Jason Mehring
10 years ago
parent
88cf6f8b59
commit
4e7dbfcb06
@ -1,106 +0,0 @@
|
||||
=====================================================================
|
||||
These are my original notes for steps to intergrate Whonix into Qubes
|
||||
=====================================================================
|
||||
|
||||
Read README.whonix qubes-builder package for build instructions
|
||||
|
||||
None of the notes below apply at this point but I am saving them
|
||||
until whonix intergration is complete since there still may be some
|
||||
valid steps I will need to intergrate ubuntu as well
|
||||
|
||||
=====================================================================
|
||||
# Build depends
|
||||
sudo yum install rpmdevtools rpm-build createrepo rpm-sign
|
||||
|
||||
# Additional for debian template
|
||||
sudo yum install debootstrap dpkg-dev
|
||||
|
||||
# Build
|
||||
# https://qubes-os.org/wiki/BuildingArchlinuxTemplate
|
||||
# ---------------------------------------------------
|
||||
clean all
|
||||
clean all rpms
|
||||
sudo umount chroot-wheezy/proc
|
||||
sudo rm -r chroot-wheezy
|
||||
cd qubes-src/linus-template-builder
|
||||
sudo umount mnt
|
||||
sudo rm prepared_images/...
|
||||
|
||||
make get-sources
|
||||
|
||||
make vmm-xen-vm
|
||||
make core-vchan-xen-vm
|
||||
make linux-utils-vm
|
||||
make core-agent-linux-vm
|
||||
make gui-common-vm
|
||||
make gui-agent-linux-vm
|
||||
|
||||
make linux-template-builder
|
||||
|
||||
|
||||
# builder.conf
|
||||
# ------------
|
||||
GIT_SUBDIR=marmarek
|
||||
COMPONENTS:=$(filter-out desktop-linux-kde desktop-linux-xfce,$(COMPONENTS))
|
||||
DISTS_VM=wheezy
|
||||
NO_SIGN="1"
|
||||
DEBUG="1"
|
||||
VERBOSE=2
|
||||
|
||||
|
||||
# Changed (XXX: Marks the spot!)
|
||||
# ------------------------------
|
||||
# Makefile.debian
|
||||
# - wheezy repo dir does not get created...
|
||||
# prepare-chroot-debian
|
||||
# - chroot /dev/null should be 0666
|
||||
|
||||
|
||||
# Wheezy needs a keyring
|
||||
# ----------------------
|
||||
# Create in keys_debian
|
||||
# Get from https://ftp-master.debian.org/keys.html
|
||||
gpg --no-default-keyring --keyring=wheezy-debian-archive-keyring.gpg --import wheezy-archive-key-7.0.asc
|
||||
# move from /user/home/.gnupgp to keys_debian
|
||||
|
||||
|
||||
# Wheezy Hacks
|
||||
# ------------
|
||||
# Need 2.0 pulse audio drivers
|
||||
# *add to source list*
|
||||
cd qubes-src
|
||||
git clone --branch v2.0 git://anongit.freedesktop.org/pulseaudio/pulseaudio
|
||||
cp -prf pulseaudio/src/pulsecore gui-agent-linux/pulse/pulsecore-2.0
|
||||
cd ..
|
||||
|
||||
# Add to...
|
||||
# module-vchan-sink-symdef.h
|
||||
|
||||
#elif PA_CHECK_VERSION(2,0,0)
|
||||
bool pa__load_once(void);
