debian: Whonix modifications due to new postinit in core-agent-linux module

This commit is contained in:
Jason Mehring 2014-11-07 00:00:57 -05:00
parent 88cf6f8b59
commit 4e7dbfcb06
23 changed files with 496 additions and 502 deletions

View File

@ -1,106 +0,0 @@
=====================================================================
These are my original notes for steps to intergrate Whonix into Qubes
=====================================================================
Read README.whonix qubes-builder package for build instructions
None of the notes below apply at this point but I am saving them
until whonix intergration is complete since there still may be some
valid steps I will need to intergrate ubuntu as well
=====================================================================
# Build depends
sudo yum install rpmdevtools rpm-build createrepo rpm-sign
# Additional for debian template
sudo yum install debootstrap dpkg-dev
# Build
# https://qubes-os.org/wiki/BuildingArchlinuxTemplate
# ---------------------------------------------------
clean all
clean all rpms
sudo umount chroot-wheezy/proc
sudo rm -r chroot-wheezy
cd qubes-src/linus-template-builder
sudo umount mnt
sudo rm prepared_images/...
make get-sources
make vmm-xen-vm
make core-vchan-xen-vm
make linux-utils-vm
make core-agent-linux-vm
make gui-common-vm
make gui-agent-linux-vm
make linux-template-builder
# builder.conf
# ------------
GIT_SUBDIR=marmarek
COMPONENTS:=$(filter-out desktop-linux-kde desktop-linux-xfce,$(COMPONENTS))
DISTS_VM=wheezy
NO_SIGN="1"
DEBUG="1"
VERBOSE=2
# Changed (XXX: Marks the spot!)
# ------------------------------
# Makefile.debian
# - wheezy repo dir does not get created...
# prepare-chroot-debian
# - chroot /dev/null should be 0666
# Wheezy needs a keyring
# ----------------------
# Create in keys_debian
# Get from https://ftp-master.debian.org/keys.html
gpg --no-default-keyring --keyring=wheezy-debian-archive-keyring.gpg --import wheezy-archive-key-7.0.asc
# move from /user/home/.gnupgp to keys_debian
# Wheezy Hacks
# ------------
# Need 2.0 pulse audio drivers
# *add to source list*
cd qubes-src
git clone --branch v2.0 git://anongit.freedesktop.org/pulseaudio/pulseaudio
cp -prf pulseaudio/src/pulsecore gui-agent-linux/pulse/pulsecore-2.0
cd ..
# Add to...
# module-vchan-sink-symdef.h
#elif PA_CHECK_VERSION(2,0,0)
bool pa__load_once(void);
# Add to..
# Makefile
# Build errors - template
# -----------------------
make[1]: *** [update-repo] Error 32
make: *** [linux-template-builder] Error 1
mount: mount(2) failed: No such file or directory
- remove all mounts and try again. Some mounts may need to be tried multiple times
$ sudo umount chroot-wheezy/proc/
$ sudo umount chroot-wheezy/proc/
umount: chroot-wheezy/proc/: not mounted
$ sudo umount chroot-wheezy/tmp/qubes-apt-repo/
$ sudo umount chroot-wheezy/tmp/qubes-apt-repo/
umount: chroot-wheezy/tmp/qubes-apt-repo/: not mounted
$ sudo umount chroot-wheezy/tmp/qubes-deb/
$ sudo umount chroot-wheezy/tmp/qubes-deb/
$ sudo umount chroot-wheezy/tmp/qubes-deb/
umount: chroot-wheezy/tmp/qubes-deb/: not mounted

View File

@ -1,26 +0,0 @@
#!/bin/bash
# vim: set ts=4 sw=4 sts=4 et :
#
# Whonix Post Install Steps (after qubes install)
#
# ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
# ------------------------------------------------------------------------------
# Disable gnome network-manager since it will prevent networking
# ------------------------------------------------------------------------------
debug "Disabling gnome network-manager"
chroot "${INSTALLDIR}" systemctl disable network-manager

View File

@ -1,42 +0,0 @@
# file: .
# owner: user
# group: user
user::rwx
group::r-x
other::r-x
# file: etc
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/udev
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/udev/rules.d
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/udev/rules.d/xen-backend.rules
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/udev/rules.d/98-kexec.rules
# owner: root
# group: root
user::rw-
group::r--
other::r--

