debian: Whonix modifications due to new postinit in core-agent-linux module
parent
88cf6f8b59
commit
4e7dbfcb06
@ -1,106 +0,0 @@
|
|||||||
=====================================================================
|
|
||||||
These are my original notes for steps to intergrate Whonix into Qubes
|
|
||||||
=====================================================================
|
|
||||||
|
|
||||||
Read README.whonix qubes-builder package for build instructions
|
|
||||||
|
|
||||||
None of the notes below apply at this point but I am saving them
|
|
||||||
until whonix intergration is complete since there still may be some
|
|
||||||
valid steps I will need to intergrate ubuntu as well
|
|
||||||
|
|
||||||
=====================================================================
|
|
||||||
# Build depends
|
|
||||||
sudo yum install rpmdevtools rpm-build createrepo rpm-sign
|
|
||||||
|
|
||||||
# Additional for debian template
|
|
||||||
sudo yum install debootstrap dpkg-dev
|
|
||||||
|
|
||||||
# Build
|
|
||||||
# https://qubes-os.org/wiki/BuildingArchlinuxTemplate
|
|
||||||
# ---------------------------------------------------
|
|
||||||
clean all
|
|
||||||
clean all rpms
|
|
||||||
sudo umount chroot-wheezy/proc
|
|
||||||
sudo rm -r chroot-wheezy
|
|
||||||
cd qubes-src/linus-template-builder
|
|
||||||
sudo umount mnt
|
|
||||||
sudo rm prepared_images/...
|
|
||||||
|
|
||||||
make get-sources
|
|
||||||
|
|
||||||
make vmm-xen-vm
|
|
||||||
make core-vchan-xen-vm
|
|
||||||
make linux-utils-vm
|
|
||||||
make core-agent-linux-vm
|
|
||||||
make gui-common-vm
|
|
||||||
make gui-agent-linux-vm
|
|
||||||
|
|
||||||
make linux-template-builder
|
|
||||||
|
|
||||||
|
|
||||||
# builder.conf
|
|
||||||
# ------------
|
|
||||||
GIT_SUBDIR=marmarek
|
|
||||||
COMPONENTS:=$(filter-out desktop-linux-kde desktop-linux-xfce,$(COMPONENTS))
|
|
||||||
DISTS_VM=wheezy
|
|
||||||
NO_SIGN="1"
|
|
||||||
DEBUG="1"
|
|
||||||
VERBOSE=2
|
|
||||||
|
|
||||||
|
|
||||||
# Changed (XXX: Marks the spot!)
|
|
||||||
# ------------------------------
|
|
||||||
# Makefile.debian
|
|
||||||
# - wheezy repo dir does not get created...
|
|
||||||
# prepare-chroot-debian
|
|
||||||
# - chroot /dev/null should be 0666
|
|
||||||
|
|
||||||
|
|
||||||
# Wheezy needs a keyring
|
|
||||||
# ----------------------
|
|
||||||
# Create in keys_debian
|
|
||||||
# Get from https://ftp-master.debian.org/keys.html
|
|
||||||
gpg --no-default-keyring --keyring=wheezy-debian-archive-keyring.gpg --import wheezy-archive-key-7.0.asc
|
|
||||||
# move from /user/home/.gnupgp to keys_debian
|
|
||||||
|
|
||||||
|
|
||||||
# Wheezy Hacks
|
|
||||||
# ------------
|
|
||||||
# Need 2.0 pulse audio drivers
|
|
||||||
# *add to source list*
|
|
||||||
cd qubes-src
|
|
||||||
git clone --branch v2.0 git://anongit.freedesktop.org/pulseaudio/pulseaudio
|
|
||||||
cp -prf pulseaudio/src/pulsecore gui-agent-linux/pulse/pulsecore-2.0
|
|
||||||
cd ..
|
|
||||||
|
|
||||||
# Add to...
|
|
||||||
# module-vchan-sink-symdef.h
|
|
||||||
|
|
||||||
#elif PA_CHECK_VERSION(2,0,0)
|
|
||||||
bool pa__load_once(void);
|
|
||||||
|
|
||||||
# Add to..
|
|
||||||
# Makefile
|
|
||||||
|
|
||||||
|
|
||||||
# Build errors - template
|
|
||||||
# -----------------------
|
|
||||||
make[1]: *** [update-repo] Error 32
|
|
||||||
make: *** [linux-template-builder] Error 1
|
|
||||||
mount: mount(2) failed: No such file or directory
|
|
||||||
|
|
||||||
- remove all mounts and try again. Some mounts may need to be tried multiple times
|
|
||||||
|
|
||||||
$ sudo umount chroot-wheezy/proc/
|
|
||||||
$ sudo umount chroot-wheezy/proc/
|
|
||||||
umount: chroot-wheezy/proc/: not mounted
|
|
||||||
|
|
||||||
$ sudo umount chroot-wheezy/tmp/qubes-apt-repo/
|
|
||||||
$ sudo umount chroot-wheezy/tmp/qubes-apt-repo/
|
|
||||||
umount: chroot-wheezy/tmp/qubes-apt-repo/: not mounted
|
|
||||||
|
|
||||||
$ sudo umount chroot-wheezy/tmp/qubes-deb/
|
|
||||||
$ sudo umount chroot-wheezy/tmp/qubes-deb/
|
|
||||||
$ sudo umount chroot-wheezy/tmp/qubes-deb/
|
|
||||||
umount: chroot-wheezy/tmp/qubes-deb/: not mounted
|
|
||||||
|
|
@ -1,26 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
# vim: set ts=4 sw=4 sts=4 et :
|
|
||||||
|
|
||||||
#
|
|
||||||
# Whonix Post Install Steps (after qubes install)
|
|
||||||
#
|
|
||||||
|
|
||||||
# ------------------------------------------------------------------------------
|
|
||||||
# Source external scripts
|
|
||||||
# ------------------------------------------------------------------------------
|
|
||||||
. ${SCRIPTSDIR}/vars.sh
|
|
||||||
|
|
||||||
# ------------------------------------------------------------------------------
|
|
||||||
# Configurations
|
|
||||||
# ------------------------------------------------------------------------------
|
|
||||||
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
|
|
||||||
set -x
|
|
||||||
else
|
|
||||||
set -e
|
|
||||||
fi
|
|
||||||
|
|
||||||
# ------------------------------------------------------------------------------
|
|
||||||
# Disable gnome network-manager since it will prevent networking
|
|
||||||
# ------------------------------------------------------------------------------
|
|
||||||
debug "Disabling gnome network-manager"
|
|
||||||
chroot "${INSTALLDIR}" systemctl disable network-manager
|
|
@ -1,42 +0,0 @@
|
|||||||
# file: .
|
|
||||||
# owner: user
|
|
||||||
# group: user
|
|
||||||
user::rwx
|
|
||||||
group::r-x
|
|
||||||
other::r-x
|
|
||||||
|
|
||||||
# file: etc
|
|
||||||
# owner: root
|
|
||||||
# group: root
|
|
||||||
user::rwx
|
|
||||||
group::r-x
|
|
||||||
other::r-x
|
|
||||||
|
|
||||||
# file: etc/udev
|
|
||||||
# owner: root
|
|
||||||
# group: root
|
|
||||||
user::rwx
|
|
||||||
group::r-x
|
|
||||||
other::r-x
|
|
||||||
|
|
||||||
# file: etc/udev/rules.d
|
|
||||||
# owner: root
|
|
||||||
# group: root
|
|
||||||
user::rwx
|
|
||||||
group::r-x
|
|
||||||
other::r-x
|
|
||||||
|
|
||||||
# file: etc/udev/rules.d/xen-backend.rules
|
|
||||||
# owner: root
|
|
||||||
# group: root
|
|
||||||
user::rw-
|
|
||||||
group::r--
|
|
||||||
other::r--
|
|
||||||
|
|
||||||
# file: etc/udev/rules.d/98-kexec.rules
|
|
||||||
# owner: root
|
|
||||||
# group: root
|
|
||||||
user::rw-
|
|
||||||
group::r--
|
|
||||||
other::r--
|
|
||||||
|
|
@ -1,16 +0,0 @@
|
|||||||
SUBSYSTEM=="xen-backend", KERNEL=="tap*", RUN+="/etc/xen/scripts/blktap $env{ACTION}"
|
|
||||||
SUBSYSTEM=="xen-backend", KERNEL=="vbd*", RUN+="/etc/xen/scripts/block $env{ACTION}"
|
|
||||||
SUBSYSTEM=="xen-backend", KERNEL=="vtpm*", RUN+="/etc/xen/scripts/vtpm $env{ACTION}"
|
|
||||||
SUBSYSTEM=="xen-backend", KERNEL=="vif2-*", RUN+="/etc/xen/scripts/vif2 $env{ACTION}"
|
|
||||||
SUBSYSTEM=="xen-backend", KERNEL=="vif-*", ACTION=="online", RUN+="/etc/xen/scripts/vif-setup online type_if=vif"
|
|
||||||
SUBSYSTEM=="xen-backend", KERNEL=="vif-*", ACTION=="offline", RUN+="/etc/xen/scripts/vif-setup offline type_if=vif"
|
|
||||||
SUBSYSTEM=="xen-backend", KERNEL=="vscsi*", RUN+="/etc/xen/scripts/vscsi $env{ACTION}"
|
|
||||||
SUBSYSTEM=="xen-backend", ACTION=="remove", RUN+="/etc/xen/scripts/xen-hotplug-cleanup"
|
|
||||||
KERNEL=="evtchn", NAME="xen/%k"
|
|
||||||
SUBSYSTEM=="xen", KERNEL=="blktap[0-9]*", NAME="xen/%k", MODE="0600"
|
|
||||||
SUBSYSTEM=="blktap2", KERNEL=="blktap[0-9]*", NAME="xen/blktap-2/%k", MODE="0600"
|
|
||||||
KERNEL=="blktap-control", NAME="xen/blktap-2/control", MODE="0600"
|
|
||||||
KERNEL=="gntdev", NAME="xen/%k", MODE="0600"
|
|
||||||
KERNEL=="pci_iomul", NAME="xen/%k", MODE="0600"
|
|
||||||
KERNEL=="tapdev[a-z]*", NAME="xen/blktap-2/tapdev%m", MODE="0600"
|
|
||||||
SUBSYSTEM=="net", KERNEL=="tap*", ACTION=="add", RUN+="/etc/xen/scripts/vif-setup $env{ACTION} type_if=tap"
|
|
@ -5,6 +5,41 @@ user::rwx
|
|||||||
group::r-x
|
group::r-x
|
||||||
other::r-x
|
other::r-x
|
||||||
|
|
||||||
|
# file: lib
|
||||||
|
# owner: root
|
||||||
|
# group: root
|
||||||
|
user::rwx
|
||||||
|
group::r-x
|
||||||
|
other::r-x
|
||||||
|
|
||||||
|
# file: lib/systemd
|
||||||
|
# owner: root
|
||||||
|
# group: root
|
||||||
|
user::rwx
|
||||||
|
group::r-x
|
||||||
|
other::r-x
|
||||||
|
|
||||||
|
# file: lib/systemd/system
|
||||||
|
# owner: root
|
||||||
|
# group: root
|
||||||
|
user::rwx
|
||||||
|
group::r-x
|
||||||
|
other::r-x
|
||||||
|
|
||||||
|
# file: lib/systemd/system/qubes-whonix-firewall.service
|
||||||
|
# owner: root
|
||||||
|
# group: root
|
||||||
|
user::rw-
|
||||||
|
group::r--
|
||||||
|
other::r--
|
||||||
|
|
||||||
|
# file: lib/systemd/system/qubes-whonix-network.service
|
||||||
|
# owner: root
|
||||||
|
# group: root
|
||||||
|
user::rw-
|
||||||
|
group::r--
|
||||||
|
other::r--
|
||||||
|
|
||||||
# file: etc
|
# file: etc
|
||||||
# owner: root
|
# owner: root
|
||||||
# group: root
|
# group: root
|
||||||
@ -75,27 +110,6 @@ user::rw-
|
|||||||
group::r--
|
group::r--
|
||||||
other::r--
|
other::r--
|
||||||
|
|
||||||
# file: etc/udev
|
|
||||||
# owner: root
|
|
||||||
# group: root
|
|
||||||
user::rwx
|
|
||||||
group::r-x
|
|
||||||
other::r-x
|
|
||||||
|
|
||||||
# file: etc/udev/rules.d
|
|
||||||
# owner: root
|
|
||||||
# group: root
|
|
||||||
user::rwx
|
|
||||||
group::r-x
|
|
||||||
other::r-x
|
|
||||||
|
|
||||||
# file: etc/udev/rules.d/99-qubes-whonix.rules
|
|
||||||
# owner: root
|
|
||||||
# group: root
|
|
||||||
user::rw-
|
|
||||||
group::r--
|
|
||||||
other::r--
|
|
||||||
|
|
||||||
# file: etc/hostname
|
# file: etc/hostname
|
||||||
# owner: root
|
# owner: root
|
||||||
# group: root
|
# group: root
|
||||||
@ -152,14 +166,42 @@ user::rwx
|
|||||||
group::r-x
|
group::r-x
|
||||||
other::r-x
|
other::r-x
|
||||||
|
|
||||||
# file: usr/lib/whonix/setup-ip
|
# file: usr/lib/whonix/whonix.sh
|
||||||
# owner: root
|
# owner: root
|
||||||
# group: root
|
# group: root
|
||||||
user::rwx
|
user::rwx
|
||||||
group::r-x
|
group::r-x
|
||||||
other::r-x
|
other::r-x
|
||||||
|
|
||||||
# file: usr/lib/whonix/tests.sh
|
# file: usr/lib/whonix/init
|
||||||
|
# owner: root
|
||||||
|
# group: root
|
||||||
|
user::rwx
|
||||||
|
group::r-x
|
||||||
|
other::r-x
|
||||||
|
|
||||||
|
# file: usr/lib/whonix/init/replace-ips
|
||||||
|
# owner: root
|
||||||
|
# group: root
|
||||||
|
user::rwx
|
||||||
|
group::r-x
|
||||||
|
other::r-x
|
||||||
|
|
||||||
|
# file: usr/lib/whonix/init/init.sh
|
||||||
|
# owner: root
|
||||||
|
# group: root
|
||||||
|
user::rwx
|
||||||
|
group::r-x
|
||||||
|
other::r-x
|
||||||
|
|
||||||
|
# file: usr/lib/whonix/init/network-proxy-setup.sh
|
||||||
|
# owner: root
|
||||||
|
# group: root
|
||||||
|
user::rwx
|
||||||
|
group::r-x
|
||||||
|
other::r-x
|
||||||
|
|
||||||
|
# file: usr/lib/whonix/init/qubes-firewall-user-script
|
||||||
# owner: root
|
# owner: root
|
||||||
# group: root
|
# group: root
|
||||||
user::rwx
|
user::rwx
|
||||||
@ -173,13 +215,6 @@ user::rw-
|
|||||||
group::r--
|
group::r--
|
||||||
other::r--
|
other::r--
|
||||||
|
|
||||||
# file: usr/lib/whonix/replace-ips
|
|
||||||
# owner: root
|
|
||||||
# group: root
|
|
||||||
user::rwx
|
|
||||||
group::r-x
|
|
||||||
other::r-x
|
|
||||||
|
|
||||||
# file: usr/lib/whonix/alert
|
# file: usr/lib/whonix/alert
|
||||||
# owner: root
|
# owner: root
|
||||||
# group: root
|
# group: root
|
||||||
|
@ -1 +0,0 @@
|
|||||||
SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/whonix/setup-ip"
|
|
@ -0,0 +1,14 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Qubes Whonix firewall updater
|
||||||
|
After=qubes-whonix-network.service
|
||||||
|
Before=network.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
RemainAfterExit=yes
|
||||||
|
ExecStartPre=/usr/lib/whonix/init/init.sh
|
||||||
|
ExecStart=/usr/lib/whonix/init/qubes-firewall-user-script
|
||||||
|
StandardOutput=syslog
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
@ -0,0 +1,14 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Qubes Whonix network proxy setup
|
||||||
|
ConditionPathExists=/var/run/qubes-service/qubes-network
|
||||||
|
Before=network.target
|
||||||
|
After=qubes-firewall.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
RemainAfterExit=yes
|
||||||
|
ExecStart=/usr/lib/whonix/init/network-proxy-setup.sh
|
||||||
|
StandardOutput=syslog
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
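--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/init.sh
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/init.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+. /usr/lib/whonix/utility_functions
+
+if [ "${WHONIX}" != "template" ]; then
+# Files that will have the immutable bit set
+# since we don't want them modified by other programs
+IMMUTABLE_FILES=(
+'/etc/resolv.conf'
+'/etc/hostname'
+'/etc/hosts'
+)
+
+# Make sure all .anondist files in list are immutable
+immutableFilesEnable "${IMMUTABLE_FILES}"
+immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
+
+# Make sure we are using a copy of the annondist file and if not
+# copy the annondist file and set it immutable
+copyAnondist "/etc/resolv.conf"
+copyAnondist "/etc/hosts"
+copyAnondist "/etc/hostname"
+
+# Replace IP addresses in known configuration files / scripts to
+# currently discovered one
+/usr/lib/whonix/init/replace-ips
+
+# Make sure hostname is correct
+/bin/hostname host
+
+if [ "${WHONIX}" == "gateway" ]; then
+# Make sure we remove whonixsetup.done if Tor is not enabled
+# to allow choice of repo and prevent whonixcheck errors
+grep "^DisableNetwork 0$" /etc/tor/torrc || {
+rm -f /var/lib/whonix/do_once/whonixsetup.done
+}
+fi
+fi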
@ -0,0 +1,67 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
. /usr/lib/whonix/utility_functions
|
||||||
|
|
||||||
|
# Or just enable them :)
|
||||||
|
#ln -s '/lib/systemd/system/qubes-whonix-network.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-network.service'
|
||||||
|
#ln -s '/lib/systemd/system/qubes-whonix-firewall.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-firewall.service'
|
||||||
|
#ln -s '/lib/systemd/system/qubes-whonix-init.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-init.service'
|
||||||
|
|
||||||
|
|
||||||
|
INTERFACE="eth1"
|
||||||
|
|
||||||
|
if [ "${WHONIX}" == "gateway" ]; then
|
||||||
|
|
||||||
|
if [ -x /usr/sbin/xenstore-read ]; then
|
||||||
|
XENSTORE_READ="/usr/sbin/xenstore-read"
|
||||||
|
else
|
||||||
|
XENSTORE_READ="/usr/bin/xenstore-read"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Setup Xen / Qubes proxy
|
||||||
|
network=$(xenstore-read qubes-netvm-network 2>/dev/null)
|
||||||
|
if [ "x$network" != "x" ]; then
|
||||||
|
gateway=$(xenstore-read qubes-netvm-gateway)
|
||||||
|
netmask=$(xenstore-read qubes-netvm-netmask)
|
||||||
|
secondary_dns=$(xenstore-read qubes-netvm-secondary-dns)
|
||||||
|
modprobe netbk 2> /dev/null || modprobe xen-netback
|
||||||
|
echo "NS1=$gateway" > /var/run/qubes/qubes-ns
|
||||||
|
echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
|
||||||
|
#/usr/lib/qubes/qubes-setup-dnat-to-ns
|
||||||
|
echo "0" > /proc/sys/net/ipv4/ip_forward
|
||||||
|
/sbin/ethtool -K eth0 sg off || :
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Now, assign it the netvm-gateway IP address
|
||||||
|
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
|
||||||
|
if [ x${ip} != x ]; then
|
||||||
|
# Create a dummy eth1 interface so tor can bind to it if there
|
||||||
|
# are no DOMU virtual machines connected at the moment
|
||||||
|
/sbin/ip link add ${INTERFACE} type dummy
|
||||||
|
|
||||||
|
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
|
||||||
|
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
|
||||||
|
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
|
||||||
|
/sbin/ifconfig ${INTERFACE} up
|
||||||
|
/sbin/ethtool -K ${INTERFACE} sg off || true
|
||||||
|
/sbin/ethtool -K ${INTERFACE} tx off || true
|
||||||
|
|
||||||
|
ip link set ${INTERFACE} up
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "0" > /proc/sys/net/ipv4/ip_forward
|
||||||
|
|
||||||
|
# Allow whonix-gateway to act as an update-proxy
|
||||||
|
touch /var/run/qubes-service/qubes-updates-proxy
|
||||||
|
#systemctl stop qubes-updates-proxy.service
|
||||||
|
|
||||||
|
# Search and replace tinyproxy error files so we can inject code that
|
||||||
|
# we can use to identify that its a tor proxy so updates are secure
|
||||||
|
error_file="/usr/share/tinyproxy/default.html"
|
||||||
|
grep -q "${PROXY_META}" "${error_file}" || {
|
||||||
|
sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
|
||||||
|
}
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Copy firewall script so Qubes will reload it when it reloads
|
||||||
|
cp -pf /usr/lib/whonix/init/qubes-firewall-user-script /rw/config/qubes-firewall-user-script
|
@ -0,0 +1,47 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
. /usr/lib/whonix/utility_functions
|
||||||
|
|
||||||
|
if [ "${WHONIX}" != "template" ]; then
|
||||||
|
# Make sure IP forwarding is disabled
|
||||||
|
echo "0" > /proc/sys/net/ipv4/ip_forward
|
||||||
|
|
||||||
|
if [ -x /usr/sbin/xenstore-read ]; then
|
||||||
|
XENSTORE_READ="/usr/sbin/xenstore-read"
|
||||||
|
else
|
||||||
|
XENSTORE_READ="/usr/bin/xenstore-read"
|
||||||
|
fi
|
||||||
|
|
||||||
|
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
|
||||||
|
|
||||||
|
# Start Whonix Firewall
|
||||||
|
if [ "${WHONIX}" == "gateway" ]; then
|
||||||
|
export INT_IF="vif+"
|
||||||
|
export INT_TIF="vif+"
|
||||||
|
|
||||||
|
# Inject custom firewall rules into whonix_firewall
|
||||||
|
sed -i -f - /usr/bin/whonix_firewall <<-EOF
|
||||||
|
/^## IPv4 DROP INVALID INCOMING PACKAGES/,/######################################/c \\
|
||||||
|
## IPv4 DROP INVALID INCOMING PACKAGES \\
|
||||||
|
## \\
|
||||||
|
## --- THE FOLLOWING WS INJECTED --- \\
|
||||||
|
## Qubes Tiny Proxy Updater \\
|
||||||
|
iptables -t nat -N PR-QBS-SERVICES \\
|
||||||
|
iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
|
||||||
|
iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
|
||||||
|
iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
|
||||||
|
iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
|
||||||
|
\\
|
||||||
|
# Route any traffic FROM netvm TO netvm BACK-TO localhost \\
|
||||||
|
# Allows localhost access to tor network \\
|
||||||
|
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
|
||||||
|
######################################
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Load the firewall
|
||||||
|
# XXX: TODO: Take down all network accesss if firewall fails
|
||||||
|
/usr/bin/whonix_firewall
|
||||||
|
|
||||||
|
systemctl restart qubes-updates-proxy.service
|
||||||
|
fi
|
@ -1,78 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
. /usr/lib/whonix/utility_functions
|
|
||||||
|
|
||||||
if [ "${WHONIX}" == "gateway" ]; then
|
|
||||||
if [ -x /usr/sbin/xenstore-read ]; then
|
|
||||||
XENSTORE_READ="/usr/sbin/xenstore-read"
|
|
||||||
else
|
|
||||||
XENSTORE_READ="/usr/bin/xenstore-read"
|
|
||||||
fi
|
|
||||||
|
|
||||||
INTERFACE="eth1"
|
|
||||||
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
|
|
||||||
|
|
||||||
# Create a dummy eth1 interface so tor can bind to it if there
|
|
||||||
# are no DOMU virtual machines connected at the moment
|
|
||||||
ip link show ${INTERFACE} >> /dev/null || {
|
|
||||||
/sbin/ip link add ${INTERFACE} type dummy
|
|
||||||
|
|
||||||
# Now, assign it the netvm-gateway IP address
|
|
||||||
if [ x${ip} != x ]; then
|
|
||||||
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
|
|
||||||
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
|
|
||||||
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
|
|
||||||
/sbin/ifconfig ${INTERFACE} up
|
|
||||||
/sbin/ethtool -K ${INTERFACE} sg off || true
|
|
||||||
/sbin/ethtool -K ${INTERFACE} tx off || true
|
|
||||||
fi
|
|
||||||
|
|
||||||
ip link set ${INTERFACE} up
|
|
||||||
}
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "${WHONIX}" != "template" ]; then
|
|
||||||
# Files that will have the immutable bit set
|
|
||||||
# since we don't want them modified by other programs
|
|
||||||
IMMUTABLE_FILES=(
|
|
||||||
'/etc/resolv.conf'
|
|
||||||
'/etc/hostname'
|
|
||||||
'/etc/hosts'
|
|
||||||
)
|
|
||||||
|
|
||||||
# Make sure all .anondist files in list are immutable
|
|
||||||
immutableFilesEnable "${IMMUTABLE_FILES}"
|
|
||||||
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
|
|
||||||
|
|
||||||
# Make sure we are using a copy of the annondist file and if not
|
|
||||||
# copy the annondist file and set it immutable
|
|
||||||
copyAnondist "/etc/resolv.conf"
|
|
||||||
copyAnondist "/etc/hosts"
|
|
||||||
copyAnondist "/etc/hostname"
|
|
||||||
|
|
||||||
# Replace IP addresses in known configuration files / scripts to
|
|
||||||
# currently discovered one
|
|
||||||
/usr/lib/whonix/replace-ips
|
|
||||||
|
|
||||||
# Make sure hostname is correct
|
|
||||||
/bin/hostname host
|
|
||||||
|
|
||||||
# Start Whonix Firewall
|
|
||||||
if [ "${WHONIX}" == "gateway" ]; then
|
|
||||||
export INT_IF="vif+"
|
|
||||||
export INT_TIF="vif+"
|
|
||||||
fi
|
|
||||||
/usr/bin/whonix_firewall
|
|
||||||
|
|
||||||
if [ "${WHONIX}" == "gateway" ]; then
|
|
||||||
# Route any traffic FROM netvm TO netvm BACK-TO localhost
|
|
||||||
# Allows localhost access to tor network
|
|
||||||
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Make sure we remove whonixsetup.done if Tor is not enabled
|
|
||||||
# to allow choice of repo and prevent whonixcheck errors
|
|
||||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
|
||||||
rm -f /var/lib/whonix/do_once/whonixsetup.done
|
|
||||||
}
|
|
||||||
fi
|
|
@ -1,95 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
. /usr/lib/whonix/utility_functions
|
|
||||||
|
|
||||||
#sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
|
|
||||||
#disable_sysv tor
|
|
||||||
#disable_sysv sdwdate
|
|
||||||
|
|
||||||
iptables -F
|
|
||||||
iptables -t nat -F
|
|
||||||
|
|
||||||
LOG_IP4=1
|
|
||||||
LOG_IP6=0
|
|
||||||
|
|
||||||
# for IPv4
|
|
||||||
if [ "$LOG_IP4" == "1" ]; then
|
|
||||||
iptables -t raw -A OUTPUT -p icmp -j TRACE
|
|
||||||
iptables -t raw -A PREROUTING -p icmp -j TRACE
|
|
||||||
modprobe ipt_LOG
|
|
||||||
fi
|
|
||||||
|
|
||||||
# for IPv6
|
|
||||||
if [ "$LOG_IP6" == "1" ]; then
|
|
||||||
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE
|
|
||||||
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE
|
|
||||||
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE
|
|
||||||
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
|
|
||||||
modprobe ip6t_LOG
|
|
||||||
fi
|
|
||||||
|
|
||||||
sysctl -w net.ipv4.ip_forward=1
|
|
||||||
|
|
||||||
iptables -A FORWARD -i eth0 -j ACCEPT
|
|
||||||
iptables -A FORWARD -o eth0 -j ACCEPT
|
|
||||||
iptables -A FORWARD -i lo -j ACCEPT
|
|
||||||
iptables -A FORWARD -o lo -j ACCEPT
|
|
||||||
|
|
||||||
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
|
||||||
|
|
||||||
#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
|
|
||||||
#iptables -t nat -A OUTPUT -p tcp -s 10.137.255.254 --sport 8082 -j DNAT --to-destination 127.0.0.1:9105
|
|
||||||
#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
|
|
||||||
#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.1 --dport 9105 -j DNAT --to-destination 10.137.255.254:8082
|
|
||||||
#iptables -t nat -A OUTPUT -p tcp --dport 9105 -j DNAT --to-destination 10.137.255.254:8082
|
|
||||||
#iptables -t nat -A OUTPUT -p tcp --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
|
|
||||||
#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
|
|
||||||
|
|
||||||
|
|
||||||
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082
|
|
||||||
#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082
|
|
||||||
|
|
||||||
#iptables -t nat -A INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT"
|
|
||||||
#iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT"
|
|
||||||
|
|
||||||
#iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 9105 -j ACCEPT
|
|
||||||
#iptables -t nat -A OUTPUT -o lo -p tcp --dport 9105 -j ACCEPT
|
|
||||||
#iptables -t nat -A PREROUTING -i lo -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
|
|
||||||
#iptables -t nat -A PREROUTING -i eth0 -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
|
|
||||||
#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j REDIRECT --to-destination 10.137.255.254:8082
|
|
||||||
#iptables -t nat -A PREROUTING -p tcp --dport 8082 -i eth0 -j DNAT --to 10.137.255.254:8082
|
|
||||||
#iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT --to 10.137.255.254:8082
|
|
||||||
#iptables -t nat -A PREROUTING -p tcp -i lo -j DNAT --to 10.137.255.254:8082
|
|
||||||
|
|
||||||
#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
|
|
||||||
#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
|
|
||||||
|
|
||||||
#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254
|
|
||||||
#iptables -t nat -A PREROUTING -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254
|
|
||||||
#iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254
|
|
||||||
#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254
|
|
||||||
|
|
||||||
# Works
|
|
||||||
# localhost/loopback maps localhost port 8082 to localhost port 8888
|
|
||||||
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888
|
|
||||||
|
|
||||||
# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
|
|
||||||
#iptables -t nat -A PREROUTING --dst 127.0.0.1 -p tcp --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
|
|
||||||
#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j DNAT --to-destination 10.137.255.254:8082
|
|
||||||
#iptables -t nat -A OUTPUT -p udp -d 10.137.2.1 --dport 52 -j DNAT --to-destination 10.137.255.254:8082
|
|
||||||
|
|
||||||
# Remap ALL traffic
|
|
||||||
#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
|
|
||||||
#iptables -t nat -A OUTPUT -p udp -j DNAT --to-destination 10.137.255.254:8082
|
|
||||||
|
|
||||||
|
|
||||||
#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j REDIRECT --to-port 9105
|
|
||||||
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105
|
|
||||||
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105
|
|
||||||
|
|
||||||
#iptables -v -L
|
|
||||||
#iptables -v -t nat -L
|
|
||||||
#telnet 127.0.0.1 9105
|
|
||||||
#telnet 10.137.2.1 8082
|
|
||||||
#telnet 127.0.0.1 8082
|
|
||||||
#tail -100 /var/log/kern.log
|
|
@ -5,6 +5,41 @@ user::rwx
|
|||||||
group::r-x
|
group::r-x
|
||||||
other::r-x
|
other::r-x
|
||||||
|
|
||||||
|
# file: lib
|
||||||
|
# owner: root
|
||||||
|
# group: root
|
||||||
|
user::rwx
|
||||||
|
group::r-x
|
||||||
|
other::r-x
|
||||||
|
|
||||||
|
# file: lib/systemd
|
||||||
|
# owner: root
|
||||||
|
# group: root
|
||||||
|
user::rwx
|
||||||
|
group::r-x
|
||||||
|
other::r-x
|
||||||
|
|
||||||
|
# file: lib/systemd/system
|
||||||
|
# owner: root
|
||||||
|
# group: root
|
||||||
|
user::rwx
|
||||||
|
group::r-x
|
||||||
|
other::r-x
|
||||||
|
|
||||||
|
# file: lib/systemd/system/qubes-whonix-firewall.service
|
||||||
|
# owner: root
|
||||||
|
# group: root
|
||||||
|
user::rw-
|
||||||
|
group::r--
|
||||||
|
other::r--
|
||||||
|
|
||||||
|
# file: lib/systemd/system/qubes-whonix-network.service
|
||||||
|
# owner: root
|
||||||
|
# group: root
|
||||||
|
user::rw-
|
||||||
|
group::r--
|
||||||
|
other::r--
|
||||||
|
|
||||||
# file: etc
|
# file: etc
|
||||||
# owner: root
|
# owner: root
|
||||||
# group: root
|
# group: root
|
||||||
@ -54,27 +89,6 @@ user::rw-
|
|||||||
group::r--
|
group::r--
|
||||||
other::r--
|
other::r--
|
||||||
|
|
||||||
# file: etc/udev
|
|
||||||
# owner: root
|
|
||||||
# group: root
|
|
||||||
user::rwx
|
|
||||||
group::r-x
|
|
||||||
other::r-x
|
|
||||||
|
|
||||||
# file: etc/udev/rules.d
|
|
||||||
# owner: root
|
|
||||||
# group: root
|
|
||||||
user::rwx
|
|
||||||
group::r-x
|
|
||||||
other::r-x
|
|
||||||
|
|
||||||
# file: etc/udev/rules.d/99-qubes-whonix.rules
|
|
||||||
# owner: root
|
|
||||||
# group: root
|
|
||||||
user::rw-
|
|
||||||
group::r--
|
|
||||||
other::r--
|
|
||||||
|
|
||||||
# file: etc/hostname
|
# file: etc/hostname
|
||||||
# owner: root
|
# owner: root
|
||||||
# group: root
|
# group: root
|
||||||
@ -131,7 +145,42 @@ user::rwx
|
|||||||
group::r-x
|
group::r-x
|
||||||
other::r-x
|
other::r-x
|
||||||
|
|
||||||
# file: usr/lib/whonix/setup-ip
|
# file: usr/lib/whonix/whonix.sh
|
||||||
|
# owner: root
|
||||||
|
# group: root
|
||||||
|
user::rwx
|
||||||
|
group::r-x
|
||||||
|
other::r-x
|
||||||
|
|
||||||
|
# file: usr/lib/whonix/init
|
||||||
|
# owner: root
|
||||||
|
# group: root
|
||||||
|
user::rwx
|
||||||
|
group::r-x
|
||||||
|
other::r-x
|
||||||
|
|
||||||
|
# file: usr/lib/whonix/init/replace-ips
|
||||||
|
# owner: root
|
||||||
|
# group: root
|
||||||
|
user::rwx
|
||||||
|
group::r-x
|
||||||
|
other::r-x
|
||||||
|
|
||||||
|
# file: usr/lib/whonix/init/init.sh
|
||||||
|
# owner: root
|
||||||
|
# group: root
|
||||||
|
user::rwx
|
||||||
|
group::r-x
|
||||||
|
other::r-x
|
||||||
|
|
||||||
|
# file: usr/lib/whonix/init/network-proxy-setup.sh
|
||||||
|
# owner: root
|
||||||
|
# group: root
|
||||||
|
user::rwx
|
||||||
|
group::r-x
|
||||||
|
other::r-x
|
||||||
|
|
||||||
|
# file: usr/lib/whonix/init/qubes-firewall-user-script
|
||||||
# owner: root
|
# owner: root
|
||||||
# group: root
|
# group: root
|
||||||
user::rwx
|
user::rwx
|
||||||
@ -145,13 +194,6 @@ user::rw-
|
|||||||
group::r--
|
group::r--
|
||||||
other::r--
|
other::r--
|
||||||
|
|
||||||
# file: usr/lib/whonix/replace-ips
|
|
||||||
# owner: root
|
|
||||||
# group: root
|
|
||||||
user::rwx
|
|
||||||
group::r-x
|
|
||||||
other::r-x
|
|
||||||
|
|
||||||
# file: usr/lib/whonix/alert
|
# file: usr/lib/whonix/alert
|
||||||
# owner: root
|
# owner: root
|
||||||
# group: root
|
# group: root
|
||||||
|
@ -1 +0,0 @@
|
|||||||
SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/whonix/setup-ip"
|
|
@ -0,0 +1,14 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Qubes Whonix firewall updater
|
||||||
|
After=qubes-whonix-network.service
|
||||||
|
Before=network.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
RemainAfterExit=yes
|
||||||
|
ExecStartPre=/usr/lib/whonix/init/init.sh
|
||||||
|
ExecStart=/usr/lib/whonix/init/qubes-firewall-user-script
|
||||||
|
StandardOutput=syslog
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
@ -0,0 +1,14 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Qubes Whonix network proxy setup
|
||||||
|
ConditionPathExists=/var/run/qubes-service/qubes-network
|
||||||
|
Before=network.target
|
||||||
|
After=qubes-firewall.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
RemainAfterExit=yes
|
||||||
|
ExecStart=/usr/lib/whonix/init/network-proxy-setup.sh
|
||||||
|
StandardOutput=syslog
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
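--- /dev/null
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/init.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+. /usr/lib/whonix/utility_functions
+
+if [ "${WHONIX}" != "template" ]; then
+# Files that will have the immutable bit set
+# since we don't want them modified by other programs
+IMMUTABLE_FILES=(
+'/etc/resolv.conf'
+'/etc/hostname'
+'/etc/hosts'
+)
+
+# Make sure all .anondist files in list are immutable
+immutableFilesEnable "${IMMUTABLE_FILES}"
+immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
+
+# Make sure we are using a copy of the annondist file and if not
+# copy the annondist file and set it immutable
+copyAnondist "/etc/resolv.conf"
+copyAnondist "/etc/hosts"
+copyAnondist "/etc/hostname"
+
+# Replace IP addresses in known configuration files / scripts to
+# currently discovered one
+/usr/lib/whonix/init/replace-ips
+
+# Make sure hostname is correct
+/bin/hostname host
+
+if [ "${WHONIX}" == "gateway" ]; then
+# Make sure we remove whonixsetup.done if Tor is not enabled
+# to allow choice of repo and prevent whonixcheck errors
+grep "^DisableNetwork 0$" /etc/tor/torrc || {
+rm -f /var/lib/whonix/do_once/whonixsetup.done
+}
+fi
+fi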
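Review bot: `immutableFilesEnable "${IMMUTABLE_FILES}"` and the `.anondist` call right after it pass only the first array element, `/etc/resolv.conf`, because `"${arr}"` without `[@]` expands to element 0 — so `/etc/hostname` and `/etc/hosts` are never given the immutable bit the comment "Make sure all .anondist files in list are immutable" promises, unless immutableFilesEnable (in utility_functions, not visible here) re-expands the array by name. The fix is `immutableFilesEnable "${IMMUTABLE_FILES[@]}"` if the helper loops over positional paths, or `"${IMMUTABLE_FILES[*]}"` if it takes one whitespace-separated list followed by the suffix; which one applies depends on the helper's signature. The same expansion existed in the deleted setup script, so this is carried over rather than introduced, but since this file now runs as ExecStartPre of the firewall unit it is the right place to correct it. Separately, `grep "^DisableNetwork 0$" /etc/tor/torrc` echoes the matched line into the unit's syslog output; `grep -q` keeps the same exit status silently.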
@ -0,0 +1,67 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
. /usr/lib/whonix/utility_functions
|
||||||
|
|
||||||
|
# Or just enable them :)
|
||||||
|
#ln -s '/lib/systemd/system/qubes-whonix-network.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-network.service'
|
||||||
|
#ln -s '/lib/systemd/system/qubes-whonix-firewall.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-firewall.service'
|
||||||
|
#ln -s '/lib/systemd/system/qubes-whonix-init.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-init.service'
|
||||||
|
|
||||||
|
|
||||||
|
INTERFACE="eth1"
|
||||||
|
|
||||||
|
if [ "${WHONIX}" == "gateway" ]; then
|
||||||
|
|
||||||
|
if [ -x /usr/sbin/xenstore-read ]; then
|
||||||
|
XENSTORE_READ="/usr/sbin/xenstore-read"
|
||||||
|
else
|
||||||
|
XENSTORE_READ="/usr/bin/xenstore-read"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Setup Xen / Qubes proxy
|
||||||
|
network=$(xenstore-read qubes-netvm-network 2>/dev/null)
|
||||||
|
if [ "x$network" != "x" ]; then
|
||||||
|
gateway=$(xenstore-read qubes-netvm-gateway)
|
||||||
|
netmask=$(xenstore-read qubes-netvm-netmask)
|
||||||
|
secondary_dns=$(xenstore-read qubes-netvm-secondary-dns)
|
||||||
|
modprobe netbk 2> /dev/null || modprobe xen-netback
|
||||||
|
echo "NS1=$gateway" > /var/run/qubes/qubes-ns
|
||||||
|
echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
|
||||||
|
#/usr/lib/qubes/qubes-setup-dnat-to-ns
|
||||||
|
echo "0" > /proc/sys/net/ipv4/ip_forward
|
||||||
|
/sbin/ethtool -K eth0 sg off || :
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Now, assign it the netvm-gateway IP address
|
||||||
|
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
|
||||||
|
if [ x${ip} != x ]; then
|
||||||
|
# Create a dummy eth1 interface so tor can bind to it if there
|
||||||
|
# are no DOMU virtual machines connected at the moment
|
||||||
|
/sbin/ip link add ${INTERFACE} type dummy
|
||||||
|
|
||||||
|
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
|
||||||
|
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
|
||||||
|
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
|
||||||
|
/sbin/ifconfig ${INTERFACE} up
|
||||||
|
/sbin/ethtool -K ${INTERFACE} sg off || true
|
||||||
|
/sbin/ethtool -K ${INTERFACE} tx off || true
|
||||||
|
|
||||||
|
ip link set ${INTERFACE} up
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "0" > /proc/sys/net/ipv4/ip_forward
|
||||||
|
|
||||||
|
# Allow whonix-gateway to act as an update-proxy
|
||||||
|
touch /var/run/qubes-service/qubes-updates-proxy
|
||||||
|
#systemctl stop qubes-updates-proxy.service
|
||||||
|
|
||||||
|
# Search and replace tinyproxy error files so we can inject code that
|
||||||
|
# we can use to identify that its a tor proxy so updates are secure
|
||||||
|
error_file="/usr/share/tinyproxy/default.html"
|
||||||
|
grep -q "${PROXY_META}" "${error_file}" || {
|
||||||
|
sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
|
||||||
|
}
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Copy firewall script so Qubes will reload it when it reloads
|
||||||
|
cp -pf /usr/lib/whonix/init/qubes-firewall-user-script /rw/config/qubes-firewall-user-script
|
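Review bot: `network=$(xenstore-read qubes-netvm-network 2>/dev/null)` and the three reads below it call bare `xenstore-read` even though `XENSTORE_READ` was just resolved to /usr/sbin or /usr/bin a few lines earlier and is used for the later `qubes-netvm-gateway` read; if the binary is not on the unit's PATH, `network` is empty and the qubes-ns file, netback modprobe and ethtool step are skipped silently. Use `network=$(${XENSTORE_READ} qubes-netvm-network 2>/dev/null)` and the same for `gateway`, `netmask` and `secondary_dns`. The `sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/"` line also needs no `sudo` under a root systemd service, and `${PROXY_META}` (defined in utility_functions, not shown) is dropped unescaped into the sed replacement, so any `/`, `&` or `\` in it would corrupt the tinyproxy error page instead of tagging it; a comment noting that it must be a sed-safe literal would help whoever edits it next. Finally, the `ip link show` guard the deleted script had before `ip link add ${INTERFACE} type dummy` is gone, so a restart of this oneshot unit now logs a "File exists" error on that line.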
@ -0,0 +1,47 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
. /usr/lib/whonix/utility_functions
|
||||||
|
|
||||||
|
if [ "${WHONIX}" != "template" ]; then
|
||||||
|
# Make sure IP forwarding is disabled
|
||||||
|
echo "0" > /proc/sys/net/ipv4/ip_forward
|
||||||
|
|
||||||
|
if [ -x /usr/sbin/xenstore-read ]; then
|
||||||
|
XENSTORE_READ="/usr/sbin/xenstore-read"
|
||||||
|
else
|
||||||
|
XENSTORE_READ="/usr/bin/xenstore-read"
|
||||||
|
fi
|
||||||
|
|
||||||
|
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
|
||||||
|
|
||||||
|
# Start Whonix Firewall
|
||||||
|
if [ "${WHONIX}" == "gateway" ]; then
|
||||||
|
export INT_IF="vif+"
|
||||||
|
export INT_TIF="vif+"
|
||||||
|
|
||||||
|
# Inject custom firewall rules into whonix_firewall
|
||||||
|
sed -i -f - /usr/bin/whonix_firewall <<-EOF
|
||||||
|
/^## IPv4 DROP INVALID INCOMING PACKAGES/,/######################################/c \\
|
||||||
|
## IPv4 DROP INVALID INCOMING PACKAGES \\
|
||||||
|
## \\
|
||||||
|
## --- THE FOLLOWING WS INJECTED --- \\
|
||||||
|
## Qubes Tiny Proxy Updater \\
|
||||||
|
iptables -t nat -N PR-QBS-SERVICES \\
|
||||||
|
iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
|
||||||
|
iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
|
||||||
|
iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
|
||||||
|
iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
|
||||||
|
\\
|
||||||
|
# Route any traffic FROM netvm TO netvm BACK-TO localhost \\
|
||||||
|
# Allows localhost access to tor network \\
|
||||||
|
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
|
||||||
|
######################################
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Load the firewall
|
||||||
|
# XXX: TODO: Take down all network accesss if firewall fails
|
||||||
|
/usr/bin/whonix_firewall
|
||||||
|
|
||||||
|
systemctl restart qubes-updates-proxy.service
|
||||||
|
fi
|
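Review bot: The `sed -i -f - /usr/bin/whonix_firewall` edit uses `c\` over the range from `## IPv4 DROP INVALID INCOMING PACKAGES` to the next `######` line, so it replaces rather than supplements whatever rules whonix_firewall keeps in that section; if, as the heading suggests, those are the invalid-packet DROP rules (the file is not visible here), they are removed from the gateway's rule set every time this script runs. Inserting the Qubes block before the heading instead, `/^## IPv4 DROP INVALID INCOMING PACKAGES/i \\` with the original heading line dropped from the injected text, keeps the section intact, and a `grep -q 'Qubes Tiny Proxy Updater' /usr/bin/whonix_firewall ||` guard keeps it idempotent. Patching a file under /usr/bin in place also means a package update of whonix_firewall will either undo or conflict with this edit, which deserves a comment in the script. The `/usr/bin/whonix_firewall` call below the XXX/TODO runs unchecked; until that TODO is addressed, `/usr/bin/whonix_firewall || exit 1` at least fails the unit visibly instead of restarting the updates proxy on top of a half-applied rule set.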
@ -1,78 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
. /usr/lib/whonix/utility_functions
|
|
||||||
|
|
||||||
if [ "${WHONIX}" == "gateway" ]; then
|
|
||||||
if [ -x /usr/sbin/xenstore-read ]; then
|
|
||||||
XENSTORE_READ="/usr/sbin/xenstore-read"
|
|
||||||
else
|
|
||||||
XENSTORE_READ="/usr/bin/xenstore-read"
|
|
||||||
fi
|
|
||||||
|
|
||||||
INTERFACE="eth1"
|
|
||||||
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
|
|
||||||
|
|
||||||
# Create a dummy eth1 interface so tor can bind to it if there
|
|
||||||
# are no DOMU virtual machines connected at the moment
|
|
||||||
ip link show ${INTERFACE} >> /dev/null || {
|
|
||||||
/sbin/ip link add ${INTERFACE} type dummy
|
|
||||||
|
|
||||||
# Now, assign it the netvm-gateway IP address
|
|
||||||
if [ x${ip} != x ]; then
|
|
||||||
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
|
|
||||||
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
|
|
||||||
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
|
|
||||||
/sbin/ifconfig ${INTERFACE} up
|
|
||||||
/sbin/ethtool -K ${INTERFACE} sg off || true
|
|
||||||
/sbin/ethtool -K ${INTERFACE} tx off || true
|
|
||||||
fi
|
|
||||||
|
|
||||||
ip link set ${INTERFACE} up
|
|
||||||
}
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "${WHONIX}" != "template" ]; then
|
|
||||||
# Files that will have the immutable bit set
|
|
||||||
# since we don't want them modified by other programs
|
|
||||||
IMMUTABLE_FILES=(
|
|
||||||
'/etc/resolv.conf'
|
|
||||||
'/etc/hostname'
|
|
||||||
'/etc/hosts'
|
|
||||||
)
|
|
||||||
|
|
||||||
# Make sure all .anondist files in list are immutable
|
|
||||||
immutableFilesEnable "${IMMUTABLE_FILES}"
|
|
||||||
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
|
|
||||||
|
|
||||||
# Make sure we are using a copy of the annondist file and if not
|
|
||||||
# copy the annondist file and set it immutable
|
|
||||||
copyAnondist "/etc/resolv.conf"
|
|
||||||
copyAnondist "/etc/hosts"
|
|
||||||
copyAnondist "/etc/hostname"
|
|
||||||
|
|
||||||
# Replace IP addresses in known configuration files / scripts to
|
|
||||||
# currently discovered one
|
|
||||||
/usr/lib/whonix/replace-ips
|
|
||||||
|
|
||||||
# Make sure hostname is correct
|
|
||||||
/bin/hostname host
|
|
||||||
|
|
||||||
# Start Whonix Firewall
|
|
||||||
if [ "${WHONIX}" == "gateway" ]; then
|
|
||||||
export INT_IF="vif+"
|
|
||||||
export INT_TIF="vif+"
|
|
||||||
fi
|
|
||||||
/usr/bin/whonix_firewall
|
|
||||||
|
|
||||||
if [ "${WHONIX}" == "gateway" ]; then
|
|
||||||
# Route any traffic FROM netvm TO netvm BACK-TO localhost
|
|
||||||
# Allows localhost access to tor network
|
|
||||||
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Make sure we remove whonixsetup.done if Tor is not enabled
|
|
||||||
# to allow choice of repo and prevent whonixcheck errors
|
|
||||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
|
||||||
rm -f /var/lib/whonix/do_once/whonixsetup.done
|
|
||||||
}
|
|
||||||
fi
|
|