETS
$iptables_cmd -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
}
qubes() {
## Not yet required. Just so Whonix-Workstation firewall can be more similar
## to Whonix-Gateway firewall.
true
}
qubes_dns() {
local counter
counter=0
## Using '2>/dev/null' because 'qubesdb-read' DNS would fail in Qubes R4
## TemplateVMs, because these are non-networked by default.
if qubes_primary_dns="$(qubesdb-read /qubes-primary-dns 2>/dev/null)" ; then
$iptables_cmd -A OUTPUT -p udp --dport 53 --dst "$qubes_primary_dns" -j ACCEPT
counter=$(( counter + 1 ))
fi
if qubes_secondary_dns="$(qubesdb-read /qubes-secondary-dns 2>/dev/null)" ; then
$iptables_cmd -A OUTPUT -p udp --dport 53 --dst "$qubes_secondary_dns" -j ACCEPT
counter=$(( counter + 1 ))
fi
if [ "$counter" -ge "2" ]; then
output_cmd "OK: Qubes DNS firewall rules ok."
else
$iptables_cmd -A OUTPUT -p udp --dport 53 -j ACCEPT
fi
}
ipv4_input_rules() {
## Traffic on the loopback interface is accepted.
$iptables_cmd -A INPUT -i lo -j ACCEPT
## Established incoming connections are accepted.
$iptables_cmd -A INPUT -m state --state ESTABLISHED -j ACCEPT
## Allow all incoming connections on the virtual VPN network interface,
## when TUNNEL_FIREWALL_ENABLE mode is enabled.
## DISABLED BY DEFAULT.
if [ "$TUNNEL_FIREWALL_ENABLE" = "true" ]; then
$iptables_cmd -A INPUT -i "$VPN_INTERFACE" -j ACCEPT
fi
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
true "firewall_mode is $firewall_mode, therefore not opening EXTERNAL_OPEN_PORTS."
else
local local_port_to_open
for local_port_to_open in $EXTERNAL_OPEN_PORTS; do
$iptables_cmd -A INPUT -p tcp --dport "$local_port_to_open" -j ACCEPT
done
local local_udp_port_to_open
for local_udp_port_to_open in $EXTERNAL_UDP_OPEN_PORTS; do
$iptables_cmd -A INPUT -p udp --dport "$local_udp_port_to_open" -j ACCEPT
done
if [ "$EXTERNAL_OPEN_ALL" = "true" ]; then
$iptables_cmd -A INPUT -j ACCEPT
fi
fi
}
ipv4_input_defaults() {
## Log.
#$iptables_cmd -A INPUT -j LOG --log-prefix "Whonix blocked input4: "
## Required for Control Port Filter Proxy Connection.
## https://phabricator.whonix.org/T112
$iptables_cmd -A INPUT -p tcp -j REJECT --reject-with tcp-reset
## Reject anything not explicitly allowed above.
$iptables_cmd -A INPUT -j REJECT --reject-with icmp-port-unreachable
}
ipv4_forward() {
## Log.
#$iptables_cmd -A FORWARD -j LOG --log-prefix "Whonix blocked forward4: "
$iptables_cmd -A FORWARD -j DROP
}
ipv4_reject_invalid_outgoing_packages() {
## Drop invalid outgoing packages,
## unless NO_REJECT_INVALID_OUTGOING_PACKAGES is set to 1.
if [ ! "$NO_REJECT_INVALID_OUTGOING_PACKAGES" = "1" ]; then
## https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html
$iptables_cmd -A OUTPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
$iptables_cmd -A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
#$iptables_cmd -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j REJECT --reject-with icmp-admin-prohibited
#$iptables_cmd -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j REJECT --reject-with icmp-admin-prohibited
## DROP INVALID SYN PACKETS
$iptables_cmd -A OUTPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j REJECT --reject-with icmp-admin-prohibited
$iptables_cmd -A OUTPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT --reject-with icmp-admin-prohibited
$iptables_cmd -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-admin-prohibited
## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
$iptables_cmd -A OUTPUT -f -j REJECT --reject-with icmp-admin-prohibited
## DROP INCOMING MALFORMED XMAS PACKETS
$iptables_cmd -A OUTPUT -p tcp --tcp-flags ALL ALL -j REJECT --reject-with icmp-admin-prohibited
## DROP INCOMING MALFORMED NULL PACKETS
$iptables_cmd -A OUTPUT -p tcp --tcp-flags ALL NONE -j REJECT --reject-with icmp-admin-prohibited
fi
}
qubes_updates_proxy() {
## Detect Qubes.
if ! command -v "qubesdb-read" >/dev/null 2>&1 ; then
return 0
fi
## Detect being run inside TemplateVM.
if [ ! -f "/run/qubes/this-is-templatevm" ]; then
return 0
fi
## Detect if torified Qubes updates proxy was detected.
if test -f "/run/qubes-service/whonix-secure-proxy" ; then
output_cmd "OK: Torified Qubes Updates Proxy check ok. Full access to Qubes Updates Proxy."
return 0
fi
output_cmd "OK: Torified Qubes Updates Proxy check not done yet. Limiting access to Qubes Updates Proxy to user 'updatesproxycheck'."
$iptables_cmd -A OUTPUT -m owner --uid-owner "$UPDATESPROXYCHECK_USER" -m iprange --dst-range "127.0.0.1" -p tcp --dport "$qubes_updates_proxy_port" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$UPDATESPROXYCHECK_USER" -m iprange --dst-range "10.137.255.254" -p tcp --dport "$qubes_updates_proxy_port" -j ACCEPT
$iptables_cmd -A OUTPUT -m iprange --dst-range "127.0.0.1" -p tcp --dport "$qubes_updates_proxy_port" -j REJECT --reject-with icmp-admin-prohibited
$iptables_cmd -A OUTPUT -m iprange --dst-range "10.137.255.254" -p tcp --dport "$qubes_updates_proxy_port" -j REJECT --reject-with icmp-admin-prohibited
}
ipv4_output() {
## Prevent connections to Tor SocksPorts.
## https://phabricator.whonix.org/T533#11025
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
local socks_port_item
for socks_port_item in $socks_ports_list; do
true "$socks_port_item: ${!socks_port_item}"
if [ "$SOCKS_PORT_SDWDATE" = "${!socks_port_item}" ]; then
continue
fi
$iptables_cmd -A OUTPUT -p tcp --dport "${!socks_port_item}" --dst "127.0.0.1" -j REJECT
done
fi
qubes_updates_proxy
## Access to localhost is required even in timesync-fail-closed mode,
## otherwise breaks applications such as konsole and kwrite.
$iptables_cmd -A OUTPUT -o lo -j ACCEPT
## Allow outgoing traffic on VPN interface,
## if TUNNEL_FIREWALL_ENABLE mode is enabled.
## DISABLED BY DEFAULT.
if [ "$TUNNEL_FIREWALL_ENABLE" = "true" ]; then
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
true "firewall_mode is $firewall_mode, therefore prohibiting user $TUNNEL_USER traffic."
else
true "firewall_mode is $firewall_mode, therefore allowing user $TUNNEL_USER traffic."
## Connections to VPN servers are allowed,
$iptables_cmd -A OUTPUT -o "$VPN_INTERFACE" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$TUNNEL_USER" -j ACCEPT
fi
if [ "$TUNNEL_FIREWALL_ALLOW_SDWDATE_USER" = "true" ]; then
$iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "$GATEWAY_IP" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "$GATEWAY_IP_HARDCODED" -j ACCEPT
fi
if [ "$TUNNEL_FIREWALL_ALLOW_NOTUNNEL_USER" = "true" ]; then
$iptables_cmd -A OUTPUT -m owner --uid-owner "$NOTUNNEL_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$NOTUNNEL_USER" -m iprange --dst-range "$GATEWAY_IP" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$NOTUNNEL_USER" -m iprange --dst-range "$GATEWAY_IP_HARDCODED" -j ACCEPT
fi
## Accept outgoing connections to local network.
if [ "$TUNNEL_FIREWALL_ALLOW_LOCAL_NET" = "true" ]; then
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
true
else
local local_net_item
for local_net_item in $LOCAL_NET; do
$iptables_cmd -A OUTPUT -m iprange --dst-range "$local_net_item" -j ACCEPT
done
fi
fi
if [ "$TUNNEL_FIREWALL_ALLOW_CONTROL_PORT_FILTER_PROXY" = "true" ]; then
$iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "127.0.0.1" -j ACCEPT
$iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "$GATEWAY_IP" -j ACCEPT
$iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "$GATEWAY_IP_HARDCODED" -j ACCEPT
fi
if [ "$TUNNEL_FIREWALL_ALLOW_TB_UPDATER" = "true" ]; then
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
true
else
local socks_port_tbb
for socks_port_tbb in $SOCKS_PORT_TBB_DOWNLOAD $SOCKS_PORT_TBB_GPG ; do
$iptables_cmd -A OUTPUT -p tcp --dport "$socks_port_tbb" --dst "$GATEWAY_IP" -j ACCEPT
$iptables_cmd -A OUTPUT -p tcp --dport "$socks_port_tbb" --dst "$GATEWAY_IP_HARDCODED" -j ACCEPT
done
fi
fi
if [ "$TUNNEL_FIREWALL_ALLOW_WHONIXCHECK" = "true" ]; then
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
true
else
$iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "$GATEWAY_IP" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "$GATEWAY_IP_HARDCODED" -j ACCEPT
fi
fi
else
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
true "firewall_mode is $firewall_mode, therefore prohibiting DNS traffic."
else
true "firewall_mode is $firewall_mode, therefore allowing DNS traffic."
## Allow Whonix-Workstation to query Whonix-Gateway for DNS.
$iptables_cmd -A OUTPUT -p udp --dport 53 --dst "$GATEWAY_IP" -j ACCEPT
$iptables_cmd -A OUTPUT -p udp --dport 53 --dst "$GATEWAY_IP_HARDCODED" -j ACCEPT
if command -v "qubesdb-read" >/dev/null 2>&1 ; then
qubes_dns
fi
fi
## Not sure about the next one. UDP is not supported by Tor, why not
## block any outgoing UDP. Might have unwanted side effects when tunneling
## UDP over Tor.
## https://www.whonix.org/wiki/Tunnel_UDP_over_Tor
##
## All other non-TCP protocol traffic gets rejected.
## iptables knows 7 different protocols and all.
## (tcp, udp, udplite, icmp, esp, ah, sctp or all)
##
## (1) ping torproject.org
## 4 packets transmitted, 0 received, 100% packet loss, time 3000ms
##
## (2) ping torproject.org
## From 10.152.152.11 icmp_seq=1 Destination Port Unreachable
## 0 packets transmitted, 0 received, +100 errors
##
## The next rule ensures, that only tcp can leave and achieves the desired result from (2).
$iptables_cmd -A OUTPUT ! -p tcp -j REJECT --reject-with icmp-port-unreachable
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
true "firewall_mode is $firewall_mode, therefore prohibiting all outgoing traffic."
## Allow sdwdate talking to localhost and Tor in Whonix firewall timesync-fail-closed mode.
## Otherwise in Whonix firewall full mode this rule is redundant.
$iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "$GATEWAY_IP" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "$GATEWAY_IP_HARDCODED" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "$GATEWAY_IP" -j ACCEPT
$iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "$GATEWAY_IP_HARDCODED" -j ACCEPT
$iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "127.0.0.1" -j ACCEPT
$iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "$GATEWAY_IP" -j ACCEPT
$iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "$GATEWAY_IP_HARDCODED" -j ACCEPT
else
true "firewall_mode is $firewall_mode, therefore allowing all outgoing traffic."
## Allow full outgoing connection but no incoming stuff.
$iptables_cmd -A OUTPUT -j ACCEPT
fi
## Log.
#$iptables_cmd -A OUTPUT -j LOG --log-prefix "Whonix blocked output4: "
## Reject all other outgoing traffic.
$iptables_cmd -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
fi
}
ipv6() {
## Policy DROP for all traffic as fallback.
$ip6tables_cmd -P INPUT DROP
$ip6tables_cmd -P OUTPUT DROP
$ip6tables_cmd -P FORWARD DROP
## Flush old rules.
$ip6tables_cmd -F
$ip6tables_cmd -X
$ip6tables_cmd -t mangle -F
$ip6tables_cmd -t mangle -X
## Allow unlimited access on loopback.
$ip6tables_cmd -A INPUT -i lo -j ACCEPT
$ip6tables_cmd -A OUTPUT -o lo -j ACCEPT
## Log.
#$ip6tables_cmd -A INPUT -j LOG --log-prefix "Whonix blocked input6: "
#$ip6tables_cmd -A OUTPUT -j LOG --log-prefix "Whonix blocked output6: "
#$ip6tables_cmd -A FORWARD -j LOG --log-prefix "Whonix blocked forward6: "
## Drop/reject all other traffic.
$ip6tables_cmd -A INPUT -j DROP
## --reject-with icmp-admin-prohibited not supported by ip6tables
$ip6tables_cmd -A OUTPUT -j REJECT --reject-with icmp6-port-unreachable
## --reject-with icmp-admin-prohibited not supported by ip6tables
$ip6tables_cmd -A FORWARD -j DROP
}
status_files() {
mkdir --parents /run/whonix_firewall
if [ -e /run/whonix_firewall/first_run_current_boot.status ]; then
touch /run/whonix_firewall/consecutive_run.status
return 0
fi
touch /run/whonix_firewall/first_run_current_boot.status
}
date_cmd(){
date -u +"%Y-%m-%d %T"
}
output_cmd() {
echo "$(date_cmd) - $0 - $@"
}
firewall_mode_detection() {
if [ ! "$firewall_mode" = "" ]; then
output_cmd "OK: Skipping firewall mode detection since already set to '$firewall_mode'."
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
output_cmd "OK: (Only local Tor control port connections and torified sdwdate allowed.)"
return 0
elif [ "$firewall_mode" = "full" ]; then
output_cmd "OK: (Full torified network access allowed.)"
return 0
else
output_cmd "ERROR: firewall_mode must be set to either 'full' or 'timesync-fail-closed'."
error_handler
fi
fi
## Run Whonix firewall in full mode if sdwdate already succeeded.
if [ -e /run/sdwdate/first_success ]; then
firewall_mode=full
output_cmd "OK: (/run/sdwdate/first_success exists.)"
elif [ -e /run/sdwdate/success ]; then
firewall_mode=full
output_cmd "OK: (/run/sdwdate/success exists.)"