|
||||
|
||||
# Add to..
|
||||
# Makefile
|
||||
|
||||
|
||||
# Build errors - template
|
||||
# -----------------------
|
||||
make[1]: *** [update-repo] Error 32
|
||||
make: *** [linux-template-builder] Error 1
|
||||
mount: mount(2) failed: No such file or directory
|
||||
|
||||
- remove all mounts and try again. Some mounts may need to be tried multiple times
|
||||
|
||||
$ sudo umount chroot-wheezy/proc/
|
||||
$ sudo umount chroot-wheezy/proc/
|
||||
umount: chroot-wheezy/proc/: not mounted
|
||||
|
||||
$ sudo umount chroot-wheezy/tmp/qubes-apt-repo/
|
||||
$ sudo umount chroot-wheezy/tmp/qubes-apt-repo/
|
||||
umount: chroot-wheezy/tmp/qubes-apt-repo/: not mounted
|
||||
|
||||
$ sudo umount chroot-wheezy/tmp/qubes-deb/
|
||||
$ sudo umount chroot-wheezy/tmp/qubes-deb/
|
||||
$ sudo umount chroot-wheezy/tmp/qubes-deb/
|
||||
umount: chroot-wheezy/tmp/qubes-deb/: not mounted
|
||||
|
||||
@ -1,26 +0,0 @@
|
||||
#!/bin/bash
|
||||
# vim: set ts=4 sw=4 sts=4 et :
|
||||
|
||||
#
|
||||
# Whonix Post Install Steps (after qubes install)
|
||||
#
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# Source external scripts
|
||||
# ------------------------------------------------------------------------------
|
||||
. ${SCRIPTSDIR}/vars.sh
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# Configurations
|
||||
# ------------------------------------------------------------------------------
|
||||
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
|
||||
set -x
|
||||
else
|
||||
set -e
|
||||
fi
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# Disable gnome network-manager since it will prevent networking
|
||||
# ------------------------------------------------------------------------------
|
||||
debug "Disabling gnome network-manager"
|
||||
chroot "${INSTALLDIR}" systemctl disable network-manager
|
||||
@ -1,42 +0,0 @@
|
||||
# file: .
|
||||
# owner: user
|
||||
# group: user
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: etc
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: etc/udev
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: etc/udev/rules.d
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: etc/udev/rules.d/xen-backend.rules
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rw-
|
||||
group::r--
|
||||
other::r--
|
||||
|
||||
# file: etc/udev/rules.d/98-kexec.rules
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rw-
|
||||
group::r--
|
||||
other::r--
|
||||
|
||||
@ -1,16 +0,0 @@
|
||||
SUBSYSTEM=="xen-backend", KERNEL=="tap*", RUN+="/etc/xen/scripts/blktap $env{ACTION}"
|
||||
SUBSYSTEM=="xen-backend", KERNEL=="vbd*", RUN+="/etc/xen/scripts/block $env{ACTION}"
|
||||
SUBSYSTEM=="xen-backend", KERNEL=="vtpm*", RUN+="/etc/xen/scripts/vtpm $env{ACTION}"
|
||||
SUBSYSTEM=="xen-backend", KERNEL=="vif2-*", RUN+="/etc/xen/scripts/vif2 $env{ACTION}"
|
||||
SUBSYSTEM=="xen-backend", KERNEL=="vif-*", ACTION=="online", RUN+="/etc/xen/scripts/vif-setup online type_if=vif"
|
||||
SUBSYSTEM=="xen-backend", KERNEL=="vif-*", ACTION=="offline", RUN+="/etc/xen/scripts/vif-setup offline type_if=vif"
|
||||
SUBSYSTEM=="xen-backend", KERNEL=="vscsi*", RUN+="/etc/xen/scripts/vscsi $env{ACTION}"
|
||||
SUBSYSTEM=="xen-backend", ACTION=="remove", RUN+="/etc/xen/scripts/xen-hotplug-cleanup"
|
||||
KERNEL=="evtchn", NAME="xen/%k"
|
||||
SUBSYSTEM=="xen", KERNEL=="blktap[0-9]*", NAME="xen/%k", MODE="0600"
|
||||
SUBSYSTEM=="blktap2", KERNEL=="blktap[0-9]*", NAME="xen/blktap-2/%k", MODE="0600"
|
||||
KERNEL=="blktap-control", NAME="xen/blktap-2/control", MODE="0600"
|
||||
KERNEL=="gntdev", NAME="xen/%k", MODE="0600"
|
||||
KERNEL=="pci_iomul", NAME="xen/%k", MODE="0600"
|
||||
KERNEL=="tapdev[a-z]*", NAME="xen/blktap-2/tapdev%m", MODE="0600"
|
||||
SUBSYSTEM=="net", KERNEL=="tap*", ACTION=="add", RUN+="/etc/xen/scripts/vif-setup $env{ACTION} type_if=tap"
|
||||
