Whonix setup GUI now run on first start to allow configuration
Added an alternative for dialog (gdialog) so some Whonix programs run. Changed sudo permissions to fix umask and to not use Qt shared memory. Changed Whonix to use a basic hosts file. Added detection of whether a template is active for updating. Added startup code for tinyproxy. Added code to disable uwt so apt-get can use the updates proxy. Created a Python GUI message alert that uses YAML for messages (internationalization).
This commit is contained in:
parent
82a68e9c87
commit
0e53e2954f
@ -19,6 +19,20 @@ user::rw-
|
||||
group::r--
|
||||
other::r--
|
||||
|
||||
# file: etc/uwt.d
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: etc/uwt.d/50_uwt_default
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rw-
|
||||
group::r--
|
||||
other::r--
|
||||
|
||||
# file: etc/xdg
|
||||
# owner: root
|
||||
# group: root
|
||||
@ -94,7 +108,7 @@ other::r--
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
other::---
|
||||
|
||||
# file: etc/sudoers.d/qubes
|
||||
# owner: root
|
||||
@ -103,62 +117,6 @@ user::r--
|
||||
group::r--
|
||||
other::---
|
||||
|
||||
# file: home
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: home/user
|
||||
# owner: user
|
||||
# group: user
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: home/user/whonix_fix.sh
|
||||
# owner: user
|
||||
# group: user
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: home/user/build-steps.d
|
||||
# owner: user
|
||||
# group: user
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: home/user/build-steps.d/1000_qubes-patches.sh
|
||||
# owner: user
|
||||
# group: user
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: home/user/build-steps.d/2900_qubes-post-installation.sh
|
||||
# owner: user
|
||||
# group: user
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: home/user/whonix_build.sh
|
||||
# owner: user
|
||||
# group: user
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: home/user/.whonix_build.sh.swp
|
||||
# owner: user
|
||||
# group: user
|
||||
user::rw-
|
||||
group::r--
|
||||
other::r--
|
||||
|
||||
# file: .facl
|
||||
# owner: user
|
||||
# group: user
|
||||
@ -187,6 +145,13 @@ user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/utility_functions
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/setup-ip
|
||||
# owner: root
|
||||
# group: root
|
||||
@ -194,6 +159,20 @@ user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/tests.sh
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/messages.yaml
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rw-
|
||||
group::r--
|
||||
other::r--
|
||||
|
||||
# file: usr/lib/whonix/replace-ips
|
||||
# owner: root
|
||||
# group: root
|
||||
@ -201,6 +180,13 @@ user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/alert
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/qubes-whonixsetup
|
||||
# owner: root
|
||||
# group: root
|
||||
|
@ -1,14 +1,5 @@
|
||||
## Anonymity Distribution /etc/hosts
|
||||
|
||||
## Defaults
|
||||
127.0.0.1 host
|
||||
::1 host ip6-host ip6-loopback
|
||||
fe00::0 ip6-localnet
|
||||
ff00::0 ip6-mcastprefix
|
||||
ff02::1 ip6-allnodes
|
||||
ff02::2 ip6-allrouters
|
||||
## End of defaults
|
||||
|
||||
## Anonymity Distribution specific
|
||||
127.0.0.1 host.localdomain host
|
||||
## End of Anonymity Distribution specific
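Review bot: If the five surviving lines are the "Anonymity Distribution specific" ones, the `::1 host ip6-host ip6-loopback` mapping and the other IPv6 defaults are dropped together with the IPv4 defaults, so `host` no longer resolves on the IPv6 loopback; which lines survive is not recoverable from this rendering, so please confirm. If dropping them is intended, record the reason in the file itself, e.g. `## IPv6 loopback entries intentionally omitted (see qubes-whonixsetup)`, so the next edit does not restore them by reflex.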
|
||||
|
@ -0,0 +1,6 @@
|
||||
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
if [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "1" ]; then
|
||||
uwtwrapper["/usr/bin/apt-get"]="0"
|
||||
fi
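Review bot: The decision to run `/usr/bin/apt-get` outside the uwt wrapper rests on `PROXY_SECURE`, which `utility_functions` sets by fetching `http://10.137.255.254:8082/` over plain HTTP and grepping the body for the `tor proxy` meta tag; that tag identifies a proxy but does not authenticate it, so any NetVM answering on that address with the same string gets apt-get unwrapped. If the intent is only to avoid double-wrapping when the updates proxy is the Whonix gateway, say so here (`# PROXY_SECURE only checks the proxy's self-advertised banner, not its identity`) so nobody reads this as a security gate. Sourcing `utility_functions` from a uwt.d config file also runs that curl on every uwt-wrapped program start in the template, which is a surprising side effect for a config snippet. Minor: `[ a -a b ]` with `==` is non-POSIX; `[ "${WHONIX}" = "template" ] && [ "${PROXY_SECURE}" = "1" ]` is the portable form, matching the `==` to `=` change this commit makes in replace-ips.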
|
Binary file not shown.
@ -1,92 +0,0 @@
|
||||
#!/bin/bash
|
||||
# vim: set ts=4 sw=4 sts=4 et :
|
||||
|
||||
set -x
|
||||
|
||||
WHONIX_DIR="$(readlink -m .)"
|
||||
|
||||
# --------------------------------------------------------------------------
|
||||
# Initialize Whonix submodules
|
||||
# --------------------------------------------------------------------------
|
||||
pushd "${WHONIX_DIR}"
|
||||
{
|
||||
sudo git submodule update --init --recursive;
|
||||
}
|
||||
popd
|
||||
|
||||
# --------------------------------------------------------------------------
|
||||
# Patch Whonix submodules
|
||||
# --------------------------------------------------------------------------
|
||||
|
||||
# Chekout a branch; create a branch first if it does not exist
|
||||
checkout_branch() {
|
||||
branch=$(git symbolic-ref --short -q HEAD)
|
||||
if ! [ "${branch}" == "${1}" ]; then
|
||||
sudo -u "${user_name}" git checkout "${1}" >/dev/null 2>&1 || \
|
||||
{
|
||||
sudo -u "${user_name}" git branch "${1}"
|
||||
sudo -u "${user_name}" git checkout "${1}"
|
||||
}
|
||||
fi
|
||||
}
|
||||
|
||||
# sed search and replace. return 0 if replace happened, otherwise 1
|
||||
search_replace() {
|
||||
local search="${1}"
|
||||
local replace="${2}"
|
||||
local file="${3}"
|
||||
|
||||
sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}"
|
||||
}
|
||||
|
||||
# Patch anon-meta-packages to not depend on grub-pc
|
||||
pushd "${WHONIX_DIR}"
|
||||
{
|
||||
search_replace "grub-pc" "" "grml_packages" || :
|
||||
}
|
||||
popd
|
||||
|
||||
pushd "${WHONIX_DIR}/packages/anon-meta-packages/debian"
|
||||
{
|
||||
search1=" grub-pc,";
|
||||
replace="";
|
||||
|
||||
#checkout_branch qubes
|
||||
search_replace "${search1}" "${replace}" control && \
|
||||
{
|
||||
cd "${WHONIX_DIR}/packages/anon-meta-packages";
|
||||
:
|
||||
#sudo -E -u "${user_name}" make deb-pkg || :
|
||||
#su "${user_name}" -c "dpkg-source --commit" || :
|
||||
#git add .
|
||||
#su "${user_name}" -c "git commit -am 'removed grub-pc depend'"
|
||||
} || :
|
||||
}
|
||||
popd
|
||||
|
||||
pushd "${WHONIX_DIR}/packages/anon-shared-build-fix-grub/usr/lib/anon-dist/chroot-scripts-post.d"
|
||||
{
|
||||
search1="update-grub";
|
||||
replace=":";
|
||||
|
||||
#checkout_branch qubes
|
||||
search_replace "${search1}" "${replace}" 85_update_grub && \
|
||||
{
|
||||
cd "${WHONIX_DIR}/packages/anon-shared-build-fix-grub";
|
||||
sudo -E -u "${user_name}" make deb-pkg || :
|
||||
su "${user_name}" -c "EDITOR=/bin/true dpkg-source -q --commit . no_grub";
|
||||
#git add . ;
|
||||
#su "${user_name}" -c "git commit -am 'removed grub-pc depend'"
|
||||
} || :
|
||||
}
|
||||
popd
|
||||
|
||||
pushd "${WHONIX_DIR}/build-steps.d"
|
||||
{
|
||||
search1=" check_for_uncommited_changes";
|
||||
replace=" #check_for_uncommited_changes";
|
||||
|
||||
search_replace "${search1}" "${replace}" 1200_create-debian-packages || :
|
||||
}
|
||||
popd
|
||||
|
@ -1,60 +0,0 @@
|
||||
#!/bin/bash
|
||||
# vim: set ts=4 sw=4 sts=4 et :
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# Whonix Post Installation Configurations
|
||||
# ------------------------------------------------------------------------------
|
||||
echo "Post Configuring Whonix System"
|
||||
|
||||
pushd "/etc/network"
|
||||
{
|
||||
rm -f interfaces;
|
||||
ln -s interfaces.backup interfaces;
|
||||
}
|
||||
popd
|
||||
|
||||
pushd "/etc"
|
||||
{
|
||||
rm -f resolv.conf;
|
||||
cp -p resolv.conf.backup resolv.conf;
|
||||
}
|
||||
popd
|
||||
|
||||
# Enable Tor
|
||||
#if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then
|
||||
# sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' "/etc/tor/torrc"
|
||||
#fi
|
||||
|
||||
# Fake that whonixsetup was already run
|
||||
#mkdir -p "/var/lib/whonix/do_once"
|
||||
#touch "/var/lib/whonix/do_once/whonixsetup.done"
|
||||
|
||||
# Fake that initializer was already run
|
||||
mkdir -p "/root/.whonix"
|
||||
touch "/root/.whonix/first_run_initializer.done"
|
||||
|
||||
# Prevent whonixcheck error
|
||||
echo 'WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER="1"' >> "/etc/whonix.d/30_whonixcheck_default"
|
||||
|
||||
# Use gdialog as an alternative for dialog
|
||||
update-alternatives --install /usr/bin/dialog dialog /usr/bin/gdialog 999
|
||||
|
||||
# Disable unwanted applications
|
||||
update-rc.d network-manager disable || :
|
||||
update-rc.d spice-vdagent disable || :
|
||||
update-rc.d swap-file-creator disable || :
|
||||
update-rc.d whonix-initializer disable || :
|
||||
|
||||
service apt-cacher-ng stop || :
|
||||
update-rc.d apt-cacher-ng disable || :
|
||||
|
||||
# Remove apt-cacher-ng
|
||||
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
|
||||
apt-get.anondist-orig -y --force-yes remove --purge apt-cacher-ng
|
||||
|
||||
# Remove original sources.list
|
||||
rm -f "/etc/apt/sources.list"
|
||||
|
||||
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
|
||||
apt-get.anondist-orig update
|
||||
|
@ -1,41 +0,0 @@
|
||||
################################################################################
|
||||
# Pre Fixups
|
||||
sudo mkdir -p /boot/grub2
|
||||
sudo touch /boot/grub2/grub.cfg
|
||||
sudo mkdir -p /boot/grub
|
||||
sudo touch /boot/grub/grub.cfg
|
||||
sudo mkdir --parents --mode=g+rw "/tmp/uwt"
|
||||
|
||||
# Whonix seems to re-install sysvinit even though there is a hold
|
||||
# on the package. Things seem to work anyway. BUT hopfully the
|
||||
# hold on grub* don't get removed
|
||||
sudo apt-mark hold sysvinit
|
||||
sudo apt-mark hold grub-pc grub-pc-bin grub-common grub2-common
|
||||
|
||||
# Whonix expects haveged to be started
|
||||
sudo /etc/init.d/haveged start
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# Link our build steps into Whonix build directory
|
||||
# ------------------------------------------------------------------------------
|
||||
#pushd /home/user/Whonix/build-steps.d
|
||||
#cp -pf /home/user/build-steps.d/* .
|
||||
#popd
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# Whonix installation
|
||||
# ------------------------------------------------------------------------------
|
||||
export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1"
|
||||
|
||||
pushd ~/Whonix
|
||||
sudo ~/Whonix/whonix_build \
|
||||
--build $1 \
|
||||
--64bit-linux \
|
||||
--current-sources \
|
||||
--enable-whonix-apt-repository \
|
||||
--whonix-apt-repository-distribution $2 \
|
||||
--install-to-root \
|
||||
--skip-verifiable \
|
||||
--minimal-report \
|
||||
--skip-sanity-tests || { exit 1; }
|
||||
popd
|
@ -1,3 +0,0 @@
|
||||
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
|
||||
sudo apt-get -y --force-yes remove grub-pc grub-common grub-pc-bin grub2-common
|
||||
sudo apt-mark hold grub-common grub-pc-bin grub2-common
|
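--- /dev/null
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/alert
@@ -0,0 +1,90 @@
+#!/usr/bin/python
+
+#
+# Copyright 2014 Jason Mehring (nrgaway@gmail.com)
+#
+
+from PyQt4 import QtGui
+import locale
+import yaml
+
+DEFAULT_LANG = 'en'
+
+class Messages():
+    filename = None
+    data = None
+    language = DEFAULT_LANG
+    title = None
+    icon = None
+    message = None
+
+    def __init__(self, section, filename):
+        self.filename = filename
+
+        language = locale.getdefaultlocale()[0].split('_')[0]
+        if language:
+            self.language = language
+
+        try:
+            stream = file(filename, 'r')
+            data = yaml.load(stream)
+
+            if section in data.keys():
+                section = data[section]
+
+                self.icon = section.get('icon', None)
+
+                language = section.get(self.language, DEFAULT_LANG)
+
+                self.title = language.get('title', None)
+                self.message = language.get('message', None)
+
+        except (IOError):
+            pass
+        except (yaml.scanner.ScannerError, yaml.parser.ParserError):
+            pass
+
+class WhonixMessageBox(QtGui.QMessageBox):
+    def __init__(self, message):
+        super(WhonixMessageBox, self).__init__()
+        self.message = message
+        self.initUI()
+
+    def initUI(self):
+        message = self.message
+
+        if message.title:
+            self.setWindowTitle(message.title)
+
+        if message.icon:
+            self.setIcon(getattr(QtGui.QMessageBox, message.icon))
+
+        if message.message:
+            self.setText(message.message)
+        self.exec_()
+
+import argparse
+import sys
+
+
+
+def main():
+    parser = argparse.ArgumentParser(description='Display a QT Message Box')
+
+    parser.add_argument('section', help="Message section")
+    parser.add_argument('filename', help="File including full path")
+
+    args = parser.parse_args()
+
+    if not args.filename and args.section:
+        print parser.usage()
+        sys.exit(1)
+
+    app = QtGui.QApplication(sys.argv)
+
+    message = Messages(args.section, args.filename)
+    dialog = WhonixMessageBox(message)
+    sys.exit()
+
+if __name__ == "__main__":
+    main()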
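Review bot: `yaml.load(stream)` at the top of the `try` uses PyYAML's full loader, which instantiates arbitrary Python objects from `!!python/object` tags, and the path it reads comes straight from argv; use `yaml.safe_load(stream)` (or `yaml.load(stream, Loader=yaml.SafeLoader)`). The language fallback is also broken: `section.get(self.language, DEFAULT_LANG)` returns the string `'en'` when the locale's section is missing, so the following `language.get('title', None)` raises AttributeError, which neither `except` clause catches, and `locale.getdefaultlocale()[0]` can be `None`, making `.split` fail before the `try` is even entered. `getattr(QtGui.QMessageBox, message.icon)` resolves whatever attribute name the YAML supplies, so restrict it to the icon names the file is meant to use. The handle from `file(filename, 'r')` is never closed, `parser.usage` is a string so `print parser.usage()` would itself raise (`parser.print_usage()` is the call), and because both positionals are required by argparse the `if not args.filename and args.section` branch is dead.
```python
    def __init__(self, section, filename):
        self.filename = filename

        default = locale.getdefaultlocale()[0]
        language = default.split('_')[0] if default else ''
        if language:
            self.language = language

        try:
            with open(filename, 'r') as stream:
                # safe_load: messages.yaml is data, never Python objects
                data = yaml.safe_load(stream) or {}

            if section in data:
                section = data[section]

                icon = section.get('icon', None)
                # Only the QMessageBox icon names we document are accepted
                if icon in ('NoIcon', 'Information', 'Warning', 'Critical', 'Question'):
                    self.icon = icon

                # Fall back to the default language's entry, not to the string 'en'
                language = section.get(self.language) or section.get(DEFAULT_LANG) or {}
                self.title = language.get('title', None)
                self.message = language.get('message', None)

        except (IOError, yaml.YAMLError):
            pass
```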
@ -20,3 +20,11 @@ if [ "$LOG_IP6" == "1" ]; then
|
||||
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
|
||||
modprobe ip6t_LOG
|
||||
fi
|
||||
|
||||
# Redirect local port to remote via socat
|
||||
#apt-get install socat
|
||||
#socat TCP4-LISTEN:8082,fork,mode=0666,user=root,group=root TCP4:10.137.255.254:8082
|
||||
#
|
||||
# Works
|
||||
# localhost/loopback maps localhost port 8082 to localhost port 8888
|
||||
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888
|
||||
|
@ -0,0 +1,12 @@
|
||||
|
||||
update:
|
||||
icon: Critical
|
||||
en:
|
||||
title: Tor netvm required for updates
|
||||
message: |
|
||||
<p><B>Tor netvm required for updates!</B></p>
|
||||
<p>Please ensure your template vm has a Whonix gateway as it's VM.</p>
|
||||
<p>No updates are possible without an active (running) Whonix gateway VM.</p>
|
||||
<p/>
|
||||
<p><b>Template will now power off</b></p>
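Review bot: The user-facing line `<p>Please ensure your template vm has a Whonix gateway as it's VM.</p>` has the wrong word (`it's` should be `its`) and does not name what is actually checked: `qubes-whonixsetup` shows this alert when the updates proxy at the NetVM address fails the `PROXY_SECURE` probe, so the sentence should point at the NetVM setting, e.g. `<p>Please set this TemplateVM's NetVM to a running Whonix Gateway.</p>`. The empty `<p/>` spacer renders in Qt's rich-text mode but reads as an artifact; a `<br/>` or nothing is clearer. Since `icon: Critical` is looked up by attribute name in `alert`, add a comment at the top of this file listing the accepted icon names so a typo does not break the dialog.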
|
||||
|
@ -1,23 +1,46 @@
|
||||
#/bin/bash
|
||||
#!/bin/bash
|
||||
|
||||
# XXX: TODO:
|
||||
# - Make sure we can't just run this from setup-ip
|
||||
# - Alternatives? instead of deleting dialog?
|
||||
#
|
||||
# INSTALLATION NOTES:
|
||||
# - Make sure /etc/tor/torrc is disabled initially
|
||||
# - Make sure /var/lib/whonix/do_once/whonixsetup.done does not exist
|
||||
# so repo questions will be asked
|
||||
# - /etc/xdg/autostart/qubes-whonixsetup must be in place
|
||||
# - this file must be in place
|
||||
# - gdialog must have over-written dialog
|
||||
# - patches to setup-ip:
|
||||
# - bring eth1 up
|
||||
# - remove old code that was trying to get setup working
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
||||
sudo systemctl stop whonixcheck
|
||||
sudo systemctl stop tor
|
||||
sudo /usr/lib/whonix/setup-ip
|
||||
sudo /usr/bin/whonixsetup
|
||||
}
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
||||
sudo service sdwdate restart
|
||||
sudo service tor stop
|
||||
sudo /usr/bin/whonixsetup && {
|
||||
enable_sysv tor
|
||||
sleep 1
|
||||
enable_sysv sdwdate
|
||||
} || {
|
||||
sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
|
||||
disable_sysv tor
|
||||
disable_sysv sdwdate
|
||||
sudo /sbin/poweroff
|
||||
}
|
||||
}
|
||||
|
||||
# Allow whonix-gateway to act as an update-proxy
|
||||
sudo systemctl status qubes-updates-proxy.service || {
|
||||
error_file="/usr/share/tinyproxy/default.html"
|
||||
|
||||
# Search and replace tinyproxy error files so we can inject code that
|
||||
# we can use to identify that its a tor proxy so updates are secure
|
||||
grep -q "${PROXY_META}" "${error_file}" || {
|
||||
sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
|
||||
}
|
||||
|
||||
sudo touch /var/run/qubes-service/qubes-updates-proxy
|
||||
sudo iptables -t nat -N PR-QBS-SERVICES
|
||||
sudo systemctl start qubes-updates-proxy.service
|
||||
}
|
||||
|
||||
elif [ "${WHONIX}" == "workstation" ]; then
|
||||
if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
|
||||
enable_sysv sdwdate
|
||||
sudo service sdwdate restart
|
||||
sudo /usr/bin/whonixsetup
|
||||
fi
|
||||
|
||||
elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
|
||||
/usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
|
||||
sudo /sbin/poweroff
|
||||
fi
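Review bot: In the gateway branch, `sudo /usr/bin/whonixsetup && { enable_sysv tor; sleep 1; enable_sysv sdwdate; } || { ... sudo /sbin/poweroff; }` is an if/else only by accident: when whonixsetup succeeds but `enable_sysv sdwdate` returns non-zero, the `||` arm runs, comments out `DisableNetwork 0` in torrc, disables tor and powers the VM off. Write it as `if sudo /usr/bin/whonixsetup; then ... else ... fi`, and note that the `sed -i ... "/etc/tor/torrc"` in the failure arm runs without `sudo` while every neighbouring command uses it, so on a root-owned torrc it likely fails and Tor stays enabled after the poweroff. The proxy setup below injects `PROXY_META` into tinyproxy's error page as the marker the template later greps for; that marker is a banner, not an authenticator, so a comment should state that the template-side `PROXY_SECURE` check detects a misconfigured NetVM, not a hostile one. `sudo iptables -t nat -N PR-QBS-SERVICES` errors if the chain already exists (plausible if another Qubes component created it first), so tolerate that with `|| :`, and the template arm's `[ a -a b ]` should become two `[ ... ] &&` tests as elsewhere in this commit.
```shell
if [ "${WHONIX}" = "gateway" ]; then
    grep -q "^DisableNetwork 0$" /etc/tor/torrc || {
        sudo service sdwdate restart
        sudo service tor stop
        if sudo /usr/bin/whonixsetup; then
            enable_sysv tor
            sleep 1
            enable_sysv sdwdate
        else
            # Setup was cancelled or failed: leave Tor disabled and shut down
            sudo sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
            disable_sysv tor
            disable_sysv sdwdate
            sudo /sbin/poweroff
        fi
    }
    # … unchanged: update-proxy setup …
```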
|
||||
|
@ -1,7 +1,9 @@
|
||||
#!/bin/bash
|
||||
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
# Search though files and updates IP address to the current
|
||||
# 'qubes-netvm-gateway' IP address
|
||||
# IP address(es)
|
||||
|
||||
FILES=(
|
||||
'/usr/lib/leaktest-workstation/simple_ping.py'
|
||||
@ -40,7 +42,7 @@ search_replace() {
|
||||
sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}"
|
||||
retval=$?
|
||||
|
||||
if [ "${ls_attrs}" == "i" ]; then
|
||||
if [ "${ls_attrs}" = "i" ]; then
|
||||
chattr +i "${file}"
|
||||
fi
|
||||
|
||||
@ -58,7 +60,7 @@ function replace_ips()
|
||||
search_network="${search_ip%[.]*}.0"
|
||||
replace_network="${replace_ip%[.]*}.0"
|
||||
|
||||
if ! [ "${search_ip}" == "${replace_ip}" ]; then
|
||||
if ! [ "${search_ip}" = "${replace_ip}" ]; then
|
||||
for file in "${files[@]}"; do
|
||||
if [ -f "$file" ]; then
|
||||
search_replace "${search_ip}" "${replace_ip}" "${file}" && retval=0
|
||||
@ -75,18 +77,42 @@ update_ip() {
|
||||
|
||||
echo "${ip}" > /etc/whonix-netvm-gateway
|
||||
grep '^DisableNetwork 0$' /etc/tor/torrc && {
|
||||
service tor reload || true;
|
||||
service tor status && {
|
||||
service tor reload || true;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
ip="$(xenstore-read qubes-netvm-gateway)"
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
ip="$(xenstore-read qubes-netvm-gateway)"
|
||||
if [ x${ip} != x ]; then
|
||||
# Compare to current IP address assiged by Qubes
|
||||
replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] && update_ip "${ip}"
|
||||
|
||||
# Compare to current IP address assiged by Qubes
|
||||
replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] && update_ip "${ip}"
|
||||
# Do again; checking for original 10.152.152.10 incase of update
|
||||
replace_ips "10.152.152.10" "${ip}" FILES[@] && update_ip "${ip}"
|
||||
|
||||
# Do again; checking for original 10.152.152.10 incase of update
|
||||
replace_ips "10.152.152.10" "${ip}" FILES[@] && update_ip "${ip}"
|
||||
# Do again; checking for original 10.152.152.11 incase of update
|
||||
replace_ips "10.152.152.11" "${ip}" FILES[@] && update_ip "${ip}"
|
||||
fi
|
||||
|
||||
# Do again; checking for original 10.152.152.11 incase of update
|
||||
replace_ips "10.152.152.11" "${ip}" FILES[@] && update_ip "${ip}"
|
||||
elif [ "${WHONIX}" == "workstation" ]; then
|
||||
ip="$(xenstore-read qubes-ip)"
|
||||
gateway="$(xenstore-read qubes-gateway)"
|
||||
|
||||
if [ x${ip} != x ]; then
|
||||
# Compare to current IP address assiged by Qubes
|
||||
replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip
|
||||
|
||||
# Do again; checking for original 10.152.152.11 incase of update
|
||||
replace_ips "10.152.152.11" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip
|
||||
fi
|
||||
|
||||
if [ x${gateway} != x ]; then
|
||||
# Compare to current gateway IP address assiged by Qubes
|
||||
replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway
|
||||
|
||||
# Do again; checking for original 10.152.152.10 incase of update
|
||||
replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway
|
||||
fi
|
||||
fi
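Review bot: The values read with `xenstore-read qubes-ip`, `qubes-gateway` and `qubes-netvm-gateway` are never validated before `update_ip` writes them to `/etc/whonix-netvm-gateway`, before `search_replace` splices them into a `sed` expression built by string concatenation (visible in the hunk above), and before the workstation branch echoes them into `/etc/whonix-ip`. Xenstore values come from dom0 in the Qubes model, so this is not injection from an untrusted peer, but a blank or malformed value still yields a corrupted config or a sed error instead of a clean failure, and `[ x${ip} != x ]` only catches the empty string. Guard each branch with a shape check, e.g. `[[ "${ip}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || { echo "replace-ips: bad qubes-ip '${ip}'" >&2; exit 1; }`, and quote the expansions. The literal `10.152.152.10` / `10.152.152.11` search strings are also unescaped regexes inside `search_replace`, so each `.` matches any character; `replace_ips` and `update_ip` begin above this hunk.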
|
||||
|
@ -1,141 +1,78 @@
|
||||
#!/bin/bash
|
||||
|
||||
if [ -x /usr/sbin/xenstore-read ]; then
|
||||
XENSTORE_READ="/usr/sbin/xenstore-read"
|
||||
else
|
||||
XENSTORE_READ="/usr/bin/xenstore-read"
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
if [ -x /usr/sbin/xenstore-read ]; then
|
||||
XENSTORE_READ="/usr/sbin/xenstore-read"
|
||||
else
|
||||
XENSTORE_READ="/usr/bin/xenstore-read"
|
||||
fi
|
||||
|
||||
INTERFACE="eth1"
|
||||
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
|
||||
|
||||
# Create a dummy eth1 interface so tor can bind to it if there
|
||||
# are no DOMU virtual machines connected at the moment
|
||||
ip link show ${INTERFACE} >> /dev/null || {
|
||||
/sbin/ip link add ${INTERFACE} type dummy
|
||||
|
||||
# Now, assign it the netvm-gateway IP address
|
||||
if [ x${ip} != x ]; then
|
||||
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
|
||||
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
|
||||
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
|
||||
/sbin/ifconfig ${INTERFACE} up
|
||||
/sbin/ethtool -K ${INTERFACE} sg off || true
|
||||
/sbin/ethtool -K ${INTERFACE} tx off || true
|
||||
fi
|
||||
|
||||
ip link set ${INTERFACE} up
|
||||
}
|
||||
fi
|
||||
|
||||
INTERFACE="eth1"
|
||||
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
|
||||
if [ "${WHONIX}" != "template" ]; then
|
||||
# Files that will have the immutable bit set
|
||||
# since we don't want them modified by other programs
|
||||
IMMUTABLE_FILES=(
|
||||
'/etc/resolv.conf'
|
||||
'/etc/hostname'
|
||||
'/etc/hosts'
|
||||
)
|
||||
|
||||
# Create a dummy eth1 interface so tor can bind to it if there
|
||||
# are no DOMU virtual machines connected at the moment
|
||||
ip link show ${INTERFACE} >> /dev/null || {
|
||||
/sbin/ip link add ${INTERFACE} type dummy
|
||||
# Make sure all .anondist files in list are immutable
|
||||
immutableFilesEnable "${IMMUTABLE_FILES}"
|
||||
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
|
||||
|
||||
# Now, assign it the netvm-gateway IP address
|
||||
if [ x${ip} != x ]; then
|
||||
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
|
||||
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
|
||||
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
|
||||
/sbin/ifconfig ${INTERFACE} up
|
||||
/sbin/ethtool -K ${INTERFACE} sg off
|
||||
/sbin/ethtool -K ${INTERFACE} tx off
|
||||
# Make sure we are using a copy of the annondist file and if not
|
||||
# copy the annondist file and set it immutable
|
||||
copyAnondist "/etc/resolv.conf"
|
||||
copyAnondist "/etc/hosts"
|
||||
copyAnondist "/etc/hostname"
|
||||
|
||||
# Replace IP addresses in known configuration files / scripts to
|
||||
# currently discovered one
|
||||
/usr/lib/whonix/replace-ips
|
||||
|
||||
# Make sure hostname is correct
|
||||
/bin/hostname host
|
||||
|
||||
# Start Whonix Firewall
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
export INT_IF="vif+"
|
||||
export INT_TIF="vif+"
|
||||
fi
|
||||
/usr/bin/whonix_firewall
|
||||
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
# Route any traffic FROM netvm TO netvm BACK-TO localhost
|
||||
# Allows localhost access to tor network
|
||||
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1
|
||||
fi
|
||||
|
||||
ip link set ${INTERFACE} up
|
||||
}
|
||||
|
||||
# Files that will have the immutable bit set
|
||||
# since we don't want them modified by other programs
|
||||
IMMUTABLE_FILES=(
|
||||
'/etc/resolv.conf'
|
||||
'/etc/hostname'
|
||||
'/etc/hosts'
|
||||
)
|
||||
|
||||
immutableFilesEnable() {
|
||||
files="${1}"
|
||||
suffix="${2}"
|
||||
|
||||
for file in "${files[@]}"; do
|
||||
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
|
||||
chattr +i "${file}${suffix}"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
immutableFilesDisable() {
|
||||
files="${1}"
|
||||
suffix="${2}"
|
||||
|
||||
for file in "${files[@]}"; do
|
||||
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
|
||||
chattr -i "${file}${suffix}"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
copyAnondist() {
|
||||
file="${1}"
|
||||
suffix="${2-.anondist}"
|
||||
|
||||
# Remove any softlinks first
|
||||
if [ -L "${file}" ]; then
|
||||
rm -f "${file}"
|
||||
fi
|
||||
|
||||
if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then
|
||||
chattr -i "${file}"
|
||||
rm -f "${file}"
|
||||
cp -p "${file}${suffix}" "${file}"
|
||||
chattr +i "${file}"
|
||||
elif ! [ -f "${file}" ]; then
|
||||
cp -p "${file}${suffix}" "${file}"
|
||||
chattr +i "${file}"
|
||||
fi
|
||||
}
|
||||
|
||||
# Make sure all .anondist files in list are immutable
|
||||
immutableFilesEnable "${IMMUTABLE_FILES}"
|
||||
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
|
||||
|
||||
# Make sure we are using a copy of the annondist file and if not
|
||||
# copy the annondist file and set it immutable
|
||||
copyAnondist "/etc/resolv.conf"
|
||||
copyAnondist "/etc/hosts"
|
||||
copyAnondist "/etc/hostname"
|
||||
|
||||
# Replace IP addresses in known configuration files / scripts to
|
||||
# currently discovered one
|
||||
/usr/lib/whonix/replace-ips
|
||||
|
||||
# Make sure hostname is correct
|
||||
/bin/hostname host
|
||||
|
||||
# Start Whonix Firewall
|
||||
export INT_IF="vif+"
|
||||
export INT_TIF="vif+"
|
||||
/usr/bin/whonix_firewall
|
||||
|
||||
# Route any traffic FROM netvm TO netvm BACK-TO localhost
|
||||
# Allows localhost access to tor network
|
||||
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1
|
||||
|
||||
# Will only enable / disable if service is not already in that state
|
||||
enable_sysv() {
|
||||
servicename=${1}
|
||||
disable=${2-0}
|
||||
|
||||
# Check to see if the service is already enabled and if not, enable it
|
||||
string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}"
|
||||
|
||||
if [ $(find $string 2>/dev/null | wc -l) -eq ${disable} ] ; then
|
||||
case ${disable} in
|
||||
0)
|
||||
echo "${1} is currently disabled; enabling it"
|
||||
systemctl --quiet enable ${servicename}
|
||||
;;
|
||||
1)
|
||||
echo "${1} is currently enabled; disabling it"
|
||||
systemctl --quiet disable ${servicename}
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
}
|
||||
|
||||
disable_sysv() {
|
||||
enable_sysv ${1} 1
|
||||
}
|
||||
|
||||
# This would be a really good place to apply any hacks required and remove them
|
||||
# from template build script
|
||||
grep "^DisableNetwork 0$" /etc/tor/torrc && {
|
||||
#enable_sysv tor
|
||||
#enable_sysv whonixcheck
|
||||
#enable_sysv sdwdate
|
||||
:
|
||||
} || {
|
||||
:
|
||||
}
|
||||
# Make sure we remove whonixsetup.done if Tor is not enabled
|
||||
# to allow choice of repo and prevent whonixcheck errors
|
||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
||||
rm -f /var/lib/whonix/do_once/whonixsetup.done
|
||||
}
|
||||
fi
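Review bot: `immutableFilesEnable "${IMMUTABLE_FILES}"` expands only the first array element, so just `/etc/resolv.conf` gets `chattr +i`; `/etc/hostname` and `/etc/hosts` are never made immutable, and the same holds for the `.anondist` call, because the function iterates `"${files[@]}"` over the scalar it received. Loop at the call site instead: `for f in "${IMMUTABLE_FILES[@]}"; do immutableFilesEnable "$f"; immutableFilesEnable "$f" ".anondist"; done`. Separately, that function (now in `utility_functions`) tests `[ -f "${file}" ]` but chattrs `"${file}${suffix}"`, so a `.anondist` copy is only protected when the unsuffixed file already exists. In the gateway branch, `iptables -t nat -A OUTPUT -s ${ip} -d ${ip} ...` runs even when `ip` is empty (the `[ x${ip} != x ]` guard covers only the dummy-interface block); iptables will reject the malformed rule rather than install a wrong one, but it belongs inside an `[ -n "${ip}" ]` test as well.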
|
||||
|
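--- /dev/null
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/tests.sh
@@ -0,0 +1,95 @@
+#!/bin/bash
+
+. /usr/lib/whonix/utility_functions
+
+#sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
+#disable_sysv tor
+#disable_sysv sdwdate
+
+iptables -F
+iptables -t nat -F
+
+LOG_IP4=1
+LOG_IP6=0
+
+# for IPv4
+if [ "$LOG_IP4" == "1" ]; then
+iptables -t raw -A OUTPUT -p icmp -j TRACE
+iptables -t raw -A PREROUTING -p icmp -j TRACE
+modprobe ipt_LOG
+fi
+
+# for IPv6
+if [ "$LOG_IP6" == "1" ]; then
+ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE
+ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE
+ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE
+ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
+modprobe ip6t_LOG
+fi
+
+sysctl -w net.ipv4.ip_forward=1
+
+iptables -A FORWARD -i eth0 -j ACCEPT
+iptables -A FORWARD -o eth0 -j ACCEPT
+iptables -A FORWARD -i lo -j ACCEPT
+iptables -A FORWARD -o lo -j ACCEPT
+
+#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+
+#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A OUTPUT -p tcp -s 10.137.255.254 --sport 8082 -j DNAT --to-destination 127.0.0.1:9105
+#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.1 --dport 9105 -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A OUTPUT -p tcp --dport 9105 -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A OUTPUT -p tcp --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
+
+
+#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082
+#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082
+
+#iptables -t nat -A INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT"
+#iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT"
+
+#iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 9105 -j ACCEPT
+#iptables -t nat -A OUTPUT -o lo -p tcp --dport 9105 -j ACCEPT
+#iptables -t nat -A PREROUTING -i lo -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
+#iptables -t nat -A PREROUTING -i eth0 -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
+#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j REDIRECT --to-destination 10.137.255.254:8082
+#iptables -t nat -A PREROUTING -p tcp --dport 8082 -i eth0 -j DNAT --to 10.137.255.254:8082
+#iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT --to 10.137.255.254:8082
+#iptables -t nat -A PREROUTING -p tcp -i lo -j DNAT --to 10.137.255.254:8082
+
+#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
+
+#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254
+#iptables -t nat -A PREROUTING -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254
+#iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254
+#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254
+
+# Works
+# localhost/loopback maps localhost port 8082 to localhost port 8888
+#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888
+
+# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A PREROUTING --dst 127.0.0.1 -p tcp --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A OUTPUT -p udp -d 10.137.2.1 --dport 52 -j DNAT --to-destination 10.137.255.254:8082
+
+# Remap ALL traffic
+#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A OUTPUT -p udp -j DNAT --to-destination 10.137.255.254:8082
+
+
+#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j REDIRECT --to-port 9105
+#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105
+#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105
+
+#iptables -v -L
+#iptables -v -t nat -L
+#telnet 127.0.0.1 9105
+#telnet 10.137.2.1 8082
+#telnet 127.0.0.1 8082
+#tail -100 /var/log/kern.log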
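--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/utility_functions
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/utility_functions
@@ -0,0 +1,94 @@
+#!/bin/bash
+
+# /etc/uwt.d/50_uwt_default relies on this in order to allow connection
+# to proxy for template
+PROXY_SERVER="http://10.137.255.254:8082/"
+PROXY_META='<meta name=\"application-name\" content=\"tor proxy\"\/>'
+
+if [ -f "/var/run/qubes-service/updates-proxy-setup" ]; then
+WHONIX="template"
+elif [ -f "/usr/share/anon-gw-base-files/gateway" ]; then
+WHONIX="gateway"
+elif [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
+WHONIX="workstation"
+else
+WHONIX="unknown"
+fi
+
+if [ "${WHONIX}" == "template" ]; then
+curl.anondist-orig "${PROXY_SERVER}" | grep -q "${PROXY_META}" && {
+PROXY_SECURE=1
+} || {
+PROXY_SECURE=0
+}
+fi
+
+immutableFilesEnable() {
+files="${1}"
+suffix="${2}"
+
+for file in "${files[@]}"; do
+if [ -f "${file}" ] && ! [ -L "${file}" ]; then
+sudo chattr +i "${file}${suffix}"
+fi
+done
+}
+
+immutableFilesDisable() {
+files="${1}"
+suffix="${2}"
+
+for file in "${files[@]}"; do
+if [ -f "${file}" ] && ! [ -L "${file}" ]; then
+sudo chattr -i "${file}${suffix}"
+fi
+done
+}
+
+copyAnondist() {
+file="${1}"
+suffix="${2-.anondist}"
+
+# Remove any softlinks first
+if [ -L "${file}" ]; then
+sudo rm -f "${file}"
+fi
+
+if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then
+sudo chattr -i "${file}"
+sudo rm -f "${file}"
+sudo cp -p "${file}${suffix}" "${file}"
+sudo chattr +i "${file}"
+elif ! [ -f "${file}" ]; then
+sudo cp -p "${file}${suffix}" "${file}"
+sudo chattr +i "${file}"
+fi
+}
+
+# Will only enable / disable if service is not already in that state
+enable_sysv() {
+servicename=${1}
+disable=${2-0}
+
+# Check to see if the service is already enabled and if not, enable it
+string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}"
+
+if [ $(find $string 2>/dev/null | wc -l) -eq ${disable} ] ; then
+case ${disable} in
+0)
+echo "${1} is currently disabled; enabling it"
+sudo systemctl --quiet enable ${servicename}
+;;
+1)
+echo "${1} is currently enabled; disabling it"
+sudo service ${servicename} stop
+sudo systemctl --quiet disable ${servicename}
+;;
+esac
+fi
+}
+
+disable_sysv() {
+enable_sysv ${1} 1
+}
+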
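Review bot: `immutableFilesEnable` and `immutableFilesDisable` assign `files="${1}"`, a scalar, so `"${files[@]}"` iterates over exactly one path; the callers in setup-ip pass `"${IMMUTABLE_FILES}"`, which expands to the first array element only, so only the first listed file ever gets the immutable bit. Use the array-name convention replace-ips already uses: `files=("${!1}")` in both helpers and `immutableFilesEnable IMMUTABLE_FILES[@]` at the call sites (`suffix="${2}"` is unaffected). The same helpers, with the same defect, are in the workstation copy of this file (the later `@ -0,0 +1,94 @@` hunk). `PROXY_SECURE` is derived from whether the proxy's HTTP response body contains `PROXY_META`, an unauthenticated marker string that any listener on 10.137.255.254:8082 could echo; it distinguishes a Whonix gateway from some other update proxy, not from a hostile one, and a comment such as `# PROXY_META is a hint, not authentication: the proxy address must only be reachable via the Whonix NetVM` would stop callers treating `PROXY_SECURE=1` as a stronger guarantee. Note also that the `curl.anondist-orig` probe runs at source time, so every script that sources this file on a template performs a network request.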
@ -19,6 +19,20 @@ user::rw-
|
||||
group::r--
|
||||
other::r--
|
||||
|
||||
# file: etc/uwt.d
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: etc/uwt.d/50_uwt_default
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rw-
|
||||
group::r--
|
||||
other::r--
|
||||
|
||||
# file: etc/udev
|
||||
# owner: root
|
||||
# group: root
|
||||
@ -49,10 +63,10 @@ other::r--
|
||||
|
||||
# file: etc/sudoers.d
|
||||
# owner: root
|
||||
# group: user
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
other::---
|
||||
|
||||
# file: etc/sudoers.d/qubes
|
||||
# owner: root
|
||||
@ -89,6 +103,13 @@ user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/utility_functions
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/setup-ip
|
||||
# owner: root
|
||||
# group: root
|
||||
@ -96,6 +117,20 @@ user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/tests.sh
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/messages.yaml
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rw-
|
||||
group::r--
|
||||
other::r--
|
||||
|
||||
# file: usr/lib/whonix/replace-ips
|
||||
# owner: root
|
||||
# group: root
|
||||
@ -103,6 +138,20 @@ user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/alert
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/qubes-whonixsetup
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/enable-iptables-logging.sh
|
||||
# owner: root
|
||||
# group: root
|
||||
|
@ -1,14 +1,5 @@
|
||||
## Anonymity Distribution /etc/hosts
|
||||
|
||||
## Defaults
|
||||
127.0.0.1 host
|
||||
::1 host ip6-host ip6-loopback
|
||||
fe00::0 ip6-localnet
|
||||
ff00::0 ip6-mcastprefix
|
||||
ff02::1 ip6-allnodes
|
||||
ff02::2 ip6-allrouters
|
||||
## End of defaults
|
||||
|
||||
## Anonymity Distribution specific
|
||||
127.0.0.1 host.localdomain host
|
||||
## End of Anonymity Distribution specific
|
||||
|
@ -0,0 +1,6 @@
|
||||
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
if [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "1" ]; then
|
||||
uwtwrapper["/usr/bin/apt-get"]="0"
|
||||
fi
|
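Review bot: Sourcing `/usr/lib/whonix/utility_functions` from a uwt.d file means every uwt-wrapped command on a template runs the `curl.anondist-orig` probe before it starts, not only apt-get; if uwt sources this directory per invocation (the wrapper itself is outside this commit), the result should be cached, for example next to the `/var/run/qubes-service/updates-proxy-setup` marker utility_functions already tests, rather than re-fetched each time. `-a` inside `[ ]` is obsolescent; `if [ "${WHONIX}" = "template" ] && [ "${PROXY_SECURE}" = "1" ]; then` is the portable form. Since this entry switches apt-get from the Tor wrapper to a direct connection, the precondition deserves a comment on the `uwtwrapper` line: `# apt-get bypasses uwt only on a template whose update proxy answered as a Whonix gateway; its traffic still leaves through the NetVM`.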
@ -1,41 +0,0 @@
|
||||
################################################################################
|
||||
# Pre Fixups
|
||||
sudo mkdir -p /boot/grub2
|
||||
sudo touch /boot/grub2/grub.cfg
|
||||
sudo mkdir -p /boot/grub
|
||||
sudo touch /boot/grub/grub.cfg
|
||||
sudo mkdir --parents --mode=g+rw "/tmp/uwt"
|
||||
|
||||
# Whonix seems to re-install sysvinit even though there is a hold
|
||||
# on the package. Things seem to work anyway. BUT hopfully the
|
||||
# hold on grub* don't get removed
|
||||
sudo apt-mark hold sysvinit
|
||||
sudo apt-mark hold grub-pc grub-pc-bin grub-common grub2-common
|
||||
|
||||
# Whonix expects haveged to be started
|
||||
sudo /etc/init.d/haveged start
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# Link our build steps into Whonix build directory
|
||||
# ------------------------------------------------------------------------------
|
||||
#pushd /home/user/Whonix/build-steps.d
|
||||
#cp -pf /home/user/build-steps.d/* .
|
||||
#popd
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# Whonix installation
|
||||
# ------------------------------------------------------------------------------
|
||||
export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1"
|
||||
|
||||
pushd ~/Whonix
|
||||
sudo ~/Whonix/whonix_build \
|
||||
--build $1 \
|
||||
--64bit-linux \
|
||||
--current-sources \
|
||||
--enable-whonix-apt-repository \
|
||||
--whonix-apt-repository-distribution $2 \
|
||||
--install-to-root \
|
||||
--skip-verifiable \
|
||||
--minimal-report \
|
||||
--skip-sanity-tests || { exit 1; }
|
||||
popd
|
90
scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/alert
Executable file
@ -0,0 +1,90 @@
|
||||
#!/usr/bin/python
|
||||
|
||||
#
|
||||
# Copyright 2014 Jason Mehring (nrgaway@gmail.com)
|
||||
#
|
||||
|
||||
from PyQt4 import QtGui
|
||||
import locale
|
||||
import yaml
|
||||
|
||||
DEFAULT_LANG = 'en'
|
||||
|
||||
class Messages():
|
||||
filename = None
|
||||
data = None
|
||||
language = DEFAULT_LANG
|
||||
title = None
|
||||
icon = None
|
||||
message = None
|
||||
|
||||
def __init__(self, section, filename):
|
||||
self.filename = filename
|
||||
|
||||
language = locale.getdefaultlocale()[0].split('_')[0]
|
||||
if language:
|
||||
self.language = language
|
||||
|
||||
try:
|
||||
stream = file(filename, 'r')
|
||||
data = yaml.load(stream)
|
||||
|
||||
if section in data.keys():
|
||||
section = data[section]
|
||||
|
||||
self.icon = section.get('icon', None)
|
||||
|
||||
language = section.get(self.language, DEFAULT_LANG)
|
||||
|
||||
self.title = language.get('title', None)
|
||||
self.message = language.get('message', None)
|
||||
|
||||
except (IOError):
|
||||
pass
|
||||
except (yaml.scanner.ScannerError, yaml.parser.ParserError):
|
||||
pass
|
||||
|
||||
class WhonixMessageBox(QtGui.QMessageBox):
|
||||
def __init__(self, message):
|
||||
super(WhonixMessageBox, self).__init__()
|
||||
self.message = message
|
||||
self.initUI()
|
||||
|
||||
def initUI(self):
|
||||
message = self.message
|
||||
|
||||
if message.title:
|
||||
self.setWindowTitle(message.title)
|
||||
|
||||
if message.icon:
|
||||
self.setIcon(getattr(QtGui.QMessageBox, message.icon))
|
||||
|
||||
if message.message:
|
||||
self.setText(message.message)
|
||||
self.exec_()
|
||||
|
||||
import argparse
|
||||
import sys
|
||||
|
||||
|
||||
|
||||
def main():
|
||||
parser = argparse.ArgumentParser(description='Display a QT Message Box')
|
||||
|
||||
parser.add_argument('section', help="Message section")
|
||||
parser.add_argument('filename', help="File including full path")
|
||||
|
||||
args = parser.parse_args()
|
||||
|
||||
if not args.filename and args.section:
|
||||
print parser.usage()
|
||||
sys.exit(1)
|
||||
|
||||
app = QtGui.QApplication(sys.argv)
|
||||
|
||||
message = Messages(args.section, args.filename)
|
||||
dialog = WhonixMessageBox(message)
|
||||
sys.exit()
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
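Review bot: In `Messages.__init__`, `language = section.get(self.language, DEFAULT_LANG)` falls back to the string `'en'` rather than the `en` mapping, so a locale with no translation raises AttributeError on the following `language.get('title', None)`, which neither except clause catches; use `language = section.get(self.language) or section.get(DEFAULT_LANG, {})`. `locale.getdefaultlocale()[0]` is None when no locale is configured, and `.split('_')` on it raises before the try block; `language = (locale.getdefaultlocale()[0] or '').split('_')[0]` keeps the existing `if language:` fallback working. `yaml.load(stream)` should be `yaml.safe_load(stream)`: messages.yaml is root-owned per the ACL hunks, but the default loader constructs arbitrary Python objects from tags and nothing here needs that, and the `file(filename, 'r')` handle is never closed, which `with open(filename) as stream:` fixes at the same time. In `main`, `parser.usage()` is not callable (`usage` is a string attribute; the method is `parser.print_usage()`), though that branch is unreachable because argparse already requires both positionals.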
@ -20,3 +20,11 @@ if [ "$LOG_IP6" == "1" ]; then
|
||||
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
|
||||
modprobe ip6t_LOG
|
||||
fi
|
||||
|
||||
# Redirect local port to remote via socat
|
||||
#apt-get install socat
|
||||
#socat TCP4-LISTEN:8082,fork,mode=0666,user=root,group=root TCP4:10.137.255.254:8082
|
||||
#
|
||||
# Works
|
||||
# localhost/loopback maps localhost port 8082 to localhost port 8888
|
||||
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888
|
||||
|
@ -0,0 +1,12 @@
|
||||
|
||||
update:
|
||||
icon: Critical
|
||||
en:
|
||||
title: Tor netvm required for updates
|
||||
message: |
|
||||
<p><B>Tor netvm required for updates!</B></p>
|
||||
<p>Please ensure your template vm has a Whonix gateway as it's VM.</p>
|
||||
<p>No updates are possible without an active (running) Whonix gateway VM.</p>
|
||||
<p/>
|
||||
<p><b>Template will now power off</b></p>
|
||||
|
@ -0,0 +1,46 @@
|
||||
#!/bin/bash
|
||||
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
||||
sudo service sdwdate restart
|
||||
sudo service tor stop
|
||||
sudo /usr/bin/whonixsetup && {
|
||||
enable_sysv tor
|
||||
sleep 1
|
||||
enable_sysv sdwdate
|
||||
} || {
|
||||
sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
|
||||
disable_sysv tor
|
||||
disable_sysv sdwdate
|
||||
sudo /sbin/poweroff
|
||||
}
|
||||
}
|
||||
|
||||
# Allow whonix-gateway to act as an update-proxy
|
||||
sudo systemctl status qubes-updates-proxy.service || {
|
||||
error_file="/usr/share/tinyproxy/default.html"
|
||||
|
||||
# Search and replace tinyproxy error files so we can inject code that
|
||||
# we can use to identify that its a tor proxy so updates are secure
|
||||
grep -q "${PROXY_META}" "${error_file}" || {
|
||||
sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
|
||||
}
|
||||
|
||||
sudo touch /var/run/qubes-service/qubes-updates-proxy
|
||||
sudo iptables -t nat -N PR-QBS-SERVICES
|
||||
sudo systemctl start qubes-updates-proxy.service
|
||||
}
|
||||
|
||||
elif [ "${WHONIX}" == "workstation" ]; then
|
||||
if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
|
||||
enable_sysv sdwdate
|
||||
sudo service sdwdate restart
|
||||
sudo /usr/bin/whonixsetup
|
||||
fi
|
||||
|
||||
elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
|
||||
/usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
|
||||
sudo /sbin/poweroff
|
||||
fi
|
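Review bot: `sudo /usr/bin/whonixsetup && { … } || { … }` is not an if/else: when whonixsetup succeeds but `enable_sysv sdwdate` (the last command of the first group, whose status is that of its `systemctl enable`) returns non-zero, the second group runs, comments out `DisableNetwork 0`, disables tor and sdwdate and powers the gateway off. Rewrite it as an `if`/`else` so only a whonixsetup failure takes the rollback path; the rewritten lines are below. Inside that rollback group `sed -i … "/etc/tor/torrc"` is the only privileged write in the file without `sudo`, so when the script runs as `user` it fails while the `disable_sysv` calls around it still go through. `[ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]` should be two tests joined by `&&`, and `grep "^DisableNetwork 0$" /etc/tor/torrc` wants `-q` since its output is not used.
```shell
# … unchanged: sdwdate restart and tor stop above …
if sudo /usr/bin/whonixsetup; then
  enable_sysv tor
  sleep 1
  enable_sysv sdwdate
else
  sudo sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
  disable_sysv tor
  disable_sysv sdwdate
  sudo /sbin/poweroff
fi
```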
@ -1,7 +1,9 @@
|
||||
#!/bin/bash
|
||||
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
# Search though files and updates IP address to the current
|
||||
# 'qubes-netvm-gateway' IP address
|
||||
# IP address(es)
|
||||
|
||||
FILES=(
|
||||
'/usr/lib/leaktest-workstation/simple_ping.py'
|
||||
@ -40,7 +42,7 @@ search_replace() {
|
||||
sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}"
|
||||
retval=$?
|
||||
|
||||
if [ "${ls_attrs}" == "i" ]; then
|
||||
if [ "${ls_attrs}" = "i" ]; then
|
||||
chattr +i "${file}"
|
||||
fi
|
||||
|
||||
@ -58,7 +60,7 @@ function replace_ips()
|
||||
search_network="${search_ip%[.]*}.0"
|
||||
replace_network="${replace_ip%[.]*}.0"
|
||||
|
||||
if ! [ "${search_ip}" == "${replace_ip}" ]; then
|
||||
if ! [ "${search_ip}" = "${replace_ip}" ]; then
|
||||
for file in "${files[@]}"; do
|
||||
if [ -f "$file" ]; then
|
||||
search_replace "${search_ip}" "${replace_ip}" "${file}" && retval=0
|
||||
@ -70,18 +72,47 @@ function replace_ips()
|
||||
return $retval
|
||||
}
|
||||
|
||||
ip="$(xenstore-read qubes-ip)"
|
||||
gateway="$(xenstore-read qubes-gateway)"
|
||||
update_ip() {
|
||||
ip=${1}
|
||||
|
||||
# Compare to current IP address assiged by Qubes
|
||||
replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip
|
||||
echo "${ip}" > /etc/whonix-netvm-gateway
|
||||
grep '^DisableNetwork 0$' /etc/tor/torrc && {
|
||||
service tor status && {
|
||||
service tor reload || true;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Do again; checking for original 10.152.152.11 incase of update
|
||||
replace_ips "10.152.152.11" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
ip="$(xenstore-read qubes-netvm-gateway)"
|
||||
if [ x${ip} != x ]; then
|
||||
# Compare to current IP address assiged by Qubes
|
||||
replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] && update_ip "${ip}"
|
||||
|
||||
# Compare to current gateway IP address assiged by Qubes
|
||||
replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway
|
||||
# Do again; checking for original 10.152.152.10 incase of update
|
||||
replace_ips "10.152.152.10" "${ip}" FILES[@] && update_ip "${ip}"
|
||||
|
||||
# Do again; checking for original 10.152.152.10 incase of update
|
||||
replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway
|
||||
# Do again; checking for original 10.152.152.11 incase of update
|
||||
replace_ips "10.152.152.11" "${ip}" FILES[@] && update_ip "${ip}"
|
||||
fi
|
||||
|
||||
elif [ "${WHONIX}" == "workstation" ]; then
|
||||
ip="$(xenstore-read qubes-ip)"
|
||||
gateway="$(xenstore-read qubes-gateway)"
|
||||
|
||||
if [ x${ip} != x ]; then
|
||||
# Compare to current IP address assiged by Qubes
|
||||
replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip
|
||||
|
||||
# Do again; checking for original 10.152.152.11 incase of update
|
||||
replace_ips "10.152.152.11" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip
|
||||
fi
|
||||
|
||||
if [ x${gateway} != x ]; then
|
||||
# Compare to current gateway IP address assiged by Qubes
|
||||
replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway
|
||||
|
||||
# Do again; checking for original 10.152.152.10 incase of update
|
||||
replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway
|
||||
fi
|
||||
fi
|
||||
|
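Review bot: In the new gateway branch, `replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@]` passes an empty search string whenever that state file is missing or empty, and `search_replace` splices it unquoted into its sed address, which becomes `//`; `replace_ips`' body is mostly outside the hunk, but a guard at the top of the function, `[ -n "${search_ip}" ] || return 1`, keeps the empty pattern out of sed. The `[ x${ip} != x ]` tests work but are the pre-`[[` idiom with an unquoted expansion; `[ -n "${ip}" ]` says the same thing. `update_ip` writes `/etc/whonix-netvm-gateway` unconditionally while `/etc/whonix-ip` is written only after a successful replace; if that asymmetry is intended, a one-line comment on the `echo` would help the next reader, and the trailing `;` in `service tor reload || true;` is noise.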
@ -1,70 +1,78 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Files that will have the immutable bit set
|
||||
# since we don't want them modified by other programs
|
||||
IMMUTABLE_FILES=(
|
||||
'/etc/hostname'
|
||||
'/etc/hosts'
|
||||
)
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
immutableFilesEnable() {
|
||||
files="${1}"
|
||||
suffix="${2}"
|
||||
|
||||
for file in "${files[@]}"; do
|
||||
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
|
||||
chattr +i "${file}${suffix}"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
immutableFilesDisable() {
|
||||
files="${1}"
|
||||
suffix="${2}"
|
||||
|
||||
for file in "${files[@]}"; do
|
||||
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
|
||||
chattr -i "${file}${suffix}"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
copyAnondist() {
|
||||
file="${1}"
|
||||
suffix="${2-.anondist}"
|
||||
|
||||
# Remove any softlinks first
|
||||
if [ -L "${file}" ]; then
|
||||
rm -f "${file}"
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
if [ -x /usr/sbin/xenstore-read ]; then
|
||||
XENSTORE_READ="/usr/sbin/xenstore-read"
|
||||
else
|
||||
XENSTORE_READ="/usr/bin/xenstore-read"
|
||||
fi
|
||||
|
||||
if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then
|
||||
chattr -i "${file}"
|
||||
rm -f "${file}"
|
||||
cp -p "${file}${suffix}" "${file}"
|
||||
chattr +i "${file}"
|
||||
elif ! [ -f "${file}" ]; then
|
||||
cp -p "${file}${suffix}" "${file}"
|
||||
chattr +i "${file}"
|
||||
INTERFACE="eth1"
|
||||
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
|
||||
|
||||
# Create a dummy eth1 interface so tor can bind to it if there
|
||||
# are no DOMU virtual machines connected at the moment
|
||||
ip link show ${INTERFACE} >> /dev/null || {
|
||||
/sbin/ip link add ${INTERFACE} type dummy
|
||||
|
||||
# Now, assign it the netvm-gateway IP address
|
||||
if [ x${ip} != x ]; then
|
||||
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
|
||||
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
|
||||
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
|
||||
/sbin/ifconfig ${INTERFACE} up
|
||||
/sbin/ethtool -K ${INTERFACE} sg off || true
|
||||
/sbin/ethtool -K ${INTERFACE} tx off || true
|
||||
fi
|
||||
|
||||
ip link set ${INTERFACE} up
|
||||
}
|
||||
fi
|
||||
|
||||
if [ "${WHONIX}" != "template" ]; then
|
||||
# Files that will have the immutable bit set
|
||||
# since we don't want them modified by other programs
|
||||
IMMUTABLE_FILES=(
|
||||
'/etc/resolv.conf'
|
||||
'/etc/hostname'
|
||||
'/etc/hosts'
|
||||
)
|
||||
|
||||
# Make sure all .anondist files in list are immutable
|
||||
immutableFilesEnable "${IMMUTABLE_FILES}"
|
||||
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
|
||||
|
||||
# Make sure we are using a copy of the annondist file and if not
|
||||
# copy the annondist file and set it immutable
|
||||
copyAnondist "/etc/resolv.conf"
|
||||
copyAnondist "/etc/hosts"
|
||||
copyAnondist "/etc/hostname"
|
||||
|
||||
# Replace IP addresses in known configuration files / scripts to
|
||||
# currently discovered one
|
||||
/usr/lib/whonix/replace-ips
|
||||
|
||||
# Make sure hostname is correct
|
||||
/bin/hostname host
|
||||
|
||||
# Start Whonix Firewall
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
export INT_IF="vif+"
|
||||
export INT_TIF="vif+"
|
||||
fi
|
||||
}
|
||||
/usr/bin/whonix_firewall
|
||||
|
||||
# Make sure all .anondist files in list are immutable
|
||||
immutableFilesEnable "${IMMUTABLE_FILES}"
|
||||
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
|
||||
|
||||
# Make sure we are using a copy of the annondist file and if not
|
||||
# copy the annondist file and set it immutable
|
||||
copyAnondist "/etc/hosts"
|
||||
copyAnondist "/etc/hostname"
|
||||
|
||||
# Replace IP addresses in known configuration files / scripts to
|
||||
# currently discovered one
|
||||
/usr/lib/whonix/replace-ips
|
||||
|
||||
# Make sure hostname is correct
|
||||
/bin/hostname host
|
||||
|
||||
# Start Whonix Firewall
|
||||
/usr/bin/whonix_firewall
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
# Route any traffic FROM netvm TO netvm BACK-TO localhost
|
||||
# Allows localhost access to tor network
|
||||
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1
|
||||
fi
|
||||
|
||||
# Make sure we remove whonixsetup.done if Tor is not enabled
|
||||
# to allow choice of repo and prevent whonixcheck errors
|
||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
||||
rm -f /var/lib/whonix/do_once/whonixsetup.done
|
||||
}
|
||||
fi
|
||||
|
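Review bot: `iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1` in the new gateway block appends a rule on every run, so the nat OUTPUT chain accumulates duplicates across restarts, and `ip` comes from `${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null`, which leaves it empty on failure and turns the command into `-s -d` with missing operands; check with `-C` before appending and skip when `ip` is empty, as below. The dummy-interface block assigns `netmask` and `gateway` from xenstore but uses neither (the ifconfig line hard-codes `255.255.255.255`); drop them or use `${netmask}`. `immutableFilesEnable "${IMMUTABLE_FILES}"` expands only the first element of the array, so `/etc/hostname` and `/etc/hosts` are never made immutable; the helper's `files="${1}"` is the other half of that defect and is raised on the utility_functions hunk. This hunk interleaves removed and added lines without markers, so which `immutableFilesEnable`/`copyAnondist` calls survive on the new side is inferred from the `WHONIX != "template"` wrapper.
```shell
if [ "${WHONIX}" == "gateway" ] && [ -n "${ip}" ]; then
  # Route any traffic FROM netvm TO netvm BACK-TO localhost
  # Allows localhost access to tor network
  iptables -t nat -C OUTPUT -s "${ip}" -d "${ip}" -j DNAT --to-destination 127.0.0.1 2>/dev/null ||
    iptables -t nat -A OUTPUT -s "${ip}" -d "${ip}" -j DNAT --to-destination 127.0.0.1
fi
```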
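--- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/tests.sh
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/tests.sh
@@ -0,0 +1,95 @@
+#!/bin/bash
+
+. /usr/lib/whonix/utility_functions
+
+#sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
+#disable_sysv tor
+#disable_sysv sdwdate
+
+iptables -F
+iptables -t nat -F
+
+LOG_IP4=1
+LOG_IP6=0
+
+# for IPv4
+if [ "$LOG_IP4" == "1" ]; then
+iptables -t raw -A OUTPUT -p icmp -j TRACE
+iptables -t raw -A PREROUTING -p icmp -j TRACE
+modprobe ipt_LOG
+fi
+
+# for IPv6
+if [ "$LOG_IP6" == "1" ]; then
+ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE
+ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE
+ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE
+ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
+modprobe ip6t_LOG
+fi
+
+sysctl -w net.ipv4.ip_forward=1
+
+iptables -A FORWARD -i eth0 -j ACCEPT
+iptables -A FORWARD -o eth0 -j ACCEPT
+iptables -A FORWARD -i lo -j ACCEPT
+iptables -A FORWARD -o lo -j ACCEPT
+
+#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+
+#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A OUTPUT -p tcp -s 10.137.255.254 --sport 8082 -j DNAT --to-destination 127.0.0.1:9105
+#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.1 --dport 9105 -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A OUTPUT -p tcp --dport 9105 -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A OUTPUT -p tcp --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
+
+
+#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082
+#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082
+
+#iptables -t nat -A INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT"
+#iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT"
+
+#iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 9105 -j ACCEPT
+#iptables -t nat -A OUTPUT -o lo -p tcp --dport 9105 -j ACCEPT
+#iptables -t nat -A PREROUTING -i lo -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
+#iptables -t nat -A PREROUTING -i eth0 -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
+#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j REDIRECT --to-destination 10.137.255.254:8082
+#iptables -t nat -A PREROUTING -p tcp --dport 8082 -i eth0 -j DNAT --to 10.137.255.254:8082
+#iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT --to 10.137.255.254:8082
+#iptables -t nat -A PREROUTING -p tcp -i lo -j DNAT --to 10.137.255.254:8082
+
+#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
+
+#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254
+#iptables -t nat -A PREROUTING -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254
+#iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254
+#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254
+
+# Works
+# localhost/loopback maps localhost port 8082 to localhost port 8888
+#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888
+
+# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A PREROUTING --dst 127.0.0.1 -p tcp --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A OUTPUT -p udp -d 10.137.2.1 --dport 52 -j DNAT --to-destination 10.137.255.254:8082
+
+# Remap ALL traffic
+#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A OUTPUT -p udp -j DNAT --to-destination 10.137.255.254:8082
+
+
+#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j REDIRECT --to-port 9105
+#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105
+#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105
+
+#iptables -v -L
+#iptables -v -t nat -L
+#telnet 127.0.0.1 9105
+#telnet 10.137.2.1 8082
+#telnet 127.0.0.1 8082
+#tail -100 /var/log/kern.log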
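Review bot: This script is installed as `usr/lib/whonix/tests.sh` with execute bits for everyone (per the ACL hunk), yet its first live actions are `iptables -F` and `iptables -t nat -F`, followed by `sysctl -w net.ipv4.ip_forward=1` and four unconditional `FORWARD … ACCEPT` rules, which together drop whatever firewall is loaded and open forwarding on eth0 for the rest of the VM's uptime; nothing in the file marks it as a debugging aid or restores the rules afterwards. Add a header comment such as `# DEBUG ONLY: flushes the firewall and enables forwarding; re-run /usr/bin/whonix_firewall afterwards`, and consider keeping the file out of the installed image, since roughly two thirds of it is commented-out experiments. If it is meant to stay, a guard at the top, `[ "${1}" = "--flush-firewall" ] || { echo "refusing to flush the firewall; see header comment" >&2; exit 1; }`, makes an accidental invocation harmless.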
@ -0,0 +1,94 @@
|
||||
#!/bin/bash
|
||||
|
||||
# /etc/uwt.d/50_uwt_default relies on this in order to allow connection
|
||||
# to proxy for template
|
||||
PROXY_SERVER="http://10.137.255.254:8082/"
|
||||
PROXY_META='<meta name=\"application-name\" content=\"tor proxy\"\/>'
|
||||
|
||||
if [ -f "/var/run/qubes-service/updates-proxy-setup" ]; then
|
||||
WHONIX="template"
|
||||
elif [ -f "/usr/share/anon-gw-base-files/gateway" ]; then
|
||||
WHONIX="gateway"
|
||||
elif [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
|
||||
WHONIX="workstation"
|
||||
else
|
||||
WHONIX="unknown"
|
||||
fi
|
||||
|
||||
if [ "${WHONIX}" == "template" ]; then
|
||||
curl.anondist-orig "${PROXY_SERVER}" | grep -q "${PROXY_META}" && {
|
||||
PROXY_SECURE=1
|
||||
} || {
|
||||
PROXY_SECURE=0
|
||||
}
|
||||
fi
|
||||
|
||||
immutableFilesEnable() {
|
||||
files="${1}"
|
||||
suffix="${2}"
|
||||
|
||||
for file in "${files[@]}"; do
|
||||
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
|
||||
sudo chattr +i "${file}${suffix}"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
immutableFilesDisable() {
|
||||
files="${1}"
|
||||
suffix="${2}"
|
||||
|
||||
for file in "${files[@]}"; do
|
||||
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
|
||||
sudo chattr -i "${file}${suffix}"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
copyAnondist() {
|
||||
file="${1}"
|
||||
suffix="${2-.anondist}"
|
||||
|
||||
# Remove any softlinks first
|
||||
if [ -L "${file}" ]; then
|
||||
sudo rm -f "${file}"
|
||||
fi
|
||||
|
||||
if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then
|
||||
sudo chattr -i "${file}"
|
||||
sudo rm -f "${file}"
|
||||
sudo cp -p "${file}${suffix}" "${file}"
|
||||
sudo chattr +i "${file}"
|
||||
elif ! [ -f "${file}" ]; then
|
||||
sudo cp -p "${file}${suffix}" "${file}"
|
||||
sudo chattr +i "${file}"
|
||||
fi
|
||||
}
|
||||
|
||||
# Will only enable / disable if service is not already in that state
|
||||
enable_sysv() {
|
||||
servicename=${1}
|
||||
disable=${2-0}
|
||||
|
||||
# Check to see if the service is already enabled and if not, enable it
|
||||
string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}"
|
||||
|
||||
if [ $(find $string 2>/dev/null | wc -l) -eq ${disable} ] ; then
|
||||
case ${disable} in
|
||||
0)
|
||||
echo "${1} is currently disabled; enabling it"
|
||||
sudo systemctl --quiet enable ${servicename}
|
||||
;;
|
||||
1)
|
||||
echo "${1} is currently enabled; disabling it"
|
||||
sudo service ${servicename} stop
|
||||
sudo systemctl --quiet disable ${servicename}
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
}
|
||||
|
||||
disable_sysv() {
|
||||
enable_sysv ${1} 1
|
||||
}
|
||||
|
@ -55,6 +55,12 @@ sudo apt-mark hold grub-pc grub-pc-bin grub-common grub2-common
|
||||
# Whonix expects haveged to be started
|
||||
sudo /etc/init.d/haveged start
|
||||
|
||||
# Whonix does not always fix permissions after writing as sudo, especially
|
||||
# when running whonixsetup so /var/lib/whonix/done_once is not readable by
|
||||
# user, so set defualt umask for sudo
|
||||
#sudo su -c 'echo "Defaults umask = 0002" >> /etc/sudoers'
|
||||
#sudo su -c 'echo "Defaults umask_override" >> /etc/sudoers'
|
||||
|
||||
################################################################################
|
||||
# Whonix installation
|
||||
export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1"
|
||||
@ -74,17 +80,8 @@ popd
|
||||
EOF
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# chroot Whonix fix script (Make sure set -e is not set)
|
||||
# Run ../whonix_fix when whonix gives grub-pc error
|
||||
# Pin grub so it won't install
|
||||
# ------------------------------------------------------------------------------
|
||||
# TODO: Do something in whonix build to automatically run fixups and
|
||||
# ignore certain errors
|
||||
read -r -d '' WHONIX_FIX_SCRIPT <<'EOF'
|
||||
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
|
||||
sudo apt-get -y --force-yes remove grub-pc grub-common grub-pc-bin grub2-common
|
||||
sudo apt-mark hold grub-common grub-pc-bin grub2-common
|
||||
EOF
|
||||
|
||||
read -r -d '' WHONIX_APT_PIN <<'EOF'
|
||||
Package: grub-pc
|
||||
Pin: version *
|
||||
@ -230,13 +227,9 @@ if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then
|
||||
echo "${WHONIX_APT_PIN}" > "${INSTALLDIR}/etc/apt/preferences.d/whonix_qubes"
|
||||
chmod 0644 "${INSTALLDIR}/etc/apt/preferences.d/whonix_qubes"
|
||||
|
||||
# Install Whonix fix script
|
||||
echo "${WHONIX_FIX_SCRIPT}" > "${INSTALLDIR}/home/user/whonix_fix"
|
||||
chmod 0755 "${INSTALLDIR}/home/user/whonix_fix"
|
||||
|
||||
# Install Whonix build scripts
|
||||
echo "${WHONIX_BUILD_SCRIPT}" > "${INSTALLDIR}/home/user/whonix_build"
|
||||
chmod 0755 "${INSTALLDIR}/home/user/whonix_build"
|
||||
echo "${WHONIX_BUILD_SCRIPT}" > "${INSTALLDIR}/home/user/whonix_build.sh"
|
||||
chmod 0755 "${INSTALLDIR}/home/user/whonix_build.sh"
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# Copy over any extra files
|
||||
@ -287,6 +280,7 @@ fi
|
||||
if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_post" ]; then
|
||||
info "Post Configuring Whonix System"
|
||||
|
||||
# Don't need Whonix interfaces; restore original
|
||||
pushd "${INSTALLDIR}/etc/network"
|
||||
{
|
||||
rm -f interfaces;
|
||||
@ -294,6 +288,8 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh
|
||||
}
|
||||
popd
|
||||
|
||||
# Qubes installation will need a normal resolv.conf; will be restored back
|
||||
# in 04_qubes_install_post.sh within the wheezy+whonix-* directories
|
||||
pushd "${INSTALLDIR}/etc"
|
||||
{
|
||||
rm -f resolv.conf;
|
||||
@ -301,6 +297,17 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh
|
||||
}
|
||||
popd
|
||||
|
||||
# Remove link to hosts file and copy original back
|
||||
# Will get set back to Whonix hosts file when the
|
||||
# /usr/lib/whonix/setup-ip is run on startup
|
||||
pushd "${INSTALLDIR}/etc"
|
||||
{
|
||||
rm -f hosts;
|
||||
cp -p hosts.anondist-orig hosts;
|
||||
}
|
||||
popd
|
||||
|
||||
|
||||
# Enable Tor
|
||||
#if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then
|
||||
# sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' "${INSTALLDIR}/etc/tor/torrc"
|
||||
@ -315,7 +322,7 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh
|
||||
sed -i "s/alias l='ls -CF'/alias l='ls -l'/g" "${INSTALLDIR}/home/user/.bashrc"
|
||||
|
||||
# Fake that whonixsetup was already run
|
||||
mkdir -p "${INSTALLDIR}/var/lib/whonix/do_once"
|
||||
#mkdir -p "${INSTALLDIR}/var/lib/whonix/do_once"
|
||||
#touch "${INSTALLDIR}/var/lib/whonix/do_once/whonixsetup.done"
|
||||
|
||||
# Fake that initializer was already run
|
||||
@ -338,6 +345,10 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh
|
||||
chroot "${INSTALLDIR}" service apt-cacher-ng stop || :
|
||||
chroot "${INSTALLDIR}" update-rc.d apt-cacher-ng disable || :
|
||||
|
||||
# Tor will be re-enabled upon initial configuration
|
||||
chroot "${INSTALLDIR}" update-rc.d tor disable || :
|
||||
chroot "${INSTALLDIR}" update-rc.d sdwdate disable || :
|
||||
|
||||
# Remove apt-cacher-ng
|
||||
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
|
||||
chroot ${INSTALLDIR} apt-get.anondist-orig -y --force-yes remove --purge apt-cacher-ng
|
||||
|
@ -45,4 +45,4 @@ popd
|
||||
rm -rf "${INSTALLDIR}"/home/user/Whonix
|
||||
rm -rf "${INSTALLDIR}"/home/user/whonix_binary
|
||||
rm -f "${INSTALLDIR}"/home/user/whonix_fix
|
||||
rm -f "${INSTALLDIR}"/home/user/whonix_build
|
||||
rm -f "${INSTALLDIR}"/home/user/whonix_build.sh
|
||||
|
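Review bot: The `rm -rf` on the first line of this hunk, and the four `rm -f` lines after it (including the changed one), remove paths built from `"${INSTALLDIR}"/home/user/...` with nothing that stops an unset or empty INSTALLDIR, in which case the targets collapse to the build host's own `/home/user` tree. The `:?` expansion makes the script abort instead of running the deletions: `rm -rf -- "${INSTALLDIR:?}"/home/user/Whonix`, and likewise for the other four lines. Whether an earlier `set -u` or an explicit check already covers this cannot be seen from the hunk; the enclosing script continues outside it (the hunk header shows it following a `popd`).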