## /run/whonix_firewall/first_run_current_boot.status already exists,
## therefore have Whonix firewall run in full mode.
elif [ -e /run/whonix_firewall/first_run_current_boot.status ]; then
firewall_mode=full
output_cmd "OK: (/run/whonix_firewall/first_run_current_boot.status exists.)"
else
## /run/whonix_firewall/first_run_current_boot.status does not yet exist,
## therefore return 'yes, timesync-fail-closed'.
firewall_mode=timesync-fail-closed
fi
if [ "$firewall_mode" = "timesync-fail-closed" ]; then
output_cmd "OK: First run during current boot, therefore running in timesync-fail-closed mode."
output_cmd "OK: (Only local Tor control port connections and torified sdwdate allowed.)"
else
output_cmd "OK: Consecutive run during current boot, therefore running in full mode."
output_cmd "OK: (Full torified network access allowed.)"
fi
}
end() {
output_cmd "OK: Whonix firewall loaded."
exit 0
}
main() {
init
firewall_mode_detection
variables_defaults
ipv4_defaults
ipv4_preparation
ipv4_drop_invalid_incoming_packages
qubes
ipv4_input_rules
ipv4_input_defaults
ipv4_forward
ipv4_reject_invalid_outgoing_packages
ipv4_output
if [ -d /proc/sys/net/ipv6/ ]; then
ipv6
fi
status_files
end
}
if [ -x /usr/bin/basename ] && [ $( basename -- $0 ) = 'proxy_whonix_guest_workstation-firewall.bash' ] ; then
source_config_folder
iptables_cmd="echo iptables"
ip6tables_cmd="echo # ip6tables"
main
fi

195
overlay/Linux/usr/local/sbin/proxy_whonix_guest_workstation.bash Executable file
View file

@ -0,0 +1,195 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
ROLE=proxy
[ -n "$prog" ] || prog= # no qa
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash
USAGE="[config|start|stop|status|restart|test]"
SHARED_MNTS="o"
[ "$#" -eq 0 ] && set -- install
## proxy_workstation_fix_getty_timeout
proxy_workstation_fix_getty_timeout () {
# fix_getty_timeout - wheres inittab
grep -l '^Exec.*agetty -o' /lib/systemd/system/*service | while read file ; do
[ -f $file.dst ] && continue
cp -p $file $file.dst
sed -e 's/agetty -o/agetty -t 120 -o/' -i $file
done
return 0
}
## proxy_workstation__shutup_verbosity
proxy_workstation_shutup_verbosity () {
for file in /etc/issue* /etc/issue.d/* ; do
[ -f $file ] || continue
[ -s $file ] && cp /dev/null $file
done
return 0
}
## proxy_workstation_install_fstab
proxy_workstation_install_fstab () {
# /etc/fstab
options=noauto,rw,trans=virtio,version=9p2000.L,cache=none
for elt in $SHARED_MNTS ; do
[ -d /mnt/$elt ] || mkdir /mnt/$elt
grep -q /mnt/$elt /etc/fstab && continue
echo "$elt /mnt/$elt 9p $options 0 0" \
>> /etc/fstab
done
# root
return 0
}
## proxy_workstation_install_gagent
proxy_workstation_install_gagent () {
[ -d /etc/apt ] && proxy_workstation_install_gagent_debian || return 1$?
[ -d /etc/gentoo ] && proxy_workstation_install_gagent_gentoo || return 2$?
return 0
}
## proxy_workstation_install_gagent
proxy_workstation_install_gagent_gentoo () {
[ -x /usr/bin/qemu-ga -a -x /etc/init.d/qemu-guest-agent ] || \
emerge -vb app-emulation/qemu-guest-agent || return 1$?
return 0
}
## proxy_workstation_install_gagent
proxy_workstation_install_gagent_debian () {
[ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] || {
echo ERROR: /dev/virtio-ports/org.qemu.guest_agent.0 not found
ERROR "check the host xml for <target type='virtio' name='org.qemu.guest_agent.0'/>"
ERROR "or blame Pottyring's systemd"
}
[ -x /usr/sbin/qemu-ga ] && return 0
# /mnt/shared/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb
if [ -f /var/cache/apt/archives/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb ] ; then
dpkg -i /var/cache/apt/archives/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb
fi
# start guest-service - its failing on the device prerequisite
systemctl is-enabled qemu-guest-agent || systemctl enable --now qemu-guest-agent
false && \
[ -f /lib/systemd/system/qemu-guest-agent.service ] && \
[ ! -h /etc/systemd/system/multi-user.target/qemu-guest-agent.service ] && \
ln -s /lib/systemd/system/qemu-guest-agent.service \
/etc/systemd/system/multi-user.target.wants
return 0
}
## proxy_workstation_test
proxy_workstation_test () {
service qemu-guest-agent status >/dev/null || return 1$?
proxy_whonix_test ws || return 2$?
return 0
}
## proxy_workstation_config
proxy_workstation_config () {
proxy_whonix_guest_config || return 1$?
proxy_guest_firewall_config || return 2$?
proxy_ws_whonix_config ws || return 3$?
variables_defaults
[ -n "$GATEWAY_IP_HARDCODED" ] || GATEWAY_IP_HARDCODED="10.152.152.10"
## Control Port Filter Proxy Port
[ -n "$CONTROL_PORT_FILTER_PROXY_PORT" ] || CONTROL_PORT_FILTER_PROXY_PORT="9051"
[ -n "$SOCKS_PORT_TOR_DEFAULT" ] || SOCKS_PORT_TOR_DEFAULT="9050"
## Socks Ports for per application circuits.
[ -n "$SOCKS_PORT_TB" ] || SOCKS_PORT_TB="9100"
[ -n "$SOCKS_PORT_IRC" ] || SOCKS_PORT_IRC="9101"
[ -n "$SOCKS_PORT_TORBIRDY" ] || SOCKS_PORT_TORBIRDY="9102"
[ -n "$SOCKS_PORT_IM" ] || SOCKS_PORT_IM="9103"
[ -n "$SOCKS_PORT_APT_GET" ] || SOCKS_PORT_APT_GET="9104"
[ -n "$SOCKS_PORT_GPG" ] || SOCKS_PORT_GPG="9105"
[ -n "$SOCKS_PORT_SSH" ] || SOCKS_PORT_SSH="9106"
[ -n "$SOCKS_PORT_GIT" ] || SOCKS_PORT_GIT="9107"
[ -n "$SOCKS_PORT_SDWDATE" ] || SOCKS_PORT_SDWDATE="9108"
[ -n "$SOCKS_PORT_WGET" ] || SOCKS_PORT_WGET="9109"
[ -n "$SOCKS_PORT_WHONIXCHECK" ] || SOCKS_PORT_WHONIXCHECK="9110"
[ -n "$SOCKS_PORT_BITCOIN" ] || SOCKS_PORT_BITCOIN="9111"
[ -n "$SOCKS_PORT_PRIVOXY" ] || SOCKS_PORT_PRIVOXY="9112"
[ -n "$SOCKS_PORT_POLIPO" ] || SOCKS_PORT_POLIPO="9113"
[ -n "$SOCKS_PORT_WHONIX_NEWS" ] || SOCKS_PORT_WHONIX_NEWS="9114"
[ -n "$SOCKS_PORT_TBB_DOWNLOAD" ] || SOCKS_PORT_TBB_DOWNLOAD="9115"
[ -n "$SOCKS_PORT_TBB_GPG" ] || SOCKS_PORT_TBB_GPG="9116"
[ -n "$SOCKS_PORT_CURL" ] || SOCKS_PORT_CURL="9117"
[ -n "$SOCKS_PORT_RSS" ] || SOCKS_PORT_RSS="9118"
[ -n "$SOCKS_PORT_TORCHAT" ] || SOCKS_PORT_TORCHAT="9119"
[ -n "$SOCKS_PORT_MIXMASTERUPDATE" ] || SOCKS_PORT_MIXMASTERUPDATE="9120"
[ -n "$SOCKS_PORT_MIXMASTER" ] || SOCKS_PORT_MIXMASTER="9121"
[ -n "$SOCKS_PORT_KDE" ] || SOCKS_PORT_KDE="9122"
[ -n "$SOCKS_PORT_GNOME" ] || SOCKS_PORT_GNOME="9123"
[ -n "$SOCKS_PORT_APTITUDE" ] || SOCKS_PORT_APTITUDE="9124"
[ -n "$SOCKS_PORT_YUM" ] || SOCKS_PORT_YUM="9125"
[ -n "$SOCKS_PORT_TBB_DEFAULT" ] || SOCKS_PORT_TBB_DEFAULT="9150"
return 0
}
## proxy_workstation_start_bg
proxy_workstation_start_bg () { proxy_workstation_start $* ; }
## proxy_workstation_start
proxy_workstation_start () {
local dire=ws
proxy_workstation_config || return 1$?
proxy_whonix_guest_start
proxy_whonix_polipo_start $dire || \
{ ret=$? ;echo ERROR: $prog polipo not started ret=$ret; return 4$ret ; }
return 0
}
## proxy_workstation_stop
proxy_workstation_stop () {
service qemu-guest-agent status >/dev/null \
&& service qemu-guest-agent stop || return 2$?
return 0
}
## proxy_workstation_install
proxy_workstation_install () {
proxy_workstation_install_gagent
proxy_workstation_fix_getty_timeout
proxy_workstation_shutup_verbosity
proxy_workstation_install_fstab
return 0
}
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $USAGE
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
echo USAGE: $prog $USAGE or:
grep '^## ' $0 | sed -e 's/^## //'
elif [ "$1" = config -o "$1" = install ] ; then
proxy_workstation_install || return 3$?
elif [ "$1" = verify -o "$1" = test ] ; then
proxy_workstation_test || return 4$?
elif [ "$1" = start_bg -o "$1" = start -o "$1" = stop ] ; then
proxy_workstation_$1 || return 5$?
else
eval "$@"
exit $?
fi

769
overlay/Linux/usr/local/sbin/proxy_whonix_host-firewall.bash Executable file
View file

@ -0,0 +1,769 @@
#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
prog=$( basename $0 .bash )
PREFIX=/usr/local
ROLE=proxy
. /usr/local/bin/usr_local_base.bash || exit 2
VER=10
set -o pipefail || { ERROR use bash ; exit 1 ; } #! illegal option
. /usr/local/bin/proxy_ping_lib.bash || exit 2
# unlike the original script, this just generates the rules
# and writes the to an output file
OUT=/tmp/I4$$.iptables
cp /dev/null $OUT4
ip4_tables () {
# now unused
echo "$@" >> $OUT4
return 0
}
ip6_tables () {
[ -d /proc/sys/net/ipv6/ ] || return 0
echo "$@" >> $OUT6
return 0
}
. /usr/local/bin/proxy_ping_lib.bash || exit 2
# sysctl net.ipv4.conf.all.accept_redirects != 1 in /etc/sysctl.d/70_testforge_harden_lynis.conf
[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
# || { echo >&2 ERROR: $prog "$PREFIX/etc/testforge/testforge.bash" ; exit 3 ; }
if [ "$#" -eq 1 -a "$1" = test ] ; then
bash /usr/local/bin/proxy_ping_test.bash 2>&1| grep ' 0% packet loss' \
|| { echo ERROR: ping ; exit 4 ; }
exit 0
fi
#set -- -x
# leave empty for debugging
[ "$DEBUG" = "1" ] && HUSH="" || HUSH="#D#"
WHONIX_HOST=1
# leave it in anyway
LOCAL_TOR=1
if [ -f /etc/firewall.conf.block ] ; then
BLOCK_IPS=`cat /etc/firewall.conf.block`
else
BLOCK_IPS="37.191.192.147 51.79.22.22"
fi
NOW=$( date +%c )
PROXY_WLAN=$( proxy_get_if )
[ $? -eq 0 ] || { echo ERROR: " error getting device $?" ; exit 2 ; }
[ -n "$PROXY_WLAN" ] || { echo ERROR: " error getting device $PROXY_WLAN" ; exit 3 ; }
## External interface
[ -n "$WLAN_IF" ] || WLAN_IF="$PROXY_WLAN"
[ -n "$IP" ] && WLAN_NET=$( echo $IP|sed -e 's/\.[1-9][0-9]*$/.0/' )/24
[ -n "$PROXY_WLAN_GW" ] && PROXY_WLAN_GW=$( echo $IP|sed -e 's/\.[1-9][0-9]*$/.1/' )
[ -z "$PRIV_NTP_OWNER" ] && PRIV_NTP_OWNER=ntp
PRIV_NTP_GID=$( grep ^$PRIV_NTP_OWNER /etc/passwd|cut -d: -f 4 )
[ -z "$PRIV_TOR_OWNER" ] && PRIV_TOR_OWNER=tor
PRIV_TOR_GID=$( grep ^$PRIV_TOR_OWNER /etc/passwd|cut -d: -f 4 )
[ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
PRIV_BIN_GID=$( grep ^$PRIV_BIN_OWNER /etc/passwd|cut -d: -f 4 )
[ $LOCAL_TOR -ne 0 ] && CLEARNET_GIDS="$PRIV_BIN_GID $PRIV_TOR_GID" || CLEARNET_GIDS="$PRIV_BIN_GID"
[ -z "$PRIV_TOR_SOCKSPORT" ] && PRIV_TOR_SOCKSPORT=9050
[ -z "$PRIV_TOR_CONTROLPORT" ] && PRIV_TOR_CONTROLPORT=9051
[ -z "$PRIV_TOR_DNSSPORT" ] && PRIV_TOR_DNSSPORT=9053
[ -z "$PRIV_POLIPO_PROXYPORT" ] && PRIV_POLIPO_PROXYPORT=3128
[ -z "$PRIV_TOR_PROXYPORT" ] && PRIV_TOR_PROXYPORT=9128
[ -z "$PRIV_NAT_TRANSPORT" ] && PRIV_NAT_TRANSPORT="9040"
PRIV_NAT_TRANSHOST="$PROXY_WLAN"
SSH_SERVICE=22
BOOTPC_SERVICE=68
BOOTPS_SERVICE=67
[ -z "$PRIV_SERVICE_NTPPORT" ] && PRIV_SERVICE_NTPPORT=123
NETBIOSNS_SERVICE=137
NETBIOSDG_SERVICE=138
NETBIOSSS_SERVICE=139
WLAN_ALLOW_SERVICES="$PRIV_SERVICE_NTPPORT $BOOTPC_SERVICE $BOOTPS_SERVICE"
WLAN_DROP_SERVICES="$NETBIOSNS_SERVICE $NETBIOSDG_SERVICE $NETBIOSSS_SERVICE"
NAT_SERVICES_TO_LO_TCP=""
EXT_ALLOW_SERVICES_IN_TCP="$SSH_SERVICE $PRIV_TOR_PROXYPORT $PRIV_TOR_SOCKSPORT 7001"
EXT_ALLOW_SERVICES_IN_UDP="$PRIV_TOR_DNSSPORT"
# $PRIV_NAT_TRANSPORT
EXT_ALLOW_SERVICES_OUT_TCP="$SSH_SERVICE $PRIV_TOR_PROXYPORT $PRIV_TOR_SOCKSPORT 7001"
EXT_ALLOW_SERVICES_OUT_UDP="$PRIV_TOR_DNSSPORT"
EXT_VNET=virbr1
PRIV_WHONIX_EXTERNAL_NET="10.0.2.0/24"