@ -1 +0,0 @@
|
||||
SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/whonix/setup-ip"
|
||||
@ -0,0 +1,14 @@
|
||||
[Unit]
|
||||
Description=Qubes Whonix firewall updater
|
||||
After=qubes-whonix-network.service
|
||||
Before=network.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStartPre=/usr/lib/whonix/init/init.sh
|
||||
ExecStart=/usr/lib/whonix/init/qubes-firewall-user-script
|
||||
StandardOutput=syslog
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@ -0,0 +1,14 @@
|
||||
[Unit]
|
||||
Description=Qubes Whonix network proxy setup
|
||||
ConditionPathExists=/var/run/qubes-service/qubes-network
|
||||
Before=network.target
|
||||
After=qubes-firewall.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/lib/whonix/init/network-proxy-setup.sh
|
||||
StandardOutput=syslog
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@ -0,0 +1,38 @@
|
||||
#!/bin/bash
|
||||
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
if [ "${WHONIX}" != "template" ]; then
|
||||
# Files that will have the immutable bit set
|
||||
# since we don't want them modified by other programs
|
||||
IMMUTABLE_FILES=(
|
||||
'/etc/resolv.conf'
|
||||
'/etc/hostname'
|
||||
'/etc/hosts'
|
||||
)
|
||||
|
||||
# Make sure all .anondist files in list are immutable
|
||||
immutableFilesEnable "${IMMUTABLE_FILES}"
|
||||
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
|
||||
|
||||
# Make sure we are using a copy of the annondist file and if not
|
||||
# copy the annondist file and set it immutable
|
||||
copyAnondist "/etc/resolv.conf"
|
||||
copyAnondist "/etc/hosts"
|
||||
copyAnondist "/etc/hostname"
|
||||
|
||||
# Replace IP addresses in known configuration files / scripts to
|
||||
# currently discovered one
|
||||
/usr/lib/whonix/init/replace-ips
|
||||
|
||||
# Make sure hostname is correct
|
||||
/bin/hostname host
|
||||
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
# Make sure we remove whonixsetup.done if Tor is not enabled
|
||||
# to allow choice of repo and prevent whonixcheck errors
|
||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
||||
rm -f /var/lib/whonix/do_once/whonixsetup.done
|
||||
}
|
||||
fi
|
||||
fi
|
||||
@ -0,0 +1,67 @@
|
||||
#!/bin/bash
|
||||
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
# Or just enable them :)
|
||||
#ln -s '/lib/systemd/system/qubes-whonix-network.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-network.service'
|
||||
#ln -s '/lib/systemd/system/qubes-whonix-firewall.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-firewall.service'
|
||||
#ln -s '/lib/systemd/system/qubes-whonix-init.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-init.service'
|
||||
|
||||
|
||||
INTERFACE="eth1"
|
||||
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
|
||||
if [ -x /usr/sbin/xenstore-read ]; then
|
||||
XENSTORE_READ="/usr/sbin/xenstore-read"
|
||||
else
|
||||
XENSTORE_READ="/usr/bin/xenstore-read"
|
||||
fi
|
||||
|
||||
# Setup Xen / Qubes proxy
|
||||
network=$(xenstore-read qubes-netvm-network 2>/dev/null)
|
||||
if [ "x$network" != "x" ]; then
|
||||
gateway=$(xenstore-read qubes-netvm-gateway)
|
||||
netmask=$(xenstore-read qubes-netvm-netmask)
|
||||
secondary_dns=$(xenstore-read qubes-netvm-secondary-dns)
|
||||
modprobe netbk 2> /dev/null || modprobe xen-netback
|
||||
echo "NS1=$gateway" > /var/run/qubes/qubes-ns
|
||||
echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
|
||||
#/usr/lib/qubes/qubes-setup-dnat-to-ns
|
||||
echo "0" > /proc/sys/net/ipv4/ip_forward
|
||||
/sbin/ethtool -K eth0 sg off || :
|
||||
fi
|
||||
|
||||
# Now, assign it the netvm-gateway IP address
|
||||
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
|
||||
if [ x${ip} != x ]; then
|
||||
# Create a dummy eth1 interface so tor can bind to it if there
|
||||
# are no DOMU virtual machines connected at the moment
|
||||
