From 477dadb96c327a3a019a38be8d12c8a4e03fbf66 Mon Sep 17 00:00:00 2001
From: Jason Mehring
Date: Sat, 25 Oct 2014 12:49:49 -0400
Subject: [PATCH] More whonix-gateway tweaks. It should be working now

---
 .../99_custom_configuration.sh | 13 ++-
 .../wheezy+whonix-gateway/files/.facl | 7 ++
 .../etc/udev/rules.d/99-qubes-whonix.rules | 1 -
 .../usr/lib/whonix/enable-iptables-logging.sh | 22 ++++
 .../files/usr/lib/whonix/replace-ips | 108 +++++++++++-------
 .../files/usr/lib/whonix/setup-ip | 96 +++++++++++++---
 6 files changed, 188 insertions(+), 59 deletions(-)
 create mode 100755 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/enable-iptables-logging.sh

diff --git a/scripts_debian/wheezy+whonix-gateway/99_custom_configuration.sh b/scripts_debian/wheezy+whonix-gateway/99_custom_configuration.sh
index 048dc79..0d4a9bb 100755
--- a/scripts_debian/wheezy+whonix-gateway/99_custom_configuration.sh
+++ b/scripts_debian/wheezy+whonix-gateway/99_custom_configuration.sh
@@ -17,7 +17,7 @@ else
 fi
 
 # ------------------------------------------------------------------------------
-#
+# whonix-netvm-gateway contains last known IP used to search and replace
 # ------------------------------------------------------------------------------
 if [ -f "$INSTALLDIR/tmp/.prepared_whonix" -a ! -f "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations" ]; then
     # --------------------------------------------------------------------------
@@ -26,3 +26,14 @@ if [ -f "$INSTALLDIR/tmp/.prepared_whonix" -a ! -f "$INSTALLDIR/tmp/.prepared_wh
     echo "10.152.152.10" > "$INSTALLDIR/etc/whonix-netvm-gateway"
     touch "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations"
 fi
+
+# ------------------------------------------------------------------------------
+# Remove apt-cacher-ng as it conflicts with something and is only for install
+# ------------------------------------------------------------------------------
+DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
+    chroot "$INSTALLDIR" apt-get -y --force-yes remove apt-cacher-ng
+
+# ------------------------------------------------------------------------------
+# Remove original sources.list. We will use one installed by Whonix now
+# ------------------------------------------------------------------------------
+rm -f "${INSTALLDIR}/etc/apt/sources.list"
diff --git a/scripts_debian/wheezy+whonix-gateway/files/.facl b/scripts_debian/wheezy+whonix-gateway/files/.facl
index 4e00c79..9e5e47b 100644
--- a/scripts_debian/wheezy+whonix-gateway/files/.facl
+++ b/scripts_debian/wheezy+whonix-gateway/files/.facl
@@ -103,3 +103,10 @@ user::rwx
 group::r-x
 other::r-x
 
+# file: usr/lib/whonix/enable-iptables-logging.sh
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
diff --git a/scripts_debian/wheezy+whonix-gateway/files/etc/udev/rules.d/99-qubes-whonix.rules b/scripts_debian/wheezy+whonix-gateway/files/etc/udev/rules.d/99-qubes-whonix.rules
index 679a178..8bcf97d 100644
--- a/scripts_debian/wheezy+whonix-gateway/files/etc/udev/rules.d/99-qubes-whonix.rules
+++ b/scripts_debian/wheezy+whonix-gateway/files/etc/udev/rules.d/99-qubes-whonix.rules
@@ -1,2 +1 @@
 SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/whonix/setup-ip"
-SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="online", RUN+="/usr/lib/whonix/setup-ip"
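Review bot: The `chroot "$INSTALLDIR" apt-get -y --force-yes remove apt-cacher-ng` line uses `--force-yes`, which on this apt generation suppresses apt's safety prompts (unauthenticated packages, removal of essential packages), and a plain removal of one package does not need it; drop the flag, `chroot "$INSTALLDIR" apt-get -y remove apt-cacher-ng`, and let a non-zero exit stop the build rather than be waved through. The `rm -f "${INSTALLDIR}/etc/apt/sources.list"` line sits outside the `.prepared_whonix_custom_configurations` guard, so it runs on every invocation, and nothing checks that the Whonix-supplied replacement the comment relies on is actually present in the chroot, so a missing replacement leaves apt with no sources and only surfaces later. Consider testing for the replacement file before removing the original (its path is not visible in this hunk).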
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/enable-iptables-logging.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/enable-iptables-logging.sh
new file mode 100755
index 0000000..d3a2b95
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/enable-iptables-logging.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Check /var/log/kern.log for logging results
+
+LOG_IP4=1
+LOG_IP6=0
+
+# for IPv4
+if [ "$LOG_IP4" == "1" ]; then
+    iptables -t raw -A OUTPUT -p icmp -j TRACE
+    iptables -t raw -A PREROUTING -p icmp -j TRACE
+    modprobe ipt_LOG
+fi
+
+# for IPv6
+if [ "$LOG_IP6" == "1" ]; then
+    ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE
+    ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE
+    ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE
+    ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
+    modprobe ip6t_LOG
+fi
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips
index dbf7022..7f818b8 100755
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips
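Review bot: Every `-j TRACE` rule is appended with `-A` and nothing checks whether it is already present, so running the script twice duplicates each rule in the raw table; guard each insert, e.g. `iptables -t raw -C OUTPUT -p icmp -j TRACE 2>/dev/null || iptables -t raw -A OUTPUT -p icmp -j TRACE`. `modprobe ipt_LOG` is issued after the rules are added, so packets matched in between presumably produce no trace output; loading the module first avoids that gap. The script has no `set -e` and reports nothing on failure, and since `LOG_IP4=1` enables tracing unconditionally, the header comment should state that TRACE writes one kernel-log line per matching packet and is a debugging aid to be switched off afterwards, e.g. `# Debug aid only: TRACE logs every matched packet to the kernel log; disable when done`.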
@@ -1,60 +1,86 @@
 #!/bin/bash
-# Search though files and updates IP address to current qubes-netvm-gateway address on startup
-# of eth0
+# Search though files and updates IP address to the current
+# 'qubes-netvm-gateway' IP address
+FILES=(
+    '/usr/lib/leaktest-workstation/simple_ping.py'
+    '/usr/lib/whonixcheck/preparation'
+    '/usr/share/anon-kde-streamiso/share/config/kioslaverc'
+    '/usr/bin/whonix_firewall'
+    '/etc/whonix_firewall.d/30_default'
+    '/usr/lib/anon-shared-helper-scripts/tor_bootstrap_check.bsh'
+    '/usr/bin/uwt'
+    '/etc/uwt.d/30_uwt_default'
+    '/usr/share/tor/tor-service-defaults-torrc.anondist'
+    '/usr/bin/update-torbrowser'
+    '/etc/network/interfaces.whonix'
+    '/etc/resolv.conf.anondist'
+    '/etc/sdwdate.d/31_anon_dist_stream_isolation_plugin'
+    '/etc/rinetd.conf.anondist'
+    '/etc/network/interfaces.whonix'
+    '/usr/share/anon-torchat/.torchat/torchat.ini'
+)
 
-DIRS="/usr/lib/leaktest-workstation/simple_ping.py \
-    /usr/lib/whonixcheck/preparation \
-    /usr/share/anon-kde-streamiso/share/config/kioslaverc \
-    /usr/bin/whonix_firewall \
-    /etc/whonix_firewall.d/30_default \
-    /usr/lib/anon-shared-helper-scripts/tor_bootstrap_check.bsh \
-    /usr/bin/uwt \
-    /etc/uwt.d/30_uwt_default \
-    /usr/share/tor/tor-service-defaults-torrc.anondist \
-    /usr/bin/update-torbrowser \
-    /etc/network/interfaces.whonix \
-    /etc/resolv.conf.anondist \
-    /etc/sdwdate.d/31_anon_dist_stream_isolation_plugin \
-    /etc/rinetd.conf.anondist \
-    /etc/network/interfaces.whonix \
-    /usr/share/anon-torchat/.torchat/torchat.ini"
+# sed search and replace. return 0 if replace happened, otherwise 1
+search_replace() {
+    local search="$1"
+    local replace="$2"
+    local file="$3"
+    local retval=1
+
+    if ! [ -L "${file}" ]; then
+        ls_attrs="$(lsattr "${file}")"
+        ls_attrs=${ls_attrs:4:1}
+        if [ "${ls_attrs}" == "i" ]; then
+            chattr -i "${file}"
+        fi
+    fi
+
+    sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}"
+    retval=$?
+
+    if [ "${ls_attrs}" == "i" ]; then
+        chattr +i "${file}"
+    fi
+
+    return $retval
+}
 
-# $1 = space delimited files
 function replace_ips() {
-    IP=$2
-    LAST_IP=$3
+    local search_ip="${1}"
+    local replace_ip="${2}"
+    local files=("${!3}")
+    local restart_tor=0
 
-    if ! [ "$LAST_IP" == "$IP" ]; then
-        for file in $1; do
+    # If IP is 10.152.152.10, network is 10.152.152.0
+    replace_network="${replace_ip%.*}.0"
+    search_network="${search_ip%.*}.0"
+
+    if ! [ "${search_ip}" == "${replace_ip}" ]; then
+        for file in "${files[@]}"; do
             if [ -f "$file" ]; then
-                #find / -xdev -type f -print0 | xargs -0r file | grep 'ASCII text' | awk -F: '{print $1}' | \
-                #    xargs -d'\n' -r sed -i "s/$LAST_IP/$IP/g"
-                #find / -xdev -type f -print0 | xargs -0r file | grep 'ASCII text' | awk -F: '{print $1}' | \
-                #    xargs -d'\n' -r sed -i "s/$LAST_IP_PART./$IP_PART./g"
-                sed -i "s/$LAST_IP/$IP/g" "$file"
+                search_replace "${search_ip}" "${replace_ip}" "${file}" && restart_tor=1
+                search_replace "${search_network}" "${replace_network}" "${file}" && restart_tor=1
             fi
         done
-        echo "$IP" > /etc/whonix-netvm-gateway
-        service tor restart
+
+        if [ "${restart_tor}" == "1" ]; then
+            echo "${replace_ip}" > /etc/whonix-netvm-gateway
+            service tor restart
+        fi
     fi
 }
 
-IP=`xenstore-read qubes-netvm-gateway`
-IP_PART=$(echo $IP | cut -f 1,2,3 -d".")
-LAST_IP="$(cat /etc/whonix-netvm-gateway)"
-LAST_IP_PART=$(echo $LAST_IP | cut -f 1,2,3 -d".")
-replace_ips "$DIRS" $IP $LAST_IP
+ip="$(xenstore-read qubes-netvm-gateway)"
+
+# Compare to current IP address assiged by Qubes
+replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@]
 
 # Do again; checking for original 10.152.152.10 incase of update
-LAST_IP=10.152.152.10
-LAST_IP_PART=$(echo $LAST_IP | cut -f 1,2,3 -d".")
-replace_ips "$DIRS" $IP $LAST_IP
+replace_ips "10.152.152.10" "${ip}" FILES[@]
 
 # Do again; checking for original 10.152.152.11 incase of update
-LAST_IP=10.152.152.11
-LAST_IP_PART=$(echo $LAST_IP | cut -f 1,2,3 -d".")
-replace_ips "$DIRS" $IP $LAST_IP
+replace_ips "10.152.152.11" "${ip}" FILES[@]
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip
index 0c4fbec..2044731 100755
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip
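Review bot: `ip="$(xenstore-read qubes-netvm-gateway)"` is never checked, and `replace_ips` only tests that search and replace differ, so a failed or empty read leaves `replace_ip` empty, turns `replace_network` into `.0`, and blanks the gateway address in every file in `FILES` before restarting tor; add `[ -n "${ip}" ] || exit 1` after the read, or return early in `replace_ips` when either argument is empty. In `search_replace`, `ls_attrs` is not declared `local` and is only assigned when the file is not a symlink, so for a symlinked file the value left by the previous call decides whether `chattr +i` runs; declare it alongside the other locals, `local ls_attrs=""`. `sed -i.bak` drops a `.bak` copy holding the old address beside every edited file, including the drop-ins under `/etc/whonix_firewall.d`, `/etc/uwt.d` and `/etc/sdwdate.d`, and if those loaders read every file in the directory the stale copy is picked up as well, so either drop the suffix or delete the backup once sed succeeds. The search address is used as an unescaped regex, so each `.` matches any character; escape the dots if exact matching matters.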
@@ -1,34 +1,94 @@
-#!/bin/sh
+#!/bin/bash
 
 if [ -x /usr/sbin/xenstore-read ]; then
     XENSTORE_READ="/usr/sbin/xenstore-read"
 else
     XENSTORE_READ="/usr/bin/xenstore-read"
 fi
+ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
+
+INTERFACE="eth1"
 
 # Create a dummy eth1 interface so tor can bind to it if there
 # are no DOMU virtual machines connected at the moment
-INTERFACE="eth1"
-/sbin/ip link add $INTERFACE type dummy
+ip link show ${INTERFACE} >> /dev/null || {
+    /sbin/ip link add ${INTERFACE} type dummy
 
-# Now, assign it the netvm-gateway IP address
-ip=$($XENSTORE_READ qubes-netvm-gateway 2> /dev/null)
-if [ x$ip != x ]; then
-    netmask=$($XENSTORE_READ qubes-netvm-netmask)
-    gateway=$($XENSTORE_READ qubes-netvm-gateway)
-    /sbin/ifconfig $INTERFACE $ip netmask 255.255.255.255
-    /sbin/ifconfig $INTERFACE up
-    /sbin/ethtool -K $INTERFACE sg off
-    /sbin/ethtool -K $INTERFACE tx off
-fi
+    # Now, assign it the netvm-gateway IP address
+    if [ x${ip} != x ]; then
+        netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
+        gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
+        /sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
+        /sbin/ifconfig ${INTERFACE} up
+        /sbin/ethtool -K ${INTERFACE} sg off
+        /sbin/ethtool -K ${INTERFACE} tx off
+    fi
+}
+
+# Files that will have the immutable bit set
+# since we don't want them modified by other programs
+IMMUTABLE_FILES=(
+    '/etc/resolv.conf'
+    '/etc/hostname'
+    '/etc/hosts'
+)
+
+immutableFilesEnable() {
+    files="${1}"
+    suffix="${2}"
+
+    for file in "${files[@]}"; do
+        if [ -f "${file}" ] && ! [ -L "${file}" ]; then
+            chattr +i "${file}${suffix}"
+        fi
+    done
+}
+
+immutableFilesDisable() {
+    files="${1}"
+    suffix="${2}"
+
+    for file in "${files[@]}"; do
+        if [ -f "${file}" ] && ! [ -L "${file}" ]; then
+            chattr -i "${file}${suffix}"
+        fi
+    done
+}
+
+copyAnondist() {
+    file="${1}"
+    suffix="${2-.anondist}"
+
+    # Remove any softlinks first
+    if [ -L "${file}" ]; then
+        rm -f "${file}"
+    fi
+
+    if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then
+        chattr -i "${file}"
+        rm -f "${file}"
+        cp -p "${file}${suffix}" "${file}"
+        chattr +i "${file}"
+    elif ! [ -f "${file}" ]; then
+        cp -p "${file}${suffix}" "${file}"
+        chattr +i "${file}"
+    fi
+}
+
+# Make sure all .anondist files in list are immutable
+immutableFilesEnable "${IMMUTABLE_FILES}"
+immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
+
+# Make sure we are using a copy of the annondist file and if not
+# copy the annondist file and set it immutable
+copyAnondist "/etc/resolv.conf"
+copyAnondist "/etc/hosts"
+copyAnondist "/etc/hostname"
 
 # Replace IP addresses in known configuration files / scripts to
 # currently discovered one
 /usr/lib/whonix/replace-ips
 
-# Make sure we have correct nameserver set
-echo "nameserver 127.0.0.1" > /etc/resolv.conf
-
 # Make sure hostname is correct
 /bin/hostname -b host
 
@@ -36,3 +96,7 @@ echo "nameserver 127.0.0.1" > /etc/resolv.conf
 export INT_IF="vif+"
 export INT_TIF="vif+"
 /usr/bin/whonix_firewall
+
+# Route any traffic FROM netvm TO netvm BACK-TO localhost
+# Allows localhost access to tor network
+iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1
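Review bot: `immutableFilesEnable "${IMMUTABLE_FILES}"` passes only the first array element, and inside the function `files="${1}"` makes `"${files[@]}"` a one-element loop, so only `/etc/resolv.conf` ever receives the immutable bit while `/etc/hostname` and `/etc/hosts` stay writable despite the comment on `IMMUTABLE_FILES`. Pass the array by name as `replace-ips` does, `local files=("${!1}")` with calls like `immutableFilesEnable IMMUTABLE_FILES[@] ".anondist"`, or put the suffix first and expand `"${IMMUTABLE_FILES[@]}"` at the call site. The loop tests `-f "${file}"` but applies `chattr` to `"${file}${suffix}"`, and `copyAnondist` likewise never checks that `"${file}${suffix}"` exists before `cp -p`, so a missing `.anondist` template fails quietly; `diff ${file} ${file}${suffix}` is also unquoted. None of the three functions declares `file`, `files` or `suffix` as `local`, `immutableFilesDisable` is defined but not called, and `/usr/lib/whonix/replace-ips` still runs when `${ip}` is empty because the `x${ip} != x` guard covers only the interface setup.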
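Review bot: The `iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1` line is appended on every run of this udev-triggered script with no check that `${ip}` is set, so repeated `add` events stack duplicate NAT rules and an empty `ip` collapses the command to `iptables -t nat -A OUTPUT -s -d -j DNAT ...`, which errors out. Wrap it in `if [ -n "${ip}" ]; then`, quote both expansions, and replace the bare `-A` with an `iptables -t nat -C ... || iptables -t nat -A ...` pair so the rule is added once. The comment would be clearer if it said this only rewrites locally generated traffic in the `OUTPUT` chain, not forwarded traffic from client VMs, since "any traffic FROM netvm" suggests a wider scope.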