# 10.152.152.10 gateway
# 10.152.152.11 work
# 10.16.238.0.0
INT_VNET=virbr2
# gateway is 10.152.152.10
PRIV_WHONIX_INTERNAL_NET=10.152.152.0/24
PRIVATE_NET="" # 192.168.1.0/24
## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
## unless VPN_FIREWALL mode is enabled. Enabled By DEFAULT.
VPN_FIREWALL="0"
LIBVIRT_FW=1 # 0 or 1 or 2
# I think this is still needed - dnsmasq is on 127:
LOCALHOST_DNS=1
HOST_ALLOW_INCOMING_ICMP=1
HOST_ALLOW_OUTGOING_ICMP=1
## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
## unless VPN_FIREWALL mode is enabled. Enabled By DEFAULT.
VPN_FIREWALL="0"
LIBVIRT_FW=1 # 0 or 1 or 2
#override
HOST_nat_TRANS="";PRIV_NAT_TRANSPORT="";PRIV_NAT_TRANSHOST=""
INFO "Loading Whonix firewall for $PROXY_WLAN IP=$IP LIBVIRT_FW=$LIBVIRT_FW"
if ifconfig -a | grep -q $EXT_VNET && proxy_virsh list | grep Whonix-Gateway ; then
# on the host - does this work?
ifconfig -a | grep -q inet # || ifconfig $EXT_VNET 10.0.2.2 up
HOST_WHONIX_GATE=1
fi
if ifconfig -a | grep -q $INT_VNET && proxy_virsh list | grep Whonix-Workstation ; then
# on the host
ifconfig -a | grep -q inet #? || ifconfig $INT_VNET 10.152.152.10 up
HOST_WHONIX_WORK=1
fi
HOST_WHONIX_GATE=1
HOST_WHONIX_WORK=1
## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
###########################
## debugging
###########################
#set -x
###########################
## error_handler
###########################
error_handler() {
echo "##################################################"
echo "Whonix firewall script failed!" see $OUT4
echo "##################################################"
exit 1
}
#? trap "error_handler" ERR
###########################
## source config folder
###########################
shopt -s nullglob || exit 1
for i in /etc/whonix_firewall.d/*.conf /usr/local/etc/whonix_firewall.d/*.conf; do
bash_n_exit_code="0"
bash_n_output="$(bash -n "$i" 2>&1)" || { bash_n_exit_code="$?" ; true; };
if [ ! "$bash_n_exit_code" = "0" ]; then
ERROR "Invalid config file: $i
bash_n_exit_code: $bash_n_exit_code
bash_n_output:
$bash_n_output" >&2
exit 1
fi
source "$i"
done
###########################
## comments
###########################
## --reject-with
## http://ubuntuforums.org/showthread.php?p=12011099
## Set to icmp-admin-prohibited because icmp-port-unreachable caused
## confusion. icmp-port-unreachable looks like a bug while
## icmp-admin-prohibited hopefully makes clear it is by design.
###########################
## /usr/bin/whonix_firewall
###########################
###########################
## interfaces
###########################
INFO "Loading Whonix firewall for $WLAN_IF"
###########################
DBUG NON_TOR_GATEWAY
###########################
#me these defaults should be in the .conf files
## Destinations you do not routed through VPN, only for Whonix-Gateway.
## 10.0.2.2/24: VirtualBox DHCP
[ -n "$NON_TOR_GATEWAY" ] || NON_TOR_GATEWAY="$PRIVATE_NET $WLAN_NET $PRIV_WHONIX_INTERNAL_NET $PRIV_WHONIX_EXTERNAL_NET"
################
## VPN related #
################
## Space separated list of VPN servers,
## which Whonix-Gateway is allowed to connect to.
[ -n "$VPN_SERVERS" ] || VPN_SERVERS="198.252.153.26"
VPN_SERVERS=
[ -n "$VPN_INTERFACE" ] || VPN_INTERFACE="tun0"
VPN_INTERFACE=
## Destinations you do not routed through VPN, only for Whonix-Gateway.
## $PRIV_WHONIX_EXTERNAL_NET: VirtualBox DHCP
[ -n "$LOCAL_NET" ] || LOCAL_NET="$PRIVATE_NET $WLAN_NET $PRIV_WHONIX_INTERNAL_NET $PRIV_WHONIX_EXTERNAL_NET"
###########################
DBUG IPv4 DEFAULTS
###########################
lsmod | grep -q iptable_filter || modprobe iptable_filter
###########################
DBUG IPv4 PREPARATIONS
###########################
# FixMe: nf or xt?
lsmod | grep -q nf_nat || modprobe nf_nat
lsmod | grep -q iptable_filter || modprobe iptable_filter
lsmod | grep -q iptable_mangle || modprobe iptable_mangle
## Flush old rules. We now let the caller do that when it uses the rules
# mangle comes before filter, before nat
# iptables -t mangle -F
# iptables -t mangle -X
# iptables -t filter -F
# iptables -t filter -X
# iptables -t nat -F
# iptables -t nat -X
DBUG MANGLE COMES BEFORE FILTER
cat >> $OUT4 << EOF
# -*-mode: conf[Space]; tab-width: 8; coding: utf-8-unix -*-
# firewall.bash.libvirt.$VER
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
EOF
[ $LIBVIRT_FW -ge 1 ] && \
cat >> $OUT4 << EOF
:LIBVIRT_PRT - [0:0]
${HUSH}-A INPUT -j LOG --log-prefix "iptables_mangle_END-i: " --log-uid
EOF
cat >> $OUT4 << EOF
COMMIT
EOF
cat >> $OUT4 << EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
EOF
cat >> $OUT4 << EOF
:LIBVIRT_PRT - [0:0]
EOF
# iptables: No chain/target/match by that name.
false && \
[ $LOCALHOST_DNS -gt 0 ] && \
cat >> $OUT4 << EOF
# was ! -o lo
# let resolve.conf redirect to lo - this rule cannot be removed
#-A OUTPUT -o $WLAN_IF -p tcp --dport $PRIV_SERVICE_DNSPORT -j DNAT --to-destination 127.0.0.1:$PRIV_SERVICE_DNSPORT
#-A OUTPUT -o $WLAN_IF -p udp --dport $PRIV_SERVICE_DNSPORT -j DNAT --to-destination 127.0.0.1:$PRIV_SERVICE_DNSPORT
EOF
#?
for elt in $NAT_SERVICES_TO_LO_TCP ; do
cat >> $OUT4 << EOF
-A OUTPUT ! -o lo -p tcp --dport $PRIV_SERVICE_DNSPORT -j DNAT --to-destination 127.0.0.1:$elt
EOF
done
if [ $LOCAL_TOR -ne 0 -a "$PRIV_NAT_TRANSPORT" != "" -a "$PRIV_NAT_TRANSHOST" != "" -a "$PRIV_NAT_VIRTUAL_NET" != "" ] ; then
NO=""
else
NO="#"
fi
cat >> $OUT4 << EOF
# .onion mapped addresses redirection to Tor.
${NO}-A OUTPUT -d $PRIV_NAT_VIRTUAL_NET -p tcp -j DNAT --to-destination ${PRIV_NAT_TRANSHOST}:$PRIV_NAT_TRANSPORT
EOF
if [ -n "$HOST_nat_TRANS" -a "$PRIV_NAT_TRANSPORT" != "" -a "$PRIV_NAT_TRANSHOST" != "" ] ; then
cat >> $OUT4 << EOF
# nat REDIRECT ALL REMAINING TCP TRAFFIC TO TOR.
# was ! -o lo
-A OUTPUT -o $WLAN_IF -j LOG --log-uid --log-prefix "iptables_nat_TRANS: "
-A OUTPUT -o $WLAN_IF -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DNAT --to-destination ${PRIV_NAT_TRANSHOST}:$PRIV_NAT_TRANSPORT
EOF
fi
cat >> $OUT4 << EOF
## Log.
${HUSH}-A INPUT -j LOG --log-prefix "iptables_nat_END-i: " --log-uid
EOF
lsmod | grep -q nft_masq || modprobe nft_masq
#4 lsmod | grep -q xt_MASQUERADE|| modprobe xt_MASQUERADE
[ $LIBVIRT_FW -ge 1 ] && \
cat >> $OUT4 << EOF
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s $PRIV_WHONIX_EXTERNAL_NET -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s $PRIV_WHONIX_EXTERNAL_NET -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s $PRIV_WHONIX_EXTERNAL_NET ! -d $PRIV_WHONIX_EXTERNAL_NET -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s $PRIV_WHONIX_EXTERNAL_NET ! -d $PRIV_WHONIX_EXTERNAL_NET -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s $PRIV_WHONIX_EXTERNAL_NET ! -d $PRIV_WHONIX_EXTERNAL_NET -j MASQUERADE
EOF
cat >> $OUT4 << EOF
COMMIT
EOF
lsmod | grep -q nf_conntrack || modprobe nf_conntrack
lsmod | grep -q xt_state || modprobe xt_state
cat >> $OUT4 << EOF
# SET SECURE DEFAULTS FOR INPUT FILTER
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
EOF
[ $LIBVIRT_FW -ge 1 ] && \
cat >> $OUT4 << EOF
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
${HUSH}-A INPUT -j LOG --log-prefix "iptables_filter_BEGIN-i: firewall.bash.libvirt.$VER" --log-uid
# blocks wlan
EOF
for elt in $BLOCK_IPS ; do
cat >> $OUT4 << EOF
-A INPUT -s $elt -p tcp -j DROP
EOF
done
DBUG IPv4 DROP INVALID INCOMING PACKAGES
cat >> $OUT4 << EOF
## DROP MARTIANS
## https://www.cyberciti.biz/faq/linux-log-suspicious-martian-packets-un-routable-source-addresses/
-A INPUT -i $WLAN_IF -s 10.0.0.0/8 -j LOG --log-prefix "iptables_martian_DROP SPOOF A: "
-A INPUT -i $WLAN_IF -s 172.16.0.0/12 -j LOG --log-prefix "iptables_martian_DROP SPOOF B: "
-A INPUT -i $WLAN_IF -s 192.168.0.0/16 -j LOG --log-prefix "iptables_martian_DROP SPOOF C: "
-A INPUT -i $WLAN_IF -s 224.0.0.0/4 -j LOG --log-prefix "iptables_martian_DROP MULTICAST D: "
-A INPUT -i $WLAN_IF -s 240.0.0.0/5 -j LOG --log-prefix "iptables_martian_DROP SPOOF E: "
-A INPUT -i $WLAN_IF -d 127.0.0.0/8 -j LOG --log-prefix "iptables_martian_DROP LOOPBACK: "
-A INPUT -i $WLAN_IF -s 10.0.0.0/8 -j DROP
-A INPUT -i $WLAN_IF -s 172.16.0.0/12 -j DROP
-A INPUT -i $WLAN_IF -s 192.168.0.0/16 -j DROP
-A INPUT -i $WLAN_IF -s 224.0.0.0/4 -j DROP
-A INPUT -i $WLAN_IF -s 240.0.0.0/5 -j DROP
-A INPUT -i $WLAN_IF -d 127.0.0.0/8 -j DROP
## DROP INVALID
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m state --state INVALID -j DROP
## DROP INVALID SYN PACKETS
-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
-A INPUT -f -j DROP
## DROP INCOMING MALFORMED XMAS PACKETS
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
## DROP INCOMING MALFORMED NULL PACKETS
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
EOF
cat >> $OUT4 << EOF
## Traffic on the loopback interface is accepted.
-A INPUT -i lo -j ACCEPT
## Established incoming connections are accepted.
-A INPUT -m state --state ESTABLISHED -j ACCEPT
EOF
## All incoming connections are dropped by default anyway, but should a user
## allow incoming ports (such as for incoming SSH or FlashProxy), ICMP should
## still be dropped to filter for example ICMP time stamp requests.
if [ "$HOST_ALLOW_INCOMING_ICMP" != "1" ]; then
DBUG Drop all incoming ICMP traffic by default.
cat >> $OUT4 << EOF
-A INPUT -i $WLAN_IF -p icmp -j LOG --log-prefix "IPTABLES_icmp_DROP-i: " --log-uid
-A INPUT -i $WLAN_IF -p icmp -j DROP
EOF
else
DBUG Accept all incoming ICMP traffic by default.
cat >> $OUT4 << EOF
### this is required for outgoing pings
-A INPUT -i $WLAN_IF -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
-A INPUT -i $WLAN_IF -p icmp -j ACCEPT
EOF
fi
## Allow all incoming connections on the virtual VPN network interface,
## when VPN_FIREWALL mode is enabled. DISABLED BY DEFAULT.
if [ "$VPN_FIREWALL" = "1" ]; then
cat >> $OUT4 << EOF
-A INPUT -i "$VPN_INTERFACE" -j ACCEPT
EOF
fi
#root@Flati:# su -c '/usr/sbin/ntpdate 132.163.97.3' -s /bin/sh ntp
#12 Nov 21:39:14 ntpdate[4085]: bind() fails: Permission denied
#root@Flati:# ls -l `which ntpdate`
#-rwxr-sr-x 1 root ntp 85016 Jun 29 17:18 /usr/sbin/ntpdate
lsmod | grep -q xt_owner || modprobe xt_owner
cat >> $OUT4 << EOF
# these are NOT needed
#!-A INPUT -i $WLAN_IF -m owner --gid-owner $PRIV_NTP_GID -p udp --sport $PRIV_SERVICE_NTPPORT -j LOG --log-uid --log-prefix "iptables_${PRIV_SERVICE_NTPPORT}_ACCEPT-o: "
#!-A INPUT -i $WLAN_IF -m owner --gid-owner $PRIV_NTP_GID -p udp --sport $PRIV_SERVICE_NTPPORT -j ACCEPT
#!-A INPUT -i $WLAN_IF -m owner --uid-owner 0 -p udp --sport $PRIV_SERVICE_NTPPORT -j LOG --log-uid --log-prefix "iptables_${PRIV_SERVICE_NTPPORT}_ACCEPT-o: "
#!-A INPUT -i $WLAN_IF -m owner --uid-owner 0 -p udp --sport $PRIV_SERVICE_NTPPORT -j ACCEPT
EOF
DBUG clearnet gids is allowed to connect any outside target $CLEARNET_GIDS
for elt in $CLEARNET_GIDS ; do
cat >> $OUT4 << EOF
# these are NOT needed
#!-A INPUT -i $WLAN_IF -p tcp -m owner --gid-owner $elt -j ACCEPT
EOF
done
cat >> $OUT4 << EOF
#?# let dhcp through?
