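#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# proxy_ping_test.bash - numbered connectivity / proxy / firewall / DNS
# tests for a Tor or Whonix host.  This header sets up the environment
# (logging helpers, proxy endpoints, python lib dir); the test bodies follow.
#
# Exit codes from this section: 2 (tput lib missing), 6 (ping lib missing),
# 1 (testforge config missing or unreadable), 4 (python minor version
# unknown), 5 (LIB given but no such python lib dir).
#
# ERROR/WARN/INFO/DBUG are presumably provided by usr_local_tput.bash;
# the proxy_* helpers by proxy_ping_lib.bash - neither is visible here.

. /usr/local/bin/usr_local_tput.bash || exit 2

PREFIX=/usr/local
ROLE=proxy
PYVER=3
# DEBUG=1
# TRACE=1

. /usr/local/bin/proxy_ping_lib.bash || \
    { ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 6; }
PL=/usr/local/bin/proxy_libvirt_lib.bash

declare -a tests

# Optional tools; a test that needs one is skipped when it is absent.
# command -v is the POSIX probe - 'which' is an external binary that is
# missing on some minimal images.
command -v traceroute >/dev/null 2>&1 && HAVE_TRACEROUTE=1 || HAVE_TRACEROUTE=0
command -v dig >/dev/null 2>&1 && HAVE_DIG=1 || HAVE_DIG=0
command -v nslookup >/dev/null 2>&1 && HAVE_NSLOOKUP=1 || HAVE_NSLOOKUP=0
command -v tor-resolve >/dev/null 2>&1 && HAVE_TOR_RESOLVE=1 || HAVE_TOR_RESOLVE=0

# FIX: the original test was inverted ([ -z "$prog" ] || prog=...), so $prog
# stayed empty unless the caller had already set it and every log line
# lost its program name.
[ -n "$prog" ] || prog=proxy_ping_test

# Proxy endpoints.  The lib getters are expected to export SOCKS_HOST,
# SOCKS_PORT, SOCKS_DNS, HTTPS_HOST and HTTP_HOST when they can; the
# defaults below apply when they leave a variable empty.
proxy_ping_get_socks >/dev/null
[ -z "$SOCKS_HOST" ] && SOCKS_HOST=127.0.0.1
[ -z "$SOCKS_PORT" ] && SOCKS_PORT=9050
[ -z "$SOCKS_DNS" ] && SOCKS_DNS=9053

HTTPS_PORT=9128
HTTPS_HOST=127.0.0.1
proxy_ping_get_https >/dev/null
[ -z "$HTTPS_HOST" ] && HTTPS_HOST=127.0.0.1

HTTP_PORT=3128
HTTP_PROXY_HOST=127.0.0.1
proxy_ping_get_http >/dev/null
[ -z "$HTTP_HOST" ] && HTTP_HOST=127.0.0.1

# Site configuration (BASE_PYTHON3_MINOR and friends).  Missing file and a
# failed source are both fatal.
[ -f "$PREFIX/etc/testforge/testforge.bash" ] && \
    . /usr/local/etc/testforge/testforge.bash >/dev/null || exit 1

# Python minor version ("3.9") from testforge's BASE_PYTHON3_MINOR when set,
# else from the interpreter.  ${!P} is bash indirection; the original used
# 'eval echo \$$P', which would have executed whatever that variable held.
P="BASE_PYTHON${PYVER}_MINOR"
PYTHON_MINOR="${!P}"
[ -n "$PYTHON_MINOR" ] || \
    PYTHON_MINOR=$( python$PYVER --version 2>&1 | sed -e 's@^.* @@' -e 's@\.[0-9]*$@@' )
[ -n "$PYTHON_MINOR" ] || exit 4

# lib vs lib64: detect when LIB is unset, validate when the caller set it.
if [[ -z "$LIB" && -d /usr/lib/python$PYTHON_MINOR ]] ; then
    LIB=lib
elif [[ -z "$LIB" && -d /usr/lib64/python$PYTHON_MINOR ]] ; then
    LIB=lib64
elif [[ -n "$LIB" && ! -d /usr/$LIB/python$PYTHON_MINOR ]] ; then
    #? ERROR LIB=$LIB but no /usr/$LIB/python$PYTHON_MINOR
    exit 5
fi

# max hops for the traceroute tests
THOPS=40
NEEDED_BINS="ping traceroute nmap dig nslookup tor-resolve"
NEEDED_SCRIPTS="
/usr/local/bin/proxy_ping_lib.bash
/usr/local/bin/proxy_ping_test.bash
"
# DEBIAN=0 on Debian-family systems; the curl-over-SOCKS tests are skipped
# there (see the curl (4) note in the test bodies).
grep -q Debian /etc/os-release
DEBIAN=$?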
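TIMEOUT=30

[ -n "$GATEW_DOM" ] || GATEW_DOM="$( proxy_testforge_get_gateway_dom )"
[ -n "$GATEW_DOM" ] || GATEW_DOM="Whonix-Gateway"

# Public resolvers used as "outside" targets (OpenDNS, Google).
DNS_HOST1="208.67.220.220"
# FIX: a stray 'ggggg' was glued onto this address, so every ping of
# DNS_HOST2 (proxy_do_ping) was aimed at "8.8.8.8ggggg" and failed.
DNS_HOST2="8.8.8.8"

[ -n "$DNS_TARGET" ] || DNS_TARGET=www.whatismypublicip.com # 108.160.151.39
# FIX: an unconditional reassignment right after this line threw away any
# HTTP_TARGET from the environment; the conditional default is kept.
[ -n "$HTTP_TARGET" ] || HTTP_TARGET=www.whatismypublicip.com # 108.160.151.39

# time.nist.gov 132.163.97.3
NTP_HOST1=132.163.97.3
# pool.ntp.org 78.46.53.2
NTP_HOST2=78.46.53.2

# Command templates.  These are deliberately unquoted where used so that
# they word-split into command + options.  CURL_ARGS comes from the
# environment and is also interpolated into root-run 'su -c' strings below,
# so it must be treated as trusted configuration, not user input.
# --no-check-certificate
WGET="wget --tries=1 --max-redirect=0 --timeout=$TIMEOUT -O /dev/null"
CURL="curl -o /dev/null $CURL_ARGS"
SCURL="/usr/local/bin/scurl.bash --output /dev/null"
NSL='nslookup -querytype=A -debug'
NETS='netstat -nl4e'
ALL=""

# USER is taken from the environment; root-only tests compare it to "root"
# as a skip gate, not as a privilege check (proxy_run_as_root and the
# proxy_ping_chattr call use id -u).  A wrong value only makes tests skip
# or fail.
[ -z "$USER" ] && USER=$(id -un )
[ "$USER" = root -a -n "$TRACE" -a "$TRACE" != '0' ] && DMESG_LINES=1 || DMESG_LINES=0

[ -n "$PROXY_WLAN" ] || PROXY_WLAN=$(proxy_ping_get_wlan) # fixme - required
PROXY_WLAN=$( echo $PROXY_WLAN | grep ^wlan | sed -e 's/:.*//' )
[ -n "$PROXY_WLAN_GW" ] || PROXY_WLAN_GW=$(proxy_ping_get_wlan_gw) # fixme - required
# NOTE(review): the gateway is filtered through the same ^wlan pattern as
# the interface name - confirm proxy_ping_get_wlan_gw returns a "wlanN:..."
# string, otherwise this empties PROXY_WLAN_GW and proxy_ping_broken
# treats ping as broken.
PROXY_WLAN_GW=$( echo $PROXY_WLAN_GW | grep ^wlan | sed -e 's/:.*//' )
MODE=$( proxy_ping_mode )
DNS_HOST=$SOCKS_HOST

# Moved after MODE is known: the original built this string before
# proxy_ping_mode ran, so -h always printed MODE= empty.
USAGE="$prog without arguments tests the current MODE=$MODE, or with 0 to list the tests by number, or one or more of the groups: "

# Unprivileged account used to probe what the firewall lets a plain uid do.
[ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
# FIX: anchor the passwd lookup on the full name ("^bin:"), the old "^bin"
# prefix match also hit accounts such as "binary".
[ -z "$PRIV_BIN_GID" ] && PRIV_BIN_GID=$( grep "^$PRIV_BIN_OWNER:" /etc/passwd | cut -d: -f 4 )

# Help index: the tests[N]="..." lines grepped out of this script, used to
# map group names to test numbers and for the "0" listing.
# SECURITY FIX: this used to be the fixed path /tmp/proxy_ping_test.hlp and
# was *sourced* - as root, from a world-writable directory - so any local
# user could pre-create that file (or a symlink) and have it executed by the
# next root run.  It is now a mktemp file owned by this process, regenerated
# before each use and removed on exit.  The EXIT trap replaces any trap a
# sourced lib may have installed; none is visible from here.
PROXY_PING_HLP=$(mktemp "${TMPDIR:-/tmp}/proxy_ping_test.hlp.XXXXXX") || exit 8
trap 'rm -f -- "$PROXY_PING_HLP"' EXIT

# Note on the failure idiom used by every test:
#     [ -z "$ALL" ] && exit $ARG$retval || continue
# ALL is set to "0" (non-empty) unconditionally below, so the exit branch
# never fires and every failing test falls through to the next one.  The
# exit status would be the test number concatenated with the return code
# (e.g. test 3 failing with 7 -> exit 37), truncated mod 256 above 255.

## proxy_test_netstat_dns
# Pass when something listens on port 53 according to netstat -nl4e.
# Uses the globals ARG, tests, ALL for reporting.
proxy_test_netstat_dns () {
    DBUG proxy_test_netstat_dns "$@"
    # trailing blank: match ":53 " so that :5353 does not count as a resolver
    $NETS | grep -q ":53 "
    retval=$?
    [ $retval -eq 0 ] && return 0
    ERROR $prog test=$ARG "${tests[$ARG]}" dns not running
    [ -z "$ALL" ] && exit $ARG$retval || return 1
}

## proxy_test_traceroute_icmp_gw
# ICMP traceroute to the wlan gateway; sets PROXY_WLAN_GW if it was empty.
proxy_test_traceroute_icmp_gw () {
    DBUG proxy_test_traceroute_icmp_gw "$@"
    [ -n "$PROXY_WLAN_GW" ] || PROXY_WLAN_GW=$(proxy_ping_get_wlan_gw) || return 1
    traceroute --icmp "$PROXY_WLAN_GW"
    retval=$?
    [ $retval -eq 0 ] && return 0
    ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval traceroute --icmp $PROXY_WLAN_GW
    [ -z "$ALL" ] && exit $ARG$retval || return 1
    # (the original had an unreachable GREP="-i icmp" / return 0 here;
    # the caller sets GREP itself)
}

## proxy_test_dig_direct
# Direct UDP/53 query to DNS_HOST1, bypassing any local resolver.
proxy_test_dig_direct () {
    DBUG proxy_test_dig_direct "$@"
    dig @$DNS_HOST1 pool.ntp.org +timeout=$TIMEOUT >/dev/null
    retval=$?
    [ $retval -eq 0 ] && return 0
    ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval dig @$DNS_HOST1
    [ -z "$ALL" ] && exit $ARG$retval || return 1
    # (unreachable INFO / GREP="53" dropped)
}

## proxy_test_curl_firewall_bin
# Run curl as the unprivileged PRIV_BIN_OWNER account with all proxies
# disabled, i.e. check what the firewall lets a plain uid reach directly.
# -k only disables certificate checking: this is a reachability probe, it
# says nothing about the identity of the peer.  Must be run as root (su).
proxy_test_curl_firewall_bin () {
    DBUG proxy_test_curl_firewall_bin "$@"
    su -c "$CURL -k --noproxy '*' https://$HTTP_TARGET" -s /bin/sh "$PRIV_BIN_OWNER" >/dev/null
    retval=$?
    [ $retval -eq 0 ] && return 0
    ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval \
        su -c "$CURL -k --noproxy '*' https://$HTTP_TARGET" -s /bin/sh $PRIV_BIN_OWNER
    # show the DROP counters so the log says which rule ate the packets
    proxy_iptables_save | tail | grep PTABLES_filter_DROP-o
    [ -z "$ALL" ] && exit $ARG$retval || return $retval
}

## proxy_ping_curl
# curl wrapper with a hard timeout.  Exit 35 (SSL connect error) is
# deliberately counted as success: the TCP connection reached the peer,
# which is all the reachability tests - including the expect-fail ones -
# care about.
proxy_ping_curl () {
    DBUG proxy_ping_curl "$@"
    local retval
    timeout -k $TIMEOUT $TIMEOUT $CURL "$@"
    retval=$?
    # "DEBUG: wierd failure curl: (35) Encountered end of file"
    [ $retval -eq 0 -o $retval -eq 35 ] && return 0
    return $retval
}

## proxy_ping_make_help
# Regenerate the help index from the installed copy of this script.
# Each tests[N]="..." assignment must stay alone on its line for the grep.
proxy_ping_make_help () {
    grep 'tests\[[0-9][0-9]*\]=' /usr/local/bin/proxy_ping_test.bash \
        > "$PROXY_PING_HLP"
    return 0
}

## proxy_ping_test_virbr
# Check libvirt bridge virbr$1 (default 1) on a host.  Always returns 0 as
# written: every path ends in "return 0", so the caller's failure branch
# (test 33) can never fire.
# NOTE(review): "[ -z "$CONN" ] || proxy_whonix_get_conn" only refreshes
# CONN when it is already set - looks inverted, left as-is since the
# helper's contract is not visible here.
proxy_ping_test_virbr () {
    local n=$1
    [ -z "$n" ] && n=1
    [ -z "$CONN" ] || proxy_whonix_get_conn
    [ "$CONN" = guest ] && return 0
    [ -e /proc/sys/net/ipv4/conf/virbr$n ] || return 0
    proxy_ifconfig virbr$n >/dev/null && return 0
    return 0
}

## proxy_ping_broken
# Decide (and cache in PING_BROKEN) whether ICMP to the wlan gateway is
# expected to work.  Return 0 means "ping is broken / do not rely on it":
# unconditionally on vda/ws/gateway modes and when no gateway is known,
# otherwise one probe ping decides.  Note the cached value is the shell
# status, so PING_BROKEN=0 means broken.
proxy_ping_broken () {
    DBUG proxy_ping_broken PROXY_WLAN=$PROXY_WLAN "$@"
    # 0 is true
    local a=$MODE
    if [ "$a" = vda -o "$a" = ws ]; then
        # grep 10.152.152.10 /etc/resolv.conf && PING_BROKEN=0
        return 0
    elif [ "$a" = gateway ]; then
        PING_BROKEN=0
        return 0
    elif [ -z "$PROXY_WLAN_GW" ] ; then
        PING_BROKEN=0
        return 0
    fi
    [ -n "$PING_BROKEN" ] && return $PING_BROKEN
    DBUG $prog proxy_ping_mode=$a PROXY_WLAN=$PROXY_WLAN PROXY_WLAN_GW=$PROXY_WLAN_GW
    ping -4 -I "$PROXY_WLAN" -c 1 -W $TIMEOUT "$PROXY_WLAN_GW" # 10.16.238.1
    if [ $? -ne 0 ] ; then
        PING_BROKEN=0
    else
        PING_BROKEN=1
    fi
    return $PING_BROKEN
}

## proxy_do_ping
# One ping to DNS_HOST2 over PROXY_WLAN (retried once after 4s on a plain
# "no reply"), then require "0%" packet loss in the output.  Sets PING=1 on
# success and PING_BROKEN=0 when ping itself errors out.
# SECURITY FIX: the output used to go to /tmp/P$$.log - a predictable name
# in a world-writable directory, written as root with ">", so a symlink
# planted there would have been followed and overwritten.  The output is now
# captured in a variable; no file is touched.
proxy_do_ping () {
    DBUG proxy_do_ping "$@"
    local out
    proxy_route_check || { ERROR $prog route not connected ; return 1$? ; }
    proxy_ping_broken && return 0
    [ -n "$PROXY_WLAN" ] || PROXY_WLAN=$(proxy_get_if) || \
        { ERROR $prog unable to get wlan $? ; return 2 ; }
    out=$( ping -4 -I "$PROXY_WLAN" -c 1 -W $TIMEOUT "$DNS_HOST2" 2>&1 )
    retval=$?
    if [ $retval -eq 1 ] ; then
        # false negatives
        sleep 4
        out=$( ping -4 -I "$PROXY_WLAN" -c 1 -W $TIMEOUT "$DNS_HOST2" 2>&1 )
        retval=$?
    fi
    [ $retval -lt 1 ] || {
        ERROR $prog do_ping $PROXY_WLAN retval=$retval
        PING_BROKEN=0
        return 3$retval
    }
    grep -q ' 0% ' <<<"$out" || \
        { ERROR $prog retval=$? test=$1 ping retval=$retval ; return 4 ; }
    PING=1
    grep 'packet\|bytes from' <<<"$out"
    return 0
}

## proxy_run_as_root
# 0 when euid is 0; otherwise log and return 1 (the exit 9 branch is dead
# while ALL is non-empty, see the note above).
proxy_run_as_root () {
    DBUG proxy_run_as_root "$@"
    [ $( id -u ) -eq 0 ] && return 0
    ERROR must be root
    [ -z "$ALL" ] && exit 9
    return 1
}

# could pull these out as tests and add them to
## proxy_test_pretest_exit
# Preconditions that abort the whole run: route, ping, resolv.conf.
# As called from the bottom of this script $1 is the *first test number*
# (never "panic"/"direct"/...), so from here only the else branch is taken;
# the named branches remain for callers that pass a scenario name.
proxy_test_pretest_exit () {
    proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
    if [ "$1" = panic -o "$1" = firewall ] ; then
        : dont ping on panic
        proxy_ping_broken || proxy_do_ping || \
            { WARN ping failed for panic so skipping ; exit 0 ; }
    elif [ "$1" = direct -o "$1" = gateway -o "$1" = vda -o "$1" = kick ] ; then
        proxy_ping_broken || proxy_do_ping || exit 3$?
        proxy_ping_test_resolv $MODE || \
            { WARN $prog proxy_ping_test_resolv=$? 'echo nameserver 127.0.0.1 > /etc/resolv.conf' ; exit 4 ; }
        proxy_ping_firewall_start || { ERROR "proxy_ping_firewall_start ret=$?" ; exit 5 ; }
    elif [ "$1" = nat ] ; then
        :
        proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
    else
        proxy_do_ping || exit 4$?
        # NOTE(review): "MODE=... exit 4" here are *arguments to WARN* (no ';'
        # before exit), so a resolv.conf problem only warns.  Since this is
        # the branch every run takes, it is left as-is; add ';' if an abort
        # was intended.  $dire is not set anywhere in this script.
        proxy_ping_test_resolv $MODE || \
            { WARN "$prog proxy_ping_test_resolv=$? /etc/resolv.conf.$dire" MODE=$MODE exit 4 ; }
    fi
    return 0
}

## proxy_test_help_args
# Map a group name (or scenario name) to the test numbers whose tests[N]
# label lists that group after " - ".  Output: the numbers on stdout.
# The selektor/whonix/torhost/torlibvirthost/gateway expansions add the
# groups those scenarios imply; note that proxy_ping_test_set_args never
# passes "gateway" or "selektor" here (it handles them itself).
proxy_test_help_args () {
    declare -a elts=()
    declare -a ret=()
    local elt
    if [ "$1" = selektor -o "$1" = whonix -o "$1" = torhost ] ; then
        elts=($1 socks http dns https tordns firefail)
    elif [ "$1" = torlibvirthost ] ; then
        elts=($1 libvirthost socks http https tordns firefail)
        elts+=($MODE)
    elif [ "$1" = gateway ] ; then
        elts=($1 libvirtguest socks dns http https firefail)
    else
        elts=($1)
    fi
    for elt in "${elts[@]}" ; do
        # DBUG proxy_test_help_args $elt $1 >&2
        # strip everything from ]= on, then everything up to "tests[" -> N
        ret+=( $(grep " -.* $elt " "$PROXY_PING_HLP" | \
                    sed -e 's/.=.*//' -e 's/.*tests.//') )
    done
    DBUG proxy_test_help_args "${ret[@]}" >&2
    echo "${ret[@]}"
    return 0
}

ALL=0

## proxy_ping_test_set_args
# Translate the command line (scenario names, group names, port numbers)
# into the list of test numbers to run, echoed on stdout.
proxy_ping_test_set_args () {
    declare -a aret=()
    proxy_ping_make_help
    ## to_tor - tor with the firewall host side client setup tor server - call tor,dns,ntp in addition
    [ "$1" = to_tor -o "$1" = test_tor -o "$1" = test_to ] && aret=( 6 13 16 ) && \
        ! proxy_ping_test_env && WARN to_tor and no proxy in env - use noenv
    ## vda - through the Gateway with the firewall - also polipo,panic - uses env
    [ "$1" = vda ] && aret=( 35 3 20 )
    ## kick - open firewall with tor running - call dns,polipo +tor in addition
    [ "$1" = kick -o "$1" = host ] && aret=( 24 31 13 16 6 ) # 30 24 31 6 13 16
    ## gateway - on the Gateway, trans firewall with tor running - call dns in addition
    [ "$1" = gateway ] && aret=( 23 25 4 5 30 24 17 3 21 ) # 31 6 16
    # aliases
    # socks defines http as the target of a user using socks
    [ "$1" = "$SOCKS_PORT" ] && set -- socks
    # http defines http as the target of a user using http
    [ "$1" = "$HTTP_PORT" ] && set -- http
    # https defines http as the target of a user using https
    [ "$1" = "$HTTPS_PORT" ] && set -- https
    # dns defines http as the target of a user using dns
    [ "$1" = "53" ] && set -- dns
    # tordns defines http as the target of a user using tordns
    [ "$1" = "9053" ] && set -- tordns
    [ "$1" = scan ] && set -- iwlist
    [ "$1" = panic ] && set -- firewall
    [ "$1" = to_gateway ] && set -- whonix
    [ "$1" = from_tor ] && set -- whonix
    [ "$1" = from_gateway ] && set -- gateway
    # FIX: was "set -- = trace", which made "=" the argument
    [ "$1" = traceroute ] && set -- trace
    [ "$1" = connected ] && set -- wifi
    [ "$1" = clear ] && set -- direct
    # scenarios - modes: nat selektor
    ## nat - through the Gateway via the nat
    [ "$1" = nat ] && \
        set -- ping dns socks http https tordns firefail libvirtguest # wifi?
    [ "$1" = whonix ] && \
        set -- ping tordns dns socks http https torhost tordns firefail gw
    [ "$1" = tor -o "$1" = selektor ] && \
        set -- ping tordns dns trace torhost nmap gw
    ## torhost implies - tor with the firewall to test the host side tor server - call to_tor,dns,ntp in addition
    [ "$1" = direct -o "$1" = '' ] && \
        set -- ping dns trace nmap gw
    ## all - all tests not stopping on the first error
    [ "$1" = all ] && ALL=1 # aret="${#tests[@]}"
    ## gw - test if we are connected to the gateway
    ## env - from the cmdline with a properly setup env
    ## firefail - test the proxy without env vars to expect failure
    ## torhost - running tor with the firewall
    ## http - assumes torhost or whonix and env setup
    ## https - assumes torhost or whonix and env setup
    ## socks - assumes torhost or whonix and env setup
    ## tordns - test 9053 for dns using tor-resolve
    ## dns - dns using tor or the gateway, with the firewall - does not assume env
    ## ping - connected routed test the ping to DNS hosts
    ## ntp - ntpdate through the firewall
    ## nmap - nmap sgid through the firewall - does not assume env
    ## iwlist - wlan scan of a wifi host
    ## firewall - test that the firewall blocks
    ## virbr1 - looks for virbr1 on a libvirt host torhost or whonix
    ## gateway - ssh to the whonix gateway from the torhost
    ## trace - traceroute to DNSHOST - icmp is allowed by the firewall, except on vda
    ## wifi - test if we are connected - call scan in addition
    ## libvirthost - hosting a libvirt container
    ## libvirtguest - in a libvirt container
    ## whonix - whonix torhost with libvirt container running gateway behind firewall - aliases: to_gateway from_tor
    ## direct - assume no firewall and no proxy - but may work depend on env
    local elt
    for elt in "$@" ; do
        case "$elt" in
            gw|''|env|https|http|socks|dns|torhost|tordns|whonix|libvirthost|\
            torlibvirthost|libvirtguest|virbr1|ping|trace|ntp|nmap|iwlist|\
            firefail|direct|wifi)
                aret+=( $(proxy_test_help_args "$elt") )
                ;;
            to_tor|test_tor|test_to|vda|kick|host|gateway)
                # preset list above; the old code warned "unrecognized" here
                ;;
            *)
                WARN unrecognized: $elt >&2
                ;;
        esac
    done
    DBUG "${aret[@]}" >&2
    echo "${aret[@]}"
    return 0
}

# -I $PROXY_WLAN -c 1 $DNS_HOST2
if [ "$#" = 0 ] ; then
    # default to mode
    set -- $MODE
fi
if [ "$1" = '-h' -o "$1" = '--help' ] ; then
    echo USAGE: $USAGE | sed -e 's/[0-9][0-9]*)/\n&/g'
    # every "## name - description" line except the function headers;
    # the old pattern [a-oq-z] also hid every group starting with p (ping).
    grep '^## ' "$0" | grep -v '^## proxy_' | sed -e 's/^## / /'
    exit 0
elif [ "$1" = 0 ] ; then
    INFO $prog PROXY_WLAN=$PROXY_WLAN MODE=$MODE
    echo 0 help "$PROXY_PING_HLP"
    # always rebuilt: the index is our own mktemp file, never a pre-existing
    # one, so sourcing it only evaluates lines grepped from this script
    proxy_ping_make_help
    . "$PROXY_PING_HLP"
    for elt in "${!tests[@]}" ; do
        echo $elt "${tests[$elt]}"
    done
    exit 0
elif [[ $1 =~ ^[0-9] ]] ; then
    : passthrough
else
    set -- $(proxy_ping_test_set_args "$@")
    DBUG running tests numbered "$@"
fi

proxy_test_pretest_exit "$1"
# https://stackoverflow.com/questions/8290046/icmp-sockets-linux/20105379#20105379
if [ $( id -u ) -eq 0 ] ; then
    proxy_ping_chattr
fi
DBUG $prog PROXY_WLAN=$PROXY_WLAN MODE=$MODE "$@"
# $( sysctl net.ipv4.ping_group_range )
# proxy_iptables_save|grep 216

# Main loop: one numbered test per argument.  Each test sets tests[N]
# (its label, used by the help index), runs, logs INFO/WARN/ERROR, and may
# set GREP - a dmesg filter (unquoted on purpose: "-i icmp" is two words)
# shown when DMESG_LINES > 0.  "as_user" tests expect to work without root;
# "as_root" tests skip unless USER is root.  Tests in the "firefail" group
# assert that a *raw* connection fails and log PANIC when it succeeds.
while [ "$#" -gt 0 ] ; do
    # DBUG $prog $1
    ARG=$1 ; shift
    GREP=""
    if [ -z "$ARG" ] ; then
        continue
    elif ! [ "$ARG" -ge 0 ] ; then
        ERROR $prog called with an unrecognized argument $ARG from $0
        exit 9
    elif [ $ARG -le 0 ] ; then
        # do the ping and resov.conf
        true
    elif [ $ARG -eq 1 ] ; then
        tests[1]="wget_https_as_user wget ${HTTPS_PORT} - https "
        [ -n "$https_proxy" ] && LARGS="" || \
            LARGS="env https_proxy=https://${HTTPS_HOST}:${HTTPS_PORT}"
        $LARGS $WGET https://$HTTP_TARGET
        retval=$?
        # wget 8 = the server answered with an HTTP error: still reachable
        if [ $retval -eq 8 -o $retval -eq 0 ] ; then
            INFO $prog test=$ARG "${tests[$ARG]}"
        else
            ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval test=$ARG
            [ -z "$ALL" ] && continue
        fi
        # works with fix
        GREP="${HTTPS_PORT}"
    elif [ $ARG -eq 2 ] ; then
        [ -n "$https_proxy" ] && LARGS="--proxy $https_proxy" || \
            LARGS="--proxy https://${HTTPS_HOST}:${HTTPS_PORT}"
        tests[2]="curl_https_as_user curl $LARGS https://$HTTP_TARGET - https "
        proxy_ping_curl $LARGS https://$HTTP_TARGET >/dev/null || {
            retval=$?
            ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $LARGS https://$HTTP_TARGET
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}"
        # works with fix
        GREP="${HTTPS_PORT}"
    elif [ $ARG -eq 3 ] ; then
        tests[3]="curl_socks_virbr1_as_user $SOCKS_HOST $SOCKS_PORT - torhost "
        # proxy_dest_port_wlan_config || { ERROR DEST=$DEST ; continue ; }
        # curl: (4) A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision
        [ $DEBIAN -eq 0 ] && continue
        [ -z "$socks_proxy" ] && socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
        # mode whonix implies torhost
        if [ "$MODE" = whonix ] ; then
            # the gateway guest must be listening on the socks port
            # ("15:" matches the 10.0.2.15 local address column)
            ssh -o ForwardX11=no user@10.0.2.15 netstat -nl4e | grep 15:$SOCKS_PORT || {
                retval=$?
                ERROR ssh -o ForwardX11=no user@10.0.2.15 netstat
                [ -z "$ALL" ] && exit $ARG$retval || continue
            }
            socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
            # FIX: the option was misspelt "n--dns-interface", which curl took
            # as a second URL, so this test never exercised virbr1
            proxy_ping_curl -x $socks_proxy \
                --interface virbr1 --dns-interface virbr1 https://$HTTP_TARGET >/dev/null || {
                retval=$?
                ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl -x $socks_proxy --interface virbr1 --dns-interface virbr1 https://$HTTP_TARGET
                [ -z "$ALL" ] && exit $ARG$retval || continue
            }
        else
            socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
            proxy_ping_curl -x $socks_proxy https://$HTTP_TARGET >/dev/null || {
                retval=$?
                ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl ${SOCKS_HOST} $SOCKS_PORT
                [ -z "$ALL" ] && exit $ARG$retval || continue
            }
        fi
        INFO $prog test=$ARG "${tests[$ARG]}"
        # works with user/pass
        GREP="$SOCKS_PORT"
    elif [ $ARG -eq 4 ] ; then
        tests[4]="dig_socks_through_as_user @${SOCKS_HOST} -p $SOCKS_DNS $DNS_TARGET - tordns "
        [ $HAVE_DIG = 1 ] || continue
        if [ "$MODE" = whonix ] ; then
            # test ssh to the whonix_gateway libvirt container
            # and make sure that the socks proxy is runninh
            # (informational only: the result is not checked, unlike test 3)
            ssh -o ForwardX11=no user@10.0.2.15 netstat -nl4e | grep 15:$SOCKS_DNS
        fi
        dig @${SOCKS_HOST} -p $SOCKS_DNS $DNS_TARGET +timeout=$TIMEOUT >/dev/null || {
            retval=$?
            WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig @${SOCKS_HOST} -p $SOCKS_DNS $DNS_TARGET
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}"
        # works with fix
        GREP="$SOCKS_DNS"
    elif [ $ARG -eq 5 ] ; then
        tests[5]="nslookup_socks_as_user - tordns "
        [ $HAVE_NSLOOKUP = 1 ] || continue
        desc="$NSL -port=$SOCKS_DNS $DNS_TARGET ${DNS_HOST}"
        $desc >/dev/null || {
            retval=$?
            WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval $desc
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}" $desc
        # works with fix
        GREP="$SOCKS_DNS"
    elif [ $ARG -eq 6 ] ; then
        proxy=$(proxy_ping_get_https)
        desc="curl --proxy http://${proxy}"
        tests[6]="curl_https_as_user - https "
        # --proxy-insecure: the proxy's own TLS is not verified (reachability only)
        proxy_ping_curl --proxy http://${proxy} \
            --proxy-insecure https://$HTTP_TARGET || {
            retval=$?
            WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval $desc
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}" $desc
        # works
        GREP="$HTTP_PORT"
    elif [ $ARG -eq 7 ] ; then
        # FIX: the label was stored under index 8, so test 7 had no label
        # and test 8's was overwritten
        tests[7]="traceroute_icmp_dns_as_root --icmp - trace "
        [ "$USER" = root ] || continue
        [ -n "$PROXY_WLAN" ] || proxy_get_if || continue
        [ $HAVE_TRACEROUTE = 1 ] || continue
        traceroute -i "$PROXY_WLAN" --icmp $DNS_TARGET -m $THOPS || {
            retval=$?
            ERROR $retval traceroute --icmp -m $THOPS
            # FIX: without "|| continue" a failure fell through to INFO
            [ -z "$ALL" ] && exit 7$retval || continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}"
        GREP="-i icmp"
    elif [ $ARG -eq 8 ] ; then
        tests[8]="traceroute_tcp_dns_as_root -i $PROXY_WLAN -p 53 -T4 - trace "
        [ "$USER" = root ] || continue
        [ -n "$PROXY_WLAN" ] || proxy_get_if || continue
        [ $HAVE_TRACEROUTE = 1 ] || continue
        traceroute -i "$PROXY_WLAN" -p 53 -T4 $DNS_TARGET -m $THOPS || {
            retval=$?
            WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval traceroute -T4 -p 53 -m $THOPS
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}"
        GREP="53"
    elif [ $ARG -eq 9 ] ; then
        # labelled as_user but gated on root like 7 and 8 (traceroute raw sockets)
        tests[9]="traceroute_icmp_dns_as_user -p 53 - trace "
        [ "$USER" = root ] || continue
        [ -n "$PROXY_WLAN" ] || proxy_get_if || continue
        [ $HAVE_TRACEROUTE = 1 ] || continue
        traceroute -i "$PROXY_WLAN" --icmp $DNS_TARGET -p 53 -m $THOPS || {
            retval=$?
            WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval traceroute -i $PROXY_WLAN --icmp -m $THOPS
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}"
        GREP="53"
    elif [ $ARG -eq 10 ] ; then
        tests[10]="wget_http_as_user $HTTP_PORT - http "
        proxy=$(proxy_ping_get_http)
        env http_proxy=http://${proxy} \
            $WGET -S http://$HTTP_TARGET 2>/dev/null
        retval=$?
        # 8 is an oddball
        if [ $retval -eq 8 -o $retval -eq 0 ] ; then
            INFO $prog test=$ARG "${tests[$ARG]}" wget $HTTP_PORT
        else
            WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval wget $HTTP_PORT
            [ -z "$ALL" ] && exit $ARG$retval || continue
        fi
        GREP="$HTTP_PORT"
    elif [ $ARG -eq 11 ] ; then
        tests[11]="curl_https_as_user - https "
        proxy=$(proxy_ping_get_https)
        proxy_ping_curl --proxy http://${proxy} \
            --proxy-insecure https://$HTTP_TARGET || {
            retval=$?
            ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $HTTP_PORT
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}"
        GREP="$HTTP_PORT"
    elif [ $ARG -eq 12 ] ; then
        tests[12]="nmap_dns_as_root --privileged --send-eth -Pn -sU -p U:53 $DNS_HOST1 - nmap direct "
        [ "$USER" = root ] || continue
        command -v nmap >/dev/null 2>&1 || continue
        [ -z "$DNS_HOST1" ] && DNS_HOST1="208.67.220.220"
        nmap --privileged --send-eth -Pn -sU -p U:53 "$DNS_HOST1" || {
            retval=$?
            ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval nmap 53
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}"
        # works
        GREP="53"
    elif [ $ARG -eq 13 ] ; then
        tests[13]="curl_firewall_bin - wifi "
        [ "$USER" = root ] || continue
        proxy_test_curl_firewall_bin || continue
        INFO $prog test=$ARG "${tests[$ARG]}" curl bin
        # works
        GREP="443"
    elif [ $ARG -eq 14 ] ; then
        tests[14]="traceroute_icmp_gw_as_root --icmp $PROXY_WLAN_GW - gw wifi "
        [ "$USER" = root ] || continue
        [ $HAVE_TRACEROUTE = 1 ] || continue
        proxy_test_traceroute_icmp_gw || continue
        # works
        INFO $prog test=$ARG "${tests[$ARG]}"
        GREP="-i icmp"
    elif [ $ARG -eq 15 ] ; then
        tests[15]="test_dig_direct - direct "
        [ $HAVE_DIG = 1 ] || continue
        proxy_test_dig_direct || continue
        INFO $prog test=$ARG "${tests[$ARG]}" proxy_test_dig_direct
    elif [ $ARG -eq 16 ] ; then
        tests[16]="nslookup_as_root nslookup $PRIV_BIN_OWNER - torhost "
        [ "$USER" = root ] || continue
        [ $HAVE_NSLOOKUP = 1 ] || continue
        # direct query to DNS_HOST1 as the unprivileged account
        su -c "$NSL $DNS_TARGET $DNS_HOST1" -s /bin/sh "$PRIV_BIN_OWNER" >/dev/null || {
            retval=$?
            ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval "$NSL $DNS_TARGET $DNS_HOST1" -s /bin/sh $PRIV_BIN_OWNER
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}"
        # works /fails but maybe a noop
        GREP="53"
    elif [ $ARG -eq 17 ] ; then
        tests[17]="ntpdate_as_root ntpdate without service - ntp "
        # FIX: this used to "exit 9" for a non-root user, silently ending
        # the whole run (the gateway preset lists 17 mid-way); skip instead,
        # like every other root-only test
        proxy_run_as_root || continue
        [ -x /usr/sbin/ntpdate ] || continue
        # Curious: even though sgid 2755 ntp it fails as su ntp
        # 12 Nov 23:28:35 ntpdate[17341]: bind() fails: Permission denied
        /usr/sbin/ntpdate "$NTP_HOST1" || {
            retval=$?
            ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval ntpdate
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}"
        GREP="123"
    elif [ $ARG -eq 18 ] ; then
        tests[18]="ntpdate_as_root ntpdate with servie - ntp "
        proxy_run_as_root || continue
        # ntpdate cannot bind 123 while ntpd holds it: stop the service first
        proxy_rc_service ntpd status >/dev/null && \
            proxy_rc_service ntpd stop >/dev/null && sleep 2
        /usr/sbin/ntpdate "$NTP_HOST1"
        retval=$?
        # FIX: bring ntpd back *before* evaluating the result - the old code
        # only restarted it on success, so a failed probe left the host
        # without its time service
        proxy_rc_service ntpd status >/dev/null || proxy_rc_service ntpd start
        [ $retval -eq 0 ] || {
            ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval ntpdate
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}"
        # works
        GREP="123"
    elif [ $ARG -eq 19 ] ; then
        tests[19]="curl_noproxy_http_as_user curl raw noproxy - firefail "
        # Expect-fail: a raw connection must be blocked by the firewall.
        # FIX: --noproxy was given the literal value '*.*' including the
        # quotes, which matches no host, so curl still honoured the
        # http_proxy/https_proxy environment and the "raw" request went
        # through the proxy - a success here then raised a false PANIC.
        proxy_ping_curl --noproxy '*' --connect-timeout $TIMEOUT \
            http://$HTTP_TARGET >/dev/null && {
            retval=$?
            ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" curl raw --noproxy
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}"
        GREP=80
    elif [ $ARG -eq 20 ] ; then
        tests[20]="curl_socksproxy_as_user curl $SOCKS_PORT - socks "
        # needs dns
        [ $DEBIAN -eq 0 ] && continue
        socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
        proxy_ping_curl -x $socks_proxy https://$HTTP_TARGET >/dev/null || {
            retval=$?
            ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $SOCKS_PORT
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}"
        # works with user/pass
        GREP="$SOCKS_PORT"
    elif [ $ARG -eq 21 ] ; then
        tests[21]="curl_httpsproxy_as_user - https "
        # FIX: the default used the never-set HTTPS_PROXY_HOST, i.e.
        # "http://:9128"; HTTPS_HOST is the variable set at the top.
        [ -z "$https_proxy" ] && https_proxy=http://${HTTPS_HOST}:${HTTPS_PORT}
        proxy_ping_curl -x $https_proxy https://$HTTP_TARGET >/dev/null || {
            retval=$?   # FIX: was never captured, so the log showed a stale value
            if [ "$MODE" = gateway ] ; then
                WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval curl ${HTTPS_HOST} ${HTTPS_PORT}
                continue
            else
                ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl ${HTTPS_HOST} HTTPS_PORT=${HTTPS_PORT}
                [ -z "$ALL" ] && exit $ARG$retval || continue
            fi
        }
        INFO $prog test=$ARG "${tests[$ARG]}" curl ${HTTPS_HOST} ${HTTPS_PORT}
        GREP="${HTTPS_PORT}"
    elif [ $ARG -eq 22 ] ; then
        tests[22]="iwlist_scan_as_user iwlist $PROXY_WLAN scan - iwlist "
        [ "$USER" = root ] || continue
        command -v iwlist >/dev/null 2>&1 || continue
        [ -n "$PROXY_WLAN" ] || proxy_get_if || continue
        iwlist "$PROXY_WLAN" scan >/dev/null || {
            retval=$?
            ERROR $prog retval=$retval test=$ARG $PROXY_WLAN scan
            # FIX: was "exit $ARG$1" - $1 is the *next* test number here
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}"
        # works
    elif [ $ARG -eq 23 ] ; then
        tests[23]="curl_proxy_as_user - direct "
        proxy_ping_curl --insecure https://$HTTP_TARGET >/dev/null || {
            retval=$?
            ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl direct
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}"
    elif [ $ARG -eq 24 ] ; then
        tests[24]="dig_direct_or_dnsmasq dig -b $IP $DNS_TARGET - direct "
        [ $HAVE_DIG = 1 ] || continue
        # IP is expected to be exported by proxy_ping_get_wlan_gw - not visible here
        [ -n "$PROXY_WLAN" -a -n "$IP" ] || proxy_ping_get_wlan_gw || continue
        [ -n "$IP" ] || continue
        dig -b "$IP" $DNS_TARGET +timeout=$TIMEOUT >/dev/null || {
            retval=$?
            WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}" dig -b $IP
    elif [ $ARG -eq 25 ] ; then
        tests[25]="nslookup_as_user - direct "
        [ $HAVE_NSLOOKUP = 1 ] || continue
        # noenv with or without proxy
        # @$DNS_HOST1 should fail for firewall unless dnsmasq is working
        $NSL >/dev/null $DNS_TARGET || {
            retval=$?
            WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval nslookup $DNS_TARGET
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}" nslookup
    elif [ $ARG -eq 26 ] ; then
        tests[26]="route_connected_ping_scan - direct "
        [ $HAVE_DIG = 1 ] || continue   # (gate inherited from the dig tests)
        #? done already in proxy_test_pretest_exit
        # message fixed: this is the ping, not a dig
        proxy_do_ping && \
            INFO $prog test=$ARG "${tests[$ARG]}" retval=$retval ping $DNS_HOST2 || \
            WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval ping $DNS_HOST2
    elif [ $ARG -eq 27 ] ; then
        tests[27]="dns_as_user dig -b 127.0.0.1 - direct "
        [ $HAVE_DIG = 1 ] || continue
        [ -n "$PROXY_WLAN" -a -n "$IP" ] || proxy_ping_get_wlan_gw || continue
        dig -b 127.0.0.1 $DNS_TARGET +timeout=$TIMEOUT >/dev/null || {
            retval=$?
            WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b 127.0.0.1
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}"
    elif [ $ARG -eq 28 ] ; then
        tests[28]="wget_as_user - direct "
        proxy_ping_test_env || { WARN $prog test=$ARG "${tests[$ARG]}" no proxy in env ; }
        $WGET -S https://$HTTP_TARGET 2>/dev/null
        retval=$?
        if [ $retval -eq 8 -o $retval -eq 0 ] ; then
            INFO $prog test=$ARG "${tests[$ARG]}" wget
        else
            ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval wget
            [ -z "$ALL" ] && exit $ARG$retval || continue
        fi
    elif [ $ARG -eq 29 ] ; then
        tests[29]="curl_as_user - direct "
        proxy_ping_test_env || { WARN $prog test=$ARG "${tests[$ARG]}" no proxy in env ; }
        proxy_ping_curl https://$HTTP_TARGET >/dev/null || {
            retval=$?
            ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}"
    elif [ $ARG -eq 30 ] ; then
        tests[30]="tor_bootstrap_check_as_root tor_bootstrap_check.py - torhost "
        [ "$MODE" = tor -o "$MODE" = whonix -o "$MODE" = selektor ] || {
            # are there other roles that run tor?
            WARN $prog MODE != tor test=$ARG
        }
        port=$SOCKS_PORT
        $NETS | grep -q ":$port " || {
            ERROR $prog retval=$? test=$ARG tor not running on $port
            [ -z "$ALL" ] && exit $ARG || continue
        }
        [ "$USER" = root ] || continue
        # was /usr/local/bin/tor_bootstrap_check.bash
        # FIX: was "return 1", which is an error at top level (not in a
        # function) and did not skip the test
        [ -f /usr/local/src/helper-scripts/tor_bootstrap_check.py ] || continue
        python3.sh /usr/local/src/helper-scripts/tor_bootstrap_check.py # morons 100%
        retval=$?
        # FIX: the old block re-read $? (always 1 from the test) into retval,
        # so the real bootstrap status was never logged
        [ $retval -eq 0 -o $retval -eq 100 ] || {
            WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval tor_bootstrap_check
        }
        INFO $prog test=$ARG "${tests[$ARG]}"
    elif [ $ARG -eq 31 ] ; then
        tests[31]="curl_noproxy_as_root polipo http pages $HTTP_PORT - direct http "
        # Expect-fail: a direct hit on the http proxy port must not succeed.
        # FIX: --noproxy takes an argument and the old line gave it the URL,
        # so curl had no URL left, exited 2 before connecting, and the test
        # reported INFO every time without testing anything.
        # NOTE(review): if the proxy *is* meant to be reachable in the http
        # group this assertion is inverted - confirm against the intent.
        proxy_ping_curl --noproxy '*' http://${HTTP_HOST}:$HTTP_PORT && {
            retval=$?
            ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" retval=$retval http to $HTTP_PORT
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}"
        # works
        GREP="$HTTP_PORT"
    elif [ $ARG -eq 32 ] ; then
        tests[32]="ping_nmap_direct_as_root nmap 53 - direct "
        [ "$USER" = root ] || continue
        command -v nmap >/dev/null 2>&1 || continue
        [ -n "$PROXY_WLAN" -a -n "$PROXY_WLAN_GW" ] || proxy_ping_get_wlan_gw || continue
        proxy_ping_nmap_direct "$DNS_HOST1" "$PROXY_WLAN_GW" U:67 || {
            retval=$?
            ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval nmapd 53
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}"
        # works
        GREP="53"
    elif [ $ARG -eq 33 ] ; then
        tests[33]="host_virbr_as_user proxy_ping_test_virbr 1 - libvirthost "
        # proxy_ping_test_virbr always returns 0 (see its header), so the
        # failure branch is currently unreachable
        proxy_ping_test_virbr 1 || {
            retval=$?
            ERROR $CONN virbr1 not running
            [ -z "$ALL" ] && exit 1 || continue
        }
        # * Immediate connect fail for 10.0.2.15: Connection refused
        INFO $prog test=$ARG "${tests[$ARG]}"
    elif [ $ARG -eq 34 ] ; then
        tests[34]="python_ping_as_root traceroute --icmp $PROXY_WLAN_GW - wifi "
        [ "$USER" = root ] || continue
        [ -n "$PROXY_WLAN_GW" -a -n "$IP" ] || PROXY_WLAN_GW=$(proxy_ping_get_wlan_gw) || continue
        [ -f /usr/local/bin/ping2.py ] || continue
        /usr/local/bin/ping2.py $IP "$DNS_HOST1" "$PROXY_WLAN_GW" || {
            retval=$?
            ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval ping2.py $DNS_HOST1
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        # works
        INFO $prog test=$ARG "${tests[$ARG]}"
        GREP="-i icmp"
    elif [ $ARG -eq 35 ] ; then
        tests[35]="dig_as_root - firewall dig @$DNS_HOST1 - torhost dns "
        [ "$USER" = root ] || continue
        [ $HAVE_DIG = 1 ] || continue
        # @$DNS_HOST1
        # system resolver path as the unprivileged account, through the firewall
        su -c "dig pool.ntp.org +timeout=$TIMEOUT" -s /bin/sh "$PRIV_BIN_OWNER" >/dev/null || {
            retval=$?
            ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval dig pool.ntp.org $PRIV_BIN_OWNER
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}"
        # works
        GREP="53"
    elif [ $ARG -eq 36 ] ; then
        tests[36]="tor_resolve_as_user tor-resolve pool.ntp.org - tordns "
        [ $HAVE_TOR_RESOLVE = 1 ] || continue
        tor-resolve pool.ntp.org >/dev/null || {
            retval=$?
            # dunno Failed parsing SOCKS5 response conf?
            WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval tor-resolve pool.ntp.org
            continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}"
        # works
        GREP="9053"
    elif [ $ARG -eq 37 ] ; then
        tests[37]="qemu-guest-agent and ports - libvirtguest "
        ser=qemu-guest-agent
        proxy_rc_service $ser status >/dev/null || proxy_rc_service $ser start
        proxy_rc_service $ser status >/dev/null || {
            retval=$?
            ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval $ser status
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        [ -d /dev/virtio-ports ] || {
            retval=$?
            ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval /dev/virtio-ports
            [ -z "$ALL" ] && exit $ARG$retval || continue
        }
        INFO $prog test=$ARG "${tests[$ARG]}"
        GREP=""
    elif [ $ARG -eq 38 ] ; then
        tests[38]="qemu-guest-agent and ports - libvirthost "
        [ "$USER" = root ] || continue
        $PL proxy_libvirt_list
        aret=$?
        if [ $aret -eq 10 ] ; then
            WARN proxy_libvirt_status hung
        elif [ $aret -ne 10 -a $aret -ne 0 ] ; then
            DBUG proxy_libvirt_status aret=$aret
        else
            # was $GATEW_DOM but now can be gentoo_vm-2 etc
            $PL proxy_libvirt_list 2>&1 | grep -q "running" || {
                WARN MODE=$MODE and nothing libvirt running
                continue
            }
            INFO $prog test=$ARG "${tests[$ARG]}"
        fi
    elif false ; then
        # disabled: local resolv.conf must have a listener on :53
        if ! grep -q '10.152.152.10\|127.0.0.1' /etc/resolv.conf ; then
            $NETS | grep -q :53 || {
                ERROR $prog retval=$? test=$ARG local resolv.conf but :53 not running
                [ -z "$ALL" ] && exit 1 || continue
            }
        fi
    fi
    # $GREP stays unquoted: "-i icmp" must split into option + pattern
    [ -n "$GREP" ] && [ $DMESG_LINES -gt 0 ] && \
        DBUG $(dmesg | tail | grep $GREP | tail -$DMESG_LINES)
done
exit 0

# Leftover notes from the original file (after exit, never parsed):
# 1) env https_proxy=http://${SOCKS_HOST}:${HTTPS_PORT} wget $D -O - --no-check-certificate
# 2) curl $D -k --proxy
# 3) curl $D -k --proxy socks5://${SOCKS_HOST}:$SOCKS_PORT --proxy-insecure
# 6) curl -k --proxy $HTTP_PORT
# 16) nslookup $PRIV_BIN_OWNER
# 18) ntpdate as sroot
# 19) curl raw noproxy
# 0) usage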