More whonix-gateway tweaks. It should be working now
parent
deb4cbd867
commit
477dadb96c
@ -17,7 +17,7 @@ else
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# ------------------------------------------------------------------------------
|
# ------------------------------------------------------------------------------
|
||||||
#
|
# whonix-netvm-gateway contains last known IP used to search and replace
|
||||||
# ------------------------------------------------------------------------------
|
# ------------------------------------------------------------------------------
|
||||||
if [ -f "$INSTALLDIR/tmp/.prepared_whonix" -a ! -f "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations" ]; then
|
if [ -f "$INSTALLDIR/tmp/.prepared_whonix" -a ! -f "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations" ]; then
|
||||||
# --------------------------------------------------------------------------
|
# --------------------------------------------------------------------------
|
||||||
@ -26,3 +26,14 @@ if [ -f "$INSTALLDIR/tmp/.prepared_whonix" -a ! -f "$INSTALLDIR/tmp/.prepared_wh
|
|||||||
echo "10.152.152.10" > "$INSTALLDIR/etc/whonix-netvm-gateway"
|
echo "10.152.152.10" > "$INSTALLDIR/etc/whonix-netvm-gateway"
|
||||||
touch "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations"
|
touch "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# ------------------------------------------------------------------------------
|
||||||
|
# Remove apt-cacher-ng as it conflicts with something and is only for install
|
||||||
|
# ------------------------------------------------------------------------------
|
||||||
|
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
|
||||||
|
chroot "$INSTALLDIR" apt-get -y --force-yes remove apt-cacher-ng
|
||||||
|
|
||||||
|
# ------------------------------------------------------------------------------
|
||||||
|
# Remove original sources.list. We will use one installed by Whonix now
|
||||||
|
# ------------------------------------------------------------------------------
|
||||||
|
rm -f "${INSTALLDIR}/etc/apt/sources.list"
|
||||||
|
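Review bot: `chroot "$INSTALLDIR" apt-get -y --force-yes remove apt-cacher-ng` uses `--force-yes`, which goes well beyond answering the prompt: apt documents it as dangerous because it also lets the run remove Essential or held packages, and newer apt deprecates it in favour of the specific `--allow-*` flags. `-y` is all a plain removal needs, so drop `--force-yes` (or, if one specific override is really required, name that one). The new removal and the `rm -f "${INSTALLDIR}/etc/apt/sources.list"` also sit after the `fi` that closes the `.prepared_whonix_custom_configurations` guard, so unless an enclosing block outside this hunk covers them they run on every invocation of the script rather than once. The header comment should say what apt-cacher-ng conflicts with, e.g. `# Remove apt-cacher-ng: only needed during the build and conflicts with <package> at runtime` with the real package name filled in.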
@ -103,3 +103,10 @@ user::rwx
|
|||||||
group::r-x
|
group::r-x
|
||||||
other::r-x
|
other::r-x
|
||||||
|
|
||||||
|
# file: usr/lib/whonix/enable-iptables-logging.sh
|
||||||
|
# owner: root
|
||||||
|
# group: root
|
||||||
|
user::rwx
|
||||||
|
group::r-x
|
||||||
|
other::r-x
|
||||||
|
|
||||||
|
@ -1,2 +1 @@
|
|||||||
SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/whonix/setup-ip"
|
SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/whonix/setup-ip"
|
||||||
SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="online", RUN+="/usr/lib/whonix/setup-ip"
|
|
||||||
|
@ -0,0 +1,22 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Check /var/log/kern.log for logging results
|
||||||
|
|
||||||
|
LOG_IP4=1
|
||||||
|
LOG_IP6=0
|
||||||
|
|
||||||
|
# for IPv4
|
||||||
|
if [ "$LOG_IP4" == "1" ]; then
|
||||||
|
iptables -t raw -A OUTPUT -p icmp -j TRACE
|
||||||
|
iptables -t raw -A PREROUTING -p icmp -j TRACE
|
||||||
|
modprobe ipt_LOG
|
||||||
|
fi
|
||||||
|
|
||||||
|
# for IPv6
|
||||||
|
if [ "$LOG_IP6" == "1" ]; then
|
||||||
|
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE
|
||||||
|
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE
|
||||||
|
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE
|
||||||
|
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
|
||||||
|
modprobe ip6t_LOG
|
||||||
|
fi
|
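Review bot: Every run of the new script appends another rule with `iptables -t raw -A ... -j TRACE`, so running it twice leaves duplicate TRACE rules in the raw table; guard each append with an existence check, e.g. `iptables -t raw -C OUTPUT -p icmp -j TRACE 2>/dev/null || iptables -t raw -A OUTPUT -p icmp -j TRACE` (and likewise for the PREROUTING and ip6tables lines). The script also has no `set -e` and does not check that it runs as root, so a failing `iptables` or `modprobe` call goes unnoticed. Because TRACE logs every matching ICMP packet, the header comment should make clear this is an on-demand debugging aid and how to undo it, e.g. `# Debug aid: traces every ICMP packet through the raw table into kern.log; delete these rules again when done.`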
@ -1,60 +1,86 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
# Search though files and updates IP address to current qubes-netvm-gateway address on startup
|
# Search though files and updates IP address to the current
|
||||||
# of eth0
|
# 'qubes-netvm-gateway' IP address
|
||||||
|
|
||||||
|
FILES=(
|
||||||
|
'/usr/lib/leaktest-workstation/simple_ping.py'
|
||||||
|
'/usr/lib/whonixcheck/preparation'
|
||||||
|
'/usr/share/anon-kde-streamiso/share/config/kioslaverc'
|
||||||
|
'/usr/bin/whonix_firewall'
|
||||||
|
'/etc/whonix_firewall.d/30_default'
|
||||||
|
'/usr/lib/anon-shared-helper-scripts/tor_bootstrap_check.bsh'
|
||||||
|
'/usr/bin/uwt'
|
||||||
|
'/etc/uwt.d/30_uwt_default'
|
||||||
|
'/usr/share/tor/tor-service-defaults-torrc.anondist'
|
||||||
|
'/usr/bin/update-torbrowser'
|
||||||
|
'/etc/network/interfaces.whonix'
|
||||||
|
'/etc/resolv.conf.anondist'
|
||||||
|
'/etc/sdwdate.d/31_anon_dist_stream_isolation_plugin'
|
||||||
|
'/etc/rinetd.conf.anondist'
|
||||||
|
'/etc/network/interfaces.whonix'
|
||||||
|
'/usr/share/anon-torchat/.torchat/torchat.ini'
|
||||||
|
)
|
||||||
|
|
||||||
DIRS="/usr/lib/leaktest-workstation/simple_ping.py \
|
# sed search and replace. return 0 if replace happened, otherwise 1
|
||||||
/usr/lib/whonixcheck/preparation \
|
search_replace() {
|
||||||
/usr/share/anon-kde-streamiso/share/config/kioslaverc \
|
local search="$1"
|
||||||
/usr/bin/whonix_firewall \
|
local replace="$2"
|
||||||
/etc/whonix_firewall.d/30_default \
|
local file="$3"
|
||||||
/usr/lib/anon-shared-helper-scripts/tor_bootstrap_check.bsh \
|
local retval=1
|
||||||
/usr/bin/uwt \
|
|
||||||
/etc/uwt.d/30_uwt_default \
|
if ! [ -L "${file}" ]; then
|
||||||
/usr/share/tor/tor-service-defaults-torrc.anondist \
|
ls_attrs="$(lsattr "${file}")"
|
||||||
/usr/bin/update-torbrowser \
|
ls_attrs=${ls_attrs:4:1}
|
||||||
/etc/network/interfaces.whonix \
|
if [ "${ls_attrs}" == "i" ]; then
|
||||||
/etc/resolv.conf.anondist \
|
chattr -i "${file}"
|
||||||
/etc/sdwdate.d/31_anon_dist_stream_isolation_plugin \
|
fi
|
||||||
/etc/rinetd.conf.anondist \
|
fi
|
||||||
/etc/network/interfaces.whonix \
|
|
||||||
/usr/share/anon-torchat/.torchat/torchat.ini"
|
sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}"
|
||||||
|
retval=$?
|
||||||
|
|
||||||
|
if [ "${ls_attrs}" == "i" ]; then
|
||||||
|
chattr +i "${file}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
return $retval
|
||||||
|
}
|
||||||
|
|
||||||
# $1 = space delimited files
|
|
||||||
function replace_ips()
|
function replace_ips()
|
||||||
{
|
{
|
||||||
IP=$2
|
local search_ip="${1}"
|
||||||
LAST_IP=$3
|
local replace_ip="${2}"
|
||||||
|
local files=("${!3}")
|
||||||
|
local restart_tor=0
|
||||||
|
|
||||||
if ! [ "$LAST_IP" == "$IP" ]; then
|
# If IP is 10.152.152.10, network is 10.152.152.0
|
||||||
for file in $1; do
|
replace_network="${replace_ip%.*}.0"
|
||||||
|
search_network="${search_ip%.*}.0"
|
||||||
|
|
||||||
|
if ! [ "${search_ip}" == "${replace_ip}" ]; then
|
||||||
|
for file in "${files[@]}"; do
|
||||||
if [ -f "$file" ]; then
|
if [ -f "$file" ]; then
|
||||||
#find / -xdev -type f -print0 | xargs -0r file | grep 'ASCII text' | awk -F: '{print $1}' | \
|
search_replace "${search_ip}" "${replace_ip}" "${file}" && restart_tor=1
|
||||||
# xargs -d'\n' -r sed -i "s/$LAST_IP/$IP/g"
|
search_replace "${search_network}" "${replace_network}" "${file}" && restart_tor=1
|
||||||
#find / -xdev -type f -print0 | xargs -0r file | grep 'ASCII text' | awk -F: '{print $1}' | \
|
|
||||||
# xargs -d'\n' -r sed -i "s/$LAST_IP_PART./$IP_PART./g"
|
|
||||||
sed -i "s/$LAST_IP/$IP/g" "$file"
|
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
echo "$IP" > /etc/whonix-netvm-gateway
|
|
||||||
|
if [ "${restart_tor}" == "1" ]; then
|
||||||
|
echo "${replace_ip}" > /etc/whonix-netvm-gateway
|
||||||
service tor restart
|
service tor restart
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
IP=`xenstore-read qubes-netvm-gateway`
|
ip="$(xenstore-read qubes-netvm-gateway)"
|
||||||
IP_PART=$(echo $IP | cut -f 1,2,3 -d".")
|
|
||||||
LAST_IP="$(cat /etc/whonix-netvm-gateway)"
|
# Compare to current IP address assiged by Qubes
|
||||||
LAST_IP_PART=$(echo $LAST_IP | cut -f 1,2,3 -d".")
|
replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@]
|
||||||
replace_ips "$DIRS" $IP $LAST_IP
|
|
||||||
|
|
||||||
# Do again; checking for original 10.152.152.10 incase of update
|
# Do again; checking for original 10.152.152.10 incase of update
|
||||||
LAST_IP=10.152.152.10
|
replace_ips "10.152.152.10" "${ip}" FILES[@]
|
||||||
LAST_IP_PART=$(echo $LAST_IP | cut -f 1,2,3 -d".")
|
|
||||||
replace_ips "$DIRS" $IP $LAST_IP
|
|
||||||
|
|
||||||
# Do again; checking for original 10.152.152.11 incase of update
|
# Do again; checking for original 10.152.152.11 incase of update
|
||||||
LAST_IP=10.152.152.11
|
replace_ips "10.152.152.11" "${ip}" FILES[@]
|
||||||
LAST_IP_PART=$(echo $LAST_IP | cut -f 1,2,3 -d".")
|
|
||||||
replace_ips "$DIRS" $IP $LAST_IP
|
|
||||||
|
|
||||||
|
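Review bot: `ip="$(xenstore-read qubes-netvm-gateway)"` is handed straight to `replace_ips` without checking that it is non-empty, so if xenstore-read fails every listed file has its gateway address replaced by an empty string (and the network by `.0`) and tor is restarted against a broken config; add `[ -n "${ip}" ] || exit 1` right after the assignment, as setup-ip already does with its `x${ip} != x` test. In `search_replace`, `ls_attrs` is not declared `local` and is only assigned when the file is not a symlink, so a symlink processed after an immutable file inherits the previous `i` and the closing `chattr +i "${file}"` is applied through the link to whatever it points at; initialise it with `local ls_attrs=""`. `sed -i.bak` also leaves a `.bak` copy holding the old address next to every rewritten file, including entries under /usr/bin, which is probably not intended. `replace_network` and `search_network` in `replace_ips` should be `local` as well.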
@ -1,34 +1,94 @@
|
|||||||
#!/bin/sh
|
#!/bin/bash
|
||||||
|
|
||||||
if [ -x /usr/sbin/xenstore-read ]; then
|
if [ -x /usr/sbin/xenstore-read ]; then
|
||||||
XENSTORE_READ="/usr/sbin/xenstore-read"
|
XENSTORE_READ="/usr/sbin/xenstore-read"
|
||||||
else
|
else
|
||||||
XENSTORE_READ="/usr/bin/xenstore-read"
|
XENSTORE_READ="/usr/bin/xenstore-read"
|
||||||
fi
|
fi
|
||||||
|
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
|
||||||
|
|
||||||
|
INTERFACE="eth1"
|
||||||
|
|
||||||
# Create a dummy eth1 interface so tor can bind to it if there
|
# Create a dummy eth1 interface so tor can bind to it if there
|
||||||
# are no DOMU virtual machines connected at the moment
|
# are no DOMU virtual machines connected at the moment
|
||||||
INTERFACE="eth1"
|
ip link show ${INTERFACE} >> /dev/null || {
|
||||||
/sbin/ip link add $INTERFACE type dummy
|
/sbin/ip link add ${INTERFACE} type dummy
|
||||||
|
|
||||||
# Now, assign it the netvm-gateway IP address
|
# Now, assign it the netvm-gateway IP address
|
||||||
ip=$($XENSTORE_READ qubes-netvm-gateway 2> /dev/null)
|
if [ x${ip} != x ]; then
|
||||||
if [ x$ip != x ]; then
|
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
|
||||||
netmask=$($XENSTORE_READ qubes-netvm-netmask)
|
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
|
||||||
gateway=$($XENSTORE_READ qubes-netvm-gateway)
|
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
|
||||||
/sbin/ifconfig $INTERFACE $ip netmask 255.255.255.255
|
/sbin/ifconfig ${INTERFACE} up
|
||||||
/sbin/ifconfig $INTERFACE up
|
/sbin/ethtool -K ${INTERFACE} sg off
|
||||||
/sbin/ethtool -K $INTERFACE sg off
|
/sbin/ethtool -K ${INTERFACE} tx off
|
||||||
/sbin/ethtool -K $INTERFACE tx off
|
fi
|
||||||
fi
|
}
|
||||||
|
|
||||||
|
# Files that will have the immutable bit set
|
||||||
|
# since we don't want them modified by other programs
|
||||||
|
IMMUTABLE_FILES=(
|
||||||
|
'/etc/resolv.conf'
|
||||||
|
'/etc/hostname'
|
||||||
|
'/etc/hosts'
|
||||||
|
)
|
||||||
|
|
||||||
|
immutableFilesEnable() {
|
||||||
|
files="${1}"
|
||||||
|
suffix="${2}"
|
||||||
|
|
||||||
|
for file in "${files[@]}"; do
|
||||||
|
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
|
||||||
|
chattr +i "${file}${suffix}"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
immutableFilesDisable() {
|
||||||
|
files="${1}"
|
||||||
|
suffix="${2}"
|
||||||
|
|
||||||
|
for file in "${files[@]}"; do
|
||||||
|
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
|
||||||
|
chattr -i "${file}${suffix}"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
copyAnondist() {
|
||||||
|
file="${1}"
|
||||||
|
suffix="${2-.anondist}"
|
||||||
|
|
||||||
|
# Remove any softlinks first
|
||||||
|
if [ -L "${file}" ]; then
|
||||||
|
rm -f "${file}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then
|
||||||
|
chattr -i "${file}"
|
||||||
|
rm -f "${file}"
|
||||||
|
cp -p "${file}${suffix}" "${file}"
|
||||||
|
chattr +i "${file}"
|
||||||
|
elif ! [ -f "${file}" ]; then
|
||||||
|
cp -p "${file}${suffix}" "${file}"
|
||||||
|
chattr +i "${file}"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Make sure all .anondist files in list are immutable
|
||||||
|
immutableFilesEnable "${IMMUTABLE_FILES}"
|
||||||
|
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
|
||||||
|
|
||||||
|
# Make sure we are using a copy of the annondist file and if not
|
||||||
|
# copy the annondist file and set it immutable
|
||||||
|
copyAnondist "/etc/resolv.conf"
|
||||||
|
copyAnondist "/etc/hosts"
|
||||||
|
copyAnondist "/etc/hostname"
|
||||||
|
|
||||||
# Replace IP addresses in known configuration files / scripts to
|
# Replace IP addresses in known configuration files / scripts to
|
||||||
# currently discovered one
|
# currently discovered one
|
||||||
/usr/lib/whonix/replace-ips
|
/usr/lib/whonix/replace-ips
|
||||||
|
|
||||||
# Make sure we have correct nameserver set
|
|
||||||
echo "nameserver 127.0.0.1" > /etc/resolv.conf
|
|
||||||
|
|
||||||
# Make sure hostname is correct
|
# Make sure hostname is correct
|
||||||
/bin/hostname -b host
|
/bin/hostname -b host
|
||||||
|
|
||||||
@ -36,3 +96,7 @@ echo "nameserver 127.0.0.1" > /etc/resolv.conf
|
|||||||
export INT_IF="vif+"
|
export INT_IF="vif+"
|
||||||
export INT_TIF="vif+"
|
export INT_TIF="vif+"
|
||||||
/usr/bin/whonix_firewall
|
/usr/bin/whonix_firewall
|
||||||
|
|
||||||
|
# Route any traffic FROM netvm TO netvm BACK-TO localhost
|
||||||
|
# Allows localhost access to tor network
|
||||||
|
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1
|
||||||
|
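Review bot: `immutableFilesEnable "${IMMUTABLE_FILES}"` (both calls) passes only the first array element, and inside the function `files="${1}"` is a scalar, so only `/etc/resolv.conf` ever gets the immutable bit while `/etc/hostname` and `/etc/hosts` are silently skipped; pass the array by name as replace-ips does, `immutableFilesEnable IMMUTABLE_FILES[@] ".anondist"`, and read it with `local files=("${!1}")` (same in `immutableFilesDisable`). `files`, `suffix` and `file` in all three helpers are not `local` and leak into the script's global scope. In the second hunk, `iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1` is the one use of `${ip}` outside the `[ x${ip} != x ]` test, so an empty `ip` (xenstore-read's stderr is discarded above) yields a malformed iptables command instead of a clear failure; guard it with `[ -n "${ip}" ]` or fail early after the xenstore-read. `netmask` and `gateway` are assigned but never used.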