#?-A INPUT -p udp --sport $BOOTPC_SERVICE -j ACCEPT
#?-A INPUT -p udp --sport $BOOTPS_SERVICE -j ACCEPT
EOF
# was ACCEPT - try DROP - should be up in mangle as REJECT?
for elt in $WLAN_DROP_SERVICES ; do
cat >> $OUT4 << EOF
-A INPUT -i $WLAN_IF -p udp --sport $elt -j DROP
EOF
done
if [ "$HOST_ALLOW_INCOMING_ICMP" != "1" ]; then
DBUG Drop all incoming ICMP traffic by default.
cat >> $OUT4 << EOF
-A INPUT -i $EXT_VNET -p icmp -j LOG --log-prefix "IPTABLES_icmp_DROP-i: " --log-uid
-A INPUT -i $EXT_VNET -p icmp -j DROP
EOF
else
DBUG Accept all incoming ICMP traffic by default.
cat >> $OUT4 << EOF
### this is required for outgoing pings
-A INPUT -i $EXT_VNET -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
-A INPUT -i $EXT_VNET -p icmp -j ACCEPT
EOF
fi
DBUG use the gateway as a proxy box, including ssh INPUT
# works -i virbr1 and -sport not -dport
# -A INPUT -i virbr1 -p tcp --sport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-i: "
for elt in $EXT_ALLOW_SERVICES_IN_TCP ; do
cat >> $OUT4 << EOF
-A INPUT -i $EXT_VNET -p tcp --sport $elt -j LOG --log-uid --log-prefix "iptables_${elt}_ACCEPT-i: "
-A INPUT -i $EXT_VNET -p tcp --sport $elt -j ACCEPT
EOF
done
for elt in $EXT_ALLOW_SERVICES_IN_UDP ; do
cat >> $OUT4 << EOF
-A INPUT -i $EXT_VNET -p udp --sport $elt -j LOG --log-uid --log-prefix "iptables_${elt}_ACCEPT-i: "
-A INPUT -i $EXT_VNET -p udp --sport $elt -j ACCEPT
EOF
done
## Reject anything not explicitly allowed above.
## Drop is better than reject here, because we do not want to reveal it's a Whonix-Gateway.
## (In case someone running Whonix-Gateway on bare metal.)
cat >> $OUT4 << EOF
-A INPUT -j LOG --log-prefix "IPTABLES_filter_DROP-i: " --log-uid
-A INPUT -j DROP
EOF
# FixMe: DROP?
[ may = be ] && \
cat >> $OUT4 << EOF
#?-A FORWARD -j LOG --log-prefix "IPTABLES_forward_DROP-i: " --log-uid
#?-A FORWARD -j REJECT --reject-with icmp-admin-prohibited
EOF
[ $LIBVIRT_FW -ge 1 ] && \
cat >> $OUT4 << EOF
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
EOF
###########################
## IPv4 OUTPUT
###########################
cat >> $OUT4 << EOF
## Traffic on the loopback interface is accepted.
-A OUTPUT -o lo -j ACCEPT
## Existing connections are accepted.
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
EOF
## Allow outgoing traffic on VPN interface,
## if VPN_FIREWALL mode is enabled.
## DISABLED BY DEFAULT.
if [ "$VPN_FIREWALL" = "1" ]; then
cat >> $OUT4 << EOF
-A OUTPUT -o "$VPN_INTERFACE" -j ACCEPT
EOF
fi
## Connections to VPN servers are allowed,
## when VPN_FIREWALL mode is enabled.
## DISABLED BY DEFAULT.
if [ "$VPN_FIREWALL" = "1" ]; then
for SERVER in $VPN_SERVERS; do
cat >> $OUT4 << EOF
-A OUTPUT -d $SERVER -j ACCEPT
EOF
done
fi
## Drop all incoming ICMP traffic by default.
## All incoming connections are dropped by default anyway, but should a user
## allow incoming ports (such as for incoming SSH or FlashProxy), ICMP should
## still be dropped to filter for example ICMP time stamp requests.
if [ "$HOST_ALLOW_OUTGOING_ICMP" != "1" ]; then
DBUG Drop all outcoming ICMP traffic by default.
cat >> $OUT4 << EOF
-A OUTPUT -o $WLAN_IF -p icmp -j LOG --log-prefix "IPTABLES_icmp_DROP-o: " --log-uid
-A OUTPUT -o $WLAN_IF -p icmp -j DROP
EOF
else
DBUG Accept all outcoming ICMP traffic by default.
cat >> $OUT4 << EOF
-A OUTPUT -o $WLAN_IF -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
-A OUTPUT -o $WLAN_IF -p icmp -j ACCEPT
EOF
fi
## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
## unless VPN_FIREWALL mode is enabled. ENABLED BY DEFAULT.
#? WHY?!
if [ "$VPN_FIREWALL" != "1" ]; then
for NET in $NON_TOR_GATEWAY; do
cat >> $OUT4 << EOF
#?-A OUTPUT -d $NET -j ACCEPT
EOF
done
fi
# required sufficient works - not for user ntp
[ -n "$PRIV_NTP_GID" ] && \
cat >> $OUT4 << EOF
# The ntp user is allowed to connect to services listening on the ntp port...
# If root runs ntpdate manually you will see requests to port 53 UID=0
-A OUTPUT -o $WLAN_IF -m owner --gid-owner $PRIV_NTP_GID -p udp --dport $PRIV_SERVICE_NTPPORT -j LOG --log-uid --log-prefix "iptables_${PRIV_SERVICE_NTPPORT}_ACCEPT-o: "
-A OUTPUT -o $WLAN_IF -m owner --gid-owner $PRIV_NTP_GID -p udp --dport $PRIV_SERVICE_NTPPORT -j ACCEPT
-A OUTPUT -o $WLAN_IF -m owner --uid-owner 0 -p udp --dport $PRIV_SERVICE_NTPPORT -j LOG --log-uid --log-prefix "iptables_${PRIV_SERVICE_NTPPORT}_ACCEPT-o: "
-A OUTPUT -o $WLAN_IF -m owner --uid-owner 0 -p udp --dport $PRIV_SERVICE_NTPPORT -j ACCEPT
EOF
cat >> $OUT4 << EOF
# ssh - specifically forbid ssh out the wlan
-A OUTPUT -o $WLAN_IF -p tcp --dport $SSH_SERVICE -j LOG --log-uid --log-prefix "IPTABLES_ssh_REJECT-o: "
-A OUTPUT -o $WLAN_IF -p tcp --dport $SSH_SERVICE -j REJECT --reject-with icmp-port-unreachable
EOF
DBUG clearnet gids is allowed to connect any outside target $CLEARNET_GIDS
for elt in $CLEARNET_GIDS ; do
cat >> $OUT4 << EOF
# necessary and sufficient
-A OUTPUT -o $WLAN_IF -m owner --gid-owner $elt -j ACCEPT
EOF
done
if [ "$HOST_ALLOW_OUTGOING_ICMP" == "1" ]; then
cat >> $OUT4 << EOF
-A OUTPUT -o $EXT_VNET -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
-A OUTPUT -o $EXT_VNET -p icmp -j ACCEPT
EOF
fi
DBUG use the gateway as a proxy box, including ssh OUTPUT host to guest
# works -i virbr1 and -sport not -dport
# -A INPUT -i virbr1 -p tcp --sport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-i: "
for elt in $EXT_ALLOW_SERVICES_OUT_TCP ; do
cat >> $OUT4 << EOF
-A OUTPUT -o $EXT_VNET -p tcp --dport $elt -j LOG --log-uid --log-prefix "iptables_${elt}_ACCEPT-o: "
-A OUTPUT -o $EXT_VNET -p tcp --dport $elt -j ACCEPT
EOF
done
for elt in $EXT_ALLOW_SERVICES_OUT_UDP ; do
cat >> $OUT4 << EOF
-A OUTPUT -o $EXT_VNET -p udp --dport $elt -j LOG --log-uid --log-prefix "iptables_${elt}_ACCEPT-o: "
-A OUTPUT -o $EXT_VNET -p udp --dport $elt -j ACCEPT
EOF
done
cat >> $OUT4 << EOF
#??-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j RETURN
#?-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
EOF
if [ $LIBVIRT_FW -ge 1 ] ; then
cat >> $OUT4 << EOF
-A OUTPUT -j LIBVIRT_OUT
# block virbr1
EOF
for elt in $BLOCK_IPS ; do
cat >> $OUT4 << EOF
-A LIBVIRT_FWI -s $elt -p tcp -j DROP
EOF
done
cat >> $OUT4 << EOF
-A LIBVIRT_FWI -o $EXT_VNET -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
-A LIBVIRT_FWI -o $INT_VNET -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d $PRIV_WHONIX_EXTERNAL_NET -o $EXT_VNET -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o $EXT_VNET -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
#blocks
-A LIBVIRT_FWI -o $EXT_VNET -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i $INT_VNET -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
-A LIBVIRT_FWO -i $INT_VNET -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s $PRIV_WHONIX_EXTERNAL_NET -i $EXT_VNET -j ACCEPT
-A LIBVIRT_FWO -i $EXT_VNET -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
-A LIBVIRT_FWO -i $EXT_VNET -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i $INT_VNET -o $INT_VNET -j ACCEPT
-A LIBVIRT_FWX -i $EXT_VNET -o $EXT_VNET -j ACCEPT
# FixMe: sic this is what libvirt did -i --dport
# FixMe: I will disable them as I dont think theyre needed or wanted
#no -A LIBVIRT_INP -i $INT_VNET -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i $INT_VNET -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i $INT_VNET -p udp --dport 67 -j ACCEPT
#no -A LIBVIRT_INP -i $INT_VNET -p tcp --dport 67 -j ACCEPT
#no
#no # FixMe:sic this is what libvirt did -i --dport
#no -A LIBVIRT_INP -i $EXT_VNET -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i $EXT_VNET -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_INP -i $EXT_VNET -p udp --dport 67 -j ACCEPT
#no -A LIBVIRT_INP -i $EXT_VNET -p tcp --dport 67 -j ACCEPT
#no
#no -A LIBVIRT_OUT -o $INT_VNET -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o $INT_VNET -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o $INT_VNET -p udp --dport 68 -j ACCEPT
#no -A LIBVIRT_OUT -o $INT_VNET -p tcp --dport 68 -j ACCEPT
#no
#no -A LIBVIRT_OUT -o $EXT_VNET -p udp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o $EXT_VNET -p tcp --dport 53 -j ACCEPT
#no -A LIBVIRT_OUT -o $EXT_VNET -p udp --dport 68 -j ACCEPT
#no -A LIBVIRT_OUT -o $EXT_VNET -p tcp --dport 68 -j ACCEPT
EOF
fi
cat >> $OUT4 << EOF
# added
-A LIBVIRT_FWX -o $EXT_VNET -s 10.0.2.2 -d 10.0.2.15 -j ACCEPT
${HUSH}-A OUTPUT -j LOG --log-uid --log-prefix "IPTABLES_filter_DROP-o: "
${HUSH}-A OUTPUT -j DROP
EOF
cat >> $OUT4 << EOF
COMMIT
# Generated $NOW
EOF
# IPV6
if [ ! -e /proc/net/if_inet6 ] ; then
[ -f /etc/sysctl.d/70_testforge_harden_lynis.conf ] && \
sed -i -e 's/^net.ipv6.conf/#net.ipv6.conf/' /etc/sysctl.d/70_testforge_harden_lynis.conf
else
# nft_reject nft_reject_inet nf_reject_ipv4 nft_reject_ipv4 ipt_REJECT
for elt in nf_reject_ipv6 nft_reject_ipv6 ip6t_REJECT ; do
lsmod | grep -q $elt || modprobe $elt
done
sed -i -e 's/^#net.ipv6.conf/net.ipv6.conf/' /etc/sysctl.d/70_testforge_harden_lynis.conf
# ACTIVE
## Log.
proxy_ip6tables -A INPUT -j LOG --log-prefix "IPTABLES_Whonix blocked input6: "
proxy_ip6tables -A OUTPUT -j LOG --log-prefix "IPTABLES_Whonix blocked output6: "
proxy_ip6tables -A FORWARD -j LOG --log-prefix "IPTABLES_Whonix blocked forward6: "
## Drop/reject all other traffic.
proxy_ip6tables -A INPUT -j DROP
#### --reject-with icmp-admin-prohibited not supported by proxy_ip6tables
proxy_ip6tables -A OUTPUT -j REJECT
## --reject-with icmp-admin-prohibited not supported by proxy_ip6tables
proxy_ip6tables -A FORWARD -j REJECT
fi
###########################
## End
###########################
proxy_iptables_restore -tv < $OUT4 >/tmp/I$$.log 2>&1
retval=$?