/sbin/ip link add ${INTERFACE} type dummy
|
||||
|
||||
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
|
||||
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
|
||||
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
|
||||
/sbin/ifconfig ${INTERFACE} up
|
||||
/sbin/ethtool -K ${INTERFACE} sg off || true
|
||||
/sbin/ethtool -K ${INTERFACE} tx off || true
|
||||
|
||||
ip link set ${INTERFACE} up
|
||||
fi
|
||||
|
||||
echo "0" > /proc/sys/net/ipv4/ip_forward
|
||||
|
||||
# Allow whonix-gateway to act as an update-proxy
|
||||
touch /var/run/qubes-service/qubes-updates-proxy
|
||||
#systemctl stop qubes-updates-proxy.service
|
||||
|
||||
# Search and replace tinyproxy error files so we can inject code that
|
||||
# we can use to identify that its a tor proxy so updates are secure
|
||||
error_file="/usr/share/tinyproxy/default.html"
|
||||
grep -q "${PROXY_META}" "${error_file}" || {
|
||||
sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
|
||||
}
|
||||
fi
|
||||
|
||||
# Copy firewall script so Qubes will reload it when it reloads
|
||||
cp -pf /usr/lib/whonix/init/qubes-firewall-user-script /rw/config/qubes-firewall-user-script
|
||||
@ -0,0 +1,47 @@
|
||||
#!/bin/bash
|
||||
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
if [ "${WHONIX}" != "template" ]; then
|
||||
# Make sure IP forwarding is disabled
|
||||
echo "0" > /proc/sys/net/ipv4/ip_forward
|
||||
|
||||
if [ -x /usr/sbin/xenstore-read ]; then
|
||||
XENSTORE_READ="/usr/sbin/xenstore-read"
|
||||
else
|
||||
XENSTORE_READ="/usr/bin/xenstore-read"
|
||||
fi
|
||||
|
||||
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
|
||||
|
||||
# Start Whonix Firewall
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
export INT_IF="vif+"
|
||||
export INT_TIF="vif+"
|
||||
|
||||
# Inject custom firewall rules into whonix_firewall
|
||||
sed -i -f - /usr/bin/whonix_firewall <<-EOF
|
||||
/^## IPv4 DROP INVALID INCOMING PACKAGES/,/######################################/c \\
|
||||
## IPv4 DROP INVALID INCOMING PACKAGES \\
|
||||
## \\
|
||||
## --- THE FOLLOWING WS INJECTED --- \\
|
||||
## Qubes Tiny Proxy Updater \\
|
||||
iptables -t nat -N PR-QBS-SERVICES \\
|
||||
iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
|
||||
iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
|
||||
iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
|
||||
iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
|
||||
\\
|
||||
# Route any traffic FROM netvm TO netvm BACK-TO localhost \\
|
||||
# Allows localhost access to tor network \\
|
||||
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
|
||||
######################################
|
||||
EOF
|
||||
fi
|
||||
|
||||
# Load the firewall
|
||||
# XXX: TODO: Take down all network accesss if firewall fails
|
||||
/usr/bin/whonix_firewall
|
||||
|
||||
systemctl restart qubes-updates-proxy.service
|
||||
fi
|
||||
@ -1,78 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
if [ -x /usr/sbin/xenstore-read ]; then
|
||||
XENSTORE_READ="/usr/sbin/xenstore-read"
|
||||
else
|
||||
XENSTORE_READ="/usr/bin/xenstore-read"
|
||||
fi
|
||||
|
||||
INTERFACE="eth1"
|
||||
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
|
||||
|
||||
# Create a dummy eth1 interface so tor can bind to it if there
|
||||
# are no DOMU virtual machines connected at the moment
|
||||
ip link show ${INTERFACE} >> /dev/null || {
|
||||
/sbin/ip link add ${INTERFACE} type dummy
|
||||
|
||||
# Now, assign it the netvm-gateway IP address
|
||||
if [ x${ip} != x ]; then
|
||||
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
|
||||
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
|
||||
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
|
||||
/sbin/ifconfig ${INTERFACE} up
|
||||
/sbin/ethtool -K ${INTERFACE} sg off || true
|
||||
/sbin/ethtool -K ${INTERFACE} tx off || true
|