View File

@ -1,16 +0,0 @@
SUBSYSTEM=="xen-backend", KERNEL=="tap*", RUN+="/etc/xen/scripts/blktap $env{ACTION}"
SUBSYSTEM=="xen-backend", KERNEL=="vbd*", RUN+="/etc/xen/scripts/block $env{ACTION}"
SUBSYSTEM=="xen-backend", KERNEL=="vtpm*", RUN+="/etc/xen/scripts/vtpm $env{ACTION}"
SUBSYSTEM=="xen-backend", KERNEL=="vif2-*", RUN+="/etc/xen/scripts/vif2 $env{ACTION}"
SUBSYSTEM=="xen-backend", KERNEL=="vif-*", ACTION=="online", RUN+="/etc/xen/scripts/vif-setup online type_if=vif"
SUBSYSTEM=="xen-backend", KERNEL=="vif-*", ACTION=="offline", RUN+="/etc/xen/scripts/vif-setup offline type_if=vif"
SUBSYSTEM=="xen-backend", KERNEL=="vscsi*", RUN+="/etc/xen/scripts/vscsi $env{ACTION}"
SUBSYSTEM=="xen-backend", ACTION=="remove", RUN+="/etc/xen/scripts/xen-hotplug-cleanup"
KERNEL=="evtchn", NAME="xen/%k"
SUBSYSTEM=="xen", KERNEL=="blktap[0-9]*", NAME="xen/%k", MODE="0600"
SUBSYSTEM=="blktap2", KERNEL=="blktap[0-9]*", NAME="xen/blktap-2/%k", MODE="0600"
KERNEL=="blktap-control", NAME="xen/blktap-2/control", MODE="0600"
KERNEL=="gntdev", NAME="xen/%k", MODE="0600"
KERNEL=="pci_iomul", NAME="xen/%k", MODE="0600"
KERNEL=="tapdev[a-z]*", NAME="xen/blktap-2/tapdev%m", MODE="0600"
SUBSYSTEM=="net", KERNEL=="tap*", ACTION=="add", RUN+="/etc/xen/scripts/vif-setup $env{ACTION} type_if=tap"

View File

@ -5,6 +5,41 @@ user::rwx
group::r-x group::r-x
other::r-x other::r-x
# file: lib
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: lib/systemd
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: lib/systemd/system
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: lib/systemd/system/qubes-whonix-firewall.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: lib/systemd/system/qubes-whonix-network.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc # file: etc
# owner: root # owner: root
# group: root # group: root
@ -75,27 +110,6 @@ user::rw-
group::r-- group::r--
other::r-- other::r--
# file: etc/udev
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/udev/rules.d
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/udev/rules.d/99-qubes-whonix.rules
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/hostname # file: etc/hostname
# owner: root # owner: root
# group: root # group: root
@ -152,14 +166,42 @@ user::rwx
group::r-x group::r-x
other::r-x other::r-x
# file: usr/lib/whonix/setup-ip # file: usr/lib/whonix/whonix.sh
# owner: root # owner: root
# group: root # group: root
user::rwx user::rwx
group::r-x group::r-x
other::r-x other::r-x
# file: usr/lib/whonix/tests.sh # file: usr/lib/whonix/init
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/replace-ips
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/init.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/network-proxy-setup.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/qubes-firewall-user-script
# owner: root # owner: root
# group: root # group: root
user::rwx user::rwx
@ -173,13 +215,6 @@ user::rw-
group::r-- group::r--
other::r-- other::r--
# file: usr/lib/whonix/replace-ips
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/alert # file: usr/lib/whonix/alert
# owner: root # owner: root
# group: root # group: root

View File

@ -1 +0,0 @@
SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/whonix/setup-ip"

View File

@ -0,0 +1,14 @@
[Unit]
Description=Qubes Whonix firewall updater
After=qubes-whonix-network.service
Before=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStartPre=/usr/lib/whonix/init/init.sh
ExecStart=/usr/lib/whonix/init/qubes-firewall-user-script
StandardOutput=syslog
[Install]
WantedBy=multi-user.target

View File

@ -0,0 +1,14 @@
[Unit]
Description=Qubes Whonix network proxy setup
ConditionPathExists=/var/run/qubes-service/qubes-network
Before=network.target
After=qubes-firewall.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/whonix/init/network-proxy-setup.sh
StandardOutput=syslog
[Install]
WantedBy=multi-user.target

