More whonix-gateway tweaks. It should be working now

This commit is contained in:
Jason Mehring 2014-10-25 12:49:49 -04:00
parent deb4cbd867
commit 477dadb96c
6 changed files with 188 additions and 59 deletions

View File

@ -17,7 +17,7 @@ else
fi
# ------------------------------------------------------------------------------
#
# whonix-netvm-gateway contains last known IP used to search and replace
# ------------------------------------------------------------------------------
if [ -f "$INSTALLDIR/tmp/.prepared_whonix" -a ! -f "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations" ]; then
# --------------------------------------------------------------------------
@ -26,3 +26,14 @@ if [ -f "$INSTALLDIR/tmp/.prepared_whonix" -a ! -f "$INSTALLDIR/tmp/.prepared_wh
echo "10.152.152.10" > "$INSTALLDIR/etc/whonix-netvm-gateway"
touch "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations"
fi
# ------------------------------------------------------------------------------
# Remove apt-cacher-ng as it conflicts with something and is only for install
# ------------------------------------------------------------------------------
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot "$INSTALLDIR" apt-get -y --force-yes remove apt-cacher-ng
# ------------------------------------------------------------------------------
# Remove original sources.list. We will use one installed by Whonix now
# ------------------------------------------------------------------------------
rm -f "${INSTALLDIR}/etc/apt/sources.list"

View File

@ -103,3 +103,10 @@ user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/enable-iptables-logging.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

View File

@ -1,2 +1 @@
SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/whonix/setup-ip"
SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="online", RUN+="/usr/lib/whonix/setup-ip"

View File

@ -0,0 +1,22 @@
#!/bin/bash
# Check /var/log/kern.log for logging results
LOG_IP4=1
LOG_IP6=0
# for IPv4
if [ "$LOG_IP4" == "1" ]; then
iptables -t raw -A OUTPUT -p icmp -j TRACE
iptables -t raw -A PREROUTING -p icmp -j TRACE
modprobe ipt_LOG
fi
# for IPv6
if [ "$LOG_IP6" == "1" ]; then
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
modprobe ip6t_LOG
fi

View File

@ -1,60 +1,86 @@
#!/bin/bash
# Search though files and updates IP address to current qubes-netvm-gateway address on startup
# of eth0
# Search though files and updates IP address to the current
# 'qubes-netvm-gateway' IP address
FILES=(
'/usr/lib/leaktest-workstation/simple_ping.py'
'/usr/lib/whonixcheck/preparation'
'/usr/share/anon-kde-streamiso/share/config/kioslaverc'
'/usr/bin/whonix_firewall'
'/etc/whonix_firewall.d/30_default'
'/usr/lib/anon-shared-helper-scripts/tor_bootstrap_check.bsh'
'/usr/bin/uwt'
'/etc/uwt.d/30_uwt_default'
'/usr/share/tor/tor-service-defaults-torrc.anondist'
'/usr/bin/update-torbrowser'
'/etc/network/interfaces.whonix'
'/etc/resolv.conf.anondist'
'/etc/sdwdate.d/31_anon_dist_stream_isolation_plugin'
'/etc/rinetd.conf.anondist'
'/etc/network/interfaces.whonix'
'/usr/share/anon-torchat/.torchat/torchat.ini'
)
DIRS="/usr/lib/leaktest-workstation/simple_ping.py \
/usr/lib/whonixcheck/preparation \
/usr/share/anon-kde-streamiso/share/config/kioslaverc \
/usr/bin/whonix_firewall \
/etc/whonix_firewall.d/30_default \
/usr/lib/anon-shared-helper-scripts/tor_bootstrap_check.bsh \
/usr/bin/uwt \
/etc/uwt.d/30_uwt_default \
/usr/share/tor/tor-service-defaults-torrc.anondist \
/usr/bin/update-torbrowser \
/etc/network/interfaces.whonix \
/etc/resolv.conf.anondist \
/etc/sdwdate.d/31_anon_dist_stream_isolation_plugin \
/etc/rinetd.conf.anondist \
/etc/network/interfaces.whonix \
/usr/share/anon-torchat/.torchat/torchat.ini"
# sed search and replace. return 0 if replace happened, otherwise 1
search_replace() {
local search="$1"
local replace="$2"
local file="$3"
local retval=1
if ! [ -L "${file}" ]; then
ls_attrs="$(lsattr "${file}")"
ls_attrs=${ls_attrs:4:1}
if [ "${ls_attrs}" == "i" ]; then
chattr -i "${file}"
fi
fi
sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}"
retval=$?
if [ "${ls_attrs}" == "i" ]; then
chattr +i "${file}"
fi
return $retval
}
# $1 = space delimited files
function replace_ips()
{
IP=$2
LAST_IP=$3
local search_ip="${1}"
local replace_ip="${2}"
local files=("${!3}")
local restart_tor=0
if ! [ "$LAST_IP" == "$IP" ]; then
for file in $1; do
# If IP is 10.152.152.10, network is 10.152.152.0
replace_network="${replace_ip%.*}.0"
search_network="${search_ip%.*}.0"
if ! [ "${search_ip}" == "${replace_ip}" ]; then
for file in "${files[@]}"; do
if [ -f "$file" ]; then
#find / -xdev -type f -print0 | xargs -0r file | grep 'ASCII text' | awk -F: '{print $1}' | \
# xargs -d'\n' -r sed -i "s/$LAST_IP/$IP/g"
#find / -xdev -type f -print0 | xargs -0r file | grep 'ASCII text' | awk -F: '{print $1}' | \
# xargs -d'\n' -r sed -i "s/$LAST_IP_PART./$IP_PART./g"
sed -i "s/$LAST_IP/$IP/g" "$file"
search_replace "${search_ip}" "${replace_ip}" "${file}" && restart_tor=1
search_replace "${search_network}" "${replace_network}" "${file}" && restart_tor=1
fi
done
echo "$IP" > /etc/whonix-netvm-gateway
service tor restart
if [ "${restart_tor}" == "1" ]; then
echo "${replace_ip}" > /etc/whonix-netvm-gateway
service tor restart
fi
fi
}
IP=`xenstore-read qubes-netvm-gateway`
IP_PART=$(echo $IP | cut -f 1,2,3 -d".")
LAST_IP="$(cat /etc/whonix-netvm-gateway)"
LAST_IP_PART=$(echo $LAST_IP | cut -f 1,2,3 -d".")
replace_ips "$DIRS" $IP $LAST_IP
ip="$(xenstore-read qubes-netvm-gateway)"
# Compare to current IP address assiged by Qubes
replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@]
# Do again; checking for original 10.152.152.10 incase of update
LAST_IP=10.152.152.10
LAST_IP_PART=$(echo $LAST_IP | cut -f 1,2,3 -d".")
replace_ips "$DIRS" $IP $LAST_IP
replace_ips "10.152.152.10" "${ip}" FILES[@]
# Do again; checking for original 10.152.152.11 incase of update
LAST_IP=10.152.152.11
LAST_IP_PART=$(echo $LAST_IP | cut -f 1,2,3 -d".")
replace_ips "$DIRS" $IP $LAST_IP
replace_ips "10.152.152.11" "${ip}" FILES[@]