||||
fi
|
||||
|
||||
ip link set ${INTERFACE} up
|
||||
}
|
||||
fi
|
||||
|
||||
if [ "${WHONIX}" != "template" ]; then
|
||||
# Files that will have the immutable bit set
|
||||
# since we don't want them modified by other programs
|
||||
IMMUTABLE_FILES=(
|
||||
'/etc/resolv.conf'
|
||||
'/etc/hostname'
|
||||
'/etc/hosts'
|
||||
)
|
||||
|
||||
# Make sure all .anondist files in list are immutable
|
||||
immutableFilesEnable "${IMMUTABLE_FILES}"
|
||||
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
|
||||
|
||||
# Make sure we are using a copy of the annondist file and if not
|
||||
# copy the annondist file and set it immutable
|
||||
copyAnondist "/etc/resolv.conf"
|
||||
copyAnondist "/etc/hosts"
|
||||
copyAnondist "/etc/hostname"
|
||||
|
||||
# Replace IP addresses in known configuration files / scripts to
|
||||
# currently discovered one
|
||||
/usr/lib/whonix/replace-ips
|
||||
|
||||
# Make sure hostname is correct
|
||||
/bin/hostname host
|
||||
|
||||
# Start Whonix Firewall
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
export INT_IF="vif+"
|
||||
export INT_TIF="vif+"
|
||||
fi
|
||||
/usr/bin/whonix_firewall
|
||||
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
# Route any traffic FROM netvm TO netvm BACK-TO localhost
|
||||
# Allows localhost access to tor network
|
||||
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1
|
||||
fi
|
||||
|
||||
# Make sure we remove whonixsetup.done if Tor is not enabled
|
||||
# to allow choice of repo and prevent whonixcheck errors
|
||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
||||
rm -f /var/lib/whonix/do_once/whonixsetup.done
|
||||
}
|
||||
fi
|
||||
@ -1,95 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
#sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
|
||||
#disable_sysv tor
|
||||
#disable_sysv sdwdate
|
||||
|
||||
iptables -F
|
||||
iptables -t nat -F
|
||||
|
||||
LOG_IP4=1
|
||||
LOG_IP6=0
|
||||
|
||||
# for IPv4
|
||||
if [ "$LOG_IP4" == "1" ]; then
|
||||
iptables -t raw -A OUTPUT -p icmp -j TRACE
|
||||
iptables -t raw -A PREROUTING -p icmp -j TRACE
|
||||
modprobe ipt_LOG
|
||||
fi
|
||||
|
||||
# for IPv6
|
||||
if [ "$LOG_IP6" == "1" ]; then
|
||||
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE
|
||||
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE
|
||||
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE
|
||||
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
|
||||
modprobe ip6t_LOG
|
||||
fi
|
||||
|
||||
sysctl -w net.ipv4.ip_forward=1
|
||||
|
||||
iptables -A FORWARD -i eth0 -j ACCEPT
|
||||
iptables -A FORWARD -o eth0 -j ACCEPT
|
||||
iptables -A FORWARD -i lo -j ACCEPT
|
||||
iptables -A FORWARD -o lo -j ACCEPT
|
||||
|
||||
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||||
|
||||
#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
|
||||
#iptables -t nat -A OUTPUT -p tcp -s 10.137.255.254 --sport 8082 -j DNAT --to-destination 127.0.0.1:9105
|
||||
#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
|
||||
#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.1 --dport 9105 -j DNAT --to-destination 10.137.255.254:8082
|
||||
#iptables -t nat -A OUTPUT -p tcp --dport 9105 -j DNAT --to-destination 10.137.255.254:8082
|
||||
#iptables -t nat -A OUTPUT -p tcp --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
|
||||
#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
|
||||
|
||||
|
||||
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082
|
||||
#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082
|
||||
|
||||
#iptables -t nat -A INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT"
|
||||
#iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT"
|
||||
|
||||
#iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 9105 -j ACCEPT
|
||||
#iptables -t nat -A OUTPUT -o lo -p tcp --dport 9105 -j ACCEPT
|
||||