if [ $retval -ne 0 ] ;then
ERROR "$prog firewall - $retval see /tmp/I$$.log"
exit $retval
fi
echo "# Whonix firewall for wlan=$PROXY_WLAN LIBVIRT_FW=$LIBVIRT_FW" >> $OUT4
if [ `id -u` -eq 0 ] && ls /etc/sysctl.d/*.conf 2>/dev/null >/dev/null; then
# hardcore
sed -i \
-e 's/forward = 0/forward = 1 ##libvirt/' \
-e 's/forwarding = 0/forwarding = 1 ##libvirt/' \
/etc/sysctl.d/*.conf
grep -l forward /etc/sysctl.d/*f | xargs sysctl -p | grep forward >/dev/null
fi
# mv $OUT4 /etc/firewall.conf.new || { echo ERROR: ; exit 9 ; }
INFO "OK Whonix firewall - mv $OUT4 /etc/firewall.conf.new"
exit 0

534
overlay/Linux/usr/local/sbin/proxy_whonix_host.bash Executable file
View file

@ -0,0 +1,534 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
. /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
ROLE=proxy
DELAY=10
prog=proxy_whonix_host
PL=$PREFIX/bin/proxy_libvirt_lib.bash
USAGE="config|from_tor|to_tor|start|status|test|refresh|update"
[ -f /usr/local/etc/testforge/testforge.bash ] && \
. /usr/local/etc/testforge/testforge.bash
[ $( id -u ) -eq 0 ] || { ERROR $prog should be run as root ; exit 1 ; }
. /usr/local/sbin/proxy_whonix_lib.bash || \
{ ERROR loading /usr/local/sbin/proxy_whonix_lib.bash ; exit 2; }
. /usr/local/bin/proxy_ping_lib.bash || exit 3
prog=proxy_whonix_host
[ -z "$MODE" ] && MODE=`proxy_ping_mode`
HTTP_PROXY_PORT=3128
HTTP_PROXY_HOST=127.0.0.1
HTTPS_PORT=9128
HTTPS_HOST=127.0.0.1
proxy_ping_get_socks
[ -z "$SOCKS_HOST" ] || SOCKS_HOST=127.0.0.1
[ -z "$SOCKS_PORT" ] || SOCKS_PORT=9050
proxy_ping_get_https
proxy_ping_get_http
WD=$PWD
NEEDED_DIRS=""
# /usr/local/lib/helper-scripts
# /usr/local/etc/ssl
NEEDED_SCRIPTS="
/usr/local/bin/proxy_get_if.bash
/usr/local/bin/proxy_libvirt_hook_qemu.bash
/usr/local/bin/proxy_ping_lib.bash
/usr/local/bin/proxy_ping_test.bash
/usr/local/etc/jnettop.conf
/usr/local/lib/helper-scripts/tor_bootstrap_check.py
/usr/local/lib/helper-scripts/tor_bootstrap_check.bsh
/usr/local/etc/ssl/cacert-testforge.pem
/usr/local/sbin/Whonix-Gateway.rc
/usr/local/sbin/debian_cache_to_archives.bash
/usr/local/sbin/debian_elts_to_uris.bash
/usr/local/sbin/debian_uris_to_urls.bash
/usr/local/sbin/proxy_libvirt_ga_test.bash
/usr/local/sbin/proxy_whonix_gateway_tor.bash
/usr/local/sbin/proxy_whonix_guest_gateway.bash
/usr/local/sbin/proxy_whonix_host-firewall.bash
/usr/local/sbin/proxy_whonix_host_lib.bash
/usr/local/sbin/proxy_whonix_host.bash
/usr/local/sbin/proxy_whonix_host_tor.bash
/usr/local/sbin/root_nm_wireless.bash
"
proxy_install_package () {
for pkg in $* ; do
if [ -d /etc/apt ] ; then
[ "$pkg" = guestfish ] && pkg=libguestfs-tools
apt-get install -y $pkg || return $?
elif [ -d /etc/portage ] ; then
apt-get install -y $pkg || return $?
fi
done
return 0
}
## proxy_whonix_host_dmesg_blocks
proxy_whonix_host_dmesg_blocks () {
local retval=0
[ -f /etc/firewall.conf.block ] || touch /etc/firewall.conf.block
[ -z "$PROXY_WLAN" ] && PROXY_WLAN=`proxy_get_if` && retval=$?
[ $retval -ne 0 -o -z "$PROXY_WLAN" ] && {
ERROR $prog null interface && return 1
}
dmesg|tail -1000 | grep IPTABLES_FWI_REJECT-o| \
sed -e 's/.*SRC=//' -e 's/ .*//'|sort -u| \
while read elt ; do
grep -q $elt /etc/firewall.conf.block && continue
grep -q $elt /etc/firewall.conf && continue
echo $elt >> /etc/firewall.conf.block
done
[ -s /etc/firewall.conf.block ] || proxy_whonix_host_prepare_blocks || return 1$?
proxy_whonix_host_add_block $( cat /etc/firewall.conf.block ) || return 2$?
if [ ! -f /etc/firewall.conf.$$ -o ! -f /etc/firewall.conf ] ; then
return 3
elif diff /etc/firewall.conf.$$ /etc/firewall.conf ; then
return 4
else
base_wall.bash WARN: $prog BLOCKING \
$(diff /etc/firewall.conf.$$ /etc/firewall.conf | grep -v , | cut -f 7 -d ' ') \
in /etc/firewall.conf.block
proxy_ping_wlan_config /etc/firewall.conf.$$
mv /etc/firewall.conf /etc/firewall.conf.bak && \
mv /etc/firewall.conf.$$ /etc/firewall.conf && \
/usr/local/bin/proxy_libvirt_hook_network.bash
fi
return 0
}
## proxy_whonix_host_refresh
proxy_whonix_host_refresh () {
local dire
[ "$#" -gt 0 ] && dire=$1
[ -z "$dire" ] && dire=$( proxy_ping_mode )
if [ $dire = whonix ] ; then
$PL proxy_libvirt_clean_iptables
proxy_whonix_host_dmesg_blocks
fi
return 0
}
## proxy_whonix_host_update
proxy_whonix_host_update () {
local copy_in
# use nbd instead
return 0
DOM=$( proxy_whonix_get_gateway_dom )
[ -z "$DOM" ] && \
WARN proxy_whonix_host_update empty DOM from proxy_whonix_get_gateway_dom && \
DOM=Whonix-Gateway
cd /usr/local/sbin/
cp -p $PWD/$DOM.rc rc.local
copy_in="copy-in $PWD/rc.local /etc"
for dir in $NEEDED_DIRS ; do
copy_in="$copy_in
mkdir $dir
"
done
for file in $NEEDED_SCRIPTS ; do
dir=$( dirname $file )
copy_in="$copy_in
copy-in $file $dir
"
done
QCOW=/var/lib/libvirt/images/$DOM.qcow2
if [ -f $QCOW ] ; then
which virsh 2>/dev/null >/dev/null || proxy_install_package libvirt
proxy_virsh list | grep -q $DOM && virsh shutdown $DOM && echo sleep 60 && sleep 60
which guestfish 2>/dev/null >/dev/null || proxy_install_package guestfish
INFO copying in $( echo $NEEDED_SCRIPTS| wc -w ) files
guestfish -a $QCOW << EOF
run
mount /dev/sda1 /
$copy_in
umount /
EOF
fi
rm -f rc.local
return 0
}
## proxy_whonix_host_config
proxy_whonix_host_config () {
local dire
local retval=0
[ "$#" -gt 0 ] && dire=$1
[ -z "$dire" ] && dire=$( proxy_ping_mode )
DBUG proxy_whonix_host_config dire=$dire
[ -z "$PROXY_WLAN" ] && PROXY_WLAN=`proxy_get_if` && retval=$?
[ $retval -ne 0 -o -z "$PROXY_WLAN" ] && {
ERROR proxy_whonix_host_config null interface && return 1
}
proxy_ping_firewall_restart
proxy_ping_firewall_check || {
ERROR /etc/firewall.conf missing $? ; return 2 ;
}
proxy_ping_test_resolv $dire || return 4$?
proxy_whonix_privoxy_config $dire
proxy_ping_dnsmasq_config $dire || return 3$?
if [ -f /etc/inittab ] ; then
grep -q '^x1' /etc/inittab || \
sed -e 's/^x1/#x1/' -i /etc/inittab
# x1:12345:respawn:/sbin/agetty
fi
proxy_ping_firewall_modules
if [ "$dire" = whonix ] ; then
[ -f /var/lib/libvirt/images/Whonix-Gateway.qcow2 ] || \
WARN /var/lib/libvirt/images/Whonix-Gateway.qcow2 - mount /mnt/linuxKick150154
if [ -s /etc/firewall.conf.$dire ] ; then
proxy_ping_wlan_config /etc/firewall.conf.$dire /etc/firewall.conf
if ! diff -q /etc/firewall.conf.$dire /etc/firewall.conf ; then
cp -p /etc/firewall.conf.$dire /etc/firewall.conf
proxy_iptables_restore /etc/firewall.conf || return 3
fi
elif [ -s /etc/firewall.conf ] ; then
iptables-save |grep -q virbr1 || {
proxy_iptables_restore /etc/firewall.conf || return 4
}
else
[ -s /etc/firewall.conf.new ] || \
/usr/local/sbin/privacy_whonix_host-firewall.bash || \
{ ERROR " $prog privacy_whonix_host-firewall.bash failed " ; return 5 ; }
[ -s /etc/firewall.conf.new ] || \
{ ERROR " /etc/firewall.conf.new missing " ; return 6 ; }
[ -s /etc/firewall.conf ] || cp -p /etc/firewall.conf.new /etc/firewall.conf
proxy_iptables_restore < /etc/firewall.conf || return 7
fi
proxy_host_whonix_config $dire
elif [ "$dire" = selektor -o "$dire" = tor ] ; then
proxy_host_selektor_config $dire
fi
return 0
}
proxy_host_selektor_config () { DBUG proxy_host_selektor_config ;
local dire=$1
# /var/lib/tor/.SelekTOR/3xx/SelekTOR.xml
if [ -s /etc/firewall.conf.$dire ] ; then
proxy_ping_wlan_config /etc/firewall.conf.$dire /etc/firewall.conf
if ! diff -q /etc/firewall.conf.$dire /etc/firewall.conf ; then
cp -p /etc/firewall.conf.$dire /etc/firewall.conf
proxy_iptables_restore /etc/firewall.conf || return 8
elif [ -s /etc/firewall.conf ] ; then
iptables-save |grep -q gid-owner || \
proxy_iptables_restore /etc/firewall.conf || return 9
else
{ ERROR " /etc/firewall.conf.$dire missing " ; return 7 ; }
fi
fi
return 0
}
## proxy_whonix_host_install
proxy_whonix_host_install () { DBUG proxy_whonix_host_install $* ;
if [ $dire = host ] ; then
ERROR proxy_whonix_host_install host
return 1
elif [ $dire = whonix ] ; then
proxy_whonix_libvirt_start
proxy_whonix_gateway_start $dire
else
if /etc/init.d/libvirtd status ; then
proxy_virsh list | grep -q Whonix-Gateway && \
proxy_virsh shutdown Whonix-Gateway
fi
fi
/usr/local/sbin/proxy_whonix_host_tor.bash $dire || return 7$?
return 0
}
## proxy_host_from_config
proxy_host_from_config () {
#? rm -f /etc/modules_load.d/vda*conf
DOM=$( proxy_whonix_get_gateway_dom )
[ -z "$DOM" ] && \
WARN proxy_host_whonix_config empty DOM assuming Whonix-Gateway && \
DOM=Whonix-Gateway
if [ -d /etc/libvirt/qemu/ -a /etc/libvirt/qemu/$DOM.xml ] ; then
if [ ! -f /etc/libvirt/qemu/$DOM.xml.dst ] ; then
cd /etc/libvirt/qemu/
cp -p /etc/libvirt/qemu/$DOM.xml /etc/libvirt/qemu/$DOM.xml.dst
for file in $WD/$DOM.xml.?.diff ; do
[ -f /etc/libvirt/qemu/$DOM.xml ] || \
ERROR $prog /etc/libvirt/qemu/$DOM.xml missing ; return 2
patch /etc/libvirt/qemu/$DOM.xml < $file
done
cd $WD
fi
fi
return 0
}
## proxy_host_from_config
proxy_host_whonix_config () {
local dire=whonix
local file
[ -x /usr/local/bin/proxy_libvirt_hook_network.bash ] || return 1
if false && ! [ -x /etc/libvirt/hooks/network ] ; then
cat > /etc/libvirt/hooks/network <<EOF
# BEGIN ANSIBLE MANAGED BLOCK proxy whonix_host.yml
[ ! -f /usr/local/bin/proxy_libvirt_hook_network.bash ] || \
/usr/local/bin/proxy_libvirt_hook_network.bash
# END ANSIBLE MANAGED BLOCK proxy whonix_host.yml
EOF
chmod 755 /etc/libvirt/hooks/network
fi
return 0
}
## proxy_whonix_host_verify
proxy_whonix_host_verify () {
$0 --help > /dev/null || return 6
$0 -h > /dev/null || return 7
for elt in $( echo $USAGE | sed -e 's/|/ /g' ) ; do
grep -q ^proxy_whonix_host_$elt $0 || { WARN proxy_whonix_host_$elt NOT in $0 ; return 8 ; }
done
return 0
}
## proxy_whonix_host_status
proxy_whonix_host_status () { proxy_whonix_host_test "$@" ; }
## proxy_whonix_host_test
proxy_whonix_host_test () {
local dire
[ "$#" -gt 0 ] && dire=$1
[ -z "$dire" ] && dire=$( proxy_ping_mode )
proxy_whonix_host_verify
proxy_ping_status
/usr/local/bin/proxy_ping_test.bash $dire || \
WARN $prog proxy_ping_test.bash FAILED $dire
if [ "$dire" = whonix ] ; then
grep "`date +%Y-%m-%d`.* error :" /var/local/log/libvirtd.log
proxy_whonix_host_tor.bash proxy_libvirt_test || return 1
proxy_virsh list | grep running || return 2
# FixMe look in /etc/libvirt/qemu
for elt in Whonix-Gateway Whonix-Workstation Pen19-1 Kick15-1 ; do
proxy_virsh list | grep -q $elt || continue
# /usr/local/sbin/proxy_libvirt_ga_test.bash $elt /bin/netstat -lnp4 ||
/usr/local/sbin/proxy_libvirt_ga_test.bash $elt ls /dev/virtio-ports/ || \
WARN $prog $elt not responding
# fallsover with
# error: internal error: unable to execute QEMU agent command 'guest-exec-status': Invalid parameter 'pid'
done
fi
return 0
}
## proxy_whonix_host_restart
proxy_whonix_host_restart () {
local dire
[ "$#" -gt 0 ] && dire=$1 || dire=$MODE
proxy_whonix_host_start $dire || return 1$?
proxy_whonix_host_status $dire || return 2$?
return 0
}
## proxy_whonix_host_selektor
proxy_whonix_host_selektor () {
local dire=selektor
proxy_whonix_host_start $dire
return $?
}
## proxy_whonix_host_from_tor
proxy_whonix_host_from_tor () {
local dire=whonix
proxy_whonix_host_start $dire
return $?
