QubesOS/qubes-linux-template-builder
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

whonix: Changes to allow secure update

Browse Source
This commit is contained in:
Jason Mehring 2014-11-11 13:39:27 -05:00
parent 6bed22eec5
commit 356f49d779
3 changed files with 29 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-firewall.sh
View File

@ -2,16 +2,16 @@
. /usr/lib/whonix/utility_functions . /usr/lib/whonix/utility_functions
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
# Make sure IP forwarding is disabled
echo "0" > /proc/sys/net/ipv4/ip_forward
if [ "${WHONIX}" != "template" ]; then if [ "${WHONIX}" != "template" ]; then
# Make sure IP forwarding is disabled
echo "0" > /proc/sys/net/ipv4/ip_forward
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null) ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
# Start Whonix Firewall # Start Whonix Firewall
@ -31,10 +31,12 @@ iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\ iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\ iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\ iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:53 \\
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:9040 \\
\\ \\
# Route any traffic FROM netvm TO netvm BACK-TO localhost \\ # Route any traffic FROM netvm TO netvm BACK-TO localhost \\
# Allows localhost access to tor network \\ # Allows localhost access to tor network \\
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\ #iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
###################################### ######################################
EOF EOF
fi fi

22
scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-whonix-firewall.sh
View File

@ -2,16 +2,16 @@
. /usr/lib/whonix/utility_functions . /usr/lib/whonix/utility_functions
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
# Make sure IP forwarding is disabled
echo "0" > /proc/sys/net/ipv4/ip_forward
if [ "${WHONIX}" != "template" ]; then if [ "${WHONIX}" != "template" ]; then
# Make sure IP forwarding is disabled
echo "0" > /proc/sys/net/ipv4/ip_forward
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null) ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
# Start Whonix Firewall # Start Whonix Firewall
@ -31,10 +31,12 @@ iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\ iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\ iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\ iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:53 \\
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:9040 \\
\\ \\
# Route any traffic FROM netvm TO netvm BACK-TO localhost \\ # Route any traffic FROM netvm TO netvm BACK-TO localhost \\
# Allows localhost access to tor network \\ # Allows localhost access to tor network \\
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\ #iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
###################################### ######################################
EOF EOF
fi fi

5
scripts_debian/wheezy+whonix/04_install_qubes_post.sh
View File

@ -19,6 +19,11 @@ else
set -e set -e
fi fi
# ------------------------------------------------------------------------------
# Make sure IP forwarding is disabled (Qubes enables it by default)
# ------------------------------------------------------------------------------
echo "0" > /proc/sys/net/ipv4/ip_forward
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# Enable Qubes-Whonix services # Enable Qubes-Whonix services
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------