#iptables -t nat -A PREROUTING -i lo -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
|
||||
#iptables -t nat -A PREROUTING -i eth0 -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
|
||||
#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j REDIRECT --to-destination 10.137.255.254:8082
|
||||
#iptables -t nat -A PREROUTING -p tcp --dport 8082 -i eth0 -j DNAT --to 10.137.255.254:8082
|
||||
#iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT --to 10.137.255.254:8082
|
||||
#iptables -t nat -A PREROUTING -p tcp -i lo -j DNAT --to 10.137.255.254:8082
|
||||
|
||||
#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
|
||||
#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
|
||||
|
||||
#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254
|
||||
#iptables -t nat -A PREROUTING -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254
|
||||
#iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254
|
||||
#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254
|
||||
|
||||
# Works
|
||||
# localhost/loopback maps localhost port 8082 to localhost port 8888
|
||||
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888
|
||||
|
||||
# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
|
||||
#iptables -t nat -A PREROUTING --dst 127.0.0.1 -p tcp --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
|
||||
#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j DNAT --to-destination 10.137.255.254:8082
|
||||
#iptables -t nat -A OUTPUT -p udp -d 10.137.2.1 --dport 52 -j DNAT --to-destination 10.137.255.254:8082
|
||||
|
||||
# Remap ALL traffic
|
||||
#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
|
||||
#iptables -t nat -A OUTPUT -p udp -j DNAT --to-destination 10.137.255.254:8082
|
||||
|
||||
|
||||
#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j REDIRECT --to-port 9105
|
||||
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105
|
||||
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105
|
||||
|
||||
#iptables -v -L
|
||||
#iptables -v -t nat -L
|
||||
#telnet 127.0.0.1 9105
|
||||
#telnet 10.137.2.1 8082
|
||||
#telnet 127.0.0.1 8082
|
||||
#tail -100 /var/log/kern.log
|
||||
@ -1 +0,0 @@
|
||||
SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/whonix/setup-ip"
|
||||
@ -0,0 +1,14 @@
|
||||
[Unit]
|
||||
Description=Qubes Whonix firewall updater
|
||||
After=qubes-whonix-network.service
|
||||
Before=network.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStartPre=/usr/lib/whonix/init/init.sh
|
||||
ExecStart=/usr/lib/whonix/init/qubes-firewall-user-script
|
||||
StandardOutput=syslog
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@ -0,0 +1,14 @@
|
||||
[Unit]
|
||||
Description=Qubes Whonix network proxy setup
|
||||
ConditionPathExists=/var/run/qubes-service/qubes-network
|
||||
Before=network.target
|
||||
After=qubes-firewall.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/lib/whonix/init/network-proxy-setup.sh
|
||||
StandardOutput=syslog
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@ -0,0 +1,38 @@
|
||||
#!/bin/bash
|
||||
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
if [ "${WHONIX}" != "template" ]; then
|
||||
# Files that will have the immutable bit set
|
||||
# since we don't want them modified by other programs
|
||||
IMMUTABLE_FILES=(
|
||||
'/etc/resolv.conf'
|
||||
'/etc/hostname'
|
||||
'/etc/hosts'
|
||||
)
|
||||
|
||||
# Make sure all .anondist files in list are immutable
|
||||
immutableFilesEnable "${IMMUTABLE_FILES}"
|
||||
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
|
||||
|
||||
# Make sure we are using a copy of the annondist file and if not
|
||||
# copy the annondist file and set it immutable
|
||||
copyAnondist "/etc/resolv.conf"
|
||||
copyAnondist "/etc/hosts"
|
||||
copyAnondist "/etc/hostname"
|
||||
|
||||
# Replace IP addresses in known configuration files / scripts to
|