}
## proxy_whonix_host_to_tor
proxy_whonix_host_to_tor () {
local dire=tor
proxy_virsh list | grep -q Whonix-Gateway && proxy_virsh shutdown Whonix-Gateway
proxy_whonix_host_start $dire
return $?
}
## proxy_whonix_stop
proxy_whonix_stop () {
local dire
[ "$#" -gt 0 ] && dire=$1
[ -z "$dire" ] && dire=$( proxy_ping_mode )
DBUG proxy_whonix_stop $*
if [ $dire = whonix -o $dire = host -o $dire = tor ] ; then
proxy_whonix_host_stop $dire
fi
return 0
}
## proxy_whonix_libvirt_stop
proxy_whonix_libvirt_stop () {
proxy_virsh net-list | grep -q Whonix-External && \
virsh net-destroy Whonix-External
proxy_virsh net-list | grep -q Whonix-Internal && \
virsh net-destroy Whonix-Internal
proxy_virsh list | grep -q Whonix-Gateway && \
virsh shutdown Whonix-Gateway
proxy_virsh list | grep -q Whonix-Gateway && \
virsh destroy Whonix-Gateway
return 0
}
## proxy_whonix_host_stop
proxy_whonix_host_stop () {
local dire=$1
DBUG $prog proxy_whonix_host_stop $*
if [ $dire = whonix ] ; then
proxy_rc_service polipo status >/dev/null && proxy_rc_service polipo stop
proxy_ping_dnsmasq_status && proxy_ping_dnsmasq_stop
proxy_whonix_libvirt_stop || return 3$?
elif [ $dire = tor ] ; then
proxy_rc_service tor status >/dev/null && proxy_rc_service tor stop
proxy_rc_service polipo status >/dev/null && proxy_rc_service polipo stop
fi
return 0
}
## proxy_whonix_gateway_start - start whonix on a host
proxy_whonix_gateway_start () {
local dire
[ "$#" -gt 0 ] && dire=$1
# proxy_ping_dnsmasq_status && proxy_ping_dnsmasq_stop
proxy_whonix_libvirt_start || return 3$?
proxy_virsh net-list | grep -q Whonix-External || \
virsh net-start Whonix-External || return 4$?
ifconfig virbr1 || return 5$?
proxy_virsh net-list | grep -q Whonix-Internal || \
virsh net-start Whonix-Internal|| return 6$?
ifconfig virbr2 || return 7$?
DOM=$( proxy_whonix_get_gateway_dom )
[ -z "$GATEW_DOM" ] && \
WARN $prog empty DOM from proxy_whonix_get_gateway_dom && \
DOM=Whonix-Gateway
proxy_virsh list | grep -q $DOM || \
{ INFO $prog virsh starting $DOM ; virsh start $DOM ; } || \
return 8$?
return 0
}
## proxy_whonix_host_start - start either whonix or tor on a host
proxy_whonix_host_start () { DBUG $prog proxy_whonix_host_start $* ;
local dire
[ "$#" -gt 0 ] && dire=$1
proxy_whonix_host_config $dire || return 2$?
proxy_whonix_host_install $dire || return 4$?
proxy_clobber_resolv_local
return 0
}
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $USAGE
elif [ "$1" = '-h' -o "$1" = '--help' -o "$1" = 'host' ] ; then
echo USAGE: $prog $USAGE or:
grep '^## ' $0 | sed -e 's/^## //'
elif [ "$1" = config ] ; then
[ -z "$MODE" ] && MODE=$( proxy_ping_mode )
proxy_whonix_host_config $MODE || exit 2$?
elif [ "$1" = start ] ; then
[ -z "$MODE" ] && MODE=$( proxy_ping_mode )
proxy_whonix_host_start $MODE || exit 2$?
elif [ "$1" = selektor ] ; then
MODE=$1
proxy_whonix_host_start $MODE
elif [ "$1" = to -o "$1" = 'to_tor' -o "$1" = 'tor' ] ; then
[ -z "$MODE" ] && MODE=$( proxy_ping_mode )
proxy_whonix_host_to_tor || exit 3$?
elif [ "$1" = from -o "$1" = 'from_tor' -o "$1" = 'whonix' ] ; then
[ -z "$MODE" ] && MODE=$( proxy_ping_mode )
proxy_whonix_host_from_tor || exit 4$?
elif [ "$1" = verify -o "$1" = 'install' ] ; then
[ -z "$MODE" ] && MODE=$( proxy_ping_mode )
proxy_whonix_host_$1 $MODE || exit 5$?
elif [ "$1" = 'test' ] ; then
[ -z "$MODE" ] && MODE=$( proxy_ping_mode )
proxy_whonix_host_test $MODE || exit 4$?
elif [ "$1" = update -o "$1" = 'start' -o "$1" = 'status' -o "$1" = 'stop' ] ; then
[ -z "$MODE" ] && MODE=$( proxy_ping_mode )
proxy_whonix_host_$1 $MODE || exit 5$?
elif [ "$1" = hourly -o "$1" = 'refresh' ] ; then
[ -z "$MODE" ] && MODE=$( proxy_ping_mode )
proxy_whonix_host_refresh || exit 6$?
else
DBUG $base "$@"
eval "$@"
exit $?
fi
exit 0

3
overlay/Linux/usr/local/sbin/proxy_whonix_host_libvirt.bash Executable file
View file

@ -0,0 +1,3 @@
#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
exec bash /usr/local/bin/proxy_ping_lib.bash proxy_libvirt_test "$@"

257
overlay/Linux/usr/local/sbin/proxy_whonix_host_tor.bash Executable file
View file

@ -0,0 +1,257 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
ROLE=proxy
prog=$( basename $0 .bash )
. /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
USAGE="[to_tor|from_tor|test_to|test_from|verify]"
. /usr/local/sbin/proxy_whonix_lib.bash || \
{ ERROR loading /usr/local/sbin/proxy_whonix_lib.bash ; exit 2; }
. /usr/local/bin/usr_local_base.bash || exit 2
. /usr/local/sbin/proxy_tor_lib.bash || \
{ ERROR loading /usr/local/sbin/proxy_tor_lib.bash ; exit 3; }
. /usr/local/bin/usr_local_base.bash || exit 2
[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
[ -z "$PRIV_TOR_OWNER" ] && grep -q ^debian-tor /etc/passwd && PRIV_TOR_OWNER=debian-tor
[ -z "$PRIV_TOR_OWNER" ] && grep -q ^tor /etc/passwd && PRIV_TOR_OWNER=tor
PRIV_TOR_GID=$( grep ^$PRIV_TOR_OWNER /etc/passwd|cut -d: -f 4 )
[ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
PRIV_BIN_GID=$( grep ^$PRIV_BIN_OWNER /etc/passwd|cut -d: -f 4 )
#ps ax | grep 'usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/network.conf' && \
# ps ax | grep 'usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/network.conf' | sed -e 's/ .*//' \
# | xargs kill
[ $USER != root ] || proxy_iptables_save | grep -qi reject || \
proxy_ping_firewall_restart || exit 2$?
# bash /usr/local/sbin/base_firewall_start.bash
## proxy_whonix_or_tor
proxy_whonix_or_tor () { DBUG proxy_whonix_or_tor $* ;
local a dire debian file
dire=$1
file=/etc/tor/torrc
[ -n "$PROXY_WLAN" ] || PROXY_WLAN=$( proxy_get_if ) || return 1$?
[ -n "$PROXY_WLAN" ] || return 2$?
DBUG proxy_whonix_to_tor PROXY_WLAN=$PROXY_WLAN $*
true || \
proxy_ping_online || {
wlan7=$PROXY_WLAN
base_wlan_modules_unload $PROXY_WLAN
proxy_base_wlan_modules_load $PROXY_WLAN
ERROR not online ret=$? ; return 3 ;
}
proxy_whonix_copy_files $dire
## proxy_whonix_to_tor
}
proxy_whonix_to_selektor () { DBUG proxy_whonix_to_selektor $* ;
local a dire file
dire=selektor
file=
proxy_whonix_or_tor $dire
if ps ax | grep -v grep | grep -q 'tor -f /var/lib/tor/.SelekTOR/3xx' ; then
:
elif ! proxy_route_check ; then
return $?
elif tty >/dev/null ; then
/var/local/bin/selektor.bash &
fi
}
proxy_whonix_to_tor () { DBUG proxy_whonix_to_tor $* ;
local a dire debian file
dire=tor
file=/etc/tor/torrc
proxy_whonix_or_tor $dire || return 2$?
DBUG proxy_whonix_to_tor PROXY_WLAN=$PROXY_WLAN $*
proxy_tor_torrc_update /etc/tor/torrc 127.0.0.1
proxy_tor_torrc_exclude /etc/tor/torrc
# proxy_rc_service tor status >/dev/null || proxy_rc_service tor start
# weaker - includes running from cmdline
debian=$PRIV_TOR_OWNER
ps ax -g $debian | grep -v grep | grep -q ' tor ' || \
proxy_rc_service tor start || \
{ ERROR not service start ret=$? ; return 3 ; }
proxy_whonix_privoxy_start tor || {
echo WARN: $prog privoxy NOT running ret=$?
# return 4 ;
}
proxy_whonix_dnsmasq_start tor || {
echo WARN: proxy_whonix_to_tor dnsmasq NOT started retval=$?
# return 5$? ;
}
# proxy_whonix_start_wget
proxy_iptables_save | grep -q 'udp --dport 53 -j DNAT --to-destination 127.0.0.1:9053' || \
proxy_rc_service dnsmasq status >/dev/null || \
{ ERROR $prog dnsmasq not running ; return 6 ; }
netstat -nlp4 | grep 127.0.0.1:9 || return 9
return 0
}
## proxy_tor_clean
proxy_tor_clean () {
[ -n "$MODE" ] || MODE="$( proxy_ping_mode )"
if [ "$MODE" = whonix ] ; then
proxy_whonix_get_gateway_dom || exit 8
if [ -z "$GATEW_DOM" ] ; then
proxy_virsh list | grep -q $GATEW_DOM && \
proxy_libvirt_clean_virbr1_rules
fi
fi
return 0
}
## proxy_tor_test
proxy_tor_test () {
local dire
[ $# -eq 1 ] && dire=$1
[ -z "$dire" ] && dire="$( proxy_ping_mode )"
if [ $dire = tor -o $dire = whonix -o $dire = host ] ; then
# is vda a host?
proxy_tor_test_ntp || return 2$?
proxy_tor_test_anondate # || return 3$?
fi
proxy_whonix_test $dire || return 1$?
return 0
}
starbucks_torrc () { proxy_whonix_host_tor_install $* ; }
## proxy_whonix_host_install
proxy_whonix_host_tor_install () { DBUG proxy_whonix_host_tor_install $* ;
[ -n "$PROXY_WLAN" ] || PROXY_WLAN=$( proxy_get_if ) || return 1$?
[ -n "$PROXY_WLAN_IP" ] || PROXY_WLAN_IP=$( proxy_get_wlan_ip ) || \
{ ERROR proxy_whonix_host_tor_install ifconfig $PROXY_WLAN ; return 7 ; }
[ -z "$PROXY_WLAN_IP" ] && return 0
for file in /etc/tor/torrc /etc/tor/torrc-defaults ; do
[ -f $file ] || continue
grep -q "SocksPolicy accept " /etc/tor/torrc || continue
grep -q "SocksPolicy accept $PROXY_WLAN_IP" /etc/tor/torrc || continue
sed -e "s@^SocksPolicy accept [^/]*\$@SocksPolicy accept $PROXY_WLAN_IP@" \
-i $file
done
return 0
}
proxy_whonix_host_whonix () { proxy_whonix_from_tor $* ; }
## proxy_whonix_from_tor
proxy_whonix_from_tor () {
local dire=whonix
local ret
DBUG proxy_whonix_from_tor $*
proxy_rc_service tor status >/dev/null && proxy_rc_service tor stop
[ -n "$PROXY_WLAN" ] || PROXY_WLAN=$( proxy_get_if ) || return 1$?
# ; return 2$ret
proxy_whonix_config $dire || { ret=$? ; ERROR proxy_whonix_from_tor failed proxy_whonix_config ret=$ret ; return 2$ret ; }
proxy_whonix_libvirt_start || {
ret=$? ;
ERROR proxy_whonix_from_tor failed proxy_whonix_libvirt_start ret=$ret ;
return 3$ret
}
a=$( proxy_iptables_save | grep -e '-A OUTPUT -o .* -m tcp -p tcp -m owner --gid-owner $PRIV_TOR_GID -j ACCEPT' | grep -c -v grep )
[ $? -eq 0 ] && [ -n "$a" ] && [ "$a" -gt 0 ] && \
WARN proxy_iptables -D OUTPUT -o $PROXY_WLAN -m tcp -p tcp -m owner --gid-owner $PRIV_TOR_GID -j ACCEPT
proxy_whonix_copy_files $dire
# netstat -nlp4e | grep 127.0.0.1:53 && { ERROR dns still running ; return 3;}
if false; then
proxy_rc_service pdnsd status >/dev/null && proxy_rc_service pdnsd stop
[ -f /etc/pdnsd/pdnsd.conf.whonix ] && \
cp -p /etc/pdnsd/pdnsd.conf.whonix /etc/pdnsd/pdnsd.conf
# proxy_whonix_start_wget
proxy_whonix_dnsmasq_start $dire || \
{ ret=$? ; echo WARN: proxy_whonix_from_tor dnsmasq NOT started $ret ; }
fi
proxy_whonix_privoxy_start $dire || \
{ ret=$?; echo WARN: proxy_privoxy_from_tor polipo not started $ret ; }
proxy_whonix_host_tor_install
return 0
}
if [ "$#" -eq 0 ] ; then
echo USAGE: $prog $USAGE
elif [ "$1" = '-h' ] || [ "$1" = 'help' ] || [ "$1" = '--help' ] ; then
echo USAGE: $prog $USAGE or:
grep '^## ' $0 | sed -e 's/^## //'
elif [ "$1" = to -o "$1" = 'to_tor' -o "$1" = 'tor' ] ; then
[ $( id -u ) -eq 0 ] || { ERROR $prog must be root ; exit 1 ; }
proxy_whonix_to_tor || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 1$ret ; }
elif [ "$1" = 'selektor' ] ; then
[ $( id -u ) -eq 0 ] || { ERROR $prog must be root ; exit 1 ; }
proxy_whonix_to_selektor || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 1$ret ; }
elif [ "$1" = 'from' -o "$1" = 'from_tor' -o "$1" = 'whonix' ] ; then
[ $( id -u ) -eq 0 ] || { ERROR $prog must be root ; exit 1 ; }
proxy_whonix_from_tor || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 2$ret ; }
elif [ "$1" = 'gateway' ] ; then
[ $( id -u ) -eq 0 ] || { ERROR $prog must be root ; exit 1 ; }
proxy_whonix_gateway || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 2$ret ; }
proxy_whonix_test gateway || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 4$ret ; }
elif [ "$1" = 'test_from' -o "$1" = 'test_whonix' ] ; then
[ $( id -u ) -eq 0 ] || { ERROR $prog must be root ; exit 1 ; }
proxy_tor_test whonix || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 6$ret ; }
/usr/local/bin/proxy_ping_test.bash panic || exit 7
elif [ "$1" = 'test_gateway' -o "$1" = 'test_gateway' ] ; then
proxy_tor_test gateway || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 6$ret ; }
/usr/local/bin/proxy_ping_test.bash panic || exit 7
elif [ "$1" = 'test_to' -o "$1" = 'test_tor' ] ; then
proxy_tor_test tor || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 7$ret ; }
/usr/local/bin/proxy_ping_test.bash panic || exit 7
elif [ "$1" = 'direct' -o "$1" = 'test_direct' ] ; then
/usr/local/bin/proxy_ping_test.bash direct
elif [ "$1" = 'verify' ] ; then
/usr/local/bin/proxy_ping_test.bash panic || exit 7
[ -n "$MODE" ] || MODE="$( proxy_ping_mode )"
proxy_whonix_test $MODE || \
{ ret=$? ; ERROR "$prog host='$GATEW_DOM' retval=$ret" ; exit 8$ret ; }
elif [ "$1" = 'clean' -o "$1" = 'stop' ] ; then
proxy_whonix_$1
/usr/local/bin/proxy_ping_test.bash panic || exit 8
elif [ "$1" = 'config' ] ; then
ERROR $prog not implemented $1;exit 1
else
eval "$@"
exit $?