View File

@ -0,0 +1,38 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" != "template" ]; then
# Files that will have the immutable bit set
# since we don't want them modified by other programs
IMMUTABLE_FILES=(
'/etc/resolv.conf'
'/etc/hostname'
'/etc/hosts'
)
# Make sure all .anondist files in list are immutable
immutableFilesEnable "${IMMUTABLE_FILES}"
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
# Make sure we are using a copy of the annondist file and if not
# copy the annondist file and set it immutable
copyAnondist "/etc/resolv.conf"
copyAnondist "/etc/hosts"
copyAnondist "/etc/hostname"
# Replace IP addresses in known configuration files / scripts to
# currently discovered one
/usr/lib/whonix/init/replace-ips
# Make sure hostname is correct
/bin/hostname host
if [ "${WHONIX}" == "gateway" ]; then
# Make sure we remove whonixsetup.done if Tor is not enabled
# to allow choice of repo and prevent whonixcheck errors
grep "^DisableNetwork 0$" /etc/tor/torrc || {
rm -f /var/lib/whonix/do_once/whonixsetup.done
}
fi
fi

View File

@ -0,0 +1,67 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
# Or just enable them :)
#ln -s '/lib/systemd/system/qubes-whonix-network.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-network.service'
#ln -s '/lib/systemd/system/qubes-whonix-firewall.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-firewall.service'
#ln -s '/lib/systemd/system/qubes-whonix-init.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-init.service'
INTERFACE="eth1"
if [ "${WHONIX}" == "gateway" ]; then
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
# Setup Xen / Qubes proxy
network=$(xenstore-read qubes-netvm-network 2>/dev/null)
if [ "x$network" != "x" ]; then
gateway=$(xenstore-read qubes-netvm-gateway)
netmask=$(xenstore-read qubes-netvm-netmask)
secondary_dns=$(xenstore-read qubes-netvm-secondary-dns)
modprobe netbk 2> /dev/null || modprobe xen-netback
echo "NS1=$gateway" > /var/run/qubes/qubes-ns
echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
#/usr/lib/qubes/qubes-setup-dnat-to-ns
echo "0" > /proc/sys/net/ipv4/ip_forward
/sbin/ethtool -K eth0 sg off || :
fi
# Now, assign it the netvm-gateway IP address
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
if [ x${ip} != x ]; then
# Create a dummy eth1 interface so tor can bind to it if there
# are no DOMU virtual machines connected at the moment
/sbin/ip link add ${INTERFACE} type dummy
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
/sbin/ifconfig ${INTERFACE} up
/sbin/ethtool -K ${INTERFACE} sg off || true
/sbin/ethtool -K ${INTERFACE} tx off || true
ip link set ${INTERFACE} up
fi
echo "0" > /proc/sys/net/ipv4/ip_forward
# Allow whonix-gateway to act as an update-proxy
touch /var/run/qubes-service/qubes-updates-proxy
#systemctl stop qubes-updates-proxy.service
# Search and replace tinyproxy error files so we can inject code that
# we can use to identify that its a tor proxy so updates are secure
error_file="/usr/share/tinyproxy/default.html"
grep -q "${PROXY_META}" "${error_file}" || {
sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
}
fi
# Copy firewall script so Qubes will reload it when it reloads
cp -pf /usr/lib/whonix/init/qubes-firewall-user-script /rw/config/qubes-firewall-user-script

View File

@ -0,0 +1,47 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" != "template" ]; then
# Make sure IP forwarding is disabled
echo "0" > /proc/sys/net/ipv4/ip_forward
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
# Start Whonix Firewall
if [ "${WHONIX}" == "gateway" ]; then
export INT_IF="vif+"
export INT_TIF="vif+"
# Inject custom firewall rules into whonix_firewall
sed -i -f - /usr/bin/whonix_firewall <<-EOF
/^## IPv4 DROP INVALID INCOMING PACKAGES/,/######################################/c \\
## IPv4 DROP INVALID INCOMING PACKAGES \\
## \\
## --- THE FOLLOWING WS INJECTED --- \\
## Qubes Tiny Proxy Updater \\
iptables -t nat -N PR-QBS-SERVICES \\
iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
\\
# Route any traffic FROM netvm TO netvm BACK-TO localhost \\
# Allows localhost access to tor network \\
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
######################################
EOF
fi
# Load the firewall
# XXX: TODO: Take down all network accesss if firewall fails
/usr/bin/whonix_firewall
systemctl restart qubes-updates-proxy.service
fi