||||
# currently discovered one
|
||||
/usr/lib/whonix/init/replace-ips
|
||||
|
||||
# Make sure hostname is correct
|
||||
/bin/hostname host
|
||||
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
# Make sure we remove whonixsetup.done if Tor is not enabled
|
||||
# to allow choice of repo and prevent whonixcheck errors
|
||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
||||
rm -f /var/lib/whonix/do_once/whonixsetup.done
|
||||
}
|
||||
fi
|
||||
fi
|
||||
@ -0,0 +1,67 @@
|
||||
#!/bin/bash
|
||||
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
# Or just enable them :)
|
||||
#ln -s '/lib/systemd/system/qubes-whonix-network.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-network.service'
|
||||
#ln -s '/lib/systemd/system/qubes-whonix-firewall.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-firewall.service'
|
||||
#ln -s '/lib/systemd/system/qubes-whonix-init.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-init.service'
|
||||
|
||||
|
||||
INTERFACE="eth1"
|
||||
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
|
||||
if [ -x /usr/sbin/xenstore-read ]; then
|
||||
XENSTORE_READ="/usr/sbin/xenstore-read"
|
||||
else
|
||||
XENSTORE_READ="/usr/bin/xenstore-read"
|
||||
fi
|
||||
|
||||
# Setup Xen / Qubes proxy
|
||||
network=$(xenstore-read qubes-netvm-network 2>/dev/null)
|
||||
if [ "x$network" != "x" ]; then
|
||||
gateway=$(xenstore-read qubes-netvm-gateway)
|
||||
netmask=$(xenstore-read qubes-netvm-netmask)
|
||||
secondary_dns=$(xenstore-read qubes-netvm-secondary-dns)
|
||||
modprobe netbk 2> /dev/null || modprobe xen-netback
|
||||
echo "NS1=$gateway" > /var/run/qubes/qubes-ns
|
||||
echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
|
||||
#/usr/lib/qubes/qubes-setup-dnat-to-ns
|
||||
echo "0" > /proc/sys/net/ipv4/ip_forward
|
||||
/sbin/ethtool -K eth0 sg off || :
|
||||
fi
|
||||
|
||||
# Now, assign it the netvm-gateway IP address
|
||||
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
|
||||
if [ x${ip} != x ]; then
|
||||
# Create a dummy eth1 interface so tor can bind to it if there
|
||||
# are no DOMU virtual machines connected at the moment
|
||||
/sbin/ip link add ${INTERFACE} type dummy
|
||||
|
||||
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
|
||||
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
|
||||
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
|
||||
/sbin/ifconfig ${INTERFACE} up
|
||||
/sbin/ethtool -K ${INTERFACE} sg off || true
|
||||
/sbin/ethtool -K ${INTERFACE} tx off || true
|
||||
|
||||
ip link set ${INTERFACE} up
|
||||
fi
|
||||
|
||||
echo "0" > /proc/sys/net/ipv4/ip_forward
|
||||
|
||||
# Allow whonix-gateway to act as an update-proxy
|
||||
touch /var/run/qubes-service/qubes-updates-proxy
|
||||
#systemctl stop qubes-updates-proxy.service
|
||||
|
||||
# Search and replace tinyproxy error files so we can inject code that
|
||||
# we can use to identify that its a tor proxy so updates are secure
|
||||
error_file="/usr/share/tinyproxy/default.html"
|
||||
grep -q "${PROXY_META}" "${error_file}" || {
|
||||
sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
|
||||
}
|
||||
fi
|
||||
|
||||
# Copy firewall script so Qubes will reload it when it reloads
|
||||
cp -pf /usr/lib/whonix/init/qubes-firewall-user-script /rw/config/qubes-firewall-user-script
|
||||
@ -0,0 +1,47 @@
|
||||
#!/bin/bash
|
||||
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
if [ "${WHONIX}" != "template" ]; then
|
||||
# Make sure IP forwarding is disabled
|
||||
echo "0" > /proc/sys/net/ipv4/ip_forward
|
||||
|
||||
if [ -x /usr/sbin/xenstore-read ]; then
|
||||
XENSTORE_READ="/usr/sbin/xenstore-read"
|
||||
else
|
||||
XENSTORE_READ="/usr/bin/xenstore-read"
|
||||
fi
|
||||
|
||||
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
|
||||
|
||||
# Start Whonix Firewall
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
