diff --git a/create_template_list.sh b/create_template_list.sh
index 2ede209..1e9c00f 100755
--- a/create_template_list.sh
+++ b/create_template_list.sh
@@ -1,48 +1,55 @@ #!/bin/bash +# vim: set ts=4 sw=4 sts=4 et : # # Creates a small script to copy to dom0 to retrieve the generated template rpm's # -TEMPLATES="./rpm/install-templates.sh" +template_dir="$(readlink -m ./rpm/install-templates.sh)" +files=( $(ls rpm/noarch) ) +name=$(xenstore-read name) -write() { - echo "$1" >> "$TEMPLATES" -} +# ----------------------------------------------------------------------------- +# Write $vars +# ----------------------------------------------------------------------------- +cat << EOF > "${template_dir}" +#!/bin/bash -if [ -x /usr/sbin/xenstore-read ]; then - XENSTORE_READ="/usr/sbin/xenstore-read" -else - XENSTORE_READ="/usr/bin/xenstore-read" -fi +# Use the following command in DOM0 to retreive this file: +# qvm-run --pass-io ${name} 'cat ${template_dir}' > install-templates.sh -TEMPLATES="$(readlink -m $TEMPLATES)" -VERSION="-$(cat ./version)" -name=$($XENSTORE_READ name) -path="$(readlink -m .)" -files=$(ls rpm/noarch) +files=" +$(printf "%s \n" ${files[@]}) +" -# -# Write to install-templates -# +path="$(readlink -m .)/rpm/noarch" +version="-$(cat ./version)" +name="${name}" +EOF -echo "#!/bin/bash" > "$TEMPLATES" -write "" +# ----------------------------------------------------------------------------- +# Write installation function +# ----------------------------------------------------------------------------- +cat << 'EOF' >> "${template_dir}" for file in ${files[@]}; do - write "qvm-run --pass-io development-qubes 'cat ${path}/rpm/noarch/${file}' > ${file}" - write "" - write "sudo yum erase $(echo "$file" | sed -r "s/($VERSION).+$//")" - write "" - write "sudo yum install ${file}" - write "" - write "" + if [ ! -e ${file} ]; then + echo "Copying ${file} from ${name} to ${PWD}/${file}..." 
+ qvm-run --pass-io development-qubes "cat ${path}/${file}" > ${file} + fi + + sudo yum erase $(echo "${file}" | sed -r "s/(${version}).+$//") && { + sudo yum install ${file} && { + rm -f ${file} + } + } done - -write "# Use the following command in DOM0 to retreive this file:" -write "# qvm-run --pass-io $name 'cat ${TEMPLATES}' > install-templates.sh" - +EOF + +# ----------------------------------------------------------------------------- +# Display instructions +# ----------------------------------------------------------------------------- echo "Use the following command in DOM0 to retreive this file:" -echo "qvm-run --pass-io $name 'cat ${TEMPLATES}' > install-templates.sh" +echo "qvm-run --pass-io ${name} 'cat ${template_dir}' > install-templates.sh" diff --git a/functions.sh b/functions.sh index ccbcb71..52ae51c 100755 --- a/functions.sh +++ b/functions.sh @@ -67,8 +67,7 @@ if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then chroot() { local retval true ${blue} - /usr/sbin/chroot "$@" - retval=$? + /usr/sbin/chroot "$@" && { retval=$?; true; } || { retval=$?; true; } true ${reset} return $retval } diff --git a/scripts_debian/01_install_core.sh b/scripts_debian/01_install_core.sh index 6ff9357..0c99295 100755 --- a/scripts_debian/01_install_core.sh +++ b/scripts_debian/01_install_core.sh @@ -26,7 +26,7 @@ buildStep "$0" "pre" if ! [ -f "${INSTALLDIR}/tmp/.prepared_debootstrap" ]; then debug "Installing base ${DEBIANVERSION} system" COMPONENTS="" debootstrap --arch=amd64 --include=ncurses-term \ - --components=main --keyring="${SCRIPTSDIR}/keys/debian-${DEBIANVERSION}-archive-keyring.gpg" \ + --components=main --keyring="${SCRIPTSDIR}/keys/${DEBIANVERSION}-debian-archive-keyring.gpg" \ "${DEBIANVERSION}" "${INSTALLDIR}" "${DEBIAN_MIRROR}" || { error "Debootstrap failed!"; exit 1; } chroot "${INSTALLDIR}" chmod 0666 "/dev/null" touch "${INSTALLDIR}/tmp/.prepared_debootstrap" 
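Review bot: The copy command written by the second heredoc hardcodes the VM name, `qvm-run --pass-io development-qubes "cat ${path}/${file}" > ${file}`, although the script already emits `name="${name}"` into the output and the message on the line above says it copies from `${name}`; it should read `qvm-run --pass-io ${name} "cat ${path}/${file}" > ${file}` so a renamed build VM does not break the dom0 script. `files=( $(ls rpm/noarch) )` parses `ls` output and is then flattened into a whitespace-separated string, so the generated `for file in ${files[@]}` relies on word splitting; a glob such as `files=( rpm/noarch/* )` used with `"${files[@]##*/}"` avoids the `ls` round trip. Worth keeping in mind that the output script runs `sudo yum install ${file}` in dom0 on files pulled straight out of the VM with no verification step in between, so it remains a developer-only convenience.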
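Review bot: The new status-capture line in `chroot()`, `/usr/sbin/chroot "$@" && { retval=$?; true; } || { retval=$?; true; }`, is hard to read for what it does; the same result under `set -e` is `retval=0` followed by `/usr/sbin/chroot "$@" || retval=$?`. Because the `||` branch only runs when chroot fails, `$?` there is the real exit status, so behaviour is unchanged. A short comment such as `# capture exit status without tripping set -e` would explain why the status is not read directly after the call.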
diff --git a/scripts_debian/keys/debian-jessie-archive-keyring.gpg b/scripts_debian/keys/jessie-debian-archive-keyring.gpg similarity index 100% rename from scripts_debian/keys/debian-jessie-archive-keyring.gpg rename to scripts_debian/keys/jessie-debian-archive-keyring.gpg diff --git a/scripts_debian/keys/debian-wheezy-archive-keyring.gpg b/scripts_debian/keys/wheezy-debian-archive-keyring.gpg similarity index 100% rename from scripts_debian/keys/debian-wheezy-archive-keyring.gpg rename to scripts_debian/keys/wheezy-debian-archive-keyring.gpg diff --git a/scripts_debian/vars.sh b/scripts_debian/vars.sh index 7c34bde..ef66a30 100755 --- a/scripts_debian/vars.sh +++ b/scripts_debian/vars.sh @@ -11,8 +11,8 @@ DEBIANVERSION=${DIST} # Location to grab debian packages -DEBIAN_MIRROR=http://ftp.us.debian.org/debian/ +DEBIAN_MIRROR=http://ftp.us.debian.org/debian #DEBIAN_MIRROR=http://http.debian.net/debian -#DEBIAN_MIRROR=http://ftp.ca.debian.org/debian/ +#DEBIAN_MIRROR=http://ftp.ca.debian.org/debian APT_GET_OPTIONS="-o Dpkg::Options::="--force-confnew" --force-yes -y" diff --git a/scripts_debian/wheezy+whonix-gateway/files/.facl b/scripts_debian/wheezy+whonix-gateway/files/.facl index b580d19..f25a44e 100644 --- a/scripts_debian/wheezy+whonix-gateway/files/.facl +++ b/scripts_debian/wheezy+whonix-gateway/files/.facl @@ -40,6 +40,13 @@ user::rw- group::r-- other::r-- +# file: lib/systemd/system/qubes-whonix-init.service +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: etc # owner: root # group: root @@ -166,14 +173,14 @@ user::rwx group::r-x other::r-x -# file: usr/lib/whonix/whonix.sh +# file: usr/lib/whonix/init # owner: root # group: root user::rwx group::r-x other::r-x -# file: usr/lib/whonix/init +# file: usr/lib/whonix/init/qubes-whonix-firewall.sh # owner: root # group: root user::rwx 
@@ -201,12 +208,12 @@ user::rwx group::r-x other::r-x -# file: usr/lib/whonix/init/qubes-firewall-user-script +# file: usr/lib/whonix/init/qubes-whonix-tor.service # owner: root # group: root -user::rwx -group::r-x -other::r-x +user::rw- +group::r-- +other::r-- # file: usr/lib/whonix/messages.yaml # owner: root diff --git a/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-firewall.service b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-firewall.service index 649fe7a..89a5229 100644 --- a/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-firewall.service +++ b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-firewall.service @@ -4,11 +4,9 @@ After=qubes-whonix-network.service Before=network.target [Service] -Type=oneshot -RemainAfterExit=yes -ExecStartPre=/usr/lib/whonix/init/init.sh -ExecStart=/usr/lib/whonix/init/qubes-firewall-user-script +ExecStart=/usr/lib/whonix/init/qubes-whonix-firewall.sh StandardOutput=syslog [Install] WantedBy=multi-user.target +Alias=qubes-firewall.service diff --git a/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-init.service b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-init.service new file mode 100644 index 0000000..6215c2c --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-init.service @@ -0,0 +1,13 @@ +[Unit] +Description=Qubes Whonix initialization script +After=qubes-whonix-network.service +Before=qubes-whonix-firewall.service + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/lib/whonix/init/init.sh +StandardOutput=syslog + +[Install] +WantedBy=multi-user.target diff --git a/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-network.service b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-network.service index 245e031..4e71280 100644 
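Review bot: Dropping `Type=oneshot` and `RemainAfterExit=yes` while keeping `Before=network.target` weakens the ordering: with the default `Type=simple`, systemd treats the unit as started as soon as `/usr/lib/whonix/init/qubes-whonix-firewall.sh` is forked, so `network.target` can be reached before the firewall rules are in place, and the unit goes inactive once the script exits. Restoring `Type=oneshot` and `RemainAfterExit=yes` keeps the rules-before-network guarantee and leaves the unit active for `Alias=qubes-firewall.service` to refer to. The same change is made to the workstation copy of this unit further down in this diff.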
--- a/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-network.service +++ b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-network.service @@ -2,7 +2,7 @@ Description=Qubes Whonix network proxy setup ConditionPathExists=/var/run/qubes-service/qubes-network Before=network.target -After=qubes-firewall.service +After=iptables.service [Service] Type=oneshot @@ -12,3 +12,4 @@ StandardOutput=syslog [Install] WantedBy=multi-user.target +Alias=qubes-network.service diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh index 67d078e..4010441 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh @@ -53,9 +53,6 @@ if [ "${WHONIX}" == "gateway" ]; then # we can use to identify that its a tor proxy so updates are secure error_file="/usr/share/tinyproxy/default.html" grep -q "${PROXY_META}" "${error_file}" || { - sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}" + sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}" } fi - -# Copy firewall script so Qubes will reload it when it reloads -cp -pf /usr/lib/whonix/init/qubes-firewall-user-script /rw/config/qubes-firewall-user-script diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-firewall-user-script b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-firewall.sh similarity index 70% rename from scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-firewall-user-script rename to scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-firewall.sh index 6863a9e..50c5cbc 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-firewall-user-script 
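Review bot: `After=iptables.service` only has an effect if a unit by that name exists in the target image; if the Debian wheezy iptables packaging ships no such unit, the ordering is silently dropped and this service no longer has any relation to the firewall, whereas the removed `After=qubes-firewall.service` now matches the alias the firewall unit gains in this diff. Please confirm `iptables.service` is present in the image, and add a comment stating the intended order relative to `qubes-whonix-firewall.service` (which itself declares `After=qubes-whonix-network.service`, so it cannot simply be reversed). The same change appears in the workstation copy of this unit.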
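Review bot: The `sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"` line splices `${PROXY_META}` unescaped into the sed replacement, so any `/` or `&` in the value breaks the substitution or inserts the matched text; `PROXY_META` is defined outside this hunk, so whether that can happen is inferred. Escaping first, `meta=$(printf '%s' "${PROXY_META}" | sed 's/[\/&]/\\&/g')`, and using `${meta}` in the substitution avoids it. Dropping `sudo` also means the script now assumes it already runs as root to write under `/usr/share/tinyproxy`, which fits the systemd units but should be stated in a comment above the `grep -q` guard. The same line is changed in the workstation copy of this script.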
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-firewall.sh @@ -2,16 +2,16 @@ . /usr/lib/whonix/utility_functions +if [ -x /usr/sbin/xenstore-read ]; then + XENSTORE_READ="/usr/sbin/xenstore-read" +else + XENSTORE_READ="/usr/bin/xenstore-read" +fi + +# Make sure IP forwarding is disabled +echo "0" > /proc/sys/net/ipv4/ip_forward + if [ "${WHONIX}" != "template" ]; then - # Make sure IP forwarding is disabled - echo "0" > /proc/sys/net/ipv4/ip_forward - - if [ -x /usr/sbin/xenstore-read ]; then - XENSTORE_READ="/usr/sbin/xenstore-read" - else - XENSTORE_READ="/usr/bin/xenstore-read" - fi - ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null) # Start Whonix Firewall @@ -31,10 +31,12 @@ iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\ iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\ iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\ iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\ +iptables -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:53 \\ +iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:9040 \\ \\ # Route any traffic FROM netvm TO netvm BACK-TO localhost \\ # Allows localhost access to tor network \\ -iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\ +#iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\ ###################################### EOF fi diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-tor.service b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-tor.service new file mode 100644 index 0000000..0a83e1b --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-tor.service 
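Review bot: The two added DNAT rules, `... -j DNAT --to ${ip}:53` and `... -j DNAT --to ${ip}:9040`, interpolate `ip` from `ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)`, whose failure is silenced; with an empty value the rules become `--to :53` and `--to :9040`, iptables rejects them, and tinyproxy's DNS and TCP are left undiverted instead of failing closed. A guard right after the read, `[ -n "${ip}" ] || { echo "qubes-netvm-gateway not set" >&2; exit 1; }`, makes that failure explicit. The commented-out `-s ${ip} -d ${ip}` localhost redirect deserves a one-line comment saying why it was disabled, since the rule is kept in the file. The same two hunks appear in the workstation copy of this script.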
@@ -0,0 +1,16 @@ +[Unit] +Description = Anonymizing overlay network for TCP +After = syslog.target network.target nss-lookup.target + +[Service] +Type = simple +ExecStart = /usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --quiet +ExecReload = /bin/kill -HUP ${MAINPID} +ExecStop = /bin/kill -INT ${MAINPID} +TimeoutSec = 60 +Restart = on-failure +LimitNOFILE = 32768 + +[Install] +WantedBy = multi-user.target +Alias=tor.service diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml index d3be464..075ab09 100644 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml @@ -7,6 +7,3 @@ update:
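Review bot: This unit is added under `usr/lib/whonix/init/` rather than `lib/systemd/system/` where the other new units in this diff live, so systemd will not load it unless something elsewhere links or copies it into a unit search path; the `.facl` entry in this diff records it there with mode `rw-`, which suggests another step installs it — please confirm. `Alias=tor.service` will also collide with the Debian tor package's own service name if that package is installed, so the intended replacement of the stock unit should be stated in a comment at the top of the file. `ExecStart` uses `--runasdaemon 0` with no `User=`, so if the referenced torrc does not set `User`, tor runs as root; that expectation belongs in the same comment.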
Tor netvm required for updates!
Please ensure your template vm has a Whonix gateway as it's VM.
No updates are possible without an active (running) Whonix gateway VM.
- -Template will now power off
- diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup index 814af62..edb6240 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup @@ -41,6 +41,19 @@ elif [ "${WHONIX}" == "workstation" ]; then fi elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then + # Set secure defaults. + iptables -P INPUT DROP + iptables -P FORWARD DROP + iptables -P OUTPUT DROP + + # Flush old rules. + iptables -F + iptables -X + iptables -t nat -F + iptables -t nat -X + iptables -t mangle -F + iptables -t mangle -X + + # Display warning that netvm is not connected to a torvm /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml - #sudo /sbin/poweroff fi diff --git a/scripts_debian/wheezy+whonix-workstation/files/.facl b/scripts_debian/wheezy+whonix-workstation/files/.facl index d33107e..41e3aba 100644 --- a/scripts_debian/wheezy+whonix-workstation/files/.facl +++ b/scripts_debian/wheezy+whonix-workstation/files/.facl @@ -40,6 +40,13 @@ user::rw- group::r-- other::r-- +# file: lib/systemd/system/qubes-whonix-init.service +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: etc # owner: root # group: root @@ -145,14 +152,14 @@ user::rwx group::r-x other::r-x -# file: usr/lib/whonix/whonix.sh +# file: usr/lib/whonix/init # owner: root # group: root user::rwx group::r-x other::r-x -# file: usr/lib/whonix/init +# file: usr/lib/whonix/init/qubes-whonix-firewall.sh # owner: root # group: root user::rwx @@ -180,13 +187,6 @@ user::rwx group::r-x other::r-x -# file: usr/lib/whonix/init/qubes-firewall-user-script -# owner: root -# group: root -user::rwx -group::r-x -other::r-x - # file: usr/lib/whonix/messages.yaml # owner: root # group: root 
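Review bot: The new lockdown sets DROP policies and flushes rules for IPv4 only; if IPv6 is enabled in the template, `ip6tables` keeps its ACCEPT defaults and the fail-closed intent of this branch does not hold for v6 traffic. Mirroring the block with `ip6tables -P INPUT DROP`, `ip6tables -P FORWARD DROP`, `ip6tables -P OUTPUT DROP` and the matching `-F`/`-X` calls closes that gap. Setting the policies before `iptables -F` is the right order, since flushing does not reset policies and this avoids an open window; a comment such as `# policies first: -F does not touch them, so no open window` would make that deliberate. The enclosing `if`/`elif` chain starts outside the hunk, and the same block is added to the workstation copy of this script further down.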
diff --git a/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-firewall.service b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-firewall.service index 649fe7a..89a5229 100644 --- a/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-firewall.service +++ b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-firewall.service @@ -4,11 +4,9 @@ After=qubes-whonix-network.service Before=network.target [Service] -Type=oneshot -RemainAfterExit=yes -ExecStartPre=/usr/lib/whonix/init/init.sh -ExecStart=/usr/lib/whonix/init/qubes-firewall-user-script +ExecStart=/usr/lib/whonix/init/qubes-whonix-firewall.sh StandardOutput=syslog [Install] WantedBy=multi-user.target +Alias=qubes-firewall.service diff --git a/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-init.service b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-init.service new file mode 100644 index 0000000..6215c2c --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-init.service @@ -0,0 +1,13 @@ +[Unit] +Description=Qubes Whonix initialization script +After=qubes-whonix-network.service +Before=qubes-whonix-firewall.service + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/lib/whonix/init/init.sh +StandardOutput=syslog + +[Install] +WantedBy=multi-user.target diff --git a/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-network.service b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-network.service index 245e031..4e71280 100644 --- a/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-network.service +++ b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-network.service 
@@ -2,7 +2,7 @@ Description=Qubes Whonix network proxy setup ConditionPathExists=/var/run/qubes-service/qubes-network Before=network.target -After=qubes-firewall.service +After=iptables.service [Service] Type=oneshot @@ -12,3 +12,4 @@ StandardOutput=syslog [Install] WantedBy=multi-user.target +Alias=qubes-network.service diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh index a08322d..4010441 100755 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh @@ -2,12 +2,6 @@ . /usr/lib/whonix/utility_functions -# Or just enable them :) -#ln -s '/lib/systemd/system/qubes-whonix-network.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-network.service' -#ln -s '/lib/systemd/system/qubes-whonix-firewall.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-firewall.service' -#ln -s '/lib/systemd/system/qubes-whonix-init.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-init.service' - - INTERFACE="eth1" if [ "${WHONIX}" == "gateway" ]; then @@ -59,9 +53,6 @@ if [ "${WHONIX}" == "gateway" ]; then # we can use to identify that its a tor proxy so updates are secure error_file="/usr/share/tinyproxy/default.html" grep -q "${PROXY_META}" "${error_file}" || { - sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}" + sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}" } fi - -# Copy firewall script so Qubes will reload it when it reloads -cp -pf /usr/lib/whonix/init/qubes-firewall-user-script /rw/config/qubes-firewall-user-script 
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-firewall-user-script b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-whonix-firewall.sh similarity index 70% rename from scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-firewall-user-script rename to scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-whonix-firewall.sh index 6863a9e..50c5cbc 100755 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-firewall-user-script +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-whonix-firewall.sh @@ -2,16 +2,16 @@ . /usr/lib/whonix/utility_functions +if [ -x /usr/sbin/xenstore-read ]; then + XENSTORE_READ="/usr/sbin/xenstore-read" +else + XENSTORE_READ="/usr/bin/xenstore-read" +fi + +# Make sure IP forwarding is disabled +echo "0" > /proc/sys/net/ipv4/ip_forward + if [ "${WHONIX}" != "template" ]; then - # Make sure IP forwarding is disabled - echo "0" > /proc/sys/net/ipv4/ip_forward - - if [ -x /usr/sbin/xenstore-read ]; then - XENSTORE_READ="/usr/sbin/xenstore-read" - else - XENSTORE_READ="/usr/bin/xenstore-read" - fi - ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null) # Start Whonix Firewall 
@@ -31,10 +31,12 @@ iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\ iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\ iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\ iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\ +iptables -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:53 \\ +iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:9040 \\ \\ # Route any traffic FROM netvm TO netvm BACK-TO localhost \\ # Allows localhost access to tor network \\ -iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\ +#iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\ ###################################### EOF fi diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml index d3be464..075ab09 100644 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml @@ -7,6 +7,3 @@ update:Tor netvm required for updates!
Please ensure your template vm has a Whonix gateway as it's VM.
No updates are possible without an active (running) Whonix gateway VM.
- -Template will now power off
- diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup index 814af62..edb6240 100755 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup @@ -41,6 +41,19 @@ elif [ "${WHONIX}" == "workstation" ]; then fi elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then + # Set secure defaults. + iptables -P INPUT DROP + iptables -P FORWARD DROP + iptables -P OUTPUT DROP + + # Flush old rules. + iptables -F + iptables -X + iptables -t nat -F + iptables -t nat -X + iptables -t mangle -F + iptables -t mangle -X + + # Display warning that netvm is not connected to a torvm /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml - #sudo /sbin/poweroff fi diff --git a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh index 7456adf..c6ab0e3 100755 --- a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh +++ b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh 
@@ -19,11 +19,21 @@ else set -e fi +# ------------------------------------------------------------------------------ +# Make sure IP forwarding is disabled (Qubes enables it by default) +# ------------------------------------------------------------------------------ +echo "0" > /proc/sys/net/ipv4/ip_forward + # ------------------------------------------------------------------------------ # Enable Qubes-Whonix services # ------------------------------------------------------------------------------ +chroot "${INSTALLDIR}" systemctl disable qubes-whonix-network.service || : chroot "${INSTALLDIR}" systemctl enable qubes-whonix-network.service || : -chroot "${INSTALLDIR}" systemctl enable qubes-whonix-firewall || : + +chroot "${INSTALLDIR}" systemctl disable qubes-whonix-firewall.service || : +chroot "${INSTALLDIR}" systemctl enable qubes-whonix-firewall.service || : + +chroot "${INSTALLDIR}" systemctl enable qubes-whonix-init.service || : # ------------------------------------------------------------------------------ # Restore Whonix apt-get
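Review bot: The new `echo "0" > /proc/sys/net/ipv4/ip_forward` runs on the build host, not in the image: it is not wrapped in `chroot "${INSTALLDIR}"` like the `systemctl` lines below it, and `/proc/sys` reflects the running kernel either way, so it disables forwarding on the machine building the template and has no effect on the template itself. If a build-time default is wanted, write a drop-in into the image instead, e.g. `echo "net.ipv4.ip_forward = 0" > "${INSTALLDIR}/etc/sysctl.d/<drop-in-name>.conf"`, bearing in mind Qubes may still change the value at runtime; since the runtime reset already exists in `qubes-whonix-firewall.sh` in this diff, the line can probably just be dropped. The `disable`/`enable` pairs for the two services would benefit from a one-line comment, presumably `# re-enable so the new Alias= symlinks are created`, if that is the reason. The enclosing block continues past the end of the hunk.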