fi

742
overlay/Linux/usr/local/sbin/proxy_whonix_lib.bash Executable file
View file

@ -0,0 +1,742 @@
#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
PREFIX=/usr/local
ROLE=proxy
prog=$( basename $0 .bash )
export PATH=$PATH:$PREFIX/sbin:$PREFIX/bin
. $PREFIX/bin/usr_local_tput.bash
PL=$PREFIX/bin/proxy_libvirt_lib.bash
# . $PREFIX/sbin/proxy_whonix_lib.bash || { echo ERROR: loading $PREFIX/sbin/proxy_whonix_lib.bash ; exit 2; }
. $PREFIX/bin/proxy_ping_lib.bash || \
{ echo ERROR: loading $PREFIX/bin/proxy_ping_lib.bash ; exit 2; }
base=proxy_whonix_lib
starbucks_torrc () {
ip=`ifconfig $wlan7 | grep -v '127.0.0.1\|grep' | grep inet.*broadcast| sed -e 's/.*inet //' -e 's/ .*//'`
[ $? -eq 0 ] || { echo ERROR: starbucks_torrc ifconfig $wlan7 ; return 7 ; }
[ -z "$ip" ] && return 0
for file in /etc/tor/torrc /etc/tor/torrc-default ; do
grep -q "^SocksPolicy accept " /etc/tor/torrc || continue
grep -q "^SocksPolicy accept $ip$" /etc/tor/torrc && continue
sed -e "s@^SocksPolicy accept [^/]*\$@SocksPolicy accept $ip@" \
-i $file
done
return
}
starbucks_set () {
if [ -f /etc/init.d/network-manager ] ; then
NetworkManager=network-manager
elif [ -f /etc/init.d/NetworkManager ] ; then
NetworkManager=NetworkManager
elif [ -f /lib/systemd/system/NetworkManager ] ; then
NetworkManager=NetworkManager
else
NetworkManager=network-manager
fi
mgr=$NetworkManager
mgr=wicd
[ -x /mnt/linuxBack52/usr/bin/macchanger ] && \
macchanger=/mnt/linuxBack52/usr/bin/macchanger || \
macchanger=macchanger
# may be empty wlan7
# ifconfig wlan7 2>/dev/null && wlan7=wlan7 || wlan7=wlp3s0
if [ -z "$wlan7" ] ; then
echo ERROR: null wlan7 ;exit 1
fi
INFO starbucks_set wlan7=$wlan7 mgr=$mgr macchanger=$macchanger
if [ -z "$wlan7" ] ; then
rmmod iwlmvm iwlwifi 2>/dev/null >/dev/null &
rmmod ath9k_htc ath9k_common ath9k_hw ath 2>/dev/null >/dev/null &
elif [ $wlan7 = wlan4 ] ; then
rmmod iwlmvm iwlwifi 2>/dev/null >/dev/null &
elif [ $wlan7 = wlan6 -o $wlan7 = wlan7 ] ; then
rmmod ath9k_htc ath9k_common ath9k_hw ath 2>/dev/null >/dev/null &
fi
sleep 5
return 0
}
starbucks_ip () {
local wlan7
[ $# -eq 0 -o -z "$1" ] && return 1
wlan7=$1
base_wlan_modules_unload $wlan7 || return 1$?
base_wlan_modules_load $wlan7 || return 2$?
cd /etc
grep -l 'wlan[0-9]' * */* 2>/dev/null|grep -v ~$|xargs sed -e "s/wlan[0-9]/$wlan7/g" -i
local_rc_service dbus start;local_rc_service wicd start
return 0
}
starbucks_start_services () {
[ -z "$MODE" ] && echo ERROR: $0 unknown MODE && return 2
$PREFIX/sbin/proxy_whonix_host.bash start || return 3$?
# $PREFIX/sbin/proxy_whonix_host.bash proxy_whonix_host_start $MODE || return 5$?
[ "$MODE" != tor ] || starbucks_torrc || return 5$?
return 0
}
starbucks_stop () {
[ "$#" -eq 0 ] && set -- stop
starbucks_restart stop
}
# old tor only
starbucks_restart () {
[ "$#" -eq 0 ] && set -- start
if [ -x /bin/systemctl ] ; then
# [ -e /etc/tor/torrc ] && /bin/systemctl $1 tor >/dev/null
[ -e /etc/pdnsd.conf ] && /bin/systemctl $1 pdnsd >/dev/null
[ -e /etc/polipo.conf ] && /bin/systemctl $1 polipo >/dev/null
/bin/systemctl $1 $mgr
else
# [ -e /etc/tor/torrc ] && /etc/init.d/tor $1
[ -e /etc/pdnsd.conf ] && /etc/init.d/pdnsd $1
[ -e /etc/polipo.conf ] && /etc/init.d/polipo $1
/etc/init.d/$mgr $1
fi
return 0
}
starbucks_pdnsd () {
if [ "$pdnsd" = "dnscrypt" ] && \
! ps ax | grep -v grep | grep -q /dnscrypt-proxy ; then
cp /dev/null /var/local/var/log/dnscrypt-proxy.log
$HARDEN_VAR_LOCAL/bin/dnscrypt-proxy --config $HARDEN_VAR_LOCAL/etc/dnscrypt-proxy.toml &
sleep $DELAY
[ ! -s /var/local/var/log/dnscrypt-proxy.log ] || \
! grep -q 'No servers configured' $HARDEN_VAR_LOCAL/var/log/dnscrypt-proxy.log || return 11
ps ax | grep -v grep | grep -q /dnscrypt-proxy || return 12
elif [ "$pdnsd" = "pdnsd" ] && ! ps ax | grep -v grep | grep -q /pdnsd ; then
if [ -x /bin/systemctl ] ; then
[ -e /etc/pdnsd.conf ] && /bin/systemctl stop pdnsd >/dev/null
else
[ -e /etc/pdnsd.conf ] && /etc/init.d/pdnsd stop
fi
fi
}
starbucks_torrc () {
ip=`ifconfig $wlan7 | grep -v '127.0.0.1\|grep' | grep inet.*broadcast| sed -e 's/.*inet //' -e 's/ .*//'`
[ $? -eq 0 ] || { echo ERROR: starbucks_torrc ifconfig $wlan7 ; return 7 ; }
[ -z "$ip" ] || \
grep -q "SocksPolicy accept $ip@" /etc/tor/torrc || \
sed -e "s@^SocksPolicy accept [^/]*\$@SocksPolicy accept $ip@" \
-i /etc/tor/torrc
}
## proxy_guest_firewall_config -- /etc/firewall.conf.ws.new
proxy_guest_firewall_config () {
. $PREFIX/sbin/proxy_whonix_guest_workstation-firewall.bash || return 2$?
source_config_folder
iptables_cmd="echo iptables"
ip6tables_cmd="echo # ip6tables"
main > /etc/firewall.conf.ws.new
return $?
}
## proxy_whonix_guest_config
proxy_whonix_guest_config () {
return 0
}
## proxy_whonix_guest_start
proxy_whonix_guest_start () {
$PL proxy_libvirt_start_guest
return $?
}
## proxy_whonix_test_guest
proxy_whonix_test_guest () {
$PL proxy_libvirt_test_guest
return $?
}
## proxy_whonix_gateway_config
proxy_whonix_gateway_config () {
proxy_whonix_dnsmasq_config gateway 10.0.2.15
return 0
}
## proxy_whonix_dnsmasq_config
proxy_whonix_dnsmasq_config () {
local dire
[ "$#" -eq 0 ] || dire=$1
[ -z "$dire" ] && MODE="$( proxy_ping_mode )" && dire=$MODE
[ -n "$MODE" ] || MODE=host
proxy_dest_port_wlan_config
[ -z "$PORT" -o -z "$DEST" ] && return 1
# 9040 - no wgetrc polipo
# need dnsmasq to 127
file=/etc/dnsmasq.conf
if [ ! -f $file.$dire ] ; then
cp -p $file $file.$dire
cat >> $file.conf <<EOF
log-facility=/var/log/dnsmasq.log
no-resolv
listen-address=127.0.0.1
server=${DEST}#$PORT
port=53
# wlan4
interface=$PROXY_WLAN
bind-interfaces
no-dhcp-interface=$PROXY_WLAN
EOF
fi
return 0
}
## proxy_whonix_polipo_config
proxy_whonix_polipo_config () {
local dire
local file
[ "$#" -eq 0 ] && { echo ERROR: proxy_whonix_polipo_config no dire ; return 1; }
dire=$1
file=/etc/polipo/config
if [ $dire = whonix ]; then
if [ ! -f $file.$dire ] ; then
cp -p $file $file.$dire
cat >> $file.conf <<EOF
proxyAddress=127.0.0.1
proxyPort=3128
proxyName=127.0.0.1
socksParentProxy=10.0.2.15:9050
socksProxyType=socks5
#?ssocksUserName=foo
EOF
fi
elif [ $dire = nat ]; then
# get external
external=`grep external$ /etc/hosts|sed -e 's/ .*//'`
#? . /usr/local/bin/proxy_export.bash
if [ ! -f $file.$dire ] ; then
cp -p $file $file.$dire
cat >> $file.conf <<EOF
proxyAddress=$external
proxyPort=3128
proxyName=$external
socksParentProxy=$external:9050
socksProxyType=socks5
#?ssocksUserName=foo
EOF
fi
else
if [ ! -f $file.$dire ] ; then
cp -p $file $file.$dire
cat >> $file.conf <<EOF
proxyAddress=127.0.0.1
proxyPort=3128
proxyName=127.0.0.1
socksParentProxy=${DEST}:$PORT
socksProxyType=socks5
EOF
fi
fi
return 0
}
## proxy_whonix_privoxy_config
proxy_whonix_privoxy_config () {
local dire
local file
dire=$1 ; shift
file=/etc/privoxy/config
if [ $dire = whonix ]; then
if [ ! -f $file.$dire ] ; then
cp -p $file $file.$dire
cat >> $file.conf <<EOF
listen-address 127.0.0.1:3128
forward-socks5t / 10.0.2.15:9050 .
EOF
fi
elif [ $dire = nat ]; then
# get external
external=`grep external$ /etc/hosts|sed -e 's/ .*//'`
#? . /usr/local/bin/proxy_export.bash
if [ ! -f $file.$dire ] ; then
cp /dev/null $file.$dire
fi
else
if [ ! -f $file.$dire ] ; then
cp -p $file $file.$dire
cat >> $file.conf <<EOF
listen-address 127.0.0.1:3128
forward-socks5t / 127.0.0.1:9050 .
EOF
fi
fi
return 0
}
## proxy_whonix_dnsmasq_config
proxy_whonix_dnsmasq_config () {
local dire
[ "$#" -eq 0 ] && set -- tor
dire=$1 ; shift
proxy_dest_port_wlan_config $*
[ -z "$PORT" -o -z "$DEST" ] && return 1
# 9040 - no wgetrc
# need dnsmasq to 127
file=/etc/dnsmasq.conf
if [ ! -f $file.$dire ] ; then
cp -p $file $file.$dire
cat >> $file.$dire <<EOF
log-facility=/var/log/dnsmasq.log
no-resolv
listen-address=127.0.0.1
server=${DEST}#$PORT
port=53
# wlan4
interface=$PROXY_WLAN
bind-interfaces
no-dhcp-interface=$PROXY_WLAN
EOF
fi
return 0
}
## proxy_whonix_tor_config
proxy_whonix_tor_config () {
proxy_host_tor_config tor 127.0.0.1
return $?
}
## proxy_host_tor_config
proxy_host_tor_config () {
local dir
local file
dire=tor
DEST=127.0.0.1
PORT=9050
#? [ -z "$DEST" ] && proxy_dest_port_wlan_config || return 1$?
[ -z "$PORT" -o -z "$DEST" ] && return 2
proxy_whonix_polipo_config $dire || return 3$?
proxy_whonix_dnsmasq_config $dire || return 4$?
if proxy_ping_online ; then
proxy_ping_test_resolv $dire || { echo ERROR: proxy_host_tor_config 5$?; return 5 ; }
fi
return 0
}
## proxy_host_from_config
proxy_host_whonix_config () {
local dire=whonix
local file
proxy_dest_port_wlan_config || return 1$?
