qubes-linux-template-builder/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip

#!/bin/bash

if [ -x /usr/sbin/xenstore-read ]; then
	XENSTORE_READ="/usr/sbin/xenstore-read"
else
	XENSTORE_READ="/usr/bin/xenstore-read"
fi

INTERFACE="eth1"
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)

# Create a dummy eth1 interface so tor can bind to it if there
# are no DOMU virtual machines connected at the moment
ip link show ${INTERFACE} >> /dev/null || {
    /sbin/ip link add ${INTERFACE} type dummy

    # Now, assign it the netvm-gateway IP address
    if [ x${ip} != x ]; then
        netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
        gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
        /sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
        /sbin/ifconfig ${INTERFACE} up
        /sbin/ethtool -K ${INTERFACE} sg off
        /sbin/ethtool -K ${INTERFACE} tx off
    fi

    ip link set ${INTERFACE} up
}

# Files that will have the immutable bit set 
# since we don't want them modified by other programs
IMMUTABLE_FILES=( 
    '/etc/resolv.conf'
    '/etc/hostname'
    '/etc/hosts'
)

immutableFilesEnable() {
    files="${1}"
    suffix="${2}"

    for file in "${files[@]}"; do
        if [ -f "${file}" ] && ! [ -L "${file}" ]; then 
            chattr +i "${file}${suffix}"
        fi
    done
}

immutableFilesDisable() {
    files="${1}"
    suffix="${2}"

    for file in "${files[@]}"; do
        if [ -f "${file}" ] && ! [ -L "${file}" ]; then 
            chattr -i "${file}${suffix}"
        fi
    done
}

copyAnondist() {
    file="${1}"
    suffix="${2-.anondist}"

    # Remove any softlinks first
    if [ -L "${file}" ]; then 
        rm -f "${file}"
    fi

    if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then 
        chattr -i "${file}"
        rm -f "${file}"
        cp -p "${file}${suffix}" "${file}"
        chattr +i "${file}"
    elif ! [ -f "${file}" ]; then 
        cp -p "${file}${suffix}" "${file}"
        chattr +i "${file}"
    fi
}

# Make sure all .anondist files in list are immutable
immutableFilesEnable "${IMMUTABLE_FILES}"
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"

# Make sure we are using a copy of the annondist file and if not
# copy the annondist file and set it immutable
copyAnondist "/etc/resolv.conf"
copyAnondist "/etc/hosts"
copyAnondist "/etc/hostname"

# Replace IP addresses in known configuration files / scripts to 
# currently discovered one
/usr/lib/whonix/replace-ips

# Make sure hostname is correct
/bin/hostname host

# Start Whonix Firewall
export INT_IF="vif+"
export INT_TIF="vif+"
/usr/bin/whonix_firewall

# Route any traffic FROM netvm TO netvm BACK-TO localhost
# Allows localhost access to tor network
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1

# Will only enable / disable if service is not already in that state
enable_sysv() {
    servicename=${1}
    disable=${2-0}

    # Check to see if the service is already enabled and if not, enable it
    string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}"

    if [ $(find $string 2>/dev/null | wc -l) -eq ${disable} ] ; then
        case ${disable} in
            0)
                echo "${1} is currently disabled; enabling it"
                systemctl --quiet enable ${servicename}
                ;;
            1)
                echo "${1} is currently enabled; disabling it"
                systemctl --quiet disable ${servicename}
                ;;
        esac
    fi
}

disable_sysv() {
    enable_sysv ${1} 1
}

# This would be a really good place to apply any hacks required and remove them
# from template build script
grep "^DisableNetwork 0$" /etc/tor/torrc && {
    #enable_sysv tor
    #enable_sysv whonixcheck
    #enable_sysv sdwdate
    :
} || {
    :
}