whonix: Added ability to be able to update templates via tor proxy. Firewall rules not working yet on gateway
parent
422dcc9c24
commit
d6d22e875e
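--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ /dev/null
@@ -1,95 +0,0 @@
-#!/bin/bash
-
-. /usr/lib/whonix/utility_functions
-
-#sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
-#disable_sysv tor
-#disable_sysv sdwdate
-
-iptables -F
-iptables -t nat -F
-
-LOG_IP4=1
-LOG_IP6=0
-
-# for IPv4
-if [ "$LOG_IP4" == "1" ]; then
-iptables -t raw -A OUTPUT -p icmp -j TRACE
-iptables -t raw -A PREROUTING -p icmp -j TRACE
-modprobe ipt_LOG
-fi
-
-# for IPv6
-if [ "$LOG_IP6" == "1" ]; then
-ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE
-ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE
-ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE
-ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
-modprobe ip6t_LOG
-fi
-
-sysctl -w net.ipv4.ip_forward=1
-
-iptables -A FORWARD -i eth0 -j ACCEPT
-iptables -A FORWARD -o eth0 -j ACCEPT
-iptables -A FORWARD -i lo -j ACCEPT
-iptables -A FORWARD -o lo -j ACCEPT
-
-#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-
-#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
-#iptables -t nat -A OUTPUT -p tcp -s 10.137.255.254 --sport 8082 -j DNAT --to-destination 127.0.0.1:9105
-#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
-#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.1 --dport 9105 -j DNAT --to-destination 10.137.255.254:8082
-#iptables -t nat -A OUTPUT -p tcp --dport 9105 -j DNAT --to-destination 10.137.255.254:8082
-#iptables -t nat -A OUTPUT -p tcp --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
-#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
-
-
-#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082
-#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082
-
-#iptables -t nat -A INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT"
-#iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT"
-
-#iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 9105 -j ACCEPT
-#iptables -t nat -A OUTPUT -o lo -p tcp --dport 9105 -j ACCEPT
-#iptables -t nat -A PREROUTING -i lo -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
-#iptables -t nat -A PREROUTING -i eth0 -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
-#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j REDIRECT --to-destination 10.137.255.254:8082
-#iptables -t nat -A PREROUTING -p tcp --dport 8082 -i eth0 -j DNAT --to 10.137.255.254:8082
-#iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT --to 10.137.255.254:8082
-#iptables -t nat -A PREROUTING -p tcp -i lo -j DNAT --to 10.137.255.254:8082
-
-#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
-#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
-
-#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254
-#iptables -t nat -A PREROUTING -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254
-#iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254
-#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254
-
-# Works
-# localhost/loopback maps localhost port 8082 to localhost port 8888
-#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888
-
-# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
-#iptables -t nat -A PREROUTING --dst 127.0.0.1 -p tcp --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
-#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j DNAT --to-destination 10.137.255.254:8082
-#iptables -t nat -A OUTPUT -p udp -d 10.137.2.1 --dport 52 -j DNAT --to-destination 10.137.255.254:8082
-
-# Remap ALL traffic
-#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
-#iptables -t nat -A OUTPUT -p udp -j DNAT --to-destination 10.137.255.254:8082
-
-
-#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j REDIRECT --to-port 9105
-#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105
-#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105
-
-#iptables -v -L
-#iptables -v -t nat -L
-#telnet 127.0.0.1 9105
-#telnet 10.137.2.1 8082
-#telnet 127.0.0.1 8082
-#tail -100 /var/log/kern.log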
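--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ /dev/null
@@ -1,157 +0,0 @@
-#!/bin/bash
-# vim: set ts=4 sw=4 sts=4 et :
-
-# ------------------------------------------------------------------------------
-# Source external scripts
-# ------------------------------------------------------------------------------
-. ${SCRIPTSDIR}/vars.sh
-. ./umount_kill.sh >/dev/null
-
-# ------------------------------------------------------------------------------
-# Configurations
-# ------------------------------------------------------------------------------
-if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
-set -x
-else
-set -e
-fi
-
-# ------------------------------------------------------------------------------
-# XXX: Create a snapshot - Only for DEBUGGING!
-# ------------------------------------------------------------------------------
-# Only execute if SNAPSHOT is set
-if [ "${SNAPSHOT}" == "1" ]; then
-splitPath "${IMG}" path_parts
-PREPARED_IMG="${path_parts[dir]}${path_parts[base]}-updated${path_parts[dotext]}"
-
-if ! [ -f "${PREPARED_IMG}" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then
-umount_kill "${INSTALLDIR}" || :
-warn "Copying ${IMG} to ${PREPARED_IMG}"
-cp -f "${IMG}" "${PREPARED_IMG}"
-mount -o loop "${IMG}" "${INSTALLDIR}" || exit 1
-for fs in /dev /dev/pts /proc /sys /run; do mount -B $fs "${INSTALLDIR}/$fs"; done
-fi
-fi
-
-# ------------------------------------------------------------------------------
-# Set defualts for apt not to install recommended or extra packages
-# ------------------------------------------------------------------------------
-#read -r -d '' WHONIX_APT_PREFERENCES <<'EOF'
-#Acquire::Languages "none";
-#APT::Install-Recommends "false";
-#APT::Install-Suggests "false";
-#Dpkg::Options "--force-confold";
-#EOF
-
-# ------------------------------------------------------------------------------
-# Cleanup function
-# ------------------------------------------------------------------------------
-function cleanup() {
-error "Whonix error; umounting ${INSTALLDIR} to prevent further writes"
-umount_kill "${INSTALLDIR}" || :
-exit 1
-}
-trap cleanup ERR
-trap cleanup EXIT
-
-# ------------------------------------------------------------------------------
-# Mount devices, etc required for Whonix installation
-# ------------------------------------------------------------------------------
-if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then
-info "Preparing Whonix system"
-
-# --------------------------------------------------------------------------
-# Qubes needs a user named 'user'
-# --------------------------------------------------------------------------
-debug "Whonix Add user"
-chroot "${INSTALLDIR}" id -u 'user' >/dev/null 2>&1 || \
-{
-chroot "${INSTALLDIR}" groupadd -f user
-chroot "${INSTALLDIR}" useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user
-}
-
-# ------------------------------------------------------------------------------
-# Copy over any extra files
-# ------------------------------------------------------------------------------
-copyTree "files"
-
-touch "${INSTALLDIR}/tmp/.whonix_prepared"
-fi
-
-# ------------------------------------------------------------------------------
-# Install Whonix
-# ------------------------------------------------------------------------------
-if [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_installed" ]; then
-info "Installing Whonix system"
-
-# ------------------------------------------------------------------------------
-# Create Whonix mount point
-# ------------------------------------------------------------------------------
-if ! [ -d "${INSTALLDIR}/home/user/Whonix" ]; then
-debug "Installing Whonix build environment..."
-chroot "${INSTALLDIR}" su user -c 'mkdir /home/user/Whonix'
-fi
-
-# --------------------------------------------------------------------------
-# Install Whonix code base
-# --------------------------------------------------------------------------
-if [ -d "${INSTALLDIR}/home/user/Whonix" ]; then
-debug "Building Whonix..."
-mount --bind "../Whonix" "${INSTALLDIR}/home/user/Whonix"
-sync
-sleep 1
-fi
-
-# ------------------------------------------------------------------------------
-# Determine type of Whonix build
-# ------------------------------------------------------------------------------
-if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then
-BUILD_TYPE="--torgateway"
-elif [ "${TEMPLATE_FLAVOR}" == "whonix-workstation" ]; then
-BUILD_TYPE="--torworkstation"
-else
-error "Incorrent Whonix type \"${TEMPLATE_FLAVOR}\" selected. Not building Whonix modules"
-error "You need to set TEMPLATE_FLAVOR environment variable to either"
-error "whonix-gateway OR whonix-workstation"
-exit 1
-fi
-
-# ------------------------------------------------------------------------------
-# Start Whonix build process
-# ------------------------------------------------------------------------------
-chroot "${INSTALLDIR}" su user -c "cd ~; ./whonix_build.sh ${BUILD_TYPE} ${DIST}" || { exit 1; }
-
-touch "${INSTALLDIR}/tmp/.whonix_installed"
-touch "${INSTALLDIR}/tmp/.whonix_post"
-fi
-
-# ------------------------------------------------------------------------------
-# Execute any template flavor or sub flavor scripts
-# ------------------------------------------------------------------------------
-buildStep "99_custom_configuration.sh"
-
-# ------------------------------------------------------------------------------
-# Bring back original apt-get for installation of Qubues
-# ------------------------------------------------------------------------------
-pushd "${INSTALLDIR}/usr/bin"
-{
-rm -f apt-get;
-cp -p apt-get.anondist-orig apt-get;
-}
-popd
-
-# ------------------------------------------------------------------------------
-# Make sure the temporary policy-rc.d to prevent apt from starting services
-# on package installation is still active; Whonix may have reset it
-# ------------------------------------------------------------------------------
-cat > "${INSTALLDIR}/usr/sbin/policy-rc.d" <<EOF
-#!/bin/sh
-return 101 # Action forbidden by policy
-EOF
-chmod 755 "${INSTALLDIR}/usr/sbin/policy-rc.d"
-
-# ------------------------------------------------------------------------------
-# Leave cleanup to calling function
-# ------------------------------------------------------------------------------
-trap - ERR EXIT
-trap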