View File

@ -1,34 +1,94 @@
#!/bin/sh
#!/bin/bash
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
INTERFACE="eth1"
# Create a dummy eth1 interface so tor can bind to it if there
# are no DOMU virtual machines connected at the moment
INTERFACE="eth1"
/sbin/ip link add $INTERFACE type dummy
ip link show ${INTERFACE} >> /dev/null || {
/sbin/ip link add ${INTERFACE} type dummy
# Now, assign it the netvm-gateway IP address
ip=$($XENSTORE_READ qubes-netvm-gateway 2> /dev/null)
if [ x$ip != x ]; then
netmask=$($XENSTORE_READ qubes-netvm-netmask)
gateway=$($XENSTORE_READ qubes-netvm-gateway)
/sbin/ifconfig $INTERFACE $ip netmask 255.255.255.255
/sbin/ifconfig $INTERFACE up
/sbin/ethtool -K $INTERFACE sg off
/sbin/ethtool -K $INTERFACE tx off
fi
# Now, assign it the netvm-gateway IP address
if [ x${ip} != x ]; then
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
/sbin/ifconfig ${INTERFACE} up
/sbin/ethtool -K ${INTERFACE} sg off
/sbin/ethtool -K ${INTERFACE} tx off
fi
}
# Files that will have the immutable bit set
# since we don't want them modified by other programs
IMMUTABLE_FILES=(
'/etc/resolv.conf'
'/etc/hostname'
'/etc/hosts'
)
immutableFilesEnable() {
files="${1}"
suffix="${2}"
for file in "${files[@]}"; do
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
chattr +i "${file}${suffix}"
fi
done
}
immutableFilesDisable() {
files="${1}"
suffix="${2}"
for file in "${files[@]}"; do
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
chattr -i "${file}${suffix}"
fi
done
}
copyAnondist() {
file="${1}"
suffix="${2-.anondist}"
# Remove any softlinks first
if [ -L "${file}" ]; then
rm -f "${file}"
fi
if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then
chattr -i "${file}"
rm -f "${file}"
cp -p "${file}${suffix}" "${file}"
chattr +i "${file}"
elif ! [ -f "${file}" ]; then
cp -p "${file}${suffix}" "${file}"
chattr +i "${file}"
fi
}
# Make sure all .anondist files in list are immutable
immutableFilesEnable "${IMMUTABLE_FILES}"
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
# Make sure we are using a copy of the annondist file and if not
# copy the annondist file and set it immutable
copyAnondist "/etc/resolv.conf"
copyAnondist "/etc/hosts"
copyAnondist "/etc/hostname"
# Replace IP addresses in known configuration files / scripts to
# currently discovered one
/usr/lib/whonix/replace-ips
# Make sure we have correct nameserver set
echo "nameserver 127.0.0.1" > /etc/resolv.conf
# Make sure hostname is correct
/bin/hostname -b host
@ -36,3 +96,7 @@ echo "nameserver 127.0.0.1" > /etc/resolv.conf
export INT_IF="vif+"
export INT_TIF="vif+"
/usr/bin/whonix_firewall
# Route any traffic FROM netvm TO netvm BACK-TO localhost
# Allows localhost access to tor network
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1