View File

@ -1,78 +0,0 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" == "gateway" ]; then
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
INTERFACE="eth1"
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
# Create a dummy eth1 interface so tor can bind to it if there
# are no DOMU virtual machines connected at the moment
ip link show ${INTERFACE} >> /dev/null || {
/sbin/ip link add ${INTERFACE} type dummy
# Now, assign it the netvm-gateway IP address
if [ x${ip} != x ]; then
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
/sbin/ifconfig ${INTERFACE} up
/sbin/ethtool -K ${INTERFACE} sg off || true
/sbin/ethtool -K ${INTERFACE} tx off || true
fi
ip link set ${INTERFACE} up
}
fi
if [ "${WHONIX}" != "template" ]; then
# Files that will have the immutable bit set
# since we don't want them modified by other programs
IMMUTABLE_FILES=(
'/etc/resolv.conf'
'/etc/hostname'
'/etc/hosts'
)
# Make sure all .anondist files in list are immutable
immutableFilesEnable "${IMMUTABLE_FILES}"
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
# Make sure we are using a copy of the annondist file and if not
# copy the annondist file and set it immutable
copyAnondist "/etc/resolv.conf"
copyAnondist "/etc/hosts"
copyAnondist "/etc/hostname"
# Replace IP addresses in known configuration files / scripts to
# currently discovered one
/usr/lib/whonix/replace-ips
# Make sure hostname is correct
/bin/hostname host
# Start Whonix Firewall
if [ "${WHONIX}" == "gateway" ]; then
export INT_IF="vif+"
export INT_TIF="vif+"
fi
/usr/bin/whonix_firewall
if [ "${WHONIX}" == "gateway" ]; then
# Route any traffic FROM netvm TO netvm BACK-TO localhost
# Allows localhost access to tor network
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1
fi
# Make sure we remove whonixsetup.done if Tor is not enabled
# to allow choice of repo and prevent whonixcheck errors
grep "^DisableNetwork 0$" /etc/tor/torrc || {
rm -f /var/lib/whonix/do_once/whonixsetup.done
}
fi

View File

@ -1,95 +0,0 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
#sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
#disable_sysv tor
#disable_sysv sdwdate
iptables -F
iptables -t nat -F
LOG_IP4=1
LOG_IP6=0
# for IPv4
if [ "$LOG_IP4" == "1" ]; then
iptables -t raw -A OUTPUT -p icmp -j TRACE
iptables -t raw -A PREROUTING -p icmp -j TRACE
modprobe ipt_LOG
fi
# for IPv6
if [ "$LOG_IP6" == "1" ]; then
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
modprobe ip6t_LOG
fi
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -o eth0 -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -o lo -j ACCEPT
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp -s 10.137.255.254 --sport 8082 -j DNAT --to-destination 127.0.0.1:9105
#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.1 --dport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp --dport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT"
#iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT"
#iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 9105 -j ACCEPT
#iptables -t nat -A OUTPUT -o lo -p tcp --dport 9105 -j ACCEPT
#iptables -t nat -A PREROUTING -i lo -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
#iptables -t nat -A PREROUTING -i eth0 -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j REDIRECT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp --dport 8082 -i eth0 -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp -i lo -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254
#iptables -t nat -A PREROUTING -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254
#iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254
#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254
# Works
# localhost/loopback maps localhost port 8082 to localhost port 8888
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888
# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING --dst 127.0.0.1 -p tcp --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p udp -d 10.137.2.1 --dport 52 -j DNAT --to-destination 10.137.255.254:8082
# Remap ALL traffic
#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p udp -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j REDIRECT --to-port 9105
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105
#iptables -v -L
#iptables -v -t nat -L
#telnet 127.0.0.1 9105
#telnet 10.137.2.1 8082
#telnet 127.0.0.1 8082
#tail -100 /var/log/kern.log