export INT_IF="vif+"
|
||||
export INT_TIF="vif+"
|
||||
|
||||
# Inject custom firewall rules into whonix_firewall
|
||||
sed -i -f - /usr/bin/whonix_firewall <<-EOF
|
||||
/^## IPv4 DROP INVALID INCOMING PACKAGES/,/######################################/c \\
|
||||
## IPv4 DROP INVALID INCOMING PACKAGES \\
|
||||
## \\
|
||||
## --- THE FOLLOWING WS INJECTED --- \\
|
||||
## Qubes Tiny Proxy Updater \\
|
||||
iptables -t nat -N PR-QBS-SERVICES \\
|
||||
iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
|
||||
iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
|
||||
iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
|
||||
iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
|
||||
\\
|
||||
# Route any traffic FROM netvm TO netvm BACK-TO localhost \\
|
||||
# Allows localhost access to tor network \\
|
||||
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
|
||||
######################################
|
||||
EOF
|
||||
fi
|
||||
|
||||
# Load the firewall
|
||||
# XXX: TODO: Take down all network accesss if firewall fails
|
||||
/usr/bin/whonix_firewall
|
||||
|
||||
systemctl restart qubes-updates-proxy.service
|
||||
fi
|
||||
@ -1,78 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
if [ -x /usr/sbin/xenstore-read ]; then
|
||||
XENSTORE_READ="/usr/sbin/xenstore-read"
|
||||
else
|
||||
XENSTORE_READ="/usr/bin/xenstore-read"
|
||||
fi
|
||||
|
||||
INTERFACE="eth1"
|
||||
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
|
||||
|
||||
# Create a dummy eth1 interface so tor can bind to it if there
|
||||
# are no DOMU virtual machines connected at the moment
|
||||
ip link show ${INTERFACE} >> /dev/null || {
|
||||
/sbin/ip link add ${INTERFACE} type dummy
|
||||
|
||||
# Now, assign it the netvm-gateway IP address
|
||||
if [ x${ip} != x ]; then
|
||||
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
|
||||
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
|
||||
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
|
||||
/sbin/ifconfig ${INTERFACE} up
|
||||
/sbin/ethtool -K ${INTERFACE} sg off || true
|
||||
/sbin/ethtool -K ${INTERFACE} tx off || true
|
||||
fi
|
||||
|
||||
ip link set ${INTERFACE} up
|
||||
}
|
||||
fi
|
||||
|
||||
if [ "${WHONIX}" != "template" ]; then
|
||||
# Files that will have the immutable bit set
|
||||
# since we don't want them modified by other programs
|
||||
IMMUTABLE_FILES=(
|
||||
'/etc/resolv.conf'
|
||||
'/etc/hostname'
|
||||
'/etc/hosts'
|
||||
)
|
||||
|
||||
# Make sure all .anondist files in list are immutable
|
||||
immutableFilesEnable "${IMMUTABLE_FILES}"
|
||||
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
|
||||
|
||||
# Make sure we are using a copy of the annondist file and if not
|
||||
# copy the annondist file and set it immutable
|
||||
copyAnondist "/etc/resolv.conf"
|
||||
copyAnondist "/etc/hosts"
|
||||
copyAnondist "/etc/hostname"
|
||||
|
||||
# Replace IP addresses in known configuration files / scripts to
|
||||
# currently discovered one
|
||||
/usr/lib/whonix/replace-ips
|
||||
|
||||
# Make sure hostname is correct
|
||||
/bin/hostname host
|
||||
|
||||
# Start Whonix Firewall
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
export INT_IF="vif+"
|
||||
export INT_TIF="vif+"
|
||||
fi
|
||||
/usr/bin/whonix_firewall
|
||||
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
# Route any traffic FROM netvm TO netvm BACK-TO localhost
|
||||
# Allows localhost access to tor network
|
||||
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1
|
||||
fi
|
||||
|
||||
# Make sure we remove whonixsetup.done if Tor is not enabled
|
||||
# to allow choice of repo and prevent whonixcheck errors
|
||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
||||
rm -f /var/lib/whonix/do_once/whonixsetup.done
|
||||
}
|
||||
fi
|
||||
Loading…
Reference in new issue