whonix: Changes to allow secure update

scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-firewall.sh

@@ -2,16 +2,16 @@
 
 . /usr/lib/whonix/utility_functions
 
-if [ "${WHONIX}" != "template" ]; then
+if [ -x /usr/sbin/xenstore-read ]; then
-    # Make sure IP forwarding is disabled
+    XENSTORE_READ="/usr/sbin/xenstore-read"
-    echo "0" > /proc/sys/net/ipv4/ip_forward
+else
+    XENSTORE_READ="/usr/bin/xenstore-read"
+fi
 
-    if [ -x /usr/sbin/xenstore-read ]; then
+# Make sure IP forwarding is disabled
-        XENSTORE_READ="/usr/sbin/xenstore-read"
+echo "0" > /proc/sys/net/ipv4/ip_forward
-    else
-        XENSTORE_READ="/usr/bin/xenstore-read"
-    fi
 
+if [ "${WHONIX}" != "template" ]; then
     ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
 
     # Start Whonix Firewall
@@ -31,10 +31,12 @@ iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
 iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
 iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
 iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
+iptables -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:53 \\
+iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:9040 \\
 \\
 # Route any traffic FROM netvm TO netvm BACK-TO localhost \\
 # Allows localhost access to tor network \\
-iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
+#iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
 ######################################
 EOF
     fi

scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-whonix-firewall.sh

@@ -2,16 +2,16 @@
 
 . /usr/lib/whonix/utility_functions
 
-if [ "${WHONIX}" != "template" ]; then
+if [ -x /usr/sbin/xenstore-read ]; then
-    # Make sure IP forwarding is disabled
+    XENSTORE_READ="/usr/sbin/xenstore-read"
-    echo "0" > /proc/sys/net/ipv4/ip_forward
+else
+    XENSTORE_READ="/usr/bin/xenstore-read"
+fi
 
-    if [ -x /usr/sbin/xenstore-read ]; then
+# Make sure IP forwarding is disabled
-        XENSTORE_READ="/usr/sbin/xenstore-read"
+echo "0" > /proc/sys/net/ipv4/ip_forward
-    else
-        XENSTORE_READ="/usr/bin/xenstore-read"
-    fi
 
+if [ "${WHONIX}" != "template" ]; then
     ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
 
     # Start Whonix Firewall
@@ -31,10 +31,12 @@ iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
 iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
 iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
 iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
+iptables -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:53 \\
+iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:9040 \\
 \\
 # Route any traffic FROM netvm TO netvm BACK-TO localhost \\
 # Allows localhost access to tor network \\
-iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
+#iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
 ######################################
 EOF
     fi

scripts_debian/wheezy+whonix/04_install_qubes_post.sh

@@ -19,6 +19,11 @@ else
     set -e
 fi
 
+# ------------------------------------------------------------------------------
+# Make sure IP forwarding is disabled (Qubes enables it by default)
+# ------------------------------------------------------------------------------
+echo "0" > /proc/sys/net/ipv4/ip_forward
+
 # ------------------------------------------------------------------------------
 # Enable Qubes-Whonix services
 # ------------------------------------------------------------------------------