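#!/bin/bash
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
#
# proxy_whonix_lib.bash -- helper functions for running a Whonix gateway /
# workstation behind a host proxy (tor, polipo, pdnsd, dnsmasq, libvirt).
#
# The functions below are sourced by other scripts under $PREFIX; when this
# file is invoked directly as proxy_whonix_lib.bash its arguments are passed
# to eval (see the dispatcher at the bottom of the file), so every function
# name here is also a command-line entry point.  Most functions edit files
# under /etc or start/stop services and therefore have to run as root.
#
# Globals read here that are NOT set in this file (presumably provided by
# the sourced libraries or the caller -- confirm): INFO (logger), wlan7
# (wireless interface name).
PREFIX=/usr/local
ROLE=proxy
prog=$( basename "$0" .bash )
export PATH=$PATH:$PREFIX/sbin:$PREFIX/bin
# tput helpers (INFO/WARN/DBUG presumably); not error-checked in the original.
. $PREFIX/bin/usr_local_tput.bash
PL=$PREFIX/bin/proxy_libvirt_lib.bash
# . $PREFIX/sbin/proxy_whonix_lib.bash || { echo ERROR: loading $PREFIX/sbin/proxy_whonix_lib.bash ; exit 2; }
. $PREFIX/bin/proxy_ping_lib.bash || \
    { echo ERROR: loading $PREFIX/bin/proxy_ping_lib.bash ; exit 2; }
base=proxy_whonix_lib

#######################################
# Point tor's "SocksPolicy accept" line at the current address of $wlan7
# in /etc/tor/torrc and /etc/tor/torrc-default.  Only files that already
# carry a SocksPolicy accept line are touched, and only when the address
# differs from the one already there.
# NOTE(review): a second, shorter definition of starbucks_torrc appears
# later in this file; because it is defined later it replaces this one
# when the file is sourced.
# Globals:   wlan7 (read), ip (written: the address that was found)
# Arguments: none
# Returns:   0 on success or when no address was found; 7 if wlan7 is
#            empty or ifconfig fails; 8 if the parsed address is not a
#            plain dotted IPv4 address (it is written into tor's access
#            policy, so nothing else may get there).
#######################################
starbucks_torrc () {
    local ifout file
    [ -n "$wlan7" ] || { echo ERROR: starbucks_torrc null wlan7 ; return 7 ; }
    # The original checked $? after the whole pipeline, which only reported
    # sed's status; capture ifconfig's status on its own.
    ifout=$( ifconfig "$wlan7" ) || \
	{ echo ERROR: starbucks_torrc ifconfig $wlan7 ; return 7 ; }
    ip=$( printf '%s\n' "$ifout" | grep -v '127.0.0.1\|grep' \
	  | grep 'inet.*broadcast' | sed -e 's/.*inet //' -e 's/ .*//' )
    [ -z "$ip" ] && return 0
    case "$ip" in
	*[!0-9.]*) echo ERROR: starbucks_torrc unexpected address "$ip" ; return 8 ;;
    esac
    for file in /etc/tor/torrc /etc/tor/torrc-default ; do
	[ -f "$file" ] || continue
	# The original grepped /etc/tor/torrc for both files; test $file.
	grep -q "^SocksPolicy accept " "$file" || continue
	grep -q "^SocksPolicy accept $ip\$" "$file" && continue
	sed -e "s@^SocksPolicy accept [^/]*\$@SocksPolicy accept $ip@" \
	    -i "$file"
    done
    return 0
}

#######################################
# Choose the network manager, the macchanger binary and unload the wifi
# driver modules for the interface named by $wlan7.
# NOTE(review): mgr is first set from the NetworkManager probe and then
# unconditionally overwritten with wicd, so the probe has no effect on
# mgr; left as-is because starbucks_restart relies on the final value.
# NOTE(review): an empty wlan7 calls exit, not return -- when this file
# is sourced that terminates the caller's shell.
# Globals:   wlan7 (read); NetworkManager, mgr, macchanger (written)
# Arguments: none
# Returns:   0; exits 1 when wlan7 is empty
#######################################
starbucks_set () {
    if [ -f /etc/init.d/network-manager ] ; then
	NetworkManager=network-manager
    elif [ -f /etc/init.d/NetworkManager ] ; then
	NetworkManager=NetworkManager
    elif [ -f /lib/systemd/system/NetworkManager ] ; then
	NetworkManager=NetworkManager
    else
	NetworkManager=network-manager
    fi
    mgr=$NetworkManager
    mgr=wicd
    [ -x /mnt/linuxBack52/usr/bin/macchanger ] && \
	macchanger=/mnt/linuxBack52/usr/bin/macchanger || \
	macchanger=macchanger
    # may be empty wlan7
    # ifconfig wlan7 2>/dev/null && wlan7=wlan7 || wlan7=wlp3s0
    if [ -z "$wlan7" ] ; then
	echo ERROR: null wlan7 ;exit 1
    fi
    INFO starbucks_set wlan7=$wlan7 mgr=$mgr macchanger=$macchanger
    # wlan7 is known to be non-empty here, so the original "-z" branch that
    # unloaded both driver families could never run and has been dropped.
    if [ "$wlan7" = wlan4 ] ; then
	rmmod iwlmvm iwlwifi 2>/dev/null >/dev/null &
    elif [ "$wlan7" = wlan6 ] || [ "$wlan7" = wlan7 ] ; then
	rmmod ath9k_htc ath9k_common ath9k_hw ath 2>/dev/null >/dev/null &
    fi
    sleep 5
    return 0
}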
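#######################################
# Switch the wireless interface name used throughout /etc to $1: reloads
# the driver modules, rewrites every wlan[0-9] reference in /etc and its
# immediate subdirectories, then starts dbus and wicd.
# NOTE(review): the sed runs over every file under /etc that mentions a
# wlanN name (backup files ending in ~ excluded), not just network config.
# Globals:   base_wlan_modules_unload/load, local_rc_service (presumably
#            from a sourced library -- confirm)
# Arguments: $1 - new interface name
# Returns:   1 when no name given; 1<status>/2<status> (file convention)
#            when module unload/load fails; 3 when /etc is not enterable
#######################################
starbucks_ip () {
    local wlan7
    [ $# -eq 0 -o -z "$1" ] && return 1
    wlan7=$1
    base_wlan_modules_unload $wlan7 || return 1$?
    base_wlan_modules_load $wlan7 || return 2$?
    # Without this guard a failed cd would rewrite files in the caller's cwd.
    cd /etc || return 3
    grep -l 'wlan[0-9]' * */* 2>/dev/null|grep -v ~$|xargs sed -e "s/wlan[0-9]/$wlan7/g" -i
    local_rc_service dbus start;local_rc_service wicd start
    return 0
}

#######################################
# Start the host-side services for the current $MODE, then (tor mode only)
# refresh tor's SocksPolicy with the current address.
# Globals:   MODE (read), PREFIX (read)
# Returns:   2 when MODE is empty; 3<status>/5<status> on failure
#######################################
starbucks_start_services () {
    [ -z "$MODE" ] && echo ERROR: $0 unknown MODE && return 2
    $PREFIX/sbin/proxy_whonix_host.bash start || return 3$?
    # $PREFIX/sbin/proxy_whonix_host.bash proxy_whonix_host_start $MODE || return 5$?
    [ "$MODE" != tor ] || starbucks_torrc || return 5$?
    return 0
}

# Stop the proxy services; thin wrapper over starbucks_restart stop.
starbucks_stop () {
    [ "$#" -eq 0 ] && set -- stop
    starbucks_restart stop
}

# old tor only
#######################################
# Run the systemctl/init.d action $1 (default start) for pdnsd and polipo
# when their config files exist, and for the network manager in $mgr.
# NOTE(review): $mgr is set by starbucks_set; if that has not run the
# manager line becomes "systemctl $1" with no unit.
# Globals:   mgr (read)
# Arguments: $1 - service action (start/stop/restart); default start
# Returns:   0 always (individual service failures are not reported)
#######################################
starbucks_restart () {
    [ "$#" -eq 0 ] && set -- start
    if [ -x /bin/systemctl ] ; then
	# [ -e /etc/tor/torrc ] && /bin/systemctl $1 tor >/dev/null
	[ -e /etc/pdnsd.conf ] && /bin/systemctl $1 pdnsd >/dev/null
	[ -e /etc/polipo.conf ] && /bin/systemctl $1 polipo >/dev/null
	/bin/systemctl $1 $mgr
    else
	# [ -e /etc/tor/torrc ] && /etc/init.d/tor $1
	[ -e /etc/pdnsd.conf ] && /etc/init.d/pdnsd $1
	[ -e /etc/polipo.conf ] && /etc/init.d/polipo $1
	/etc/init.d/$mgr $1
    fi
    return 0
}

#######################################
# Bring up the selected DNS resolver: launch dnscrypt-proxy in the
# background when $pdnsd is "dnscrypt" and it is not already running.
# NOTE(review): the log is truncated at /var/local/var/log/... but the
# "No servers configured" check reads $HARDEN_VAR_LOCAL/var/log/...; unless
# HARDEN_VAR_LOCAL is /var/local these are different files -- confirm.
# NOTE(review): the pdnsd branch stops pdnsd when it is NOT running; that
# reads inverted, but the intent is not recoverable from here.
# Globals:   pdnsd, HARDEN_VAR_LOCAL, DELAY (read)
# Returns:   11 when dnscrypt-proxy reports no servers; 12 when it is not
#            running after $DELAY seconds; otherwise the last command's status
#######################################
starbucks_pdnsd () {
    if [ "$pdnsd" = "dnscrypt" ] && \
	! ps ax | grep -v grep | grep -q /dnscrypt-proxy ; then
	cp /dev/null /var/local/var/log/dnscrypt-proxy.log
	$HARDEN_VAR_LOCAL/bin/dnscrypt-proxy --config $HARDEN_VAR_LOCAL/etc/dnscrypt-proxy.toml &
	sleep $DELAY
	[ ! -s /var/local/var/log/dnscrypt-proxy.log ] || \
	    ! grep -q 'No servers configured' $HARDEN_VAR_LOCAL/var/log/dnscrypt-proxy.log || return 11
	ps ax | grep -v grep | grep -q /dnscrypt-proxy || return 12
    elif [ "$pdnsd" = "pdnsd" ] && ! ps ax | grep -v grep | grep -q /pdnsd ; then
	if [ -x /bin/systemctl ] ; then
	    [ -e /etc/pdnsd.conf ] && /bin/systemctl stop pdnsd >/dev/null
	else
	    [ -e /etc/pdnsd.conf ] && /etc/init.d/pdnsd stop
	fi
    fi
}

#######################################
# Point tor's "SocksPolicy accept" line in /etc/tor/torrc at the current
# address of $wlan7.  This later definition replaces the one earlier in the
# file (which also handled torrc-default).
# NOTE(review): the original grep pattern ended in "$ip@" (a stray "@"), so
# it never matched and sed ran on every call; the pattern is now anchored
# to the exact address so an already-correct file is left alone.
# Globals:   wlan7 (read), ip (written)
# Returns:   7 if ifconfig fails; otherwise the status of the last command
#######################################
starbucks_torrc () {
    local ifout
    ifout=$( ifconfig "$wlan7" ) || \
	{ echo ERROR: starbucks_torrc ifconfig $wlan7 ; return 7 ; }
    ip=$( printf '%s\n' "$ifout" | grep -v '127.0.0.1\|grep' \
	  | grep 'inet.*broadcast' | sed -e 's/.*inet //' -e 's/ .*//' )
    [ -z "$ip" ] || \
	grep -q "^SocksPolicy accept $ip\$" /etc/tor/torrc || \
	sed -e "s@^SocksPolicy accept [^/]*\$@SocksPolicy accept $ip@" \
	    -i /etc/tor/torrc
}

## proxy_guest_firewall_config -- /etc/firewall.conf.ws.new
# Render the workstation firewall script to /etc/firewall.conf.ws.new by
# sourcing the Whonix workstation firewall and running its main with the
# iptables commands replaced by "echo" (so rules are printed, not applied).
# Returns: 2<status> if the firewall script cannot be sourced; else main's status
proxy_guest_firewall_config () {
    . $PREFIX/sbin/proxy_whonix_guest_workstation-firewall.bash || return 2$?
    source_config_folder
    iptables_cmd="echo iptables"
    ip6tables_cmd="echo # ip6tables"
    main > /etc/firewall.conf.ws.new
    return $?
}

## proxy_whonix_guest_config
# Placeholder: guest configuration is currently a no-op.
proxy_whonix_guest_config () {
    return 0
}

## proxy_whonix_guest_start
# Start the guest through the libvirt library ($PL).
proxy_whonix_guest_start () {
    $PL proxy_libvirt_start_guest
    return $?
}

## proxy_whonix_test_guest
# Test the guest through the libvirt library ($PL).
proxy_whonix_test_guest () {
    $PL proxy_libvirt_test_guest
    return $?
}

## proxy_whonix_gateway_config
# Configure dnsmasq for the gateway role (fixed address 10.0.2.15).
proxy_whonix_gateway_config () {
    proxy_whonix_dnsmasq_config gateway 10.0.2.15
    return 0
}

## proxy_whonix_dnsmasq_config
#######################################
# Create /etc/dnsmasq.conf.<dire> from the live dnsmasq.conf for the role
# in $1 (default: the current ping mode).
# NOTE(review): the copy of this file under review is corrupted from the
# "if [ ! -f $file.$dire ]" line to the closing brace -- the here-document
# bodies after the "cat >>" redirections are missing and the "if" is never
# closed, so this function does not parse as written.  Restore it from
# version control before relying on it; the tokens are kept verbatim here.
# Globals:   MODE (read/written), PORT, DEST (read, set by
#            proxy_dest_port_wlan_config)
# Arguments: $1 - role name (optional)
# Returns:   1 when PORT or DEST is empty
#######################################
proxy_whonix_dnsmasq_config () {
    local dire
    [ "$#" -eq 0 ] || dire=$1
    [ -z "$dire" ] && MODE="$( proxy_ping_mode )" && dire=$MODE
    [ -n "$MODE" ] || MODE=host
    proxy_dest_port_wlan_config
    [ -z "$PORT" -o -z "$DEST" ] && return 1
    # 9040 - no wgetrc polipo
    # need dnsmasq to 127
    file=/etc/dnsmasq.conf
    if [ ! -f $file.$dire ] ; then
	cp -p $file $file.$dire
	cat >> $file.conf <> $file.conf <> $file.conf <> $file.conf <> $file.conf <> $file.conf <> $file.$dire </dev/null || \
	    proxy_rc_service libvirtd start || \
	    echo WARN: libvirtd crashed - see /var/log/libvirt/libvirtd.log # 2>&1|tee $WLOG
	$PL proxy_libvirt_status
	return 0
}

## proxy_whonix_libvirt_start
#######################################
# Make sure libvirtd is running, then start the Whonix networks and the
# gateway domain ($1, else proxy_testforge_get_gateway_dom, else
# Whonix-Gateway).
# Globals:   DELAY (read)
# Arguments: $1 - libvirt domain name (optional)
# Returns:   5<status> if libvirtd cannot be started via init.d; 3 if it
#            cannot be started via proxy_rc_service or Whonix-Internal
#            cannot be started; 4 for Whonix-External; 5<status> when
#            "virsh start" of the domain fails
#######################################
proxy_whonix_libvirt_start () {
    local domain retval ret
    [ "$#" -ge 1 ] && domain=$1
    if [ ! -e /run/libvirt/libvirt-sock ] || ! proxy_rc_service libvirtd status >/dev/null ; then
	cp /dev/null /var/log/libvirt/libvirtd.log
	/etc/init.d/libvirtd status
	retval=$?
	# status 32 is what the init script returned when the daemon had
	# crashed; "zap" clears its stale state before restarting.
	[ $retval -eq 32 ] && WARN libvirtd crashed - zapping && /etc/init.d/libvirtd zap
	[ $retval -eq 0 ] || /etc/init.d/libvirtd start || return 5$?
	# error: Failed to start livirtd
	proxy_rc_service libvirtd start || return 3
	sleep $DELAY
    fi
    $PL proxy_libvirt_no_autostart
    $PL proxy_libvirt_start
    $PL proxy_libvirt_status
    proxy_virsh net-list | grep -q Whonix-Internal || virsh net-start Whonix-Internal || return 3
    proxy_virsh net-list | grep -q Whonix-External || virsh net-start Whonix-External || return 4
    [ -z "$domain" ] && domain="$( proxy_testforge_get_gateway_dom )"
    [ -z "$domain" ] && echo WARN: null proxy_testforge_get_gateway_dom && \
	domain=Whonix-Gateway && \
	INFO set proxy_testforge_get_gateway_dom $domain
    $PL proxy_libvirt_list | grep -v grep | grep "$domain" || \
	virsh start "$domain" || {
	    ret=$?
	    echo ERROR: proxy_whonix_libvirt_start failed virsh start $domain ret=$ret
	    return 5$ret
	}
    return 0
}

## proxy_whonix_test
#######################################
# Run the connectivity checks appropriate for role $1 (default $MODE):
# per-role guest/host tests, then the polipo/privoxy, resolver and ping
# tests.  ws/workstation are aliases for vda.
# NOTE(review): "tor" is matched by the first branch of the polipo/privoxy
# test, so the privoxy branch only ever runs for "host".
# Globals:   MODE, GATEW_DOM, prog, PREFIX (read); DOM (written)
# Arguments: $1 - role (client|nat|vda|gateway|tor|whonix|host|ws|workstation)
# Returns:   2 when the gateway domain is not running; 4 when polipo or
#            privoxy is not running; 5 when dnsmasq is not running;
#            6<status>/9<status> when a ping test fails
#######################################
proxy_whonix_test () {
    local dire
    [ "$#" -eq 0 ] && dire=$MODE || dire=$1
    # The original logged $dire before it was assigned (always empty).
    DBUG proxy_whonix_test $dire
    [ "$dire" = ws -o "$dire" = workstation ] && dire=vda
    if [ "$dire" = client ] ; then
	: # dunno - look at netstat? -nle4
    elif [ "$dire" = nat ] ; then
	$PL proxy_libvirt_test_guest
    elif [ "$dire" = vda -o "$dire" = gateway ] ; then
	proxy_whonix_test_guest
    elif [ "$dire" = tor ] ; then
	$PL proxy_libvirt_test_host
    elif [ "$dire" = whonix ] ; then
	$PL proxy_libvirt_no_autostart
	$PL proxy_libvirt_clean_virbr1_rules
	proxy_whonix_get_gateway_dom
	[ -z "$GATEW_DOM" ] && echo WARN: $prog DOM proxy_whonix_get_gateway_dom assuming Whonix-Gateway && DOM=Whonix-Gateway || DOM=$GATEW_DOM
	proxy_virsh list | grep -q "$DOM" || { echo ERROR: $prog $DOM not running ; return 2 ; }
	$PREFIX/bin/proxy_ping_test.bash from_tor || return 6$?
    fi
    #? gateway
    if [ "$dire" = whonix -o "$dire" = vda -o "$dire" = tor ] ; then
	proxy_rc_service polipo status >/dev/null >/dev/null || \
	    { echo ERROR: $prog polipo not running ; return 4 ; }
	$PREFIX/bin/proxy_ping_test.bash polipo || return 9$?
    elif [ "$dire" = host -o "$dire" = tor ] ; then
	proxy_rc_service privoxy status >/dev/null >/dev/null || \
	    { echo ERROR: $prog privoxy not running ; return 4 ; }
	$PREFIX/bin/proxy_ping_test.bash privoxy || return 9$?
    fi
    if [ "$dire" = vda -o "$dire" = ws -o "$dire" = workstation ] ; then
	proxy_clobber_resolv_local 10.152.152.10
    elif [ "$dire" = gateway -o "$dire" = whonix -o "$dire" = tor ] ; then
	proxy_rc_service dnsmasq status 2>/dev/null >/dev/null || \
	    { echo ERROR: $prog dnsmasq not running ; return 5 ; }
	proxy_clobber_resolv_local 127.0.0.1
    fi
    $PREFIX/bin/proxy_ping_test.bash dns # || return 9$?
    $PREFIX/bin/proxy_ping_test.bash $dire || return 6$?
    return 0
}

# Weher was this
## rc_host_symlink_etc_fstab
#######################################
# When the kernel was booted with root=/dev/vda, point /etc/fstab (if it is
# a symlink) at /etc/fstab.vda.
# Globals:   PROXY_IS_VDA (written: 0 when booted from /dev/vda)
# Returns:   1 when running on vda (symlink handled), 0 otherwise
#######################################
rc_host_symlink_etc_fstab () {
    grep -q root=/dev/vda /proc/cmdline
    PROXY_IS_VDA=$?
    if [ $PROXY_IS_VDA -eq 0 ] ; then
	[ -h /etc/fstab ] && [ -f /etc/fstab.vda ] && \
	    rm -f /etc/fstab && ln -s /etc/fstab.vda /etc/fstab
	return 1
	# else
	# [ -h /etc/fstab ] && [ -f /etc/fstab.4TA ] && \
	# rm -f /etc/fstab && ln -s /etc/fstab.4TA /etc/fstab
    fi
    return 0
}

## proxy_vda_config
#######################################
# Host-side setup for the vda (guest disk) case: fix fstab, enable the x1
# entry in /etc/inittab, uncomment the vda module list and link it into
# the modules directory.
# NOTE(review): the "if false ; then" guarding the modules block was
# commented out but its closing "fi" was not, which is a syntax error that
# prevents the whole file from loading; that "fi" is commented out below.
# NOTE(review): this function uses /etc/modules_load.d (underscore) while
# proxy_quest_config copies into /etc/modules-load.d (hyphen) -- confirm
# which directory is intended.
# Returns:   0
#######################################
proxy_vda_config () {
    rc_host_symlink_etc_fstab
    sed -e 's/^#x1/x1/' -i /etc/inittab
    # if false ; then
    sed -e 's/^#//' -i $PREFIX/etc/modules_load.d/vda*conf
    if [ ! -h /etc/modules_load.d/vda_mods.conf ] ; then
	ln -s $PREFIX/etc/modules_load.d/vda*conf /etc/modules_load.d/
    fi
    # fi
    if false ; then
	[ -f /etc/firewall.conf.vda ] && \
	    cp -p /etc/firewall.conf.vda /etc/firewall.conf
    fi
    return 0
}

## old_proxy_vda_config
# Previous version of proxy_vda_config: only enables x1 in /etc/inittab.
# NOTE(review): in the copy under review the definition line itself was
# commented out ("## old_proxy_vda_config () {"), leaving a bare "return 0"
# and a stray "}" at top level; the header is restored here.
old_proxy_vda_config () {
    [ -f /etc/inittab ] && sed -e 's/^#x1/x1/' -i /etc/inittab
    return 0
}

## proxy_vda_whonix_config
# Configure the host for a Whonix workstation on vda: DEST is the Whonix
# gateway address, port 9053 is passed through, interface eth0.
# NOTE(review): the original declared "local dir=vda" but passed "$dire",
# so the role argument was empty and the remaining arguments shifted left.
# Globals: DEST, PROXY_WLAN (written)
# Returns: status of proxy_host_whonix_config
proxy_vda_whonix_config () {
    local dire=vda
    DEST=10.152.152.10
    PROXY_WLAN=eth0
    proxy_host_whonix_config $dire $DEST 9053 $PROXY_WLAN
    return $?
}

## proxy_quest_config
# Guest-side setup: run proxy_vda_config, then copy the (uncommented) vda
# module list into /etc/modules-load.d if it is not already linked.
proxy_quest_config () {
    proxy_vda_config
    sed -e 's/^#//' -i $PREFIX/etc/modules_load.d/vda*conf
    if [ ! -h /etc/modules_load.d/vda_mods.conf ] ; then
	cp -np $PREFIX/etc/modules_load.d/vda*conf /etc/modules-load.d/
    fi
    return 0
}

## proxy_whonix_dnsmasq_start
#######################################
# Install /etc/dnsmasq.conf.<dire> as /etc/dnsmasq.conf (with wlanN
# replaced by the detected interface) and (re)start dnsmasq only when the
# config actually changed or the service is down.
# Globals:   MODE (read/written), PROXY_WLAN (written), prog (read)
# Arguments: $1 - role (optional; default ping mode)
# Returns:   1<status> if proxy_whonix_config fails; 4 if no interface;
#            8<status> if dnsmasq cannot be started
#######################################
proxy_whonix_dnsmasq_start () {
    local dire
    local service=dnsmasq
    [ "$#" -eq 0 ] || dire=$1
    [ -z "$dire" ] && MODE="$( proxy_ping_mode )" && dire=$MODE
    [ -n "$MODE" ] || MODE=host
    DBUG proxy_whonix_dnsmasq_start $dire $PROXY_WLAN
    proxy_whonix_config $dire || return 1$?
    PROXY_WLAN=$( proxy_get_if )
    [ -z "$PROXY_WLAN" ] && echo ERROR: $prog empty PROXY_WLAN && return 4
    sed -e "s/wlan[0-9]/$PROXY_WLAN/" -i /etc/dnsmasq.conf.$dire
    if diff /etc/dnsmasq.conf.$dire /etc/dnsmasq.conf >/dev/null ; then
	proxy_rc_service dnsmasq status >/dev/null || \
	    proxy_ping_dnsmasq_start || return 8$?
    else
	proxy_rc_service dnsmasq status >/dev/null && \
	    proxy_ping_dnsmasq_stop
	cp -p /etc/dnsmasq.conf.$dire /etc/dnsmasq.conf
	proxy_ping_dnsmasq_start || return 8$?
    fi
    return 0
}

## proxy_whonix_privoxy_start
#######################################
# Install /etc/polipo/config.<dire> as /etc/polipo/config (interface names
# substituted) and restart polipo when it changed, else ensure it runs.
# NOTE(review): a proxy_whonix_config failure is only warned about here
# (the "return 1$?" is commented out), unlike proxy_whonix_dnsmasq_start.
# Globals:   PROXY_WLAN (read)
# Arguments: $1 - role (optional; default ping mode)
# Returns:   2<status> on restart failure; 3<status> on start failure
#            (the original had "return 3$", a non-numeric value)
#######################################
proxy_whonix_polipo_start () {
    local dire
    local service=polipo
    [ $# -eq 1 ] && dire=$1
    [ -z "$dire" ] && dire="$( proxy_ping_mode )"
    DBUG proxy_whonix_start_$service $dire
    proxy_whonix_config $dire || \
	echo WARN: proxy_whonix_polipo_start proxy_whonix_config $dire $? # return 1$?
    sed -e "s/wlan[0-9]/$PROXY_WLAN/" -e "s/eth[0-9]/$PROXY_WLAN/" -i /etc/polipo/config.$dire
    if ! diff /etc/polipo/config.$dire /etc/polipo/config ; then
	cp -p /etc/polipo/config.$dire /etc/polipo/config
	proxy_rc_service $service restart || return 2$?
    else
	proxy_rc_service $service status >/dev/null || \
	    proxy_rc_service $service start||return 3$?
    fi
    return 0
}

## proxy_whonix_host_prepare_blocks
# Seed /etc/firewall.conf.block from $PREFIX/etc when it is missing/empty.
# Returns: 1 when neither copy exists
proxy_whonix_host_prepare_blocks () {
    if [ ! -s /etc/firewall.conf.block ] ; then
	if [ -f $PREFIX/etc/firewall.conf.block ] ; then
	    echo "WARN: $prog copying $PREFIX/etc/firewall.conf.block"
	    cp -p $PREFIX/etc/firewall.conf.block /etc/firewall.conf.block
	else
	    ERROR "$prog missing $PREFIX/etc/firewall.conf.block"
	    return 1
	fi
    fi
    return 0
}

## proxy_whonix_host_add_block
#######################################
# Add DROP rules for each address given (or, with no arguments, each entry
# of /etc/firewall.conf.block) to /etc/firewall.conf.newer, under the
# "# blocks wlan" (INPUT) and "# blocks virbr1" (LIBVIRT_FWI) markers.
# New addresses are also appended to /etc/firewall.conf.block.newer.
# Each entry is written verbatim into an iptables rule, so entries are
# restricted to address/CIDR/hostname characters before use.
# NOTE(review): the original had "\| return 1$?" after prepare_blocks --
# an escaped pipe passed as an argument -- so its failure was never
# checked; it is "||" now.
# Arguments: $@ - addresses to block (optional)
# Returns:   1<status> if the block list cannot be prepared; 2 if a marker
#            is missing; 3 if an entry contains unexpected characters
#######################################
proxy_whonix_host_add_block () {
    local elt tab ip
    # PROXY_WLAN=$( proxy_get_if )
    # [ $? -ne 0 -o -z "$PROXY_WLAN" ] && echo ERROR: $prog null interface && return 1
    if [ "$#" -eq 0 ] ; then
	proxy_whonix_host_prepare_blocks || return 1$?
	set -- $( cat /etc/firewall.conf.block )
    fi
    # DBUG "$prog adding $*"
    for ip in "$@" ; do
	case "$ip" in
	    *[!0-9A-Za-z.:/_-]*)
		echo ERROR: $prog unexpected characters in block entry "$ip"
		return 3 ;;
	esac
    done
    [ -f /etc/firewall.conf.newer ] || \
	cp -p /etc/firewall.conf /etc/firewall.conf.newer
    for elt in wlan virbr1 ; do
	[ $elt = wlan ] && tab=INPUT || tab=LIBVIRT_FWI
	grep -q "^# blocks $elt" /etc/firewall.conf.newer || {
	    echo ERROR: maker not found "^# blocks $elt" in /etc/firewall.conf.newer
	    return 2
	}
	# Everything above the marker, then the marker, then the rules, then
	# everything below the marker -- rebuilt into a temp file and moved.
	sed -e "/^# blocks $elt/,\$d" /etc/firewall.conf.newer > /etc/firewall.conf.$$
	echo "# blocks $elt" >> /etc/firewall.conf.$$
	for ip in "$@" ; do
	    grep -q -- "$ip" /etc/firewall.conf.block || \
		grep -q -- "$ip" /etc/firewall.conf.block.newer || \
		echo "$ip" >> /etc/firewall.conf.block.newer
	    grep -q -e "A $tab -s $ip" /etc/firewall.conf.newer && continue
	    echo "-A $tab -s $ip -p tcp -j DROP" >> /etc/firewall.conf.$$
	    DBUG "$prog -A $tab -s $ip -m tcp -p tcp -j DROP"
	done
	sed -e "1,/^# blocks $elt/d" /etc/firewall.conf.newer >> /etc/firewall.conf.$$
	mv /etc/firewall.conf.$$ /etc/firewall.conf.newer
    done
    return 0
}

## proxy_whonix_host_online
#######################################
# Ensure NetworkManager is running and wait (nm-online) for connectivity.
# Globals:   PROXY_WLAN (read; filled from proxy_get_if when empty)
# Returns:   1<status> if the interface cannot be detected; 2 if empty;
#            3/3<status> if NetworkManager cannot be started;
#            4<status> when nm-online reports no connectivity
#######################################
proxy_whonix_host_online () {
    [ -n "$PROXY_WLAN" ] || PROXY_WLAN=$( proxy_get_if ) || return 1$?
    [ -z "$PROXY_WLAN" ] && echo ERROR: empty PROXY_WLAN && return 2
    if [ -x /etc/init.d/NetworkManager ] ; then
	/etc/init.d/NetworkManager status || /etc/init.d/NetworkManager start || return 3
    else
	proxy_rc_service NetworkManager status >/dev/null \
	    || proxy_rc_service NetworkManager start || return 3$?
    fi
    nm-online -t 0 -x || return 4$?
    return 0
}

## proxy_whonix_down - call when the network goes down
# Currently a no-op hook: returns 0 whether or not proxy_ping_online succeeds.
proxy_whonix_down () {
    # $PREFIX/bin/proxy_ping_test.bash "$MODE" || return 1$?
    proxy_ping_online && return 0 # dont do anything
    # nothing to do?
    return 0
}

## proxy_whonix_up - call when the network comes up
# Currently a no-op hook: returns 0 whether or not proxy_ping_online succeeds.
proxy_whonix_up () {
    # $PREFIX/bin/proxy_ping_test.bash "$MODE" || return 1$?
    proxy_ping_online || return 0 # dont do anything
    return 0
}

## proxy_whonix_start_wget
#######################################
# Point /etc/wgetrc's http_proxy/https_proxy at the local polipo port.
# NOTE(review): the unconditional "return 0" on the first line disables the
# whole function; the code below it is kept as found except that the second
# https_proxy line now appends only when the key is absent ("||", as the
# http_proxy line does) instead of duplicating it ("&&").
# Returns:   0
#######################################
proxy_whonix_start_wget () {
    return 0
    if [ -f /etc/wgetrc ] ; then
	sp=https://127.0.0.1:3128
	grep -q ^https_proxy /etc/wgetrc && \
	    sed -e "s@https_proxy.*@https_proxy = $sp@" -i /etc/wgetrc
	grep -q ^https_proxy /etc/wgetrc || \
	    echo "https_proxy = $sp" >> /etc/wgetrc
	grep -q ^http_proxy /etc/wgetrc && \
	    sed -e "s@http_proxy.*@http_proxy = $sp@" -i /etc/wgetrc
	grep -q ^http_proxy /etc/wgetrc || \
	    echo "http_proxy = $sp" >> /etc/wgetrc
    fi
    sp=http://127.0.0.1:3128
    for elt_proxy in http https ; do
	grep -q ^$elt_proxy /etc/wgetrc && \
	    sed -e "s@$elt_proxy.*@$elt_proxy = $sp@" -i /etc/wgetrc || \
	    echo "$elt_proxy = $sp" >> /etc/wgetrc
    done
    return 0
}

# Command-line dispatcher: when this file is executed (not sourced) as
# proxy_whonix_lib.bash, "-h"/"--help" lists the functions and any other
# arguments are handed to eval.
# NOTE(review): eval re-parses its arguments as shell code, so every
# metacharacter in them (";", "$(...)", redirections) is interpreted with
# this script's privileges; if callers only ever pass a function name and
# plain arguments, invoking "$@" directly gives the same result without
# that exposure.
if [ -x /usr/bin/basename ] && [ "$( /usr/bin/basename -- "$0" .bash )" = "$base" ] ; then
    [ "$#" -eq 0 ] && exit 0
    [ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && \
	echo USAGE: $0 && grep '^[a-z].*()\|^## ' "$0" | sed -e 's/().*//'|sort && \
	exit 0
    DBUG $base "$@"
    eval "$@"
    exit $?
fi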