diff --git a/scripts_debian/wheezy+whonix-gateway/files/.facl b/scripts_debian/wheezy+whonix-gateway/files/.facl index e81b167..ece4cc6 100644 --- a/scripts_debian/wheezy+whonix-gateway/files/.facl +++ b/scripts_debian/wheezy+whonix-gateway/files/.facl @@ -19,6 +19,20 @@ user::rw- group::r-- other::r-- +# file: etc/uwt.d +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/uwt.d/50_uwt_default +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: etc/xdg # owner: root # group: root @@ -94,7 +108,7 @@ other::r-- # group: root user::rwx group::r-x -other::r-x +other::--- # file: etc/sudoers.d/qubes # owner: root @@ -103,62 +117,6 @@ user::r-- group::r-- other::--- -# file: home -# owner: root -# group: root -user::rwx -group::r-x -other::r-x - -# file: home/user -# owner: user -# group: user -user::rwx -group::r-x -other::r-x - -# file: home/user/whonix_fix.sh -# owner: user -# group: user -user::rwx -group::r-x -other::r-x - -# file: home/user/build-steps.d -# owner: user -# group: user -user::rwx -group::r-x -other::r-x - -# file: home/user/build-steps.d/1000_qubes-patches.sh -# owner: user -# group: user -user::rwx -group::r-x -other::r-x - -# file: home/user/build-steps.d/2900_qubes-post-installation.sh -# owner: user -# group: user -user::rwx -group::r-x -other::r-x - -# file: home/user/whonix_build.sh -# owner: user -# group: user -user::rwx -group::r-x -other::r-x - -# file: home/user/.whonix_build.sh.swp -# owner: user -# group: user -user::rw- -group::r-- -other::r-- - # file: .facl # owner: user # group: user @@ -187,6 +145,13 @@ user::rwx group::r-x other::r-x +# file: usr/lib/whonix/utility_functions +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + # file: usr/lib/whonix/setup-ip # owner: root # group: root 
@@ -194,6 +159,20 @@ user::rwx group::r-x other::r-x +# file: usr/lib/whonix/tests.sh +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: usr/lib/whonix/messages.yaml +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: usr/lib/whonix/replace-ips # owner: root # group: root @@ -201,6 +180,13 @@ user::rwx group::r-x other::r-x +# file: usr/lib/whonix/alert +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + # file: usr/lib/whonix/qubes-whonixsetup # owner: root # group: root diff --git a/scripts_debian/wheezy+whonix-gateway/files/etc/hosts b/scripts_debian/wheezy+whonix-gateway/files/etc/hosts index 87b1540..cc0e30d 100644 --- a/scripts_debian/wheezy+whonix-gateway/files/etc/hosts +++ b/scripts_debian/wheezy+whonix-gateway/files/etc/hosts @@ -1,14 +1,5 @@ ## Anonymity Distribution /etc/hosts -## Defaults -127.0.0.1 host -::1 host ip6-host ip6-loopback -fe00::0 ip6-localnet -ff00::0 ip6-mcastprefix -ff02::1 ip6-allnodes -ff02::2 ip6-allrouters -## End of defaults - ## Anonymity Distribution specific 127.0.0.1 host.localdomain host ## End of Anonymity Distribution specific diff --git a/scripts_debian/wheezy+whonix-gateway/files/etc/uwt.d/50_uwt_default b/scripts_debian/wheezy+whonix-gateway/files/etc/uwt.d/50_uwt_default new file mode 100644 index 0000000..bac9ef3 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/etc/uwt.d/50_uwt_default @@ -0,0 +1,6 @@ + +. /usr/lib/whonix/utility_functions + +if [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "1" ]; then + uwtwrapper["/usr/bin/apt-get"]="0" +fi diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/.whonix_build.sh.swp b/scripts_debian/wheezy+whonix-gateway/files/home/user/.whonix_build.sh.swp deleted file mode 100644 index e88a647..0000000 Binary files a/scripts_debian/wheezy+whonix-gateway/files/home/user/.whonix_build.sh.swp and /dev/null differ 
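Review bot: The guard in the new /etc/uwt.d/50_uwt_default combines `-a` with `==` inside one `[ ]`; `-a` is deprecated and `==` is a bash extension of `test`, so the condition is better written as two tests, `if [ "${WHONIX}" = "template" ] && [ "${PROXY_SECURE}" = "1" ]; then`. Sourcing /usr/lib/whonix/utility_functions from this fragment also means that every load of it inside a template runs the curl probe that file performs to compute PROXY_SECURE, and PROXY_SECURE is the value this fragment uses to switch the uwt wrapper off for /usr/bin/apt-get. A one-line comment above the `if`, e.g. `# Run apt-get unwrapped only when the update proxy has been identified as the Tor proxy`, would make the intent of `uwtwrapper["/usr/bin/apt-get"]="0"` clear to the next reader.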
diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/1000_qubes-patches.sh b/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/1000_qubes-patches.sh deleted file mode 100755 index 30c5f71..0000000 --- a/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/1000_qubes-patches.sh +++ /dev/null 
@@ -1,92 +0,0 @@ -#!/bin/bash -# vim: set ts=4 sw=4 sts=4 et : - -set -x - -WHONIX_DIR="$(readlink -m .)" - -# -------------------------------------------------------------------------- -# Initialize Whonix submodules -# -------------------------------------------------------------------------- -pushd "${WHONIX_DIR}" -{ - sudo git submodule update --init --recursive; -} -popd - -# -------------------------------------------------------------------------- -# Patch Whonix submodules -# -------------------------------------------------------------------------- - -# Chekout a branch; create a branch first if it does not exist -checkout_branch() { - branch=$(git symbolic-ref --short -q HEAD) - if ! [ "${branch}" == "${1}" ]; then - sudo -u "${user_name}" git checkout "${1}" >/dev/null 2>&1 || \ - { - sudo -u "${user_name}" git branch "${1}" - sudo -u "${user_name}" git checkout "${1}" - } - fi -} - -# sed search and replace. return 0 if replace happened, otherwise 1 -search_replace() { - local search="${1}" - local replace="${2}" - local file="${3}" - - sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}" -} - -# Patch anon-meta-packages to not depend on grub-pc -pushd "${WHONIX_DIR}" -{ - search_replace "grub-pc" "" "grml_packages" || : -} -popd - -pushd "${WHONIX_DIR}/packages/anon-meta-packages/debian" -{ - search1=" grub-pc,"; - replace=""; - - #checkout_branch qubes - search_replace "${search1}" "${replace}" control && \ - { - cd "${WHONIX_DIR}/packages/anon-meta-packages"; - : - #sudo -E -u "${user_name}" make deb-pkg || : - #su "${user_name}" -c "dpkg-source --commit" || : - #git add . 
- #su "${user_name}" -c "git commit -am 'removed grub-pc depend'" - } || : -} -popd - -pushd "${WHONIX_DIR}/packages/anon-shared-build-fix-grub/usr/lib/anon-dist/chroot-scripts-post.d" -{ - search1="update-grub"; - replace=":"; - - #checkout_branch qubes - search_replace "${search1}" "${replace}" 85_update_grub && \ - { - cd "${WHONIX_DIR}/packages/anon-shared-build-fix-grub"; - sudo -E -u "${user_name}" make deb-pkg || : - su "${user_name}" -c "EDITOR=/bin/true dpkg-source -q --commit . no_grub"; - #git add . ; - #su "${user_name}" -c "git commit -am 'removed grub-pc depend'" - } || : -} -popd - -pushd "${WHONIX_DIR}/build-steps.d" -{ - search1=" check_for_uncommited_changes"; - replace=" #check_for_uncommited_changes"; - - search_replace "${search1}" "${replace}" 1200_create-debian-packages || : - } -popd - diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/2900_qubes-post-installation.sh b/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/2900_qubes-post-installation.sh deleted file mode 100755 index 654b9a5..0000000 --- a/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/2900_qubes-post-installation.sh +++ /dev/null 
@@ -1,60 +0,0 @@ -#!/bin/bash -# vim: set ts=4 sw=4 sts=4 et : - -# ------------------------------------------------------------------------------ -# Whonix Post Installation Configurations -# ------------------------------------------------------------------------------ -echo "Post Configuring Whonix System" - -pushd "/etc/network" -{ - rm -f interfaces; - ln -s interfaces.backup interfaces; -} -popd - -pushd "/etc" -{ - rm -f resolv.conf; - cp -p resolv.conf.backup resolv.conf; -} -popd - -# Enable Tor -#if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then -# sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' "/etc/tor/torrc" -#fi - -# Fake that whonixsetup was already run -#mkdir -p "/var/lib/whonix/do_once" -#touch "/var/lib/whonix/do_once/whonixsetup.done" - -# Fake that initializer was already run -mkdir -p "/root/.whonix" -touch "/root/.whonix/first_run_initializer.done" - -# Prevent whonixcheck error -echo 'WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER="1"' >> "/etc/whonix.d/30_whonixcheck_default" - -# Use gdialog as an alternative for dialog -update-alternatives --install /usr/bin/dialog dialog /usr/bin/gdialog 999 - -# Disable unwanted applications -update-rc.d network-manager disable || : -update-rc.d spice-vdagent disable || : -update-rc.d swap-file-creator disable || : -update-rc.d whonix-initializer disable || : - -service apt-cacher-ng stop || : -update-rc.d apt-cacher-ng disable || : - -# Remove apt-cacher-ng -DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ - apt-get.anondist-orig -y --force-yes remove --purge apt-cacher-ng - -# Remove original sources.list -rm -f "/etc/apt/sources.list" - -DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ - apt-get.anondist-orig update - diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_build.sh b/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_build.sh deleted file mode 100755 index 0fdf086..0000000 
--- a/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_build.sh +++ /dev/null @@ -1,41 +0,0 @@ -################################################################################ -# Pre Fixups -sudo mkdir -p /boot/grub2 -sudo touch /boot/grub2/grub.cfg -sudo mkdir -p /boot/grub -sudo touch /boot/grub/grub.cfg -sudo mkdir --parents --mode=g+rw "/tmp/uwt" - -# Whonix seems to re-install sysvinit even though there is a hold -# on the package. Things seem to work anyway. BUT hopfully the -# hold on grub* don't get removed -sudo apt-mark hold sysvinit -sudo apt-mark hold grub-pc grub-pc-bin grub-common grub2-common - -# Whonix expects haveged to be started -sudo /etc/init.d/haveged start - -# ------------------------------------------------------------------------------ -# Link our build steps into Whonix build directory -# ------------------------------------------------------------------------------ -#pushd /home/user/Whonix/build-steps.d -#cp -pf /home/user/build-steps.d/* . -#popd - -# ------------------------------------------------------------------------------ -# Whonix installation -# ------------------------------------------------------------------------------ -export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1" - -pushd ~/Whonix -sudo ~/Whonix/whonix_build \ - --build $1 \ - --64bit-linux \ - --current-sources \ - --enable-whonix-apt-repository \ - --whonix-apt-repository-distribution $2 \ - --install-to-root \ - --skip-verifiable \ - --minimal-report \ - --skip-sanity-tests || { exit 1; } -popd diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_fix.sh b/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_fix.sh deleted file mode 100755 index 508180a..0000000 --- a/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_fix.sh +++ /dev/null 
@@ -1,3 +0,0 @@ -DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ - sudo apt-get -y --force-yes remove grub-pc grub-common grub-pc-bin grub2-common - sudo apt-mark hold grub-common grub-pc-bin grub2-common diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/alert b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/alert new file mode 100755 index 0000000..e585475 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/alert 
@@ -0,0 +1,90 @@ +#!/usr/bin/python + +# +# Copyright 2014 Jason Mehring (nrgaway@gmail.com) +# + +from PyQt4 import QtGui +import locale +import yaml + +DEFAULT_LANG = 'en' + +class Messages(): + filename = None + data = None + language = DEFAULT_LANG + title = None + icon = None + message = None + + def __init__(self, section, filename): + self.filename = filename + + language = locale.getdefaultlocale()[0].split('_')[0] + if language: + self.language = language + + try: + stream = file(filename, 'r') + data = yaml.load(stream) + + if section in data.keys(): + section = data[section] + + self.icon = section.get('icon', None) + + language = section.get(self.language, DEFAULT_LANG) + + self.title = language.get('title', None) + self.message = language.get('message', None) + + except (IOError): + pass + except (yaml.scanner.ScannerError, yaml.parser.ParserError): + pass + +class WhonixMessageBox(QtGui.QMessageBox): + def __init__(self, message): + super(WhonixMessageBox, self).__init__() + self.message = message + self.initUI() + + def initUI(self): + message = self.message + + if message.title: + self.setWindowTitle(message.title) + + if message.icon: + self.setIcon(getattr(QtGui.QMessageBox, message.icon)) + + if message.message: + self.setText(message.message) + self.exec_() + +import argparse +import sys + + + +def main(): + parser = argparse.ArgumentParser(description='Display a QT Message Box') + + parser.add_argument('section', help="Message section") + parser.add_argument('filename', help="File including full path") + + args = parser.parse_args() + + if not args.filename and args.section: + print parser.usage() + sys.exit(1) + + app = QtGui.QApplication(sys.argv) + + message = Messages(args.section, args.filename) + dialog = WhonixMessageBox(message) + sys.exit() + +if __name__ == "__main__": + main() \ No newline at end of file 
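Review bot: `data = yaml.load(stream)` in Messages.__init__ uses the full PyYAML loader, which can construct arbitrary Python objects from tags in the file; since the filename comes straight from argv this should be `data = yaml.safe_load(stream)`. A few lines later `language = section.get(self.language, DEFAULT_LANG)` falls back to the string 'en' rather than to the 'en' section, so `language.get('title', None)` raises AttributeError whenever the locale's language is absent from the file; `language = section.get(self.language) or section.get(DEFAULT_LANG, {})` gives the intended fallback. The handle from `file(filename, 'r')` is never closed — a `with open(filename) as stream:` block fixes that. In main() the `print parser.usage()` branch is unreachable because argparse already rejects missing positionals, and `parser.usage` is a string attribute, not a callable.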
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/enable-iptables-logging.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/enable-iptables-logging.sh index d3a2b95..a8e1653 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/enable-iptables-logging.sh +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/enable-iptables-logging.sh @@ -20,3 +20,11 @@ if [ "$LOG_IP6" == "1" ]; then ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE modprobe ip6t_LOG fi + +# Redirect local port to remote via socat +#apt-get install socat +#socat TCP4-LISTEN:8082,fork,mode=0666,user=root,group=root TCP4:10.137.255.254:8082 +# +# Works +# localhost/loopback maps localhost port 8082 to localhost port 8888 +#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888 diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml new file mode 100644 index 0000000..d3be464 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml @@ -0,0 +1,12 @@ + +update: + icon: Critical + en: + title: Tor netvm required for updates + message: | +
Tor netvm required for updates!
+Please ensure your template vm has a Whonix gateway as it's VM.
+No updates are possible without an active (running) Whonix gateway VM.
+ +Template will now power off
+ diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup index 681c889..49dff91 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup 
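Review bot: The second line of the `message` block reads `as it's VM`; the possessive is `its`, and the sentence presumably means the gateway should be the template's NetVM, so `Please ensure your template VM has a Whonix gateway as its NetVM.` would read correctly. The first message line repeats the `title` verbatim and could be dropped.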
@@ -1,23 +1,46 @@ -#/bin/bash +#!/bin/bash -# XXX: TODO: -# - Make sure we can't just run this from setup-ip -# - Alternatives? instead of deleting dialog? -# -# INSTALLATION NOTES: -# - Make sure /etc/tor/torrc is disabled initially -# - Make sure /var/lib/whonix/do_once/whonixsetup.done does not exist -# so repo questions will be asked -# - /etc/xdg/autostart/qubes-whonixsetup must be in place -# - this file must be in place -# - gdialog must have over-written dialog -# - patches to setup-ip: -# - bring eth1 up -# - remove old code that was trying to get setup working +. /usr/lib/whonix/utility_functions -grep "^DisableNetwork 0$" /etc/tor/torrc || { - sudo systemctl stop whonixcheck - sudo systemctl stop tor - sudo /usr/lib/whonix/setup-ip - sudo /usr/bin/whonixsetup -} +if [ "${WHONIX}" == "gateway" ]; then + grep "^DisableNetwork 0$" /etc/tor/torrc || { + sudo service sdwdate restart + sudo service tor stop + sudo /usr/bin/whonixsetup && { + enable_sysv tor + sleep 1 + enable_sysv sdwdate + } || { + sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc" + disable_sysv tor + disable_sysv sdwdate + sudo /sbin/poweroff + } + } + + # Allow whonix-gateway to act as an update-proxy + sudo systemctl status qubes-updates-proxy.service || { + error_file="/usr/share/tinyproxy/default.html" + + # Search and replace tinyproxy error files so we can inject code that + # we can use to identify that its a tor proxy so updates are secure + grep -q "${PROXY_META}" "${error_file}" || { + sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}" + } + + sudo touch /var/run/qubes-service/qubes-updates-proxy + sudo iptables -t nat -N PR-QBS-SERVICES + sudo systemctl start qubes-updates-proxy.service + } + +elif [ "${WHONIX}" == "workstation" ]; then + if ! 
[ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then + enable_sysv sdwdate + sudo service sdwdate restart + sudo /usr/bin/whonixsetup + fi + +elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then + /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml + sudo /sbin/poweroff +fi diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips index f2e4076..900a584 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips @@ -1,7 +1,9 @@ #!/bin/bash +. /usr/lib/whonix/utility_functions + # Search though files and updates IP address to the current -# 'qubes-netvm-gateway' IP address +# IP address(es) FILES=( '/usr/lib/leaktest-workstation/simple_ping.py' @@ -40,7 +42,7 @@ search_replace() { sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}" retval=$? - if [ "${ls_attrs}" == "i" ]; then + if [ "${ls_attrs}" = "i" ]; then chattr +i "${file}" fi @@ -58,7 +60,7 @@ function replace_ips() search_network="${search_ip%[.]*}.0" replace_network="${replace_ip%[.]*}.0" - if ! [ "${search_ip}" == "${replace_ip}" ]; then + if ! [ "${search_ip}" = "${replace_ip}" ]; then for file in "${files[@]}"; do if [ -f "$file" ]; then search_replace "${search_ip}" "${replace_ip}" "${file}" && retval=0 
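Review bot: In the failure branch of `sudo /usr/bin/whonixsetup && { … } || { … }`, the line `sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"` is the only write in the block that runs without sudo; every neighbouring command uses it, so if this script runs unprivileged the edit fails with permission denied and the VM is powered off with Tor still enabled in torrc. The `&& { } || { }` form also means that a non-zero exit from `enable_sysv` or `sleep` inside the success block falls through into the failure block and powers the machine off; an explicit if/else avoids that. The `grep "^DisableNetwork 0$"` tests should use `-q` so the matched line is not echoed. The `sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/"` expression will break if PROXY_META ever contains a `/`; a different delimiter such as `|` makes it robust.
```shell
    grep -q "^DisableNetwork 0$" /etc/tor/torrc || {
        sudo service sdwdate restart
        sudo service tor stop
        if sudo /usr/bin/whonixsetup; then
            enable_sysv tor
            sleep 1
            enable_sysv sdwdate
        else
            sudo sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
            disable_sysv tor
            disable_sysv sdwdate
            sudo /sbin/poweroff
        fi
    }
    # … unchanged: update-proxy setup, workstation and template branches …
```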
@@ -75,18 +77,42 @@ update_ip() { echo "${ip}" > /etc/whonix-netvm-gateway grep '^DisableNetwork 0$' /etc/tor/torrc && { - service tor reload || true; + service tor status && { + service tor reload || true; + } } } -ip="$(xenstore-read qubes-netvm-gateway)" +if [ "${WHONIX}" == "gateway" ]; then + ip="$(xenstore-read qubes-netvm-gateway)" + if [ x${ip} != x ]; then + # Compare to current IP address assiged by Qubes + replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] && update_ip "${ip}" -# Compare to current IP address assiged by Qubes -replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] && update_ip "${ip}" + # Do again; checking for original 10.152.152.10 incase of update + replace_ips "10.152.152.10" "${ip}" FILES[@] && update_ip "${ip}" -# Do again; checking for original 10.152.152.10 incase of update -replace_ips "10.152.152.10" "${ip}" FILES[@] && update_ip "${ip}" + # Do again; checking for original 10.152.152.11 incase of update + replace_ips "10.152.152.11" "${ip}" FILES[@] && update_ip "${ip}" + fi -# Do again; checking for original 10.152.152.11 incase of update -replace_ips "10.152.152.11" "${ip}" FILES[@] && update_ip "${ip}" +elif [ "${WHONIX}" == "workstation" ]; then + ip="$(xenstore-read qubes-ip)" + gateway="$(xenstore-read qubes-gateway)" + if [ x${ip} != x ]; then + # Compare to current IP address assiged by Qubes + replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip + + # Do again; checking for original 10.152.152.11 incase of update + replace_ips "10.152.152.11" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip + fi + + if [ x${gateway} != x ]; then + # Compare to current gateway IP address assiged by Qubes + replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway + + # Do again; checking for original 10.152.152.10 incase of update + replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > 
/etc/whonix-netvm-gateway + fi +fi diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip index 9a098f7..989ccd8 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip 
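Review bot: In the workstation branch, `replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@]` runs before anything has written /etc/whonix-ip, so on first run cat fails and an empty search string is handed to replace_ips; what happens then depends on search_replace's sed expression, which is outside this hunk, but an empty address is at best a no-op and at worst a sed error. Reading the current value first and skipping the call when it is empty avoids that, e.g. `current="$(cat /etc/whonix-ip 2>/dev/null)"` followed by `[ -n "${current}" ] && replace_ips "${current}" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip`. The same applies to the /etc/whonix-netvm-gateway read in the gateway block below it. The `[ x${ip} != x ]` and `[ x${gateway} != x ]` tests should quote the expansion, `[ -n "${ip}" ]`, consistent with the quoting this commit adopts elsewhere in the file.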
@@ -1,141 +1,78 @@ #!/bin/bash -if [ -x /usr/sbin/xenstore-read ]; then - XENSTORE_READ="/usr/sbin/xenstore-read" -else - XENSTORE_READ="/usr/bin/xenstore-read" +. /usr/lib/whonix/utility_functions + +if [ "${WHONIX}" == "gateway" ]; then + if [ -x /usr/sbin/xenstore-read ]; then + XENSTORE_READ="/usr/sbin/xenstore-read" + else + XENSTORE_READ="/usr/bin/xenstore-read" + fi + + INTERFACE="eth1" + ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null) + + # Create a dummy eth1 interface so tor can bind to it if there + # are no DOMU virtual machines connected at the moment + ip link show ${INTERFACE} >> /dev/null || { + /sbin/ip link add ${INTERFACE} type dummy + + # Now, assign it the netvm-gateway IP address + if [ x${ip} != x ]; then + netmask=$(${XENSTORE_READ} qubes-netvm-netmask) + gateway=$(${XENSTORE_READ} qubes-netvm-gateway) + /sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255 + /sbin/ifconfig ${INTERFACE} up + /sbin/ethtool -K ${INTERFACE} sg off || true + /sbin/ethtool -K ${INTERFACE} tx off || true + fi + + ip link set ${INTERFACE} up + } fi -INTERFACE="eth1" -ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null) +if [ "${WHONIX}" != "template" ]; then + # Files that will have the immutable bit set + # since we don't want them modified by other programs + IMMUTABLE_FILES=( + '/etc/resolv.conf' + '/etc/hostname' + '/etc/hosts' + ) -# Create a dummy eth1 interface so tor can bind to it if there -# are no DOMU virtual machines connected at the moment -ip link show ${INTERFACE} >> /dev/null || { - /sbin/ip link add ${INTERFACE} type dummy + # Make sure all .anondist files in list are immutable + immutableFilesEnable "${IMMUTABLE_FILES}" + immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist" - # Now, assign it the netvm-gateway IP address - if [ x${ip} != x ]; then - netmask=$(${XENSTORE_READ} qubes-netvm-netmask) - gateway=$(${XENSTORE_READ} qubes-netvm-gateway) - /sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255 - /sbin/ifconfig 
${INTERFACE} up - /sbin/ethtool -K ${INTERFACE} sg off - /sbin/ethtool -K ${INTERFACE} tx off + # Make sure we are using a copy of the annondist file and if not + # copy the annondist file and set it immutable + copyAnondist "/etc/resolv.conf" + copyAnondist "/etc/hosts" + copyAnondist "/etc/hostname" + + # Replace IP addresses in known configuration files / scripts to + # currently discovered one + /usr/lib/whonix/replace-ips + + # Make sure hostname is correct + /bin/hostname host + + # Start Whonix Firewall + if [ "${WHONIX}" == "gateway" ]; then + export INT_IF="vif+" + export INT_TIF="vif+" + fi + /usr/bin/whonix_firewall + + if [ "${WHONIX}" == "gateway" ]; then + # Route any traffic FROM netvm TO netvm BACK-TO localhost + # Allows localhost access to tor network + iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 fi - ip link set ${INTERFACE} up -} - -# Files that will have the immutable bit set -# since we don't want them modified by other programs -IMMUTABLE_FILES=( - '/etc/resolv.conf' - '/etc/hostname' - '/etc/hosts' -) - -immutableFilesEnable() { - files="${1}" - suffix="${2}" - - for file in "${files[@]}"; do - if [ -f "${file}" ] && ! [ -L "${file}" ]; then - chattr +i "${file}${suffix}" - fi - done -} - -immutableFilesDisable() { - files="${1}" - suffix="${2}" - - for file in "${files[@]}"; do - if [ -f "${file}" ] && ! [ -L "${file}" ]; then - chattr -i "${file}${suffix}" - fi - done -} - -copyAnondist() { - file="${1}" - suffix="${2-.anondist}" - - # Remove any softlinks first - if [ -L "${file}" ]; then - rm -f "${file}" - fi - - if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then - chattr -i "${file}" - rm -f "${file}" - cp -p "${file}${suffix}" "${file}" - chattr +i "${file}" - elif ! 
[ -f "${file}" ]; then - cp -p "${file}${suffix}" "${file}" - chattr +i "${file}" - fi -} - -# Make sure all .anondist files in list are immutable -immutableFilesEnable "${IMMUTABLE_FILES}" -immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist" - -# Make sure we are using a copy of the annondist file and if not -# copy the annondist file and set it immutable -copyAnondist "/etc/resolv.conf" -copyAnondist "/etc/hosts" -copyAnondist "/etc/hostname" - -# Replace IP addresses in known configuration files / scripts to -# currently discovered one -/usr/lib/whonix/replace-ips - -# Make sure hostname is correct -/bin/hostname host - -# Start Whonix Firewall -export INT_IF="vif+" -export INT_TIF="vif+" -/usr/bin/whonix_firewall - -# Route any traffic FROM netvm TO netvm BACK-TO localhost -# Allows localhost access to tor network -iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 - -# Will only enable / disable if service is not already in that state -enable_sysv() { - servicename=${1} - disable=${2-0} - - # Check to see if the service is already enabled and if not, enable it - string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}" - - if [ $(find $string 2>/dev/null | wc -l) -eq ${disable} ] ; then - case ${disable} in - 0) - echo "${1} is currently disabled; enabling it" - systemctl --quiet enable ${servicename} - ;; - 1) - echo "${1} is currently enabled; disabling it" - systemctl --quiet disable ${servicename} - ;; - esac - fi -} - -disable_sysv() { - enable_sysv ${1} 1 -} - -# This would be a really good place to apply any hacks required and remove them -# from template build script -grep "^DisableNetwork 0$" /etc/tor/torrc && { - #enable_sysv tor - #enable_sysv whonixcheck - #enable_sysv sdwdate - : -} || { - : -} + # Make sure we remove whonixsetup.done if Tor is not enabled + # to allow choice of repo and prevent whonixcheck errors + grep "^DisableNetwork 0$" /etc/tor/torrc || { + rm -f 
/var/lib/whonix/do_once/whonixsetup.done + } +fi diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/tests.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/tests.sh new file mode 100755 index 0000000..6570b49 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/tests.sh 
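Review bot: `immutableFilesEnable "${IMMUTABLE_FILES}"` passes only the first element of the array (an unsubscripted array expansion yields element 0), and the function in utility_functions stores that single string via `files="${1}"` and then loops over `"${files[@]}"`, so only /etc/resolv.conf ever gets the immutable bit while /etc/hostname and /etc/hosts stay writable, contrary to the comment above the calls. Since replace-ips in this same commit already passes arrays by name (`FILES[@]`), the same convention fixes it: call `immutableFilesEnable "IMMUTABLE_FILES[@]"` and `immutableFilesEnable "IMMUTABLE_FILES[@]" ".anondist"` here, and in the utility_functions hunk change the first line of immutableFilesEnable and immutableFilesDisable to `files=("${!1}")`. The `iptables -t nat -A OUTPUT -s ${ip} -d ${ip} …` line runs even when the xenstore read returned nothing, which produces an iptables usage error rather than a rule; guarding it with `[ -n "${ip}" ]`, as the dummy-interface block already does, keeps the two consistent.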
@@ -0,0 +1,95 @@ +#!/bin/bash + +. /usr/lib/whonix/utility_functions + +#sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc" +#disable_sysv tor +#disable_sysv sdwdate + +iptables -F +iptables -t nat -F + +LOG_IP4=1 +LOG_IP6=0 + +# for IPv4 +if [ "$LOG_IP4" == "1" ]; then + iptables -t raw -A OUTPUT -p icmp -j TRACE + iptables -t raw -A PREROUTING -p icmp -j TRACE + modprobe ipt_LOG +fi + +# for IPv6 +if [ "$LOG_IP6" == "1" ]; then + ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE + ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE + ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE + ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE + modprobe ip6t_LOG +fi + +sysctl -w net.ipv4.ip_forward=1 + +iptables -A FORWARD -i eth0 -j ACCEPT +iptables -A FORWARD -o eth0 -j ACCEPT +iptables -A FORWARD -i lo -j ACCEPT +iptables -A FORWARD -o lo -j ACCEPT + +#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE + +#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp -s 10.137.255.254 --sport 8082 -j DNAT --to-destination 127.0.0.1:9105 +#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.1 --dport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp --dport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp --sport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082 + + +#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082 + +#iptables -t nat -A INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT" +#iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 
10.137.255.254 -p tcp --dport 8082 -j REDIRECT" + +#iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 9105 -j ACCEPT +#iptables -t nat -A OUTPUT -o lo -p tcp --dport 9105 -j ACCEPT +#iptables -t nat -A PREROUTING -i lo -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT +#iptables -t nat -A PREROUTING -i eth0 -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT +#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j REDIRECT --to-destination 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -p tcp --dport 8082 -i eth0 -j DNAT --to 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT --to 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -p tcp -i lo -j DNAT --to 10.137.255.254:8082 + +#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082 + +#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254 +#iptables -t nat -A PREROUTING -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254 +#iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254 +#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254 + +# Works +# localhost/loopback maps localhost port 8082 to localhost port 8888 +#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888 + +# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A PREROUTING --dst 127.0.0.1 -p tcp --dport 8082 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p udp -d 10.137.2.1 --dport 52 -j DNAT --to-destination 10.137.255.254:8082 + +# Remap ALL traffic +#iptables -t 
nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p udp -j DNAT --to-destination 10.137.255.254:8082 + + +#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j REDIRECT --to-port 9105 +#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105 +#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105 + +#iptables -v -L +#iptables -v -t nat -L +#telnet 127.0.0.1 9105 +#telnet 10.137.2.1 8082 +#telnet 127.0.0.1 8082 +#tail -100 /var/log/kern.log diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/utility_functions b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/utility_functions new file mode 100755 index 0000000..8a3b4e7 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/utility_functions 
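Review bot: tests.sh opens with `iptables -F` and `iptables -t nat -F`, then sets `net.ipv4.ip_forward=1` and adds unconditional ACCEPT rules for forwarding on eth0 and lo; on a Whonix gateway that removes the firewall that confines traffic to Tor, and the .facl hunks in this commit install the file executable at /usr/lib/whonix/tests.sh in the image. Most of the remaining lines are commented-out experiments, which suggests a scratch file rather than something that belongs in the shipped template. If it has to stay, a header comment stating that it is a debugging aid that disables the firewall, plus an explicit opt-in right after the utility_functions source line — for illustration, `[ "${WHONIX_ALLOW_FIREWALL_TESTS:-0}" = "1" ] || { echo "tests.sh flushes the firewall; refusing without opt-in" >&2; exit 1; }` — would prevent it from being run by accident.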
@@ -0,0 +1,94 @@ +#!/bin/bash + +# /etc/uwt.d/50_uwt_default relies on this in order to allow connection +# to proxy for template +PROXY_SERVER="http://10.137.255.254:8082/" +PROXY_META='' + +if [ -f "/var/run/qubes-service/updates-proxy-setup" ]; then + WHONIX="template" +elif [ -f "/usr/share/anon-gw-base-files/gateway" ]; then + WHONIX="gateway" +elif [ -f "/usr/share/anon-ws-base-files/workstation" ]; then + WHONIX="workstation" +else + WHONIX="unknown" +fi + +if [ "${WHONIX}" == "template" ]; then + curl.anondist-orig "${PROXY_SERVER}" | grep -q "${PROXY_META}" && { + PROXY_SECURE=1 + } || { + PROXY_SECURE=0 + } +fi + +immutableFilesEnable() { + files="${1}" + suffix="${2}" + + for file in "${files[@]}"; do + if [ -f "${file}" ] && ! [ -L "${file}" ]; then + sudo chattr +i "${file}${suffix}" + fi + done +} + +immutableFilesDisable() { + files="${1}" + suffix="${2}" + + for file in "${files[@]}"; do + if [ -f "${file}" ] && ! [ -L "${file}" ]; then + sudo chattr -i "${file}${suffix}" + fi + done +} + +copyAnondist() { + file="${1}" + suffix="${2-.anondist}" + + # Remove any softlinks first + if [ -L "${file}" ]; then + sudo rm -f "${file}" + fi + + if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then + sudo chattr -i "${file}" + sudo rm -f "${file}" + sudo cp -p "${file}${suffix}" "${file}" + sudo chattr +i "${file}" + elif ! 
[ -f "${file}" ]; then + sudo cp -p "${file}${suffix}" "${file}" + sudo chattr +i "${file}" + fi +} + +# Will only enable / disable if service is not already in that state +enable_sysv() { + servicename=${1} + disable=${2-0} + + # Check to see if the service is already enabled and if not, enable it + string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}" + + if [ $(find $string 2>/dev/null | wc -l) -eq ${disable} ] ; then + case ${disable} in + 0) + echo "${1} is currently disabled; enabling it" + sudo systemctl --quiet enable ${servicename} + ;; + 1) + echo "${1} is currently enabled; disabling it" + sudo service ${servicename} stop + sudo systemctl --quiet disable ${servicename} + ;; + esac + fi +} + +disable_sysv() { + enable_sysv ${1} 1 +} + diff --git a/scripts_debian/wheezy+whonix-workstation/files/.facl b/scripts_debian/wheezy+whonix-workstation/files/.facl index 9e5e47b..bfdec11 100644 --- a/scripts_debian/wheezy+whonix-workstation/files/.facl +++ b/scripts_debian/wheezy+whonix-workstation/files/.facl @@ -19,6 +19,20 @@ user::rw- group::r-- other::r-- +# file: etc/uwt.d +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/uwt.d/50_uwt_default +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: etc/udev # owner: root # group: root @@ -49,10 +63,10 @@ other::r-- # file: etc/sudoers.d # owner: root -# group: user +# group: root user::rwx group::r-x -other::r-x +other::--- # file: etc/sudoers.d/qubes # owner: root @@ -89,6 +103,13 @@ user::rwx group::r-x other::r-x +# file: usr/lib/whonix/utility_functions +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + # file: usr/lib/whonix/setup-ip # owner: root # group: root 
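Review bot: The probe that sets PROXY_SECURE is vacuous as written: PROXY_META is the empty string, and `grep -q ""` matches any non-empty response, so PROXY_SECURE becomes 1 whenever anything at 10.137.255.254:8082 answers at all, not only the Whonix gateway's tinyproxy. Even with a real marker this is a plain-HTTP fingerprint that any HTTP responder could echo back, so it should be documented as a liveness check rather than as proof that updates go through Tor; the comment above PROXY_SERVER currently implies the latter. At minimum give PROXY_META a non-empty, unusual value, silence curl's progress output and bound the wait so a sourcing shell cannot hang: `curl.anondist-orig --silent --max-time 10 "${PROXY_SERVER}" 2>/dev/null | grep -qF -- "${PROXY_META}"`. Note that this network probe runs every time the file is sourced, including from /etc/uwt.d/50_uwt_default in this same commit.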
@@ -96,6 +117,20 @@ user::rwx group::r-x other::r-x +# file: usr/lib/whonix/tests.sh +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: usr/lib/whonix/messages.yaml +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: usr/lib/whonix/replace-ips # owner: root # group: root @@ -103,6 +138,20 @@ user::rwx group::r-x other::r-x +# file: usr/lib/whonix/alert +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: usr/lib/whonix/qubes-whonixsetup +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + # file: usr/lib/whonix/enable-iptables-logging.sh # owner: root # group: root diff --git a/scripts_debian/wheezy+whonix-workstation/files/etc/hosts b/scripts_debian/wheezy+whonix-workstation/files/etc/hosts index 87b1540..cc0e30d 100644 --- a/scripts_debian/wheezy+whonix-workstation/files/etc/hosts +++ b/scripts_debian/wheezy+whonix-workstation/files/etc/hosts @@ -1,14 +1,5 @@ ## Anonymity Distribution /etc/hosts -## Defaults -127.0.0.1 host -::1 host ip6-host ip6-loopback -fe00::0 ip6-localnet -ff00::0 ip6-mcastprefix -ff02::1 ip6-allnodes -ff02::2 ip6-allrouters -## End of defaults - ## Anonymity Distribution specific 127.0.0.1 host.localdomain host ## End of Anonymity Distribution specific diff --git a/scripts_debian/wheezy+whonix-workstation/files/etc/uwt.d/50_uwt_default b/scripts_debian/wheezy+whonix-workstation/files/etc/uwt.d/50_uwt_default new file mode 100644 index 0000000..bac9ef3 --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/etc/uwt.d/50_uwt_default @@ -0,0 +1,6 @@ + +. /usr/lib/whonix/utility_functions + +if [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "1" ]; then + uwtwrapper["/usr/bin/apt-get"]="0" +fi diff --git a/scripts_debian/wheezy+whonix-workstation/files/home/user/whonix_build.sh b/scripts_debian/wheezy+whonix-workstation/files/home/user/whonix_build.sh deleted file mode 100755 index 0fdf086..0000000 
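Review bot: After this hunk the file has no `localhost` entry at all (only `host` and `host.localdomain`), and dropping the `::1` line also leaves the IPv6 loopback unnamed; with the usual `files dns` nsswitch order, anything that resolves `localhost` then falls through to DNS, which on a workstation presumably means a query to the gateway's DNS port for a name that should never leave the VM. If the IPv6 defaults were removed on purpose because the VM has no IPv6, keep at least `127.0.0.1 localhost` and, unless IPv6 is disabled in the kernel, `::1 localhost ip6-localhost ip6-loopback`. The gateway copy of /etc/hosts receives the same change and needs the same fix.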
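Review bot: `uwtwrapper["/usr/bin/apt-get"]="0"` takes apt-get out of the uwt stream-isolation wrapper, and the only thing standing between that and a direct apt-get is the PROXY_SECURE value computed in /usr/lib/whonix/utility_functions, which as written is a plain-HTTP reachability check rather than an authentication of the proxy; that trust assumption deserves a comment right above the assignment. Sourcing utility_functions from a uwt.d drop-in also means every uwt-wrapped command in a template runs that curl probe before it starts. Prefer `if [ "${WHONIX}" = "template" ] && [ "${PROXY_SECURE}" = "1" ]; then` over the deprecated `-a` and the non-POSIX `==` inside `[ ]`, in case uwt sources drop-ins with a plain sh.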
--- a/scripts_debian/wheezy+whonix-workstation/files/home/user/whonix_build.sh +++ /dev/null @@ -1,41 +0,0 @@ -################################################################################ -# Pre Fixups -sudo mkdir -p /boot/grub2 -sudo touch /boot/grub2/grub.cfg -sudo mkdir -p /boot/grub -sudo touch /boot/grub/grub.cfg -sudo mkdir --parents --mode=g+rw "/tmp/uwt" - -# Whonix seems to re-install sysvinit even though there is a hold -# on the package. Things seem to work anyway. BUT hopfully the -# hold on grub* don't get removed -sudo apt-mark hold sysvinit -sudo apt-mark hold grub-pc grub-pc-bin grub-common grub2-common - -# Whonix expects haveged to be started -sudo /etc/init.d/haveged start - -# ------------------------------------------------------------------------------ -# Link our build steps into Whonix build directory -# ------------------------------------------------------------------------------ -#pushd /home/user/Whonix/build-steps.d -#cp -pf /home/user/build-steps.d/* . -#popd - -# ------------------------------------------------------------------------------ -# Whonix installation -# ------------------------------------------------------------------------------ -export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1" - -pushd ~/Whonix -sudo ~/Whonix/whonix_build \ - --build $1 \ - --64bit-linux \ - --current-sources \ - --enable-whonix-apt-repository \ - --whonix-apt-repository-distribution $2 \ - --install-to-root \ - --skip-verifiable \ - --minimal-report \ - --skip-sanity-tests || { exit 1; } -popd diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/alert b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/alert new file mode 100755 index 0000000..e585475 --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/alert 
@@ -0,0 +1,90 @@ +#!/usr/bin/python + +# +# Copyright 2014 Jason Mehring (nrgaway@gmail.com) +# + +from PyQt4 import QtGui +import locale +import yaml + +DEFAULT_LANG = 'en' + +class Messages(): + filename = None + data = None + language = DEFAULT_LANG + title = None + icon = None + message = None + + def __init__(self, section, filename): + self.filename = filename + + language = locale.getdefaultlocale()[0].split('_')[0] + if language: + self.language = language + + try: + stream = file(filename, 'r') + data = yaml.load(stream) + + if section in data.keys(): + section = data[section] + + self.icon = section.get('icon', None) + + language = section.get(self.language, DEFAULT_LANG) + + self.title = language.get('title', None) + self.message = language.get('message', None) + + except (IOError): + pass + except (yaml.scanner.ScannerError, yaml.parser.ParserError): + pass + +class WhonixMessageBox(QtGui.QMessageBox): + def __init__(self, message): + super(WhonixMessageBox, self).__init__() + self.message = message + self.initUI() + + def initUI(self): + message = self.message + + if message.title: + self.setWindowTitle(message.title) + + if message.icon: + self.setIcon(getattr(QtGui.QMessageBox, message.icon)) + + if message.message: + self.setText(message.message) + self.exec_() + +import argparse +import sys + + + +def main(): + parser = argparse.ArgumentParser(description='Display a QT Message Box') + + parser.add_argument('section', help="Message section") + parser.add_argument('filename', help="File including full path") + + args = parser.parse_args() + + if not args.filename and args.section: + print parser.usage() + sys.exit(1) + + app = QtGui.QApplication(sys.argv) + + message = Messages(args.section, args.filename) + dialog = WhonixMessageBox(message) + sys.exit() + +if __name__ == "__main__": + main() \ No newline at end of file 
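Review bot: `yaml.load(stream)` in Messages.__init__ uses PyYAML's default constructor, which will instantiate arbitrary Python objects from `!!python/object` tags in the message file; since the filename comes straight from argv, use `data = yaml.safe_load(stream)`. The language fallback is also broken: `section.get(self.language, DEFAULT_LANG)` returns the string `'en'` when the locale has no entry, and the following `.get('title', None)` then raises AttributeError, which neither except clause catches; use `language = section.get(self.language) or section.get(DEFAULT_LANG, {})`. The guard `if not args.filename and args.section` can never fire because both arguments are required positionals, and the handle from `file(filename, 'r')` is never closed; a `with open(filename) as stream:` block fixes the latter. `locale.getdefaultlocale()[0]` can be None, in which case `.split('_')` raises before any of the try/except runs.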
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/enable-iptables-logging.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/enable-iptables-logging.sh index d3a2b95..a8e1653 100755 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/enable-iptables-logging.sh +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/enable-iptables-logging.sh @@ -20,3 +20,11 @@ if [ "$LOG_IP6" == "1" ]; then ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE modprobe ip6t_LOG fi + +# Redirect local port to remote via socat +#apt-get install socat +#socat TCP4-LISTEN:8082,fork,mode=0666,user=root,group=root TCP4:10.137.255.254:8082 +# +# Works +# localhost/loopback maps localhost port 8082 to localhost port 8888 +#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888 diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml new file mode 100644 index 0000000..d3be464 --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml @@ -0,0 +1,12 @@ + +update: + icon: Critical + en: + title: Tor netvm required for updates + message: | +Tor netvm required for updates!
+Please ensure your template vm has a Whonix gateway as it's VM.
+No updates are possible without an active (running) Whonix gateway VM.
+ +Template will now power off
+ diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup new file mode 100755 index 0000000..49dff91 --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup @@ -0,0 +1,46 @@ +#!/bin/bash + +. /usr/lib/whonix/utility_functions + +if [ "${WHONIX}" == "gateway" ]; then + grep "^DisableNetwork 0$" /etc/tor/torrc || { + sudo service sdwdate restart + sudo service tor stop + sudo /usr/bin/whonixsetup && { + enable_sysv tor + sleep 1 + enable_sysv sdwdate + } || { + sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc" + disable_sysv tor + disable_sysv sdwdate + sudo /sbin/poweroff + } + } + + # Allow whonix-gateway to act as an update-proxy + sudo systemctl status qubes-updates-proxy.service || { + error_file="/usr/share/tinyproxy/default.html" + + # Search and replace tinyproxy error files so we can inject code that + # we can use to identify that its a tor proxy so updates are secure + grep -q "${PROXY_META}" "${error_file}" || { + sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}" + } + + sudo touch /var/run/qubes-service/qubes-updates-proxy + sudo iptables -t nat -N PR-QBS-SERVICES + sudo systemctl start qubes-updates-proxy.service + } + +elif [ "${WHONIX}" == "workstation" ]; then + if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then + enable_sysv sdwdate + sudo service sdwdate restart + sudo /usr/bin/whonixsetup + fi + +elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then + /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml + sudo /sbin/poweroff +fi diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips index bc44984..900a584 100755 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips 
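Review bot: The literal block under `message: |` appears at column 0 in this hunk (`Tor netvm required for updates!` and the lines after it); if that is how the file is really laid out rather than an artefact of the diff rendering, the block scalar is empty or the document fails to parse, and alert swallows the ParserError, so the dialog shows no text. Indent the message lines under the key and fix the user-facing typo `it's VM` → `its netvm` (the sentence refers to the template's NetVM). A one-line header such as `# consumed by /usr/lib/whonix/alert; top-level keys are the section names passed as its first argument` would tell the next reader who parses this file.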
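Review bot: In the gateway branch the failure path runs `sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"` without sudo while every neighbouring command uses it, so for an unprivileged caller the torrc edit silently fails and the VM powers off with Tor still enabled on the next boot; prefix it with `sudo` like the rest. The update-proxy block injects `${PROXY_META}` into tinyproxy's default.html, but PROXY_META is empty in utility_functions, so `grep -q ""` succeeds and the sed never runs, and even with a marker this is only a fingerprint a template can look for, not proof the proxy is the gateway, so the comment `so updates are secure` overstates it. `sudo iptables -t nat -N PR-QBS-SERVICES` also prints an error on every run once the chain exists; guard it with `sudo iptables -t nat -L PR-QBS-SERVICES -n >/dev/null 2>&1 || sudo iptables -t nat -N PR-QBS-SERVICES`.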
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips @@ -1,7 +1,9 @@ #!/bin/bash +. /usr/lib/whonix/utility_functions + # Search though files and updates IP address to the current -# 'qubes-netvm-gateway' IP address +# IP address(es) FILES=( '/usr/lib/leaktest-workstation/simple_ping.py' @@ -40,7 +42,7 @@ search_replace() { sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}" retval=$? - if [ "${ls_attrs}" == "i" ]; then + if [ "${ls_attrs}" = "i" ]; then chattr +i "${file}" fi @@ -58,7 +60,7 @@ function replace_ips() search_network="${search_ip%[.]*}.0" replace_network="${replace_ip%[.]*}.0" - if ! [ "${search_ip}" == "${replace_ip}" ]; then + if ! [ "${search_ip}" = "${replace_ip}" ]; then for file in "${files[@]}"; do if [ -f "$file" ]; then search_replace "${search_ip}" "${replace_ip}" "${file}" && retval=0 
@@ -70,18 +72,47 @@ function replace_ips() return $retval } -ip="$(xenstore-read qubes-ip)" -gateway="$(xenstore-read qubes-gateway)" +update_ip() { + ip=${1} -# Compare to current IP address assiged by Qubes -replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip + echo "${ip}" > /etc/whonix-netvm-gateway + grep '^DisableNetwork 0$' /etc/tor/torrc && { + service tor status && { + service tor reload || true; + } + } +} -# Do again; checking for original 10.152.152.11 incase of update -replace_ips "10.152.152.11" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip +if [ "${WHONIX}" == "gateway" ]; then + ip="$(xenstore-read qubes-netvm-gateway)" + if [ x${ip} != x ]; then + # Compare to current IP address assiged by Qubes + replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] && update_ip "${ip}" -# Compare to current gateway IP address assiged by Qubes -replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway + # Do again; checking for original 10.152.152.10 incase of update + replace_ips "10.152.152.10" "${ip}" FILES[@] && update_ip "${ip}" -# Do again; checking for original 10.152.152.10 incase of update -replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway + # Do again; checking for original 10.152.152.11 incase of update + replace_ips "10.152.152.11" "${ip}" FILES[@] && update_ip "${ip}" + fi +elif [ "${WHONIX}" == "workstation" ]; then + ip="$(xenstore-read qubes-ip)" + gateway="$(xenstore-read qubes-gateway)" + + if [ x${ip} != x ]; then + # Compare to current IP address assiged by Qubes + replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip + + # Do again; checking for original 10.152.152.11 incase of update + replace_ips "10.152.152.11" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip + fi + + if [ x${gateway} != x ]; then + # Compare to current gateway IP address assiged by 
Qubes + replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway + + # Do again; checking for original 10.152.152.10 incase of update + replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway + fi +fi diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip index 2dca037..989ccd8 100755 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip 
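Review bot: In the new gateway branch `replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@]` runs with an empty search address on first boot, when /etc/whonix-netvm-gateway does not exist yet (update_ip is what creates it), and replace_ips then derives `search_network` from an empty string; guard it with `[ -f /etc/whonix-netvm-gateway ] && replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] && update_ip "${ip}"`. The gateway now also rewrites the Whonix default workstation address 10.152.152.11 to the gateway's own IP, whereas before this change .11 mapped to qubes-ip and only .10 to the gateway; if that is intended because the gateway has no workstation address of its own, say so in the comment. update_ip writes `${ip}` to /etc/whonix-netvm-gateway without sudo, unlike the helpers in utility_functions, so it only works when the whole script already runs as root, and `[ x${ip} != x ]` is better written `[ -n "${ip}" ]`.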
@@ -1,70 +1,78 @@ #!/bin/bash -# Files that will have the immutable bit set -# since we don't want them modified by other programs -IMMUTABLE_FILES=( - '/etc/hostname' - '/etc/hosts' -) +. /usr/lib/whonix/utility_functions -immutableFilesEnable() { - files="${1}" - suffix="${2}" - - for file in "${files[@]}"; do - if [ -f "${file}" ] && ! [ -L "${file}" ]; then - chattr +i "${file}${suffix}" - fi - done -} - -immutableFilesDisable() { - files="${1}" - suffix="${2}" - - for file in "${files[@]}"; do - if [ -f "${file}" ] && ! [ -L "${file}" ]; then - chattr -i "${file}${suffix}" - fi - done -} - -copyAnondist() { - file="${1}" - suffix="${2-.anondist}" - - # Remove any softlinks first - if [ -L "${file}" ]; then - rm -f "${file}" +if [ "${WHONIX}" == "gateway" ]; then + if [ -x /usr/sbin/xenstore-read ]; then + XENSTORE_READ="/usr/sbin/xenstore-read" + else + XENSTORE_READ="/usr/bin/xenstore-read" fi - if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then - chattr -i "${file}" - rm -f "${file}" - cp -p "${file}${suffix}" "${file}" - chattr +i "${file}" - elif ! 
[ -f "${file}" ]; then - cp -p "${file}${suffix}" "${file}" - chattr +i "${file}" + INTERFACE="eth1" + ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null) + + # Create a dummy eth1 interface so tor can bind to it if there + # are no DOMU virtual machines connected at the moment + ip link show ${INTERFACE} >> /dev/null || { + /sbin/ip link add ${INTERFACE} type dummy + + # Now, assign it the netvm-gateway IP address + if [ x${ip} != x ]; then + netmask=$(${XENSTORE_READ} qubes-netvm-netmask) + gateway=$(${XENSTORE_READ} qubes-netvm-gateway) + /sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255 + /sbin/ifconfig ${INTERFACE} up + /sbin/ethtool -K ${INTERFACE} sg off || true + /sbin/ethtool -K ${INTERFACE} tx off || true + fi + + ip link set ${INTERFACE} up + } +fi + +if [ "${WHONIX}" != "template" ]; then + # Files that will have the immutable bit set + # since we don't want them modified by other programs + IMMUTABLE_FILES=( + '/etc/resolv.conf' + '/etc/hostname' + '/etc/hosts' + ) + + # Make sure all .anondist files in list are immutable + immutableFilesEnable "${IMMUTABLE_FILES}" + immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist" + + # Make sure we are using a copy of the annondist file and if not + # copy the annondist file and set it immutable + copyAnondist "/etc/resolv.conf" + copyAnondist "/etc/hosts" + copyAnondist "/etc/hostname" + + # Replace IP addresses in known configuration files / scripts to + # currently discovered one + /usr/lib/whonix/replace-ips + + # Make sure hostname is correct + /bin/hostname host + + # Start Whonix Firewall + if [ "${WHONIX}" == "gateway" ]; then + export INT_IF="vif+" + export INT_TIF="vif+" fi -} + /usr/bin/whonix_firewall -# Make sure all .anondist files in list are immutable -immutableFilesEnable "${IMMUTABLE_FILES}" -immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist" - -# Make sure we are using a copy of the annondist file and if not -# copy the annondist file and set it immutable -copyAnondist 
"/etc/hosts" -copyAnondist "/etc/hostname" - -# Replace IP addresses in known configuration files / scripts to -# currently discovered one -/usr/lib/whonix/replace-ips - -# Make sure hostname is correct -/bin/hostname host - -# Start Whonix Firewall -/usr/bin/whonix_firewall + if [ "${WHONIX}" == "gateway" ]; then + # Route any traffic FROM netvm TO netvm BACK-TO localhost + # Allows localhost access to tor network + iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 + fi + # Make sure we remove whonixsetup.done if Tor is not enabled + # to allow choice of repo and prevent whonixcheck errors + grep "^DisableNetwork 0$" /etc/tor/torrc || { + rm -f /var/lib/whonix/do_once/whonixsetup.done + } +fi diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/tests.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/tests.sh new file mode 100755 index 0000000..6570b49 --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/tests.sh 
@@ -0,0 +1,95 @@ +#!/bin/bash + +. /usr/lib/whonix/utility_functions + +#sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc" +#disable_sysv tor +#disable_sysv sdwdate + +iptables -F +iptables -t nat -F + +LOG_IP4=1 +LOG_IP6=0 + +# for IPv4 +if [ "$LOG_IP4" == "1" ]; then + iptables -t raw -A OUTPUT -p icmp -j TRACE + iptables -t raw -A PREROUTING -p icmp -j TRACE + modprobe ipt_LOG +fi + +# for IPv6 +if [ "$LOG_IP6" == "1" ]; then + ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE + ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE + ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE + ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE + modprobe ip6t_LOG +fi + +sysctl -w net.ipv4.ip_forward=1 + +iptables -A FORWARD -i eth0 -j ACCEPT +iptables -A FORWARD -o eth0 -j ACCEPT +iptables -A FORWARD -i lo -j ACCEPT +iptables -A FORWARD -o lo -j ACCEPT + +#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE + +#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp -s 10.137.255.254 --sport 8082 -j DNAT --to-destination 127.0.0.1:9105 +#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.1 --dport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp --dport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp --sport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082 + + +#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082 + +#iptables -t nat -A INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT" +#iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 
10.137.255.254 -p tcp --dport 8082 -j REDIRECT" + +#iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 9105 -j ACCEPT +#iptables -t nat -A OUTPUT -o lo -p tcp --dport 9105 -j ACCEPT +#iptables -t nat -A PREROUTING -i lo -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT +#iptables -t nat -A PREROUTING -i eth0 -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT +#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j REDIRECT --to-destination 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -p tcp --dport 8082 -i eth0 -j DNAT --to 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT --to 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -p tcp -i lo -j DNAT --to 10.137.255.254:8082 + +#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082 + +#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254 +#iptables -t nat -A PREROUTING -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254 +#iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254 +#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254 + +# Works +# localhost/loopback maps localhost port 8082 to localhost port 8888 +#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888 + +# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A PREROUTING --dst 127.0.0.1 -p tcp --dport 8082 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p udp -d 10.137.2.1 --dport 52 -j DNAT --to-destination 10.137.255.254:8082 + +# Remap ALL traffic +#iptables -t 
nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p udp -j DNAT --to-destination 10.137.255.254:8082 + + +#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j REDIRECT --to-port 9105 +#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105 +#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105 + +#iptables -v -L +#iptables -v -t nat -L +#telnet 127.0.0.1 9105 +#telnet 10.137.2.1 8082 +#telnet 127.0.0.1 8082 +#tail -100 /var/log/kern.log diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/utility_functions b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/utility_functions new file mode 100755 index 0000000..8a3b4e7 --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/utility_functions 
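Review bot: Shipping tests.sh as an executable in /usr/lib/whonix (the workstation .facl in this commit lists it rwxr-xr-x) is dangerous: run as root it does `iptables -F`, `iptables -t nat -F`, `sysctl -w net.ipv4.ip_forward=1` and appends ACCEPT-all FORWARD rules for eth0 and lo, which flushes the Whonix firewall and leaves the VM forwarding freely until the next reboot. If this is only for the author's experiments, keep it out of the image (a build-only directory, or untracked) rather than next to setup-ip; if it must stay, refuse to run without an explicit opt-in, e.g. `[ "${1}" = "--flush-firewall" ] || { echo "refusing: this flushes the Whonix firewall" >&2; exit 1; }`. The dozens of commented-out iptables experiments that follow add nothing for a reader and should go as well.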
@@ -0,0 +1,94 @@ +#!/bin/bash + +# /etc/uwt.d/50_uwt_default relies on this in order to allow connection +# to proxy for template +PROXY_SERVER="http://10.137.255.254:8082/" +PROXY_META='' + +if [ -f "/var/run/qubes-service/updates-proxy-setup" ]; then + WHONIX="template" +elif [ -f "/usr/share/anon-gw-base-files/gateway" ]; then + WHONIX="gateway" +elif [ -f "/usr/share/anon-ws-base-files/workstation" ]; then + WHONIX="workstation" +else + WHONIX="unknown" +fi + +if [ "${WHONIX}" == "template" ]; then + curl.anondist-orig "${PROXY_SERVER}" | grep -q "${PROXY_META}" && { + PROXY_SECURE=1 + } || { + PROXY_SECURE=0 + } +fi + +immutableFilesEnable() { + files="${1}" + suffix="${2}" + + for file in "${files[@]}"; do + if [ -f "${file}" ] && ! [ -L "${file}" ]; then + sudo chattr +i "${file}${suffix}" + fi + done +} + +immutableFilesDisable() { + files="${1}" + suffix="${2}" + + for file in "${files[@]}"; do + if [ -f "${file}" ] && ! [ -L "${file}" ]; then + sudo chattr -i "${file}${suffix}" + fi + done +} + +copyAnondist() { + file="${1}" + suffix="${2-.anondist}" + + # Remove any softlinks first + if [ -L "${file}" ]; then + sudo rm -f "${file}" + fi + + if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then + sudo chattr -i "${file}" + sudo rm -f "${file}" + sudo cp -p "${file}${suffix}" "${file}" + sudo chattr +i "${file}" + elif ! 
[ -f "${file}" ]; then + sudo cp -p "${file}${suffix}" "${file}" + sudo chattr +i "${file}" + fi +} + +# Will only enable / disable if service is not already in that state +enable_sysv() { + servicename=${1} + disable=${2-0} + + # Check to see if the service is already enabled and if not, enable it + string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}" + + if [ $(find $string 2>/dev/null | wc -l) -eq ${disable} ] ; then + case ${disable} in + 0) + echo "${1} is currently disabled; enabling it" + sudo systemctl --quiet enable ${servicename} + ;; + 1) + echo "${1} is currently enabled; disabling it" + sudo service ${servicename} stop + sudo systemctl --quiet disable ${servicename} + ;; + esac + fi +} + +disable_sysv() { + enable_sysv ${1} 1 +} + diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh index 7cda7ca..2416fb6 100755 --- a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh @@ -55,6 +55,12 @@ sudo apt-mark hold grub-pc grub-pc-bin grub-common grub2-common # Whonix expects haveged to be started sudo /etc/init.d/haveged start +# Whonix does not always fix permissions after writing as sudo, especially +# when running whonixsetup so /var/lib/whonix/done_once is not readable by +# user, so set defualt umask for sudo +#sudo su -c 'echo "Defaults umask = 0002" >> /etc/sudoers' +#sudo su -c 'echo "Defaults umask_override" >> /etc/sudoers' + ################################################################################ # Whonix installation export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1" 
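Review bot: `immutableFilesEnable` and `immutableFilesDisable` assign `files="${1}"` and then iterate `"${files[@]}"`, but `files` is a plain string at that point, so the loop runs exactly once over whatever the caller's first array element was; the caller in setup-ip passes `"${IMMUTABLE_FILES}"`, which itself expands only to the first element. Accept the array by name the way replace-ips already does with `FILES[@]`: `files=("${!1}")` at the top of each helper and `immutableFilesEnable IMMUTABLE_FILES[@] ".anondist"` at the call site (indirect expansion works on the wheezy-era bash 4.2, unlike `local -n`). The `-f`/`-L` guard also tests `${file}` while chattr is applied to `${file}${suffix}`, so a missing .anondist copy makes chattr fail noisily; test `"${file}${suffix}"` instead. This file is a byte-identical copy of the gateway one (same blob 8a3b4e7), so any fix must land in both, or the file should be shared between the two flavours.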
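Review bot: The commented-out `Defaults umask = 0002` / `Defaults umask_override` should not be left as a standing suggestion in the build script: enabling it would make every file sudo creates group-writable system-wide, which is far broader than the stated problem of /var/lib/whonix/do_once being unreadable by `user`. That directory is created at first boot by whonixsetup, so the narrow fix belongs where it is created, e.g. `sudo chmod -R o+rX /var/lib/whonix/do_once` right after `sudo /usr/bin/whonixsetup` in qubes-whonixsetup, or the readers of it should run with sudo. Either drop these lines or turn the comment into a TODO that names that intended fix.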
@@ -74,17 +80,8 @@ popd EOF # ------------------------------------------------------------------------------ -# chroot Whonix fix script (Make sure set -e is not set) -# Run ../whonix_fix when whonix gives grub-pc error +# Pin grub so it won't install # ------------------------------------------------------------------------------ -# TODO: Do something in whonix build to automatically run fixups and -# ignore certain errors -read -r -d '' WHONIX_FIX_SCRIPT <<'EOF' -DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ - sudo apt-get -y --force-yes remove grub-pc grub-common grub-pc-bin grub2-common -sudo apt-mark hold grub-common grub-pc-bin grub2-common -EOF - read -r -d '' WHONIX_APT_PIN <<'EOF' Package: grub-pc Pin: version * @@ -230,13 +227,9 @@ if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then echo "${WHONIX_APT_PIN}" > "${INSTALLDIR}/etc/apt/preferences.d/whonix_qubes" chmod 0644 "${INSTALLDIR}/etc/apt/preferences.d/whonix_qubes" - # Install Whonix fix script - echo "${WHONIX_FIX_SCRIPT}" > "${INSTALLDIR}/home/user/whonix_fix" - chmod 0755 "${INSTALLDIR}/home/user/whonix_fix" - # Install Whonix build scripts - echo "${WHONIX_BUILD_SCRIPT}" > "${INSTALLDIR}/home/user/whonix_build" - chmod 0755 "${INSTALLDIR}/home/user/whonix_build" + echo "${WHONIX_BUILD_SCRIPT}" > "${INSTALLDIR}/home/user/whonix_build.sh" + chmod 0755 "${INSTALLDIR}/home/user/whonix_build.sh" # ------------------------------------------------------------------------------ # Copy over any extra files @@ -287,6 +280,7 @@ fi if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_post" ]; then info "Post Configuring Whonix System" + # Don't need Whonix interfaces; restore original pushd "${INSTALLDIR}/etc/network" { rm -f interfaces; 
@@ -294,6 +288,8 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh } popd + # Qubes installation will need a normal resolv.conf; will be restored back + # in 04_qubes_install_post.sh within the wheezy+whonix-* directories pushd "${INSTALLDIR}/etc" { rm -f resolv.conf; @@ -301,6 +297,17 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh } popd + # Remove link to hosts file and copy original back + # Will get set back to Whonix hosts file when the + # /usr/lib/whonix/setup-ip is run on startup + pushd "${INSTALLDIR}/etc" + { + rm -f hosts; + cp -p hosts.anondist-orig hosts; + } + popd + + # Enable Tor #if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then # sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' "${INSTALLDIR}/etc/tor/torrc" @@ -315,7 +322,7 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh sed -i "s/alias l='ls -CF'/alias l='ls -l'/g" "${INSTALLDIR}/home/user/.bashrc" # Fake that whonixsetup was already run - mkdir -p "${INSTALLDIR}/var/lib/whonix/do_once" + #mkdir -p "${INSTALLDIR}/var/lib/whonix/do_once" #touch "${INSTALLDIR}/var/lib/whonix/do_once/whonixsetup.done" # Fake that initializer was already run @@ -338,6 +345,10 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh chroot "${INSTALLDIR}" service apt-cacher-ng stop || : chroot "${INSTALLDIR}" update-rc.d apt-cacher-ng disable || : + # Tor will be re-enabled upon initial configuration + chroot "${INSTALLDIR}" update-rc.d tor disable || : + chroot "${INSTALLDIR}" update-rc.d sdwdate disable || : + # Remove apt-cacher-ng DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ chroot ${INSTALLDIR} apt-get.anondist-orig -y --force-yes remove --purge apt-cacher-ng diff --git a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh index 73aa49a..f394ff8 100755 
--- a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh +++ b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh @@ -45,4 +45,4 @@ popd rm -rf "${INSTALLDIR}"/home/user/Whonix rm -rf "${INSTALLDIR}"/home/user/whonix_binary rm -f "${INSTALLDIR}"/home/user/whonix_fix -rm -f "${INSTALLDIR}"/home/user/whonix_build +rm -f "${INSTALLDIR}"/home/user/whonix_build.sh