View File

@ -5,6 +5,41 @@ user::rwx
group::r-x group::r-x
other::r-x other::r-x
# file: lib
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: lib/systemd
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: lib/systemd/system
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: lib/systemd/system/qubes-whonix-firewall.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: lib/systemd/system/qubes-whonix-network.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc # file: etc
# owner: root # owner: root
# group: root # group: root
@ -54,27 +89,6 @@ user::rw-
group::r-- group::r--
other::r-- other::r--
# file: etc/udev
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/udev/rules.d
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/udev/rules.d/99-qubes-whonix.rules
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/hostname # file: etc/hostname
# owner: root # owner: root
# group: root # group: root
@ -131,7 +145,42 @@ user::rwx
group::r-x group::r-x
other::r-x other::r-x
# file: usr/lib/whonix/setup-ip # file: usr/lib/whonix/whonix.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/replace-ips
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/init.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/network-proxy-setup.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/qubes-firewall-user-script
# owner: root # owner: root
# group: root # group: root
user::rwx user::rwx
@ -145,13 +194,6 @@ user::rw-
group::r-- group::r--
other::r-- other::r--
# file: usr/lib/whonix/replace-ips
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/alert # file: usr/lib/whonix/alert
# owner: root # owner: root
# group: root # group: root

View File

@ -1 +0,0 @@
SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/whonix/setup-ip"

View File

@ -0,0 +1,14 @@
[Unit]
Description=Qubes Whonix firewall updater
After=qubes-whonix-network.service
Before=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStartPre=/usr/lib/whonix/init/init.sh
ExecStart=/usr/lib/whonix/init/qubes-firewall-user-script
StandardOutput=syslog
[Install]
WantedBy=multi-user.target

View File

@ -0,0 +1,14 @@
[Unit]
Description=Qubes Whonix network proxy setup
ConditionPathExists=/var/run/qubes-service/qubes-network
Before=network.target
After=qubes-firewall.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/whonix/init/network-proxy-setup.sh
StandardOutput=syslog
[Install]
WantedBy=multi-user.target

View File

@ -0,0 +1,38 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" != "template" ]; then
# Files that will have the immutable bit set
# since we don't want them modified by other programs
IMMUTABLE_FILES=(
'/etc/resolv.conf'
'/etc/hostname'
'/etc/hosts'
)
# Make sure all .anondist files in list are immutable
immutableFilesEnable "${IMMUTABLE_FILES}"
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
# Make sure we are using a copy of the annondist file and if not
# copy the annondist file and set it immutable
copyAnondist "/etc/resolv.conf"
copyAnondist "/etc/hosts"
copyAnondist "/etc/hostname"
# Replace IP addresses in known configuration files / scripts to
# currently discovered one
/usr/lib/whonix/init/replace-ips
# Make sure hostname is correct
/bin/hostname host
if [ "${WHONIX}" == "gateway" ]; then
# Make sure we remove whonixsetup.done if Tor is not enabled
# to allow choice of repo and prevent whonixcheck errors
grep "^DisableNetwork 0$" /etc/tor/torrc || {
rm -f /var/lib/whonix/do_once/whonixsetup.done
}
fi
fi

View File

@ -0,0 +1,67 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
# Or just enable them :)
#ln -s '/lib/systemd/system/qubes-whonix-network.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-network.service'
#ln -s '/lib/systemd/system/qubes-whonix-firewall.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-firewall.service'
#ln -s '/lib/systemd/system/qubes-whonix-init.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-init.service'
INTERFACE="eth1"
if [ "${WHONIX}" == "gateway" ]; then
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
# Setup Xen / Qubes proxy
network=$(xenstore-read qubes-netvm-network 2>/dev/null)
if [ "x$network" != "x" ]; then
gateway=$(xenstore-read qubes-netvm-gateway)
netmask=$(xenstore-read qubes-netvm-netmask)
secondary_dns=$(xenstore-read qubes-netvm-secondary-dns)
modprobe netbk 2> /dev/null || modprobe xen-netback
echo "NS1=$gateway" > /var/run/qubes/qubes-ns
echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
#/usr/lib/qubes/qubes-setup-dnat-to-ns
echo "0" > /proc/sys/net/ipv4/ip_forward
/sbin/ethtool -K eth0 sg off || :
fi
# Now, assign it the netvm-gateway IP address
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
if [ x${ip} != x ]; then
# Create a dummy eth1 interface so tor can bind to it if there
# are no DOMU virtual machines connected at the moment
/sbin/ip link add ${INTERFACE} type dummy
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
/sbin/ifconfig ${INTERFACE} up
/sbin/ethtool -K ${INTERFACE} sg off || true
/sbin/ethtool -K ${INTERFACE} tx off || true
ip link set ${INTERFACE} up
fi
echo "0" > /proc/sys/net/ipv4/ip_forward
# Allow whonix-gateway to act as an update-proxy
touch /var/run/qubes-service/qubes-updates-proxy
#systemctl stop qubes-updates-proxy.service
# Search and replace tinyproxy error files so we can inject code that
# we can use to identify that its a tor proxy so updates are secure
error_file="/usr/share/tinyproxy/default.html"
grep -q "${PROXY_META}" "${error_file}" || {
sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
}
fi
# Copy firewall script so Qubes will reload it when it reloads
cp -pf /usr/lib/whonix/init/qubes-firewall-user-script /rw/config/qubes-firewall-user-script