DEST=10.0.2.15
PORT=9053
[ -z "$PORT" -o -z "$DEST" ] && return 2
proxy_whonix_polipo_config $dire
proxy_ping_test_resolv $dire || return 4$?
proxy_whonix_dnsmasq_config $dire || return 5$?
return 0
}
## proxy_host_gateway
proxy_whonix_gateway () {
local dire=gateway
debug proxy_whonix_gateway $dire
PROXY_WLAN=$( proxy_get_if ) || return 1$?
s proxy_whonix_config $dire || return 2$?
# works?
proxy_ping_set_resolv gateway
return 0
}
## proxy_whonix_from_config
proxy_whonix_config () {
local dire=$1
[ -z "$DEST" ] && proxy_dest_port_wlan_config
if [ ! -f /etc/tor/torsocks.conf.$dire ] ; then
cp -p /etc/tor/torsocks.conf /etc/tor/torsocks.conf.$dire
# TorAddress 127.0.0.1
# TorPort 9050
fi
sed -e "s@^#* *TorAddress.*@TorAddress $DEST@" -i /etc/tor/torsocks.conf
sed -e "s@^#* *TorPort.*@TorPort 9050@" -i /etc/tor/torsocks.conf
# proxy_whonix_start_wget
proxy_host_${dire}_config
return $?
}
## proxy_ws_whonix_config
proxy_ws_whonix_config () {
local dir=ws
DEST=10.152.152.10
PROXY_WLAN=eth0
proxy_host_whonix_config $dire $DEST 9053 $PROXY_WLAN
return $?
}
## proxy_whonix_libvirt_status
proxy_whonix_libvirt_status () {
proxy_rc_service libvirtd status >/dev/null || \
proxy_rc_service libvirtd start || \
echo WARN: libvirtd crashed - see /var/log/libvirt/libvirtd.log # 2>&1|tee $WLOG
$PL proxy_libvirt_status
return 0
}
## proxy_whonix_libvirt_start
proxy_whonix_libvirt_start () {
local domain
[ "$#" -ge 1 ] && domain=$1
if [ ! -e /run/libvirt/libvirt-sock ] || ! proxy_rc_service libvirtd status >/dev/null ; then
cp /dev/null /var/log/libvirt/libvirtd.log
/etc/init.d/libvirtd status
retval=$?
[ $retval -eq 32 ] && WARN libvirtd crashed - zapping && /etc/init.d/libvirtd zap
[ $retval -eq 0 ] || /etc/init.d/libvirtd start || return 5$? # error: Failed to start livirtd
proxy_rc_service libvirtd start || return 3
sleep $DELAY
fi
$PL proxy_libvirt_no_autostart
$PL proxy_libvirt_start
$PL proxy_libvirt_status
proxy_virsh net-list | grep -q Whonix-Internal || virsh net-start Whonix-Internal || return 3
proxy_virsh net-list | grep -q Whonix-External || virsh net-start Whonix-External || return 4
[ -z "$domain" ] && domain="$( proxy_testforge_get_gateway_dom )"
[ -z "$domain" ] && echo WARN: null proxy_testforge_get_gateway_dom && \
domain=Whonix-Gateway && \
INFO set proxy_testforge_get_gateway_dom $domain
$PL proxy_libvirt_list | grep -v grep | grep "$domain" || \
virsh start $domain || {
ret=$?
echo ERROR: proxy_whonix_libvirt_start failed virsh start $domain ret=$ret
return 5$ret
}
return 0
}
## proxy_whonix_test
proxy_whonix_test () {
local dire
DBUG proxy_whonix_test $dire
[ "$#" -eq 0 ] && dire=$MODE || dire=$1
[ $dire = ws -o $dire = workstation ] && dire=vda
if [ $dire = client ] ; then
:
# dunno - look at netstat? -nle4
elif [ $dire = nat ] ; then
$PL proxy_libvirt_test_guest
elif [ $dire = vda -o $dire = gateway ] ; then
proxy_whonix_test_guest
elif [ $dire = tor ] ; then
$PL proxy_libvirt_test_host
elif [ $dire = whonix ] ; then
$PL proxy_libvirt_no_autostart
$PL proxy_libvirt_clean_virbr1_rules
proxy_whonix_get_gateway_dom
[ -z "$GATEW_DOM" ] && echo WARN: $prog DOM proxy_whonix_get_gateway_dom assuming Whonix-Gateway && DOM=Whonix-Gateway || DOM=$GATEW_DOM
proxy_virsh list | grep -q $DOM || { echo ERROR: $prog $DOM not running ; return 2 ; }
$PREFIX/bin/proxy_ping_test.bash from_tor || return 6$?
fi
#? gateway
if [ $dire = whonix -o $dire = vda -o $dire = tor ] ; then
proxy_rc_service polipo status >/dev/null >/dev/null || \
{ echo ERROR: $prog polipo not running ; return 4 ; }
$PREFIX/bin/proxy_ping_test.bash polipo || return 9$?
elif [ $dire = host -o $dire = tor ] ; then
proxy_rc_service privoxy status >/dev/null >/dev/null || \
{ echo ERROR: $prog privoxy not running ; return 4 ; }
$PREFIX/bin/proxy_ping_test.bash privoxy || return 9$?
fi
if [ $dire = vda -o $dire = ws -o $dire = workstation ] ; then
proxy_clobber_resolv_local 10.152.152.10
elif [ $dire = gateway -o $dire = whonix -o $dire = tor ] ; then
proxy_rc_service dnsmasq status 2>/dev/null >/dev/null || \
{ echo ERROR: $prog dnsmasq not running ; return 5 ; }
proxy_clobber_resolv_local 127.0.0.1
fi
$PREFIX/bin/proxy_ping_test.bash dns # || return 9$?
$PREFIX/bin/proxy_ping_test.bash $dire || return 6$?
return 0
}
# Weher was this
## rc_host_symlink_etc_fstab
rc_host_symlink_etc_fstab () {
grep -q root=/dev/vda /proc/cmdline
PROXY_IS_VDA=$?
if [ $PROXY_IS_VDA -eq 0 ] ; then
[ -h /etc/fstab ] && [ -f /etc/fstab.vda ] && \
rm -f /etc/fstab && ln -s /etc/fstab.vda /etc/fstab
return 1
# else
# [ -h /etc/fstab ] && [ -f /etc/fstab.4TA ] && \
# rm -f /etc/fstab && ln -s /etc/fstab.4TA /etc/fstab
fi
return 0
}
## proxy_vda_config
proxy_vda_config () {
rc_host_symlink_etc_fstab
sed -e 's/^#x1/x1/' -i /etc/inittab #
if false ; then
sed -e 's/^#//' -i $PREFIX/etc/modules_load.d/vda*conf
if [ ! -h /etc/modules_load.d/vda_mods.conf ] ; then
ln -s $PREFIX/etc/modules_load.d/vda*conf /etc/modules_load.d/
fi
fi
if false ; then
[ -f /etc/firewall.conf.vda ] && \
cp -p /etc/firewall.conf.vda /etc/firewall.conf
fi
return 0
}
##
old_proxy_vda_config () {
[ -f /etc/inittab ] && sed -e 's/^#x1/x1/' -i /etc/inittab
return 0
}
## proxy_vda_whonix_config
proxy_vda_whonix_config () {
local dir=vda
DEST=10.152.152.10
PROXY_WLAN=eth0
proxy_host_whonix_config $dire $DEST 9053 $PROXY_WLAN
return $?
}
## proxy_quest_config
proxy_quest_config () {
proxy_vda_config
sed -e 's/^#//' -i $PREFIX/etc/modules_load.d/vda*conf
if [ ! -h /etc/modules_load.d/vda_mods.conf ] ; then
cp -np $PREFIX/etc/modules_load.d/vda*conf /etc/modules-load.d/
fi
return 0
}
## proxy_whonix_dnsmasq_start
proxy_whonix_dnsmasq_start () {
local dire
local service=dnsmasq
[ "$#" -eq 0 ] || dire=$1
[ -z "$dire" ] && MODE="$( proxy_ping_mode )" && dire=$MODE
[ -n "$MODE" ] || MODE=host
DBUG proxy_whonix_dnsmasq_start $dire $PROXY_WLAN
proxy_whonix_config $dire || return 1$?
PROXY_WLAN=$( proxy_get_if )
[ -z "$PROXY_WLAN" ] && echo ERROR: $prog empty PROXY_WLAN && return 4
sed -e "s/wlan[0-9]/$PROXY_WLAN/" -i /etc/dnsmasq.conf.$dire
if diff /etc/dnsmasq.conf.$dire /etc/dnsmasq.conf >/dev/null ; then
proxy_rc_service dnsmasq status >/dev/null || \
proxy_ping_dnsmasq_start || return 8$?
else
proxy_rc_service dnsmasq status >/dev/null && \
proxy_ping_dnsmasq_stop
cp -p /etc/dnsmasq.conf.$dire /etc/dnsmasq.conf
proxy_ping_dnsmasq_start || return 8$?
fi
return 0
}
## proxy_whonix_privoxy_start
proxy_whonix_polipo_start () {
local dire
local service=polipo
[ $# -eq 1 ] && dire=$1
[ -z "$dire" ] && dire="$( proxy_ping_mode )"
DBUG proxy_whonix_start_$service $dire
proxy_whonix_config $dire || \
echo WARN: proxy_whonix_polipo_start proxy_whonix_config $dire $? # return 1$?
sed -e "s/wlan[0-9]/$PROXY_WLAN/" -e "s/eth[0-9]/$PROXY_WLAN/" -i /etc/polipo/config.$dire
if ! diff /etc/polipo/config.$dire /etc/polipo/config ; then
cp -p /etc/polipo/config.$dire /etc/polipo/config
proxy_rc_service $service restart || return 2$?
else
proxy_rc_service $service status >/dev/null || \
proxy_rc_service $service start||return 3$
fi
return 0
}
## proxy_whonix_host_prepare_blocks
proxy_whonix_host_prepare_blocks () {
if [ ! -s /etc/firewall.conf.block ] ; then
if [ -f $PREFIX/etc/firewall.conf.block ] ; then
echo "WARN: $prog copying $PREFIX/etc/firewall.conf.block"
cp -p $PREFIX/etc/firewall.conf.block /etc/firewall.conf.block
else
ERROR "$prog missing $PREFIX/etc/firewall.conf.block"
return 1
fi
fi
return 0
}
## proxy_whonix_host_add_block
proxy_whonix_host_add_block () {
local elt tab ip
# PROXY_WLAN=$( proxy_get_if )
# [ $? -ne 0 -o -z "$PROXY_WLAN" ] && echo ERROR: $prog null interface && return 1
if [ "$#" -eq 0 ] ; then
proxy_whonix_host_prepare_blocks \| return 1$?
set -- $( cat /etc/firewall.conf.block )
fi
# DBUG "$prog adding $*"
[ -f /etc/firewall.conf.newer ] || \
cp -p /etc/firewall.conf /etc/firewall.conf.newer
for elt in wlan virbr1 ; do
[ $elt = wlan ] && tab=INPUT || tab=LIBVIRT_FWI
grep -q "^# blocks $elt" /etc/firewall.conf.newer || {
echo ERROR: maker not found "^# blocks $elt" in /etc/firewall.conf.newer
return 2
}
sed -e "/^# blocks $elt/,\$d" /etc/firewall.conf.newer > /etc/firewall.conf.$$
echo "# blocks $elt" >> /etc/firewall.conf.$$
for ip in $* ; do
grep -q $ip /etc/firewall.conf.block || \
grep -q $ip /etc/firewall.conf.block.newer || \
echo $ip >> /etc/firewall.conf.block.newer
grep -q -e "A $tab -s $ip" /etc/firewall.conf.newer && continue
echo "-A $tab -s $ip -p tcp -j DROP" >> /etc/firewall.conf.$$
DBUG "$prog -A $tab -s $ip -m tcp -p tcp -j DROP"
done
sed -e "1,/^# blocks $elt/d" /etc/firewall.conf.newer >> /etc/firewall.conf.$$
mv /etc/firewall.conf.$$ /etc/firewall.conf.newer
done
return 0
}
## proxy_whonix_host_online
proxy_whonix_host_online () {
[ -n "$PROXY_WLAN" ] || PROXY_WLAN=$( proxy_get_if ) || return 1$?
[ -z "$PROXY_WLAN" ] && echo ERROR: empty PROXY_WLAN && return 2
if [ -x /etc/init.d/NetworkManager ] ; then
/etc/init.d/NetworkManager status || /etc/init.d/NetworkManager start || return 3
else
proxy_rc_service NetworkManager status >/dev/null \
|| proxy_rc_service NetworkManager start || return 3$?
fi
nm-online -t 0 -x || return 4$?
return 0
}
## proxy_whonix_down - call when the network goes down
proxy_whonix_down () {
# $PREFIX/bin/proxy_ping_test.bash "$MODE" || return 1$?
proxy_ping_online && return 0 # dont do anything
# nothing to do?
return 0
}
## proxy_whonix_up - call when the network comes up
proxy_whonix_up () {
# $PREFIX/bin/proxy_ping_test.bash "$MODE" || return 1$?
proxy_ping_online || return 0 # dont do anything
return 0
}
## proxy_whonix_start_wget
proxy_whonix_start_wget () {
return 0
if [ -f /etc/wgetrc ] ; then
sp=https://127.0.0.1:3128
grep -q ^https_proxy /etc/wgetrc && \
sed -e "s@https_proxy.*@https_proxy = $sp@" -i /etc/wgetrc
grep -q ^https_proxy /etc/wgetrc && \
echo "https_proxy = $sp" >> /etc/wgetrc
grep -q ^http_proxy /etc/wgetrc && \
sed -e "s@http_proxy.*@http_proxy = $sp@" -i /etc/wgetrc
grep -q ^http_proxy /etc/wgetrc || \
echo "http_proxy = $sp" >> /etc/wgetrc
fi
sp=http://127.0.0.1:3128
for elt_proxy in http https ; do
grep -q ^$elt_proxy /etc/wgetrc && \
sed -e "s@$elt_proxy.*@$elt_proxy = $sp@" -i /etc/wgetrc || \
echo "$elt_proxy = $sp" >> /etc/wgetrc
done
return 0
}
if [ -x /usr/bin/basename ] && [ $( /usr/bin/basename -- $0 .bash ) = $base ] ; then
[ "$#" -eq 0 ] && exit 0
[ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && \
echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//'|sort && \
exit 0
DBUG $base "$@"
eval "$@"
exit $?
fi

2
overlay/Linux/usr/local/sbin/proxy_whonix_tor_start.bash Executable file
View file

@ -0,0 +1,2 @@
#!/bin/bash
exec sh proxy_whonix_gateway_tor.bash "$@"