From 356f49d779453a89ee50049a4931b5e1fa844a91 Mon Sep 17 00:00:00 2001
From: Jason Mehring
Date: Tue, 11 Nov 2014 13:39:27 -0500
Subject: [PATCH] whonix: Changes to allow secure update
---
 .../lib/whonix/init/qubes-whonix-firewall.sh | 20 ++++++++++---------
 .../lib/whonix/init/qubes-whonix-firewall.sh | 20 ++++++++++---------
 .../wheezy+whonix/04_install_qubes_post.sh | 5 +++++
 3 files changed, 27 insertions(+), 18 deletions(-)
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-firewall.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-firewall.sh
index 6863a9e..50c5cbc 100755
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-firewall.sh
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-firewall.sh
@@ -2,16 +2,16 @@
 . /usr/lib/whonix/utility_functions
-if [ "${WHONIX}" != "template" ]; then
- # Make sure IP forwarding is disabled
- echo "0" > /proc/sys/net/ipv4/ip_forward
+if [ -x /usr/sbin/xenstore-read ]; then
+ XENSTORE_READ="/usr/sbin/xenstore-read"
+else
+ XENSTORE_READ="/usr/bin/xenstore-read"
+fi
- if [ -x /usr/sbin/xenstore-read ]; then
- XENSTORE_READ="/usr/sbin/xenstore-read"
- else
- XENSTORE_READ="/usr/bin/xenstore-read"
- fi
+# Make sure IP forwarding is disabled
+echo "0" > /proc/sys/net/ipv4/ip_forward
+if [ "${WHONIX}" != "template" ]; then
 ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
 # Start Whonix Firewall
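Review bot: `ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)` still has no check that the lookup succeeded, and because stderr is discarded a missing xenstore-read binary or an absent key silently leaves `ip` empty; the second hunk of this file now interpolates `${ip}` into two new DNAT rules (`--to ${ip}:53`, `--to ${ip}:9040`), so an empty value surfaces there as malformed iptables rules rather than as a clear failure at the source. Consider failing closed right after the assignment, e.g. `[ -n "${ip}" ] || { echo "qubes-netvm-gateway not available from xenstore" >&2; exit 1; }`, if aborting firewall setup is the intended outcome when the gateway address is unknown. The `if [ -x /usr/sbin/xenstore-read ]` fallback likewise selects `/usr/bin/xenstore-read` without verifying that path is executable. The `if [ "${WHONIX}" != "template" ]` block opened at the end of this hunk continues past it. The whonix-workstation copy of this file carries the identical hunk (same 6863a9e..50c5cbc index), so the same applies there.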
@@ -31,10 +31,12 @@ iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
 iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
 iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
 iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
+iptables -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:53 \\
+iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:9040 \\
 \\
 # Route any traffic FROM netvm TO netvm BACK-TO localhost \\
 # Allows localhost access to tor network \\
-iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
+#iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
 ######################################
 EOF
 fi
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-whonix-firewall.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-whonix-firewall.sh
index 6863a9e..50c5cbc 100755
--- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-whonix-firewall.sh
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-whonix-firewall.sh
@@ -2,16 +2,16 @@
 . /usr/lib/whonix/utility_functions
-if [ "${WHONIX}" != "template" ]; then
- # Make sure IP forwarding is disabled
- echo "0" > /proc/sys/net/ipv4/ip_forward
+if [ -x /usr/sbin/xenstore-read ]; then
+ XENSTORE_READ="/usr/sbin/xenstore-read"
+else
+ XENSTORE_READ="/usr/bin/xenstore-read"
+fi
- if [ -x /usr/sbin/xenstore-read ]; then
- XENSTORE_READ="/usr/sbin/xenstore-read"
- else
- XENSTORE_READ="/usr/bin/xenstore-read"
- fi
+# Make sure IP forwarding is disabled
+echo "0" > /proc/sys/net/ipv4/ip_forward
+if [ "${WHONIX}" != "template" ]; then
 ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
 # Start Whonix Firewall
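Review bot: The loopback rule `iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1` is commented out rather than removed, while the two comment lines that explain it ("Route any traffic FROM netvm TO netvm BACK-TO localhost", "Allows localhost access to tor network") stay in place and now describe a rule that no longer exists; either delete the line (history keeps it) or replace those two comments with one stating why it is disabled. The two new `--uid-owner tinyproxy` rules carry no comment either; a line above them such as `# Route the Qubes updates proxy (tinyproxy) through Tor: DNS to ${ip}:53, TCP to ${ip}:9040` would record the intent — I am assuming those are Tor's DNSPort and TransPort on the gateway, which the hunk does not show, so confirm before wording it that way. iptables rejects `--uid-owner` with a name it cannot resolve, so both rules depend on a `tinyproxy` account existing on the system; that prerequisite is worth stating in the same comment. The heredoc these lines belong to opens before the hunk. The whonix-workstation copy of this file contains the identical hunk.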
@@ -31,10 +31,12 @@ iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
 iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
 iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
 iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
+iptables -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:53 \\
+iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:9040 \\
 \\
 # Route any traffic FROM netvm TO netvm BACK-TO localhost \\
 # Allows localhost access to tor network \\
-iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
+#iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
 ######################################
 EOF
 fi
diff --git a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh
index 9f58254..c6ab0e3 100755
--- a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh
+++ b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh
@@ -19,6 +19,11 @@ else
 set -e
 fi
+# ------------------------------------------------------------------------------
+# Make sure IP forwarding is disabled (Qubes enables it by default)
+# ------------------------------------------------------------------------------
+echo "0" > /proc/sys/net/ipv4/ip_forward
+
 # ------------------------------------------------------------------------------
 # Enable Qubes-Whonix services
 # ------------------------------------------------------------------------------
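Review bot: `echo "0" > /proc/sys/net/ipv4/ip_forward` in a build-time post-install script changes the live kernel setting of whatever /proc is visible while the image is built, not the image: /proc is not part of the installed filesystem, so the resulting VM boots with forwarding at its default regardless of this line, and if the script runs in a chroot that shares the builder's /proc it silently toggles forwarding on the build host instead. If the intent is a persistent default, write a sysctl drop-in into the image, e.g. `printf 'net.ipv4.ip_forward = 0\n' > /etc/sysctl.d/<PLACEHOLDER-NAME>.conf`, and leave the runtime write to the firewall script, which the first two files of this commit already do. Note also that when the `set -e` branch shown in the context above is taken, an unmounted or read-only /proc turns this redirect into an aborted build rather than a skipped step; the comment "Qubes enables it by default" should say where that default comes from so a reader can judge whether a drop-in suffices.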