View File

@ -0,0 +1,47 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" != "template" ]; then
# Make sure IP forwarding is disabled
echo "0" > /proc/sys/net/ipv4/ip_forward
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
# Start Whonix Firewall
if [ "${WHONIX}" == "gateway" ]; then
export INT_IF="vif+"
export INT_TIF="vif+"
# Inject custom firewall rules into whonix_firewall
sed -i -f - /usr/bin/whonix_firewall <<-EOF
/^## IPv4 DROP INVALID INCOMING PACKAGES/,/######################################/c \\
## IPv4 DROP INVALID INCOMING PACKAGES \\
## \\
## --- THE FOLLOWING WS INJECTED --- \\
## Qubes Tiny Proxy Updater \\
iptables -t nat -N PR-QBS-SERVICES \\
iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
\\
# Route any traffic FROM netvm TO netvm BACK-TO localhost \\
# Allows localhost access to tor network \\
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
######################################
EOF
fi
# Load the firewall
# XXX: TODO: Take down all network accesss if firewall fails
/usr/bin/whonix_firewall
systemctl restart qubes-updates-proxy.service
fi

View File

@ -1,78 +0,0 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" == "gateway" ]; then
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
INTERFACE="eth1"
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
# Create a dummy eth1 interface so tor can bind to it if there
# are no DOMU virtual machines connected at the moment
ip link show ${INTERFACE} >> /dev/null || {
/sbin/ip link add ${INTERFACE} type dummy
# Now, assign it the netvm-gateway IP address
if [ x${ip} != x ]; then
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
/sbin/ifconfig ${INTERFACE} up
/sbin/ethtool -K ${INTERFACE} sg off || true
/sbin/ethtool -K ${INTERFACE} tx off || true
fi
ip link set ${INTERFACE} up
}
fi
if [ "${WHONIX}" != "template" ]; then
# Files that will have the immutable bit set
# since we don't want them modified by other programs
IMMUTABLE_FILES=(
'/etc/resolv.conf'
'/etc/hostname'
'/etc/hosts'
)
# Make sure all .anondist files in list are immutable
immutableFilesEnable "${IMMUTABLE_FILES}"
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
# Make sure we are using a copy of the annondist file and if not
# copy the annondist file and set it immutable
copyAnondist "/etc/resolv.conf"
copyAnondist "/etc/hosts"
copyAnondist "/etc/hostname"
# Replace IP addresses in known configuration files / scripts to
# currently discovered one
/usr/lib/whonix/replace-ips
# Make sure hostname is correct
/bin/hostname host
# Start Whonix Firewall
if [ "${WHONIX}" == "gateway" ]; then
export INT_IF="vif+"
export INT_TIF="vif+"
fi
/usr/bin/whonix_firewall
if [ "${WHONIX}" == "gateway" ]; then
# Route any traffic FROM netvm TO netvm BACK-TO localhost
# Allows localhost access to tor network
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1
fi
# Make sure we remove whonixsetup.done if Tor is not enabled
# to allow choice of repo and prevent whonixcheck errors
grep "^DisableNetwork 0$" /etc/tor/torrc || {
rm -f /var/lib/whonix/do_once/whonixsetup.done
}
fi