proxy_role/overlay/Linux/usr/local/bin/proxy_ping_lib.bash

#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
# shellcheck disable=SC2154
# Library-wide defaults: program name, the tput/logging helpers (DBUG, WARN,
# ERROR, INFO, dbug come from usr_local_tput.bash), role constants and the
# ifconfig binary to call (Debian ships it in /sbin, Gentoo in /bin).
: "${prog:=proxy_ping_lib}"
. /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
ROLE=proxy
base=proxy_ping_lib
# shellcheck disable=SC2154
USER=${USER:-$(id -un)}
# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
BASE_SRC_ANSIBLE=/g/TestForge/src/ansible
PROXY_GPG_KEYSERVER=keys.openpgp.org
# the last existing candidate wins, so /bin/ifconfig is preferred when both exist
PROXY_IFCONFIG=/sbin/ifconfig
[ -x /sbin/ifconfig ] && PROXY_IFCONFIG=/sbin/ifconfig
[ -x /bin/ifconfig ] && PROXY_IFCONFIG=/bin/ifconfig
# Wrapper around $PROXY_IFCONFIG that massages its first argument.
# Arguments: passed on to ifconfig; $1 is normally an interface name.
# Branches, in order (the regex tests look only at $1):
#   "DBUG:" in $1  -> log PANIC and exit 1 (this terminates the calling script)
#   ":" in $1      -> log WARN and truncate the whole argument list at its first ':'
#   no args / "-a" / wlanN -> passed through unchanged
#   otherwise      -> keep only $1 (any further arguments are dropped)
# Returns: ifconfig's status.
# Note: $* is expanded unquoted throughout, so arguments are re-split on IFS.
proxy_ifconfig () {
if [ $# -gt 0 ] && [[ $1 =~ .*DBUG:.* ]] ; then
dbug PANIC: $PROXY_IFCONFIG $*
# exit, not return: aborts the script that sourced this library
exit 1
elif [ $# -gt 0 ] && [[ $1 =~ .*:.* ]] ; then
dbug WARN: proxy_ifconfig $PROXY_IFCONFIG $*
# rewrite the positional parameters: everything from the first ':' on is dropped
set -- $( echo $* |sed -e 's/:.*//' )
elif [ $# -eq 0 ] || [[ $1 =~ .*-a.* ]] ; then
:
elif [ $1 = wlan4 -o $1 = wlan6 -o $1 = wlan7 ] || [[ $1 =~ wlan[0-9] ]] ; then
:
else
dbug proxy_ifconfig $PROXY_IFCONFIG $*
# fixme - required
# $1 cannot contain ':' here (handled above), so this only discards extra arguments
set -- $( echo $1 |sed -e 's/:.*//' )
fi
$PROXY_IFCONFIG $*
}
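# Proxy endpoint and privileged-account defaults; every one may be preset in
# the environment. Defect fixed: the PORT/HOST lines used "||", which assigned
# the default only when a value was ALREADY present (clobbering it) and left an
# unset value empty; they now behave like the other "[ -z ] &&" defaults.
# shellcheck disable=SC2154
[ -z "$PROXY_HTTP_PROXY_PORT" ] && PROXY_HTTP_PROXY_PORT=3128
# shellcheck disable=SC2154
[ -z "$PROXY_HTTP_PROXY_HOST" ] && PROXY_HTTP_PROXY_HOST="127.0.0.1"
# shellcheck disable=SC2154
[ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
# primary gid of the account; anchored on "name:" so "bin" cannot match "binx"
# shellcheck disable=SC2154
[ -z "$PRIV_BIN_GID" ] && PRIV_BIN_GID=$( grep "^$PRIV_BIN_OWNER:" /etc/passwd | cut -d: -f 4 )
# shellcheck disable=SC2154
[ -z "$PRIV_TOR_OWNER" ] && [ -d /etc/portage ] && PRIV_TOR_OWNER=tor
# shellcheck disable=SC2154
[ -z "$PRIV_TOR_OWNER" ] && [ -d /etc/apt ] && PRIV_TOR_OWNER=debian-tor
# with no tor account known, a bare "grep ^" would have matched every passwd line
# shellcheck disable=SC2154
[ -z "$PRIV_TOR_GID" ] && [ -n "$PRIV_TOR_OWNER" ] && PRIV_TOR_GID=$( grep "^$PRIV_TOR_OWNER:" /etc/passwd | cut -d: -f 4 )
set -o pipefail || { ERROR bash is required ; exit 1 ; }
# config files that name the wlan interface; proxy_ping_wlan_config rewrites wlan[0-9] in them
declare -a PROXY_WLAN_FILES
PROXY_WLAN_FILES=(
  /etc/conf.d/hostapd
  /etc/conf.d/net
  /etc/connman/main.conf
  /etc/default/macchanger
  /etc/dnsmasq.conf
  /etc/firewall.conf
  /etc/pdnsd/pdnsd.conf
  /etc/wicd/manager-settings.conf
  /usr/local/etc/testforge/testforge.bash
  /usr/local/etc/testforge/testforge.ini
  /usr/local/etc/testforge/testforge.yml
  /etc/snort/snort.debian.conf
)
# [ "$USER" != root ] && export PATH=/sbin:$PATH
export PATH=/bin:$PATH
# DEBIAN is 0 on Debian/Devuan, 1 elsewhere (2 when /etc/os-release is missing)
grep -q 'Debian\|Devuan' /etc/os-release
DEBIAN=$?
# connectivity probe targets and retry policy used by the ping/nmap helpers
DNS_HOST1="208.67.220.220"
DNS_HOST2="8.8.8.8"
HTTP_TARGET=172.217.169.14
CURL_ARGS="--connect-timeout 15 -s -S"
TRIES=10
DELAY=10
export PATH=$PATH:$PREFIX/sbin
# files with a per-MODE variant ("<file>.<mode>") applied by proxy_whonix_copy_files
declare -a PROXY_WHONIX_FILES
PROXY_WHONIX_FILES=(
  "$HOME/.gitconfig"
  /etc/dirmngr/dirmngr.conf
  /etc/dnsmasq.conf
  /etc/firewall.conf
  /etc/freshclam.conf
  /etc/gnupg/gpgconf.conf
  /etc/java-11-openjdk/net.properties
  /etc/polipo/config
  /etc/privoxy/config
  /etc/resolv.conf
  /etc/tor/torsocks.conf
  /var/local/etc/testforge/firefox/proxy.js
)
. /usr/local/etc/local.d/local.bash || { ERROR /usr/local/etc/local.d/local.bash ; exit 2 ; }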
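## proxy_rc_service
# Run an init-script action, preferring /etc/init.d/<svc> and falling back to
# local_rc_service (from local.bash) when no such script is executable.
# Arguments: $1 service name, remaining arguments the action (start/stop/status...)
# Returns: the init script's or local_rc_service's status.
# Defect fixed: the fallback passed an unquoted $*, re-splitting every argument.
proxy_rc_service () { DBUG proxy_rc_service MODE=$MODE "$@" ;
  local svc=$1
  if [ -x "/etc/init.d/$svc" ] ; then
    shift
    "/etc/init.d/$svc" "$@"
  else
    local_rc_service "$@"
  fi
}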
proxy_rc_update () { local_rc_update MODE=$MODE $* ; }
## proxy_ping_online
# Despite the old "ifconfig and nm-online" description, this only delegates to
# proxy_whonix_get_gateway_dom_bad and returns its status.
proxy_ping_online () {
  proxy_whonix_get_gateway_dom_bad
}
GATEW_DOM=
## proxy_whonix_get_gateway_dom_bad
# Resolve the Whonix gateway domain into GATEW_DOM. When it is already set it
# is printed (no newline) and nothing else happens; otherwise the TestForge
# inventory helper is consulted and the answer cached, but NOT printed, with
# "Whonix-Gateway" as the fallback. Returns 1 only when the helper fails.
proxy_whonix_get_gateway_dom_bad () {
  local host
  # shellcheck disable=SC2154
  if [ -n "$GATEW_DOM" ] ; then
    echo -n "$GATEW_DOM"
    return 0
  fi
  if [ -e /usr/local/bin/testforge_get_inventory.bash ] ; then
    host=$(/usr/local/bin/testforge_get_inventory.bash BOX_WHONIX_PROXY_HOST) || return 1
    [ -n "$host" ] && GATEW_DOM=$host
  fi
  # shellcheck disable=SC2154
  GATEW_DOM=${GATEW_DOM:-Whonix-Gateway}
  return 0
}
# Exercise dirmngr's keyserver path end to end: the dirmngr binary, privoxy
# listening on PROXY_HTTP_PROXY_PORT, gpg-connect-agent "loadswdb --force" and
# "keyserver", and, when an emacs elpa gnupg dirmngr is running, "keyserver
# --resolve <url>" for every argument against that homedir.
# Arguments: keyserver URLs (default: PROXY_GPG_KEYSERVER, gpg.mit.edu, keys.gnupg.net)
# Globals: ELOG/WLOG defaulted to /tmp/proxy_test_dirmngr<pid>.err/.log, PROXY_HTTP_PROXY_PORT
# Returns: 0 on success or when there is no default route; 2, 3, 4 for the
#   local checks; 5<st>..9<st> and 10 for the gpg-connect-agent steps (bash
#   keeps only the low 8 bits of a return value, so codes above 255 wrap).
# Notes: scratch files use predictable /tmp/Gpg*<pid>.tmp names; each
#   "[ $retval -ne 0 ] && ERROR ... && cat/rm ... && return N" chain only returns
#   when the ERROR/cat/rm calls all succeed, otherwise execution falls through;
#   retval, a, b and elt are globals.
proxy_test_dirmngr () { DBUG proxy_test_dirmngr MODE=$MODE $* ;
[ $# -eq 0 ] && set -- \
hkp://$PROXY_GPG_KEYSERVER \
hkp://gpg.mit.edu hkp://keys.gnupg.net
# shellcheck disable=SC2154
[ -z "$ELOG" ] && ELOG=/tmp/proxy_test_dirmngr$$.err
# shellcheck disable=SC2154
[ -z "$WLOG" ] && WLOG=/tmp/proxy_test_dirmngr$$.log
[ -h /usr/bin/dirmngr ] || {
ERROR /usr/bin/dirmngr not a symlink
return 2
}
# every hkp-cacert file named in dirmngr.conf should exist (WARN only)
grep ^hkp-cacert /etc/dirmngr/dirmngr.conf | while read a b; do
[ -f $b ] || WARN file not found $b
done
/usr/bin/dirmngr --version </dev/null || {
ERROR /usr/bin/dirmngr not working --version
return 3
}
# grep ^OK
DBUG /usr/bin/dirmngr working --version
# privoxy is presumably the HTTP proxy dirmngr goes through; start it if needed
/etc/init.d/privoxy status || /etc/init.d/privoxy start
/etc/init.d/privoxy status || {
WARN /etc/init.d/privoxy not running $PROXY_HTTP_PROXY_PORT
}
# /usr/local/bin/proxy_ping_test.bash 3128
netstat -nlpe4 | grep -q :$PROXY_HTTP_PROXY_PORT || {
ERROR /etc/init.d/privoxy not working $PROXY_HTTP_PROXY_PORT
return 4
}
DBUG /etc/init.d/privoxy working $PROXY_HTTP_PROXY_PORT
# offline box: nothing below can work, so report success
route | grep -q ^default || return 0
gpg-connect-agent --dirmngr 'loadswdb --force' /bye </dev/null >/tmp/GpgL$$.tmp 2>&1
retval=$?
# the scratch file is not removed on this failure path
[ $retval -ne 0 ] && \
ERROR gpg-connect-agent 'loadswdb --force' /tmp/GpgL$$.tmp && \
cat /tmp/GpgL$$.tmp && \
return 5$retval
! grep -q OK /tmp/GpgL$$.tmp && \
ERROR gpg-connect-agent 'loadswdb --force' not OK `cat /tmp/GpgL$$.tmp` && \
rm -f /tmp/GpgL$$.tmp && \
return 6$retval
DBUG gpg-connect-agent OK `cat /tmp/GpgL$$.tmp`
rm -f /tmp/GpgL$$.tmp
gpg-connect-agent </dev/null --dirmngr 'keyserver' /bye >/tmp/GpgG$$.tmp 2>&1
retval=$?
[ $retval -ne 0 ] && \
ERROR gpg-connect-agent 'keyserver' `cat /tmp/GpgG$$.tmp` && \
rm -f /tmp/GpgG$$.tmp && \
return 7$retval
# a configured keyserver is reported on an "S ..." status line
grep -q ^S /tmp/GpgG$$.tmp || { \
ERROR gpg-connect-agent 'keyserver' no S `cat /tmp/GpgG$$.tmp` && \
rm -f /tmp/GpgG$$.tmp && \
return 8$retval
}
DBUG gpg-connect-agent 'keyserver' S `cat /tmp/GpgG$$.tmp`
# only when a dirmngr for the emacs elpa gnupg homedir is already running
if [ -d /root/.emacs.d/elpa/gnupg ] && \
ps ax | grep -q -e '--homedir /root/.emacs.d/elpa/gnupg' ; then
for elt in "$@" ; do
# command script for gpg-connect-agent -r
echo keyserver --resolve $elt /bye > /tmp/GpgR$$.tmp
gpg-connect-agent </dev/null --dirmngr --homedir /root/.emacs.d/elpa/gnupg \
-r /tmp/GpgR$$.tmp >/tmp/GpgC$$.tmp 2>&1
retval=$?
[ $retval -ne 0 ] && \
ERROR gpg-connect-agent $elt `cat /tmp/GpgC$$.tmp` | tee -a $ELOG && \
rm -f /tmp/GpgC$$.tmp && \
return 9$retval
grep -q 'ERR\|failed:' /tmp/GpgC$$.tmp && \
ERROR gpg-connect-agent $elt `tail -1 $ELOG` && \
rm -f /tmp/GpgC$$.tmp && \
return 10
INFO gpg-connect-agent $elt
done
rm -f /tmp/GpgC$$.tmp
fi
return 0
}
## proxy_whonix_get_gateway_dom
# Print (no newline) the Whonix gateway domain: a cached GATEW_DOM wins, then
# proxy_testforge_get_gateway_dom, then the literal "Whonix-Gateway". Returns 0.
proxy_whonix_get_gateway_dom () {
  # shellcheck disable=SC2154
  if [ -n "$GATEW_DOM" ] ; then
    echo -n "$GATEW_DOM"
    return 0
  fi
  if proxy_testforge_get_gateway_dom "$@" ; then
    return 0
  fi
  GATEW_DOM=Whonix-Gateway
  echo -n "$GATEW_DOM"
  return 0
}
## proxy_testforge_get_gateway_dom
# Look BOX_WHONIX_PROXY_HOST up in the TestForge inventory, cache it in
# GATEW_DOM and print GATEW_DOM (no newline; may be empty). Sources
# testforge.bash when present. Returns 1 only when the inventory helper fails.
proxy_testforge_get_gateway_dom () {
  local host
  # shellcheck disable=SC2154
  if [ -n "$GATEW_DOM" ] ; then
    echo -n "$GATEW_DOM"
    return 0
  fi
  [ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
  # shellcheck disable=SC2154
  if [ -n "$BASE_SRC_ANSIBLE" ] && [ -d $BASE_SRC_ANSIBLE ] && [ -x /usr/local/bin/testforge_get_inventory.bash ] ; then
    host=$(/usr/local/bin/testforge_get_inventory.bash BOX_WHONIX_PROXY_HOST) || return 1
    # the "|| return 1" above already guarantees the lookup succeeded
    [ -n "$host" ] && GATEW_DOM=$host
  fi
  echo -n "$GATEW_DOM"
  return 0
}
#move later
## proxy_whonix_mode
# Alias for proxy_ping_mode; prints the mode and returns its status.
proxy_whonix_mode () {
  proxy_ping_mode
}
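## proxy_ping_mode
# Detect the box's proxy/network mode and print it (no newline). A preset MODE
# is printed as-is (with a newline) and nothing is probed. Detection order,
# first match wins: vda (root on /dev/vda), selektor (SelekTOR tor process),
# ws (eth1 at 10.152.152.11), gateway (eth0 at 10.0.2.15), nat (eth0 in
# 10.0.2.*), tor (/var/log/tor plus a running tor service), then the TestForge
# inventory (BOX_PROXY_MODE, or "whonix" when BOX_WHONIX_PROXY_HOST is set).
# Sets: MODE. Returns 0.
# Defects fixed: mode and host leaked as globals; "cat file | grep" replaced by
# grep on the file. The scratch file keeps its predictable /tmp name for
# compatibility with the other helpers.
proxy_ping_mode () { #
  local ifcfg mode host
  # shellcheck disable=SC2154
  [ -n "$MODE" ] && echo "$MODE" && return 0
  ifcfg=/tmp/ipconfig-a.$$
  proxy_ifconfig -a > "$ifcfg"
  if grep -q /dev/vda /proc/cmdline ; then
    MODE=vda
  elif ps ax | grep -v grep | grep -q 'tor -f /var/lib/tor/.SelekTOR/3xx' ; then
    # must come before ws gw
    MODE=selektor
  elif grep -A 1 eth1 "$ifcfg" | grep -q 10.152.152.11 ; then
    MODE=ws
  elif grep -A 1 eth0 "$ifcfg" | grep -q 10.0.2.15 ; then
    MODE=gateway
  elif grep -A 1 eth0 "$ifcfg" | grep -q 10.0.2. ; then
    MODE=nat
  elif [ -d /var/log/tor ] && proxy_rc_service tor status >/dev/null 2>/dev/null ; then
    # a running tor takes precedence over whonix
    MODE=tor
  elif [ -f $PREFIX/bin/testforge_get_inventory.bash ] ; then
    mode=$( $PREFIX/bin/testforge_get_inventory.bash BOX_PROXY_MODE )
    if [ -n "$mode" ] ; then
      MODE=$mode
    else
      host=$( $PREFIX/bin/testforge_get_inventory.bash BOX_WHONIX_PROXY_HOST )
      [ -n "$host" ] && MODE=whonix
    fi
  fi
  rm -f "$ifcfg"
  echo -n "$MODE"
  return 0
}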
# proxy_wlan_modules_reload: unload, then reload the driver modules for the
# interface $1 (may be empty, the helpers then fall back to PROXY_WLAN).
# Returns 1<status> when the unload fails, 2<status> when the load fails, else 0.
proxy_wlan_modules_reload () {
  local wlan7=$1
  proxy_wlan_modules_unload $wlan7 || return 1$?
  proxy_wlan_modules_load $wlan7 || return 2$?
  return 0
}
base_wlan_modules_load () { proxy_wlan_modules_load ; }
## proxy_wlan_modules_load
# Load the wifi driver for an interface, then randomise its MAC with macchanger.
# Arguments: $1 interface name (defaults to PROXY_WLAN); non-root is a no-op (0)
# Driver choice is hard-coded by interface name: wlan6/wlan7 -> iwlmvm,
# wlan4 -> ath9k_htc, anything else returns 3.
# Returns 3 without an interface, 8 when ifconfig cannot see it after the
#   modprobe, 1 when "macchanger -A" fails, 0 otherwise.
# Notes: t (a python2-generated random MAC) is computed but unused because the
#   "macchanger -m" call is commented out; the "macchanger -s | while read" loop
#   runs in a pipeline subshell, so its ERROR/return 2 never leave that
#   subshell and the function still returns 0; t, old, a and b are globals;
#   the unquoted "[ $wlan7 = ... ]" tests break if the name filter below
#   leaves wlan7 empty (e.g. an en* device).
proxy_wlan_modules_load () { DBUG proxy_wlan_modules_load MODE=$MODE $* ;
local wlan7
wlan7=$1
proxy_ping_check_root || return 0
# shellcheck disable=SC2154
if [ -z "$wlan7" ] ; then
wlan7=$PROXY_WLAN
fi
# shellcheck disable=SC2154
if [ -z "$wlan7" ] ; then
WARN proxy_wlan_modules_load empty wlan7 PROXY_WLAN
return 3
else
# failsafe
# keep only eth*/wlan* names, truncated at the first ':' or space
wlan7=$( echo $wlan7 | grep '^eth\|^wlan' |sed -e 's/[: ].*//' )
fi
if [ $wlan7 = wlan7 ] ; then
modprobe iwlmvm
elif [ $wlan7 = wlan6 ] ; then
modprobe iwlmvm
elif [ $wlan7 = wlan4 ] ; then
# this is right but sometimes does not pull in the rest
# modprobe ath ath9k_hw ath9k_common ath9k_htc
modprobe ath9k_htc
else
# no default
return 3
fi
# fixed wait after modprobe before the interface is expected to exist
sleep 5
proxy_ifconfig $wlan7 >/dev/null || { return 8 ; }
# take the interface down before macchanger runs
proxy_ifconfig $wlan7 | grep -qi up && \
proxy_ifconfig $wlan7 down >/dev/null
# unused: see the commented "macchanger -m" below
t=`python2 -c "from random import Random;print ':'.join(['%02x' % Random().randint(0,255) for i in range(6)])"`
# macchanger $wlan7 -m $t
macchanger $wlan7 -A >/dev/null || return 1
old=""
# presumably compares the two address lines of "macchanger -s" -- runs in a
# subshell, so the ERROR/return 2 below have no effect on the function (see notes)
macchanger -s $wlan7 | while read a b ; do
[ "$old" = "" ] && old=$b && continue ;
[ "$old" != "$b" ] && dbug "$old $b" && break
ERROR "$old = $b"
return 2
done
return 0
}
proxy_base_wlan_modules_unload () { proxy_wlan_modules_unload ; }
base_wlan_modules_unload () { proxy_wlan_modules_unload ; }
## proxy_wlan_modules_unload
# Tear a wifi interface down and unload its driver: kill dhclient and
# dnscrypt-proxy, bring the interface down, drop NetworkManager leases, rmmod.
# Arguments: $1 interface name; "eth2" is resolved via proxy_set_if; non-root is a no-op (0)
# Returns 1 when no interface is given, 1<status> when proxy_set_if fails,
#   2 when the name is empty, 0 otherwise (rmmod failures are not checked).
# Notes: "[ $# -eq 0 ] && return 1 || wlan7=$1" re-reads a $1 that is already
#   known to be empty; "pkill /sbin/dhclient" matches by command-line pattern;
#   only the first dnscrypt-proxy PID is killed because the unquoted "<<< $a"
#   flattens the ps output to one line; the macchanger variable is unused.
# NOTE(review): wlan4 unloads iwlmvm/iwlwifi here, but proxy_wlan_modules_load
#   loads ath9k_htc for wlan4 -- one of the two looks wrong; confirm first.
proxy_wlan_modules_unload () { DBUG proxy_wlan_modules_unload ;
local wlan7
wlan7=$1
proxy_ping_check_root || return 0
# shellcheck disable=SC2154
if [ -z "$wlan7" ] ; then
[ $# -eq 0 ] && return 1 || wlan7=$1
fi
if [ "$wlan7" = eth2 ] ; then
PROXY_WLAN=$( proxy_set_if ) || return 1$?
wlan7=$PROXY_WLAN
fi
# shellcheck disable=SC2154
[ -z "$wlan7" ] && return 2
macchanger=macchanger
pkill /sbin/dhclient
proxy_ifconfig $wlan7 down >/dev/null || true
proxy_ifconfig $wlan7 | grep -qi "up" && proxy_ifconfig $wlan7 down >/dev/null
# a is the matching "ps ax" line(s); $? is grep's status
a=`ps ax | grep -v grep | grep dnscrypt-proxy`
if [ $? -eq 0 ] ; then
# first field of the flattened line: the PID
b=`sed -e 's/^ *//' -e 's/ .*$//' <<< $a`
# shellcheck disable=SC2154
[ -z "$b" ] || kill $b
fi
rm -f /var/lib/NetworkManager/*lease
if [ "$wlan7" = wlan7 ] ; then
rmmod iwlmvm iwlwifi # 2>/dev/null
elif [ "$wlan7" = wlan4 ] ; then
rmmod iwlmvm iwlwifi # 2>/dev/null
else
rmmod ath9k_htc ath9k_common ath9k_hw ath 2>/dev/null
fi
# fixed settle time after rmmod
sleep 5
return 0
}
## proxy_get_wlan_ip
# Print (no newline) the IPv4 address of PROXY_WLAN as shown by ifconfig
# (its "inet ... broadcast" line), resolving PROXY_WLAN via proxy_set_if when unset.
# Sets: PROXY_WLAN (normalised), PROXY_WLAN_IP (may be empty) -- both globals
# Returns 1<status> when proxy_set_if fails or yields nothing, 2<status> when
#   the ifconfig pipeline fails, 0 otherwise (even with an empty address).
# Notes: the first normalisation keeps only eth*/wlan* names, so the "^en"
#   alternative in the second one can never admit anything new; if several
#   "inet ... broadcast" lines exist, PROXY_WLAN_IP holds every match.
proxy_get_wlan_ip () {
# shellcheck disable=SC2154
if [ -z "$PROXY_WLAN" ] ; then
PROXY_WLAN=$( proxy_set_if )
[ $? -eq 0 -a -n "$PROXY_WLAN" ] || { return 1$? ; }
fi
# fixme - required
PROXY_WLAN=$( echo $PROXY_WLAN | grep '^eth\|^wlan' |sed -e 's/:.*//' )
PROXY_WLAN_IP=$( proxy_ifconfig $PROXY_WLAN | grep -v '127.0.0.1\|grep' | grep 'inet.*broadcast' | sed -e 's/.*inet //' -e 's/ .*//' ) || return 2$?
# REQUIRED!
PROXY_WLAN=$( echo $PROXY_WLAN | grep '^eth\|^wlan\|^en' |sed -e 's/:.*//' )
# may be empty
echo -n $PROXY_WLAN_IP
return 0
}
proxy_get_wlan_if () { proxy_get_if ; }
## proxy_get_if
# Print (no newline) the outgoing interface: proxy_set_if's answer, loading
# the wifi modules via proxy_wlan_modules_load when ifconfig does not know it yet.
# Sets: PROXY_WLAN (eth*/wlan* only, truncated at ':')
# Returns 1 when no interface is found or ifconfig still fails after the
#   module load -- note that "... && dbug ... && return 1" only returns when
#   dbug itself succeeds; 0 otherwise.
proxy_get_if () { #
local wlan7
wlan7=$( proxy_set_if )
# shellcheck disable=SC2154
[ $? -ne 0 -o -z "$wlan7" ] && \
DEBUG=1 dbug proxy_get_if empty wlan7 && return 1
# unknown to ifconfig: try loading the driver, then ask again
proxy_ifconfig $wlan7 >/dev/null || \
proxy_wlan_modules_load $wlan7
proxy_ifconfig $wlan7 >/dev/null || \
{ DEBUG=1 dbug proxy_get_if errored proxy_ifconfig $wlan7 ; return 1 ; }
# fixme - required
PROXY_WLAN=$( echo $wlan7 | grep '^eth\|^wlan' |sed -e 's/:.*//' )
echo -n $PROXY_WLAN
return 0
}
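## proxy_route_check
# Succeed (0) iff "route" lists a default route; otherwise WARN and return
# 2<grep status>, i.e. 21 when there is simply no such route.
# Defect fixed: retval leaked into the caller's scope.
proxy_route_check () { DBUG proxy_route_check MODE=$MODE "$@" ;
  local retval
  # PATH=$PATH:/sbin ip
  route | grep -q ^def || {
    retval=$?
    WARN $prog proxy_route_check retval=$retval
    return 2$retval
  }
  return 0
}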
## proxy_route_test
# Check for a default route with "ip route" and then proxy_route_check.
# Note: a missing default route makes this EXIT the calling shell with status
# 0 (not return), so a script that sourced this library stops here with
# "WARN no route"; only when a route exists is proxy_route_check consulted.
# Returns proxy_route_check's status, 0 on success.
proxy_route_test () { DBUG proxy_route_test MODE=$MODE $* ;
PATH=$PATH:/sbin ip route | grep -q ^def || {
WARN no route
exit 0
}
proxy_route_check||return $?
return 0
}
## proxy_set_if
# Decide which interface carries the proxy's traffic and print it (no newline).
# Order: MODE workstation/ws/vda/nat/gateway -> eth0; otherwise the device of
# the default route, then the first wlan* with an "inet ... broadcast" line,
# then BOX_DEFAULT_OUTPUT_IF from the TestForge inventory, then the first
# eth*/wlan* that "ifconfig -a" lists at all. Only eth*/wlan* names survive
# the final normalisation (so an en* device ends in return 3).
# Sets: MODE (via proxy_ping_mode when unset), PROXY_WLAN, BOX_DEFAULT_OUTPUT_IF
# Returns 1 when the inventory lookup fails, 2 when nothing was found,
#   3 when the candidate was not an eth*/wlan* name, 0 otherwise.
# Notes: /tmp/ipconfig-a.<pid> is a predictable scratch name and is left
#   behind on the "return 1" path; the wlan fallback calls "ifconfig" directly
#   rather than $PROXY_IFCONFIG.
proxy_set_if () { #
# stdout
# shellcheck disable=SC2154
[ -n "$MODE" ] || MODE="$( proxy_ping_mode )"
proxy_ifconfig -a > /tmp/ipconfig-a.$$
if [ "$MODE" = workstation -o "$MODE" = ws -o "$MODE" = vda ] ; then
PROXY_WLAN=eth0
elif [ "$MODE" = nat ] || [ "$MODE" = gateway ] ; then
PROXY_WLAN=eth0
# elif [ "$MODE" = whonix -o "$MODE" = tor -o "$MODE" = host -o "$MODE" = selektor -o "$MODE" = client ] ; then
else
# 1. device of the default route
if ip route | grep -q ^defa ; then
PROXY_WLAN=$( ip route | grep ^defa|sed -e 's/.*dev //' -e 's/ .*//' )
fi
# 2. first wlan* that has an address
if [ -z "$PROXY_WLAN" ] ; then
PROXY_WLAN=`ifconfig|grep -B 1 inet.*broadcast|grep ^wlan|sed -e 's/ .*//'`
fi
# 3. inventory
# shellcheck disable=SC2154
if [ -z "$PROXY_WLAN" ] && [ -d "$BASE_SRC_ANSIBLE" ] ; then
# do we really want this in inventory or live?
# shellcheck disable=SC2154
if [ -z "$BOX_DEFAULT_OUTPUT_IF" ] ; then
BOX_DEFAULT_OUTPUT_IF=$( /usr/local/bin/testforge_get_inventory.bash BOX_DEFAULT_OUTPUT_IF )
# shellcheck disable=SC2154
[ $? -ne 0 -o -z "$BOX_DEFAULT_OUTPUT_IF" ] && return 1
#? recurse
fi
PROXY_WLAN="$BOX_DEFAULT_OUTPUT_IF"
fi
# 4. anything eth*/wlan* that ifconfig -a knows
# shellcheck disable=SC2154
if [ -z "$PROXY_WLAN" ] && cat /tmp/ipconfig-a.$$ | grep -q '^wlan\|^eth' ; then
# there may be not a route yet
# there may be 2!!!
PROXY_WLAN=$( cat /tmp/ipconfig-a.$$ | grep '^eth\|^wlan' |head -1 |sed -e 's/:.*//' )
fi
fi
rm -f /tmp/ipconfig-a.$$
# shellcheck disable=SC2154
[ -z "$PROXY_WLAN" ] && return 2
# fixme - required
PROXY_WLAN=$( echo $PROXY_WLAN | grep '^eth\|^wlan' |sed -e 's/:.*//' )
# shellcheck disable=SC2154
[ -z "$PROXY_WLAN" ] && return 3
echo -n $PROXY_WLAN
return 0
}
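## proxy_ping_get_https
# Print HOST:PORT (no newline) derived from $https_proxy. When https_proxy is
# set, HTTPS_HOST/HTTPS_PORT are parsed from it; a missing host is filled from
# MODE (whonix -> 10.0.2.15, nat -> the "external" entry of /etc/hosts) and
# finally 127.0.0.1, a missing port defaults to 9128. When https_proxy is
# empty the current HTTPS_HOST/HTTPS_PORT globals are printed as they are.
# Sets: HTTPS_HOST, HTTPS_PORT, external. Returns 0.
# Defect fixed: '[ -z "$external"]' (missing space before ]) tested the string
# "<value>]", which is never empty, so the /etc/hosts lookup never ran.
proxy_ping_get_https () {
  # shellcheck disable=SC2154
  if [ -n "$https_proxy" ] ; then
    HTTPS_HOST=$( echo "$https_proxy" | sed -e 's@.*//@@' -e 's@:[0-9]*@@' )
    HTTPS_PORT=$( echo "$https_proxy" | sed -e 's@.*//[^:]*:@@' )
    # DBUG $prog $https_proxy HTTPS_PORT=$HTTPS_PORT HTTPS_HOST=$HTTPS_HOST
    # shellcheck disable=SC2154
    [ -z "$HTTPS_HOST" ] && [ "$MODE" = whonix ] && HTTPS_HOST=10.0.2.15
    if [ -z "$HTTPS_HOST" ] && [ "$MODE" = nat ] ; then
      # first field of the /etc/hosts line ending in "external"
      [ -z "$external" ] && \
        external=$( grep 'external$' /etc/hosts | sed -e 's/ .*//' )
      HTTPS_HOST=$external
    fi
    # shellcheck disable=SC2154
    [ -z "$HTTPS_HOST" ] && HTTPS_HOST=127.0.0.1
    # shellcheck disable=SC2154
    [ -z "$HTTPS_PORT" ] && HTTPS_PORT=9128
  fi
  echo -n "$HTTPS_HOST:$HTTPS_PORT"
  return 0
}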
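## proxy_ping_get_http
# Print HOST:PORT (no newline) derived from $http_proxy. When http_proxy is
# set, HTTP_HOST/HTTP_PORT are parsed from it; a missing host is filled from
# MODE (whonix/tor -> 127.0.0.1, nat -> the "external" entry of /etc/hosts),
# a missing port defaults to 3128. When http_proxy is empty the current
# HTTP_HOST/HTTP_PORT globals are printed as they are.
# Sets: HTTP_HOST, HTTP_PORT, external. Returns 0.
# Defect fixed: '[ -z "$external"]' (missing space before ]) tested the string
# "<value>]", which is never empty, so the /etc/hosts lookup never ran.
proxy_ping_get_http () {
  # shellcheck disable=SC2154
  if [ -n "$http_proxy" ] ; then
    HTTP_HOST=$( echo "$http_proxy" | sed -e 's@.*//@@' -e 's@:[0-9]*@@' )
    HTTP_PORT=$( echo "$http_proxy" | sed -e 's@.*//[^:]*:@@' )
    # DBUG $prog $http_proxy HTTP_PORT=$HTTP_PORT HTTP_HOST=$HTTP_HOST
    if [ -z "$HTTP_HOST" ] ; then
      case "$MODE" in
        whonix|tor) HTTP_HOST=127.0.0.1 ;;
        nat)
          # first field of the /etc/hosts line ending in "external"
          [ -z "$external" ] && \
            external=$( grep 'external$' /etc/hosts | sed -e 's/ .*//' )
          HTTP_HOST=$external
          ;;
      esac
    fi
    # shellcheck disable=SC2154
    [ -z "$HTTP_PORT" ] && HTTP_PORT=3128
  fi
  echo -n "$HTTP_HOST:$HTTP_PORT"
  return 0
}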
## proxy_ping_get_socks_host
# Parse the host out of $socks_proxy into SOCKS_HOST (scheme, user:pass@ and
# port stripped) and print "SOCKS_HOST:9050" with no newline -- the port
# printed here is always the literal 9050, never SOCKS_PORT.
proxy_ping_get_socks_host () {
  # shellcheck disable=SC2154
  if [ -n "$socks_proxy" ] ; then
    SOCKS_HOST=$( sed -e 's@.*//@@' -e 's/.*@//' -e 's@:[0-9]*@@' <<< "$socks_proxy" )
    # DBUG $prog $socks_proxy SOCKS_PORT=$SOCKS_PORT SOCKS_HOST=$SOCKS_HOST
  fi
  echo -n $SOCKS_HOST:9050
}
## proxy_ping_get_socks_port
# Parse the port out of $socks_proxy into SOCKS_PORT (the text after the first
# ':' that follows "//host"). Prints nothing; returns 0.
proxy_ping_get_socks_port () {
  # shellcheck disable=SC2154
  [ -n "$socks_proxy" ] || return 0
  SOCKS_PORT=$( sed -e 's@.*//[^:]*:@@' <<< "$socks_proxy" )
  # DBUG $prog $socks_proxy SOCKS_PORT=$SOCKS_PORT SOCKS_HOST=$SOCKS_HOST
  # echo -n $SOCKS_PORT
}
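## proxy_ping_get_socks
# Print SOCKS_HOST:SOCKS_PORT (no newline). A host parsed from $socks_proxy
# (or a pre-set SOCKS_HOST) wins; otherwise the pair is chosen from MODE
# (whonix/gateway -> 10.0.2.15, nat -> 10.0.2.2, tor/selektor -> 127.0.0.1,
# vda -> 10.152.152.10, always port 9050). Also defaults SOCKS_DNS to 9053.
# Returns 0.
# Defect fixed: proxy_ping_get_socks_host prints "host:9050" itself, so that
# text leaked into this function's output ("host:9050host:port"); it is now
# called for its side effect only. The second "nat" branch of the original
# (external from /etc/hosts) was unreachable behind the first and is gone.
proxy_ping_get_socks () {
  # let socks_proxy override
  proxy_ping_get_socks_host >/dev/null
  proxy_ping_get_socks_port
  # shellcheck disable=SC2154
  [ -z "$SOCKS_HOST" ] || return 0
  case "$MODE" in
    whonix|gateway) SOCKS_HOST=10.0.2.15 ; SOCKS_PORT=9050 ;;
    nat) SOCKS_HOST=10.0.2.2 ; SOCKS_PORT=9050 ;;
    tor|selektor) SOCKS_HOST=127.0.0.1 ; SOCKS_PORT=9050 ;;
    vda) SOCKS_HOST=10.152.152.10 ; SOCKS_PORT=9050 ;;
  esac
  # shellcheck disable=SC2154
  [ -z "$SOCKS_DNS" ] && SOCKS_DNS=9053
  echo -n "$SOCKS_HOST:$SOCKS_PORT"
  return 0
}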
# proxy_ping_chattr
# Let unprivileged users ping: ensure the ping_group_range sysctl drop-in
# exists (and apply it), then grant cap_net_admin+cap_net_raw to ping and
# traceroute unless they already carry cap_net_admin. Skipped entirely on an
# ext2 root (the author's note: setcap not supported there). Returns 0.
# Notes: no root check -- the sysctl/setcap calls simply fail unprivileged;
#   EXE is a global; setcap is applied to $(which $elt), i.e. the original
#   path, even though EXE was resolved through readlink for the checks.
# NOTE(review): ping needs cap_net_raw only; cap_net_admin is a much broader
#   grant (interface/routing configuration) -- confirm it is really required.
proxy_ping_chattr () { DBUG proxy_ping_chattr MODE=$MODE $* ;
local elt
[ -f /etc/sysctl.d/70_testforge_ping.conf ] || \
{ echo 'net.ipv4.ping_group_range=0 1000' > /etc/sysctl.d/70_testforge_ping.conf ; \
sysctl net.ipv4.ping_group_range="0 1000" >/dev/null ; }
# setcap not supported on ext2?
mount | grep -q ' / .*type ext2' && return 0
# https://github.com/DietPi/issues/1012
for elt in ping traceroute ; do
EXE=$(which $elt) || continue
# shellcheck disable=SC2154
[ -z "$EXE" ] && continue
# follow one level of symlink; a link to a link is skipped
[ -h $EXE ] && EXE=$(readlink $EXE)
[ -h $EXE ] && continue
getcap $EXE | grep -q 'cap_net_admin' && continue
setcap 'cap_net_admin,cap_net_raw+ep' $(which $elt)
done
return 0
}
# proxy_tor_update_wlan_ip: point the "SocksPolicy accept 10.16..." line of
# /etc/tor/torrc-defaults at PROXY_WLAN_IP (resolved via proxy_get_wlan_ip
# when unset). Returns 1 when that lookup fails, 2 when the IP is empty and
# 0 otherwise (also when torrc-defaults does not exist).
proxy_tor_update_wlan_ip () { DBUG proxy_tor_update_wlan_ip MODE=$MODE $* ;
  # shellcheck disable=SC2154
  if [ -z "$PROXY_WLAN_IP" ] ; then
    PROXY_WLAN_IP=$( proxy_get_wlan_ip ) || return 1
  fi
  # shellcheck disable=SC2154
  [ -n "$PROXY_WLAN_IP" ] || return 2
  [ -f /etc/tor/torrc-defaults ] || return 0
  sed -i -e "s@^SocksPolicy accept 10.16.*@SocksPolicy accept $PROXY_WLAN_IP@" /etc/tor/torrc-defaults
  return 0
}
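## proxy_tor_set_socks_accept
# Rewrite the first torrc file whose "SocksPolicy accept <prefix>" line matches
# the first three characters of the wlan IP so that it accepts exactly that IP.
# Resolves PROXY_WLAN via proxy_ping_get_wlan when unset and the address via
# proxy_get_wlan_ip. Returns 2 when no interface is known, 0 otherwise.
# Defect fixed: retval was read after '[ -z "$PROXY_WLAN" ] && PROXY_WLAN=...',
# so a pre-set PROXY_WLAN left retval=1 and the function always reported
# "empty wlan". Also: ip/anet/file/wlan7 no longer leak as globals.
proxy_tor_set_socks_accept () { DBUG proxy_tor_set_socks_accept MODE=$MODE "$@" ;
  local retval=0 ip anet file
  # shellcheck disable=SC2154
  if [ -z "$PROXY_WLAN" ] ; then
    PROXY_WLAN=$( proxy_ping_get_wlan )
    retval=$?
  fi
  if [ $retval -ne 0 ] || [ -z "$PROXY_WLAN" ] ; then
    ERROR proxy_tor_set_socks_accept empty wlan retval=$retval
    return 2
  fi
  ip=$( proxy_get_wlan_ip )
  # crude network prefix: the first three characters of the address
  anet="${ip:0:3}"
  for file in /etc/tor/torrc-defaults /etc/tor/torrc ; do
    [ -f "$file" ] || continue
    DBUG $file
    if grep -q "^SocksPolicy accept $anet" "$file" ; then
      sed -i -e "s@^SocksPolicy accept ${anet}.*@SocksPolicy accept $ip@" "$file"
      INFO updated $anet $file
      break
    fi
  done
  return 0
}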
## proxy_ping_get_ip_gw
# Alias for proxy_ping_get_wlan_gw: prints the guessed gateway, same status.
proxy_ping_get_ip_gw () {
  proxy_ping_get_wlan_gw
}
## proxy_ping_get_wlan_gw
# Guess the gateway of the wlan interface and print it (no newline): the
# interface's "inet ... broadcast" address with its last octet replaced by 1.
# Sets: PROXY_WLAN (via proxy_ping_get_wlan), IP, PROXY_WLAN_GW, retval, a -- all globals
# Returns 2 when no interface is known, when the interface has no address,
#   or when the address parses to empty; 0 otherwise.
proxy_ping_get_wlan_gw () {
PROXY_WLAN=`proxy_ping_get_wlan`
retval=$?
[ $retval -eq 0 -a -n "$PROXY_WLAN" ] || {
ERROR proxy_ping_get_wlan_gw empty wlan retval=$retval
return 2
}
# can be up without having an address
a=$( proxy_ifconfig $PROXY_WLAN | grep 'inet.*broadcast' )
[ $? -ne 0 -o -z "$a" ] && return 2
IP=$( echo $a | sed -e 's/.*inet //' -e 's/ .*//' )
# | grep -v '127.0.0.1\|grep'
[ -z "$IP" ] && return 2
# strip the trailing digits and append "1": 10.0.0.57 -> 10.0.0.1
PROXY_WLAN_GW=$( echo -n $IP | sed -e 's/[0-9]*$//' )1
echo -n $PROXY_WLAN_GW
return 0
}
## proxy_ping_get_wlan
# Resolve the outgoing interface via proxy_get_if into PROXY_WLAN, keep only
# an eth*/wlan* name truncated at ':', and print it (no newline).
# Returns 2<status> when proxy_get_if fails or yields nothing, 0 otherwise.
proxy_ping_get_wlan () {
  local retval
  PROXY_WLAN=$( proxy_get_if )
  retval=$?
  if [ $retval -ne 0 ] || [ -z "$PROXY_WLAN" ] ; then
    ERROR proxy_get_if empty wlan7 retval=$retval
    return 2$retval
  fi
  # REQUIRED!
  PROXY_WLAN=$( echo $PROXY_WLAN | grep '^eth\|^wlan' | sed -e 's/:.*//' )
  echo -n $PROXY_WLAN
  return 0
}
## proxy_ping_test_env
# True (0) when any of https_proxy, socks_proxy or http_proxy is non-empty in
# the environment, 1 otherwise.
proxy_ping_test_env () { DBUG proxy_ping_test_env MODE=$MODE $* ;
  local value
  # shellcheck disable=SC2154
  for value in "$https_proxy" "$socks_proxy" "$http_proxy" ; do
    [ -n "$value" ] && return 0
  done
  return 1
}
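## proxy_whonix_get_conn
# Determine which Whonix rc profile this box runs (CONN = Gateway, Host, Vda
# or Workstation): the first Whonix-<X>.rc referenced from /etc/rc.local that
# also exists under /usr/local/etc/local.d. Also sets CHORG (guest/host).
# Prints CONN (no newline; empty when nothing matched). Returns 0.
# Defects fixed: '[ -f /etc/rc.local ] && return 0' bailed out exactly when the
# file it is about to grep exists; '[ -z "$CONN" -a "$CONN" = "Host" ]' can never
# be true (empty and equal to "Host" at once), so CHORG=host was unreachable.
proxy_whonix_get_conn () {
  local elt
  # shellcheck disable=SC2154
  [ -n "$CONN" ] && echo -n $CONN && return 0
  [ -f /etc/rc.local ] || return 0
  for elt in Gateway Host Vda Workstation ; do
    if grep -q "Whonix-$elt.rc" /etc/rc.local && [ -f "/usr/local/etc/local.d/Whonix-$elt.rc" ] ; then
      CONN=$elt
      break
    fi
  done
  # NOTE(review): kept as written -- sets guest when the qemu guest-agent port
  # is ABSENT, which looks inverted; confirm before changing.
  [ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] || CHORG=guest
  case "$CONN" in
    Vda|Gateway|Workstation) CHORG=guest ;;
    Host) CHORG=host ;;
  esac
  # giggle host in host?
  #? [ -e /run/libvirt/libvirt-sock ] && CHORG=host
  echo -n $CONN
  return 0
}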
## proxy_ping_curl_privoxy
# Fetch https://$HTTP_TARGET through the local privoxy HTTP proxy, skipping TLS
# verification on both hops (--insecure / --proxy-insecure). Returns curl's status.
proxy_ping_curl_privoxy () { DBUG proxy_ping_curl_privoxy MODE=$MODE $* ;
  local via="http://$PROXY_HTTP_PROXY_HOST:$PROXY_HTTP_PROXY_PORT"
  curl $CURL_ARGS --insecure --proxy "$via" --proxy-insecure "https://$HTTP_TARGET"
}
## proxy_ping_curl_polipo
# Same request as proxy_ping_curl_privoxy (the polipo proxy is expected on the
# same PROXY_HTTP_PROXY_HOST:PORT); TLS verification is skipped on both hops.
# Returns curl's status.
proxy_ping_curl_polipo () { DBUG proxy_ping_curl_polipo MODE=$MODE $* ;
  local via="http://$PROXY_HTTP_PROXY_HOST:$PROXY_HTTP_PROXY_PORT"
  curl $CURL_ARGS --insecure \
    --proxy "$via" \
    --proxy-insecure "https://$HTTP_TARGET"
}
## proxy_ping_curl_bin
# Fetch https://$HTTP_TARGET directly (no proxy) as the PRIV_BIN_OWNER user via
# su, presumably to verify that the firewall lets that gid out. The command
# string interpolates CURL_ARGS and HTTP_TARGET -- both constants of this file --
# into "su -c"; do not feed caller-controlled values into it. Returns su's status.
proxy_ping_curl_bin () { DBUG proxy_ping_curl_bin MODE=$MODE $* ;
su -c "curl $CURL_ARGS --insecure --noproxy '*' https://$HTTP_TARGET" -s /bin/sh $PRIV_BIN_OWNER
}
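## proxy_nmap_guid_bin
# Make /usr/bin/nmap setgid to the PRIV_BIN_OWNER group (mode 2755) so that the
# firewall's --gid-owner rules for that group apply to it. No-op when the mode
# is already 2755. Returns 1 when /usr/bin/nmap is missing (the original let
# chgrp and chmod fail noisily instead), otherwise chmod's status.
proxy_nmap_guid_bin () { DBUG proxy_nmap_guid_bin MODE=$MODE "$@" ;
  local nmap=/usr/bin/nmap
  [ -e "$nmap" ] || return 1
  # must be suid bin
  if [ -z "$( find "$nmap" -perm 2755 )" ] ; then
    chgrp "$PRIV_BIN_OWNER" "$nmap"
    chmod 2755 "$nmap"
  fi
}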
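## proxy_ping_nmap_direct
# Probe a UDP port on a host directly (no proxy) with nmap, retrying up to
# TRIES times with DELAY seconds between attempts.
# Arguments: $1 target host (default DNS_HOST1), $2 port spec (default U:53)
# Returns 0 on the first success, 5 when every attempt failed.
# Defects fixed: "$1 is the target" only held when exactly one argument was
# given (with two, the target silently fell back to DNS_HOST1); p leaked as a
# global; the counter used expr; the failure message hard-coded U:53.
proxy_ping_nmap_direct () { DBUG proxy_ping_nmap_direct MODE=$MODE "$@" ;
  local i target p
  proxy_nmap_guid_bin
  target=${1:-$DNS_HOST1}
  p=${2:-U:53}
  i=0
  while [ "$i" -lt "$TRIES" ] ; do
    #su -s /bin/bash -c 'ping -c 1 8.8.8.8' $PRIV_BIN_OWNER && break
    nmap -Pn -sU -p "$p" "$target" && break
    sleep "$DELAY"
    i=$(( i + 1 ))
  done
  if [ "$i" -ge "$TRIES" ] ; then
    echo "ERROR: proxy_ping_nmap_direct nmap -Pn -sU -p $p $target failed"
    return 5
  fi
  return 0
}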
## proxy_whonix_copy_dir_file
# Apply the per-mode variant <file> to its live counterpart <to>.
# Arguments: $1 file (the "<name>.<mode>" variant), $2 to (the live file)
# As written: returns 1/2 on missing arguments, 2 when no interface is known,
#   0 when either file is missing or they already match; the actual copy is
#   disabled by the "&& false" guard, so the only remaining effect is the sed.
# Note the naming: the (disabled) cp and its INFO message copy $to onto $file,
#   the reverse of "from $file to $to".
# NOTE(review): 'grep -q wlan $file || sed ...' runs the wlan[0-9] substitution
#   only when the file contains NO "wlan", so it can never change anything --
#   the condition looks inverted (&&); confirm the intent before changing it.
proxy_whonix_copy_dir_file () { DBUG proxy_whonix_copy_dir_file PROXY_WLAN=$PROXY_WLAN MODE=$MODE $* ;
[ "$#" -le 1 ] && { ERROR proxy_whonix_copy_dir_file from empty: MODE=$MODE $* ; return 1 ; }
[ "$#" -eq 2 ] || { ERROR to empty ; return 2 ; }
local file=$1
local to=$2
# shellcheck disable=SC2154
if [ -z "$PROXY_WLAN" ] ; then
PROXY_WLAN=$( proxy_get_if )
[ $? -ne 0 -o -z "$PROXY_WLAN" ] && ERROR empty PROXY_WLAN && return 2
fi
# fixme - required
PROXY_WLAN=$( echo $PROXY_WLAN | grep '^eth\|^wlan' |sed -e 's/:.*//' )
[ -f $to ] || return 0
[ -f $file ] || return 0
diff -q $to $file && return 0
proxy_ping_check_root || return 0
# "&& false": this branch is intentionally dead
if ! diff -q $to $file && false ; then
INFO proxy_whonix_copy_files cp -p $to $file
cp -p $to $file || { ERROR copying $file.dire ; }
fi
grep -q wlan $file || \
sed -e "s@wlan[0-9]@$PROXY_WLAN@" \
-i $file
# -e "s@eth[0-9]@$PROXY_WLAN@"
return 0
}
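## proxy_whonix_copy_files
# For every PROXY_WHONIX_FILES entry (and /etc/apt/*.conf.<dire>), apply the
# "<file>.<dire>" variant to <file> via proxy_whonix_copy_dir_file.
# Arguments: $1 dire -- the mode/profile suffix (normally the current MODE)
# Returns 1 without exactly one argument, 0 otherwise (non-root only WARNs).
# Defects fixed: file/to leaked as globals; the suffix strip used
# sed "s/.$dire//", which removes the first ANY-char+dire match anywhere in
# the path instead of the trailing ".<dire>" -- ${file%.$dire} strips only that.
proxy_whonix_copy_files () { DBUG proxy_whonix_copy_files PROXY_WLAN=$PROXY_WLAN MODE=$MODE "$@" ;
  local dire file to
  [ "$#" -eq 1 ] || { ERROR dire empty ; return 1 ; }
  dire=$1
  proxy_ping_check_root || { WARN must be root to copy files && return 0 ; }
  # DBUG proxy_whonix_copy_files $dire ${PROXY_WHONIX_FILES[*]}
  for file in "${PROXY_WHONIX_FILES[@]}" ; do
    proxy_whonix_copy_dir_file "$file.$dire" "$file"
  done
  # NOTE(review): "apt.conf.f" is probably a typo for apt.conf.d -- as written
  # this branch never runs; kept until confirmed.
  if [ -d /etc/apt/apt.conf.f ] ; then
    for file in /etc/apt/*.conf.$dire ; do
      to=${file%.$dire}
      proxy_whonix_copy_dir_file "$file" "$to"
    done
  fi
  return 0
}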
## proxy_ping_firewall_check
# Validate /etc/firewall.conf for the modes that rely on it (tor, selektor):
# it must be non-empty and contain a reject rule; missing "--gid-owner <gid>
# ... ACCEPT" rules for PRIV_BIN_GID / PRIV_TOR_GID only WARN. Every other
# mode passes without checks. Returns 1 (empty file), 2 (no reject) or 0.
proxy_ping_firewall_check () { DBUG proxy_ping_firewall_check PROXY_WLAN=$PROXY_WLAN MODE=$MODE $* ;
  local conf=/etc/firewall.conf
  case "$MODE" in
    workstation|ws|vda|nat|gateway|host)
      ;;
    tor|selektor)
      [ -s $conf ] || {
        ERROR "proxy_ping_firewall_check /etc/firewall.conf empty "
        return 1
      }
      grep -q -i reject $conf || {
        ERROR "proxy_ping_firewall_check no reject in /etc/firewall.conf"
        return 2
      }
      grep -q -e "--gid-owner $PRIV_BIN_GID .* ACCEPT" $conf || {
        WARN "proxy_ping_firewall_check no bin --gid-owner $PRIV_BIN_GID in /etc/firewall.conf"
        # return 3
      }
      grep -q -e "--gid-owner $PRIV_TOR_GID .* ACCEPT" $conf || {
        WARN "proxy_ping_firewall_check no tor --gid-owner $PRIV_TOR_GID in /etc/firewall.conf"
        # return 4
      }
      ;;
  esac
  return 0
}
## proxy_ping_wlan_config
# Patch the current interface name into every existing PROXY_WLAN_FILES entry
# (wlan[0-9] -> PROXY_WLAN, in place) and make sure /etc/firewall.conf has an
# "-m owner --gid-owner <PRIV_BIN_GID> -j ACCEPT" rule, rewriting a
# single-digit placeholder gid when it has none.
# Returns 1 when no interface is found (only if ERROR itself succeeds),
#   2 when the firewall rule is still missing afterwards, 0 otherwise.
# Notes: the sed pattern "[1-9]" matches exactly one digit, so only a
#   single-digit gid is ever rewritten; eth[0-9] names are not touched; the
#   local "gid" is unused; these are in-place edits of firewall/DNS config.
proxy_ping_wlan_config () { DBUG proxy_ping_wlan_config MODE=$MODE $* ;
local file gid
# shellcheck disable=SC2154
[ -n "$PROXY_WLAN" ] || PROXY_WLAN=$( proxy_get_if ) || {
ERROR proxy_whonix_wlan_config null interface && return 1
}
for file in "${PROXY_WLAN_FILES[@]}" ; do
[ -f "$file" ] || continue
sed -e "s@wlan[0-9]@$PROXY_WLAN@" -i $file
done
if ! grep -q -e "-m owner --gid-owner $PRIV_BIN_GID -j ACCEPT" /etc/firewall.conf ; then
sed -e "s@-m owner --gid-owner [1-9] -j ACCEPT@-m owner --gid-owner $PRIV_BIN_GID -j ACCEPT@" -i /etc/firewall.conf
fi
grep -q -e "-m owner --gid-owner $PRIV_BIN_GID -j ACCEPT" /etc/firewall.conf || {
return 2
}
return 0
}
## proxy_ping_firewall_sysctl_ipv6
# Comment the net.ipv6.conf lines of the lynis hardening sysctl file out when
# the kernel has no IPv6 (/proc/net/if_inet6 absent) and uncomment them
# otherwise. Edits the file in place; returns 0.
proxy_ping_firewall_sysctl_ipv6 () {
  local conf=/etc/sysctl.d/70_testforge_harden_lynis.conf
  local script='s/^#net.ipv6.conf/net.ipv6.conf/'
  [ -e /proc/net/if_inet6 ] || script='s/^net.ipv6.conf/#net.ipv6.conf/'
  sed -i -e "$script" "$conf"
  return 0
}
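## proxy_iptables_rename
# Move every /usr/sbin/iptables* binary to <name>.bin and leave a <name>.bash
# wrapper that execs it with the original arguments. Idempotent: files already
# renamed or already wrapped are skipped. Returns 1 when /usr/sbin cannot be
# entered, 0 otherwise.
# Defects fixed: cd was unchecked and never undone; the loop variable "base"
# clobbered this library's file-level $base.
proxy_iptables_rename () { DBUG proxy_iptables_rename MODE=$MODE "$@" ;
  local wd=$PWD file stem
  cd /usr/sbin/ || return 1
  for file in iptables* ; do
    stem=$( basename "$file" .bin )
    # skip the .bin copies themselves
    [ "$stem" = "$file" ] || continue
    [ -e "$file.bin" ] || mv "$file" "$file.bin"
    if [ ! -e "$file.bash" ] ; then
      printf '#!/bin/sh\nexec %s.bin "$@"\n' "$file" > "$file.bash" && chmod 755 "$file.bash"
    fi
  done
  cd "$wd"
  return 0
}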
IPT_LEGACY="iptables-legacy"
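## proxy_iptables
# Run iptables with the given arguments, preferring iptables-legacy when it is
# on PATH (probed only when IPT_LEGACY is empty; the file-level default above
# pre-selects iptables-legacy). Returns the command's status.
# Defects fixed: $* re-split the arguments; "which" replaced by command -v.
proxy_iptables () { DBUG proxy_iptables MODE=$MODE "$@" ;
  if [ -z "$IPT_LEGACY" ] ; then
    # DEBIAN -eq 0
    if command -v iptables-legacy >/dev/null 2>&1 ; then
      IPT_LEGACY=iptables-legacy
    else
      IPT_LEGACY=iptables
    fi
  fi
  $IPT_LEGACY "$@"
}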
IPT_SAVE_LEGACY="iptables-legacy-save"
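## proxy_iptables_save
# Dump the ruleset with iptables-legacy-save when available (probed only when
# IPT_SAVE_LEGACY is empty), else iptables-save. Returns the command's status.
# Defects fixed: $* re-split the arguments; "which" replaced by command -v.
proxy_iptables_save () { DBUG proxy_iptables_save MODE=$MODE "$@" ;
  if [ -z "$IPT_SAVE_LEGACY" ] ; then
    # DEBIAN -eq 0
    if command -v iptables-legacy-save >/dev/null 2>&1 ; then
      IPT_SAVE_LEGACY=iptables-legacy-save
    else
      IPT_SAVE_LEGACY=iptables-save
    fi
  fi
  $IPT_SAVE_LEGACY "$@"
}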
IPT_RESTORE_LEGACY="iptables-legacy-restore"
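## proxy_iptables_restore
# Flush the filter/nat/mangle tables and load the rule file(s) given as
# arguments with iptables-legacy-restore (or iptables-restore). Returns the
# restore command's status.
# Defect fixed: the function ended with "return $?", which returned the status
# of the DBUG/ERROR call instead of the captured retval.
# NOTE(review): flushing before the restore leaves the host with no rules if
# the restore then fails (fail-open); iptables-restore replaces the tables on
# its own, so the explicit flush is worth reconsidering.
proxy_iptables_restore () { DBUG proxy_iptables_restore MODE=$MODE "$@" ;
  local retval
  proxy_iptables -F -t filter ; proxy_iptables -F -t nat ; proxy_iptables -F -t mangle
  if [ -z "$IPT_RESTORE_LEGACY" ] ; then
    if command -v iptables-legacy-restore >/dev/null 2>&1 ; then
      IPT_RESTORE_LEGACY=iptables-legacy-restore
    else
      IPT_RESTORE_LEGACY=iptables-restore
    fi
  fi
  $IPT_RESTORE_LEGACY "$@"
  retval=$?
  if [ $retval -eq 0 ] ; then
    DBUG proxy_iptables_restored "$@"
  else
    ERROR proxy_iptables_restore retval=$retval "$@"
  fi
  # /usr/local/bin/proxy_firewall_restore_iptable.bash
  return $retval
}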
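## proxy_ping_firewall_modules
# Load the kernel modules the firewall needs: in nat mode only virtio_console;
# otherwise everything listed in /etc/modules-load.d/firewall.conf, then
# xt_MASQUERADE/nf_nat_ipv4 when the running kernel's module index mentions
# them, then nf_conntrack, nft_masq and bridge. Non-root returns 0 at once.
# Returns 5<status> when a MASQUERADE/nat module fails to load, else 0
# (the nat branch returns the virtio_console status).
# Defects fixed: unquoted $MODE broke the test when MODE was empty; "file"
# leaked as a global; a missing firewall.conf made grep fail noisily.
proxy_ping_firewall_modules () { DBUG proxy_ping_firewall_modules MODE=$MODE "$@" ;
  local elt kern file
  proxy_ping_check_root || return 0
  if [ "$MODE" = nat ] ; then
    lsmod | grep -q virtio_console || modprobe virtio_console
    return $?
  fi
  # /etc/modules-load.d/vda*.conf
  for file in /etc/modules-load.d/firewall.conf ; do
    [ -f "$file" ] || continue
    grep -v '#\|floppy' "$file" | xargs modprobe --all
  done
  kern=$( uname -r )
  if [ -d "/lib/modules/$kern" ] ; then
    # bpfilter
    for elt in xt_MASQUERADE nf_nat_ipv4 ; do
      # "*der" covers the kernel's module index files (e.g. modules.order)
      if grep -q -i "$elt" "/lib/modules/$kern"/*der ; then
        lsmod | grep -qi "$elt" || modprobe "$elt" || return 5$?
      # else # 5.0.8 kernel
      # WARN $elt not in "/lib/modules/$kern"/*der # 2>&1|tee $WLOG
      fi
    done
  fi
  lsmod | grep -q nf_conntrack || modprobe nf_conntrack
  lsmod | grep -q nft_masq || modprobe nft_masq
  lsmod | grep -q bridge || modprobe bridge
  return 0
}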
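# proxy_ping_check_root: 0 when running as root (judged by $USER), 2 otherwise.
# Defect fixed: an unquoted $USER turned the test into "[ = root ]" (a syntax
# error on stderr) whenever USER was empty.
proxy_ping_check_root () {
  if [ "$USER" = root ] ; then
    return 0
  fi
  # WARN proxy_ping_check_root - not root
  return 2
}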
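## proxy_ping_firewall_start
# Bring the firewall up for the current MODE: skipped for direct/nat, requires
# root, loads the modules, validates /etc/firewall.conf via
# proxy_ping_firewall_check and only restarts the rules when the live ruleset
# has no REJECT rule yet.
# Returns 0 when skipped or already in place, 1<status> when the check fails,
# 1 when MODE is not tor/selektor/ws, 3<status> when the restart fails.
# Defects fixed: unquoted $MODE; "ret" leaked as a global and was still unset
# at the second "return 1$ret", which silently meant "return 1" (kept as an
# explicit return 1); the duplicate root check was dropped.
proxy_ping_firewall_start () { DBUG proxy_ping_firewall_start PROXY_WLAN=$PROXY_WLAN MODE=$MODE "$@" ;
  local ret
  [ -n "$MODE" ] || MODE="$( proxy_ping_mode )"
  case "$MODE" in
    direct|nat)
      WARN no proxy_ping_firewall_start MODE=$MODE
      return 0
      ;;
  esac
  proxy_ping_check_root || { WARN must be root to copy files && return 0 ; }
  proxy_ping_firewall_modules
  proxy_ping_firewall_check || {
    ret=$?
    ERROR failed proxy_ping_firewall_start ret=$ret
    return 1$ret
  }
  case "$MODE" in
    tor|selektor|ws) ;;
    *)
      ERROR failed proxy_ping_firewall_check MODE=$MODE
      return 1
      ;;
  esac
  # a REJECT rule already in the live ruleset means the firewall is in place
  proxy_iptables_save 2>&1 | grep -iq reject && return 0
  proxy_ping_firewall_restart || return 3$?
  return 0
}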
proxy_ping_firewall_set () { proxy_ping_firewall_restart ; }
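## proxy_ping_firewall_restart
# Reload the firewall: resolve MODE and PROXY_WLAN, load the modules, patch the
# interface name into the wlan config files, restore /etc/firewall.conf and
# apply the MODE-specific file variants. Root only (returns 2 otherwise).
# Returns 1 when no interface is found, 3 when the restore fails (also paged
# through proxy_wall.bash when available), 4 when the file copy fails, else 0.
# Defects fixed: retval leaked as a global; the second root check (return 0)
# was dead code behind the first (return 2); the unused local gid is gone.
proxy_ping_firewall_restart () { DBUG proxy_ping_firewall_restart MODE=$MODE "$@" ;
  local retval
  proxy_ping_check_root || return 2
  # shellcheck disable=SC2154
  [ -n "$MODE" ] || MODE="$( proxy_ping_mode )"
  proxy_ping_firewall_modules
  # shellcheck disable=SC2154
  if [ -z "$PROXY_WLAN" ] ; then
    PROXY_WLAN=$( proxy_get_if )
    retval=$?
    if [ $retval -ne 0 ] || [ -z "$PROXY_WLAN" ] ; then
      ERROR proxy_ping_get_wlan empty wlan retval=$retval
      return 1
    fi
  fi
  # status deliberately ignored, as before (it returns 2 when no bin gid rule exists)
  proxy_ping_wlan_config
  proxy_iptables_restore /etc/firewall.conf || {
    ERROR $prog proxy_iptables_restore failed
    [ -x /usr/local/bin/proxy_wall.bash ] && \
      /usr/local/bin/proxy_wall.bash ERROR: $prog proxy_iptables_restore failed
    return 3
  }
  proxy_whonix_copy_files "$MODE" || {
    ERROR "proxy_ping_firewall_restart failed proxy_whonix_copy_files"
    return 4
  }
  return 0
}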
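## proxy_ping_dnsmasq_config
# Point /etc/dnsmasq.conf at the outgoing interface: back the file up once as
# /etc/dnsmasq.conf.<dire>, then replace wlanN/ethN with PROXY_WLAN in place.
# Arguments: $1 dire (backup suffix); defaults to MODE with a WARN
# Returns 3 when no interface is known, 2 when /etc/dnsmasq.conf is missing,
# 0 otherwise.
# Defect fixed: 'PROXY_WLAN=`proxy_get_if` && retval=$?' could only ever record
# a zero status; the lookup's real status is captured now.
proxy_ping_dnsmasq_config () { DBUG proxy_ping_dnsmasq_config MODE=$MODE "$@" ;
  # fixme: NEEDS dire
  local dire
  local retval=0
  if [ "$#" -gt 0 ] ; then
    dire=$1
    DEBUG=1 dbug proxy_ping_dnsmasq_config "$@"
  else
    WARN proxy_ping_dnsmasq_config no args - defaulting $MODE
    dire=$MODE
  fi
  # shellcheck disable=SC2154
  if [ -z "$PROXY_WLAN" ] ; then
    PROXY_WLAN=$( proxy_get_if ) || retval=$?
  fi
  if [ $retval -ne 0 ] || [ -z "$PROXY_WLAN" ] ; then
    ERROR proxy_ping_dnsmasq_config null PROXY_WLAN=$PROXY_WLAN
    return 3
  fi
  [ -e /etc/dnsmasq.conf ] || {
    ERROR proxy_ping_dnsmasq_config not /etc/dnsmasq.conf ; return 2 ;
  }
  # keep one pristine copy per mode
  if [ ! -f "/etc/dnsmasq.conf.$dire" ] ; then
    cp -p /etc/dnsmasq.conf "/etc/dnsmasq.conf.$dire"
  fi
  sed -i -e "s/wlan[0-9]/$PROXY_WLAN/" -e "s/eth[0-9]/$PROXY_WLAN/" /etc/dnsmasq.conf
  INFO proxy_ping_dnsmasq_config setting PROXY_WLAN=$PROXY_WLAN
  return 0
}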
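## proxy_ping_gw_check
# Sanity-check the path to the presumed wlan gateway: when a traceroute to it
# takes more than 4 hops, record the trace in ELOG and an "nmap -A" scan of
# the gateway in WLOG, printing the HOP lines. Returns 0 always.
# Defect fixed: the "$? -eq 0" test ran after the ELOG/WLOG default
# assignments, so it never reflected proxy_ping_get_ip_gw's status; "a" no
# longer leaks as a global.
proxy_ping_gw_check () { DBUG proxy_ping_gw_check MODE=$MODE "$@" ;
  local retval hops
  PROXY_WLAN_GW=$( proxy_ping_get_ip_gw )
  retval=$?
  # shellcheck disable=SC2154
  [ -z "$ELOG" ] && ELOG=/tmp/proxy_test_gw$$.err
  # shellcheck disable=SC2154
  [ -z "$WLOG" ] && WLOG=/tmp/proxy_test_gw$$.log
  if [ $retval -eq 0 ] && [ -n "$PROXY_WLAN_GW" ] ; then
    hops=$( traceroute -m 10 "$PROXY_WLAN_GW" | wc -l )
    if [ $? -eq 0 ] && [ -n "$hops" ] && [ "$hops" -gt 4 ] ; then
      echo ERROR: traceroute "$PROXY_WLAN_GW" >> "$ELOG" && \
        traceroute -m 10 "$PROXY_WLAN_GW" >> "$ELOG" && \
        nmap -A -T4 "$PROXY_WLAN_GW" | tee -a "$WLOG" | grep -A 1 HOP | grep -v ^1
    fi
    # /usr/local/bin/base_wall.bash $prog CRIT: traceroute $PROXY_WLAN_GW '>10'
  fi
  return 0
}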
## proxy_ping_dnsd_check
# Check the local DNS daemon; currently always delegates to
# proxy_ping_dnsmasq_check and ignores its status (returns 0).
proxy_ping_dnsd_check () { DBUG proxy_ping_dnsd_check MODE=$MODE $* ;
  # fixme: decide which
  proxy_ping_dnsmasq_check $*
  return 0
}
## proxy_ping_dnsmasq_status
# True (0) when the dnsmasq service reports running and /var/log/dnsmasq.log
# is non-empty; a missing "using nameserver" line only WARNs. Returns
# 2<status> when the service is down, 3 when the log is missing or empty.
proxy_ping_dnsmasq_status () { DBUG proxy_ping_dnsmasq_status MODE=$MODE $* ;
  local log=/var/log/dnsmasq.log
  proxy_rc_service dnsmasq status >/dev/null || return 2$?
  if [ ! -s $log ] ; then
    WARN proxy_ping_dnsmasq_status no file /var/log/dnsmasq.log
    return 3
  fi
  if ! tail $log | grep 'using nameserver ' ; then
    WARN proxy_ping_dnsmasq_status no using in /var/log/dnsmasq.log
  fi
  return 0
}
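## proxy_ping_dnsmasq_start
# Configure dnsmasq for the current interface and start it unless it is
# already running. Arguments: $1 dire for proxy_ping_dnsmasq_config (MODE by default).
# Returns 1<status> when configuring fails, 3<status> when the service fails
# to start, 4 when nothing listens on :53 afterwards, 0 otherwise.
# Defect fixed: "return 3$?" came after "tail", so it reported tail's status
# (normally 0, i.e. 30) instead of the service start failure.
proxy_ping_dnsmasq_start () { DBUG proxy_ping_dnsmasq_start MODE=$MODE "$@" ;
  local ret
  # fixme: need dire
  [ "$#" -eq 0 ] && set -- $MODE
  proxy_ping_dnsmasq_config "$@" || {
    ret=$?
    WARN proxy_ping_dnsmasq_start dnsmasq not configing $ret
    return 1$ret
  }
  proxy_ping_dnsmasq_status && return 0
  # truncate the log so the checks below only see this start attempt
  cp /dev/null /var/log/dnsmasq.log
  proxy_rc_service dnsmasq start || {
    ret=$?
    WARN proxy_ping_dnsmasq_start dnsmasq not starting
    tail /var/log/dnsmasq.log
    return 3$ret
  }
  sleep "$DELAY"
  netstat -nlp4e | grep :53 || {
    WARN proxy_ping_dnsmasq_start dnsmasq not running
    tail /var/log/dnsmasq.log
    return 4
  }
  return 0
}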
## proxy_ping_dnsmasq_stop
proxy_ping_dnsmasq_stop () { DBUG proxy_ping_dnsmasq_stop MODE=$MODE $* ;
  # Stops dnsmasq when the status check says it is running; a daemon that
  # is already down is not an error.
  # Returns: 0, or 2N when the rc service stop fails (N = its status)
  if ! proxy_ping_dnsmasq_status ; then
    return 0
  fi
  proxy_rc_service dnsmasq stop >/dev/null || return 2$?
  return 0
}
## proxy_ping_pdnsd_check
proxy_ping_pdnsd_check () { DBUG proxy_ping_pdnsd_check MODE=$MODE $* ;
  # Starts pdnsd when it is configured but not running.
  # Globals: DELAY (read)
  # Returns: 0 running or no config; 1N start failed (N = rc status);
  #          4 when the startup banner is not in /var/log/pdnsd.log
  local conf=/etc/pdnsd/pdnsd.conf
  if ps ax | grep -v grep | grep -q pdnsd ; then
    return 0
  fi
  [ -e "$conf" ] || return 0
  proxy_rc_service pdnsd start || return 1$?
  sleep $DELAY
  if tail /var/log/pdnsd.log | grep -q 'All threads started successfully' ; then
    return 0
  fi
  return 4
}
## proxy_ping_dnsmasq_check
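proxy_ping_dnsmasq_check () { DBUG proxy_ping_dnsmasq_check MODE=$MODE $* ;
  # Starts dnsmasq when it is configured but not running, mirroring
  # proxy_ping_pdnsd_check.
  # Globals: DELAY (read)
  # Returns: 0 running or no config; 1N start failed (N = rc status);
  #          4 when the startup banner is not in /var/log/dnsmasq.log
  ps ax | grep -v grep | grep -q dnsmasq && return 0
  # no config means nothing to start (the earlier '&&' skipped the start
  # exactly when the config existed, the inverse of the pdnsd check)
  [ -e /etc/dnsmasq.conf ] || return 0
  proxy_rc_service dnsmasq start || return 1$?
  sleep $DELAY
  tail /var/log/dnsmasq.log | grep -q 'started, ' || return 4
  return 0
}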
## proxy_dest_port_wlan_config
proxy_dest_port_wlan_config () { DBUG proxy_dest_port_wlan_config MODE=$MODE $* ;
  # Fills DEST, PORT and PROXY_WLAN from the positional arguments when they
  # are unset, falling back to 127.0.0.1, 9053 and proxy_get_if.
  # Globals: DEST, PORT, PROXY_WLAN, retval (written)
  # Returns: 0, or 2N when proxy_get_if fails or prints nothing (N = its status)
  # shellcheck disable=SC2154
  if [ -z "$DEST" ] && [ "$#" -gt 0 ] ; then
    DEST=$1 ; shift
  fi
  # shellcheck disable=SC2154
  : "${DEST:=127.0.0.1}"
  # shellcheck disable=SC2154
  if [ -z "$PORT" ] && [ "$#" -gt 0 ] ; then
    PORT=$1 ; shift
  fi
  # shellcheck disable=SC2154
  : "${PORT:=9053}"
  # shellcheck disable=SC2154
  if [ -z "$PROXY_WLAN" ] && [ "$#" -gt 0 ] ; then
    PROXY_WLAN=$1 ; shift
  fi
  # shellcheck disable=SC2154
  if [ -z "$PROXY_WLAN" ] ; then
    PROXY_WLAN=$( proxy_get_if )
    retval=$?
    if [ "$retval" -ne 0 ] || [ -z "$PROXY_WLAN" ] ; then
      ERROR proxy_get_if empty wlan7 retval=$retval
      return 2$retval
    fi
  fi
  return 0
}
## proxy_whonix_polipo_config
proxy_whonix_polipo_config () { DBUG proxy_whonix_polipo_config MODE=$MODE $* ;
  # Backs up /etc/polipo/config once per dire, then appends the SOCKS parent
  # settings for that mode to /etc/polipo/config.conf.
  # NOTE(review): the backup goes to $file.$dire but the append to $file.conf,
  # whereas proxy_whonix_dnsmasq_config appends to $file.$dire — confirm.
  # Arguments: $1 dire (whonix uses the fixed gateway, anything else $DEST:$PORT)
  # Globals: DEST, PORT (read in the non-whonix case)
  # Returns: 0
  local dire=$1
  local file=/etc/polipo/config
  shift
  [ -f $file.$dire ] && return 0
  cp -p $file $file.$dire
  case $dire in
    whonix)
      cat >> $file.conf <<EOF
proxyAddress=127.0.0.1
proxyPort=3128
proxyName=127.0.0.1
socksParentProxy=10.0.2.15:9050
socksProxyType=socks5
#?ssocksUserName=foo
EOF
      ;;
    *)
      cat >> $file.conf <<EOF
proxyAddress=127.0.0.1
proxyPort=3128
proxyName=127.0.0.1
socksParentProxy=${DEST}:$PORT
socksProxyType=socks5
EOF
      ;;
  esac
  return 0
}
## proxy_whonix_privoxy_config
proxy_whonix_privoxy_config () { DBUG proxy_whonix_privoxy_config MODE=$MODE $* ;
  # Backs up /etc/privoxy/config once per dire, then appends a listen-address
  # and a forward-socks5t rule to /etc/privoxy/config.conf.
  # NOTE(review): 'selaktor' here vs 'selektor' in proxy_ping_test_resolv —
  # confirm which spelling callers use (both branches pick 127.0.0.1 anyway).
  # Globals: SOCKS_HOST, SOCKS_PORT (written, not local)
  # Returns: 0
  local dire=$1
  local file=/etc/privoxy/config
  shift
  # only the whonix gateway differs; every other mode forwards to local tor
  SOCKS_PORT=9050
  case $dire in
    whonix)   SOCKS_HOST=10.0.2.15 ;;
    selaktor) SOCKS_HOST=127.0.0.1 ;;
    *)        SOCKS_HOST=127.0.0.1 ;;
  esac
  [ -f $file.$dire ] && return 0
  cp -p $file $file.$dire
  cat >> $file.conf <<EOF
listen-address 127.0.0.1:3128
forward-socks5t / $SOCKS_HOST:$SOCKS_PORT .
EOF
  return 0
}
## proxy_whonix_dnsmasq_config
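proxy_whonix_dnsmasq_config () { DBUG proxy_whonix_dnsmasq_config MODE=$MODE $* ;
  # Writes /etc/dnsmasq.conf.$dire once: a loopback-only listener forwarding
  # to $DEST#$PORT, bound to $PROXY_WLAN with DHCP disabled on it.
  # Arguments: $1 dire (default tor); the rest go to proxy_dest_port_wlan_config
  # Globals: DEST, PORT, PROXY_WLAN (read after proxy_dest_port_wlan_config)
  # Returns: 0 written or already present; 1 when DEST/PORT are empty;
  #          proxy_dest_port_wlan_config's status when it fails
  local dire file
  [ "$#" -eq 0 ] && set -- tor
  dire=$1 ; shift
  # stop here when the interface lookup failed; otherwise the file below is
  # written with empty interface= / no-dhcp-interface= lines
  proxy_dest_port_wlan_config $* || return $?
  # shellcheck disable=SC2154
  [ -z "$PORT" -o -z "$DEST" ] && return 1
  # 9040 - no wgetrc
  # need dnsmasq to 127
  file=/etc/dnsmasq.conf
  if [ ! -f $file.$dire ] ; then
    cp -p $file $file.$dire
    cat >> $file.$dire <<EOF
log-facility=/var/log/dnsmasq.log
no-resolv
listen-address=127.0.0.1
server=${DEST}#$PORT
port=53
# wlan4
interface=$PROXY_WLAN
bind-interfaces
no-dhcp-interface=$PROXY_WLAN
EOF
  fi
  return 0
}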
# unused
## proxy_testssl_lib_update
proxy_testssl_lib_update () { DBUG proxy_testssl_lib_update MODE=$MODE $* ;
  # Regenerates the testssl helper library from /usr/bin/testssl.sh (everything
  # before its '## main ##' marker) when it is missing, empty or older.
  # Returns: 0
  local src=/usr/bin/testssl.sh
  local dst=/usr/local/bin/proxy_testssl_lib.bash
  if [ ! -s "$dst" ] || [ "$src" -nt "$dst" ] ; then
    sed -e '/^##* main ##/,$d' "$src" > "$dst"
  fi
  return 0
}
## proxy_ping_wait_for_tor
proxy_ping_wait_for_tor () { DBUG proxy_ping_wait_for_tor MODE=$MODE $* ;
  # Polls tor's notice log until bootstrap reports 100%, at most TRIES
  # times with DELAY seconds before each poll.
  # Globals: TRIES, DELAY (read)
  # Returns: 0 bootstrapped; 3 when TRIES polls passed without it
  local i=0
  while [ "$i" -lt "$TRIES" ] ; do
    sleep $DELAY
    if tail -20 /var/log/tor/notice.log | grep 100% ; then
      break
    fi
    i=$(( i + 1 ))
  done
  if [ "$i" -ge "$TRIES" ] ; then
    echo "ERROR: proxy_ping_wait_for_tor tor failed"
    return 3
  fi
  return 0
}
## proxy_ping_dig_test
proxy_ping_dig_test () { DBUG proxy_ping_dig_test MODE=$MODE $* ;
  # Alias for proxy_ping_wait_for_dig; its status is passed through unchanged.
  local rc
  proxy_ping_wait_for_dig $*
  rc=$?
  return $rc
}
## proxy_ping_wait_for_dig
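proxy_ping_wait_for_dig () { DBUG proxy_ping_wait_for_dig MODE=$MODE $* ;
  # Retries an unprivileged 'dig google.com' (run as $PRIV_BIN_OWNER) until an
  # ANSWER section appears, at most TRIES times with DELAY seconds between.
  # Globals: TRIES, DELAY, PRIV_BIN_OWNER (read)
  # Returns: 0 on an answer; 2 when TRIES attempts failed
  local i=0
  while [ "$i" -lt "$TRIES" ] ; do
    su -s /bin/bash -c 'dig google.com' $PRIV_BIN_OWNER 2>&1 | grep -v grep | grep -A 1 ANSWER && break
    sleep $DELAY
    i=$(( i + 1 ))
  done
  if [ "$i" -ge "$TRIES" ] ; then
    echo "ERROR: proxy_ping_wait_for_dig dig failed"
    return 2
  fi
  # explicit success: without it the function returned the status of the
  # failed '-ge' test (1) after a successful dig
  return 0
}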
## proxy_ping_set_resolv
proxy_ping_set_resolv () { DBUG proxy_ping_set_resolv MODE=$MODE $* ;
  # Makes /etc/resolv.conf point at the resolver for the mode: when
  # proxy_ping_test_resolv returns neither 0 (already matching) nor 1
  # (unknown/empty mode), the nameserver is rewritten to $DEST.
  # Globals: MODE, DEST (read); ret (written, not local)
  # Returns: 0, or 1 for an unknown/empty mode
  local dire=$MODE
  [ "$#" -gt 0 ] && dire=$1
  proxy_ping_test_resolv $dire
  ret=$?
  case $ret in
    0) return 0 ;;
    1) return 1 ;;
  esac
  proxy_clobber_resolv_local $DEST
  return 0
}
## proxy_ping_test_resolv
proxy_ping_test_resolv () { DBUG proxy_ping_test_resolv MODE=$MODE $* ;
  # Picks the resolver IP for the mode into PROXY_DNS_IP and, as root,
  # prepares /etc/resolv.conf.$dire with that nameserver (the live
  # /etc/resolv.conf is not touched here).
  # NOTE(review): 'selektor' here vs 'selaktor' in proxy_whonix_privoxy_config —
  # confirm which spelling is intended.
  # Globals: MODE, USER (read); PROXY_DNS_IP (written)
  # Returns: 0; 1 when the mode is empty or unknown
  local dire=$MODE
  local target
  [ "$#" -gt 0 ] && dire=$1
  [ -z "$dire" ] && return 1
  # fixme - has polipo?
  #? proxy_whonix_polipo_config $dire
  case $dire in
    whonix)
      # PROXY_DNS_IP="10.0.2.15#9053"
      PROXY_DNS_IP=127.0.0.1 ;;
    gateway)
      PROXY_DNS_IP=10.0.2.15 ;;
    nat)
      PROXY_DNS_IP=10.0.2.2 ;;
    vda|ws|workstation)
      PROXY_DNS_IP=10.152.152.10 ;;
    tor|selektor|host)
      PROXY_DNS_IP=127.0.0.1 ;;
    *)
      WARN proxy_ping_test_resolv unexpected dire=$dire
      PROXY_DNS_IP=127.0.0.1
      #?
      return 1 ;;
  esac
  grep -q $PROXY_DNS_IP /etc/resolv.conf && return 0
  #? grep '^nameserver *[2-9]' /etc/resolv.conf && return 2
  if [ "$USER" = root ] ; then
    target=/etc/resolv.conf.$dire
    if [ -f "$target" ] && sed -e "s@nameserver.*@nameserver $PROXY_DNS_IP@" -i "$target" ; then
      :
    else
      # no per-mode file yet (or sed failed): create it from scratch
      echo nameserver $PROXY_DNS_IP > "$target"
    fi
  fi
  return 0
}
## proxy_clobber_resolv_local
proxy_clobber_resolv_local () { DBUG proxy_clobber_resolv_local MODE=$MODE $* ;
  # Points every nameserver line in /etc/resolv.conf at $1 (default
  # 127.0.0.1), appending one when none exists. Only acts as root.
  # Returns: 0 always (already set, not root, or rewritten)
  local ip=127.0.0.1
  local resolv=/etc/resolv.conf
  [ "$#" -eq 0 ] || ip=$1
  # FixMe: /etc/resolv.conf resolvconf
  grep -q "^nameserver $ip" "$resolv" && return 0
  proxy_ping_check_root || return 0
  if grep -q "^nameserver" "$resolv" && sed -e "s/^nameserver.*/nameserver $ip/" -i "$resolv" ; then
    return 0
  fi
  # no nameserver line (or the in-place edit failed): append one
  echo "nameserver $ip" >> "$resolv"
  return 0
}
## proxy_ping_status
proxy_ping_status () { DBUG proxy_ping_status MODE=$MODE $* ;
  # Delegates to proxy_libvirt_lib's status; the result is informational only.
  local libvirt_lib=/usr/local/bin/proxy_libvirt_lib.bash
  "$libvirt_lib" proxy_libvirt_status
  return 0
}
## proxy_virsh
proxy_virsh () { DBUG proxy_virsh MODE=$MODE $* ;
  # Runs virsh under a 20s budget, SIGKILL 10s after the timeout.
  # Returns: virsh's status (timeout(1) itself reports 124 on expiry)
  local rc
  timeout --kill-after=10 20 virsh $*
  rc=$?
  # timeout=124
  return $rc
}
## proxy_ping_update_cacert
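proxy_ping_update_cacert () {
  # Refreshes the curl.se CA bundle in /usr/local/etc/ssl (only when the
  # directory is writable) and prints the path of the first non-empty bundle
  # found there, without a trailing newline.
  # Outputs: bundle path on stdout (nothing when no bundle exists)
  # Returns: 0 when the directory is missing; 1 when it cannot be entered;
  #          otherwise the download status (0 when no download was attempted)
  local WD=$PWD
  local DIR=/usr/local/etc/ssl
  local URL=https://curl.se/ca/cacert.pem
  local curls='curl.bash'
  local RARGS
  local retval=0
  local file
  [ -d "$DIR" ] || return 0
  # the -f / -z checks below use paths relative to DIR, so the cd must succeed
  cd "$DIR" || return 1
  if [ -w "$DIR" ] ; then
    if [ -f cacert-curl.se.pem ] ; then
      # -z: only fetch when the remote copy is newer than the local one
      $curls -o "$DIR/cacert-curl.se.pem" -z cacert-curl.se.pem $RARGS "$URL" \
        >/dev/null
    else
      $curls -o "$DIR/cacert-curl.se.pem" $RARGS "$URL" \
        >/dev/null
    fi
    retval=$?
    # [ $? -ne 0 ] && exit $?
  fi
  for file in cacert-curl.se.pem cacert-testforge.pem; do
    if [ -s "$DIR/$file" ] ; then
      printf '%s' "$DIR/$file"
      break
    fi
  done
  cd "$WD"
  return $retval
}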
starbucks_pdnsd () {
# Local-resolver handling selected by the global $pdnsd: "dnscrypt" launches
# dnscrypt-proxy from $HARDEN_VAR_LOCAL when it is not already running;
# "pdnsd" stops pdnsd when it is not running.
# NOTE(review): stopping a daemon that is already down looks inverted —
# confirm whether a start was intended. Also /etc/pdnsd.conf here vs
# /etc/pdnsd/pdnsd.conf in proxy_ping_pdnsd_check — confirm the path.
# Globals: pdnsd, HARDEN_VAR_LOCAL, DELAY (read)
# Returns: 0 when $pdnsd is empty; 11 when dnscrypt-proxy logs
#          'No servers configured'; 12 when it is not running after DELAY;
#          otherwise the status of the last command (no explicit return).
# shellcheck disable=SC2154
[ -z "$pdnsd" ] && return 0
if [ "$pdnsd" = "dnscrypt" ] && \
! ps ax | grep -v grep | grep -q /dnscrypt-proxy ; then
# NOTE(review): the log is truncated at /var/local/var/log/... but grepped
# under $HARDEN_VAR_LOCAL/var/log/...; these are the same file only when
# HARDEN_VAR_LOCAL=/var/local — confirm.
cp /dev/null /var/local/var/log/dnscrypt-proxy.log
$HARDEN_VAR_LOCAL/bin/dnscrypt-proxy --config $HARDEN_VAR_LOCAL/etc/dnscrypt-proxy.toml &
sleep $DELAY
# an empty log, or one without 'No servers configured', is acceptable
[ ! -s /var/local/var/log/dnscrypt-proxy.log ] || \
! grep -q 'No servers configured' $HARDEN_VAR_LOCAL/var/log/dnscrypt-proxy.log || return 11
ps ax | grep -v grep | grep -q /dnscrypt-proxy || return 12
elif [ "$pdnsd" = "pdnsd" ] && ! ps ax | grep -v grep | grep -q /pdnsd ; then
if [ -x /bin/systemctl ] ; then
[ -e /etc/pdnsd.conf ] && /bin/systemctl stop pdnsd >/dev/null
else
[ -e /etc/pdnsd.conf ] && /etc/init.d/pdnsd stop
fi
fi
}
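base=proxy_ping_lib
# DBUG 0=$0
# Dispatch when this file is executed (not sourced): run the function named
# by $1 with the remaining arguments; -h/--help lists the functions and the
# '## ' notes instead.
if [ -x /usr/bin/basename ] && \
   [ "$( basename -- "$0" .bash )" = "$base" \
   -o "$( basename -- "$0" .sh )" = "$base" ] ; then
  if [ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] ; then
    # exit after help even when grep finds no matching lines; the earlier
    # '&&' chain fell through and "$@" then tried to run '-h' as a command
    echo USAGE: "$0"
    grep '^[a-z].*()\|^## ' "$0" | sed -e 's/().*//'
    exit 0
  fi
  # "$@" is not restricted to the functions listed by --help; anything the
  # shell can resolve by that name runs with this script's privileges
  "$@"
  exit $?
fi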